
Unit – 5 FTP Server

FTP Introduction
- One of the oldest and most commonly used protocols.
- The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as RFC 114 on 16 April 1971.
- Its purpose is to transfer files reliably between computer hosts on a network.
- It allows users to access files on remote systems using a standard set of simple commands.
- FTP uses a client-server architecture to transfer files over the TCP network protocol.

- Because FTP is an older protocol, it uses unencrypted username and password authentication.
- It is considered an insecure protocol and should not be used unless absolutely necessary.
- A secure substitute for FTP is sftp, which is included in the OpenSSH suite of tools.

vsftpd
- Default FTP server daemon.
- Lightweight; makes less use of system resources.
Features:
A. Supports virtual IP configuration.
B. Supports virtual users.
C. Runs as a standalone daemon or from xinetd.
D. Configurable on a per-user or per-IP basis.
E. Bandwidth saving.

Configuring vsftpd
Check whether vsftpd is installed:
    [root#] rpmquery -qa | grep vsftpd
If it is not installed, install it:
    [root#] rpm -ivh vsftpd*
To enable it on boot:
    [root#] chkconfig vsftpd on

Start the vsftpd service:
    [root#] service vsftpd start
Log in at the FTP prompt:
    $ ftp localhost
    Connected to localhost( )
    Name (localhost:john): ftp
    Please specify the password.
    Password :
    Login successful.

Commands used at the ftp prompt
1. ls           Directory listing
2. get file1    Get file1 from the FTP server
3. put file1    Put file1 on the FTP server

Configuration files in vsftpd
A. /etc/vsftpd/vsftpd.conf : manages and controls the operation of the FTP daemon.
B. /etc/vsftpd/ftpusers : contains the usernames that are not allowed to log in via FTP.
C. /etc/vsftpd/user_list : lists users who are permitted (or denied, depending on userlist_deny) to log in via FTP.

/etc/vsftpd/ftpusers
- The /etc/vsftpd/ftpusers file contains a list of user or account names that are not allowed to log in using FTP.
- This increases security. For example, if a cracker somehow obtains the root password and tries to log in as root using FTP, access will be denied.
- User accounts listed in this file are not permitted to log in to the system via FTP.

- /etc/vsftpd/ftpusers is used to prevent privileged user accounts, such as root, from using FTP to obtain access to the system.
- The default /etc/vsftpd/ftpusers file looks like this:
    root
    bin
    adm
    nobody
- Example: to prevent a user named 'john' from using FTP to log in, add "john" to the end of /etc/vsftpd/ftpusers.

/etc/vsftpd/user_list
- This file is used to deny as well as permit access, depending on the value of the userlist_deny directive in /etc/vsftpd/vsftpd.conf.
- For example, if /etc/vsftpd/vsftpd.conf contains userlist_deny=NO, vsftpd allows FTP access to the users listed in /etc/vsftpd/user_list.
- If userlist_deny=YES, the users listed in /etc/vsftpd/user_list are not permitted to log in via FTP.

/etc/vsftpd/vsftpd.conf
- Main configuration file for FTP.
- Each line in this file is either a comment (#) or a directive.
- It contains many options and their corresponding values.

Options
anonymous_enable=NO/YES
- Turns anonymous FTP access on or off.
- Unless you really need this, it's best to set this option to NO.
- It is safer to allow FTP downloads via web pages.
local_enable=NO/YES
- Activates or deactivates the ability of local system users to FTP to your server.
- Typical FTP servers will have this option set to YES.

write_enable=NO/YES
- Activates or deactivates FTP write ability.
- In most cases, you will want this set to YES.
xferlog_enable=YES
- Activates logging of uploads and downloads.
ftpd_banner=Our FTP service
- Not a critical option, but it allows you to customize the FTP greeting for your users.
userlist_enable=NO/YES
userlist_deny=NO/YES

connect_from_port_20=YES
- Makes the server's active-mode (PORT) data connections originate from port 20.
tcp_wrappers=YES
- Enables TCP Wrappers host access control for FTP.

Disabling anonymous FTP
There are two ways to do this:
1. Remove the ftp user from /etc/passwd and /etc/group:
    [root#] userdel -r ftp
   The -r option of userdel removes the files in ftp's home directory. userdel also removes the ftp user from /etc/group.
   The drawback of this method is that if one later decides to permit anonymous FTP again, the ftp user and group accounts must be recreated.

2. The more flexible way is to add ftp to /etc/vsftpd/user_list and set userlist_deny=YES and anonymous_enable=NO in /etc/vsftpd/vsftpd.conf.
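How ftpusers, user_list and the enable switches combine into one login decision, as an added example that is not part of the original slides. The function and variable names are hypothetical, and it assumes userlist_enable=YES is set for the second method, because vsftpd only reads user_list when that directive is enabled.

```python
ANON_NAMES = {"ftp", "anonymous"}  # login names vsftpd treats as anonymous

def enabled(conf, key, default):
    """True if a YES/NO directive (or its built-in default) is YES."""
    return conf.get(key, default).upper() == "YES"

def ftp_login_decision(user, conf, ftpusers, user_list):
    """Return (allowed, reason) for `user` under the rules on the slides."""
    # /etc/vsftpd/ftpusers is always a deny list.
    if user in ftpusers:
        return False, "listed in ftpusers"
    # /etc/vsftpd/user_list is only read when userlist_enable=YES.
    if enabled(conf, "userlist_enable", "NO"):
        listed = user in user_list
        if enabled(conf, "userlist_deny", "YES") and listed:
            return False, "listed in user_list and userlist_deny=YES"
        if not enabled(conf, "userlist_deny", "YES") and not listed:
            return False, "not in user_list and userlist_deny=NO"
    # Finally the account-type switches.
    if user in ANON_NAMES:
        if enabled(conf, "anonymous_enable", "YES"):
            return True, "anonymous login permitted"
        return False, "anonymous_enable=NO"
    if enabled(conf, "local_enable", "NO"):
        return True, "local login permitted"
    return False, "local_enable=NO"

# Constructed sample data: the default ftpusers entries from the slide plus
# john, and the second method for disabling anonymous FTP.
FTPUSERS = {"root", "bin", "adm", "nobody", "john"}
USER_LIST = {"ftp"}
CONF = {"userlist_enable": "YES", "userlist_deny": "YES",
        "anonymous_enable": "NO", "local_enable": "YES"}

if __name__ == "__main__":
    for name in ("root", "john", "ftp", "steve"):
        print(name, ftp_login_decision(name, CONF, FTPUSERS, USER_LIST))
```

With an empty configuration the built-in defaults apply, so anonymous logins are accepted and local users are refused until the directives are set explicitly.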

Advantages of FTP Server
- vsftpd can run via xinetd instead of as a standalone daemon.
- vsftpd also permits anonymous uploads.
- Guest users can also access FTP services by using its advanced features.
- vsftpd can run over SSL (Secure Sockets Layer) with the advanced features.

Running vsftpd from xinetd
1. Create a vsftpd file in the xinetd.d directory.
2. The file is as follows:
    service ftp
    {
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/vsftpd
        server_args = /etc/vsftpd/vsftpd.conf
        disable     = no
    }

3. Restart the xinetd service:
    [root#] service xinetd restart
4. Enable xinetd on boot:
    [root#] chkconfig xinetd on

Enabling anonymous uploads
- Allowing anonymous users to access and upload data via FTP is called anonymous uploads.
- Enabling anonymous uploads raises security risks, such as someone uploading a virus or trojan to the FTP server.

1. Edit /etc/vsftpd/vsftpd.conf:
    anon_upload_enable=YES
    write_enable=YES
2. Create a directory for anonymous uploads:
    [root#] mkdir /var/ftp/anondir
3. Give full permission to the directory:
    [root#] chmod 777 /var/ftp/anondir

4. Make the ftp user the group owner of /var/ftp/anondir:
    [root#] chgrp ftp /var/ftp/anondir
5. Restart vsftpd:
    [root#] service vsftpd restart
    [root#] chkconfig vsftpd on

Enabling guest user FTP accounts
- When an anonymous user is granted the privilege to log in to FTP with a suitable login name and password, that user is known as a guest user.
- A guest user is referred to as a virtual user in vsftpd.
- The main purpose of a guest user account is to provide broader privileges to an FTP user than anonymous FTP does.

1. Using useradd, create a guest user account:
    [root#] useradd -d /var/ftp/ftpdir -s /sbin/nologin tyit
   This command creates a user tyit with the home directory /var/ftp/ftpdir and a login shell of /sbin/nologin, which disables local login for that account.

2. Create a new file:
    [root#] cat > /var/ftp/ftpdir/demo.txt
    This is new file for ftp sharing
    ^D
   This command creates a simple text file.
   Change ownership:
    [root#] chown tyit:tyit /var/ftp/ftpdir/demo.txt
   This command changes the user and group ownership to tyit.

3. Create a file guestuser.txt with login names and passwords on alternating lines:
    john
    redhat
    steve
    redhat124
    jack
    redhat456

4. Create a Berkeley DB file from the text file:
    [root#] db_load -T -t hash -f guestuser.txt /etc/vsftpd/vsftpd_login.db
5. Create a PAM (Pluggable Authentication Modules) file (/etc/pam.)
6. Change the following entries in /etc/vsftpd/vsftpd.conf:
    local_enable=YES
    chroot_local_user=YES

7. Restart the vsftpd service:
    [root#] service vsftpd restart
8. Enable vsftpd on boot:
    [root#] chkconfig vsftpd on

9. Test the guest user login:
    $ ftp localhost
    Connected to localhost
    Please login with user and password.
    Name : john
    Password :
    Login successful.
    Remote system type is UNIX
    ftp> /var/ftp/ftpdir

Running vsftpd over SSL
- vsftpd supports SSL (Secure Sockets Layer), which protects the authentication information that would otherwise be passed in the form of clear text.
- To use SSL with vsftpd, one needs to set at least ssl_enable=YES in /etc/vsftpd/vsftpd.conf.

1. Add the following entries to /etc/vsftpd/vsftpd.conf:
    ssl_enable=YES
    allow_anon_ssl=YES
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES

2. In the directory certs, create a self-signed RSA certificate file:
    [root#] cd /usr/share/ssl/certs
    [root# certs] make democert.pem
3. Start or restart the vsftpd service:
    [root#] service vsftpd start
4. Enable vsftpd on boot:
    [root#] chkconfig vsftpd on
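A check of a vsftpd.conf against the points made in the anonymous-access, anonymous-upload and SSL sections above, as an added example that is not part of the original slides. The function names and both sample files are constructed for illustration, and the defaults table holds vsftpd's built-in values for the directives it inspects.

```python
import re

# vsftpd built-in defaults for the directives this check looks at.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "xferlog_enable": "NO",
            "ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES"}

def parse_vsftpd_conf(text):
    """Return (settings, bad_line_numbers); spaces around '=' are an error."""
    settings, bad = dict(DEFAULTS), []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = re.fullmatch(r"([a-z0-9_]+)=(\S(?:.*\S)?)", line)
        if match:
            settings[match.group(1)] = match.group(2)
        else:
            bad.append(number)  # directive keeps its default in this model
    return settings, bad

def audit(text):
    """Return the list of findings for one vsftpd.conf, in check order."""
    settings, bad = parse_vsftpd_conf(text)
    def on(key):
        return settings[key].upper() == "YES"
    findings = [f"line {n}: not in option=value form" for n in bad]
    if on("anonymous_enable"):
        findings.append("anonymous login enabled")
        if on("anon_upload_enable") and on("write_enable"):
            findings.append("anonymous uploads enabled")
    if not on("ssl_enable"):
        findings.append("SSL off: logins travel in clear text")
    elif not (on("force_local_logins_ssl") and on("force_local_data_ssl")):
        findings.append("SSL on but not forced for local logins and data")
    if not on("xferlog_enable"):
        findings.append("upload/download logging off")
    return findings

# Constructed samples, not taken from a real server.
WEAK = ("anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
        "xferlog_enable=YES\nssl_enable = YES\n")
HARDENED = ("anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
            "xferlog_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\n"
            "force_local_data_ssl=YES\n")

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```

The WEAK sample writes the SSL directive with spaces around the equals sign, a form the vsftpd.conf manual defines as an error, so the check reports both the malformed line and SSL as off.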

Using SFTP
- SFTP is an alternative to running vsftpd over SSL.
- The sftp server is part of OpenSSH (Secure Shell), which aims to provide secure client and server programs.
- It implements the server side of the file transfer.
- To configure SFTP, the OpenSSH-related packages need to be installed.

1. Check the OpenSSH installation:
    [root#] rpmquery -qa | grep openssh
   If it is not installed:
    [root#] rpm -ivh openssh*
2. Open the file /etc/ssh/sshd_config and find the line:
    Subsystem sftp /usr/libexec/openssh/sftp-server

3. On the client side, no further configuration is needed; simply run the sftp command for secure upload and download.
   Client command:
    $ sftp localhost
    Password :
    sftp> get file1
    sftp> put file1
   The user will have an sftp prompt and not an ftp prompt.