I found this handy plugin to backup my blog: BackWPup
It has also an interesting feature which is the ability to backup remotely, for example on a FTP server.
So… here we go! 🙂
Few notes:
- This uses vsftpd software
- It will work ONLY over SSL
- Due to SSL encryption, the FTP will also work ONLY in PASSIVE mode (ACTIVE mode is disabled)
- This configuration has been made based of the fact that this raspberry pi is behind a router
- This will use ONLY virtual users, chroot’ed, to increase the security (vsftpd will use a custom PAM auth file, which won’t lookup in /etc/passwd files – for this reason, any local user attempts to login will fail)
- Virtual users usernames and credentials will be stored in a file
- There is a workaround in place to avoid some common issues like “500 OOPS: Vsftpd: Refusing to Run With Writable Root Inside Chroot ()” – FYI,
allow_writeable_chroot=yes does NOT work on vsftpd version 2.3.5.
Install required packets:
|
|
apt-get install vsftpd apache2-utils libpam-pwdfile |
Create SSL certificate:
|
|
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem chmod 600 /etc/ssl/certs/vsftpd.pem |
Add a local user with limited access (like no console) that vsfpd will use to run virtual users:
|
|
useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd |
Create directory structures for the virtual users:
|
|
mkdir -p /space/ftpusers/ chmod a-w /space/ftpusers/ mkdir -p /space/ftpusers/ftp01/rw chmod a-w /space/ftpusers/ftp01 chown -R vsftpd:nogroup /space/ftpusers/ftp01 |
Please note that all new virtual users added need its home directory manually created as per above. Also, due to the chroot option and the current limitation on vsftpd, if you want a user to be able to write in its home directory, you need to create an extra folder. Its root home folder has to be -w. This is a workaround that works 🙂
Setup PAM authentication
Create a new file /etc/pam.d/vsftpd.virtual and add the following:
|
|
auth required pam_pwdfile.so pwdfile /etc/vsftpd/vsftpd.users account required pam_permit.so |
Now, let’s reorder a bit vsftp files in a directory:
|
|
mkdir -p /etc/vsftpd cd /etc/ mv vsftpd.conf vsftpd ln -s /etc/vsftpd/vsftpd.conf . |
Add new users (password max 8 characters):
|
|
htpasswd -c -d -b /etc/vsftpd/vsftpd.users ftp01 ftp01password |
Use the flag -c only the first time to create the file. If you re-use it, the file will be overwritten!
Also the -d flag is required because vsftpd is unable to read MD5 hashed password (default if -d is not used). The downside of this is a password limited to 8 characters.
Openssl could be used to produce a MD5 based BSD password with algorithm 1 using # openssl passwd -1 (not tested)
Let’s configure vsftpd
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
vi /etc/vsftpd.conf # Main Settings listen=YES listen_port=21 connect_from_port_20=NO ftpd_banner=Welcome to my FTP :-) use_localtime=YES force_dot_files=YES # FTP Passive settings pasv_enable=YES pasv_min_port=1100 pasv_max_port=1150 pasv_addr_resolve=YES pasv_enable=YES pasv_addr_resolve=YES pasv_address=<span style="color: #ff0000;"><EXTERNAL IP or DYN DNS></span> # Virtual user settings local_enable=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd/empty virtual_use_local_privs=YES guest_enable=YES guest_username=vsftpd pam_service_name=vsftpd.virtual user_sub_token=$USER local_root=/space/ftpusers/$USER hide_ids=YES # Anonymous settings anonymous_enable=NO anon_upload_enable=NO no_anon_password=NO anon_other_write_enable=NO anon_mkdir_write_enable=NO # Write permissions write_enable=YES local_umask=022 async_abor_enable=YES # SSL ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH rsa_cert_file=/etc/ssl/certs/vsftpd.pem # Logging xferlog_enable=YES log_ftp_protocol=NO syslog_enable=NO vsftpd_log_file=/var/log/vsftpd.log |
Now, on your router, make sure that the module ip_conntrack_ftp is loaded using lsmod command.
This is required for FTP PASSIVE mode to work.
I’ve realised that this can be called also nf_conntrack_ftp.
A good way to check all the alias associated to that netfilter module is using the following command:
|
|
# modinfo nf_conntrack_ftp filename: /lib/modules/3.3.7/kernel/net/netfilter/nf_conntrack_ftp.ko alias: nfct-helper-ftp alias: <span style="color: #ff0000;">ip_conntrack_ftp</span> description: ftp connection tracking helper author: Rusty Russell <rusty@rustcorp.com.au> license: GPL depends: nf_conntrack intree: Y vermagic: 3.3.7 mod_unload MIPS32_R1 32BIT parm: ports:array of ushort parm: loose:bool |
Also, make sure to setup a port forwarding like as below:
|
|
$IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 21 -j DNAT --to $FTPIP:21 # FTP connection port $IPT -t nat -A PREROUTING -d $EXTIP -p tcp -m tcp --dport 1100:1150 -j DNAT --to-destination $FTPI # FTP PASS ports $IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 21 -j ACCEPT $IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 1100:1150 -j ACCEPT |