{"id":28,"date":"2012-09-28T11:10:17","date_gmt":"2012-09-28T09:10:17","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=28"},"modified":"2018-04-04T14:00:25","modified_gmt":"2018-04-04T12:00:25","slug":"ftp","status":"publish","type":"post","link":"https:\/\/clark.tipistrani.it\/?p=28","title":{"rendered":"FTP"},"content":{"rendered":"

FTP<\/a> \u00e8 un modo comodo anzi molto comodo per trasferire grosse moli di dati.
\nLa sua principale caratteristica \u00e8 la stabilit\u00e0 una volta avviata una sessione di ftp a meno di cadute di linea o di interruzioni di servizio (per la serie si spegne il server) arriva sempre a buon fine.
\nA volte in ditta succede che si debbano trasferire dei filmati di macchine o presentazioni che sono pesantissime la soluzione canonica e’ fare\u00a0 il classico cd\/dvd e spedire con corriere, ma un server FTP\u00a0 pu\u00f2 essere una valida alternativa.
\nIl grosso contro di un server FTP e’ che tutto passa in chiaro, password messaggi files e questo \u00e8 MALE.
\nInoltre la macchina non \u00e8 direttamente su internet ma bens\u00ec all’interno della lan, infatti le chiamate da internet alla porta 21 vengono reindirizzate dal firewall a una macchina specifica e questo aggrava ulteriormente la questione sicurezza.
\nPer cercare di ovviare alla cosa ho pensato di mettere il servizio ftp in chroot.
\nPremetto che questa realizzazione \u00e8 volutamente fatta in modo da rendere difficile la vita a chi volesse “sfondare” il servizio, infatti oltre al chroot fatto con debootstrap la directory in cui gira il tutto (\/jail) \u00e8 vincolata da ACL posix, non \u00e8 permesso il login anonimo, lo stesso utente che puo’ operare ha limitazioni ed inoltre nella configurazione di proftp \u00e8 stata imposta la condizione di chrooting alla home stessa dell’utente (~), la sicurezza “sicura” non esiste, ma almeno il rendere dura la vita a chi non ha nulla di meglio da fare che far vedere quanto sia bravo si pu\u00f2 fare.
\nDa questo punto in poi tutto \u00e8 riferito all’ambiente chrootato.
\nPer pura comodit\u00e0 ho creato un utente archivio con pw archivio con home \/home\/ftp e per complicare ulteriormente la vita ai probabili malintenzionati ho anche imposto come \/bin\/false la shell dell’utente, archivio \u00e8 la login che diamo ai clienti ed \u00e8 come vedremo di seguito limitata.
\nquindi nel file passwd troveremo una riga come questa:
\narchivio:x:1000:1000:,,,:\/home\/ftp:\/bin\/false
\n\/bin\/false va aggiunto anche al file shells in \/etc.
\nMi serviva per\u00f2 una login che non fosse root per poter gestire senza particolari problemi le direcory e ho quindi creato l’utente manager con password $unabellapasswordlungaecomplicata che pu\u00f2 fare tutto.
\nHo quindi creato due directory sotto \/home\/ftp\u00a0 upload e download e ho imposto con le acl quanto segue:
\nsetfacl -R -d -m u:archivio:rx download\/
\nsetfacl -R -d -m u:manager:rwx download\/
\nsetfacl -R -d -m u:manager:rwx upload\/
\nsetfacl -R -d -m u:archivio:wx upload\/
\nin altre parole l’utente manager pu\u00f2 tutto in entrambe le directory, l’utente archivio pu\u00f2 leggere nella directory download ma non scrivere, viceversa pu\u00f2 di contro scrivere ma non leggere nella directory upload.
\nUna spiegazione mi pare opportuna per i meno smaliziati, la directory download e’ di pubblico dominio per tutti quelli che hanno la login di archivio, quindi \u00e8 nostra cura mettere in quella directory materiale non riservato ne sensibile, di contro la directory upload pu\u00f2 contenere documenti delicati e non \u00e8 pensabile che il cliente B possa leggere quello che ci ha spedito via FTP il cliente A che ha la stessa login.
\nLa scelta del server FTP \u00e8 caduta su proftpd che non \u00e8 certo il migliore per\u00f2 permette parecchie pi\u00f9 cose di quante a noi servano e ha il non trascurabile vantaggio di essere facile da configurare.
\nDi seguito il file di configurazione che si trova in \/etc\/proftpd (siamo sempre nella chroot).
\n#
\n# \/etc\/proftpd\/proftpd.conf — This is a basic ProFTPD configuration file.
\n# To really apply changes reload proftpd after modifications.
\n#<\/p>\n

# Includes DSO modules
\nInclude \/etc\/proftpd\/modules.conf<\/p>\n

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
\nUseIPv6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 off
\n# If set on you can experience a longer connection delay in many cases.
\nIdentLookups\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 off<\/p>\n

