If you are relatively new to server administration or security, we suggest reading the IPTables series first: IPTables Basics Tutorial Part 1, IPTables Basics Tutorial Part 2 and IPTables Basics Tutorial Part 3. Securing only FTP while the rest of the server is left open is pointless. The Securing FTP Tutorial is an important series of guides for securing your cloud server or virtual server. This guide is not for dedicated servers. We have tried to keep it as easy as possible.
Securing FTP Tutorial: After Our IPTables Guide
After following our IPTables Basics tutorials, your port 21 is already closed. FTP uses port 21 by default, while SCP (and SFTP) run over port 22. In those tutorials we already edited the /etc/ssh/sshd_config file to disallow root login. If you also add Fail2Ban rules for FTP to limit the number of login attempts, it becomes difficult for anyone to get inside the server. Since our FTP port is already closed, file transfer goes over SFTP: it uses the SSH protocol and therefore works without extra setup when connecting to a remote Unix machine. Login attempts, such as those from ftp@ip.a.d.re.ss, can be seen in the /var/log/messages file. But people do not always want the SSH username and the FTP username to be the same; usually they want a restricted, FTP-only user.
Securing FTP Tutorial: Part 1
First we need to install openssh-server if it is not already installed:
    sudo apt-get install openssh-server
We are creating a new group named ftpaccess for the FTP users:
    sudo groupadd ftpaccess
Add a user named example-change to the group (the -s /usr/sbin/nologin shell means the account cannot open an interactive shell, only use SFTP):
    sudo useradd -m example-change -g ftpaccess -s /usr/sbin/nologin
Set a password for the user:
    sudo passwd example-change
Now, how can the added SFTP user “example-change” also access the website’s directory, such as /var/www/html, via SFTP?
Use the following commands, assuming /var/www/html/ is the directory where your website files are:
    # the chroot directory itself must be owned by root, otherwise sshd rejects the login
    sudo chown root /home/example-change
    # create the mount point inside the chroot and hand it to the SFTP user
    sudo mkdir -p /home/example-change/ftp/www_html
    sudo chown example-change:ftpaccess /home/example-change/ftp/www_html
    # make the website directory visible inside the chroot
    sudo mount --bind /var/www/html/ /home/example-change/ftp/www_html
    sudo nano /etc/fstab
and then add the following line to fstab so the bind mount is recreated at boot:
    /var/www/html /home/example-change/ftp/www_html none bind 0 0
Now open the /etc/ssh/sshd_config file:
    sudo nano /etc/ssh/sshd_config
You’ll find this line in that file:
    Subsystem sftp /usr/lib/openssh/sftp-server
Comment out the above line and add these lines at the end of the file (or make sure they are not already present):
    Subsystem sftp internal-sftp
    # everything below the Match line applies only to members of ftpaccess
    Match Group ftpaccess
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Restart the sshd service:
    sudo service ssh restart
Now we can install a program named VsFTPD to manage FTP more strictly:
    sudo apt-get install vsftpd
    sudo nano /etc/vsftpd.conf
Some lines in /etc/vsftpd.conf should look like this:
    write_enable=YES
    local_umask=022
    # lock each local user into its home directory
    chroot_local_user=YES
    # vsftpd refuses logins into a writable chroot unless this is set
    allow_writeable_chroot=YES
    # passive-mode data ports; this range must also be allowed in your iptables rules
    pasv_enable=YES
    pasv_min_port=40000
    pasv_max_port=40100
Restart vsftpd:
    sudo service vsftpd restart
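To verify that the SFTP-only user is really locked down as the steps above intend, here is an added audit script (our own, not part of the original tutorial). It checks sshd_config for the internal-sftp subsystem and the Match block, /etc/fstab for the bind entry, /etc/passwd for a non-login shell, and the chroot directory's ownership and mode; the function names are ours, the paths are the tutorial's defaults, and GNU or busybox stat is assumed.

```shell
#!/bin/sh
# Added audit script, not from the original tutorial: check the settings the
# guide puts in place for one SFTP-only user. File paths are passed in so the
# checks can run against copies; the function names are our own.

# 0 if FILE has a "Match Group GROUP" block with ChrootDirectory %h and
# ForceCommand internal-sftp (sshd_config keywords are case-insensitive).
sshd_has_sftp_chroot() {
  awk -v grp="$2" '
    tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
    inblock && tolower($1) == "chrootdirectory" && $2 == "%h" { c = 1 }
    inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { f = 1 }
    END { exit !(c && f) }' "$1"
}
# 0 if the sftp subsystem is internal-sftp (no sftp-server binary exists
# inside the chroot, so the external one cannot work there).
sshd_uses_internal_sftp() {
  awk 'tolower($1) == "subsystem" && $2 == "sftp" { last = $3 }
       END { exit (last != "internal-sftp") }' "$1"
}
# 0 if FSTAB carries the bind entry SRC DST, so the mount survives a reboot.
fstab_has_bind() {
  awk -v s="$2" -v d="$3" '
    $1 !~ /^#/ && $1 == s && $2 == d && $4 ~ /(^|,)bind(,|$)/ { ok = 1 }
    END { exit !ok }' "$1"
}
# 0 if USER in PASSWD has a non-login shell (SFTP only, no interactive shell).
user_has_nologin_shell() {
  awk -F: -v u="$2" '$1 == u { sh = $7 }
    END { exit !(sh ~ /\/(nologin|false)$/) }' "$1"
}
# 0 if DIR meets sshd's ChrootDirectory rule: owned by root and not writable
# by group or others. Assumes GNU or busybox stat (-c).
chroot_dir_ok() {
  set -- "$(stat -c '%u %A' "$1" 2>/dev/null)"   # e.g. "0 drwxr-xr-x"
  case "${1#* }" in ?????w*|????????w*) return 1 ;; esac
  [ "${1% *}" = 0 ]
}
# Run every check for one user against the live system; 0 only if all pass.
audit_sftp_user() {
  rc=0
  for chk in "sshd_uses_internal_sftp /etc/ssh/sshd_config" \
    "sshd_has_sftp_chroot /etc/ssh/sshd_config ftpaccess" \
    "fstab_has_bind /etc/fstab /var/www/html /home/$1/ftp/www_html" \
    "user_has_nologin_shell /etc/passwd $1" "chroot_dir_ok /home/$1"; do
    if $chk; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
  done; return $rc
}
```

Run it as root with `audit_sftp_user example-change` after the restart; a FAIL line names the check and the file it looked at.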