Thursday, June 30, 2016

TELNET

                      # Telnet is used for remote login



SERVER


CLIENT
yum install telnet-*
No need telnet service’s
/etc/xinet.d/
telnet – is tool / utility / command
telnet  - edite & disable
telnet < server ip>
service xinetd reload
telnet 192.168.1.14
netstat -tulnp | grep -i 23  ---check port
no need to open 23 port
netstat –an | grep –i 23 ---check port
telnet 192.168.1.14 – used random port (Non-priviliged parts – above 1024 port
used) 1 to 1023 ---priviliged port
netstat –vatnp | grep –I 23 ---check port
Check PID  /   Port
Total Ports no - 65535
1024 to 65535 is called non priviliged
by default root login disabled in telnet
telnet 192.168.1.14
telnet – check port / remote login
Login – Champu – User through login
If you want root used
su - root
telnet is not secure
ssh is used for remote login
ssh – secure socket host


Telnet VS ssh
# Telnet – telnet transfer the ip packet in clear text mode

# ssh – Secure socket host
            ssh is transfer the ip packet in encryption  mode
            [ Public license key + Private key ]

---------------------------------------------------------------------------------------------------------------------

TELNET

[root@Localhost ~]# yum install -y telnet-* 

[root@Localhost ~]# rpm -qa | grep telnet  --- check Telnet Package 
telnet-0.17-48.el6.x86_64
telnet-server-0.17-48.el6.x86_64
---------------------------------------------------------------------------------------------------------------------
[root@Localhost xinetd.d]# cd /etc/xinetd.d   -- telnet is base service of xinetd
[root@Localhost xinetd.d]# ls
chargen-dgram   daytime-stream  echo-dgram   swat           time-dgram
chargen-stream  discard-dgram   echo-stream  tcpmux-server  time-stream
daytime-dgram   discard-stream  rsync        telnet
---------------------------------------------------------------------------------------------------------------------
[root@Localhost xinetd.d]# vim telnet   --- edit telnet file & disable telnet service

service telnet
{
        flags                    = REUSE
        socket_type         = stream
        wait                     = no
        user                     = root
        server                  = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no     --------------------- type “no” for disable service
}
---------------------------------------------------------------------------------------------------------------------
[root@Localhost xinetd.d]# service xinetd reload   ----   reload xinetd service
Reloading configuration:                                   [  OK  ]
---------------------------------------------------------------------------------------------------------------------
[root@Localhost xinetd.d]#  netstat -tulnp | grep -i 23  -- check telnet port

[root@Localhost xinetd.d]# netstat -an | grep -i 23
tcp        0      0 :::23                       :::*                        LISTEN      9876/xinetd    

---------------------------------------------------------------------------------------------------------------------

FTP SERVER

FTP SERVER SIDE
FTP PORT ---- 21/22
FTP VS NFS
FTP VS Filesystem
Files ---- Client
NFS  ----  File sharing
FTP ---- TCP

Below Application Server Runs on FTP

Linux Application

1 --- - WUFTP
2  ---  VSFTP -----very secure file transfer protocols
3  ----  SFTP  ----- secure file tramnsfer protocols (very secure)
4  ----- PROFTP

Windows Application

1 ----FTP Server
---------------------------------------------------------------------------------------------------------------------

[root@Localhost /]# yum install vsftpd-*   ----Installed  FTP  Server
[root@Localhost /]# cd /var/ftp/  -----root path of ftp
[root@Localhost ftp]# ls
Pub  ----------------------------------------------public folder
---------------------------------------------------------------------------------------------------------------------
[root@Localhost home]#  rpm -qa | grep -i  vsftp   -------check package
vsftpd-2.2.2-14.el6.x86_64  ------installed package
---------------------------------------------------------------------------------------------------------------------[root@Localhost home]# rpm -ql vsftpd-2.2.2-14.el6.x86_64  -----check how many files installed 
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd ----------------------- imp 
/etc/vsftpd  ----------------------------------- imp
/etc/vsftpd/ftpusers-------------------------- black user
/etc/vsftpd/user_list  ------------------------ block user list
/etc/vsftpd/vsftpd.conf  -------------------- config file
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd  -----------------------------  main file (imp) root path (binary file)
/usr/share/doc/vsftpd-2.2.2/INSTALL
/usr/share/doc/vsftpd-2.2.2/LICENSE
/usr/share/doc/vsftpd-2.2.2/README
/usr/share/doc/vsftpd-2.2.2/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp  -----------------------------------------   FTP PATH
/var/ftp/pub  ------------------------------------   FTP Public folder Path
---------------------------------------------------------------------------------------------------------------------

