ftp document

C H A P T E R 15

Lin u x F TP Se r ve r Se t u p

IN THIS CHAPTER

+ FTP Overview

+ Problems with FTP and Firewa lls

+ How to Download and Insta ll VSFTPD

+ How to Get VSFTPD Star t ed

+ Test ing the Sta tus of VSFTPD

+ The vsftpd.conf File

+ FTP Secur ity Issues

+ Troubleshoot ing FTP

+ Tutor ia l

+ Conclusion

The F ile Tr a n sfe r P r ot ocol (F TP ) is one of t he most common means of copy-

ing files between servers over t he In t ernet . Most Web-based download sites

use the bu ilt -in FTP capabilit ies of Web browsers, and, therefore, most server-

or ien ted opera t ing systems usually include an FTP server applica t ion as par t

of the software su ite. Linux is no except ion .

Th is chapter will show you how to conver t your Linux box in to an FTP

server u sing the defau lt Ve r y Secu r e F TP Da em on (VSFTPD) package

included in Fedora .

FTP OVERVIEW

FTP relies on a pa ir of TCP por t s to get the job done. It opera tes u sing two

connect ion channels:

237

+ FTP con t r o l ch a n n e l, TCP Por t 21: All commands you send, as well a s

the FTP server 's responses to t hose commands, go over t he con t rol con -

nect ion , bu t any da ta sen t back (such a s ls directory list s or actua l file

da ta in either direct ion ) will go over the da t a connect ion .

+ FTP d a t a ch a n n e l, TCP Por t 20: This por t is u sed for a ll subsequen t

da ta t ransfers between the clien t and server.

In addit ion to t hese channels, there a re severa l var iet ies of FTP.

Types of FTP

From a networking perspect ive, the two main t ypes of FTP are act ive and pas-

sive. In a c t ive F TP , the FTP server in it ia tes a da ta t ransfer connect ion back

to the clien t . For p a ss ive F TP, the connect ion is in it ia ted from the FTP clien t .

These are illu st ra ted in F igu re 15.1.

238 Linux FTP Server Setup Chapter 15

FTP Control Connection

to Port 21

from High Port

FTP Data Connection Initiation

from Port 20 on Server to High Port on Client

High

Port

Port

20ServerClient

Computer

ServerClient

Computer

Active FTP

Passive FTP

FTP Control Connection

to Port 21

from High Port

FTP Data Connection Initiation

from High Port on Client to High Port on the Server

High

Port

High

Port

Figure 15.1 Act ive and passive FTP.

From a user management perspect ive, there are two addit ional types of

FTP: r egu la r F TP , in which files are t ransferred using the username and pass-

word of a regular user FTP server, and a n on ym ou s F TP, in which general

access is provided to the FTP server using a well known universal login method.

Take a closer look a t each type.

Active FTP

The sequence of even ts for act ive FTP is:

1. Your clien t connects to the FTP server by est ablish ing an FTP con t rol

connect ion to por t 21 of t he server. Your commands such a s ls and get a re

sent over t h is connect ion .

2. Whenever t he clien t requests da ta over t he con t rol connect ion , the server

in it ia tes da ta t ransfer connect ions back to the clien t . The source por t of

these da ta t ransfer connect ions is a lways por t 20 on the server, and the

dest ina t ion por t is a h igh por t (grea ter than 1024) on the clien t .

3. Thus the ls list ing tha t you asked for comes back over the por t 20 to h igh

por t connect ion , not the por t 21 con t rol connect ion .

FTP act ive mode, therefore, t ransfers da t a in a coun ter in tu it ive way to

the TCP standard, as it select s por t 20 as it s sou rce por t (not a random high

por t tha t 's grea t er than 1024) and connects back to the clien t on a random

high por t t ha t has been pre-negot ia t ed on the por t 21 con t rol connect ion .

Active FTP may fail in cases where the clien t is protected from the

In ternet via many to one NAT (masquerading), because the firewall will not

know which of the many servers beh ind it should receive the retu rn connect ion .

Passive FTP

Passive FTP works differen t ly:

1. Your clien t connects to the FTP server by est ablish ing an FTP con t rol

connect ion to por t 21 of t he server. Your commands such a s ls and get a re

sent over t ha t connect ion .

2. Whenever the clien t requests da ta over t he con t rol connect ion , the clien t

in it ia tes the da ta t ransfer connect ions to t he server. The source por t of

these da ta t ransfer connect ions is a lways a h igh por t on the clien t with a

dest ina t ion por t of a h igh por t on the server.

