How to make a regular FTP server really safe and at the same time convenient?
Immediately make a reservation: I do not provide detailed instructions / configurations, I just share my thoughts on how to do it. Also, by FTP I mean not only classic FTP, but also SFTP and SSL-FTP - this is an article about password security, not a protocol as such.
Imagine a hosting company providing hosting accounts with enhanced security, namely two-factor authentication.
There is nothing difficult, you just need to implement one or several variants of authentication plug-ins on the server with a second factor (for example code.google.com/p/google-authenticator/wiki/PamModuleInstructions or motp.sourceforge.net/#6 ) and link to them users.
In most cases, PAM can be specified in the configuration of FTP servers, and in principle, the problem of FTP security will be solved in the same way.
The problem is different; The fact is that depending on the connection speed, server / router settings or FTP connection mode, the FTP session can be interrupted when there is no activity for a certain time (or even just interrupted at the most inappropriate moment). In the "classic" FTP client just connect again, you just need to put a tick "save password". In the case of two factor authentication, this will not work, you will have to enter the password and the code from the "token" quite often, and this is very inconvenient for the end user. If you can convince a user of the need to use a “token” when logging in to the system, it’s difficult to explain the need to do this while downloading files several times.
The problem, I hope, explained. Now I will share the idea of ​​improving convenience for end users.
In fact, the principle itself is not original, I propose to do something like application passwords used for Google accounts with activated two-step authentication.
To do this, you need a similar web interface to generate application passwords. The web interface itself will only be accessible using two-factor authentication. After logging in, the user will generate an FTP password that will be active only for a certain time and only for a specific IP address (by default, the current address will be offered). An approximate interface might look like this:
')
When generated, the script enters the data in a database table (for example, MySQL), namely the username, IP address and timestamp of the user-specified time, as well as the generated FTP password, which is shown to the user in the interface. For FTP access, this temporary password will be used. The table will look like this:
As an example, take PureFTPD, since it can be tied to MySQL. Guided by the instructions, we configure PureFTPD as follows:
Variables are used in the configuration file.
\ L - user login
\ R - IP adress client
That's basically it. Ideally, you would need some kind of cron script to clear the table of expired passwords.
Imagine a hosting company providing hosting accounts with enhanced security, namely two-factor authentication.
There is nothing difficult, you just need to implement one or several variants of authentication plug-ins on the server with a second factor (for example code.google.com/p/google-authenticator/wiki/PamModuleInstructions or motp.sourceforge.net/#6 ) and link to them users.
In most cases, PAM can be specified in the configuration of FTP servers, and in principle, the problem of FTP security will be solved in the same way.
The problem is different; The fact is that depending on the connection speed, server / router settings or FTP connection mode, the FTP session can be interrupted when there is no activity for a certain time (or even just interrupted at the most inappropriate moment). In the "classic" FTP client just connect again, you just need to put a tick "save password". In the case of two factor authentication, this will not work, you will have to enter the password and the code from the "token" quite often, and this is very inconvenient for the end user. If you can convince a user of the need to use a “token” when logging in to the system, it’s difficult to explain the need to do this while downloading files several times.
The problem, I hope, explained. Now I will share the idea of ​​improving convenience for end users.
Generate FTP temporary passwords
In fact, the principle itself is not original, I propose to do something like application passwords used for Google accounts with activated two-step authentication.
To do this, you need a similar web interface to generate application passwords. The web interface itself will only be accessible using two-factor authentication. After logging in, the user will generate an FTP password that will be active only for a certain time and only for a specific IP address (by default, the current address will be offered). An approximate interface might look like this:
')
When generated, the script enters the data in a database table (for example, MySQL), namely the username, IP address and timestamp of the user-specified time, as well as the generated FTP password, which is shown to the user in the interface. For FTP access, this temporary password will be used. The table will look like this:
FTP server configuration
As an example, take PureFTPD, since it can be tied to MySQL. Guided by the instructions, we configure PureFTPD as follows:
MYSQLSocket /tmp/mysql.sock MYSQLUser root MYSQLPassword rootpw MYSQLDatabase pureftpd MYSQLCrypt cleartext MYSQLGetPW SELECT temp_password FROM temp_pass WHERE username="\L" AND IP="\R" AND expires <= UNIX_TIMESTAMP() MYSQLGetUID SELECT Uid FROM users WHERE User="\L" MYSQLGetGID SELECT Gid FROM users WHERE User="\L" MYSQLGetDir SELECT Dir FROM users WHERE User="\L" Variables are used in the configuration file.
\ L - user login
\ R - IP adress client
That's basically it. Ideally, you would need some kind of cron script to clear the table of expired passwords.
Source: https://habr.com/ru/post/205152/
All Articles