IRAX.

User Tools

Site Tools

Trace:
irax:dc_plus:ftp_service:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
irax:dc_plus:ftp_service:start [2025/01/31 16:39] ianirax:dc_plus:ftp_service:start [2026/04/24 08:42] (current) – removed 216.73.216.148
Line 1: Line 1:
-====== FTP service configuration ====== 
-**__FTP service configuration __** 
- 
-**__Process overview __** 
- 
-**SFTP logins are **only accepted on the ftpserver, which in turn creates a temporary ssh fuse connection to the target server for the user  this also only allows access to the user directory and not to any luther locations   
- 
-Access from the internet is via ftps.irax.com 185.70.9.229 using port 22  any connection on this address on port 22 is forwarded to the ftpserver on 192.168.10.16 port 2222 
- 
-The user ftpconnect needs to be on the target host for the sshfs connection  and the associated keys held  in .ssh/authorized_keys 
- 
-The sftp server also is open to the internet and attracts unwanted traffic.  
- 
-There are two methods of managing this - The external pfsense  firewall has  a plock list rule where we can add particularly troubling IP addresses  and the server also has fail2ban installed to operate on port 2222 
- 
-**SFTP server 192.168.10.16 configuration.  ** 
- 
-**__A.  SFTP users. (the logins to be used by the users of the ftp service )__** 
- 
-**User overview ** 
- 
-Only available to users having a radius login. Pam radius calls a batch script   
- 
-/etc/ftpusers/map.sh 
- 
-This script uses the user.conf file where we map the drive to be mounted on a target host.   
- 
-In order to achieve this we need to configure the following  
- 
-  - SSH User configuration Local ssh user with home directory in a particular location  
-  - SSHD configuration for SSH user ssh in /etc/ssh/sshd 
-  - Scripted user creation 
-  - User configuration for mounting sshfs drive.  
-  - PAM modifications and pam radius auth  
-**1 SSH user configuration** 
- 
-** Preliminary conditions.**  
- 
-There should be a directory  named /home/ftpusers owned by root  
- 
- ** Create sftp user as follows ** 
- 
-  useradd -m  -s /usr/sbin/nologin  -d /home/ftpusers/<user>  <user>  
-  mkdir /home/ftpusers/<user>/home  
-  chown root:root /home/ftpusers/$1/ -R 
-  chmod 755  /home/ftpusers/$1/ 
-  chmod 777  /home/ftpusers/$1/home ** 
- 
-**2 SSHD configuration**** ** 
- 
-**Preliminary conditions.  ** 
- 
- /etc/ssh/sshd_config should have the  following instruction  
- 
-  subsystem  sftp internal-sftp 
- 
- This config  file should also be able to load .conf files in /etc/ssh/sshd_config.d 
- 
-**Chroot config for ftp users** 
- 
-A file named<code> <user>.conf </code> containing the following should be created for each user in  /etc/ssh/sshd_config.d 
- 
-  
-<code> 
- Match Group <user> 
- X11Forwarding no 
- AllowTcpForwarding no 
- ChrootDirectory /home/ftpusers/<user>   
- ForceCommand  internal-sftp" 
- </code> 
- 
-**3 Scripted user creation** 
- 
-Scripts exist for enabling sections 1 and 2 to be done more efficiently.  
- 
-Scripts are located here:  /etc/ftpusers 
- 
-| Script| Description | Usage | 
-| newftpuser.sh| Add new user | ./newftpuser.sh foobar| 
-| delftpuser.sh | Delete a user | ./delftpuser.sh foobar| 
-| map.sh| Mapping sftp drives per user, called by pam sshd at login | | 
-| users.conf| User mapping configuration must be manually edited after user is created | | 
-| sftp.log| Log of connections | tail -sftp.log| 
-| mountme.sh| Use for testing mounts. | ./mountme.sh| 
- 
-**4 User configuration for mounting sshfs drive. ** 
- 
-/etc/ftpusers/map.sh  called by pam  is the bash script that creates the sshfs mount to the target host for a given user the script uses the mappings per user  is configured in users.conf 
-<code> 
- [<user>] 
- user = <user> 
- path = a_folder/another/folder 
-host = <host Address or name 
