FTP service configuration
Process overview
SFTP logins are only accepted on the ftpserver, which in turn creates a temporary sshfs (SSH over FUSE) connection to the target server for that user. This only gives the user access to their mapped directory and not to any other locations.
Access from the internet is via ftps.irax.com (185.70.9.229) on port 22. Any connection to this address on port 22 is forwarded to the ftpserver on 192.168.10.16 port 2222.
The user ftpconnect needs to exist on the target host for the sshfs connection, with the associated public key held in .ssh/authorized_keys.
The SFTP server is also open to the internet and attracts unwanted traffic.
There are two methods of managing this: the external pfSense firewall has a block list rule where particularly troublesome IP addresses can be added, and the server also has fail2ban installed to operate on port 2222.
SFTP server 192.168.10.16 configuration.
A. SFTP users (the logins used by the users of the ftp service)
User overview
Only available to users having a RADIUS login. After pam_radius_auth authenticates the user, PAM calls the script
/etc/ftpusers/map.sh
This script uses the users.conf file, where we map the drive to be mounted on a target host for each user.
In order to achieve this we need to configure the following
- SSH user configuration: a local ssh user with its home directory in a particular location
- SSHD configuration for the SSH user in /etc/ssh/sshd_config.d
- Scripted user creation
- User configuration for mounting the sshfs drive
- PAM modifications and pam_radius_auth
1 SSH user configuration
Preliminary conditions.
There should be a directory named /home/ftpusers owned by root.
Create the sftp user as follows (replace <user> throughout):
# nologin shell: the account is for sftp only, the chroot and ForceCommand below do the rest
useradd -m -s /usr/sbin/nologin -d /home/ftpusers/<user> <user>
# the only directory the user can write to; map.sh mounts the target folder over it
mkdir /home/ftpusers/<user>/home
# sshd requires the ChrootDirectory and all its parents to be root-owned and not group/world writable
chown root:root /home/ftpusers/<user>/ -R
chmod 755 /home/ftpusers/<user>/
chmod 777 /home/ftpusers/<user>/home **
2 SSHD configuration
Preliminary conditions.
/etc/ssh/sshd_config should have the following directive:
Subsystem sftp internal-sftp
This config file should also load the .conf files in /etc/ssh/sshd_config.d (the default Include /etc/ssh/sshd_config.d/*.conf line).
Chroot config for ftp users
A file named <user>.conf containing the following should be created for each user in /etc/ssh/sshd_config.d:
Match Group <user>
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/ftpusers/<user>
    ForceCommand internal-sftp
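The steps of sections 1 and 2 carried out by one script, as an added example (this is not the site's own newftpuser.sh). It assumes Ubuntu's useradd default of creating a group named after the user, which the Match Group rule relies on, and a root-owned /home/ftpusers; it must run as root.

```shell
#!/bin/sh
# Added example, not the site's own newftpuser.sh: carries out the steps of
# sections 1 and 2 for one user. Assumes Ubuntu's useradd default of creating
# a group named after the user (which the Match Group rule relies on) and a
# root-owned /home/ftpusers. Must run as root.
set -eu

FTP_ROOT=/home/ftpusers
SSHD_DROPIN=/etc/ssh/sshd_config.d

# The name ends up in paths and in an sshd Match rule, so accept only
# lowercase letters, digits, '_' and '-' (no leading '-', no '/' or '..').
valid_ftpuser() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the per-user drop-in from section 2.
gen_chroot_conf() {
    printf 'Match Group %s\n' "$1"
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    ChrootDirectory %s/%s\n' "$FTP_ROOT" "$1"
    printf '    ForceCommand internal-sftp\n'
}

newftpuser() {
    user=$1
    valid_ftpuser "$user" || { echo "refusing username '$user'" >&2; return 1; }
    [ -d "$FTP_ROOT" ] || { echo "$FTP_ROOT does not exist" >&2; return 1; }
    useradd -m -s /usr/sbin/nologin -d "$FTP_ROOT/$user" "$user"
    mkdir -p "$FTP_ROOT/$user/home"
    # sshd only accepts a ChrootDirectory whose every component is root-owned
    # and not group/world writable, so the user writes only inside ./home
    # (mode 777 is the page's setting; map.sh mounts the target over it).
    chown -R root:root "$FTP_ROOT/$user"
    chmod 755 "$FTP_ROOT/$user"
    chmod 777 "$FTP_ROOT/$user/home"
    gen_chroot_conf "$user" > "$SSHD_DROPIN/$user.conf"
    chmod 644 "$SSHD_DROPIN/$user.conf"
    # Check the whole config before reloading so a bad drop-in cannot take sshd down.
    sshd -t && systemctl reload ssh
}

# Usage: ./newftpuser foobar
if [ -n "${1:-}" ]; then newftpuser "$1"; fi
```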
3 Scripted user creation
Scripts exist for enabling sections 1 and 2 to be done more efficiently.
Scripts are located here: /etc/ftpusers
| Script | Description | Usage |
|---|---|---|
| newftpuser.sh | Add a new user | ./newftpuser.sh foobar |
| delftpuser.sh | Delete a user | ./delftpuser.sh foobar |
| map.sh | Mounts the sftp drive per user; called by PAM (sshd) at login | |
| users.conf | User mapping configuration; must be manually edited after a user is created | |
| sftp.log | Log of connections | tail -f sftp.log |
| mountme.sh | Use for testing mounts | ./mountme.sh |
4 User configuration for mounting sshfs drive.
/etc/ftpusers/map.sh, called by PAM, is the bash script that creates the sshfs mount to the target host for a given user. The mapping for each user is configured in users.conf:
[<user>]
user = <user>
path = a_folder/another/folder
host = <host address or name>
Note: the path is actually /home/a_folder/another/folder, because map.sh prepends /home/ as per the Irax standard for web sites (perhaps we could change this in map.sh so that /home/ was not prepended).
e.g.
[iw-ian]
user = iw-ian
path = http-sites/ecoco/
host = 192.168.10.10
Note 2: perhaps this could be modified to load config files from a subdirectory; it would then be easier for newftpuser.sh to add a default mapping automatically.
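The mapping lookup and mount that this section and section 5 describe, written as an added example (this is not the site's map.sh). The private-key location /etc/ftpusers/ftpconnect_key and the sshfs options used are assumptions; users.conf, sftp.log and the /home/ prefix are as described above.

```shell
#!/bin/sh
# Added example, not the site's map.sh: resolves the [<user>] section of
# users.conf for the login pam_exec reports in $PAM_USER and mounts the target
# folder over /home/ftpusers/<user>/home with sshfs. The key path KEY is an
# assumption; the page does not say where the ftpconnect private key lives.
set -eu
CONF=/etc/ftpusers/users.conf
KEY=/etc/ftpusers/ftpconnect_key
LOG=/etc/ftpusers/sftp.log
FTP_ROOT=/home/ftpusers
# Print "host path" for section [<user>] of the file; fail if either is missing.
lookup_mapping() {
    awk -v want="$1" '
        /^\[[^]]*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        END { if (v["host"] == "" || v["path"] == "") exit 1
              print v["host"], v["path"] }' "${2:-$CONF}"
}

# Build the sshfs remote spec; /home/ is prepended as the page describes.
# Absolute paths and ".." are refused so a mapping typo cannot reach anything
# above /home on the target, and the host is limited to hostname characters.
remote_spec() {
    host=$1 path=$2
    case $path in ''|/*|*..*) echo "refusing path '$path'" >&2; return 1 ;; esac
    case $host in ''|*[!a-zA-Z0-9.-]*) echo "refusing host '$host'" >&2; return 1 ;; esac
    printf 'ftpconnect@%s:/home/%s\n' "$host" "$path"
}

# pam_exec runs this for every PAM phase; only session open/close matter here.
pam_hook() {
    user=$PAM_USER
    mnt=$FTP_ROOT/$user/home
    case ${PAM_TYPE:-} in
        open_session)
            map=$(lookup_mapping "$user") || { echo "no mapping for $user" >&2; return 1; }
            spec=$(remote_spec "${map%% *}" "${map#* }") || return 1
            # uid/gid present the remote files as the sftp user's own inside the chroot
            sshfs -o "IdentityFile=$KEY" -o allow_other -o "uid=$(id -u "$user")" \
                  -o "gid=$(id -g "$user")" "$spec" "$mnt"
            printf '%s %s from %s mounted %s\n' "$(date '+%F %T')" "$user" "${PAM_RHOST:-?}" "$spec" >> "$LOG" ;;
        close_session)
            fusermount -u "$mnt" 2>/dev/null || true ;;
    esac
}
if [ -n "${PAM_USER:-}" ]; then pam_hook; fi
```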
5 PAM modifications and pam_radius_auth
/etc/pam.d/sshd configuration
We are concerned with the sshd login, so edit /etc/pam.d/sshd.
The following is the current configuration for Ubuntu 24.04 LTS.
Key additions to the standard sshd file are:
auth sufficient pam_radius_auth.so
and
session optional pam_exec.so /etc/ftpusers/map.sh
# PAM configuration for the Secure Shell service
auth sufficient pam_radius_auth.so
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_exec.so /etc/ftpusers/map.sh
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
B. ftpconnect user
- There needs to be a user on the target machine that can be used for the ssh connections with the ssh keys.
- sshfs relies on the user also having the same UID and GID (2000) on the ftpserver and on the target host.
- GID and UID may be set retrospectively using
usermod -u 2000 ftpconnect; groupmod -g 2000 ftpconnect
- or by assigning them at user creation:
useradd -U -u 2000 -m -s /bin/bash ftpconnect
- The keys should be located in the usual place, i.e. /home/ftpconnect/.ssh/authorized_keys.
Ian Warburton
8th Nov 2024