
A Vocational Training project report on
Redhat Enterprise Linux 6 at Rooman Technologies

Submitted to CHHATTISGARH SWAMI VIVEKANAND TECHNICAL UNIVERSITY, Bhilai (C.G.)

Prepared by:

Computer Science & Engineering Branch (6th Sem)
Training Period: 1st June to 5th July

Bhilai Institute Of Technology, Durg

Acknowledgement
The success of any work depends largely on the encouragement and guidelines of many others. I take this opportunity to express my gratitude to the people who have been instrumental in the successful completion of this vocational training. We acknowledge our gratitude and thank Mr. Kshitij Singhai for his help and teachings during our vocational training period.

Last but not least, we thank our teachers, friends and family members for their constant encouragement.

INDEX

Chapter   Title
          Acknowledgement
1.        Introduction to networks
          1.1 Computer Networks
          1.2 Network Topology
          1.3 Communication Media
          1.4 Communication Protocol
          1.5 IP Addressing
          1.6 OSI Layer Architecture
          1.7 Network Devices
2.        Introduction to LINUX
          2.1 Directory Structure
          2.2 vi Editor
          2.3 User Management
          2.4 Processes
          2.5 Process Scheduling
          2.6 Disk Partitioning
          2.7 Redhat Package Manager
3.        <Project Title>
          3.1 FTP Server
          3.2 vsftpd conf File
          3.3 FTP Security

1. Introduction to networks
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information. Where at least one process in one device is able to send/receive data to/from at least one process residing in a remote device, then the two devices are said to be in a network. Simply, more than one computer interconnected through a communication media for information interchange is called a computer network.

1.1 Computer Networks


Computer networks may be classified on the basis of geographical area into three broad categories:
1. Local Area Network (LAN)
2. Wide Area Network (WAN)
3. Metropolitan Area Network (MAN)

1.1.1 Local Area Network
Networks used to interconnect computers in a single room, rooms within a building or buildings on one site are called Local Area Networks (LAN). A LAN transmits data at a speed of several megabits per second (10^6 bits per second). The transmission medium is normally coaxial cable. A LAN links computers, i.e., software and hardware, in the same area for the purpose of sharing information.

1.1.2 Wide Area Network
The term Wide Area Network (WAN) is used to describe a computer network spanning a regional, national or global area. For example, for a large company the headquarters might be at Delhi and regional branches at Bombay, Madras, Bangalore and Calcutta. Here the regional centers are connected to the headquarters through a WAN. The transmission media used are therefore normally telephone lines, microwaves and satellite links.

1.1.3 Metropolitan Area Network
A metropolitan area network (MAN) is a computer network that usually spans a city or a large campus. A MAN usually interconnects a number of local area networks (LANs) using a high-capacity backbone technology, such as fiber-optic links, and provides up-link services to wide area networks (WANs) and the Internet.

1.2 Network Topology


Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer or biological network. Topology can be understood as the shape or structure of a network. This shape does not necessarily correspond to the actual physical design of the devices on the computer network. Network topologies are categorized into the following basic types:

- Bus
- Ring
- Star
- Tree
- Mesh

1.3 Communication Media


Data can be communicated from one terminal to the central computer or to other terminals through different media. These media are known as data communication channels. Cable is the most popular and widely used medium to transmit data from one location to another; it includes telephone lines, coaxial cable, twisted pair cable etc. Telephone lines are a less expensive and easy method of transmitting data. Data can also be transmitted in analog form through the air via boosters rather than cables; this type of transmission is the same as television and radio transmission. There are two categories of transmission media used in computer communications:

- BOUNDED/GUIDED MEDIA
- UNBOUNDED/UNGUIDED MEDIA

1.4 Communication Protocol

While there is no generally accepted formal definition of "protocol" in computer science, an informal definition could be "a set of procedures to be followed when communicating". In computer science the word algorithm is a synonym for the word procedure, so a protocol is to communications what an algorithm is to mathematics. Communicating systems use well-defined formats for exchanging messages. Each message has an exact meaning intended to provoke a defined response from the receiver. A protocol therefore describes the syntax, semantics, and synchronization of communication. A programming language describes the same for computations, so there is a close analogy between protocols and programming languages: protocols are to communications what programming languages are to computations. Various communication protocols are:
- NetBEUI
- TCP/IP
- AppleTalk

1.5 IP Addressing
An IP address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address. The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. Four regional Internet registries (ARIN, RIPE NCC, LACNIC and APNIC) assign Internet addresses from the following three classes:
- Class A: supports 16 million hosts on each of 126 networks
- Class B: supports 65,000 hosts on each of 16,000 networks
- Class C: supports 254 hosts on each of 2 million networks
The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6.
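The class-based split of an address into network and host parts, and the CIDR prefix that replaces it, as an added example (not code from the original report). The addresses in the comments are constructed for illustration.

```python
"""Classful IPv4 addressing versus CIDR prefixes.

Added example, not part of the original report. It parses a dotted-quad
address, derives the historical class from the leading bits, and shows how
a CIDR prefix length replaces the fixed class-based network/host split.
Addresses used in the comments are constructed for illustration.
"""
from typing import Optional, Tuple

# Historical default prefix lengths for the three unicast classes.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def parse_ipv4(text: str) -> int:
    """Return the 32-bit integer value of a dotted-quad address.

    Raises ValueError unless the text is exactly four decimal octets 0-255.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric octet in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def is_valid_ipv4(text: str) -> bool:
    """Convenience wrapper: True if parse_ipv4 accepts the text."""
    try:
        parse_ipv4(text)
    except ValueError:
        return False
    return True


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_class(text: str) -> str:
    """Classify by the leading bits of the first octet.

    0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D (multicast),
    1111xxxx = E (reserved). Example: 1.160.10.240 is class A.
    """
    first = parse_ipv4(text) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def usable_hosts(prefix_len: int) -> int:
    """Hosts per network for a prefix, less the network and broadcast addresses.

    /24 (class C) gives 254, /16 (class B) 65534, /8 (class A) 16777214,
    which are the figures the classful table above rounds to.
    """
    if not 0 <= prefix_len <= 30:
        raise ValueError("prefix must be 0-30 to leave room for hosts")
    return 2 ** (32 - prefix_len) - 2


def split_network_host(text: str, prefix_len: Optional[int] = None) -> Tuple[str, str]:
    """Return (network address, host part) as dotted quads.

    With no prefix length the classful default applies; with one, the CIDR
    split applies, so the same address can sit in a much smaller network
    (constructed example: 192.168.1.200/28 lies in 192.168.1.192).
    """
    if prefix_len is None:
        cls = ipv4_class(text)
        if cls not in CLASS_PREFIX:
            raise ValueError(f"class {cls} addresses have no host split")
        prefix_len = CLASS_PREFIX[cls]
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    value = parse_ipv4(text)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(value & mask), to_dotted(value & ~mask & 0xFFFFFFFF)
```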

1.6 OSI Layer Architecture


The OSI, or Open System Interconnection, model defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.

Application (Layer 7): This layer supports application and end-user processes.
Presentation (Layer 6): This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa.
Session (Layer 5): This layer establishes, manages and terminates connections between applications.
Transport (Layer 4): This layer provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.
Network (Layer 3): This layer provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node.
Data Link (Layer 2): At this layer, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control and frame synchronization.
Physical (Layer 1): This layer conveys the bit stream (electrical impulse, light or radio signal) through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.

1.7 Network Devices


The various network devices are:

NIC
In computer networking, a NIC provides the hardware interface between a computer and a network. A NIC technically is network adapter hardware in the form factor of an add-in card such as a PCI or PCMCIA card. In new computers, many NICs are now pre-installed by the manufacturer. All NICs feature a speed rating such as 11 Mbps, 54 Mbps or 100 Mbps that suggests the general performance of the unit.

Repeaters
Network repeaters regenerate incoming electrical, wireless or optical signals. With physical media like Ethernet or Wi-Fi, data transmissions can only span a limited distance before the quality of the signal degrades. Repeaters attempt to preserve signal integrity and extend the distance over which data can safely travel.

Bridge
A bridge device filters data traffic at a network boundary. Bridges reduce the amount of traffic on a LAN by dividing it into two segments. Bridges operate at the data link layer (Layer 2) of the OSI model. Bridges inspect incoming traffic and decide whether to forward or discard it. An Ethernet bridge, for example, inspects each incoming Ethernet frame, including the source and destination MAC addresses and sometimes the frame size, in making individual forwarding decisions.

Hub
In computer networking, a hub is a small, simple, inexpensive device that joins multiple computers together. Many network hubs available today support the Ethernet standard. Other types including USB hubs also exist, but Ethernet is the type traditionally used in home networking. Ethernet hubs vary in the speed (network data rate or bandwidth) they support. Some years ago, Ethernet hubs offered only 10 Mbps rated speeds. Newer types of hubs offer 100 Mbps Ethernet. Some support both 10 Mbps and 100 Mbps (so-called dual-speed or 10/100 hubs).

Switch
A network switch is a small hardware device that joins multiple computers together within one local area network (LAN). Technically, network switches operate at layer two (Data Link Layer) of the OSI model. Network switches appear nearly identical to network hubs, but a switch generally contains more intelligence (and a slightly higher price tag) than a hub. Unlike hubs, network switches are capable of inspecting data packets as they are received, determining the source and destination device of each packet, and forwarding them appropriately.

2. Introduction to Linux
Linux is a free open-source operating system based on Unix. Linux was originally created by Linus Torvalds with the assistance of developers from around the globe. Linux is free to download, edit and distribute. Linux is a very powerful operating system and it is gradually becoming popular throughout the world. Linux was originally developed as a free operating system for Intel x86-based personal computers. It has since been ported to more computer hardware platforms than any other operating system. It is a leading operating system on servers and other big iron systems such as mainframe computers and supercomputers: more than 90% of today's 500 fastest supercomputers run some variant of Linux, including the 10 fastest. Linux also runs on embedded systems (devices where the operating system is typically built into the firmware and highly tailored to the system) such as mobile phones, tablet computers, network routers, televisions and video game consoles; the Android system in wide use on mobile devices is built on the Linux kernel.

Advantages of Linux
- Low cost
- Stability
- Performance
- Networking
- Flexibility
- Compatibility
- Wider choice
- Fast and easy installation
- Better use of hard disk
- Multitasking
- Security
- Open source

Presently, Linux is successfully being used by several millions of users worldwide. The composition of user groups varies from private users, training companies, universities, research centers right through to commercial users and companies, who view Linux as a real alternative to other operating systems.

VARIANTS
- Caldera Linux
- Corel Linux
- Debian Linux
- Kondara Linux
- Red Hat Linux
- Mandrake Linux
- Slackware Linux
- SuSE Linux
- Turbolinux
- Vector Linux

2.1 Directory Structure


One of the most noticeable differences between Linux and Windows is the directory structure. Not only is the format different, but the logic of where to find things is different. In Windows, we use this format to access a file in a directory:
    D:\Folder\subfolder\file.txt
In Linux, this is the basic format:
    /Folder/subfolder/file.txt
Notice that the slashes are forward slashes in Linux versus backslashes in Windows. Also, there is no drive name (C:, D:, etc.) in Linux. At boot, the root partition is mounted at /. All files, folders, devices and drives are mounted under /. Though it is not apparent from this example, it is important to note that files and folders in Linux are case sensitive: /Folder/subfolder/file.txt is not the same as /folder/subfolder/file.txt. The directory structure in Unix and Linux is a unified directory structure in which all directories are unified under the "/" root file system. Irrespective of where a file system is physically mounted, all directories are arranged hierarchically under the root file system. The Linux directory structure follows the Filesystem Hierarchy Standard (FHS) maintained by the Free Standards Group, although most distributions sometimes tend to deviate from the standard.

Let's have a quick stroll across the different directories under the Linux filesystem hierarchy:

/ (Root): The directory structure starts with the root file system "/", which is the root directory for the whole structure. It is the partition where / (the root directory) is located on a UNIX or UNIX-compatible system.
/boot: Contains the boot loader files including GRUB or LILO, the kernel, initrd and the System.map and config files.
/sys: Contains the kernel, firmware and system related files.
/sbin: Contains the essential system binaries and system administration tools essential for system operation and performance.
/bin: Contains the essential binaries for users and those utilities that are required in single user mode. Examples include cat, ls, cp etc.
/lib: Contains the library files for all the binaries held in the /sbin and /bin directories.
/dev: Contains the essential device files and drivers.
/etc: Contains essential system configuration files including /etc/hosts, /etc/resolv.conf, nsswitch.conf, defaults and network configuration files. These are mostly host specific system and application configuration files.
/home: All user home directories are held under this directory, with the exception of the root home directory, which is kept under /root. This directory holds users' files and personal settings like .profile etc.
/media: A generic mount point for removable media like CD-ROM, USB, floppies etc.
/mnt: A generic mount point for temporary file systems. This comes in handy particularly when troubleshooting from a CD-ROM etc., where you might have to mount the root file system and edit configurations.
/opt: A rarely used directory in Linux for optional software packages. This is extensively used in UNIX operating systems like Sun Solaris, where software packages are installed here.
/usr: A sub-hierarchy of the root file system which is a user data directory. Contains user specific utilities and applications. Here again a lot of important but not critical file systems are mounted. You will find bin, sbin and lib directories containing non-critical user and system binaries and related libraries, a share directory, and the include directory with include files.
/var: Mostly mounted as a separate file system under the root, holding all the variable content like logs, spool files for printers, crontab and at jobs, mail, running process information, lock files etc. Care has to be taken in planning and maintaining this file system, as it can fill up pretty quickly, and when the file system is full it can cause system and application operational issues.
/tmp: A temporary file system which holds temporary files that are cleared at system reboot. There is also a /var/tmp directory which holds temporary files too; the only difference between the two is that /var/tmp holds files that are preserved across a system reboot. In other words, /var/tmp files are not flushed upon a reboot.
/proc: A virtual (pseudo) file system which resides in memory and is mounted under the root, holding kernel and process statistics in text file format.

2.2 vi Editor
vi is a screen-oriented text editor originally created for the Unix operating system. The portable subset of the behavior of vi and programs based on it, and the ex editor language supported within these programs, is described by (and thus standardized by) the Single Unix Specification and POSIX.

vi is a modal editor: it operates in either insert mode (where typed text becomes part of the document) or normal mode (where keystrokes are interpreted as commands that control the edit session). For example, typing i while in normal mode switches the editor to insert mode, but typing i again at this point places an "i" character in the document. From insert mode, pressing the escape key switches the editor back to normal mode. A perceived advantage of vi's separation of text entry and command modes is that both text editing and command operations can be performed without requiring the removal of the user's hands from the home row. As non-modal editors usually have to reserve all keys with letters and symbols for the printing of characters, any special commands for actions other than adding text to the buffer must be assigned to keys which do not produce characters, such as function keys, or combinations of modifier keys such as Ctrl, and Alt with regular keys. Vi has the advantage that most ordinary keys are connected to some kind of command for positioning, altering text, searching and so forth, either singly or in key combinations. Many commands can be touch typed without the use of Shift, Ctrl or Alt. Other types of editors generally require the user to move their hands from the home row when touch typing:

- To use a mouse to select text, commands, or menu items in a GUI editor.
- To use the arrow keys or editing functions (Home / End or function keys).
- To invoke commands using modifier keys in conjunction with the standard typewriter keys.

2.3 User Management

The control of users and groups is a core element of Red Hat Enterprise Linux system administration. While users can be either people or accounts which exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group. Each user is associated with a unique numerical identification number called a user ID (UID). Likewise, each group is associated with a group ID (GID). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and the file owner. Additionally, Red Hat Enterprise Linux supports access control lists (ACLs) for files and directories, which allow permissions to be set for specific users other than the owner.

To add a new user to the system, type the following at a shell prompt as root:
    useradd [options] username
where options are command line options. By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password:
    passwd username
To add a new group to the system, type the following at a shell prompt as root:
    groupadd [options] group_name
where options are command line options.

2.4 Processes
Processes carry out tasks within the operating system. A program is a set of machine code instructions and data stored in an executable image on disk and is, as such, a passive entity; a process can be thought of as a computer program in action. It is a dynamic entity, constantly changing as the machine code instructions are executed by the processor. As well as the program's instructions and data, the process also includes the program counter and all of the CPU's registers, as well as the process stacks containing temporary data such as routine parameters, return addresses and saved variables. The currently executing program, or process, includes all of the current activity in the microprocessor. Linux is a multiprocessing operating system; processes are separate tasks, each with their own rights and responsibilities. If one process crashes it will not cause another process in the system to crash. Each individual process runs in its own virtual address space and is not capable of interacting with another process except through secure, kernel-managed mechanisms. Processes communicate with each other and with the kernel to coordinate their activities.

To see information about the currently running processes, including their process identification numbers (PIDs), we use the ps command. Both Linux and UNIX support the ps command to display information about all running processes. The ps command gives a snapshot of the current processes.

The ps command
Type the following ps command to display all running processes:
    # ps aux | less
where:
- -A: select all processes
- a: select all processes on a terminal, including those of other users
- x: select processes without controlling ttys

Task: see every process on the system
    # ps -A
    # ps -e
Task: see every process except those running as root
    # ps -U root -u root -N
Task: see processes run by a user
    # ps -u <username>

Even on Linux it sometimes happens that processes wear out their welcome and stick around longer than you would like them to. They simply ignore your request to close up and go away. But there is a way of terminating them safely. The kill command works together with the ps command: with the ps command (ps stands for "process status") you find out the identity of the program you want to get rid of, then kill will finish it off.

The kill command
Now, if you want to terminate, for example, the emacs process, you would look up its process identifier (PID) in the ps listing (3216 in this example) and say:
    $ kill -9 3216
The -9 will ensure "execution". A convenient shortcut is the Alt-Ctrl-Esc key combination, which allows you to simply click on the application you want to kill.

2.5 Process Scheduling


Cron jobs are used to schedule commands to be executed periodically. You can set up commands or scripts which will repeatedly run at a set time. Cron is one of the most useful tools in Linux or UNIX-like operating systems. The cron service (daemon) runs in the background and constantly checks the /etc/crontab file and the /etc/cron.*/ directories. It also checks the /var/spool/cron/ directory. crontab is the command used to install, deinstall or list the tables (cron configuration files) used to drive the cron daemon in Vixie Cron. Each user can have their own crontab file, and though these are files in /var/spool/cron/crontabs, they are not intended to be edited directly. You need to use the crontab command for editing or setting up your own cron jobs.

Different types of cron configuration
There are two different types of configuration files:
1. The UNIX / Linux system crontab: usually used by system services and critical jobs that require root-like privileges. The sixth field (see below for the field description) is the name of a user for the command to run as. This gives the system crontab the ability to run commands as any user.
2. The user crontabs: users can install their own jobs using the crontab command. The sixth field is the command to run, and all commands run as the user who created the crontab.

To edit your crontab file, type the following command at the UNIX / Linux shell prompt:
    $ crontab -e

Syntax of crontab (field description)
A cron job for user jobs looks as follows:
    1 2 3 4 5 /path/to/command arg1 arg2
or
    1 2 3 4 5 /root/backup.sh
where:
- 1: Minute (0-59)
- 2: Hours (0-23)
- 3: Day (0-31)
- 4: Month (0-12 [12 == December])
- 5: Day of the week (0-7 [7 or 0 == Sunday])
- /path/to/command: script or command name to schedule
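How the five time fields of a user crontab line are expanded and matched against a clock minute, as an added example (not code from the original report or from Vixie cron). It assumes the standard field ranges and the Vixie cron rule for day-of-month versus day-of-week; the crontab lines in the test are constructed.

```python
"""Match a user crontab schedule against a given minute.

Added example, not part of the original report. It expands the five time
fields of a user crontab line using Vixie cron syntax (single values,
ranges, comma lists, '*' and '/step') and reports whether the job would
fire at a given datetime. It assumes the standard field ranges: minute
0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-7 with both
0 and 7 meaning Sunday. Sample lines such as '30 2 * * 1-5 /root/backup.sh'
are constructed.
"""
from datetime import datetime
from typing import List, Set, Tuple

# (low, high) bounds for minute, hour, day of month, month, day of week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one field such as '*/15', '1-5', '0,30' or '5' into a set."""
    values: Set[int] = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            if not step_text.isdigit() or int(step_text) < 1:
                raise ValueError(f"bad step in {spec!r}")
            step = int(step_text)
            if item != "*" and "-" not in item:
                raise ValueError(f"step needs a range or '*' in {spec!r}")
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            if not (a.isdigit() and b.isdigit()):
                raise ValueError(f"bad range in {spec!r}")
            start, end = int(a), int(b)
        elif item.isdigit():
            start = end = int(item)
        else:
            raise ValueError(f"unrecognised field {spec!r}")
        if not lo <= start <= end <= hi:
            raise ValueError(f"{spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line: str) -> Tuple[List[Set[int]], str]:
    """Split a user crontab line into its five field sets and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError(f"need five time fields and a command: {line!r}")
    fields = [parse_field(spec, lo, hi)
              for spec, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    # 7 is an alias for Sunday (0); fold it so matching needs one check.
    if 7 in fields[4]:
        fields[4].discard(7)
        fields[4].add(0)
    return fields, parts[5]


def crontab_error(line: str) -> str:
    """Return the validation error for a line, or '' if it is acceptable."""
    try:
        parse_crontab_line(line)
    except ValueError as exc:
        return str(exc)
    return ""


def matches(fields: List[Set[int]], when: datetime) -> bool:
    """True if the schedule fires in the minute that `when` falls in.

    Python's weekday() is Monday=0; cron's is Sunday=0. Vixie cron rule:
    when both day-of-month and day-of-week are restricted (neither is '*'),
    the job runs when either of them matches.
    """
    minute, hour, dom, mon, dow = fields
    if when.minute not in minute or when.hour not in hour or when.month not in mon:
        return False
    cron_dow = (when.weekday() + 1) % 7
    dom_restricted = dom != set(range(1, 32))
    dow_restricted = dow != set(range(0, 7))
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    if dom_restricted and dow_restricted:
        return dom_ok or dow_ok
    return dom_ok and dow_ok
```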

2.6 Disk Partitioning


Partitioning is a means to divide a single hard drive into many logical drives. A partition is a contiguous set of blocks on a drive that are treated as an independent disk. A partition table is an index that relates sections of the hard drive to partitions.

Why have multiple partitions?
- Encapsulate your data. Since file system corruption is local to a partition, you stand to lose only some of your data if an accident occurs.
- Increase disk space efficiency. You can format partitions with varying block sizes, depending on your usage. If your data is in a large number of small files (less than 1k) and your partition uses 4k sized blocks, you are wasting 3k for every file. In general, you waste on average one half of a block for every file, so matching block size to the average size of your files is important if you have many files.
- Limit data growth. Runaway processes or maniacal users can consume so much disk space that the operating system no longer has room on the hard drive for its bookkeeping operations. This will lead to disaster. By segregating space, you ensure that things other than the operating system die when allocated disk space is exhausted.

A partition is labeled to host a certain kind of file system (not to be confused with a volume label). Such a file system could be the Linux standard ext2 file system or Linux swap space, or even foreign file systems like (Microsoft) NTFS or (Sun) UFS. There is a numerical code associated with each partition type. For example, the code for ext2 is 0x83 and Linux swap is 0x82. To see a list of partition types and their codes, execute:
    /sbin/sfdisk -T

Primary Partitions
The number of partitions on an Intel-based system was limited from the very beginning: The original partition table was installed as part of the boot sector and held space for only four partition entries. These partitions are now called primary partitions.

Logical Partitions
One primary partition of a hard drive may be subpartitioned. These are logical partitions. This effectively allows us to skirt the historical four partition limitation. The primary partition used to house the logical partitions is called an extended partition and it has its own file system type (0x05). Unlike primary partitions, logical partitions must be contiguous. Each logical partition contains a pointer to the next logical partition, which implies that the number of logical partitions is unlimited. However, linux imposes limits on the total number of any type of partition on a drive, so this effectively limits the number of logical partitions. This is at most 15 partitions total on an SCSI disk and 63 total on an IDE disk.

Swap Partitions
Every process running on your computer is allocated a number of blocks of RAM. These blocks are called pages. The set of in-memory pages which will be referenced by the processor in the very near future is called a "working set." Linux tries to predict these memory accesses (assuming that recently used pages will be used again in the near future) and keeps these pages in RAM if possible. If you have too many processes running on a machine, the kernel will try to free up RAM by writing pages to disk. This is what swap space is for. It effectively increases the amount of memory you have available. However, disk I/O is about a hundred times slower than reading from and writing to RAM. Consider this emergency memory and not extra memory. If memory becomes so scarce that the kernel pages out from the working set of one process in order to page in for another, the machine is said to be thrashing. Some readers might have inadvertently experienced this: the hard drive is grinding away like crazy, but the computer is slow to the point of being unusable. Swap space is something you need to have, but it is no substitute for sufficient RAM.

2.7 RPM
rpm is a powerful package manager, which can be used to build, install, query, verify, update, and erase individual software packages. A package consists of an archive of files and meta-data used to install and erase the archive files. The meta-data includes helper scripts, file attributes, and descriptive information about the package. Packages come in two varieties: binary packages, used to encapsulate software to be installed, and source packages, containing the source code and recipe necessary to produce binary packages. The rpm command is used for installing, uninstalling, upgrading, querying, listing, and checking RPM packages on your Linux system. RPM stands for Red Hat Package Manager. With root privilege, you can use the rpm command with appropriate options to manage RPM software packages.

rpm command and options
- -i: install a package
- -v: verbose
- -h: print hash marks as the package archive is unpacked

3. <Project Title>

File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet. It is often used to upload web pages and other documents from a private development machine to a public web-hosting server. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server. FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that hides (encrypts) the username and password, and encrypts the content, SSH File Transfer Protocol may be used. The first FTP client applications were interactive command-line tools, implementing standard commands and syntax. Graphical user interfaces have since been developed for many of the popular desktop operating systems in use today, including general web design programs like Microsoft Expression Web, and specialist FTP clients such as CuteFTP.

3.1 FTP Server


The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems include an FTP server application as part of the software suite. Linux is no exception. This chapter will show you how to convert your Linux box into an FTP server using the default Very Secure FTP Daemon (VSFTPD) package included in Fedora.

FTP Overview
FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels:
- FTP Control Channel, TCP Port 21: All commands you send and the FTP server's responses to those commands go over the control connection, but any data sent back (such as "ls" directory listings or actual file data in either direction) goes over the data connection.
- FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
In addition to these channels, there are several varieties of FTP.

Types of FTP
From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client. These are illustrated in Figure 15-1.

Figure 15-1 Active And Passive FTP Illustrated

From a user management perspective there are also two types of FTP: regular FTP, in which files are transferred using the username and password of a regular user of the FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well-known universal login method. Take a closer look at each type.

Active FTP
The sequence of events for active FTP is:
1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
2. Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
3. Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.

FTP active mode therefore transfers data in a way that is counter-intuitive compared with the usual TCP pattern: the server selects port 20 as its source port (not a random high port greater than 1024) and connects back to the client on a random high port that was pre-negotiated over the port 21 control connection. Active FTP may fail in cases where the client is protected from the Internet via many-to-one NAT (masquerading), because the firewall will not know which of the many machines behind it should receive the return connection.

Passive FTP
Passive FTP works differently:
1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
2. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall. As Windows defaults to active FTP and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
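The endpoint that each mode negotiates over the control connection decides which data connection a firewall must admit. As an added example, not part of the report, the functions below decode the two encodings from RFC 959 (the PORT command and the 227 reply, which the report does not show; their format is assumed from the standard) into the host and high port that the data connection will use; the sample messages are constructed.

```shell
# Added example, not from the report: decode the data-connection endpoint that
# each FTP mode negotiates over the port-21 control connection (encoding per
# RFC 959, assumed here). In active mode the client sends
# "PORT h1,h2,h3,h4,p1,p2" and the server connects from port 20 to that
# address; in passive mode the server answers "227 ... (h1,h2,h3,h4,p1,p2)"
# and the client connects to it. In both cases port = p1*256 + p2.

# Print "host port" for a six-number tuple such as 192,168,1,10,195,80.
ftp_decode_tuple() {
    echo "$1" | awk -F, 'NF == 6 { printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# Active mode: parse the client's PORT command. The server's data connection
# will go FROM server:20 TO the host:port printed here, so a firewall in front
# of the client has to admit an inbound connection to that high port.
ftp_active_target() {
    tuple=$(echo "$1" | sed -n 's/^PORT[[:space:]]*\([0-9,]*\).*/\1/p')
    [ -n "$tuple" ] || return 1
    ftp_decode_tuple "$tuple"
}

# Passive mode: parse the server's 227 reply. The client's data connection
# will go FROM a client high port TO the host:port printed here, so only the
# server side needs to accept an inbound connection on a high port.
ftp_passive_target() {
    tuple=$(echo "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    ftp_decode_tuple "$tuple"
}

# Constructed sample messages for demonstration.
ftp_active_target "PORT 10,0,0,5,4,1"                                  # 10.0.0.5 1025
ftp_passive_target "227 Entering Passive Mode (192,168,1,10,195,80)"   # 192.168.1.10 50000
```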

Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials. VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel. The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.

Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.

3.2 Vsftpd conf File


VSFTPD reads its vsftpd.conf configuration file only when it starts, so you have to restart VSFTPD each time you edit the file for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directory, depending on your Linux distribution. The file uses a number of default settings you need to know about.

VSFTPD runs as an anonymous FTP server by default. Unless you want any remote user to log in to your default FTP directory using a username of anonymous and a password that is the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to log in by removing the comment symbol (#) before the local_enable instruction.
VSFTPD allows anonymous remote users to download only, not to upload. This can be changed by modifying the anon_upload_enable directive.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive.
There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory, and with the default setting you run the risk of filling up your /var partition. It is best to make the anonymous FTP directory reside in its own dedicated partition.

The configuration file is fairly straightforward, as you can see in the snippet below, where anonymous FTP and individual accounts are enabled simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.

Other vsftpd.conf Options


There are many other options you can add to this file:

Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login (anon_max_rate)
The maximum rate of data transfer per non-anonymous login (local_max_rate)

To start, stop, and restart vsftpd after booting, the service command is the same:
user@ubuntu:~$ sudo service vsftpd start
user@ubuntu:~$ sudo service vsftpd stop
user@ubuntu:~$ sudo service vsftpd restart
To determine whether vsftpd is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the vsftpd daemons.
user@ubuntu:~$ sudo service vsftpd status
user@ubuntu:~$ pgrep vsftpd
Note: Remember to run the sysv-rc-conf command at least once to ensure vsftpd starts automatically on your next reboot.
You can also test whether the VSFTPD process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a | grep ftp

If VSFTPD wasn't running, there would be no output at all.

3.3 FTP Security


FTP has a number of security drawbacks, but you can overcome some of them. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration so that the FTP server's software version is not displayed, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.

The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access for certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, which increases the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.

Anonymous Upload
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
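The vsftpd.conf defaults from section 3.2 and the security points above can be checked mechanically before the service is restarted. The script below is an added example, not the report's or the vsftpd project's code: it reads the effective value of each directive discussed (falling back to defaults assumed from the vsftpd manual when a key is absent) and prints a WARN line for anonymous access, anonymous writes, disabled transfer logging and missing connection limits; the sample configuration it audits is constructed to match the chapter's snippet.

```shell
# Added example, not from the report or the vsftpd project: audit a vsftpd.conf
# against the settings this chapter discusses, printing one WARN line per risky
# setting. Directive names are real vsftpd ones; fallback defaults are assumed
# from the vsftpd manual; the sample config below is constructed.

# Effective value of a directive: last uncommented "key=value" line, upper-cased
# (vsftpd accepts YES/yes alike), or the given default when the key is absent.
vsftpd_get() {  # $1=config file  $2=directive  $3=default
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val" | tr '[:lower:]' '[:upper:]'; else echo "$3"; fi
}

warn() { echo "WARN $1"; warns=$((warns + 1)); }

# Audit one config file; returns the number of warnings printed.
vsftpd_audit() {
    warns=0
    if [ "$(vsftpd_get "$1" anonymous_enable YES)" = YES ]; then
        warn "anonymous_enable=YES: any remote user can log in as anonymous"
        # Anonymous writes need the global write_enable plus an anon_* directive.
        if [ "$(vsftpd_get "$1" write_enable NO)" = YES ]; then
            for d in anon_upload_enable anon_mkdir_write_enable; do
                [ "$(vsftpd_get "$1" "$d" NO)" = YES ] && warn "$d=YES: anonymous users can write"
            done
        fi
    fi
    [ "$(vsftpd_get "$1" xferlog_enable NO)" = YES ] || warn "xferlog_enable is off: transfers not logged"
    for d in max_clients max_per_ip; do   # 0 means unlimited
        [ "$(vsftpd_get "$1" "$d" 0)" != 0 ] || warn "$d unset: no connection limit"
    done
    [ "$warns" -eq 0 ] && echo "OK no findings"
    return "$warns"
}

# Constructed sample reproducing the chapter's snippet: anonymous and local
# users enabled, anonymous uploads left commented out. Prints the file name.
vsftpd_sample_conf() {
    f=$(mktemp)
    printf '%s\n' '# Allow anonymous FTP?' 'anonymous_enable=YES' \
        'anon_root=/data/directory' 'local_enable=YES' 'write_enable=YES' \
        '#anon_upload_enable=YES' '#anon_mkdir_write_enable=YES' \
        'xferlog_enable=YES' 'xferlog_file=/var/log/vsftpd.log' > "$f"
    echo "$f"
}

conf=$(vsftpd_sample_conf); vsftpd_audit "$conf" || :; rm -f "$conf"
```

Run against the chapter's snippet it reports anonymous access and the two missing connection limits; pointing it at /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf) audits the live file.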

Using SCP as Secure Alternative to FTP


One of the disadvantages of FTP is that it does not encrypt your username and password. This could leave your user account vulnerable to anyone eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
