ExtraDRM : Design Ressource Management

Web content and data design solutions

Want to prevent people from viewing the files in a particular web directory?

Here are the steps that will enable you to secure a web directory (in this example, the /var/www/html/admin directory, served as http://yourip/admin/).

Step # 1: Make sure Apache is configured to use .htaccess file

You need the AllowOverride AuthConfig directive in Apache's configuration for the directives in a .htaccess file to have any effect. Look for the Directory entry that matches your DocumentRoot. This example keeps it in /etc/apache2/httpd.conf; on Debian/Ubuntu the main file is /etc/apache2/apache2.conf and per-site Directory blocks live under /etc/apache2/sites-available/, so put the directive wherever the <Directory> block for your DocumentRoot is. In this example the DocumentRoot is /var/www, so the entry looks like this:

<Directory /var/www>
# Indexes switches on automatic directory listings; drop it if you do not
# want visitors to browse the file names of unprotected directories.
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
# Apache 2.2 access control; on Apache 2.4 replace the next two lines
# with "Require all granted".
Order allow,deny
Allow from all
</Directory>

Change the value from "AllowOverride None" to "AllowOverride AuthConfig" (or "AllowOverride All" if you also want .htaccess files to override other, non-authentication related options).

Save the file and restart Apache:
> sudo service apache2 restart

The next steps are to create a .htpasswd and a .htaccess file:

  • From an SSH command prompt run: htpasswd -c /etc/apache2/.htpasswd yourusername and enter the password you want (change the file location to suit). This creates a .htpasswd file containing a line like yourusername:me7asnd1UpLYw, i.e. the user name and a hash of the password, not the password itself. The -c option creates a new file and overwrites an existing one, so use it only for the first user and drop it when adding further users. Where htpasswd supports it (Apache 2.4.4 and later), add -B to get bcrypt hashes instead of the default MD5-based ones. Don't put the htpasswd file inside your webroot: a file under DocumentRoot is one misconfiguration away from being served, and leaked hashes can be cracked offline.
  • Create the .htaccess file in the directory you want to protect, e.g. /var/www/html/admin/.htaccess, with the following content:

AuthType Basic
AuthName "Protected Area"
Require valid-user
AuthUserFile /etc/apache2/.htpasswd

Protect your .htaccess and .htpasswd files.

chmod your .htaccess file 644, which translates to rw-r--r--.

chmod your .htpasswd file 640 (rw-r-----). With this mode the file must belong to root with group www-data (Apache's group on Debian/Ubuntu); otherwise Apache cannot read it and every login fails with a 500 error.

$ chmod 644 .htaccess
$ chmod 640 .htpasswd

Instead of a .htaccess file you can put the same directives directly into the virtual host, which then needs no AllowOverride at all. Edit the site file in /etc/apache2/sites-available (000-default.conf on Debian; the copy under /etc/apache2/sites-enabled is only the symlink that activates it) and add a Directory block for the admin directory:

/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Protects only /admin; use "/var/www/html" here to protect the whole site.
    <Directory "/var/www/html/admin">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

Reload Apache afterwards. Whichever variant you use, Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so serve the protected directory over HTTPS only (a *:443 virtual host); over plain HTTP the credentials can be read by anyone on the network path.
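Putting the steps above together, as an added example that is not part of the original page: a small shell script that creates or extends the password file with bcrypt hashes, refuses a password file that would sit inside DocumentRoot, sets the ownership and modes discussed above, writes the .htaccess and runs Apache's config check. It assumes Apache 2.4 on Debian/Ubuntu (the www-data group, htpasswd -B from apache2-utils, apache2ctl on PATH); the paths and the user name in the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): protect one web directory with
# HTTP Basic auth, keeping the password file outside DocumentRoot and with
# permissions Apache can read but other local users cannot.
# Assumes Debian/Ubuntu Apache 2.4: group www-data, htpasswd with -B (bcrypt),
# and apache2ctl on PATH.

set -u

# path_is_under ROOT PATH: succeed if PATH is inside ROOT. The trailing slash
# on ROOT is normalized so /var/www/html matches /var/www/html/x but not
# /var/www/html2/x.
path_is_under() {
    root=${1%/}
    case "$2" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_htaccess AUTHFILE REALM: print the .htaccess content. A realm
# containing a double quote would break the AuthName directive, so refuse it.
render_htaccess() {
    case "$2" in *\"*) echo "realm must not contain a double quote" >&2; return 1 ;; esac
    printf 'AuthType Basic\nAuthName "%s"\nAuthUserFile %s\nRequire valid-user\n' "$2" "$1"
}

# protect_directory DOCROOT DIR AUTHFILE USER: create or extend the password
# file, lock it down, write DIR/.htaccess and check the Apache configuration.
protect_directory() {
    docroot=$1 dir=$2 authfile=$3 user=$4

    # A password file inside the web tree is one misconfiguration away from
    # being served to the world: refuse it.
    if path_is_under "$docroot" "$authfile"; then
        echo "refusing: $authfile is inside DocumentRoot $docroot" >&2
        return 1
    fi

    # -c creates the file and would overwrite an existing one, so it is used
    # only the first time; -B selects bcrypt instead of the default MD5 scheme.
    if [ -e "$authfile" ]; then
        htpasswd -B "$authfile" "$user"
    else
        htpasswd -B -c "$authfile" "$user"
    fi

    # root owns it, the Apache group may read it, nobody else can.
    chown root:www-data "$authfile"
    chmod 640 "$authfile"

    render_htaccess "$authfile" "Protected Area" > "$dir/.htaccess"
    chmod 644 "$dir/.htaccess"

    apache2ctl configtest
}

# Usage (placeholders): sudo sh protect.sh /var/www/html /var/www/html/admin /etc/apache2/.htpasswd alice
if [ "$#" -eq 4 ]; then
    protect_directory "$@"
fi
```

The functions are kept separate from the privileged actions so the path and realm checks can be exercised without touching the system; a configtest failure leaves Apache running on its old configuration, which is why the script runs it last rather than reloading blindly.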


Monsta FTP is an open source web-based FTP file manager written in PHP and Ajax. It is easy to install and lets you upload, download and manage your files. With drag & drop to upload or move, on-screen file editing and multi-language support, Monsta can replace desktop FTP software such as FileZilla.

Before installing, check that apache2 and php5 are installed.

1) Download and unzip their latest zip into a dedicated folder under /var/www

At the time of writing the latest version is 1.8.5, but make sure you download the current one.

As root (or with sudo), run:

cd /var/www
mkdir monsta
cd monsta/
wget www.monstaftp.com/download/monsta_ftp_v1.8.5_install.zip
unzip monsta_ftp_v1.8.5_install.zip
rm monsta_ftp_v1.8.5_install.zip

Note that this fetches the archive over plain HTTP. Prefer the https URL used in the variant below, and compare the archive's checksum or signature with the one the publisher provides before unpacking code that will run under your web server.

On a fresh Debian wheezy VPS you can also do:

wget https://www.monstacdn.com/downloads/monsta_ftp_v1.8.5_install.zip -O monsta.zip
sudo apt-get install unzip
unzip -q monsta.zip && rm monsta.zip

Do not add --no-check-certificate to the wget command: it disables TLS certificate validation, so anyone on the path can hand you a tampered archive that then runs as your web server. If the download fails because the certificate chain is not trusted, fix the CA store (apt-get install ca-certificates) instead.

The archive unpacks into a folder named mftp. Under the Monsta folder, give it to the Apache user www-data (uid 33):

chown -R www-data:www-data mftp
chmod -R 755 mftp

Making www-data own the whole application means a compromised PHP process can rewrite Monsta's own code. If the application only needs to write to a few directories, restrict www-data ownership to those and keep the rest owned by root and world-readable.

The Monsta FTP default language is English (en_us).

To switch to French:

Go to /var/www/html/mftp/languages.

In the file en_us.php, set the variable $file_lang_default to 0.

In the file fr_fr.php, set the variable $file_lang_default to 1.

PS: feel free to correct the spelling mistakes in the fr_fr.php shipped by default...


2) Change the owner of the folder to www-data:www-data to avoid permission issues.

chown -R www-data:www-data monsta

chmod -R 755 mftp

You can then access it at http://yourserverIP/monsta. Monsta carries FTP credentials between the browser and the server, so serve it over HTTPS, and consider putting the directory behind the Basic authentication described at the top of this page.
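An added example, not from the page or the Monsta FTP project, of the safer way to fetch the archive: TLS verification left on, the SHA-256 of the download compared with a value obtained from the publisher, and the archive discarded on mismatch before anything is unpacked into /var/www. No checksum for the Monsta release is known here, so the expected digest is an argument; the URL and destination in the usage line are the page's.

```sh
#!/bin/sh
# Added example (not from the original page or from Monsta FTP): download an
# install archive with certificate checking left on, verify its SHA-256
# against a publisher-provided value, and unpack only on a match.
# The expected digest is supplied by the caller; none is assumed here.

set -u

# sha256_of FILE: print the hex digest, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digests match; the
# expected value may be given in upper or lower case.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST_DIR: download to a temporary file,
# verify, then unpack. A mismatch deletes the archive so nothing half-trusted
# is left behind.
fetch_verified() {
    url=$1 expected=$2 dest=$3
    archive=$(mktemp) || return 1
    # No --no-check-certificate: a failed TLS check aborts the download.
    wget -q -O "$archive" "$url" || { rm -f "$archive"; return 1; }
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $url, archive discarded" >&2
        rm -f "$archive"
        return 1
    fi
    mkdir -p "$dest" && unzip -q "$archive" -d "$dest"
    status=$?
    rm -f "$archive"
    return $status
}

# Usage: sudo sh fetch.sh https://www.monstacdn.com/downloads/monsta_ftp_v1.8.5_install.zip <sha256 from publisher> /var/www/monsta
if [ "$#" -eq 3 ]; then
    fetch_verified "$@"
fi
```

The digest has to come from somewhere other than the download itself (the publisher's page over HTTPS, a signed release note); a hash fetched from the same mirror as the archive only proves the mirror is internally consistent.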


Serve multiple directories with Apache (virtualhost monstaftp.conf)

Running Apache on Debian, our /var/www folder contains two directories, /codeigniter and /wordpress.

We would like mydomain.com to point to /codeigniter and mydomain.com/blog to point to /wordpress. The first one is easy; how do we do the second?

We have the following in sites-available/mydomain.com:

<VirtualHost *:80>
  ServerAdmin me@example.com
  ServerName  www.mydomain.com
  ServerAlias mydomain.com

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /var/www/codeigniter/public

  <Directory "/var/www/codeigniter/public">
  Options FollowSymLinks
  AllowOverride All
  Order allow,deny
  Allow from all
  </Directory>
</VirtualHost>

Simple: add an Alias and another Directory block inside the VirtualHost block. The Directory block is required, not optional: without access directives for the aliased path Apache answers 403. Note also that an Alias with a trailing slash (/blog/) only matches requests that have the slash; use Alias /blog "/var/www/wordpress" if the bare /blog should work too.

Alias /blog/ "/var/www/wordpress/"
<Directory "/var/www/wordpress/">
    Options FollowSymLinks
    AllowOverride All
    # Apache 2.2 access control as in the block above;
    # on Apache 2.4 use "Require all granted" instead.
    Order allow,deny
    Allow from all
</Directory>

Install MySQL

> sudo apt-get install mysql-server

During the installation process, you will be prompted to set a password for the MySQL root user as shown below. Choose a strong password and keep it in a safe place for future reference. MySQL will bind to localhost (127.0.0.1) by default.

Install interactive process viewer Htop

>sudo apt-get install htop

Install and Set Up phpMyAdmin

  1. Install the current version of phpMyAdmin:
    sudo apt-get install phpmyadmin

    You will be asked which server to automatically configure phpMyAdmin for. Select "apache2". When asked to configure the database for phpmyadmin with dbconfig-common, select yes.

    phpMyAdmin is then reachable by everyone at http://yourIP/phpmyadmin and is a popular brute-force target. Restrict it to trusted addresses or protect it with the Basic authentication described at the top of this page, and serve it over HTTPS.

Using MySQL

The standard tool for interacting with MySQL is the mysql client, which installs with the mysql-server package. The MySQL client is used through a terminal.
* If you are more comfortable with a GUI, phpMyAdmin was installed too (http://yourIP/phpmyadmin).

Root Login

  1. To log in to MySQL as the root user:
    mysql -u root -p
  2. When prompted, enter the root password. You'll then be presented with a welcome header and the MySQL prompt as shown below:
    mysql>

Now we create a database called pureftpd and a MySQL user named pureftpd which the PureFTPd daemon will use later on to connect to the pureftpd database. Replace ftpdpass with a strong password of your own (the same value goes into pure-ftpd-mysql.conf later):

mysql -u root -p
mysql> CREATE DATABASE pureftpd;

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'ftpdpass';

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';

FLUSH PRIVILEGES;

The daemon itself only ever runs SELECT on this table, so SELECT alone is enough for the pureftpd account if you manage users with another account; the broader grant is convenient when the same account also creates the table and inserts users. On MySQL 8, IDENTIFIED BY is no longer accepted inside GRANT: run CREATE USER first, then GRANT.

Next we create a custom MySQL table according to our needs, with the columns explained below. Status, IpAccess and QuotaFiles are included because the pure-ftpd queries further down use them:

CREATE TABLE `users` (
 `Id` int(11) NOT NULL auto_increment,
 `User` varchar(32) NOT NULL default '',
 `Password` varchar(128) NOT NULL default '',   -- a hash, never the clear-text password
 `Status` tinyint(1) NOT NULL default '1',      -- 1 = enabled, 0 = disabled
 `Uid` int(11) NOT NULL default '2001',
 `Gid` int(11) NOT NULL default '2001',
 `Dir` varchar(255) NOT NULL default '',
 `IpAccess` varchar(45) NOT NULL default '*',
 `QuotaSize` int(11) NOT NULL default '250',
 `QuotaFiles` int(11) NOT NULL default '0',
 `ULBandwidth` int(11) NOT NULL default '100',
 `DLBandwidth` int(11) NOT NULL default '100',
 `Comment` tinytext,
 PRIMARY KEY  (`Id`),
 UNIQUE KEY `User` (`User`)
);

Column       Description
User         The name of the virtual PureFTPd user.
Status       0 or 1. 0 means the account is disabled and the user cannot log in.
Password     The password of the virtual user, stored hashed in the form matching the MYSQLCrypt setting of pure-ftpd (MD5 in this page's configuration), never in clear text.
Uid          The user id of the ftp user created below with useradd (e.g. 2001).
Gid          The group id of the ftp group created below with groupadd (e.g. 2001).
Dir          The home directory of the virtual PureFTPd user (e.g. /home/www.example.com). If it does not exist, it is created when the user logs in for the first time via FTP (with CreateHomeDir). The virtual user is jailed into this home directory, i.e. he cannot access directories outside it.
ULBandwidth  Upload bandwidth of the virtual user in KB/sec (kilobytes per second). 0 means unlimited.
DLBandwidth  Download bandwidth of the virtual user in KB/sec (kilobytes per second). 0 means unlimited.
Comment      Any comment (e.g. for your internal administration). Normally left empty.
IpAccess     IP addresses allowed to connect to this FTP account (matched with LIKE, so 192.168.1.% is accepted). * means any IP address may connect.
QuotaSize    Storage space in MB (not KB, as in ULBandwidth and DLBandwidth!) the virtual user may use on the FTP server. 0 means unlimited.
QuotaFiles   Number of files the virtual user may store on the FTP server. 0 means unlimited.

Insert a new user in the database. MD5() gives the unsalted hash the md5 MYSQLCrypt setting compares against; it is fast to brute-force if the table leaks, so treat the database as sensitive (see the note on MYSQLCrypt crypt below):

INSERT INTO `users` (`User`, `Password`, `Status`, `Uid`, `Gid`, `Dir`, `IpAccess`, `QuotaSize`, `ULBandwidth`, `DLBandwidth`)
VALUES ('web', MD5('PASS_FTP_USER'), 1, 2001, 2001, '/home/ftp/users/U1', '*', 250, 0, 0);

Install PureFTPd With MySQL Support

> sudo apt-get install pure-ftpd pure-ftpd-common

> sudo apt-get install pure-ftpd-mysql


Then we create an ftp group (ftpgroup) and user (ftpuser) that all virtual users will be mapped to. Replace the group and user id 2001 with a number that is free on your system:

> sudo groupadd -g 2001 ftpgroup
> sudo useradd -u 2001 -s /bin/false -d /dev/null -c "pureftpd user" -g ftpgroup ftpuser

The /bin/false shell and the non-existent home directory keep this account from ever logging in to the system itself; it exists only so the virtual FTP users have a UID/GID to own files with.

Assign Linux rights to the user folder:
> sudo mkdir -p /home/ftpuser/test1

> sudo chown -R ftpuser:ftpgroup /home/ftpuser/test1

The configuration files of Pure-FTPd

Everything for the FTP server lives under /etc/pure-ftpd/: the configuration files are in the "conf" folder and the database connection file in "db".

Unlike users, who can be added or removed without restarting the server, a change to a configuration file only takes effect after you reload the configuration with the following command:

/etc/init.d/pure-ftpd-mysql force-reload

The configuration files are in /etc/pure-ftpd/conf, one setting per file: the file name is the option and its content the value.

The default configuration contains 7 files:

- AltLog: location and format of the log file

- FSCharset: filesystem character encoding (UTF-8 etc.)

- MinUID: the minimum UID allowed to log in; lower UIDs, i.e. system accounts, are rejected

- NoAnonymous: whether anonymous FTP is forbidden

- PAMAuthentication: whether PAM authentication is allowed

- PureDB: path to the PureDB file of virtual accounts (the non-MySQL virtual user backend)

- UnixAuthentication: whether standard Unix (/etc/passwd) authentication is allowed; leave it at "no" unless you really want system accounts to log in over FTP
Additional files to create:
- MaxIdleTime: set the timeout by adding a file called "MaxIdleTime" inside the conf directory. Its content is the number of minutes of inactivity after which a connection is dropped. Restart the server afterwards.

echo 10 > /etc/pure-ftpd/conf/MaxIdleTime

- PassivePortRange: if you run a firewall on your Linux server and want to use passive FTP connections, you have to define the passive port range in pure-ftpd and open the same range in your firewall, otherwise the data connections get blocked. The following example is for pure-ftpd on Debian Linux:

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart
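Putting the passive-range setting and the firewall side together, as an added example that is not the page's own commands: the script validates the range, writes PassivePortRange in the format pure-ftpd expects, and prints the matching iptables rules so they can be reviewed before they are applied. It assumes Debian's pure-ftpd layout and an iptables INPUT chain that already accepts ESTABLISHED,RELATED traffic; the 40110-40210 range is the page's.

```sh
#!/bin/sh
# Added example (not from the original page): set the pure-ftpd passive port
# range and open the same range in iptables, so the two never disagree.
# Assumes Debian's pure-ftpd layout (/etc/pure-ftpd/conf, pure-ftpd-mysql
# service) and an iptables INPUT chain that already accepts ESTABLISHED,RELATED.

set -u

# valid_passive_range LOW HIGH: both numeric, unprivileged (>1023), within
# 65535, and LOW < HIGH. pure-ftpd needs one port per concurrent data
# connection, so a range of a single port is rejected as well.
valid_passive_range() {
    case "$1$2" in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# passive_range_line LOW HIGH: the exact content pure-ftpd expects in
# /etc/pure-ftpd/conf/PassivePortRange ("low high", space separated).
passive_range_line() {
    printf '%s %s\n' "$1" "$2"
}

# firewall_rules LOW HIGH: print the iptables commands that admit the FTP
# control port and the passive data range for new connections.
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# configure_passive LOW HIGH: write the pure-ftpd file, apply the firewall
# rules and restart the daemon. Needs root.
configure_passive() {
    valid_passive_range "$1" "$2" || { echo "bad passive range: $1 $2" >&2; return 1; }
    passive_range_line "$1" "$2" > /etc/pure-ftpd/conf/PassivePortRange
    firewall_rules "$1" "$2" | sh
    /etc/init.d/pure-ftpd-mysql restart
}

# Usage: sudo sh passive.sh 40110 40210
if [ "$#" -eq 2 ]; then
    configure_passive "$1" "$2"
fi
```

Review the output of firewall_rules before piping it to sh; if the server sits behind NAT you additionally need the ForcePassiveIP setting with the public address, or clients are told a private IP for the data connection.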


Next update the file /etc/pure-ftpd/conf/ChrootEveryone, which simply contains the string yes and makes PureFTPd chroot every virtual user into his home directory so he cannot browse directories and files outside it:

> echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone

Next update the file /etc/pure-ftpd/conf/NoAnonymous to forbid anonymous logins:

> echo "yes" > /etc/pure-ftpd/conf/NoAnonymous

Next check the file /etc/pure-ftpd/conf/MinUID, which contains the lowest UID allowed to log in. Any account with a smaller UID, root and the other system accounts included, is refused even with correct credentials. The Debian default of 1000 is fine for our ftpuser at UID 2001:

> echo "1000" > /etc/pure-ftpd/conf/MinUID

Also update the file /etc/pure-ftpd/conf/CreateHomeDir, which again simply contains the string yes. This makes PureFTPd create a user's home directory when the user logs in and the home directory does not yet exist:

> echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir


Now we must configure PureFTPd as a standalone daemon (it is currently controlled by inetd). To do this, open /etc/default/pure-ftpd-common and change the value of the parameter STANDALONE_OR_INETD to standalone:

> sudo nano /etc/default/pure-ftpd-common

Next, modify /etc/inetd.conf and comment out the ftp line (whatever FTP daemon it currently points to) so that it looks like this:

#:STANDARD: These are standard services.
#ftp    stream  tcp nowait  root    /usr/sbin/tcpd /usr/sbin/proftpd

Now restart inetd and PureFTPd-mysql:

> /etc/init.d/openbsd-inetd restart
> /etc/init.d/pure-ftpd-mysql restart


Configure PureFTPd with MySQL

In the folder "conf", edit the file MySQLConfigFile so that it contains the path of the configuration file we will create: /etc/pure-ftpd/db/pure-ftpd-mysql.conf
Create the MySQL configuration file

Now we create the /etc/pure-ftpd/db/pure-ftpd-mysql.conf configuration file that holds the connection information between the FTP server and MySQL. In the queries, \L is replaced by the login name the client sent and \R by the client's IP address, which is what makes the IpAccess check work.

nano /etc/pure-ftpd/db/pure-ftpd-mysql.conf

MYSQLSocket      /var/run/mysqld/mysqld.sock
#MYSQLServer     localhost
#MYSQLPort       3306
MYSQLUser       pureftpd
MYSQLPassword   ftpdpass
MYSQLDatabase   pureftpd
# MYSQLCrypt: how the stored password is compared: cleartext, crypt, md5, sha1 or password.
# Anything but cleartext; see the note below.
MYSQLCrypt      md5
MYSQLGetPW      SELECT Password FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MYSQLGetUID     SELECT Uid FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MYSQLGetGID     SELECT Gid FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MYSQLGetDir     SELECT Dir FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MySQLGetQTASZ   SELECT QuotaSize FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")
MySQLGetQTAFS   SELECT QuotaFiles FROM users WHERE User="\L" AND Status="1" AND (IpAccess = "*" OR IpAccess LIKE "\R")

Make sure that you replace the string ftpdpass with the real password of the MySQL user pureftpd in the MYSQLPassword line, and that the table name (users) and the column names match the table you created. We use md5 as the MYSQLCrypt method, so the users' passwords are stored as MD5 hashes rather than in clear text. That is better than cleartext, but an unsalted MD5 of a password is cracked in seconds if the table leaks: pure-ftpd's crypt setting compares against a libc crypt(3) hash instead, so on a glibc system you can store salted SHA-512 hashes (the $6$ form) in the same column with the same queries.

For a simpler table in clear text, without IP control and status, the content of this file is:

# Database connection
MYSQLServer 127.0.0.1
MYSQLUser pureftpd
MYSQLPassword pwdftp
MYSQLDatabase pureftpd
# Additional parameters (the socket path below is the Red Hat/CentOS one; on Debian it is /var/run/mysqld/mysqld.sock)
MYSQLPort 3306
MYSQLSocket /var/lib/mysql/mysql.sock
# Password storage method
# Possible values: 'crypt', 'md5' or 'cleartext' (password stored in clear).
MYSQLCrypt cleartext
# SQL queries that let Pure-FTPd find the data in the database
MYSQLGetPW SELECT Password FROM users WHERE User="\L"
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"
# Only if the table has ULRatio/DLRatio columns (the table created above does not)
#MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
#MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"

Even with this simpler layout there is no reason to keep clear-text passwords: insert them with MD5() (or a crypt hash) and set MYSQLCrypt accordingly; the queries do not change.


Remember to protect the MySQL password in pure-ftpd-mysql.conf. The daemon reads the file as root at start-up, so it needs no group or world access at all:

> chmod 640 pure-ftpd-mysql.conf

Problem with CreateHomeDir:

When virtual users try to connect they may get the error "Home directory not available - abort" even with CreateHomeDir set to yes.

Solution:
the last existing directory in the home path must be owned by root.
For example, if we want somebody's home directory /home/ftpuser/somebody to be created when he logs in, then the last existing directory, ftpuser, should look like this:

drwxr-xr-x 2 root ftpgroup 4096 2008-04-15 11:20 ftpuser

Another example:

sudo mkdir /home/ftp

sudo chown root:ftpgroup /home/ftp

In case CreateHomeDir is set to no, assign Linux rights to the user folder yourself:
> sudo mkdir -p /home/ftpuser/test1

> sudo chown -R ftpuser:ftpgroup /home/ftpuser/test1
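As an added example, not the page's own code, of applying the rule just stated: the script walks up the requested home path to the deepest directory that already exists, reports whether that directory is root-owned, and, when run as root, sets root:ftpgroup on it (and ftpuser:ftpgroup on the home itself if it was created by hand). The user and group names are the ones created earlier on this page; the path in the usage line is the page's example.

```sh
#!/bin/sh
# Added example (not from the original page): diagnose and fix the
# "Home directory not available" failure seen with CreateHomeDir. The page's
# rule is that the deepest directory that already exists on the home path
# must be owned by root; this script finds that directory, checks it, and as
# root applies root:ftpgroup to it and ftpuser:ftpgroup to a hand-made home.
# ftpuser/ftpgroup are the names created earlier on the page.

set -u

# last_existing_dir PATH: walk up from PATH until a directory exists and print
# it. This is the directory pure-ftpd has to create the home inside.
last_existing_dir() {
    p=$1
    while [ ! -d "$p" ]; do
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && return 1   # reached the filesystem root
        p=$parent
    done
    printf '%s\n' "$p"
}

# owner_of PATH: print the owning user name (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# check_home_parent HOME: succeed if the deepest existing ancestor of HOME is
# owned by root; otherwise name the directory that needs fixing.
check_home_parent() {
    parent=$(last_existing_dir "$1") || return 1
    if [ "$(owner_of "$parent")" = root ]; then
        return 0
    fi
    echo "$parent is owned by $(owner_of "$parent"); it must be root-owned for CreateHomeDir" >&2
    return 1
}

# prepare_home HOME: make the parent root:ftpgroup so CreateHomeDir works; if
# the home already exists (created by hand), give it to ftpuser:ftpgroup.
# Needs root.
prepare_home() {
    parent=$(last_existing_dir "$1") || return 1
    chown root:ftpgroup "$parent"
    chmod 755 "$parent"
    if [ -d "$1" ]; then
        chown -R ftpuser:ftpgroup "$1"
        chmod 750 "$1"
    fi
}

# Usage: sudo sh ftphome.sh /home/ftpuser/somebody
if [ "$#" -eq 1 ]; then
    check_home_parent "$1" || prepare_home "$1"
fi
```

Run check_home_parent first on a failing account: it prints exactly which directory pure-ftpd tried to create the home under, which is usually quicker than reading the daemon's log.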


Uninstall pure-ftpd-common

To remove just the pure-ftpd-common package itself from Debian 7 (Wheezy), execute in a terminal:

sudo apt-get remove pure-ftpd-common

Uninstall pure-ftpd-common and its dependent packages

To remove the pure-ftpd-common package and any other dependent packages which are no longer needed from Debian Wheezy:

sudo apt-get remove --auto-remove pure-ftpd-common

Uninstall pure-ftpd-mysql too

apt-get --purge remove pure-ftpd-mysql
apt-get --purge remove pure-ftpd

Purging pure-ftpd-common

If you also want to delete the configuration and/or data files of pure-ftpd-common from Debian Wheezy, then this will work:

sudo apt-get purge pure-ftpd-common

To delete the configuration and/or data files of pure-ftpd-common and its dependencies from Debian Wheezy, execute:

sudo apt-get purge --auto-remove pure-ftpd-common

Debian archive repository:

When a config file for an installed package is missing, you can force dpkg to reinstall the original missing configuration files from the cached .deb:

dpkg --force-confmiss -i /var/cache/apt/archives/pure-ftpd-mysql_1.0.24-1_i386.deb

When you want a complete removal of a package you need to purge it (which also removes its config files):

aptitude purge pure-ftpd-mysql

This assumes you have not run:

apt-get clean

which removes the cached packages.

Starting and checking the pure-ftpd service

ps uaxf|grep pure-ftpd
service pure-ftpd restart
service pure-ftpd status

Remove a directory recursively with all the files inside (no confirmation, no undo):
rm -rf mydir

Get a list of open ports in Linux

netstat -lntu

as replied by @askmish, gives you the list of services listening on your system on TCP and UDP ports, where

  • -l = only sockets which are listening on some port
  • -n = show port numbers, don't try to resolve service names
  • -t = TCP ports
  • -u = UDP ports
  • -p = name of the program (needs root to see other users' processes)

You don't need the 'p' parameter if you're only interested in which ports are in use and not which program uses them. On systems without net-tools, ss -lntu gives the same information in a different column layout.

This only shows which ports on your system are in use. It doesn't tell you the status of your network, e.g. if you're behind NAT and want some services to be accessible from outside, or if the firewall is blocking the port for outside visitors. In that case nmap, run from another host, shows what is actually reachable. WARNING: use nmap only on networks which are under your control. Also, firewall rules can block nmap's probes, so you may have to adjust its options to get correct results.
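An added example, not from the page: parsing netstat -lntu output to separate the listeners bound to all interfaces (reachable from outside unless the firewall stops them, e.g. FTP on 21 and the passive range) from those bound to loopback only (such as MySQL on 3306, which the page says binds to 127.0.0.1 by default). The lines in SAMPLE_NETSTAT are constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original page): from netstat -lntu output, list
# the listeners bound to every interface (0.0.0.0 or ::), i.e. the ports
# reachable from outside unless the firewall blocks them, and separately the
# ones bound to loopback only. SAMPLE_NETSTAT is constructed, not captured.

set -u

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listeners_by_scope SCOPE: read netstat -lntu lines on stdin and print
# "proto port" for each listener whose bind address falls in SCOPE, which is
# "all" (0.0.0.0 / ::) or "local" (127.0.0.1 / ::1). The port is whatever
# follows the last colon, so IPv6 addresses like ::1 parse correctly.
listeners_by_scope() {
    awk -v scope="$1" '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            proto = substr($1, 1, 3)              # tcp6 -> tcp, udp6 -> udp
            wild = (addr == "0.0.0.0" || addr == "::")
            loopback = (addr == "127.0.0.1" || addr == "::1")
            if ((scope == "all" && wild) || (scope == "local" && loopback))
                print proto, port
        }'
}

# exposed_ports: the externally bound listeners as one sorted, space-separated
# line, handy for comparing with the ACCEPT rules in iptables -L -n.
exposed_ports() {
    listeners_by_scope all | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Run against the live system:  netstat -lntu | exposed_ports
if [ "${1:-}" = "--live" ]; then
    netstat -lntu | exposed_ports
fi
```

Anything printed by exposed_ports that is not deliberately public (a database, a management interface) should either be rebound to 127.0.0.1 or dropped in the INPUT chain; the loopback list is the set of services that a local compromise, but not the network, can reach.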

How to check firewall rules (add -n to skip the reverse DNS lookups, which otherwise make the listing slow):

>  iptables -L -v -n

Iptables Help :

https://help.ubuntu.com/community/IptablesHowTo