Remove FTP support - SFTP is the future
This commit is contained in:
Daniel Winzen
@ -33,7 +33,7 @@ echo "deb https://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /
|
||||
|
||||
The following command will install all required packages:
|
||||
```
|
||||
apt-get --no-install-recommends install apt-transport-tor brotli bzip2 clamav-daemon clamav-freshclam clamav-milter curl dovecot-imapd dovecot-pop3d git dnsmasq hardlink haveged iptables libsasl2-modules locales locales-all logrotate mariadb-server nano nodejs postfix postfix-mysql quota quotatool rsync ssh subversion tor unzip vim vsftpd wget xz-utils zip zopfli
|
||||
apt-get --no-install-recommends install apt-transport-tor brotli bzip2 clamav-daemon clamav-freshclam clamav-milter curl dovecot-imapd dovecot-pop3d git dnsmasq hardlink haveged iptables libsasl2-modules locales locales-all logrotate mariadb-server nano nodejs postfix postfix-mysql quota quotatool rsync ssh subversion tor unzip vim wget xz-utils zip zopfli
|
||||
```
|
||||
The following command will install all required build dependencies for nginx and php:
|
||||
```
|
||||
|
||||
@ -1,10 +0,0 @@
|
||||
# Standard behaviour for ftpd(8).
|
||||
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
|
||||
|
||||
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
|
||||
|
||||
# Standard pam includes
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-auth
|
||||
#auth required pam_shells.so
|
||||
@ -39,7 +39,7 @@ iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
|
||||
)done
|
||||
#restrict local communication for php and webserver
|
||||
#allowed tcp ports
|
||||
for port in 3306 9040 9050 110 143 25 21 5000:5050 53; do(
|
||||
for port in 3306 9040 9050 110 143 25 22 53; do(
|
||||
iptables -A OUTPUT -d 127.0.0.0/8 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT;
|
||||
ip6tables -A OUTPUT -d ::1 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT
