Which Directory Should You Configure Again
Introduction
FTP, short for File Transfer Protocol, is a network protocol that was once widely used for moving files between a client and server. It has since been replaced by faster, more secure, and more convenient ways of delivering files. Many coincidental Internet users expect to download direct from their web browser with https, and control-line users are more than likely to use secure protocols such as the scp or sFTP.
FTP is yet used to support legacy applications and workflows with very specific needs. If you have a selection of what protocol to utilise, consider exploring the more modern options. When you practise demand FTP, however, vsftpd is an excellent choice. Optimized for security, operation, and stability, vsftpd offers stiff protection against many security bug constitute in other FTP servers and is the default for many Linux distributions.
In this tutorial, we'll show y'all how to configure vsftpd to let a user to upload files to his or her home directory using FTP with login credentials secured by SSL/TLS.
Prerequisites
To follow along with this tutorial you volition need:
- An Ubuntu 16.04 server with a non-root user with
sudoprivileges: You can acquire more most how to set up a user with these privileges in our Initial Server Setup with Ubuntu 16.04 guide.
Once you have an Ubuntu server in place, you're set up to begin.
Footstep 1 — Installing vsftpd
We'll start by updating our packet list and installing the vsftpd daemon:
- sudo apt-get update
- sudo apt-get install vsftpd
When the installation is complete, we'll copy the configuration file so we tin can start with a blank configuration, saving the original as a fill-in.
- sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
With a fill-in of the configuration in place, we're ready to configure the firewall.
Stride two — Opening the Firewall
Nosotros'll cheque the firewall status to meet if information technology'south enabled. If so, we'll ensure that FTP traffic is permitted so you won't run into firewall rules blocking you when it comes fourth dimension to test.
- sudo ufw status
In this case, only SSH is immune through:
Output
Status: active To Action From -- ------ ---- OpenSSH Let Anywhere OpenSSH (v6) Permit Anywhere (v6) Y'all may take other rules in place or no firewall rules at all. Since only ssh traffic is permitted in this case, nosotros'll need to add rules for FTP traffic.
We'll need to open up ports 20 and 21 for FTP, port 990 for later when nosotros enable TLS, and ports 40000-50000 for the range of passive ports we plan to set in the configuration file:
- sudo ufw permit xx/tcp
- sudo ufw allow 21/tcp
- sudo ufw allow 990/tcp
- sudo ufw allow 40000:50000/tcp
- sudo ufw condition
Now our firewall rules looks similar:
Output
Condition: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 990/tcp ALLOW Anywhere 20/tcp ALLOW Anywhere 21/tcp Permit Anywhere 40000:50000/tcp ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 20/tcp (v6) ALLOW Anywhere (v6) 21/tcp (v6) Allow Anywhere (v6) 990/tcp (v6) ALLOW Anywhere (v6) 40000:50000/tcp (v6) Let Anywhere (v6) With vsftpd installed and the necessary ports open, we're ready to continue to the next pace.
Footstep 3 — Preparing the User Directory
For this tutorial, we're going to create a user, simply you may already have a user in need of FTP access. We'll have care to preserve an existing user'southward admission to their information in the instructions that follow. Even then, nosotros recommend you kickoff with a new user until yous've configured and tested your setup.
Starting time, we'll add a test user:
- sudo adduser sammy
Assign a password when prompted and experience free to printing "ENTER" through the other prompts.
FTP is mostly more than secure when users are restricted to a specific directory.vsftpd accomplishes this with chroot jails. When chroot is enabled for local users, they are restricted to their dwelling directory by default. Nevertheless, because of the way vsftpd secures the directory, it must not be writable by the user. This is fine for a new user who should only connect via FTP, simply an existing user may need to write to their home folder if they also beat admission.
In this case, rather than removing write privileges from the home directory, we're will create an ftp directory to serve every bit the chroot and a writable files directory to hold the actual files.
