Last active
February 2, 2020 19:35
-
-
Save linuxoracledev/554f76ad9cc9bdd0fbe14f574d9e1fb8 to your computer and use it in GitHub Desktop.
How to install FileZilla and configure vsftpd to allow a user to upload files to his home directory using FTP with login credentials secured by SSL/TLS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Update the system and install filezilla and vsftpd | |
| sudo apt-get update | |
| sudo apt install filezilla | |
| sudo apt-get install vsftpd | |
| #Copy the original configuration file as a backup | |
| sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig | |
| #Check and enable firewall | |
| sudo ufw status | |
| sudo ufw enable | |
| #Open ports 20 and 21 for FTP, port 990 for TLS, and ports 40000-50000 for the range of passive ports | |
| sudo ufw allow 20/tcp | |
| sudo ufw allow 21/tcp | |
| sudo ufw allow 990/tcp | |
| sudo ufw allow 40000:50000/tcp | |
| sudo ufw status | |
| #Add a test user: | |
| sudo adduser ftpazad | |
| #Create folder(ftp), set its ownership, remove write permissions | |
| sudo mkdir /home/ftpazad/ftp | |
| sudo chown nobody:nogroup /home/ftpazad/ftp | |
| sudo chmod a-w /home/ftpazad | |
| sudo chmod a-w /home/ftpazad/ftp | |
| #Verify the permissions: | |
| sudo ls -la /home/ftpazad/ftp | |
| #Create a directory where files can be uploaded and assign ownership to the user | |
| sudo mkdir /home/ftpazad/ftp/files | |
| sudo chown ftpazad:ftpazad /home/ftpazad/ftp/files | |
| #Permissions check | |
| sudo ls -la /home/ftpazad/ftp | |
| #Add a test.txt file | |
| echo "vsftpd test file" | sudo tee /home/ftpazad/ftp/files/test.txt | |
| #Configuring FTP Access | |
| sudo nano /etc/vsftpd.conf | |
| # Make changes as bellow if any of these line not found then add the line | |
| #<- anonymous_enable=NO | |
| #<- local_enable=YES | |
| #<- write_enable=YES | |
| #<- chroot_local_user=YES | |
| #<- user_sub_token=$USER | |
| #<- local_root=/home/$USER/ftp | |
| #<- pasv_min_port=40000 | |
| #<- pasv_max_port=50000 | |
| #<- userlist_enable=YES | |
| #<- userlist_file=/etc/vsftpd.userlist | |
| #<- userlist_deny=NO | |
| #Create and add the user to the file | |
| echo "ftpazad" | sudo tee -a /etc/vsftpd.userlist | |
| #Check that it was added as expected | |
| cat /etc/vsftpd.userlist | |
| #Restart the daemon to load the configuration changes | |
| sudo systemctl restart vsftpd | |
| #Testing FTP Access | |
| ftp -p localhost | |
| # transfer the test file we created earlier to our local machine: | |
| cd files | |
| get test.txt | |
| #test write permissions: | |
| put test.txt upload.txt | |
| #Close the connection: | |
| bye | |
| ##Securing Transactions | |
| #Create a new certificate using openssl and use the -days flag to make it valid for one year, add a private 2048-bit RSA key | |
| sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem | |
| #Open the vsftpd configuration file | |
| sudo nano /etc/vsftpd.conf | |
| #Toward the bottom of the file, there are two lines that begin with rsa_. Comment them out so they look like: | |
| # rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | |
| # rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | |
| #Below them, add the following lines without # which point to the certificate and private key we just created | |
| #<- rsa_cert_file=/etc/ssl/private/vsftpd.pem | |
| #<- rsa_private_key_file=/etc/ssl/private/vsftpd.pem | |
| # Change ssl_enable to YES | |
| #<- ssl_enable=YES | |
| #add the following lines to explicitly deny anonymous connections over SSL | |
| #<- allow_anon_ssl=NO | |
| #<- force_local_data_ssl=YES | |
| #<- force_local_logins_ssl=YES | |
| #Add the following lines to use TLS, the preferred successor to SSL | |
| #<- ssl_tlsv1=YES | |
| #<- ssl_sslv2=NO | |
| #<- ssl_sslv3=NO | |
| #Add the following lines to make sure that key lengths equal to or greater than 128 bits | |
| #<- require_ssl_reuse=NO | |
| #<- ssl_ciphers=HIGH | |
| #save and close the file | |
| #restart the server | |
| sudo systemctl restart vsftpd | |
| ##Testing TLS with FileZilla | |
| #Open FileZilla Cick on Site Mana | |
| #fill out the “Host” field with the name or IP address. Under the “Encryption” drop down menu, select “Require explicit FTP over TLS”. | |
| #For “Logon Type”, select “Ask for password”. Fill in the FTP user you created in the “User” field | |
| #download the file test.txt to the left and rename it to upload.txt and drag it to right | |
| ##Disabling Shell Access | |
| #open a file called ftponly | |
| sudo nano /bin/ftponly | |
| #Add following lines | |
| #<- echo "This account is limited to FTP access only." | |
| #Change the permissions to make the file executable | |
| sudo chmod a+x /bin/ftponly | |
| #Open the list of valid shells | |
| sudo nano /etc/shells | |
| #At the bottom, add: | |
| #<- /etc/shells | |
| #Update the user’s shell | |
| sudo usermod ftpazad -s /bin/ftponly | |
| #Now try logging in as ftpazad: | |
| ssh ftpazad@localhost | |
sudo service vsftpd stop
sudo apt-get remove vsftpd
pgrep ftp
pidof ftp
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
View on Youtube: https://www.youtube.com/watch?v=i3R4XiKnZZQ