|
||||
)done
|
||||
|
||||
@ -6,58 +6,6 @@ HiddenServicePort 25
|
||||
HiddenServicePort 143
|
||||
HiddenServicePort 110
|
||||
HiddenServicePort 22
|
||||
HiddenServicePort 21
|
||||
HiddenServicePort 5000
|
||||
HiddenServicePort 5001
|
||||
HiddenServicePort 5002
|
||||
HiddenServicePort 5003
|
||||
HiddenServicePort 5004
|
||||
HiddenServicePort 5005
|
||||
HiddenServicePort 5006
|
||||
HiddenServicePort 5007
|
||||
HiddenServicePort 5008
|
||||
HiddenServicePort 5009
|
||||
HiddenServicePort 5010
|
||||
HiddenServicePort 5011
|
||||
HiddenServicePort 5012
|
||||
HiddenServicePort 5013
|
||||
HiddenServicePort 5014
|
||||
HiddenServicePort 5015
|
||||
HiddenServicePort 5016
|
||||
HiddenServicePort 5017
|
||||
HiddenServicePort 5018
|
||||
HiddenServicePort 5019
|
||||
HiddenServicePort 5020
|
||||
HiddenServicePort 5021
|
||||
HiddenServicePort 5022
|
||||
HiddenServicePort 5023
|
||||
HiddenServicePort 5024
|
||||
HiddenServicePort 5025
|
||||
HiddenServicePort 5026
|
||||
HiddenServicePort 5027
|
||||
HiddenServicePort 5028
|
||||
HiddenServicePort 5029
|
||||
HiddenServicePort 5030
|
||||
HiddenServicePort 5031
|
||||
HiddenServicePort 5032
|
||||
HiddenServicePort 5033
|
||||
HiddenServicePort 5034
|
||||
HiddenServicePort 5035
|
||||
HiddenServicePort 5036
|
||||
HiddenServicePort 5037
|
||||
HiddenServicePort 5038
|
||||
HiddenServicePort 5039
|
||||
HiddenServicePort 5040
|
||||
HiddenServicePort 5041
|
||||
HiddenServicePort 5042
|
||||
HiddenServicePort 5043
|
||||
HiddenServicePort 5044
|
||||
HiddenServicePort 5045
|
||||
HiddenServicePort 5046
|
||||
HiddenServicePort 5047
|
||||
HiddenServicePort 5048
|
||||
HiddenServicePort 5049
|
||||
HiddenServicePort 5050
|
||||
HiddenServiceVersion 3
|
||||
HiddenServiceNumIntroductionPoints 5
|
||||
HiddenServiceEnableIntroDoSDefense 1
|
||||
|
||||
161
etc/vsftpd.conf
161
etc/vsftpd.conf
@ -1,161 +0,0 @@
|
||||
# Example config file /etc/vsftpd.conf
|
||||
#
|
||||
# The default compiled in settings are fairly paranoid. This sample file
|
||||
# loosens things up a bit, to make the ftp daemon more usable.
|
||||
# Please see vsftpd.conf.5 for all compiled in defaults.
|
||||
#
|
||||
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
|
||||
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
|
||||
# capabilities.
|
||||
#
|
||||
#
|
||||
# Run standalone? vsftpd can run either from an inetd or as a standalone
|
||||
# daemon started from an initscript.
|
||||
listen=YES
|
||||
#listen=0.0.0.0
|
||||
#
|
||||
# This directive enables listening on IPv6 sockets. By default, listening
|
||||
# on the IPv6 "any" address (::) will accept connections from both IPv6
|
||||
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
|
||||
# sockets. If you want that (perhaps because you want to listen on specific
|
||||
# addresses) then you must run two copies of vsftpd with two configuration
|
||||
# files.
|
||||
listen_ipv6=NO
|
||||
#
|
||||
# Allow anonymous FTP? (Disabled by default).
|
||||
anonymous_enable=NO
|
||||
#
|
||||
# Uncomment this to allow local users to log in.
|
||||
local_enable=YES
|
||||
#
|
||||
# Uncomment this to enable any form of FTP write command.
|
||||
write_enable=YES
|
||||
