All posts by Don Matteo

How to Install VSFTPD

13. 06. 2021 Don Matteo Leave a comment

Install FTP server with VSFTPD and hardening using Fail2ban

Very Secure File Transfer Protocol Deamon (VSFTPD), as the service of the same name promises us, VSFTPD is a secure FTP daemon, which is used as the default FTP server by most Linux distributions, such as in Debian, Ubuntu, CentOS, Fedora, RHEL and more. VSFTPD is a secure and stable FTP server and is authorized under the GNU General Public License. VSFTPD is designed for secure and easy support for virtual clients with PAM (Pluggable Authentication Modules). This tutorial shows how to install VSFTPD and implement it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux operating system that includes a manipulable firewall.

Installation

On Debian and Ubuntu, VSFTPD installation goes with the apt package manager from the default repository.


$ sudo apt-get install vsftpd -y

1 2	$ sudo apt-get install vsftpd -y

CentOS and RHEL install VSFTPD using YUM.


$ sudo yum install vsftpd -y

1 2	$ sudo yum install vsftpd -y

After the installation we take steps to configuring VSFTPD.


$ sudo vi /etc/vsftpd.conf

1 2	$ sudo vi /etc/vsftpd.conf

For CentOS / RHEL / Fedora, vsftpd.conf is under /etc/vsftpd.


$ sudo vi /etc/vsftpd/vsftpd.conf

1 2	$ sudo vi /etc/vsftpd/vsftpd.conf

If you don’t work with VIM, you can edit with nano or ne.

We disable anonymous login and allow local users to write.


anonymous_enable=NO
local_enable=YES
write_enable=YES

anonymous_enable=NO

local_enable=YES

write_enable=YES

chroot jail for FTP users

chroot stands for change root and is a feature for Unix systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP server prevents users from accessing files outside of its directory. chroot is also an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf under the line chroot_local_user and change there to YES, also with chroot_list_enable.

The configuration for chroot users, go to the line chroot_local_user and change to YES, as with chroot_list_enable


chroot_local_user=YES
chroot_list_enable=YES

chroot_local_user=YES

chroot_list_enable=YES

All users are chrooted, except for a few who are exempt by creating the file /etc/vsftpd.chroot_list to containing those users who are excluded from chroot.


chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES

chroot_list_file=/etc/vsftpd.chroot_list

allow_writeable_chroot=YES

CentOS / RHEL path /etc/vsftpd/vsftpd.chroot_list

It is possible to completely lock out users, to refuse login for certain users, add following lines to the file vsftpd.conf.


userlist_deny=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist

userlist_deny=YES

userlist_enable=YES

userlist_file=/etc/vsftpd.userlist

Create a file vsftpd.userlist and add users to it. Add user per line like the service accounts, for example: vsftpd.userlist


# for users that are denied.
root
bin
daemon
sys
sync
man
backup
admin
sshd
lp
sync
proxy
list
irc
shutdown
halt
mail
news
uucp
operator
games
nobody
postfix
www-data
ftp
mysql

# for users that are denied.

root

bin

daemon

sys

sync

man

backup

admin

sshd

sync

proxy

list

irc

shutdown

halt

mail

news

uucp

operator

games

nobody

postfix

www-data

ftp

mysql

SFTP encrypted authentication

So that passwords are not sent in clear text, add these options to the configuration file, some of which are already available, check them and change the options if necessary.


ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Note: The default is that SFTP is already enabled by the SSH daemon, so check the file /etc/ssh/sshd_config.


