Although File Transfer Protocol (FTP) is easy to set up, fast, and a widely-used way to transmit files between two remote hosts, it has the downside of being an insecure protocol. Sometimes FTP is okay for files that aren’t as sensitive; however, there are going to be other times when you’re not going to want the possibility of eavesdroppers retrieving your confidential information.
This is where Secure File Transfer Protocol (SFTP) has the advantage of ensuring that file transmission will be secure and prevent unauthorized access. With SFTP, data is encrypted while being passed between client and server, which provides a layer of protection that FTP doesn’t have.
So, now that I’ve given you a little a refresher on FTP and SFTP, I want to share an interesting issue I ran into the other day.
I was working on setting up a new SFTP server with the following requirements:
- A particular legacy device, that was not capable of using SFTP, needed to connect to the server with FTP. (Sometimes older mainframe systems, also known as the “dinosaurs of information technology,” have environments that don’t understand SFTP.)
- All other users called for having their own SFTP directory access as before.
- The FTP user required access to one of the same directories that the SFTP user needed.
Alright, so, not a big deal. I decided I would just set up SFTP and FTP side-by-side and restrict who is allowed to FTP to the box. I figured I could do this with symlinks, but nope. Filezilla (the client of choice in this case) saw the symlink as a file and wouldn’t recognize it as a separate directory.
I then realized I would have to attack this from a slightly different angle, which was to set up Very Secure FTP Daemon (vsftpd).
Following these instructions from the article: “How to setup FTP server on ubuntu 14.04 (VSFTPD)”, I was able to setup vsftpd and ssh for SFTP.
Here are the steps:
Step 1 » Update repositories:
$ sudo apt-get update
Step 2 » Install vsftpd package using the below command:
$ sudo apt-get install vsftpd
Step 3 » After installation open /etc/vsftpd.conf file and make changes as follows:
Uncomment the below lines (line no:29 and 33).
» Uncomment the below line (line no: 120 ) to prevent access to the other folders outside the Home Directory:
and add the following line at the end:
» Add the following lines to enable passive mode:
pasv_enable=Yes pasv_min_port=40000 pasv_max_port=40100
Step 4 » Restart vsftpd service using the command below:
krizna@leela:~$ sudo service vsftpd restart
Step 5 » Now ftp server will listen on Port 21. Create user with the below command. Use /usr/sbin/nologin shell to prevent access to the bash shell for the ftp users:
$ sudo useradd -m john -s /usr/sbin/nologin $ sudo passwd john
Step 6 » Allow login access for nologin shell. Open /etc/shells and add the following line at the end:
(Please note using FTP on Port 21 is a big security risk. It is highly recommended to use SFTP. Please continue for SFTP configuration) SFTP, also called “Secure FTP,” generally uses SSH File Transfer Protocol. So, we need OpenSSH-server package installed. Issue the command below, if it’s not already installed:
$ sudo apt-get install openssh-server
Step 7 » Create a new group ftpaccess for FTP users:
$ sudo groupadd ftpaccess
Step 8 » Now make changes in this /etc/ssh/sshd_config file.
» Find the below line:
Subsystem sftp /usr/lib/openssh/sftp-server
and replace with:
Subsystem sftp internal-sftp Match group ftpaccess ChrootDirectory %h X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp
» and comment the below line (Last line):
Step 9 » Restart SSHD service:
$ sudo service ssh restart
Step 10 » The below steps must be followed while creating Users for SFTP access:
Create user john with ftpaccess group and /usr/bin/nologin shell:
$ sudo useradd -m john -g ftpaccess -s /usr/sbin/nologin $ sudo passwd john
Change ownership for the home directory:
$ sudo chown root /home/john
Create a folder inside Home Directory for writing, and change ownership of that folder:
$ sudo mkdir /home/john/www $ sudo chown john:ftpaccess /home/john/www
After following those instructions I had two separate users. We'll call them FTP and SFTP.
FTP and SFTP had their own home directories (for some reason writing this sounds like I'm explaining the birds and the bees).
I needed to make sure that FTP was the only user that could use that protocol. All other users when setup can SFTP, but only explicit accounts will be allowed to FTP.
- Create /etc/vsftpd.user_list and add the user you want to ONLY use FTP
- Add to /etc/vsftpd.conf
As I said, the symlinks to another shared directory wasn't working. So, I added another group "SHAREDFILES" and added both of the users to it. I used:
$ sudo mount --bind /var/SHAREDFILES /home/FTP $ sudo mount --bind /var/SHAREDFILES /home/SFTP
See more here: "DefaultRoot, Symlinks and Chroot()"
Add that to your fstab (etc/fstab), so your mounts show up after reboot:
$ sudo nano /etc/fstab /var/SHAREDFILES /home/FTP none defaults,bind 0 0 /var/SHAREDFILES /home/SFTP none defaults,bind 0 0
In a normal case, most people would just default back to allowing both accounts to FTP access, but I wanted to make sure I took the more secure route. So, ultimately, thanks to legacy systems that can't SFTP, I was able do things a little differently and gain a new learning experience.