Archive for April 25, 2016

Happy Path Chef: How to Set up VSFTPD with Chef on CentOS 6

Automated Infrastructure vs. Manual Infrastructure

There are many tutorials about how to configure a VSFTPD server by hand. However, manual infrastructure is neither easy to replicate nor easy to document. If you create a server with Chef or another infrastructure-as-code tool, you can reproduce it in a fraction of the time it would take to do by hand. Organizations' infrastructure must change quickly while remaining flexible and reliable to meet market demands, and that makes automated infrastructure a necessity.

FTP servers let you send and retrieve files from anywhere. This tutorial walks through the first iteration of a VSFTPD server for QA testing and validation that is considerably more secure than the anonymous default. The server is a building block for more automated testing, and it makes any manual testing faster and more reliable. Bear in mind that plain FTP sends credentials and file contents in cleartext; this iteration does not turn on TLS (vsftpd's ssl_enable), so keep it on a private network. The final version of this server should be a huge timesaver for our QA Team 🙂

Requirements:

  • Set up a VSFTPD server with client-side access.
  • Login as a specific user.
  • Upload, download, and view files.

Your Toolbox

  • FTP Client application. (I like Cyberduck, the UI is nice)
  • Vagrant and Virtualbox.

Your Cookbooks

You will need the following cookbooks for this server: the selinux cookbook (for the selinux::permissive recipe) and the vsftpd cookbook.

Put these in your chef/cookbooks directory. Note that selinux::permissive stops SELinux enforcing for the whole node; a tighter alternative is to keep enforcing and switch on the ftp_home_dir boolean, which is what vsftpd needs to serve users' home directories.

Getting Started

The first step is to get the cookbooks installed on our CentOS 6 machine.

On your workstation, in your chef-repo directory (the VM is assumed to be bootstrapped already as node vsftpd-demo), enter:

$ EDITOR=vim knife node edit vsftpd-demo

This opens the node object as JSON in vim. Set up an initial run_list with the two cookbooks:

"run_list": [
  "recipe[selinux::permissive]",
  "recipe[vsftpd]"
]

Save and quit; knife uploads the edited node object to the Chef server.

On your virtual machine, enter:

$ sudo chef-client

Check your Progress in Cyberduck

After this run the server accepts anonymous logins. For security purposes we want a named user, not anonymous, to log into its own home directory to view, upload, and download files, so the next step is to adjust the vsftpd configuration and move past this insecure anonymous version.

Configure VSFTPD with Attributes

Navigate to vsftpd/attributes/default.rb in your text editor or IDE. This is not the configuration file itself; it is where Chef gets the values it renders into /etc/vsftpd/vsftpd.conf. (Editing the community cookbook in place is fine for a demo; for anything you intend to keep, override these attributes from a wrapper cookbook or a role so that upgrading the cookbook does not throw your changes away.)

To get all of this ready on the vsftpd side, set the default['vsftpd']['config'] section of attributes/default.rb like this:

default['vsftpd']['config'] = {
  'port_enable' => 'YES',             # allow active (PORT) data connections
  'anonymous_enable' => 'NO',         # no anonymous logins
  'local_enable' => 'YES',            # system accounts may log in
  'chroot_local_user' => 'YES',       # confine each user to its home directory
  'write_enable' => 'YES',
  'ascii_upload_enable' => 'YES',
  'ascii_download_enable' => 'YES',
  'local_umask' => '022',
  'dirmessage_enable' => 'YES',
  'connect_from_port_20' => 'YES',
  'listen' => 'YES',                  # standalone daemon rather than xinetd
  'background' => 'YES',
  'pam_service_name' => 'vsftpd',
  'userlist_enable' => 'YES',         # deny the accounts listed in /etc/vsftpd/user_list
  'tcp_wrappers' => 'YES',
  'use_localtime' => 'YES',
  'pasv_enable' => 'YES',
  'pasv_min_port' => '50624',         # passive data ports; open this range on the firewall
  'pasv_max_port' => '50744',
  'pasv_address' => node['ipaddress'] # address advertised in PASV replies
}

The original attribute block listed pasv_address twice, once with the value YES. In a Ruby hash literal the last entry wins, so the IP address survived, but the stray line is dropped here because vsftpd needs an address in that setting. One caveat for anyone porting this beyond CentOS 6: the vsftpd 2.2.x that CentOS 6 ships accepts chroot_local_user=YES with a writable home directory, but vsftpd 3.x refuses to start a session that way ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless you set allow_writeable_chroot=YES or make the chroot root read-only.

Save the file, then from your chef-repo directory on the workstation upload the changed cookbook:

knife cookbook upload vsftpd

and run sudo chef-client on the virtual machine again so that the node renders the new vsftpd.conf.
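To see what the attribute block actually produces, here is an added example (my own, not code from the original post or from the vsftpd cookbook). It renders a Chef attribute hash into vsftpd.conf lines the way the cookbook's template does, one key=value per line, parses such a file back, and lints the settings this post changes: the anonymous login the first chef-client run leaves enabled, the missing chroot, the passive port range, and a pasv_address that is not an IP address. The three sample configurations are constructed for the example, the 192.168.33.10 address is an assumed Vagrant private-network IP, and the lint only evaluates keys present in the file (vsftpd's compiled-in defaults are not modelled).

```ruby
# Added example, not code from the original post or the vsftpd cookbook.
# Renders a Chef attribute hash to vsftpd.conf text, parses it back, and lints
# the settings the post is concerned with. Sample configs are constructed.

# Render a Chef attribute hash the way the cookbook writes /etc/vsftpd/vsftpd.conf.
def render_vsftpd_conf(attrs)
  attrs.map { |key, value| "#{key}=#{value}" }.join("\n") + "\n"
end

# Parse vsftpd.conf text. Returns [config_hash, duplicate_keys]. For a duplicate
# key the last value wins, as in vsftpd and in a Ruby hash literal, so
# duplicates are reported instead of being resolved silently.
def parse_vsftpd_conf(text)
  config = {}
  duplicates = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    raise ArgumentError, "malformed line: #{line.inspect}" if value.nil?
    duplicates << key if config.key?(key)
    config[key] = value
  end
  [config, duplicates]
end

IPV4 = /\A(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\z/

# Settings to review before exposing the server. Only keys present in the file
# are evaluated; vsftpd's compiled-in defaults are not modelled here.
def lint_vsftpd(config)
  yes = ->(key) { config[key].to_s.upcase == 'YES' }
  findings = []
  findings << 'anonymous_enable=YES: anonymous logins are accepted' if yes['anonymous_enable']
  findings << 'anon_upload_enable=YES: anonymous users can write' if yes['anon_upload_enable']
  if yes['local_enable'] && !yes['chroot_local_user']
    findings << 'local_enable=YES without chroot_local_user=YES: users can browse the whole filesystem'
  end
  findings << 'ssl_enable is not YES: passwords and data cross the network in cleartext' unless yes['ssl_enable']
  if config.key?('pasv_address') && !yes['pasv_addr_resolve'] && config['pasv_address'] !~ IPV4
    findings << "pasv_address=#{config['pasv_address']} is not an IPv4 address (set pasv_addr_resolve=YES to use a hostname)"
  end
  if yes['pasv_enable']
    lo = config['pasv_min_port'].to_i
    hi = config['pasv_max_port'].to_i
    findings << 'pasv_enable=YES without a valid pasv_min_port..pasv_max_port range' if lo.zero? || hi.zero? || lo > hi
  end
  findings
end

# Constructed: the anonymous-login layout the first chef-client run leaves behind.
STOCK_CONF = <<~CONF
  anonymous_enable=YES
  local_enable=YES
  write_enable=YES
  local_umask=022
  dirmessage_enable=YES
  xferlog_enable=YES
  connect_from_port_20=YES
  listen=YES
  pam_service_name=vsftpd
  userlist_enable=YES
  tcp_wrappers=YES
CONF

# Constructed: the keys this post sets, with an assumed Vagrant private-network IP.
HARDENED_ATTRS = {
  'anonymous_enable' => 'NO',
  'local_enable' => 'YES',
  'chroot_local_user' => 'YES',
  'write_enable' => 'YES',
  'local_umask' => '022',
  'listen' => 'YES',
  'pam_service_name' => 'vsftpd',
  'userlist_enable' => 'YES',
  'pasv_enable' => 'YES',
  'pasv_min_port' => '50624',
  'pasv_max_port' => '50744',
  'pasv_address' => '192.168.33.10' # assumed, not from the post
}

# Constructed: both pasv_address lines from the post's original attribute
# block, ordered so that the typo is the value that wins.
TYPO_CONF = "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n" \
            "pasv_enable=YES\npasv_min_port=50624\npasv_max_port=50744\n" \
            "pasv_address=192.168.33.10\npasv_address=YES\n"

# Duplicate-key warnings followed by the lint findings, as plain strings.
def report(text)
  config, duplicates = parse_vsftpd_conf(text)
  duplicates.map { |key| "duplicate key #{key}: last value wins" } + lint_vsftpd(config)
end

if __FILE__ == $PROGRAM_NAME
  samples = { 'stock' => STOCK_CONF, 'hardened' => render_vsftpd_conf(HARDENED_ATTRS), 'typo' => TYPO_CONF }
  samples.each do |name, text|
    puts "== #{name}"
    report(text).each { |finding| puts "  #{finding}" }
  end
end
```

Run it against the node's real file with report(File.read('/etc/vsftpd/vsftpd.conf')) to get the same report for the deployed configuration. The one finding left on the hardened config, ssl_enable, is the cleartext caveat from earlier: vsftpd can do FTPS, but this iteration does not enable it.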

Check Yourself in Cyberduck

Open Cyberduck and try logging in as vagrant with the password 'vagrant'. Set the 'Connect' dropdown to 'Active'. Passive mode is enabled in the configuration too, but pasv_address is taken from node['ipaddress'], the address of the VM's default interface, which under Vagrant is usually the NAT address (10.0.2.15) that your host cannot connect to, so passive data connections from the host fail; active mode sidesteps that for the demo.

Now you can view, upload and download files as the vagrant user, which is a step closer to our requirements.

Create a User

Although vagrant is a specific user, it is not a secret one: the standard vagrant password is well known. Let's create another user with Chef.

Add the following lines to the recipes/default.rb file. The user comes first because the directory resource names it as owner and Chef converges resources in the order they are written; and the password property takes a shadow hash, not the cleartext password, so the demo password is hashed on the node rather than written in the clear:

# Create the FTP-only user before anything refers to it.
user 'ftpdemo' do
  comment 'FTP Demo User'
  home '/home/ftpdemo'
  manage_home true               # `supports :manage_home => true` on older Chef 12 clients
  # vsftpd authenticates through PAM, whose vsftpd stack includes pam_shells,
  # so the shell must be listed in /etc/shells. /sbin/nologin is listed on
  # CentOS 6 and would keep the account FTP-only.
  shell '/bin/bash'
  # `password` is a shadow hash. The demo password is hashed with SHA-512
  # crypt here; for anything real, generate the hash once and keep it in an
  # encrypted data bag rather than in the recipe.
  password 'ftpdemopass'.crypt('$6$vsftpddemo$')
end

# Home directory the user is chrooted into; mode 0755 keeps it world-readable
# but writable only by ftpdemo.
directory '/home/ftpdemo' do
  owner 'ftpdemo'
  group 'ftpdemo'
  mode '0755'
  action :create
end

On your local machine, run:

$ knife cookbook upload vsftpd

Run sudo chef-client again in the virtual machine.
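The password line in the recipe above deserves a closer look, because Chef's user resource expects a shadow hash in password, not the cleartext value. The following is an added example, not code from the original post: it produces a SHA-512 crypt hash (the scheme CentOS 6 uses in /etc/shadow) for the demo password, verifies a candidate against it the same way pam_unix does, and shows why the cleartext value would never have matched. It relies on glibc's crypt(3) through Ruby's String#crypt, so run it on Linux; the salt 'vsftpddemo' and the random_salt helper are mine. For a real deployment, generate the hash once (openssl passwd -6 does the same thing) and keep it in an encrypted data bag rather than in the recipe.

```ruby
# Added example, not code from the original post. Generates and verifies the
# SHA-512 crypt hash that Chef's user resource expects in `password`.
# Needs glibc crypt(3) (Linux); the demo password comes from the post,
# the salt and helpers are assumptions made for this example.
require 'securerandom'

# crypt(3) salt alphabet.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Random salt of the maximum length SHA-512 crypt allows.
def random_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Build a "$6$<salt>$<hash>" string suitable for `password` in a user resource
# or for pasting into /etc/shadow.
def shadow_hash(password, salt = random_salt)
  raise ArgumentError, 'salt must be 1..16 chars from [a-zA-Z0-9./]' unless salt =~ %r{\A[a-zA-Z0-9./]{1,16}\z}
  hash = password.crypt("$6$#{salt}$")
  # Platforms without SHA-512 crypt fall back to DES and return a 13-character
  # string; refuse rather than hand back a weak hash.
  raise 'crypt(3) here does not support $6$ (SHA-512); run this on Linux' unless hash.start_with?("$6$#{salt}$")
  hash
end

# pam_unix verifies a login by re-running crypt with the stored hash as the
# salt argument and comparing; crypt(3) reads the "$6$<salt>$" prefix and
# ignores the rest.
def password_matches?(candidate, stored_hash)
  candidate.crypt(stored_hash) == stored_hash
end

# What the cleartext value in the original recipe does: it lands verbatim in
# /etc/shadow, and crypt of the password never reproduces it, so login fails.
def cleartext_in_shadow_works?(password)
  password_matches?(password, password)
end

if __FILE__ == $PROGRAM_NAME
  hash = shadow_hash('ftpdemopass')
  puts "password '#{hash}'   # paste into the user resource"
  puts "verifies: #{password_matches?('ftpdemopass', hash)}"
  puts "cleartext in shadow would verify: #{cleartext_in_shadow_works?('ftpdemopass')}"
end
```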

Check yourself, again

Open Cyberduck and log in as user 'ftpdemo'.

You should be able to upload, download and view files as user ftpdemo.

Check in the browser at 'ftp://<ipaddress>' and log in again as ftpdemo. You should see the same files. We're wrapping things up at this point.

Create a Chef Role

Now, we want to integrate these two recipes into a role. This makes replication in the future much simpler.

Create a file in the roles directory called vsftpd-demo.rb. In the role Ruby DSL, run_list is a method call: writing run_list = [...] only assigns a local variable and leaves the role's run list empty, and env_run_lists("_default" => []) would reset the default run list to empty as well, so neither belongs here. The file should look like this:

name "vsftpd-demo"
description "role to install and configure basic VSFTPD daemon for demo"
run_list(
  "recipe[selinux::permissive]",
  "recipe[vsftpd]"
)

Upload the new role from your chef-repo directory with this command:

knife role from file vsftpd-demo.rb

Edit the node object again with EDITOR=vim knife node edit vsftpd-demo on your workstation and replace the two recipes in the run_list with the role:

"run_list": [
  "role[vsftpd-demo]"
]

Run sudo chef-client in the virtual machine.

Cyberduck will allow you to upload, download and view files, while the browser should only allow you to download and view files.

Congratulations! You just Cheffed FTP!