Replace TFTP with FTP for SIP phone configuration
These are my notes on replacing TFTP with FTP for Aastra SIP phone configuration files on a Red Hat Enterprise Linux server. With the TFTP port exposed to the internet and no IP restrictions on remote phone configuration, the directory is wide open: anyone can fetch the config files and read the extension passwords out of them. FTP lets us put a username and password in front of the directory. Keep in mind what that does and does not buy you: FTP sends the username and password in the clear, so anyone who can sniff the path between a phone and the server still gets them, and a single credential shared by every phone is a modest secret. Restrict the source addresses at the firewall where you can, and prefer a TLS-based provisioning method if the phone firmware supports one. I am making it public to help others who might find it useful for their own projects.
Disable the tftp server on startup if it is enabled. In /etc/xinetd.d/tftp (the xinetd entry that the tftp-server package installs) change “disable=no” to “disable=yes”.
Restart xinetd to stop tftp-server
service xinetd restart
Install vsftpd:
yum -y install vsftpd
Edit the vsftpd configuration, /etc/vsftpd/vsftpd.conf. Erase the existing default config and replace it with this (each comment describes the setting that goes beneath it).
#Only allow access for the users listed in /etc/vsftpd/user_list
#add the following for verbose logging to /var/log/vsftpd.log
#Restrict them to the root of their account directory.
#Make sure to put the account in the ftp directory
#Default to root of ftp directory when connected
#This next line prevents someone from listing
#files if they manage to somehow get access via FTP.
#So with access you still must know the file names.
#This is not a problem for SIP phones.
Now remove the ftp directory the package created and make /var/ftp a symbolic link to the TFTP directory. We do this because the Aastra XML scripts assume TFTP and use /tftpboot by default, so we are just going with the flow. Nothing of value is lost: the only thing in the package's /var/ftp is the anonymous pub directory, and anonymous access is off.
rm -rf /var/ftp
ln -sf /tftpboot /var/ftp
Add our ftp user ("sipphone" in this example) and then give it a password with passwd.
useradd -s /sbin/nologin -b /var/ftp sipphone
The -s /sbin/nologin denies the account an interactive shell, the standard way to keep a non-root user from logging into the system. The -b /var/ftp makes /var/ftp the base of its home directory, so the home becomes /var/ftp/sipphone (which, through the symlink, is /tftpboot/sipphone on disk). We have restricted FTP sessions for this user to that directory further up in this procedure with the chroot_local_user=YES declaration in the vsftpd.conf file. One check worth making: the vsftpd PAM stack on RHEL includes pam_shells, so /sbin/nologin must be listed in /etc/shells (it is by default on RHEL) or the FTP login will be refused even with the right password.
Make sure the owner, group and permissions are set correctly for this new user's directory:
chown -R asterisk:asterisk /var/ftp/sipphone
chmod -R 0755 /var/ftp/sipphone
Two caveats on those modes. 0755 leaves the config files, extension passwords included, readable by every local account on the server; if anything else runs on this box, consider 0750 on the directories and 0640 on the files with sipphone added to the asterisk group, which is all vsftpd needs to read them as sipphone. Whatever you choose, the directory must not be writable by sipphone: vsftpd 2.3.5 and later refuse to run in a chroot whose root the logged-in user can write to.
Add this user to the list of allowed users in /etc/vsftpd/user_list and remove every other entry. The stock file lists root and a dozen system accounts; because our config turns user_list into an allow list, any name left in it is an account the server will accept, so leaving them there is a security risk.
Set vsftpd to start on boot:
chkconfig vsftpd on
Start the service:
service vsftpd start
Not a bad idea to reboot at the end of all this. Either way, verify from another host that TFTP no longer answers on UDP port 69, and that an FTP login as sipphone can fetch a config file by name but gets nothing back from a directory listing.
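The whole procedure above collected into one script, as an added example of my own and not the author's commands. It assumes a RHEL 6-style system (xinetd, chkconfig, service, yum) and the paths the page uses; the variable names FTP_USER, FTP_PASS, TFTP_DIR, FTP_DIR and OWNER are mine. The vsftpd directives are my reconstruction of the settings the comments in the config step describe, since the author's exact directive lines are not shown on the page; in particular local_root=/var/ftp is my assumption for "default to the root of the ftp directory", and it also makes the chroot land in /var/ftp rather than in the account's home. The audit_vsftpd_conf function is the check I would run against any vsftpd.conf before exposing it: it flags the settings that would reopen the directory, treating a missing line as a problem because vsftpd's compiled-in defaults for anonymous_enable and dirlist_enable are both YES.

```shell
#!/bin/sh
# Added example (not the page author's commands): the TFTP-to-FTP procedure as
# one idempotent script for a RHEL 6-style box (xinetd, chkconfig, service, yum).
# Assumptions: RHEL default paths; the vsftpd directives below are reconstructed
# from the comments in the config step of the page, not copied from the author's
# file; variable names are mine.

FTP_USER="${FTP_USER:-sipphone}"   # download-only account the phones log in as
TFTP_DIR="${TFTP_DIR:-/tftpboot}"  # where the Aastra XML scripts expect files
FTP_DIR="${FTP_DIR:-/var/ftp}"     # becomes a symlink to TFTP_DIR
OWNER="${OWNER:-asterisk}"         # owner of the config tree

# Emit the hardened vsftpd.conf on stdout.
vsftpd_conf() {
    cat <<EOF
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
# Only allow access for the users listed in /etc/vsftpd/user_list
# (userlist_deny=NO turns user_list into an allow list)
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
# Verbose logging to /var/log/vsftpd.log
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
# Restrict the user to the root of the ftp directory (assumption: local_root
# makes $FTP_DIR both the chroot root and the directory a session starts in)
chroot_local_user=YES
local_root=$FTP_DIR
# No directory listings: even with a valid login you must know the file names
dirlist_enable=NO
EOF
}

# want CONF KEY VALUE MESSAGE: succeed if CONF contains the line KEY=VALUE
# (vsftpd allows no spaces around '='); otherwise print MESSAGE and fail.
want() {
    grep -qi "^$2=$3\$" "$1" && return 0
    echo "$2: $4 (expected $2=$3)"
    return 1
}

# Audit a vsftpd.conf for the settings that would reopen the directory.
# Prints one line per problem; returns 0 if clean, 1 otherwise. A missing line
# counts as a problem: vsftpd's compiled-in defaults for anonymous_enable and
# dirlist_enable are YES, so only an explicit NO is safe.
audit_vsftpd_conf() {
    conf="$1"
    rc=0
    want "$conf" anonymous_enable  NO  "anonymous logins allowed"                   || rc=1
    want "$conf" userlist_enable   YES "user_list is not enforced"                  || rc=1
    want "$conf" userlist_deny     NO  "user_list is a deny list, not an allow list" || rc=1
    want "$conf" chroot_local_user YES "users are not chrooted"                     || rc=1
    want "$conf" dirlist_enable    NO  "directory listing allowed"                  || rc=1
    return $rc
}

# Apply the whole procedure. Needs root and FTP_PASS in the environment.
apply_procedure() {
    : "${FTP_PASS:?set FTP_PASS to the password the phones will use}"
    # 1. Disable tftp in xinetd (disable = yes) and restart xinetd to stop it.
    if [ -f /etc/xinetd.d/tftp ]; then
        sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' /etc/xinetd.d/tftp
        service xinetd restart
    fi
    # 2. Install vsftpd and replace its default config with the hardened one.
    yum -y install vsftpd
    vsftpd_conf > /etc/vsftpd/vsftpd.conf
    # 3. Replace the package's /var/ftp with a symlink to the TFTP tree
    #    (rm on a symlink removes only the link, so re-running is safe).
    rm -rf "$FTP_DIR"
    ln -sf "$TFTP_DIR" "$FTP_DIR"
    # 4. Create the account with no interactive shell, home under the ftp dir.
    id "$FTP_USER" >/dev/null 2>&1 || useradd -s /sbin/nologin -b "$FTP_DIR" "$FTP_USER"
    printf '%s:%s\n' "$FTP_USER" "$FTP_PASS" | chpasswd
    # 5. Ownership and modes: readable by the FTP user, never writable by it
    #    (vsftpd 2.3.5+ refuses a chroot whose root the user can write to).
    chown -R "$OWNER:$OWNER" "$FTP_DIR/$FTP_USER"
    chmod -R 0755 "$FTP_DIR/$FTP_USER"
    # 6. user_list holds exactly this one account; anything else left in an
    #    allow list is an account the server would accept.
    printf '%s\n' "$FTP_USER" > /etc/vsftpd/user_list
    # 7. Start vsftpd now and on boot, then prove the config is sane.
    chkconfig vsftpd on
    service vsftpd restart
    audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
}

# Only touch the system when explicitly asked; running or sourcing the script
# without "apply" just defines the functions so the audit can be used alone.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    apply_procedure
fi
```

Run it as root with `FTP_PASS='...' sh ftp-provision.sh apply` to carry out the whole procedure; without the apply argument nothing on the system is touched, so `. ./ftp-provision.sh` followed by `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` is a quick way to check an existing server. The audit deliberately looks for exact KEY=VALUE lines rather than parsing vsftpd's grammar, because vsftpd itself rejects spaces around the equals sign, so that is the only form a working config can contain.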