FTP installation and configuration in linux


Introduction:


Increasingly, FTP (File Transfer Protocol) is criticized for its lack of security compared to secure transfer protocols such as scp. It is nonetheless still widely used, and Fedora provides vsftpd (Very Secure File Transfer Protocol Daemon) by default as the server for this protocol.
Like most other FTP servers (ProFTPD, pure-ftpd), vsftpd supports virtual users, that is to say the ability to create user accounts that are not system users (they are in fact all "mapped" onto a single system user dedicated to this purpose). The particularity of vsftpd is that it uses PAM to authenticate users, so all the authentication options that PAM offers are available to vsftpd.
This documentation describes a configuration of vsftpd in standalone mode, with authentication of both system users and virtual users. For the virtual users, the login information will be stored either in a Berkeley DB database or in a MySQL database. This documentation has been tested on Fedora 7, Fedora 8, the Fedora 9 preview and CentOS 5.0/5.1, but should work on earlier versions.

 

Connection diagrams :


The following two diagrams are intended to show the connection tracking done by ip_conntrack for the two modes (active and passive), in order to better understand the data exchange between the FTP server and the client and so be able to write the corresponding iptables firewall rules.

The diagrams show the use of two distinct channels:
  •      control channel: it allows the client and the server to exchange the protocol commands, and also to authenticate.
  •      data channel: as the name implies, it is used to exchange data between the two hosts. It is in the way this channel is set up that passive mode and active mode differ.
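As an added example (not part of the original page), the following Python decodes the two ways the data channel endpoint is announced on the control channel, which is exactly what the ip_conntrack FTP helper or a hand-written firewall rule needs to know; the client and server addresses are constructed samples.

```python
import re
from dataclasses import dataclass

# Added example (not from the original page): derive the data channel that the
# firewall / ip_conntrack helper must allow from the client's PORT command
# (active mode) or the server's 227 reply to PASV (passive mode). Both carry
# h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2 (RFC 959). Addresses are constructed.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataChannel:
    mode: str      # "active" or "passive"
    opener: str    # side that opens the TCP connection, "host:port"
    listener: str  # side that must accept it, "host:port"

def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def from_port_command(cmd, server_ip, client_ip):
    """Active mode: the server connects from data port 20 (RFC 959; vsftpd does
    so with connect_from_port_20=YES) to the address the client named."""
    m = _PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    host, port = _decode(m.groups())
    # The check vsftpd applies unless port_promiscuous=YES: the data connection
    # may only go back to the client that owns the control connection.
    if host != client_ip:
        raise ValueError("PORT address is not the control-connection peer")
    return DataChannel("active", f"{server_ip}:20", f"{host}:{port}")

def from_pasv_reply(reply, server_ip, client_ip):
    """Passive mode: the client connects from an ephemeral port to the port the server opened."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply")
    host, port = _decode(m.groups())
    if host != server_ip:
        raise ValueError("227 reply names an address other than the server")
    return DataChannel("passive", f"{client_ip}:ephemeral", f"{host}:{port}")

if __name__ == "__main__":
    # Constructed exchange between client 192.168.1.20 and server 192.168.1.5
    print(from_port_command("PORT 192,168,1,20,4,1", "192.168.1.5", "192.168.1.20"))
    print(from_pasv_reply("227 Entering Passive Mode (192,168,1,5,195,80).", "192.168.1.5", "192.168.1.20"))
```

For a server behind NAT the 227 reply carries the public address set with pasv_address, so the server-side comparison must use that address instead of the interface address.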

Installation :

Preparation and prerequisites

To install a vsftpd server you need the following:

  •      A server running Linux / Fedora Core.
  •      Internet access.
  •      Disk space for the different FTP areas (anonymous or not) that you want to set up.

Installing the package with yum

# yum install vsftpd

Verification

Ask RPM to list the package to verify the installation:
# rpm -qa 'vsftpd*'
vsftpd-2.0.1-5






Configuration :

 


There are a number of configuration options, which change the server behaviour in very different ways. Reading the man page for vsftpd is indispensable for a secure configuration.
The vsftpd configuration file is in /etc/vsftpd and is called vsftpd.conf. We start from an empty configuration, so we move to the folder and rename the file:

$ su -
# cd /etc/vsftpd
# mv vsftpd.conf vsftpd.conf.default

We then create a folder that will contain the user-specific configurations:

# mkdir vsftpd_user_conf

ftpusers and user_list
These two files have the same purpose: banning users. Both contain a list of users for whom the FTP server will reject any connection. Why two files (with identical content)?

  •      The first (ftpusers) is used in the PAM configuration shipped by default on Fedora and CentOS. When a user connects, PAM reads this file and, if the login appears in it, the connection is refused.
  •      The second (user_list) is used directly by vsftpd. It can have two uses: either only the users in this file have the right to connect, or they are always denied.


We do not need a list of authorized users (the second case), since the users will be managed with a virtual user database. It is therefore unnecessary to have two systems of prohibition. My choice would have been to follow the default settings made by CentOS and Fedora, that is to say use PAM, and delete the unnecessary user_list file. And yet this is not the solution I used. In fact there is a small difference in how the users are rejected. If root (present in both files by default) logs in:
  •      First case (ftpusers): the PAM system will not react, and the password will be requested. From there, even if it is correct, vsftpd will refuse the connection since "root" is present in the ftpusers file.
  •      Second case (user_list): vsftpd reacts differently. When the login is requested and the user types "root", it cuts the connection directly, without even asking for the password. It is a subtlety, but I prefer this behaviour. Since the FTP protocol sends data in clear text, this avoids, for example, sending the root password for nothing. I will therefore use the user_list file rather than ftpusers, even if this is not the default choice made for Fedora and CentOS.
Contents of the new vsftpd.conf:

# Listening port
listen_port=21
# Welcome banner
ftpd_banner=Bienvenue sur mon ftp perso
# PAM configuration file
pam_service_name=vsftpd
# "standalone" mode
listen=YES
# I do not want anonymous connections
anonymous_enable=NO
# Allow connections of local users. This is required so that the virtual users
# (mapped onto a local user) can log in (the "real" local users are then
# disabled with the user_list file)
local_enable=YES
# Users file
userlist_file=/etc/vsftpd/user_list
# Load the userlist_file list
userlist_enable=YES
# Refuse the users in the list
userlist_deny=YES
# Too restrictive otherwise: this way a virtual user can download a file even if it is not world-readable
anon_world_readable_only=NO
# Enable the commands that change the file system (STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE);
# the anon_* options below deny them to the virtual users by default
write_enable=YES
# Deny write rights to anonymous users (and therefore to virtual users) by default;
# permissions will be granted case by case:
# no upload
anon_upload_enable=NO
# no directory creation
anon_mkdir_write_enable=NO
# no creation, deletion, renaming of directories ...
anon_other_write_enable=NO
# Map the "guest" (non-anonymous) users onto the local "ftp" account
guest_enable=YES
guest_username=ftp
# chroot the users
chroot_local_user=YES
# Maximum number of simultaneous connections
max_clients=50
# Maximum number of connections from the same IP
max_per_ip=4
# Directory of the user-specific configurations
user_config_dir=/etc/vsftpd/vsftpd_user_conf
# Enable logging
xferlog_enable=YES

Short summary:
  •      It listens on port 21
  •      It is standalone
  •      We refuse anonymous users
  •      We accept the system users and the virtual users
  •      Virtual users are mapped to the system user "ftp"
  •      Users do not have write permissions by default
  •      They are chrooted to /var/ftp
  •      /etc/vsftpd/vsftpd_user_conf/ will hold the virtual users' configuration files
  •      /etc/vsftpd/user_list contains the list of denied users (for whom we will not even ask the password)

For greater safety, restrict the permissions of the configuration file:

# chmod 600 /etc/vsftpd/vsftpd.conf
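The settings above can be checked mechanically. The following Python is an added example, not part of the page or of vsftpd: it parses a vsftpd.conf and reports every option that deviates from the policy just described (the defaults it assumes for absent options are those of vsftpd.conf(5)); WEAK_CONF is a constructed sample.

```python
# Added example (not from the original page): audit a vsftpd.conf against the policy above.
# option -> (required value, default in vsftpd.conf(5) when the option is absent)
BOOL_POLICY = {
    "listen": ("YES", "NO"),             # standalone mode
    "anonymous_enable": ("NO", "YES"),   # no anonymous logins (note the permissive default)
    "local_enable": ("YES", "NO"),       # needed so virtual users, mapped onto a local account, can log in
    "guest_enable": ("YES", "NO"),       # non-anonymous logins become the guest account
    "chroot_local_user": ("YES", "NO"),  # confine users to their home directory
    "userlist_enable": ("YES", "NO"),    # load user_list ...
    "userlist_deny": ("YES", "YES"),     # ... as a deny list: refused before any password is sent
    "anon_upload_enable": ("NO", "NO"),  # no write for virtual users unless granted per user
    "anon_mkdir_write_enable": ("NO", "NO"),
    "anon_other_write_enable": ("NO", "NO"),
}
REQUIRED_VALUES = ("pam_service_name", "guest_username", "userlist_file", "user_config_dir")

def parse_vsftpd_conf(text):
    """option=value per line; '#' comments and blank lines ignored; later lines override earlier ones."""
    settings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected option=value")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd_conf(text):
    """Return one finding per deviation from the policy; an empty list means the file complies."""
    s = parse_vsftpd_conf(text)
    findings = []
    for key, (want, default) in BOOL_POLICY.items():
        got = s.get(key, default).upper()
        if got != want:
            origin = "" if key in s else " (option absent)"
            findings.append(f"{key}={got}{origin}, want {want}")
    for key in REQUIRED_VALUES:
        if not s.get(key):
            findings.append(f"{key} unset, a value is required")
    return findings

# Constructed sample: a permissive file that would let anyone upload anonymously.
WEAK_CONF = """listen=YES
anonymous_enable=YES
anon_upload_enable=YES
"""
```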


System user creation:


This user owns the files and folders that the virtual users will create.
# groupadd ftpclient
# useradd -g ftpclient -d /home/ftpclient ftpclient
# passwd ftpclient
# chown ftpclient:ftpclient /home/ftpclient
# chmod 700 /home/ftpclient


Start the vsftpd service

Once the configuration file is in place, start the FTP server by typing as root:
# /etc/init.d/vsftpd start
To start, restart and stop the service, the respective commands are (always as superuser):

# service vsftpd start
# service vsftpd restart
# service vsftpd stop


Test the server


Procedure
1-Open a prompt
2-Type -> ftp targetMachineIP
I use ftp 192.168.1.5 in this case,
3-Type the user name and password
I use root root123

If what you provide is correct, you are connected!

It is also possible to connect to an FTP server using the FTP support built into Internet Explorer or Firefox.
To access a server that requires a user name and a password, type the address as follows:
ftp://login:password@server_address

login:
the user name
password:
the password

Example: ftp://ftpclient:ftpclient@menara.ma
or
Example: ftp://ftpclient:ftpclient@192.168.1.5

If your login is correct, you can access your files!