Custom FTP Access

Katana
Posts: 2
Joined: 2008/07/28 13:01:20

Post by Katana » 2008/07/28 13:09:59

Hey all, I'm getting a bit stuck on getting a specified user to connect to the directory.

My server is a dedicated one with CentOS 5.x, with ProFTPD as the FTP server.

I have a directory in /home/tf2 which will run the Team Fortress 2 Server and the user to run it as.
So far no problem, but now I want a user to be able to connect to that directory.

And there I run into problems..
I don't know how.. And I must be overlooking something, since I haven't found a specified solution for ProFTPD...
Also, I'm not sure whether I need to make a new user, or whether I can use the user that also runs the server..

If you guys could help me on the way it would be great.


Leon


*edit
In /etc/passwd the user is standing at:
tf2ftp:x:505:508::/home/tf2:/bin/bash


**Edit 2

changed the previous line to:
tf2ftp:x:505:508::/home/tf2:/sbin/nologin

Is this secure enough or do I need to do some other things?

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Post by unspawn » 2008/08/02 12:44:27

[quote]So far no problem, but now i want a user to be able to connect to that directory.[/quote]
Do you mean that as in allow the user to *only that* directory? Then see "chroot": http://www.proftpd.org/localsite/Userguide/linked/chroot.html#AEN715


[quote]Also, im not sure whether i need to make a new user, or that i can use the user that also runs the server.. [/quote]
That depends on what kind of access is necessary. Is it a select group of people that will access this (like a clan)? Anonymous downloading (http://www.proftpd.org/localsite/Userguide/linked/c781.html) of maps or uploading as well? Never ever let any user have network access to the account that runs the ProFTP daemon.


[quote]Is this secure enough or do i need to do some other things?[/quote]
Asking that you almost *know* the answer will be "no and yes" :-]

There are some questions you should ask yourself: do you *need* FTP or should SFTP or SCP suffice? FTP offers features like anonymous downloading, but as a protocol and implementation it is less safe compared to SSH. If SFTP, SCP or downloading of maps over HTTP isn't feasible then you have to decide which FTP daemon you want to use. There are FTP daemons with a better track record when it comes to security, like VsFTPd (it's in the CentOS repo), which also allow you to run with *virtual* users. That means you can manage users from a separate user database and they won't require a login shell. Both daemons come with extensive docs and you should read those. For instance http://www.proftpd.org/localsite/Userguide/linked/c226.html contains (IIRC) references to "kernel 2.2" but the basic security risks of FTP still stand.

After deciding which daemon, you should think about access. Anonymous D/L is relatively safe; uploading will be a hazard, for instance if uploaded items can be run in any way. That's why a "drop-off" usually is configured to chmod and chown contents to an inert user out of reach of "regular" users. With respect to access you should also watch quota (so you won't be surprised when the disk is filled and you can't write logs anymore), blocking repeated failed login attempts (denyhosts or equivalent) and other means of restricting access like libwrap (if used, note Xinetd has its own implementation) and your firewall ("recent" module or similar).

This sounds like much but really it isn't. Otherwise try to think of it as an investment: the more you prevent now, the more time you can spend playing afterwards instead of mopping up.

HTH

Katana
Posts: 2
Joined: 2008/07/28 13:01:20

Post by Katana » 2008/08/07 14:43:08

Cheers for that.
I'll go do some reading and see how it turns out :D

As far as the number of people that have access, it's limited to 4 persons for the FTP and SSH.

The FTP part is working flawlessly, I can login, upload / delete / rename etc. But now I need a separate SSH access, because I can't get the user used for FTP to login through SSH.
That way I can even lower the number of persons that have the need to know for the SSH access to just 2 persons.

I myself use a login (set up when the server was delivered) and then su to root and others, but I'm not willing to share that login, as it is my primary way to login to the server.
I've been looking for a way to get a user that does exactly the same as my login account, but with the restriction of the home directory.
Somewhere I must have missed a few lines of reading.. I haven't been able to figure out how to get the user logged in.

tf2A = FTP login = working. No way of getting into another directory than the tf2 dir and subdirs.
tf2B = SSH login = not working.. Has a password set, and compared in etc/passwd with my login account, and has the same lines...
[code]
tf2B :X:506:508:: /home/tf2:/bin/bash
[/code]

Do I need to do something with the skeleton or so? Since it said the skel was not copied because it was already there.
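
Added example, not part of the thread: a small shell/awk audit that reads passwd(5)-format lines and reports, for every account whose home is a given directory, whether the shell is interactive, whether any field carries stray whitespace, whether the password field is the lowercase `x` shadow marker, and whether the home is shared. The function names `audit_passwd_lines` and `sample_lines` are made up for this example; the first two sample lines are the entries quoted in the posts above and the third is constructed.

```shell
#!/bin/sh
# audit_passwd_lines HOME
#   Reads passwd(5) lines on stdin and prints one finding per line for
#   accounts whose home directory (field 6, whitespace-trimmed) is HOME.
audit_passwd_lines() {
    awk -F: -v home="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*$/ { next }                       # skip blank lines
    {
        user = trim($1)
        if (NF != 7) { printf "%s: MALFORMED %d fields, expected 7\n", user, NF; next }
        if (trim($6) != home) next            # unrelated account
        # Fields are taken literally by the system; padding changes their value.
        for (i = 1; i <= 7; i++)
            if ($i != trim($i)) printf "%s: WHITESPACE in field %d\n", user, i
        # passwd(5): a lowercase x means the hash is stored in /etc/shadow.
        if ($2 != "x") printf "%s: PWFIELD is \"%s\", not x\n", user, $2
        shell = trim($7)
        if (shell ~ /(nologin|false)$/) printf "%s: NOSHELL %s\n", user, shell
        else printf "%s: SHELL %s allows interactive login\n", user, shell
        n++
    }
    END { if (n > 1) printf "SHARED %s is the home of %d accounts\n", home, n }
    '
}

# Sample input: lines 1-2 as quoted in the thread, line 3 constructed.
sample_lines() {
    cat <<'EOF'
tf2ftp:x:505:508::/home/tf2:/sbin/nologin
tf2B :X:506:508:: /home/tf2:/bin/bash
backup:x:507:509::/home/backup:/bin/bash
EOF
}

sample_lines | audit_passwd_lines /home/tf2
```

On a live system the same function can be fed from `getent passwd` instead of the sample lines.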