Drop FTP(S) and use SFTP by default in Virtualmin

24 posts / 0 new
Last post
#1 Sat, 03/07/2015 - 07:02
fakemoth
fakemoth's picture

Drop FTP(S) and use SFTP by default in Virtualmin

Joe, Jamie, andreychek you should seriously consider making SFTP the default file transfer technology in Virtualmin:

-FTP(S) requires a big range of high ports opened - that implies you don't have a firewall anymore; or to use something like ftp_conntrack in iptables, but if you have a different firewall in FRONT of the server, that doesn't help you anymore; and if you are using FTPS, the firewall can't really listen for FTP traffic to open ports (it is encrypted). Yeah, I know: CCC, but I rather not trust that all the firewalls I put in front of my server (just for fun) work with that; cause they don't. So FTPS is difficult for most people to configure. And FTP sends everything in plain text. Never mind it was designed in '70s...

-webDAVS for me sucks big time as you have to let loose the rights on directories, and my permissions are always maximum 755 for folders and 644 for files with the proper uid/gid. This is a no-no mostly because that's what keeps a web server working, not letting scripts influence other virtual servers/directories/files. It seems to me like a serious security issue, that's how mass defaces are done. And I decided not to use it. But webdavs is still cool, as you might use it in just a directory. .../public_html/Owncloud for example :)

-"FTP over SSH" - this shouldn't be used; in fact you are logging in SSH, on the same port used by SSH, and yes there are difficulties to configure every user and group; in fact this function it is better to be disabled in SSH so the ones that login via SSH shouldn't be able to use it!

-SFTP "Secure File Transfer Protocol" as the SFTP module for Proftpd; the FTP server (Proftpd) can be configured (easily) to use SFTP, on a DIFFERENT port from SSH and FTP or FTPS; there are no problems here as it respects the way (FTP or FTPS) it was working, including user access and rights! The users are jailed in their homes, at least it works for me; and you can't believe how simple is to achieve that. If someone thinks that the users CAN'T BE JAILED, please post here, how/why/setup/conditions. BTW, you can't login from a terminal here, I guess somehow you don't get a shell? Which is uber-ok.

So SFTP is the only thing we should use. Hope some more people agree with me, and you would consider this. It requires only one port (different from SSH, in fact SFTP must be disabled in SSH, and SFTP configured as a module in Proftpd, so the users are not seeing the root (default SSH behavior), but their home, like in ProFTPD; no configuration of "FTP over SSH" which is a nightmare in a hosting environment, it's just Proftpd making good use of SSH and a nice protocol), firewalls are left intact and/or no stupid modules in iptables, everything secured so on.

After I got it working I was thinking "why the hell are we still using FTP(S)"??? And it works with keys or passwords :)

Sat, 03/07/2015 - 07:19
fakemoth
fakemoth's picture

PS - my users had to do almost NOTHING, when I switched, but to change the port and select the connection in Filezilla as SFTP.

Don't take the name of root in vain...

Sun, 03/08/2015 - 12:34
Welshman
Welshman's picture

SFTP please guys. Drop FTP it's insecure.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Mon, 03/09/2015 - 13:29
jimdunn
  • comment remove, due to hostile reply
Mon, 03/09/2015 - 01:40
fakemoth
fakemoth's picture

@jimdunn I beg to differ! SSH CAN be jailed too, but it is a lot of work to do it. You seem to confuse two things here:

-"FTP over SSH" - this shouldn't be used; in fact you are logging in SSH, on the same port used by SSH, and yes there are difficulties to configure every user and group; in fact this function it is better to be disabled in SSH!

-SFTP "Secure File Transfer Protocol" as the SFTP module for Proftpd; the FTP server (Proftpd) can be configured (easily) to use SFTP, on a DIFFERENT port from SSH and FTP; there are no problems here as it respects the way (FTP or FTPS) it was working, including user access and rights!

-sometimes people often confuse the previous two (not your case, but sometimes it happens) with FTPS "File Transfer Protocol over SSL" - this is just FTP encrypted.

Please read again my post, I edited it to be more clear! And in fact I mentioned the user access problem a few times deliberately...

Don't take the name of root in vain...

Mon, 03/09/2015 - 13:26
jimdunn
  • comment remove, due to hostile reply
Mon, 03/09/2015 - 13:36 (Reply to #6)
fakemoth
fakemoth's picture

The comment should be "removed for providing eronous information about major protocols and about the capabilities of the product that also provides this forum; also for being a self-sufficient dude and just doing my thing, not listening to others, nor searching the web, even if I am wrong".

Don't take the name of root in vain...

Mon, 03/09/2015 - 06:55
Welshman
Welshman's picture

Yes, the jailing is important, ftp is ok there, but even if someone with ftp access logs in via a sftp client they can have a good look around the server. Can you stop them using sftp?