#
|
||||
# Default umask for local users is 077. You may wish to change this to 022,
|
||||
# if your users expect that (022 is used by most other ftpd's)
|
||||
local_umask=022
|
||||
#
|
||||
# Uncomment this to allow the anonymous FTP user to upload files. This only
|
||||
# has an effect if the above global write enable is activated. Also, you will
|
||||
# obviously need to create a directory writable by the FTP user.
|
||||
#anon_upload_enable=YES
|
||||
#
|
||||
# Uncomment this if you want the anonymous FTP user to be able to create
|
||||
# new directories.
|
||||
#anon_mkdir_write_enable=YES
|
||||
#
|
||||
# Activate directory messages - messages given to remote users when they
|
||||
# go into a certain directory.
|
||||
dirmessage_enable=YES
|
||||
#
|
||||
# If enabled, vsftpd will display directory listings with the time
|
||||
# in your local time zone. The default is to display GMT. The
|
||||
# times returned by the MDTM FTP command are also affected by this
|
||||
# option.
|
||||
use_localtime=YES
|
||||
#
|
||||
# Activate logging of uploads/downloads.
|
||||
xferlog_enable=NO
|
||||
#
|
||||
# Make sure PORT transfer connections originate from port 20 (ftp-data).
|
||||
connect_from_port_20=YES
|
||||
#
|
||||
# If you want, you can arrange for uploaded anonymous files to be owned by
|
||||
# a different user. Note! Using "root" for uploaded files is not
|
||||
# recommended!
|
||||
#chown_uploads=YES
|
||||
#chown_username=whoever
|
||||
#
|
||||
# You may override where the log file goes if you like. The default is shown
|
||||
# below.
|
||||
#xferlog_file=/var/log/vsftpd.log
|
||||
#
|
||||
# If you want, you can have your log file in standard ftpd xferlog format.
|
||||
# Note that the default log file location is /var/log/xferlog in this case.
|
||||
#xferlog_std_format=YES
|
||||
#
|
||||
# You may change the default value for timing out an idle session.
|
||||
#idle_session_timeout=600
|
||||
#
|
||||
# You may change the default value for timing out a data connection.
|
||||
#data_connection_timeout=120
|
||||
#
|
||||
# It is recommended that you define on your system a unique user which the
|
||||
# ftp server can use as a totally isolated and unprivileged user.
|
||||
nopriv_user=ftp
|
||||
#
|
||||
# Enable this and the server will recognise asynchronous ABOR requests. Not
|
||||
# recommended for security (the code is non-trivial). Not enabling it,
|
||||
# however, may confuse older FTP clients.
|
||||
#async_abor_enable=YES
|
||||
#
|
||||
# By default the server will pretend to allow ASCII mode but in fact ignore
|
||||
# the request. Turn on the below options to have the server actually do ASCII
|
||||
# mangling on files when in ASCII mode.
|
||||
# Beware that on some FTP servers, ASCII support allows a denial of service
|
||||
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
|
||||
# predicted this attack and has always been safe, reporting the size of the
|
||||
# raw file.
|
||||
# ASCII mangling is a horrible feature of the protocol.
|
||||
#ascii_upload_enable=YES
|
||||
#ascii_download_enable=YES
|
||||
#
|
||||
# You may fully customise the login banner string:
|
||||
#ftpd_banner=Welcome to blah FTP service.
