![[PukiWiki]](image/pukiwiki.png "[PukiWiki]")
総数:13 今日:1 昨日:0
参考URL
How to Setup an SFTP Server on Ubuntu 22.04 using OpenSSH
How To Setup SFTP Server on Ubuntu 22.04 LTS
Linux サーバーに SFTP をインストールして使用する方法
参考url
Ubuntu 22.04 LTS ServerのIPを固定する
例
192.168.3.9
~$ sudo apt update ~$ sudo apt install openssh-server
verify that OpenSSH is installed on your system and actively running.
Use the below command and confirm that you see “active (running)” on the third line.
~$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-07-19 14:36:02 JST; 40min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 764 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 798 (sshd)
Tasks: 1 (limit: 18946)
Memory: 3.8M
CPU: 34ms
CGroup: /system.slice/ssh.service
└─798 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
7月 19 14:36:00 OptiPlex-790 systemd[1]: Starting OpenBSD Secure Shell server...
7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on 0.0.0.0 port 22.
7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on :: port 22.
7月 19 14:36:02 OptiPlex-790 systemd[1]: Started OpenBSD Secure Shell server.
create a new user for logging into the SFTP server.
$ sudo adduser sftpuser
ユーザー `sftpuser' を追加しています... 新しいグループ `sftpuser' (1001) を追加しています... 新しいユーザー `sftpuser' (1001) をグループ `sftpuser' に追加しています... ホームディレクトリ `/home/sftpuser' を作成しています... `/etc/skel' からファイルをコピーしています... 新しい パスワード: →例)sftpuser と入力した 正しくないパスワード: このパスワードには、一部に何らかの形でユーザー名が含まれています 新しい パスワードを再入力してください: →例)sftpuser と入力した passwd: パスワードは正しく更新されました sftpuser のユーザ情報を変更中 新しい値を入力してください。標準設定値を使うならリターンを押してください フルネーム []: 部屋番号 []: 職場電話番号 []: 自宅電話番号 []: その他 []: 以上で正しいですか? [Y/n] Y
create a new group for our sftpuser.
We will configure SSH to give SFTP access to any user in this group.
$ sudo addgroup sftpusers
グループ `sftpusers' (GID 1002) を追加しています... 完了。
add the user to the new group.
Run the usermod command to add the sftpuser to the sftpusers group.
$ sudo usermod -a -G sftpusers sftpuser
set new permissions on the sftpuser’s home directory.
This will allow the SFTP server to access these files.
First execute the chown command followed by the chmod command.
The sftpuser’s home will be the folder you access when you connect to the SFTP server.
$ sudo chown root: /home/sftpuser
$ sudo chmod 777 /home/sftpuser
$ ls -la ..|grep -i --color -e "sftpuser" drwxrwxrwx 2 root root 4096 7月 19 15:28 sftpuser
変更前は下記の状態
drwxr-x--- 2 sftpuser sftpuser 4096 7月 19 15:28 sftpuser
edit the sshd_config file and edit a few lines.
Open the configuration file using the gvim text editor as shown below.
$ sudo gvim -f /etc/ssh/sshd_config
The vsftpd server can be configured by editing the /etc/vsftpd.conf file.
Most of the settings are well documented inside the configuration file.
In the following sections, we will go over some important settings needed to configure a secure vsftpd installation.
$ sudo cp -p /etc/vsftpd.conf /etc/vsftpd.conf.original
~$ ls -la /etc/vsftpd.conf* -rw-r--r-- 1 root root 5850 2月 6 2018 /etc/vsftpd.conf -rw-r--r-- 1 root root 5850 2月 6 2018 /etc/vsftpd.conf.original
$ sudo gvim -f /etc/vsftpd.conf
ローカルユーザーのみを許可する。
We’ll allow access to the FTP server only the local users,
find the anonymous_enable and local_enable directives and
verify your configuration match to lines below:
anonymous_enable=NO local_enable=YES
Uncomment the write_enable setting to allow changes to the filesystem such as uploading and deleting files.
write_enable=YES
To prevent the FTP users to access any files outside of their home directories uncomment the chroot setting.
chroot_local_user=YES
By default to prevent a security vulnerability, when chroot is enabled vsftpd will refuse to upload files if the directory that users are locked in is writable.
Use one of the methods below to allow uploads when chroot is enabled.
The recommended method to allow upload is to keep chroot enabled, and configure FTP directories.
In this tutorial, we will create an ftp directory inside the user home which will serve as the chroot and a writable uploads directory for uploading files.
下記をファイルの末尾に追記する。
user_sub_token=$USER local_root=/home/$USER/ftp
Another option is to add the following directive in the vsftpd configuration file.
Use this option if you must to grant writable access to your user to its home directory.
allow_writeable_chroot=YES
vsftpd can use any port for passive FTP connections.
We’ll specify the minimum and maximum range of ports and later open the range in our firewall.
Add the following lines to the configuration file:
pasv_min_port=30000 pasv_max_port=31000
To allow only certain users to log in to the FTP server add the following lines at the end of the file:
userlist_enable=YES userlist_file=/etc/vsftpd.user_list userlist_deny=NO
When this option is enabled you need to explicitly specify
which users are able to log in
by adding the user names to the /etc/vsftpd.user_list file (one user per line).
