====FTPS on CentOS 8 via VSFTPD====
https://www.liquidweb.com/kb/how-to-install-and-configure-vsftpd-on-centos-7/ \\
https://www.liquidweb.com/kb/configure-vsftpd-ssl/ \\
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04 \\
http://www.tuxfixer.com/vsftpd-installation-on-centos-7-with-selinux/
Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.
After the install is finished, reboot, log in, and run a "dnf update".
==Create limited user account and add to wheel group for sudo==
useradd example_user && passwd example_user
usermod -aG wheel example_user
==Install useful stuff==
dnf install vim rsyslog policycoreutils-python-utils
systemctl enable rsyslog
systemctl start rsyslog
Log out of root and log in as the sudo user.
==Disallow root login over SSH==
sudo vim /etc/ssh/sshd_config
then set
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
==Create Dedicated FTPS/SFTP User/Group==
sudo useradd sftps
sudo usermod -s /sbin/nologin sftps
Create FTP directory
sudo mkdir -p /opt/public/share
sudo chown root:root /opt/public
sudo chown -R sftps:sftps /opt/public/share
sudo chmod 770 /opt/public/share
sudo semanage fcontext -a -t public_content_rw_t /opt/public/share
sudo restorecon -Rvv /opt/public/share
Note: for the SFTP chroot (added later in this guide) the parent directory /opt/public must be owned by root; the share directory itself belongs to sftps.
Set the other SELinux booleans
sudo setsebool -P ftp_home_dir 1
sudo setsebool -P ftpd_full_access 1
==Create Individual FTPS User==
and add it to the sftps group
sudo useradd ftpuser && sudo passwd ftpuser
sudo usermod -aG sftps ftpuser
====Install VSFTPD====
sudo dnf install vsftpd
Create the log file (fail2ban won't start if it is missing, and vsftpd only creates it on the first FTP login)
sudo touch /var/log/vsftpd.log
==Edit Config==
sudo vim /etc/vsftpd/vsftpd.conf
Set the following:
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/opt/public/share
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
dual_log_enable=YES
Add the users you want to allow FTP access for
sudo vim /etc/vsftpd/user_list
Remove everything in there, then add the users who should have FTP access, one per line.
==Enable and Restart Service==
sudo systemctl enable vsftpd
sudo systemctl restart vsftpd
==Add Firewall Rules==
sudo firewall-cmd --permanent --add-port=21/tcp
sudo firewall-cmd --permanent --add-port=21000-21010/tcp
sudo firewall-cmd --reload
====Enable SSL/TLS Encryption====
https://forums.centos.org/viewtopic.php?t=43230
https://www.getpagespeed.com/server-setup/ssl-directory
https://help.thorntech.com/docs/sftp-gateway-classic/enabling-ftps-using-vsftp/
==Create Private Key and CSR==
sudo openssl req -new -newkey rsa:4096 -nodes -keyout site1.domain.com.key -out site1.domain.com.csr
Move the files to your PKI folder
sudo mv site1.domain.com.* /etc/pki/tls/private/
Set permissions on private key
sudo chown root:root /etc/pki/tls/private/site1.domain.com.key
sudo chmod 600 /etc/pki/tls/private/site1.domain.com.key
sudo restorecon -RvF /etc/pki/tls/private/
Submit the CSR to your CA (public or private)
Copy the BASE64 certificate from your CA to your cert folder
sudo vim /etc/pki/tls/certs/site1.domain.com.crt
Create the CA bundle associated with your certificate
sudo vim /etc/pki/tls/certs/site1.domain.com.ca-bundle
Paste the subordinate followed by the root BASE64 certificates
Edit the conf file for VSFTPD
sudo vim /etc/vsftpd/vsftpd.conf
Set the following
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/pki/tls/certs/site1.domain.com.crt
rsa_private_key_file=/etc/pki/tls/private/site1.domain.com.key
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
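As an added check (not part of this guide), a small shell audit that reads a vsftpd.conf and reports any of the settings above that are missing or weaker than this guide sets. The embedded config is a constructed sample, and 21000-21010 is the passive range the firewall rule above opens.

```shell
# Constructed sample of the vsftpd.conf settings this guide sets (not a real file).
SAMPLE_VSFTPD_CONF='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
local_root=/opt/public/share
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010'

# Settings the guide requires, and the passive range the firewall-cmd rule above opened.
REQUIRED='anonymous_enable=NO local_enable=YES chroot_local_user=YES userlist_enable=YES
userlist_deny=NO ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES
ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=NO'
PASV_FW_LO=21000; PASV_FW_HI=21010

# conf_get KEY: print the uppercased value of KEY from the config on stdin
# (vsftpd compares booleans case-insensitively; the last occurrence wins).
conf_get() { awk -F= -v k="$1" '$1==k {v=toupper($2)} END {print v}'; }

# vsftpd_audit: read a config on stdin, print one finding per line, nothing if clean.
vsftpd_audit() {
  conf=$(cat)
  for pair in $REQUIRED; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$conf" | conf_get "$key")
    if [ "$got" != "$want" ]; then echo "MISMATCH $key: expected $want, got ${got:-unset}"; fi
  done
  # TLS 1.1 is obsolete: warn even though the guide enables it.
  if [ "$(printf '%s\n' "$conf" | conf_get ssl_tlsv1_1)" = "YES" ]; then echo "WARN ssl_tlsv1_1 enabled"; fi
  # The passive range must be valid and lie inside the ports the firewall opened.
  lo=$(printf '%s\n' "$conf" | conf_get pasv_min_port)
  hi=$(printf '%s\n' "$conf" | conf_get pasv_max_port)
  if ! { [ "$lo" -ge "$PASV_FW_LO" ] && [ "$hi" -le "$PASV_FW_HI" ] && [ "$lo" -le "$hi" ]; } 2>/dev/null; then
    echo "MISMATCH pasv range: ${lo:-unset}-${hi:-unset} not within $PASV_FW_LO-$PASV_FW_HI"
  fi
  return 0
}
```

On the server, run it as root against the live file (`vsftpd_audit < /etc/vsftpd/vsftpd.conf`), since the config is normally readable only by root.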
====Automatic Updates for CentOS====
https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
Set:
upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd
Enable the auto-update timer
sudo systemctl enable --now dnf-automatic.timer
====fail2ban====
https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo dnf install epel-release
sudo dnf install fail2ban
==Create a Jail for SSHd==
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
==Create Jail for VSFTPD==
sudo vim /etc/fail2ban/jail.d/vsftpd.local
Add the following:
[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd
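An added example (not from this guide or from fail2ban) showing what the vsftpd jail keys on: a shell function that reads vsftpd.log lines in vsftpd's own format, counts FAIL LOGIN entries per client, and reports clients that reached fail2ban's default maxretry, listing the usernames tried and whether a successful login followed. The log lines are constructed; the function ignores findtime.

```shell
# Constructed excerpt of /var/log/vsftpd.log in vsftpd's own log format (not a real capture).
SAMPLE_VSFTPD_LOG='Wed Feb  5 10:00:01 2020 [pid 2101] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Wed Feb  5 10:00:03 2020 [pid 2103] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Wed Feb  5 10:00:05 2020 [pid 2105] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Feb  5 10:00:07 2020 [pid 2107] [ftpuser] OK LOGIN: Client "198.51.100.7"
Wed Feb  5 10:00:09 2020 [pid 2109] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Wed Feb  5 10:00:11 2020 [pid 2111] [root] FAIL LOGIN: Client "203.0.113.5"
Wed Feb  5 10:00:20 2020 [pid 2120] [ftpuser] OK LOGIN: Client "203.0.113.5"
Wed Feb  5 10:01:00 2020 [pid 2130] [ftpuser] FAIL LOGIN: Client "198.51.100.7"'

MAXRETRY=5   # fail2ban's default maxretry; this example does not model findtime

# ftp_login_report: read vsftpd.log lines on stdin; for every client that reached
# MAXRETRY failed logins print the count, the usernames tried and whether an
# OK LOGIN from that client followed (a ban stops new connections, not that session).
ftp_login_report() {
  awk -v max="$MAXRETRY" '
    / (FAIL|OK) LOGIN: Client / {
      ip = substr($NF, 2, length($NF) - 2)                # last field is "ip" in quotes
      user = substr($(NF-4), 2, length($(NF-4)) - 2)      # field before FAIL/OK is [user]
      if ($(NF-3) == "FAIL") {
        fails[ip]++
        if (index(" " users[ip], " " user " ") == 0) users[ip] = users[ip] user " "
      } else if (fails[ip] >= max) success[ip] = 1
    }
    END {
      for (ip in fails) if (fails[ip] >= max)
        printf "%s fails=%d users=[%s] login_after_threshold=%s\n", ip, fails[ip],
               substr(users[ip], 1, length(users[ip]) - 1), (ip in success) ? "yes" : "no"
    }
  ' | sort
}
```

On the server, `fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf` runs the real filter against the live log, and `sudo fail2ban-client status vsftpd` lists the current bans.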
====SFTP====
https://www.atlantic.net/vps-hosting/how-to-create-a-sftp-user-without-shell-access-on-centos-8/ \\
https://unix.stackexchange.com/questions/293756/set-startup-folder-for-sftp-to-be-other-than-home-username-is-throwing-me-permi
Create a new directory for SFTP or use the existing FTP directory if you need more than one access method.
sudo mkdir -p /opt/public/sftp
sudo chown root:root /opt/public
sudo chown -R sftps:sftps /opt/public/sftp
sudo chmod 770 /opt/public/sftp
sudo semanage fcontext -a -t public_content_rw_t /opt/public/sftp
sudo restorecon -Rvv /opt/public/sftp
==Generate SSH key for sudo user on client computer (not the webserver)==
To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host. \\
https://www.ssh.com/ssh/keygen/
ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519
Record the private and public keys in a secure document for the server. \\
Copy the public key to the remote server. \\
ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname
Log in using the SSH key
ssh -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname sudo_username@remote_hostname
==Restrict Access in SSH==
sudo vim /etc/ssh/sshd_config
Add the following:
Match User ftpuser
ForceCommand internal-sftp -d /sftp
PasswordAuthentication yes
ChrootDirectory /opt/public
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
This forces the listed parameters on ftpuser: the user gets SFTP access only, starts out in the sftp directory, and is chrooted to /opt/public. Note that /opt/public must be owned by root:root and not writable by any other user or group for the chroot to work, and the subdirectories need permissions that give access to the desired users/groups.
==Restrict SSH Access==
We want to restrict SSH access to our sudo user and the SFTP users.
sudo vim /etc/ssh/sshd_config
Add the following:
AllowUsers sudo_username ftpuser_username
Since you are going to allow public SFTP access, your SSH port is open to the public. We've already restricted who can log in over SSH/SFTP; now we want key-only login for the sudo user.
Don't allow members of the wheel group to login with passwords
Match Group wheel
PasswordAuthentication no
And change the default SSH/SFTP port. Port is a global directive, so place it above the Match blocks; sshd rejects a config where it appears inside one.
Port 21011
Tell SELinux about the new port
sudo semanage port -a -t ssh_port_t -p tcp 21011
Set up the firewall rule
sudo firewall-cmd --permanent --zone=public --add-port=21011/tcp
sudo firewall-cmd --reload
Restart SSHD
sudo systemctl restart sshd
sudo systemctl restart vsftpd
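An added example, not from this guide: a shell check over a constructed sshd_config fragment assembled from the lines added above, in the order the guide gives them. It reports any global-only directive (such as Port) that ends up after a Match line, because every line after the first Match belongs to some Match block and sshd refuses to start on such a file.

```shell
# Constructed sshd_config fragment made of the lines this guide adds, in the
# order the guide gives them (not the real file).
SAMPLE_SSHD_CONF='PermitRootLogin no
Match User ftpuser
ForceCommand internal-sftp -d /sftp
PasswordAuthentication yes
ChrootDirectory /opt/public
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sudo_username ftpuser_username
Match Group wheel
PasswordAuthentication no
Port 21011'

# Keywords sshd accepts only at global scope, never inside a Match block.
GLOBAL_ONLY='Port ListenAddress AddressFamily HostKey Subsystem'

# sshd_match_check: read an sshd_config on stdin and print every global-only
# keyword that appears after a Match line. Every line after the first Match
# belongs to some Match block, so the fix is to move such lines above it.
sshd_match_check() {
  awk -v globals="$GLOBAL_ONLY" '
    BEGIN { n = split(globals, g, " "); for (i = 1; i <= n; i++) only[tolower(g[i])] = 1 }
    NF == 0 || $1 ~ /^#/ { next }                      # skip blank lines and comments
    { kw = tolower($1) }
    kw == "match" { block = $0; next }                 # remember which block we are in
    block != "" && (kw in only) { print NR ": " $1 " not allowed inside \"" block "\"" }
  '
}
```

On the server, `sudo sshd -t` is the authoritative syntax check to run before restarting sshd.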