March 16th, 2005, 11:35 AM
Creating a Secure SUSE Linux server for FTP and SSH
Creating a Secure SUSE Linux server for FTP and SSH
Written by gore
Introduction for beginners:
No server is secure 100% When you open a service up on a machine, you take a risk. Any type of server can be broken into, but this can help prevent things from happening that you probably don't want going on with your server. I'm going to use SUSE Linux 9.2 Professional. This is going to work fine in 9.1 as well, and should work just as well in 8.2.
So first off, get a look at my SUSE installation tutorials so you can get it installed. You should read the SUSE basics as well as it will touch over some of this. I'm going to do this all with nothing but the tools SUSE comes with on the DVDs. If I add a bunch more, it adds to complexity, and I would like to try and keep this simple.
Now first, after you have read my tutorials for installing SUSE and have a basic security practice in place, continue.
Locking the box down.
In the first security tutorial I wrote I showed you how to get a decent lock down on SUSE which would help users out but I didn't really get into server use much at all. That's where this steps in. I'm starting with SUSE DVDs only because then you don't have to download.
The FTP server I'm going to use is PureFTPd because of simplicity of setting it up, and of course, it's fairly easy to make it at the very least not easy for someone to abuse. Now, remember FTP is sent out in the clear and you can use SSH and SCP to do this, but again, for the reason of simplicity, I'm going to show you how, but not hold your hand.
So if you want to use SCP, well, read up on it, this is mainly going to form a base for that. You'll be able to log in over SSH, and you'll be able to upload and download files from the FTP server side of it. I use this quite a bit, because one of my machines have this huge drive in it that can fit quite a few things and it has a fast CD-RW drive, so I use this for back ups. I upload all the files I want to back up, then I burn them to a CD-R and file them in a cabinet I have where I keep back ups.
And of course SSH is good for logging in remotely and keeping it at least somewhat secure. But remember, when a new exploit comes out, if you haven't updated, you'll learn why you should.
And don't think no one wants anything on your home network. I put an FTP server online, and in 3 days I had a bunch of attempts at root log ins. This should be reason enough to not think that way and reason enough to make your password as hard as possible. And not letting root log in is fairly good too.
That file can be opened in a text editor like Emacs or Vim, and you can edit out everything except /dev/tty1 and /dev/tty2
That would prevent root from logging in from ANYTHING OR ANYWHERE BUT TTY1 and 2 and of course would stop root logging in from X because that is TTY7.
that is a good idea if you're setting up a locked down machine and don't want people logging in from anywhere but the keyboard sitting in front of the desk. But a false sense of security is worse than no security at all.
Remember that, and don't let your box get rooted.
YAST2 is the main configuration utility in SUSE Linux, so learn to use it.
Click on the module titled "Security and Users".
Click on the "Firewall" Icon to launch the Firewall configuration.
The module pops up, and then you can configure the Firewall.
Now, this part I can't walk you through, as I doubt all of you reading have the exact same set up as I do, but I can help:
Read what's on the screen. You should see "External Interface". If you have a Cable connection, or if you're using a Network connection, or a LAN, then you will be selecting "etho" for this.
For the "Internal Interface" that one is up to you.
the screen has directions on the left, so if you're using DSL or Dial up, read it.
After you have this section done, click on "Next" in the lower right of that window, to go to the next page. Clicking "Next" brings you to a page with a few more options than the last.
I'm going to use this box for FTP, and SSH, so I click on the following:
And then I click on "Expert" and type in "21" for the FTP port.
you may open as many ports as you want here, and I don't think I have to walk you through anymore.
After you have what you want typed in, click on "OK" to go back to the other window.
After you have all the services you need opened up, click on "Next".
The next window doesn't have a whole lot to it, and is fairly easy. By default, the pre-checked boxes are fine. If you don't know if you want to check the last box or not, leave it alone.
Click on "Next".
The next configuration window shows a few options for logging. Leave these alone unless you're sure.
After you click on "Next" a window pops up saying it will save the configuration. Click on "Continue" and it saves your settings and restarts the SUSE2Firewall.
And now you're back at the main window. Next, click on "Security settings".
When you open the Security settings window, you'll have a few options for setting up some security on your system.
By default it has a custom level, which you will now be setting.
The next window has password options. At the top where it says "Checks" click the box that says "Checking new passwords" which will keep users from setting bad passwords.
Next, in the Password Length section, you should probably raise the "Maximum" length up a few notches, as 8 is nothing. I raised mine to 25. You can also set some password change warnings here, which may come in handy if a lot of users are going to use the system.
Click on "Next".
The next section should be changed from default:
Where it says "Boot permissions" click on the drop down box where it says "Reboot" and select "Ignore" so no one can just reboot your system. This is especially important if you're running a server.
