Help How to secure ftp + Exploits

Mor

Member
Feb 1, 2011
Hey, how do I secure FTP + exploits
so that no one can hack my root and get my clients' information from FTP?

c99 and all, how can I secure that?
 

JeffP.

Well-Known Member
Sep 28, 2010
For FTP, I would recommend the following:

1. Log into WHM as root
2. Click "FTP Server Configuration"
3. The first option is labeled "TLS Encryption Support". In the dropdown menu there is an option that says "Required (Command/Data)"

That will prevent usernames and passwords being sent over the Internet in plain text when users log into FTP.

Additionally, avoid using insecure FTP applications like FileZilla that store your FTP usernames and passwords in plain text on your computer, and warn your users of the same.

In regards to security in general, keep in mind that less code means less surface area to attack. So, be very careful about installing 3rd party applications on your machine, regardless of their intended purpose.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
It wouldn't be better to use sFTP over TLS with data and command being forced. sFTP allows users access to view / portions of the system outside their /home directory due to how it works. TLS is as secure if not more than sFTP without the inherent security issues and weaknesses that sFTP includes.
 

ilihost

Member
Jul 28, 2007
cPanel Access Level
Root Administrator
Hello,

We use http://www.pyxsoft.com. It scans all FTP uploads in real time, blocking all known malware (c99, r57 and so on).
It also scans all HTTP uploads, blocking known and unknown scripts (Perl scripts and PHP scripts).

We are using it in our network and it has blocked hundreds of attacks.
 

pnueda

Member
Nov 12, 2010
> It wouldn't be better to use sFTP over TLS with data and command being forced. sFTP allows users access to view / portions of the system outside their /home directory due to how it works. TLS is as secure if not more than sFTP without the inherent security issues and weaknesses that sFTP includes.

I arrived at a solution suitable for servers with cPanel.

Background:
1. When the user logs in via SFTP the authentication runs against their /home/username allowing them to have a ~/.ssh/authorized_keys file.
2. Once authenticated they are chrooted to /chroot/username.
3. Then the internal-sftp service is launched, delivering a shell in their home directory /home/username within the chroot.
Their home directory will look the same to them with or without the chroot. The only difference is that if they cd out of their home directory they will see a filesystem that contains nothing else.

It requires OpenSSH >=4.8, which is not available in the standard repositories with CentOS 5 + cPanel, since it takes advantage of the ChrootDirectory directive.
CentOS 6 + cPanel servers run an updated version of OpenSSH (>=5.3), so this is perfectly suitable for them.

Solution tested on a CentOS 6 server.

1. Common steps for all accounts (just once)

In /etc/ssh/sshd_config change to:
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Then append a new section:

Match Group sftponly
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

2. Script to run once per account.

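# -G without -a replaces the user's supplementary groups with sftponly
usermod -G sftponly username
mkdir -p /chroot/username/home/username
# sshd requires the ChrootDirectory path to be root-owned and not writable by group or others
chown -R root:sftponly /chroot/username
chmod -R 750 /chroot/username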

#cosmetic section (displays user-friendly owner and group names in sftp client session)
mkdir /chroot/username/etc
chgrp sftponly /chroot/username/etc
chmod 710 /chroot/username/etc
getent passwd username > /chroot/username/etc/passwd
echo "root:x:0:0:falso root:::" >> /chroot/username/etc/passwd
chmod 644 /chroot/username/etc/passwd
getent group sftponly > /chroot/username/etc/group
getent group username >> /chroot/username/etc/group
chmod 644 /chroot/username/etc/group
#end cosmetic section

echo "/home/username/public_html /chroot/username/home/username bind defaults,bind 0 0" >> /etc/fstab
mount /chroot/username/home/username

To-do: encapsulate in a bash shell script with parameter <username>

Hope you find it interesting.
 
Last edited:
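
The to-do at the end of the post above (one script that takes the username as a parameter) could look like the following. This is an added example, not code from the thread: the `CHROOT_BASE`, `FSTAB` and `DRY_RUN` variables, the username rule and the `groupadd -f` step are assumptions, and the cosmetic etc/passwd section is left out.

```sh
#!/bin/sh
# Added example (not from the thread): per-account steps as one script.
# Assumed: CHROOT_BASE, FSTAB, DRY_RUN, the username rule, groupadd -f.
LC_ALL=C; export LC_ALL
CHROOT_BASE="${CHROOT_BASE:-/chroot}"
FSTAB="${FSTAB:-/etc/fstab}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands only, 0 = execute (as root)

# Letters/digits only: no "../" path component, no extra fstab field.
valid_username() {
    case "$1" in
        ''|[0-9]*|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Bind-mount entry with the same fields as in the post.
fstab_line() {
    printf '%s %s bind defaults,bind 0 0\n' \
        "/home/$1/public_html" "$CHROOT_BASE/$1/home/$1"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

setup_sftp_chroot() {
    u="$1"
    valid_username "$u" || { echo "invalid username: $u" >&2; return 2; }
    jail="$CHROOT_BASE/$u"
    # On a re-run the bind mount is live, and chown -R / chmod -R would reach
    # the account's public_html through it, so stop before touching anything.
    if mountpoint -q "$jail/home/$u" 2>/dev/null; then
        echo "already mounted: $jail/home/$u" >&2; return 0
    fi
    # sshd requires a root-owned ChrootDirectory with no group/other write bit.
    run groupadd -f sftponly && run usermod -G sftponly "$u" &&
        run mkdir -p "$jail/home/$u" &&
        run chown -R root:sftponly "$jail" &&
        run chmod -R 750 "$jail" || return 1
    line="$(fstab_line "$u")"
    if ! grep -qxF "$line" "$FSTAB" 2>/dev/null; then    # append only once
        if [ "$DRY_RUN" = 1 ]; then echo "+ append to $FSTAB: $line"
        else echo "$line" >> "$FSTAB"; fi
    fi
    run mount "$jail/home/$u"
}

[ "$#" -eq 0 ] || setup_sftp_chroot "$1"
```

Run it with `DRY_RUN=0` as root once the printed commands look right; the one-time sshd_config change from the post still has to be made separately.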