Differences between two revisions of this page: cloudappliance/sftpsetup [2019_09_18 13:49] – [SFTP configuration files] doug, and cloudappliance:sftpsetup [2024_03_15 22:07] (current) – removed steven. The text below is the earlier revision, which the later revision removed.

# FTP/SFTP Configuration

The File Fabric Appliance and SaaS support a number of protocol gateways allowing applications to natively access the File Fabric using FTP/FTPS, SFTP or WebDAV. These are ideal for retrofitting existing applications for object storage.

This document covers the configuration of the appliance FTP/SFTP and FTPS gateways. For information on the configuration of clients see [[cloudftp]].

Applies to:

* Enterprise File Fabric Appliance

See also:

* [[cloudftp]]
* [[cloudappliance/

## Initial Setup

Setting the domain name during [[cloudappliance:

In the example below, the domain name is perf.smestorage.com.

{{ :

The services will be available at the following ports:

^ Protocol ^ Port ^ Details ^
| FTP | 21 | Plain FTP without TLS |
| FTP w/TLS | 21 | Same as FTP, with Self Signed Certificates (FTP Explicit) |
| FTPS | 990 | Same as FTP w/TLS |
| SFTP | 2200 | SSH File Transfer Protocol uses default RSA key |

All firewall settings are already configured for the default basic configuration.

## FTP Services

All Cloud FTP services (FTP/FTPS, SFTP) can be stopped, started or restarted via systemctl when logged in as root.

Log in as smeconfiguser, then become root:

```
su -
systemctl stop cloudftp
systemctl start cloudftp
systemctl restart cloudftp
```

## Advanced FTP/FTPS Setup

Systems publicly exposing FTP based protocols might need additional setup to meet the needs of security administrators. Common changes are detailed below; for advanced changes contact SME Support.

### FTP configuration files

To access the FTP configuration files, log into the File Fabric as smeconfiguser and elevate to root using the command:

```
su -
```

The file ftpserver.conf contains all FTP, FTP w/TLS, and FTPS settings. It can be found at:

/

Defaults:

^ Settings ^ Details ^
| ftp\_server\_ip=xxx.xxx.xxx.xxx | Interface address listening for FTP |
| ftp\_server\_host=perf.smestorage.com | FTP server hostname |
| port=21 | Default port for FTP |
| FTPISport=990 | Default port for FTPS |
| serversme=perf.smestorage.com | FQDN of File Fabric |
| debug=100 | |
| countprocesses=20 | Max processes |
| ftp\_timeout=180 | FTP timeout |
| min\_port=20001 | Minimum port # for Passive Mode |
| max\_port=20100 | Maximum port # for Passive Mode |
| pathToSSLkey=/ | Path to the TLS private key |
| pathToSSLcert=/ | Path to the TLS certificate |

### Changing Domain Name

To access the FTP server via a custom domain name instead of the one configured for the appliance, create an A or CNAME DNS record pointing to the IP address or domain name of the appliance. Any fully-qualified domain name can be used; the File Fabric FTP services do not validate the name presented.

### Custom Certificates

FTP w/TLS and FTPS clients are not as strict as web browsers when using self signed certificates. Regardless, if a client needs to use a properly signed certificate the process is as follows:

1. Upload the certificate public and private key to the File Fabric, preferably in the following directories:

   a. Private key in /
   b. Public key in /

2. Update the ftpserver.conf entries:

   a. pathToSSLkey should point to the private key
   b. pathToSSLcert should point to the public certificate

3. Restart the CloudFTP service

### FTP Passive Mode through NAT/PAT

FTP Passive Mode requires that the FTP server send the client the port and IP address of the File Fabric. When the File Fabric is secured behind a public firewall the internal IP address will most likely not match the public IP address. Set up passive mode as follows:

1. Add the following entry to ftpserver.conf:

   a. external\_ip\_for\_passive\_mode=xxx.xxx.xxx.xxx

2. Restart the CloudFTP service

### FTP Passive Mode port # changes

FTP Passive Mode ports default to TCP 20001-20100.

Changing these port numbers in ftpserver.conf also requires firewall changes to iptables.

After changing min\_port & max\_port, restart the CloudFTP service.

Then alter /

Change the range 20001:20100 in the --dport rule below to the new port range:

```
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
```

Restart iptables with the following command:

```
systemctl restart iptables
```

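The two-file change above is easy to get wrong (the config and the firewall drift apart, or the new range swallows a port another service listens on). As an added example that is not part of the original page or the File Fabric product, the shell function below applies min_port/max_port and the matching --dport rule in one step and refuses privileged, inverted or overlapping ranges; the file paths are constructed stand-ins, since the real ones are truncated on this page.

```shell
# Constructed stand-ins for ftpserver.conf and the iptables rules file
# (their real paths are truncated on this page); the rules mirror the
# appliance defaults shown above.
WORK=$(mktemp -d)
CONF="$WORK/ftpserver.conf"
IPT="$WORK/iptables"
printf 'port=21\nFTPISport=990\nmin_port=20001\nmax_port=20100\n' > "$CONF"
cat > "$IPT" <<'EOF'
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# set_passive_range CONF IPTABLES MIN MAX
# Refuses a range that is non-numeric, inverted, below 1024, or that covers a
# port the firewall already accepts for another service (21, 990, 2200 ...).
# Only then are min_port/max_port and the matching --dport A:B rule rewritten
# together, so the two files never disagree.
set_passive_range() {
  conf=$1; ipt=$2; lo=$3; hi=$4
  case "$lo$hi" in ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1;; esac
  if [ "$lo" -lt 1024 ] || [ "$lo" -ge "$hi" ] || [ "$hi" -gt 65535 ]; then
    echo "invalid passive range $lo-$hi" >&2; return 1
  fi
  # every single-port --dport N rule must stay outside the new range
  for p in $(sed -n 's/.*--dport \([0-9][0-9]*\) .*/\1/p' "$ipt"); do
    if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
      echo "range $lo-$hi would cover the listener on port $p" >&2; return 1
    fi
  done
  old_lo=$(sed -n 's/^min_port=//p' "$conf")
  old_hi=$(sed -n 's/^max_port=//p' "$conf")
  sed -e "s/^min_port=.*/min_port=$lo/" -e "s/^max_port=.*/max_port=$hi/" \
      "$conf" > "$conf.new" && mv "$conf.new" "$conf"
  sed -e "s/--dport $old_lo:$old_hi /--dport $lo:$hi /" \
      "$ipt" > "$ipt.new" && mv "$ipt.new" "$ipt"
}

# Example run: move the passive range to 30001-30100, then show both files.
set_passive_range "$CONF" "$IPT" 30001 30100 && grep -n 'port' "$CONF" "$IPT"
```

On the appliance the CloudFTP service and iptables still need restarting afterwards, exactly as the section above describes.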
### FTP / FTPS port # changes

FTP defaults to TCP port 21 and FTPS to port 990. Changing these port numbers in ftpserver.conf also requires firewall changes to iptables. After changing port or FTPISport, restart the CloudFTP service.

Change the --dport 21 and --dport 990 entries below to the new port numbers:

```
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
```

Restart iptables with the following command:

```
systemctl restart iptables
```

### FTP / FTPS Rate Limiting

FTP & FTPS can be rate limited both for writes to disk and for network bandwidth:

```
max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728
```

### FTP / FTPS Scratch Space

FTP & FTPS sometimes require scratch space.

Scratch space defaults to the temp folder in /

```
tmpfolder=/
```

## Advanced SFTP Setup

Systems publicly exposing SFTP based protocols might need additional setup to meet the needs of security administrators.

### SFTP configuration files

To access the SFTP configuration files, log into the File Fabric as smeconfiguser and elevate to root using the command:

```
su -
```

The file sftpserver.conf contains all SFTP settings. It can be found at:

/

Defaults:

^ Settings ^ Details ^
| ftp\_server\_ip=0.0.0.0 | Interface addresses listening for SFTP |
| port=2200 | Default port for SFTP |
| serversme=perf.smestorage.com | FQDN of File Fabric |
| pathToKey=/ | Path to the SFTP host private key |
| pathToCert=/ | Path to the SFTP host public key |
| tmpFolder=./ | Scratch folder |
| logFile=./ | Log file |
| countprocesses=30 | Max processes |
| timeout=360 | SFTP timeout |
| maximumlimitsizeupload=10737418240 | Max SFTP upload in bytes |
| limitConnectionsForOneUser=5 | Connections per user |
| SMALL\_FILE\_SIZE=1048576 | Small file in bytes |
| memcache\_ip=127.0.0.1 | Memcache server |
| memcache\_port=11211 | Memcache port |
| debugmode=0 | Enable/disable debug mode |
| disable\_sftp=0 | Enable/disable SFTP |

### SFTP custom FQDN

To access the SFTP server via a custom FQDN instead of the system FQDN, nothing needs to be done other than registering A or CNAME DNS records that point to the IP address of the File Fabric.

### Regenerate SFTP RSA Keys

It is recommended to generate new secure keys for the SFTP server rather than keeping the default RSA key the appliance ships with.

As the root user:

```
cd /
ssh-keygen -t rsa -f "
chown smestorage:
```

This will generate 2 files, ssh_host_rsa_key and ssh_host_rsa_key.pub. Edit the sftpserver.conf file and change the 2 lines as below:

```
pathToKey=ssh_host_rsa_key
pathToCert=ssh_host_rsa_key.pub
```

### SFTP default port # change

SFTP is set to 2200. This can be changed to another port, but if the desire is to change SFTP to the default port of 22, SSH must first be moved to another port.

### Change SSH port

As the root user edit the following file: /
Uncomment the #Port 22 line and change the port number to a new number such as 2222:

```
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#
#
#
```

After saving the file, run the following command to let SELinux know of the change:

```
semanage port -a -t ssh_port_t -p tcp #
```

Changing port numbers also requires firewall changes to iptables.
Edit /

Change the --dport 22 entry to the new SSH port.
Change the --dport 2200 entry to the new SFTP port.

```
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 20001:20100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
```

Restart iptables and SSH with the following commands:

```
systemctl restart iptables
systemctl restart sshd
```

Before moving on, open a new SSH connection to the File Fabric using the new port number, and keep the existing session open until the new one works.

### Change SFTP port

Edit sftpserver.conf in /
Change the line port=2200 to the new value and save.
Restart the CloudFTP service.

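The ordering constraint in the two sections above (SSH off port 22 and its new port accepted by iptables before SFTP takes 22) as an added pre-flight check; this is example code, not the appliance's own, and the sshd_config and iptables files are constructed stand-ins for the truncated paths on this page.

```shell
# Constructed sshd_config and iptables fragments standing in for the
# appliance files (their real paths are truncated on this page).
WORK=$(mktemp -d)
SSHD="$WORK/sshd_config"
IPT="$WORK/iptables"
printf '#Port 22\nPort 2222\n' > "$SSHD"
cat > "$IPT" <<'EOF'
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# effective_ssh_port SSHD_CONFIG: the first uncommented Port directive,
# or 22 when none is set (sshd's built-in default).
effective_ssh_port() {
  p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
  echo "${p:-22}"
}

# iptables_accepts IPTABLES PORT: true if a NEW-state ACCEPT rule exists for PORT.
iptables_accepts() {
  grep -q -- "--state NEW -m tcp --dport $2 -j ACCEPT" "$1"
}

# sftp_may_take_port_22 SSHD_CONFIG IPTABLES: the precondition from the page.
# SSH must already listen elsewhere and that port must be open in the firewall
# before port=22 goes into sftpserver.conf; otherwise the admin is locked out.
sftp_may_take_port_22() {
  ssh_port=$(effective_ssh_port "$1")
  if [ "$ssh_port" -eq 22 ]; then
    echo "sshd is still on port 22: move SSH first" >&2; return 1
  fi
  if ! iptables_accepts "$2" "$ssh_port"; then
    echo "iptables has no ACCEPT rule for the new SSH port $ssh_port" >&2; return 1
  fi
  echo "sftp may use port 22 (ssh is on $ssh_port)"
}

# Example run against the constructed files.
sftp_may_take_port_22 "$SSHD" "$IPT"
```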
### SFTP Rate Limiting

SFTP can be rate limited both for writes to disk and for network bandwidth:

```
max_speed_write_to_disk=2097152
max_download_speed=3145728
max_upload_speed=3145728
```

### SFTP Scratch Space

SFTP sometimes requires scratch space.

Scratch space defaults to the temp folder in /

```
tmpfolder=/
```