In the past we have webapps user and we can use the username and password for user to login via FTP. It seems it has been removed (due to security reason) based on this guide https://docs.cleavr.io/guides/ftp-server.
While security is the most important aspect, however not all users are tech savvy and understand how to create ssh key. I built some sites for friend and they need FTP. So, I installed vsftpd and configure the setting so the user can only access its home directory and unable to go up to another directories. I am not sure if this will have any impact to the entire environment, especially the security? Could you please let me know if there is any other concern by installing this vsftpd?
Yes, we disabled the password capability a while back for security as we want to avoid that being a vulnerability. vsftpd should be OK to use as long as you’re OK with it. I don’t believe it will impact Cleavr, but I’ve also never played around with it to find out.
Is there any guide how I can edit or override the Cleavr interface in my server so I can add my additional services to the Services panel?
There’s not currently a way to do that, but that would be an interesting feature to have. Thanks for bringing that up, we’ll add it to our backlog to take a closer look at the possibilities.
If these users are not able to create a ssh key, it might better if they don’t have access via FTP
In my opinion it’s better (easier) to enable the SSH password authentication, than installing some other FTP server. A strong SSH password together with Fail2Ban should be safe enough. If this isn’t enough, you can use UFW to restrict access to some IP addresses only (I did this for years, before I decided to allow only SSH key authentication).
Hello @finalwebsites, thanks so much for your suggestion. Yes, I think I agree with you, last time I tried it, I didn’t manage to jail the user to his specific folders. Perhaps my wrong configuration, while with vsftpd all can be configured easier and faster. But like you said, it’s not secure of course.
I will retry the ssh password auth sftp with some match user rules and chroot configuration again. I can’t restrict the IP because in our country here, the ISP always changes the IP randomly, even with different subnet.
