FTP SERVER
SIDE
FTP
PORT ---- 21/22
FTP
VS NFS
FTP
VS Filesystem
Files
---- Client
NFS ----
File sharing
FTP
---- TCP
Below
Application Server Runs on FTP
Linux
Application
1
--- - WUFTP
2 ---
VSFTP -----very secure file transfer protocols
3 ----
SFTP ----- secure file tramnsfer
protocols (very secure)
4 ----- PROFTP
Windows
Application
1
----FTP Server
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
/]# yum install vsftpd-* ----Installed FTP
Server
[root@Localhost
/]# cd /var/ftp/ -----root path of ftp
[root@Localhost
ftp]# ls
Pub
----------------------------------------------public folder
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# rpm -qa | grep -i vsftp -------check package
vsftpd-2.2.2-14.el6.x86_64 ------installed package
---------------------------------------------------------------------------------------------------------------------[root@Localhost
home]# rpm -ql
vsftpd-2.2.2-14.el6.x86_64 -----check how many files installed
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd
----------------------- imp
/etc/vsftpd ----------------------------------- imp
/etc/vsftpd/ftpusers--------------------------
black user
/etc/vsftpd/user_list ------------------------ block user list
/etc/vsftpd/vsftpd.conf -------------------- config file
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd ----------------------------- main file (imp) root path (binary file)
/usr/share/doc/vsftpd-2.2.2/INSTALL
/usr/share/doc/vsftpd-2.2.2/LICENSE
/usr/share/doc/vsftpd-2.2.2/README
/usr/share/doc/vsftpd-2.2.2/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp
----------------------------------------- FTP PATH
/var/ftp/pub ------------------------------------ FTP Public folder Path
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# rpm -qc
vsftpd-2.2.2-14.el6.x86_64 ----check config file
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf -------------------FTP Config file check
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# rpm -qd
vsftpd-2.2.2-14.el6.x86_64 ------check documentation files
/usr/share/doc/vsftpd-2.2.2/AUDIT
/usr/share/doc/vsftpd-2.2.2/BENCHMARKS
/usr/share/doc/vsftpd-2.2.2/BUGS
/usr/share/doc/vsftpd-2.2.2/COPYING
/usr/share/doc/vsftpd-2.2.2/Changelog
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README.configuration
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# rpm -qi
vsftpd-2.2.2-14.el6.x86_64 ----Information of vsftp
Name : vsftpd Relocations: (not
relocatable)
Version : 2.2.2 Vendor: CentOS
Release : 14.el6 Build Date: Thu 23 Jul
2015 05:49:50 PM PDT
Install
Date: Sun 24 Jan 2016 10:27:46 PM PST
Build Host: c6b8.bsys.dev.centos.org
Group : System Environment/Daemons Source RPM: vsftpd-2.2.2-14.el6.src.rpm
Size : 339540 License: GPLv2 with
exceptions
Signature : RSA/SHA1, Fri 24 Jul 2015 01:41:15 PM PDT,
Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem
<http://bugs.centos.org>
URL : http://vsftpd.beasts.org/
Summary : Very Secure Ftp Daemon
Description
:
vsftpd
is a Very Secure FTP daemon. It was written completely from scratch.
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# /etc/init.d//vsftpd restart -----------ftp service start
Shutting
down vsftpd: [ OK ]
Starting
vsftpd for vsftpd: [ OK ]
[root@Localhost
home]# chkconfig vsftpd on ------on
service permanently
Start server
means to load binary to ram ------start process
---------------------------------------------------------------------------------------------------------------------
Binary files are
always important in Linux
---------------------------------------------------------------------------------------------------------------------
usage: chkconfig [--list] [--type <type>]
[name]
chkconfig --add <name>
chkconfig --del <name>
chkconfig --override <name>
chkconfig [--level <levels>]
[--type <type>] <name> <on|off|reset|resetpriorities>
[root@Localhost
home]# chkconfig --level 2345 vsftpd
on ------on service
permanently
--------------------------------------------------------------------------------------------------------------------
/var/ftp
----------------------------------------- FTP ROOT PATH --- IMP PATH
/var/ftp/pub ------------------------------------ FTP Public folder Path
/usr/sbin/vsftpd ----------------------------- main file (imp) root path --this binary load in ram
---------------------------------------------------------------------------------------------------------------------
TCP VS UDP
TCP ------No Packet loss , | UDP ----packet loss
TCP-----SYN----ACK-----Finish |
UDP ----send packet –it will not wait for ACK.
TCP
------ Connection oriented
| UDP --- connection less
TCP ---slow ---Adv----no packet loss | UDP
----fast ----Disc. Adv. ----Packet loss
IP Packet
---Encapsulate ---(TCP | UDP)
---------------------------------------------------------------------------------------------------------------------
TCP
------FTP------HTTP------SSH
UDP-------DNS------NFS--------Voice
Massager eq. skype, yahoo, gtalk ect.
how to check
Linux port is open
[root@Localhost
ftp]# nmap -sT -O localhost
root@Localhost
ftp]# cat /etc/services | grep 21
ardusuni 1834/tcp # ARDUS Unicast
[root@Localhost
ftp]# netstat -anp | grep 21
tcp 0
0 0.0.0.0:21 0.0.0.0:* LISTEN 14524/vsftpd
[root@Localhost
ftp]# lsof -i | grep 21
clock-app 2405 root
21u IPv4 398523 0t0
TCP 192.168.5.159:59062->182.19.89.106:http (CLOSE_WAIT)
To display the list of open ports, enter:
[root@Localhost
ftp]# lsof -i
COMMAND PID USER
FD TYPE DEVICE SIZE/OFF NODE
NAME
sshd 1888 root 3u
IPv4 13512 0t0
TCP *:ssh (LISTEN)
sshd 1888 root 4u
IPv6 13514 0t0
TCP *:ssh (LISTEN)
master 1968 root
12u IPv4 13727
0t0 TCP localhost:smtp (LISTEN)
master 1968 root
13u IPv6 13729
0t0 TCP localhost:smtp (LISTEN)
---------------------------------------------------------------------------------------------------------------------
root@Localhost
ftp]# /usr/sbin/vsftpd -------- Absolute path
& we can start vsftpd from this path (IMP)
FTP ------ 3 types of users
1) anonymous
-------user name & password
–anonymous
2) Local User
------- ( VLU ) -----default
users of FTP
3) Virtual
( How to disable
anonymous user )
Before edit
vsftpd.config file capy : cp /etctvsftpd/vsftpd.conf vsftpd.conf.dafult
[root@Localhost
ftp]# vi /etc/vsftpd/vsftpd.conf
------ config file of FTP
#
Example config file /etc/vsftpd/vsftpd.conf
#
Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=no --------Disable anonymous user
#
#
Uncomment this to allow local users to log in.
local_enable=YES -----always yes
chroot_root_user=yes
#
Uncomment this to enable any form of FTP write command.
write_enable=YES
----- to enble / disable upload
#
#
Default umask for local users is 077. You may wish to change this to 022,
#
if your users expect that (022 is used by most other ftpd's)
local_umask=022 ----- default permission
#
#
Activate directory messages - messages given to remote users when they
#
go into a certain directory.
dirmessage_enable=YES
#
#
The target log file can be vsftpd_log_file or xferlog_file.
#
This depends on setting xferlog_std_format parameter
xferlog_enable=YES ---enble ftp logs
#
#
Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES ----port no
#
If you want, you can arrange for uploaded anonymous files to be owned by
#
a different user. Note! Using "root" for uploaded files is not
#
recommended!
#chown_uploads=YES
#chown_username=whoever
#
#
The name of log file when xferlog_enable=YES and xferlog_std_format=YES
#
WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog ----- ftp logs path
#
#
Switches between logging into vsftpd_log_file and xferlog_file files.
#
NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES ------ logs enble
#
#
You may fully customise the login banner string:
#
ftpd_banner=Welcome to blah FTP service. ------FTP Banner
#
#
You may specify a file of disallowed anonymous e-mail addresses. Apparently
#
useful for combatting certain DoS attacks.
#deny_email_enable=YES
#
(default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
#
You may specify an explicit list of local users to chroot() to their home
#
directory. If chroot_local_user is YES, then this list becomes a list of
#
users to NOT chroot().
chroot_local_user=YES -----add this entry for local user
#chroot_list_enable=YES
#
(default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
#
You may activate the "-R" option to the builtin ls. This is disabled
by
#
default to avoid remote users being able to cause excessive I/O on large
#
sites. However, some broken FTP clients such as "ncftp" and
"mirror" assume
#
the presence of the "-R" option, so there is a strong case for
enabling it.
#ls_recurse_enable=YES
#
#
When "listen" directive is enabled, vsftpd runs in standalone mode
and
#
listens on IPv4 sockets. This directive cannot be used in conjunction
#
with the listen_ipv6 directive.
listen=YES
#
#user_list_deny=yes -- add this tag
write_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
---------------------------------------------------------------------------------------------------------------------
#
Uncomment this to allow local users to log in.
local_enable=YES
chroot_local_usr=yes
---------------------------------------------------------------------------------------------------------------------
[root@Localhost
home]# /etc/init.d//vsftpd restart
--- Kill the service & load the binary
[root@Localhost
home]# /etc/init.d//vsftpd reload
--- reload the serive
[root@Localhost
home]# systemctl start vsftpd --- start the serive
---------------------------------------------------------------------------------------------------------------------
[root@
ftp]# cp -rv abc data /home/tushar/ ----
copy from ftp folder to user tushar home dir.
`abc'
-> `/home/tushar/abc'
`data'
-> `/home/tushar/data'
---------------------------------------------------------------------------------------------------------------------
Anonymous user enable --open without id
& passwd but background used anonymous id & passwd
---------------------------------------------------------------------------------------------------------------------
Permission
Chroot
-----change path to “ / “
/home/champu
(chroot) (gail)
FTP user
--------(chroot)
HUP signal
Kill –HUP < pid no >
Kill –i 5275
BLOCK
FTP USER
# cd /etc/vsftped
---- go to vsftped folder
# vi ftpusers
------ edit and add user name to block user
# user_list -------
user block ---- Condition based
---------------------------------------------------------------------------------------------------------------------
# mkdir /data
# cd /data
# dump 5GB
data in data files
# useradd –d
/data ftpuser
# passwd
ftpuser
# ******
Tow Types of FTP
Activte and Passive FTP
#
Linux by default passive ftp
---------------------------------------------------------------------------------------------------------------------
FTP Client
Browser ------windows and linux
Gftp -------linux app ( f2
---type name --- gftp)
ftp and lftp
-------command line
filezilla ------windows app
kasablanca
ftp :// < server ip >
ftp:// 192.168.1.14 ------server ip
Command line ftp server access
1) ftp
2) Lftp
#ftp 192.168.1.14 -----server ip
#usernem and passed ------ftp user name & password
#help -----we can used help under the ftp console
#mget abc ------download
#mput abc ----- upload
Same as used ----lftp
---------------------------------------------------------------------------------------------------------------------
Active FTP
The sequence of events for active FTP is:
1. Your client connects to
the FTP server by establishing an FTP control connection to port 21 of the
server. Your commands such as 'ls' and 'get' are sent over this connection.
2. Whenever the client
requests data over the control connection, the server initiates data transfer
connections back to the client. The source port of these data transfer
connections is always port 20 on the server, and the destination port is a high
port (greater than 1024) on the client.
3. Thus the ls listing that
you asked for comes back over the port 20 to high port connection, not the port
21 control connection.
FTP active mode therefore transfers data in a
counter intuitive way to the TCP standard, as it selects port 20 as it's source
port (not a random high port that's greater than 1024) and connects back to the
client on a random high port that has been pre-negotiated on the port 21
control connection.
