So you need to get files from your computer to your server, securely and easy. FTP is the solution in this case, but it's really important to setup SSL on it too! FTP without SSL is a bad setup, since passwords and files are sent in cleartext.
First of all we need OpenSSL and an FTP server. I like vsftpd because it's lightweight and easy to use.
To install vsftpd type:
apt-get install vsftpd, this should start installing the vsftpd package. If it asks you if you want to install it, type y and press enter.
Now, that vsftpd is installed, we can configure it. The configuration file is under /etc/vsftpd.conf.
Add/Change these lines in your configuration:
anonymous_enable=NO disable anonymous access, in FTP anonymous is a user without a password, so definitely disable thatlocal_enable=YES this will allow local users to login to the FTP server.write_enable=YES this will allow users to modify/upload files to the server, without this the server is basically read-onlychroot_local_users=YES this will restrict all users to their home directory, this is a good option, since even if our password gets stolen an attacker can't access the whole filesystemNow save & close this file.
This is good practice, since if the FTP user's password gets compromised, our main account stays untouched. It's also worth to put a different password on your FTP user to prevent attackers from logging in with the same password to every service.
So to create a new user type:
adduser secureftp, where secureftp is the name of our new user.
You'll be presented with prompts, like name, address, country code. You can fill them out, but you can just press enter on them and ignore it, this is up to you.
This is good, since we can restrict the FTP user to only one directory.
Let root take over the new ftp account:
chown root:root /home/secureftp, this will prevent secureftp from reading/writing to/from it's own home directory.
Next create a new directory in the ftp user's home folder:
mkdir /home/secureftp/ftp, this will create a new directory.
Give the ftp user full access to the ftp directory:
chown secureftp:secureftp /home/secureftp/ftp
So now the ftp client will only see the ftp directory!
Now that's all good and secure so far, but what about SSL.
First we need to generate the SSL keys for our FTP Server:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
This will ask similar questions as the adduser command did.
Important: You need the leave the password field empty, this is a self signed key, and it doesn't need a password, your key is still secure without a password, make sure you don't give your vsftpd.pem file to anyone.
Now we need to tell vsftpd to use our new keys.
Open /etc/vsftpd.conf and add/change the following lines:
ssl_enable=YES this will tell the server, that we can use SSLrsa_private_key_file=/etc/ssl/private/vsftpd.pem this will tell the server where to locate the private keyrsa_cert_file=/etc/ssl/private/vsftpd.pem this will tell the server where to locate the public key.Now SSL is added, but:
Force SSL connections:
allow_anon_ssl=NO, prevent anonymous users from connecting via SSLforce_local_data_ssl=YES, force authenticated users to send and receive data via SSLforce_local_logins_ssl=YES, force clients to send passwords via SSLrequire_ssl_reuse=NO, setting this to YES can break some FTP clients according to the manpage of vsftpdssl_ciphers=HIGH, this prevents the usage of weak or vulnerable ciphersSetup TLSv1:
ssl_tlsv1=YES, enable the TLSv1 protocolssl_sslv3=NO, disable the SSLv3 protocolssl_sslv2=NO, disable the SSLv2 protocolNow we have a fully configured FTP server with SSL enabled, we need to restart for the changes to take effect:
service vsftpd restart
We have a server, but we need a client that can upload and download files from the server too.
Open filezilla and follow the steps:
File > Site Manager... or press CTRL + SNew siteHost field21 to the Port fieldFTP - File Transfer ProtocolRequire explicit FTP over TLSAsk for passwordsecureftp (this is our ftp user on the server)Now our client is ready to go.
If you want to connected to your server, open Site Manager again, selected the site you've just added and press connect. You'll be prompted for the user's password, just type it in and click OK
Ok, so now we have a fully working file transfer solution, that is secure and easy to use. The only negative to it, is that only clients capable of SSL and TLS can connect now to our server. So a .bat file can't, because it only supports regular FTP connections.
Now go and upload some files to your server.