212.2. Securing FTP servers

Weight: 2
Description: Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
Key Knowledge Areas:
    Configuration files, tools and utilities for Pure-FTPd and vsftpd
    Awareness of ProFTPd
    Understanding of passive vs. active FTP connections
Terms and Utilities:
    vsftpd.conf
    important Pure-FTPd command line options

What is FTP?

FTP (File Transfer Protocol) is the traditional standard for transferring files between a server and clients over a network, and it is still widely used where no per-user authentication is needed (FTP permits anonymous users to connect to a server). Keep in mind that FTP is insecure by default: it transmits user credentials and data without encryption, so anyone on the path can read passwords and file contents.
If you plan to run FTP, wrap the connection in SSL/TLS (FTPS) wherever your clients support it. Beyond that, prefer a hardened implementation such as vsftpd (Very Secure FTP Daemon), but note that "very secure" refers to its privilege-separated code design, not to encrypted transport, which still has to be enabled explicitly.

FTP ports

FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20!

Active FTP vs Passive FTP

Data is transferred across a separate data channel, but the port used for it depends on the FTP mode in use. There are two modes:
    Active mode
    Passive mode (PASV)
Active Mode: In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 (encoded together with its own IP address) to the server. The server then connects back to the client's specified data port from its local data port, which is port 20. This causes problems when the client sits behind a firewall or NAT router, because the server's inbound data connection is blocked or addressed to a private IP!
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
    FTP server's port 21 from anywhere (Client initiates connection)
    FTP server's port 21 to ports > 1023 (Server responds to client's control port)
    FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
    FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
Passive FTP : In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
    FTP server's port 21 from anywhere (Client initiates connection)
    FTP server's port 21 to ports > 1023 (Server responds to client's control port)
    FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
    FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

Summary

The following chart should help admins remember how each FTP mode works:
    Active FTP:
    command : client >1023 -> server 21
    data    : client >1023 <- server 20
    Passive FTP:
    command : client >1023 -> server 21
    data    : client >1023 -> server >1023
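Both modes hinge on how the endpoint of the data connection is announced on the control channel. The Python below is an added example, not part of this page or of any FTP implementation: it decodes the PORT argument and the 227 (PASV) and 229 (EPSV) replies, computes the port from the p1,p2 pair, and applies the check a cautious passive-mode client makes before connecting, namely that the address announced in a PASV reply is the same host the control connection is talking to. The sample reply lines are constructed, modelled on the session output later on this page; the address 192.168.10.133 is only the page's example client address.

```python
"""
Added example (not from this page or any FTP implementation): decode the
address/port announcements exchanged on the FTP control channel and apply
the sanity check a cautious client makes before opening a data connection.
"""
import re

# A PORT argument or a 227 PASV reply carries h1,h2,h3,h4,p1,p2 and the
# port is p1 * 256 + p2 (RFC 959).  A 229 EPSV reply (RFC 2428) carries
# only the port, between the delimiters "(|||port|)".
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def decode_host_port(text):
    """(host, port) from a PORT argument or 227 reply; None if malformed."""
    m = _HOST_PORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def decode_epsv_port(text):
    """Port from a 229 'Entering Extended Passive Mode' reply; None if malformed."""
    m = _EPSV_PORT.search(text)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def encode_port_command(host, port):
    """Build the PORT command an active-mode client sends for its listening socket."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def data_endpoint(control_peer, reply):
    """
    Where a passive-mode client should connect after a PASV/EPSV reply,
    given the IP address the control connection is talking to.
    Raises ValueError for a malformed reply or one that points elsewhere.
    """
    code = reply[:3]
    if code == "229":
        port = decode_epsv_port(reply)
        if port is None:
            raise ValueError("malformed EPSV reply")
        return control_peer, port
    if code == "227":
        decoded = decode_host_port(reply)
        if decoded is None:
            raise ValueError("malformed PASV reply")
        host, port = decoded
        if host != control_peer:
            # Either a NAT that leaks an internal address (fix pasv_address in
            # vsftpd or -P in Pure-FTPd) or a server trying to bounce the
            # client to a third party.  Refuse rather than connect elsewhere.
            raise ValueError("PASV reply %s:%d does not match control peer %s"
                             % (host, port, control_peer))
        if port <= 1023:
            raise ValueError("PASV port %d is privileged" % port)
        return host, port
    raise ValueError("unexpected reply: " + reply)


# Constructed sample lines, modelled on the session output later on this page.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,10,133,231,58)."
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||59162|)."

if __name__ == "__main__":
    print(data_endpoint("192.168.10.133", SAMPLE_PASV))   # ('192.168.10.133', 59194)
    print(data_endpoint("192.168.10.133", SAMPLE_EPSV))   # ('192.168.10.133', 59162)
    print(encode_port_command("192.168.10.50", 49153))    # PORT 192,168,10,50,192,1
```

The host check is what makes the difference between a harmless NAT misconfiguration and being steered at a third party: a server can announce any address in a 227 reply, and a client that connects there blindly becomes a traffic source the server controls.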

Very Secure FTP (vsftpd)

vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems. Despite its name it does not encrypt the connection between client and server by default (TLS has to be switched on explicitly with ssl_enable and a certificate), but its privilege-separated design and the many security-related options in its configuration file make it a much safer choice than a classic ftpd.
Let's install vsftpd (on CentOS 7):
[root@centos7-1 ~]# yum install vsftpd
The shipped configuration is a usable starting point, especially on a private network, but note that it allows anonymous logins and write commands for local users, so review it before exposing the service. Let's start the service:
[root@centos7-1 ~]# systemctl start vsftpd

[root@centos7-1 ~]# systemctl status vsftpd
● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-07-22 01:51:40 EDT; 5s ago
  Process: 17788 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 17790 (vsftpd)
    Tasks: 1
   Memory: 576.0K
   CGroup: /system.slice/vsftpd.service
           └─17790 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Jul 22 01:51:40 centos7-1 systemd[1]: Starting Vsftpd ftp daemon...
Jul 22 01:51:40 centos7-1 systemd[1]: Started Vsftpd ftp daemon.

Files Installed with vsftpd

The vsftpd configuration files live in the /etc/vsftpd directory:
[root@centos7-1 ~]# cd /etc/vsftpd/
[root@centos7-1 vsftpd]# ls -l
total 20
-rw-------. 1 root root  125 Aug  3  2017 ftpusers
-rw-------. 1 root root  361 Aug  3  2017 user_list
-rw-------. 1 root root 5030 Aug  3  2017 vsftpd.conf
-rwxr--r--. 1 root root  338 Aug  3  2017 vsftpd_conf_migrate.sh
    /etc/vsftpd/user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd/user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd/ftpusers, which PAM still checks afterwards.
[root@centos7-1 vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
    /etc/vsftpd/ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others.
[root@centos7-1 vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
This file is read by the pam_listfile module in /etc/pam.d/vsftpd, so unlike the user_list check it is applied only after the client has already sent a password.
    /etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file defines the requirements a user must meet to log in to the FTP server (PAM was covered earlier in the PAM section).
[root@centos7-1 ~]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
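Taken together, user_list, ftpusers and the PAM stack form a chain of checks that fire at different moments of a login. The following Python is an added example, not vsftpd code, that models that order for local-user logins so the difference is visible: a user_list hit is rejected on the USER command before any password is requested, while an ftpusers (pam_listfile) or pam_shells rejection happens only after the password has already crossed the network in cleartext. The sample configuration, user files and account shells are constructed; the model uses vsftpd's defaults for userlist_enable (NO) and userlist_deny (YES) and does not cover anonymous logins.

```python
"""
Added example (not vsftpd code): a simplified model of the order in which
vsftpd decides a local user's login, based on the files shown on this page.
"""


def parse_vsftpd_conf(text):
    """Collect key=value directives from a vsftpd.conf body, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_user_file(text):
    """Usernames from a user_list / ftpusers style file (one per line, '#' comments)."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}


def login_decision(user, conf, user_list, ftpusers, user_shells, valid_shells):
    """
    Return one of:
      'denied-before-password'  rejected on USER, no password ever sent
      'denied-after-password'   rejected by PAM, password already on the wire
      'password-check'          reaches the password-auth stack for the real check
    """
    if conf.get("local_enable", "NO") != "YES":
        return "denied-before-password"
    # userlist_enable (compiled-in default NO, YES in the CentOS file) consults
    # user_list when USER arrives.  userlist_deny=YES (default) makes it a deny
    # list; userlist_deny=NO turns it into an allow list.
    if conf.get("userlist_enable", "NO") == "YES":
        listed = user in user_list
        deny_list = conf.get("userlist_deny", "YES") == "YES"
        if listed == deny_list:
            return "denied-before-password"
    # PAM stack: pam_listfile item=user sense=deny file=/etc/vsftpd/ftpusers ...
    if user in ftpusers:
        return "denied-after-password"
    # ... then pam_shells: the account's shell must appear in /etc/shells
    if user_shells.get(user) not in valid_shells:
        return "denied-after-password"
    return "password-check"


# Constructed sample inputs, modelled on the files shown above.
SAMPLE_CONF = "local_enable=YES\nuserlist_enable=YES\npam_service_name=vsftpd\n"
SAMPLE_CONF_ALLOW = "local_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
SAMPLE_USER_LIST = "# vsftpd userlist\nroot\nbin\ndaemon\nnobody\n"
SAMPLE_ALLOW_LIST = "# only these may log in\nuser1\nroot\n"
SAMPLE_FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\nnobody\n"
SAMPLE_SHELLS = {"root": "/bin/bash", "user1": "/bin/bash", "alice": "/bin/bash",
                 "backup": "/sbin/nologin"}
VALID_SHELLS = {"/bin/sh", "/bin/bash"}   # what /etc/shells would list


def decide(user, conf_text=SAMPLE_CONF, user_list_text=SAMPLE_USER_LIST):
    """Run the model against the sample files for one username."""
    return login_decision(user, parse_vsftpd_conf(conf_text),
                          parse_user_file(user_list_text), parse_user_file(SAMPLE_FTPUSERS),
                          SAMPLE_SHELLS, VALID_SHELLS)


if __name__ == "__main__":
    for name in ("root", "backup", "user1"):
        print(name, decide(name))
    for name in ("alice", "root", "user1"):
        print(name, decide(name, SAMPLE_CONF_ALLOW, SAMPLE_ALLOW_LIST))
```

The second run shows the trap mentioned above: with userlist_deny=NO, root is allowed past user_list but is still refused by ftpusers, and by then the root password has been sent over an unencrypted control channel.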
    /etc/vsftpd/vsftpd.conf
The configuration file for vsftpd.
[root@centos7-1 vsftpd]# cat vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
The most important ones are:
anonymous_enable — When enabled, anonymous users are allowed to log in; the usernames anonymous and ftp are accepted. The compiled-in default is YES, so simply commenting the line out does not disable anonymous access.
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions. The default value is NO. If you turn it on, keep the upload directory outside the download tree and writable but not readable by the ftp user, and leave anon_world_readable_only at its default of YES so one anonymous user cannot fetch what another has uploaded.
local_enable — When enabled, local users are allowed to log into the system. The compiled-in default is NO; the shipped configuration sets it to YES.
write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR. The compiled-in default is NO; the shipped configuration sets it to YES.
local_umask — Specifies the umask value for file creation by local users. The default is 077. The value is read as octal when it carries a "0" prefix; otherwise it is treated as a base-10 integer, which is rarely what you intend.
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions. The default value is NO.
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
connect_from_port_20 — When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with fewer privileges, but may be incompatible with some FTP clients.
pam_service_name — Specifies the PAM service name for vsftpd. The default value is ftp; the CentOS/Fedora configuration sets it to vsftpd, matching /etc/pam.d/vsftpd.
userlist_enable — When enabled, the file named by the userlist_file directive (/etc/vsftpd/user_list by default) is consulted as soon as the USER command arrives: with userlist_deny=YES (the default) the listed users are refused, with userlist_deny=NO only the listed users are accepted. Because the decision is made before the client is asked for a password, those users never send an unencrypted password over the network. The compiled-in default is NO; the CentOS/Fedora configuration sets it to YES.
ftpd_banner — When set, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive. By default vsftpd displays its standard banner, which reveals the software name and version.
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second. The default value is 0, which does not limit the transfer rate.
tcp_wrappers — If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections are fed through tcp_wrappers access control (/etc/hosts.allow and /etc/hosts.deny). There is also a mechanism for per-IP configuration: if tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, the vsftpd session tries to load the configuration file named in it. The compiled-in default is NO; the CentOS configuration sets it to YES.
local_root — Specifies the directory vsftpd changes to after a local user logs in. There is no default value for this directive.
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in. There is no default value for this directive.
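Because most of these directives are security switches, it pays to check a vsftpd.conf mechanically before exposing the server. The Python below is an added example, not part of vsftpd or of this page: it reads a configuration, fills in the compiled-in defaults from vsftpd.conf(5) for the directives it cares about (absent directives take their defaults, exactly as the daemon does), and reports the risky combinations discussed above plus a few closely related ones: world-readable anonymous uploads, uploads chowned to root, anonymous delete/rename, cleartext local logins (ssl_enable=NO), a writable chroot top level (allow_writeable_chroot=YES) and an unrestricted passive port range. The three sample configurations are constructed: the first mirrors the effective settings of the shipped file shown above, the second is a locked-down anonymous drop box, the third deliberately combines the weak settings.

```python
"""
Added example (not vsftpd code): audit a vsftpd.conf for the risky settings
discussed on this page.  Missing directives take vsftpd's compiled-in
defaults from vsftpd.conf(5), which is what the daemon itself does.
"""

DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
    "chown_uploads": "NO", "chown_username": "root",
    "chroot_local_user": "NO", "allow_writeable_chroot": "NO",
    "ssl_enable": "NO", "force_local_logins_ssl": "YES",
    "pasv_min_port": "0", "pasv_max_port": "0", "ls_recurse_enable": "NO",
}


def parse_vsftpd_conf(text):
    """key=value directives, comments and blank lines ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(text):
    """Return (severity, message) findings; severity is HIGH, MEDIUM or INFO."""
    c = dict(DEFAULTS)
    c.update(parse_vsftpd_conf(text))
    on = lambda key: c[key].upper() == "YES"
    findings = []
    # Anonymous write access only exists when the global write switch is on too.
    if on("anonymous_enable") and on("write_enable") and on("anon_upload_enable"):
        findings.append(("INFO", "anonymous uploads are enabled"))
        if not on("anon_world_readable_only"):
            findings.append(("HIGH", "anon_world_readable_only=NO: anonymous users can fetch each other's uploads"))
        if on("chown_uploads") and c["chown_username"] == "root":
            findings.append(("HIGH", "chown_uploads=YES with chown_username=root: uploads become root-owned"))
        if on("anon_other_write_enable"):
            findings.append(("HIGH", "anon_other_write_enable=YES: anonymous users can delete and rename files"))
        if on("anon_mkdir_write_enable"):
            findings.append(("MEDIUM", "anon_mkdir_write_enable=YES: anonymous users can create directories"))
    if on("local_enable"):
        if not on("ssl_enable"):
            findings.append(("HIGH", "ssl_enable=NO: local passwords and data cross the network in cleartext"))
        elif not on("force_local_logins_ssl"):
            findings.append(("MEDIUM", "force_local_logins_ssl=NO: cleartext logins are still accepted"))
        if not on("chroot_local_user"):
            findings.append(("MEDIUM", "chroot_local_user=NO: local users can browse the whole filesystem"))
        elif on("allow_writeable_chroot"):
            findings.append(("HIGH", "allow_writeable_chroot=YES: writable chroot top level, the case the config comment warns about"))
    if c["pasv_min_port"] == "0" and c["pasv_max_port"] == "0":
        findings.append(("MEDIUM", "no pasv_min_port/pasv_max_port: the firewall must open every port above 1023"))
    if on("ls_recurse_enable"):
        findings.append(("INFO", "ls_recurse_enable=YES: remote users can trigger expensive recursive listings"))
    return findings


def highs(text):
    """Only the HIGH findings, for a quick pass/fail."""
    return [msg for sev, msg in audit_vsftpd(text) if sev == "HIGH"]


# Constructed sample configurations (only the directives that matter here).
SHIPPED_CONF = "anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n" \
               "local_umask=022\n#anon_upload_enable=YES\nuserlist_enable=YES\n"
DROPBOX_CONF = """
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=YES
anon_umask=077
chown_uploads=YES
chown_username=ftpsecure
pasv_min_port=50000
pasv_max_port=50100
"""
WEAK_CONF = """
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chown_uploads=YES
chroot_local_user=YES
allow_writeable_chroot=YES
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_CONF), ("dropbox", DROPBOX_CONF), ("weak", WEAK_CONF)):
        print(name)
        for sev, msg in audit_vsftpd(text):
            print("  %-6s %s" % (sev, msg))
```

The drop-box configuration is the shape the objective asks for when anonymous uploads must be allowed: uploads land in a directory the ftp user can write but not read back, files are handed to a dedicated unprivileged owner rather than root, and the passive range is narrow enough to be expressed as a firewall rule.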

ftp client commands

The standard ftp program is the original ftp client. It comes standard with most Linux distributions. It first appeared in 4.2BSD, which was developed by the University of California, Berkeley.
[root@centos7-1 vsftpd]# yum search ftp | grep client
[root@centos7-1 vsftpd]# yum install ftp.x86_64
Now let's take a quick look at the most useful ftp client commands.

Establishing an FTP connection:

ftp example.com
ftp 192.168.10.133
Most FTP server logins are password protected, so the server asks for a username and a password; both travel in cleartext unless the session is protected by TLS. (If you connect to a so-called anonymous FTP server, use "anonymous" as the username with an empty password or your e-mail address.)
Name: user1
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Listing a directory (the listing shows the permissions, owner and group of each entry):

ftp> ls
229 Entering Extended Passive Mode (|||59162|).
150 Here comes the directory listing.
drwxrwxr-x    3 1001     1001           19 May 27 05:19 mail
226 Directory send OK.

Changing Directories:

ftp> cd /home
250 Directory successfully changed.

Downloading files with FTP:

Before downloading a file, we should set the local download directory with the 'lcd' command:
ftp> lcd /home/user1/
Local directory now /home/user1
If we don't specify the download directory, the file is downloaded to the directory we were in when we started the FTP session.
Now we can use the 'get' command to download a file:
ftp> get file
The file will be downloaded to the directory previously set with the 'lcd' command.

Uploading Files with FTP:

put file
To upload several files at once we can use mput, the counterpart of mget for downloads; both accept wildcards:
mput *.xls

Closing the FTP connection:

bye
exit
quit

Pure-FTPd

Pure-FTPd is a free (BSD-licensed) FTP server with a strong focus on software security. It can be compiled and run on a variety of Unix-like operating systems; it is most common on Debian-based distributions, and CentOS has a package for it as well (from EPEL). On Debian/Ubuntu:
# apt install pure-ftpd
Pure-FTPd does ship a configuration directory:
[root@centos7-2 ~]# cd /etc/pure-ftpd/
[root@centos7-2 pure-ftpd]# ls -l
total 24
-rw-r--r--. 1 root root 11567 Dec 23  2015 pure-ftpd.conf
-rw-r--r--. 1 root root  2009 Jul  8  2012 pureftpd-ldap.conf
-rw-r--r--. 1 root root  3445 Jul  9  2015 pureftpd-mysql.conf
-rw-r--r--. 1 root root  2966 Jul  9  2015 pureftpd-pgsql.conf
Unlike vsftpd, though, Pure-FTPd is not really a configuration-file driven server: have a look at pure-ftpd.conf and you will see that every setting in it corresponds to a command-line switch of the daemon, which is how the distribution's service unit starts it. The LDAP, MySQL and PostgreSQL back-end files are outside what the LPIC-2 exam requires.
What the exam does require are the command-line switches. Some of them are applied by default when pure-ftpd is started as a service; we will look at those and at a few more that matter for the exam.
Now let's start working with pure-ftpd. Run the daemon directly from the command line:
[root@centos7-2 pure-ftpd]# which pure-ftpd
/sbin/pure-ftpd

[root@centos7-2 pure-ftpd]# pure-ftpd -B -S localhost,21 -e
-B starts pure-ftpd in the background as a daemon, -S binds the service to a specific address (useful when the host has several) and port, and -e makes the server anonymous-only: it accepts anonymous logins and refuses everybody else, as the banner below confirms.
[root@centos7-2 pure-ftpd]# ps aux | grep pure-ftpd
root     15051  0.0  0.0 202480  1888 ?        Ss   03:12   0:00 pure-ftpd (SERVER)
root     15053  0.0  0.0 112660   972 pts/0    R+   03:12   0:00 grep --color=auto pure-ftpd
And check it out:
[root@centos7-2 pure-ftpd]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 03:23. Server port: 21.
220-Only anonymous FTP is allowed here
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): anonymous
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Some more useful pure-ftpd command-line switches:
    -c <n>   maximum number of concurrent connections in total
    -C <n>   maximum number of concurrent connections from one host
    -e       anonymous only: accept anonymous logins and nothing else
    -E       no anonymous: accept only authenticated users
    -M       allow anonymous users to create directories
    -I <n>   maximum idle time in minutes (default 15)
As an example, let's disable anonymous access:
[root@centos7-2 pure-ftpd]# killall pure-ftpd
[root@centos7-2 pure-ftpd]# ps aux | grep pure-ftpd
root     15872  0.0  0.0 112660   972 pts/0    R+   03:33   0:00 grep --color=auto pure-ftpd

[root@centos7-2 pure-ftpd]# pure-ftpd -B -S localhost,21 -E

[root@centos7-2 pure-ftpd]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 03:34. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): user
331 User user OK. Password required
Password:
230 OK. Current directory is /home/user
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
If you want to see the full list:
[root@centos7-2 pure-ftpd]# pure-ftpd -h
pure-ftpd v1.0.42 [privsep]

-0 --notruncate
-1 --logpid
-2 --certfile <opt>
-4 --ipv4only
-6 --ipv6only
-8 --fscharset <opt>
-9 --clientcharset <opt>
-A --chrooteveryone
-a --trustedgid <opt>
-b --brokenclientscompatibility
-B --daemonize
-C --maxclientsperip <opt>
-c --maxclientsnumber <opt>
-d --verboselog
-D --displaydotfiles
-e --anonymousonly
-E --noanonymous
-f --syslogfacility <opt>
-F --fortunesfile <opt>
-g --pidfile <opt>
-G --norename
-h --help
-H --dontresolve
-I --maxidletime <opt>
-i --anonymouscantupload
-j --createhomedir
-K --keepallfiles
-k --maxdiskusagepct <opt>
-l --login <opt>
-L --limitrecursion <opt>
-M --anonymouscancreatedirs
-m --maxload <opt>
-N --natmode
-n --quota <opt>
-o --uploadscript
-O --altlog <opt>
-p --passiveportrange <opt>
-P --forcepassiveip <opt>
-q --anonymousratio <opt>
-Q --userratio <opt>
-r --autorename
-R --nochmod
-s --antiwarez
-S --bind <opt>
-t --anonymousbandwidth <opt>
-T --userbandwidth <opt>
-U --umask <opt>
-u --minuid <opt>
-V --trustedip <opt>
-w --allowuserfxp
-W --allowanonymousfxp
-x --prohibitdotfileswrite
-X --prohibitdotfilesread
-y --peruserlimits <opt>
-Y --tls <opt>
-J --tlsciphersuite <opt>
-z --allowdotfiles
-Z --customerproof

ProFTPD

ProFTPD is an open source FTP server and one of the most widely used and reliable file transfer daemons on Unix systems, valued for its flexible, Apache-style configuration file and easy setup. On CentOS (with EPEL enabled):
[root@centos7-2 pure-ftpd]# yum install proftpd.x86_64
ProFTPD has its own configuration file, and it looks like an Apache configuration (directives plus <Directory>-style blocks):
[root@centos7-2 etc]# cat /etc/proftpd.conf
Awareness of this is enough for the LPIC-2 exam.

FTP Server Recommendations

    If you want to run a FTP server at scale with many users: vsftpd
    If you have just a few users and want a simple, secure FTP server: PureFTPd
    If you want a server with the most flexible configuration options and external modules: ProFTPd