ftp questions
I have a lot of FTP questions, so I won't ask them all at once.
My first questions are about security, which I consider to be very important, and the utmost priority. I am using vsftpd. Not sure if that was a good choice or not in using an FTP service. I would like users on the server that have accounts to access the FTP service, but not their entire home directory. Just a defined directory (the standard, /var/www - Apache site). I have disabled the pi account in ftpusers. I sftp to it, and it allows me access to whatever directory I like. I just enter the root directory, and it takes me there. There are two issues with this:
1) It should be denying me access when accessing the pi account in the first place
2) It should at least limit me to my home directory / /var/www directory.
I have a User1 account, for example, that is allowed to access the FTP service. How do I make it so that only they are allowed to access it, and even then, with the restrictions?
Some vsftpd.conf settings:
anonymous_enable=NO
local_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftp.chroot_list (yes, the file exists)
local_root=/var/www
Let me know if there is anything else I should share. These are just those things that I thought were most important in regards to my issue. My next questions will be in regards to it using SFTP, instead of the TLS/SSL that I have already set up.... |
vsftpd is a good choice; if you set it up perfectly, it is a perfect ftp service for you.
You can jail the user in a particular directory so they cannot go into the parent directory; they can access only subdirectories. You have already done this using:
chroot_local_user=YES
local_root=/var/www
To allow users to upload files, set:
local_enable=YES
write_enable=YES
If you want any user to be unable to access the ftp account, run the following command. If you are using debian, ubuntu:
Code:
echo username >> /etc/ftpusers
Code:
echo username >> /etc/vsftpd/ftpusers |
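An added example, not part of any post in this thread: a small Python audit of the vsftpd.conf settings quoted above, using vsftpd's documented option defaults. The function names and finding codes are assumptions made for illustration, and the sample config is constructed from the first post.

```python
# Added example (not from the thread): audit vsftpd.conf text for the
# access-control settings discussed above.
SAMPLE_CONF = """\
# Constructed sample: the settings quoted in the first post.
anonymous_enable=NO
local_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftp.chroot_list
local_root=/var/www
"""

# vsftpd's built-in defaults for the options this audit reads.
DEFAULTS = {"anonymous_enable": True, "local_enable": False,
            "chroot_local_user": False, "chroot_list_enable": False,
            "userlist_enable": False, "userlist_deny": True}


def parse_conf(text):
    """Parse 'option=value' lines; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def audit(text):
    """Return a list of (code, explanation) findings for one config."""
    opts = parse_conf(text)

    def on(key):
        val = opts.get(key)
        return DEFAULTS[key] if val is None else val.upper() == "YES"

    findings = []
    if on("anonymous_enable"):
        findings.append(("ANON", "anonymous logins are accepted"))
    if not on("local_enable"):
        findings.append(("NO_LOCAL", "local accounts cannot log in over FTP"))
    if on("chroot_local_user") and on("chroot_list_enable"):
        # With both set, the list file names the users exempt from the jail.
        findings.append(("CHROOT_INVERTED", "users in %s are NOT jailed"
                         % opts.get("chroot_list_file", "/etc/vsftpd.chroot_list")))
    if not on("chroot_local_user") and not on("chroot_list_enable"):
        findings.append(("NO_CHROOT", "local users are not confined to a directory"))
    if not (on("userlist_enable") and not on("userlist_deny")):
        findings.append(("NO_ALLOWLIST", "any local account not denied may log in"))
    return findings
```

These options govern vsftpd only; sftp logins are handled by sshd, as the later replies point out.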
Note that ftp is a plaintext protocol, so if you want an encrypted cxn, either add TLS to it (see https://security.appspot.com/vsftpd.html) or use sftp/scp instead (part of the ssh pkg).
|
I heard that not even sftp is safe. It only sends the username/password in an encrypted form. As for the SSL/TLS, I have it enabled. I tried selecting the SSL/TLS option, but it wouldn't connect. It will only use the SFTP connection.
I did what you said, and I restarted my machine. I connected via sftp, and it still allows me to the root account. I made sure to add the root user to the ftpusers file. |
sftp has ZERO to do with ftp, e.g. vsftpd; that's why 'ftpusers' had no effect.
As above, sftp & scp are part of the ssh pkg. You need to choose EITHER sftp (or scp) OR vsftpd+TLS. Hope that's clearer. |
I tried sftp, and it seemed to work. Tried ftp over ssl/tls, with both implicit and explicit encryption, and it failed. I am thinking the last two options (or at least one of them) is what should actually be selected.
|
My opinion is that the old, deprecated and insecure ftp protocol should never be used (much like the way that rsh/rlogin, telnet are rarely used). Instead, just use scp with keys for automated file transfers or sftp for human prompted sessions.
Also, sshfs is pretty flexible. |
I would like to see if I can get the current setup to work. I seemed to follow through with the whole tutorial, yet, it is not working.
|
Good luck.
If you decide to look at sftp (everything is encrypted on the cxn) with a chroot jail, try http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/ |