eduardo:linux:ftp

eduardo:linux:ftp [2015/02/11 11:20] eduardoeduardo:linux:ftp [2024/02/23 08:20] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== FTP ======
  
 +===== FTP Server =====
 +
 +You’ll need to configure the ip_conntrack_ftp iptables module to load. On Redhat/CentOS just edit /etc/sysconfig/iptables-config and add “ip_conntrack_ftp” to the IPTABLES_MODULES like this:
 +
 +<code>
 +IPTABLES_MODULES="ip_conntrack_ftp"
 +</code>
 +
 +Open firewall rule on port 21. Edit /etc/sysconfig/iptables. Make sure it appears before any reject statement.
 +
 +<code>
 +*filter
 +:INPUT ACCEPT [0:0]
 +:FORWARD ACCEPT [0:0]
 +:OUTPUT ACCEPT [343:31474]
 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +-A INPUT -p icmp -j ACCEPT
 +-A INPUT -i lo -j ACCEPT
 +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 +-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
 +-A INPUT -j REJECT --reject-with icmp-host-prohibited
 +-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 +</code>
 +
 +Restart iptable
 +
 +<code>
 +[bash]# service iptables restart
 +</code>
 +
 +vsftpd package is required for FTP Server. Check whether package is installed or not. If package is missing install it first.
 +
 +<code>
 +[bash]# yum install vsftpd
 +</code>
 +
 +Configure vsftpd service to start at boot
 +
 +<code>
 +[bash]# chkconfig --level 2345 vsftpd on
 +[bash]# service vsftpd restart
 +</code>
 +
 +==== Normal User Login ====
 +
 +Default configuration of vsftpd.conf already supports access from local users. However if you are running SELinux, you might run into the following error on login:
 +
 +<code>
 +"500 OOPS: cannot change directory ..."
 +</code>
 +
 +Either disable SELinux or run the following commands
 +
 +<code>
 +[bash]# /usr/sbin/setsebool -P ftp_home_dir 1
 +</code>
 +
 +Restrict user from changing from their root directory. Edit /etc/vsftpd/vsftpd.conf
 +
 +<code>
 +chroot_local_user=YES
 +</code>
 +
 +Or if you want to disable normal user login. Edit /etc/vsftpd/vsftpd.conf and comment out the line.
 +
 +<code>
 +# local_enable=YES
 +</code>
 +
 +==== Anonymous Login ====
 +
 +Default configuration of vsftpd.conf already supports anonymous-only download. But it also supports access from local users. When a user connects on the FTP server with anonymous username, actually that user connects on the server as a user named ftp. RHEL6 automatically create this account with following setting.
 +
 +<code>
 +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
 +</code>
 +
 +With these setting users are not allowed to login as the user named ftp. So they need to use anonymous as user name. So whenever an anonymous user logged in, he is taken to ftp user's home directory /var/ftp. So if you want to change the default directory associated with anonymous logins, change the home directory associated with the local user named ftp. Create a file on the root of the ftp directory /var/ftp/pub. This file will be downloaded by anonymous user.
 +
 +<code>
 +[bash]# dd if=/dev/null of=/var/ftp/pub/file bs=1024 count=1000
 +</code>
 +
 +If you are running Linux without SELinux that's all setting which we need for this exercise. SELinux is listed in RHCE6 exam objective. So if you have configured SELinux, also configure following boolean option.
 +
 +<code>
 +[bash]# chcon -R -t public_content_t /var/ftp/pub/
 +</code>
 +
 +However if you want to disable anonymous login if needed. Edit /etc/vsftpd/vsftpd.conf
 +
 +<code>
 +anonymous_enable=NO
 +</code>
 +
 +===== FTP Client =====
 +
 +To install ftp client
 +
 +<code>
 +[bash]# yum install ftp
 +</code>