FTP user

How to create an FTP user with access to one specific directory only on a CentOS / Linux installation

1. mkdir /var/www/mydomain.com

2. mkdir /var/www/mydomain.com/html

3. useradd <username>

4. passwd <username>

5. chown -R <username> /var/www/mydomain.com

6. groupadd <groupname>

7. gpasswd -a <username> <groupname>

8. chgrp -R <groupname> /var/www/mydomain.com

9. chmod -R g+rw /var/www/mydomain.com

--------------------------------------------------------------

[root@leela ~]# mkdir /ftp

Step 4 » Now start creating users for accessing the FTP server.

[root@leela ~]# useradd -d /ftp/jamal jamal

[root@leela ~]# passwd jamal

Changing password for user jamal.

New password:

This means that the user will just have access to the folder you configured as HOME of the user. Below, I have an example of a user passwd entry:

# upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash

Set the home directory of the user with the following command

# usermod -d /var/www/my.domain.example/ exampleuser

Modify user home directory from default to a new folder

# usermod -d /target/directory username

You could change the user's shell to /usr/sbin/nologin so that if the password leaks you will have mitigated some risk (set the home directory too)

# usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser

---------------------------------------------

Linux Create An FTP User Account

# adduser -c 'FTP USER Tom' -m tom

# passwd tom

How to add FTP users to a folder or an Apache server

In this example we will create an FTP group and an FTP user, and give the user access to a new or existing FTP folder.

Step 1: If we already have a group we can skip this step; otherwise start by creating a group, and let's call it ftpgroup.

$ groupadd ftpgroup

Step 2: Create a user called ftpuser, add it to the group and assign it the folder. If no folder is assigned, the default folder will be used, which is normally /home/username.

$ useradd ftpuser -g ftpgroup -d /home/ftpfolder -s /bin/false

Normally FTP users don't need shell access, hence -s /bin/false. (The original command also passed -p your-password; useradd -p expects an already-hashed password, not plaintext, so set the password with passwd ftpuser afterwards instead.)

Step 3: Set ownership.

chown ftpuser:ftpgroup /home/ftpfolder

And you are done.

If we need to add more users to an already existing FTP folder we can do as follows.

Add a new user to the existing FTP group:

$ useradd newftpuser -g ftpgroup -d /home/ftpfolder -s /bin/false

(As in step 2, set the password with passwd afterwards rather than with -p.)

Note: we can modify a user at any time with usermod, e.g.:

$ usermod -d /home/differentlocation newftpuser

When we add a new user to the group, we need to log out and log in to the system again, otherwise the new user will not be able to use FTP. If we don't want to log out/log in, we can run the following command on the folder.

chmod -R ugo+rw /home/ftpfolder

Extra: Limiting FTP users to their permitted folders:

To stop FTP users from climbing to top-level folders we can do the following.

If the FTP server is vsftpd, make sure the following directives are uncommented or set in

vi /etc/vsftpd/vsftpd.conf

set:

chroot_local_user=YES

local_enable=YES

(vsftpd does not accept spaces around the "=" and refuses to start on such a line.)

and don't forget to restart

service vsftpd restart

FTP users for a web server like Apache:

If you are creating FTP accounts for web users, make sure the user's group is also apache, otherwise files uploaded by users will not be served by Apache. We can add multiple groups to a user as follows:

usermod -a -G apache,group2 ftpuser

This step should work, but you may still not be able to edit/create files, because when a user is added to a new group the change is not applied to any currently-running processes, only to new ones. You need to log out and then log back in.

To fix this you can either log out and log in again, or run the following command on your directory:

chmod -R ugo+rw sit3

This gives the group and the user read/write access to the folder.
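The numbered steps at the top of the page, the ftpgroup/ftpuser procedure and the "usermod -a -G apache" step all describe pieces of the same job. The script below is an added example, not code from any of the notes or from vsftpd: it performs the whole procedure in one pass, with a no-login shell (as suggested under "usermod -s /usr/sbin/nologin") and group-based permissions instead of the world-writable "chmod -R ugo+rw" shortcut. Every name in it (ftpuser, ftpgroup, /var/www/mydomain.com, apache) is an assumed placeholder, and DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the notes above: one script for creating a group,
# an FTP-only account, its home directory and its permissions. All names are
# placeholders. With DRY_RUN=1 the privileged commands are printed instead of
# executed, so the result can be reviewed without root.

# run CMD... : echo the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# provision_ftp_user USER GROUP HOME [EXTRA_GROUPS]
#   e.g. provision_ftp_user ftpuser ftpgroup /var/www/mydomain.com apache
provision_ftp_user() {
    user=$1; group=$2; home=$3; extra=${4:-}

    # Group first, so useradd can use it as the primary group.
    getent group "$group" >/dev/null 2>&1 || run groupadd "$group"

    # Create the home inside the web root ourselves (-M below) so that no
    # skeleton dotfiles are copied in and permissions are set explicitly.
    run mkdir -p "$home"

    # No interactive shell: the account is for FTP only. On CentOS vsftpd
    # authenticates through PAM, and pam_shells only accepts shells listed in
    # /etc/shells, so the chosen shell must appear there (nologin usually
    # does; /bin/false often does not).
    run useradd -M -d "$home" -g "$group" -s /usr/sbin/nologin "$user"

    # Supplementary groups (e.g. apache) so the web server can read uploads
    # without the tree having to be world-readable or world-writable.
    [ -z "$extra" ] || run usermod -a -G "$extra" "$user"

    # Owner and group get rw; capital X sets execute on directories (and on
    # files that already had it), never on plain uploads; "other" gets
    # nothing. The setgid bit on directories keeps new uploads in the FTP
    # group, which is what the chmod -R ugo+rw shortcut was working around.
    run chown -R "$user:$group" "$home"
    run chmod -R u=rwX,g=rwX,o= "$home"
    run find "$home" -type d -exec chmod g+s '{}' +

    # useradd -p expects an already hashed password, so set it interactively.
    echo "next: passwd $user"
}

# Standalone usage:
#   DRY_RUN=1 ./provision.sh ftpuser ftpgroup /var/www/mydomain.com apache
if [ $# -ge 3 ]; then
    provision_ftp_user "$@"
fi
```

Because ownership and the setgid bit are set per directory, a second account only needs useradd with the same primary group (or usermod -a -G) rather than a recursive chmod that also opens the tree to every other local account.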

Red Hat / CentOS VSFTPD FTP Server Configuration

Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:

VSFTPD offers security, performance and stability over other servers. A quick list of vsftpd features:

Install Vsftpd FTP Server

Install the vsftpd package via yum command:

# yum install vsftpd

Vsftpd Defaults

Configure Vsftpd Server

Open the configuration file, type:

# vi /etc/vsftpd/vsftpd.conf

Turn off the standard ftpd xferlog log format:

xferlog_std_format=NO

Turn on the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES

The above two directives enable logging of all FTP transactions. To lock users into their home directories, edit/append the directive as follows:

chroot_local_user=YES

Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue

Create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS  Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.

Turn On Vsftpd Service

Turn on vsftpd on boot:

# chkconfig vsftpd on

Start the service:

# service vsftpd start

# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open the file /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following line, ensuring that it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Open the file /etc/sysconfig/iptables-config, enter:

# vi /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file. Restart the firewall:

# service iptables restart

Tip: View FTP Log File

Type the following command:

# tail -f /var/log/vsftpd.log

Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "230 Login successful."
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "SYST"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "215 UNIX Type: L8"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:05 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Ok to send data."
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:06 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 File receive OK."
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "TYPE A"
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "LIST"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Here comes the directory listing."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 Directory send OK."

Tip: Restrict Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Separating the operating system files from the FTP users' files results in a better and more secure system. The growth of certain file systems can be restricted using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2

Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub
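The guide sets a handful of directives by hand (xferlog_std_format, log_ftp_protocol, chroot_local_user, banner_file) and recommends a separate nosuid/nodev/noexec partition for /ftp. The script below is an added example, not part of the guide or of vsftpd: it audits a vsftpd.conf and an fstab against exactly those settings and also catches the "key = value" spelling that vsftpd rejects at startup. The sample files it builds (sample_conf, sample_fstab) are constructed; pass real paths to audit a live host.

```shell
#!/bin/sh
# Added example, not part of the guide above: audit /etc/vsftpd/vsftpd.conf
# and /etc/fstab against the settings the guide applies (verbose logging,
# chroot, banner, and a separate nosuid/nodev/noexec partition). The sample
# files produced by sample_conf and sample_fstab are constructed for the demo.

# conf_value FILE KEY : print the effective value of KEY ("" if unset).
# vsftpd reads "key=value" lines top to bottom and the last one wins; a
# comment starts with '#' in column 1. Whitespace around '=' is not allowed.
conf_value() {
    awk -F= -v key="$2" '
        /^#/ || /^$/ { next }
        $1 == key    { val = $2 }
        END          { print val }' "$1"
}

# check_vsftpd_conf FILE : one line per finding, exit status 1 if any.
check_vsftpd_conf() {
    f=$1; rc=0
    for want in xferlog_std_format=NO log_ftp_protocol=YES chroot_local_user=YES; do
        key=${want%%=*}; expect=${want#*=}
        # vsftpd compares booleans case-insensitively, so normalise first.
        got=$(conf_value "$f" "$key" | tr '[:lower:]' '[:upper:]')
        if [ "$got" != "$expect" ]; then
            echo "MISSING: $key should be $expect (found '${got:-unset}')"
            rc=1
        fi
    done
    if [ -z "$(conf_value "$f" banner_file)" ]; then
        echo "MISSING: banner_file is not set"
        rc=1
    fi
    # "chroot_local_user = yes" is not a setting: vsftpd rejects the line at
    # startup, so report it rather than silently treating the key as unset.
    if grep -Eq '^[a-z_]+[[:space:]]+=|^[a-z_]+=[[:space:]]' "$f"; then
        echo "SYNTAX: whitespace around '=' (vsftpd will refuse to start)"
        rc=1
    fi
    return $rc
}

# check_ftp_mount FSTAB MOUNTPOINT : require nosuid, nodev and noexec.
check_ftp_mount() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
    [ -n "$opts" ] || { echo "MISSING: no fstab entry for $2"; return 1; }
    rc=0
    for o in nosuid nodev noexec; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "MISSING: $2 is mounted without $o"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs: the conf repeats the whitespace mistake and the
# fstab line lacks noexec, so both checks report something.
sample_conf() {
    printf '%s\n' '# constructed vsftpd.conf sample' \
        'xferlog_std_format=NO' 'log_ftp_protocol=YES' \
        'chroot_local_user = yes' 'banner_file=/etc/vsftpd/issue'
}
sample_fstab() {
    printf '%s\n' '/dev/sda5  /ftp  ext3  defaults,nosuid,nodev,usrquota 1 2'
}

# Standalone demo; on a real host run e.g.
#   check_vsftpd_conf /etc/vsftpd/vsftpd.conf && check_ftp_mount /etc/fstab /ftp
tmp=$(mktemp); sample_conf > "$tmp"
check_vsftpd_conf "$tmp" || echo "sample vsftpd.conf needs attention"
sample_fstab > "$tmp"
check_ftp_mount "$tmp" /ftp || echo "sample fstab needs attention"
rm -f "$tmp"
```

The directive list is deliberately limited to what the guide sets; extend the for-loop with further key=value pairs (for instance write_enable=NO from the "Disable FTP Uploads" tip) when a host is meant to be download-only.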
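The "View FTP Log File" tip shows what the verbose log produced by log_ftp_protocol=YES looks like, but tailing it by eye does not scale. The script below is an added example, not part of the guide or of vsftpd: it summarises such a log per client address (successful logins, failed logins, uploads and bytes) and marks addresses whose failed logins reach a threshold, which is the usual first check when reviewing an FTP host. The lines in sample_log are constructed after the sample output above, with three failed logins from a second address added.

```shell
#!/bin/sh
# Added example, not part of the guide above: summarise a vsftpd log written
# in the verbose format that log_ftp_protocol=YES enables. Per client IP it
# counts successful logins, failed logins and uploads (with bytes), and marks
# clients whose failed logins reach a threshold. sample_log is constructed.

# vsftpd_summary [FAIL_THRESHOLD] : reads the log on stdin and prints
#   <ip> logins=<n> failures=<n> uploads=<n> bytes=<n> [REPEATED-FAILURES]
vsftpd_summary() {
    awk -v limit="${1:-5}" '
        # Every interesting record names the peer as: Client "a.b.c.d"
        function client_ip(line) {
            if (match(line, /Client "[0-9.]+"/))
                return substr(line, RSTART + 8, RLENGTH - 9)
            return ""
        }
        # OK UPLOAD records end with: "<path>", <n> bytes, <rate>Kbyte/sec
        function upload_bytes(line) {
            if (match(line, /, [0-9]+ bytes,/))
                return substr(line, RSTART + 2, RLENGTH - 9) + 0
            return 0
        }
        { ip = client_ip($0); if (ip == "") next; seen[ip] = 1 }
        /OK LOGIN:/   { login[ip]++ }
        /FAIL LOGIN:/ { fail[ip]++ }
        /OK UPLOAD:/  { upload[ip]++; bytes[ip] += upload_bytes($0) }
        END {
            for (ip in seen) {
                flag = (fail[ip] + 0 >= limit + 0) ? " REPEATED-FAILURES" : ""
                printf "%s logins=%d failures=%d uploads=%d bytes=%d%s\n",
                    ip, login[ip], fail[ip], upload[ip], bytes[ip], flag
            }
        }' | sort
}

# Constructed sample: the successful session from the guide plus three
# failed logins from a second address.
sample_log() {
    cat <<'EOF'
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivek"
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:42:01 2009 [pid 42310] [admin] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:42:03 2009 [pid 42311] [admin] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:42:05 2009 [pid 42312] [root] FAIL LOGIN: Client "10.1.3.200"
EOF
}

# Standalone demo; on a real host: vsftpd_summary 5 < /var/log/vsftpd.log
sample_log | vsftpd_summary 3
```

Note that with log_ftp_protocol=YES vsftpd logs the PASS command with an empty argument (as in the sample above), so the log can be shared with reviewers without exposing passwords; usernames from failed attempts are still recorded in the bracketed field and are worth watching alongside the per-address counts.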