# Onionized Hidden FTP Server

> **_Tor Hidden FTP server:_**

File Transfer Protocol (FTP) is one of the standard ways to transfer files from client to server and vice versa. FTP servers run in two modes, Active and Passive. Some firewalls/NAT devices block the data port (20) coming from the FTP server, and Passive mode solved this by having the client connect to a random port on the server, which gets through the firewall/NAT device.
> **_Issue with Passive FTP mode as a Tor Hidden Service:_**

This works fine on the clearnet, but it is a big problem if you want to onionize your FTP service, because Tor expects you to know in advance which ports requests may come in on. Since the client connects to a port chosen by the PASV FTP server, it is impossible for Tor to predict the port used for the data channel.
> **_Fix to Data port issue on Tor:_**

One way of fixing this is to limit the port range the PASV FTP server may use in its config. Something like 5000-5019 (20 ports) would be ideal; then map all 20 ports in the Tor config file as HiddenServicePort entries. The complete steps are shown below.
## STEPS TO ONIONIZE HIDDEN FTP SERVER:

* **Step 1:**

Install vsFTPd on your machine
|
|
|
```
HiddenServicePort 5019
```

* Make sure you add all 20 ports in the range 5000-5019, each as a _HiddenServicePort_
|
|
|
* After this is done, restart the Tor process and you will see the hostname, key pair and other files under __/var/lib/tor/ftp_service/__ (if you do not see them, something is wrong; check the Tor logs or journalctl)
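
As an added consistency check, not code from the original page, the Python script below parses a vsftpd.conf and a torrc and lists every port the onionized FTP service needs (the control port, assumed to be 21, plus the whole pasv_min_port..pasv_max_port range) that is not published as a HiddenServicePort. The sample configuration files are constructed, and the torrc is missing port 5019 on purpose.

```python
import re

# Constructed sample inputs (not the page's own files): a vsftpd.conf using the
# 20-port PASV range from the article, and a torrc that forgot the last port.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=5019
chroot_local_user=YES
"""
TORRC = ("HiddenServiceDir /var/lib/tor/ftp_service/\n"
         "HiddenServicePort 21 127.0.0.1:21\n"
         + "".join(f"HiddenServicePort {p} 127.0.0.1:{p}\n" for p in range(5000, 5019)))


def pasv_range(vsftpd_text):
    """Return (pasv_min_port, pasv_max_port) from vsftpd.conf text, or None when
    passive mode is disabled or the range is unbounded (vsftpd's default of 0)."""
    opts = {}
    for line in vsftpd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    if opts.get("pasv_enable", "YES").upper() != "YES":
        return None
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    return (lo, hi) if 0 < lo <= hi else None


def hidden_service_ports(torrc_text):
    """Virtual ports published by HiddenServicePort lines (commented lines ignored)."""
    return {int(m.group(1)) for m in
            re.finditer(r"^\s*HiddenServicePort\s+(\d+)", torrc_text, re.M)}


def missing_onion_ports(vsftpd_text, torrc_text, control_port=21):
    """Ports the FTP service needs (control port plus the whole PASV range) that
    torrc does not publish; an empty list means every data port is reachable."""
    rng = pasv_range(vsftpd_text)
    if rng is None:
        raise ValueError("PASV disabled or unbounded: set pasv_min_port/pasv_max_port")
    lo, hi = rng
    needed = {control_port} | set(range(lo, hi + 1))
    return sorted(needed - hidden_service_ports(torrc_text))


if __name__ == "__main__":
    print("ports not mapped as HiddenServicePort:", missing_onion_ports(VSFTPD_CONF, TORRC))  # [5019]
```
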
It is really important to lock down/jail the FTP user into their home directory. The following are some really important security measures.
## SECURITY MEASURES:

* Always create a new user for FTP
|
|
|
* It's important to create a new user which is used only for the PASV FTP login
|
|
|
|
|
|
Now, the essential step is to revoke SSH access for this FTP_USER (very important, never skip it).
|
|
|
To revoke/deny SSH access for a particular user, in our case FTP_USER, add the following to the __/etc/ssh/sshd_config__ file
`DenyUsers FTP_USER`
|
|
|
|
|
|
It's also a good idea to allow only root to log in via SSH. To do so, add the following to the __/etc/ssh/sshd_config__ file
`AllowUsers root`
|
|
|
* Chroot Jail the FTP user
|
|
|
Chroot jailing is a way of isolating an application (here, FTP) from the rest of your computer by putting it in a jail. This is an important security measure for our PASV FTP Onion Service. To do so, add the following to your /etc/vsftpd.conf file
And of course there is much more we can do for security (like writable settings, file permissions, etc.), but the above are the main or essential ones.
## Advantages of using Tor Hidden FTP Service:

1. It's End to End Encrypted
|
|
|
* The payload of your FTP packets is insecure by design, but on top of Onion encryption it becomes end-to-end encrypted, since the layered encryption is only unpeeled at the Hidden Service endpoint.
|
|
|
An example of this on the clearnet is if a web server or httpd listener supported HTTP only. A reverse proxy server can
4. Transfers can be resumed after connection losses.
## How to configure your Client to connect to the Onion v3 PASV FTP Hidden Service?

If you are running a Tor daemon locally, port 9050 is your Tor SOCKS5 port; if you are using Tor Browser, 9150 is your SOCKS5 port. So you will need to go to the proxy settings of your FTP client and enter **127.0.0.1** and **9050** or **9150** in the **SOCKS5** proxy configuration.