Passive FTP shou ld be viewed a s the server never making an act ive

a t tempt to connect t o t he clien t for FTP data t ransfers. Because the clien t

a lways in it ia tes t he requ ired connect ions, passive FTP works bet t er for clien t s

protected by a firewall.

As Windows defau lt s to act ive FTP and Linux defau lt s to passive, you 'll

probably have to accommodate both forms when deciding upon a secu r ity pol-

icy for your FTP server .

Regular FTP

By defau lt , the VSFTPD package a llows regu lar Linux u sers to copy files to

and from their home director ies with an FTP clien t u sing their Linux user -

names and passwords as their login creden t ia ls.

FTP Overview 239

VSFTPD also has the opt ion of a llowing th is type of access to on ly a

group of Linux users, enabling you to rest r ict the addit ion of new files to your

syst em to au thor ized personnel.

The disadvan tage of regu lar FTP is t ha t it isn 't su it able for genera l

download dist r ibut ion of software as everyone either has to get a un ique

Linux user accoun t or has to u se a shared username and password.

Anonymous FTP a llows you to avoid th is difficu lty.

Anonymous FTP

Anonymous FTP is t he choice of Web sites tha t need to exchange files with

numerous unknown remote users. Common uses include downloading soft -

ware updates and MP3s and uploading diagnost ic in format ion for a t echn ica l

suppor t engineers ' a t ten t ion . Un like regu la r FTP where you login with a pre-

con figu red Linux username and password, anonymous FTP requ ires on ly a

username of anonymous and your e-ma il address for the password. Once

logged in to a VSFTPD server, you au tomat ica lly have access to on ly the

defau lt anonymous FTP directory (/var/ftp in t he case of VSFTPD) and a ll it s

subdirector ies.

As seen in Chapter 6,Installing RPM Software,using anonymous FTP as

a remote user is fa ir ly st raightforward. VSFTPD can be configured to support

user-based and/or anonymous FTP in it s configura t ion file, as you 'll see later.

PROBLEMS WITH FTP AND FIREWALLS

FTP frequen t ly fa ils when the da ta has to pass th rough a firewall, because

firewa lls a re designed to lim it da ta flows to predict able TCP por ts and FTP

uses a wide range of unpredictable TCP por ts. You have a choice of methods to

overcome th is.

Not e

Appendix II, Codes, Scripts, and Configura t ions,conta ins examples of how to con-

figure the VSFTPD Linux firewall to funct ion with both act ive and passive FTP.

Client Protected by a Firewall Problem

Typica lly firewalls don 't a llow any incoming connect ions a t a ll, wh ich fre-

quen t ly blocks act ive FTP from funct ion ing. With th is type of FTP fa ilu re, t he

act ive FTP connect ion appears to work when the clien t in it ia t es an ou tbound

connect ion to the server on por t 21. The connect ion then appears to hang, how-

ever, a s soon as you use the ls, dir, or get commands. The reason is t ha t the fire-

wall is blocking the retu rn connect ion from the server to the clien t (from por t


20 on the server to a h igh por t on the clien t ). If a firewa ll a llows a ll ou tbound

connect ions to the In ternet , then passive FTP clien t s beh ind a firewall will

u sua lly work correct ly a s t he clien ts in it ia t e a ll the FTP connect ions.

Solution

Table 15.1 shows the genera l ru les you 'll need to a llow FTP clien ts t h rough a

firewa ll.

Table 15.1 Client Protected by Firewall: Required Rules for FTP

Method Source Source Destination Destination Connection

Address Port Address Port Type

Allow outgoing control connect ions to server

Control FTP client / High 1 FTP server 2 21 New

channel network

FTP server 2 21 FTP client / H igh Established3

network

Allow the client to establish da ta channels to r emote server

Act ive FTP server 2 20 FTP client / High New

FTP network

FTP client / High FTP server 2 20 Established3

network

Passive FTP client / High FTP server 2 High New

FTP network

FTP server 2 High FTP client / High Established3

network

1 Greater than 1024.

2 In some cases, you may want to a llow a ll I nternet user s to have access, not just a specific client ,

server, or network.

3 Many home-based firewa ll routers automat ica lly a llow t r affic for a lready established connect ions.

This ru le may not be necessary in a ll cases.

Server Protected by a Firewall Problem

Typica lly, firewalls don 't let any connect ions come in a t a ll. When an incor-

rect ly configu red firewall protects an FTP server, the FTP connect ion from the

clien t doesn 't appea r to work a t a ll for both act ive and passive FTP.

