FTPS Service
The FTPS Service is a secured FTP service (FTP over SSL/TLS, i.e. FTPS, not SFTP over SSH) available for Linux systems. The requirements for the service's design were:
must use encryption for authentication and data transfer
must not allow remote shell access
must not allow anonymous transfers
user accounts must be virtual and not OS-level accounts
must use high numbered ports chosen randomly
users must be chrooted (locked) to their home directories
The FTPS Service is a supported configuration of the vsftpd daemon and includes a tool for user management. Additionally, it can be clustered using Red Hat Cluster Services for high availability (note: because the FTP control connection and its TLS session are both stateful and cannot be moved between cluster nodes, a cluster failover will disconnect all currently connected clients, and any transfer in progress must be restarted by the client.)
Installation
Upon receipt of a ticket, the FTPS Service will be installed by System Engineers. Clients will need to either identify an existing public VIP to attach the service to or procure a new VIP for it. Additionally, the client will need to obtain an SSL/TLS certificate (either through their SDM or on their own); otherwise a self-signed certificate will be used, which client FTP software will not trust until the certificate is explicitly accepted or pinned on every client. Once the service is installed, it must be audited by the Security Team for compliance with the requirements above before it can be made available to the world. If the audit is successful, the Networking Team will add the service to the load balancers.
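Before the Security Team audit, a client or engineer can check the installed vsftpd.conf against the design requirements listed above. The script below is an added example written for this page; it is not part of the FTPS Service or of vsftpd. The directive names are vsftpd's own, but the mapping of each requirement onto a directive and value (ssl_enable, force_local_logins_ssl, force_local_data_ssl, anonymous_enable, guest_enable, chroot_local_user, listen_port, pasv_min_port, pasv_max_port), the treatment of 10000-65535 as "high numbered", and the two constructed sample configurations with placeholder paths, ports and account names are this script's assumptions.

```bash
#!/usr/bin/env bash
# Added example: not part of the FTPS Service page or of vsftpd itself.
# Checks a vsftpd.conf against the design requirements listed above.
# Directive names are vsftpd's own; the requirement-to-directive mapping,
# the 10000-65535 "high port" range and the sample configs are assumptions.

# conf_get FILE KEY: value of the last uncommented "KEY=value" line in FILE
# (vsftpd honours the last occurrence), or nothing if KEY is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# audit_vsftpd_conf FILE: print one FAIL line per unmet requirement and
# return the failure count (0 = compliant). An unset directive is a failure
# on purpose: vsftpd's compiled-in default for anonymous_enable is YES.
# "No remote shell access" is a property of the guest_username account
# (a nologin shell in /etc/passwd), not of this file, so it is not checked here.
audit_vsftpd_conf() {
    local f=$1 fails=0 desc key expect val ok
    while IFS='|' read -r desc key expect; do
        [ -n "$key" ] || continue
        val=$(conf_get "$f" "$key")
        if [ "$val" != "$expect" ]; then
            printf 'FAIL %-26s %s=%s (want %s)\n' "$desc" "$key" "${val:-<unset>}" "$expect"
            fails=$((fails + 1))
        fi
    done <<'EOF'
encrypted authentication|ssl_enable|YES
encrypted authentication|force_local_logins_ssl|YES
encrypted data transfer|force_local_data_ssl|YES
no anonymous transfers|anonymous_enable|NO
virtual (non-OS) accounts|guest_enable|YES
chrooted to home directory|chroot_local_user|YES
EOF
    # High-numbered ports: control port and passive data range must be numeric
    # and within 10000-65535. Whether they were chosen randomly cannot be read
    # from the file; compare them with the build ticket instead.
    for key in listen_port pasv_min_port pasv_max_port; do
        val=$(conf_get "$f" "$key")
        case $val in
            ''|*[!0-9]*) ok=0 ;;
            *) if [ "$val" -ge 10000 ] && [ "$val" -le 65535 ]; then ok=1; else ok=0; fi ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'FAIL %-26s %s=%s (want 10000-65535)\n' "high-numbered port" "$key" "${val:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# write_compliant_conf FILE: constructed sample that meets every check.
# Certificate paths, the guest account and the ports are placeholders.
write_compliant_conf() {
    cat > "$1" <<'EOF'
listen=YES
listen_port=21021
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=ftpsvirt
chroot_local_user=YES
pam_service_name=vsftpd-virtual
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/ftps.example.com.pem
rsa_private_key_file=/etc/pki/tls/private/ftps.example.com.key
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
EOF
}

# write_weak_conf FILE: constructed sample with four typical mistakes:
# anonymous_enable left unset (defaults to YES), data channel not forced
# to TLS, no chroot, and a passive range starting at 1024.
write_weak_conf() {
    cat > "$1" <<'EOF'
listen=YES
listen_port=21021
local_enable=YES
guest_enable=YES
guest_username=ftpsvirt
chroot_local_user=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=40100
EOF
}

# Stand-alone run: audit both constructed samples.
tmp=${TMPDIR:-/tmp}/vsftpd-audit.$$
write_compliant_conf "$tmp.good"
write_weak_conf "$tmp.weak"
for c in "$tmp.good" "$tmp.weak"; do
    audit_vsftpd_conf "$c"; n=$?
    echo "$c: $n requirement(s) not met"
done
rm -f "$tmp.good" "$tmp.weak"
```

To check a real installation, call audit_vsftpd_conf /etc/vsftpd/vsftpd.conf (or whatever path the install uses); the exit status is the number of unmet requirements, so the function can gate a deployment or ticket-closure step with a plain shell test.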
User Management
A user management tool will be installed for use by clients to manage, at their option, the virtual users. If clients do not wish to manage the virtual user database, Engineers can add, update and remove virtual users through the regular ticketing system. Standard turn-around times for tickets apply to these requests.
For clients who wish to maintain the virtual user database, the tool, vsftpd_users_tool, requires administrative rights because of the permissions on the database file itself. For clients whose SLA does not grant them administrative rights, a sudo rule restricted to this one command can be added, allowing them to run the tool without violating their SLA.
vsftpd_users_tool
The vsftpd_users_tool must be invoked using the sudo command. The command usage is:
$ sudo /usr/local/bin/vsftpd_users_tool
Usage: /usr/local/bin/vsftpd_users_tool <action> username [pass]
Where 'action' is one of:
--add|--create|--insert add username to the database with password pass
--update|--modify|--change change the password of username to pass
--delete|--remove delete username from the database
Note: passwords should be enclosed in single quotes
Usernames can only contain the letters A through Z (upper and lower case), the digits 0 through 9 and the special characters '.', '-' and '_'. Passwords can contain any letters, digits or special characters and should be enclosed in single quotes so that the shell does not interpret them; a password that itself contains a single quote cannot be written inside single quotes and must be enclosed in double quotes instead, with any $, ` or \ characters escaped. You only need to specify a password when adding or updating a user. Because the password is passed as a command-line argument, it is recorded in the shell history of the account running the command and is briefly visible in the host's process list; where this matters, disable history for the session first (set +o history in bash) and run the command on a host without untrusted local users.
User home directories must exist before the user can log in. The vsftpd_users_tool will attempt to create the directory for you. If it fails, then an Engineer will be needed to create it for you. Open a ticket specifying the username you added and that the vsftpd_users_tool was unable to create the home directory. Deleting a user will not remove their home directory. If you no longer require the home directory or its contents, an Engineer will be required to remove it for you. Simply open a ticket specifying the directory to remove.
Examples
The following examples illustrate how to use the vsftpd_users_tool.
$ sudo /usr/local/bin/vsftpd_users_tool --add fred 'fredpassword'
User fred added.
User directory for fred created
$ sudo /usr/local/bin/vsftpd_users_tool --update fred 'complexpassword'
Password for user fred updated.
$ sudo /usr/local/bin/vsftpd_users_tool --remove fred
User fred removed. The ftp directory must be removed manually.
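The usage shown above passes the password on the command line. The following wrapper is an added example written for this page, not part of vsftpd_users_tool or the FTPS Service: it checks the username against the character rule stated above before anything reaches sudo, prompts for the password with echo off so it is never typed on the command line or stored in shell history, and then calls the tool exactly as the usage shows. The wrapper goes beyond the page's rule in two places, labelled in the code: it rejects usernames beginning with '-' and the names '.' and '..', and it applies an assumed local password policy (minimum 12 characters, not equal to the username). The VSFTPD_USERS_TOOL override variable is also an assumption for testing. The password is still handed to the tool as an argument, so it remains briefly visible in the process list on the host; that is a property of the tool's interface, not something the wrapper can change.

```bash
#!/usr/bin/env bash
# Added example: not part of the FTPS Service page or of vsftpd_users_tool.
# Validates input locally, prompts for the password (never on the command
# line), then invokes the tool under sudo as the page's usage shows.

# Path from the page; VSFTPD_USERS_TOOL is an assumed override for testing.
TOOL=${VSFTPD_USERS_TOOL:-/usr/local/bin/vsftpd_users_tool}

# valid_username NAME: the page's character rule (A-Z, a-z, 0-9, '.', '-', '_')
# plus two stricter rules added here: no leading '-', which the tool could
# take for an option, and not '.' or '..', which as a home directory name
# would refer to a directory outside the user's own tree.
valid_username() {
    case $1 in
        ''|-*|.|..)          return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
    esac
    return 0
}

# valid_password PASS NAME: an assumed local policy, not a page rule:
# at least 12 characters and not equal to the username.
valid_password() {
    [ ${#1} -ge 12 ] || return 1
    [ "$1" != "$2" ] || return 1
    return 0
}

# ftps_user ACTION NAME: validate, then run the tool under sudo. For --add
# and --update the password is read from the terminal with echo off
# (bash read -s), so it does not appear in the shell history.
ftps_user() {
    local action=$1 name=$2 pass
    valid_username "$name" || { echo "invalid username: '$name'" >&2; return 2; }
    case $action in
        --add|--update)
            IFS= read -rs -p "Password for $name: " pass </dev/tty
            echo >&2
            valid_password "$pass" "$name" || {
                echo "password rejected: at least 12 characters and not the username" >&2
                return 2
            }
            sudo "$TOOL" "$action" "$name" "$pass" ;;
        --remove)
            sudo "$TOOL" --remove "$name" ;;
        *)
            echo "usage: ftps_user --add|--update|--remove USERNAME" >&2
            return 2 ;;
    esac
}

# Stand-alone use: ./ftps_user.sh --add fred
if [ $# -gt 0 ]; then
    ftps_user "$@"
fi
```

After a successful --add, still confirm the "User directory for ... created" line appears in the tool's output, since the page notes the directory creation can fail and then needs a ticket.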