Tag Archives: ftp

ftp/sftp – vsftpd

# VSFTPD chroot configuration

>> Create a no-shell user
useradd -d $HOME_PATH -s /sbin/nologin $FTPUSER && passwd $FTPUSER

!!!MAKE SURE TO CHMOD 755 the parent directory!!!

yum -y install vsftpd

chkconfig vsftpd on

sed -i -e 's/IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp"/g' /etc/sysconfig/iptables-config

modprobe ip_conntrack_ftp

echo "rack" >> /etc/vsftpd/vsftpd.chroot_list

mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.ORIG

cat >/etc/vsftpd/vsftpd.conf <<EOF
# vsftpd.conf - PASSIVE
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=21
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_min_port=60000
pasv_max_port=65000

# Add in /etc/vsftpd/vsftpd.chroot_list who you do *NOT* want to be chrooted
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

# RackConnect
# pasv_enable=YES
# pasv_min_port=60000
# pasv_max_port=60100
# pasv_address=<publicRCip> (might not be required)

# Logging
xferlog_enable=YES
log_ftp_protocol=NO
syslog_enable=NO
vsftpd_log_file=/var/log/vsftpd.log
EOF

>> Make sure  to comment out "auth   required    pam_shells.so" in /etc/pam.d/vsftpd (errors in authenticate users with /bin/false shell):
sed -i 's/^\(auth.*required.*pam_shells\.so.*$\)/#\1/' /etc/pam.d/vsftpd 

>> Enable firewall ports (in Rackconnect, open the same on the physical firewall):

iptables -I INPUT -p tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 60000:65000 -m comment --comment "FTP passive mode ports" -j ACCEPT
/etc/init.d/iptables save

>> Restart the service
service vsfptd restart


If -> vsftpd: refusing to run with writable root inside chroot ()
=> allow_writable_chroot=YES

=======================================================

SFTP Jailed: 
!!!! remember that the users home directory must be owned by root 

groupadd sftponly

>> 1 domain managed by 1 or more users:
    useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

>> 1 user managing multiple domains:
    useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

SFTPUSER=bob
SFTPUSERPASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1)
echo "$SFTPUSERPASS" | passwd --stdin $SFTPUSER && echo -e "\nsfptuser: $SFTPUSER\npassword: $SFTPUSERPASS" 


>> /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

>> 1 domain managed by 1 or more users:
Match Group sftponly
   ChrootDirectory %h
   X11Forwarding no
   AllowTCPForwarding no
   ForceCommand internal-sftp

>> 1 user managing multiple domains:
    Match Group sftponly
         ChrootDirectory /var/www/vhosts/%u
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp

sshd -t
service sshd restart 

>> Set correct permissions!!!
chmod 755 /var/www/
chown root:root /var/www
chown -R root:sftponly /var/www/*
find /var/www/ -type d | xargs chmod 2775
find /var/www/ -type f | xargs chmod 644

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

# VSFTPD chroot configuration

>> Create a no-shell user

useradd -d $HOME_PATH -s /sbin/nologin $FTPUSER && passwd $FTPUSER

!!!MAKE SURE TO CHMOD 755 the parent directory!!!

yum -y install vsftpd

chkconfig vsftpd on

sed -i -e 's/IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp"/g' /etc/sysconfig/iptables-config

modprobe ip_conntrack_ftp

echo "rack" >> /etc/vsftpd/vsftpd.chroot_list

mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.ORIG

cat >/etc/vsftpd/vsftpd.conf <<EOF

# vsftpd.conf - PASSIVE

anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES

listen_port=21

connect_from_port_20=YES

xferlog_std_format=YES

listen=YES

pam_service_name=vsftpd

userlist_enable=YES

tcp_wrappers=YES

pasv_min_port=60000

pasv_max_port=65000

# Add in /etc/vsftpd/vsftpd.chroot_list who you do *NOT* want to be chrooted

chroot_local_user=YES

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

# RackConnect

# pasv_enable=YES

# pasv_min_port=60000

# pasv_max_port=60100

# pasv_address=<publicRCip> (might not be required)

# Logging

xferlog_enable=YES

log_ftp_protocol=NO

syslog_enable=NO

vsftpd_log_file=/var/log/vsftpd.log

EOF

>> Make sure to comment out "auth required pam_shells.so" in /etc/pam.d/vsftpd (errors in authenticate users with /bin/false shell):