ServerName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “grecale FTP server”
\nServerType\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 standalone
\nDeferWelcome\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on
\nServerAdmin\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 my_address@my_company.com
\nMultilineRFC2228\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on
\nDefaultServer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on
\nShowSymlinks\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on<\/p>\n

TimeoutLogin\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 120
\nTimeoutNoTransfer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 120
\nTimeoutStalled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 240
\nTimeoutIdle\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 300<\/p>\n

DisplayLogin\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 welcome.msg
\nDisplayChdir\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .message true
\nListOptions\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “-l”<\/p>\n

DenyFilter\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \\*.*\/<\/p>\n

# Use this to jail all users in their homes
\nDefaultRoot\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ~<\/p>\n

# Port 21 is the standard FTP port.
\nPort\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 21<\/p>\n

MaxInstances\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 30<\/p>\n

# Set the user and group that the server normally runs at.
\n#User\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 proftpd
\nUser\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nobody
\nGroup\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nogroup<\/p>\n

# Umask 022 is a good standard umask to prevent new files and dirs
\n# (second parm) from being group and world writable.
\nUmask\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 022\u00a0 022
\n# Normally, we want files to be overwriteable.
\nAllowOverwrite\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on
\nTransferLog \/var\/log\/proftpd\/xferlog
\nSystemLog\u00a0\u00a0 \/var\/log\/proftpd\/proftpd.log<\/p>\n

<IfModule mod_quotatab.c>
\nQuotaEngine off
\n<\/IfModule><\/p>\n

<IfModule mod_ratio.c>
\nRatios off
\n<\/IfMo<IfModule mod_delay.c>
\nDelayEngine on
\n<\/IfModule><\/p>\n

<IfModule mod_ctrls.c>
\nControlsEngine\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 off
\nControlsMaxClients\u00a0\u00a0\u00a0 2
\nControlsLog\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/log\/proftpd\/controls.log
\nControlsInterval\u00a0\u00a0\u00a0\u00a0\u00a0 5
\nControlsSocket\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/run\/proftpd\/proftpd.sock
\n<\/IfModule>
\n<IfModule mod_ctrls_admin.c>
\nAdminControlsEngine off
\n<\/IfModule>
\n<Directory \/*>
\nAllowOverwrite\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on
\n<\/Directory><\/p>\n

<Anonymous ~archivio>
\nAccessGrantMsg “Accesso consentito all’utente %u.”
\nAllowRetrieveRestart on
\nAllowStoreRestart on
\nDisplayChdir .primo_cambio
\nDisplayLogin .welcome.msg
\nExtendedLog \/var\/log\/ftp.log read,write,auth
\nAnonRequirePassword yes
\nMaxClients 10 “E’ stato raggiunto il limite di utenti ammessi The limit of allowed users has been (%m).”
\nMaxClientsPerHost 1 “E’ gia’ connesso 1 utente dal tuo dominio. 1 user is\u00a0 already connected from your domain”
\nRequireValidShell yes<\/p>\n

<Directory *>
\n<Limit WRITE>
\nDenyAll
\n<\/Limit>
\n<Limit READ>
\nDenyAll
\n<\/Limit>
\n<Limit DIRS>
\nAllowAll
\n<\/Limit>
\n<\/Directory>
\n<Directory \/home\/ftp\/download>
\n<Limit STOR>
\nOrder deny,allow
\nDeny from 192.168.2.239
\nDeny from 192.168.2.240
\nDeny from 192.168.2.241
\nAllow 192.168.2.0\/24
\nAllowUser manager
\nDeny from all
\nDenyAll
\n<\/Limit>
\n<\/Directory>
\n<Directory \/home\/ftp\/upload>
\nUmask 222
\n<Limit STOR>
\nAllowAll
\n<\/Limit><\/p>\n

<Limit READ>
\nOrder deny,allow
\nDeny from 192.168.2.239
\nDeny from 192.168.2.240
\nDeny from 192.168.2.241
\nAllow 192.168.2.0\/24
\nAllowUser manager
\nDenyAll
\n<\/Limit>
\n<\/Directory>
\n<\/Anonymous><\/p>\n

Resta solo da far partire il servizio chrootato al boot della macchina a questo provvedono i due script
\nchroot_start<\/a>\u00a0 che a sua volta chiama il jail.sh<\/a><\/p>\n

Abbiamo ottenuto un server ftp funzionante e per quanto questo possa signficare qualcosa informaticamente parlando relativamente sicuro<\/p>\n","protected":false},"excerpt":{"rendered":"

FTP \u00e8 un modo comodo anzi molto comodo per trasferire grosse moli di dati. La sua principale caratteristica \u00e8 la stabilit\u00e0 una volta avviata una sessione di ftp a meno di cadute di linea o di interruzioni di servizio (per la serie si spegne il server) arriva sempre a buon fine. A volte in ditta […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,7,6],"tags":[],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-linux","category-sistemi-operativi","category-work"],"_links":{"self":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":6,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":1426,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions\/1426"}],"wp:attachment":[{"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}