-</code 
- 
-Note:  the path is actually  /home/ a_folder/another/folder  as per the Irax standard for web sites ( perhaps we could change this in map.sh  so that /home/was not prepended) 
- 
-Eg 
-<code> 
- [iw-ian] 
- user = iw-ian 
- path = http-sites/ecoco/ 
- host = 192.168.10.10 
-</code> 
- 
-//**Note 2  Perhaps this could be modified to load config files from a subdirectory . it would be easier to set  up a default to be automatically added in newftpuser.sh**// 
- 
-**5. PAM modifications and pam radius auth** 
- 
-**/etc/pam.d/sshd configuration ** 
- 
-We are concerned with the sshd login  so edit /etc/pam.d/sshd  
- 
-/the following is the current configuration for ubuntu 24.04 LTS 
- 
-Key additions to the standard sshd file are  
- 
-auth sufficient pam_radius_auth.so 
- 
-and  
- 
-session  optional  pam_exec.so  /etc/ftpusers/map.sh 
- 
-** ** 
- 
-# PAM configuration for the Secure Shell service 
- 
-auth sufficient pam_radius_auth.so 
- 
-# Standard Un*x authentication. 
- 
-@include common-auth 
- 
-# Disallow non-root logins when /etc/nologin exists. 
- 
-account  required  pam_nologin.so 
- 
-# Uncomment and edit /etc/security/access.conf if you need to set complex 
- 
-# access limits that are hard to express in sshd_config. 
- 
-# account  required  pam_access.so 
- 
-# Standard Un*x authorization. 
- 
-@include common-account 
- 
-# SELinux needs to be the first session rule.  This ensures that any 
- 
-# lingering context has been cleared.  Without this it is possible that a 
- 
-# module could execute code in the wrong domain. 
- 
-#session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so close 
- 
-# Set the loginuid process attribute. 
- 
-session  required  pam_loginuid.so 
- 
-# Create a new session keyring. 
- 
-session  optional  pam_keyinit.so force revoke 
- 
-# Standard Un*x session setup and teardown. 
- 
-@include common-session 
- 
-# Print the message of the day upon successful login. 
- 
-# This includes a dynamically generated part from /run/motd.dynamic 
- 
-# and a static (admin-editable) part from /etc/motd. 
- 
-session  optional  pam_motd.so  motd=/run/motd.dynamic 
- 
-session  optional  pam_motd.so noupdate 
- 
-session  optional  pam_exec.so  /etc/ftpusers/map.sh 
- 
-# Print the status of the user's mailbox upon successful login. 
- 
-session  optional  pam_mail.so standard noenv # [1] 
- 
-# Set up user limits from /etc/security/limits.conf. 
- 
-session  required  pam_limits.so 
- 
-# Read environment variables from /etc/environment and 
- 
-# /etc/security/pam_env.conf. 
- 
-session  required  pam_env.so # [1] 
- 
-# In Debian 4.0 (etch), locale-related environment variables were moved to 
- 
-# /etc/default/locale, so read that as well. 
- 
-session  required  pam_env.so user_readenv=1 envfile=/etc/default/locale 
- 
-# SELinux needs to intervene at login time to ensure that the process starts 
- 
-# in the proper default security context.  Only sessions which are intended 
- 
-# to run in the user's context should be run after this. 
- 
-session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so open 
- 
-# Standard Un*x password updating. 
- 
-@include common-password 
- 
-**__ B. ftpconnect user __** 
- 
-**** 
- 
-There needs to be a user on the target machine that the can be used for ssh connections with the ssh keys  
- 
-Sshfs relies on the user also having the same GID and UID  
- 
-GID and UID may be set  retrospectively using   
- 
- usermod -u 2000 ftpconnect;groupmod -g 2000 ftpconnect 
- 
-Or by assigning them at user creation  
- 
- Useradd ftpconnect -u 2000 -g 2000 
- 
-The keys should be located in the usual place i.e.  home/ftpconnect/.ssh/authorized_keys. 
- 
-Ian Warburton  
- 
-8th Nov 2024  
- 
- 
  
irax/dc_plus/ftp_service/start.1738341583.txt.gz · Last modified: 2025/01/31 16:39 by ian · Currently locked by: 10.32.1.188,216.73.216.148