How to make a regular FTP server truly secure and at the same time convenient?

Published on December 06, 2013


    A caveat up front: I am not providing detailed instructions or configurations, I am just sharing my thoughts on how this could be done. Also, by FTP I mean not only classic FTP but also SFTP and SSL-FTP: this is an article about password security, not about the protocol itself.

    Imagine a hosting company providing hosting accounts with increased security, namely with two-factor authentication.

    There is nothing complicated about this: you just need to set up one or more second-factor authentication plug-ins on the server (for example, code.google.com/p/google-authenticator/wiki/PamModuleInstructions or motp.sourceforge.net/#6) and bind users to them.
    In most cases PAM can be specified in the FTP server's configuration, so in principle the FTP security problem is solved the same way.
    The problem lies elsewhere. Depending on the connection speed, server / router settings or FTP connection mode, an FTP session can be dropped if there is no activity for a certain time (or simply break at the most inopportune moment). With "classic" FTP the client simply connects again; you only need to tick the "save password" checkbox. With two-factor authentication this does not work: the user has to enter the password and the code from the "token" quite often, which is very inconvenient. You may be able to convince a user that a "token" is needed to log in to the system, but it is much harder to explain why they must do it several times in the middle of downloading files.
    I hope I have explained the problem. Now I will share an idea for making this more convenient for end users.

    FTP temporary password generation


    The principle itself is not original: I propose something like the application passwords used for Google accounts with two-step authentication enabled.
    This requires a simple web interface for generating application passwords. The web interface itself is accessible only with two-factor authentication. After logging in, the user generates an FTP password that is valid only for a certain time and only for a specific IP address (the current address is offered by default). An approximate interface might look like this:


    When a password is generated, the script writes a row to a database table (for example, MySQL): the username, the IP address, the timestamp of the time specified by the user, and the generated FTP password, which is shown to the user in the interface. This FTP password is then used for FTP access. The table will look like this:


    FTP server configuration


    Take PureFTPD as an example, since it can be tied to MySQL. Guided by the instructions, configure PureFTPD in this way:

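    MYSQLSocket     /tmp/mysql.sock
    # The queries below only read, so an account limited to SELECT on these tables is sufficient
    MYSQLUser       root
    MYSQLPassword   rootpw
    MYSQLDatabase   pureftpd
    # temp_password is stored and compared as plain text
    MYSQLCrypt      cleartext
    # expires holds the expiry timestamp: a row is valid only while expires is still in the future
    MYSQLGetPW      SELECT temp_password FROM temp_pass WHERE username="\L" AND IP="\R" AND expires >= UNIX_TIMESTAMP()
    MYSQLGetUID     SELECT Uid FROM users WHERE User="\L"
    MYSQLGetGID     SELECT Gid FROM users WHERE User="\L"
    MYSQLGetDir     SELECT Dir FROM users WHERE User="\L"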
    


    The configuration file uses the variables
    \L - user login
    \R - client IP address

    That is basically all. Ideally, you would also need some kind of cron script to clear expired passwords from the table.
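
    A sketch of the three pieces described above (issuing the temporary password from the web interface, the lookup the FTP server performs, and the cron cleanup), added here as an example and not taken from the original article. It assumes the column names from the MYSQLGetPW query, uses an in-memory SQLite database as a stand-in for MySQL, and treats expires as the time after which the password stops working; the function names are hypothetical.

```python
import hmac
import secrets
import sqlite3
import time


def open_db():
    """In-memory SQLite stand-in for the MySQL temp_pass table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE temp_pass ("
        " username TEXT NOT NULL, IP TEXT NOT NULL,"
        " expires INTEGER NOT NULL, temp_password TEXT NOT NULL,"
        " PRIMARY KEY (username, IP))"
    )
    return db


def issue_temp_password(db, username, ip, ttl_seconds, now=None):
    """Called by the web interface after the user has passed two-factor login."""
    now = int(time.time()) if now is None else now
    password = secrets.token_urlsafe(18)  # 144 bits from the OS CSPRNG
    # One active password per (user, IP): issuing a new one replaces the old row.
    db.execute(
        "INSERT OR REPLACE INTO temp_pass (username, IP, expires, temp_password)"
        " VALUES (?, ?, ?, ?)",
        (username, ip, now + ttl_seconds, password),
    )
    db.commit()
    return password


def ftp_login_ok(db, username, client_ip, supplied, now=None):
    """Mirrors the MYSQLGetPW lookup: user and client IP must match, row not expired."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT temp_password FROM temp_pass"
        " WHERE username = ? AND IP = ? AND expires >= ?",
        (username, client_ip, now),
    ).fetchone()
    # Constant-time comparison of the stored and supplied passwords.
    return row is not None and hmac.compare_digest(row[0].encode(), supplied.encode())


def purge_expired(db, now=None):
    """Cron job body: delete rows past their expiry time; returns rows removed."""
    now = int(time.time()) if now is None else now
    cur = db.execute("DELETE FROM temp_pass WHERE expires < ?", (now,))
    db.commit()
    return cur.rowcount
```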