ftp document
TRANSCRIPT
-
C H A P T E R 15
Lin u x F TP Se r ve r Se t u p
IN THIS CHAPTER
+ FTP Overview
+ Problems with FTP and Firewa lls
+ How to Download and Insta ll VSFTPD
+ How to Get VSFTPD Star t ed
+ Test ing the Sta tus of VSFTPD
+ The vsftpd.conf File
+ FTP Secur ity Issues
+ Troubleshoot ing FTP
+ Tutor ia l
+ Conclusion
The F ile Tr a n sfe r P r ot ocol (F TP ) is one of t he most common means of copy-
ing files between servers over t he In t ernet . Most Web-based download sites
use the bu ilt -in FTP capabilit ies of Web browsers, and, therefore, most server-
or ien ted opera t ing systems usually include an FTP server applica t ion as par t
of the software su ite. Linux is no except ion .
Th is chapter will show you how to conver t your Linux box in to an FTP
server u sing the defau lt Ve r y Secu r e F TP Da em on (VSFTPD) package
included in Fedora .
FTP OVERVIEW
FTP relies on a pa ir of TCP por t s to get the job done. It opera tes u sing two
connect ion channels:
237
-
+ FTP con t r o l ch a n n e l, TCP Por t 21: All commands you send, as well a s
the FTP server 's responses to t hose commands, go over t he con t rol con -
nect ion , bu t any da ta sen t back (such a s ls directory list s or actua l file
da ta in either direct ion ) will go over the da t a connect ion .
+ FTP d a t a ch a n n e l, TCP Por t 20: This por t is u sed for a ll subsequen t
da ta t ransfers between the clien t and server.
In addit ion to t hese channels, there a re severa l var iet ies of FTP.
Types of FTP
From a networking perspect ive, the two main t ypes of FTP are act ive and pas-
sive. In a c t ive F TP , the FTP server in it ia tes a da ta t ransfer connect ion back
to the clien t . For p a ss ive F TP, the connect ion is in it ia ted from the FTP clien t .
These are illu st ra ted in F igu re 15.1.
238 Linux FTP Server Setup Chapter 15
FTP Control Connection
to Port 21
from High Port
FTP Data Connection Initiation
from Port 20 on Server to High Port on Client
High
Port
Port
20ServerClient
Computer
ServerClient
Computer
Active FTP
Passive FTP
FTP Control Connection
to Port 21
from High Port
FTP Data Connection Initiation
from High Port on Client to High Port on the Server
High
Port
High
Port
Figure 15.1 Act ive and passive FTP.
From a user management perspect ive, there are two addit ional types of
FTP: r egu la r F TP , in which files are t ransferred using the username and pass-
word of a regular user FTP server, and a n on ym ou s F TP, in which general
access is provided to the FTP server using a well known universal login method.
Take a closer look a t each type.
-
Active FTP
The sequence of even ts for act ive FTP is:
1. Your clien t connects to the FTP server by est ablish ing an FTP con t rol
connect ion to por t 21 of t he server. Your commands such a s ls and get a re
sent over t h is connect ion .
2. Whenever t he clien t requests da ta over t he con t rol connect ion , the server
in it ia tes da ta t ransfer connect ions back to the clien t . The source por t of
these da ta t ransfer connect ions is a lways por t 20 on the server, and the
dest ina t ion por t is a h igh por t (grea ter than 1024) on the clien t .
3. Thus the ls list ing tha t you asked for comes back over the por t 20 to h igh
por t connect ion , not the por t 21 con t rol connect ion .
FTP act ive mode, therefore, t ransfers da t a in a coun ter in tu it ive way to
the TCP standard, as it select s por t 20 as it s sou rce por t (not a random high
por t tha t 's grea t er than 1024) and connects back to the clien t on a random
high por t t ha t has been pre-negot ia t ed on the por t 21 con t rol connect ion .
Active FTP may fail in cases where the clien t is protected from the
In ternet via many to one NAT (masquerading), because the firewall will not
know which of the many servers beh ind it should receive the retu rn connect ion .
Passive FTP
Passive FTP works differen t ly:
1. Your clien t connects to the FTP server by est ablish ing an FTP con t rol
connect ion to por t 21 of t he server. Your commands such a s ls and get a re
sent over t ha t connect ion .
