LinuxQuestions.org


linuxlychallenged 03-24-2010 12:14 PM

vsftpd (ftp server) setup questions
 
I am trying to set up an FTP server.
I'll describe how I want to use it first. I have about 6 Windows Vista machines with a program set to auto backup. I want to use a scheduled Windows task (running a script) to connect to my Linux server and upload the backup files via ftp. So first, I think I have figured out how to set up the ftp script (maybe), but that's secondary to my first issue.

I have downloaded vsftpd and installed it through yum (running RHEL). I am trying to set up the ftp so that it only allows uploads, only allows valid users, and if possible allows no actions other than actually depositing a file on the server. I am trying to be security conscious and prevent people from doing bad things to our server if they capture the ftp password.

I followed directions found here http://wjholden.com/vsftpd-help.html and set up the uploader user. To test, I used PuTTY and SSH'd in under uploades and it shows -bash-3.2$ instead of user@servername$. What does that mean? Also, does it matter that RHEL doesn't have the command rc-update mentioned as the last step for creating the users?

Last part of the question: is there more I can do to make this ftp safe?
So far, it is set to upload only and no anonymous users.

10speed705 03-24-2010 09:27 PM

I am not familiar with that specific ftp software, but I do have a few suggestions. In your hosts.allow file, set ftp to only allow connections from either your internal network or just the IPs of the client boxes... this will keep you nice and safe. Another possibility for what you are trying to accommodate is using rsync, or maybe try using existing backup software with your server config... sorry I can't be much more help with the config you have... good luck... Oh, and it doesn't sound like the user has the bash shell as default, as opposed to another shell. You can fix that by typing bash; to fix it for good you will have to research, but I THINK in RHEL it is chsh, so just man chsh and it should give you the answer you need.

deadeyes 03-27-2010 03:03 PM

Quote:

Originally Posted by linuxlychallenged (Post 3910578)
I am trying to set up an FTP server.
I'll describe how I want to use it first. I have about 6 Windows Vista machines with a program set to auto backup. I want to use a scheduled Windows task (running a script) to connect to my Linux server and upload the backup files via ftp. So first, I think I have figured out how to set up the ftp script (maybe), but that's secondary to my first issue.

I have downloaded vsftpd and installed it through yum (running RHEL). I am trying to set up the ftp so that it only allows uploads, only allows valid users, and if possible allows no actions other than actually depositing a file on the server. I am trying to be security conscious and prevent people from doing bad things to our server if they capture the ftp password.

I would recommend using chroot:
Code:

chroot_list_enable
    If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.

    Default: NO

Code:

chroot_local_user
    If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

    Default: NO

I just wonder if ftp really can ever be a good way to do backups.

Quote:

I followed directions found here http://wjholden.com/vsftpd-help.html and set up the uploader user. To test, I used PuTTY and SSH'd in under uploades and it shows -bash-3.2$ instead of user@servername$. What does that mean? Also, does it matter that RHEL doesn't have the command rc-update mentioned as the last step for creating the users?

I don't understand what bash has to do with vsftpd or your ftp client.
rc-update is a tool for configuring your runlevels. In RHEL you use "chkconfig" (to change runlevels) or "service" (to start, restart, ... daemons).

Quote:

Last part of the question: is there more I can do to make this ftp safe?
So far, it is set to upload only and no anonymous users.

What do you mean by "set to upload only"?

linuxlychallenged 04-12-2010 10:04 AM

Quote:

I just wonder if ftp really can ever be a good way to do backups.

I plan to create a backup using a backup program and then ftp that one file nightly to the server, does this not seem like an ok idea?

Quote:

What do you mean by "set to upload only"?

I have the vsftp set up to allow people to only upload files and not download them.

I'm going to look up rsync and see what possibilities it has.

Thanks for the info about chroot; I overlooked that when I looked at the vsftp stuff originally, and I've got it turned on now. And I set up the hosts.allow and hosts.deny with vsftpd: (my IP) :allow and vsftpd:ALL respectively, is this correct?

Also, I really appreciate the responses and I'm sorry it took so long to get back to this. I've been really busy with finishing up this semester at school the past few weeks and haven't had time to come into work.

deadeyes 04-13-2010 02:29 AM

Quote:

Originally Posted by linuxlychallenged (Post 3932965)
I plan to create a backup using a backup program and then ftp that one file nightly to the server, does this not seem like an ok idea?

It depends if you want an eavesdropper to catch your backup file so he can restore your data :)
I would think about sftp, scp, or everything else in an encrypted ssl tunnel :)

Quote:

I have the vsftp set up to allow people to only upload files and not download them.

That is ok. Be aware that sometimes you will still probably have someone uploading some warez files to your ftp (even if they can't download them; they can't do anything with them then).
As an extra security measure you could use chown_uploads and chown_username in combination with anon_umask.
This way you can make the uploads invisible and inaccessible for download again.

Quote:

I'm going to look up rsync and see what possibilities it has.

Thanks for the info about chroot; I overlooked that when I looked at the vsftp stuff originally, and I've got it turned on now. And I set up the hosts.allow and hosts.deny with vsftpd: (my IP) :allow and vsftpd:ALL respectively, is this correct?

/etc/hosts.allow is host-based security. Putting vsftpd: yourip in /etc/hosts.allow and vsftpd: all in /etc/hosts.deny will only allow your own IP. So no other hosts. I think this is not what you want.

Quote:

Also, I really appreciate the responses and I'm sorry it took so long to get back to this. I've been really busy with finishing up this semester at school the past few weeks and haven't had time to come into work.

No problem.
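
Added example (not written by any poster in this thread): a shell check of vsftpd.conf text against the goals discussed so far, namely no anonymous logins, upload without download, a chroot jail, tcp_wrappers enabled so that a standalone vsftpd consults hosts.allow and hosts.deny, and TLS. The option names are vsftpd.conf(5) settings; the wanted values are an assumed policy and the sample config is constructed for illustration.

```bash
#!/bin/sh
# Added example: audit vsftpd.conf text against the thread's hardening goals.

# Constructed sample config (not the poster's actual file).
SAMPLE_CONF='# constructed sample
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES'

# Wanted settings (assumed policy): local users only, upload without download,
# chroot jail, tcp_wrappers on so hosts.allow/hosts.deny are consulted, TLS on.
WANT="anonymous_enable=NO local_enable=YES write_enable=YES download_enable=NO
chroot_local_user=YES tcp_wrappers=YES ssl_enable=YES"

# Built-in vsftpd default for the options listed in WANT (vsftpd.conf(5)),
# used when the config does not set the option.
default_for() {
  case "$1" in
    anonymous_enable|download_enable) echo YES ;;
    *) echo NO ;;
  esac
}

# Effective value of option $2 in config text $1. vsftpd wants option=value
# with no spaces around "=", so only that exact form is accepted here.
effective() {
  local v
  v=$(printf '%s\n' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr a-z A-Z)
  if [ -n "$v" ]; then echo "$v"; else default_for "$2"; fi
}

# Print one FAIL line per option whose effective value differs from WANT.
audit() {
  local pair opt want have
  for pair in $WANT; do
    opt=${pair%%=*}; want=${pair#*=}
    have=$(effective "$1" "$opt")
    [ "$have" = "$want" ] || echo "FAIL $opt: have $have, want $want"
  done
}

audit "$SAMPLE_CONF"
```

The sample fails on download_enable, tcp_wrappers and ssl_enable because unset options fall back to their defaults, which is the case a quick read of the file tends to miss.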

linuxlychallenged 04-14-2010 09:30 AM

Quote:

/etc/hosts.allow is host-based security. Putting vsftpd: yourip in /etc/hosts.allow and vsftpd: all in /etc/hosts.deny will only allow your own IP. So no other hosts. I think this is not what you want.

I'm actually using hosts.allow vsftpd:(my IP)/255.255.252.0, which allows all machines on my network but only those on my immediate network, right?

Quote:

I would think about sftp, scp, or everything else in an encrypted ssl tunnel

I'm trying to figure out how to get rsync set up on the Windows machines and use SSH; this would be more secure, right?

If using rsync, should I use chown and other security measures as well?
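
Added example, not part of any post above: a shell model of how tcp_wrappers evaluates the net/mask form asked about in this post. Per hosts_access(5) a client matches only when (client AND mask) equals the net field, so the sketch compares a host address in the net field with the network address there; all addresses are constructed private-range samples.

```bash
#!/bin/sh
# Added example: how tcp_wrappers evaluates a "net/mask" pattern.
# All addresses are constructed private-range samples.

# Dotted quad -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# hosts_access(5): a client matches "net/mask" when (client AND mask) == net.
masked_match() {  # $1 = client address, $2 = net/mask
  local net="${2%%/*}" mask="${2#*/}"
  [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]
}

# A pattern is either the wildcard ALL or a net/mask pair.
matches() { [ "$2" = ALL ] || masked_match "$1" "$2"; }

# tcp_wrappers order: a hosts.allow match grants; otherwise a hosts.deny
# match refuses; otherwise access is granted.
decide() {  # $1 = client, $2 = hosts.allow pattern, $3 = hosts.deny pattern
  if matches "$1" "$2"; then echo allow
  elif matches "$1" "$3"; then echo deny
  else echo allow
  fi
}

HOST_FORM="192.168.1.57/255.255.252.0"   # a host address in the net field
NET_FORM="192.168.0.0/255.255.252.0"     # the network address in the net field

for client in 192.168.1.57 192.168.2.10 192.168.4.10; do
  printf '%-13s host-form=%-5s net-form=%s\n' "$client" \
    "$(decide "$client" "$HOST_FORM" ALL)" "$(decide "$client" "$NET_FORM" ALL)"
done
```

With a host address in the net field nothing matches, not even that host itself, so with ALL in hosts.deny every client is refused; the network address form admits the /22 and refuses 192.168.4.10.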

deadeyes 04-15-2010 02:53 AM

As an ssh tunnel is encrypted this is indeed more secure.

I do not have experience with rsync so I can't really help you with specifics.
You have to think about whether you trust the client that is backing up to your server.
Can he get a shell through ssh? How can you prevent this, ...?


All times are GMT -5.