Thursday, July 7, 2016

Creating an FTP server on AWS with Centos

So I needed a micro server that would host files for a VERY dumb FTP server. The use case was simple: protect our production server while opening up FTP access for one specific client to one specific set of files. On my production server, I'll set up an rsync with a cron job, and I'll be all set.

What I found, however, was a configuration nightmare. OK, truly, it wasn't that bad, but my inexperience with setting up FTP servers really became a bottleneck. So for future reference, and for anyone attempting the same, here are the steps I came up with, after much trial and error.

  1. Create your EC2 instance:
    1. In my case, I used "CentOS 7 (x86_64) - with Updates HVM" from the marketplace, as it is my go-to AMI.
    2. I selected a t2.nano, as I know the traffic to this server will be minimal.
    3. I chose the correct VPC and a public subnet (one with a route to an internet gateway) so the instance is reachable from outside.
    4. I then chose a moderately sized magnetic volume, as I know the load will be minimal.
    5. For security groups, I have configured a security group for each use case. This lets me add and remove security groups on each server as needed, and the list of attached groups shows at a glance what has been opened. Here I attached my internal group, an FTP group for port 21 (the control connection; port 20 is only used by active-mode data connections, which this passive-mode setup does not need inbound), and an FTP - pasv group for the passive data port range selected in step 2.4 below. Since only one client needs access, restrict the source of both FTP rules to that client's IP range rather than 0.0.0.0/0: with a chrooted local user and a cleartext FTP password, the security group is the main thing standing between the internet and the account. If you need SSH, port 22 goes in its own rule; in my case that is built into my internal group.
    6. Next I added my SSH key pair and launched the server.
    7. Then I added an Elastic IP address so that I can easily swap instances if needed.
    8. Finally, I added a DNS record pointing to the Elastic IP.
  2. Configure your instance:
    1. SSH into your instance and give yourself root access: sudo su
    2. Update the server: yum -y update
    3. Install vsftpd: yum -y install vsftpd
    4. Configure vsftpd by editing /etc/vsftpd/vsftpd.conf. Set the following options, changing any that already appear earlier in the file rather than leaving two copies; replace the min/max ports with the range you opened in the security group, and pasv_address with the Elastic IP you assigned above. The Elastic IP is needed because the instance only sees its private VPC address: without pasv_address, vsftpd advertises that private address in its PASV reply and the client's data connection never arrives, so logins succeed but directory listings hang.
         anonymous_enable=NO
         local_enable=YES
         chroot_local_user=YES
         pasv_enable=YES
         pasv_min_port=1224
         pasv_max_port=1248
         pasv_address=xxx.xxx.xxx.xxx
    5. Add a local FTP user with no login shell: useradd -d /home/ftpuser -s /sbin/nologin ftpuser. The PAM stack vsftpd uses on CentOS (/etc/pam.d/vsftpd) includes pam_shells, so the login shell must be listed in /etc/shells; check with grep nologin /etc/shells and add /sbin/nologin if it is missing, or the client gets "530 Login incorrect" despite a correct password.
    6. Set the password: passwd ftpuser. FTP sends this password in the clear on every login, so treat it as low-value and keep the security group locked to the client's address.
    7. You could stop there, but with chroot_local_user=YES the home directory becomes the root of the chroot, and vsftpd 3.x refuses a writable chroot root with: "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
      1. To fix that, remove write permission from the home directory: chmod a-w /home/ftpuser. Since the client only needs to read, put the published files in a subdirectory under the home that rsync writes into. Do not reach for allow_writeable_chroot=YES, which disables the check instead of fixing the layout.
      2. Then let SELinux allow vsftpd into the home directory: setsebool -P ftp_home_dir 1. This is the narrow boolean for serving users' home directories; the post originally used setsebool -P allow_ftpd_full_access 1 (the boolean is named ftpd_full_access on CentOS 7, with the old name kept as an alias), which also works but grants vsftpd read/write access to the whole filesystem.
      3. Enable and start the service: systemctl enable vsftpd && systemctl start vsftpd. If firewalld is active on your image (firewall-cmd --state), also open the ftp service and the passive port range there; the security group alone is not enough in that case.


That should be it! In my case I also set up an rsync script in my production server's crontab to populate the files onto the FTP server.
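The steps above as one script, added here as an example and not part of the original post: it validates the passive range and the Elastic IP before writing the vsftpd settings, prints the two security-group rules limited to the client's CIDR, and includes a check for the PASV reply, since a missing pasv_address is the failure that shows up only once the client tries a directory listing. The user name, the 1224-1248 range, the files/ subdirectory, CLIENT_CIDR and the security-group id are assumptions; vsftpd's option names, the CentOS paths and the AWS CLI flags are real. The apply step is only run when the script is invoked with the argument apply, as root, on the instance.

```shell
#!/bin/sh
# Added example (not from the original post): the post's manual steps as one
# script, plus two checks. Apply on the instance as root with
#   ELASTIC_IP=<your EIP> sh ftp-setup.sh apply
# Assumed values: the user name, passive range, CLIENT_CIDR and the files/
# subdirectory. Only vsftpd's option names and the CentOS paths are real.
set -eu

FTP_USER="${FTP_USER:-ftpuser}"
PASV_MIN="${PASV_MIN:-1224}"
PASV_MAX="${PASV_MAX:-1248}"
ELASTIC_IP="${ELASTIC_IP:-}"        # vsftpd must advertise this, not the private IP
VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    _oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# The passive data ports must be an ascending, unprivileged range; it is the
# same range the "FTP - pasv" security group opens.
valid_pasv_range() {
    for _p in "$1" "$2"; do case $_p in ''|*[!0-9]*) return 1 ;; esac; done
    [ "$1" -gt 1023 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# The settings from the post, plus write_enable=NO: the FTP client only reads,
# rsync over SSH does the writing.
render_vsftpd_conf() {
    valid_ipv4 "$1" || { echo "pasv_address must be the Elastic IP, got '$1'" >&2; return 1; }
    valid_pasv_range "$2" "$3" || { echo "bad passive range $2-$3" >&2; return 1; }
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=NO \
        chroot_local_user=YES pasv_enable=YES "pasv_min_port=$2" \
        "pasv_max_port=$3" "pasv_address=$1"
}

# Ingress the security group needs: port 21 and the passive range, both limited
# to the client's CIDR rather than 0.0.0.0/0 (printed, not executed).
sg_ingress_commands() {
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 21 --cidr %s\n' "$1" "$2"
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s-%s --cidr %s\n' \
        "$1" "$PASV_MIN" "$PASV_MAX" "$2"
}

# Check a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, e.g. captured
# with: printf 'USER u\r\nPASS p\r\nPASV\r\nQUIT\r\n' | nc EIP 21
# The host must be the Elastic IP ($2), not the private VPC address, and
# p1*256+p2 must lie inside the opened range; otherwise listings hang.
pasv_reply_ok() {
    _eip=$2
    _tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    _oldifs=$IFS; IFS=,; set -f; set -- $_tuple; set +f; IFS=$_oldifs
    [ $# -eq 6 ] || return 1
    for _n in "$@"; do case $_n in ''|*[!0-9]*) return 1 ;; esac; done
    [ "$1.$2.$3.$4" = "$_eip" ] || return 1
    _port=$(( $5 * 256 + $6 ))
    [ "$_port" -ge "$PASV_MIN" ] && [ "$_port" -le "$PASV_MAX" ]
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    yum -y install vsftpd
    _tmp=$(mktemp)
    # Drop earlier assignments of the keys we manage so ours are unambiguous.
    grep -Ev '^(anonymous_enable|local_enable|write_enable|chroot_local_user|pasv_enable|pasv_min_port|pasv_max_port|pasv_address)=' \
        "$VSFTPD_CONF" >"$_tmp" || true
    render_vsftpd_conf "$ELASTIC_IP" "$PASV_MIN" "$PASV_MAX" >>"$_tmp"
    install -m 600 -o root -g root "$_tmp" "$VSFTPD_CONF"; rm -f "$_tmp"
    id "$FTP_USER" >/dev/null 2>&1 || useradd -d "/home/$FTP_USER" -s /sbin/nologin "$FTP_USER"
    # /etc/pam.d/vsftpd uses pam_shells: the nologin shell must be in /etc/shells.
    grep -qx /sbin/nologin /etc/shells || echo /sbin/nologin >>/etc/shells
    # vsftpd refuses a writable chroot root; keep it read-only and give rsync a
    # root-owned subdirectory (assumed layout) to fill.
    chmod a-w "/home/$FTP_USER"
    mkdir -p "/home/$FTP_USER/files"; chown root:root "/home/$FTP_USER/files"; chmod 755 "/home/$FTP_USER/files"
    # ftp_home_dir covers a read-only home; ftpd_full_access grants far more.
    setsebool -P ftp_home_dir 1
    systemctl enable vsftpd; systemctl restart vsftpd
    echo "Set the client's password now: passwd $FTP_USER"
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it without arguments to load the functions only, for instance `. ./ftp-setup.sh; sg_ingress_commands sg-0123456789abcdef0 198.51.100.0/24` to print the rules to paste, or pipe a captured 227 line into pasv_reply_ok with the Elastic IP to confirm the server is not advertising its 172.31.x.x address.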