Table of Contents

FTPS on CentOS 8 via VSFTPD

https://www.liquidweb.com/kb/how-to-install-and-configure-vsftpd-on-centos-7/
https://www.liquidweb.com/kb/configure-vsftpd-ssl/
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
http://www.tuxfixer.com/vsftpd-installation-on-centos-7-with-selinux/

Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.

3.) After install if finished reboot → login → perform a “dnf update”.

Create limited user account and add to wheel group for sudo
useradd example_user && passwd example_user
usermod -aG wheel example_user
Install useful stuff
dnf install vim rsyslog policycoreutils-python-utils
systemctl enable rsyslog
systemctl start rsyslog

Logout of root and login using sudo user

Disallow root login over SSH
sudo vim /etc/ssh/sshd_config

then set 

PermitRootLogin no

Restart sshd 

sudo systemctl restart sshd
Create Dedicated FTPS/SFTP User/Group
sudo useradd sftps
sudo usermod -s /sbin/nologin sftps

Create FTP directory 

sudo mkdir -p /opt/public/share
sudo chown root:root /opt/public/share
sudo chown -R sftps:sftps /opt/public/share
sudo chmod 770 /opt/public/share
sudo semanage fcontext -a -t public_content_rw_t /opt/public/share
sudo restorecon -Rvv /opt/public/share

Note: for chroot for SFTP the parent dir must be owned by root, this is for later if adding SFTP also.

Set other selinux options 

sudo setsebool -P ftp_home_dir 1
sudo setsebool -P ftpd_full_access 1
Create Individual FTPS User

And add to sftps group 

sudo useradd ftpuser && passwd ftpuser
sudo usermod -aG sftps ftpuser

Install VSFTPD

sudo dnf install vsftpd

Create log file (if it's not there fail2ban won't start, the log file is created automatically on ftp login) 

sudo touch /var/log/vsftpd.log
Edit Config
sudo vim /etc/vsftpd/vsftpd.conf

Set the following: 

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/opt/public/share
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
dual_log_enable=YES

Add the users you want to allow FTP access for 

sudo vim /etc/vsftpd/user_list

Remove everything in there then add the users you want to have FTP access.

Enable and Restart Service
sudo systemctl enable vsftpd
sudo systemctl restart vsftpd
Add Firewall Rules
sudo firewall-cmd --permanent --add-port=21/tcp
sudo firewall-cmd --permanent --add-port=21000-21010/tcp
sudo firewall-cmd --reload

Enable SSL/TLS Encryption

https://forums.centos.org/viewtopic.php?t=43230 https://www.getpagespeed.com/server-setup/ssl-directory https://help.thorntech.com/docs/sftp-gateway-classic/enabling-ftps-using-vsftp/

Create Private Key and CSR
sudo openssl req -new -newkey rsa:4096 -nodes -keyout site1.domain.com.key -out site1.domain.com.csr

Move the files to your PKI folder 

sudo mv site1.domain.com.* /etc/pki/tls/private/

Set permissions on private key 

sudo chown root:root /etc/pki/tls/private/site1.domain.com.key
sudo chmod 600 /etc/pki/tls/private/site1.domain.com.key
sudo restorecon -RvF /etc/pki/tls/private/

Submit the CSR to your CA (public or private)

Copy the BASE64 certificate from your CA to your cert folder 

sudo vim /etc/pki/tls/certs/site1.domain.com.crt

Create the CA bundle associated with your certificate 

sudo vim /etc/pki/tls/certs/site1.domain.com.ca-bundle

Paste the subordinate followed by the root BASE64 certificates

Edit the conf file for VSFTPD 

sudo vim /etc/vsftpd/vsftpd.conf

Set the following 

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/pki/tls/certs/site1.domain.com.crt
rsa_private_key_file=/etc/pki/tls/private/site1.domain.com.key
pasv_enable=Yes
pasv_min_port=21000
pasv_max_port=21010

Automatic Updates for CentOS

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/ 

sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf

Set: 

upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd

Enable the auto-update timer 

sudo systemctl enable --now dnf-automatic.timer

fail2ban

https://idroot.us/install-fail2ban-centos-8/ https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 

sudo dnf install epel-release
sudo dnf install fail2ban
Create a Jail for SSHd
sudo vim /etc/fail2ban/jail.d/sshd.local

Add the following: 

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s
Create Jail for VSFTPD
sudo vim /etc/fail2ban/jail.d/vsftpd.local

Add the following: 

[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd

SFTP

https://www.atlantic.net/vps-hosting/how-to-create-a-sftp-user-without-shell-access-on-centos-8/
https://unix.stackexchange.com/questions/293756/set-startup-folder-for-sftp-to-be-other-than-home-username-is-throwing-me-permi

Create a new directory for SFTP or use the existing FTP directory if you need more than one access method. 

sudo mkdir -p /opt/public/sftp
sudo chown root:root /opt/public
sudo chown -R sftps:sftps /opt/public/sftp
sudo chmod 770 /opt/public/sftp
sudo semanage fcontext -a -t public_content_rw_t /opt/public/sftp
sudo restorecon -Rvv /opt/public/sftp
Generate SSH key for sudo user on client computer (not the webserver)

To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host.
https://www.ssh.com/ssh/keygen/ 

ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519

Record the private and public keys in a secure document for the server.
Copy the public key to the remote server. 

ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname

Login using SSH key 

ssh -i deployment_key.txt demo@192.237.248.66
Restrict Access in SSH
sudo vim /etc/ssh/sshd_config

Add the following: 

Match User ftpuser
ForceCommand internal-sftp -d /sftp
PasswordAuthentication yes
ChrootDirectory /opt/public
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

This will force the listed parameters on the ftpuser, namely that they are allowed sftp access only and that they'll start out in the sftp directory and that they are chrooted to /opt/public. Note, /opt/public must be owned by root:root for chroot to work and the subdirectories need permissions giving access to desired users/groups.

Restrict SSH Access

We want to restrict access to our sudo user and sftp users 

sudo vim /etc/ssh/sshd_config

Add the following: 

AllowUsers sudo_username ftpuser_username

And since theoretically you're going to allow public SFTP access this means your SSH port is open to the public. We've already restricted who can login over ssh/sftp but now we want to enable key login only for the sudo user.

Don't allow members of the wheel group to login with passwords 

Match Group wheel
PasswordAuthentication no

And change the default SSH/SFTP port 

Port 21011

Tell Selinux of the change 

sudo semanage port -a -t ssh_port_t -p tcp 21011

Setup firewall rules 

sudo firewall-cmd --permanent --zone=public --add-port=21011/tcp
sudo firewall-cmd --reload

Restart SSHD 

sudo systemctl restart sshd
sudo systemctl restart vsftpd