This page provides the skills for a basic FTP server setup. When you install VSFTPD, FTP accounts are automatically enabled for all local users, and an anonymous account is set up for everyone else.
1. Install VSFTPD

yum install vsftpd

2. Start the Daemon

The FTP daemon is called vsftpd; note that the "d" on the end indicates that it is a daemon that will listen for connections.

service vsftpd start

Now set it up so it will start on reboot:

chkconfig --level 35 vsftpd on

3. Configure the Firewall

To configure the firewall, use the lokkit command.

lokkit

Note that the standard firewall is simple but does provide instant security until you set up something different. Also note that you can turn SELinux on and off from the firewall configuration.

Be sure to select the FTP option and save.
4. Configure TCP_WRAPPERS

Tcp_wrappers consists of two files: /etc/hosts.deny, where you will deny everything, and /etc/hosts.allow, where you will allow only those IP subnets or addresses that you want to access your FTP server. Tcp_wrappers works with /etc/xinetd.d to create a more secure service approach. The safest thing to do when you are not using a service is to remove it from your server. However, there are many times when you will use services that you need to protect. When xinetd receives a request for a service on your server, it forwards the request to tcp_wrappers. Tcp_wrappers then looks at /etc/hosts.deny and /etc/hosts.allow and tries to find a match. If it finds a match in hosts.allow, access is allowed; if it finds a match in hosts.deny, access is denied. In addition, if it does not find a match at all, access is granted! If you use tcp_wrappers you also have a great deal of flexibility and control over IP addresses and domains. There are two files that we will use to control what happens with tcp_wrappers, /etc/hosts.deny and /etc/hosts.allow. These two files are very simple to use. Here is how you should configure /etc/hosts.deny all of the time:

#######################
ALL: ALL
#######################

The concept is simple: deny everything and then allow only what you want. This is the safest way to use tcp_wrappers. Remember, if tcp_wrappers does not find a match in either hosts.deny or hosts.allow, access is granted; that is why you must make sure there is a match in hosts.deny.
When you configure /etc/hosts.allow you have a lot of options. There are several wildcards that you can use:

ALL - always matches
LOCAL - matches a host name, not a domain name
UNKNOWN - matches when the host name or IP is unknown due to a problem
KNOWN - matches when the host name and IP are known
PARANOID - matches when the host name does not match its IP
Patterns can also be used for matches. For example, .myserver.com matches me.myserver.com and you.myserver.com: the leading period matches everything on the right side of the host name. Likewise, 192.168.5. matches all the addresses on 192.168.5.0/255.255.255.0 because the trailing period matches from the left.
Each line of hosts.allow uses the form:

daemon list : client list : option : option

The daemons are placed first on the line, followed by the clients and options, each field separated by a colon. Here are a few examples:

ALL: 192.168.4.23: DENY
This example denies all access to the computer at IP address 192.168.4.23.

SSHD: 192.168.5.0/24: ALLOW
This example permits SSH access to all computers on the 192.168.5.0/24 network.

VSFTPD: ALL: ALLOW
This allows all users who connect to this server access to FTP.

VSFTPD: ALL EXCEPT myserver.com
This permits FTP access to everyone except those computers on the myserver.com network.
Example:

# hosts.allow  This file describes the names of the hosts which are
#              allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
ALL: 127.0.0.1
SSHD: 12.32.45.89
VSFTPD: ALL
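To see how the hosts.allow and hosts.deny rules above actually combine, here is an added example (not part of the original lesson and not tcp_wrappers' own code) that models the tcpd access decision in Python: hosts.allow is searched first, then hosts.deny, the first matching line wins, an explicit ALLOW/DENY option overrides the file it sits in, and no match in either file grants access. The sample file contents, the client names and the KNOWN/UNKNOWN wildcards left out are assumptions made for the example.

```python
import ipaddress

def _match_token(tok, host, ip):
    """One pattern from a daemon or client list, using tcp_wrappers' matching rules (case-insensitive)."""
    t = tok.lower()
    if t == "all":
        return True
    if t.startswith("."):            # leading period: .myserver.com matches me.myserver.com
        return host.lower().endswith(t)
    if t.endswith("."):              # trailing period: 192.168.5. matches 192.168.5.x
        return ip.startswith(t)
    if "/" in t:                     # net/mask form: 192.168.5.0/24 or 192.168.5.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(t, strict=False)
    return t in (host.lower(), ip)   # exact host name or address

def _match_list(spec, host, ip):
    """A whitespace-separated list, with the 'list EXCEPT list' form (right-associative)."""
    head, _, tail = spec.lower().partition(" except ")
    hit = any(_match_token(t, host, ip) for t in head.split())
    return hit and not _match_list(tail, host, ip) if tail else hit

def _first_match(rules, daemon, host, ip):
    """First 'daemons : clients [: option]' line that matches; '#' starts a comment."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue
        if _match_list(fields[0], daemon, "") and _match_list(fields[1], host, ip):
            return True, (fields[2].upper() if len(fields) > 2 else None)
    return False, None

def access_decision(hosts_allow, hosts_deny, daemon, host, ip):
    """True if the connection is accepted. hosts.allow is searched first, then hosts.deny,
    and the first match wins; an explicit ALLOW/DENY option overrides the file's default.
    No match in either file means access is GRANTED, which is why hosts.deny needs ALL: ALL."""
    for rules, default in ((hosts_allow, True), (hosts_deny, False)):
        matched, option = _first_match(rules, daemon, host, ip)
        if matched:
            return {"ALLOW": True, "DENY": False}.get(option, default)
    return True

# Constructed sample files mirroring the lesson's rules (not copied from a real host).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# allow the loopback address, one LAN for sshd, and a domain plus a subnet for vsftpd
ALL: 127.0.0.1
sshd: 192.168.5.0/24
vsftpd: .myserver.com 192.168.4. EXCEPT 192.168.4.23
"""
```

Calling access_decision(HOSTS_ALLOW, "", "sshd", "unknown", "10.0.0.1") returns True, which is the open-by-default behaviour the lesson warns about when hosts.deny is left empty.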
5. Test the Anonymous Login

Create a file called "mytext" in the /var/ftp/pub directory. You will now log in to verify that the file is available to anonymous users.

Log in as an anonymous user:

ftp localhost
username: anonymous
password: any_email_address

cd into the pub directory and then view the file with ls. Terminate the session with quit.

6. Test Local User FTP

Create a user and place several files in the user's home directory. Now log in as that user. You should land in the /home/user_name directory, not in the anonymous directory. Use ls to verify you can see the user's files in the home directory.

Log in as a local user:

ftp localhost
username: user_name
password: user_password
Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874