FTP
From Blue-IT.org Wiki
VSFTP
The vsftpd FTP server claims to be "probably the most secure and fastest FTP server for UNIX-like systems". Unfortunately it turned out that getting it to run really securely was not very easy. ;-)
Installation for Ubuntu 14.04 and up
sudo apt-get install vsftpd
cd /etc
sudo touch vsftpd.conf         # server configuration
sudo touch vsftpd.user_list    # allowed users
sudo touch vsftpd.chroot_list  # normally empty
You can also use the /etc/vsftpd directory if you like. It does not matter where these files are located or what they are named; their locations are declared in the configuration file.
Troubleshooting
1. I could not get the service running under Ubuntu 14.04 because of a wrong PAM service name in the configuration file (note that vsftpd takes everything after the "=" literally, so comments belong on their own line):
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT
pam_service_name=ftp
2. The service did not start because the FTP user's base (chroot) directory has to be non-writable:
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
# ONLY THIS:
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writeable_chroot=YES
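Both troubleshooting items come from the same property of vsftpd: its configuration parser is strict, one setting per line, and everything after the "=" is the value. As an added example (not from this wiki page and not part of vsftpd), here is a small POSIX shell linter that flags exactly those mistakes in a vsftpd.conf: a value with a trailing "# comment" or an annotation such as "(private ip)", a boolean followed by extra text, a pam_service_name that is missing or points to a file that does not exist in pam.d, and a missing chroot_local_user=YES. The function name lint_vsftpd_conf, the sample configuration and the fake pam.d directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of vsftpd: a small linter for the
# two mistakes above.  vsftpd reads every non-comment line as key=value and takes
# the value literally, so a trailing "# IMPORTANT" after a value, an annotation
# like "(private ip)" or a commented-out pam_service_name gives a broken setup
# (typically "530 Login incorrect").  Function name, the sample config and the
# fake pam.d directory used in the demo are constructed.

# lint_vsftpd_conf CONF [PAM_DIR]
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
lint_vsftpd_conf() {
    conf=$1
    pamdir=${2:-/etc/pam.d}
    rc=0
    pam_service=''
    chroot_local_user=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                      # blank lines and comments
            *=*)     ;;                               # key=value, inspected below
            *)       echo "not a key=value line: $line"; rc=1; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        bad=''
        case $value in
            *'#'*)      bad="'#' in value (vsftpd keeps trailing comments as part of the value)" ;;
            YES?*|NO?*) bad="boolean followed by extra text" ;;
        esac
        # Paths, names, addresses and ports never contain whitespace
        # (ftpd_banner legitimately may, so it is not checked here).
        if [ -z "$bad" ]; then
            case $key in
                *_address|*_file|*_dir|*_name|*_port)
                    case $value in *[[:space:]]*) bad="whitespace in value" ;; esac ;;
            esac
        fi
        if [ -n "$bad" ]; then echo "$key: $bad: $value"; rc=1; fi
        case $key in
            pam_service_name)  pam_service=$value ;;
            chroot_local_user) chroot_local_user=$value ;;
        esac
    done < "$conf"
    # The PAM service must be set and must exist as a file in pam.d,
    # otherwise every local login fails.
    if [ -z "$pam_service" ]; then
        echo "pam_service_name is not set (commented out?)"; rc=1
    elif [ ! -f "$pamdir/$pam_service" ]; then
        echo "pam_service_name=$pam_service but $pamdir/$pam_service does not exist"; rc=1
    fi
    # Without chroot_local_user=YES nothing on this page jails the users.
    [ "$chroot_local_user" = YES ] || { echo "chroot_local_user is not YES: local users are not jailed"; rc=1; }
    return $rc
}

# Demo: a constructed config that reproduces the mistakes from the page, checked
# against a fake pam.d that only contains the "ftp" service.
demo=$(mktemp -d)
mkdir "$demo/pam.d" && : > "$demo/pam.d/ftp"
cat > "$demo/vsftpd.conf" <<'EOF'
listen=YES
listen_address=192.168.50.1 (private ip / VPN)
#pam_service_name=vsftpd
pam_service_name=ftp # IMPORTANT
chroot_local_user=YES
EOF
lint_vsftpd_conf "$demo/vsftpd.conf" "$demo/pam.d" || echo "-> fix the findings above and restart vsftpd"
rm -rf "$demo"
```

Run it against the real file with `lint_vsftpd_conf /etc/vsftpd.conf` (pam.d defaults to /etc/pam.d); a clean file prints nothing and the function returns 0, which makes it usable from a deployment script before restarting the service.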
Configuration file
My chroot user list
vim /etc/vsftpd.user_list
# allowed user list
bobs_websites
My configuration file, using the vsftpd.user_list above:
vim /etc/vsftpd.conf
# /etc/vsftpd.conf - vsftpd configuration file
#
# Run standalone
listen=YES
# private ip / VPN
listen_address=192.168.50.1
# public ip
#listen_address=xxx.xxx.xxx.xxx
listen_port=21
#
# Allow anonymous FTP
anonymous_enable=NO
anon_world_readable_only=NO
#
# Allow local users to log in
# IMPORTANT!
local_enable=YES
#
# Allow any form of FTP write command
# IMPORTANT
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to write files
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Uploaded anonymous files to be owned by a different user
#chown_uploads=YES
#chown_username=www-data
#
# Log file path
xferlog_file=/var/log/vsftpd.log
#
# Log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# Customise the login banner string
ftpd_banner=Welcome.
#
# Use the contents of this file for the login banner
#banner_file=/etc/vsftpd/banner
#
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the users base dir not writable with: chmod a-w /home/ftp_user
#allow_writeable_chroot=YES
#
# List of local users to chroot() to their home directory. If
# chroot_local_user is YES, then this list becomes a list of users to NOT
# chroot()
#chroot_list_enable=YES
# EXISTS BUT IS EMPTY
#chroot_list_file=/etc/vsftpd/chroot_list
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT
pam_service_name=ftp
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
# Not to require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL
force_local_logins_ssl=NO
force_local_data_ssl=NO
#
# Disable seccomp sandboxing new feature because it causes errors
# https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1195816
seccomp_sandbox=NO
#
#############################################################################
# CUSTOMIZATION
#############################################################################
# Userlist
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
Security
Create pure FTP users with their own FTP directory
This point is sometimes neglected. An FTP user is something different from a normal shell user. Normally you want to prevent such users from seeing the content of the server, or the home directories under /home. A logged-in FTP user can ALWAYS see the directory directly below its own root directory. If not explicitly restricted (chrooted), he can also see the whole server content. For example: an FTP user called bobs_websites with the home directory /home/bobs_websites can see all content in /home if nothing is done about it. How can this be avoided? There are two ways to get a pure FTP user and separate it from the server's content.
Example
We want to let the FTP user manage his website content. This FTP user should be called bobs_websites. The website is a WordPress site and the directory on our server is called bobs_wordpress_site (found under e.g. /var/www/bobs_wordpress_site). Bob should only, and really only, see his own website content and the (empty) FTP root folder. He should be able to upload, download and alter files without any hassle. Therefore the files must belong to the web server's (Apache) www-data user and group. How can this be achieved?
1. We need the web server's (Apache) uid and gid. The FTP user bobs_websites must run under these (www-data). You can get the ids of www-data with the id command:
#> id -u www-data    # gives the user-id of www-data
33
#> id -g www-data    # gives the group-id of www-data
33
You can also change an existing user with usermod to match the new ids (-o allows the uid to be shared with www-data):
usermod -o -u 33 bobs_websites
usermod -g 33 bobs_websites
Afterwards change the ownership of the directory tree:
find /home/bobs_websites -exec chown -h 33 {} \;
find /home/bobs_websites -exec chgrp -h 33 {} \;
If the user does not exist yet, create a user called bobs_websites with the web server's uid and gid and let useradd create (-m) its home directory:
useradd --gid 33 -o --uid 33 -b /home/ -m bobs_websites
2. THIS IS IMPORTANT: create a subdirectory ftp below /home/bobs_websites and make this FTP directory the home directory of the user:
mkdir -p /home/bobs_websites/ftp
usermod -d /home/bobs_websites/ftp bobs_websites
3. THIS IS IMPORTANT: make the FTP directory not writable (this is also CRUCIAL for getting chroot and vsftpd to work):
chmod a-w /home/bobs_websites/ftp
4. Apache will refuse to run a website under the home directory. The trick is to keep the website files inside the FTP directory and to bind-mount that directory to /var/www (or /srv/www), where Apache expects it:
mkdir /var/www/bobs_wordpress_site                      # the mount point Apache will serve
mkdir /home/bobs_websites/ftp/bobs_wordpress_site       # this is the place for the wordpress install
chown 33:33 /home/bobs_websites/ftp/bobs_wordpress_site # so that bobs_websites (uid 33) can write into it
Add this to your /etc/fstab to make the content of the FTP account of bobs_websites accessible to the web server:
/home/bobs_websites/ftp/bobs_wordpress_site /var/www/bobs_wordpress_site none bind 0 0
5. Voilà
If you want to add more websites, Bob MUST ask the administrator to add another subdirectory in the FTP directory and another entry in /etc/fstab for the new site.
In any case he is not allowed to write into the FTP directory itself and cannot see anything outside of it.
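To verify that a jail built with the five steps above actually has the properties this page relies on, here is an added shell audit script (example code, not from the wiki page): it checks that the user's passwd entry carries the web server's uid/gid and has the ftp directory as its home, that the ftp directory carries no write bit at all, that everything in the site directory is owned by that uid/gid, and that /etc/fstab contains the bind mount into the web root. Function names and the sample tree, passwd and fstab files in the demo are constructed; on the real server you would pass 33 33 and let the PASSWD and FSTAB arguments default to /etc/passwd and /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an FTP jail built the way the
# five steps above describe.  All checks are plain file and text inspections,
# so they run without root and can be pointed at a real server or at a test
# tree.  Function names are constructed; on a real server UID/GID are the
# web server's ids from "id -u www-data" / "id -g www-data" (33 on the page).

# check_user USER JAIL UID GID [PASSWD]
# Steps 1 and 2: the FTP user carries the web server's uid/gid and its home
# is the jail directory.
check_user() {
    awk -F: -v u="$1" -v h="$2" -v uid="$3" -v gid="$4" \
        '$1 == u { found = 1; if ($3 == uid && $4 == gid && $6 == h) ok = 1 }
         END { exit !(found && ok) }' "${5:-/etc/passwd}"
}

# check_jail_dir DIR
# Step 3: the chroot base must carry no write bit for anyone (chmod a-w),
# or vsftpd refuses the login.  The mode string from "ls -ld" is portable.
check_jail_dir() {
    [ -d "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        *w*) return 1 ;;
    esac
    return 0
}

# check_site_owner DIR UID GID
# Step 1: everything inside the site directory belongs to the web server's
# uid/gid, otherwise Apache (or Bob, who shares the ids) cannot use it.
check_site_owner() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print | head -n 1)" ]
}

# check_fstab_bind SRC DST [FSTAB]
# Step 4: the site directory inside the jail is bind-mounted to the web root.
check_fstab_bind() {
    awk -v s="$1" -v d="$2" \
        '$1 == s && $2 == d && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
         END { exit !found }' "${3:-/etc/fstab}"
}

# audit_ftp_jail USER JAIL SITE WWW_ROOT UID GID [PASSWD] [FSTAB]
# Runs the four checks, prints one line per failure, returns 1 if any failed.
audit_ftp_jail() {
    user=$1 jail=$2 site=$3 wwwroot=$4 uid=$5 gid=$6
    passwd=${7:-/etc/passwd} fstab=${8:-/etc/fstab}
    rc=0
    check_user "$user" "$jail" "$uid" "$gid" "$passwd" \
        || { echo "$user: home is not $jail or uid/gid is not $uid/$gid"; rc=1; }
    check_jail_dir "$jail" \
        || { echo "$jail: missing or writable (fix: chmod a-w $jail)"; rc=1; }
    check_site_owner "$jail/$site" "$uid" "$gid" \
        || { echo "$jail/$site: not every file is owned by $uid:$gid"; rc=1; }
    check_fstab_bind "$jail/$site" "$wwwroot/$site" "$fstab" \
        || { echo "$fstab: no bind mount $jail/$site -> $wwwroot/$site"; rc=1; }
    return $rc
}

# Demo on a constructed tree mirroring the page's layout (not a real server):
# jail /home/bobs_websites/ftp, site bobs_wordpress_site inside it, bind-mounted
# to /var/www.  The current uid/gid stand in for www-data's 33/33.
t=$(mktemp -d)
jail=$t/home/bobs_websites/ftp
mkdir -p "$jail/bobs_wordpress_site" "$t/var/www/bobs_wordpress_site"
chmod a-w "$jail"
printf 'bobs_websites:x:%s:%s::%s:/bin/false\n' "$(id -u)" "$(id -g)" "$jail" > "$t/passwd"
printf '%s/bobs_wordpress_site %s/var/www/bobs_wordpress_site none bind 0 0\n' "$jail" "$t" > "$t/fstab"
audit_ftp_jail bobs_websites "$jail" bobs_wordpress_site "$t/var/www" "$(id -u)" "$(id -g)" "$t/passwd" "$t/fstab" \
    && echo "bobs_websites: jail set up as described"
chmod u+w "$jail"   # the classic mistake: a writable chroot base
audit_ftp_jail bobs_websites "$jail" bobs_wordpress_site "$t/var/www" "$(id -u)" "$(id -g)" "$t/passwd" "$t/fstab" \
    || echo "-> the audit catches the writable jail"
rm -rf "$t"
```

On the server itself the call is `audit_ftp_jail bobs_websites /home/bobs_websites/ftp bobs_wordpress_site /var/www 33 33`; the fstab check only proves the entry exists, so after editing /etc/fstab still run `mount -a` and confirm with `mount | grep bobs_wordpress_site` that the bind mount is active.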