FTP

From Blue-IT.org Wiki

Revision as of 14:29, 28 June 2017 by Apos (talk | contribs) (Configuration file)

VSFTP

The vsftpd FTP server ("Very Secure FTP Daemon") claims to be "probably the most secure and fastest FTP server for UNIX-like systems". Unfortunately, it turned out that getting it to run really securely was not very easy. ;-)

Installation for Ubuntu 14.04 and up

sudo apt-get install vsftpd
cd /etc
sudo touch vsftpd.conf           # server configuration
sudo touch vsftpd.user_list      # allowed users
sudo touch vsftpd.chroot_list    # normally empty

You can also use the /etc/vsftpd directory if you like. It does not matter where the user list and the chroot list are placed or what they are called, as long as the paths in the configuration file (userlist_file, chroot_list_file) point to them. The configuration file itself is read from /etc/vsftpd.conf unless another path is given on the vsftpd command line.

Troubleshooting

1. I could not get the service running under Ubuntu 14.04 because of the wrong PAM service name in the configuration file:

# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT (the comment must stay on its own line: vsftpd takes everything after "=" as the value)
pam_service_name=ftp

2. vsftpd refused to work ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") because the chroot root, i.e. the FTP user's home directory, must not be writable:

# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
# ONLY THIS (comment on its own line; "YES # ONLY THIS" would be rejected as a bad bool value)
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the user's base dir not writable with: chmod a-w /home/ftp_user
# (vsftpd spells the option allow_writeable_chroot and refuses to start on an unknown option
#  name; even spelled correctly, a writable chroot root is exactly what the check protects against)
#allow_writable_chroot=YES

Configuration file

My allowed user list:

vim /etc/vsftpd.user_list
# allowed user list (with userlist_deny=NO only these users may log in)
bobs_websites

My configuration file using above vsftpd.user_list:

vim /etc/vsftpd.conf
# /etc/vsftpd.conf - vsftpd configuration file
#
# Run standalone
listen=YES
# Bind to the private / VPN address only (comments must be on their own line,
# vsftpd would otherwise take "192.168.50.1  (private ip / VPN)" as the address)
listen_address=192.168.50.1
#listen_address=xxx.xxx.xxx.xxx (public ip)
listen_port=21
#
# Allow anonymous FTP
anonymous_enable=NO
anon_world_readable_only=NO
#
# Allow local users to log in
# IMPORTANT!
local_enable=YES
#
# Allow any form of FTP write command
# IMPORTANT
write_enable=YES
#
# Default umask is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd)
local_umask=022
anon_umask=022
#
# Allow the anonymous FTP user to write files
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
#
# Activate directory messages
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone
use_localtime=YES
#
# Activate logging of uploads/downloads
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)
connect_from_port_20=YES
#
# Uploaded anonymous files to be owned by a different user
#chown_uploads=YES
#chown_username=www-data
#
# Log file path
xferlog_file=/var/log/vsftpd.log
#
# Log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# Customise the login banner string
ftpd_banner=Welcome.
#
# Use the contents of this file for the login banner
#banner_file=/etc/vsftpd/banner
#
# Restrict local users to their home directories
# Root dir of FTP user MUST not be writable, so
chroot_local_user=YES
#user_config_dir=/etc/vsftpd_user_conf
# Does not work: you have to make the user's base dir not writable with: chmod a-w /home/ftp_user
# (vsftpd spells the option allow_writeable_chroot and refuses to start on an unknown option
#  name; even spelled correctly, a writable chroot root is not safe)
#allow_writable_chroot=YES
#
# List of local users to chroot() to their home directory. If
# chroot_local_user is YES, then this list becomes a list of users to NOT
# chroot()
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list # EXISTS BUT IS EMPTY 
#
# Activate the "-R" option to the builtin ls. This is disabled by default to
# avoid remote users being able to cause excessive I/O on large sites.
# However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option
ls_recurse_enable=YES
#
# Show textual names in the user and group fields of directory listings
text_userdb_names=YES
#
# Empty directory not writable by the ftp user as a secure chroot() jail at
# times vsftpd does not require filesystem access
secure_chroot_dir=/var/run/vsftpd/empty
#
# PAM service vsftpd will use
#pam_service_name=vsftpd
# https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect
# IMPORTANT (comment kept on its own line: vsftpd takes everything after "=" as the value).
# Check what /etc/pam.d/ftp contains on your system: if that file does not exist, PAM falls
# back to /etc/pam.d/other, and the checks of the packaged /etc/pam.d/vsftpd (such as the
# /etc/ftpusers deny list) no longer apply to FTP logins.
pam_service_name=ftp
#
# Support secure connections via SSL. This applies to the control connection
# (including login) and also data connections
ssl_enable=YES
#
# Certificate to use for SSL encrypted connections (the private key is expected
# in the same file unless rsa_private_key_file is set)
rsa_cert_file=/etc/vsftpd/ssl/ssl.pem
#
# Not to require all SSL data connections to exhibit SSL session reuse
require_ssl_reuse=NO
#
# Force authenticated login and data via SSL.
# NO means TLS is only offered: clients may still log in and transfer in cleartext,
# password included. Set both to YES once all your clients support FTPS.
force_local_logins_ssl=NO
force_local_data_ssl=NO
#
# Disable seccomp sandboxing new feature because it causes errors
# https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1195816
seccomp_sandbox=NO
#
#############################################################################
# CUSTOMIZIATION
#############################################################################
# Userlist: with userlist_deny=NO only the users named in userlist_file may log in;
# everybody else is rejected before a password is even asked for
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
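The configuration above has a pitfall that is easy to miss: vsftpd parses every non-comment line strictly as key=value, so a trailing "# comment" on an option line becomes part of the value (a boolean option then fails with "500 OOPS: bad bool value in config file", a string option silently gets a wrong value), and an unrecognised option name stops the daemon from starting at all. The following lint script is an added example; it is not part of this wiki page and not a tool shipped with vsftpd. It checks a vsftpd.conf for these parse problems, for the misspelling allow_writable_chroot (vsftpd's option is allow_writeable_chroot), and for the security settings discussed above (anonymous access, writable chroot root, TLS enabled but not enforced). The sample configuration embedded in it is constructed for the demonstration and is not the full file above.

```shell
#!/bin/sh
# Added example (not from the Blue-IT.org page and not part of vsftpd): a
# small lint for vsftpd.conf.  vsftpd parses every non-comment line strictly
# as key=value, so a trailing "# comment" on an option line becomes part of
# the value: boolean options then fail with "500 OOPS: bad bool value in
# config file", string options silently get a wrong value, and an unknown
# option name makes the daemon refuse to start.  The lint flags those parse
# problems plus the security settings discussed on this page.

# Boolean options used on this page (vsftpd accepts only YES or NO for them).
VSFTPD_BOOL_OPTS="listen anonymous_enable anon_world_readable_only local_enable
write_enable anon_upload_enable anon_mkdir_write_enable anon_other_write_enable
dirmessage_enable use_localtime xferlog_enable connect_from_port_20 chown_uploads
xferlog_std_format chroot_local_user chroot_list_enable ls_recurse_enable
text_userdb_names ssl_enable require_ssl_reuse force_local_logins_ssl
force_local_data_ssl seccomp_sandbox userlist_deny userlist_enable
allow_writeable_chroot"

is_bool_opt() {
    for _o in $VSFTPD_BOOL_OPTS; do
        if [ "$_o" = "$1" ]; then return 0; fi
    done
    return 1
}

# Lint the file given as $1: one line per finding, then "findings: N".
vsftpd_lint() {
    _n=0
    _ssl=NO; _force_login=NO; _force_data=NO
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;          # blank line or full-line comment
        esac
        case "$_line" in
            *=*) ;;
            *) echo "E: not key=value: '$_line'"; _n=$((_n + 1)); continue ;;
        esac
        _key=${_line%%=*}
        _val=${_line#*=}
        case "$_val" in
            *'#'*) echo "E: inline comment becomes part of the value: '$_line'"
                   _n=$((_n + 1)); continue ;;
            *' '*) echo "E: whitespace inside the value: '$_line'"
                   _n=$((_n + 1)); continue ;;
        esac
        if [ "$_key" = allow_writable_chroot ]; then
            echo "E: unknown option '$_key' (vsftpd spells it allow_writeable_chroot)"
            _n=$((_n + 1)); continue
        fi
        if is_bool_opt "$_key"; then
            case "$_val" in
                YES|NO) ;;
                *) echo "E: $_key needs YES or NO, got '$_val'"; _n=$((_n + 1)); continue ;;
            esac
        fi
        case "$_key" in
            ssl_enable)             _ssl=$_val ;;
            force_local_logins_ssl) _force_login=$_val ;;
            force_local_data_ssl)   _force_data=$_val ;;
            anonymous_enable)
                if [ "$_val" = YES ]; then echo "W: anonymous FTP is enabled"; _n=$((_n + 1)); fi ;;
            allow_writeable_chroot)
                if [ "$_val" = YES ]; then echo "W: writable chroot root allowed"; _n=$((_n + 1)); fi ;;
        esac
    done < "$1"
    # TLS that is merely offered still lets every client send the password in the clear.
    if [ "$_ssl" = YES ] && { [ "$_force_login" != YES ] || [ "$_force_data" != YES ]; }; then
        echo "W: ssl_enable=YES but force_local_logins_ssl/force_local_data_ssl are not both YES (cleartext still accepted)"
        _n=$((_n + 1))
    fi
    echo "findings: $_n"
}

# Just the number of findings (0 = clean).
vsftpd_lint_count() { vsftpd_lint "$1" | sed -n 's/^findings: //p'; }

# Constructed sample with the pitfalls discussed above (not the full config file).
VSFTPD_SAMPLE_CONF='listen=YES
listen_address=192.168.50.1  (private ip / VPN)
local_enable=YES  # IMPORTANT!
write_enable=YES
chroot_local_user=YES
#allow_writable_chroot=YES
allow_writable_chroot=YES
pam_service_name=ftp  # IMPORTANT
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list'

_demo=$(mktemp)
printf '%s\n' "$VSFTPD_SAMPLE_CONF" > "$_demo"
vsftpd_lint "$_demo"      # expected: 4 errors, 1 warning, "findings: 5"
rm -f "$_demo"
```

Run it against your real file with `vsftpd_lint /etc/vsftpd.conf`; the boolean list only covers the options used on this page, so extend VSFTPD_BOOL_OPTS if you use others.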

Security

Create pure FTP users with their own FTP directory

This point is sometimes neglected. An FTP user is something different from a normal shell user. Normally you do not want FTP users to see the content of the server, or the home directories under /home. A logged-in FTP user always sees the directory it lands in after login (its home directory, which becomes its root when chrooted). If it is not chrooted, it can also browse the whole server, limited only by ordinary Unix permissions. For example, an FTP user called bobs_websites with the home directory /home/bobs_websites can list everything in /home if nothing is done about it. How can this be avoided? The following example shows how to get a pure FTP user and separate it from the server's content.

Example

We want to let an FTP user manage its website content. This FTP user is called bobs_websites. The website is a WordPress site and its directory on our server is called bobs_wordpress_site (found under e.g. /var/www/bobs_wordpress_site). Bob should see only his own website content and the (empty, read-only) FTP root folder, nothing else. He should be able to upload, download and alter files without any hassle, so the files must be owned by the web server's (Apache) www-data user and group. The approach used here is to give the FTP user the same uid and gid as www-data. Be aware of what that means: to the kernel, bobs_websites and www-data are the same user, so the chroot is the only thing that keeps Bob out of other www-data-writable paths, and everything Bob uploads belongs to the account the web server runs as. How is this achieved?

1. We need the web server's uid and gid (Apache runs as www-data). The FTP user bobs_websites must use these ids. You get them with the id command:

#> id -u www-data  # gives the user-id of www-data
33
#> id -g www-data  # gives the group-id of www-data
33

You can also alter an existing user to match these ids with usermod (-o allows the non-unique uid):

usermod -o -u 33 bobs_websites
usermod -g 33 bobs_websites

Afterwards change the ownership of the user's files (usermod -u re-owns the files in the home directory, but the group is not changed automatically):

find /home/bobs_websites -exec chown -h 33:33 {} +

If the user does not exist yet, create a user called bobs_websites with a home directory (-m) under /home and the web server's uid/gid. Give it no login shell, it is an FTP-only account (if the PAM service file your vsftpd uses contains pam_shells.so, that shell must also be listed in /etc/shells, otherwise logins fail with 530):

useradd -o --uid 33 --gid 33 -b /home -m -s /usr/sbin/nologin bobs_websites

2. THIS IS IMPORTANT: create a subdirectory ftp below the user's home and make this ftp directory the home directory of the user (it becomes the chroot root; usermod's option for the home directory is -d / --home):

mkdir -p /home/bobs_websites/ftp
usermod --home /home/bobs_websites/ftp bobs_websites

3. THIS IS IMPORTANT: make the ftp directory not writable (this is also CRUCIAL for getting chroot and vsftpd to work; vsftpd refuses to chroot a user into a writable root directory):

chmod a-w /home/bobs_websites/ftp

4. The stock Apache configuration does not serve content from home directories (on Ubuntu, apache2.conf only grants access below /var/www and /usr/share). The trick is to keep the site inside Bob's FTP tree and bind-mount that directory to /var/www, where Apache is already allowed to read:

mkdir -p /var/www/bobs_wordpress_site                   # empty mount point for Apache
mkdir -p /home/bobs_websites/ftp/bobs_wordpress_site    # this is the place for the wordpress install

The site directory must be owned by uid/gid 33 (chown as in step 1) so that Bob can write into it; the ftp directory above it stays read-only. Add this to your /etc/fstab to make the content of the ftp account of bobs_websites accessible to the web server, then mount it with mount -a (or reboot):

 /home/bobs_websites/ftp/bobs_wordpress_site  /var/www/bobs_wordpress_site  none  bind  0  0

5. Voilà

If Bob wants to add more websites, he MUST ask the administrator to add another subdirectory in the ftp directory and another entry in /etc/fstab for the new site.

In any case he is not allowed to write into the ftp directory itself and cannot see anything outside of it.
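To check that the layout from steps 2 to 4 really has the properties the text relies on (an FTP root without any write bit, a single writable site directory owned by the web server's uid, and a bind-mount entry for it), here is an added example script; it is not part of the original page. It builds the layout in a directory you name, so it can be tried unprivileged in a temporary directory; the uid to check against and the fstab path are parameters (33 and /etc/fstab on a real system; the demo uses the caller's uid and a temporary file). The chown to 33:33 and the mount itself still require root and are not performed by the script.

```shell
#!/bin/sh
# Added example (not from the Blue-IT.org page): build the "pure FTP user"
# layout from steps 2-4 in a directory of your choice and verify the
# invariants the setup depends on:
#   1. the FTP root (<base>) carries no write bit at all, so vsftpd accepts
#      it as a chroot root;
#   2. <base>/<site> exists, is writable and is owned by the expected uid
#      (33 = www-data on a real system, the caller's uid in the demo);
#   3. an fstab file contains the bind mount of <base>/<site> into the web root.
# Only mkdir, chmod, ls and grep are used, so it can be tried unprivileged in
# a temporary directory; chown to 33:33 and the mount itself still need root.

# Create <base> and <base>/<site>, then remove every write bit from <base>.
# The subdirectory is created first: once <base> is read-only, only root can
# still add entries to it.
ftp_layout_create() {
    _base="$1"; _site="$2"
    mkdir -p "$_base/$_site" || return 1
    chmod a-w "$_base"
}

# Append the bind-mount line for <site> to the fstab file given as $3.
# Source is the directory inside the FTP tree, target is below the web root
# ($4, default /var/www), where Apache is already allowed to read.
ftp_layout_fstab_add() {
    _base="$1"; _site="$2"; _fstab="$3"; _webroot="${4:-/var/www}"
    printf '%s %s none bind 0 0\n' "$_base/$_site" "$_webroot/$_site" >> "$_fstab"
}

# Mode string ("drwxr-xr-x") and numeric owner of a path, taken from ls -ldn.
_mode_of()  { set -- $(ls -ldn "$1"); echo "$1"; }
_owner_of() { set -- $(ls -ldn "$1"); echo "$3"; }

# Check the three invariants; prints the first violation and returns 1.
# Usage: ftp_layout_check <base> <site> <uid> <fstab> [<webroot>]
ftp_layout_check() {
    _base="$1"; _site="$2"; _uid="$3"; _fstab="$4"; _webroot="${5:-/var/www}"
    case "$(_mode_of "$_base")" in
        *w*) echo "FAIL: $_base has a write bit; vsftpd refuses a writable chroot root"; return 1 ;;
    esac
    [ -d "$_base/$_site" ] || { echo "FAIL: $_base/$_site is missing"; return 1; }
    case "$(_mode_of "$_base/$_site")" in
        d?w*) ;;
        *) echo "FAIL: $_base/$_site is not writable by its owner"; return 1 ;;
    esac
    [ "$(_owner_of "$_base/$_site")" = "$_uid" ] \
        || { echo "FAIL: $_base/$_site is not owned by uid $_uid"; return 1; }
    grep -qF -- "$_base/$_site $_webroot/$_site none bind" "$_fstab" \
        || { echo "FAIL: no bind mount for $_base/$_site in $_fstab"; return 1; }
    echo "OK: $_base/$_site is the only writable place and is bind-mounted to $_webroot/$_site"
}

# Demo in a throwaway directory (constructed input; a real system would use
# /home/bobs_websites/ftp, uid 33 and /etc/fstab).
ftp_layout_demo() {
    _tmp=$(mktemp -d) || return 1
    ftp_layout_create "$_tmp/ftp" bobs_wordpress_site
    ftp_layout_fstab_add "$_tmp/ftp" bobs_wordpress_site "$_tmp/fstab"
    ftp_layout_check "$_tmp/ftp" bobs_wordpress_site "$(id -u)" "$_tmp/fstab"
    _rc=$?
    chmod -R u+w "$_tmp" && rm -rf "$_tmp"
    return $_rc
}
ftp_layout_demo
```

On the real server, run the check after the chown and before the first login: `ftp_layout_check /home/bobs_websites/ftp bobs_wordpress_site 33 /etc/fstab`. Note the cleanup in the demo: a directory without write bits cannot have its entries removed by a non-root user, so `chmod u+w` comes before `rm -rf`.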