Create the ftp folder, set its ownership, and be sure to remove write permissions with the following commands:
- sudo mkdir /domicile/sammy/ftp
- sudo chown nobody:nogroup /home/sammy/ftp
- sudo chmod a-w /home/sammy/ftp
Let'due south verify the permissions:
- sudo ls -la /habitation/sammy/ftp
Output
total 8 iv dr-xr-xr-ten 2 nobody nogroup 4096 Aug 24 21:29 . 4 drwxr-xr-x 3 sammy sammy 4096 Aug 24 21:29 .. Side by side, nosotros'll create the directory where files can be uploaded and assign ownership to the user:
- sudo mkdir /home/sammy/ftp/files
- sudo chown sammy:sammy /dwelling house/sammy/ftp/files
A permissions check on the files directory should return the following:
- sudo ls -la /home/sammy/ftp
Output
total 12 dr-xr-xr-x three nobody nogroup 4096 Aug 26 14:01 . drwxr-xr-x 3 sammy sammy 4096 Aug 26 thirteen:59 .. drwxr-xr-10 2 sammy sammy 4096 Aug 26 14:01 files Finally, we'll add a test.txt file to use when we test after on:
- echo "vsftpd test file" | sudo tee /abode/sammy/ftp/files/examination.txt
Now that nosotros've secured the ftp directory and allowed the user access to the files directory, we'll plow our attention to configuration.
Pace iv — Configuring FTP Admission
Nosotros're planning to allow a unmarried user with a local shell account to connect with FTP. The two key settings for this are already set in vsftpd.conf. Showtime by opening the config file to verify that the settings in your configuration match those below:
- sudo nano /etc/vsftpd.conf
/etc/vsftpd.conf
. . . # Permit bearding FTP? (Disabled by default). anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES . . . Next nosotros'll need to change some values in the file. In guild to allow the user to upload files, we'll uncomment the write_enable setting so that we have:
/etc/vsftpd.conf
. . . write_enable=YES . . . We'll also uncomment the chroot to prevent the FTP-connected user from accessing any files or commands outside the directory tree.
/etc/vsftpd.conf
. . . chroot_local_user=Yes . . . We'll add a user_sub_token in order to insert the username in our local_root directory path then our configuration will work for this user and any future users that might be added.
/etc/vsftpd.conf
user_sub_token=$USER local_root=/home/$USER/ftp We'll limit the range of ports that can exist used for passive FTP to make certain enough connections are available:
/etc/vsftpd.conf
pasv_min_port=40000 pasv_max_port=50000 Note: Nosotros pre-opened the ports that nosotros set here for the passive port range. If you alter the values, be sure to update your firewall settings.
Since we're only planning to allow FTP admission on a case-by-case basis, we'll set up the configuration so that access is given to a user only when they are explicitly added to a list rather than by default:
/etc/vsftpd.conf
userlist_enable=YES userlist_file=/etc/vsftpd.userlist userlist_deny=NO userlist_deny toggles the logic. When it is set up to "YES", users on the list are denied FTP access. When it is fix to "NO", only users on the listing are allowed admission. When you're done making the change, salvage and exit the file.
Finally, we'll create and add our user to the file. We'll use the -a flag to suspend to file:
- echo "sammy" | sudo tee -a /etc/vsftpd.userlist
Double-check that it was added every bit you expected:
true cat /etc/vsftpd.userlist Output
sammy Restart the daemon to load the configuration changes:
- sudo systemctl restart vsftpd
At present we're ready for testing.
Pace 5 — Testing FTP Admission
Nosotros've configured the server to allow only the user sammy to connect via FTP. Let'southward make sure that's the case.
Anonymous users should fail to connect: Nosotros disabled anonymous access. Here nosotros'll examination that past trying to connect anonymously. If we've done information technology properly, anonymous users should exist denied permission:
- ftp -p 203.0.113.0
Output
Connected to 203.0.113.0. 220 (vsFTPd 3.0.3) Proper name (203.0.113.0:default): bearding 530 Permission denied. ftp: Login failed. ftp> Close the connexion:
- bye
Users other than sammy should fail to connect: Next, we'll try connecting as our sudo user. They, likewise, should be denied access, and it should happen before they're allowed to enter their password.
