This page details the installation of an FTPS service using vsftpd on a server enrolled in IdM, and lists the specific changes made to the stock vsftpd configuration.
Follow the installation steps below before installing the application.
yum install vsftpd rsync mailx
systemctl enable vsftpd
semanage boolean -m --on ftp_home_dir
semanage boolean -m --on ftpd_anon_write
The ftpd_anon_write boolean is needed even though anonymous logins are disabled below: it is the boolean that allows vsftpd to write to directories labelled public_content_rw_t, which is how the upload tree is labelled in the next step.
mkdir -p /apps/ftps
semanage fcontext -a -f d -t public_content_t "/apps/ftps"
semanage fcontext -a -t public_content_rw_t "/apps/ftps(/.*)?"
restorecon -rv /apps/ftps/
chmod -R 555 /apps/ftps/
chown -R root:webupdates /apps/ftps/
Confirm the labels with ls -dZ /apps/ftps before going further; a mislabelled tree is the usual cause of uploads failing with a permission error even though the Unix mode is correct.
cd /etc/vsftpd/
openssl genrsa -out ftps_2015.key 2048
openssl req -new -key ftps_2015.key -out ftps_2015.csr
Submit ftps_2015.csr to the CA. When the signed certificate comes back, paste it (PEM, together with any intermediate CA certificates the CA supplies) into the .crt file, then restrict both files to root:
cd /etc/vsftpd/
vim ftps_2015.crt
chmod 400 ftps_2015.*
Replace the stock configuration with the following (vsftpd requires option=value with no whitespace around the "="):
vim /etc/vsftpd/vsftpd.conf
# Disallow anonymous FTP
anonymous_enable=NO
# Allow local (IdM) users to log in.
local_enable=YES
# Enable FTP write commands (uploads, renames, deletes).
write_enable=YES
# Mode for newly created files: 0666 masked by 0007 gives 0660,
# i.e. read/write for owner and group, no access for others.
file_open_mode=0666
local_umask=0007
# Move the control port off 21. ftp_data_port is only used when
# connect_from_port_20=YES, so with the setting below active-mode
# data connections originate from an unprivileged port instead.
connect_from_port_20=NO
ftp_data_port=38590
listen_port=38591
# Passive-mode data connection port range (open 38592-38599 on the
# firewall) and the address advertised to clients for passive connections
pasv_enable=YES
pasv_min_port=38592
pasv_max_port=38599
pasv_addr_resolve=YES
pasv_address=vsftpd.example.co.uk
# Set the login banner
banner_file=/etc/issue
# chroot local users to their home directory. vsftpd refuses a chroot
# login if the chroot directory itself is writable, so keep the home
# directory read-only and place the upload directories below it.
chroot_local_user=YES
secure_chroot_dir=/usr/share/empty
# Make the server listen on a specific IPv4 address only.
listen=YES
listen_address=10.105.218.18
# Disable listening on IPv6
listen_ipv6=NO
# Enable SSL and allow TLS only (SSLv2 and SSLv3 disabled)
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/ftps_2015.crt
rsa_private_key_file=/etc/vsftpd/ftps_2015.key
# Require data connections to reuse the control connection's TLS session.
# This stops a third party from attaching to the data port; some older
# clients cannot do it, but keep it enabled unless a client actually breaks.
require_ssl_reuse=YES
# Force non-anonymous logins to use SSL for both password and data
# transfer, so credentials and content never cross the network in clear
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Do not offer SSL to anonymous users (anonymous logins are already
# disabled above by anonymous_enable=NO)
allow_anon_ssl=NO
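The settings above can be checked mechanically before vsftpd is restarted. The script below is an added example, not part of the original runbook or of the vsftpd project: it reads a vsftpd.conf the way vsftpd does (option=value lines, "#" comments, last occurrence of an option wins, booleans accepted as yes/true/1 or no/false/0 in any case) and reports every FTPS hardening option from this page that is missing or set to a weaker value. The three sample configuration files it writes are constructed for the example; the option names are real vsftpd options.

```shell
#!/bin/sh
# Added example, not from the original runbook or the vsftpd project.
# Audits a vsftpd.conf for the FTPS hardening settings used on this page.
# vsftpd semantics modelled here: option=value with no whitespace, '#'
# comment lines, the LAST occurrence of an option wins, and booleans accept
# yes/true/1 and no/false/0 in any case. An expected option that is missing
# is reported too, because this runbook sets every one of them explicitly.

# Normalise a vsftpd boolean to YES/NO (other values pass through upper-cased).
vsftpd_norm() {
  v=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  case $v in
    YES|TRUE|1) echo YES ;;
    NO|FALSE|0) echo NO ;;
    *) echo "$v" ;;
  esac
}

# Effective value of option $2 in config file $1 (last occurrence wins).
vsftpd_get() {
  sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Compare config file $1 against the expected settings; print one line per
# finding and return the number of findings (0 = every setting as expected).
vsftpd_audit() {
  conf=$1
  findings=0
  for want in \
    anonymous_enable=NO local_enable=YES ssl_enable=YES \
    ssl_sslv2=NO ssl_sslv3=NO \
    force_local_logins_ssl=YES force_local_data_ssl=YES \
    allow_anon_ssl=NO require_ssl_reuse=YES \
    chroot_local_user=YES listen_ipv6=NO
  do
    key=${want%%=*}
    expected=${want#*=}
    actual=$(vsftpd_get "$conf" "$key")
    if [ "$(vsftpd_norm "$actual")" != "$expected" ]; then
      printf '%s: expected %s, got %s\n' "$key" "$expected" "${actual:-<unset>}"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample 1: a stock-looking config with FTPS not enforced.
write_weak_conf() {
  cat >"$1" <<'EOF'
anonymous_enable=YES
local_enable=yes
write_enable=YES
listen=NO
listen_ipv6=YES
ssl_enable=NO
ssl_sslv2=NO
ssl_sslv3=NO
chroot_local_user=NO
EOF
}

# Constructed sample 2: the hardened settings from this page.
write_hardened_conf() {
  cat >"$1" <<'EOF'
# hardened FTPS configuration (constructed sample)
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
listen_ipv6=NO
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
allow_anon_ssl=NO
EOF
}

# Constructed sample 3: the hardened file with a stray "ssl_enable=NO" left
# at the end (e.g. pasted from a stock snippet). Because the last value wins,
# this silently turns TLS off although ssl_enable=YES appears earlier.
write_override_conf() {
  write_hardened_conf "$1"
  printf 'ssl_enable=NO\n' >>"$1"
}

# Usage: sh vsftpd_audit.sh /etc/vsftpd/vsftpd.conf
if [ $# -gt 0 ]; then
  vsftpd_audit "$1"
fi
```

Run it against the real file with sh vsftpd_audit.sh /etc/vsftpd/vsftpd.conf; an empty output and exit status 0 means every checked option matches. The audit does not cover ssl_ciphers: vsftpd's compiled-in default for that option is DES-CBC3-SHA, so set it to a modern cipher list (for example HIGH) rather than relying on the default. After restarting vsftpd, confirm the listener with ss -ltnp | grep 38591, look for SELinux denials with ausearch -m avc -ts recent, and test the handshake with openssl s_client -connect 10.105.218.18:38591 -starttls ftp, which also prints the negotiated protocol and cipher.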
Create the HBAC rule in IdM that grants the ftps groups access to the vsftpd service on the ftps host. The rule only restricts anything if the IdM default allow_all rule is disabled (ipa hbacrule-disable allow_all); check the current state with ipa hbacrule-find.
ipa hbacrule-add vsftp_access --desc="Access to ftps Server"
ipa hbacrule-add-host vsftp_access --hosts=vsftpdhost
ipa hbacrule-add-user vsftp_access --groups=rwc
ipa hbacrule-add-service vsftp_access --hbacsvcs=vsftpd
Users and groups are added to IdM and then to the relevant group. Documentation for this is at IdM User/Group Management. Users must be created without a login shell (/sbin/nologin): they only need FTPS access and must never get a shell on the host. Example below. Each upload folder should have its own group with the required users. EVERY group must have the rsync user added for rsync to work.
ipa user-add "ftps.user" \
    --first="Ftps" \
    --last="User" \
    --email="user_email@example.com" \
    --city=london --shell="/sbin/nologin" \
    --random
ipa group-add rwc --desc="RWC ftps update group"
ipa group-add-member rwc --users="ftps.user"
You must also add any new group to the HBAC rule that allows access to the vsftpd server, otherwise its members are refused at login:
ipa hbacrule-add-user vsftp_access --groups=rwc
Ensure that the group exists in IdM before creating the folder structure (chown fails if the group name does not resolve). Create the new site folder structure. Example only:
mkdir -p /apps/ftps/cricket
chmod -R 2770 /apps/ftps/cricket
chown -R root:cricket /apps/ftps/cricket
A slightly more interesting setup is when one group of users needs to upload to a sub folder of a site that another group owns. In the example below group2 owns the site and can upload to all of its folders, while group only needs to upload to the sub folder group/folder/. The site is created with 2770 permissions and group2 as the owning group, and group is then granted access with POSIX ACLs: read and traverse (rx) on the top-level folder so it can reach the sub folder, and rwx on the sub folder itself.
mkdir -p /apps/ftps/group/folder
chmod -R 2770 /apps/ftps/group
chown -R root:group2 /apps/ftps/group
setfacl -m g:group:rx /apps/ftps/group/
setfacl -m g:group:rwx /apps/ftps/group/folder/
Note that these ACLs apply to the directories only: files that group2 members upload into folder/ afterwards get mode 0660 with group group2 (setgid directory, umask 0007) and no entry for group, so group members can list, add and delete files in folder/ but cannot read or overwrite files uploaded by group2. If they need that, add a default ACL (setfacl -d -m g:group:rw /apps/ftps/group/folder/) as well. Verify the result with getfacl /apps/ftps/group/folder/.
A user called rsync has been set up in IdM with SSH keys, along with the relevant HBAC rules, to allow the synchronisation of the uploaded files to the web server. Add the following to the root crontab. Some web sites need a custom rsync, like RWC below, where certain folders must be excluded. The developer will advise how often the rsync needs to run; every 10 minutes should be fine. Note that --delete removes files on the web server that no longer exist in the upload tree, but paths matched by --exclude are protected from deletion on the receiving side (rsync only removes those with --delete-excluded).
# Default
00,10,20,30,40,50 * * * * rsync -rptz --delete --chmod=Dug=rx,o=,Fug=r,o= /apps/ftps/cricket/ rsync@webserver:/apps/http/www/cricket/
# RWC #
00,10,20,30,40,50 * * * * rsync -rtvz --exclude=/uploads --exclude=chat --delete --chmod=Dug+rx,Fug+r,Dug-w,Fug-w /apps/ftps/group/folder/ root@webserver.example.co.uk:/apps/http/www/rwc/