FTP (File Transfer Protocol) allows file transfers between hosts on a network without logging in to a shell on the remote host. The transfer is driven by a standard set of simple commands and is sent without encryption, credentials included, so FTP must only be used in a non-hostile environment. Tools like 'scp', which use the ssh protocol for encrypted file transfer, should be used in a hostile environment such as the Internet.
FTP Server
In order to configure a host as an FTP server the vsftpd package must be installed, configured through /etc/vsftpd/vsftpd.conf and enabled to start at boot.
# yum install vsftpd
# chkconfig vsftpd on
# /etc/init.d/vsftpd start
/etc/vsftpd/vsftpd.conf
This is the main configuration file and specifies the way the FTP server runs. The most important parameters that can be configured are the following:
anonymous_enable=YES
Allows FTP transfers using the anonymous user with password anonymous.
local_enable=YES
Local accounts are valid FTP accounts.
write_enable=YES
Enables write operations on FTP.
#anon_upload_enable=YES
Allows the anonymous user to upload files. This line is commented by default, so the anonymous user cannot upload files to the FTP server unless it is explicitly enabled.
#chroot_list_enable=YES
With chroot_local_user=YES, users who log in to the FTP server are confined to their home directory on the FTP server; chroot_list_enable=YES applies the chroot to a list of users instead of all local users. Disabled by default.
pam_service_name=vsftpd
Configures Pluggable Authentication Modules (PAM) security for FTP.
userlist_enable=YES
Prevents users such as root and the system users listed in /etc/vsftpd/user_list from logging in to the FTP server. It must always be activated!
tcp_wrappers=YES
Enables the access controls in /etc/hosts.allow and /etc/hosts.deny through tcp_wrappers.
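The parameters above interact: anonymous uploads need anonymous_enable, write_enable and anon_upload_enable all set to YES, and local logins are only safe together with userlist_enable=YES. The following audit script is an added example, not part of the original notes; it assumes the plain key=value syntax vsftpd uses, and the configuration it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a vsftpd.conf for the
# settings described above. It assumes the plain key=value syntax vsftpd uses
# and that the boolean values are written YES/NO (any case).

# Print the effective value of one key, upper-cased. The last uncommented
# occurrence wins, which is how vsftpd itself resolves duplicates; empty
# output means the key is not set.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep "^[[:space:]]*$2[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | tr '[:lower:]' '[:upper:]'
}

# Print one line per finding and return 1 if there is any; return 0 when the
# configuration matches the hardening points of these notes.
audit_vsftpd_conf() {
    conf="$1"
    anon=$(vsftpd_get "$conf" anonymous_enable)
    anon_up=$(vsftpd_get "$conf" anon_upload_enable)
    write=$(vsftpd_get "$conf" write_enable)
    local_en=$(vsftpd_get "$conf" local_enable)
    chroot=$(vsftpd_get "$conf" chroot_local_user)
    userlist=$(vsftpd_get "$conf" userlist_enable)
    wrappers=$(vsftpd_get "$conf" tcp_wrappers)
    findings=0
    # Anonymous uploads need all three switches; flag only the effective combination.
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$anon_up" = YES ]; then
        echo "RISK anonymous users can upload (anonymous_enable, write_enable and anon_upload_enable are all YES)"
        findings=$((findings + 1))
    fi
    if [ "$local_en" = YES ] && [ "$userlist" != YES ]; then
        echo "RISK userlist_enable is not YES: root and the accounts in user_list can log in over FTP"
        findings=$((findings + 1))
    fi
    if [ "$local_en" = YES ] && [ "$chroot" != YES ]; then
        echo "WARN local users are not confined to their home directory (chroot_local_user is not YES)"
        findings=$((findings + 1))
    fi
    if [ "$wrappers" != YES ]; then
        echo "WARN tcp_wrappers is not YES: /etc/hosts.allow and /etc/hosts.deny are ignored"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK no findings"
    [ "$findings" -eq 0 ]
}

# Demonstration on a constructed configuration: the anonymous read-only
# settings from these notes, plus anon_upload_enable switched on by mistake.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=NO
write_enable=YES
#anon_upload_enable=NO
anon_upload_enable=YES
userlist_enable=YES
tcp_wrappers=YES
EOF
audit_vsftpd_conf "$demo_dir/vsftpd.conf" || true
rm -rf "$demo_dir"
```

Run it against /etc/vsftpd/vsftpd.conf after every change; the exit status makes it usable from a cron job or a configuration-management check.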
FTP Security
Firewall
The FTP server listens on TCP port 21, so it must be open on the firewall.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
For an FTP server it is also required to load the iptables FTP connection-tracking module (nf_conntrack_ftp), which keeps track of FTP control connections and allows the related data connections. This configuration is applied in the /etc/sysconfig/iptables-config file:
IPTABLES_MODULES="nf_conntrack_ftp"
# /etc/init.d/iptables restart
SElinux
There are five booleans associated with making the FTP server work with SELinux in targeted mode:
# setsebool -P allow_ftpd_full_access 1
If this boolean is enabled ftpd runs in an SELinux context without any restriction.
# setsebool -P allow_ftpd_anon_write 1
Supports the writing of files to directories configured with the public_content_rw_t SELinux setting.
# setsebool -P allow_ftpd_use_cifs 1
Allows the use of files shared via CIFS on an FTP server.
# setsebool -P allow_ftpd_use_nfs 1
Allows the use of files shared via NFS on an FTP server.
# setsebool -P ftp_home_dir 1
Supports FTP read/write access to user home directories.
In addition, any directory that is going to be used for read-write FTP operations must be labelled with the 'public_content_rw_t' SELinux type in order to work correctly in SELinux targeted mode.
# chcon -R -t public_content_rw_t /var/ftp/pub
FTP anonymous server
In this section we are going to configure an FTP server on the rhel6 host and allow only anonymous logins. Only downloading data from the FTP server must be allowed; uploading must be forbidden.
# cat /etc/vsftpd/vsftpd.conf | grep -v ^#
anonymous_enable=YES
local_enable=NO
write_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Configure the firewall as defined in 'FTP Security'. If SELinux is running in targeted mode, the easy way applied in this case is to give the ftpd daemon full access in its SELinux context:
# setsebool -P allow_ftpd_full_access 1
Let's create a file in the root of the ftp directory /var/ftp/pub. This file will be downloaded by the anonymous user.
# dd if=/dev/zero of=/var/ftp/pub/file bs=1024 count=10000
And finally restart the ftp service. Make sure the service starts correctly by watching the logs in /var/log/messages.
# /etc/init.d/vsftpd restart
From another host, log in to the FTP server on rhel6 as the anonymous user using the FTP client 'lftp'. Download the file created previously and verify that uploading is forbidden.
node01> lftp 192.168.1.10
lftp 192.168.1.10:~> cd pub
cd ok, cwd=/pub
lftp 192.168.1.10:/pub> ls
-rw-r--r-- 1 0 0 10240000 Feb 22 20:36 file
lftp 192.168.1.10:/pub> get file
10240000 bytes transferred
By default the FTP client 'lftp' logs in as anonymous. From there the file has been downloaded correctly. Let's try to upload a file:
lftp 192.168.1.10:/pub> put anaconda-ks.cfg
put: Access failed: 550 Permission denied. (anaconda-ks.cfg)
Uploads are not allowed.
lftp 192.168.1.10:/> cd /var
cd: Access failed: 550 Failed to change directory. (/var)
Navigating outside the FTP root is not allowed.
Try to log in as a user other than anonymous and verify that only anonymous logins are permitted.
node01> lftp -u john
Password:
lftp john@:~> ls
ls: Not connected
The same happens if we try as root or other users: only anonymous logins are allowed.
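The manual checks above prove the policy at one moment; the xferlog enabled by xferlog_enable=YES and xferlog_std_format=YES lets you keep proving it. The scanner below is an added example, not part of the original notes: it assumes the standard xferlog line layout written by those settings (filenames without spaces), and the log lines it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: scan an xferlog written with
# xferlog_enable=YES and xferlog_std_format=YES (the settings in the
# configuration above) and flag transfers that an anonymous, download-only
# server should never record. It assumes the standard xferlog layout
#   Www Mmm dd hh:mm:ss yyyy xfer-secs host size file type flag direction mode user service auth uid status
# where direction is o (outgoing, a download) or i (incoming, an upload) and
# mode is a (anonymous) or r (real user), and filenames without spaces.
xferlog_anomalies() {
    awk '
        NF < 18 { next }                 # skip truncated or unrelated lines
        {
            host = $7; file = $9; direction = $12; mode = $13; user = $14
            if (mode == "a" && direction == "i")
                printf "ANON_UPLOAD %s %s\n", host, file
            else if (mode == "r")
                printf "REAL_USER_TRANSFER %s %s %s\n", host, user, file
        }' "$1"
}

# Count the anomalies in a log; a healthy anonymous-only server gives 0.
xferlog_anomaly_count() {
    xferlog_anomalies "$1" | awk 'END { print NR }'
}

# Demonstration on constructed log lines: one legitimate anonymous download,
# one anonymous upload and one transfer by a real account.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mon Feb 22 20:36:12 2021 1 192.168.1.20 10240000 /pub/file b _ o a lftp@ ftp 0 * c
Mon Feb 22 20:40:03 2021 1 192.168.1.20 21820 /pub/anaconda-ks.cfg b _ i a lftp@ ftp 0 * c
Tue Feb 23 20:06:41 2021 1 192.168.1.20 21820 /home/john/install.log b _ i r john ftp 0 * c
EOF
xferlog_anomalies "$demo_log"
rm -f "$demo_log"
```

Point it at /var/log/xferlog from cron; any output on the anonymous-only server means the configuration or the SELinux labels drifted from what was verified above.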
FTP non-anonymous server
In this case we are going to configure an FTP server on rhel6 that must allow logins for all system users except those listed in /etc/vsftpd/user_list. Download/upload must be allowed for these users.
# cat /etc/vsftpd/vsftpd.conf | grep -v ^#
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Configure the firewall as defined in 'FTP Security'. In this case we are going to configure ftpd to run confined by SELinux. This is not the easy way used in the previous example:
# setsebool -P allow_ftpd_full_access 0
# setsebool -P allow_ftpd_anon_write 1
# setsebool -P allow_ftpd_use_cifs 1
# setsebool -P allow_ftpd_use_nfs 1
# setsebool -P ftp_home_dir 1
Let's create a file in the home directory of 'john', /home/john. This file will be downloaded by user john.
# cp /var/ftp/pub/file /home/john
# chown john:john /home/john/file
And finally restart the ftp service. Make sure the service starts correctly by watching the logs in /var/log/messages.
# /etc/init.d/vsftpd restart
From another host, log in to the FTP server on rhel6 as user 'john' using the FTP client 'lftp'. Download the file created previously and verify that uploading is allowed in john's home directory.
node01> lftp -u john 192.168.1.10
Password:
lftp john@192.168.1.10:~> ls
-rw-r--r-- 1 1001 1001 10240000 Feb 22 22:08 file
lftp john@192.168.1.10:~> get file
10240000 bytes transferred
lftp john@192.168.1.10:~> put install.log
21820 bytes transferred
lftp john@192.168.1.10:~> ls
-rw-r--r-- 1 1001 1001 10240000 Feb 22 22:08 file
-rw-r--r-- 1 1001 1001 21820 Feb 23 20:06 install.log
lftp john@192.168.1.10:~> cd /var
lftp john@192.168.1.10:/var>
As can be seen, user 'john' can download/upload files in /home/john through FTP. But 'john' still has access to directories outside his home; in Lab1 we will configure the FTP server to chroot users into their home directory.
Users listed in /etc/vsftpd/user_list are not allowed to log in to the FTP server:
node01> lftp -u root 192.168.1.10
Password:
lftp root@192.168.1.10:~> dir
`ls' at 0 [Delaying before reconnect: 20]
...
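Because user_list is a deny list in this setup, the exposure is every system account that was left off it. The check below is an added example, not part of the original notes: it compares a passwd file against a user_list file, takes both paths and the uid threshold as parameters, and assumes RHEL 6's convention that system accounts have uid below 500 and vsftpd's default userlist_deny=YES; the files it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: list the system accounts in
# a passwd file that are missing from a vsftpd user_list file. With
# userlist_enable=YES and vsftpd's default userlist_deny=YES the list is a
# deny list, so every account printed here can still log in over FTP if its
# password is known. Paths and the uid threshold are parameters so the check
# can run against constructed copies; on RHEL 6 system accounts use uid < 500.
missing_from_user_list() {
    passwd_file="$1"; list_file="$2"; max_uid="${3:-500}"
    awk -F: -v max="$max_uid" -v list="$list_file" '
        # First file: the user_list; remember each non-comment, non-empty name.
        FILENAME == list { if ($0 !~ /^[[:space:]]*#/ && $0 != "") listed[$1] = 1; next }
        # Second file: passwd; print system accounts not covered by the list.
        $3 < max && !($1 in listed) { print $1 }
    ' "$list_file" "$passwd_file"
}

# Demonstration on constructed files: a trimmed passwd and a user_list that
# forgot the ftp and nobody accounts.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
john:x:1001:1001::/home/john:/bin/bash
EOF
cat > "$demo_dir/user_list" <<'EOF'
# vsftpd userlist
root
bin
daemon
EOF
missing_from_user_list "$demo_dir/passwd" "$demo_dir/user_list"
rm -rf "$demo_dir"
```

On the real server call it as missing_from_user_list /etc/passwd /etc/vsftpd/user_list and add every name it prints to user_list before restarting vsftpd.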
FTP Client
As seen in the previous sections, the lftp RPM can be used as an FTP client.
# yum install lftp
In order to log in as user 'john' on the FTP server 192.168.1.10:
lftp -u john 192.168.1.10
Password:
lftp john@192.168.1.10:~>
If no user is specified, the FTP login is done using the anonymous user.
In order to execute a remote command such as 'ls' on the FTP server:
lftp john@192.168.1.10:~> ls
-rw-r--r-- 1 1001 1001 10240000 Feb 22 22:08 file
-rw-r--r-- 1 1001 1001 21820 Feb 23 20:06 install.log
In order to execute a local command such as 'ls' on the FTP client:
lftp john@192.168.1.10:~> ! ls
file install.log install.log.syslog test
To download a file from the FTP server use the 'get' command:
lftp john@192.168.1.10:~> get file
10240000 bytes transferred
To upload a file from the FTP client to the FTP server use the 'put' command:
lftp john@192.168.1.10:~> put install.log
21820 bytes transferred
More info in 'man lftp'.