In this document we cover the steps necessary to securely and persistently mount an FTP/SFTP location to a folder in Red Hat Enterprise Linux 7 so that its contents can be searched by a Spirion endpoint.
You will need credentials with read/write FTP access and the root credentials for the RHEL7 server to complete these steps.
Install curlftpfs and dependencies
# yum install glib2-devel
# yum install fuse-devel
# yum install libcurl-devel
# wget http://sourceforge.net/projects/curlftpfs/files/latest/download
# tar xvzf curlftpfs-0.9.2.tar.gz
# cd curlftpfs-0.9.2
# ./configure
# make
# make install
Test Mount to the FTP folder
Create a test mount point (/mnt/ftp) and then mount the FTP site to that folder. The directory name can be whatever you want; we are using /mnt/ftp in this test. If you change the path, be sure to use your path in all the remaining test steps.
# mkdir /mnt/ftp
# curlftpfs ftp.example.com /mnt/ftp/ -o user=username:password
To allow other users to access the mounted folder, add allow_other; to use FTP in active mode, add the option ftp_port=-:
# curlftpfs ftp.example.com /mnt/ftp/ -o user=username:password,allow_other,ftp_port=-
By default, CurlFtpFS authenticates in cleartext when connecting to a non-encrypted port. If the remote server is configured to refuse unencrypted authentication and require encryption, CurlFtpFS returns an error:
# Error connecting to ftp: Access denied: 530
To authenticate to the FTP server using explicit encryption (FTPS), you must specify the ssl option:
# curlftpfs ftp.example.com /mnt/ftp/ -o ssl,user=username:password
If your server uses a self-signed certificate that your computer does not trust, you can tell CurlFtpFS to skip certificate verification. Note that with no_verify_peer and no_verify_hostname the server's identity is not checked at all, so the connection is no longer protected against anyone who can present their own certificate; importing the server's certificate into the system trust store is the safer choice:
# curlftpfs ftp.example.com /mnt/ftp/ -o ssl,no_verify_peer,no_verify_hostname,user=username:password
When the mount succeeds, the FTP data is available in the file system under /mnt/ftp.
Configure mount to occur at system start
These steps require you to be logged into the RHEL instance as root.
Once you have confirmed that the mount works, you can add the mount entry to /etc/fstab. For security, we create a .netrc file in /root to hold the credentials rather than entering a plaintext password in the fstab file. For this example, the username will be FTPUser and the password will be FTP123Security.
Now we set the .netrc file to be readable only by the root user. This means that anyone who wants to see your plaintext password needs root access to your server.
# sudo chmod 600 ~/.netrc
With the .netrc file created, we only need to include the username and FTP address in the fstab file. Using nano or a GUI editor, open /etc/fstab as root (otherwise you cannot save your changes) and add the line below the existing entries. Don't forget to save your changes!
To ensure that the mount is attempted only after network initialization is complete, we also add the _netdev option to the entry.
Note that the permanent entry uses a different mount location (/mnt/SpiFtp). When the system restarts, the test mount created above is not restored.
curlftpfs#FTPUser:@ftp.example.com /mnt/SpiFtp fuse auto,user,uid=1000,allow_other,_netdev 0 0
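The following script is an added example and not part of this guide or of CurlFtpFS: it stages the .netrc entry and the fstab line from the steps above into files you choose, so the result can be reviewed before it is copied to /root/.netrc and /etc/fstab on the server. The function names (write_netrc, add_fstab_entry, fstab_has_secret and so on) are assumptions introduced here; the host, username, password and mount point are the example values used above.

```shell
#!/bin/sh
# Added example, not part of the original guide: stages the /root/.netrc and
# /etc/fstab changes described above into files of your choosing, so they can
# be reviewed before being installed on the server. Function names are assumed.

# write_netrc DEST HOST USER PASS
# Writes the single netrc line libcurl reads for HOST. Setting umask 077 before
# the file is created means it is mode 0600 from the first byte, so the
# password is never readable by other users, not even briefly before a chmod.
write_netrc() {
    dest=$1; host=$2; user=$3; pass=$4
    (umask 077 && printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$dest")
    chmod 600 "$dest"
}

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# netrc_is_private FILE -> succeeds only if the mode is exactly 600
netrc_is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# fstab_entry HOST USER MOUNTPOINT -> prints the curlftpfs fstab line used above.
# The password field between ':' and '@' is left empty on purpose; the
# credentials come from /root/.netrc instead.
fstab_entry() {
    printf 'curlftpfs#%s:@%s %s fuse auto,user,uid=1000,allow_other,_netdev 0 0\n' "$2" "$1" "$3"
}

# add_fstab_entry FSTAB HOST USER MOUNTPOINT -> appends the entry once; running
# it twice does not duplicate the line.
add_fstab_entry() {
    fstab=$1; mp=$4
    if grep -q "curlftpfs#.* $mp " "$fstab" 2>/dev/null; then
        return 0
    fi
    fstab_entry "$2" "$3" "$mp" >> "$fstab"
}

# fstab_has_secret FSTAB -> succeeds if any curlftpfs line embeds a password
# (non-empty text between ':' and '@' in the source field). Use it as a
# pre-reboot check that no plaintext password slipped into fstab.
fstab_has_secret() {
    grep -E '^curlftpfs#[^:@ ]+:[^@ ]+@' "$1" >/dev/null 2>&1
}

# Stand-alone run: stage into a scratch directory and show what would be installed.
stage=$(mktemp -d)
write_netrc "$stage/netrc" ftp.example.com FTPUser FTP123Security
add_fstab_entry "$stage/fstab" ftp.example.com FTPUser /mnt/SpiFtp
if fstab_has_secret "$stage/fstab"; then echo "WARNING: fstab entry carries a password"; fi
echo "staged in $stage:"
ls -l "$stage/netrc"
cat "$stage/fstab"
```

On the server itself, run write_netrc with /root/.netrc and add_fstab_entry with /etc/fstab as root, then either reboot or run mount -a to pick up the new entry; fstab_has_secret /etc/fstab is a quick way to confirm that no entry still carries the password inline.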
Once complete, reboot the system; the newly mounted FTP folder will be at /mnt/SpiFtp and available for searching.
To configure a search, create a new policy for this machine, enable Custom Folder search and set the folder location to /mnt/SpiFtp.
Search results for this location appear under the endpoint that performs the search, with the mount folder listed as the location. If you mount several FTP folders on the same server, name the mount points clearly to avoid confusion.
Additionally, a workflow rule can be created to assign the resulting matches from a specific mount location to user(s) or role(s) that are responsible for the contents of the data at that location.
Using persistent classification, assign an independent marker that uniquely identifies the data at that location. This gives a clear indication of the file source if the data is discovered outside the permitted location, and allows edge-enabled devices to restrict data traffic to a limited scope.