Install proftpd, create & delete ftp users (MUST BE RUN AS ROOT)
#!/usr/bin/env bash
# MUST BE RUN AS ROOT
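usage_message(){
  # Print the supported invocations to stdout ($0 is the script path).
  # The -R (restart only) option is handled below but was missing here.
  # NOTE: -c takes the password on the command line, so it is visible in
  # `ps` and shell history; run it from a root-only shell.
  printf 'Usage options:\n'
  printf '1. Install proftpd: %s -i <PASVADDR> <MIN_PORT> <MAX_PORT>\n' "$0"
  printf '2. Create ftp user: %s -c <FTPUSER> <FTPPASS>\n' "$0"
  printf '3. Delete ftp user: %s -d <FTPUSER>\n' "$0"
  printf '4. Restart proftpd: %s -R\n' "$0"
}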
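install_proftpd(){
  # Install proftpd (plus the ftp client and whois) and write a minimal
  # server config. Reads the globals PASVADDR, MIN_PORT and MAX_PORT set by
  # the -i handler; they are validated first so a typo cannot produce a
  # broken PassivePorts line that stops the daemon from starting.
  # PROFTPD_CUSTOM_CONF overrides the config path (defaults to the Debian
  # conf.d drop-in directory). Returns non-zero on bad input or apt failure.
  local conf="${PROFTPD_CUSTOM_CONF:-/etc/proftpd/conf.d/custom}"
  if [[ -z "$PASVADDR" ]]; then
    printf 'install_proftpd: PASVADDR must be set\n' >&2
    return 1
  fi
  if [[ ! "$MIN_PORT" =~ ^[0-9]+$ || ! "$MAX_PORT" =~ ^[0-9]+$ ]] \
     || (( MIN_PORT < 1 || MAX_PORT > 65535 || MIN_PORT > MAX_PORT )); then
    printf 'install_proftpd: invalid passive port range "%s-%s"\n' "$MIN_PORT" "$MAX_PORT" >&2
    return 1
  fi
  # No sudo here: the script itself must already run as root (see header);
  # the original mixed a stray 'sudo' into an otherwise root-only script.
  { apt-get update && apt-get -y upgrade; } || return 1
  apt-get -y install proftpd ftp whois || return 1
  # DefaultRoot chroots each login into ~/ftp/files, the layout create_user
  # builds. RequireValidShell off lets the /bin/false accounts log in.
  cat > "$conf" << EOF
DefaultRoot ~/ftp/files
PassivePorts $MIN_PORT $MAX_PORT
MasqueradeAddress $PASVADDR
RequireValidShell off
EOF
}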
restart_proftpd(){
  # Bounce the service so a changed config or a new account is picked up,
  # then print its state; the status exit code is what the caller sees.
  local unit='proftpd.service'
  systemctl restart "$unit"
  systemctl status "$unit"
}
firewall_rules(){
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport $MIN_PORT:$MAX_PORT --dport $MIN_PORT:$MAX_PORT -m conntrack --ctstate RELATED,ESTABLISHED,NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport $MIN_PORT:$MAX_PORT --dport $MIN_PORT:$MAX_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
}
create_user(){
useradd --create-home --password $(mkpasswd -m sha-512 $FTPPASS) --shell=/bin/false $FTPUSER
mkdir /home/$FTPUSER/ftp
chown nobody:nogroup /home/$FTPUSER/ftp
chmod a-w /home/$FTPUSER/ftp
mkdir /home/$FTPUSER/ftp/files
chown $FTPUSER:$FTPUSER /home/$FTPUSER/ftp/files
}
delete_user(){
userdel -rf $FTPUSER
}
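# ---- entry point -----------------------------------------------------------
# Arguments are positional, exactly as the usage text shows:
#   -i PASVADDR MIN_PORT MAX_PORT   install and configure
#   -c FTPUSER FTPPASS              create an account (the password travels on
#                                   argv and is visible in `ps`/history)
#   -d FTPUSER                      delete an account
#   -R                              restart only (takes no argument; it was
#                                   declared as 'R:' before, so a bare -R
#                                   always fell through to the usage text)
if [[ $# -eq 0 ]]; then
  usage_message
  exit 0
fi
# Every action writes under /etc or calls useradd/systemctl: enforce the
# "MUST BE RUN AS ROOT" header instead of failing half-way through.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
while getopts 'c:d:i:R' option; do
  case "$option" in
    c)
      # OPTARG is the username; the password is the third word.
      if [[ $# -lt 3 ]]; then usage_message >&2; exit 1; fi
      FTPUSER=$OPTARG
      FTPPASS=$3
      # The password is deliberately not echoed: stdout often ends up in logs.
      printf '>> CREATING FTP USER %s\n\n' "$FTPUSER"
      create_user || exit 1
      restart_proftpd
      ;;
    d)
      FTPUSER=$OPTARG
      printf '>> DELETING FTP USER %s\n\n' "$FTPUSER"
      delete_user || exit 1
      restart_proftpd
      ;;
    i)
      if [[ $# -lt 4 ]]; then usage_message >&2; exit 1; fi
      PASVADDR=$OPTARG
      MIN_PORT=$3
      MAX_PORT=$4
      printf '>> INSTALLING proftpd IN IP %s WITH %s TO %s PASV PORT RANGE\n\n' \
        "$PASVADDR" "$MIN_PORT" "$MAX_PORT"
      install_proftpd || exit 1
      # TODO firewall_rules  (still opt-in: it replaces the host's INPUT policy)
      restart_proftpd
      ;;
    R)
      restart_proftpd
      ;;
    *)
      # Unknown option or missing argument: report on stderr, fail.
      usage_message >&2
      exit 1
      ;;
  esac
done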
Improvements to consider (not yet applied to the script above):
---------
# Alternative rules in iptables-save/-restore syntax.
# NOTE(review): $MIN_PORT/$MAX_PORT are not expanded by iptables-restore;
# substitute the real numbers before loading this.
# Port 20 is the server's *source* port for active-mode data; the script's
# firewall_rules only admits ESTABLISHED traffic there, so accepting NEW
# connections to it is not needed.
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# 990 is implicit FTPS; only open it if the server actually listens there.
# -A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
# Passive data range (the PassivePorts range from the proftpd config).
-A INPUT -p tcp -m multiport --dports $MIN_PORT:$MAX_PORT -j ACCEPT
---------
# openssl is needed for the self-signed certificate step below (the script's
# install step does not pull it in).
apt-get -y install proftpd openssl
---------
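# Self-signed certificate for mod_tls. The subject fields are placeholders;
# Common_Name should be the hostname clients connect to, or they will warn.
Country_Name=ES
State_Name=Catalunya
Locality=Barcelona
Organization="Example Co"
Common_Name=www.example.com
# -nodes leaves the private key unencrypted so proftpd can start unattended,
# which is why the output must not be world-readable: the umask in the
# subshell makes the file 0600 without changing the caller's umask.
# -keyout and -out name the same file so one PEM holds key and certificate,
# as tls.conf expects; afterwards verify cert.pem contains both a
# "PRIVATE KEY" and a "CERTIFICATE" block.
(
  umask 077
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout cert.pem -out cert.pem \
    -subj "/C=$Country_Name/ST=$State_Name/L=$Locality/O=$Organization/CN=$Common_Name"
)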
---------
# Goes in /etc/proftpd/proftpd.conf. The install step already relies on
# /etc/proftpd/conf.d/ being read, so the block below could be dropped
# there instead of using an explicit Include.
Include /etc/proftpd/tls.conf
---------
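<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  # 'SSLv23' enabled every protocol the library offers, including SSLv3 and
  # TLS 1.0/1.1. Restrict to modern versions; drop TLSv1.3 on older mod_tls
  # builds that do not know the keyword (an unknown protocol name stops the
  # server from starting).
  TLSProtocol TLSv1.2 TLSv1.3
  TLSCipherSuite AES128+EECDH:AES128+EDH
  # 'AllowClientRenegotiations' was removed: client-initiated renegotiation is
  # a known DoS vector and ordinary FTP clients do not need it.
  TLSOptions NoCertRequest
  # Combined key+cert PEM from the openssl step, moved here. Use an absolute
  # path (a relative one depends on the daemon's working directory) and keep
  # the file root-owned, mode 0600, since it holds the private key.
  TLSRSACertificateFile /etc/proftpd/cert.pem
  TLSRSACertificateKeyFile /etc/proftpd/cert.pem
  TLSVerifyClient off
  # 'off' accepted plaintext logins, sending passwords unencrypted. 'on'
  # requires TLS on both control and data channels; only relax this for
  # legacy clients, knowing credentials then cross the network in the clear.
  TLSRequired on
  # Same directive as the install step's conf.d/custom; harmless to repeat.
  RequireValidShell no
</IfModule>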