🌐 🇵🇱 Polski · 🇬🇧 EN
FTP, or File Transfer Protocol, is a client-server protocol that uses TCP/IP for bidirectional file exchange. FTP is defined by the IETF in the RFC959 document. It is an 8-bit protocol, so it does not require encoding data to 7 bits as is the case with mail protocols. Two TCP connections are used for communication: one for sending commands and the other for data transmission. The connection can operate in two modes: active and passive. In Red Hat systems, the FTP server package is vsftpd. Vsftpd is an FTP server software based on the GPL license. More information can be found at https://security.appspot.com/vsftpd.html
INSTALLING THE VSFTPD PACKAGE
Step 1 - Installing the FTP server package
# yum install -y vsftpd
Step 2 - Verifying that the package is correctly visible in the system
# rpm -qa | grep vsftpd
vsftpd-2.2.2-6.el6_0.1.i686
Step 3 - Setting the FTP server to start with the Linux system
# chkconfig vsftpd on
Step 4 - Verifying that the startup settings are correct
# chkconfig --list vsftpd
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vsftpd CONFIGURATION
The main configuration file for vsftpd is located at /etc/vsftpd/vsftpd.conf.
Step 1 - Previewing the default configuration options in vsftpd.conf
# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Step 2 - Understanding what the above options are used for.
anonymous_enable=YES - A default security setting; setting this to "NO" increases security by disabling access for anonymous users.
local_enable=YES - Allows local users to log in
write_enable=YES - Allows users to write to the directory
local_umask=022 - Sets the umask for all added files
dirmessage_enable=YES - Displays directory information
xferlog_enable=YES - Logs file transfer activity to /var/log/xferlog
connect_from_port_20=YES - Directly sets the port to 20
xferlog_std_format=YES - All logs in standard format
listen=YES - Enables the server to listen on a port
pam_service_name=vsftpd - Name used in the PAM service
userlist_enable=YES - Enables the user list control service
tcp_wrappers=YES - Allows TCP protocol queries
userlist_deny=YES - Enables the list of users allowed to log in to the FTP server
All available configuration options that can be set in vsftpd.conf can be found in the system manual pages.
# man vsftpd.conf
IPTABLES_MODULES="ip_conntrack_ftp"
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ip_conntrack_ftp [ OK ]
IP_CONNTRACK_FTP
To create an FTP connection in active mode, port 21 is used for commands and port 20 for data transfer. It is different in the case of a passive connection, where port 21 is also used for commands, but a port above 1024 is used for data transfer. If it is not specified, it will be a port with an unknown number, which means we do not know what traffic to open on the iptables firewall. For this purpose, the "ip_conntrack_ftp" module was created, whose task is to track which ports are used for data transfer in passive mode and open the appropriate traffic in the iptables firewall. After the transfer is finished, the appropriate port is closed and excluded from the firewall.
To enable the module, add it to the file:
/etc/sysconfig/iptables-config
Then restart the iptables service:
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ip_conntrack_ftp [ OK ]
FIREWALL AND SELINUX CONFIGURATION FOR VSFTPD
Before we start using the FTP server service, we need to introduce iptables rules and SELinux settings.
Let's start with iptables settings, enabling the FTP server to work on ports 20 and 21.
Step 1 - Adding rules to iptables chains
# iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
Step 2 - Saving new rules to the firewall table
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[OK]
Step 3 - Restarting the iptables service to apply changes
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Now we will set up SELinux options. Below is a list of configurable SELinux options needed for the vsftpd server to work.