- ftp -p 203.0.113.0
Output
Connected to 203.0.113.0. 220 (vsFTPd 3.0.3) Proper name (203.0.113.0:default): sudo_user 530 Permission denied. ftp: Login failed. ftp> Shut the connection:
- good day
sammy should exist able to connect, too as read and write files: Here, we'll brand sure that our designated user _can_connect:
- ftp -p 203.0.113.0
Output
Connected to 203.0.113.0. 220 (vsFTPd iii.0.3) Name (203.0.113.0:default): sammy 331 Please specify the password. Password: your_user's_password 230 Login successful. Remote organization type is UNIX. Using binary fashion to transfer files. ftp> Nosotros'll change into the files directory, and then utilize the become control to transfer the test file we created earlier to our local auto:
- cd files
- go test.txt
Output
227 Entering Passive Way (203,0,113,0,169,12). 150 Opening BINARY style data connectedness for exam.txt (16 bytes). 226 Transfer complete. 16 bytes received in 0.0101 seconds (1588 bytes/due south) ftp> Nosotros'll turn right back effectually and try to upload the file with a new proper name to exam write permissions:
- put exam.txt upload.txt
Output
227 Entering Passive Style (203,0,113,0,164,71). 150 Ok to send information. 226 Transfer consummate. 16 bytes sent in 0.000894 seconds (17897 bytes/s) Close the connection:
- bye
At present that we've tested our configuration, nosotros'll accept steps to further secure our server.
Step 6 — Securing Transactions
Since FTP does not encrypt any information in transit, including user credentials, we'll enable TTL/SSL to provide that encryption. The first step is to create the SSL certificates for utilize with vsftpd.
We'll utilise openssl to create a new document and utilise the -days flag to make it valid for one year. In the aforementioned command, nosotros'll add a private 2048-bit RSA key. Then by setting both the -keyout and -out flags to the same value, the private key and the certificate will be located in the aforementioned file.
We'll do this with the following command:
- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
You'll be prompted to provide address information for your document. Substitute your own data for the questions below:
Output
Generating a 2048 fleck RSA private key ............................................................................+++ ...........+++ writing new private key to '/etc/ssl/individual/vsftpd.pem' ----- Yous are nigh to exist asked to enter information that volition exist incorporated into your certificate asking. What you are about to enter is what is called a Distinguished Proper name or a DN. There are quite a few fields but you tin can get out some blank For some fields there will be a default value, If yous enter '.', the field will be left bare. ----- State Proper noun (2 letter of the alphabet code) [AU]:US State or Province Name (full proper noun) [Some-State]:NY Locality Proper name (eg, city) []:New York City Organization Name (eg, visitor) [Internet Widgits Pty Ltd]:DigitalOcean Organizational Unit Name (eg, section) []: Mutual Proper name (e.m. server FQDN or YOUR proper name) []: your_IP_address E-mail Accost []: For more detailed information nearly the document flags, encounter OpenSSL Essentials: Working with SSL Certificates, Individual Keys and CSRs
Once you've created the certificates, open the vsftpd configuration file again:
- sudo nano /etc/vsftpd.conf
Toward the lesser of the file, you should two lines that begin with rsa_. Comment them out and so they wait like:
/etc/vsftpd.conf
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem # rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.cardinal Below them, add the following lines which point to the certificate and private key we just created:
/etc/vsftpd.conf
rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem After that, nosotros will force the apply of SSL, which volition prevent clients that can't deal with TLS from connecting. This is necessary in order to ensure all traffic is encrypted simply may force your FTP user to change clients. Change ssl_enable to Yes:
/etc/vsftpd.conf
ssl_enable=Yep After that, add together the following lines to explicitly deny anonymous connections over SSL and to crave SSL for both data transfer and logins:
/etc/vsftpd.conf
allow_anon_ssl=NO force_local_data_ssl=Yeah force_local_logins_ssl=YES Afterwards this we'll configure the server to utilise TLS, the preferred successor to SSL by adding the following lines:
/etc/vsftpd.conf
ssl_tlsv1=Yes ssl_sslv2=NO ssl_sslv3=NO Finally, we will add two more options. Showtime, we volition not require SSL reuse because it tin break many FTP clients. We will require "high" encryption cipher suites, which currently means fundamental lengths equal to or greater than 128 $.25:
/etc/vsftpd.conf
require_ssl_reuse=NO ssl_ciphers=HIGH When you're done, save and shut the file.