2. Whenever the clien t requests da ta over t he con t rol connect ion , the clien t
in it ia tes the da ta t ransfer connect ions to t he server. The source por t of
these da ta t ransfer connect ions is a lways a h igh por t on the clien t with a
dest ina t ion por t of a h igh por t on the server.
Passive FTP shou ld be viewed a s the server never making an act ive
a t tempt to connect t o t he clien t for FTP data t ransfers. Because the clien t
a lways in it ia tes t he requ ired connect ions, passive FTP works bet t er for clien t s
protected by a firewall.
As Windows defau lt s to act ive FTP and Linux defau lt s to passive, you 'll
probably have to accommodate both forms when deciding upon a secu r ity pol-
icy for your FTP server .
Regular FTP
By defau lt , the VSFTPD package a llows regu lar Linux u sers to copy files to
and from their home director ies with an FTP clien t u sing their Linux user -
names and passwords as their login creden t ia ls.
FTP Overview 239
-
VSFTPD also has the opt ion of a llowing th is type of access to on ly a
group of Linux users, enabling you to rest r ict the addit ion of new files to your
syst em to au thor ized personnel.
The disadvan tage of regu lar FTP is t ha t it isn 't su it able for genera l
download dist r ibut ion of software as everyone either has to get a un ique
Linux user accoun t or has to u se a shared username and password.
Anonymous FTP a llows you to avoid th is difficu lty.
Anonymous FTP
Anonymous FTP is t he choice of Web sites tha t need to exchange files with
numerous unknown remote users. Common uses include downloading soft -
ware updates and MP3s and uploading diagnost ic in format ion for a t echn ica l
suppor t engineers ' a t ten t ion . Un like regu la r FTP where you login with a pre-
con figu red Linux username and password, anonymous FTP requ ires on ly a
username of anonymous and your e-ma il address for the password. Once
logged in to a VSFTPD server, you au tomat ica lly have access to on ly the
defau lt anonymous FTP directory (/var/ftp in t he case of VSFTPD) and a ll it s
subdirector ies.
As seen in Chapter 6,Installing RPM Software,using anonymous FTP as
a remote user is fa ir ly st raightforward. VSFTPD can be configured to support
user-based and/or anonymous FTP in it s configura t ion file, as you 'll see later.
PROBLEMS WITH FTP AND FIREWALLS
FTP frequen t ly fa ils when the da ta has to pass th rough a firewall, because
firewa lls a re designed to lim it da ta flows to predict able TCP por ts and FTP
uses a wide range of unpredictable TCP por ts. You have a choice of methods to
overcome th is.
Not e
Appendix II, Codes, Scripts, and Configura t ions,conta ins examples of how to con-
figure the VSFTPD Linux firewall to funct ion with both act ive and passive FTP.
Client Protected by a Firewall Problem
Typica lly firewalls don 't a llow any incoming connect ions a t a ll, wh ich fre-
quen t ly blocks act ive FTP from funct ion ing. With th is type of FTP fa ilu re, t he
act ive FTP connect ion appears to work when the clien t in it ia t es an ou tbound
connect ion to the server on por t 21. The connect ion then appears to hang, how-
ever, a s soon as you use the ls, dir, or get commands. The reason is t ha t the fire-
wall is blocking the retu rn connect ion from the server to the clien t (from por t
240 Linux FTP Server Setup Chapter 15
-
20 on the server to a h igh por t on the clien t ). If a firewa ll a llows a ll ou tbound
connect ions to the In ternet , then passive FTP clien t s beh ind a firewall will
u sua lly work correct ly a s t he clien ts in it ia t e a ll the FTP connect ions.
Solution
Table 15.1 shows the genera l ru les you 'll need to a llow FTP clien ts t h rough a
firewa ll.
Table 15.1 Client Protected by Firewall: Required Rules for FTP
Method Source Source Destination Destination Connection
Address Port Address Port Type
Allow outgoing control connect ions to server
Control FTP client / High 1 FTP server 2 21 New
channel network
FTP server 2 21 FTP client / H igh Established3
network
Allow the client to establish da ta channels to r emote server
Act ive FTP server 2 20 FTP client / High New
FTP network
FTP client / High FTP server 2 20 Established3
network
Passive FTP client / High FTP server 2 High New
FTP network
FTP server 2 High FTP client / High Established3
network
1 Greater than 1024.
2 In some cases, you may want to a llow a ll I nternet user s to have access, not just a specific client ,
server, or network.
