212.2. Securing FTP servers
Weight: 2
Description: Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
Key Knowledge Areas:
Configuration files, tools and utilities for Pure-FTPd and vsftpd
Awareness of ProFTPd
Understanding of passive vs. active FTP connections
Terms and Utilities:
vsftpd.conf
important Pure-FTPd command line options
What is FTP?
FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (FTP permits anonymous users to connect to a server). We must understand that FTP is insecure by default, because it transmits user credentials and data without encryption.
If we are planning to use FTP, consider configuring the FTP connection with SSL/TLS. Otherwise, it’s always better to use a secure FTP server such as Very Secure FTP (vsftpd).
FTP ports
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20!
Active FTP vs Passive FTP
Data is transferred across a separate data channel, but the port used varies depending on the FTP mode. Generally there are 2 modes for FTP:
Active mode
Passive mode (PASV)
Active Mode : In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20. This can cause problems if you are behind a firewall / NAT router!
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
Passive FTP : In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
Summary
The following chart should help admins remember how each FTP mode works:
Active FTP :
command : client >1023 -> server 21
data : client >1023 <- server 20
Passive FTP :
command : client >1023 -> server 21
data : client >1024 -> server >1023
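The data-channel endpoint in both modes is carried on the control connection, and decoding it shows which side has to accept an inbound connection. The following is an added example, not part of the original notes: it assumes the RFC 959 wire encoding h1,h2,h3,h4,p1,p2 (which the text above abbreviates as "PORT N+1" and "P"), and the function names and sample addresses are constructed for illustration.

```python
import re

# RFC 959 host-port notation: h1,h2,h3,h4,p1,p2 (six decimal byte values).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 field in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host-port field in %r" % text)
    b = [int(x) for x in m.groups()]
    if max(b) > 255:
        raise ValueError("value above 255 in %r" % text)
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ".".join(str(x) for x in b[:4]), b[4] * 256 + b[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection set up by a PORT command or a 227 reply."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line[5:])
        # Active mode: the server connects from its port 20 to the client.
        return "active: %s:20 -> %s:%d" % (server_ip, ip, port)
    if line.startswith("227"):
        ip, port = decode_hostport(line[3:])
        # Passive mode: the client connects to the port the server chose.
        return "passive: %s:>1023 -> %s:%d" % (client_ip, ip, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)

# Constructed control-channel lines (documentation addresses, not a capture).
SAMPLE = [
    "PORT 198,51,100,7,156,65",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(data_channel(s, "198.51.100.7", "192.0.2.10"))
```

The arrow in each result points at the host whose firewall must accept the inbound data connection: the client in active mode, the server in passive mode.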
Very Secure FTP (vsftpd)
vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems. Despite its name, vsftpd is not very secure and still doesn't encrypt the connection between the client and the server, but it is more secure than standard FTP and offers many security options in its configuration file.
Let's install vsftpd (on CentOS 7):
The initial configuration is okay, especially if we want to run it in our private network, so let's start the service:
Files Installed with vsftpd
There are some vsftpd configuration files inside the /etc/vsftpd directory:
/etc/vsftpd/user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd/user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd/ftpusers.
/etc/vsftpd/ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others.
This file is used by vsftpd pam module /etc/pam.d/vsftpd .
/etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file defines the requirements a user must meet to log in to the FTP server. (We talked about this previously in the PAM course.)
/etc/vsftpd/vsftpd.conf
The configuration file for vsftpd.
The most important directives are:
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames anonymous and ftp are accepted. The default value is YES.
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions. The default value is NO.
local_enable — When enabled, local users are allowed to log into the system. The default value is YES.
write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR. The default value is YES.
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
connect_from_port_20 — When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with fewer privileges, but may be incompatible with some FTP clients.
pam_service_name — Specifies the PAM service name for vsftpd. The default value is ftp. Note, in Fedora, the value is set to vsftpd. The default value is NO. Note, in Fedora, the value is set to YES.
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive. By default vsftpd displays its standard banner.
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second. The default value is 0, which does not limit the transfer rate.
tcp_wrappers — If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try to load the vsftpd configuration file specified in this variable. The default is set to YES.
local_root — Specifies the directory vsftpd changes to after a local user logs in. There is no default value for this directive.
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in. There is no default value for this directive.
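Several of the directives above only matter in combination (anonymous uploads need anonymous_enable, write_enable and anon_upload_enable together), and local_umask is silently misread without its leading 0. The following is an added example, not part of the original notes or of vsftpd: a small checker for those combinations. The function names, the sample files and the choice of what counts as a finding are assumptions made for illustration.

```python
def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text: key=value lines, '#' starts a comment line."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def is_on(cfg, key, default):
    return cfg.get(key, default).upper() == "YES"

def audit(cfg):
    """Return findings on anonymous write access and local_umask (assumed policy)."""
    findings = []
    # Unset anonymous_enable / write_enable count as YES, the defaults listed
    # above; this is also the conservative reading for an audit.
    anon_write = is_on(cfg, "anonymous_enable", "YES") and is_on(cfg, "write_enable", "YES")
    if anon_write and is_on(cfg, "anon_upload_enable", "NO"):
        if "anon_root" not in cfg:
            findings.append("anon upload: anon_root not set")
        if cfg.get("anon_max_rate", "0") == "0":
            findings.append("anon upload: anon_max_rate is 0 (unlimited)")
    if anon_write and is_on(cfg, "anon_mkdir_write_enable", "NO"):
        findings.append("anon users can create directories")
    umask = cfg.get("local_umask", "")
    if umask.isdigit() and not umask.startswith("0"):
        # Without the 0 prefix the value is read as base 10.
        findings.append("local_umask=%s is decimal, i.e. octal %04o" % (umask, int(umask)))
    return findings

# Constructed sample configurations (not taken from a real server).
WEAK = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_umask=22
"""
CHECKED = """\
# anon_root and anon_max_rate values are sample values
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_root=/var/ftp
anon_max_rate=51200
local_umask=022
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("checked", CHECKED)):
        print(name, audit(parse_vsftpd_conf(text)))
```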
ftp client commands
The standard ftp program is the original ftp client. It comes standard with most Linux distributions. It first appeared in 4.2BSD, which was developed by the University of California, Berkeley.
Now let's take a quick look at the useful ftp client commands.
Establishing an FTP connection:
Most FTP server logins are password protected, so the server will ask us for a 'username' and a 'password'. (If you connect to a so-called anonymous FTP server, then try to use "anonymous" as the username and an empty password):
Listing directories with security settings:
Changing Directories:
Downloading files with FTP:
Before downloading a file, we should set the local FTP file download directory by using 'lcd' command:
If we don't specify the download directory, the file will be downloaded to the directory we were in when we started the FTP session.
Now, we can use the 'get' command to download a file; the usage is:
The file will be downloaded to the directory previously set with the 'lcd' command.
Uploading Files with FTP:
To upload several files we can use the mput command similar to the mget example from above:
Closing the FTP connection:
pureftpd
Pure-FTPd is a free (BSD license) FTP server with a strong focus on software security. It can be compiled and run on a variety of Unix-like operating systems; it is mostly used on Debian-based distros, however CentOS also has it in its repository.
You are probably thinking of the pure-ftpd configuration file:
pure-ftpd is not a configuration-file-based FTP server; try cat pure-ftpd.conf. The settings inside are for background service matters and are outside what we need to know for the LPIC2 exam.
pure-ftpd is driven by configuration that is done on the command line. There are some items which are configured by default when we start pure-ftpd as a service. We are going to take a look at those items and some additional items which are required for the LPIC2 exam.
Now let's start working with pure-ftpd. Use the pure-ftpd command line tool to start the pure-ftpd daemon:
-B starts pure-ftpd as a background service in daemon mode, -S is used to bind the FTP service to a specific host (if multiple servers exist) and a port, and -e enables anonymous access.
And check it out:
And some more useful pure-ftpd command switches:
pure-ftpd switch    Description
-c                  Total number of concurrent connections
-C                  Maximum number of concurrent connections from a host
-e                  Enable anonymous access
-E                  Disable anonymous access. Only authenticated users.
-M                  Allow anonymous users to create directories.
-I                  Change the maximum idle time in minutes (default=15)
As an example, let's disable anonymous access:
OK, if you'd like to see the full list:
Proftpd
ProFTPD is an open source FTP server and one of the most used, secure and reliable file transfer daemons on Unix environments, due to the simplicity of its configuration files, its speed and its easy setup (CentOS)
ProFTPD has its own configuration file, which looks like Apache configuration:
That is enough for the LPIC2 exam.
FTP Server Recommendations
If you want to run an FTP server at scale with many users: vsftpd
If you have just a few users and want a simple, secure FTP server: PureFTPd
If you want a server with the most flexible configuration options and external modules: ProFTPd