I created an FTP user under domainx.be. This user should only have access to the homedir of domainx.be (so: /home/domainx/).
Though I noticed it has access to a lot more:
/
/etc/
/cgroup/
/dev/
/var/
/usr/
…
I feel this is a security risk. Is there a way to bind the users to their homedirs and not let them get out?
Did I overlook something in the config?
Also, I know it has been talked about here before, but I didn't really find a suitable answer:
I would like the ftp to work sshftp only.
Is there an easy way of doing this?
OK, so I have done this for SFTP (TLS, not SSH):
Open FTP Virtual Server Options (Virtualmin => Servers => ProFTPD)
Edit Directives
Add this code:
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key.pem
TLSOptions NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
Create a certificate in that directory:
openssl req -new -x509 -days 365 -nodes -out /etc/pki/tls/certs/proftpd.cert.pem -keyout /etc/pki/tls/certs/proftpd.key.pem
SFTP connection works.
I also changed the default port to 21212 by adding:
Port 21212
Malicious people like to try to bruteforce default ports. I changed all default ports to something else.
/var/log/messages says:
May 1 14:20:25 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session opened.
May 1 14:20:25 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Preparing to chroot to directory ‘/home/domainx/public_html’
May 1 14:21:26 server02 proftpd[32028]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.
May 1 14:21:26 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session opened.
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Preparing to chroot to directory ‘/home/domainx/public_html’
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Refused PORT 192,168,1,101,200,183 (address mismatch)
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.
May 1 14:21:37 server02 proftpd[29249]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Client session idle timeout, disconnected
May 1 14:21:37 server02 proftpd[29249]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - FTP session closed.
You may notice this line:
May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx (::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - Refused PORT 192,168,1,101,200,183 (address mismatch)
192.168.1.101 is my internal IP. What is happening here?
/var/log/proftpd/tls.log says:
May 01 14:20:25 mod_tls/2.4.2[32028]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 01 14:20:25 mod_tls/2.4.2[32028]: TLS/TLS-C requested, starting TLS handshake
May 01 14:20:25 mod_tls/2.4.2[32028]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
May 01 14:20:25 mod_tls/2.4.2[32028]: Protection set to Private
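What the "Refused PORT ... (address mismatch)" line means: in active mode the client tells the server, via PORT h1,h2,h3,h4,p1,p2, which address and port to connect back to, and proftpd refuses when that address is not the one the control connection came from (which also blocks FTP bounce attacks). 192,168,1,101,200,183 is the client's private LAN address and port 200*256+183, so a client behind NAT announces an address the server can never reach; passive mode avoids the problem. This is an added Python example, not code from the post or from ProFTPD; the log line is constructed from the entry above and the control-peer addresses are assumed documentation addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on the refused PORT entry in the post above.
LOG_LINE = ("May 1 14:21:27 server02 proftpd[32422]: xx.xxseverip.xx.xx "
            "(::ffff:myip.xx.xx.xx.xx[::ffff:myip.xx.xx.xx.xx]) - "
            "Refused PORT 192,168,1,101,200,183 (address mismatch)")

PORT_RE = re.compile(r"Refused PORT (\d+(?:,\d+){5}) \((.*?)\)")


def parse_port_argument(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command into (ip, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    host = ipaddress.IPv4Address(".".join(str(p) for p in parts[:4]))
    port = parts[4] * 256 + parts[5]
    return host, port


def check_port_command(arg, control_peer):
    """Apply the kind of sanity checks an FTP server applies before honouring PORT:
    the data address must equal the control connection's peer address (so a third
    host cannot be made the target of the data connection), and the port must be
    unprivileged (> 1023)."""
    host, port = parse_port_argument(arg)
    peer = ipaddress.ip_address(control_peer)
    # The post's logs show peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them.
    if isinstance(peer, ipaddress.IPv6Address) and peer.ipv4_mapped:
        peer = peer.ipv4_mapped
    if host != peer:
        reason = "address mismatch"
        if host.is_private:
            reason += " (client announced a private address: NAT, use passive mode)"
        return False, reason
    if port < 1024:
        return False, "privileged port"
    return True, "ok"


def explain_refused_port(line, control_peer):
    """Parse a 'Refused PORT ...' log entry and report what the client asked for."""
    m = PORT_RE.search(line)
    if not m:
        return None
    host, port = parse_port_argument(m.group(1))
    ok, reason = check_port_command(m.group(1), control_peer)
    return {"requested": "%s:%d" % (host, port), "server_reason": m.group(2),
            "accepted": ok, "why": reason}
```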
This user should only have access to the homedir of domainx.be (so: /home/domainx/). Though I noticed it has access to a lot more
You can setup FTP directory restrictions in Virtualmin by going into Limits and Validation -> FTP Directory Restrictions. In there, you can specify that FTP users should be jailed into their own directories.
I know it has been talked about here before, but I didn’t really find a suitable answer: I would like the ftp to work sshftp only. Is there an easy way of doing this?
Hmm, are you interested in SFTP (which uses SSH over port 22)? Or FTP, using TLS?
I've unfortunately had little success configuring FTP and TLS, which isn't to say that it can't work, but more so to say that I'm not sure how to make it work.