sed -i 's/^$auth.*required.*pam_shells\.so.*$$/#\1/' /etc/pam.d/vsftpd

>> Enable firewall ports (in Rackconnect, open the same on the physical firewall):

iptables -I INPUT -p tcp --dport 21 -m comment --comment "FTP" -j ACCEPT

iptables -I INPUT -p tcp -m multiport --dports 60000:65000 -m comment --comment "FTP passive mode ports" -j ACCEPT

/etc/init.d/iptables save

>> Restart the service

service vsfptd restart

If -> vsftpd: refusing to run with writable root inside chroot ()

=> allow_writable_chroot=YES

=======================================================

SFTP Jailed:

!!!! remember that the users home directory must be owned by root

groupadd sftponly

>> 1 domain managed by 1 or more users:

useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

>> 1 user managing multiple domains:

useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

SFTPUSER=bob

SFTPUSERPASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1)

echo "$SFTPUSERPASS" | passwd --stdin $SFTPUSER && echo -e "\nsfptuser: $SFTPUSER\npassword: $SFTPUSERPASS"

>> /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server

Subsystem sftp internal-sftp

>> 1 domain managed by 1 or more users:

Match Group sftponly

ChrootDirectory %h

X11Forwarding no

AllowTCPForwarding no

ForceCommand internal-sftp

>> 1 user managing multiple domains:

Match Group sftponly

ChrootDirectory /var/www/vhosts/%u

X11Forwarding no

AllowTCPForwarding no

ForceCommand internal-sftp

sshd -t

service sshd restart

>> Set correct permissions!!!

chmod 755 /var/www/

chown root:root /var/www

chown -R root:sftponly /var/www/*

find /var/www/ -type d | xargs chmod 2775

find /var/www/ -type f | xargs chmod 644

One liners to automatic creation of username and passwords

Automatic creation of users/passwords (FTP)

Manually create list.txt with user:doc_root
e.g.:

mydomain.com:/var/www/vhost/mydomain.com
example.com:/var/www/vhost/example.com

1 2	mydomain.com:/var/www/vhost/mydomain.com example.com:/var/www/vhost/example.com

Get commands to create FTP users

cat list.txt | awk -F: '{print "useradd -d ",$2, "-s /bin/false -c TICKET_NUMBER ",$1 }'

1	cat list.txt \| awk -F: '{print "useradd -d ",$2, "-s /bin/false -c TICKET_NUMBER ",$1 }'

Get commands to set FTP permissions (if doc_root exists already)

cat list.txt | awk -F: '{print "chown -R",$1, $2 }'

1	cat list.txt \| awk -F: '{print "chown -R",$1, $2 }'

Generate and Assign random passwords to the users.

# for USER in $(awk -F: '{print $1}' list.txt) ; do PASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1) ; echo $PASS | passwd --stdin $USER ; echo -e "username: $USER\npassword: $PASS\n" | tee -a pass.txt ; done ; echo -e "\n========================\nHere the credentials:" ; cat pass.txt

# for USER in $(awk -F: '{print $1}' list.txt) ; do PASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1) ; echo $PASS | passwd --stdin $USER ; echo -e "username: $USER\npassword: $PASS\n" | tee -a pass.txt ; done ; echo -e "\n========================\nHere the credentials:" ; cat pass.txt

Create a list of vhosts’ paths: vhosts.txt

Example with only .com domains:
/var/www/domain1.com
/var/www/domain2.com
/var/www/domain3.com