[root@Localhost home]# rpm -qc vsftpd-2.2.2-14.el6.x86_64   ----check config file
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf    -------------------FTP Config file check
---------------------------------------------------------------------------------------------------------------------
[root@Localhost home]# rpm -qd vsftpd-2.2.2-14.el6.x86_64   ------check documentation files 
/usr/share/doc/vsftpd-2.2.2/AUDIT
/usr/share/doc/vsftpd-2.2.2/BENCHMARKS
/usr/share/doc/vsftpd-2.2.2/BUGS
/usr/share/doc/vsftpd-2.2.2/COPYING
/usr/share/doc/vsftpd-2.2.2/Changelog
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README.configuration
---------------------------------------------------------------------------------------------------------------------
[root@Localhost home]# rpm -qi vsftpd-2.2.2-14.el6.x86_64  ----Information of vsftp
Name        : vsftpd                       Relocations: (not relocatable)
Version     : 2.2.2                             Vendor: CentOS
Release     : 14.el6                        Build Date: Thu 23 Jul 2015 05:49:50 PM PDT
Install Date: Sun 24 Jan 2016 10:27:46 PM PST      Build Host: c6b8.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: vsftpd-2.2.2-14.el6.src.rpm
Size        : 339540                           License: GPLv2 with exceptions
Signature   : RSA/SHA1, Fri 24 Jul 2015 01:41:15 PM PDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://vsftpd.beasts.org/
Summary     : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from scratch.
---------------------------------------------------------------------------------------------------------------------
[root@Localhost home]# /etc/init.d//vsftpd restart  -----------ftp service start
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

[root@Localhost home]# chkconfig vsftpd on   ------on  service  permanently

Start server means to load binary to ram ------start process 
---------------------------------------------------------------------------------------------------------------------
Binary files are always important in Linux
---------------------------------------------------------------------------------------------------------------------
usage:   chkconfig [--list] [--type <type>] [name]
         chkconfig --add <name>
         chkconfig --del <name>
         chkconfig --override <name>
         chkconfig [--level <levels>] [--type <type>] <name> <on|off|reset|resetpriorities>


[root@Localhost home]# chkconfig --level 2345 vsftpd on   ------on  service  permanently 
-------------------------------------------------------------------------------------------------------------------- 
/var/ftp  -----------------------------------------   FTP ROOT PATH  --- IMP PATH
/var/ftp/pub  ------------------------------------   FTP Public folder Path
/usr/sbin/vsftpd  -----------------------------  main file (imp) root path  --this binary load in ram
---------------------------------------------------------------------------------------------------------------------   
                                                 TCP VS UDP
TCP  ------No Packet loss ,                    |  UDP ----packet loss
TCP-----SYN----ACK-----Finish           |  UDP ----send packet –it will not wait for ACK.
TCP ------ Connection oriented            |   UDP --- connection less       
TCP  ---slow ---Adv----no packet loss |  UDP  ----fast ----Disc. Adv. ----Packet loss


IP Packet ---Encapsulate ---(TCP | UDP)




---------------------------------------------------------------------------------------------------------------------     
                 
TCP ------FTP------HTTP------SSH

UDP-------DNS------NFS--------Voice Massager eq. skype, yahoo, gtalk ect.

how to check Linux port is open

[root@Localhost ftp]# nmap -sT -O localhost

root@Localhost ftp]# cat /etc/services | grep 21
ardusuni        1834/tcp                # ARDUS Unicast

[root@Localhost ftp]# netstat -anp | grep 21
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      14524/vsftpd
  
[root@Localhost ftp]# lsof -i | grep 21
clock-app  2405 root   21u  IPv4 398523      0t0  TCP 192.168.5.159:59062->182.19.89.106:http (CLOSE_WAIT)

To display the list of open ports, enter:

[root@Localhost ftp]# lsof -i
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       1888 root    3u  IPv4  13512      0t0  TCP *:ssh (LISTEN)
sshd       1888 root    4u  IPv6  13514      0t0  TCP *:ssh (LISTEN)
master     1968 root   12u  IPv4  13727      0t0  TCP localhost:smtp (LISTEN)
master     1968 root   13u  IPv6  13729      0t0  TCP localhost:smtp (LISTEN)
---------------------------------------------------------------------------------------------------------------------
root@Localhost ftp]# /usr/sbin/vsftpd --------  Absolute path  & we can start vsftpd from this path (IMP)

FTP  ------ 3 types of users
1)  anonymous  -------user name & password  –anonymous
2)  Local User  ------- ( VLU )   -----default users of FTP
3)  Virtual

