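#!/bin/bash
###################################################################################################
# DESCRIPTION: #
# This script is used to quickly and easily configure a secure FTP over SSL server on Linux #
# This will allow whitelisted authenticated users upload and download access to personal FTP dir #
# #
# Company: OsbornePro LLC. #
# Website: https://osbornepro.com #
# Author: Robert H. Osborne #
# Contact: rosborne@osbornepro.com #
# #
###################################################################################################
# Usage: run as root (or via sudo) on a Debian- or Fedora-family host. The OS family is read from
# /etc/os-release and decides the package manager, firewall tool and config/cert/userlist paths.
# Steps: install vsftpd, open ports 20-21 and the passive range 40000-41000, write the vsftpd
# config, generate a self-signed certificate, create the nopriv user, and give every account that
# owns a /home directory a chrooted ftp/ tree plus an entry in the userlist whitelist.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Everything below writes under /etc and drives the package manager and firewall.
[[ $EUID -eq 0 ]] || die "[!] This script must be run as root"

HOSTNAME=$(hostname)

# Source os-release rather than grepping ID_LIKE: the value is unquoted on Ubuntu, absent on
# Debian and Fedora themselves (they only set ID), and multi-valued ("rhel centos fedora") on
# RHEL clones, so an exact compare against '"debian"' / '"fedora"' missed most supported systems.
ID=""
ID_LIKE=""
if [[ -r /etc/os-release ]]; then
  # shellcheck disable=SC1091
  . /etc/os-release
fi
OSFAMILY="${ID} ${ID_LIKE}"

case "${OSFAMILY}" in
  *debian*|*ubuntu*)
    printf '[*] Using the Debian based OS settings\n'
    CONFFILE="/etc/vsftpd.conf"
    CERTFILE="/etc/ssl/certs/vsftpd.crt"
    KEYFILE="/etc/ssl/private/vsftpd.key"
    USERLIST="/etc/vsftpd.userlist"
    NOGROUP="nogroup"   # Debian's unprivileged group name
    printf '[*] Installing the vsftpd service\n'
    apt-get update
    apt-get install -y vsftpd openssl ufw
    printf '[*] Opening firewall rules for FTP service\n'
    ufw allow 20:21/tcp
    ufw allow 40000:41000/tcp
    ufw reload
    ;;
  *fedora*|*rhel*)
    printf '[*] Using the Fedora based OS settings\n'
    CONFFILE="/etc/vsftpd/vsftpd.conf"
    CERTFILE="/etc/pki/tls/certs/vsftpd.crt"
    KEYFILE="/etc/pki/tls/private/vsftpd.key"
    USERLIST="/etc/vsftpd/vsftpd.userlist"
    NOGROUP="nobody"    # Fedora has no 'nogroup'; its unprivileged group is 'nobody'
    printf '[*] Installing the vsftpd service\n'
    dnf install -y vsftpd openssl
    printf '[*] Opening firewall rules for FTP service\n'
    # All three rules must be --permanent: a runtime-only rule is discarded by the --reload below,
    # which previously left the passive port range closed after the script finished.
    firewall-cmd --zone=public --add-port=21/tcp --permanent
    firewall-cmd --zone=public --add-port=20/tcp --permanent
    firewall-cmd --zone=public --add-port=40000-41000/tcp --permanent
    firewall-cmd --reload
    ;;
  *)
    die "[!] Operating system ID is not Debian or Fedora"
    ;;
esac

printf '[*] Backing up original vsftpd.conf file\n'
# Only take the pristine copy once so a re-run does not overwrite it with our own config.
if [[ -f "${CONFFILE}" && ! -e "${CONFFILE}.orig" ]]; then
  cp -- "${CONFFILE}" "${CONFFILE}.orig"
  printf '[*] Created backup of original vsftpd.conf file at %s.orig\n' "${CONFFILE}"
fi

printf '[*] Writing vsftpd configuration to %s\n' "${CONFFILE}"
# The heredoc is deliberately unquoted so $USERLIST, $CERTFILE and $KEYFILE expand. \$USER is
# escaped: it is vsftpd's own per-login substitution token (user_sub_token), not the shell's USER
# variable, which under sudo would have expanded to "root" and pointed every login at /home/root.
cat > "${CONFFILE}" <<EOF
#------------------------------------------------------------------------------
# CONFIGURED SETTINGS
#------------------------------------------------------------------------------
# LISTENERS
listen=YES
listen_port=21
listen_ipv6=NO
session_support=YES
pasv_enable=YES
connect_from_port_20=YES
ftp_data_port=20
pasv_min_port=40000
pasv_max_port=41000
# SET THE BELOW VALUE IF YOUR FTP SERVER IS PUBLICLY ACCESSIBLE
#pasv_address=<Public IP Address or hostname>
#pasv_addr_resolve=YES
# RESTRICT COMMANDS THAT CAN BE EXECUTED
#cmds_allowed=ABOR,ACCT,ALLO,APPE,BINARY,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PASS,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER,XCUP,XCWD,XPWD,XRMD
#cmds_denied=PUT,MPUT,RM,RMD,RMDIR,XRMD,MKD,MKDIR,XMKD
# PERMISSIONS
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
user_sub_token=\$USER
local_root=/home/\$USER/ftp
userlist_enable=YES
userlist_file=$USERLIST
userlist_deny=NO
allow_writeable_chroot=NO
nopriv_user=ftpsecure
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
ls_recurse_enable=NO
# LOGGING
syslog_enable=NO
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
log_ftp_protocol=YES
debug_ssl=YES
# SESSIONS
idle_session_timeout=600
data_connection_timeout=120
# CHAR
ascii_upload_enable=NO
ascii_download_enable=NO
#utf8_filesystem=YES
# BANNER
ftpd_banner=FTP over SSL Server
# OR You can use a file to load a banner
#banner_file=/etc/vsftpd.welcome_banner
# SERVICE
pam_service_name=ftp
# SSL SETTINGS
rsa_cert_file=$CERTFILE
rsa_private_key_file=$KEYFILE
ssl_enable=YES
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
# NOTE(review): check the installed vsftpd's man page for which TLS versions ssl_tlsv1 admits
# and whether the accepted protocol/cipher set should be narrowed further.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
# SET THIS TO YES IF YOU ARE USING PORT 990
implicit_ssl=NO
EOF

printf '[*] Generating a self signed SSL certificate\n'
openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
  -subj "/CN=${HOSTNAME}/OU=Certificates" \
  -out "${CERTFILE}" -keyout "${KEYFILE}"
# Do not depend on openssl's default file mode: only root (the vsftpd listener) reads the key.
chmod 600 -- "${KEYFILE}"

printf "[*] Creating least privilege 'ftpsecure' user for FTP service\n"
if ! id -u ftpsecure >/dev/null 2>&1; then
  # System account with no home and no interactive shell; it only has to exist for nopriv_user.
  useradd --system --no-create-home --shell /usr/sbin/nologin ftpsecure
fi
# secure_chroot_dir must exist (and stay unwritable) for the unprivileged child to chroot into.
# NOTE(review): /var/run is volatile on some systems; a tmpfiles.d entry may be needed to recreate
# it at boot where the vsftpd package does not do so itself.
mkdir -p /var/run/vsftpd/empty

printf '[*] Creating an FTP directory for all local users on this device and adding them to the allowed FTP users list in %s\n' "${USERLIST}"
touch -- "${USERLIST}"
# Glob /home instead of parsing `ls`; the literal pattern is left behind when there is no match.
for home in /home/*/; do
  [[ -d "${home}" ]] || continue
  u=${home%/}
  u=${u##*/}
  # Skip directories that are not backed by an account (e.g. lost+found, leftover homes),
  # otherwise they would be whitelisted and chown'd to a nonexistent user.
  id -u "${u}" >/dev/null 2>&1 || continue
  # Append once so a re-run does not duplicate whitelist entries.
  grep -qxF -- "${u}" "${USERLIST}" || printf '%s\n' "${u}" >> "${USERLIST}"
  mkdir -p -- "/home/${u}/ftp/files"
  # The chroot root itself must not be writable by the user (allow_writeable_chroot=NO);
  # only the files/ subdirectory belongs to them.
  chown "nobody:${NOGROUP}" -- "/home/${u}/ftp"
  chown "${u}:${u}" -- "/home/${u}/ftp/files"
  chmod a-w -- "/home/${u}/ftp"
done

printf '[*] Backing up current VSFTPD configuration file\n'
cp -- "${CONFFILE}" "${CONFFILE}.bak"
printf '[*] Created backup of active vsftpd.conf file at %s.bak\n' "${CONFFILE}"

printf '[*] Restarting the VSFTPD service with latest config\n'
systemctl enable --now vsftpd.service
# `enable --now` does not restart an already-running unit (Debian starts vsftpd on install),
# so an explicit restart is needed for the new config to take effect.
systemctl restart vsftpd.service
systemctl status --no-pager vsftpd.service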