Install FTP server vsFTPD and harden it through Fail2ban

In this tutorial we show how to deploy the FTP daemon vsFTPD on a Linux server; at the end, vsFTPD is hardened with Fail2ban.

Very Secure File Transfer Protocol Daemon (vsFTPD) is, as its name promises, a secure FTP daemon that most Linux distributions ship as their default FTP server, including Debian, Ubuntu, CentOS, Fedora and RHEL. vsFTPD provides a stable FTP server and is licensed under the GNU General Public License. It is designed for secure and easy support of virtual users through PAM (Pluggable Authentication Modules). This tutorial shows how to install vsFTPD and protect it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux system with a firewall it can manipulate.

How to install vsFTPD and harden FTP with Fail2ban

Installation

On Debian as well as Ubuntu, vsFTPD is installed as usual with the apt package manager from the default repository.

$ sudo apt-get install vsftpd -y

On CentOS and RHEL, vsFTPD is installed with yum (or its successor DNF, Dandified Yum, on newer releases).

$ sudo yum install vsftpd -y

After the installation we configure vsFTPD.

$ sudo vi /etc/vsftpd.conf

On CentOS / RHEL / Fedora, vsftpd.conf is found under /etc/vsftpd.

$ sudo vi /etc/vsftpd/vsftpd.conf

  If you don't like vim, edit the file with nano, ne or whatever your favourite editor is.

We disable anonymous login and allow local users to write.

anonymous_enable=NO
local_enable=YES
write_enable=YES

chroot jail for FTP users

chroot stands for change root and is a feature of Unix systems that changes the apparent root directory of a process. chroot only affects the current process and its child processes; it is a simple jail mechanism with which the FTP server prevents users from accessing files outside their own directory. chroot is also an easy way to sandbox untrusted data. The chroot settings for vsFTPD users are in the file vsftpd.conf.

To chroot users, go to the line chroot_local_user and change it to YES, and do the same for chroot_list_enable.

chroot_local_user=YES
chroot_list_enable=YES

All local users are now chrooted, except those listed in the file /etc/vsftpd.chroot_list, which contains the users exempt from the chroot.

chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES

  CentOS / RHEL path: /etc/vsftpd/vsftpd.chroot_list

  Note: vsftpd refuses to run a session when the root directory of the chroot is writable, because a writable jail root weakens the isolation. allow_writeable_chroot=YES overrides that check; set it only if the users' home directories really must be writable, otherwise keep the home directory read-only and give users a writable subdirectory instead.

It is also possible to lock out users completely. To refuse login for certain users, add the following lines to vsftpd.conf.

userlist_deny=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist

Create the file vsftpd.userlist and add the denied users to it, one user per line, for example the service accounts:

# for users that are denied.
root
bin
daemon
sys
sync
man
backup
admin
sshd
lp
proxy
list
irc
shutdown
halt
mail
news
uucp
operator
games
nobody
postfix
www-data
ftp
mysql

FTP over TLS (FTPS) encrypted authentication

So that passwords are not sent in clear text, add these options to the configuration file. Some of them are already present; check them and change the values if necessary. The snakeoil certificate referenced below is the self-signed placeholder from the Debian ssl-cert package; replace it with a certificate issued for your server.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Note: SFTP is a different protocol that runs over SSH rather than FTP over TLS; it is already enabled by default by the SSH daemon, see the Subsystem line in /etc/ssh/sshd_config.

Subsystem   sftp  /usr/lib/openssh/sftp-server

Back in vsftpd.conf, check the following options as well.

# Empty, non-writable directory used as a secure chroot() jail at times when vsftpd does not require filesystem access.
secure_chroot_dir=/var/run/vsftpd/empty
# This string is the name of the PAM service vsftpd will use.
pam_service_name=ftp
# Uncomment this to indicate that vsftpd uses a UTF-8 filesystem.
utf8_filesystem=YES
# Passive-mode data port range; open the same range on the firewall.
pasv_min_port=40000
pasv_max_port=50000

Note: An FTP connection consists of a command channel and a data channel. In passive mode the client opens both connections to the server, so the firewall can let the FTP session through as long as the port range from pasv_min_port to pasv_max_port is also open on the firewall.
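As an added check that is not part of the original tutorial, the following Python script parses a vsftpd.conf the way vsftpd reads it and reports which of the settings above are missing or weak, including a writable chroot root and an unset passive port range; the sample configuration and the expected values are constructed for this example.

```python
# Hardening keys from the tutorial and the value each must have (compared case-insensitively).
EXPECTED = {
    "anonymous_enable": "NO", "local_enable": "YES", "chroot_local_user": "YES",
    "userlist_enable": "YES", "userlist_deny": "YES",
    "ssl_enable": "YES", "allow_anon_ssl": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
}

# Constructed sample vsftpd.conf: TLS is still off, the passive range is missing, jail root is writable.
SAMPLE_CONF = """\
# vsftpd.conf (constructed sample)
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=YES
ssl_enable=NO
"""

def parse_vsftpd_conf(text):
    """Parse key=value lines as vsftpd does: comments and blank lines are skipped, the last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd_conf(text):
    """Return the list of findings; an empty list means every setting from the tutorial is in place."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} not set (want {want})")
        elif got.upper() != want:
            findings.append(f"{key}={got} (want {want})")
    # vsftpd refuses a writable chroot root unless this override is set; it weakens the jail.
    if conf.get("allow_writeable_chroot", "NO").upper() == "YES":
        findings.append("allow_writeable_chroot=YES weakens the chroot jail")
    # The passive data range must be a bounded, unprivileged range so the firewall rule can mirror it.
    lo, hi = conf.get("pasv_min_port", ""), conf.get("pasv_max_port", "")
    if not (lo.isdigit() and hi.isdigit() and 1024 <= int(lo) <= int(hi) <= 65535):
        findings.append("pasv_min_port/pasv_max_port missing or invalid")
    return findings
```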

FTP server vsFTPD hardening through Fail2ban

To protect the FTP server from brute-force attacks, Fail2ban is enabled for vsFTPD. After a defined number of failed login attempts, the suspicious host is banned for a certain amount of time. Fail2ban works from the logs, so it is installed on the FTP server itself.

$ sudo apt install -y fail2ban

Configure the vsFTPD jail in Fail2ban

For fail2ban and vsFTPD, create the file jail.local if it does not exist yet.

$ sudo vi /etc/fail2ban/jail.local

  jail.conf can also be copied as a whole, or individual service blocks can be added to jail.local.

[vsftpd]
enabled  = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s
findtime = 1800
bantime  = 7200
maxretry = 4

Logs are essential for fail2ban to work. The FTP server (vsFTPD) writes to the log file /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements. If an additional service needs the xferlog format, vsFTPD can write both log files with dual_log_enable=YES.

  By default /var/log/vsftpd.log is read, which is predefined by the variable %(vsftpd_log)s.

xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO

The fail2ban filter for vsftpd is in the file /etc/fail2ban/filter.d/vsftpd.conf:

[INCLUDES]

before = common.conf

[Definition]

__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon =  vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)

ignoreregex =
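To see what the two failregex lines above actually match, here is an added Python example (not part of the original post or of Fail2ban) that substitutes simplified stand-ins for fail2ban's __prefix_line, __pam_re and <HOST> macros, runs the patterns over constructed vsftpd.log and auth.log lines, and applies the maxretry and findtime values from the jail above; the macro simplifications and the sample lines are assumptions.

```python
import re
# Simplified stand-ins for fail2ban's common.conf macros (assumption: the real ones are broader).
PREFIX = r"^\s*(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ )?(?:vsftpd(?:\[\d+\])?:\s+)?"
PAM_RE = r"\(?pam_[a-z]+(?:\(\S+\))?\)?:?"
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# The two failregex lines of filter.d/vsftpd.conf with the macros substituted (PAM line, then FAIL LOGIN line).
FAILREGEX = [
    re.compile(PREFIX + PAM_RE + r"\s+authentication failure; logname=\S* uid=\S* "
               r"euid=\S* tty=(ftp)? ruser=\S* rhost=" + HOST + r"(?:\s+user=.*)?\s*$"),
    re.compile(r'^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "' + HOST + r'"(?:\s*$|,)'),
]
VSFTPD_STAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}")  # ctime prefix of vsftpd.log

# Constructed sample log lines (not real traffic); documentation addresses only.
SAMPLE_LOG = """\
Mon Nov  9 10:22:03 2020 [pid 1234] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Nov  9 10:22:10 2020 [pid 1235] [admin] FAIL LOGIN: Client "203.0.113.5"
Nov  9 10:22:41 ftphost vsftpd[1236]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=203.0.113.5
Mon Nov  9 10:23:05 2020 [pid 1237] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Nov  9 10:24:00 2020 [pid 1239] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
""".splitlines()

def match_failure(line):
    """Return (seconds of day, host) when a failregex matches the line, else None."""
    stamp = re.search(r"(\d\d):(\d\d):(\d\d)", line)
    if not stamp:
        return None
    secs = int(stamp[1]) * 3600 + int(stamp[2]) * 60 + int(stamp[3])
    candidate = VSFTPD_STAMP.sub("", line)  # fail2ban strips the date before matching
    for rx in FAILREGEX:
        m = rx.match(candidate)
        if m:
            return secs, m.group("host")
    return None

def hosts_to_ban(lines, maxretry=4, findtime=1800):
    """Jail logic: a host is banned once it reaches maxretry failures within findtime seconds (same day assumed)."""
    failures = {}
    for line in lines:
        if hit := match_failure(line):
            failures.setdefault(hit[1], []).append(hit[0])
    banned = []
    for host, times in failures.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)
```

The real tool for the same check against a live log is `fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf`, which prints how many lines each failregex matched.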

Restart the Fail2ban daemon to apply the changes.

$ sudo systemctl restart fail2ban

Now check which IP addresses fail2ban has banned for vsftpd; as root, run this fail2ban-client command.

$ fail2ban-client status vsftpd
Status for the jail: vsftpd
| Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  '- File list: /var/log/vsftpd.log
'- Actions
   |- Currently Banned: 17
   |- Total banned: 126
   '- Banned IP list:

File extensions in Windows Explorer: how to view them

How to make File extensions in Windows Explorer visible

In Windows 10 and 11, file extensions are hidden by default. In Windows 11, open View in the toolbar, scroll down to Show and choose File name extensions.

The file extension is often used to identify the format of a file; for example, name.txt indicates a text file. Modern Windows versions no longer have the file name limitation of the 8.3 convention known from MS-DOS (8-character file name, 3-character extension). In Windows 10, the default setting hides all extensions known to the system in Explorer. Various malware programs exploit this: a file named invoice.pdf.exe is shown simply as invoice.pdf. To make the file extension visible, go to the Explorer options in the Control Panel, or open File Explorer Options directly.

File extensions for known file types

In the Windows 10 Explorer ribbon, tick the checkbox File name extensions, or click the Options button in the View tab to open File Explorer Options.

Windows Explorer File name extensions

Alternatively, the options dialog can be opened directly from the Run box.

Windows Run control folders

Press Windows + R, enter control folders and click OK.

In File Explorer Options, the View tab contains the setting that hides or shows file extensions.

File extension in Windows Explorer, Hide extensions for known file types

Uncheck Hide extensions for known file types and click OK. All files are now displayed with their extensions.

Windows 11 Show File name extensions

In Windows 11 it has become easier: in Explorer, open View in the toolbar, scroll down to Show and choose File name extensions.

Windows 11 File explorer Show File name extensions

The file name extensions and types of all files are now displayed in the Windows 11 File Explorer.

With regard to system security, making file extensions visible is also recommended, since malware and Trojans can hide less easily when the extension identifies the file type and the program the file is associated with.

Common filename extensions

Many operating systems do not limit file names to a single extension of fewer than four characters, as was common with some operating systems that supported the File Allocation Table (FAT) file system. Operating systems that do not impose this limit include Unix-like systems and Microsoft Windows NT, 95, 98 and ME, which have no three-character limit on extensions for 32-bit or 64-bit applications on file systems other than the pre-Windows 95 and Windows NT 3.5 versions of FAT. Some file names are given extensions longer than three characters. While MS-DOS and NT always treat the suffix after the last period in a file's name as its extension, in Unix-like systems the final period does not necessarily mean that the text after it is the file's extension.

This is a list of common Windows file name extensions, organized by type.