ftp_home_dir
Allows the FTP server to read and write files in users' home directories
allow_ftpd_full_access
Allows local users to log in to the FTP server and read/write all system files
allow_ftpd_use_nfs
Allows the FTP server to use NFS
allow_ftpd_anon_write
Allows uploading files to the FTP server that are publicly available to other users
ftp_connect_db
Allows logging in to a MySQL database via the FTP server
allow_ftpd_use_cifs
Allows the FTP server to use CIFS
http_enable_ftp_server
Allows listing httpd files via the FTP port
Now we will allow users to write and read files in the system
Step 1 - Securing access by disabling full access to system files
# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> off
Step 2 - Disabling SELinux protection
# setsebool -P allow_ftpd_full_access=1
Step 3 - Verifying the changes made
# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> on
BASIC SECURITY FOR VSFTPD
After configuring SELinux settings for the vsftpd service, you should also configure basic security. The FTP protocol supports two different types of file transfer. The first type is Active mode, which uses port 20 to connect to the client. The second type is passive mode, using a manually configured port above 1024. Since we have two types of file transfer to choose from, we must decide which one we will use and, according to our choice, correct the configuration settings and open the appropriate ports in the firewall (iptables). Returning to the configuration options, the option setting port 20 (connect_from_port_20) is set by default and defines the default file transfer type as active mode.
Let's see what other basic security options are available. We can prevent anonymous users from logging in to the FTP server by setting the annonymous_enable switch to "NO". The "local_enable" option, which is enabled by default for the FTP server after installation, allows local users to log in to the FTP service; this is a safer solution than disabling this option and maintaining a separate list of users allowed to log in to the FTP server.
ACCESS FOR SPECIFIC USERS
The next step to increase the security of the FTP service is to establish a list of users who can or cannot log in to the FTP server. The userlist_enable option is set to "YES" by default after installation and allows the vsftpd service to check logging-in users against the list located in the /etc/vsftpd/user_file file. If this option is used in conjunction with the additional userlist_deny option, all users whose logins are on the list have their access blocked and are prevented from logging in to the FTP service. If, however, we set userlist_deny with the "=NO" parameter, only users on the list can log in. These options allow for more precise management of users and their rights to log in using the FTP service.
Step 1 - Creating the user_file
# vim /etc/vsftpd/user_file
In the file, enter the login of the user who should have the ability to log in to the FTP service.
Step 2 - Changing SELinux boolean variables
Check which variables are available for the vsftpd service:
# getsebool -a | ftp
-bash: ftp: command not found
[root@station1 ftp]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Step 1 - Creating the user_file
# vim /etc/vsftpd/user_file
In the file, enter the login of the user who should have the ability to log in to the FTP service.
Step 2 - Changing SELinux boolean variables
Check which variables are available for the vsftpd service:
# getsebool -a | ftp
-bash: ftp: command not found
[root@station1 ftp]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Change the appropriate variable so that local users can log in via FTP to their home directories:
# setsebool -P ftp_home_dir on
Re-verifying the changes made:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Now users can log in to their home directories using FTP.
Remember that the user account must exist in the system!
Blocking users from the /etc/vsftpd/user_file list
Step 1 - Adding an entry in the /etc/vsftpd/vsftpd.conf file
# vim /etc/vsftpd/vsftpd.conf
In the last lines of the file, add the entry:
userlist_deny=NO
Save the file and restart the service
service vsftpd restart
Now users whose logins are in the /etc/vsftpd/user_file file will not be able to log in to the FTP server service.
ACCESS FROM SPECIFIC HOSTS
Another situation may be providing FTP access in such a way that the restriction covers not only selected users but also the machines (hosts) from which those users can connect.
In such a situation, one way is to use the files:
In such a situation, one way is to use the files:
- /etc/hosts.allow
- /etc/hosts.deny
In these files, we can set which hosts will have access to a given service running on a given machine. Thus, an entry in the hosts.deny file like:
# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
vsftpd: ALL
Means that all hosts other than the local one are denied access to the vsftpd service.
Now, if we want, we can enable access for a selected host by adding the appropriate entry in the hosts.allow file like:
# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
vsftpd: 192.168.56.102
Such an entry enables the vsftpd service for users logging in from the machine with IP address 192.168.56.102, or this entry could look like host1.example.com.
If access to the FTP service is to be possible only from the local machine and from one selected host, such a setting can be made using iptables configuration, allowing traffic from the selected machine on port 21 to the FTP server.
