File Transfer Protocol
File Transfer Protocol (FTP) is a common method of copying files between computer systems. Two TCP ports are used to do this:
FTP Control Channel - TCP Port 21. All commands you send, and the FTP server's responses to those commands, go over the control connection; any data sent back (such as 'ls' directory listings or actual file data in either direction) goes over the data connection.
FTP Data Channel - TCP Port 20. Used for all data sent between the client and server.
FTP Overview
Active FTP
Active FTP works as follows:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
Whenever the client requests data over the control connection, the server initiates the data transfer connection back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port on the client.
Thus the 'ls' listing that you asked for comes back over the "port 20 to high port" connection, not the port 21 control connection.
FTP active mode data transfer is therefore counterintuitive relative to normal TCP practice: the server selects port 20 as its source port (not a random high port above 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection.
Linux FTP Server Setup
Active FTP may fail when the client is protected from the Internet by many-to-one NAT (masquerading), because the firewall will not know which of the many hosts behind it should receive the return connection.
Passive FTP
Passive FTP works as follows:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over that connection. Whenever the client requests data over the control connection, the client initiates the data transfer connection to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Passive FTP works better for clients protected by a firewall, as the client always initiates the required connections.
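As an added illustration (not part of the original text) of how the data connection is pre-negotiated on the control channel in each mode, the following Python decodes the RFC 959 address/port encoding used by the client's PORT command and the server's 227 reply from a constructed control-channel transcript, and reports which side opens the data connection and to where. The sample session lines are constructed, not a real capture.

```python
import re

# RFC 959 encodes an address/port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """Turn the six comma-separated numbers into ('a.b.c.d', port), rejecting values over 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT/PASV field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connections(transcript):
    """Walk a control-channel transcript ('C> ' client lines, 'S> ' server lines) and return
    one tuple per negotiated data connection: (mode, initiator, source_port, dest_host, dest_port).
    This is exactly what a firewall administrator needs to know to permit the transfer."""
    result = []
    for line in transcript:
        side, _, text = line.partition("> ")
        m = _PORT_CMD.match(text) if side == "C" else None
        if m:
            host, port = decode_hostport(m.groups())
            # Active mode: the client is listening; the server connects back FROM its port 20.
            result.append(("active", "server", 20, host, port))
            continue
        m = _PASV_REPLY.match(text) if side == "S" else None
        if m:
            host, port = decode_hostport(m.groups())
            # Passive mode: the server listens on a high port; the client connects FROM an ephemeral port.
            result.append(("passive", "client", "ephemeral", host, port))
    return result

# Constructed sample session mixing one active and one passive transfer.
SAMPLE_SESSION = [
    "S> 220 (vsFTPd 1.1.0)",
    "C> USER anonymous",
    "S> 331 Please specify the password.",
    "C> PASS user@example.com",
    "S> 230 Login successful.",
    "C> PORT 192,168,1,10,195,80",        # client 192.168.1.10 listens on 195*256+80 = 50000
    "S> 200 PORT command successful.",
    "C> LIST",
    "C> PASV",
    "S> 227 Entering Passive Mode (203,0,113,5,19,137).",  # server listens on 19*256+137 = 5001
    "C> RETR notes.txt",
]

if __name__ == "__main__":
    for conn in data_connections(SAMPLE_SESSION):
        print(conn)
```

The active entry is the one a many-to-one NAT in front of the client cannot deliver, since the inbound connection from port 20 names a private address the firewall cannot map back to a single host.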
How to Download and Install the VSFTP Package
Red Hat software is installed using RPM packages. The VSFTP RPM file is named vsftpd-1.1.0-1.i386.rpm, and downloading and installing RPMs isn't hard.
Download the file to a directory such as /tmp and install it using the rpm command:
[root@wil0 tmp]# rpm -Uvh vsftpd-1.1.0-1.i386.rpm
Preparing... ################################### [100%]
1:vsftpd ###################################### [100%]
[root@wil0 tmp]#
How to Get VSFTP Started
The starting and stopping of VSFTP is controlled by xinetd via the /etc/xinetd.d/vsftpd file. VSFTP is deactivated by default, so you'll have to edit this file to start the program. Make sure the contents look like this; the disable setting must be "no" for the server to accept connections.
service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    nice        = 10
}
You will then have to restart xinetd for these changes to take effect, using the startup script in the /etc/init.d directory.
[root@wil0 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [OK]
Starting xinetd: [OK]
[root@wil0 ~]#
Naturally, to disable VSFTP once again, you'll have to edit /etc/xinetd.d/vsftpd, set disable to yes, and restart xinetd.
Testing To See If VSFTP Is Running
You can always test whether the VSFTP process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. The example below shows the expected output; there would be no output at all if VSFTP weren't running.
[root@wil0 ~]# netstat -a | grep ftp
tcp        0      0 *:ftp                   *:*                     LISTEN
[root@wil0 ~]#
What Is Anonymous?
Anonymous FTP is used by web sites that need to exchange files with numerous unknown remote users. Common uses range from downloading software updates and MP3s to uploading diagnostic information for a technical support engineer's attention.
Unlike regular FTP, where you log in with a user-specific username, anonymous FTP only requires a username of 'anonymous' and your email address as the password. Once logged in to a VSFTP server, you'll automatically have access to only the default anonymous FTP directory /var/ftp and all its subdirectories.
The /etc/vsftpd.conf File
FTP Security Issues
The /etc/vsftpd/ftpusers File
For added security you may restrict FTP access for certain users by adding them to the list of users in this file. Do not delete entries from the default list; only add to it.
Anonymous Upload
If you want remote users to write data to your FTP server, it is recommended that you create a write-only directory within /var/ftp/pub. This will allow your users to upload, but not access other files uploaded by other users. Here are the commands to do this:
[root@wil0 ~]# mkdir /var/ftp/pub/upload
[root@wil0 ~]# chmod 733 /var/ftp/pub/upload
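The following Python is an added example (not from the original text) that reproduces the mkdir/chmod step above and then audits the result, flagging the two ways a write-only upload directory is commonly misconfigured: a read bit that lets anonymous users list it, or missing write/execute bits that break uploads. It works in a scratch directory so it can be run without root; the /var/ftp/pub/upload path itself is only mirrored in the temporary tree.

```python
import os
import stat
import tempfile

# Mode the page's "chmod 733" sets: owner rwx, group and others write+execute but no read,
# so anonymous users can drop files into the directory but cannot list what is already there.
UPLOAD_DIR_MODE = 0o733

def create_upload_dir(path, mode=UPLOAD_DIR_MODE):
    """mkdir + chmod, as on the page; chmod runs after mkdir so the umask cannot strip bits."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)
    return path

def audit_upload_dir(path):
    """Return a list of problems with a write-only upload directory; [] means it matches the intent."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("directory is listable by group/others; expected mode 733 (got %o)" % mode)
    if not (mode & stat.S_IWOTH) or not (mode & stat.S_IXOTH):
        problems.append("others lack write+execute, so anonymous uploads would fail (got %o)" % mode)
    # A world-readable file can still be downloaded by another anonymous user who knows its name.
    for name in os.listdir(path):
        fmode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if fmode & stat.S_IROTH:
            problems.append("%s is world-readable" % name)
    return problems

def demo():
    """Build a correct upload dir in a scratch tree, then loosen it to show the audit catching it."""
    root = tempfile.mkdtemp()
    upload = create_upload_dir(os.path.join(root, "ftp", "pub", "upload"))
    good = audit_upload_dir(upload)   # expected: []
    os.chmod(upload, 0o755)           # the common mistake: a listable directory
    bad = audit_upload_dir(upload)
    return good, bad

if __name__ == "__main__":
    print(demo())
```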
FTP Greeting Banner
Change the default greeting banner in /etc/vsftpd.conf to make it harder for malicious users to determine the type of system you have.
ftpd_banner=New Banner Here
Using SCP As Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password. This could expose your user account to anyone eavesdropping on the network connection. Secure Copy (SCP) provides encryption and could be considered as an alternative to FTP for trusted users. SCP, however, does not support anonymous services, a feature that FTP does.