
 

Chapter 13

Linux FTP Server Setup

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In This Chapter

Chapter 13

Linux FTP Server Setup

FTP Overview

Problems With FTP And Firewalls

How To Download And Install The VSFTP Package

How To Get VSFTP Started

Testing To See If VSFTP Is Running

What Is Anonymous FTP?

The /etc/vsftpd.conf File

FTP Security Issues

Example #1:

 

© Peter Harrison, www.linuxhomenetworking.com

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 

 

This chapter will show you how to convert your Linux box into an FTP server using the VSFTP package. The RedHat software download site runs on VSFTP. 

FTP Overview

File Transfer Protocol (FTP) is a common method of copying files between computer systems. It uses two separate TCP connections: 

 

FTP Control Channel - TCP Port 21

All commands you send and the FTP server's responses to those commands go over the control connection. Any data (such as "ls" directory listings or actual file contents in either direction) goes over a separate data connection.

 

FTP Data Channel - TCP Port 20 (active mode) or a high port (passive mode)

Used for all data sent between the client and server. In active mode the server opens the data connection from its port 20; in passive mode the server listens on a high port that it announces to the client over the control channel, and port 20 is not involved. A fresh data connection is opened for every listing or file transfer.

 

 

Active FTP

Active FTP works as follows:

o        Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection. 

o        Whenever the client requests data over the control connection, the server initiates a data transfer connection back to the client. The source port of these data connections is always port 20 on the server, and the destination is a high port on the client that the client announced beforehand with a PORT command.

o        Thus the 'ls' listing that you asked for comes back over the "port 20 to high port" connection, not the port 21 control connection.

o        Active-mode data transfer therefore does the opposite of the usual client/server pattern: the server is the one that opens the connection, it uses the well-known port 20 as its source port (not a random high port above 1024), and it connects to a random high port on the client that was pre-negotiated over the port 21 control connection.

o        Active FTP may fail when the client is protected from the Internet by many-to-one NAT (masquerading). The PORT command carries the client's private address and port, which the server cannot reach, and unless the NAT device reads the control channel and rewrites the command (an FTP application-level gateway or connection-tracking helper), it cannot tell which of the many clients behind it should receive the server's incoming connection.

 

Passive FTP

Passive FTP works as follows:

o        Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over that connection.

o        Whenever the client requests data over the control connection, the client first sends a PASV command; the server replies with an address and a high port on which it is now listening, and the client initiates the data transfer connection to it. The source port of these data connections is always a high port on the client, and the destination port is a high port on the server.

o        In passive FTP, then, the server never makes an active attempt to connect to the client for data transfers; every connection is initiated by the client.

o        Passive FTP works better for clients protected by a firewall, as the client always initiates the required connections. 
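
The address and port negotiation described above is exactly what a firewall or NAT device has to read out of the control channel. The shell functions below, added here as an example and not part of the original chapter, decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT commands and by "227 Entering Passive Mode" replies (port = p1*256 + p2) and check that the host it names is the same peer as the control connection. That check is what a client should apply to a PASV reply (a server could otherwise point the data connection at a third host) and what a server should apply to a PORT command (the classic FTP bounce attack); vsftpd enforces both unless pasv_promiscuous or port_promiscuous is turned on. The reply lines and addresses are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original chapter): decode the h1,h2,h3,h4,p1,p2
# tuple that FTP uses in PORT commands and "227 Entering Passive Mode" replies,
# and check that the host it names is the peer on the control connection.
# All reply lines and addresses below are constructed sample data.

# ftp_hostport_decode "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 PORT", port = p1*256+p2
ftp_hostport_decode() {
    oldifs=$IFS
    IFS=,
    set -- $1                     # split the tuple into six positional fields
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for field in "$@"; do
        case $field in
            ''|*[!0-9]*) return 1 ;;     # empty or not a decimal number
        esac
        [ "$field" -le 255 ] || return 1
    done
    port=$(( $5 * 256 + $6 ))
    [ "$port" -gt 0 ] || return 1        # port 0 is never a valid data port
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$port"
}

# ftp_pasv_decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> "h1.h2.h3.h4 PORT"
ftp_pasv_decode() {
    case $1 in
        227*"("*")"*) ;;
        *) return 1 ;;
    esac
    tuple=${1#*"("}          # strip everything up to and including "("
    tuple=${tuple%%")"*}     # strip from ")" to the end
    ftp_hostport_decode "$tuple"
}

# ftp_port_decode "PORT h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 PORT"
ftp_port_decode() {
    set -- $1                # "PORT" and the tuple, split on whitespace
    [ "$1" = PORT ] && [ $# -eq 2 ] || return 1
    ftp_hostport_decode "$2"
}

# ftp_data_target_ok PEER_IP "h1,h2,h3,h4,p1,p2": succeed only if the tuple
# names PEER_IP.  A client applies this to a 227 reply, a server to PORT.
ftp_data_target_ok() {
    decoded=$(ftp_hostport_decode "$2") || return 1
    [ "${decoded% *}" = "$1" ]
}

if [ "${1:-}" = demo ]; then
    ftp_pasv_decode "227 Entering Passive Mode (192,168,1,100,181,210)"
    ftp_port_decode "PORT 192,168,1,5,4,1"
    ftp_data_target_ok 192.168.1.5 192,168,1,5,4,1 && echo "PORT target matches the peer"
    ftp_data_target_ok 192.168.1.5 10,0,0,9,0,21 || echo "PORT to a third host refused (bounce attempt)"
fi
```

Run it with "sh ftp-decode.sh demo". The 227 reply in the demo is the one a vsftpd server sends in the test session later in this chapter; 181*256+210 gives data port 46546, which is the port a client-side firewall would have to let out.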
 

Problems With FTP And Firewalls 

FTP frequently fails when the data has to pass through a firewall as FTP uses a wide range of unpredictable TCP ports and firewalls are designed to limit data flows to predictable TCP ports. There are ways to overcome this as explained in the following sections.

The Appendix has examples of how to configure the iptables Linux firewall to function with both active and passive FTP.

Client Protected By A Firewall Problem

Typically firewalls don't let any incoming connections through at all, which frequently stops active FTP from working. This type of FTP failure has the following symptoms:

o        The active FTP session appears to work when the client makes its outbound connection to the server on port 21, but it hangs as soon as you type "ls", "dir" or "get". This is because the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). 

Solutions

 Here are the general firewall rules you'll need to allow FTP clients through a firewall:


 

Client Protected by Firewall - Required Rules for FTP

Method            Source Address       Source Port  Destination Address  Destination Port  Connection Type
----------------  -------------------  -----------  -------------------  ----------------  ---------------
Allow outgoing control connections to the server
Control channel   FTP client/network   High         FTP server**         21                New
                  FTP server**         21           FTP client/network   High              Established*

Allow data channels between the client and the remote server (opened by the server in active mode, by the client in passive mode)
Active FTP        FTP server**         20           FTP client/network   High              New
                  FTP client/network   High         FTP server**         20                Established*
Passive FTP       FTP client/network   High         FTP server**         High              New
                  FTP server**         High         FTP client/network   High              Established*

 

* Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

** In some cases you may want to allow all Internet users to have access, not just a specific client, server or network.

 

Server Protected By A Firewall Problem

o        Typically firewalls don't let any incoming connections through at all. When the firewall in front of the server blocks everything, the client's control connection to port 21 never completes and FTP appears not to work at all; if only port 21 is opened, active FTP works but passive-mode data connections to the server's high ports still fail.

Solutions

Here are the general firewall rules you'll need to allow FTP servers through a firewall:


 

Server Protected by Firewall - Required Rules for FTP

Method            Source Address        Source Port  Destination Address   Destination Port  Connection Type
----------------  --------------------  -----------  --------------------  ----------------  ---------------
Allow incoming control connections to the server
Control channel   FTP client/network**  High         FTP server            21                New
                  FTP server            21           FTP client/network**  High              Established*

Allow data channels between the server and remote clients (opened by the server in active mode, by the client in passive mode)
Active FTP        FTP server            20           FTP client/network**  High              New
                  FTP client/network**  High         FTP server            20                Established*
Passive FTP       FTP client/network**  High         FTP server            High              New
                  FTP server            High         FTP client/network**  High              Established*

 

* Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

** In some cases you may want to allow all Internet users to have access, not just a specific client, server or network.

Rather than opening every high port on the server for passive data connections, limit vsftpd to a fixed range with pasv_min_port and pasv_max_port in /etc/vsftpd.conf (check vsftpd.conf(5) for your version) and allow only that range, or use a firewall that tracks the FTP control channel, such as iptables with the ip_conntrack_ftp/nf_conntrack_ftp helper, so that only the port actually negotiated for each transfer is opened.  
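
The two tables above, expressed as iptables rules. This script is an added example, not from the chapter or from the vsftpd project. It assumes a Linux host with iptables, the FTP connection-tracking helper module, and the interface, peer network and passive port range set in the variables at the top (the range must match pasv_min_port and pasv_max_port in /etc/vsftpd.conf). Run it as "sh ftp-rules.sh server" on the server or "sh ftp-rules.sh client" on the client; with IPT=echo it prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example (not from the original chapter): iptables rules for the two
# tables above.  Assumptions: a Linux host with iptables and the FTP
# connection-tracking helper (nf_conntrack_ftp; ip_conntrack_ftp on old
# kernels), and, for the server, vsftpd restricted to a passive port range
# with pasv_min_port/pasv_max_port matching PASV_MIN/PASV_MAX below.
# Usage: sh ftp-rules.sh server|client    (IPT=echo prints instead of applying)

IPT=${IPT:-iptables}
FTP_IF=${FTP_IF:-eth0}               # interface facing the FTP peers
FTP_PEERS=${FTP_PEERS:-0.0.0.0/0}    # narrow this to a known network where you can
PASV_MIN=${PASV_MIN:-50000}
PASV_MAX=${PASV_MAX:-50100}
CT="-m conntrack --ctstate"          # left unquoted below on purpose: three arguments

# Server protected by the firewall (second table above).
ftp_server_rules() {
    # Control channel: clients open port 21, replies are ESTABLISHED.
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --dport 21 $CT NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --sport 21 $CT ESTABLISHED -j ACCEPT
    # Active mode: the server opens port 20 -> client high port.  With the
    # helper loaded the first packet is RELATED (the helper saw the PORT
    # command); NEW is only needed on a kernel without the helper.
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --sport 20 $CT NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --dport 20 $CT ESTABLISHED -j ACCEPT
    # Passive mode: clients connect to the high port announced in the 227
    # reply.  Only the configured range is opened, not every port above 1023;
    # with the helper loaded, drop NEW so only the negotiated port is reachable.
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --dport "$PASV_MIN:$PASV_MAX" $CT NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --sport "$PASV_MIN:$PASV_MAX" $CT ESTABLISHED -j ACCEPT
}

# Client protected by the firewall (first table above).
ftp_client_rules() {
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --dport 21 $CT NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --sport 21 $CT ESTABLISHED -j ACCEPT
    # Active mode: the server dials in from port 20.  RELATED only, never NEW:
    # anyone can pick 20 as a source port, so "NEW from sport 20" would open
    # every high port on the client to the whole Internet.
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --sport 20 $CT RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --dport 20 $CT ESTABLISHED -j ACCEPT
    # Passive mode: outbound to whichever high port the server announced.
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp -d "$FTP_PEERS" --dport 1024:65535 $CT NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$FTP_IF" -p tcp -s "$FTP_PEERS" --sport 1024:65535 $CT ESTABLISHED -j ACCEPT
}

load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

case ${1:-} in
    server|client)
        [ "$IPT" = echo ] || load_ftp_helper
        "ftp_${1}_rules" ;;
esac
```

With the helper loaded, the data connections are tracked as RELATED to the control connection, so the broad "High" rows of the tables shrink to the one port that was negotiated; the NEW states in the data rules are only there for kernels without the helper and can be removed once it is loaded. On the client side, never accept NEW connections just because their source port is 20: the source port is chosen by the remote end.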

How To Download And Install The VSFTP Package

·      As explained previously, RedHat software is installed using RPM packages. In version 8.0 of the operating system, the VSFTP RPM file is named:

 

vsftpd-1.1.0-1.i386.rpm

 

Downloading and installing RPMs isn’t hard. If you need a refresher, the RPM chapter covers how to do this in detail.

 

·     Now download the file to a directory such as /tmp and install it using the “rpm” command:

 

[root@bigboy tmp]# rpm -Uvh vsftpd-1.1.0-1.i386.rpm
Preparing... ########################################### [100%]
1:vsftpd     ########################################### [100%]

[root@bigboy tmp]#
 

 

How To Get VSFTP Started

The starting and stopping of VSFTP is controlled by xinetd via the /etc/xinetd.d/vsftpd file. VSFTP is deactivated by default, so you’ll have to edit this file to start the program. Make sure the contents look like this. The disable feature must be set to "no" to accept connections.

 

service ftp
{

disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10

}

 

You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init.d directory.

 

[root@aqua tmp]#  /etc/init.d/xinetd restart

Stopping xinetd: [  OK  ]

Starting xinetd: [  OK  ]

[root@aqua tmp]#

 

Naturally, to disable VSFTP once again, you’ll have to edit /etc/xinetd.d/vsftpd, set “disable” to “yes” and restart xinetd.

Testing To See If VSFTP Is Running

You can always test whether VSFTP is accepting connections with the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. The example below shows the expected output; there would be no matching line at all if VSFTP were disabled. Note that in this xinetd-based setup the listening socket belongs to xinetd, which only starts vsftpd when a connection arrives; netstat -anp shows which process owns each port.

 

[root@bigboy root]# netstat -a | grep ftp
tcp        0        0        *:ftp         *:*        LISTEN
[root@bigboy root]#


 

What Is Anonymous FTP?

Anonymous FTP is used by web sites that need to exchange files with numerous unknown remote users. Common uses range from downloading software updates and MP3s to uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a user-specific username, anonymous FTP only requires a username of "anonymous" (vsftpd also accepts "ftp") and, by convention, your email address as the password; any password is accepted. Once logged in to a VSFTP server, you are confined to the default anonymous FTP directory /var/ftp (the home directory of the "ftp" system account) and its subdirectories: vsftpd chroots anonymous sessions there, so nothing outside it is visible.

As seen in the chapter on RPMs, using anonymous FTP as a remote user is fairly straightforward. VSFTP can be configured to support user-based and/or anonymous FTP in its configuration file.  

The /etc/vsftpd.conf File

A vsftpd process reads /etc/vsftpd.conf only when it starts. In this xinetd-based setup a new vsftpd process is started for every incoming connection, so a new FTP session picks up your edits, while sessions that are already open keep the old settings. This chapter restarts xinetd after each edit, which does no harm and is the habit you'll need if vsftpd is ever run as a standalone daemon.

This file uses a number of default settings you need to know. By default, VSFTP runs as an anonymous FTP server: the compiled-in default for anonymous_enable is YES, and it stays YES if the line is missing or commented out. Unless you want any remote user to log into your default FTP directory using a username of "anonymous" and a password that's the same as their email address, set anonymous_enable=NO explicitly. You'll also want to enable local users to log in by uncommenting the local_enable instruction (its compiled-in default is NO).

By default VSFTP only allows anonymous FTP downloads to remote users, not uploads from them: anon_upload_enable defaults to NO, and so does write_enable, which gates every write command. Also by default, VSFTP doesn't allow remote users to create directories on your FTP server, and the RedHat configuration file enables logging of transfers to the /var/log/vsftpd.log log file.

The configuration file is fairly straightforward, as you can see in the snippet below. A line beginning with "#" is a comment, and an option that is commented out takes its compiled-in default, which is not always "off" (anonymous_enable is the important case), so the reliable way to turn a feature off is an explicit option=NO line. Write the option name, the "=" and the value with no spaces between them.

 

# Allow anonymous FTP?
anonymous_enable=YES
...

...

# Uncomment this to allow local users to log in.
local_enable=YES
...

...

# Uncomment this to enable any form of FTP write command.

# (Needed even if you want local users to be able to upload files)
write_enable=YES
...

...

# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...

...

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...

...

# Activate logging of uploads/downloads.
xferlog_enable=YES
...

...

# You may override where the log file goes if you like.
# The default is shown below.
#xferlog_file=/var/log/vsftpd.log
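
A quick way to check whether a given /etc/vsftpd.conf leaves any of the risky defaults in place. This audit script is an added example, not from the chapter or the vsftpd project. It assumes the compiled-in defaults documented in vsftpd.conf(5) for the options it inspects; all of those options appear either in the snippet above or in that manual page, but verify them against the manual page for your own version. Both sample configuration files are constructed for the example: the first is the chapter's snippet as shipped, the second a hardened version.

```sh
#!/bin/sh
# Added example (not from the original chapter or the vsftpd project): audit
# an /etc/vsftpd.conf for risky settings.  vsftpd substitutes a compiled-in
# default for any option that is absent or commented out, so the checks work
# on the effective value.  Defaults assumed here are the ones documented in
# vsftpd.conf(5): anonymous_enable=YES, local_enable=NO, write_enable=NO,
# anon_upload_enable=NO, anon_mkdir_write_enable=NO, chroot_local_user=NO,
# xferlog_enable=NO and no ftpd_banner (vsftpd then greets with its version).
# The sample configuration files are constructed for this example.

# vsftpd_conf_get FILE OPTION DEFAULT -> effective value of OPTION
vsftpd_conf_get() {
    # vsftpd syntax: "option=value" at the start of a line, no spaces around
    # the "=", lines starting with "#" ignored; the last assignment wins.
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# vsftpd_conf_audit FILE -> one line per finding; exit status = number of findings
vsftpd_conf_audit() {
    conf=$1
    count=0
    anon=$(vsftpd_conf_get "$conf" anonymous_enable YES)
    loc=$(vsftpd_conf_get "$conf" local_enable NO)
    write=$(vsftpd_conf_get "$conf" write_enable NO)
    anon_up=$(vsftpd_conf_get "$conf" anon_upload_enable NO)
    anon_mk=$(vsftpd_conf_get "$conf" anon_mkdir_write_enable NO)
    chroot_loc=$(vsftpd_conf_get "$conf" chroot_local_user NO)
    xfer=$(vsftpd_conf_get "$conf" xferlog_enable NO)
    banner=$(vsftpd_conf_get "$conf" ftpd_banner "")

    if [ "$anon" = YES ]; then
        echo "anonymous logins enabled (a missing or commented-out anonymous_enable still means YES; set anonymous_enable=NO)"
        count=$((count + 1))
        if [ "$write" = YES ] && [ "$anon_up" = YES ]; then
            echo "anonymous users can upload (write_enable=YES with anon_upload_enable=YES)"
            count=$((count + 1))
        fi
        if [ "$write" = YES ] && [ "$anon_mk" = YES ]; then
            echo "anonymous users can create directories (anon_mkdir_write_enable=YES)"
            count=$((count + 1))
        fi
    fi
    if [ "$loc" = YES ] && [ "$chroot_loc" != YES ]; then
        echo "local users can browse the whole filesystem (set chroot_local_user=YES)"
        count=$((count + 1))
    fi
    if [ "$xfer" != YES ]; then
        echo "transfer logging is off (set xferlog_enable=YES)"
        count=$((count + 1))
    fi
    if [ -z "$banner" ]; then
        echo "default greeting discloses the vsftpd version (set ftpd_banner)"
        count=$((count + 1))
    fi
    return "$count"
}

# write_sample_configs DIR: the chapter's snippet as shipped, and a hardened version.
write_sample_configs() {
    cat > "$1/default.conf" <<'EOF'
# Allow anonymous FTP?
anonymous_enable=YES
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
# Activate logging of uploads/downloads.
xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
EOF
    cat > "$1/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=FTP service ready.
EOF
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    for f in "$dir"/default.conf "$dir"/hardened.conf; do
        echo "== $f"
        vsftpd_conf_audit "$f" || echo "   ($? finding(s))"
    done
    rm -rf "$dir"
fi
```

Run "sh vsftpd-audit.sh demo" to see both samples scored, or call vsftpd_conf_audit /etc/vsftpd.conf against the real file. One caveat on the chroot_local_user=YES recommendation: vsftpd 2.3.5 and later refuse a login when the chroot directory itself is writable by the user, so keep the home directory root-owned, as Example #1 below does, rather than reaching for allow_writeable_chroot.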

 

FTP Security Issues

The /etc/vsftpd.ftpusers File

This file is a deny list: any account named in it is refused FTP access no matter what password is given. The default list contains root, bin, daemon and other system accounts whose passwords should never travel over a cleartext protocol; on RedHat the check is done by the pam_listfile module in /etc/pam.d/vsftpd. To lock another account out of FTP, add it to this file. Do not delete entries from the default list; it is best only to add. (vsftpd also has its own list, /etc/vsftpd.user_list, controlled by userlist_enable and userlist_deny; in its default deny mode the listed users are refused before they are even asked for a password, which is the safer order. Check vsftpd.conf(5) for your version.) 

Anonymous Upload

If you want anonymous remote users to write data to your FTP server, it is recommended that you create a write-only directory within /var/ftp/pub. A directory with mode 733 lets users upload but not list what others have uploaded. Two caveats: uploading also has to be switched on in /etc/vsftpd.conf (write_enable=YES and anon_upload_enable=YES), and a file in a write-only directory can still be downloaded by anyone who knows or guesses its name, because every anonymous session runs as the same "ftp" user that owns the uploads. If that matters, have vsftpd hand uploaded files to a different owner with chown_uploads=YES and chown_username (see vsftpd.conf(5)). Here are the commands to create the directory:


[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 733 /var/ftp/pub/upload 

FTP Greeting Banner

The default greeting identifies the software and version (the test session later in this chapter shows "220 ready, dude (vsFTPd 1.1.0: beat me, break me)"), which tells a scanner exactly what to look up. Change the greeting with ftpd_banner in /etc/vsftpd.conf to make it harder for malicious users to determine the type of system you have. Treat this as a small obstacle rather than a fix: other responses can still fingerprint the server, so keep patching regardless.


ftpd_banner=New Banner Here
 

Using SCP As Secure Alternative To FTP

One of the disadvantages of FTP is that it does not encrypt your username and password, nor the files themselves; anyone able to eavesdrop on the network path can capture your credentials and reuse them. Secure Copy (SCP), which runs over SSH, encrypts both the login and the data and could be considered as an alternative to FTP for trusted users; the SFTP subsystem that ships with OpenSSH gives the same protection with an ftp-like interactive session. SCP and SFTP, however, do not support anonymous services, a feature that FTP does.


 

Example #1:

 

FTP Users With Only Read Access To A Shared Directory

In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:

 

o        Enable FTP. Edit /etc/xinetd.d/vsftpd and set the disable value to "no".

 

o        Disable anonymous FTP. Set anonymous_enable to NO in the /etc/vsftpd.conf file like this (commenting the line out is not enough, because the compiled-in default is YES):

 

# Allow anonymous FTP?

anonymous_enable=NO
 

o        Enable individual logins by making sure you have the local_enable line uncommented in the /etc/vsftpd.conf file like this:

 

# Uncomment this to allow local users to log in.

local_enable=YES
 

o        Create a user group and shared directory. In this case we'll use "/home/ftp-docs" for the directory and "ftp-users" as the group name for the remote users.

 

[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs

 

o        Make the directory accessible to the ftp-users group.

[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
 

o        Add users, and make their default directory /home/ftp-docs

[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2

[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
 

o        Copy files to be downloaded by your users into the /home/ftp-docs directory

 

o        Change the permissions of the files in the /home/ftp-docs directory for read only access by the group

 

[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
 

Users should now be able to log in via ftp to the server using their new user names and passwords. If you absolutely don't want any FTP users to be able to write to any directory, set write_enable to NO in your /etc/vsftpd.conf file like this (the compiled-in default is also NO, so commenting the line out would work, but an explicit line leaves no doubt):

 

write_enable=NO

 

o        Restart xinetd so that new connections pick up the configuration file changes.

[root@bigboy tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@bigboy tmp]#
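
The steps above as one script, added here as an example and not part of the original chapter. Beyond what the chapter does, the accounts are created with /sbin/nologin as their shell so that FTP-only users cannot log in over SSH or at the console (assumption: that shell is listed in /etc/shells, which the pam_shells module in RedHat's /etc/pam.d/vsftpd requires), and published documents are installed with mode 640 rather than 740, since they do not need the execute bit. The check_share function verifies the result; RUN=echo prints the privileged commands instead of executing them.

```sh
#!/bin/sh
# Added example (not from the original chapter): Example #1 as one script,
# plus a check that the share is read-only for the group and closed to
# everyone else.  Beyond the chapter: FTP-only accounts get /sbin/nologin as
# their shell (assumption: it is listed in /etc/shells, which pam_shells in
# Red Hat's /etc/pam.d/vsftpd requires), and documents are installed 640, not
# 740, since they need no execute bit.  RUN=echo prints the privileged
# commands instead of executing them.

RUN=${RUN:-}
SHARE=${SHARE:-/home/ftp-docs}
GROUP=${GROUP:-ftp-users}

# setup_share USER...: group, directory (750 root:GROUP) and FTP-only accounts.
setup_share() {
    $RUN groupadd "$GROUP"
    $RUN mkdir -p "$SHARE"
    $RUN chown root:"$GROUP" "$SHARE"
    $RUN chmod 750 "$SHARE"
    for u in "$@"; do
        $RUN useradd -g "$GROUP" -d "$SHARE" -s /sbin/nologin "$u"
        # passwd "$u" still has to be run interactively for each account
    done
}

# publish_files FILE...: copy documents into the share as root-owned, group-readable.
publish_files() {
    for f in "$@"; do
        $RUN install -o root -g "$GROUP" -m 640 "$f" "$SHARE/"
    done
}

# check_share DIR OWNER GROUP: succeed only if DIR is 750 OWNER:GROUP and every
# file in it is OWNER:GROUP with the group limited to read and others to nothing.
check_share() {
    dir=$1; owner=$2; group=$3; bad=0
    set -- $(stat -c '%a %U %G' "$dir")
    if [ "$1" != 750 ] || [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
        echo "$dir: expected 750 $owner:$group, found $1 $2:$3"
        bad=1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue              # glob matched nothing
        set -- $(stat -c '%a %U %G' "$f")
        case $1 in
            [0-7][04]0) ;;                   # owner anything, group r or -, others -
            *) echo "$f: mode $1 lets the group write or others in"; bad=1 ;;
        esac
        if [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
            echo "$f: owned by $2:$3, expected $owner:$group"; bad=1
        fi
    done
    return $bad
}

case ${1:-} in
    setup)   shift; setup_share "$@" ;;
    publish) shift; publish_files "$@" ;;
    check)   check_share "$SHARE" root "$GROUP" ;;
esac
```

Typical use is "sh ftp-share.sh setup user1 user2 user3 user4", then "sh ftp-share.sh publish doc1.pdf doc2.pdf", then "sh ftp-share.sh check" after every change to the directory; a non-zero exit means something in the share is writable by the group or visible to others. The check uses GNU stat's -c format, so it is Linux-specific.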

 

Sample Login Session To Test Functionality

 

o        Check for the presence of a test file on the FTP client, smallfry.

[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#

 

o        Connect to bigboy via FTP

[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

 

o        As expected, we can't upload "testfile" to bigboy: the 553 reply comes back because /home/ftp-docs is writable only by root.

ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.

ftp>

 

o        We can view and download a copy of the VSFTP RPM

ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)

ftp> exit
221 Goodbye.

[root@smallfry tmp]#

 

o        As expected, we can't do anonymous ftp.

[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.

[root@smallfry tmp]#