SFTP is the way to go but the jailing needs to be sorted somehow and built in.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Mon, 04/27/2015 - 02:26
fakemoth
fakemoth's picture

@jimdunn Dude what are you talking about??? You posted a VERY wrong statement, and now making a point through... non-sense bullets?

Reversed order answers:

-first of all I did write quite a few How Tos; I actually used to run an IT&C online magazine. And regarding SFTP, well... I will provide to any other user than you, my proftpd.conf. Just because you keep saying the same thing and not asking "How to configure Proftpd for SFTP?".

-second - don't ever say this thing again: just because it is standard=should remain the same even if it's garbage. First of all that's windowish stuff. Second it is standard because of the horde of admins like you saying "SFTP cannot be jailed, do NOT take away FTP." I just shown you how wrong you are, in both flavors, "FTP over SSH" (where it is a bit of worked involved, and not very convenient and is really just SSH in fact) and SFTP "Secure File Transfer Protocol" as the SFTP module for Proftpd. Search the web for more details.

-I did disabled everything I don't need, why would you think otherwise it's beyond me? Problem is leaving, in fact writing those three letters anywhere in the panel "F.T.P." (the main problem) encourages people to use the protocol: "hey the Webmin dudes surely know what they are doing, so FTP it's fine". No it's not fine, they are just giving you the option, because you are used to "convenient" ways. Kinda what are you doing now.

-The problems with the firewalls are not with the local ones, but with different machines who fill in the role of a router/firewall being Cisco/Juniper/Others, or in my case built by me, whom don't cope well with CCC (mentioned this twice already); now I am using pfSense in 1U servers, but I like to try stuff. BTW only now in 2015, linux based stand alone firewalls are beginning to get close to BSD ones. And this is another piece of good advice: "open high ports for FTP"...

-Never said "non-standard ports provide security"... yeahh... quite sure of it... let me think... MNOPE, I DIDN'T; I was trying to explain to you in vain that you can leave your SSH port alone, that you don't have to configure SSH in fact, but Proftpd. And just to tell Proftpd to use a different port, on which you can't login with SSH, obviously, and to load the sftp module. Your odlye 22 port (or any other SSH port you might have chosen) should in fact remain in place.

-bla-bla-bla

-"there are attempts to jail SSH, none yet that are fully secure" really dude? After all my effort to put this down... You don't even bothered to search the web if you don't trust me, which you don't for sure (fine). But at least don't mislead people as the info in this forum will be referenced for years and the conclusion will be: "Hah, the Virtualmin software is no good because look what jimdunn said; it brokes even the lowest level rulz!".

Don't take the name of root in vain...

Mon, 03/09/2015 - 07:50
fakemoth
fakemoth's picture

People please read this http://www.proftpd.org/docs/contrib/mod_sftp.html or just read bellow:

"The mod_sftp module implements the SSH2 protocol and its SFTP subsystem, for secure file transfer over an SSH2 connection. The mod_sftp module supports:

Public key authentication
Password authentication (e.g. user authentication via mod_sql, mod_ldap, mod_auth_file, mod_auth_unix, mod_auth_pam)
SCP support
Quotas (via the mod_quotatab module)
FIPS support (see Usage section)
Throttled transfers (via TransferRate, and/or the mod_shaper module)
Blacklisted public keys
Configurable traffic analysis protection
Passphrase-protected host keys
SFTP extensions: check-file, copy-file, vendor-id, version-select, posix-rename@openssh.com, statvfs@openssh.com, fstatvfs@openssh.com

This module supports the SFTP and SCP file transfer protocols; it does not support shell access. The mod_sftp module does not currently support:

<Anonymous>
ListOptions
MaxRetrieveFileSize

The mod_sftp module is contained in the mod_sftp/ directory, is intended for ProFTPD 1.3.3rc1 and later, and is not compiled by default. Installation instructions are discussed here.

The most current version of mod_sftp is distributed with the ProFTPD source code."

Don't take the name of root in vain...

Mon, 03/09/2015 - 13:41
fakemoth
fakemoth's picture

@Welshman there are no problems with jailing users: the Proftpd server via sftp module offers the same set of commands as for FTP, it just uses SSH2. I can confirm, no user on my server can get out of their home, nor can they login in the actual SSH server, which is restricted to my special-secret-fancy-unprivileged-user-guess-what-is-it only :)

Don't take the name of root in vain...

Tue, 03/28/2017 - 23:38 (Reply to #11)
volk

I think that would be the best solution as it doesn't require major changes or removing Proftpd.

Mon, 03/09/2015 - 15:36
andreychek

Howdy,

Alright, let's all try to be nice :-)

One of the issues with jailing users is that it only affects the one protocol -- it doesn't prevent access via other means, such as from a web app.

There's some comments regarding that here in the section "How can I prevent other types of users from browsing the entire filesystem?"

https://www.virtualmin.com/documentation/security/faq

SSH, SCP, and SFTP is available by default for users on port 22.

