Continuing from Part 1...
For installing and configuring VSFTPD, here is what we want to accomplish:
1. Set up an FTP server that only allows secure (TLS/SSL) connections so passwords and data aren't sent in the clear.
2. Have virtual users who are linked to a local user account with no shell privileges.
3. Be able to access it from outside of our private network.
Let's start by creating a user with no shell privileges:
nano /etc/shells
(Add the following entry at the bottom: /usr/sbin/nologin)
mkdir /home/luigi
groupadd ftpaccess
useradd -d /home/luigi -G ftpaccess -s /usr/sbin/nologin luigi
chown luigi /home/luigi
chgrp ftpaccess /home/luigi
Then we will install VSFTPD:
apt-get install vsftpd libdb4.7 db4.7-util
cd /etc
mkdir vsftpd
mv vsftpd.conf vsftpd.bak
nano vsftpd.conf
(Make your vsftpd.conf look like the following.) *UPDATE: the config file cannot have spaces between the entries and the values (i.e. 'listen = yes' is bad; it should be 'listen=yes').
listen=YES
listen_port=21
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
ftpd_banner=ITSA ME...MARIO
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
# must match the name of the PAM file created under /etc/pam.d/ below
pam_service_name=ftpservice
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken protocols; keep them off so only TLS is offered
ssl_sslv2=NO
ssl_sslv3=NO
# passive-mode data ports (min must be lower than max); forward/allow this range on the firewall
pasv_min_port=12300
pasv_max_port=12400
hide_ids=YES
guest_enable=YES
guest_username=luigi
user_config_dir=/etc/vsftpd
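Because vsftpd rejects spacing around `=` and silently accepts a passive range whose minimum is above its maximum, it is worth linting the file before restarting the service. The following script is an added example, not part of the post or of vsftpd: `check_vsftpd_conf` reads a vsftpd.conf and reports spacing errors, an inverted pasv range, SSLv2/SSLv3 left enabled, anonymous access, and TLS not being forced for logins or data. The sample config it runs on is constructed and deliberately contains those mistakes.

```shell
#!/bin/sh
# Added example: lint a vsftpd.conf for the mistakes discussed in the post.
# Not part of vsftpd; it only inspects the file, it never changes it.

# Constructed sample config (deliberately contains the problems to find).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen = YES
anonymous_enable=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=NO
ssl_sslv2=YES
ssl_sslv3=YES
pasv_min_port=13000
pasv_max_port=12300
EOF

# check_vsftpd_conf FILE : print one finding per line, return 1 if any were found
check_vsftpd_conf() {
    awk '
    function val(k) { return (k in cfg) ? cfg[k] : "" }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0
        if (line ~ /[ \t]=|=[ \t]/) {            # vsftpd refuses "key = value"
            print "bad spacing (vsftpd rejects it): " line
            findings++
            gsub(/[ \t]/, "", line)              # normalise so later checks still run
        }
        split(line, kv, "=")
        cfg[kv[1]] = kv[2]
    }
    END {
        if (val("pasv_min_port") != "" && val("pasv_max_port") != "" &&
            val("pasv_min_port") + 0 > val("pasv_max_port") + 0) {
            print "pasv_min_port (" val("pasv_min_port") ") is greater than pasv_max_port (" val("pasv_max_port") ")"
            findings++
        }
        if (toupper(val("ssl_sslv2")) == "YES") { print "ssl_sslv2=YES: SSLv2 is broken, set NO"; findings++ }
        if (toupper(val("ssl_sslv3")) == "YES") { print "ssl_sslv3=YES: SSLv3 is broken, set NO"; findings++ }
        if (toupper(val("ssl_enable")) == "YES") {
            if (toupper(val("force_local_logins_ssl")) != "YES") { print "force_local_logins_ssl is not YES: passwords may go in the clear"; findings++ }
            if (toupper(val("force_local_data_ssl")) != "YES") { print "force_local_data_ssl is not YES: file data may go in the clear"; findings++ }
        }
        if (toupper(val("anonymous_enable")) == "YES") { print "anonymous_enable=YES: anonymous logins are allowed"; findings++ }
        rc = (findings > 0) ? 1 : 0
        exit rc
    }' "$1"
}

# count_findings FILE : number of findings, handy in scripts
count_findings() {
    check_vsftpd_conf "$1" | wc -l | tr -d ' '
}

check_vsftpd_conf "$SAMPLE_CONF" || echo "config needs fixing before restarting vsftpd"
```

Run it against the real file with `check_vsftpd_conf /etc/vsftpd.conf`; a clean config produces no output and exit status 0.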
nano users.txt (alternating lines of username and password; leave out the # markers when making the file)
bill #username
verysecure #password
sue
filetransfer
bob
protocol
db4.7_load -T -t hash -f users.txt /etc/vsftpd_users.db
nano /etc/pam.d/ftpservice
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd_users
Now we must specify a user config file for each virtual user.
nano /etc/vsftp_userconfig
Now add the following:
write_enable=YES
# virtual users are treated as guests, so the anon_* settings govern what they may write
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/luigi
chroot_local_user=YES
# vsftpd 3.x refuses a writable chroot root unless allow_writeable_chroot=YES is also set in vsftpd.conf
dirlist_enable=YES
download_enable=YES
guest_username=luigi
Save and exit. Now let's make a link to this file for each user (the file name under user_config_dir must match the virtual username exactly, or that user silently gets the defaults):
ln -s /etc/vsftp_userconfig /etc/vsftpd/bill
ln -s /etc/vsftp_userconfig /etc/vsftpd/sue
ln -s /etc/vsftp_userconfig /etc/vsftpd/bob
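The virtual-user steps (users.txt, the password database, and the per-user config links) are easy to get subtly wrong: an odd number of lines in users.txt shifts every password by one, and a user with no file under user_config_dir quietly gets the defaults. The script below is an added helper, not from the post: it validates the users file, creates the links the way the post does, reports users that have no config, and wraps the database load (the loader is db4.7_load in the post and plain db_load on newer releases) with the root-only permission the password database needs. It works in a temporary directory with a constructed users.txt; on a real server substitute /etc/vsftpd_users.db and /etc/vsftpd.

```shell
#!/bin/sh
# Added example (not from the post): set up and verify the virtual-user pieces.

WORK=$(mktemp -d)                     # stand-in for /etc on a real server
USERS_TXT="$WORK/users.txt"
SHARED_CONF="$WORK/vsftp_userconfig"
USER_CONF_DIR="$WORK/vsftpd"          # stand-in for user_config_dir=/etc/vsftpd
mkdir -p "$USER_CONF_DIR"

# Constructed sample input in the post's format (username line, password line).
cat > "$USERS_TXT" <<'EOF'
bill
verysecure
sue
filetransfer
bob
protocol
EOF
printf 'local_root=%s\nchroot_local_user=YES\n' "$WORK/home/luigi" > "$SHARED_CONF"

# usernames FILE : print the odd-numbered lines (the usernames)
usernames() {
    awk 'NR % 2 == 1' "$1"
}

# validate_users_file FILE : even line count, no blank lines, no duplicate users
validate_users_file() {
    awk '
    /^$/ { print "blank line " NR; bad = 1 }
    NR % 2 == 1 { if ($0 in seen) { print "duplicate user " $0; bad = 1 } seen[$0] = 1 }
    END {
        if (NR % 2 == 1) { print "odd line count: last user has no password"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# link_user_configs FILE SHARED DIR : one symlink per virtual user, as in the post
link_user_configs() {
    usernames "$1" | while read -r u; do
        ln -sfn "$2" "$3/$u"
    done
}

# missing_user_configs FILE DIR : print usernames that have no per-user config
missing_user_configs() {
    usernames "$1" | while read -r u; do
        [ -e "$2/$u" ] || echo "$u"
    done
}

# build_user_db FILE DBFILE : load the hash database read by pam_userdb.
# Not run here because the loader is not installed everywhere; call it by hand.
build_user_db() {
    loader=$(command -v db4.7_load || command -v db_load) || { echo "no db_load found" >&2; return 1; }
    "$loader" -T -t hash -f "$1" "$2" && chmod 600 "$2"   # passwords live here: root only
}

validate_users_file "$USERS_TXT" && link_user_configs "$USERS_TXT" "$SHARED_CONF" "$USER_CONF_DIR"
missing=$(missing_user_configs "$USERS_TXT" "$USER_CONF_DIR")
[ -z "$missing" ] && echo "all virtual users have a config" || echo "users without config: $missing"
```

After loading the database, remove the plaintext users.txt; the .db file is what PAM reads.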
Now open up your router and set it to forward the port range specified in pasv_min_port and pasv_max_port (in this case 12300-12400) to this machine. Then use iptables to allow that range; in passive mode the client connects to the server on these ports, so the rule belongs in the INPUT chain:
iptables -A INPUT -p tcp --dport 12300:12400 -j ACCEPT
iptables -L (to verify the rule was added)
Then finally restart the vsftpd service:
/etc/init.d/vsftpd restart
Now for fail2ban. The configs are pretty self-explanatory, but read up on it if you have questions:
apt-get install fail2ban
cd /etc/fail2ban
mv jail.conf jail.bak
nano jail.conf
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
backend = polling
destemail = root@localhost
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = 12345
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[vsftp]
enabled = true
port = 21
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3
/etc/init.d/fail2ban restart
Try to SSH into your machine from another virtual machine or another computer and enter the wrong credentials, then check /var/log/fail2ban.log to see if it worked. You can also look at the iptables rules again.
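To see what the vsftpd jail is actually reacting to, here is the core of that check as an added example, not part of fail2ban: an awk pass over vsftpd.log that counts "FAIL LOGIN" lines per client address and reports any address that reaches maxretry. fail2ban additionally limits the count to its findtime window and lifts the ban after bantime; this hand check ignores time. The log lines are constructed in vsftpd's default log format.

```shell
#!/bin/sh
# Added example: the failed-login count behind the vsftpd jail, runnable by hand
# against /var/log/vsftpd.log. Not fail2ban code.

MAXRETRY=3

# Constructed sample log in vsftpd's default (non-xferlog) format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Tue Sep 14 14:25:01 2010 [pid 2301] CONNECT: Client "192.0.2.10"
Tue Sep 14 14:25:03 2010 [pid 2300] [bill] FAIL LOGIN: Client "192.0.2.10"
Tue Sep 14 14:25:08 2010 [pid 2300] [bill] FAIL LOGIN: Client "192.0.2.10"
Tue Sep 14 14:25:12 2010 [pid 2300] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Sep 14 14:26:40 2010 [pid 2310] CONNECT: Client "198.51.100.7"
Tue Sep 14 14:26:44 2010 [pid 2309] [sue] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 14 14:26:50 2010 [pid 2309] [sue] OK LOGIN: Client "198.51.100.7"
EOF

# offenders LOG [LIMIT] : print "<ip> <failures>" for each address at or over LIMIT
offenders() {
    awk -v limit="${2:-$MAXRETRY}" '
    /FAIL LOGIN: Client "/ {
        # the address is the quoted token after Client
        if (match($0, /Client "[^"]+"/)) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)
            fails[ip]++
        }
    }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }' "$1"
}

# is_banned LOG IP : succeeds if IP would be banned at MAXRETRY
is_banned() {
    offenders "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

offenders "$SAMPLE_LOG"
```

Compare the output with `iptables -L` after fail2ban has run: each address listed here should appear as a DROP rule in the chain named after the jail.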
Please give me feedback on if this worked for you or any problems you encounter by dropping a comment.
Part 3 with OpenVPN coming soon...