FTP user
How to create an FTP user with access only to a specific directory on a CentOS / Linux installation
1. mkdir /var/www/mydomain.com
2. mkdir /var/www/mydomain.com/html
3. useradd <username>
4. passwd <username>
5. chown -R <username> /var/www/mydomain.com
6. groupadd <groupname>
7. gpasswd -a <username> <groupname>
8. chgrp -R <groupname> /var/www/mydomain.com
9. chmod -R g+rw /var/www/mydomain.com
--------------------------------------------------------------
[root@leela ~]# mkdir /ftp
Step 4 » Now start creating users for accessing the FTP server.
[root@leela ~]# useradd -d /ftp/jamal jamal
[root@leela ~]# passwd jamal
Changing password for user jamal.
New password:
This means that the user will only have access to the folder configured as the user's HOME (provided the FTP server confines users to their home directory, see the chroot settings further down). Below is an example of a user's passwd entry:
# upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash
Set the home directory of the user with the following command
# usermod -d /var/www/my.domain.example/ exampleuser
Modify user home directory from default to a new folder
# usermod -d /target/directory username
You can change the user's shell to /usr/sbin/nologin (on CentOS the same binary is /sbin/nologin) so that a leaked FTP password cannot be used for a shell login; set the home directory at the same time:
# usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser
---------------------------------------------
Linux Create An FTP User Account
# adduser -c 'FTP USER Tom' -m tom
# passwd tom
How to add FTP users to a folder or an Apache server
In this example we will create an FTP group and an FTP user, and give the user a new or existing folder for FTP.
Step 1: If we already have a group we can skip this; otherwise start by creating a group, and let's call it ftpgroup
$ groupadd ftpgroup
Step 2: Create a user called ftpuser, add it to the group and assign it the folder. If no folder is assigned, the default home will be used, which is normally /home/username
$ useradd -g ftpgroup -d /home/ftpfolder -s /bin/false ftpuser
$ passwd ftpuser
FTP users normally don't need shell access, hence -s /bin/false. The password is set with passwd rather than useradd -p, because -p expects an already-hashed value and a plaintext argument would also end up in the shell history. Note that on CentOS vsftpd's PAM configuration requires the login shell to be listed in /etc/shells; /sbin/nologin is listed by default, /bin/false usually is not.
Step 3: Set ownership.
chown ftpuser:ftpgroup /home/ftpfolder
And you are done.
If we need to add more users to an already existing FTP folder we can do as follows:
Add a new user to the existing FTP group:
$ useradd -g ftpgroup -d /home/ftpfolder -s /bin/false newftpuser
$ passwd newftpuser
Note: we can modify a user at any time with usermod, e.g.:
$ usermod -d /home/differentlocation username
When we add a new user to the group, we need to log out and log in again, otherwise the new user will not be able to use FTP. If we don't want to log out/log in we can run the following command on the folder (note that ugo+rw also grants every other local user read/write access to it):
chmod -R ugo+rw /home/ftpfolder
Extra: Limiting FTP users to their permitted folders:
To stop FTP users from moving up into top-level folders we can do the following.
If the FTP server is vsftpd, make sure the following are uncommented or set:
vi /etc/vsftpd/vsftpd.conf
set:
chroot_local_user=YES
local_enable=YES
(vsftpd does not accept spaces around the = sign, so the form "chroot_local_user = yes" is a configuration error.) And don't forget to restart:
service vsftpd restart
FTP users for a web server like Apache:
If you are creating FTP users for web content, make sure the user's groups also include apache, otherwise files uploaded by the users cannot be served by Apache. We can add multiple groups to a user as follows:
usermod -a -G apache,group2 ftpuser
This step should work, but you may still not be able to edit/create files, because
when a user is added to a new group, that is not applied to any currently running processes, only to new ones. You need to log out and then log back in.
To fix this you can either log out and log in, or run the following command on your directory:
chmod -R ugo+rw <site-directory>
This gives the group / user read/write access to the folder.
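The steps above (create the directory, the group and the FTP-only user, then set ownership) pulled together into one script, as an added example that is not part of the original notes. Unlike the notes it keeps the chroot root itself non-writable (vsftpd 3.x refuses a writable chroot root) and gives the html/ subdirectory group access without the world-writable ugo+rw. The create_ftp_user function, the DRY_RUN switch and the CentOS paths /sbin/nologin and /etc/shells are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: provision an FTP-only user.
# Assumes CentOS/RHEL paths (/sbin/nologin, /etc/shells) and vsftpd with
# chroot_local_user=YES. DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_ftp_user <username> <groupname> <directory> [extra-groups]
create_ftp_user() {
    local user="$1" group="$2" dir="$3" extra="${4:-}" shell=/sbin/nologin

    # Reject names outside the portable character set and relative paths.
    case "$user$group" in *[!a-z0-9_-]*) echo "invalid name" >&2; return 1;; esac
    case "$dir" in /*) ;; *) echo "directory must be absolute" >&2; return 1;; esac

    # vsftpd's PAM stack on CentOS includes pam_shells: the login shell must be
    # listed in /etc/shells (/sbin/nologin is; /bin/false usually is not).
    if [ "${DRY_RUN:-0}" != 1 ] && ! grep -qx "$shell" /etc/shells; then
        echo "$shell is not in /etc/shells" >&2; return 1
    fi

    run mkdir -p "$dir/html"
    if ! getent group "$group" >/dev/null 2>&1; then run groupadd "$group"; fi
    run useradd -d "$dir" -g "$group" -s "$shell" -M "$user"
    if [ -n "$extra" ]; then run usermod -a -G "$extra" "$user"; fi

    # The chroot root (the home) stays root-owned and non-writable. Uploads go
    # to html/, group-owned with setgid so every member's files keep the group,
    # and without write access for "other".
    run chown root:"$group" "$dir"
    run chmod 755 "$dir"
    run chown "$user:$group" "$dir/html"
    run chmod 2775 "$dir/html"

    # Set the password interactively; useradd -p expects an already-hashed
    # value and a plaintext argument would also land in the shell history.
    if [ "${DRY_RUN:-0}" != 1 ]; then passwd "$user"; fi
}
```

Run it as root, e.g. `create_ftp_user deploy ftpgroup /var/www/mydomain.com apache`, or prefix with `DRY_RUN=1` to review the commands first.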
Red Hat / CentOS VSFTPD FTP Server Configuration
vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.
In this guide you will learn:
Set up vsftpd to provide FTP service.
Configure vsftpd.
Configure firewalls to protect the FTP server.
Configure vsftpd with SSL/TLS.
Set up vsftpd as a download-only anonymous Internet server.
Set up vsftpd with virtual users, and more.
vsftpd offers security, performance and stability over other servers. A quick list of vsftpd features:
Virtual IP configurations
Virtual users
Run as standalone or inetd / xinetd operation
Per-user configuration
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6 ready
Encryption support through SSL integration
And much more.
Install Vsftpd FTP Server
Install the vsftpd package via yum command:
# yum install vsftpd
Vsftpd Defaults
Default ports: TCP / UDP - 21 and 20
The main configuration file: /etc/vsftpd/vsftpd.conf
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers
Configure Vsftpd Server
Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off the standard ftpd xferlog log format:
xferlog_std_format=NO
Turn on the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:
log_ftp_protocol=YES
The above two directives will enable logging of all FTP transactions. To lock down users to their home directories, edit/append directives as follows:
chroot_local_user=YES
Create warning banners for all FTP users:
banner_file=/etc/vsftpd/issue
Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:
NOTICE TO USERS Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21
Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following line, ensuring that it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file. Restart firewall:
# service iptables restart
Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "230 Login successful."
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "SYST"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "215 UNIX Type: L8"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:05 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Ok to send data."
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:06 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 File receive OK."
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "TYPE A"
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "LIST"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Here comes the directory listing."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 Directory send OK."
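The verbose log shown above is what a defender should actually watch, so here is an added example (not from the guide) that summarises a vsftpd.log into per-client login successes, failures and uploaded bytes, and flags clients that exceed a failure threshold. It relies on the "OK LOGIN", "FAIL LOGIN" and "OK UPLOAD" line formats produced with log_ftp_protocol=YES; the sample log, the function names and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the guide: summarise a verbose vsftpd.log per client.
# Assumes the "[pid N] [user] OK LOGIN / FAIL LOGIN / OK UPLOAD" formats above.
set -eu

# vsftpd_login_report <logfile>: one line per client IP, sorted by IP:
# "<ip> ok=<logins> fail=<failed logins> bytes=<uploaded bytes>"
vsftpd_login_report() {
    awk '
    function ip(line,   m) {
        match(line, /Client "[^"]+"/)
        m = substr(line, RSTART + 8, RLENGTH - 9); seen[m] = 1; return m
    }
    /OK LOGIN:/   { ok[ip($0)]++ }
    /FAIL LOGIN:/ { fail[ip($0)]++ }
    /OK UPLOAD:/  { c = ip($0)
                    if (match($0, /, [0-9]+ bytes/))
                        bytes[c] += substr($0, RSTART + 2, RLENGTH - 8) }
    END { for (c in seen)
              printf "%s ok=%d fail=%d bytes=%d\n", c, ok[c], fail[c], bytes[c] }
    ' "$1" | sort
}

# clients_over_threshold <logfile> <max_failures>: prints client IPs whose
# failed-login count exceeds the threshold (candidates for a firewall block).
clients_over_threshold() {
    vsftpd_login_report "$1" |
        awk -v max="$2" '{ split($3, f, "="); if (f[2] + 0 > max + 0) print $1 }'
}

# make_sample_log: writes a constructed log in the format shown above
# (one real client, one client guessing account names); prints its path.
make_sample_log() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:42:01 2009 [pid 42301] [admin] FAIL LOGIN: Client "203.0.113.9"
Thu May 21 11:42:02 2009 [pid 42302] [root] FAIL LOGIN: Client "203.0.113.9"
Thu May 21 11:42:03 2009 [pid 42303] [test] FAIL LOGIN: Client "203.0.113.9"
Thu May 21 11:43:10 2009 [pid 42304] [vivek] OK UPLOAD: Client "10.1.3.108", "/notes.txt", 1043 bytes, 2.10Kbyte/sec
EOF
    echo "$tmp"
}
```

On a live server run `vsftpd_login_report /var/log/vsftpd.log` or `clients_over_threshold /var/log/vsftpd.log 10`.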
Tip: Restrict Access to Anonymous User Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO
Tip: Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO
Security Tip: Place the FTP Directory on its Own Partition
Separating the operating system files from FTP users' files gives a more robust and secure system, and restricting the growth of particular file systems is possible using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:
/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which is the directory vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub
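A small lint for the settings this guide (and the chroot note earlier on the page) asks for, as an added example that is not part of the guide: it checks a vsftpd.conf for the logging, chroot and banner directives above, and catches the "option = value" spacing mistake that vsftpd rejects. The function names and the constructed sample configuration are assumptions; allow_writeable_chroot is a real vsftpd 3.x option.

```shell
#!/bin/sh
# Added example, not part of the guide: lint a vsftpd.conf against the
# settings discussed above. Assumes vsftpd's option=value syntax, one per line.
set -eu

# conf_get <file> <option>: prints the option's last value, or nothing if unset.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_vsftpd_conf <file>: prints one finding per line; returns 1 on any finding.
check_vsftpd_conf() {
    local f="$1" rc=0
    # vsftpd parses strictly: "chroot_local_user = yes" (spaces around '=') is
    # a startup error, not a loose match, so catch it before checking values.
    if grep -Ev '^[[:space:]]*#' "$f" | grep -Eq '[[:space:]]=|=[[:space:]]'; then
        echo "syntax: whitespace around '=' is rejected by vsftpd"; rc=1
    fi
    [ "$(conf_get "$f" chroot_local_user)" = YES ] || { echo "chroot_local_user should be YES"; rc=1; }
    [ "$(conf_get "$f" anonymous_enable)" = NO ] || { echo "anonymous_enable should be NO unless an anonymous download-only server is intended"; rc=1; }
    [ "$(conf_get "$f" xferlog_std_format)" = NO ] || { echo "xferlog_std_format should be NO"; rc=1; }
    [ "$(conf_get "$f" log_ftp_protocol)" = YES ] || { echo "log_ftp_protocol should be YES"; rc=1; }
    [ -n "$(conf_get "$f" banner_file)" ] || { echo "banner_file is not set"; rc=1; }
    # allow_writeable_chroot=YES re-enables a writable chroot root, undoing much
    # of what chroot_local_user buys; it should stay at its default of NO.
    [ "$(conf_get "$f" allow_writeable_chroot)" != YES ] || { echo "allow_writeable_chroot=YES weakens the chroot"; rc=1; }
    return "$rc"
}

# make_sample_conf: writes a constructed vsftpd.conf reproducing the settings
# from the notes above, including the space-around-'=' mistake; prints its path.
make_sample_conf() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user = yes
xferlog_std_format=NO
log_ftp_protocol=YES
banner_file=/etc/vsftpd/issue
EOF
    echo "$tmp"
}
```

Run `check_vsftpd_conf /etc/vsftpd/vsftpd.conf` after editing and before `service vsftpd restart`; a non-zero exit means at least one finding was printed.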
----------------
Summary of the settings used in the guide above, grouped by file:
/etc/vsftpd/vsftpd.conf
xferlog_std_format=NO
log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
local_enable=NO (anonymous-only access tip)
write_enable=NO (disable uploads tip)
/etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"