And FTP isn't there because we want it, but due to demand (ie, people do really crazy things to get it working if it's not available). However, anyone who doesn't want it can certainly disable it -- few people would be happier than us to see FTP go away.

I looked it up and am intrigued that the SFTP module is included with ProFTP in all the major distros though, I'll take a closer look at that.

-Eric

Tue, 12/06/2016 - 16:03
Rhandy

Hi!

Someone can please tell me step by step how to do it?

I would Like to automatic gen ssh keys for users and password for ssh-keys and only allow SFTP with pair of keys. Any module on webmin or I have to do it by hand?

Tue, 03/28/2017 - 23:37
volk

andreychek has a good point. I don't think jailing at its current way can solve some of the things that most thing it will solve here. While I personally don't use FTP for years now, if you remove this it will cause dooms day among webmasters and developers. There is a reason why no other commercial control panel has removed it either. Just force FTPS (which is secure FTP) and don't allow plain FTP and problem solved.

The problem with killing FTP is that nobody except us geeks now what SSH is and how to use it properly. Most people still thing that SFTP is somehow related to FTP and its not, its SSH so they will be looking like crazy in their FTP software. The fact that some people confuse SFTP with FTPS tells you the market is not ready. FTP is just widely supported everywhere, from most developer IDE programs to operating system.

While there will be a future where it can be removed. Nothing at all forces someone to use it today. You can decide not to offer FTP for your customers and accounts and even remove the FTP software or leave it stopped on boot so it can't be used even my mistake. Why would they remove a widely used feature because some folks don't want to use it? Nothing stops anyone here from not providing it as an option to their customers. If you don't want it in your server, disable the service, disable it on boot or even uninstall the ProFTP service completely.

If the jailing is not completely working, do you honestly want to give users a way to look around all the other usernames you have setup in your server? While technically any experienced user can break out of the FTP service, with SSH you are giving this option to everyone, even newbies. Some people when they see that, thing your server is hacked and vulnerable and may even cancel the service just because they are able see all the hosted customers in that server. Not to mention some people setting incorrect permission on files (777) which makes the whole thing even worse. You can still do this with a file manager in PHP or any other scripts but if you disable FTP and force them straight to SFTP, right now they will be able to freely browser all your server, everyone, even regular users. Good luck trying to explain that to newbie Linux users...

Thu, 03/30/2017 - 10:55
fakemoth
fakemoth's picture

@volk we meet again today :D And mnope, they can't browse anything else with SFTP. Not in my case at least.

Don't take the name of root in vain...

Thu, 03/30/2017 - 11:14
jimdunn

Too bad you don't show a "how to jail SFTP" readme.

Thu, 03/30/2017 - 11:22
fakemoth
fakemoth's picture

But I did post it, I think there were two threads regarding this. I will search for it right now, but... you don't have to do anything special! Just configure Proftpd (or keep your current running configuration, if it is working for you) to jail the users in their homes and simply add the module in Proftpd. It is really easy. Let me search for the thread.

Don't take the name of root in vain...

Fri, 03/31/2017 - 06:42
fakemoth
fakemoth's picture

My comment is being moderated, don't know why, wait for it pls.

Don't take the name of root in vain...

Wed, 05/10/2017 - 14:09 (Reply to #20)
ksihota

I have been hunting for an easy way to do this in Virtualmin. Can you post your link?

edit: Okay, I think I have figured it out. Just read the manual.

Wed, 05/10/2017 - 19:48
jimdunn

Remember to also block any PHP functions that could allow users to "look" around the file-system as well.

Thu, 03/07/2019 - 10:35
borekon
borekon's picture

Hi, Sorry for asking in such old threat, but things on my server are not working as they should do. First, i changed FTPS port to 2121. So, connecting with filezilla is ok, but when overwritting/uploading any files, it says permission denied. But when connecting to my ssh port with filezilla using FTPS as well, there is no permissions problems; i can delete/create/overwrite any file. What could be wrong?

Thu, 03/14/2019 - 19:43
adamjedgar

i would like to also weigh in on this topic...this is such a completely shitty topic its driving me completely nuts!

Which should we be using...ftps or SSH?

Also, i still have not found a single tutorial anywhere for this that is written for virtualmin...and quite frankly I am about ready to move to another control panel that has decent support on these kinds of issues. To be honest, i think that ISPConfig is a far more trustworthy platform because its developers have some decent documentation and are very accessible for their experties on topics such as this. For some of us to defect to ISPConfig would be a tragedy as the server administrator workload increases in using that platform compared to virtulamin (i am a believer in the automation that virtualmin offers in so many areas)

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Fri, 03/15/2019 - 03:28
jimdunn

I've always been amused by this thread.

If you know network configuration then use both (FTPS and SSH). They're great!! : )

As for "FTPS for Virtualmin"... see my article at http://www.virtualmin.com/node/29262