Linux FTP Server Setup
This chapter shows you how to turn your Linux box into an FTP server using the VSFTP package; the RedHat software download site itself runs on VSFTP. With a Linux FTP server, users can easily share files across your network.
FTP Overview
File Transfer Protocol (FTP) is a common method of copying files between computer systems. Two TCP ports are used to do this:
FTP Control Channel – TCP Port 21
All commands you send, and the FTP server's responses to those commands, go over the control connection; any data sent back (such as "ls" directory listings or actual file contents in either direction) goes over the data connection.
FTP Data Channel – TCP Port 20
Used for all data sent between the client and server.
Active FTP
Active FTP works as follows:
- Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands, such as 'ls' and 'get', are sent over this connection.
- Whenever the client requests data over the control connection, the server initiates the data transfer connection back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port on the client.
- Thus the 'ls' listing that you asked for comes back over the "port 20 to high port" connection, not the port 21 control connection.
- FTP active mode data transfer therefore runs counter to the usual TCP convention: the server selects port 20 as its source port (not a random high port > 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection.
- Active FTP may fail in cases where the client is protected from the Internet by many-to-one NAT (masquerading), because the firewall will not know which of the many machines behind it should receive the return connection.
Passive FTP
Passive FTP works as follows:
- Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands, such as 'ls' and 'get', are sent over that connection.
- Whenever the client requests data over the control connection, the client initiates the data transfer connection to the server. The source port of these data transfer connections is always a high port on the client, and the destination port is a high port on the server.
- In passive FTP the server never makes an active attempt to connect to the client for FTP data transfers.
- Passive FTP works better for clients protected by a firewall, as the client always initiates the required connections.
Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall, because FTP uses a wide range of unpredictable TCP ports while firewalls are designed to limit traffic to predictable ones. There are ways to overcome this, as explained in the following sections.
Client Protected By A Firewall Problem
Typically firewalls don't let any incoming connections through at all, which frequently causes active FTP not to function. This type of FTP failure has the following symptom:
- The active FTP session appears to work when the client initiates the outbound connection to the server on port 21, but it hangs as soon as you do an "ls", a "dir" or a "get". This is because the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client).
Solutions
Here are the general firewall rules you’ll need to allow FTP clients through a firewall:
Client Protected by Firewall – Required Rules for FTP

Allow outgoing control connections to server:

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Control Channel | FTP client/network | High | FTP server** | 21 | New |
| Control Channel | FTP server** | 21 | FTP client/network | High | Established* |

Allow the client to establish data channels to remote server:

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Active FTP | FTP server** | 20 | FTP client/network | High | New |
| Active FTP | FTP client/network | High | FTP server** | 20 | Established* |
| Passive FTP | FTP client/network | High | FTP server** | High | New |
| Passive FTP | FTP server** | High | FTP client/network | High | Established* |
*Many home-based firewalls/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
** In some cases you may want to allow all Internet users access, not just a specific client, server or network.
Server Protected By A Firewall Problem
- Typically firewalls don't let any connections come in at all. When the FTP server sits behind such a firewall, the active FTP connection from the client doesn't appear to work at all.
Solutions
Here are the general firewall rules you'll need to allow FTP servers through a firewall:
Server Protected by Firewall – Required Rules for FTP

Allow incoming control connections to server:

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Control Channel | FTP client/network** | High | FTP server | 21 | New |
| Control Channel | FTP server | 21 | FTP client/network** | High | Established* |

Allow server to establish data channel to remote client:

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Active FTP | FTP server | 20 | FTP client/network** | High | New |
| Active FTP | FTP client/network** | High | FTP server | 20 | Established* |
| Passive FTP | FTP client/network** | High | FTP server | High | New |
| Passive FTP | FTP server | High | FTP client/network** | High | Established* |
*Many home-based firewalls/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
** In some cases you may want to allow all Internet users access, not just a specific client, server or network.
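The two tables above and the "hangs on ls" symptom can be checked mechanically. The script below is an added example, not part of the original article: it encodes the "New" rows of the tables as rules for a small deny-by-default, connection-tracking firewall (the footnote * case, where replies of an accepted connection pass automatically) and replays the connection attempts that an active and a passive FTP session make. The host names, the client's high ports (40001, 40002) and the passive server's data port (50000) are constructed sample values; "high" stands for any TCP port above 1023 and "any" for any port. It serves both the client-protected and the server-protected case, because both tables permit the same connection directions.

```python
"""Replay FTP active/passive sessions against the firewall rules from the
tables above (added example, not from the original article)."""

from dataclasses import dataclass
from typing import List, Tuple

CLIENT, SERVER = "ftp-client", "ftp-server"   # constructed host labels
HIGH = "high"   # any TCP port > 1023
ANY = "any"     # any TCP port at all


@dataclass(frozen=True)
class Rule:
    """One 'New' row of the tables: who may open a connection to whom."""
    src: str
    sport: object   # an int, HIGH or ANY
    dst: str
    dport: object


def _port_ok(pattern, port: int) -> bool:
    if pattern == ANY:
        return True
    if pattern == HIGH:
        return port > 1023
    return pattern == port


class StatefulFirewall:
    """Deny by default: a new TCP connection must match a rule; replies
    belonging to an accepted connection pass without their own rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.tracked = set()

    def open(self, src, sport, dst, dport) -> bool:
        for r in self.rules:
            if (r.src, r.dst) == (src, dst) and _port_ok(r.sport, sport) \
                    and _port_ok(r.dport, dport):
                self.tracked.add((src, sport, dst, dport))
                return True
        return False

    def reply(self, src, sport, dst, dport) -> bool:
        return (dst, dport, src, sport) in self.tracked


def session(mode: str) -> List[Tuple[str, str, int, str, int]]:
    """Connections each mode makes, in order. Port numbers are constructed:
    40001 control and 40002 data on the client, 50000 passive data port."""
    control = ("control: client -> server:21", CLIENT, 40001, SERVER, 21)
    if mode == "active":
        data = ("data: server:20 -> client:high", SERVER, 20, CLIENT, 40002)
    elif mode == "passive":
        data = ("data: client -> server:high", CLIENT, 40002, SERVER, 50000)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return [control, data]


def replay(mode: str, rules: List[Rule]) -> List[Tuple[str, bool]]:
    """Return (step, allowed) per connection. A blocked data channel after an
    accepted control channel is exactly the 'hangs on ls' symptom."""
    fw = StatefulFirewall(rules)
    result = []
    for name, src, sport, dst, dport in session(mode):
        ok = fw.open(src, sport, dst, dport) and fw.reply(dst, dport, src, sport)
        result.append((name, ok))
    return result


def transfers(mode: str, rules: List[Rule]) -> bool:
    return all(ok for _, ok in replay(mode, rules))


# A typical client-side firewall: anything outbound, nothing inbound.
OUTBOUND_ONLY = [Rule(CLIENT, HIGH, SERVER, ANY)]

# The 'New' rows of the tables. Footnote ** (any Internet address) only
# widens the address match and does not change the port logic.
TABLE_RULES = [
    Rule(CLIENT, HIGH, SERVER, 21),    # control channel
    Rule(SERVER, 20, CLIENT, HIGH),    # active data: server calls back
    Rule(CLIENT, HIGH, SERVER, HIGH),  # passive data: client connects out
]

if __name__ == "__main__":
    for label, rules in (("outbound-only", OUTBOUND_ONLY), ("table rules", TABLE_RULES)):
        for mode in ("active", "passive"):
            print(f"{label:14} {mode:8}", replay(mode, rules))
```

Running it shows the control connection succeeding and the active data connection failing under the outbound-only policy, passive succeeding under both, and active succeeding only once the port 20 call-back rule from the table is present.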
How To Download And Install The VSFTP Package
- As explained previously, RedHat software is installed using RPM packages. In version 8.0 of the operating system, the VSFTP RPM file is named:
vsftpd-1.1.0-1.i386.rpm
Downloading and installing RPMs isn't hard. If you need a refresher, the RPM chapter covers how to do this in detail.
- Now download the file to a directory such as /tmp and install it using the "rpm" command:
[root@bigboy tmp]# rpm -Uvh vsftpd-1.1.0-1.i386.rpm
Preparing… ########################################### [100%]
1:vsftpd ###########################################[100%]
[root@bigboy tmp]#
How To Get VSFTP Started
Starting and stopping VSFTP is controlled by xinetd via the /etc/xinetd.d/vsftpd file. VSFTP is deactivated by default, so you'll have to edit this file to start the program. Make sure the contents look like this; the disable attribute must be set to "no" for xinetd to accept connections.
service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    nice        = 10
}
You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init.d directory.
[root@aqua tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@aqua tmp]#
Naturally, to disable VSFTP once again, edit /etc/xinetd.d/vsftpd, set "disable" to "yes" and restart xinetd.
Testing To See If VSFTP Is Running
You can always test whether the VSFTP process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. The example below shows the expected output; there would be no output at all if VSFTP wasn't running.
[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#
What Is Anonymous FTP?
Anonymous FTP is used by web sites that need to exchange files with numerous unknown remote users. Common uses range from downloading software updates and MP3s to uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a user-specific username, anonymous FTP only requires a username of "anonymous" and your email address as the password. Once logged in to a VSFTP server, you'll automatically have access to only the default anonymous FTP directory /var/ftp and all its subdirectories.
As seen in the chapter on RPMs, using anonymous FTP as a remote user is fairly straightforward. VSFTP can be configured to support user-based and/or anonymous FTP in its configuration file.
The /etc/vsftpd.conf File
VSFTP only reads the contents of its /etc/vsftpd.conf configuration file when it starts, so you'll have to restart xinetd each time you edit the file in order for the changes to take effect.
This file uses a number of default settings you need to know. By default, VSFTP runs as an anonymous FTP server. Unless you want any remote user to log in to your default FTP directory using a username of "anonymous" and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable instruction can be commented out by using a "#" to disable this feature. You'll also want to simultaneously enable local users to log in by uncommenting the local_enable instruction.
By default VSFTP only allows anonymous FTP downloads to remote users, not uploads from them. Also by default, VSFTP doesn't allow remote users to create directories on your FTP server, and it logs FTP access to the /var/log/vsftpd.log log file.
The configuration file is fairly straightforward, as you can see in the snippet below. Remove/add the "#" at the beginning of the line to "activate/deactivate" the feature on each line.
# Allow anonymous FTP?
anonymous_enable=YES
…
…
# Uncomment this to allow local users to log in.
local_enable=YES
…
…
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
…
…
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
…
…
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
…
…
# Activate logging of uploads/downloads.
xferlog_enable=YES
…
…
# You may override where the log file goes if you like.
# The default is shown below.
#xferlog_file=/var/log/vsftpd.log
FTP Security Issues
The /etc/vsftpd.ftpusers File
For added security you may restrict FTP access for certain users by adding them to the list of users in this file. Do not delete entries from the default list; it is best only to add.
Anonymous Upload
If you want remote users to write data to your FTP server, it is recommended you create a write-only directory within /var/ftp/pub. This allows your users to upload, but not to read files uploaded by other users. Here are the commands to do this:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 733 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in /etc/vsftpd.conf to make it harder for malicious users to determine the type of system you have.
ftpd_banner=New Banner Here
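The /etc/vsftpd.conf settings and the security points above (anonymous access, the write_enable dependency of anonymous uploads, the write-only upload directory, transfer logging and the greeting banner) can be checked with a small audit script. The one below is an added example; it is neither from the original article nor from the vsftpd project. It assumes the key=value format with "#" comments shown in the snippet above, that a commented-out key is unset, and that an unset key takes vsftpd's compiled-in default as documented in vsftpd.conf(5): anonymous_enable defaults to YES, local_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable and xferlog_enable default to NO, and ftpd_banner has no default (the stock greeting names vsftpd). Because anonymous_enable defaults to YES, the check requires an explicit anonymous_enable=NO rather than treating a commented line as disabled. The two sample configurations are constructed: the first reproduces the active lines of the snippet above, the second a hardened variant.

```python
"""Audit a vsftpd.conf against the hardening points of this article
(added example; not part of the original page or the vsftpd project)."""

from typing import Dict, List

# Compiled-in defaults per vsftpd.conf(5), used when a key is absent or commented out.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "xferlog_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return the active key=value settings; blank and '#' lines are skipped.
    Whitespace around '=' is stripped, so 'ftpd_banner= Text' yields 'Text'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective(settings: Dict[str, str], key: str) -> str:
    """Value that vsftpd would actually use for a boolean key."""
    return settings.get(key, DEFAULTS.get(key, "")).upper()


def audit(text: str) -> List[str]:
    """Return one finding per deviation from the article's recommendations."""
    s = parse_vsftpd_conf(text)
    findings = []
    if effective(s, "anonymous_enable") == "YES":
        findings.append("anonymous logins are enabled (vsftpd default); "
                        "set anonymous_enable=NO unless you run a public archive")
    if effective(s, "local_enable") != "YES":
        findings.append("local_enable is not YES, so local users cannot log in")
    if effective(s, "anon_upload_enable") == "YES":
        if effective(s, "write_enable") != "YES":
            findings.append("anon_upload_enable=YES has no effect without write_enable=YES")
        else:
            findings.append("anonymous uploads are on; keep the upload directory "
                            "write-only (chmod 733) so uploads cannot be read back")
    if effective(s, "anon_mkdir_write_enable") == "YES":
        findings.append("anonymous users may create directories")
    if effective(s, "xferlog_enable") != "YES":
        findings.append("transfer logging is off; set xferlog_enable=YES")
    if not s.get("ftpd_banner"):
        findings.append("ftpd_banner is unset, so the greeting identifies the server software")
    return findings


# Constructed sample: the active lines of the snippet above, as shipped.
SHIPPED_CONF = """\
# Allow anonymous FTP?
anonymous_enable=YES
# Uncomment this to allow local users to log in.
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
"""

# Constructed sample: anonymous access off, logging on, banner changed.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
ftpd_banner=Authorized use only
"""

if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

The shipped snippet yields two findings (anonymous logins on, default banner), the hardened variant none; a file that turns on anon_upload_enable without write_enable is flagged with the dependency the snippet's own comment describes.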
Using SCP As A Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password, which leaves your user account vulnerable to anyone eavesdropping on the network connection. Secure Copy (SCP) provides encryption and can be considered as an alternative to FTP for trusted users. SCP, however, does not support anonymous services, a feature that FTP does.
Beginners Guide – Secure Network
Network Security
A secure network is vitally important for most organizations. While email viruses and denial-of-service (DoS) attacks may only cause us headaches on our home systems, for businesses these sorts of attacks can cripple a network for days, costing hundreds of millions each year in lost revenue, not to mention the damage to a company's credibility with its clients.
Building a secure network to prevent this type of malicious attack is usually of paramount importance for network administrators, and while most invest heavily in some form of security measures, vulnerabilities are often inadvertently left exposed. As we are always told, a network is only as secure as its weakest link.
Firewalls are the best place to begin when you are trying to develop a secure network. A firewall can be implemented in either hardware or software, or most commonly a combination of both. Firewalls are used to prevent unauthorized users from accessing private networks connected to the Internet, especially local intranets. All traffic entering or leaving the intranet passes through the firewall, which examines each message and blocks those that do not meet the specified criteria; packets that fail the security criteria are not allowed into the network.
Anti-virus software works in two ways. First, it acts similarly to a firewall by blocking anything that its signature database identifies as possibly malicious (viruses, Trojans, spyware, etc.). Second, it is used to detect and remove malware already present on a network system or workstation.
You can build your own firewall using Linux; there are many tutorials and white papers on how to build a simple yet powerful firewall from open source programs. Many companies start their security with a Linux server as their first line of defense.
One of the most overlooked aspects of a secure network is time synchronization. Network administrators either fail to realise the importance of synchronization between all devices on a network, or the synchronization simply doesn't work. Failing to synchronize a network is a common security issue. Not only can malicious users take advantage of computers running at different times, but if a network is struck by an attack, identifying and rectifying the problem can be near impossible if every device is running on a different time.
Even when a network administrator is aware of the importance of time synchronization, they often make a common security mistake when attempting to synchronize their network. Instead of investing in a dedicated time server that receives a secure source of UTC (Coordinated Universal Time) from outside their network, using atomic clock sources such as GPS, some network administrators opt for a shortcut and use a source of Internet time.
There are two major security issues in using the Internet as a time server. First, to allow the time code into the network, UDP port 123 has to be left open in the firewall. This can be taken advantage of by malicious users, who can use this open port as an entrance to the network. Second, the built-in security measure of the NTP time protocol, known as authentication, doesn't work across the Internet, which means that NTP has no guarantee the time signal is coming from where it is supposed to.
To ensure that you have a secure network, isn't it time you invested in an external dedicated NTP time server?