There are tons of ftp servers out there. Some are leftovers from the stone age others are fairly up to date with SSL capability and virtual user support. In this case I have chosen Ubuntu server and Pure-ftpd.
Why: Ubuntu comes out of the box unencumbered by unnecessary bloat that many server editions are forced to install out of a spider web of software dependencies. It at the same time has a very mature package management system which allows for easy software updates.
I'll stop there because I don't intend this to be a flame war on what Linux is best. An important difference that the Ubuntu installation has versus its native configuration is that it uses a configuration wrapper instead of modifying a start-up script. Which is why I am writing this article.
This article assumes that you have an intermediate or advanced knowledge of command line based UNIX operating systems.
Table of contents:
1..........System setup and overview on what needs to be done
3..........Wrapper configuration with virtual users and SSL
4..........Access control via virtual users and iptables and or pure-ftp
1.System setup and overview on what needs to be done
We will be needing an Ubuntu server edition installation. Preferably with a firewall in place.
In this case I have a pile of users who need to use dreamweaver to edit their web sites. Preferably they need to have their own logins, those logins need to be chrooted to their directory. Secondly, the users have no earthly reason to have a system user account.
For security sake I want the option for them to use encryption (once we can get licenses for the newer version of Dreamweaver which supports it). Lastly having these virtual users have disk space quotas so some idiot doesn't up load a ton of the family pictures that were taken with a 10 Megapixel camera and are like 20 Mb a piece causing the storage array to !#*& itself.
Pure-Ftpd can use arbitrary file paths for virtual user home directories. You can assign a local system user account and group for each virtual user or group of virtual users.
You can make a system user and group called webadmin who owns the "sites" folder under "/data/sites". All of the virtual users from a system standpoint are doing business as "webadmin". Pureftp does the job of doing access control and permissions on its end and keeping people in their home folders.
Run the command:
apt-get install pure-ftpdThere is a GUI configuration tool but by default Ubuntu does not have a GUI so I leave that to you.
Once installed the wrapper configuration folder is on "/etc/pure-ftpd". The folder contains a structure like so:
root@stage:/etc/pure-ftpd# ls -al
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 .
drwxr-xr-x 133 root root 12288 2008-02-20 01:32 ..
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 auth
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 conf
drwxr-xr-x 2 root root 4096 2007-06-21 19:01 db
-rw-r--r-- 1 root root 230 2007-06-21 19:01 pureftpd-dir-aliases
Under Auth you will find the following symlinks:
root@stage:/etc/pure-ftpd/auth# ls -alFDelete all of these and make a symlink to "../conf/PureDB":
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 ./
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 ../
lrwxrwxrwx 1 root root 26 2008-02-20 01:32 65unix -> ../conf/UnixAuthentication
lrwxrwxrwx 1 root root 25 2008-02-20 01:32 70pam -> ../conf/PAMAuthentication
root@stage:/etc/pure-ftpd/auth# ln -s ../conf/PureDBGo to the conf directory and edit the "PAMAuthentication" file to say NO insted of YES.
Add a new file called "ChrootEveryone" and edit it and add the word "YES".
Now lets make a user!
pure-pw useradd test -u webadmin -g webadmin -d /data/sites/localhost/ -N 25Where -N is a 25 Mb quota and -u and -g is the userid and groupid of the corresponding system user. -d is the folder that the user is chrooted in. The command "mkdb" creates the binary password database.
Now we have our chrooted ftpd environment finished we just need to configure the ssl option.
now it is possible to FORCE users to use ftp-SSL however thats out side of the scope of this article.
(from the pure-ftpd documentation)
Then go into "/etc/pure-ftpd/conf" and edit the file named "TLS" and add the number "1".mkdir -p /etc/ssl/private openssl req -x509 -nodes -newkey rsa:1024 -keyout \
chmod 600 /etc/ssl/private/*.pem
(0 disables encryption, 1 makes it optional and 2 makes it mandatory).
Now restart the service :
And login to your new ftp server!
4.Access control via virtual users and iptables and or pure-ftp
It pisses me off to read the logs and see all of the automated Interweb
exploit scripted attacks. So here are some suggestions to keep the
automated attacks down.
1. Hosts.deny doesn't work. Use Ip tables filtering.
2. Grab a blackhole ip list (BBL) from http://www.unixhub.com/block.html.
3. Determine your scope of service, if your users work only within the continental United States then blocking AP-NIC and any other non-local IP ranges in their entirety would be a good idea.
If you want to tie it down on a per-user basis try this:
pure-pw usermod testuser \where -r is allowed IP ranged and -R is denied ranges (Example: -R 220.127.116.11/8 -r 192.168.0.0/16)
Barnes, Robert. "Bad IP addresses/Bob's Block List (BBL)", (Accessed Feb, 2008)
Denis, Frank. "Pure ftpd", (Accessed Feb, 2008)
Hornburg, Stefan (Racke). "Debian pure-ftpd-wrapper man page", (Accessed Feb, 2008)