VSFTPD to back up multiple websites

As part of our web management service we also perform website backups in a timely manner, using our own FTP server. This guide describes how we configured VSFTPD (a well-known FTP server in Linux distros such as Ubuntu) to handle multiple websites.

Intro

For example, let’s say the website we develop is based on WordPress. There is a good free backup plugin called Backwpup, which we use to automate the backup process. The plugin offers several backup locations, including DropBox, Amazon, and FTP. We wanted to move to FTP because we would then have control of our data. This article describes how we set up our FTP server so that it is available over the Internet to back up the websites.

What is our case?

  1. There are multiple websites that need to be backed up
  2. We need a unique FTP account for each client/website
  3. FTP connections have to be secure
  4. We need to use a sub domain of a domain we own to point to the FTP server

Configuring the sub domain to point to our server

You can skip this part if you do not need a domain name to point to your FTP server over the Internet. You must own the domain name and be able to configure it, because we need to edit or add some DNS records. In our case we bought the domain name from namecheap. Our domain name is ‘creotex.com’, so let’s say I want to point the ‘ftp’ sub domain to our server; here’s how to do it. Please note that our server already has a static Internet IP address, so that is the address we point to. If you are using dynamic DNS, your configuration will be different.

In our case we have to add the desired sub domain and assign the IP address and record type as A (Address).

Sub Domain Name: ftp
IP Address: 999.999.999.999
Record Type: A(Address)

Save the changes. It will take some time for the changes to take effect.

Port Forwarding in the network router

Ok cool, now whoever calls our sub domain will be pointed to our Internet IP address. In other words, the request will reach the local network router. From there we must tell the router to send the FTP request data to the FTP server. Let’s say our VSFTPD server listens on port 900 for connections (this is the general port used in vsftpd for secure connections) and let’s say we configure our website to use port 21 to establish FTP connections with the server. So we need to tell the router that whoever talks to port 21 from the Internet should be sent to our server on port 900. That way our FTP server will receive the request. Port 20 is also required by VSFTPD to initiate a data connection, so this port has to be forwarded too.

We must also specify the local machine’s IP address along with port 900. Below is a diagram of the situation.

Note: It is recommended to set the machine’s local IP address to be static so that it does not change when the machine is restarted. [How To?]

[Diagram: ftp router configuration]

Installing VSFTPD

apt-get install vsftpd

With this command, the VSFTPD server should be installed on your Ubuntu machine. One of the reasons to use VSFTPD is that it lets either local users or virtual users log in. In our case we needed virtual users because we create a separate user for each website.

Note: Since a client can have more than one website, you can treat a virtual user as a client, or you can let each website be its own virtual user. The important thing is that each virtual user can be assigned a unique folder that acts as the root of his login, and whatever is inside that folder is accessible to that virtual user. With this in mind you can choose how to structure each virtual user’s unique folder.

Configuring VSFTPD

Folder Structure

Let’s first discuss the folder structure used to back up our sites. There should be a main folder that holds every virtual user’s backup data. We will call this ‘ftp’. In our case we have placed it at ‘/media/backup/ftp’. We will need this absolute path in the VSFTPD config file. Inside this folder a separate folder is created for each virtual user. The folder name must be equal to the username of the virtual user. So if there are virtual users with the usernames user1 and user2, we have to create these folders inside the ftp folder.

/media/backup/ftp/user1
/media/backup/ftp/user2

Once created, these folders must have limited permissions, because they are used as the root directories for each virtual user and VSFTPD does not allow write permission on root folders. To do that, use chown. For example, I will assign these folders to root.

sudo chown root:root /media/backup/ftp/user1

Note:

There is a config option to override this security feature and avoid changing permissions, but it is only available from VSFTPD version 3 upwards. It is:

allow_writeable_chroot=YES

Then we need to create further folders inside each of these root folders to hold the backups. In our case we create two folders called ‘website’ and ‘database’. The website folder will contain backups of the whole website along with its database. The other will contain only the database backups. This is because we back up the whole site weekly and the database daily. You can choose as you like.

Now the ‘website’ and ‘database’ folders must have read and write permissions. Let’s give the ownership to ftp.

sudo chown ftp:ftp /media/backup/ftp/user1/website
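
The folder layout described above can be scripted per virtual user. This is an added example, not part of the original guide: the function name provision_user, the 555/750 modes and the username check are assumptions, and the owner argument should be the account that guest logins run as.

```shell
#!/bin/sh
# Added example: build the per-user backup tree described in this guide.
# provision_user and its arguments are hypothetical names for illustration.

# provision_user BASE USER [OWNER]
# Creates BASE/USER as a non-writable chroot root, plus the writable
# upload folders BASE/USER/website and BASE/USER/database.
provision_user() {
    base=$1 user=$2 owner=${3:-ftp:ftp}

    # The username becomes part of local_root, so refuse anything
    # that could step outside BASE (slashes, dots, empty names).
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid username: $user" >&2; return 1 ;;
    esac

    root="$base/$user"
    mkdir -p "$root/website" "$root/database" || return 1

    # Chroot root: read and traverse only, nobody gets a write bit.
    chmod 555 "$root" || return 1
    # Upload folders: writable by their owner, readable by the group.
    chmod 750 "$root/website" "$root/database" || return 1

    # Ownership changes need root; an unprivileged dry run skips them.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$root" || return 1
        chown "$owner" "$root/website" "$root/database" || return 1
    fi
}
```

Run it as root once per virtual user, for example `provision_user /media/backup/ftp user1 ftp:ftp`.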

Create virtual users and authentication

We need to create a PAM file first. It tells VSFTPD where to look for user and authentication details. We create this file inside the ‘/etc/pam.d’ folder and call it vsftpd.virtual.

sudo gedit /etc/pam.d/vsftpd.virtual

Then append the following.

#%PAM-1.0
auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session    required     pam_loginuid.so

Note: vsftpd-virtual-user is the db file that we are now going to create; it holds the virtual users and their passwords.

To set up the vsftpd-virtual-user db, we must first create a text file that lists the users and passwords. Let’s place this file inside /etc/vsftpd.

sudo mkdir /etc/vsftpd
cd /etc/vsftpd
sudo gedit vusers.txt

The first line is for the username and the next line is for that user’s password. You can add other usernames and passwords in the same way.

user1
user1password
user2
user2password

Now this must be loaded into the db file. To create the db file we use the db_load program. If it’s not available you must install the db-util package.

sudo db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db
sudo chmod 600 vsftpd-virtual-user.db

Update vsftpd.conf file

Now we will edit the VSFTPD config file. It is placed in the /etc folder by default.

# Standalone server on port 990, no anonymous logins
listen=YES
listen_port=990
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
# TLS: certificate, key and enforcement for logins and data
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Virtual users, authenticated through the PAM file created above
guest_enable=YES
guest_username=vsftpd
virtual_use_local_privs=YES
pam_service_name=vsftpd.virtual
user_sub_token=$USER
local_root=/media/backup/ftp/$USER
# Passive mode data ports (forward these on the router)
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
pasv_address=99.99.99.99

All configuration options are listed here.
http://vsftpd.beasts.org/vsftpd_conf.html
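
Option names in this file are easy to mistype or repeat, and the secure behaviour depends on a handful of exact values. The check below is an added example, not part of the original guide or of vsftpd: the function name audit_vsftpd_conf and the policy of requiring each value to be set explicitly are assumptions.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings this guide uses.
# audit_vsftpd_conf is a hypothetical helper; pass the config file path.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_vsftpd_conf() {
    awk -F= '
    BEGIN {
        # Options used in this guide; anything else is reported as a likely typo.
        s = "listen listen_port anonymous_enable local_enable write_enable"
        s = s " chroot_local_user allow_writeable_chroot guest_enable"
        s = s " guest_username virtual_use_local_privs pam_service_name"
        s = s " user_sub_token local_root rsa_cert_file rsa_private_key_file"
        s = s " ssl_enable allow_anon_ssl force_local_data_ssl"
        s = s " force_local_logins_ssl ssl_tlsv1 ssl_sslv2 ssl_sslv3"
        s = s " pasv_enable pasv_min_port pasv_max_port pasv_address"
        n = split(s, names, " ")
        for (i = 1; i <= n; i++) known[names[i]] = 1
        # Values required for a TLS-only server with no anonymous access.
        want["anonymous_enable"] = "NO"; want["allow_anon_ssl"] = "NO"
        want["ssl_enable"] = "YES"; want["force_local_logins_ssl"] = "YES"
        want["force_local_data_ssl"] = "YES"
        want["ssl_sslv2"] = "NO"; want["ssl_sslv3"] = "NO"
    }
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
        key = $1; val = substr($0, length(key) + 2)
        if (!(key in known)) { print "line " NR ": unknown option " key; bad++ }
        if (key in seen)     { print "line " NR ": duplicate option " key; bad++ }
        seen[key] = val
    }
    END {
        for (k in want) {
            have = (k in seen) ? seen[k] : "unset"
            if (have != want[k]) { print k " must be " want[k] " (found: " have ")"; bad++ }
        }
        # The router forwards a fixed range, so both bounds must be set.
        lo = seen["pasv_min_port"] + 0; hi = seen["pasv_max_port"] + 0
        if (lo == 0 || hi == 0 || lo > hi) {
            print "pasv_min_port/pasv_max_port must bound the forwarded range"; bad++
        }
        exit (bad > 0)
    }' "$1"
}
```

Run it as `audit_vsftpd_conf /etc/vsftpd.conf` before restarting the service.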

Using SSL to secure FTP

By default VSFTPD will have a certificate used in the configuration. The certificate and its private key are configured with the following options.

rsa_cert_file
rsa_private_key_file

Using Passive mode FTP

Passive mode FTP can be enabled by using the pasv options in the configuration. Note that for the data connections we are using a selected set of ports (10090 – 10100). These ports need to be forwarded from the router to the FTP server machine. [More about Passive Mode]

 

Summary

Setting up VSFTPD might be hard, so I hope this guide will help someone.

 

 
