By default, SSH on Ubuntu comes configured in a way that disables the root user’s login. This was originally enabled as a security precaution, which means that you cannot directly log in as the root user over SSH. However, you can usually get around the need for root SSH login by using the sudo command. In some cases, though, it’s just more convenient to log in directly as root.
This tutorial describes the process of setting up SSH Keys for use when logging in to a remote server via SSH.
II. How to Setup SSH Keys for Use with File Synchronization
What is cPanel?
cPanel is a server control panel that lets users access and automate server tasks and provides the tools needed to manage the overall server, its applications, and websites. Some features include the capability to modify PHP versions, create individual cPanel accounts, add FTP users, install SSL certificates, configure security settings, and install packages, to name a few. cPanel and WHM have a vast range of customizations and configurations that can be completed to further personalize your platform specifically for your needs. It also includes 24/7 support from cPanel.
When purchasing a server from Liquid Web, we offer several images your server can be built from. We offer these images on most of our hosting products, including dedicated servers, cloud dedicated servers, and our VPS offerings. Another bonus is that cPanel is supported out of the box on our fully managed servers. Our staff is well versed in providing assistance as well. Our automated install process will install and set up cPanel on your server. If you happen to have a cPanel license or are utilizing cPanel’s free trial, then please continue reading as we will be discussing how to install and set up cPanel on a CentOS 6 or 7 Linux box.
After spinning up a new Ubuntu server you may find yourself looking for a guide of what to do next. Many times the default settings do not provide the level of security that your server should have. Throughout this article, we provide you with security tips and pose questions to help determine the best kind of setup for your environment.
Configuring Multi-User FTP with User Isolation
This article is intended to give an overview of a chroot environment and configuring your FTP service for user isolation. This is done with a few lines within the main configuration file of the FTP service.
This article is also intended as a guide for our Core-Managed servers running CentOS or Ubuntu without a control panel. Our Fully Managed servers that utilize the cPanel software already have the FTP user isolation configured by default and also provide utilities for creating FTP users.
What is Chroot?
Chroot or change-root is the implementation of setting a new root directory for the environment that a user has access to. By doing this, from the user’s perspective, there will appear to be no higher directory that the user could escape to. They would be limited to the directory they start in and only see the contents inside of that directory.
If a user were to try to list the contents of the root (/) of the system, it would return the contents of their chroot environment and not the actual root of the server.
As there are many FTP options available, ProFTPd, Pure-FTPd, vsftpd, to name a few, this article will only focus on the use of ProFTPd for simplicity and brevity. This is also not intended to be a guide for installing an FTP service as it’s covered in our Knowledge Base articles below.
User Isolation with ProFTPd
By default, ProFTPd will read the system /etc/passwd file. The users in this file are the normal system users and do not need to be created separately from normal user creation. There are many ways to create additional FTP users, but this is one way to get started.
Here are some typical entries from the system passwd file. From left to right, you can see the username, the user and group IDs, the home directory, and the default shell configured for that user.
To create these users, you would use the useradd command from the command line or whatever other methods you would typically use to create users on the server.
Create the user
useradd -m -d /home/homedir newuser
Set the user password
If you are setting up multiple users that all need to have access to the same directory, you will need to make sure that the users are all in the same group. Being in the same group means that each user can have group level access to the directory and allow everyone in the group to access the files that each user uploads. This level of user management is beyond the scope of this article, but be aware that things of this nature are possible.
ProFTPd User Configuration
To jail a user to their home directory within ProFTPd, you have to set the DefaultRoot value to ~.
With this set, it tells the FTP service to only allow the user to access their home directory. The ~ is a shortcut that tells the system to read whatever the user’s home directory is from the /etc/passwd file and use that value.
Using this functionality in ProFTPd, you can also define multiple DefaultRoot directives and have those restrictions match based on some criteria. You can jail some users, and not others, or jail a set of users all to the same directory if desired. This is done by matching the group that a user belongs to.
When a new user is created, as shown above, their default group will be the same as their username. You can, however, add or modify the group(s) assigned to the user after they are created if necessary.
Jail Everyone Not in the “Special-Group”
DefaultRoot ~ !special-group
Jail Group1 and Group2 to the Same Directory
DefaultRoot /path/to/uploads group1,group2
After making these changes to the proftpd.conf file you’ll need to restart the FTP service.
CentOS 6.x (init)
CentOS 7.x (systemd)
systemctl restart proftpd
User Isolation with SFTP (SSH)
You can also isolate SFTP users or restrict a subset of SSH users to only have SFTP access. Again, this pertains to regular system users created using the useradd command.
While you can secure FTP communications using SSL, this is an extra level of setup and configuration. SFTP, by contrast, is used for file transfers over an SSH connection. SSH is an encrypted connection to the server and is secure by default. If you are concerned about security and are unsure about adding SSL to your FTP configuration, this may be another option to look into.
SFTP User Setup
Create the user and their home directory just like with the FTP user, but here we make sure to set the shell to not allow normal SSH login. We are presuming that you are looking for SFTP-only users and not just regular shell users, so we add the restriction on the shell to prevent non-SFTP logins.
useradd -m -d /home/homedir/ -s /sbin/nologin username
We need to make sure that permissions and ownership are set for the home directory to be owned by root, and the upload directory is owned by the user.
chmod 755 /home/homedir/
chown root: /home/homedir/
mkdir -p /home/homedir/upload-dir/
chown username: /home/homedir/upload-dir/
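The ownership rule above is the most common reason a chrooted SFTP login is refused: sshd requires every directory on the chroot path, not just the last one, to be owned by root and not writable by group or others. The following audit script is an added example, not part of the original article; the function names and the optional UID argument are assumptions of this example, and it relies on GNU stat as shipped with CentOS and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original article): audit a ChrootDirectory path.
# sshd refuses the session unless every directory from / down to the chroot
# is owned by root and is not writable by group or others.

# dir_ok DIR [UID] -> 0 if DIR is owned by UID (default 0, root) and has no
# group/other write bit. The UID argument is an assumption of this example,
# there only so the check can be tried without root privileges.
dir_ok() {
    d_path=$1; d_uid=${2:-0}
    [ -d "$d_path" ] || return 1
    set -- $(stat -c '%u %a' "$d_path")    # GNU stat: owner uid, octal mode
    [ "$1" = "$d_uid" ] || return 1
    d_other=$(( $2 % 10 )); d_group=$(( ($2 / 10) % 10 ))
    [ $(( (d_other | d_group) & 2 )) -eq 0 ]   # write bit (2) must be clear
}

# audit_chroot DIR [UID] -> prints each offending component; returns 0 if the
# whole path is acceptable, 1 if any component fails, 2 if DIR does not exist.
audit_chroot() {
    a_path=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 2; }
    a_uid=${2:-0}; a_bad=0
    while :; do
        if ! dir_ok "$a_path" "$a_uid"; then
            echo "FAIL $a_path ($(stat -c '%U:%G %a' "$a_path"))"
            a_bad=1
        fi
        [ "$a_path" = "/" ] && break
        a_path=$(dirname "$a_path")        # move one component up
    done
    return "$a_bad"
}

# Stand-alone use: sh audit.sh /home/homedir
if [ $# -gt 0 ]; then audit_chroot "$1"; fi
```

The upload directory inside the jail is deliberately excluded from the check: it sits below the chroot and must stay owned by the user so that uploads succeed.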
Here, by setting the ChrootDirectory to the %h variable, we are confining the user to their home directory as set up when the user was created. Using the ForceCommand directive also limits the commands the user is allowed to execute to only SFTP commands used for file transfers, again eliminating the possibility that the users will be able to break out of the jail and into a normal shell environment.
Subsystem sftp internal-sftp
Match User user1,user2,user3
    ChrootDirectory %h
    ForceCommand internal-sftp
Jail Multiple FTP Users to a Location
Alternatively, if you wanted to have multiple users all jailed to the same location, you can set them all to be in the same group, have the same home directory, and then use a Match Group directive within the SSH configuration.
Subsystem sftp internal-sftp
Match Group groupname
    ChrootDirectory %h
    ForceCommand internal-sftp
After making these changes to the sshd_config file, restart the SSH service. One of the following commands should work for you.
CentOS 6.x (init)
CentOS 7.x (systemd)
systemctl restart sshd
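A Match block that sets ChrootDirectory but omits ForceCommand (or the reverse) still loads without error, so a quick review of every Match block before restarting is worthwhile. The linter below is an added example, not code from the original article; the function names and the sample configuration are constructed for illustration, and it handles only the plain "Keyword value" syntax.

```shell
#!/bin/sh
# Added example (not from the original article): report, for each Match block
# in an sshd_config, whether it both jails the user (ChrootDirectory) and
# restricts the session to SFTP (ForceCommand internal-sftp).

# lint_sftp_jails [FILE] -> one line per Match block; reads stdin if no FILE.
lint_sftp_jails() {
    awk '
    function report() {
        if (block == "") return
        miss = ""
        if (!chroot) miss = miss " ChrootDirectory"
        if (!force)  miss = miss " ForceCommand=internal-sftp"
        print block ":" (miss == "" ? " ok" : " missing" miss)
    }
    NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
    { key = tolower($1) }                    # sshd keywords are case-insensitive
    key == "match" {
        report()
        # "Match all" returns to global scope, so it is not a jail block
        if (tolower($2) == "all") { block = ""; next }
        block = $2 " " $3; chroot = force = 0; next
    }
    block != "" && key == "chrootdirectory" { chroot = 1 }
    block != "" && key == "forcecommand" && $2 == "internal-sftp" { force = 1 }
    END { report() }
    ' "$@"
}

# Constructed sample input: the second block forgets ForceCommand.
sample_sshd_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match User user1,user2,user3
    ChrootDirectory %h
    ForceCommand internal-sftp
# shared jail for a group
Match Group groupname
    ChrootDirectory %h
Match all
    X11Forwarding no
EOF
}

sample_sshd_config | lint_sftp_jails
```

Running `sshd -t` before the restart additionally catches syntax errors in the file, which this linter does not look for.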
A few configuration changes are needed as part of the basic setup with a new Ubuntu 16.04 LTS server. This article will provide a comprehensive list of those basic configurations and help to improve the security and usability of your server while creating a solid foundation to build on. Continue reading “Getting Started with Ubuntu 16.04 LTS”
Have you ever wanted to use SSH to control your Linux server from Windows? You’ve most likely downloaded and launched third-party applications like PuTTY or KiTTY to get this functionality on your Windows computer. Thankfully, with the Windows 10 Fall Creators Update, you can now use a built-in SSH client directly within your Windows OS. Continue reading “Using SSH Client Natively in Windows 10”
On an Ubuntu server, the default firewall management command is iptables. While iptables provides powerful functionality, its syntax is often seen as complex. For most users, a friendlier syntax can make managing your firewall much easier.
The uncomplicated firewall (UFW) is an alternative program to iptables for managing firewall rules. Most typical Ubuntu installations will include UFW by default. In cases where UFW isn’t included it’s just a quick command away! Continue reading “Installing and using UFW on Ubuntu 16.04 LTS”
SSH, or secure shell, is a network protocol used for secure network communications and remote command execution. Common use cases for SSH include: controlling computers remotely and securing network services. A great example of securing other services is the SFTP protocol which uses SSH to securely connect to a server and FTP to transfer the files. Continue reading “What is SSH?”
The EPEL repository is an additional package repository that provides easy access to install packages for commonly used software. This repo was created because Fedora contributors wanted to use Fedora packages they maintain on RHEL and other compatible distributions.
To put it simply, the goal of this repo was to provide greater ease of access to software on Enterprise Linux compatible distributions.
What’s an ‘EPEL repository’?
The EPEL repository is managed by the EPEL group, which is a Special Interest Group within the Fedora Project. The ‘EPEL’ part is an abbreviation that stands for Extra Packages for Enterprise Linux. The EPEL group creates, maintains and manages a high quality set of additional packages. These packages may be software not included in the core repository, or sometimes updates which haven’t been provided yet.
Continue reading “How to enable EPEL repository?”