Security Sysadmin Enable chrooted SFTP and get rid of Pure-Ftpd

Discussion in 'System Administration' started by EckyBrazzz, May 4, 2019.

  1. EckyBrazzz

    EckyBrazzz Active Member

    Hi,

    Followed some manuals, but they did not give me the possibility to create a chrooted environment to have a chrooted SFTP to my /home/nginx.

    Most of the manuals did not use an SSH key and mentioned only a user/password. And because /home/nginx already exists in CMM, most manuals I found did not work because they assume you create a new user/group.

    Did some tries, but every time it was a NO-GO zone.

    I want this because I and some of my team members are the only persons that are allowed to enter into SFTP, and really I don't want to give access to some support teams to FTP because they disable my security plugins by renaming them to .old. :) (like ehhh, limited admin access). I think a support team should only have access to the WP parts that are important for them and keep the rest in peace/place. Got some private parts also. Now I tell them that I won't provide FTP access, but they keep coming back and tell me that they can't connect on port 21 (I disable FTP when I don't use it). But I do prefer to keep port 21 down/blocked and use a custom SFTP port.

    So, please, who has a manual to create the perfect SFTP chrooted environment to the /home/nginx directory?
     
  2. pamamolf

    pamamolf Premium Member

  3. EckyBrazzz

    EckyBrazzz Active Member

    Well, I guess the main issue is that CMM has SSH limited to root only, so using for example nginx as the SSH user is a problem.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Which directory do you want team members limited to exactly? Pure-ftpd virtual FTP users are already limited to an even narrower range, just /home/nginx/domains/domain.com, which is better than giving access to everything under /home/nginx, which from what I understand is what you want.
     
  5. EckyBrazzz

    EckyBrazzz Active Member

    Damn, just before I could post I got the famous BSOD with that nice QR code.....

    Well here I go again.

    As noticed from other users of CMM, they prefer SFTP to FTP.

    I want to have a simple and secure chrooted login to the complete /home/nginx. But due to the fact that SSH is limited to ROOT only, I guess adding NGINX to the ROOT group is not a good idea.

    This is to ease access for all my trusted team members to everything they need. Some plugins need to be updated manually and I am using some themes that are not compatible with WP-CLI; my bad again.

    For now I only have 1 server with CMM and only a dozen domains, but I am planning to create a cluster with 25-30 servers and a different domain for each country. In my use case it's better to use a cluster of servers than using Cloudflare and paying $200 for each domain. So instead of keeping track of all these different FTP logins I want the ease of use of an SSH key.

    I also want to keep out other support teams that want to have access to my server with FTP to resolve a problem with their plugin or theme. I give them access with a limited admin WP account so that they can access only their plugin or theme, nothing else. They even change security plugins to gain FULL access to their temp. limited WP admin access. They simply rename the security plugin to .old when I give them FTP access.

    If I find a BUG or whatever, I share it with them in all details or they have to reproduce it on their own server. I am willing to help, actually I'm glad to help because I believe that we can get a better product after all. I pay for it, so on an update I get the correct working plugin or theme.

    There were some other things I wanted to write, but due to the BSOD I can't remember them.

    Sorry for my grammatical errors, after the BSOD my language tool Grammarly stopped working.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Unfortunately, Centmin Mod out of the box isn't set up for such a use case, as it's essentially like shared hosting, which Centmin Mod isn't for - it's intended for 1 root user managing their own sites - FAQ item 2

    Though you can create additional Pure-ftpd virtual FTP users - see the re-create pure-ftpd user section on the official site at https://centminmod.com/ftp.html. Full chroot setup is on Centmin Mod's books eventually - full jailed/chrooted user preview. Just nothing anytime soon.
     
  7. EckyBrazzz

    EckyBrazzz Active Member

    https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/
    Too bad, you stopped dev in 2016.

    Off topic:
    Well, I started in 1986 with Novell, in 1996 with SUSE and in 2003 with Gentoo from scratch, haha, took me a complete week on a simple notebook. Several parts took over 24 hours to compile.

    I do see the need for CMM to have cluster options, so maybe I can give a helping hand in creating some stuff to get this done in little phases. As a kind of addon. Time will tell about that. But that will require at least 3 servers due to the MariaDB Galera Enterprise Cluster specs. Already created one at 18 non-geographic locations for a multinational for their financial control and stock control on other locations. It's not my job, I have a business to run (well, got paid for it, but that was just a nice side effect :)). Just created it to get to know a little bit more about the ins and outs of it.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Not really stopped but delayed heh. Chroot dev is planned after 123.09beta01 goes stable, as features developed/added in 123.09beta01 may conflict with chroot operation and vice versa, so chroot may limit or break 123.09beta01 features. So I can either spend time troubleshooting that with every few features or routines added each time, or spend time developing and perfecting 123.09beta01 features and routines first.

    Think of it like buying a house sight unseen (123.09beta01 development) and not knowing the floor plans/dimensions right now, but trying to go shopping for furniture and kitchen appliances/bathroom fixtures now (chroot).

    Yeah, cluster/multi-server setups are probably something for after 123.09beta01 goes stable, and for the next dev release after that. Though it may not be a totally free option out of the box - still no concrete decisions made until after 123.09beta01 is done.