I ran into an interesting issue the other day. I was setting up a new SFTP server with the following requirements:
1. A particular legacy device that was not capable of using SFTP needed to connect to the server with FTP.
2. All other users should have their own SFTP directory access as before.
3. The FTP user needs access to one of the same directories that the SFTP user needs.
Ok fine no big deal, so I'll just set up SFTP and FTP side by side and restrict who is allowed to actually FTP to the box. I figured I could do this with symlinks, but nope. Filezilla (the client of choice in this case) sees the symlink as a file and wouldn't recognize it as a separate directory. So here are the steps.
Following instructions from http://www.krizna.com/ubuntu/setup-ftp-server-on-ubuntu-14-04-vsftpd/ I set up vsFTPd and ssh for SFTP.
Step 1 » Update repositories.
$ sudo apt-get update
Step 2 » Install the VsFTPD package using the below command.
$ sudo apt-get install vsftpd
Step 3 » After installation, open the /etc/vsftpd.conf file and make changes as follows.
Uncomment the below lines (line no: 29 and 33).
write_enable=YES
local_umask=022
» Uncomment the below line (line no: 120) to prevent access to the other folders outside the home directory.
chroot_local_user=YES
and add the following line at the end.
allow_writeable_chroot=YES
» Add the following lines to enable passive mode.
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=40100
Step 4 » Restart the vsftpd service using the below command.
$ sudo service vsftpd restart
Step 5 » Now the ftp server will listen on port 21. Create a user with the below command. Use the /usr/sbin/nologin shell to prevent access to the bash shell for the ftp users.
$ sudo useradd -m john -s /usr/sbin/nologin
$ sudo passwd john
Step 6 » Allow login access for the nologin shell. Open /etc/shells and add the following line at the end.
/usr/sbin/nologin
Now try to connect to this ftp server with the username on port 21 using the WinSCP or FileZilla client and make sure that the user cannot access the other folders outside the home directory.
Please note that using ftp on port 21 is a big security risk. It's highly recommended to use SFTP. Please continue for SFTP configuration.
Secure FTP (SFTP)
SFTP is called "Secure FTP" and generally uses the SSH File Transfer Protocol, so we need the openssh-server package installed. Issue the below command if it's not already installed.
$ sudo apt-get install openssh-server
Step 7 » Create a new group ftpaccess for FTP users.
$ sudo groupadd ftpaccess
Step 8 » Now make changes in the /etc/ssh/sshd_config file.
» Find the below line
Subsystem sftp /usr/lib/openssh/sftp-server
and replace it with
Subsystem sftp internal-sftp
Match group ftpaccess
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
» and comment out the below line (last line).
#UsePAM yes
Step 9 » Restart the sshd service.
$ sudo service ssh restart
Step 10 » The below steps must be followed while creating users for sftp access.
Create user john with the ftpaccess group and /usr/bin/nologin shell.
$ sudo useradd -m john -g ftpaccess -s /usr/sbin/nologin
$ sudo passwd john
Change ownership of the home directory.
$ sudo chown root /home/john
Create a folder inside the home directory for writing and change ownership of that folder.
$ sudo mkdir /home/john/www
$ sudo chown john:ftpaccess /home/john/www
------------------------------------------------------------------------------------------------------------
After following those instructions I had two separate users. We'll call them FTP and SFTP.
FTP and SFTP had their own home directories (for some reason writing this sounds like I'm explaining the birds and the bees).
I needed to make sure that FTP was the only user that could use that protocol. All other users, when set up, can SFTP, but only explicit accounts will be allowed to FTP.
1. Create /etc/vsftpd.user_list and add the user you want to ONLY use FTP
2. Add to /etc/vsftpd.conf
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
As I said, the symlinks to another shared directory weren't working. So I added another group "SHAREDFILES" and added both of the users to it. I used
$ sudo mount --bind /var/SHAREDFILES /home/FTP
$ sudo mount --bind /var/SHAREDFILES /home/SFTP
Found that here (http://www.proftpd.org/docs/howto/Chroot.html)
Add that to your fstab (/etc/fstab) so your mounts show up after reboot
$ sudo nano /etc/fstab
/var/SHAREDFILES /home/FTP none defaults,bind 0 0
/var/SHAREDFILES /home/SFTP none defaults,bind 0 0
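Added example, not from the original post: a small set of post-setup checks for the user-list restriction and the bind-mounted shared directory above. It assumes the config files are passed as arguments (on a real host: /etc/vsftpd.conf, /etc/vsftpd.user_list, /etc/fstab) and that the chroot check is run on the path sshd actually sees at %h, since bind-mounting /var/SHAREDFILES onto /home/SFTP makes that mounted directory the one whose ownership and mode sshd inspects.

```shell
#!/bin/sh
# Added example (not the post's own commands): sanity checks for the setup above.
# All paths are arguments so the checks can be run against any config file.

# vsftpd only allows FTP logins for accounts in the user list when these three
# directives are set; returns 0 when all of them are present in vsftpd.conf ($1).
vsftpd_userlist_ok() {
  grep -qi '^userlist_enable=YES[[:space:]]*$' "$1" || return 1
  grep -qi '^userlist_deny=NO[[:space:]]*$' "$1" || return 1
  grep -q '^userlist_file=' "$1" || return 1
}

# Returns 0 when account $2 appears (as a whole line) in the user list file $1.
ftp_login_allowed() {
  grep -qx "$2" "$1"
}

# sshd refuses a chrooted login unless ChrootDirectory is owned by the expected
# uid (root on a real host, $2 defaults to 0) and is not writable by group or
# other. Run it on the directory that is actually mounted at the user's home.
chroot_dir_ok() {
  dir="$1"; want_uid="${2:-0}"
  set -- $(ls -ldn "$dir")          # fields: mode links uid gid size ...
  mode="$1"; uid="$3"
  [ "$uid" = "$want_uid" ] || return 1
  case "$mode" in
    d????w*|d???????w*) return 1 ;;  # group-write or other-write bit is set
  esac
  return 0
}

# Returns 0 when fstab ($3) carries a "bind" entry mounting $1 onto $2, so the
# shared directory will come back after a reboot.
fstab_bind_entry_ok() {
  awk -v s="$1" -v t="$2" '
    $1 == s && $2 == t && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
    END { exit !found }' "$3"
}

# Usage on the server described in the post (paths assumed from the post):
#   vsftpd_userlist_ok /etc/vsftpd.conf && ftp_login_allowed /etc/vsftpd.user_list FTP
#   chroot_dir_ok /home/SFTP
#   fstab_bind_entry_ok /var/SHAREDFILES /home/SFTP /etc/fstab
```

Each function exits non-zero on the first failed condition, so the checks can be chained with && in a cron job or a deploy script.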
Yay for legacy systems that can't SFTP!!