|
||||
#
|
||||
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
|
||||
# useful for combatting certain DoS attacks.
|
||||
#deny_email_enable=YES
|
||||
# (default follows)
|
||||
#banned_email_file=/etc/vsftpd.banned_emails
|
||||
#
|
||||
# You may restrict local users to their home directories. See the FAQ for
|
||||
# the possible risks in this before using chroot_local_user or
|
||||
# chroot_list_enable below.
|
||||
chroot_local_user=YES
|
||||
#
|
||||
# You may specify an explicit list of local users to chroot() to their home
|
||||
# directory. If chroot_local_user is YES, then this list becomes a list of
|
||||
# users to NOT chroot().
|
||||
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
|
||||
# the user does not have write access to the top level directory within the
|
||||
# chroot)
|
||||
#chroot_local_user=YES
|
||||
#chroot_list_enable=YES
|
||||
# (default follows)
|
||||
#chroot_list_file=/etc/vsftpd.chroot_list
|
||||
#
|
||||
# You may activate the "-R" option to the builtin ls. This is disabled by
|
||||
# default to avoid remote users being able to cause excessive I/O on large
|
||||
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
|
||||
# the presence of the "-R" option, so there is a strong case for enabling it.
|
||||
#ls_recurse_enable=YES
|
||||
#
|
||||
# Customization
|
||||
#
|
||||
# Some of vsftpd's settings don't fit the filesystem layout by
|
||||
# default.
|
||||
#
|
||||
# This option should be the name of a directory which is empty. Also, the
|
||||
# directory should not be writable by the ftp user. This directory is used
|
||||
# as a secure chroot() jail at times vsftpd does not require filesystem
|
||||
# access.
|
||||
secure_chroot_dir=/run/vsftpd/empty
|
||||
#
|
||||
# This string is the name of the PAM service vsftpd will use.
|
||||
pam_service_name=vsftpd
|
||||
#
|
||||
# This option specifies the location of the RSA certificate to use for SSL
|
||||
# encrypted connections.
|
||||
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
ssl_enable=NO
|
||||
|
||||
#
|
||||
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
|
||||
utf8_filesystem=YES
|
||||
|
||||
pasv_min_port=5000
|
||||
pasv_max_port=5050
|
||||
pasv_promiscuous=YES
|
||||
force_dot_files=YES
|
||||
@ -10,8 +10,8 @@ const CAPTCHA=1; // Captcha difficulty (0=off, 1=simple, 2=moderate, 3=extreme)
|
||||
const ADDRESS='dhosting4xxoydyaivckq7tsmtgi4wfs3flpeyitekkmqwu4v4r46syd.onion'; // our own address
|
||||
const CANONICAL_URL='https://hosting.danwin1210.me'; // our preferred domain for search engines
|
||||
const SERVERS=[ //servers and ports we are running on
|
||||
'dhosting4xxoydyaivckq7tsmtgi4wfs3flpeyitekkmqwu4v4r46syd.onion'=>['sftp'=>22, 'ftp'=>21, 'pop3'=>'110', 'imap'=>'143', 'smtp'=>'25'],
|
||||
'hosting.danwin1210.me'=>['sftp'=>22, 'ftp'=>21, 'pop3'=>'995', 'imap'=>'993', 'smtp'=>'465']
|
||||
'dhosting4xxoydyaivckq7tsmtgi4wfs3flpeyitekkmqwu4v4r46syd.onion'=>['sftp'=>22, 'pop3'=>'110', 'imap'=>'143', 'smtp'=>'25'],
|
||||
'hosting.danwin1210.me'=>['sftp'=>22, 'pop3'=>'995', 'imap'=>'993', 'smtp'=>'465']
|
||||
];
|
||||
const EMAIL_TO=''; //Send email notifications about new registrations to this address
|
||||
const INDEX_MD5S=[ //MD5 sums of index.hosting.html files that should be considdered as unchanged for deletion
|
||||
@ -22,7 +22,7 @@ const INDEX_MD5S=[ //MD5 sums of index.hosting.html files that should be considd
|
||||
'31ff0d6a1d280d610a700f3c1ec6d857', //MyHacker test page
|
||||
];
|
||||
const REQUIRE_APPROVAL=false; //require admin approval of new sites? true/false
|
||||
const ENABLE_SHELL_ACCESS=true; //allows users to login via ssh, when disabled only (s)ftp is allowed - run setup.php to migrate existing accounts
|
||||
const ENABLE_SHELL_ACCESS=true; //allows users to login via ssh, when disabled only sftp is allowed - run setup.php to migrate existing accounts
|
||||
const ADMIN_PASSWORD='MY_PASSWORD'; //password for admin interface
|
||||
const SERVICE_INSTANCES=['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's']; //one character per instance - run multiple tor+php-fpm instances for load balancing, remove all but one instance if you expect less than 200 accounts. If tor starts using 100% cpu and failing circuits every few hours after a restart, add more instances. In my experience this happens around 250 hidden services per instance - run setup.php after change