ANONYMOUS FILE DOWNLOAD AND UPLOAD USING FTP
If we want the FTP service to allow anonymous users (i.e., those who log in to the server as user "anonymous" without a password or by providing an email address as a password) to download and upload files using the FTP server, we must perform the appropriate configuration by editing the configuration file and setting the appropriate permissions and contexts for the directories.
Step 1 - Editing the main configuration file /etc/vsftpd/vsftpd.conf
In the /etc/vsftpd/vsftpd.conf file, we configure the ability to use the FTP server for anonymous users as follows:
# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ANONYMOUS FILE DOWNLOAD AND UPLOAD USING FTP
If we want the FTP service to allow anonymous users (i.e., those who log in to the server as user "anonymous" without a password or by providing an email address as a password) to download and upload files using the FTP server, we must perform the appropriate configuration by editing the configuration file and setting the appropriate permissions and contexts for the directories.
Step 1 - Editing the main configuration file /etc/vsftpd/vsftpd.conf
In the /etc/vsftpd/vsftpd.conf file, we configure the ability to use the FTP server for anonymous users as follows:
# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
So we ensure that access for anonymous users is enabled and that they have the ability to upload files to the FTP server.
Step 2 - Creating directories for downloading and uploading files
In the /var/ftp location, we create two directories:
# mkdir download
#mkdir upload
Step 3 - Checking contexts on directories
ls - Z
unconfined_u:object_r:public_content_t:s0 download
unconfined_u:object_r:public_content_t:s0 upload
Step 2 - Creating directories for downloading and uploading files
In the /var/ftp location, we create two directories:
# mkdir download
#mkdir upload
Step 3 - Checking contexts on directories
ls - Z
unconfined_u:object_r:public_content_t:s0 download
unconfined_u:object_r:public_content_t:s0 upload
Step 4 - Setting the correct contexts
If we have the default FTP server directory /var/ftp/pub available, we can transfer its contexts to the newly created directories
# chcon --reference pub/ download/
# chcon --reference /pub upload/
resulting in:
# ls -Z
system_u:object_r:public_content_t:s0 download
system_u:object_r:public_content_t:s0 upload
Step 5 - Changing the context of the directory for uploading files to the FTP server
If we want anonymous users to be able to upload their files to the upload directory, one more context change is needed.
# chcon -t public_content_rw_t upload/
checking the context:
# ls -Z
system_u:object_r:public_content_rw_t:s0 upload
The /upload directory should allow uploading files to the server but prevent downloading those already uploaded.
# chmod 777 upload/
If we want files to remain invisible to the user after uploading, we set permissions that deny read access:
# chmod 753 upload/
or
# chmod 733 upload/
For the user to be able to upload and simultaneously see the list of files, we leave the permissions
# chmod 777 upload/
despite the permissions allowing read, write, and execute, it will not be possible to download files or modify those already uploaded.
If we have the default FTP server directory /var/ftp/pub available, we can transfer its contexts to the newly created directories
# chcon --reference pub/ download/
# chcon --reference /pub upload/
resulting in:
# ls -Z
system_u:object_r:public_content_t:s0 download
system_u:object_r:public_content_t:s0 upload
Step 5 - Changing the context of the directory for uploading files to the FTP server
If we want anonymous users to be able to upload their files to the upload directory, one more context change is needed.
# chcon -t public_content_rw_t upload/
checking the context:
# ls -Z
system_u:object_r:public_content_rw_t:s0 upload
Step 6 - System directory permissions
The /download directory should allow downloading files located in it, but not allow uploading to it or modification.
# chmod 755 download
The /upload directory should allow uploading files to the server but prevent downloading those already uploaded.
# chmod 777 upload/
If we want files to remain invisible to the user after uploading, we set permissions that deny read access:
# chmod 753 upload/
or
# chmod 733 upload/
For the user to be able to upload and simultaneously see the list of files, we leave the permissions
# chmod 777 upload/
despite the permissions allowing read, write, and execute, it will not be possible to download files or modify those already uploaded.

Comments