FTP service configuration

Process overview

SFTP logins are only accepted on the ftpserver, which in turn creates a temporary sshfs connection to the target server for that user. The mount only exposes the user's own directory on the target, not any other location.

Access from the internet is via ftps.irax.com (185.70.9.229) on port 22. Any connection to that address on port 22 is forwarded to the ftpserver at 192.168.10.16 on port 2222.

The user ftpconnect needs to exist on the target host for the sshfs connection, with the ftpserver's public key in its ~/.ssh/authorized_keys.

The sftp server is also exposed to the internet and attracts unwanted traffic.

There are two ways of managing this: the external pfSense firewall has a block list rule to which particularly troublesome IP addresses can be added, and the server also has fail2ban installed, watching port 2222.

SFTP server 192.168.10.16 configuration.

A. SFTP users (the logins used by the users of the ftp service)

User overview

Logins are only available to users with a RADIUS account; authentication is handled by pam_radius_auth. At session start PAM (pam_exec) calls the bash script

/etc/ftpusers/map.sh

This script reads users.conf, which maps each user to the directory to be mounted from a target host.

In order to achieve this we need to configure the following

  1. SSH user configuration: a local ssh user with its home directory in a particular location
  2. SSHD configuration for that user: a drop-in file in /etc/ssh/sshd_config.d
  3. Scripted user creation
  4. User configuration for mounting the sshfs drive
  5. PAM modifications and pam_radius_auth

1 SSH user configuration

Preliminary conditions.

There should be a directory named /home/ftpusers owned by root. It is the parent of every ChrootDirectory below, so it must not be group- or world-writable (mode 755).

Create the sftp user as follows (substitute the login name for <user>)

useradd -m -s /usr/sbin/nologin -d /home/ftpusers/<user> <user>
mkdir /home/ftpusers/<user>/home
chown root:root /home/ftpusers/<user>/ -R
chmod 755 /home/ftpusers/<user>/
chmod 777 /home/ftpusers/<user>/home

sshd requires the chroot directory itself to be owned by root and writable by nobody else, hence the 755. The home subdirectory is only the mount point for the sshfs mount, so its 777 is visible to the user only while the mount is absent.

2 SSHD configuration

Preliminary conditions.

/etc/ssh/sshd_config should have the following instruction

Subsystem sftp internal-sftp

It should also include the .conf files in /etc/ssh/sshd_config.d; Ubuntu's default sshd_config does this with Include /etc/ssh/sshd_config.d/*.conf at the top of the file.

Chroot config for ftp users

A file named

 <user>.conf

containing the following should be created for each user in /etc/ssh/sshd_config.d (useradd creates a private group with the same name as the user, which is what the Match line selects)

 Match Group <user>
     X11Forwarding no
     AllowTcpForwarding no
     ChrootDirectory /home/ftpusers/<user>
     ForceCommand internal-sftp

Run sshd -t before reloading sshd: a mistake in a drop-in stops sshd from starting.
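Steps 1 and 2 combined into one script, as an added example; this is not the site's own newftpuser.sh from section 3. It uses only the paths given on this page; the DRY_RUN switch and the chroot_path_ok check are additions introduced here. The check reproduces the rule sshd applies to a ChrootDirectory (root-owned, not group- or world-writable, all the way up to /), so a bad directory is caught before sshd is reloaded.

```shell
#!/bin/sh
# Added example: steps 1 and 2 as one script (not the site's newftpuser.sh).
# Run as root on the ftpserver; DRY_RUN=1 prints the commands instead.
set -eu

FTPROOT=/home/ftpusers              # from this page
DROPIN=/etc/ssh/sshd_config.d       # from this page

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The per-user drop-in. useradd's default private group has the user's
# name, so Match Group selects exactly that login.
match_block() {
  cat <<EOF
Match Group $1
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory $FTPROOT/$1
    ForceCommand internal-sftp
EOF
}

# sshd refuses a ChrootDirectory unless it and every parent are owned by
# root and not group/world writable; check that before touching sshd.
chroot_path_ok() {
  p=$1
  while [ "$p" != / ]; do
    [ "$(stat -c %u "$p")" = 0 ] || { echo "$p: not owned by root" >&2; return 1; }
    [ -z "$(find "$p" -maxdepth 0 -perm /g+w,o+w)" ] || { echo "$p: group/world writable" >&2; return 1; }
    p=$(dirname "$p")
  done
}

new_sftp_user() {
  u=$1
  # the name ends up in paths and in a Match line: keep it to a safe charset
  case $u in
    ""|-*|*[!a-z0-9_-]*) echo "bad username: $u" >&2; return 1 ;;
  esac
  if [ "${DRY_RUN:-0}" != 1 ] && [ ! -d "$FTPROOT" ]; then
    echo "$FTPROOT missing (create it root-owned, mode 755)" >&2; return 1
  fi
  run useradd -m -s /usr/sbin/nologin -d "$FTPROOT/$u" "$u"
  run mkdir -p "$FTPROOT/$u/home"
  run chown -R root:root "$FTPROOT/$u"
  run chmod 755 "$FTPROOT/$u"
  run chmod 777 "$FTPROOT/$u/home"      # sshfs mount point, as prescribed on this page
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "+ write $DROPIN/$u.conf:"; match_block "$u"
    return 0
  fi
  chroot_path_ok "$FTPROOT/$u"
  match_block "$u" > "$DROPIN/$u.conf"
  /usr/sbin/sshd -t                      # validate the whole config, drop-ins included
  systemctl reload ssh
}

if [ $# -ge 1 ]; then new_sftp_user "$1"; fi
```

Usage: DRY_RUN=1 ./newuser.sh foobar to see what would be run, then ./newuser.sh foobar as root. The username filter matters because the name is spliced into a Match line and into paths; a login name starting with "-" would otherwise be read as an option by useradd.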
 

3 Scripted user creation

Scripts exist so that sections 1 and 2 can be done more efficiently.

Scripts are located here: /etc/ftpusers

Script          Description                                                          Usage
newftpuser.sh   Add a new user                                                       ./newftpuser.sh foobar
delftpuser.sh   Delete a user                                                        ./delftpuser.sh foobar
map.sh          Mounts the sftp drive for a user; called by PAM (sshd) at login
users.conf      User mapping configuration; must be edited by hand after a user is created
sftp.log        Log of connections                                                   tail -f sftp.log
mountme.sh      For testing mounts                                                   ./mountme.sh

4 User configuration for mounting sshfs drive.

/etc/ftpusers/map.sh, called by PAM, is the bash script that creates the sshfs mount to the target host for a given user. The script takes the per-user mappings from users.conf, one section per user:

 [<user>]
 user = <user>
 path = a_folder/another/folder
 host = <host address or name>

Note: the path is actually /home/a_folder/another/folder, as per the Irax standard for web sites (perhaps we could change this in map.sh so that /home/ is not prepended).

e.g.

 [iw-ian]
 user = iw-ian
 path = http-sites/ecoco/
 host = 192.168.10.10

Note 2: perhaps this could be modified to load config files from a subdirectory; it would then be easier for newftpuser.sh to add a default entry automatically.
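What the pam_exec session hook has to do, as an added example that is not the site's map.sh: read users.conf, build the sshfs mount for PAM_USER on open_session, remove it on close_session, and do nothing for logins that have no mapping. It also illustrates the session line in section 5. The private-key path SSHFS_KEY and the log line format are assumptions, as the page does not give them; the host, path and mount-point layout are the ones described above.

```shell
#!/bin/sh
# Added example of a pam_exec session hook for this design; it is not the
# site's /etc/ftpusers/map.sh. pam_exec runs it as root with PAM_USER and
# PAM_TYPE in the environment.
set -eu

USERS_CONF=${USERS_CONF:-/etc/ftpusers/users.conf}
FTPROOT=/home/ftpusers
SSHFS_USER=ftpconnect
SSHFS_KEY=/root/.ssh/ftpconnect     # ASSUMED: where the ftpserver keeps the private key for ftpconnect
REMOTE_PREFIX=/home                 # Irax convention: users.conf paths are relative to /home on the target
LOG=/etc/ftpusers/sftp.log

# conf_get FILE SECTION KEY: print the value of KEY in [SECTION], empty if absent
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && index($0, "=") {
      k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]+/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); print v; exit }
    }' "$1"
}

# mount_cmd USER: print the sshfs command for USER, or return 1 when
# users.conf has no mapping (ordinary ssh logins must be left untouched)
mount_cmd() {
  host=$(conf_get "$USERS_CONF" "$1" host)
  path=$(conf_get "$USERS_CONF" "$1" path)
  [ -n "$host" ] && [ -n "$path" ] || return 1
  # allow_other: root does the mount but the sftp session runs as the user
  # StrictHostKeyChecking=yes: the target's host key must already be in root's known_hosts
  printf 'sshfs -o allow_other,IdentityFile=%s,StrictHostKeyChecking=yes %s@%s:%s/%s %s/%s/home\n' \
    "$SSHFS_KEY" "$SSHFS_USER" "$host" "$REMOTE_PREFIX" "$path" "$FTPROOT" "$1"
}

pam_hook() {
  u=${PAM_USER:?}
  mp="$FTPROOT/$u/home"
  case ${PAM_TYPE:-} in
    open_session)
      cmd=$(mount_cmd "$u") || return 0          # not an sftp user: nothing to do
      mountpoint -q "$mp" && return 0             # already mounted by another session
      $cmd && echo "$(date -Is) $u mounted $mp" >> "$LOG" ;;
    close_session)
      # NB: this unmounts even if the same user still has another session open
      ! mountpoint -q "$mp" || umount "$mp" ;;
  esac
}

if [ -n "${PAM_TYPE:-}" ]; then pam_hook; fi
```

Two points follow from the PAM line being "session optional": a failed mount does not stop the login, and the user then lands in the empty mount point; making the line "session required" would instead abort the session when the script exits non-zero. The users.conf lookup is also the only thing that stops the hook acting on an administrator's ordinary ssh login, since pam_exec runs for every sshd session.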

5. PAM modifications and pam radius auth

/etc/pam.d/sshd configuration

We are concerned with the sshd login, so edit /etc/pam.d/sshd.

Key additions to the standard sshd file are

auth sufficient pam_radius_auth.so

and

session  optional  pam_exec.so  /etc/ftpusers/map.sh

The auth line sits before @include common-auth, so a RADIUS accept is enough to log in; the sftp accounts created with useradd have no local password, so for them nothing later in the stack will succeed. pam_radius_auth.so takes its server list and shared secret from /etc/pam_radius_auth.conf on Ubuntu, which must be readable by root only. For the password to reach PAM at all, sshd_config needs UsePAM yes and password (or keyboard-interactive) authentication enabled. The session line runs map.sh as root at the open and close of every sshd session, with the login name in PAM_USER and open_session or close_session in PAM_TYPE, so the script must do nothing for logins that are not in users.conf.

The following is the current configuration for Ubuntu 24.04 LTS:

# PAM configuration for the Secure Shell service
auth sufficient pam_radius_auth.so
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account  required  pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required  pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
#session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so close

# Set the loginuid process attribute.
session  required  pam_loginuid.so
# Create a new session keyring.
session  optional  pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session  optional  pam_motd.so  motd=/run/motd.dynamic
session  optional  pam_motd.so noupdate
session  optional  pam_exec.so  /etc/ftpusers/map.sh
# Print the status of the user's mailbox upon successful login.
session  optional  pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session  required  pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session  required  pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session  required  pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]  pam_selinux.so open
# Standard Un*x password updating.
@include common-password

B. ftpconnect user

  • There needs to be a user on the target machine that can be used for the ssh connections with the ssh keys.
  • sshfs presents files with the numeric owner they have on the target, so ftpconnect should have the same UID and GID on both hosts.
  • GID and UID may be set retrospectively using
usermod -u 2000 ftpconnect; groupmod -g 2000 ftpconnect
  • or by assigning them at user creation
useradd -U -u 2000 -m -s /bin/bash ftpconnect
  • The keys should be located in the usual place, i.e. /home/ftpconnect/.ssh/authorized_keys (directory mode 700, file mode 600, both owned by ftpconnect).
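The target-host side of section B as an added example, not the site's own procedure: create ftpconnect with the fixed UID/GID and install the ftpserver's public key with an authorized_keys entry that limits what the key can do. The options used are standard OpenSSH ones: restrict (no pty, no forwarding), command="internal-sftp" (the key can only ever run the sftp server, which is all sshfs needs) and from= pinned to the ftpserver's address given in the process overview. The DRY_RUN switch is an addition introduced here.

```shell
#!/bin/sh
# Added example for the target host (section B); not the site's own procedure.
# Run as root on the target; DRY_RUN=1 prints the commands instead.
set -eu

FTPSERVER=192.168.10.16     # the sshfs client, from the process overview
UIDGID=2000                 # from section B

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# authorized_keys line that confines the ftpserver's key to sftp from one address
restricted_key_line() {
  printf 'restrict,command="internal-sftp",from="%s" %s\n' "$FTPSERVER" "$1"
}

provision_ftpconnect() {
  pubkey=$1
  case $pubkey in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
    *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
  esac
  # same uid/gid as on the ftpserver so ownership maps through sshfs
  if ! id ftpconnect >/dev/null 2>&1; then
    run useradd -U -u "$UIDGID" -m -s /bin/bash ftpconnect
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "+ append to /home/ftpconnect/.ssh/authorized_keys:"; restricted_key_line "$pubkey"
    return 0
  fi
  install -d -m 700 -o ftpconnect -g ftpconnect /home/ftpconnect/.ssh
  restricted_key_line "$pubkey" >> /home/ftpconnect/.ssh/authorized_keys
  chown ftpconnect:ftpconnect /home/ftpconnect/.ssh/authorized_keys
  chmod 600 /home/ftpconnect/.ssh/authorized_keys
}

if [ $# -ge 1 ]; then provision_ftpconnect "$1"; fi
```

Usage: ./ftpconnect.sh "$(cat ftpserver_key.pub)". If the ftpserver's address ever changes, the from= clause has to change with it, otherwise the mounts silently stop authenticating.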

Ian Warburton

8th Nov 2024