Here is something really basic: FTP setup.
Yeah, ftp setup is easy and fun, isn’t it?
All you need to do is install some ftp server software, configure the users, and you’re done.
Piece of cake, right?
YOU ARE FUCKING WRONG!!!!!
I’ll write down my steps for setting up a secure FTP server, in case this helps some freaking guy like me out.
You should use good ftp software.
This is a very easy choice if you’re using a distribution like CentOS or RHEL.
They suggest you install vsftp as the ftp software. I’m not an expert in this domain, and so far, vsftp works fine for me.
You should create the ftp users in Linux and set up the permissions
vsftp uses Linux’s user system and file system as its own user system and file system. That’s a brilliant idea, since it gets the most sophisticated user permission system without any extra work.
But this requires you to treat your users and system more carefully: don’t leave the folders exposed to FTP, or the FTP user itself, wide open, or anyone can update or read your files by ftp without any problem.
Fine, this is not the key point I want to make, so I’ll keep it as short as I can. Let’s go to the KEY POINTS
1. You must set up SELinux to accept your FTP, or it will kill your vsftp when it tries to access the file system.
This is fucking annoying, but it is true. If you didn’t tell SELinux that vsftp’s action is fine, SELinux will stop the action to keep the folder safe.
SELinux can be your friend in many ways, so turning it off may not be a good option.
I googled how to make these two things work together, and here is the way:
/usr/sbin/setsebool -P ftp_home_dir=1
This command updates SELinux’s policy and gives the ftp application the privileges to access users’ home folders.
This command takes a little time to execute, but it is the easiest way to achieve this target, believe me.
2. You must configure the iptables firewall to let the FTP application connect
This step is easy to understand: no one wants his server too open, so at the beginning, iptables only lets ICMP and SSH requests reach the ports of the server.
In order to let the FTP application access the server, you must open two ports: 20 for data transfer, and 21 for commands.
So the configuration for iptables should look like this:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
After this, your FTP application can connect to the server.
Are we finished yet?
NO!!!! Not yet.
You still can’t upload your files onto the server.
VSFTP USES PASSIVE MODE BY DEFAULT, and the passive mode of FTP works like this:
- FTP client tells the server: Let’s use passive mode
- Server responds: You can connect to me on port xxxx for this transfer
- Client opens a tcp connection from its local port 2001 to the server’s port xxxx to start the transfer
Yes, passive mode can use more ports on the server than active mode; that makes it the better way to go, doesn’t it?
But do you remember that we only allowed ports 21 and 20 for requests in iptables?
So this is a very very very big problem for FTP applications.
They’ll be confused by the server: the server told them to open a connection to port xxxx, but when they try, they get a connection refused.
So, you need to:
3. Change the configuration of vsftpd so passive mode only uses ports from a fixed range
For example, like this:
This only opens ports 10090 to 10100 for passive mode.
4. You need to change the iptables configuration to open ports 10090 to 10100 for requests
-I INPUT -p tcp --dport 10090:10100 -j ACCEPT
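Here is an added example (my own Python, not code from the post or from vsftpd) that checks exactly what steps 3 and 4 are about: it parses a constructed vsftpd.conf passive range and a constructed iptables rule set, lists any passive port the firewall would still refuse, and decodes the port number from the server’s “227 Entering Passive Mode” reply the way a client does. The option names pasv_min_port and pasv_max_port are assumed to be the range settings from step 3.

```python
import re

# Constructed vsftpd.conf fragment: the passive range from step 3 (option names assumed).
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
"""

# Constructed iptables rules: the port-21 rule from step 2 plus the range rule from step 4.
IPTABLES_RULES = """\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-I INPUT -p tcp --dport 10090:10100 -j ACCEPT
"""

def parse_conf(text):
    """Parse key=value lines of a vsftpd.conf, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def accepted_tcp_ports(rules):
    """Collect the TCP destination ports (single or lo:hi) that ACCEPT rules open."""
    ports = set()
    for line in rules.splitlines():
        m = re.search(r"--dport\s+(\d+)(?::(\d+))?.*-j\s+ACCEPT", line)
        if m and "-p tcp" in line:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ports.update(range(lo, hi + 1))
    return ports

def passive_ports_blocked(conf, ports):
    """Passive-mode ports vsftpd may hand out that the firewall would refuse."""
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    return [p for p in range(lo, hi + 1) if p not in ports]

def pasv_reply_port(reply):
    """Decode the data port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    nums = [int(n) for n in re.search(r"\(([\d,]+)\)", reply).group(1).split(",")]
    return nums[4] * 256 + nums[5]

if __name__ == "__main__":
    conf = parse_conf(VSFTPD_CONF)
    ports = accepted_tcp_ports(IPTABLES_RULES)
    print("passive ports the firewall refuses:", passive_ports_blocked(conf, ports))
    # Constructed server reply handing out port 10095 (39 * 256 + 111).
    port = pasv_reply_port("227 Entering Passive Mode (192,168,1,10,39,111)")
    print("data port", port, "accepted" if port in ports else "REFUSED by firewall")
```

Drop the second iptables rule from IPTABLES_RULES and the script lists all eleven passive ports as refused, which is the "connection refused" situation the post describes.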
Then your FTP server is done and secure, and if you want to make the transfer itself more secure, you can:
5. Add SSL transfer support to vsftp
First you need to generate a self-signed certificate for SSL
cd /etc/vsftpd
/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
This command generates a certificate for SSL, and this certificate will be valid for a year.
Then you need to change /etc/vsftpd.conf, adding these lines
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections
ssl_tlsv1=YES
# Permit SSL v2 protocol connections
ssl_sslv2=YES
# permit SSL v3 protocol connections
ssl_sslv3=YES
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
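The SSL lines above switch on SSLv2 and SSLv3, which are obsolete and broken protocols that a current deployment should keep disabled. Here is an added example (my own Python, not from the post or from vsftpd) that parses the posted settings, reports what a review would flag, and writes out the corrected lines; the lists of required and obsolete keys are my assumptions for this check.

```python
# Constructed copy of the SSL settings shown above, with the two obsolete protocol switches on.
POSTED_SSL_CONF = """\
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

# Settings that must be present so both the login and the data channel are protected (assumed list).
REQUIRED = {"ssl_enable": "YES", "force_local_data_ssl": "YES",
            "force_local_logins_ssl": "YES"}
# Protocol switches that must be off; ssl_tlsv1 is left as the post set it.
OBSOLETE = ("ssl_sslv2", "ssl_sslv3")

def parse_conf(text):
    """Parse key=value lines of vsftpd.conf, ignoring comments and blanks."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def ssl_findings(conf):
    """List what is wrong with the SSL section; an empty list means it passes."""
    findings = []
    for key, wanted in REQUIRED.items():
        if conf.get(key) != wanted:
            findings.append(f"{key} should be {wanted}")
    for key in OBSOLETE:
        if conf.get(key, "NO") == "YES":
            findings.append(f"{key}=YES permits an obsolete protocol; set it to NO")
    return findings

def harden(conf):
    """Return a copy of the settings with the obsolete protocols switched off."""
    fixed = dict(conf)
    for key in OBSOLETE:
        fixed[key] = "NO"
    return fixed

def render(conf):
    """Write the settings back out in vsftpd.conf's key=value form."""
    return "\n".join(f"{k}={v}" for k, v in conf.items()) + "\n"

if __name__ == "__main__":
    posted = parse_conf(POSTED_SSL_CONF)
    for finding in ssl_findings(posted):
        print("FINDING:", finding)
    print(render(harden(posted)))
```

The 1024-bit RSA key from the openssl command above deserves the same review: it is below the key size accepted as a minimum today.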
After these steps,
6. Restart all the services
service iptables restart
service vsftpd restart
And, you’re done.
So, what did we learn today?
- It is very hard to be secure, especially for a very easy and fundamental service like FTP
- Linux is secure only when you understand it more deeply and use it more carefully
- Don’t blame the firewall for the problems; it protects you
- When something is wrong, maybe the only problem is your own understanding, so reading and asking before complaining is a good way to solve the problem