Subsystem   sftp  /usr/lib/openssh/sftp-server

1 2	Subsystem sftp /usr/lib/openssh/sftp-server

Hint! more recommended VSFTPD settings


# chroot() jail at times vsftpd does not require filesystem.
secure_chroot_dir=/var/run/vsftpd/empty
# This string is the name of the PAM service vsftpd will use.
pam_service_name=ftp
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
utf8_filesystem=YES
# passive mode FTP port range this allows by firewall.
pasv_min_port=40000
pasv_max_port=50000

# chroot() jail at times vsftpd does not require filesystem.

secure_chroot_dir=/var/run/vsftpd/empty

# This string is the name of the PAM service vsftpd will use.

pam_service_name=ftp

# Uncomment this to indicate that vsftpd use a utf8 filesystem.

utf8_filesystem=YES

# passive mode FTP port range this allows by firewall.

pasv_min_port=40000

pasv_max_port=50000

VSFTPD protection with Fail2ban

To protect the FTP server from brute force attacks, Fail2ban is activated for VSFTPD. If there are a defined number of failed login attempts, the suspicious host is locked for a certain amount of time. For Fail2ban to work, the logs are important. For this purpose, Fail2ban is installed on the FTP server.


$ sudo apt install -y fail2ban

1 2	$ sudo apt install -y fail2ban

For Fail2ban and VSFTPD, create the file jail.local, if not already exist.


$ sudo vi /etc/fail2ban/jail.local

1 2	$ sudo vi /etc/fail2ban/jail.local

The file jail.conf can also be copied, or individual blocks of the services can be added to jail.local.


[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
findtime=1800
bantime = 7200
maxretry = 4

[vsftpd]

enabled = true

# or overwrite it in jails.local to be

# logpath = %(syslog_authpriv)s

# if you want to rely on PAM failed login attempts

# vsftpd's failregex should match both of those formats

port = ftp,ftp-data,ftps,ftps-data

logpath = %(vsftpd_log)s

findtime=1800

bantime = 7200

maxretry = 4

The logs are important for the functionality of Fail2ban. The FTP server (VSFTPD) logs in to log file /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements. If an additional service is used, which requires xferlog, it can be logged in both log files with dual_log_enable=YES.

In the standard, /var/log/vsftpd.log is read out, which is predefined with the variable %(vsftpd_log)s.


xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO

xferlog_enable=YES

log_ftp_protocol=YES

xferlog_file=/var/log/vsftpd.log

xferlog_std_format=NO

The fail2ban filter for vsftpd contains the file at /etc/fail2ban/filter.d/vsftpd.conf


[INCLUDES]

before = common.conf

[Definition]

__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon =  vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
#            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
            ^ \[pid \d+\] \[[^\]]+\] FTP response: Client "<HOST>", "530 Login incorrect\."*$

ignoreregex =

[INCLUDES]

before = common.conf

[Definition]

__pam_re=$?%(__pam_auth)s(?:\(\S+$)?\)?:?

_daemon = vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

# ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)

^ \[pid \d+\] \[[^\]]+\] FTP response: Client "<HOST>", "530 Login incorrect\."*$

ignoreregex =

To apply changes to Fail2ban, the daemon must be restarted.


$ sudo systemctl restart fail2ban

1 2	$ sudo systemctl restart fail2ban

The IP addresses blocked by Fail2ban can be checked, here as root with the following fail2ban-client command.


$ fail2ban-client status vsftpd
Status for the jail: vsftpd
| Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  '- File list: /var/log/vsftpd.log
'- Actions
   |- Currently Banned: 17
   |- Total banned: 126
   '- Banned IP list:

$ fail2ban-client status vsftpd

Status for the jail: vsftpd

| Filter

| |- Currently failed: 0

| |- Total failed: 3

| '- File list: /var/log/vsftpd.log

'- Actions

|- Currently Banned: 17

|- Total banned: 126

'- Banned IP list:

Howto Tutorials (EN)

Windows view file extensions

7. 06. 2021 Don Matteo Leave a comment

How to make file extensions in Explorer visible

For Windows 10, the file extensions are hidden by default, settings are in control panel – File Explorer Options – Advanced Settings:

Hide extensions for known file types

The file extension is often used to identify the format of a file. For example: name.txt indicates a text file. Modern Windows versions do not know the limitation of file names, like the 8.3 convention known by MS-DOS (8 characters file name, 3 characters extension). In Windows 10, the default setting is that all file extensions known to the system are hidden in Explorer. This fact is exploited by various malware programs. To make the file extension visible, go to the Explorer options in the Control Panel, or call up File Explorer Options directly.

Press the Win + R key to open Run, enter control folders and click OK.

