Chapter 7. FTP

Table of Contents

Introduction to vsftpd
FTP Installation
FTP Configuration
FTP Service Enable & Restart
FTP Firewall
FTP Kernel Module
FTP Access
FTP Logs
FTP Check Point

Introduction to vsftpd Top of Page

The default Red Hat (and subsequently CentOS) FTP server is vsftpd . vsftpd stands for "Very Secure File Transfer Protocol Daemon", which it is.

[Caution] The FTP Protocol is Insecure by Nature

Calling vsftpd "very secure" can be a bit confusing. The "secure" part refers to the daemon , not the FTP Protocol . FTP sends passwords and user names in clear text, making them vulnerable to capture by unscrupulous snooping.

The FTP Protocol passes all traffic in clear text, including user names and passwords. FTP can be secured in various ways, perhaps the most popular is using sftp or scp, both of which are subsets of SSH commands.

FTP Installation

The following sequence of commands will install the vsftpd package. Issue each command as indicated. NOTE that your mileage may vary depending on the individual configuration of your machine.

Figure 7.1. FTP Installation Image #1

FTP Installation Image #1

The screenshot above shows the result of issuing the command `rpm -qa | grep ftp`. This command queries all the installed packages on the machine, and filters the output of that command for any package that contains the sequence of characters "ftp". Note that the return has no mention of the daemon, only clients. This indicates that the vsftpd package is not installed.

Figure 7.2. FTP Installation Image #2

FTP Installation Image #2

Next, we have queried package repositories with the `yum` command: `yum search vsftpd`. This command tells us if the vsftpd package is available for install. Note that there is a solid return with the appropriate information.

Figure 7.3. FTP Installation Image #3

FTP Installation Image #3

The next command in the sequence is `yum -y install vsftpd`, which successfully installs the vsftpd package. The '-y' flag to the `yum` command automatically answers yes to any prompt that would be issued during the install sequence.

We now have successfully installed the vsftpd package. If you were successful, please continue. If you were not successful, do not proceed until you can determine what went wrong, and why the process did not work.

FTP Configuration Top of Page

The FTP daemon can be configured in many ways. For the purposes of this class, we will use a few of the many options available to vsftpd. The main configuration files for vsftpd are in '/etc/vsftpd'.

First, and foremost, as shown below, we need to make a backup of the configuration file that was installed with the package for future reference. In the command below, we have named the file with a '.init' extension, which tells us that this copy of the file is the pristine, initial version of the file. The command is `cat vsftpd.conf > vsftpd.conf.init`.

Figure 7.4. FTP Configuration Image #1

FTP Configuration Image #1

The steps above are typical for our course. We've backed up the initial config file.

Figure 7.5. FTP Configuration Image #2

FTP Configuration Image #2

At this point we need to edit the file to customize the 'vsftpd' service for our machine. Note that the working location within the shell has changed. Issue the command `vi vsftpd.conf` or use the editor of your choice. Alter the directives as indicated below.

Figure 7.6. FTP Configuration Image #3

FTP Configuration Image #3

There are two directives we want to change at this time. They are shown in the screenshot above, and listed below.

    anonymous_enable=NO     # forbids the 'anonymous' user access to ftp services
    local_enable=YES        # enables ftp access for users with accounts on the system

Among other uses for FTP, the directives above will permit a user to log in via FTP and upload various web files, etc.

FTP Service Enable & Restart Top of Page

Figure 7.7. FTP Service Enable & Restart

FTP Service Enable & Restart

The image above shows several steps when configuring vsfptd. At this point, we're interested in the last two, which will 'start' and 'enable' the service. The commands are outlined below.

    `systemctl start vsftpd`        # starts the vsftpd service
    `systemctl enable vsftpd`       # ensures that vsftpd will start at boot time
                                    # 
                                    # additional useful commands
    `systemctl status vsftpd`       # check the status of the vsftpd service
    `systemctl restart vsftpd`      # restart the vsftpd service - will reload a changed config file
    `systemctl stop vsftpd`         # stop the vsftpd service
    `systemctl is-enabled vsftpd`   # check to see if the service is enabled to start at machine boot    
    

The commands that are shown above will perform the actions indicated. These commands are common to most services on the system.

FTP Firewall Top of Page

Now that we have the FTP daemon installed and configured, we need to open the firewall to allow incoming traffic. The following series of commands will accomplish this task. The FTP protocol works off port 21, so that's the one we need to open. In some older configurations, it's also necessary to open port 20. Opening only port 21 should be sufficient for what we need in this class, given the version of vsftpd that we're installing.

Figure 7.8. FTP Firewall

FTP Firewall

    `firewall-cmd --add-port=21/tcp --permanent`            # opens port 21 for ftp traffic
    `firewall-cmd --reload`                                 # loads the new firewall rule
    `iptables -vnL | grep 21`       # shows that port 21 is open and ready to receive connections
    

FTP Kernel Module Top of Page

There's another step that needs to be taken to make FTP connections available. The commands listed below will load a "connection tracking" module that will allow the firewall to maintain persistence for incoming connections. Follow the steps below to load this module.

Figure 7.9. FTP Kernel Module

FTP Kernel Module

    `cd /etc/modules-load.d`                        # change to the appropriate directory
    `echo "nf_conntrack_ftp" > nf_conntrack.conf`   # creates the file that tells the kernel to load the required module
    `ls -al`                                        # shows that the file now exists
    `cat nf_conntrack.conf`                         # shows the contents of the new file
    

Once these steps are completed, the system should be ready to accept FTP connections.

FTP Access Top of Page

With all of the above, we should be able to access the server via FTP. This will necessitate that you have an FTP client installed on your regular desktop or another machine. It's possible to use an FTP client that offers a GUI front end, which is preferable by many. FileZilla is one of the most popular. At any rate, if you enter the configuration parameters as required, then attempt to access the Rackspace VM, you should be able to connect and upload files as necessary.

Figure 7.10. FTP Access

FTP Access

The screenshot above shows a connection being made with `lftp`. Note that upon login, a directory listing was output on the remote machine. Then the `bye` FTP command was issued to terminate the connection.

FTP Logs Top of Page

We can view and monitor FTP traffic through the log files that are dedicated to this service. The following will help with analyzing the vsftpd log files.

  1. Inside the config file the vsftpd_log_file directive establishes the log file, which defaults to '/var/log/vsftpd.log'. Review this log file to see vsftpd activity.
  2. There are many other options to enhance vsftpd logging. See the vsfptd man page for more details.

FTP Check Point Top of Page

Once you have all of the items in this chapter configured and working properly, send me an email. I will need the username and password of the regular user on your system. I'll log in to your system via FTP to verify that it's all in place.