Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.
In this guide you will learn:
- Setup vsftpd to provide FTP service.
- Configure vsftpd.
- Configure Firewalls to protect the FTP server.
- Configure vsftpd with SSL/TLS.
- Setup vsftpd as download only anonymous internet server.
- Setup vsftpd with virtual users and more.
There is a way to protect different directories with different username/password under Lighttpd server using conditionals directives.
Security is an important aspect of the IBM AIX operating system. Follow along with this quick reference guide on AIX user security commands to learn more.
rssh is a restricted shell for providing limited access to a host via ssh. It also allows system wide configuration and per user configuration. From the man page:
The user configuration directive allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keywordâ€™s argument consists of a group of fields separated by a colon (:), as shown below. The fields are, in order:
- username : The username of the user for whom the entry provides options
- umask : The umask for this user, in octal, just as it would be specified to the shell access bits. Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.
- path : The directory to which this user should be chrooted (this is not a command, it is a directory name).
rssh examples of configuring per-user options
Open /etc/rssh.conf file:
# vi /etc/rssh.conf
All user tom to bypass our chroot jail:
Provide jerry cvs access with no chroot:
Provide spike rsync access with no chroot:
Provide tyke access with chroot jail located at /users
user="tyke:011:00001:/users" # whole user string can be quoted
if your chroot_path contains spaces, it must be quoted. Provide nibbles scp access with chroot directory:
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"
=> rssh home page
=> Redhat specific chroot jail script (outdated)
=> Refer man pages: rssh.conf, rssh, ssh, sshd, sftp, scp, rsync, sshd_config
I was writing and testing few python scripts (yes I’m moving lot of stuff from shell / perl to python these days) and accidentally I renamed my own user account from vivek to test. However, I did not noticed change until I rebooted my box. Now I cannot run sudo (or become a root user) and cannot access special devices such as sound or video.
By default your first account has all power via sudo under Ubuntu Linux. There is a special group called adm and admin which grants unlimited power via sudo.
The only solution was to boot computer in emergency mode (reboot computer and at grub menu select recovery mode kernel), open /etc/group file and add user vivek to admin and adm group:
# vi /etc/group
Add user vivek to admin and adm group:
Save and close the file.
Now I’m able to run sudo and do other stuff. Luckily, my scripts always backup critical files before modification. So I was able to restore permission instantly. Here is my group membership with all power and glory 😉
vivek adm dialout cdrom floppy audio dip video plugdev scanner netdev lpadmin powerdev admin
Under Linux password related utilities and config file(s) comes from shadow password suite. The /etc/login.defs file defines the site-specific configuration for this suite. This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name and value, separated by whitespace.
You need to set default password expiry using /etc/login.defs file (password aging controls parameters):
- PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
- PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected
- PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
Open file /etc/login.defs using text editor:
# vi /etc/login.defs
Setup (sample) values as follows:
Close and save the file.
Please note that much of the functionality that used to be provided by the shadow password suite is now handled by PAM suite. Next time I will write about PAM configuration.
For security reason you must enable Password expiry policy on FreeBSD box. Linux comes with chage command, which changes the number of days between password changes and the date of the last password change.
FreeBSD pw command
Use pw command to setup password expiry date for existing user account. Syntax is as follows:
pw user mod USERNAME -p DD-MMM-YY
- -p DD-MMM-YY: Set the account’s password expiration date.
For example, expire user rockyâ€™s password on 31-Mar-2006:
# pw user mod USERNAME -p 31-mar-06
Use pw command to setup password expiry while creating new user account.
pw user add USERNAME -p DATE -e DAYS:
- -p DAYS: Set default account expiration period in days
- -e DAYS: Set the account’s expiration date.
For example create a user called didi and Set the default password expiration to 30 days.
# pw user add didi -p 30 -d /home/didi -m
# passwd didi
This is good if you have small number of users. For large installation base (such as University computers) you need to define user login class. With login class you can control the following :
- Resource limits
- Accounting limits
- Authentication limits
- Default user environment settings.
You need to use autofs. It is use to mount file system on demand. Usually autofs is invoked at system boot time with the start parameter and at shutdown time with the stop parameter. The autofs script can also manually be invoked by the system administrator to shut down, restart or reload the automounters.
autofs will consult a configuration file /etc/auto.master to find mount points on the system.
i) Install autofs if not installed. if you are using Debian / Ubuntu Linux, enter:
# apt-get install autofs
ii) Create dekstop group and add user jimmy to this group:
# groupadd desktop
# usermod -G video,desktop jimmy
# chmod -R a+rx /var/autofs/misc
iii) Configure autofs so that usb stick can be accessed:
# vi /etc/auto.misc
iv) Append following text to auto.misc:
usb -fstype=auto, user, sync, nodev, nosuid, gid=desktop, umask=002 :/dev/sda1
d -fstype=vfat, user, sync, nodev, nosuid,gid=desktop, umask=002 :/dev/hda2
- usb : Is directory name, which can be accessed via /var/autofs/misc/usb directory. User in desktop group just need to type cd command (cd /var/autofs/misc/usb) to change the directory.
- -fstype- auto, user, sync, nodev, nosuid, gid-desktop, umask-002 :- All these are options used to mount the file system by automounter.
- auto: File system is automatically determined by kernel.
- user: Normal user are allowed to mount devices
- nodev: Do not interpret character or block special devices on the file system.
- nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect. This is security feature.
- gid=desktop: This allows file system mounted as as group dekstop. As we have added user jimmy to this group already.
- umask=002: Setup umask so that users in group desktop can write data to device.
Please note that without gid and umask option normal user cannot write data to device.
v)Restart the autofs:
vi) Test it as user jimmy (make sure usb stick/pen is inserted into usb port):
$ ls /var/autofs/misc/usb
$ cd /var/autofs/misc/usb
$ mkdir testdir
$ ls -l