Replace TFTP with FTP for SIP phone configuration

These are my notes on how I replace TFTP with FTP for Aastra SIP phone configuration files on a Red Hat Enterprise Linux server. With the TFTP port exposed to the internet and no IP restrictions for remote phone configuration, the directory is wide open, which makes it easy for someone to obtain extension passwords. FTP lets us protect the directory with a username and password. I am making these notes public to help others who might find them useful for their own projects.

Disable the tftp server on startup if it is enabled:

nano /etc/xinetd.d/tftp
change "disable=no" to "disable=yes"
(Ctrl-X>y>ENTER)

Restart xinetd to stop the tftp server:
service xinetd restart

Install vsftpd:
yum -y install vsftpd

Edit the vsftpd configuration. Erase the existing default config and replace it with this:
nano /etc/vsftpd/vsftpd.conf

use_localtime=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
#Only allow access for the users listed in /etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
#add the following for verbose logging to /var/log/vsftpd.log
log_ftp_protocol=YES
#Restrict them to the root of their account directory.  
#Make sure to put the account in the ftp directory
chroot_local_user=YES
#Default to root of ftp directory when connected
local_root=/var/ftp/
#This next line prevents someone from listing
#files if they manage to somehow get access via FTP.  
#So with access you still must know the file names.
#This is not a problem for SIP phones.
hide_file=*


(Ctrl-X>y>ENTER)

Now remove the actual ftp directory and create a symbolic link so that /var/ftp points at the TFTP directory. We do this because the Aastra XML scripts assume TFTP and use /tftpboot by default, so we are just going with the flow.
rm -rf /var/ftp
ln -sf /tftpboot /var/ftp


Add our ftp user ("sipphone" in this example) and give it a password:
useradd -s /sbin/nologin -b /var/ftp sipphone
passwd sipphone

-s /sbin/nologin is the standard way to prevent a non-root user from logging into the system interactively. -b /var/ftp makes /var/ftp the base directory for the account's home. We already restricted the user to that directory earlier in this procedure with the chroot_local_user=YES setting in vsftpd.conf.

Make sure the owner, group and permissions are set correctly for this new user's directory:
chown -R asterisk:asterisk /var/ftp/sipphone
chmod -R 0755 /var/ftp/sipphone

Add this user to the list of allowed users. Remove all other users from the list; otherwise it's a security risk.
nano /etc/vsftpd/user_list

sipphone

(Ctrl-X>y>ENTER)

Set vsftpd to start on boot:
chkconfig vsftpd on

Start the service:
service vsftpd start

Not a bad idea to reboot at the end of all this.
reboot
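As an added example (not part of the original notes), here is a small POSIX shell audit script that checks a finished setup for the settings this procedure relies on: the allow-list vsftpd.conf options, a user_list that names only sipphone, and tftp disabled in xinetd. It builds constructed sample files in a temp directory so it runs stand-alone; point the functions at /etc/vsftpd/vsftpd.conf, /etc/vsftpd/user_list and /etc/xinetd.d/tftp to audit a real server.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the vsftpd/tftp setup.

# Return 0 if $1 has an exact key=value line for every setting this procedure
# needs (last occurrence wins, as in vsftpd). Prints each mismatch.
check_vsftpd_conf() {
    conf="$1"; rc=0
    for want in anonymous_enable=NO local_enable=YES write_enable=NO \
                chroot_local_user=YES userlist_enable=YES userlist_deny=NO \
                hide_file='*' listen=YES; do
        key="${want%%=*}"
        have=$(grep "^[[:space:]]*${key}=" "$conf" | tail -n 1 \
               | cut -d= -f2- | tr -d '[:space:]')
        if [ "$have" != "${want#*=}" ]; then
            echo "vsftpd.conf: expected ${want}, found ${key}=${have:-<unset>}"
            rc=1
        fi
    done
    return "$rc"
}

# With userlist_deny=NO the user_list is an allow list: return 0 only if $1
# names exactly the one account in $2 (comments and blank lines ignored).
check_user_list() {
    users=$(grep -v '^[[:space:]]*#' "$1" | sed '/^[[:space:]]*$/d')
    [ "$users" = "$2" ]
}

# Return 0 if the xinetd service file in $1 has "disable = yes".
check_tftp_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Constructed sample files for a stand-alone run (not the server's real files).
tmp=$(mktemp -d)
printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=NO\n' > "$tmp/good.conf"
printf 'chroot_local_user=YES\nuserlist_enable=YES\nuserlist_deny=NO\n' >> "$tmp/good.conf"
printf 'hide_file=*\nlisten=YES\n' >> "$tmp/good.conf"
sed 's/^write_enable=NO/write_enable=YES/' "$tmp/good.conf" > "$tmp/bad.conf"
printf '# allow list\nsipphone\n' > "$tmp/users_ok"
printf 'sipphone\nroot\n' > "$tmp/users_bad"
printf 'service tftp\n{\n\tdisable\t\t= yes\n}\n' > "$tmp/tftp_off"

check_vsftpd_conf "$tmp/good.conf" && echo "vsftpd.conf: OK"
check_user_list "$tmp/users_ok" sipphone && echo "user_list: only sipphone"
check_tftp_disabled "$tmp/tftp_off" && echo "tftp: disabled in xinetd"
```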