======================
1. Przygotowanie
======================
instalacja openbsd 5.3 x86_i386 w 3,5 min. - link
======================
2. Instalacja FTPD
======================
sudo export PKG_PATH=ftp://ftp.icm.edu.pl/pub/OpenBSD/5.3/packages/i386/
sudo pkg_add pure-ftpd-chroot
sudo chmod 500 /usr/local/sbin/pure-ftpd /usr/local/bin/pure*
autorstart:
sudo vi /etc/rc.local
legenda:
-4 ipv4
-H standalone
-B praca w tle
-A chrooting
-C dozowlona ilosc polaczen z tego samego ip
-c maxymalna ilosc aktualnie zalogowanych kont ftp
-d verbose (opcjonalnie)
-X ukrycie plikow zaczynajacych sie od .dot np. .htaccess, .quotalimit, .profile etc.
-E brak dostepu dla anonimowych userow
-I idle time
-K zezwolenie na wznowienie uploadu, mozliwosc kasaowania tylko pustych katalogow
-R zabronienie nadawania uprawnien chmod
-k mozliwe max % zajetosci hdd
-lpuredb:/etc/pureftpd.pdb opcja uzycie virtual users + lokalizacja bazy
-L 1000:5 maxymalne listowanie plikow : podkatalogow
-n 30:2 quota limit, max_plikow:max_rozmiar_pliku_w_Mb (30 plikow o rozmiarze 2mb kazdy)
-O clf:/var/log/pureftpd.log logowanie poczynan
-T 500:500 dozwolony max transfer upload:download w kb/s
-U 133:022 maska_plikow:maska_katalogow 644:755
-u komu zabronic logowania? (-u 1 - zabrania root'owi)
-Z awaryjnie - brak mozliwosci ustawienia chmod'u 0
-s antiwarez
w razie problemow z polaczeniem ext_if uruchamiamy NAT mode: -N
more info - link
===============================
3. Tworzymy virtualnego uzytkownika
===============================
addgroup fgroup1
pure-pw mkdb (jednorazowo)
touch /etc/pureftpd.passwd (jednorazowo)
chown root:wheel /etc/pureftpd.passwd /etc/pureftpd.pdb ; chmod 600 /etc/pureftpd.passwd /etc/pureftpd.pdb
userad -g ftpgroup -d /nonexistent -s /sbin/nologin fuser1
pure-pw useradd vuser4516 -f /etc/pureftpd.passwd -u ftpuser -g ftpgroup -d /mnt/vftp/fuser1 -m
[ podajemy haslo virtualnego usera ]
chown fuser1:fgroup1 /mnt/vftp/fuser1
Mozemy sie zalogowac ftp://host.com
user: vuser4516
pass: *********
===============================
4. Usuwamy virtualnego uzytkownika
===============================
pure-pw userdel vuser4516 -f /etc/pureftpd.passwd -F /etc/pureftpd.pdb
==================================
5. Modyfikujemy virtualnego uzytkownika
==================================
pure-pw usermod -f /etc/pureftpd.passwd -F /etc/pureftpd.pdb -d /mnt/new_dir -u new_uid -g new_gid etc.
more info link
=====================================
6. Lista aktywnych virtualnych uzytkownikow
=====================================
pure-pw list -f /etc/pureftpd.passwd
Ad.note nie zwazywszy na globalny config ftpd, indywidualnym userom mozemy nadac wyzsze uprawnienia na etapie tworzenia virtualnego konta ftp (wieksza quota, dwn/up bandwidth etc.) mor info - link
===============
7. Konfiguracja PF
===============
(wlaczamy ip_forward w /etc/sysctl.conf - net.inet.ip.forwarding=1)
# main
int_if="fxp0" or em0
ext_if="fxp1" or em1
int_net="192.168.11.0/24"
ftpserver="192.168.11.5"
set skip on lo
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
scrub in all
# antispoof
antispoof for $ext_if
antispoof for $int_if
# antiportscan
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FU
# nat
nat on $ext_if from $int_net to any -> ($ext_if)
# kolejkowanie
altq on $ext_if cbq bandwidth 1000Mb queue {local}
queue local bandwitdth 10264576 cbq(borrow)
queue dns bandwith 25% cbq(borrow)
queue ftp bandwith 20% cbq(borrow, green)
queue misc bandwith 1% cbq(borrow, default)
# block all
block in log all
# misc
pass out on $ext_if from $int_net to any queue misc
pass out on $ext_if from $int_net proto { tcp, udp } to any port domain modulate state queue dns
pass out on $ext_if from $int_net proto tcp to any port { ftp, ftp-data } modulate state queue ftp
# prerouting
rdr on $ext_if proto tcp from any to $ext_ip port ftp -> $ftpserver port ftp
pass in on $ext_if proto tcp from any to $ftpserver port ftp keep state queue ftp-in
# local
pass out on $ext_if from $int_net to $ext_net modulate state queue local
====================================
Ad.note Dlaczego nie tls/ssl/sftp ?
Korporacyjni klienci z reguly maja odblokowany 21 port + brak uprawnien/mozliwosci na instalacje dodatkowych programow np. Winscp.
