FTP

From Blue-IT.org Wiki

Latest revision as of 11:26, 29 June 2017

VSFTP

The vsftpd FTP server ("Vsftp", https://security.appspot.com/vsftpd.html) describes itself as "probably the most secure and fastest FTP server for UNIX-like systems". Unfortunately it turned out that getting it to run really securely was not that easy. ;-)

This is also a small guide to creating a dedicated ftp user who can manage a website without ssh access.

I also recommend using OpenVPN: point the listen_address of vsftpd at the VPN interface, so the FTP port is never exposed to the outside world.

Installation for Ubuntu 14.04 and up

sudo apt-get install vsftpd
cd /etc
sudo touch vsftpd.conf           # server configuration
sudo touch vsftpd.user_list      # allowed users
sudo touch vsftpd.chroot_list    # normally empty

You can also use the /etc/vsftpd directory if you like. Where these files live and what they are called does not matter; every path is given explicitly in the configuration file. (On Ubuntu the package already installs /etc/vsftpd.conf, so the touch is a no-op for that one.)

Troubleshooting

1. I could not get the service working under Ubuntu 14.04 because of the PAM service name in the configuration file (logins failed with "530 Login incorrect"). With the package default pam_service_name=vsftpd, /etc/pam.d/vsftpd also rejects users listed in /etc/ftpusers and, via pam_shells, users whose login shell is not in /etc/shells, so check both if a user with /usr/sbin/nologin cannot log in:

# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT: keep the value alone on its line. vsftpd has no inline comments,
# "ftp  # IMPORTANT" would be taken literally as the PAM service name.
pam_service_name=ftp

2. The next problem: the root directory of a chrooted ftp user must not be writable, otherwise vsftpd refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()":

# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so: ONLY THIS
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work here: you have to make the user's base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES

Configuration file

My allowed user list:

vim /etc/vsftpd.user_list
# allowed user list
bobs_websites

My configuration file using the vsftpd.user_list above. As you can see, my vsftpd instance listens on a private IP address, the one of my VPN interface (tun0), so I don't have to open the port to the outside world. Two things to keep in mind with this setup: vsftpd binds that address when it starts, so the VPN interface has to be up before vsftpd (otherwise it fails with "500 OOPS: could not bind listening IPv4 socket"); and because the link is already encrypted by the VPN, this configuration does not force TLS (force_local_logins_ssl and force_local_data_ssl are NO). On any network you do not control, set both to YES, otherwise password and data may cross the wire in clear text:

vim /etc/vsftpd.conf
# /etc/vsftpd.conf - vsftpd configuration file
#
# Run standalone
listen=YES
# private ip of the VPN interface (tun0). vsftpd allows no trailing comment
# after a value, so the address has to stand alone on its line
listen_address=192.168.50.1
# public ip, only if you really want to expose the service:
#listen_address=xxx.xxx.xxx.xxx
listen_port=21
#
# Allow anonymous FTP
anonymous_enable=NO
anon_world_readable_only=NO
#
# Allow local users to log in. IMPORTANT! Keep the value alone on its line;
# "YES  # IMPORTANT!" makes vsftpd fail with "bad bool value"
local_enable=YES
#
# Allow any form of FTP write command. IMPORTANT (same rule: no trailing comment)
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to write files
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Uploaded anonymous files to be owned by a different user
#chown_uploads=YES
#chown_username=www-data
#
# Log file path
xferlog_file=/var/log/vsftpd.log
#
# Log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# Customise the login banner string
ftpd_banner=Welcome.
#
# Use the contents of this file for the login banner
#banner_file=/etc/vsftpd/banner
#
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work:  you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES
#
# List of local users to chroot() to their home directory. If
# chroot_local_user is YES, then this list becomes a list of users to NOT
# chroot()
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
# (the file exists but is empty)
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT: value alone on its line, "ftp  # IMPORTANT" would be taken as the service name
pam_service_name=ftp
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
# Not to require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL. NO here only because the
# service is reachable through the VPN alone; set both to YES on any
# untrusted network, otherwise clients may log in and transfer in clear text
force_local_logins_ssl=NO
force_local_data_ssl=NO
#
# Disable seccomp sandboxing new feature because it causes errors
# https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1195816
seccomp_sandbox=NO
#
#############################################################################
# CUSTOMIZIATION
#############################################################################
# Userlist
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
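
As an added example (my own, not from the page or the vsftpd project), here is a small linter in POSIX shell plus awk that reads a vsftpd.conf and flags the pitfalls discussed above: trailing comments on value lines (vsftpd takes everything after "=" as the value), a public listen_address, anonymous logins, a missing chroot, TLS enabled but not forced, and a missing allow-list. The two sample configurations inside it are constructed; the "bad" one deliberately repeats the mistakes, and the linter also flags the page's own choice of force_local_*_ssl=NO, which is acceptable only because the service is reachable through the VPN alone.

```bash
#!/usr/bin/env bash
# vsftpd_lint: flag the pitfalls from this page in a vsftpd.conf.
# Added example, not part of the original page or of the vsftpd project.
# Assumes a POSIX shell plus awk; the only input is the config file path.
set -u

# Print one WARN line per finding. vsftpd reads everything after '=' as the
# value, so "YES  # note" is a "bad bool value" and "ftp  # note" is a PAM
# service that does not exist; the awk strips such a tail only for its own
# semantic checks, vsftpd itself would not.
vsftpd_lint() {
  awk '
    function get(k, d) { return (k in cfg) ? cfg[k] : d }
    function private_ip(a) {
      return a ~ /^(10\.|192\.168\.|127\.|172\.(1[6-9]|2[0-9]|3[01])\.)/
    }
    /^[ \t]*$/ || /^#/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      if (val ~ /[ \t#]/)
        print "WARN " key ": trailing comment/whitespace in value (vsftpd keeps the whole rest of the line)"
      sub(/[ \t#].*$/, "", val)
      cfg[key] = val
    }
    END {
      if (get("anonymous_enable", "YES") == "YES")
        print "WARN anonymous_enable is not NO: anonymous logins allowed"
      if (get("chroot_local_user", "NO") != "YES")
        print "WARN chroot_local_user is not YES: users can browse the whole filesystem"
      if (("listen_address" in cfg) && !private_ip(cfg["listen_address"]))
        print "WARN listen_address=" cfg["listen_address"] " is not a private/VPN address"
      if (get("ssl_enable", "NO") == "YES") {
        # vsftpd defaults both force_* options to YES once ssl_enable=YES; the
        # page sets them to NO because the VPN already encrypts the link
        if (get("force_local_logins_ssl", "YES") != "YES")
          print "WARN force_local_logins_ssl=NO: passwords may cross the wire in clear text"
        if (get("force_local_data_ssl", "YES") != "YES")
          print "WARN force_local_data_ssl=NO: file contents may cross the wire in clear text"
      } else {
        print "WARN ssl_enable is not YES: no TLS at all"
      }
      if (get("userlist_enable", "NO") != "YES" || get("userlist_deny", "YES") != "NO")
        print "WARN no allow-list: set userlist_enable=YES, userlist_deny=NO and userlist_file"
    }' "$1"
}

# Number of findings, handy for scripting: [ "$(vsftpd_lint_count f)" -eq 0 ]
vsftpd_lint_count() { vsftpd_lint "$1" | wc -l | tr -d ' '; }

# Constructed sample that repeats the mistakes discussed above (public ip,
# inline comments, anonymous on, no chroot, TLS not forced, no allow-list).
write_bad_conf() {
  cat > "$1" <<'EOF'
listen_address=203.0.113.10
local_enable=YES  # IMPORTANT!
anonymous_enable=YES
chroot_local_user=NO
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
pam_service_name=ftp  # IMPORTANT
EOF
}

# Constructed sample with every finding fixed.
write_good_conf() {
  cat > "$1" <<'EOF'
listen_address=192.168.50.1
local_enable=YES
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pam_service_name=ftp
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
EOF
}

# Usage: vsftpd_lint /etc/vsftpd.conf
```

Run it after every change to the config; a zero result from vsftpd_lint_count is a cheap precondition to script into a deployment. The listen_address and force_local_*_ssl checks are policy rather than syntax: on the VPN-only setup described here you may accept those warnings consciously, the inline-comment findings you never should.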

Security

Create pure ftp users with their own ftp directory

This point is often neglected. An ftp user is something different from a normal shell user. Normally you want to prevent users from seeing the content of the server, for example the home directories under /home. A logged-in FTP user can always see everything below its own home directory; if it is not explicitly confined (chrooted), it can also browse the rest of the server, as far as the Unix permissions allow. For example, an ftp user called bobs_websites with the home directory /home/bobs_websites can list all of /home if nothing is done about it. How can this be avoided? There are two ways to get a pure ftp user and separate it from the server's content: alter an existing user with usermod, or create a new one with useradd. Both are shown below.

Example

We want to let an FTP user manage the content of its website. This ftp user is called bobs_websites. The website is a WordPress site and its directory on our server is called bobs_wordpress_site (found under e.g. /var/www/bobs_wordpress_site). Bob should only, and really only, see his own website content and the (empty) ftp root folder. He should be able to upload, download and alter files without any hassle. Therefore the files must belong to the web server's (Apache's) www-data user and group. How can this be achieved?

1. We need the uid and gid of the web server user (www-data for Apache). The ftp user bobs_websites must run under these. You get them with the id command:

#> id -u www-data  # gives the user-id of www-data
33
#> id -g www-data  # gives the group-id of www-data
33

You can alter an existing user with usermod to match the new ids. Because uid 33 already belongs to www-data, usermod needs -o (--non-unique), otherwise it stops with "UID '33' already exists":

usermod -o -u 33 bobs_websites   # or leave bobs_websites with its own unique uid, see below
usermod -g 33 bobs_websites

Afterwards change the ownership of the files in the home directory (usermod -u already does this for files the user owns inside its home, the find catches the rest):

find /home/bobs_websites -exec chown -h 33 {} \;
find /home/bobs_websites -exec chgrp -h 33 {} \;

If the user does not exist yet, useradd does it all at once. The -s /usr/sbin/nologin keeps the account out of ssh, which is the whole point of a pure ftp user (if PAM then refuses the ftp login because of pam_shells, add /usr/sbin/nologin to /etc/shells):

useradd --gid 33 -o --uid 33 -b /home -m -s /usr/sbin/nologin bobs_websites

Or this, which leaves bobs_websites with its own uid. Apache can then read Bob's uploads through the www-data group, but with local_umask=022 they are created with mode 644 and Apache cannot write to them, which matters for WordPress updates and media uploads:

useradd --gid 33 -b /home -m -s /usr/sbin/nologin bobs_websites

Now set a password for the ftp user:

passwd bobs_websites

2. THIS IS IMPORTANT: create a subdirectory bobs_websites/ftp and make this ftp directory the home directory of the user (usermod's option is -d/--home; --home-dir is the useradd spelling):

mkdir -p /home/bobs_websites/ftp
usermod -d /home/bobs_websites/ftp bobs_websites

3. THIS IS IMPORTANT: make the ftp dir not writable (this is also CRUCIAL for getting chroot and vsftpd to work; vsftpd refuses to chroot into a writable root directory):

chmod a-w /home/bobs_websites/ftp

4. Apache's default Debian/Ubuntu configuration does not serve websites out of home directories. The trick is to keep the WordPress files inside the ftp directory and bind-mount that directory to the place Apache expects, /var/www (or /srv/www). Make the WordPress directory owned by www-data (uid/gid 33) so that the ftp user, who runs under that uid, can write to it while the ftp root itself stays read-only:

mkdir /var/www/bobs_wordpress_site                 # the mount point Apache will serve
mkdir /home/bobs_websites/ftp/bobs_wordpress_site  # this is the place for the wordpress install

Add this to /etc/fstab to make the content of the ftp account of bobs_websites accessible to the web server, then activate it with mount /var/www/bobs_wordpress_site (or a reboot):

/home/bobs_websites/ftp/bobs_wordpress_site /var/www/bobs_wordpress_site none bind 0 0

5. Voilà.

If Bob wants to add more websites, he MUST ask the administrator to add another subdirectory in the ftp directory and another entry in /etc/fstab for the new site.

In any case he is not allowed to write into the ftp directory itself and cannot see anything above it.
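
The five steps above combined into one script, as an added example that is not part of the original page. It assumes Ubuntu userland (useradd/usermod from shadow, util-linux mount and mountpoint, Apache running as www-data) and /var/www as Apache's document root; jail_root_ok checks exactly the property vsftpd insists on for a chroot root, so it can be run against an existing setup before wondering about "500 OOPS". Applying the changes needs root; the helper functions do not.

```bash
#!/usr/bin/env bash
# ftp_site_user.sh: steps 1-5 above as one script, plus a check of the jail
# vsftpd will chroot into. Added example, not part of the original page.
# Assumes Ubuntu userland (useradd/usermod from shadow, util-linux mount and
# mountpoint) and Apache running as www-data; applying needs root.
set -u

WWW_ROOT=/var/www     # where Apache serves from (assumption, see step 4)
HOME_BASE=/home       # where the ftp user's home lives (-b of useradd)

# Reject names that could escape the paths built below (empty, /, .., space).
valid_name() {
  case "$1" in ''|*/*|*..*|*' '*) return 1 ;; esac
  return 0
}

# 0 if DIR exists and has no write bit for owner, group or other, which is
# what vsftpd demands of a chroot root ("refusing to run with writable root").
jail_root_ok() {
  [ -d "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c1-10)" in *w*) return 1 ;; esac
  return 0
}

# The /etc/fstab line that bind-mounts the site out of the jail for Apache.
fstab_entry() {
  printf '%s/%s/ftp/%s %s/%s none bind 0 0\n' "$HOME_BASE" "$1" "$2" "$WWW_ROOT" "$2"
}

# setup_ftp_site_user USER SITE [own]: create or adjust USER, build the jail,
# bind-mount SITE. With "own" the user keeps a separate uid (Apache then
# reads Bob's uploads via group www-data but cannot write them).
setup_ftp_site_user() {
  user=$1; site=$2; mode=${3:-www}
  valid_name "$user" && valid_name "$site" || { echo "bad name" >&2; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  wid=$(id -u www-data)                      # 33 on Ubuntu
  jail="$HOME_BASE/$user/ftp"
  # step 1: the user, without a login shell (this is an ftp-only account)
  if ! id "$user" >/dev/null 2>&1; then
    if [ "$mode" = own ]; then
      useradd --gid "$wid" -b "$HOME_BASE" -m -s /usr/sbin/nologin "$user"
    else
      useradd --gid "$wid" -o --uid "$wid" -b "$HOME_BASE" -m -s /usr/sbin/nologin "$user"
    fi
  fi
  # steps 2 and 3: the jail root, owned by root and writable by nobody
  mkdir -p "$jail/$site"
  chown root:root "$jail"
  chmod 555 "$jail"
  usermod -d "$jail" "$user"
  # the site directory is where uploads go: ftp user, group www-data inherited
  chown "$user:$wid" "$jail/$site"
  chmod 2775 "$jail/$site"
  # step 4: make it visible under Apache's document root
  mkdir -p "$WWW_ROOT/$site"
  entry=$(fstab_entry "$user" "$site")
  grep -qxF "$entry" /etc/fstab || printf '%s\n' "$entry" >> /etc/fstab
  mountpoint -q "$WWW_ROOT/$site" || mount "$WWW_ROOT/$site"
  # step 5: what vsftpd will see when bob logs in
  jail_root_ok "$jail" || { echo "jail root $jail is writable" >&2; return 1; }
  echo "ok: $user chrooted to $jail, site served from $WWW_ROOT/$site"
}

# Usage (as root): ./ftp_site_user.sh bobs_websites bobs_wordpress_site [own]
if [ $# -ge 2 ]; then setup_ftp_site_user "$@"; fi
```

The script is idempotent enough to re-run after a change: an existing user is kept and only its home directory and the jail permissions are (re)applied, and the fstab line is added once. Keep jail_root_ok in your monitoring; a well-meant chmod on /home/bobs_websites/ftp is the most common way this setup breaks later.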