Difference between revisions of "FTP"
From Blue-IT.org Wiki
Latest revision as of 11:26, 29 June 2017
VSFTP
The "Vsftp" FTP server claims to be the "probably most secure and fastest FTP server for UNIX-like systems". Unfortunately it turned out that getting it to run really securely was not very easy. ;-)
This is also a small guide to creating a special FTP user who can manage a website without SSH access.
I also recommend using OpenVPN; you can then bind vsftpd to the VPN interface via listen_address.
Installation for Ubuntu 14.04 and up
sudo apt-get install vsftpd
cd /etc
sudo touch vsftpd.conf        # server configuration
sudo touch vsftpd.user_list   # allowed users
sudo touch vsftpd.chroot_list # normally empty
You can also use the /etc/vsftpd directory if you like. It does not matter where these files are or what they are called, since their paths are all given in the configuration file.
Troubleshooting
1. I could not get the service running under Ubuntu 14.04 because of a wrong service name in the configuration file:
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT (vsftpd takes everything after "=" as the value, so the remark stays on its own line)
pam_service_name=ftp
2. The service did not start because the base directory of the FTP user has to be non-writable:
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so ONLY THIS:
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES
Configuration file
My allowed user list:
vim /etc/vsftpd.user_list
# allowed user list
bobs_websites
My configuration file using the above vsftpd.user_list. As you can see, my vsftpd instance listens on a local IP address, which is my VPN interface (tun0). With this I don't have to open up the port to the outside world:
vim /etc/vsftpd.conf
# /etc/vsftpd.conf - vsftpd configuration file
#
# NOTE: vsftpd takes everything after "=" as the value and rejects YES/NO
# options with "bad bool value in config file" if a remark follows on the
# same line, so all remarks below are kept on their own comment lines.
#
# Run standalone
listen=YES
# private ip / VPN interface (a public ip would go here instead)
listen_address=192.168.50.1
#listen_address=xxx.xxx.xxx.xxx
listen_port=21
#
# Allow anonymous FTP
anonymous_enable=NO
anon_world_readable_only=NO
#
# Allow local users to log in (IMPORTANT!)
local_enable=YES
#
# Allow any form of FTP write command (IMPORTANT)
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to write files
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Uploaded anonymous files to be owned by a different user
#chown_uploads=YES
#chown_username=www-data
#
# Log file path
xferlog_file=/var/log/vsftpd.log
#
# Log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# Customise the login banner string
ftpd_banner=Welcome.
#
# Use the contents of this file for the login banner
#banner_file=/etc/vsftpd/banner
#
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES
#
# List of local users to chroot() to their home directory. If
# chroot_local_user is YES, then this list becomes a list of users to NOT
# chroot()
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list (EXISTS BUT IS EMPTY)
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use (IMPORTANT, see Troubleshooting)
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
pam_service_name=ftp
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
# Not to require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL
force_local_logins_ssl=NO
force_local_data_ssl=NO
#
# Disable seccomp sandboxing new feature because it causes errors
# https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1195816
seccomp_sandbox=NO
#
#############################################################################
# CUSTOMIZATION
#############################################################################
# Userlist
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
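The two Troubleshooting pitfalls above (a remark after a value, which vsftpd cannot parse) and the settings that matter for exposure (anonymous logins, chroot, SSL, the listen address) can be checked mechanically before restarting the daemon. The following linter is an added example and not part of the wiki page; the function names and both sample configuration files are constructed for it, and it assumes only POSIX shell tools.

```shell
#!/bin/sh
# Added example, not part of the wiki page: lint a vsftpd.conf for the
# mistakes discussed above. Function names and sample files are constructed.

# Print one finding per line for the vsftpd.conf given as $1.
# vsftpd reads "key=value" lines whole: everything after the '=' is the
# value, so a trailing "# comment" makes YES/NO options fail with
# "bad bool value in config file" and silently corrupts string options.
lint_vsftpd_conf() {
    anon_off=0; chroot_ok=0; ssl_on=0; listen_set=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                      # blank or comment line
        esac
        key=${line%%=*}
        val=${line#*=}
        case "$val" in
            *'#'*) echo "inline comment after value of '$key' (vsftpd will reject or misread it)" ;;
        esac
        case "$key" in
            anonymous_enable)
                case "$val" in
                    NO)  anon_off=1 ;;
                    YES) echo "anonymous_enable=YES: anonymous logins allowed" ;;
                esac ;;
            chroot_local_user)     case "$val" in YES) chroot_ok=1 ;; esac ;;
            allow_writable_chroot) case "$val" in YES) echo "allow_writable_chroot=YES: chroot root is writable" ;; esac ;;
            ssl_enable)            case "$val" in YES) ssl_on=1 ;; esac ;;
            listen_address)
                listen_set=1
                case "$val" in
                    *' '*) echo "listen_address '$val' is not a bare IP address" ;;
                esac ;;
        esac
    done < "$1"
    [ "$anon_off" = 1 ]   || echo "anonymous_enable is not NO"
    [ "$chroot_ok" = 1 ]  || echo "chroot_local_user is not YES: users can browse the whole server"
    [ "$ssl_on" = 1 ]     || echo "ssl_enable is not YES: passwords cross the network in clear text"
    [ "$listen_set" = 1 ] || echo "no listen_address: the daemon binds every interface, not just the VPN"
}

# Number of findings for the file given as $1.
count_findings() {
    lint_vsftpd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: remarks after values (which vsftpd cannot parse),
# a listen_address that is not a bare address, no chroot and no SSL.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
listen=YES
listen_address=192.168.50.1 (private ip / VPN)
anonymous_enable=NO
local_enable=YES # IMPORTANT!
write_enable=YES
pam_service_name=ftp # IMPORTANT
EOF

# Constructed sample: the same settings written the way vsftpd expects.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
listen=YES
listen_address=192.168.50.1
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
pam_service_name=ftp
EOF

echo "findings in bad config:"
lint_vsftpd_conf "$BAD_CONF"
echo "findings in good config: $(count_findings "$GOOD_CONF")"
```

Run it against /etc/vsftpd.conf with `lint_vsftpd_conf /etc/vsftpd.conf` before `service vsftpd restart`; the bad sample yields five findings, the good sample none.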
Security
Create pure ftp users with their own ftp directory
This point is sometimes neglected. An FTP user is something different from a normal shell user. Normally you want to prevent users from seeing the content of the server, or the home directories under /home. A logged-in FTP user can ALWAYS see the directory directly below its own root directory, and if it is not explicitly confined (chrooted) it can also see the whole server content. For example, an FTP user called bobs_websites whose home directory is /home/bobs_websites can see everything in /home if nothing is done about it. How can this be avoided? There are 2 ways to get a pure FTP user and separate it from the server's content.
Example
We want to let the FTP user manage its website content. This FTP user should be called bobs_websites. The website is a WordPress site and the directory on our server is called bobs_wordpress_site (found under e.g. /var/www/bobs_wordpress_site). Bob should only, and really only, see his own website content and the (empty) FTP root folder. He should be able to upload, download and alter files without any hassle. Therefore the files must run under the web server's (Apache) www-data user and group. How can this be achieved?
1. We need the web server's (Apache) uid and gid. The FTP user bobs_websites must run under these (www-data). You can get the ids of www-data with the id command:
#> id -u www-data   # gives the user-id of www-data
33
#> id -g www-data   # gives the group-id of www-data
33
You can also alter an existing user with usermod to match the new ids:
usermod -u 33 bobs_websites   # you can also leave bobs_websites with its own unique id
usermod -g 33 bobs_websites
Afterwards change the ids of the directory:
find /home/bobs_websites -exec chown -h 33 {} \;
find /home/bobs_websites -exec chgrp -h 33 {} \;
If the user does not exist yet, we can do it all at once using useradd:
useradd --gid 33 -o --uid 33 -b /home/ -m bobs_websites
Or this, which leaves bobs_websites with its own uid:
useradd --gid 33 -b /home/ -m bobs_websites
Now set a password for the ftp user:
passwd bobs_websites
2. THIS IS IMPORTANT: create a subdirectory bobs_websites/ftp and make this ftp directory the home directory of the user:
mkdir -p /home/bobs_websites/ftp
usermod --home /home/bobs_websites/ftp bobs_websites   # usermod takes --home (or -d); --home-dir is a useradd option
3. THIS IS IMPORTANT: make the ftp dir not writable (this is also CRUCIAL for getting chroot and vsftp to work):
chmod a-w /home/bobs_websites/ftp
4. Apache will refuse to run a website under the home directory. The trick is to create the website under /var/www (or /srv/www) and then bind-mount it under the ftp directory:
mkdir /var/www/bobs_wordpress_site
mkdir /home/bobs_websites/ftp/bobs_wordpress_site   # this is the place for the wordpress install
Add this to your /etc/fstab to make the content of the ftp account of bobs_websites accessible to the web server (the mount point is the directory created under /var/www above):
/home/bobs_websites/ftp/bobs_wordpress_site /var/www/bobs_wordpress_site none bind 0 0
5. Voilà
If you want to add more websites, Bob MUST ask the administrator to add another subdirectory in the ftp directory and another entry in /etc/fstab for the new site.
In any case he is not allowed to write into the ftp directory itself and cannot see anything outside it.
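Steps 1 to 5 above, collected into one script together with a check that the resulting layout is really locked down (home directory is the ftp root, the ftp root carries no write bit, the site directory exists inside it). This is an added example and not the wiki's own code; it assumes Debian/Ubuntu tools (www-data, useradd, usermod, getent, mount), a web root of /var/www, and the variant where the user keeps its own uid with www-data as its group. The function names are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: steps 1-5 of the "pure ftp user"
# procedure as one script, plus checks that the result is locked down.
# Assumes Debian/Ubuntu (www-data, useradd/usermod, getent), a web root of
# /var/www, and that the user keeps its own uid with www-data as its group.

# 0 if directory $1 has no write bit for owner, group or other.
# vsftpd refuses a writable chroot root, and a writable root would let the
# user create files beside the bind-mounted site. Reads the mode string
# from ls, so it needs no root and works on Linux and BSD alike.
ftp_root_is_readonly() {
    mode=$(ls -ld "$1" | cut -c2-10)        # e.g. "r-xr-xr-x"
    case "$mode" in
        *w*) return 1 ;;
    esac
    return 0
}

# The /etc/fstab line that makes the site directory inside the user's
# ftp root visible under the web server's document root.
fstab_bind_line() {                          # $1 = ftp user, $2 = site name
    printf '/home/%s/ftp/%s /var/www/%s none bind 0 0\n' "$1" "$2" "$2"
}

# 0 if the account's layout matches the page: home is the read-only ftp
# root, and the site directory exists inside it.
verify_ftp_user() {                          # $1 = ftp user, $2 = site name
    home=$(getent passwd "$1" | cut -d: -f6)
    [ "$home" = "/home/$1/ftp" ] || { echo "home of $1 is '$home', not /home/$1/ftp" >&2; return 1; }
    ftp_root_is_readonly "$home" || { echo "$home is writable" >&2; return 1; }
    [ -d "$home/$2" ] || { echo "site directory $home/$2 is missing" >&2; return 1; }
    return 0
}

# Run the whole procedure; must be executed as root.
create_ftp_user() {                          # $1 = ftp user, $2 = site name
    user=$1; site=$2
    [ "$(id -u)" -eq 0 ] || { echo "create_ftp_user: run as root" >&2; return 1; }
    web_gid=$(id -g www-data)

    # 1. the account, in the web server's group so Apache can read uploads
    id "$user" >/dev/null 2>&1 || useradd --gid "$web_gid" -b /home -m "$user"
    # 2. the ftp root is a subdirectory, so the user never sees /home
    mkdir -p "/home/$user/ftp/$site"
    usermod -d "/home/$user/ftp" "$user"
    # 3. the ftp root is owned by root and not writable (chroot requirement);
    #    the site directory inside it is the only place the user may write
    chown root:root "/home/$user/ftp"
    chmod a-w "/home/$user/ftp"
    chown "$user:$web_gid" "/home/$user/ftp/$site"
    # 4. Apache will not serve from /home: bind-mount the site into /var/www
    mkdir -p "/var/www/$site"
    line=$(fstab_bind_line "$user" "$site")
    grep -qxF "$line" /etc/fstab || echo "$line" >> /etc/fstab
    mount "/var/www/$site"
    # 5. password for FTP logins, then check the layout
    passwd "$user"
    verify_ftp_user "$user" "$site"
}

# Demo that needs no root: a throw-away directory locked down like the ftp
# root, and the fstab line for Bob's site from the page.
demo_dir=$(mktemp -d)
chmod a-w "$demo_dir"
if ftp_root_is_readonly "$demo_dir"; then echo "$demo_dir: read-only, OK"; fi
fstab_bind_line bobs_websites bobs_wordpress_site
rmdir "$demo_dir"
```

On the server, `create_ftp_user bobs_websites bobs_wordpress_site` as root performs the whole procedure, and `verify_ftp_user bobs_websites bobs_wordpress_site` can be rerun at any time (for example after someone "fixes" permissions by hand) to confirm that the ftp root has not become writable and the home directory still points at it.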