At present, we demand to restart the server for the changes to take consequence:
- sudo systemctl restart vsftpd
At this signal, we will no longer be able to connect with an insecure command-line client. If nosotros tried, we'd see something like:
- ftp -p 203.0.113.0
- Connected to 203.0.113.0.
- 220 (vsFTPd 3.0.3)
- Name ( 203.0.113.0:default): sammy
- 530 Non-anonymous sessions must use encryption.
- ftp: Login failed.
- 421 Service non available, remote server has closed connectedness
- ftp>
Next, we'll verify that we can connect using a client that supports TLS.
Step 7 — Testing TLS with FileZilla
Most modern FTP clients tin be configured to use TLS encryption. We volition demonstrate how to connect using FileZilla because of its cantankerous platform support. Consult the documentation for other clients.
When you first open FileZilla, find the Site Manager icon just below the word File, the left-about icon on the top row. Click it:
A new window volition open. Click the "New Site" button in the bottom correct corner:
Under "My Sites" a new icon with the words "New site" will announced. Yous can name it at present or return afterwards and apply the Rename button.
You must fill up out the "Host" field with the name or IP address. Under the "Encryption" drop downward menu, select "Crave explicit FTP over TLS".
For "Logon Blazon", select "Inquire for password". Fill up in the FTP user you created in the "User" field:
Click "Connect" at the bottom of the interface. You lot will exist asked for the user's password:
Click "OK" to connect. You should at present be connected with your server with TLS/SSL encryption.
When you lot've accustomed the certificate, double-click the files binder and drag upload.txt to the left to ostend that you lot're able to download files.
When you've washed that, correct-click on the local copy, rename it to upload-tls.txt` and elevate information technology back to the server to confirm that you lot can upload files.
You've now confirmed that y'all tin can securely and successfully transfer files with SSL/TLS enabled.
Step 8 — Disabling Shell Access (Optional)
If you're unable to employ TLS because of client requirements, you tin can gain some security by disabling the FTP user'southward ability to log in any other way. 1 relatively straightforward way to prevent it is by creating a custom trounce. This volition not provide any encryption, but information technology will limit the access of a compromised account to files accessible by FTP.
First, open a file called ftponly in the bin directory:
- sudo nano /bin/ftponly
We'll add a message telling the user why they are unable to log in. Paste in the following:
#!/bin/sh echo "This account is express to FTP access only." Change the permissions to make the file executable:
- sudo chmod a+10 /bin/ftponly
Open the list of valid shells:
- sudo nano /etc/shells
At the bottom, add:
/etc/shells
. . . /bin/ftponly Update the user'south shell with the following command:
- sudo usermod sammy -due south /bin/ftponly
At present endeavour logging in as sammy:
- ssh sammy@203.0.113.0
Y'all should see something like:
Output
This account is express to FTP access merely. Connection to 203.0.113.0 closed. This confirms that the user can no longer ssh to the server and is limited to FTP access only.
Conclusion
In this tutorial we covered setting upward FTP for users with a local account. If you need to utilize an external hallmark source, you might want to look into vsftpd's back up of virtual users. This offers a rich ready of options through the use of PAM, the Pluggable Authentication Modules, and is a skillful choice if y'all manage users in another system such as LDAP or Kerberos.
Source: https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
0 Response to "Which Directory Should You Configure Again"
Post a Comment