( How to disable anonymous user )

Before edit vsftpd.config file capy : cp /etctvsftpd/vsftpd.conf vsftpd.conf.dafult

[root@Localhost ftp]#  vi /etc/vsftpd/vsftpd.conf  ------ config file of FTP

# Example config file /etc/vsftpd/vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=no   --------Disable anonymous user
#
# Uncomment this to allow local users to log in.
local_enable=YES   -----always yes
chroot_root_user=yes          
# Uncomment this to enable any form of FTP write command.
write_enable=YES ----- to enble / disable upload
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022  ----- default permission
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES   ---enble ftp logs
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES   ----port no 
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog   ----- ftp logs path
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES   ------ logs enble
#
# You may fully customise the login banner string:
# ftpd_banner=Welcome to blah FTP service.    ------FTP Banner
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES  -----add this entry for local user
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
#user_list_deny=yes  -- add this tag
write_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

 ---------------------------------------------------------------------------------------------------------------------
# Uncomment this to allow local users to log in.
local_enable=YES
chroot_local_usr=yes

 --------------------------------------------------------------------------------------------------------------------- 
[root@Localhost home]# /etc/init.d//vsftpd restart --- Kill the service & load the binary

[root@Localhost home]# /etc/init.d//vsftpd reload ---  reload the serive

[root@Localhost home]# systemctl start vsftpd  ---  start the serive 

---------------------------------------------------------------------------------------------------------------------
[root@ ftp]# cp -rv abc data /home/tushar/ ---- copy from ftp folder to user tushar home dir.
`abc' -> `/home/tushar/abc'
`data' -> `/home/tushar/data'
---------------------------------------------------------------------------------------------------------------------
 Anonymous user enable --open without id & passwd but background used anonymous id & passwd

---------------------------------------------------------------------------------------------------------------------
Permission
Chroot   -----change path to “ / “ 
/home/champu   (chroot) (gail)
FTP user   --------(chroot)
HUP signal
Kill –HUP < pid no >
Kill –i  5275

BLOCK FTP USER
# cd /etc/vsftped  ---- go to vsftped folder
# vi ftpusers ------ edit and add user name to block user
# user_list  -------  user block   ----  Condition based
---------------------------------------------------------------------------------------------------------------------
# mkdir  /data
# cd /data
# dump 5GB data in data files
# useradd –d /data ftpuser
# passwd ftpuser
# ******

Tow Types of FTP
Activte and Passive FTP
# Linux by default passive ftp

---------------------------------------------------------------------------------------------------------------------
FTP Client

Browser   ------windows and linux
Gftp   -------linux app   ( f2  ---type name --- gftp)
ftp  and lftp  -------command line
filezilla  ------windows app
kasablanca

ftp :// < server ip >
ftp:// 192.168.1.14  ------server ip

Command line ftp server access
1)       ftp 
2)       Lftp

#ftp 192.168.1.14  -----server ip
#usernem and passed  ------ftp user name & password

#help  -----we can used help under the ftp console
#mget  abc ------download
#mput  abc ----- upload

Same as used  ----lftp



---------------------------------------------------------------------------------------------------------------------
Active FTP
The sequence of events for active FTP is:
1.     Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
2.     Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
3.     Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.
FTP active mode therefore transfers data in a counter intuitive way to the TCP standard, as it selects port 20 as it's source port (not a random high port that's greater than 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.
Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.
---------------------------------------------------------------------------------------------------------------------
Passive FTP
Passive FTP works differently:
1.     Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
2.     Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.

 ---------------------------------------------------------------------------------------------------------------------

Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
---------------------------------------------------------------------------------------------------------------------

Anonymous FTP

Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straight forward. VSFTPD can be configured to support user-based and or anonymous FTP in its configuration file which you'll see later.

Problems With FTP And Firewalls

FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.
Note: The Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.

Client Protected By A Firewall Problem
Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.
§  Solution
Table 15-1 shows the general rules you'll need to allow FTP clients through a firewall:
§  Solution
Table 15-2 Rules needed to allow FTP servers through a firewall.
Method
Source Address
Source Port
Destination Address
Destination Port
Connection Type
Allow incoming control connections to server
Control Channel
FTP client / network 2
High1
FTP server
21
New
FTP server
21
FTP client / network 2
High
Established3
Allow server to establish data channel to remote client
Active FTP
FTP server
20
FTP client / network 2
High
New
FTP client / network 2
High
FTP server
20
Established3
Passive FTP
FTP client / network 2
High
FTP server
High
New
FTP server
High
FTP client / network 2
High
Established 3