Difference between revisions of "FTP"

From Blue-IT.org Wiki

(Installation for Ubuntu 14.04 and up)
(Create pure ftp users with their own ftp directory)
 
(9 intermediate revisions by the same user not shown)
Latest revision as of 11:26, 29 June 2017

VSFTP

The "Vsftp" FTP-server claims to be the "probably most secure and fastest FTP server for UNIX-like systems". Unfortunately it turned out: to get it running really securely, was not very easy. ;-)

This is also a small guide to creating a dedicated FTP user that can manage a website without SSH access.

I also recommend using OpenVPN: vsftpd can be bound to the VPN interface via listen_address, so the FTP port never has to be exposed to the outside world.

Installation for Ubuntu 14.04 and up

sudo apt-get install vsftpd
cd /etc
sudo touch vsftpd.conf           # server configuration
sudo touch vsftpd.user_list      # allowed users
sudo touch vsftpd.chroot_list    # normally empty

You can also use the /etc/vsftpd directory if you like. It does not matter where these files live or how they are named, as long as their paths are written into the configuration file.

Troubleshooting

1. I could not get the service running under Ubuntu 14.04 because of the wrong service name in the configuration file:

# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT (keep comments on their own line: vsftpd takes the whole rest of a
# setting line as the value, so "pam_service_name=ftp # foo" would be rejected)
pam_service_name=ftp

2. The service did not start because the base directory of the FTP user has to be non-writable:

# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so ONLY THIS:
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work:  you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES

Configuration file

My allowed user list:

vim /etc/vsftpd.user_list
# allowed user list
bobs_websites

My configuration file using the above vsftpd.user_list. As you can see, my vsftpd instance listens on a local IP address, which belongs to my VPN interface (tun0). This way I don't have to open the port to the outside world:

vim /etc/vsftpd.conf
# /etc/vsftpd.conf - vsftpd configuration file
#
# Run standalone
listen=YES
# private ip / VPN interface (tun0); vsftpd does not allow a comment or
# annotation on the same line as a setting, so it goes here instead
listen_address=192.168.50.1
#listen_address=xxx.xxx.xxx.xxx (public ip)
listen_port=21
#
# Allow anonymous FTP
anonymous_enable=NO
anon_world_readable_only=NO
#
# Allow local users to log in (IMPORTANT!)
local_enable=YES
#
# Allow any form of FTP write command (IMPORTANT)
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to write files
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Uploaded anonymous files to be owned by a different user
#chown_uploads=YES
#chown_username=www-data
#
# Log file path
xferlog_file=/var/log/vsftpd.log
#
# Log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# Customise the login banner string
ftpd_banner=Welcome.
#
# Use the contents of this file for the login banner
#banner_file=/etc/vsftpd/banner
#
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work:  you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writable_chroot=YES
#
# List of local users to chroot() to their home directory. If
# chroot_local_user is YES, then this list becomes a list of users to NOT
# chroot()
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list # EXISTS BUT IS EMPTY 
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT
pam_service_name=ftp
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
# Not to require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL
force_local_logins_ssl=NO
force_local_data_ssl=NO
#
# Disable seccomp sandboxing new feature because it causes errors
# https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1195816
seccomp_sandbox=NO
#
#############################################################################
# CUSTOMIZIATION
#############################################################################
# Userlist
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
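As an added example (not part of the wiki page), here is a small POSIX shell lint for a vsftpd.conf that catches the mistakes discussed in the Troubleshooting section and in the configuration above: an inline comment or annotation on a setting line (vsftpd takes the whole remainder of the line as the value and then refuses to start), local users that are not chrooted, a writable chroot root, anonymous logins, and SSL enabled without forcing it for logins. The two sample configurations it writes are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not part of the wiki page: lint a vsftpd.conf for the
# pitfalls discussed above. vsftpd reads every non-comment line as key=value
# and takes the whole remainder of the line as the value, so a trailing
# "# comment" or annotation turns a valid setting into garbage
# ("500 OOPS: bad bool value in config file for: local_enable").
# Usage: lint_vsftpd_conf /etc/vsftpd.conf   -> prints findings, exit 1 if any

lint_vsftpd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment and blank lines
        {
            n = index($0, "=")
            if (n == 0) { print "line " NR ": not key=value: " $0; bad++; next }
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            if (val ~ /#/ || val ~ /[ \t]/) {
                print "line " NR ": " key " has an inline comment or whitespace in its value (vsftpd uses the whole rest of the line): " val
                bad++
            }
            opt[key] = val
        }
        END {
            if (opt["local_enable"] == "YES" && opt["chroot_local_user"] != "YES") {
                print "local users are not chrooted (chroot_local_user is not YES): they can browse the whole server"; bad++
            }
            if (opt["chroot_local_user"] == "YES" && opt["allow_writable_chroot"] == "YES") {
                print "allow_writable_chroot=YES: the chroot root is writable; use chmod a-w on the ftp root instead"; bad++
            }
            if (opt["anonymous_enable"] == "YES") { print "anonymous_enable=YES: anonymous logins are allowed"; bad++ }
            if (opt["ssl_enable"] == "YES" && opt["force_local_logins_ssl"] != "YES") {
                print "force_local_logins_ssl is not YES: passwords may still be sent in clear text"; bad++
            }
            exit (bad > 0 ? 1 : 0)
        }' "$1"
}

# Constructed sample with the exact mistakes discussed above (inline comments,
# an annotated listen_address, a writable chroot).
write_broken_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
listen=YES
listen_address=192.168.50.1  (private ip / VPN)
anonymous_enable=NO
local_enable=YES  # IMPORTANT!
write_enable=YES
chroot_local_user=YES
allow_writable_chroot=YES
pam_service_name=ftp
EOF
    echo "$f"
}

# Constructed sample in the form vsftpd actually accepts.
write_clean_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
listen=YES
# private ip / VPN interface
listen_address=192.168.50.1
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pam_service_name=ftp
EOF
    echo "$f"
}

# Stand-alone demonstration: lint the broken sample, then the clean one.
f=$(write_broken_conf); lint_vsftpd_conf "$f" || echo "broken sample: see findings above"
g=$(write_clean_conf);  lint_vsftpd_conf "$g" && echo "clean sample: no findings"
```

Run it against the real file with lint_vsftpd_conf /etc/vsftpd.conf before restarting the service; a non-zero exit status means at least one finding was printed.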

Security

Create pure ftp users with their own ftp directory

This point is sometimes neglected. An FTP user is something different from a normal shell user. Normally you want to prevent such users from seeing the content on the server, including the home directories under /home. A logged-in FTP user can ALWAYS see the directory directly below its own root directory; unless explicitly confined (chrooted), it can also see the whole server content. For example, an FTP user called bobs_websites with the home directory /home/bobs_websites can see all content in /home if nothing is done about it. How can this be avoided? There are two ways to get a pure FTP user and separate it from the server's content.

Example

We want to let an FTP user manage the content of its website. This FTP user is called bobs_websites. The website is a WordPress site and its directory on our server is called bobs_wordpress_site (found under e.g. /var/www/bobs_wordpress_site). Bob should see only, and really only, his own website content and the (empty) FTP root folder. He should be able to upload, download and alter files without any hassle; therefore the files must be owned by the web server's (Apache) www-data user and group. How can this be achieved?

1. We need the uid and gid of the web server (Apache). The FTP user bobs_websites must run under these (www-data). You can get the ids of www-data with the id command:

#> id -u www-data  # gives the user-id of www-data
33
#> id -g www-data  # gives the group-id of www-data
33

You can also alter an existing user with usermod to match the new ids:

usermod -o -u 33 bobs_websites # -o allows the non-unique uid (www-data already has 33); you can also leave bobs_websites with its own unique id
usermod -g 33 bobs_websites

Afterwards, change the ownership of the user's files to the new ids:

find /home/bobs_websites -exec chown -h 33 {} \;
find /home/bobs_websites -exec chgrp -h 33 {} \;

If the user does not exist yet, we can do it all at once with useradd:

useradd --gid 33 -o --uid 33 -b /home/ -m bobs_websites

Or this, which leaves bobs_websites with its own uid and only shares the gid of www-data:

useradd --gid 33 -b /home/ -m bobs_websites

Now set a password for the ftp user:

passwd bobs_websites

2. THIS IS IMPORTANT: create a subdirectory bobs_websites/ftp and make this FTP directory the home directory of the user:

mkdir -p /home/bobs_websites/ftp
usermod --home-dir /home/bobs_websites/ftp bobs_websites

3. THIS IS IMPORTANT: make the FTP directory non-writable (this is also CRUCIAL for getting chroot and vsftpd to work):

chmod a-w /home/bobs_websites/ftp

4. Apache will refuse to serve a website from under a home directory. The trick is to create the website under /var/www (or /srv/www) and then mount it with a bind mount under the ftp

mkdir -p /srv/www/bobs_wordpress_site                   # mount point seen by apache (matches the fstab entry)
mkdir -p /home/bobs_websites/ftp/bobs_wordpress_site    # this is the place for the wordpress install
chown 33:33 /home/bobs_websites/ftp/bobs_wordpress_site # the site dir itself must be writable by the ftp user (www-data ids)

Add this to your /etc/fstab to make the content of the FTP account of bobs_websites accessible to the web server:

 /home/bobs_websites/ftp/bobs_wordpress_site /srv/www/bobs_wordpress_site  none bind  0  0

5. Voilà

If you want to add more websites, Bob MUST ask the administrator to add another subdirectory in the FTP directory and another entry in /etc/fstab for the new site.

In any case he is not allowed to write into the FTP directory itself and cannot see anything outside it.
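The procedure above as one script, added here as an example and not taken from the wiki: provision_ftp_user runs steps 1 to 4 for a given user and site (it needs root, uses the shared-uid variant of step 1 and assumes /srv/www as the web root, as in the fstab line), while check_ftp_jail and bind_target verify an existing layout against the invariants the steps establish: a jail root that nobody can write, site directories that the FTP user can write, and a bind mount entry in fstab. The temporary jail it builds for the demonstration is constructed:

```shell
#!/bin/sh
# Added example, not from the wiki page. provision_ftp_user() performs steps
# 1-4 above for a given user and site; the verification helpers check the
# invariants those steps establish. Names (bobs_websites, bobs_wordpress_site)
# and the /srv/www web root are the page's own example values, assumed here.

# Mode string of a path, e.g. "dr-xr-xr-x" (portable: no GNU stat needed).
mode_of() { ls -ld "$1" | cut -c1-10; }

# 0 if nobody may write the directory. vsftpd refuses to chroot() a user
# into a writable root, which is why step 3 runs chmod a-w on the ftp dir.
dir_is_unwritable() {
    case "$(mode_of "$1")" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# 0 if JAIL looks like the layout built above: a read-only jail root whose
# site directories are each writable by their owner (the FTP/www-data user).
check_ftp_jail() {
    jail="$1"
    [ -d "$jail" ] || { echo "$jail: not a directory"; return 1; }
    dir_is_unwritable "$jail" || { echo "$jail: jail root is writable (chmod a-w it)"; return 1; }
    for site in "$jail"/*/; do
        [ -d "$site" ] || continue          # no sites yet
        case "$(mode_of "$site")" in
            ??w*) ;;                        # owner may write
            *) echo "$site: not writable by its owner"; return 1 ;;
        esac
    done
    return 0
}

# Print the mount point FSTAB bind-mounts SRC onto (empty if no entry).
bind_target() {
    awk -v src="$2" '$1 == src && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { print $2 }' "$1"
}

# Steps 1-4 from above in one go. Needs root. Usage:
#   provision_ftp_user bobs_websites bobs_wordpress_site [/srv/www]
provision_ftp_user() {
    user="$1"; site="$2"; webroot="${3:-/srv/www}"
    uid=$(id -u www-data) && gid=$(id -g www-data) || return 1
    jail="/home/$user/ftp"
    id "$user" >/dev/null 2>&1 || useradd --gid "$gid" -o --uid "$uid" -b /home -m "$user"
    mkdir -p "$jail/$site" "$webroot/$site"
    usermod --home-dir "$jail" "$user"
    chown "$uid:$gid" "$jail/$site"         # the site must be writable by the FTP user ...
    chmod a-w "$jail"                       # ... but the jail root must not be
    grep -q "^$jail/$site " /etc/fstab ||
        printf '%s %s none bind 0 0\n' "$jail/$site" "$webroot/$site" >> /etc/fstab
    mountpoint -q "$webroot/$site" || mount "$webroot/$site"
    check_ftp_jail "$jail"
}

# Constructed demo layout in a temporary directory, mirroring the page's example.
make_demo_jail() {
    base=$(mktemp -d)
    mkdir -p "$base/ftp/bobs_wordpress_site"
    chmod 755 "$base/ftp/bobs_wordpress_site"
    chmod a-w "$base/ftp"
    printf '%s %s none bind 0 0\n' "$base/ftp/bobs_wordpress_site" \
        "/srv/www/bobs_wordpress_site" > "$base/fstab"
    echo "$base"
}

base=$(make_demo_jail)
check_ftp_jail "$base/ftp" && echo "jail layout ok"
echo "apache sees it at: $(bind_target "$base/fstab" "$base/ftp/bobs_wordpress_site")"
```

On a real host, check_ftp_jail /home/bobs_websites/ftp is the thing to run after every change to the layout: a writable jail root is exactly the condition that makes vsftpd refuse the login, and a site directory the FTP user cannot write is the reason uploads silently fail.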