Use a regex for sed to extract the vhost name, removing dots (example based on the example above)
This will return a list of PATH and VHOSTNAME. We will use VHOSTNAME as USER for that path

for i in `cat vhosts.txt` ; do echo "$i" | tr '\n' ' ' ; echo "$i" | sed 's/^.*www\/\(.*\)com.*$/\1/' | sed 's/\.//g' ; done >> list.txt

1	for i in `cat vhosts.txt` ; do echo "$i" \| tr '\n' ' ' ; echo "$i" \| sed 's/^.www\/$.$com.*$/\1/' \| sed 's/\.//g' ; done >> list.txt

Print out the commands to run to add FTP users (no SSH)
Once checked the output, run these lines

cat list.txt | awk '{print "useradd -d ",$1, "-s /bin/false -c COMMENT_HERE ",$2 }'

1	cat list.txt \| awk '{print "useradd -d ",$1, "-s /bin/false -c COMMENT_HERE ",$2 }'

(for sftp only):

cat list.txt | awk '{print "useradd -d ",$1, "-s /bin/false -G sftponly -cCOMMENT_HERE ",$2 }'

1	cat list.txt \| awk '{print "useradd -d ",$1, "-s /bin/false -G sftponly -cCOMMENT_HERE ",$2 }'

This will print out commands to run to assign user:apache_group to the vhosts’ paths

cat list.txt | awk '{print "chown -R ",$2 ":www-data ",$1 }'

1	cat list.txt \| awk '{print "chown -R ",$2 ":www-data ",$1 }'

(for sftp only):

cat list.txt | awk '{print "chown root:root",$1 }'
cat list.txt | awk '{print "chown -R ",$2":"$2 ,$1"/*"}'

1 2	cat list.txt \| awk '{print "chown root:root",$1 }' cat list.txt \| awk '{print "chown -R ",$2":"$2 ,$1"/*"}'

Set g+s on vhosts to preserve directory owner
[TO CHECK]

for i in `cat list.txt` ; do echo "chmod g+s $i" ; done

1	for i in `cat list.txt` ; do echo "chmod g+s $i" ; done

[THIS EXECUTE]

for i in `cat list.txt` ; do chmod g+s "$i" ; done

1	for i in `cat list.txt` ; do chmod g+s "$i" ; done

Create list of random passwords using pwgen

for i in `cat list.txt` ; do p=$(pwgen -s -B 16 1) ; echo "$i:$p" ; done > list_u_p.txt

1	for i in `cat list.txt` ; do p=$(pwgen -s -B 16 1) ; echo "$i:$p" ; done > list_u_p.txt

Create list of random passwords using openssl

for i in `cat list.txt` ; do p=$(openssl rand -base64 12) ; echo "$i:$p" ; done > list_u_p.txt

1	for i in `cat list.txt` ; do p=$(openssl rand -base64 12) ; echo "$i:$p" ; done > list_u_p.txt

Apply these passwords automatically

for i in `cat list_u_p.txt` ; do USER=`echo "$i" | awk -F":" '{print $1}'` ; PASS=`echo "$i" | awk -F":" '{print $2}'` ; echo -e "$PASS\n$PASS" | passwd "$USER" ; done

1	for i in `cat list_u_p.txt` ; do USER=`echo "$i" \| awk -F":" '{print $1}'` ; PASS=`echo "$i" \| awk -F":" '{print $2}'` ; echo -e "$PASS\n$PASS" \| passwd "$USER" ; done

Print output for reference

hostname ; cat list_u_p.txt | awk -F":" '{print "\nusername:", $1, "\npassword:", $2}'

1	hostname ; cat list_u_p.txt \| awk -F":" '{print "\nusername:", $1, "\npassword:", $2}'

SSL PASSIVE FTP with virtual users on Raspberry Pi

I found this handy plugin to backup my blog: BackWPup
It has also an interesting feature which is the ability to backup remotely, for example on a FTP server.

