Solved

OpenSSH and FTP access

Posted on 2006-03-27
Last Modified: 2010-03-18
Hi there,

I am running Gentoo linux on a Sun Ultra 60.  I have OpenSSH installed and I generally either FTP in using SFTP or use an SSH shell to log in over the local network.

I am considering setting up FTP access from outside.  I guess I need to set up port forwarding on my ADSL modem/router for port 22 for SSH.

Now what should I do next to do it properly?  Ideally I want a new 'FTP' user, but really I only want 'that' user to be able to FTP in from the outside, if you know what I mean.  Also I would want anyone uploading not to be able to see the contents of the directory etc, though I guess that can be taken care of by permissions on the directory.

Basically I just want some direction on how to do this correctly!

Cheers,

Mark
Question by:marky9074

Expert Comment

by:Gabriel Orozco
ID: 16306712
some tips:

a) check your ftp software configuration. disable anonymous access.
b) if the software allows you, jail it! this means to create a subdirectory that mimics the / filesystem (only needed files) and then run the ftp software with that directory.
c) enable only that user to access the ftp system.

one big problem is that the ftp protocol needs two ports working: tcp/21 and tcp/20 (tcp/20 can change to any port. it is used for data transmission while tcp/21 is for control only)

so if you can, better go with sftp. this has many things that make it better than ftp, and only one drawback: since it is encrypted traffic, sftp is slower than regular ftp. If you can live with it, then you only need a restricted shell to jail the user to his/her home directory, and you're all set.

hope this helps

Author Comment

by:marky9074
ID: 16308285
Hi, thanks for the post.  As I only have OpenSSH installed (no ftpd or proftpd), I would only be using SFTP.  Are you saying that using sftp I would still need ports 20 & 21 open?

What I want to do is stop, for example, someone sftp'ing in as root. How do I restrict this?  I can pretty much work out how to set up a restrictive account for sftp access, but how do I force all connections from 'outside' to be dropped apart from the dedicated sftp user?
Accepted Solution

by:
Gabriel Orozco earned 500 total points
ID: 16311764
with sftp, you are using ssh under the cover. so you only need port tcp/22 to be redirected.

to restrict access from outside, check /etc/hosts.deny. there is a mechanism called "tcp wrappers" that ssh obeys. if you read

http://www.section6.net/wiki/index.php/Basics_Of_Securing_Linux#TCP_Wrappers

so read these URLs to better understand how tcp wrappers work:

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-10/1221.html
http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
man 5 hosts_access
man 8 tcpd

or, you can give someone file copy access over the "ssh" version 2 protocol by means of the Open Source tool "rssh":

http://sourceforge.net/projects/rssh/

The "rssh" tool allows you to restrict, on a per-user basis, access to any of "rsync", "rdist", "cvs", "sftp", and/or "scp".  You can control the file creation on a per-user basis.  You can also force a given non-privileged user to be confined inside a chroot jail.  If properly set up, the chroot jail will prevent the user from accessing any files outside of the chroot jail.

The "rssh" tool needs to be installed on any remote host into which you want to give selected users "rsync", "rdist", "cvs", "sftp", and/or "scp" access.  The shells for those users must be "/usr/bin/rssh".  Also the "/etc/rssh.conf" needs to be configured on that remote host.  This will allow users to use any of the standard "rsync", "rdist", "cvs", "sftp", and/or "scp" tools to access the remote host via the "ssh" protocol 2.

Author Comment

by:marky9074
ID: 16312055
Thanks for that, it is a lot clearer now, so basically there is no quick and easy (platform independent) way for user based control?

Expert Comment

by:Gabriel Orozco
ID: 16312149
I think only tcp wrappers can do the job, but I tried and tested some of the solutions and I myself still cannot do the filtering of only one user.

host based is much easier, however. So if you can use host based authentication, just go for it.

regards

Author Comment

by:marky9074
ID: 16313445
Hi Redimido,

I just forwarded the port and checked that it worked and it is all OK.  I thought that I had a handle on creating an anonymous user that was restricted to its home directory, but I am not sure if even this is going to work using ssh and sftp.  Have you got any ideas how I go about this?

Mark
Author Comment

by:marky9074
ID: 16313484
That probably doesn't make much sense!  I want a secure ftp, hence sftp, but I don't want the user trawling through my system. I only want them to have access to their home directory....

Mark
Expert Comment

by:Gabriel Orozco
ID: 16313587
use a restricted shell that can do that job for you.

as I told you before, this program can make your life easier:

    http://sourceforge.net/projects/rssh/ 

when the user connects, this shell will be the underlying program and will not allow him (or her) to go out of his home directory.

Author Comment

by:marky9074
ID: 16313842
Dooh, the penny has dropped now!  I misinterpreted what you said earlier, as I thought that if I used rssh I would need something on each client to use rssh, but I guess what you meant is that 'any' client will need an app to access through an ssh.  Personally I use ws_ftp...

Thanks for the help. I will see if there is a gentoo package for it on my arch..

Expert Comment

by:Gabriel Orozco
ID: 16315072
sorry I was not very clear =)

you will need to edit /etc/passwd in order to modify the user you want to restrict, to have rssh as his shell.

then on the rssh configuration (need to follow their readme) you will be able to restrict the user in many aspects, like jailing him in his home directory.

client is not important as long as it understands sftp

hope this helps
Gabriel

Author Comment

by:marky9074
ID: 16319588
Hi Gabriel,

Thanks for all your help!  At the moment I am updating my Gentoo system and I have left it far too long.  At the moment I am at 11 of 276, so I think it will be a few hours until I can get to installing rssh...

I will let you know as soon as I am up again...

Thanks,

Mark
Author Comment

by:marky9074
ID: 16322031
OK, my update barfed at a lib for openssl so I took the opportunity to emerge rssh...

Got it up and edited the config for sftp...worked OK.  Added my user and set home as /data/ftp with rssh shell.

Now I thought all I had to do was edit the line for:

chrootpath = /data/ftp

To jail any user using rssh to this directory.  But it fails to log in.  If I remove this I can ftp in, but have free run of the system.

Nearly there, but need your help again!

Thanks,

Mark
Expert Comment

by:Gabriel Orozco
ID: 16324188
what happens here is this software jails the user in its home directory, and I suppose you tried to jail him in a directory outside his home directory, right?

edit /etc/passwd and make /data/ftp the user's home directory. also chown that directory to the username, and try again =)

Author Comment

by:marky9074
ID: 16324191
Oh, after downloading the source and looking at the chroot docs it's not as simple as I thought....

Expert Comment

by:Gabriel Orozco
ID: 16324417
that's right...

security is not simple... this is what is driving us I.T. people to much harder work to do more or less the same things, but in a more secure manner...

that tool can help you, but you need to understand how to use it
Author Comment

by:marky9074
ID: 16324898
It seems a lot of work recreating file structures within the chroot jail, when all I want to do is stop the logged in user going up any higher than his home directory......

Just upgrading mysql at the moment, and my gentoo system is in a terrible mess, hopefully will get time to play with rssh soon...

Expert Comment

by:verborghs
ID: 16398338
You could also just use PAM (pluggable authentication modules).
There is one, pam_listfile, which allows you to specify a list of users. In gentoo look in /etc/pam/ssh-something

or you could use the AllowUsers directive of ssh which allows you to specify users in the form of user@host and *@...


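The thread's conclusion is that tcp wrappers (hosts.allow/hosts.deny) filter sshd by source host only, while the AllowUsers/DenyUsers directives verborghs mentions filter by user and, with the user@host form, by source host per user. The following is an added example, not code from the thread or from OpenSSH: a small model of how sshd evaluates those two directives, so a config line can be checked against a few hypothetical logins before it goes live. It assumes only the `*` and `?` wildcards (no CIDR, no negation), and it does not model AllowGroups/DenyGroups or PermitRootLogin; the sample config and hosts are constructed.

```python
# Added example, not from the thread or OpenSSH: models sshd's handling of
# DenyUsers / AllowUsers. Assumptions: only '*' and '?' wildcards, no CIDR or
# negation; AllowGroups/DenyGroups and PermitRootLogin are not modelled.


def match_pattern(s, pat):
    """OpenSSH-style glob: '*' matches any run, '?' one char, no [] classes."""
    if not pat:
        return not s
    if pat[0] == "*":
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    return bool(s) and pat[0] in ("?", s[0]) and match_pattern(s[1:], pat[1:])


def match_user(pattern, user, host, addr):
    """'user' matches the login name; 'user@host' also needs the hostname or IP to match."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return match_pattern(user, upat) and (
            match_pattern(host, hpat) or match_pattern(addr, hpat))
    return match_pattern(user, pattern)


def login_allowed(user, host, addr, allow_users=(), deny_users=()):
    """sshd checks DenyUsers first; if AllowUsers is set, the login must match one entry."""
    if any(match_user(p, user, host, addr) for p in deny_users):
        return False
    if allow_users and not any(match_user(p, user, host, addr) for p in allow_users):
        return False
    return True


def parse_sshd_config(text):
    """Collect AllowUsers / DenyUsers entries; keywords are case-insensitive, '#' starts a comment."""
    allow, deny = [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "allowusers":
            allow += value.split()
        elif key == "denyusers":
            deny += value.split()
    return allow, deny


# Constructed sample: the dedicated sftp user may log in from anywhere, mark only
# from the 192.168.1.x LAN, and every other account (root included) is refused
# because it is not listed in AllowUsers.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
AllowUsers ftpuser mark@192.168.1.*
"""
```

Run `parse_sshd_config(SAMPLE_SSHD_CONFIG)` and feed the result to `login_allowed()` with a login name, hostname and address to see which of the constructed logins would pass this check.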
Author Comment

by:marky9074
ID: 16406428
At the moment I am just using scponly to make sure the logged in user does not have a shell.  Also I was going to change the mapping on the router so that the public port was not 22, which should help, but I am awaiting a firmware change....

Hopefully will get a solution soon!

Mark