Configuring an FTP server using vsFTPD
FTP:The Basics:
FTP is the Internet standard File Transfer Protocol that is used to send and receive files over the Internet . It runs over TCP and uses two separate ports for control and data connections between the client and server applications . Control port uses Port 21 which is used for sending control information such as username , password, put/get commands, etc while data files are usually transferred on port 20.
Modes of Running FTP:
FTP runs in two modes : Active and Passive
Active FTP: In active mode , the FTP server initiates a data transfer connection back to the client . This is the flow.
1. FTP client connects from a random unprivileged port (N > 1023) to the FTP server's control port , port 21.
2. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server.
3. The server will then connect back to the client's specified data port from its local data port , which is port 20.
Passive FTP: In passive mode , the FTP client initiates both connections to the server. The following is the flow.
1. Here the FTP client opens two random unprivileged ports locally (N > 1023 and N+1).
2. The first port contacts the server on port 21and then issues PASV command . This is unlike issuing a PORT command and allowing the server to connect back to its data port as in Active FTP.
3. The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.
4. The client then initiates the connection from port N+1 to port P on the server to transfer data.
Pros and Cons with Active and Passive FTP:
The problem with Active and Passive FTP is that we have to write different firewall policies depending on whether we are using Active or Passive FTP.
The problem with Active and Passive FTP is that we have to write different firewall policies depending on whether we are using Active or Passive FTP.
The problem with Active FTP is that the FTP server initiates a connection to FTP client on a random higher port number ( > 1023) instead of a client initiating the connection . Since typically firewalls will not allow incoming connections on a client host , active FTP will fail . Because of this behavior , we have to enable ports > 1023 on the client host. The problem with passive FTP is that the server needs to open a random unprivileged port (P > 1023) where the client connects but most will be blocked by the firewall in most environments. But opening of higher range ports can be minimized by using a range of ports on FTP server.
vsftpd is a GPL licensed FTP server for UNIX like systems . It is said to be a stable , secure and extremely fast FTP server. Highly popular and is deployed in many successful projects as per their website .
Package Name: vsFTPD
About vsFTPD:
vsftpd is a GPL licensed FTP server for UNIX like systems . It is said to be a stable , secure and extremely fast FTP server. Highly popular and is deployed in many successful projects as per their website .
FactFile:
Package Name: vsFTPD
Configuration file : /etc/vsftpd/vsftpd.conf
Ports: 20 ftp-data
21 ftp
21 ftp
Important files: 1) /etc/vsftpd/vsftpd.conf
2) /etc/vsftpd.ftpusers
3) /etc/vsftpd.user_list
4) /etc/vsftpd.chroot_list
Configuring vsFTPD:
There are many documentations available on configuring vsFTPD . I will mainly be demonstrating on configuring vsFTPD for the following features. Please remember to restart the vsftpd service after making any changes in the vsftpd configuration file . I will not be mentioning any more to restart the service. sudo /sbin/service vsftpd restart will help.
Configuring vsFTPD:
There are many documentations available on configuring vsFTPD . I will mainly be demonstrating on configuring vsFTPD for the following features. Please remember to restart the vsftpd service after making any changes in the vsftpd configuration file . I will not be mentioning any more to restart the service. sudo /sbin/service vsftpd restart will help.
1. As Active and Passive FTP
2. Chroot environment for users.
3. Configuring vsFTPD for encrypted communication.
4. Locking down the FTP server.
Active and Passive FTP:
By default , vsFTPD runs in passive mode. To configure it to run in active mode, we have to add the following option in main configuration file /etc/vsftpd/vsftpd.conf
4. Locking down the FTP server.
By default , vsFTPD runs in passive mode. To configure it to run in active mode, we have to add the following option in main configuration file /etc/vsftpd/vsftpd.conf
pasv_enable=NO
Chroot environment for users:
A chroot environment creates a new root directory for the current running process and its children. vsFTPD can be configured to run under chroot environment . When activated , by default, local users will be placed in a chroot jail in their home directory after login . The following are the options to activate chroot environment in vsFTPD .
chroot_list_enable=YES
When activated, local users will be placed in a chroot. jail in their home directory upon login . We can provide a list of users who will be put under chroot environment by putting the usernames in the following file : /etc/vsftpd/chroot_list.This file may be override with the following option chroot_list_file
We can also enable using chroot environment by using the following options.
chroot_local_user=YES
This also creates chroot environment for local users. This option has security implications as per vsftpd manual . To limit the number of users who will be under chroot environment , we have to enable the following option. chroot_list_enable=YESIn this case, the list becomes a list of users which are NOT to be placed in a chroot jail.