So… here we go! 🙂

Few notes:

This uses vsftpd software
It will work ONLY over SSL
Due to SSL encryption, the FTP will also work ONLY in PASSIVE mode (ACTIVE mode is disabled)
This configuration has been made based of the fact that this raspberry pi is behind a router
This will use ONLY virtual users, chroot’ed, to increase the security (vsftpd will use a custom PAM auth file, which won’t lookup in /etc/passwd files – for this reason, any local user attempts to login will fail)
Virtual users usernames and credentials will be stored in a file
There is a workaround in place to avoid some common issues like “500 OOPS: Vsftpd: Refusing to Run With Writable Root Inside Chroot ()” – FYI, allow_writeable_chroot=yes does NOT work on vsftpd version 2.3.5.

Install required packets:

apt-get install vsftpd apache2-utils libpam-pwdfile

1	apt-get install vsftpd apache2-utils libpam-pwdfile

Create SSL certificate:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
chmod 600 /etc/ssl/certs/vsftpd.pem

1 2	openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem chmod 600 /etc/ssl/certs/vsftpd.pem

Add a local user with limited access (like no console) that vsfpd will use to run virtual users:

useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd

1	useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd

Create directory structures for the virtual users:

mkdir -p /space/ftpusers/
chmod a-w /space/ftpusers/
mkdir -p /space/ftpusers/ftp01/rw
chmod a-w /space/ftpusers/ftp01
chown -R vsftpd:nogroup /space/ftpusers/ftp01

mkdir -p /space/ftpusers/

chmod a-w /space/ftpusers/

mkdir -p /space/ftpusers/ftp01/rw

chmod a-w /space/ftpusers/ftp01

chown -R vsftpd:nogroup /space/ftpusers/ftp01

Please note that all new virtual users added need its home directory manually created as per above. Also, due to the chroot option and the current limitation on vsftpd, if you want a user to be able to write in its home directory, you need to create an extra folder. Its root home folder has to be -w. This is a workaround that works 🙂

Setup PAM authentication

Create a new file /etc/pam.d/vsftpd.virtual and add the following:

auth required pam_pwdfile.so pwdfile /etc/vsftpd/vsftpd.users
account required pam_permit.so

1 2	auth required pam_pwdfile.so pwdfile /etc/vsftpd/vsftpd.users account required pam_permit.so

Now, let’s reorder a bit vsftp files in a directory:

mkdir -p /etc/vsftpd
cd /etc/
mv vsftpd.conf vsftpd
ln -s /etc/vsftpd/vsftpd.conf .

mkdir -p /etc/vsftpd

cd /etc/

mv vsftpd.conf vsftpd

ln -s /etc/vsftpd/vsftpd.conf .

Add new users (password max 8 characters):

htpasswd -c -d -b /etc/vsftpd/vsftpd.users ftp01 ftp01password

1	htpasswd -c -d -b /etc/vsftpd/vsftpd.users ftp01 ftp01password

Use the flag -c only the first time to create the file. If you re-use it, the file will be overwritten!
Also the -d flag is required because vsftpd is unable to read MD5 hashed password (default if -d is not used). The downside of this is a password limited to 8 characters.
Openssl could be used to produce a MD5 based BSD password with algorithm 1 using # openssl passwd -1 (not tested)

Let’s configure vsftpd

vi /etc/vsftpd.conf

# Main Settings
listen=YES
listen_port=21
connect_from_port_20=NO
ftpd_banner=Welcome to my FTP :-)
use_localtime=YES
force_dot_files=YES

# FTP Passive settings
pasv_enable=YES
pasv_min_port=1100
pasv_max_port=1150
pasv_addr_resolve=YES
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=<span style="color: #ff0000;">&lt;EXTERNAL IP or DYN DNS&gt;</span>

# Virtual user settings
local_enable=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
virtual_use_local_privs=YES
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd.virtual
user_sub_token=$USER
local_root=/space/ftpusers/$USER
hide_ids=YES

# Anonymous settings
anonymous_enable=NO
anon_upload_enable=NO
no_anon_password=NO
anon_other_write_enable=NO
anon_mkdir_write_enable=NO