Solution

Table 15.2 ou t lines t he genera l ru les needed to a llow FTP servers th rough a

firewa ll.

Problems with FTP and Firewalls 241

Table 15.2 Server Protected by Firewall: Required Rules for FTP

Method Source Source Destination Destination Connection

Address Port Address Port Type

Allow incoming control connect ions to server

Cont rol FTP client / High 2 FTP server 21 New

channel network 1

FTP server 21 FTP client / High Established3

network 1

Allow server to establish da ta channel to remote client

Act ive FTP server 20 FTP client / High New

FTP network 1

FTP client / High FTP server 20 Established3

network 1

Passive FTP client / High FTP server High New

FTP network 1

FTP server High FTP client / High Established3

network 1

1 In some cases, you may want to a llow a ll In ternet user s to have access, not just a specific client ,

server, or network.

2 Greater than 1024.

3 Many home-based firewall routers automat ica lly a llow t r affic for a lready established connect ions.

This ru le may not be necessary in a ll cases.

HOW TO DOWNLOAD AND INSTALL VSFTPD

Most Red Ha t and Fedora Linux software products a re ava ilable in the RPM

format . Downloading and in sta lling RPMs isn 't hard. If you need a refresher,

Chapter 6 covers how to do th is in deta il. It is best t o u se t he la test version of

VSFTPD.

When sea rch ing for t he file, remember t ha t the VSFTPD RPM's filename

usually sta r t s with the word vsftpdfollowed by a version number, a s in

vsftpd-1.2.1-5.i386.rpm.

HOW TO GET VSFTPD STARTED

You can st a r t , stop, or resta r t VSFTPD after boot ing u sing these commands:

[root@bigboy tmp]# service vsftpd start[root@bigboy tmp]# service vsftpd stop[root@bigboy tmp]# service vsftpd restart


To configu re VSFTPD to st a r t a t boot , u se the chkconfig command:

[root@bigboy tmp]# chkconfig vsftpd on

Not e

In Red Ha t Linux version 8.0 and ear lier, VSFTPD opera t ion is con t rolled by the

xinetd process, wh ich is covered in Chapter 16, TELNET, TFTP, and XINETD.

You can find a fu ll descr ipt ion of how to con figure these versions of Linux for

VSFTPD in Appendix III, Fedora Version Differences.

TESTING THE STATUS OF VSFTPD

You can a lways test whether the VSFTPD process is runn ing by using the

netstat -a command, wh ich list s a ll the TCP and UDP por ts on wh ich the

server is list en ing for t ra ffic. Th is example shows the expected ou tput :

[root@bigboy root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN[root@bigboy root]#

If VSFTPD wasn 't runn ing, there wou ld be no ou tpu t a t a ll.

THE VSFTPD.CONF FILE

VSFTPD reads the con ten ts of it s vsftpd.conf configu ra t ion file on ly when it

sta r t s, so you 'll have to restar t VSFTPD each t ime you edit t he file in order for

the changes to t ake effect .

Th is file u ses a number of defau lt set t ings you need to know abou t :

+ VSFTP D r u n s a s a n a n on ym ou s F TP se r ve r : Un less you wan t any

remote user to log in to to your defau lt FTP directory using a u sername of

anonymous and a password tha t 's t he same as t heir e-ma il address, I sug-

gest t u rn ing th is off. You can set t he con figu ra t ion file's anonymous_enable

direct ive to no to disable th is fea tu re. You 'll a lso need to simu ltaneously

enable loca l u sers to be able to log in by removing the comment symbol

(#) before t he local_enable in st ruct ion .

+ VSFTP D a llow s on ly a n on ym ou s F TP d ow n loa d s t o r em ot e

u se r s , n ot u p loa d s fr om t h em : You can change th is by modifying the

anon_upload_enable direct ive shown la ter.

The vsftpd.conf File 243

+ VSFTP D d oe sn 't a llow a n on ym ou s u se r s t o cr e a t e d ir e c t or ie s on

you r F TP se r ve r : You can change th is by modifying the

anon_mkdir_write_enable direct ive.

+ VSFTP D logs F TP a cce ss t o t h e /var/log/vsftpd.log log fi le : You can

change th is by modifying the xferlog_file direct ive.

+ VSFTP D exp ec t s fi le s for a n on ym ou s F TP t o b e p la ced in t h e

/var/ftp d ir e c t or y : You can change th is by modifying the anon_root

direct ive. There is a lways the r isk with anonymous FTP tha t u sers will

discover a way to wr ite files to your anonymous FTP directory. You run

the r isk of filling up your /var par t it ion if you use the defau lt set t ing. It is

best to make the anonymous FTP directory reside in it s own dedica t ed

par t it ion .

