Guide to secure ftp

From NAS-4220


Goal: restricting FTP access to a specified zone, even for the admin login. Admin will have full access to that zone and user "user_a" will have read-only access.

WARNING: logging in to FTP as admin is a bad idea (plain FTP sends the user name and password in cleartext), so be sure to read the "One step beyond" section of this guide.

The hardcore way is to install the SSH and Local_Apps packages, use PuTTY (easy to find with Google) to log on to the box through SSH, edit the proftpd.conf file with the horrible "vi" (a nightmare for Windows users like me), and finally find out how to keep the changes across reboots (I haven't gone as far as this last step and it's beyond this guide's scope). Hopefully there's an easier way.

Assumed statements for this guide (some things will need to be adjusted to your hardware and needs):

  1. FTP is enabled (easy and obvious one)
  2. A user named "user_a" exists
  3. There's no user named "nobody"
  4. FTP access will be limited to /public/ftp/
  5. In my case the box's hard drives are mounted as md1 (check the "Path" on your box's "Share Management" console page if you need to)

Recommended software: Notepad++ for easy editing of the box's config files and the like in Windows, since the files use Unix line endings and Notepad isn't able to read them correctly and shows them as one long line (a very nice portable version can be found here; note: if you want to associate the .conf file extension with it in Windows, don't link to Notepad++Portable.exe but to notepad++.exe in \App\Notepad++\)

Required package: Skara's excellent Userscript package (see here for details, and make sure to download version 0.21 from there)

  • Simply copy the Userscript package to /public/applications/new_software/ and reboot the box to install it (a reboot is required before going on to the next step)
  • Copy /public/applications/userscript/example/proftpd.sh to /public/applications/userscript/scripts/
  • Look in /public/applications/userscript/example/config/ and select the file corresponding to your hard drive(s); copy it, rename the copy proftpd.conf and move it to /public/applications/userscript/config/
  • Edit that new proftpd.conf file (that's where Notepad++ is useful) and apply the changes below:

Change the DefaultRoot line (this is enough to lock the FTP server into the restricted zone, but at this point only the "admin" user has access to it):

DefaultRoot /mnt/md1/public/ftp

Change the following lines in the <Anonymous //mnt/md1/guest-share> section (this points the anonymous section at an account that doesn't exist on the box, see assumption 3, so anonymous guest-share logins no longer work):

User nobody
Group nobody

Now in the <Directory /mnt/md1/admin> section, comment out these lines (you can also remove them):

# <Limit DIRS READ WRITE>
# AllowUser admin
# </Limit>

Same thing in the <Directory /mnt/md1/guest-share> section:

# <Limit DIRS READ WRITE>
# AllowUser guest-share
# </Limit>

And finally change the last section to this (1st line changed and a <Limit DIRS READ> section added):

<Directory /mnt/md1/public/ftp>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ>
AllowUser user_a
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>

- Reboot the box

Done! :)


Special thanks to jger and vishcompany for their help


== One step beyond ==

Logging in to FTP as admin is a bad idea without SSL, and keeping the FTP root inside the public zone doesn't seem such a good idea either (an attacker might reach the rest of the public share even though ProFTPD supposedly locks it).

New goal: FTP access will be restricted to "/mnt/md1/ftp" instead of "/mnt/md1/public/ftp", and "user_a" will have full access so there is no need to log in as admin.

Additional statements:

  1. you have created a share named "ftp" (presumably at "/mnt/md1/ftp"; you may need to adjust this)
  2. "ftp" share rights: "user_a" has full access, "admin" has none

Here are the config changes (note: these replace the first guide's changes):

Change the DefaultRoot line (this is enough to lock the FTP server into the restricted zone, but at this point only the "admin" user has access to it):

DefaultRoot /mnt/md1/ftp

Change the following lines in the <Anonymous //mnt/md1/guest-share> section (as in the first guide, this disables anonymous guest-share logins):

User nobody
Group nobody

Look for the "ScoreboardFile" line, comment it out as shown and add the 2 lines after it (the original file used the .pid path for the scoreboard; this gives the PID file and the scoreboard separate files):

#ScoreboardFile /var/run/proftpd.pid
PidFile /var/run/proftpd.pid
ScoreboardFile /var/run/proftpd/proftpd.scoreboardfile


Now in the <Directory /mnt/md1/admin> section, comment out these lines (you can also remove them):

# <Limit DIRS READ WRITE>
# AllowUser admin
# </Limit>

Same thing in the <Directory /mnt/md1/guest-share> section:

# <Limit DIRS READ WRITE>
# AllowUser guest-share
# </Limit>

And finally change the last section to this (1st line changed, admin is denied access and "user_a" is given full access):

<Directory /mnt/md1/ftp>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
#AllowUser admin
AllowUser user_a
</Limit>
</Directory>

- Reboot the box
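Both procedures above end with a reboot, and a typo in proftpd.conf (or a forgotten "AllowUser admin" in the admin or guest-share section) only shows up afterwards. The script below is an added example, not part of this wiki page or of Skara's Userscript package: check_conf statically checks the edited file before you reboot (DefaultRoot must be the restricted zone, and no active "AllowUser admin" may remain outside it, or anywhere at all in the "One step beyond" variant), and check_ftp exercises the live box with curl afterwards, because the effective permissions come from the order of the <Limit> sections and are better verified than assumed. The sample config, host name (NAS_HOST), password variable and probe file name are constructed placeholders; POSIX sh, awk and curl are assumed to be available on the machine you run it from (not the NAS itself).

```shell
#!/bin/sh
# Added example, not from the NAS-4220 wiki or the Userscript package.
# Assumptions: POSIX sh with awk and mktemp; curl for the live check;
# NAS_HOST / USER_A_PASS are placeholders you must set yourself.

# check_conf CONF EXPECTED_ROOT MODE
#   MODE "zone":  admin may be allowed only inside EXPECTED_ROOT (first guide)
#   MODE "never": admin must not be allowed anywhere ("One step beyond")
# Returns 0 when the file passes, 1 otherwise. Commented lines (# ...) are ignored.
check_conf() {
    conf=$1; want_root=$2; admin_mode=$3
    root=$(awk '$1 == "DefaultRoot" { print $2; exit }' "$conf")
    if [ "$root" != "$want_root" ]; then
        echo "FAIL: DefaultRoot is '$root', expected '$want_root'" >&2
        return 1
    fi
    # Walk <Directory ...> blocks and report every active "AllowUser admin"
    # that sits outside the restricted zone (or anywhere, in "never" mode).
    leaks=$(awk -v root="$want_root" -v mode="$admin_mode" '
        /^[ \t]*<Directory[ \t]/      { dir = $2; sub(/>$/, "", dir) }
        /^[ \t]*<\/Directory>/        { dir = "" }
        /^[ \t]*AllowUser[ \t]+admin([ \t]|$)/ {
            if (dir == "" || dir != root || mode == "never")
                print (dir == "" ? "(outside any Directory)" : dir)
        }' "$conf")
    if [ -n "$leaks" ]; then
        echo "FAIL: admin still allowed in: $leaks" >&2
        return 1
    fi
    return 0
}

# check_ftp HOST USER PASS MODE
#   MODE "read": listing works, upload refused      (user_a in the first guide)
#   MODE "full": listing and upload both work       (user_a in "One step beyond")
#   MODE "none": listing refused                    (admin in "One step beyond")
# Plain FTP: credentials travel in cleartext, so run this from the LAN only.
check_ftp() {
    host=$1; user=$2; pass=$3; mode=$4
    probe=$(mktemp); printf 'probe\n' > "$probe"
    if curl -sS -u "$user:$pass" "ftp://$host/" >/dev/null 2>&1; then listed=yes; else listed=no; fi
    if curl -sS -u "$user:$pass" -T "$probe" "ftp://$host/secure-ftp-probe.txt" >/dev/null 2>&1
    then stored=yes; else stored=no; fi
    rm -f "$probe"
    if [ "$stored" = yes ]; then   # clean up the probe file we just uploaded
        curl -sS -u "$user:$pass" -Q "DELE secure-ftp-probe.txt" "ftp://$host/" >/dev/null 2>&1
    fi
    case "$mode" in
        read) [ "$listed" = yes ] && [ "$stored" = no ] ;;
        full) [ "$listed" = yes ] && [ "$stored" = yes ] ;;
        none) [ "$listed" = no ] && [ "$stored" = no ] ;;
        *)    echo "unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# Demo on a constructed fragment shaped like the first guide's result
# (this is not the box's real file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
DefaultRoot /mnt/md1/public/ftp
<Directory /mnt/md1/admin>
# <Limit DIRS READ WRITE>
# AllowUser admin
# </Limit>
</Directory>
<Directory /mnt/md1/public/ftp>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ>
AllowUser user_a
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>
EOF
check_conf "$demo_conf" /mnt/md1/public/ftp zone && echo "config check passed"
rm -f "$demo_conf"

# Live check only when a host is given, e.g.:
#   NAS_HOST=192.0.2.10 USER_A_PASS=secret sh secure-ftp-check.sh
if [ -n "$NAS_HOST" ]; then
    check_ftp "$NAS_HOST" user_a "$USER_A_PASS" read && echo "user_a: read-only as expected"
fi
```

For the "One step beyond" variant, run check_conf with /mnt/md1/ftp and "never", then check_ftp with "full" for user_a and "none" for admin. The curl calls are the same ones you would type by hand; wrapping them in a function just makes the expected outcome explicit so a silent regression (admin still able to upload into the public share) cannot be mistaken for success.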


--fatimon
