How to Setup Secure FTP (SFTP)

I’m at my [limited] wits end!

I’ve been trying to fortify my My Book Live 3GB’s for external access by family members gradually spreading out around the globe.

I don’t like the WD2GO solution due to the lack of controls/logging, so I’ve been utilizing FTP within the MBL.

However, I feel exposed with that solution, so I’ve been trying to implement SFTP with logons for specified MBL users.

Using threads like How to Setup Secure FTP, and others, I successfully got it working.  However, when the client software (FileZilla) connects, the user (not admin) goes to the root level of the device, not to the /shares folder. The /etc/passwd file shows /shares as the home directory, but it’s being ignored. I love my family, but I’m not at all comfortable with them being able to modify root level files!

I have configured /etc/vsftpd.conf and restarted it.

Following is the vsftpd.conf file I’m using.

Hopefully someone knows what I’m doing wrong!  Thanks!


ftpd_banner="MBL 1"
listen=yes
listen_port=21
accept_timeout=60
connect_timeout=60
data_connection_timeout=300
max_clients=0
max_per_ip=2
xferlog_enable=YES
hide_ids=YES
dirlist_enable=YES
download_enable=YES
use_localtime=YES
write_enable=YES
file_open_mode=0755
local_enable=YES
local_umask=02
local_max_rate=0
anon_root=/shares
check_shell=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/user_list
vsftpd_log_file=/var/log/vsftpd.log
anonymous_enable=NO
anon_mkdir_write_enable=NO
anon_upload_enable=NO
anon_world_readable_only=YES
anon_other_write_enable=NO
no_anon_password=YES
anon_max_rate=0
anon_umask=077
#share_acl_enable=YES
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=5000
pasv_max_port=5099

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections   Sugg: YES
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.  Sugg: YES
force_local_data_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=NO
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# Permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=NO
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
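The file above configures vsftpd for FTP over TLS (FTPS), which is a different protocol from the SSH-based SFTP discussed later in the thread. With `ssl_enable=YES` but `force_local_logins_ssl=NO` and `force_local_data_ssl=NO`, TLS is offered, yet a client that never asks for it still logs in and transfers files in the clear. The script below is an added example, not part of any post in the thread: a small shell audit that reads a vsftpd.conf, reports the settings that leave passwords or data unencrypted, and writes a hardened copy beside it. The sample configuration it reads is a constructed copy of the relevant lines from the posted file; on the device itself the functions would be pointed at /etc/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread): audit a vsftpd.conf for TLS
# settings that leave logins or data connections unencrypted.

# Constructed sample: the TLS-related lines of the posted configuration.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
anonymous_enable=NO
chroot_local_user=YES
EOF

# conf_get FILE KEY: value of KEY, upper-cased; the last definition wins,
# which is how vsftpd resolves duplicates. Prints nothing if KEY is absent.
conf_get() {
    grep -i "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr 'a-z' 'A-Z'
}

# audit_vsftpd_conf FILE: one finding per line, nothing when clean.
audit_vsftpd_conf() {
    f="$1"
    if [ "$(conf_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: every login and transfer is plaintext"
        return 0
    fi
    # Without these two, TLS is optional and a client may simply not use it.
    [ "$(conf_get "$f" force_local_logins_ssl)" = "YES" ] \
        || echo "force_local_logins_ssl=NO: passwords may be sent in the clear"
    [ "$(conf_get "$f" force_local_data_ssl)" = "YES" ] \
        || echo "force_local_data_ssl=NO: file data may be transferred in the clear"
    # SSLv2 and SSLv3 are broken protocols; only flag them if turned on.
    [ "$(conf_get "$f" ssl_sslv2)" != "YES" ] \
        || echo "ssl_sslv2=YES: SSLv2 is insecure and should be disabled"
    [ "$(conf_get "$f" ssl_sslv3)" != "YES" ] \
        || echo "ssl_sslv3=YES: SSLv3 is insecure and should be disabled"
}

# audit_count FILE: number of findings, for use in scripts ("0" when clean).
audit_count() {
    audit_vsftpd_conf "$1" | grep -c . || true
}

# Hardened copy: same file with the two force_* settings switched on.
HARDENED_CONF="$(mktemp)"
sed -e 's/^force_local_logins_ssl=.*/force_local_logins_ssl=YES/' \
    -e 's/^force_local_data_ssl=.*/force_local_data_ssl=YES/' \
    "$SAMPLE_CONF" > "$HARDENED_CONF"

echo "--- findings for the posted settings ---"
audit_vsftpd_conf "$SAMPLE_CONF"
echo "--- findings for the hardened copy ($(audit_count "$HARDENED_CONF")) ---"
audit_vsftpd_conf "$HARDENED_CONF"
```

Forcing TLS on logins and data connections means a client that cannot negotiate TLS is refused rather than silently downgraded; `require_ssl_reuse=NO`, which the posted file needs for WinSCP and FileZilla, is left alone here because it is a client-compatibility trade-off rather than a plaintext exposure.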


Hello, FTP access with third party software is not officially supported, but maybe some of the other community members can chime in and share some advice. 

SFTP runs over 22 (ssh); I was able to get it running in a very simple way.

http://community.wd.com/t5/My-Book-Live/what-s-my-normal-non-root-user-s-SSH-password/m-p/566360/highlight/true#M21992


Thanks very much for your suggestions!

As per the instructions provided, I:

  • Had already enabled SSH

  • Had created shares, users, set passwords and permissions via dashboard

  • Allow Users to SSH:

edit file /etc/ssh/sshd_config
Change “AllowUsers” line by adding user names such as:
AllowUsers root user1 user2

  • Optional: Set users home dir: edit file /etc/passwd
    The following will set home dir to “Public”
    Change from “/shares:/bin/sh” to “/shares/Public:/bin/sh”

  • Restart ssh daemon or reboot:
    /etc/init.d/ssh restart

  • Tested ssh SFTP for a user within the home network.

The result was still the same.  Configured users can connect fine in SFTP, but they are positioned at the root level, not at the /shares/Public (or at the /shares directory, where I would really like them to be).

Is there something I’m doing wrong?  …or is there a missing step?  …or any other suggestions?

Thanks!

No idea. It seems to work fine for me via ssh and sftp/scp.

Can you test with SSH to see if that places the user at the home dir?

I tested it with SSH.

Yes, with SSH, it positions the connection at the directory specified in the passwd file.

Now, if only I could figure out why SFTP won’t cooperate!

Hmmm, make sure in FileZilla you are using “sftp - ssh file transfer protocol” as the server type.

Otherwise, try a different version of FileZilla and/or another app. I am using an old version, 3.3.51, and it works just fine.

Thanks for your continued suggestions.

Yes, I’m definitely using the SFTP - SSH File Transfer Protocol of FileZilla.

Regarding switching versions.  The reason I’m trying to implement SFTP is for security.  If somebody can get at my root files if they use the latest version of Filezilla (or any particular SFTP client), that sort of defeats the purpose.

Different versions refers to FileZilla, 3.7.1, 3.7.2, etc., not different protocols such as sftp/scp/ftp/etc…

Now, whether they are in a different home folder, has nothing to do with the home dir. They might be able to browse to different dirs anyway when home dir is set. However, it will all depend on the permissions you provide.

But do not take my word for it, test it. Try deleting, creating files, listing files, etc…


Sigh!

Well, I set aside some time to do as you suggested, Shabuboy.

However, when I did my first (standard) test with the settings above, it worked!  I can’t explain it. Each user was positioned at the directory specified in the passwd file, and although they could move up the hierarchy, they could only modify files as specified in the MBL dashboard.

I had rebooted sshd, vsftp, and the device.  Is there something else that I needed to restart (that later restarted on its own), or some cache that needed to be flushed?  I’m at a loss - HAPPY - but at a loss!

So thank-you very much for your help!

A follow-up question, now that I’m on a roll!

Is there a way to log SFTP file transfers?  I see logon messages in the sshd.log, but nothing about file transfers in it, nor in the messages file.

I tried changing the sshd_config “Subsystem sftp /usr/lib/openssh/sftp-server” line to:

    Subsystem sftp /usr/lib/openssh/sftp-server -l INFO      (or VERBOSE)

   And restarted with:   /etc/init.d/ssh restart

…but that didn’t help.

Any suggestions?

Thanks again!

No idea, to tell you the truth. Search for sftp logging on Debian. These devices run Debian Lenny.

Thanks again!  That should help me narrow it down.
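As an added note and example, not from any post in the thread: `sftp-server -l INFO` sends its messages to syslog's auth facility by default, so on a stock Debian system they appear in /var/log/auth.log rather than in the sshd log the question refers to (the sshd.log path is specific to the MBL). At INFO level each session is logged with the user name and client address, and each file is logged on open and on close with the number of bytes read and written, so a transfer report can be built from those lines. The script below does that over a constructed sample in that format; the host name, user, address, pid and paths are made up. It also generalises slightly beyond the question by reporting deletions, which sftp-server logs as `remove name`.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-file transfer report from
# sftp-server INFO messages as written to syslog. The log below is
# constructed; host, user, address, pid and paths are made up.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan  8 16:39:30 mbl sshd[2211]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
Jan  8 16:39:30 mbl sftp-server[2213]: session opened for local user alice from [192.0.2.10]
Jan  8 16:39:41 mbl sftp-server[2213]: open "/shares/Public/photo.jpg" flags WRITE,CREATE,TRUNCATE mode 0644
Jan  8 16:39:44 mbl sftp-server[2213]: close "/shares/Public/photo.jpg" bytes read 0 written 204800
Jan  8 16:40:02 mbl sftp-server[2213]: open "/shares/Public/holiday notes.txt" flags READ mode 0666
Jan  8 16:40:02 mbl sftp-server[2213]: close "/shares/Public/holiday notes.txt" bytes read 1536 written 0
Jan  8 16:40:10 mbl sftp-server[2213]: remove name "/shares/Public/old.bak"
Jan  8 16:40:15 mbl sftp-server[2213]: session closed for local user alice from [192.0.2.10]
EOF

# sftp_transfer_report FILE: print "user ACTION path bytes" for every file
# uploaded, downloaded or removed. The sftp-server pid in field 5 ties each
# file event back to the "session opened" line that names the user.
sftp_transfer_report() {
    awk '
    function pid_of(field) { sub(/^[^[]*\[/, "", field); sub(/\].*$/, "", field); return field }
    function quoted_path() { match($0, /"[^"]*"/); return substr($0, RSTART + 1, RLENGTH - 2) }
    $5 ~ /^sftp-server\[/ && /session opened for local user/ {
        match($0, /local user [^ ]+/)
        owner[pid_of($5)] = substr($0, RSTART + 11, RLENGTH - 11)
    }
    $5 ~ /^sftp-server\[/ && /: close "/ {
        user = owner[pid_of($5)]; path = quoted_path()
        n = split($0, f, " ")            # line ends "... bytes read R written W"
        if (f[n] + 0 > 0)     printf "%s UPLOAD %s %s\n", user, path, f[n]
        if (f[n - 2] + 0 > 0) printf "%s DOWNLOAD %s %s\n", user, path, f[n - 2]
    }
    $5 ~ /^sftp-server\[/ && /: remove name "/ {
        printf "%s DELETE %s 0\n", owner[pid_of($5)], quoted_path()
    }' "$1"
}

# transfer_count FILE: number of report lines ("0" when nothing happened).
transfer_count() {
    sftp_transfer_report "$1" | grep -c . || true
}

sftp_transfer_report "$SAMPLE_LOG"
```

Run against a real auth.log the same functions work unchanged, since the message formats are sftp-server's own. One caveat that matters once users are confined with ChrootDirectory: sftp-server logs through /dev/log, so inside a chroot nothing is recorded unless the syslog daemon also listens on a socket inside that directory.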

Did you get it working yet? I’m having the same problem here and searching for the solution

Thanks in advance!

Leeeonb,

I was able to get it to work as specified below…

http://community.wd.com/t5/My-Book-Live/what-s-my-normal-non-root-user-s-SSH-password/m-p/566360/highlight/true#M21992

test with “root” before moving to user/shares creation

checkmark that!

I got it working! The solution appeared to be to FIRST connect through root and AFTER THAT through your own created user / share to make the connection wanted. Using the login credentials both local and remote works now. I have removed the login option root from /etc/ssh/sshd_config just for safety.

How do you ensure that the other folders are not available? I want one defined primary folder accessible. The one I log on to. Where can I determine the rights?

hmmm, my post mentions the folder permissions and home folder… not sure if you read it all.

Anyhow, the permissions will be whatever you defined in the dashboard, private vs public

How do you ensure that the other folders are not available?

  • Dashboard, private vs public. The folder might be listed even if you do not have rights, but won’t be able to access it

I want one defined primary folder accessible. The one I log on to.

  • Set a home folder for SSH, see my post…

Where can I determine the rights?

  • Dashboard, public vs private (and users who can access it).

Just play with it, you will get it…

OK, 

Maybe I’m explaining myself wrong, or not searching too well… :smiley:

I’ve got the following setup:

[Attached screenshot: Screen Shot 2014-01-08 at 4.39.30 PM.png]

When logging in with the credentials especially for the share ‘Transfer’ I can go up a level in the FTP client and see the other folders: Private, Media, Public. The first 2 are not accessible, which I managed through the GUI from My Book Live. The public one still is, that’s my problem. I would even prefer NO visibility of ALL of these folders and just go in that one share ‘Transfer’ without the possibility to go up to the other folders, but okay…

If I should make a concession to see the folder(s) but not make them accessible, especially the Public folder, that would be OK too.

If this is possible then please guide me the way or point me in the direction where to look :slight_smile:

If you are looking how to hide folders, sorry no idea. I believe there was a guide somewhere in this forum how to do that. Search for it.

Otherwise, what you are looking for is for advanced Unix Admins (which I am far from…). The MBL runs Debian Lenny, good luck.
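The confinement asked for above (one share visible, no way to browse up to the others) is what OpenSSH's `ChrootDirectory` directive does when combined with `ForceCommand internal-sftp` in a `Match User` block at the end of sshd_config; sshd then changes into the user's home directory as seen from inside the chroot. sshd refuses the chroot unless the directory and every directory above it are owned by root and not writable by group or others, which is the usual reason such a setup fails. The script below is an added example, not from any post in the thread: it prints the Match block for a placeholder user and directory and checks a path against that ownership rule. The user name `bob` and the path `/shares` are placeholders; whether /shares on the MBL meets the rule is exactly what the check is for.

```shell
#!/bin/sh
# Added example (not from the thread): generate an sshd_config block that
# confines an SFTP-only user to one directory, and verify that directory
# meets the ownership rule sshd enforces for ChrootDirectory.
# "bob" and "/shares" are placeholders.

# sshd_sftp_match_block USER DIR: the block to append to /etc/ssh/sshd_config.
# Match blocks apply until the next Match, so they belong at the end of the file.
sshd_sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# dir_owner DIR: owner name (or numeric uid) as reported by ls -ld.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# dir_group_or_world_writable DIR: succeed when the group or others may write.
# In the ls mode string "drwxrwxr-x", group write is character 6, other write
# is character 9.
dir_group_or_world_writable() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_dir_ok DIR: succeed if DIR itself is acceptable as a chroot
# component (root-owned, not writable by group or others); otherwise
# print why and fail.
chroot_dir_ok() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    owner=$(dir_owner "$1")
    if [ "$owner" != "root" ] && [ "$owner" != "0" ]; then
        echo "$1: owned by $owner; ChrootDirectory requires root ownership"
        return 1
    fi
    if dir_group_or_world_writable "$1"; then
        echo "$1: writable by group or others; fix with: chmod 755 $1"
        return 1
    fi
    return 0
}

# chroot_path_ok DIR: apply chroot_dir_ok to DIR and every parent up to /,
# since sshd checks each path component.
chroot_path_ok() {
    p="$1"
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        chroot_dir_ok "$p" || return 1
        p=$(dirname "$p")
    done
    return 0
}

echo "--- sshd_config block for placeholder user bob ---"
sshd_sftp_match_block bob /shares
echo "--- chroot check for placeholder path /shares ---"
chroot_path_ok /shares && echo "/shares: acceptable as ChrootDirectory"
```

Because the chroot directory cannot be writable by the user, uploads go into a writable subdirectory beneath it (the share), with the user's /etc/passwd home directory pointing at that subdirectory as named inside the chroot. `ForceCommand internal-sftp` also means the login shell in /etc/passwd is never used, so the user gets file transfer and nothing else.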