The configurat ion file is fair ly straightforward as you can see in the snippet:

# Allow anonymous FTP?anonymous_enable=YES

# Uncomment this to allow local users to log in.local_enable=YES

# Uncomment this to enable any form of FTP write command.# (Needed even if you want local users to be able to upload files)write_enable=YES

# Uncomment to allow the anonymous FTP user to upload files. This only# has an effect if global write enable is activated. Also, you will# obviously need to create a directory writable by the FTP user.#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able tocreate# new directories.#anon_mkdir_write_enable=YES

# Activate logging of uploads/downloads.xferlog_enable=YES

# You may override where the log file goes if you like.# The default is shown# below.#xferlog_file=/var/log/vsftpd.log

# The directory which vsftpd will try to change# into after an anonymous login. (Default = /var/ftp)#anon_root=/data/directory

To act iva te or deact iva te a fea tu re, remove or add the # a t the beginning

of the appropr ia te line.


Other vsftpd.conf Options

There a re many other opt ions you can add to th is file:

+ Lim it ing the maximum number of clien t connect ions (max_clients)

+ Lim it ing the number of connect ions by source IP address (max_per_ip)

+ Set t ing the maximum ra te of da ta t ransfer per anonymous login

(anon_max_rate)

+ Set t ing the maximum ra te of da t a t ransfer per non-anonymous login

(local_max_rate)

Descr ipt ions on th is and more can be found in the vsftpd.conf man

pages.

FTP SECURITY ISSUES

FTP has a number of secu r ity drawbacks, bu t you can overcome them in some

cases. You can rest r ict an individua l Linux user 's access to non -anonymous

FTP, and you can change the con figu ra t ion to not display the FTP server 's

software version in format ion , but un for tunately, though very conven ient , FTP

logins and da ta t ransfers a re not encrypted.

The /etc/vsftpd.ftpusers File

For added secu r it y, you may rest r ict FTP access to cer ta in u sers by adding

them to the list of u sers in t he /etc/vsftpd.ftpusers file. The VSFTPD package

crea t es t h is file with a number of en t r ies for pr ivileged users tha t normally

shou ldn 't have FTP access. As FTP doesn 't encrypt passwords, thereby

increasing the r isk of da t a or passwords being compromised, it is a good idea

to let these en t r ies remain and add new en t r ies for addit ional secu r ity.

Anonymous Upload

If you wan t remote users to wr it e da t a to your FTP server, t hen you shou ld

crea t e a wr it e-on ly directory with in /var/ftp/pub. Th is will a llow your u sers to

upload bu t not access other files uploaded by other u sers. The commands you

need are:

[root@bigboy tmp]# mkdir /var/ftp/pub/upload[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload

FTP Security Issues 245

FTP Greeting Banner

Change the defau lt greet ing banner in the vsftpd.conf file to make it harder

for malicious u sers to det erm ine the t ype of syst em you have. The direct ive in

th is file is:

ftpd_banner= New Banner Here

Using SCP as Secure Alternative to FTP

One of the disadvan tages of FTP is t ha t it does not encrypt your u sername

and password. Th is cou ld make your u ser accoun t vu lnerable to an unau tho-

r ized a t tack from a person eavesdropping on the network connect ion . Secu r e

Cop y (SCP ) and Secu r e F TP (SFTP ) provide encrypt ion and cou ld be con -

sidered as an a lterna t ive to FTP for t ru st ed users. SCP does not suppor t

anonymous services, however, a fea tu re tha t FTP does suppor t .

TROUBLESHOOTING FTP

You shou ld a lways t est your FTP inst a lla t ion by a t tempt ing to u se an FTP

clien t t o log in to your FTP server to t ransfer sample files.

The most common sources of day-to-day fa ilu res a re incorrect u sernames

and passwords.

In it ia l setup fa ilu res cou ld be caused by firewa lls a long the pa th between

the clien t and server blocking some or a ll t ypes of FTP t ra ffic. Typica l symp-

toms of th is a re either connect ion t imeou ts or t he ability to u se the ls com-

mand to view the con ten ts of a directory withou t the ability to either upload or

download files. Follow the firewall ru le guidelines to help overcome th is prob-

lem . Connect ion problems cou ld a lso be the resu lt of t ypica l network issues

ou t lined in Chapter 4, Simple Network Troubleshoot ing.