|
||||
const DISABLED_PHP_VERSIONS=[3 => '7.2']; //php versions still installed on the system but no longer offered for new accounts
|
||||
@ -128,7 +128,7 @@ const ACCOUNT_UPGRADES = [
|
||||
'20g_quota' => ['name' => '+20GB disk Quota', 'usd_price' => 40],
|
||||
'100k_files_quota' => ['name' => '+100k files Quota', 'usd_price' => 10],
|
||||
];
|
||||
const COINPAYMENTS_ENABLED = true; //enable CoinPayments as payment processor true/false
|
||||
const COINPAYMENTS_ENABLED = false; //enable CoinPayments as payment processor true/false
|
||||
const COINPAYMENTS_PRIVATE = 'COINPAYMENTS_PRIVATE'; //Coinpayments private API key
|
||||
const COINPAYMENTS_PUBLIC = 'COINPAYMENTS_PUBLIC'; //Coinpayments public API key
|
||||
const COINPAYMENTS_MERCHANT_ID = 'COINPAYMENTS_MERCHANT_ID'; //Coinpayments merchant ID
|
||||
|
||||
@ -12,7 +12,7 @@ print_header('FAQ');
|
||||
<tr><td>I have an .htaccess file, but it doesn't work. How can I fix it?</td><td>.htaccess files are meant for Apache2 webservers. My server is based on NginX, which is much faster due to using static configuration files and not reading files like .htaccess at runtime. You can <a href="https://danwin1210.me/contact.php">contact me</a> and tell me your sites address where the .htaccess file is. I will then check your .htaccess and convert the rules to NginX rules and apply those.</td></tr>
|
||||
<tr><td>I just uploaded my page, but it's broken. HELP!</td><td>Most likely your site makes use of rewriting rules, which are typically located in an .htaccess file or are mentioned in a README file. Just <a href="https://danwin1210.me/contact.php">contact me</a> in this case. Also see the previous question.</td></tr>
|
||||
<tr><td>Can I host a porn site?</td><td>Yes as long as your content is legal you may upload adult content.</td></tr>
|
||||
<tr><td>What is the directory structure for when I connect via (s)ftp?</td><td>There are several directories you on the server for your account:<br><b>Maildir</b> - used to store your mails in (don't touch it)<br><b>data</b> - You can store application data here that should not be accessible via your site. E.g. configuration or database files.<br><b>tmp</b> - anything saved here will automatically be deleted after about 24 hours<br><b>www</b> - this is where you upload your website which becomes then available under your domain.<br><b>logs</b> - you will find webserver logs here<br><b>.ssh</b> - by uploading your ssh public key as authorzed_keys in this folder, you can authenticate to sftp using your ssh key, without a password</td></tr>
|
||||
<tr><td>What is the directory structure for when I connect via sftp?</td><td>There are several directories you on the server for your account:<br><b>Maildir</b> - used to store your mails in (don't touch it)<br><b>data</b> - You can store application data here that should not be accessible via your site. E.g. configuration or database files.<br><b>tmp</b> - anything saved here will automatically be deleted after about 24 hours<br><b>www</b> - this is where you upload your website which becomes then available under your domain.<br><b>logs</b> - you will find webserver logs here<br><b>.ssh</b> - by uploading your ssh public key as authorzed_keys in this folder, you can authenticate to sftp using your ssh key, without a password</td></tr>
|
||||
<tr><td>My application is very ressource intensive or I want to host a different service e.g. my own tor relay. Can you get me a VPS?</td><td>Yes, if you have special requirements, want a dedicated VPS for your application or just want to anonymously support the TOR network (or other networks) without having to deal with server setup etc. I can offer you a managed VPS hosting. However this will not be for free. It depends on which server you want me to get. For details, <a href="https://danwin1210.me/contact.php">contact me</a></td></tr>
|
||||
<tr><td>I want to also publish my site on clearnet. Can you offer a clearnet relay?</td><td>Yes, I can offer you a free subdomain on my server, e.g. yoursite.danwin1210.me, which you can configure in your dashboard. Or if you have your own domain you can use that one, point your DNS settings to the IPs given in your dashboard and <a href="https://danwin1210.me/contact.php">contact me</a> for setting up an SSL certificate for your domain.</td></tr>