Under that, where it says "Automatic" you should select "Only Root". That way no one can just shut the system down.
This window allows you to set how long of a delay there is if someone logs in and mistypes a password, or if someone is trying to guess passwords. The default is 3 seconds.
This can be left alone unless you have a nosey little brother or sister, or people like to try and guess your password, in which case you can set it to whatever you want.
After you have chosen your options, click on "Next".
The next section is the "Adding users" section. Unless you're sure, leave this alone. Click on the "Next" button.
The next window has a few more options, and some important ones.
The setting of file permissions will really have to depend on you. Easy is selected by default, but if you're trying to be secure, just click on the box and select the option entitled "Secure".
The next setting is for updatedb. This is run every night, and you can select which user runs the command. You won't be typing it if you select your own user name, it in fact just runs with permissions of whichever of the user names you tell it to run as.
I'd suggest leaving it at "Nobody". Most of the other options here should be left alone unless you know what you're doing.
After you have selected what you would like here, click on the "Next" button, and all the settings will be saved.
Now you have the box ready, and you just need to set up the PureFTPd Server. I'm adding a few things from the tutorial I wrote for this because it makes it simpler to use.
I wrote a short tutorial on setting up a PureFTPd server on SUSE which I'll put here as I want to show the configuration and how to set it up properly for this.
The reason I'm really adding this in, is for one thing the config file is in this so you can copy it, and of course, when you follow, all users have to log in with a valid local account. They can't just log in with anonymous. this is in my opinion the best because no password = easy access.
SUSE Linux makes it fairly easy to have a stable and fast FTP server. This should work on just about any version of SUSE, as I've had it on 9.1 and 8.2 Professional, and the only reason I'm saying 9.1 is because that is what I'm currently using as my FTP server for my LAN.
I've been using Linux for a year and a half now, and I've learned a lot. I've never read a manual for setting up a server of any kind on SUSE Linux, but it seems fairly easy too me as I've done it now quite a few times, and the reason I didn't need a manual, was because I just read the configuration file, and went from there.
As I type this, I'm transferring 7 GB of data from this box, over too my newly installed XP Home SP2 box so I can burn the information to CD fast.
FTP servers can come in very handy. My LAN has 5 machines, and I don't always have money to buy CD - Rs to do back ups, and on one of my machines, my laptop, I don't have a CD-R drive on it, so I have to rely on FTP to do back ups. Which is fine, because my LAN is pretty fast, and I have a lot of disk space around.
One thing I don't like and won't do, is an anonymous FTP server. I want the person using it to have to log in. I don't want anyone to be able to use it without a user name and password from my Linux box. So to use my FTP server, you have to log in with an account that I give, and it must be a valid account on my machine, and you can only upload and download to your home directory.
This adds a bit more security to the process, but this isn't a security tutorial, it's a tutorial to get you started.
So how do you set up FTP? Well, first ready my tutorial on installing SUSE Linux, either 8.1, 8.2 or 9.1 Professional, and if you want Windows too stay on the disk, read my tutorial on Dual booting SUSE and XP.
After you have everything in that tutorial done, read the Basics of securing SUSE Linux tutorial to make sure the box is locked down at least with a basic security setting that I show you how too set up there.
Next, make sure you installed Pure FTPd from the SUSE installation media, which you can do by opening up YAST2, and clicking on "Install/Remove Software". If you didn't install it, just simply check the box next too it, and click on Accept, and make sure you have either the CDs handy, or the DVD.
After it's installed, or if you already had it installed, which saves you time, open a Terminal, like Eterm, and if you aren't Root, type su and give the root password, and then type cd /etc and you will be put in the etc directory to configure the file for PureFTPd.
Now that you're in Etc, type ls and hit enter to get a list of the file names. If you did this all correctly, you'll see something called pure-ftpd.conf and if you don't, cd into the pure-ftpd directory and see if it is there. If you find it there but not in etc, then simply copy it with:
cp pure-ftpd.conf /etc
And hit enter.
Now go back into etc and type:
Hit Enter and you'll be able to edit the file. Now what you want too edit too make an FTP server like mine, is this:
# Configuration file for pure-ftpd wrappers #
# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
# /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# Cage in every user in his home directory
# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# TrustedGID 100
# Turn on compatibility hacks for broken clients
# Maximum number of simultaneous users
# Fork in background
# Maximum number of sim clients with the same IP address
# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
# Allow dot-files
# List dot-files even when the client doesn't send "-a".
# Don't allow authenticated users - have a public anonymous FTP only.
# Disallow anonymous connections. Only allow authenticated users.
# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy
# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
# Maximum idle time in minutes (default = 15 minutes)
# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf
# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf
# PureDB user database (see README.Virtual-Users)
# PureDB /etc/pure-ftpd/pureftpd.pdb
# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock
# If you want to enable PAM authentication, uncomment the following line
# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes
# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.
# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8
# Are anonymous users allowed to create new directories ?
# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# ForcePassiveIP 192.168.0.1
# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10
# Upload/download ratio for all users.
# This directive superscedes the previous one.
# UserRatio 1 10
# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21
# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8
# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8
# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
# Minimum UID for an authenticated user to log in.
# Allow FXP transfers for authenticated users only.
# Allow anonymous FXP for anonymous and non-anonymous users.
# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
# Disallow anonymous users to upload new files (no = upload is allowed)
# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
# If you want to add the PID to every logged line, uncomment the following
# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log
# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log
# Disallow the CHMOD command. Users can't change perms of their files.
# Allow users to resume and upload files, but *NOT* to delete them.
# Automatically create home directories if they are missing
# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
# Set to 'yes' if you don't want your users to rename files.
# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20
# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediatly switch to the new one as soon as the full file will have been
# transfered. This option is incompatible with virtual quotas.
# NoTruncate yes
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
# TLS 1
# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.
# IPV4Only yes
# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.
# IPV6Only yes
Now, if you want, you can copy that and make it your configuration file, as it is mine. Doing this as your configuration file will make it so everyone has to log in and can ONLY upload and download to their home directories. This is perfect for a LAN setting where you want to make back ups, or if you only want people you know to be able to use it, just make sure you have STRONG passwords. VERY strong passwords.
Passwords after all are nothing more than security by obscurity.
Try and remember that this will open a port on your machine, so it does make it more attacker friendly in a way, but if you keep your machine updated, and have good passwords, you shouldn't have to worry much. If you want you could change the dot files to "No" if you don't want to look at things like that over FTP.
Now, when you get done, save this file. If you're using Vim hit Esc and then :wq Enter. After you press enter it's saved, and ready to go. If you used a wussy editor, well, save it. After you're done, you're not ready yet though. Read the top in the comments where it says to type that out to make this the configuration file for the FTP server.
Type it all out, and press Enter. Of course, on Linux, you should change the last one. Which confused me for a day.
Try this one, and it will work. Now, if you want to have the box run FTP everytime it starts up, or you just don't want to keep typing that, simply go into YAST2 and edit the run level editors "Options" and tell it to start the FTP service.
Look at that I found a bug
SUSE FireWall2 needs to be told to allow FTP as well. So just open the firewall settings and allow port 21. This will work fine. I believe I covered that all in my last tutorial. The one I'm working on besides this one will teach you to edit system files with YAST2
If you want, you can now try out your FTP server. From Windows just open the command line and type ftp and your machines IP address and it will ask for a username and password.
And if you're on a Linux machine, same thing =)
Here is the link for the SUSE basics: http://www.antionline.com/showthread...hreadid=260361
And now you have a box with both SSH and FTP. And it's fairly locked down. There is more you could do, but lately I've been busy trying to keep up with everything going on, the few I've told know what I mean, so if you have anything I should or could have done better here, just reply and let me know and when I go for my next tutorial I'll think it over.
Just remember no server is 100 % That is a myth thought up by a security company who want to sell things to technical managers who should be emptying your garbage bin.
March 16th, 2005, 12:35 PM
Hi. Neat article. I will prob. try this today since I have some time. Quick questions.
Since this is going to be just a dedicated FTP server and nothing else, we can get away with the absolute minimum as far as comp. specs are concerned. Whatever is the min. that the distro can be installed on, right? This box will not need much processing power or RAM, just lots of disk space. Right?
March 16th, 2005, 12:43 PM
Well, that is more or less how fast you want it to be at all times. I'd seriously say go for a little above minimum to make it at least decent. And not running any X can help too. Is this what you are saying?
March 16th, 2005, 10:33 PM
While On SuSE:
I am an old console user who went into gnome a few times... but I am loving this KDE. I am having a hell of a time with RPMs so I swtiched to KDE just to use and check out the YaST interface in Kongueror etc. And I find myself staying in KDE. I have never used RPMs before so YaST is cool as hell. I just can't win the dependency battle but I love the way YaST displays them with options. I messed around a little and now I get Kernal depenency problems but hey, thats what they make source code for damnit. I would like to figure out how to manipulate RPMs though. I think I'll just configure and compile snort. Oh damn, no compiler (I accepted SuSE defaults). And when I select the C++ compiler in YaST I get that damn Kernal error and it wants me to uninstall the latest kernal. My ignoring dependencies got me into this mess. lol. ;D I am down with SuSE though.
Oh sorry, nice article gore. Thats what i really wanted to say.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.