Connect FTPS with multiple users using chroot with vsftpd
Hello.
Wrinkles on your skin are the essence of life's binary log system solution department.
I want to eat yakitori. I like Seseri and Hatsu.
Well, the other day I was using vsftpd, and it has some strange settings. I'm sure those who have set it up will sympathize with me, but the way you configure it, which makes you think "it's the opposite of the opposite", makes my brain shrink.
This time I will use vsftpd for FTPS, enable chroot at the same time, and change the privileges of multiple users flexibly, leaving a memo on how to set it up. There wasn't much information about vsftpd x FTPS, so I hope this article helps someone.
Operating environment and protocols used
I use AlmaLinux 9.
The protocol is FTPS in explicit mode, which, unlike plain FTP, wraps both the control connection (where credentials travel) and the data connections in TLS.
The vsftpd version is 3.0.5.
Purpose of using chroot
Basically, every user lands in /mnt/ftp and is confined to it, so an account that is careless or compromised cannot read or write anything above that directory.
Some administrators, however, want to move around the filesystem freely, so those accounts are added to the chroot list. A user on the list is exempt from the chroot and can upload files to locations other than the specified directory (within what the Unix permissions allow).
Also, by creating a file for each user, access can be tailored per account, for example confining a user who should not have many privileges to the files under /mnt/ftp/user1.
vsftpd installation
Let's install it right away
dnf install vsftpd
vsftpd settings
Once the installation is complete, you can immediately modify the conf file.
First, make a backup just in case, then
cd /etc/vsftpd
cp -ip vsftpd.conf vsftpd.conf_org
Configure vsftpd.conf.
There are many things to change/leave from the default configuration, so I will only excerpt the parts that will be enabled this time.
Please try adjusting the settings as appropriate depending on your usage environment.
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
▶ Login as the anonymous user is not possible (NO).
# Uncomment this to allow local users to log in.
local_enable=YES
▶ Allow access by local users (YES).
# Uncomment this to enable any form of FTP write command.
write_enable=YES
▶ "write_enable" is YES so that users are allowed to upload.
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
▶ Controls the permissions of uploaded files and created directories. Quite important.
The sample config shipped with the package sets 022 (vsftpd's own default is 077). Files are created from 666 and directories from 777 minus the umask, so with 022 an uploaded file becomes 644 and a directory 755; with 077 they become 600 and 700, readable only by the uploader. Use 022 only if other accounts or a web server really need to read what is uploaded.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# You may fully customize the login banner string:
ftpd_banner=Welcome!
▶ This is up to you. Display an arbitrary message ("Welcome!" in this case) at login.
# Activate logging of uploads/downloads.
xferlog_enable=YES
# You may override where the log file goes if you like. The default is shown
# below.
# xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
dual_log_enable=YES
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=NO
▶ Logging is the confusing part. It depends on your requirements, but if these four items are set consistently it should be sufficient.
"xferlog_enable" is the most important: it turns on transfer logging. The sample config shipped on AlmaLinux sets it to YES (vsftpd's built-in default is NO).
"log_ftp_protocol" logs every FTP request and response, which is useful for debugging. It only takes effect while "xferlog_std_format" is NO, so disable that at the same time.
"dual_log_enable" writes both logs in parallel, the vsftpd-style log and the wu-ftpd-style xferlog. "xferlog_enable" must also be enabled.
Log volume grows with these settings, so plan for rotation and disk space. With this configuration, file transfers are written to "/var/log/xferlog" and the connection/protocol log to "/var/log/vsftpd.log".
⇩ The logs look like this.
xferlog
Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
vsftpd.log
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "220 Welcome!"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP command: Client "10.10.10.10", "QUIT"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "221 Goodbye."
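To show how these two logs are read by a script rather than by eye, here is an added example (not part of the original post) in POSIX sh and awk. It runs over a few constructed xferlog and vsftpd.log lines in the formats shown above and pulls out completed uploads, incomplete transfers, ASCII-mode transfers, bytes per user and failed logins per client address. The sample lines, user names, paths and addresses are made up for the example; the field layout is the real one.

```sh
#!/bin/sh
# Added example, not from the original post: parse vsftpd's two log files.
# The sample lines are constructed for this example (hosts, users and paths
# are made up); only the field layout is real.

SAMPLE_XFERLOG='Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ o r ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:05:12 2023 3 10.10.10.11 120000 /tools/run.sh a _ i r user1 ftp 0 * i'

SAMPLE_VSFTPD_LOG='Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "220 Welcome!"
Mon Jul 24 18:17:17 2023 [pid 42580] FTP command: Client "10.10.10.10", "USER ftp_test"
Mon Jul 24 18:17:18 2023 [pid 42580] FTP response: Client "10.10.10.10", "530 Login incorrect."
Mon Jul 24 18:17:25 2023 [pid 42580] FTP response: Client "10.10.10.10", "530 Login incorrect."
Mon Jul 24 18:20:02 2023 [pid 42611] [ftp_test] FTP response: Client "10.10.10.12", "230 Login successful."
Mon Jul 24 18:20:09 2023 [pid 42611] [ftp_test] FTP command: Client "10.10.10.12", "QUIT"'

# xferlog fields (space separated, the wu-ftpd layout vsftpd also writes):
#   $1-$5 timestamp      $6 transfer seconds   $7 remote host    $8 bytes
#   $9 path              $10 a=ascii b=binary  $11 special flag
#   $12 o=download i=upload d=delete           $13 a/g/r access mode (r = real user)
#   $14 user name        $15 service           $16 auth method   $17 auth user id
#   $18 c=complete i=incomplete

# "user path bytes" for every completed upload (direction i, status c).
xferlog_uploads() {
  printf '%s\n' "$1" | awk '$12 == "i" && $18 == "c" { print $14, $9, $8 }'
}

# Number of incomplete transfers: usually a dropped data connection,
# e.g. a passive port that the firewall did not let through.
xferlog_incomplete() {
  printf '%s\n' "$1" | awk '$18 == "i" { n++ } END { print n + 0 }'
}

# Transfers done in ASCII mode; binary files moved this way are corrupted.
xferlog_ascii() {
  printf '%s\n' "$1" | awk '$10 == "a" { print $14, $9 }'
}

# Bytes moved per user, for capacity and abuse review.
xferlog_bytes_by_user() {
  printf '%s\n' "$1" | awk '{ b[$14] += $8 } END { for (u in b) print u, b[u] }' | sort
}

# Failed logins per client address from the vsftpd.log protocol trace
# (log_ftp_protocol=YES). Splitting on the double quote gives the client
# address in $2 and the response text in $4.
vsftpd_failed_logins() {
  printf '%s\n' "$1" | awk -F'"' '/FTP response:/ && $4 ~ /^530 / { n[$2]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

if [ $# -eq 0 ]; then
  echo "completed uploads:";      xferlog_uploads "$SAMPLE_XFERLOG"
  echo "incomplete transfers:";   xferlog_incomplete "$SAMPLE_XFERLOG"
  echo "ascii transfers:";        xferlog_ascii "$SAMPLE_XFERLOG"
  echo "bytes per user:";         xferlog_bytes_by_user "$SAMPLE_XFERLOG"
  echo "failed logins per host:"; vsftpd_failed_logins "$SAMPLE_VSFTPD_LOG"
elif [ $# -eq 2 ]; then
  # Real use: sh ftplog.sh /var/log/xferlog /var/log/vsftpd.log
  xferlog_uploads "$(cat "$1")"
  vsftpd_failed_logins "$(cat "$2")"
fi
```

Run it without arguments to see the sample, or with the two real log paths. The completion flag in field 18 is the quickest way to spot passive-port firewall problems, because a blocked data connection leaves an "i" entry while the control channel looks perfectly healthy.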
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
pasv_address=<IP>
pasv_min_port=61000
pasv_max_port=61010
▶ Data-connection settings. "connect_from_port_20" concerns active (PORT) mode, where the server connects back to the client from port 20; the three "pasv_*" items are for passive mode, which is what most clients behind NAT use. For "pasv_address", set the IP address on the WAN side (the global address if the server is reached over the Internet); vsftpd puts it in the PASV reply, so a private address here breaks passive transfers from outside.
"pasv_min_port" and "pasv_max_port" fix the port range used for data connections. Open exactly this range on the firewall: with FTPS the control channel is encrypted, so the firewall's FTP connection-tracking helper cannot read the PASV reply and open ports dynamically the way it does for plain FTP.
# You may change the default value for timing out an idle session.
idle_session_timeout=<number>
▶ Number of seconds a client may stay idle between commands (i.e. an abandoned session) before vsftpd disconnects it. The default when commented out is 300.
Comment it in only when necessary.
ascii_upload_enable=YES
ascii_download_enable=YES
▶ Allow transfers in ASCII mode (line-ending conversion). A binary file transferred in ASCII mode is corrupted, so enable these only if clients actually need them; otherwise leave both at the default NO.
local_root=/mnt/ftp
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list
user_config_dir=/etc/vsftpd/users
▶ chroot settings.
"local_root" is the directory a user lands in after login, /mnt/ftp this time. With "chroot_local_user=YES" every local user is confined to that directory and cannot browse anything above it.
(Those two are the basic chroot settings.)
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list
▶ This is where the "opposite of the opposite" comes in. With chroot_local_user=YES, the users listed in "chroot_list_file" are the ones who are NOT chrooted, so they can move anywhere outside "local_root" (within what their Unix permissions allow). With chroot_local_user=NO the same list would instead name the users who ARE chrooted.
"allow_writeable_chroot=YES" is required because vsftpd refuses the login ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") when the chroot root itself is writable by the user. Keeping /mnt/ftp non-writable and giving users writable subdirectories is the safer layout and lets you drop this option.
Finally, a file named after the user under "user_config_dir" overrides settings for that user only, for example its root directory:
# Example) /etc/vsftpd/users/user1 containing
local_root=/var/www/html
listen=YES
# Make sure, that one of the listen options is commented !!
# listen_ipv6=NO
▶ Run vsftpd standalone and listen on IPv4 only. Exactly one of "listen" and "listen_ipv6" may be YES; if neither is, the daemon never accepts connections.
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
▶ With "userlist_deny" at its default of YES, the user names in "user_list" are refused before a password is even asked for. System accounts such as root and shutdown are therefore blocked from the start. (Setting userlist_deny=NO turns the same file into an allow list instead.)
⇩ Users listed in user_list by default
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:!EXP
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
▶ SSL/TLS settings.
Because of POODLE (an SSLv3 attack) and the deprecation of TLS 1.0 and 1.1, everything below TLS 1.2 is switched off. Set ssl_tlsv1_1=YES only if a legacy client forces you to, and treat that as temporary. The cipher list keeps AEAD suites with forward secrecy (ECDHE/DHE) and excludes export-grade ciphers.
"force_local_logins_ssl" and "force_local_data_ssl" make TLS mandatory for the login and for the data transfers of local users, so a client cannot quietly fall back to plaintext FTP on port 21.
The certificate and private key paths are at the bottom; the key file must be readable by root only.
One known gotcha: vsftpd by default insists that each data connection reuse the TLS session of the control connection (require_ssl_reuse=YES). A client that cannot do this fails on every data transfer with an otherwise working login; in that case set require_ssl_reuse=NO rather than loosening the protocol versions.
use_localtime=YES
▶ Specify local time.
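Because the chroot options read backwards and a wrong TLS option only shows up when a client fails, it is worth linting the config before restarting the daemon. The script below is an added example, not from the original post: given the config path and one or more user names, it prints whether each user will be chrooted, which root directory that user lands in, and any weak TLS or chroot setting it finds. The config keys are vsftpd's own; the check logic, the function names and the staging directory in the usage comment are assumptions for the example. It needs only POSIX sh, sed, grep and ls, so it can run against a copy of /etc/vsftpd on any host.

```sh
#!/bin/sh
# Added example, not from the original post: evaluate what the chroot and
# TLS settings of a vsftpd.conf actually do for a given user, before the
# daemon is restarted. Usage: sh vsftpd-check.sh /etc/vsftpd/vsftpd.conf admin user1
# (the paths inside the conf are honoured, so a staging copy works too).

# Value of a key in a vsftpd.conf-style file ("key=value", '#' comments);
# the last occurrence wins, as in vsftpd itself.
cfg_get() {  # $1 file, $2 key
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# vsftpd's "opposite of the opposite" chroot logic:
#   chroot_local_user=YES -> everyone is chrooted and chroot_list names
#                            the EXCEPTIONS (users allowed to roam);
#   chroot_local_user=NO  -> nobody is chrooted and chroot_list names
#                            the users who ARE chrooted.
# The list is only consulted when chroot_list_enable=YES.
is_chrooted() {  # $1 conf, $2 user -> prints YES or NO
  conf=$1; user=$2
  all=$(cfg_get "$conf" chroot_local_user)
  listed=NO
  if [ "$(cfg_get "$conf" chroot_list_enable)" = YES ]; then
    list=$(cfg_get "$conf" chroot_list_file)
    [ -r "$list" ] && grep -qx "$user" "$list" && listed=YES
  fi
  if [ "$all" = YES ]; then
    [ "$listed" = YES ] && echo NO || echo YES
  else
    echo "$listed"
  fi
}

# Directory the user lands in: a per-user file under user_config_dir
# overrides local_root; otherwise the global local_root; otherwise $HOME.
effective_root() {  # $1 conf, $2 user
  conf=$1; user=$2
  dir=$(cfg_get "$conf" user_config_dir)
  root=""
  [ -n "$dir" ] && [ -r "$dir/$user" ] && root=$(cfg_get "$dir/$user" local_root)
  [ -z "$root" ] && root=$(cfg_get "$conf" local_root)
  [ -z "$root" ] && root="(user's home directory)"
  echo "$root"
}

# One finding per line; prints nothing when the config is clean.
tls_findings() {  # $1 conf
  conf=$1
  [ "$(cfg_get "$conf" ssl_enable)" = YES ] || echo "ssl_enable is not YES: FTPS is off"
  for k in ssl_sslv2 ssl_sslv3 ssl_tlsv1 ssl_tlsv1_1; do
    [ "$(cfg_get "$conf" "$k")" = NO ] || echo "$k is not set to NO: obsolete protocol may be offered"
  done
  for k in force_local_logins_ssl force_local_data_ssl; do
    [ "$(cfg_get "$conf" "$k")" = NO ] && echo "$k=NO: plaintext fallback allowed"
  done
  [ "$(cfg_get "$conf" allow_writeable_chroot)" = YES ] && \
    echo "allow_writeable_chroot=YES: chroot root is writable; prefer writable subdirectories"
  key=$(cfg_get "$conf" rsa_private_key_file)
  if [ -n "$key" ] && [ -e "$key" ]; then
    # columns 5-10 of ls -l are the group/other bits; 0600 shows "------"
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || echo "$key: readable by group/other, chmod 600 it"
  fi
  return 0
}

if [ $# -ge 2 ]; then
  conf=$1; shift
  for u in "$@"; do
    printf '%s: chrooted=%s root=%s\n' "$u" "$(is_chrooted "$conf" "$u")" "$(effective_root "$conf" "$u")"
  done
  tls_findings "$conf"
fi
```

The chroot decision is the part people get wrong: the same chroot_list file flips meaning depending on chroot_local_user, so run the script with both an administrator name and a restricted user before opening the port.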
User preparation
Create a user that can only connect over FTP, with the minimum privileges, i.e. no login shell.
At the same time, add a group called "ftp-group".
useradd <username>
passwd <username>
usermod <username> -s /sbin/nologin
# Add only if /sbin/nologin is not yet in /etc/shells; vsftpd's PAM config
# (pam_shells) rejects logins whose shell is not listed there.
echo /sbin/nologin >> /etc/shells
groupadd ftp-group
usermod -aG ftp-group <username>
Also, since members should be able to create files and directories, adjust the permissions of the FTP root directory.
(Set this according to your security requirements. In this article the directory gets the SGID bit, so everything created inside inherits the group, and the group is given write access; without the group write bit the members could not upload at all.)
mkdir -p /mnt/ftp
chgrp -R ftp-group /mnt/ftp
chmod 2775 /mnt/ftp
ls -ld /mnt/ftp
drwxrwsr-x 2 root ftp-group 4096 Jul 23 22:06 /mnt/ftp
Preparing the chroot list and per-user files
Create /etc/vsftpd/chroot_list, the file named in vsftpd.conf, with touch or similar, and write one user name per line for each user who should be exempt from the chroot (with chroot_local_user=YES, being listed means NOT being chrooted).
Also create the /etc/vsftpd/users directory with mkdir and, where needed, a file named exactly after the user under users/ containing that user's local_root.
Preparing a self-signed certificate for FTPS
Create a self-signed certificate with the steps below. If your requirements allow it, a validity of about 10 years is fine.
cd /etc/pki/tls/private
openssl genrsa 2048 > vsftpd.key
chmod 600 vsftpd.key   # the redirect creates the key 644 under the default umask; nobody but root may read it
openssl req -new -key vsftpd.key -x509 -days 3650 -out vsftpd.pem
mv vsftpd.pem /etc/pki/tls/certs/vsftpd.pem
chmod 600 /etc/pki/tls/certs/vsftpd.pem
The flow above asks for the certificate's DN information; fill it in as appropriate, as shown below.
(Since it is self-signed and only used internally, anything other than the host name can be whatever you like.)
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Beyond
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test-server
Email Address []:[email protected]
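As an added example (not from the original post), the same certificate can be produced non-interactively, with the private key never created world-readable and with a subjectAltName so that clients match the host name; it also prints the SHA-256 fingerprint to compare against what WinSCP or FileZilla show on first connection, which is the only way a self-signed certificate can be verified. The DN values are the ones used above; the function names, the output-directory argument and the OpenSSL 1.1.1+ requirement (for -addext) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original post: non-interactive key and
# self-signed certificate for vsftpd. Assumes OpenSSL 1.1.1 or newer.
# Usage: sh mkcert.sh /etc/pki/tls/private test-server 3650
#        then: mv /etc/pki/tls/private/vsftpd.pem /etc/pki/tls/certs/

make_selfsigned() {  # $1 output directory, $2 server host name, $3 days (default 3650)
  out=$1; host=$2; days=${3:-3650}
  # umask 077 in a subshell: the key is born 0600 instead of the 0644 that
  # "openssl genrsa > file" gets under the usual umask of 022.
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -days "$days" \
      -subj "/C=JP/ST=Osaka/L=Osaka/O=Beyond/CN=$host" \
      -addext "subjectAltName=DNS:$host" \
      -keyout "$out/vsftpd.key" -out "$out/vsftpd.pem" >/dev/null 2>&1 )
  chmod 600 "$out/vsftpd.key"
  chmod 644 "$out/vsftpd.pem"   # the certificate is public; the key is not
}

# SHA-256 fingerprint (hex, colon separated) to pin in the FTP client.
cert_fingerprint() {  # $1 certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does the certificate cover the host name clients will connect to? yes/no
cert_matches_host() {  # $1 certificate, $2 host name
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

# Does the private key belong to the certificate? Compares the public keys
# derived from each; a mismatch is what "500 OOPS: SSL: cannot load RSA
# private key" style failures at startup usually come from.
key_matches_cert() {  # $1 key, $2 certificate
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ] && echo yes || echo no
}

if [ $# -ge 2 ]; then
  make_selfsigned "$1" "$2" "${3:-3650}"
  printf 'host match: %s, key match: %s\n' \
    "$(cert_matches_host "$1/vsftpd.pem" "$2")" "$(key_matches_cert "$1/vsftpd.key" "$1/vsftpd.pem")"
  printf 'SHA256 fingerprint to compare in the client: %s\n' "$(cert_fingerprint "$1/vsftpd.pem")"
fi
```

Hand the fingerprint to the people who will connect; a client that accepts any certificate on first use gets no protection from an on-path attacker, and a self-signed certificate gives it nothing else to check.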
Connection test
Start vsftpd (add enable if it should come up at boot).
systemctl start vsftpd.service
Connect with explicit FTPS ("FTP over TLS (explicit)") from WinSCP, FileZilla, etc., and compare the certificate fingerprint the client shows before accepting it.
firewalld and SELinux may get in the way. Rather than disabling them, allow what is needed: on firewalld open port 21 and the passive range 61000-61010/tcp (the FTP helper cannot open the data ports for you once the control channel is encrypted), and on SELinux enable the ftpd_full_access boolean so vsftpd may write to users' directories.
Done.