|
||||
<tr><td>I'm using CloudFlare, but when I open my site, it shows too many redirects.</td><td>By default CloudFlare makes unencrypted requests to the backend server, but my server tells any client that wants an insecure connection to upgrade to a secure connection and use https:// instead of http://. CloudFlare just forwards this redirection to the client, which then again asks CloudFlare for the same thing again, but CloudFlare still connects to my server via an insecure http:// connection. To fix this, go to your CloudFlare dashboard and manage your domains settings. Under "Crypto" you can find settings for SSL. Change the setting from Flexible to Full, which makes CloudFlare use a secure https:// connection when talking to my server.</td></tr>
|
||||
|
||||
@ -2,15 +2,15 @@
|
||||
require('../common.php');
|
||||
$db = get_db_instance();
|
||||
$user=check_login();
|
||||
if(!empty($_POST['ftp_pass'])){
|
||||
$_SESSION['ftp_pass']=$_POST['ftp_pass'];
|
||||
if(!empty($_POST['sftp_pass'])){
|
||||
$_SESSION['sftp_pass']=$_POST['sftp_pass'];
|
||||
}
|
||||
if(empty($_SESSION['ftp_pass'])){
|
||||
if(empty($_SESSION['sftp_pass'])){
|
||||
send_login();
|
||||
exit;
|
||||
}
|
||||
$ssh=ssh2_connect('127.0.0.1') or die ('No Connection to SFTP server!');
|
||||
if(@!ssh2_auth_password($ssh, $user[system_account], $_SESSION['ftp_pass'])){
|
||||
if(@!ssh2_auth_password($ssh, $user[system_account], $_SESSION['sftp_pass'])){
|
||||
send_login();
|
||||
exit;
|
||||
}
|
||||
@ -116,7 +116,6 @@ if(!is_dir("ssh2.sftp://$sftp$dir")){
|
||||
}else{
|
||||
send_not_found();
|
||||
}
|
||||
fclose($tmpfile);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -355,7 +354,7 @@ function send_not_found(){
|
||||
function send_login(){
|
||||
print_header('FileManager - Login');
|
||||
?>
|
||||
<p>Please type in your system account password: <form action="files.php" method="post"><input name="ftp_pass" type="password" autofocus><input type="submit" value="Login"></form></p>
|
||||
<p>Please type in your system account password: <form action="files.php" method="post"><input name="sftp_pass" type="password" autofocus><input type="submit" value="Login"></form></p>
|
||||
<p><a href="home.php">Go back to dashboard</a>.</p>
|
||||
</body></html>
|
||||
<?php
|
||||
|
||||
@ -278,10 +278,10 @@ if($count_dbs<MAX_NUM_USER_DBS){
|
||||
<p>You can use <a href="/phpmyadmin/" target="_blank">PHPMyAdmin</a> and <a href="/adminer/?username=<?php echo rawurlencode($user['mysql_user']); ?>" target="_blank">Adminer</a> for web based database administration.</p>
|
||||
<h3>System Account</h3>
|
||||
<table border="1">
|
||||
<tr><th>Username</th><th>Host</th><th>FTP Port</th><th>SFTP Port</th><th>POP3 Port</th><th>IMAP Port</th><th>SMTP port</th></tr>
|
||||
<tr><th>Username</th><th>Host</th><th>SFTP Port</th><th>POP3 Port</th><th>IMAP Port</th><th>SMTP port</th></tr>
|
||||
<?php
|
||||
foreach(SERVERS as $server=>$tmp){
|
||||
echo "<tr><td>$user[system_account]</td><td>$server</td><td>$tmp[ftp]</td><td>$tmp[sftp]</td><td>$tmp[pop3]</td><td>$tmp[imap]</td><td>$tmp[smtp]</td></tr>";
|
||||
echo "<tr><td>$user[system_account]</td><td>$server</td><td>$tmp[sftp]</td><td>$tmp[pop3]</td><td>$tmp[imap]</td><td>$tmp[smtp]</td></tr>";
|
||||
}
|
||||
?>
|
||||
</table>
|
||||
|
||||
@ -16,7 +16,7 @@ print_header('Info');
|
||||
<li>Up to <?php echo MAX_NUM_USER_DBS; ?> MariaDB (MySQL) databases</li>
|
||||
<li><a href="/phpmyadmin/" target="_blank">PHPMyAdmin</a> and <a href="/adminer/" target="_blank">Adminer</a> for web based database administration</li>
|
||||
<li>Web-based file manager</li>
|
||||
<li>FTP and SFTP access</li>
|
||||
<li>SFTP access</li>
|
||||
<li>command line access to shell via SSH</li>
|
||||
<li>1GB disk quota and a maximum of 100.000 files<?php echo ENABLE_UPGRADES ? ' - upgradable' : ''; ?></li>
|
||||
<li>mail() can send e-mails from your_system_account@<?php echo ADDRESS; ?> (your_system_account@hosting.danwin1210.me for clearnet)</li>
|
||||
|
||||
Reference in New Issue
Block a user