Tuesday, April 27, 2010

Pure-FTP on SLES OES2

I will be talking about PURE-FTP

Installation:

You can install pure-ftpd using YaST (the interactive software installation tool on SLES/OES2) and verify the package with rpm:

# rpm -qa | grep ftp
pure-ftpd-1.0.20-24.13

Configuration:

Configuration files:

/etc/pure-ftpd/pure-ftpd.conf
/etc/ftpusers


Make sure that the service is running and will start up on the next reboot:

#chkconfig --list | grep ftp
pure-ftpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off

pure-ftpd is the name of the daemon/service. If runlevels 3 and 5 showed 'off', you could run the command

#chkconfig pure-ftpd on


The /etc/pure-ftpd/pure-ftpd.conf file is very clean and nicely documented.

Some of the parameters are:
ChrootEveryone yes
TrustedGID 100

NoAnonymous yes
UnixAuthentication yes

NoRename yes
and many more


Remember that after making changes to this file you have to restart the service:

#service pure-ftpd restart



Additional Tips:

What should I do to give an FTP user (say ftpuser) access to some other directory?

Ans: Say ftpuser is chrooted to /home/ftpuser, so he can't access anything outside /home/ftpuser. Say ftpuser needs access to /tmp/backup. You can create a shortcut to /tmp/backup inside /home/ftpuser; however, a symlink made with 'ln' will not help in FTP, because it points outside the chroot. You will have to use the 'mount --bind' command:

#mount --bind /tmp/backup /home/ftpuser/backup

You can add the above line to /etc/bash.bashrc to mount the directory automatically at every reboot.
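As an added example (not part of the original post), the same bind mount made persistent through /etc/fstab, which the system applies once at boot, with a check that refuses relative paths and a source lying inside its own mount point; FSTAB can be pointed at a scratch file for testing.

```shell
#!/bin/sh
# Persist the bind mount from the tip above in /etc/fstab instead of
# /etc/bash.bashrc (which would re-run mount on every interactive shell).
# Added example, not from the original post; FSTAB defaults to the real
# /etc/fstab and may be overridden for testing.
FSTAB="${FSTAB:-/etc/fstab}"

# The fstab line for a bind mount: bind mounts use "none" as the fs type.
bind_fstab_line() {  # $1=source dir  $2=mount point inside the chroot
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Append the entry once. Returns 0 if added, 1 if already present, 2 on
# bad input (relative path, source inside the target, missing fstab).
ensure_bind_entry() {  # $1=source dir  $2=mount point
    src="$1"; dst="$2"
    case "$src" in /*) ;; *) return 2 ;; esac
    case "$dst" in /*) ;; *) return 2 ;; esac
    case "$src" in "$dst"|"$dst"/*) return 2 ;; esac   # would mount a dir onto itself
    [ -f "$FSTAB" ] || return 2
    # Exact field comparison, so '.' or '+' in a path cannot match as a regex.
    if awk -v s="$src" -v d="$dst" '$1 == s && $2 == d { found = 1 }
                                     END { exit !found }' "$FSTAB"; then
        return 1
    fi
    bind_fstab_line "$src" "$dst" >> "$FSTAB"
}

# Mount it right away (as root) unless something is already mounted there.
mount_bind_now() {  # $1=source dir  $2=mount point
    mkdir -p "$2"
    mountpoint -q "$2" || mount --bind "$1" "$2"
}

# Usage, as root on the FTP server:
#   ensure_bind_entry /tmp/backup /home/ftpuser/backup
#   mount_bind_now    /tmp/backup /home/ftpuser/backup
```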


Have fun :)

Friday, April 23, 2010

User add/remove in SLES

[Note: Don't type the [ ] brackets on the command line. You have been warned!]

In SLES, adding and removing users requires some special flags on the command line.

To add a user

#useradd -m [username]

The -m flag creates the /home/[username] directory

#useradd -r -m [username]

The -r flag creates a system account. A system account is a user with a UID between SYSTEM_UID_MIN and SYSTEM_UID_MAX as defined in /etc/login.defs, if no UID is specified. The GROUPS entry in /etc/default/useradd is ignored, too.

#passwd [username]
to create/change the password



Check this after you add the user

#tail /etc/passwd --> This file contains user information
testuser:x:1001:100::/home/testuser:/bin/bash
testuserdev:x:103:100::/home/testuserdev:/bin/false

testuser is created using only the -m flag. Since it is a regular user, it is allowed to log in to a shell; it uses /bin/bash. [Remember, without a shell you can't log in, as the shell is the middleware between the user and the kernel]

testuserdev is created using the -r -m flags. Since it is a system user, it is not allowed to log in to a shell. That's the reason it has /bin/false.




To remove a user
#userdel [username]

This simply removes the user account, but the files in the /home/[username] directory are not removed.

#userdel -r [username]

The -r flag removes the /home/[username] directory as well while deleting the user.
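A small check that follows from the passwd lines above, added here as an example that is not part of the original post: list accounts in the system UID range that still carry a real login shell, which is what a -r account like testuserdev should not have. The range defaults are an assumption; the function reads the real SYSTEM_UID_MIN/MAX from /etc/login.defs when present, and the passwd lines are constructed.

```shell
#!/bin/sh
# Report system accounts (UID within SYSTEM_UID_MIN..MAX) whose shell can run
# commands. Added example, not from the original post.

# Read a login.defs value, falling back to the given default.
login_defs_value() {  # $1=login.defs  $2=key  $3=default
    v=$(awk -v k="$2" '$1 == k { print $2 }' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print "user:uid:shell" for every system account without a no-login shell.
shell_capable_system_accounts() {  # $1=passwd file  $2=uid min  $3=uid max
    awk -F: -v lo="$2" -v hi="$3" '
        $3 >= lo && $3 <= hi &&
        $7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" {
            print $1 ":" $3 ":" $7
        }' "$1"
}

# Demo on constructed passwd lines modelled on the tail /etc/passwd output
# above, plus one system account that was wrongly given a shell.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
testuser:x:1001:100::/home/testuser:/bin/bash
testuserdev:x:103:100::/home/testuserdev:/bin/false
backupsvc:x:110:100::/var/lib/backupsvc:/bin/bash
EOF
# Assumed defaults 100..499 apply only when /etc/login.defs lacks the keys.
shell_capable_system_accounts "$PASSWD" \
    "$(login_defs_value /etc/login.defs SYSTEM_UID_MIN 100)" \
    "$(login_defs_value /etc/login.defs SYSTEM_UID_MAX 499)"
rm -f "$PASSWD"
```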

Monday, April 19, 2010

Grant access to Anonymous user for FTP read/write operation

In SLES, the anonymous user is chrooted to the /srv/ftp directory.
In CentOS and RedHat Linux, the anonymous user is chrooted to the /var/ftp directory.

(When I say chrooted, I mean that '/srv/ftp' acts like '/' for the anonymous user. This prevents the anonymous user from breaking out into the root filesystem of the FTP server.)

Make some changes in vsftpd.conf so that the anonymous user can do read/write operations.
However, before making any changes, make a backup copy of vsftpd.conf.


Server01:/srv/ftp # diff /etc/vsftpd.conf /etc/vsftpd.conf.bak
+anon_upload_enable=YES
-#anon_upload_enable=YES
+ anon_mkdir_write_enable=YES
-#anon_mkdir_write_enable=YES
+ anon_other_write_enable=YES
-#anon_other_write_enable=YES
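Review bot: anon_other_write_enable=YES (third + line) goes beyond uploading: it lets anonymous clients rename and delete existing files in the tree, and with the chmod o+w on /srv/ftp that follows, anything dropped there by one anonymous client can be removed by the next. If the goal is an upload drop-box, keep only anon_upload_enable and anon_mkdir_write_enable and leave anon_other_write_enable commented out.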

Now you have to grant "write" access to "other" users on the /srv/ftp directory:

#chmod o+w /srv/ftp
After that, restart the FTP server:

#service vsftpd restart



Try logging in to the FTP server as the anonymous user and use the 'get' and 'put' commands to download and upload files.

:)



However, the above process may not fulfil your needs.
So, try something different:

--> Create an FTP user

#useradd -r -m ftpuser
#passwd ftpuser

(you can give it any name you like)

--> Chroot the user to its home directory, i.e. /home/ftpuser will be the root for the FTP user

Server01:~ # diff /etc/vsftpd.conf /etc/vsftpd.conf.backup+chroot_list_enable=YES
-#chroot_list_enable=YES
+chroot_list_file=/etc/vsftpd.chroot_list
- #chroot_list_file=/etc/vsftpd.chroot_list
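Review bot: with chroot_local_user left at its default of NO, chroot_list_enable=YES makes /etc/vsftpd.chroot_list the list of users who ARE jailed, so the steps here only take effect once ftpuser is written into that file; a user missing from the list logs in un-jailed. Either add a step that appends ftpuser to /etc/vsftpd.chroot_list, or set chroot_local_user=YES so that every local user is jailed and the list becomes the exceptions.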


--> Restart the FTP server

#service vsftpd restart



Now, try to log in to the FTP server with the username and password. You can upload and download flawlessly now, and you can't break out into the root filesystem of the server as you are in the chroot jail of /home/[username].
Have fun! :)


Today, one of my friends asked me: can we define /var/ftp rather than /srv/ftp as the root directory for the ftpuser in SLES?
Of course, yes. However, you have to edit /etc/vsftpd.conf:

FTPserver#vi /etc/vsftpd.conf
........
write_enable=YES
local_enable=YES
chroot_list_enable=YES
#anonymous_enable=YES
#anon_world_readable_only=YES
....

userlist_enable=YES
userlist_deny=NO
local_root=/var/ftp/
listen_address=[ftp server IP address]


#vi /etc/vsftpd.user_list
add the list of the allowed FTP users here

#service vsftpd restart
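Both vsftpd recipes in this post hinge on which settings are in effect after editing, and a commented-out line falls back to vsftpd's own default rather than to "off". The following audit script is an added example, not part of the original post: it reads the effective value of each key (last uncommented line wins, otherwise the documented vsftpd default) and flags the combinations discussed above; the sample configuration it runs on is constructed from the listing above.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the settings this post touches. Added example, not
# part of the original post; the sample configuration below is constructed.

# Effective value of a key: the last uncommented "key=value" line wins; if the
# key is absent, fall back to $3 (vsftpd's own default for that key).
vsftpd_value() {  # $1=conf  $2=key  $3=default
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print one line per finding (nothing printed means nothing flagged).
vsftpd_audit() {  # $1=conf
    f="$1"
    # Commenting the line out does not disable anonymous logins: default is YES.
    grep -qE "^[[:space:]]*anonymous_enable[[:space:]]*=" "$f" || \
        echo "anonymous_enable not set explicitly (vsftpd default is YES)"
    if [ "$(vsftpd_value "$f" anonymous_enable YES)" = YES ]; then
        [ "$(vsftpd_value "$f" anon_upload_enable NO)" = YES ] && \
            echo "anonymous users may upload (anon_upload_enable=YES)"
        [ "$(vsftpd_value "$f" anon_other_write_enable NO)" = YES ] && \
            echo "anonymous users may rename/delete (anon_other_write_enable=YES)"
    fi
    # With chroot_local_user=NO, chroot_list_enable=YES jails only the users
    # named in chroot_list_file; with neither set, no local user is jailed.
    if [ "$(vsftpd_value "$f" local_enable NO)" = YES ] && \
       [ "$(vsftpd_value "$f" chroot_local_user NO)" = NO ] && \
       [ "$(vsftpd_value "$f" chroot_list_enable NO)" = NO ]; then
        echo "local users are not chrooted"
    fi
    return 0
}

# Demo on the configuration shown above (constructed sample file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
write_enable=YES
local_enable=YES
chroot_list_enable=YES
#anonymous_enable=YES
userlist_enable=YES
userlist_deny=NO
local_root=/var/ftp/
EOF
vsftpd_audit "$SAMPLE"
rm -f "$SAMPLE"
```

On the listing above the only finding is the implicit anonymous_enable, which is worth making explicit (anonymous_enable=NO) when the server is meant for named users only.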


That's it. Try it. ;D

Tuesday, April 6, 2010

Firewall in SuSe Linux

How to check if the firewall is running or not?
Ans: You have to check if the firewall service is running:

# /sbin/rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 running

It is telling you that the firewall is running. The firewall blocks telnet/ssh/scp by default.
You can stop the firewall with the following command:

# /sbin/rcSuSEfirewall2 stop

Now try to telnet/ssh/scp into the server remotely; you should be able to make a connection.


You can use the 'chkconfig' command to check whether the service will start at the next reboot.

# chkconfig --list|grep firewall
SuSEfirewall2_init 0:off 1:off 2:off 3:off 4:off 5:off 6:off
SuSEfirewall2_setup 0:off 1:off 2:off 3:off 4:off 5:off 6:off

In my case, it says that the firewall will not start automatically after the next reboot as it has 'off' status in every runlevel (1 through 5).


If you are not comfortable with the command line, you can use YaST for firewall management. 'Firewall' is located under the 'Security and Users' option.

#yast


Have a good one!