1. Przygotowanie
======================
instalacja openbsd 5.3 x86_i386 w 3,5 min. - link
======================
2. Instalacja FTPD
======================
sudo export PKG_PATH=ftp://ftp.icm.edu.pl/pub/OpenBSD/5.3/packages/i386/
sudo pkg_add pure-ftpd-chroot
sudo chmod 500 /usr/local/sbin/pure-ftpd /usr/local/bin/pure*
autorstart:
sudo vi /etc/rc.local
Kod:
if [ -x /usr/local/sbin/pure-ftpd ]; then
/usr/local/sbin/pure-ftpd -4 -H -B -A -C 1 -c 10 -d -X -E -I 15 -K -R -k 95 -lpuredb:/etc/pureftpd.pdb -L 1000:5 -n 30:2 -O clf:/var/log/pureftpd.log -T 500:500 -U 133:022 -u 1
-Z -s
filegenda:
-4 ipv4
-H standalone
-B praca w tle
-A chrooting
-C dozowlona ilosc polaczen z tego samego ip
-c maxymalna ilosc aktualnie zalogowanych kont ftp
-d verbose (opcjonalnie)
-X ukrycie plikow zaczynajacych sie od .dot np. .htaccess, .quotalimit, .profile etc.
-E brak dostepu dla anonimowych userow
-I idle time
-K zezwolenie na wznowienie uploadu, mozliwosc kasaowania tylko pustych katalogow
-R zabronienie nadawania uprawnien chmod
-k mozliwe max % zajetosci hdd
-lpuredb:/etc/pureftpd.pdb opcja uzycie virtual users + lokalizacja bazy
-L 1000:5 maxymalne listowanie plikow : podkatalogow
-n 30:2 quota limit, max_plikow:max_rozmiar_pliku_w_Mb (30 plikow o rozmiarze 2mb kazdy)
-O clf:/var/log/pureftpd.log logowanie poczynan
-T 500:500 dozwolony max transfer upload:download w kb/s
-U 133:022 maska_plikow:maska_katalogow 644:755
-u komu zabronic logowania? (-u 1 - zabrania root'owi)
-Z awaryjnie - brak mozliwosci ustawienia chmod'u 0
-s antiwarez
w razie problemow z polaczeniem ext_if uruchamiamy NAT mode: -N
more info - link
===============================
3. Tworzymy virtualnego uzytkownika
===============================
addgroup fgroup1
pure-pw mkdb (jednorazowo)
touch /etc/pureftpd.passwd (jednorazowo)
chown root:wheel /etc/pureftpd.passwd /etc/pureftpd.pdb ; chmod 600 /etc/pureftpd.passwd /etc/pureftpd.pdb
userad -g ftpgroup -d /nonexistent -s /sbin/nologin fuser1
pure-pw useradd vuser4516 -f /etc/pureftpd.passwd -u ftpuser -g ftpgroup -d /mnt/vftp/fuser1 -m
[ podajemy haslo virtualnego usera ]
chown fuser1:fgroup1 /mnt/vftp/fuser1
Mozemy sie zalogowac ftp://host.com
user: vuser4516
pass: *********
===============================
4. Usuwamy virtualnego uzytkownika
===============================
pure-pw userdel vuser4516 -f /etc/pureftpd.passwd -F /etc/pureftpd.pdb
==================================
5. Modyfikujemy virtualnego uzytkownika
==================================
pure-pw usermod -f /etc/pureftpd.passwd -F /etc/pureftpd.pdb -d /mnt/new_dir -u new_uid -g new_gid etc.
more info link
=====================================
6. Lista aktywnych virtualnych uzytkownikow
=====================================
pure-pw list -f /etc/pureftpd.passwd
Ad.note nie zwazywszy na globalny config ftpd, indywidualnym userom mozemy nadac wyzsze uprawnienia na etapie tworzenia virtualnego konta ftp (wieksza quota, dwn/up bandwidth etc.) mor info - link
===============
7. Konfiguracja PF
===============
(wlaczamy ip_forward w /etc/sysctl.conf - net.inet.ip.forwarding=1)
# main
int_if="fxp0" or em0
ext_if="fxp1" or em1
int_net="192.168.11.0/24"
ftpserver="192.168.11.5"
set skip on lo
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
scrub in all
# antispoof
antispoof for $ext_if
antispoof for $int_if
# antiportscan
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FU
# nat
nat on $ext_if from $int_net to any -> ($ext_if)
# kolejkowanie
altq on $ext_if cbq bandwidth 1000Mb queue {local}
queue local bandwitdth 10264576 cbq(borrow)
queue dns bandwith 25% cbq(borrow)
queue ftp bandwith 20% cbq(borrow, green)
queue misc bandwith 1% cbq(borrow, default)
# block all
block in log all
# misc
pass out on $ext_if from $int_net to any queue misc
pass out on $ext_if from $int_net proto { tcp, udp } to any port domain modulate state queue dns
pass out on $ext_if from $int_net proto tcp to any port { ftp, ftp-data } modulate state queue ftp
# prerouting
rdr on $ext_if proto tcp from any to $ext_ip port ftp -> $ftpserver port ftp
pass in on $ext_if proto tcp from any to $ftpserver port ftp keep state queue ftp-in
# local
pass out on $ext_if from $int_net to $ext_net modulate state queue local
====================================
Ad.note Dlaczego nie tls/ssl/sftp ?
Korporacyjni klienci z reguly maja odblokowany 21 port + brak uprawnien/mozliwosci na instalacje dodatkowych programow np. Winscp.
Ostatnia edycja:
