Managing FTP servers (212.2)
Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes configuring user access, and precautions to be taken if anonymous uploads are permitted.
Key Knowledge Areas
- Configuration files, tools and utilities for Pure-FTPd and vsftpd
- Awareness of ProFTPd
- Understanding of passive vs. active FTP connections
Terms and Utilities
- vsftpd.conf
- important Pure-FTPd command line options
FTP connection modes
FTP is a service that uses two ports for communication. Port 21 is used for the command port (also known as the control port) and port 20 for the data port. FTP has two modes, active and passive. They differ in the way the data connection is initiated: in active mode the client initiates the control connection and the server initiates the data connection, whereas in passive mode the client initiates both connections.
Active mode
In active mode the client starts an FTP session by initiating a control connection from an unprivileged port (>1023) to port 21 on the server. The client sends the server the IP address and port number on which it will listen for the data connection; usually this is the next port above the port used for the control connection on the client. The server sends an ACK to the client's command port and actively opens a data connection originating from port 20 to the client. The client sends back an ACK on the data connection.
Active mode example:
- The client opens up a command channel from client port 1050 to server port 21.
- The client sends PORT 1051 (1050 + 1) to the server and the server acknowledges on the command channel.
- The server opens up a data channel from server port 20 to client port 1051.
- The client acknowledges on the data channel.
Passive mode
In situations in which the client is behind a firewall and unable to accept incoming TCP connections, passive mode may be used. In passive mode the client starts an FTP session by initiating a control connection from an unprivileged port (>1023) to port 21 on the server. The client then sends a PASV command to the server and receives an IP address and port number in return: the server replies with PORT XXXX, where XXXX is the unprivileged port on which the server listens and passively waits for the data connection. The client opens the data connection from the next port above its control connection's port to the port specified in the PORT reply on the server. The server sends back an ACK to the client on the data connection.
Passive mode example:
- The client opens up a command channel from client port 1050 to server port 21.
- The client sends the PASV command to the server on the command channel.
- The server sends back (on the command channel) PORT 1234 after starting to listen on that port.
- The client opens up a data channel from client port 1050 to server port 1234.
- The server acknowledges on the data channel.
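The two walk-throughs above both hinge on how an address and port are carried over the command channel. The following is an added example, not code from the original page: it encodes and decodes the h1,h2,h3,h4,p1,p2 field that the client's PORT command uses in active mode and that the server's 227 reply uses in passive mode (the text abbreviates that reply as "PORT XXXX"), and shows the check a careful client applies before opening the passive data connection. Addresses and ports in it are constructed sample values.

```python
from __future__ import annotations
import re

# Added illustration (not from the original page). Both FTP modes carry an
# endpoint as six decimal numbers: four address octets, then the port split
# as p1*256 + p2. PORT 192,0,2,10,4,27 therefore means 192.0.2.10:1051.
SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 field for a PORT command or a 227 reply."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_host_port(text: str) -> tuple[str, int]:
    """Extract (ip, port) from a PORT command line or a 227 reply line."""
    m = SIX_NUMBERS.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field value above 255 in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def passive_data_endpoint(reply: str, control_peer_ip: str) -> tuple[str, int]:
    """Decide where the client opens the passive data connection.

    The address inside the 227 reply is whatever the server believes its own
    address is; behind NAT that may be a private one. Reusing the peer address
    of the control connection instead (as most clients do) avoids that and
    also keeps a tampered reply from steering the data connection to a third
    host. The offered port must be unprivileged (>1023), as the text states.
    """
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    _advertised_ip, port = decode_host_port(reply)
    if port <= 1023:
        raise ValueError("server offered privileged data port %d" % port)
    return control_peer_ip, port


if __name__ == "__main__":
    # Active-mode step 2 of the walk-through: client listening on port 1051.
    print("PORT " + encode_host_port("192.0.2.10", 1051))
    # Passive-mode step 3: server listening on 1234, encoded as 4,210.
    print(passive_data_endpoint("227 Entering Passive Mode (10,0,0,5,4,210)", "198.51.100.20"))
```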
Enabling connections through a firewall
To enable passive FTP connections when iptables is used, the "ip_conntrack_ftp" module has to be loaded into the firewall and connections with the state "related" have to be allowed. The module inspects the PORT and PASV exchange on the control connection, which is what allows the data connection that follows to be matched as related to it.
vsftpd
vsftpd (very secure FTP daemon) is a very popular, versatile, fast and secure FTP server.
Example minimal configuration for anonymous up- and downloads
Create the ftp user:
Create the FTP directory:
Set up inetd to listen for FTP traffic and start vsftpd. Add the following line to /etc/inetd.conf:
Reload the inetd daemon.
An online HTML version of the manual page which lists all vsftpd config options can be found at: Manpage of vsftpd.conf.
When anonymous users should only be allowed to upload files, e.g. for sending files to remote support for analysis, make sure the incoming directory is owned by root, readable and writable by the owner, and writable but not readable by group members and others. This allows the anonymous user to write into the incoming directory but not to read or change what is already in it.
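As an added check for the upload-only layout just described (example code, not from the original page), the function below inspects an incoming directory and reports every deviation: wrong owner, owner lacking read or write, or group/others able to read. It also verifies the execute bit for group and others, which is assumed here because a process must be able to enter a directory to create a file in it; mode 0733 satisfies all of these. The demo creates a throwaway directory and compares against the current uid so it also runs unprivileged.

```python
from __future__ import annotations
import os
import stat
import tempfile

# Added example (not from the original page): audit an anonymous-upload
# directory against the layout described in the text. Owner is expected to be
# root (uid 0) unless the caller passes another uid.
EXPECTED_OWNER_UID = 0


def anon_incoming_problems(path: str, expect_uid: int = EXPECTED_OWNER_UID) -> list[str]:
    """Return the deviations from the intended upload-only layout ([] if none)."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    problems = []
    if st.st_uid != expect_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, expect_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRUSR | stat.S_IWUSR) != (stat.S_IRUSR | stat.S_IWUSR):
        problems.append("owner lacks read and/or write permission")
    for who, rbit, wbit, xbit in (("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
                                  ("others", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)):
        if mode & rbit:        # readable => uploads can be listed and fetched back
            problems.append("%s can read (list) the directory" % who)
        if not mode & wbit:    # not writable => anonymous upload cannot succeed
            problems.append("%s cannot write into the directory" % who)
        if not mode & xbit:    # assumed requirement: x is needed to enter the dir
            problems.append("%s cannot enter the directory" % who)
    return problems


def demo() -> dict[str, list[str]]:
    """Try two modes on a constructed temporary directory; map mode -> problems."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        incoming = os.path.join(base, "incoming")
        os.mkdir(incoming)
        for mode in (0o733, 0o755):
            os.chmod(incoming, mode)
            results["%04o" % mode] = anon_incoming_problems(incoming, os.getuid())
    return results


if __name__ == "__main__":
    for mode, problems in demo().items():
        print(mode, "OK" if not problems else "; ".join(problems))
```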
Pure-FTPd
Pure-FTPd is a highly flexible, secure and fast FTP server.
Configuration
Unlike many daemons, Pure-FTPd doesn't read any configuration file (except for LDAP and SQL when used). Instead, it uses command-line options. For convenience a wrapper is provided which reads a configuration file and starts Pure-FTPd with the right command-line options.
Specific configuration options of pure-ftpd can be found at: Pure-FTPd Configuration file.
Important command line options
If you want to listen for an incoming connection on a non-standard port, just append -S and the port number:
If your system has many IP addresses and you want the FTP server to be reachable on only one of these addresses, let's say 192.168.0.42, just use the following command:
Note
The port number 21 can be left out, since this is the default port.
To limit the number of simultaneous connections use the -c option:
Example minimal configuration for anonymous up- and downloads
Create the ftp user:
Create the ftp directory structure with the correct permissions:
Change ownership:
Set up inetd to listen for FTP traffic and start pure-ftpd. Add the following line to /etc/inetd.conf:
Reload the inetd daemon.
Other FTP servers
There are numerous FTP servers available and in use on Linux systems. Some alternatives to the servers mentioned above are: wu-ftpd and ProFTPd.
ProFTPd
ProFTPd - Professional configurable, secure file transfer protocol server.
proftpd is the Professional File Transfer Protocol (FTP) server daemon. The server may be invoked by the Internet "super-server" inetd(8) each time a connection to the FTP service is made, or alternatively it can be run as a standalone daemon.
When proftpd is run in standalone mode and it receives a SIGHUP, it will reread its configuration file. When run in standalone mode without the -n option, the main proftpd daemon writes its process ID to /var/run/run/proftpd.pid to make it easy to know which process to SIGHUP.
See the man page of proftpd for detailed information on this FTP server. Detailed information can also be found at: The ProFTPd Project.