3 Many home-based firewa ll routers automat ica lly a llow t r affic for a lready established connect ions.
This ru le may not be necessary in a ll cases.
Server Protected by a Firewall Problem
Typica lly, firewalls don 't let any connect ions come in a t a ll. When an incor-
rect ly configu red firewall protects an FTP server, the FTP connect ion from the
clien t doesn 't appea r to work a t a ll for both act ive and passive FTP.
Solution
Table 15.2 ou t lines t he genera l ru les needed to a llow FTP servers th rough a
firewa ll.
Problems with FTP and Firewalls 241
-
Table 15.2 Server Protected by Firewall: Required Rules for FTP
Method Source Source Destination Destination Connection
Address Port Address Port Type
Allow incoming control connect ions to server
Cont rol FTP client / High 2 FTP server 21 New
channel network 1
FTP server 21 FTP client / High Established3
network 1
Allow server to establish da ta channel to remote client
Act ive FTP server 20 FTP client / High New
FTP network 1
FTP client / High FTP server 20 Established3
network 1
Passive FTP client / High FTP server High New
FTP network 1
FTP server High FTP client / High Established3
network 1
1 In some cases, you may want to a llow a ll In ternet user s to have access, not just a specific client ,
server, or network.
2 Greater than 1024.
3 Many home-based firewall routers automat ica lly a llow t r affic for a lready established connect ions.
This ru le may not be necessary in a ll cases.
HOW TO DOWNLOAD AND INSTALL VSFTPD
Most Red Ha t and Fedora Linux software products a re ava ilable in the RPM
format . Downloading and in sta lling RPMs isn 't hard. If you need a refresher,
Chapter 6 covers how to do th is in deta il. It is best t o u se t he la test version of
VSFTPD.
When sea rch ing for t he file, remember t ha t the VSFTPD RPM's filename
usually sta r t s with the word vsftpdfollowed by a version number, a s in
vsftpd-1.2.1-5.i386.rpm.
HOW TO GET VSFTPD STARTED
You can st a r t , stop, or resta r t VSFTPD after boot ing u sing these commands:
[root@bigboy tmp]# service vsftpd start[root@bigboy tmp]# service vsftpd stop[root@bigboy tmp]# service vsftpd restart
242 Linux FTP Server Setup Chapter 15
-
To configu re VSFTPD to st a r t a t boot , u se the chkconfig command:
[root@bigboy tmp]# chkconfig vsftpd on
Not e
In Red Ha t Linux version 8.0 and ear lier, VSFTPD opera t ion is con t rolled by the
xinetd process, wh ich is covered in Chapter 16, TELNET, TFTP, and XINETD.
You can find a fu ll descr ipt ion of how to con figure these versions of Linux for
VSFTPD in Appendix III, Fedora Version Differences.
TESTING THE STATUS OF VSFTPD
You can a lways test whether the VSFTPD process is runn ing by using the
netstat -a command, wh ich list s a ll the TCP and UDP por ts on wh ich the
server is list en ing for t ra ffic. Th is example shows the expected ou tput :
[root@bigboy root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN[root@bigboy root]#
If VSFTPD wasn 't runn ing, there wou ld be no ou tpu t a t a ll.
THE VSFTPD.CONF FILE
VSFTPD reads the con ten ts of it s vsftpd.conf configu ra t ion file on ly when it
sta r t s, so you 'll have to restar t VSFTPD each t ime you edit t he file in order for
the changes to t ake effect .
Th is file u ses a number of defau lt set t ings you need to know abou t :
+ VSFTP D r u n s a s a n a n on ym ou s F TP se r ve r : Un less you wan t any
remote user to log in to to your defau lt FTP directory using a u sername of
anonymous and a password tha t 's t he same as t heir e-ma il address, I sug-
gest t u rn ing th is off. You can set t he con figu ra t ion file's anonymous_enable
direct ive to no to disable th is fea tu re. You 'll a lso need to simu ltaneously
enable loca l u sers to be able to log in by removing the comment symbol
(#) before t he local_enable in st ruct ion .
