Information Security and Network Awareness

Hurricane Labs


Dealing with the Dinosaurs of IT: Setting up vsftpd on Ubuntu

Although File Transfer Protocol (FTP) is easy to set up, fast, and a widely used way to transmit files between two remote hosts, it has the downside of being an insecure protocol: both credentials and file contents are sent unencrypted. Sometimes FTP is acceptable for files that aren’t sensitive; at other times you will not want to risk eavesdroppers retrieving your confidential information.

This is where Secure File Transfer Protocol (SFTP), which runs over SSH, has the advantage: data is encrypted while being passed between client and server, a layer of protection that FTP doesn’t have, and the server is authenticated, which helps prevent unauthorized access.

So, now that I’ve given you a little refresher on FTP and SFTP, I want to share an interesting issue I ran into the other day.

I was working on setting up a new SFTP server with the following requirements:

  1. A particular legacy device, that was not capable of using SFTP, needed to connect to the server with FTP. (Sometimes older mainframe systems, also known as the “dinosaurs of information technology,” have environments that don’t understand SFTP.)
  2. All other users needed their own SFTP directory access, as before.
  3. The FTP user required access to one of the same directories that the SFTP user needed.

Alright, so, not a big deal. I decided I would just set up SFTP and FTP side-by-side and restrict who is allowed to FTP to the box. I figured I could do this with symlinks, but nope. FileZilla (the client of choice in this case) saw the symlink as a file and wouldn’t recognize it as a separate directory.

I then realized I would have to attack this from a slightly different angle, which was to set up Very Secure FTP Daemon (vsftpd).

Following the instructions from the article “How to setup FTP server on ubuntu 14.04 (VSFTPD)”, I was able to set up vsftpd for FTP and OpenSSH for SFTP.

Here are the steps:

Step 1 » Update repositories:

$ sudo apt-get update

Step 2 » Install vsftpd package using the below command:

$ sudo apt-get install vsftpd

Step 3 » After installation, open the /etc/vsftpd.conf file and make the following changes:

Uncomment the lines below (line numbers 29 and 33 in the default file):

write_enable=YES
local_umask=022

» Uncomment the line below (line number 120) to prevent access to folders outside the home directory:

chroot_local_user=YES

and add the following line at the end (vsftpd refuses to run a chroot whose root directory is writable unless this is set):

allow_writeable_chroot=YES

» Add the following lines to enable passive mode:

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100

Step 4 » Restart vsftpd service using the command below:

$ sudo service vsftpd restart

Step 5 » The FTP server will now listen on port 21. Create a user with the command below, giving it the /usr/sbin/nologin shell so FTP users cannot get a bash shell:

$ sudo useradd -m john -s /usr/sbin/nologin
$ sudo passwd john

Step 6 » Allow the nologin shell as a valid login shell. vsftpd’s PAM configuration (pam_shells) rejects users whose shell is not listed in /etc/shells, so open /etc/shells and add the following line at the end:

/usr/sbin/nologin

Now connect to the FTP server on port 21 with that username using a WinSCP or FileZilla client, and confirm that the user cannot reach folders outside the home directory.
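Steps 3 through 6 edit vsftpd.conf by line number, which only lines up with the stock Ubuntu 14.04 file. The script below is an added example (not code from the original post or from the linked article) that applies the same Step 3 settings from a script: for each key it uncomments a “#key=…” line, replaces an active “key=…” line, or appends the key if it is absent, so running it twice never leaves duplicate or commented-out copies behind. The sample configuration it builds for a dry run is constructed here and is not a copy of the real file.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked article:
# idempotently apply the Step 3 vsftpd.conf settings. POSIX sh, awk and sed only.
set -eu

# set_vsftpd_option FILE KEY VALUE
# Rewrites the first active or commented-out line for KEY, drops any further
# copies, and appends KEY=VALUE if no such line exists.
set_vsftpd_option() {
    awk -v key="$2" -v value="$3" '
        $0 ~ ("^[ \t]*#*[ \t]*" key "=") {
            if (!done) { print key "=" value; done = 1 }
            next                       # discard duplicates of this key
        }
        { print }
        END { if (!done) print key "=" value }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    # "cat >" rather than "mv" keeps the original file's owner and mode
}

# get_vsftpd_option FILE KEY -> the active value (the last one wins), or empty
get_vsftpd_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# apply_page_settings FILE: the directives Step 3 of the post asks for
apply_page_settings() {
    set_vsftpd_option "$1" write_enable YES
    set_vsftpd_option "$1" local_umask 022
    set_vsftpd_option "$1" chroot_local_user YES
    set_vsftpd_option "$1" allow_writeable_chroot YES
    set_vsftpd_option "$1" pasv_enable YES
    set_vsftpd_option "$1" pasv_min_port 40000
    set_vsftpd_option "$1" pasv_max_port 40100
}

# make_sample_conf: writes a constructed stand-in for /etc/vsftpd.conf to a
# temporary file (a few lines in the shape of the stock file) and prints its path
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the real /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022
#local_umask=022
#chroot_local_user=YES
EOF
    printf '%s\n' "$f"
}

# Usage: sudo sh vsftpd-settings.sh /etc/vsftpd.conf  (then restart vsftpd)
if [ "${1-}" ]; then
    apply_page_settings "$1"
    grep -v '^#' "$1" | grep -v '^$'    # show the active directives
fi
```

Run it against a copy of the configuration first (`make_sample_conf` gives you a throwaway file to try it on), then read the result back with `get_vsftpd_option` before restarting the daemon.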

(Please note that using FTP on port 21 is a big security risk. It is highly recommended to use SFTP. Please continue for the SFTP configuration.)

SFTP, also called “Secure FTP,” is the SSH File Transfer Protocol, so the openssh-server package must be installed. Issue the command below if it isn’t already:

$ sudo apt-get install openssh-server

Step 7 » Create a new group, ftpaccess, for the users who will connect over SFTP:

$ sudo groupadd ftpaccess

Step 8 » Now edit /etc/ssh/sshd_config.

» Find the line:

Subsystem sftp /usr/lib/openssh/sftp-server

and replace with:

Subsystem sftp internal-sftp
Match group ftpaccess
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

» and comment out the line below (the last line of the file):

#UsePAM yes

Step 9 » Restart SSHD service:

$ sudo service ssh restart

Step 10 » Follow these steps when creating users for SFTP access:

Create user john in the ftpaccess group with the /usr/sbin/nologin shell:

$ sudo useradd -m john -g ftpaccess -s /usr/sbin/nologin
$ sudo passwd john

Change ownership of the home directory to root (sshd only accepts a ChrootDirectory that is root-owned and not writable by any other user or group):

$ sudo chown root /home/john

Create a folder inside Home Directory for writing, and change ownership of that folder:

$ sudo mkdir /home/john/www
$ sudo chown john:ftpaccess /home/john/www

After following those instructions I had two separate users. We’ll call them FTP and SFTP.

FTP and SFTP had their own home directories (for some reason writing this sounds like I’m explaining the birds and the bees).

I needed to make sure that FTP was the only user that could use that protocol. All other users, once set up, can use SFTP, but only explicitly listed accounts will be allowed to FTP.

  1. Create /etc/vsftpd.user_list and add the user you want to ONLY use FTP.
  2. Add to /etc/vsftpd.conf:

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
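The three directives only work as an allow-list together: userlist_deny defaults to YES in vsftpd, so a user list with userlist_enable=YES but without userlist_deny=NO becomes a deny-list and every other local account can still log in over FTP. The script below is an added example (not part of the original post) that reads a vsftpd.conf and reports who its userlist_* settings actually admit; the defaults it assumes are vsftpd’s documented ones, and the account names in its test data are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: report which accounts a vsftpd
# configuration lets log in over FTP, from its userlist_* directives.
# Assumed defaults are vsftpd's documented ones: userlist_enable=NO,
# userlist_deny=YES, userlist_file=/etc/vsftpd.user_list.
set -eu

# conf_value FILE KEY -> the active value of KEY (the last one wins), or empty
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# ftp_login_policy CONF prints one of:
#   "only: a b"          the list is an allow-list (userlist_deny=NO), the intended state
#   "all-except: a b"    the list is a deny-list (userlist_deny unset or YES)
#   "all-local-users"    no user list is in effect at all
ftp_login_policy() {
    conf=$1
    enable=$(conf_value "$conf" userlist_enable | tr a-z A-Z)
    deny=$(conf_value "$conf" userlist_deny | tr a-z A-Z)
    list=$(conf_value "$conf" userlist_file)
    : "${list:=/etc/vsftpd.user_list}"
    if [ "$enable" != YES ]; then
        echo all-local-users
        return 0
    fi
    # one account per line; skip blank lines and join the rest with spaces
    users=$(grep -v '^[[:space:]]*$' "$list" 2>/dev/null | tr '\n' ' ' | sed 's/ *$//')
    if [ "$deny" = NO ]; then
        echo "only: $users"
    else
        echo "all-except: $users"
    fi
}

# Usage: sh ftp-policy.sh /etc/vsftpd.conf
if [ "${1-}" ]; then
    ftp_login_policy "$1"
fi
```

Anything other than an “only:” line naming just the legacy account means the restriction is not in force, regardless of what the user list file contains.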

As I said, the symlinks to another shared directory weren’t working. So, I added another group, “SHAREDFILES”, and added both of the users to it. I used:

$ sudo mount --bind /var/SHAREDFILES /home/FTP
$ sudo mount --bind /var/SHAREDFILES /home/SFTP

See more here: “DefaultRoot, Symlinks and Chroot()”.

Add those mounts to your fstab (/etc/fstab) so they come back after a reboot:

$ sudo nano /etc/fstab

/var/SHAREDFILES /home/FTP none defaults,bind 0 0
/var/SHAREDFILES /home/SFTP none defaults,bind 0 0

In a normal case, most people would just default back to allowing both accounts FTP access, but I wanted to make sure I took the more secure route. So, ultimately, thanks to legacy systems that can’t SFTP, I was able to do things a little differently and gain a new learning experience.



Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.