In the File Explorer Options, the setting for file extensions can be hidden or displayed in the View Tab.

Uncheck Hide extensions for known file types and click OK. Any files are now displayed with extensions.

Howto Tutorials (EN)

SSH Login with PuTTY Key Authentication

5. 06. 2021 Don Matteo Leave a comment

PuTTY SSH login with using puttygen key pairs

SSH authentication via asymmetric keys is more secure than using passwords, further public key authentication also enables automated login, for example to log in from scripts without a password request. The PuTTY Key Generator puttygen.exe is used to generate RSA (standard) or DSA and ECDSA key pairs.

Generate PuTTY Key Pair in puttygen
Save Public Key to server
Use PuTTY with Private Key
SSH configuration on Linux server

The tool can be found at putty.org via Download PuTTY, if you have install PuTTY using the putty-installer.msi, then puttygen can already be found in the Windows Start menu under PuTTY. To create an RSA key pair, just click on the Generate button. If you want to generate DSA or ECDSA keys, the desired algorithm can be choose at the parameter box with radio button.

Generate PuTTY Key Pair in puttygen

The necessary random mechanism is provided by moving the mouse freely in the free area of the dialog box during key generation. Then you can enter optionally Key passphrase.

To save the private key be click on the button Save private key, in the dialog “are you sure you want to save this key without a passphrase to protect it!“, you can decide to save with or without passphrase. The save of the public key is not absolutely necessary, because it can be calculated at any time from the private key.

The private key should be kept in a safe place, especially if the private key is not protected by a passphrase. Once a private key has been lost, unauthorized persons cannot do anything, if is protected by a passphrase. On the other hand, in the case of automated processing by scripts, a passphrase is not desired.

The file name and the path when saving are free of choice in the chooser, but the extension .ppk has spread for PuTTY keys, because there is a reference to the format that differs from Linux. PuTTY does not accept OpenSSH keys, but in the Conversions menu it is possible to import existing OpenSSH keys and also to export PuTTY keys.

Save Public Key to server

The public key should be published on the server, completely mark it with the mouse in the Key field and copy it to the clipboard with Ctrl + C.

PuTTY Key Generator Public key pasting into authorized_keys

Just log in with PuTTY again with username and password on the Linux server, open the file ~/.ssh/authorized_keys with an editor of choice and insert the public key from the clipboard.

Do not changed anything on the key, just copy & paste. The file authorized_keys can contain several keys one after the other, without spaces or lines in between.

Use PuTTY with Private Key

To use public key authentication next time you log in, go to the PuTTY start page Basic options for your PuTTY session in the Session area enter the IP address or the Host Name, for Saved Sessions you enter a desired name and click on Save, but first choose the file name of the private key in the Category under Connection click + on SSH they opens the Auth area with Private key file for authentication field. The easiest way to do this is to click on Browse and select the appropriate file in the file chooser.

The credentials for each individual connection can be stored as a session. If a connection is now established to the Linux server, it requires the identity, so that the specified user name must have a public key specified in the file authorized_keys which matches the private key.

Now it asks for the passphrase (if entered) to activate the private key stored in the local .ppk file. If both keys are matched access will granted.

SSH configuration on Linux server

On the Linux server, the SSH server configuration for SSH authentication via asymmetric keys must be activated, with most Linux distributions public key authentication is activated by default.


#PubkeyAuthentication yes
#RSAAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

#PubkeyAuthentication yes

#RSAAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

OpenSSH: A leading hash (#) character means that it is the default value, if you would change the value, removed # and modify the parameter.

The users manage their public keys under $home in the key file ~/.ssh/authorized_keys, after creating it with adduser the .ssh directory is usually not exist, in this case it is made as root for the user john as follows.


$ cd /home/john
$ mkdir .ssh
$ chown john:john .ssh
$ chmod 700 .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

$ cd /home/john

$ mkdir .ssh

$ chown john:john .ssh

$ chmod 700 .ssh

$ touch .ssh/authorized_keys

$ chmod 600 .ssh/authorized_keys

The .ssh directory is not visible to other users.