# Write permissions
write_enable=YES
local_umask=022
async_abor_enable=YES

# SSL
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

# Logging
xferlog_enable=YES
log_ftp_protocol=NO
syslog_enable=NO
vsftpd_log_file=/var/log/vsftpd.log

vi /etc/vsftpd.conf

# Main Settings

listen=YES

listen_port=21

connect_from_port_20=NO

ftpd_banner=Welcome to my FTP :-)

use_localtime=YES

force_dot_files=YES

# FTP Passive settings

pasv_enable=YES

pasv_min_port=1100

pasv_max_port=1150

pasv_addr_resolve=YES

pasv_enable=YES

pasv_addr_resolve=YES

pasv_address=<span style="color: #ff0000;"><EXTERNAL IP or DYN DNS></span>

# Virtual user settings

local_enable=YES

chroot_local_user=YES

secure_chroot_dir=/var/run/vsftpd/empty

virtual_use_local_privs=YES

guest_enable=YES

guest_username=vsftpd

pam_service_name=vsftpd.virtual

user_sub_token=$USER

local_root=/space/ftpusers/$USER

hide_ids=YES

# Anonymous settings

anonymous_enable=NO

anon_upload_enable=NO

no_anon_password=NO

anon_other_write_enable=NO

anon_mkdir_write_enable=NO

# Write permissions

write_enable=YES

local_umask=022

async_abor_enable=YES

# SSL

ssl_enable=YES

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

require_ssl_reuse=NO

ssl_ciphers=HIGH

rsa_cert_file=/etc/ssl/certs/vsftpd.pem

# Logging

xferlog_enable=YES

log_ftp_protocol=NO

syslog_enable=NO

vsftpd_log_file=/var/log/vsftpd.log

Now, on your router, make sure that the module ip_conntrack_ftp is loaded using lsmod command.
This is required for FTP PASSIVE mode to work.
I’ve realised that this can be called also nf_conntrack_ftp.
A good way to check all the alias associated to that netfilter module is using the following command:

# modinfo nf_conntrack_ftp
filename: /lib/modules/3.3.7/kernel/net/netfilter/nf_conntrack_ftp.ko
alias: nfct-helper-ftp
alias: <span style="color: #ff0000;">ip_conntrack_ftp</span>
description: ftp connection tracking helper
author: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
license: GPL
depends: nf_conntrack
intree: Y
vermagic: 3.3.7 mod_unload MIPS32_R1 32BIT
parm: ports:array of ushort
parm: loose:bool

# modinfo nf_conntrack_ftp

filename: /lib/modules/3.3.7/kernel/net/netfilter/nf_conntrack_ftp.ko

alias: nfct-helper-ftp

alias: <span style="color: #ff0000;">ip_conntrack_ftp</span>

description: ftp connection tracking helper

author: Rusty Russell <rusty@rustcorp.com.au>

license: GPL

depends: nf_conntrack

intree: Y

vermagic: 3.3.7 mod_unload MIPS32_R1 32BIT

parm: ports:array of ushort

parm: loose:bool

Also, make sure to setup a port forwarding like as below:

$IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 21 -j DNAT --to $FTPIP:21 # FTP connection port
$IPT -t nat -A PREROUTING -d $EXTIP -p tcp -m tcp --dport 1100:1150 -j DNAT --to-destination $FTPI # FTP PASS ports
$IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 1100:1150 -j ACCEPT

$IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 21 -j DNAT --to $FTPIP:21 # FTP connection port

$IPT -t nat -A PREROUTING -d $EXTIP -p tcp -m tcp --dport 1100:1150 -j DNAT --to-destination $FTPI # FTP PASS ports

$IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 21 -j ACCEPT

$IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 1100:1150 -j ACCEPT

My notepad

Chris' IT notes…

Tag Archives: ftp

ftp/sftp – vsftpd

One liners to automatic creation of username and passwords

Automatic creation of users/passwords (FTP)

SSL PASSIVE FTP with virtual users on Raspberry Pi