$ sudo gvim -f /etc/vsftpd.user_list
下記の1行を記述する
ftp_user
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # # Run standalone? vsftpd can run either from an inetd or as a standalone # daemon started from an initscript. listen=NO # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. listen_ipv6=YES # # Allow anonymous FTP? (Disabled by default). anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # If enabled, vsftpd will display directory listings with the time # in your local time zone. The default is to display GMT. The # times returned by the MDTM FTP command are also affected by this # option. use_localtime=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. chroot_local_user=YES # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # Customization # # Some of vsftpd's settings don't fit the filesystem layout by # default. # # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key ssl_enable=NO # # Uncomment this to indicate that vsftpd use a utf8 filesystem. #utf8_filesystem=YES # keep chroot enabled, and configure FTP directories. # In this case, we will create an ftp directory inside the user home # which will serve as the chroot and a writable uploads directory # for uploading files. user_sub_token=$USER local_root=/home/$USER/ftp allow_writeable_chroot=YES # vsftpd can use any port for passive FTP connections. # We’ll specify the minimum and maximum range of ports # and later open the range in our firewall. pasv_min_port=30000 pasv_max_port=31000 # allow only certain users to log in to the FTP server userlist_enable=YES userlist_file=/etc/vsftpd.user_list userlist_deny=NO
~$ diff -uprN /etc/vsftpd.conf.original /etc/vsftpd.conf --- /etc/vsftpd.conf.original 2018-02-06 01:55:32.000000000 +0900 +++ /etc/vsftpd.conf 2019-09-22 16:54:58.583925247 +0900 @@ -28,7 +28,7 @@ anonymous_enable=NO local_enable=YES # # Uncomment this to enable any form of FTP write command. -#write_enable=YES +write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) @@ -111,7 +111,7 @@ connect_from_port_20=YES # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. -#chroot_local_user=YES +chroot_local_user=YES # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of @@ -153,3 +153,25 @@ ssl_enable=NO # # Uncomment this to indicate that vsftpd use a utf8 filesystem. #utf8_filesystem=YES + +# keep chroot enabled, and configure FTP directories. +# In this case, we will create an ftp directory inside the user home +# which will serve as the chroot and a writable uploads directory +# for uploading files. +user_sub_token=$USER +local_root=/home/$USER/ftp + +allow_writeable_chroot=YES + +# vsftpd can use any port for passive FTP connections. +# We’ll specify the minimum and maximum range of ports +# and later open the range in our firewall. +pasv_min_port=30000 +pasv_max_port=31000 + + +# allow only certain users to log in to the FTP server +userlist_enable=YES +userlist_file=/etc/vsftpd.user_list +userlist_deny=NO +
$ sudo adduser ftp_user ユーザー `ftp_user' を追加しています... 新しいグループ `ftp_user' (1001) を追加しています... 新しいユーザー `ftp_user' (1001) をグループ `ftp_user' に追加しています... ホームディレクトリ `/home/ftp_user' を作成しています... `/etc/skel' からファイルをコピーしています... 新しい UNIX パスワードを入力してください: ★ ftp_user と入力する 新しい UNIX パスワードを再入力してください: ★ ftp_user と入力する passwd: パスワードは正しく更新されました ftp_user のユーザ情報を変更中 新しい値を入力してください。標準設定値を使うならリターンを押してください フルネーム []: 部屋番号 []: 職場電話番号 []: 自宅電話番号 []: その他 []: 以上で正しいですか? [Y/n] Y
~$ sudo bash -c "echo 'ftp_user' | sudo tee -a /etc/vsftpd.user_list"
~$ sudo mkdir -p /home/ftp_user/ftp/upload/ ~$ sudo chmod 550 /home/ftp_user/ftp/ ~$ sudo chmod 750 /home/ftp_user/ftp/upload/ ~$ sudo chown -R ftp_user:ftp_user /home/ftp_user/ftp/
restart the vsftpd service for changes to take effect:
sudo systemctl restart vsftpd
~$ sudo systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-09-22 15:50:56 JST; 19s ago
Process: 5116 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 5117 (vsftpd)
Tasks: 1 (limit: 4672)
CGroup: /system.slice/vsftpd.service
└─5117 /usr/sbin/vsftpd /etc/vsftpd.conf
9月 22 15:50:56 test-ftp-server systemd[1]: Stopping vsftpd FTP server...
9月 22 15:50:56 test-ftp-server systemd[1]: Stopped vsftpd FTP server.
9月 22 15:50:56 test-ftp-server systemd[1]: Starting vsftpd FTP server...
9月 22 15:50:56 test-ftp-server systemd[1]: Started vsftpd FTP server.
| host IP address | 192.168.3.19 |
| username | ftp_user |
| password | ftp_user |
https://forest.watch.impress.co.jp/library/software/ffftp/
FFFTP(64bit版) v4.2(19/09/11)
変更した項目のみ
| ホストの設定名 | ftp server |
| ホスト名 | 192.168.3.19 |
| ユーザー名 | ftp_user |
| パスワード/フレーズ | ftp_user |
| 暗号化なしで接続を許可 | チェックする |
| FTPS(Explicit)で接続 | チェックしない |
| FTPS(Implicit)で接続 | チェックしない |
