Wednesday, January 30, 2008

FTP server installation and introduction

Setting up an FTP server is very simple. The steps are as follows
-----------------------------------------------------------------

* Download the rpm.
* Install the rpm.
* Edit the .conf file.
* Start the ftp server.
* Test the connection.

Download the RPM
----------------

There are many ftp servers available for Linux. Most ftp servers do the same thing so the choice is really up to you. The ftp server that I like to use is vsftpd. The rpm is usually available from the installation discs or can be downloaded from rpmfind or just use google. vsftpd is used by many large companies as the ftp server of choice and is very secure (it's part of the name so it must be true, right?).

Install the ftp server.
-----------------------

First check to see if VSFTPD is already installed on your machine. This is easily done by using:

root@cartman> rpm -q vsftpd

The system will tell you if the server is installed or not. If you get this message 'package vsftpd is not installed' then you will need to install the ftp server.

First download the latest version of VSFTPD from your preferred mirror and save it to e.g. /tmp on the server. The ftp directory structure required for your repository is unlikely to exist yet so you will need to create the repository directories that you planned out above, for example:


root@cartman> mkdir -p /var/ftp/pub/9/updates/

(the -p flag tells mkdir to create the whole tree of directories as required).

To install/upgrade the ftp server run the following as root:

root@cartman>rpm -Uvh /tmp/vsftpd-1.1.3-8.i386.rpm

Note that one will want this rpm to be in a repository the server itself uses to yum update from in the long run. It is very likely to be in a primary distribution repository you mirror, but you may have to put it in a local/update repository you maintain yourself from some other source.

(You can of course use rpm -ivh vsftpd-1.1.3-8.i386.rpm to install the package if the package is not already installed. The flag -U is for upgrade and -i is for install. No big deal, they will both work if the package does not exist on your system, IMHO -U is just better practise. It is not a good idea to use rpm -i if a previous version of the package already exists on your system.)



Edit the vsftpd.conf file
-------------------------

After the ftp package has been installed you will need to edit the vsftpd.conf file. This is usually found at /etc/vsftpd/vsftpd.conf. If it is not here then just run:

jdip@cartman>rpm -ql vsftpd

and look in the list where the .conf file is. To edit the .conf file you can use kate, gedit, vi or any other text editor. This is the configuration file for the ftp server. You will need to be root to change the file:

root@cartman>vi /etc/vsftpd/vsftpd.conf

If your network is secure and behind a firewall then you can leave the following option in the .conf file. This option allows for anonymous ftp access to your server:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

You can also change the welcome message of the ftp server.

# You may fully customise the login banner string:
ftpd_banner=Welcome to yum FTP service.

If you want increased security for your ftp server then set the flag anonymous_enable=NO. This will force the user to log into the ftp server to get access to the packages. If you want to use this option then you will need to create a yum user on the server that can be used by the yum client to access the server. It is prudent to make users log into the ftp server, but if this is your private server then it may not be necessary.

Save the .conf file.

You will need to (re)start the service to activate the changes to the ftp server (see next section).


Start the server
----------------

If you installed VSFTPD from the rpm then VSFTPD can be started as a service:

root@cartman>service vsftpd restart

You should get this message:

Shutting down vsftpd: [ OK ] or [ FAILED ]
Starting vsftpd for vsftpd: [ OK ]

You will want your ftp server to start every time you start Linux so it is also prudent to run:

root@cartman>chkconfig vsftpd on
root@cartman>chkconfig --list vsftpd

You should get a message that looks like this:

vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Your ftp server will now start every time you start Linux on this machine. The ftp server is up and waiting for connections.



Testing the FTP server
----------------------

It is a good idea to test that the ftp server is working correctly. This is easily done by logging onto the ftp server:

jdip@cartman>ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Welcome to yum FTP service.
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

If you type ls at the prompt you will see that you are in the 'pub' directory. This is /var/ftp/pub. This path (and the full path of the repository you're setting up) are important to remember for when you use rsync to build the mirrors, for when you use yum-arch to "yummify" the repository (see below), and for setting up a local yum.conf for your local clients so that they can update from this ftp-based repository.

That is it. The ftp server is running and waiting for connections. Skip ahead to where it describes how to get and install yum and yummify the repository.

ALTERNATIVE STEP
----------------

#yum install vsftpd


CREATE FTP USER TO A DIRECTORY
-------------------------------

#useradd -d "directory name" user_name
#passwd user_name

COMMANDS
--------


[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart

[root@bigboy tmp]# chkconfig vsftpd on

root@u-bigboy:/tmp# sysv-rc-conf vsftpd on

Testing the Status of VSFTPD
------------------------------

[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#



FTP Security Issues
---------------------

FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.

The /etc/vsftpd.ftpusers File
-----------------------------

For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.


Anonymous Upload
-----------------

If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:

[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload

FTP Greeting Banner
-------------------

Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:

ftpd_banner=New Banner Here


Troubleshooting FTP
----------------------

You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.

The most common sources of day-to-day failures are incorrect usernames and passwords.

Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".

Tutorial
--------

FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.

FTP Users with Only Read Access to a Shared Directory
-----------------------------------------------------

In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:

1) Disable anonymous FTP. Set the anonymous_enable line in the vsftpd.conf file to NO like this (commenting the line out would leave anonymous access allowed by default):

# Allow anonymous FTP?
anonymous_enable=NO

2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:

# Uncomment this to allow local users to log in.
local_enable=YES

3) Start VSFTPD.

[root@bigboy tmp]# service vsftpd start

4) Create a user group and shared directory. In this case, use /home/ftp-docs and a user group name of ftp-users for the remote users:

[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs

5) Make the directory accessible to the ftp-users group.

[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs

6) Add users, and make their default directory /home/ftp-docs

[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4

7) Copy files to be downloaded by your users into the /home/ftp-docs directory

8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group

[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
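
A check for steps 5 to 8, added here as an example and not part of the original post: `chmod 740 /home/ftp-docs/*` does not touch dotfiles or files copied in later, so this lists anything under the share that drifts from the 750/740 layout. The function name `audit_share` and the sample tree are constructed for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# audit_share DIR GROUP
# Lists entries under DIR that break the read-only layout from steps 5 and 8:
#   MODE  lines: group-writable, or any permission bit set for "other"
#   GROUP lines: not owned by GROUP (name or numeric gid)
# Empty output means every entry matches. Requires GNU find (-perm /MODE, -printf).
audit_share() {
    {
        find "$1" -perm /027 -printf 'MODE %m %P\n'
        find "$1" ! -group "$2" -printf 'GROUP %g %P\n'
    } | LC_ALL=C sort
}

# Constructed sample tree standing in for /home/ftp-docs.
demo=$(mktemp -d)
chmod 750 "$demo"
touch "$demo/report.txt" "$demo/notes.txt" "$demo/.hidden"
chmod 740 "$demo/report.txt"   # set correctly, as in step 8
chmod 664 "$demo/notes.txt"    # copied in later with a permissive umask
chmod 644 "$demo/.hidden"      # dotfile: the "*" glob in step 8 skips it

# On the real server this would be: audit_share /home/ftp-docs ftp-users
audit_share "$demo" "$(id -g)"
```

Running it from cron and alerting on non-empty output catches files that were dropped into the share without repeating step 8.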

Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:

write_enable=NO

Remember, you must restart VSFTPD for the configuration file changes to take effect.
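
The settings covered on this page (anonymous_enable, write_enable, ftpd_banner) can be checked in one pass before restarting the service. This is an added example, not part of the original post; the function names, finding labels and sample config are constructed, and only the literal values YES and NO are handled.

```shell
#!/bin/sh
# Value of the last uncommented "OPTION=value" line in FILE (assumption: a
# later assignment overrides an earlier one).
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE prints a space-separated list of findings
# (labels are this example's own); empty output means nothing was flagged.
audit_vsftpd_conf() {
    conf=$1
    findings=""
    # vsftpd treats whitespace between the option, '=' and the value as an error.
    if grep -Eq '^[a-z_]+([[:space:]]+=|=[[:space:]])' "$conf"; then
        findings="$findings SPACE_AROUND_EQUALS"
    fi
    # Missing or commented out counts as allowed, per the comment in the
    # config file quoted earlier on this page.
    if [ "$(conf_value "$conf" anonymous_enable)" != "NO" ]; then
        findings="$findings ANONYMOUS_ALLOWED"
    fi
    if [ "$(conf_value "$conf" write_enable)" = "YES" ]; then
        findings="$findings WRITE_ENABLED"
    fi
    # No explicit banner means the server's default greeting is shown.
    if [ -z "$(conf_value "$conf" ftpd_banner)" ]; then
        findings="$findings DEFAULT_BANNER"
    fi
    echo "${findings# }"
}

# Constructed sample input: anonymous_enable is commented out, write_enable
# has spaces around '=', and the banner line is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#anonymous_enable=NO
local_enable=YES
write_enable = NO
#ftpd_banner=Welcome to example FTP service.
EOF

# On the real server this would be: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
audit_vsftpd_conf "$sample"
```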