Encrypted Authentication:
To , enable secure connections , vsFTPD has to be compiled with openSSL support .To check for openSSL support , use the following command.
This confirms that vsFTPD has been compiled with openSSL support.
To enable secure connections, we have to enable the following option. Please make sure that your vsFTPD is compiled with SSL.
This will support secure connections via SSL . Both control and data communications will be encrypted. We also need to generate a digital certificate to identify the FTP server . In this case we will create a self-signed certificate and need to put the certificate location in the main config file . To generate a self signed certificate, we need to do the following:
$ cd /etc/pki/tls/certs
It will ask some simple questions to identify the host in order to generate the certificate . After providing all the answers a certificate will be created and we need to put the certificate location in vsftpd config file . The following is the option .
$ rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
We will need a client with SSL support too . lftp , gFTP , FileZilla are such FTP clients which supports SSL . The following commands can be used with lftp to establish a secure connection with the FTP server.
To , enable secure connections , vsFTPD has to be compiled with openSSL support .To check for openSSL support , use the following command.
ldd /usr/local/sbin/vsftpd | grep ssl
libssl.so.4 => /lib/libssl.so.4 (0x008d1000)
libssl.so.4 => /lib/libssl.so.4 (0x008d1000)
This confirms that vsFTPD has been compiled with openSSL support.
To enable secure connections, we have to enable the following option. Please make sure that your vsFTPD is compiled with SSL.
ssl_enable=YES
$ cd /etc/pki/tls/certs
$ make vsftpd.pem
$ rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
We will need a client with SSL support too . lftp , gFTP , FileZilla are such FTP clients which supports SSL . The following commands can be used with lftp to establish a secure connection with the FTP server.
$ lftp
lftp :~> connect test.example.com : To connect to FTP server
lftp :~> connect test.example.com : To connect to FTP server
lftp test.example.com:~>user <uname>:To login as non anonymous user
lftp test.example.com:~>set ftp:ssl-protect-data true : To enable the ftp client for encrypted data
transfer if the server does not allow non encrypted data transfer
lftp test.example.com:~>ftp:ssl-force true : if true , refuse to send FTP commands in clear text
when server does not support SSL
Locking down the FTP server:
vsFTPD supports restricted number of FTP commands in order to lock down the server to respond to only few commands . We can use the cmds_allowed option in the main configuration file to achieve this. This options specifies a comma separated list of FTP commands which will be allowed
on the FTP server. Note that USER, PASS and QUIT are always allowed .
cmds_allowed=PASV,LIST
Let's see now with an example the impact of this option. We have only allowed PASV and LIST command which will help us to list files. Any command like RETR i.e to download files will fail.
$ ftp -d 10.66.74.141
Connected to 10.66.74.141.
220 (vsFTPd 2.0.5)
---> AUTH GSSAPI
530 Please login with USER and PASS.
---> AUTH KERBEROS_V4
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.66.74.141:testftp):
---> USER testftp
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
cmds.c:276: verbose=1 debug=1 overbose=1
---> SYST
550 Permission denied.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (10,66,74,141,136,83)
---> LIST
150 Here comes the directory listing.
drwxr-xr-x 2 500 500 4096 Nov 18 06:22 Desktop
-rw-r--r-- 1 500 500 16 Nov 18 10:25 test
drwxrwxr-x 3 500 500 4096 Nov 17 06:47 tools
-rw-r--r-- 1 0 0 66134 Nov 19 05:27 wireshark.out
drwxr-xr-x 2 500 500 4096 Nov 17 05:38 yum.repos.d
226 Directory send OK.
ftp> get test
local: test remote: test
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (10,66,74,141,146,227)
---> RETR test
550 Permission denied.
ftp>
In the above example , we can see that we are able to do a LIST command , but when we try to download a file ,the RETR command failed .
Conclusion:
Thus , in this post we had seen how to configure an FTP server in a secured manner . We had seen many options in order to harden the server. There was a wrong notion among many people , that vsFTPD does not support encryption , but we had seen , if compiled with libssl , then we can achive encryption with vsFTPD. Read more about vsFTPD security at http://vsftpd.beasts.org/#security . Also , go through the manual page to know about more options .
Comments
123.hp.com/setup 227