FTP user issue

Hello,

I created an FTP user under domainx.be. This user should only have access to the homedir of domainx.be (so: /home/domainx/).
Though I noticed it has access to a lot more:

  • /
  • /etc/
  • /cgroup/
  • /dev/
  • /var/
  • /usr/

I feel this is a security risk. Is there a way to bind the users to their homedirs and not let them get out? Did I overlook something in the config?

Also, and I know it has been talked about here before, but I didn’t really find a suitable answer:
I would like the ftp to work sshftp only.
Is there an easy way of doing this?

Thanks

Okay, I found the restriction part:

  • webmin
  • Servers
  • ProFTPD server
  • Open your virtual FTP server
  • Files and Directories
  • Enable the 3rd option, "Limit Users to Directories":
    - Home Directory – Everyone

Ok, so I have done this for SFTP (TLS, not SSH):
Open FTP Virtual Server Options (Virtualmin => Servers => ProFTPD)
Edit Directives
Add this code:

# Enable mod_tls and require TLS on both the control and the data connection
TLSEngine on
TLSRequired on
# Server certificate and private key (see the openssl command below)
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key.pem
# Do not request a client certificate; do not insist on TLS session reuse for data connections
TLSOptions NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log

Create a certificate in that directory:
openssl req -new -x509 -days 365 -nodes -out /etc/pki/tls/certs/proftpd.cert.pem -keyout /etc/pki/tls/certs/proftpd.key.pem

SFTP connection works

I also changed the default port to 21212 by adding:

Port 21212

Malicious people like to try to brute-force default ports. I changed all default ports to something else.

In the meantime I also set my iptables (allow 21212, drop everything else) and I’m facing a problem:

I can connect to the ftp server and I can list. I cannot download or upload.

What might I have done wrong?

I created a group “ftpusers” and added the users to it that should be able to have ftp access
I added the following code to the Directive:

AllowGroup ftpusers

This does not seem to work. I still cannot download or upload.

I get a time out. Perhaps this has something to do with the ports I blocked?

So I checked the logs:

/var/log/messages says:

May 1 14:20:25 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session opened.
May 1 14:20:25 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Preparing to chroot to directory ‘/home/domainx/public_html’
May 1 14:21:26 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.
May 1 14:21:26 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session opened.
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Preparing to chroot to directory ‘/home/domainx/public_html’
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Refused PORT 192,168,1,101,200,183 (address mismatch)
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.
May 1 14:21:37 server02 proftpd[29249]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Client session idle timeout, disconnected
May 1 14:21:37 server02 proftpd[29249]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.

You may notice this line:
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Refused PORT 192,168,1,101,200,183 (address mismatch)
192.168.1.101 is my internal IP. What is happening here?

/var/log/proftpd/tls.log says:

May 01 14:20:25 mod_tls/2.4.2[32028]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 01 14:20:25 mod_tls/2.4.2[32028]: TLS/TLS-C requested, starting TLS handshake
May 01 14:20:25 mod_tls/2.4.2[32028]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
May 01 14:20:25 mod_tls/2.4.2[32028]: Protection set to Private

During this action I tried to download index.html
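An added example (not from this thread) that shows how to read the "Refused PORT ... (address mismatch)" line: it parses constructed ProFTPD log lines, decodes the six PORT numbers into the address and TCP port the client asked the server to connect back to, and flags the typical NAT case where that address is private and differs from the control connection's source. The server and client addresses in the sample are constructed documentation-range values; only the PORT arguments come from the post.

```python
import re
from ipaddress import ip_address

# Constructed sample in ProFTPD's syslog format (documentation-range addresses,
# not the poster's real ones); the PORT arguments are the ones quoted in the post.
SAMPLE_LOG = """\
May 1 14:21:26 server02 proftpd[32422]: 203.0.113.7 (::ffff:198.51.100.23[::ffff:198.51.100.23]) - FTP session opened.
May 1 14:21:27 server02 proftpd[32422]: 203.0.113.7 (::ffff:198.51.100.23[::ffff:198.51.100.23]) - Refused PORT 192,168,1,101,200,183 (address mismatch)
May 1 14:21:27 server02 proftpd[32422]: 203.0.113.7 (::ffff:198.51.100.23[::ffff:198.51.100.23]) - FTP session closed.
"""

# Format: "proftpd[pid]: server (clienthost[clientaddr]) - message"; clientaddr may carry an IPv4-mapped ::ffff: prefix.
LINE_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \(\S+\[(?:::ffff:)?(?P<client>[^\]]+)\]\) - (?P<msg>.*)$"
)
PORT_RE = re.compile(r"Refused PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+) \(address mismatch\)")

def decode_port_args(h1, h2, h3, h4, p1, p2):
    """PORT h1,h2,h3,h4,p1,p2 names the client address and the TCP port p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def find_port_mismatches(log_text):
    """Return one finding per refused active-mode PORT command in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = PORT_RE.search(m["msg"])
        if not p:
            continue
        requested_ip, requested_port = decode_port_args(*map(int, p.groups()))
        control_ip = m["client"]
        findings.append({
            "pid": int(m["pid"]),
            "control_ip": control_ip,
            "requested_ip": requested_ip,
            "requested_port": requested_port,
            # A private address that is not where the control connection came from
            # means a NAT'd client; the server could never reach it, so refusing is right.
            "client_behind_nat": requested_ip != control_ip
                                 and ip_address(requested_ip).is_private,
        })
    return findings

if __name__ == "__main__":
    for f in find_port_mismatches(SAMPLE_LOG):
        print(f"pid {f['pid']}: control from {f['control_ip']}, client asked for "
              f"{f['requested_ip']}:{f['requested_port']}, behind NAT: {f['client_behind_nat']}")
```

The refused active-mode request is why listing fails with a timeout: the server cannot connect back to a 192.168.x address. Switching the client to passive mode moves the data connection to a server-side port range, which a firewall that only admits the control port will also block unless that range (ProFTPD's PassivePorts directive) is opened too.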

Howdy,

This user should only have access to the homedir of domainx.be (so: /home/domainx/). Though I noticed it has access to a lot more

You can setup FTP directory restrictions in Virtualmin by going into Limits and Validation -> FTP Directory Restrictions. In there, you can specify that FTP users should be jailed into their own directories.

I know it has been talked about here before, but I didn’t really find a suitable answer: I would like the ftp to work sshftp only. Is there an easy way of doing this?

Hmm, are you interested in SFTP (which uses SSH over port 22)? Or FTP, using TLS?

I’ve unfortunately had little success configuring FTP and TLS. Which isn’t to say that it can’t work, but more so to say that I’m not sure how to make it work :)

-Eric

Eric,

Thanks. I set the option for the FTP Limit.
This seems to be working also.

Either option is fine for me, TLS or SSH. I got TLS working so that I can log in, but I can’t do any actions (chmod, download, upload).
Only list.

Do you have any clue as to why this is not working, or can you tell me what a better practice would be to setup ssh ftp?

Thanks