During my time studying Computing Security at the Rochester Institute of Technology, I was involved in a number of security-related clubs. Their premier security research group was SPARSA, where students would present security topics and demo exploits.
ISTS — the Information Security Talent Search — was a 2-day hackathon where teams of four would attack other teams’ servers while simultaneously defending their own. A good portion of the points were awarded for keeping services like FTP and DNS up and running throughout the competition.
In preparation for the competition, my team looked at both vsftpd and ProFTPD. These services worked out of the box, but configuring a secure chroot for users to drop files into was more difficult than I imagined.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Messages like these became infuriating. After countless hours, we were able to configure vsftpd to act as a chroot dropbox. This let a user read and write files to a controlled directory without having access to the entire filesystem.
Note: Although vsftpd should act the same on most servers, I am using Ubuntu 16.04.2 LTS for this example.
To install vsftpd, I used the apt package manager.
$ sudo apt update
$ sudo apt install vsftpd
Once you have installed the package, ensure that the service is up and running.
$ sudo systemctl status vsftpd
With the package installed, it’s time to configure the service. By default the configuration file lives in /etc/vsftpd.conf. Open it with an editor and paste in the configuration below.
$ sudo vim /etc/vsftpd.conf

allow_writeable_chroot=YES
anonymous_enable=NO
chroot_local_user=YES
connect_from_port_20=YES
data_connection_timeout=120
dirmessage_enable=YES
ftpd_banner=Welcome.
idle_session_timeout=600
listen=YES
local_enable=YES
local_umask=022
pam_service_name=ftp
pasv_enable=NO
secure_chroot_dir=/home/
use_localtime=YES
write_enable=YES
xferlog_enable=YES
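As an added example that is not part of the original post, the POSIX shell script below audits a vsftpd.conf against the dropbox settings above and flags the exact combination (chroot + write access without allow_writeable_chroot) that produces the "500 OOPS" error. The key names are real vsftpd options; the two sample config files are constructed here so the script runs offline, and the assumption that a later occurrence of a key overrides an earlier one matches how vsftpd reads its config.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# dropbox settings discussed above, and flag the combination that produces
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".

# vsftpd_get KEY FILE: print the effective value of KEY. Lines starting with
# '#' are comments; a later occurrence of a key overrides an earlier one.
# Returns 1 if the key is not set.
vsftpd_get() {
    val=$(grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 | sed 's/^[^=]*=//')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# vsftpd_audit FILE: print one FAIL line per problem; the exit status is the
# number of problems found (0 = config matches the dropbox baseline).
vsftpd_audit() {
    conf="$1"
    problems=0
    # key=expected pairs from the post, each with the reason it matters.
    # vsftpd defaults anonymous_enable to YES, so leaving it unset is a finding.
    for rule in \
        "anonymous_enable=NO:anonymous users could read from or fill the dropbox" \
        "chroot_local_user=YES:local users would see the whole filesystem" \
        "local_enable=YES:the functional ftpuser account could not log in" \
        "write_enable=YES:a dropbox must accept uploads" \
        "local_umask=022:uploaded files should not be group/world writable" \
        "xferlog_enable=YES:transfers should be logged for incident response"
    do
        kv=${rule%%:*}; why=${rule#*:}
        key=${kv%%=*}; want=${kv#*=}
        have=$(vsftpd_get "$key" "$conf") || have="<unset>"
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s=%s (want %s): %s\n' "$key" "$have" "$want" "$why"
            problems=$((problems + 1))
        fi
    done
    # The error from the post: vsftpd refuses a writable chroot root unless
    # allow_writeable_chroot=YES is set (or the root directory is read-only).
    if [ "$(vsftpd_get chroot_local_user "$conf")" = "YES" ] &&
       [ "$(vsftpd_get write_enable "$conf")" = "YES" ] &&
       [ "$(vsftpd_get allow_writeable_chroot "$conf")" != "YES" ]; then
        printf 'FAIL allow_writeable_chroot unset: logins fail with "500 OOPS: ... writable root inside chroot()" if the home directory is writable\n'
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample configs (temporary files) so the audit can be run as-is.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
# subset of the post's config that the audit inspects
allow_writeable_chroot=YES
anonymous_enable=NO
chroot_local_user=YES
local_enable=YES
local_umask=022
write_enable=YES
xferlog_enable=YES
EOF
cat > "$tmp/bad.conf" <<'EOF'
# a stock-looking config: anonymous left at its default, no umask, no log
local_enable=YES
write_enable=YES
chroot_local_user=YES
EOF

# audit_sample NAME: audit one of the constructed samples ("good" or "bad").
audit_sample() {
    vsftpd_audit "$tmp/$1.conf"
}

audit_sample good && echo "good.conf: no findings"
audit_sample bad || echo "bad.conf: $? finding(s)"
```

The last check mirrors vsftpd's own refusal: it only complains when the jail root can be written. Besides allow_writeable_chroot=YES, the other way to clear the error is to keep the user's home directory non-writable and give them a writable subdirectory to upload into.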
Creating an FTP User
This is just good practice. Having one account — sometimes called a functional account — that can only access this service is strongly advised.
$ sudo adduser ftpuser
Once the account is created, we will set the correct permissions on the user’s home directory.
$ sudo chmod -R 755 /home/ftpuser
$ sudo usermod -s /sbin/nologin ftpuser
Restart and Test
Once the service is installed, the configuration file has been copied and a user account has been created, you can restart the service and test!
$ sudo systemctl reload vsftpd
$ sudo systemctl restart vsftpd
$ ftp server.com
One of the most common applications of an FTP dropbox is for companies that wish to regularly push you information. It is most commonly called “FTP Push.”
This is a common practice with government entities and services that offer daily data dumps. “FTP Push” can be a pain, especially since we live in a world of RESTful APIs and other file-sharing services. But hopefully this guide makes it painless to set up a secure FTP dropbox.