Chapter 7. FTP

Table of Contents

Introduction to vsftpd
FTP Installation
FTP Configuration
FTP Firewall
FTP Access
FTP Logs
FTP Check Point

Introduction to vsftpd

The default Red Hat (and subsequently CentOS) FTP server is vsftpd. vsftpd stands for "very secure file transfer protocol daemon", which it is.

[Caution] The FTP Protocol is Insecure by Nature

Calling vsftpd "very secure" can be a bit confusing. The "secure" part refers to the daemon, not the FTP Protocol. FTP sends passwords and user names in clear text, making them vulnerable to capture by unscrupulous snooping.

The FTP Protocol passes all traffic in clear text, including user names and passwords. FTP can be secured in various ways; perhaps the most popular is using sftp or scp, both of which are subsets of SSH commands.

FTP Installation

The following sequence of commands will install the vsftpd package. Issue each command as indicated. NOTE that your mileage may vary depending on the individual configuration of your machine.

Figure 7.1. FTP Installation Image #1

The screenshot above shows the result of issuing the command `rpm -qa | grep ftp`. This command queries all the installed packages on the machine, and filters the output of that command for any package that contains the sequence of characters "ftp". Note that the return has no mention of the daemon, only clients. This indicates that the vsftpd package is not installed.

Figure 7.2. FTP Installation Image #2

Next, we have queried package repositories with the `yum` command: `yum search vsftpd`. This command tells us if the vsftpd package is available for install. Note that there is a solid return with the appropriate information.

Figure 7.3. FTP Installation Image #3

The next command in the sequence is `yum -y install vsftpd`, which successfully installs the vsftpd package. The '-y' flag to the `yum` command automatically answers yes to any prompt that would be issued during the install sequence.

We now have successfully installed the vsftpd package. If you were successful, please continue. If you were not successful, do not proceed until you can determine what went wrong, and why the process did not work.

FTP Configuration

The FTP daemon can be configured in many ways. For the purposes of this class, we will use a few of the many options available to vsftpd. The main configuration files for vsftpd are in '/etc/vsftpd'.

First, and foremost, as shown below, we need to make a backup of the configuration file that was installed with the package for future reference. In the command below, we have named the file with a '.init' extension, which tells us that this copy of the file is the pristine, initial version of the file. The command is `cat vsftpd.conf > vsftpd.conf.init`.

Figure 7.4. FTP Configuration Image #1

Figure 7.5. FTP Configuration Image #2

At this point we need to edit the file to customize the 'vsftpd' service for our machine. Note that the working location within the shell has changed. Issue the command `vi vsftpd.conf` or use the editor of your choice. Alter the directives as indicated below.

Figure 7.6. FTP Configuration Image #3

There are two directives we want to change at this time. They are shown in the screenshot above, and listed below.

    # forbids the 'anonymous' user access to ftp services
    anonymous_enable=NO
    # enables ftp access for users with accounts on the system
    local_enable=YES

Among other uses for FTP, the directives above will permit a user to log in via FTP and upload various web files, etc.
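The following added example (not part of the original chapter) audits a vsftpd.conf for the two directives set above. vsftpd expects each setting as `option=value` with no spaces around the `=` and comments on their own lines, so the check compares the whole text after the `=`. The function names and the sample file are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the chapter): audit the two directives it sets.

# Print the value assigned to directive $2 in file $1 (last assignment wins).
# "unset" means no assignment was found; a line with stray spaces around the
# directive name is reported as malformed instead of being trusted.
vsftpd_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        {
            eq = index($0, "=")
            if (!eq) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != k) next
            v = (substr($0, 1, eq) == k "=") ? substr($0, eq + 1) : "malformed line: " $0
            found = 1
        }
        END { print (found ? v : "unset") }' "$1"
}

# Compare each directive with the exact value the chapter sets.
# Trailing spaces or a trailing "# comment" are part of the value, so they FAIL.
vsftpd_audit() {
    conf=$1; rc=0
    for want in anonymous_enable=NO local_enable=YES; do
        key=${want%%=*}; val=${want#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" = "$val" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: expected '$val', found '$got'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample file: one directive carries an inline comment.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real system's vsftpd.conf
anonymous_enable=NO     # forbids anonymous access
local_enable=YES
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
vsftpd_audit "$tmp" || echo "audit failed: fix the lines marked FAIL"
rm -f "$tmp"
```

On a real system, run `vsftpd_audit /etc/vsftpd/vsftpd.conf` after editing and before restarting the service.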

Figure 7.7. FTP `chkconfig`

Next, as shown in the image above, we want to ensure that the vsftpd daemon starts when the system is booted.

    chkconfig --list vsftpd       # shows current startup status of vsftpd
    chkconfig vsftpd on           # ensures that vsftpd will start at boot time

Figure 7.8. FTP Service Restart

Finally, we start the vsftpd service with the command `service vsftpd restart`. Note that the `restart` command failed on the shutdown part. This is to be expected, since the service was not initially running. Once the service is running, the `restart` command works as expected.

FTP Firewall

Now that we have the FTP daemon installed and configured, we need to open the firewall to allow incoming traffic. The following series of commands will accomplish this task. The FTP protocol works off port 21, so that's the one we need to open. In some older configurations, it's also necessary to open port 20. Opening only port 21 should be sufficient for what we need in this class, given the version of vsftpd that we're installing.

Figure 7.9. FTP Firewall Image #1

In the screenshot above, port 21 is not listed; therefore, that port is not open. The command to check the firewall is `iptables -vnL`. This step is a check or verification that port 21 is not open. If it's not already open, we can proceed as shown below to open it.

Figure 7.10. FTP Firewall Image #2

We'll use the firewall configuration utility that is invoked by the command `system-config-firewall-tui`. You can see in the screenshot above that the firewall is Enabled, and I have selected Customize. Once these selections are made, press ENTER to continue.

Figure 7.11. FTP Firewall Image #3

In the screenshot shown above, it's a matter of scrolling down to place a check next to FTP, then tabbing to Close. Once again, press ENTER. The screenshot above should match the step that you take.

Figure 7.12. FTP Firewall Image #4

We're now back where we started in the terminal user interface, shown in the screenshot above. Once again, the firewall is Enabled, and I have tabbed through to OK. Press ENTER.

Figure 7.13. FTP Firewall Image #5

The screenshot above shows that we are issued a warning. This is customary, in that we will overwrite the existing firewall configuration in order to open port 21. Make sure Yes is enabled, then press ENTER.

Figure 7.14. FTP Firewall Image #6

Now we're back where we started before configuring the firewall. Once again issue the command `iptables -vnL`. As shown in the screenshot above, you should now see port 21 open in the list. If this is true, congratulations: you have just configured the firewall. If port 21 is not listed in the output, do not proceed until you figure out why.

FTP Access

With all of the above, we should be able to access the server via FTP. This requires that you have an FTP client installed on your regular desktop or another machine. It's possible to use an FTP client that offers a GUI front end, which many prefer. FileZilla is one of the most popular. At any rate, if you enter the configuration parameters as required, then attempt to access the Rackspace VM, you should be able to connect and upload files as necessary.

Figure 7.15. FTP Access Image #1

The screenshot above shows a connection being made with `lftp`. Note that upon login, a directory listing from the remote machine was output. Then the `bye` FTP command was issued to terminate the connection.

FTP Logs

We can view and monitor FTP traffic through the log files that are dedicated to this service. The following will help with analyzing the vsftpd log files.

  1. Inside the config file the vsftpd_log_file directive establishes the log file, which defaults to '/var/log/vsftpd.log'. Review this log file to see vsftpd activity.
  2. There are many other options to enhance vsftpd logging. See the vsftpd man page for more details.
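As an added example (not part of the original chapter), the script below summarises failed logins per client from a vsftpd log and marks clients whose failures were followed by a successful login. It assumes the log is in vsftpd's native format rather than the xferlog format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the chapter): summarise failed FTP logins per client.
# Assumes vsftpd's native log format, e.g.
#   Mon Mar  4 09:12:03 2024 [pid 2100] [student] FAIL LOGIN: Client "203.0.113.7"

# Usage: ftp_failed_logins MIN [FILE]   (reads stdin when FILE is omitted)
# Prints "client failures status" for every client with at least MIN failures.
# status is then-OK-LOGIN when a successful login followed those failures.
ftp_failed_logins() {
    awk -v min="$1" '
        # The [user] field is supplied by the client, so the address is taken
        # from the end of the line rather than from the first quote found.
        function client() {
            if (!match($0, /Client "[^"]*"$/)) return ""
            return substr($0, RSTART + 8, RLENGTH - 9)
        }
        /\] FAIL LOGIN: Client "/ { ip = client(); if (ip != "") fails[ip]++ }
        /\] OK LOGIN: Client "/ {
            ip = client()
            if ((ip in fails) && fails[ip] >= min + 0) hit[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min + 0)
                    print ip, fails[ip], ((ip in hit) ? "then-OK-LOGIN" : "no-success")
        }' ${2:+"$2"} | sort
}

# Constructed sample log lines (documentation address ranges, invented users).
sample_log() {
    cat <<'EOF'
Mon Mar  4 09:12:01 2024 [pid 2101] CONNECT: Client "203.0.113.7"
Mon Mar  4 09:12:03 2024 [pid 2100] [student] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:06 2024 [pid 2100] [student] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:09 2024 [pid 2100] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:14 2024 [pid 2100] [student] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 09:20:31 2024 [pid 2140] [student] FAIL LOGIN: Client "198.51.100.20"
Mon Mar  4 09:20:40 2024 [pid 2140] [student] OK LOGIN: Client "198.51.100.20"
EOF
}

sample_log | ftp_failed_logins 3
```

Against the live log, run `ftp_failed_logins 3 /var/log/vsftpd.log`; a `then-OK-LOGIN` status after repeated failures is worth checking with the account owner.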

FTP Check Point

Once you have all of the items in this chapter configured and working properly, send me an email. I will need the username and password of the regular user on your system. I'll log in to your system via FTP to verify that it's all in place.