TUTORIAL

FTP has many uses, one of wh ich is a llowing numerous unknown users to

download files. You have to be ca refu l, because you run the r isk of accidenta lly

a llowing unknown persons to upload files to your server. Th is sor t of unin -

t ended act ivity can qu ickly fill up your ha rd dr ive with illega l software,

images, and music for the wor ld to download, wh ich in tu rn can clog your

server 's In t ernet access and dr ive up your bandwidth charges.


FTP Users with Read-Only Access to a Shared Directory

In this example, anonymous FTP is not desired, but a group of t rusted users need

to have read-only access to a directory for downloading files. Here are the steps:

1. Disable anonymous FTP. Comment ou t the anonymous_enable line in t he

vsftpd.conf file:

# Allow anonymous FTP?

# anonymous_enable=YES

2. Enable individua l logins by making su re you have the local_enable line

uncommented in the vsftpd.conf file:

# Uncomment this to allow local users to log in.

local_enable=YES

3. Sta r t VSFTP.

[root@bigboy tmp]# service vsftpd start

4. Crea te a u ser group and sha red directory. In t h is ca se, u se /home/ftp-

users and a u ser group name of ftp-users for the remote u sers:

[root@bigboy tmp]# groupadd ftp-users

[root@bigboy tmp]# mkdir /home/ftp-docs

5. Make the directory accessible to t he ftp-users group:

[root@bigboy tmp]# chmod 750 /home/ftp-docs

[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs

6. Add users, and make their defau lt directory /home/ftp-docs:

[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1




[root@bigboy tmp]# passwd user1




7. Copy files to be downloaded by your u sers in to the /home/ftp-docs

directory.

8. Change the perm issions of the files in t he /home/ftp-docs directory to

read-only access by the group:

[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*

[root@bigboy tmp]# chmod 740 /home/ftp-docs/*

Tutorial 247

Users shou ld now be able to log in via FTP to t he server u sing their new

usernames and passwords. If you absolu tely don 't wan t any FTP users to

be able to wr ite to any directory, then you shou ld set the write_enable line

in your vsftpd.conf file t o no:

write_enable = NO

Remember, you must rest ar t VSFTPD for t he configu ra t ion file changes

to take effect .

Sample Login Session to Test Functionality

Here is a simple test procedure you can use to make su re everyth ing is work-

ing correct ly:

1. Check for the presence of a t est file on the FTP clien t server.

[root@smallfry tmp]# ll

total 1

-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile

[root@smallfry tmp]#

2. Connect t o Bigboy via FTP:

[root@smallfry tmp]# ftp 192.168.1.100

Connected to 192.168.1.100 (192.168.1.100)

220 ready, dude (vsFTPd 1.1.0: beat me, break me)

Name (192.168.1.100:root): user1

331 Please specify the password.

Password:

230 Login successful. Have fun.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

As expected, you can 't do an upload t ransfer of test file to bigboy:

ftp> put testfile

local: testfile remote: testfile

227 Entering Passive Mode (192,168,1,100,181,210)

553 Could not create file.

ftp>

But we can view and download a copy of the VSFTPD RPM on the FTP

server bigboy:

ftp> ls


150 Here comes the directory listing.

-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm


226 Directory send OK.

ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp

local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-

1.i386.rpm


150 Opening BINARY mode data connection for vsftpd-1.1.0-

1.i386.rpm (76288 bytes).

226 File send OK.

76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)

ftp> exit

221 Goodbye.


As expected, an anonymous FTP fa ils:

[root@smallfry tmp]# ftp 192.168.1.100

Connected to 192.168.1.100 (192.168.1.100)

220 ready, dude (vsFTPd 1.1.0: beat me, break me)

Name (192.168.1.100:root): anonymous

331 Please specify the password.

Password:

530 Login incorrect.

Login failed.

ftp> quit

221 Goodbye.


Now tha t test ing is complete, you can make th is a regu lar par t of your

FTP server 's opera t ion .

CONCLUSION

FTP is a very usefu l software applica t ion tha t can have enormous benefit to a

Web sit e or t o collabora t ive compu t ing in wh ich files need to be shared

between business pa r tners. Although in secu re, it is un iversa lly accessible,

because FTP clien t s a re a par t of a ll opera t ing systems and Web browsers. If

da t a encrypt ion secu r it y is of grea t impor tance to you , then you shou ld proba -

bly consider SCP as a possible a lt erna t ive. You can find more in format ion on it

in Chapter 17, Secure Remote Logins and File Copying.

Conclusion 249

ftp document

Documents