+ VSFTP D a llow s on ly a n on ym ou s F TP d ow n loa d s t o r em ot e
u se r s , n ot u p loa d s fr om t h em : You can change th is by modifying the
anon_upload_enable direct ive shown la ter.
The vsftpd.conf File 243
-
+ VSFTP D d oe sn 't a llow a n on ym ou s u se r s t o cr e a t e d ir e c t or ie s on
you r F TP se r ve r : You can change th is by modifying the
anon_mkdir_write_enable direct ive.
+ VSFTP D logs F TP a cce ss t o t h e /var/log/vsftpd.log log fi le : You can
change th is by modifying the xferlog_file direct ive.
+ VSFTP D exp ec t s fi le s for a n on ym ou s F TP t o b e p la ced in t h e
/var/ftp d ir e c t or y : You can change th is by modifying the anon_root
direct ive. There is a lways the r isk with anonymous FTP tha t u sers will
discover a way to wr ite files to your anonymous FTP directory. You run
the r isk of filling up your /var par t it ion if you use the defau lt set t ing. It is
best to make the anonymous FTP directory reside in it s own dedica t ed
par t it ion .
The configurat ion file is fair ly straightforward as you can see in the snippet:
# Allow anonymous FTP?anonymous_enable=YES
# Uncomment this to allow local users to log in.local_enable=YES
# Uncomment this to enable any form of FTP write command.# (Needed even if you want local users to be able to upload files)write_enable=YES
# Uncomment to allow the anonymous FTP user to upload files. This only# has an effect if global write enable is activated. Also, you will# obviously need to create a directory writable by the FTP user.#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able tocreate# new directories.#anon_mkdir_write_enable=YES
# Activate logging of uploads/downloads.xferlog_enable=YES
# You may override where the log file goes if you like.# The default is shown# below.#xferlog_file=/var/log/vsftpd.log
# The directory which vsftpd will try to change# into after an anonymous login. (Default = /var/ftp)#anon_root=/data/directory
To act iva te or deact iva te a fea tu re, remove or add the # a t the beginning
of the appropr ia te line.
244 Linux FTP Server Setup Chapter 15
-
Other vsftpd.conf Options
There a re many other opt ions you can add to th is file:
+ Lim it ing the maximum number of clien t connect ions (max_clients)
+ Lim it ing the number of connect ions by source IP address (max_per_ip)
+ Set t ing the maximum ra te of da ta t ransfer per anonymous login
(anon_max_rate)
+ Set t ing the maximum ra te of da t a t ransfer per non-anonymous login
(local_max_rate)
Descr ipt ions on th is and more can be found in the vsftpd.conf man
pages.
FTP SECURITY ISSUES
FTP has a number of secu r ity drawbacks, bu t you can overcome them in some
cases. You can rest r ict an individua l Linux user 's access to non -anonymous
FTP, and you can change the con figu ra t ion to not display the FTP server 's
software version in format ion , but un for tunately, though very conven ient , FTP
logins and da ta t ransfers a re not encrypted.
The /etc/vsftpd.ftpusers File
For added secu r it y, you may rest r ict FTP access to cer ta in u sers by adding
them to the list of u sers in t he /etc/vsftpd.ftpusers file. The VSFTPD package
crea t es t h is file with a number of en t r ies for pr ivileged users tha t normally
shou ldn 't have FTP access. As FTP doesn 't encrypt passwords, thereby
increasing the r isk of da t a or passwords being compromised, it is a good idea
to let these en t r ies remain and add new en t r ies for addit ional secu r ity.
Anonymous Upload
If you wan t remote users to wr it e da t a to your FTP server, t hen you shou ld
crea t e a wr it e-on ly directory with in /var/ftp/pub. Th is will a llow your u sers to
upload bu t not access other files uploaded by other u sers. The commands you
need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Security Issues 245
-
FTP Greeting Banner
Change the defau lt greet ing banner in the vsftpd.conf file to make it harder
for malicious u sers to det erm ine the t ype of syst em you have. The direct ive in
th is file is:
ftpd_banner= New Banner Here
Using SCP as Secure Alternative to FTP
One of the disadvan tages of FTP is t ha t it does not encrypt your u sername
and password. Th is cou ld make your u ser accoun t vu lnerable to an unau tho-
r ized a t tack from a person eavesdropping on the network connect ion . Secu r e
Cop y (SCP ) and Secu r e F TP (SFTP ) provide encrypt ion and cou ld be con -
sidered as an a lterna t ive to FTP for t ru st ed users. SCP does not suppor t
anonymous services, however, a fea tu re tha t FTP does suppor t .