Active FTP may fail in cases where the client is
protected from the Internet via many to one NAT (masquerading). This is because
the firewall will not know which of the many servers behind it should receive
the return connection.
---------------------------------------------------------------------------------------------------------------------
Passive FTP
Passive FTP works differently:
1. Your client connects to
the FTP server by establishing an FTP control connection to port 21 of the
server. Your commands such as ls and get are sent over that connection.
2. Whenever the client
requests data over the control connection, the client initiates the data
transfer connections to the server. The source port of these data transfer
connections is always a high port on the client with a destination port of a
high port on the server.
Passive FTP should be viewed as the server never
making an active attempt to connect to the client for FTP data transfers.
Because client always initiates the required connections, passive FTP works
better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux
defaults to passive, you'll probably have to accommodate both forms when
deciding upon a security policy for your FTP server.
---------------------------------------------------------------------------------------------------------------------
Regular FTP
By default, the
VSFTPD package allows regular Linux users to copy files to and from their home
directories with an FTP client using their Linux usernames and passwords as
their login credentials.
VSFTPD also has the
option of allowing this type of access to only a group of Linux users, enabling
you to restrict the addition of new files to your system to authorized
personnel.
The disadvantage of
regular FTP is that it isn't suitable for general download distribution of
software as everyone either has to get a unique Linux user account or has to
use a shared username and password. Anonymous FTP allows you to avoid this
difficulty.
---------------------------------------------------------------------------------------------------------------------
Anonymous FTP
Anonymous FTP is the
choice of Web sites that need to exchange files with numerous unknown remote
users. Common uses include downloading software updates and MP3s and uploading
diagnostic information for a technical support engineers' attention. Unlike
regular FTP where you login with a preconfigured Linux username and password,
anonymous FTP requires only a username of anonymous and your email address for
the password. Once logged in to a VSFTPD server, you automatically have access
to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD)
and all its subdirectories.
As seen in Chapter
6, "Installing
Linux Software", using anonymous FTP
as a remote user is fairly straight forward. VSFTPD can be configured to
support user-based and or anonymous FTP in its configuration file which you'll
see later.
Problems With FTP And Firewalls
FTP frequently fails
when the data has to pass through a firewall, because firewalls are designed to
limit data flows to predictable TCP ports and FTP uses a wide range of
unpredictable TCP ports. You have a choice of methods to overcome this.
Note: The Appendix
II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux
firewall to function with both active and passive FTP.
Client Protected By A Firewall Problem
Typically firewalls
don't allow any incoming connections at all, which frequently blocks active FTP
from functioning. With this type of FTP failure, the active FTP connection
appears to work when the client initiates an outbound connection to the server
on port 21. The connection then appears to hang, however, as soon as you use
the ls, dir, or get commands. The reason is that the firewall is blocking the
return connection from the server to the client (from port 20 on the server to
a high port on the client). If a firewall allows all outbound connections to
the Internet, then passive FTP clients behind a firewall will usually work
correctly as the clients initiate all the FTP connections.
§ Solution
Table 15-1 shows the
general rules you'll need to allow FTP clients through a firewall:
§ Solution
Table 15-2 Rules needed to allow FTP servers
through a firewall.
Method
|
Source Address
|
Source Port
|
Destination Address
|
Destination Port
|
Connection Type
|
Allow incoming control connections to server
|
Control Channel
|
FTP client / network 2
|
High1
|
FTP server
|
21
|
New
|
FTP server
|
21
|
FTP client / network 2
|
High
|
Established3
|
Allow server to establish data channel to remote client
|
Active FTP
|
FTP server
|
20
|
FTP client / network 2
|
High
|
New
|
FTP client / network 2
|
High
|
FTP server
|
20
|
Established3
|
Passive FTP
|
FTP client / network 2
|
High
|
FTP server
|
High
|
New
|
FTP server
|
High
|
FTP client / network 2
|
High
|
Established 3
|