File Transfer Protocol (FTP)
The File Transfer Protocol is available on multiple platforms such as Windows, Linux and Unix. It makes uploading and downloading files easy, including large files.
Let's see how to configure the FTP server.
As a Linux administrator you should know:
- FTP stands for File Transfer Protocol.
- FTP does not require you to log in directly to the remote host.
- FTP transfers data without encryption.
- vsftpd is the only stand-alone FTP server distributed with RHEL 6.
- vsftpd stands for Very Secure FTP Daemon.
- vsftpd is a secure, fast and stable FTP server.
- vsftpd efficiently and securely handles large numbers of connections.
- You should use SFTP instead of FTP when transferring data over a public network like the Internet.
- Configuring anonymous-only download is an RHCE 6 exam objective.
CONFIGURE FTP SERVER ON RHEL6
The vsftpd package is required for the FTP server. Check whether the package is installed; if it is missing, install it first.
Configure the vsftpd service to start at boot.
The vsftpd service must be running; start it if it is stopped. Restart the vsftpd service whenever you change the configuration file.
The FTP server listens on port 21 by default. If you have configured a firewall, port 21 must be opened. Configuring the firewall for an FTP server is relatively simple; note that the rule below opens only the control connection, and FTP data connections use separate ports, so the FTP connection-tracking helper (nf_conntrack_ftp) must be loaded as well.
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
Create two normal user accounts for testing. Create a normal user:
Create another normal user:
That's all the configuration we need on the server right now.
Configure FTP client on RHEL 6
On RHEL 6 you will not be able to run the ftp command by default; you will get the following error:
-bash: ftp: command not found
The ftp package is required to run the ftp command. Install it if it is not installed.
Check connectivity with the FTP server.
Now try the ftp command again.
We have successfully connected to the FTP server.
LAB Exercises
- Configure anonymous-only download [RHCE 6 exam objective]
- Configure the FTP server to allow anonymous access, chrooted to /var/ftp
- Configure the FTP server to allow all local users except user vikram to FTP into the server
- Download/upload must be allowed for these users, and the users must be chrooted to their home directories
Configure anonymous-only download [RHCE 6 exam objective]
Go to the server system and open the main FTP configuration file, /etc/vsftpd/vsftpd.conf.
vsftpd.conf is the main configuration file of the FTP server and contains a lot of directives. Configuring anonymous-only download is relatively simple: the default vsftpd.conf already supports anonymous download, but it also allows access from local users.
All you need to do is disable the directive which allows locally configured users to log in with their accounts.
Comment out the following directive (local_enable=YES) and save the file.
Restart the vsftpd service.
When a user connects to the FTP server with the username anonymous, that user actually connects as a local user named ftp. RHEL 6 creates this account automatically with the following settings:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
With these settings, users cannot log in directly as the user named ftp (its shell is /sbin/nologin), so they must use anonymous as the username. Whenever an anonymous user logs in, he is taken to the ftp user's home directory, /var/ftp. If you want to change the default directory for anonymous logins, change the home directory of the local user named ftp. Create a 1000 KB test file in the root of the ftp directory, /var/ftp/pub; this file will be downloaded by the anonymous user.
# dd if=/dev/zero of=/var/ftp/pub/file bs=1024 count=1000
If you are running Linux without SELinux, that is all the configuration we need for this exercise. SELinux is listed in the RHCE 6 exam objectives, so if SELinux is enabled, also set the following file context on the directory:
# chcon -R -t public_content_t /var/ftp/pub/
In this exercise we are asked to configure anonymous download only, so we should be:
- Able to download as anonymous
- Unable to upload
- Unable to log in from any account other than anonymous
The most commonly used commands at the ftp prompt are:
- put: upload a file to the server
- get: download a file from the server
- mput: upload multiple files
- mget: download multiple files
- ?: list all available commands at the ftp prompt
- cd: change the remote directory
- lcd: change the local directory
Create a sample file.
Log in as anonymous again and try to upload it.
Try to log in as a normal user.
Restrict the anonymous user to the ftp directory.
To test this, log in as anonymous again.
Try to change to the parent directory.
Configure the FTP server to allow all local users except user vikram to FTP into the server
FTP non-anonymous server
In this exercise we will configure the FTP server to allow local users to log in to their home directories. Download/upload must be allowed for these users. Go to the server system and open the /etc/vsftpd/vsftpd.conf file.
Comment out anonymous_enable=YES, uncomment local_enable=YES and save the file.
Open the /etc/vsftpd/user_list file.
Users listed in /etc/vsftpd/user_list are not allowed to log in to the FTP server (this is enforced by userlist_enable=YES). Add user vikram to it. This file also has an entry for the root user, which is why root is denied FTP login. If you want to allow root to open an FTP session, just remove its entry from this file [enabling root for FTP sessions is not recommended under any circumstances; change at your own risk].
Configure SELinux to allow upload/download in users' home directories.
Restart the vsftpd service.
Log in as normal user sanjay and create an example_file.
Come back to the Linux client system and try to log in as user vikram.
Now try to log in as user sanjay.
Upload/download a file.
Log in again as a normal user and try to change to the parent directory.
It allows the user to navigate to the / directory, which is a serious security issue.
Configure FTP to chroot local users in their home directory
Go to the server and open the /etc/vsftpd/vsftpd.conf file. Uncomment the following directive and save the file:
chroot_local_user=YES
Restart the vsftpd service.
Come back to the Linux client system, log in as sanjay and try again to change directory to /.
Now the normal user will not be able to navigate outside the home directory.
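The two lab configurations above (anonymous-only download, and local users chrooted with the user_list deny list enforced) can be checked against a vsftpd.conf file with the following POSIX shell helper. It is an added example, not part of the original tutorial; it assumes a vsftpd.conf-style file and uses vsftpd's compiled-in defaults for directives that are unset.

```shell
#!/bin/sh
# Added audit helper (not part of the tutorial): read the effective value of a
# vsftpd.conf directive and check the two lab configurations described above.
# Assumes a vsftpd.conf-style file (one key=value per line, "#" comments, last
# occurrence wins); unset keys fall back to vsftpd's compiled-in defaults.

# vsftpd_get FILE KEY DEFAULT: print the effective value of KEY in FILE
vsftpd_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Lab 1, anonymous-only download: anonymous on, local logins off, no anonymous
# writes. Returns 0 on success, otherwise prints each offending directive and returns 1.
vsftpd_check_anon_only() {
    rc=0
    [ "$(vsftpd_get "$1" anonymous_enable YES)" = YES ] || { echo "anonymous_enable must be YES"; rc=1; }
    [ "$(vsftpd_get "$1" local_enable NO)" = NO ] || { echo "local_enable must be NO or commented out"; rc=1; }
    [ "$(vsftpd_get "$1" anon_upload_enable NO)" = NO ] || { echo "anon_upload_enable must be NO"; rc=1; }
    [ "$(vsftpd_get "$1" anon_mkdir_write_enable NO)" = NO ] || { echo "anon_mkdir_write_enable must be NO"; rc=1; }
    return $rc
}

# Lab 2, local users: anonymous off, local logins on with upload/download,
# chrooted to $HOME, and /etc/vsftpd/user_list enforced so vikram and root are denied.
vsftpd_check_local_chroot() {
    rc=0
    [ "$(vsftpd_get "$1" anonymous_enable YES)" = NO ] || { echo "anonymous_enable must be NO"; rc=1; }
    [ "$(vsftpd_get "$1" local_enable NO)" = YES ] || { echo "local_enable must be YES"; rc=1; }
    [ "$(vsftpd_get "$1" write_enable NO)" = YES ] || { echo "write_enable must be YES for uploads"; rc=1; }
    [ "$(vsftpd_get "$1" chroot_local_user NO)" = YES ] || { echo "chroot_local_user must be YES: users can browse /"; rc=1; }
    [ "$(vsftpd_get "$1" userlist_enable NO)" = YES ] || { echo "userlist_enable must be YES for user_list to deny logins"; rc=1; }
    return $rc
}

# Constructed sample: the stock file with local_enable still on, i.e. anonymous
# AND local logins are both allowed (the state before the first lab's edit).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
userlist_enable=YES
EOF
vsftpd_check_anon_only "$SAMPLE" || echo "anonymous-only check FAILED as expected"
rm -f "$SAMPLE"
```

Run it against /etc/vsftpd/vsftpd.conf on the server after each lab; a non-zero exit with the printed directive names tells you which edit from the exercise is still missing.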
Important directives of vsftpd.conf
anonymous_enable=YES : Enable anonymous login
local_enable=YES : Enable local users to log in with their regular password
chroot_local_user=YES : Restrict users to their home directory
write_enable=YES : Enable write operations on FTP
local_umask=022 : If write is enabled, permissions are based on the value of umask
#anon_upload_enable=YES : Enable anonymous users to upload files
#anon_mkdir_write_enable=YES : Allow anonymous users to create directories
ftpd_banner=Welcome to blah FTP service : Set the FTP banner
pam_service_name=vsftpd : Configures Pluggable Authentication Modules (PAM) security for FTP
userlist_enable=YES : Block users listed in /etc/vsftpd/user_list
tcp_wrappers=YES : Supports the use of access rules in /etc/hosts.allow and /etc/hosts.deny through TCP wrappers
SELinux booleans associated with the vsftpd daemon
There are five SELinux booleans associated with the vsftpd daemon (add -P to setsebool to make a change persist across reboots):
# setsebool allow_ftpd_full_access 1
vsftpd will run in an SELinux context without any restriction
# setsebool allow_ftpd_anon_write 1
Allows writing files to directories labelled with the public_content_rw_t SELinux type
# setsebool allow_ftpd_use_cifs 1
Allows the use of files shared via CIFS on an FTP server
# setsebool allow_ftpd_use_nfs 1
Allows the use of files shared via NFS on an FTP server
# setsebool ftp_home_directory 1
Allows FTP read/write access to user home directories
# chcon -R -t public_content_t /var/ftp/pub/
Any directory that is going to be used for read-only FTP operations must be labelled public_content_t
# chcon -R -t public_content_rw_t /var/pub/ftp
Any directory that is going to be used for read-write FTP operations must be labelled public_content_rw_t. Labels set with chcon are lost on a filesystem relabel; use semanage fcontext to make them persistent.