TROUBLESHOOTING FTP
You shou ld a lways t est your FTP inst a lla t ion by a t tempt ing to u se an FTP
clien t t o log in to your FTP server to t ransfer sample files.
The most common sources of day-to-day fa ilu res a re incorrect u sernames
and passwords.
In it ia l setup fa ilu res cou ld be caused by firewa lls a long the pa th between
the clien t and server blocking some or a ll t ypes of FTP t ra ffic. Typica l symp-
toms of th is a re either connect ion t imeou ts or t he ability to u se the ls com-
mand to view the con ten ts of a directory withou t the ability to either upload or
download files. Follow the firewall ru le guidelines to help overcome th is prob-
lem . Connect ion problems cou ld a lso be the resu lt of t ypica l network issues
ou t lined in Chapter 4, Simple Network Troubleshoot ing.
TUTORIAL
FTP has many uses, one of wh ich is a llowing numerous unknown users to
download files. You have to be ca refu l, because you run the r isk of accidenta lly
a llowing unknown persons to upload files to your server. Th is sor t of unin -
t ended act ivity can qu ickly fill up your ha rd dr ive with illega l software,
images, and music for the wor ld to download, wh ich in tu rn can clog your
server 's In t ernet access and dr ive up your bandwidth charges.
246 Linux FTP Server Setup Chapter 15
-
FTP Users with Read-Only Access to a Shared Directory
In this example, anonymous FTP is not desired, but a group of t rusted users need
to have read-only access to a directory for downloading files. Here are the steps:
1. Disable anonymous FTP. Comment ou t the anonymous_enable line in t he
vsftpd.conf file:
# Allow anonymous FTP?
# anonymous_enable=YES
2. Enable individua l logins by making su re you have the local_enable line
uncommented in the vsftpd.conf file:
# Uncomment this to allow local users to log in.
local_enable=YES
3. Sta r t VSFTP.
[root@bigboy tmp]# service vsftpd start
4. Crea te a u ser group and sha red directory. In t h is ca se, u se /home/ftp-
users and a u ser group name of ftp-users for the remote u sers:
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs
5. Make the directory accessible to t he ftp-users group:
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
6. Add users, and make their defau lt directory /home/ftp-docs:
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
7. Copy files to be downloaded by your u sers in to the /home/ftp-docs
directory.
8. Change the perm issions of the files in t he /home/ftp-docs directory to
read-only access by the group:
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Tutorial 247
-
Users shou ld now be able to log in via FTP to t he server u sing their new
usernames and passwords. If you absolu tely don 't wan t any FTP users to
be able to wr ite to any directory, then you shou ld set the write_enable line
in your vsftpd.conf file t o no:
write_enable = NO
Remember, you must rest ar t VSFTPD for t he configu ra t ion file changes
to take effect .
Sample Login Session to Test Functionality
Here is a simple test procedure you can use to make su re everyth ing is work-
ing correct ly:
1. Check for the presence of a t est file on the FTP clien t server.
[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#
2. Connect t o Bigboy via FTP:
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As expected, you can 't do an upload t ransfer of test file to bigboy:
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can view and download a copy of the VSFTPD RPM on the FTP
server bigboy:
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
248 Linux FTP Server Setup Chapter 15
-
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-
1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-
1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#
As expected, an anonymous FTP fa ils:
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#
Now tha t test ing is complete, you can make th is a regu lar par t of your
FTP server 's opera t ion .
CONCLUSION
FTP is a very usefu l software applica t ion tha t can have enormous benefit to a
Web sit e or t o collabora t ive compu t ing in wh ich files need to be shared
between business pa r tners. Although in secu re, it is un iversa lly accessible,
because FTP clien t s a re a par t of a ll opera t ing systems and Web browsers. If
da t a encrypt ion secu r it y is of grea t impor tance to you , then you shou ld proba -
bly consider SCP as a possible a lt erna t ive. You can find more in format ion on it
in Chapter 17, Secure Remote Logins and File Copying.
Conclusion 249