The document provides steps to install and configure an FTP server on a Linux system using vsftpd. It includes instructions on installing vsftpd, configuring the vsftpd.conf file to enable FTP access for a test user, creating directories for the user, and testing FTP access via a client. It also discusses adding SSL/TLS encryption to secure the FTP connection.
Prepared By - Anooja Joy

Step 1 » Update repositories.
sudo apt-get update

Step 2 » Install the vsftpd package using the below command.
sudo apt-get install vsftpd

Step 3 » Restart the vsftpd service using the below command.
sudo systemctl restart vsftpd

Step 4 » Check whether your FTP server is working properly by executing:
ftp -p 172.17.14.105
OUTPUT
Connected to 172.17.14.105
220 (vsFTPd 3.0.3)
Name (172.17.14.105:KJSCE):
Enter login credentials: username: kjsce pwd: kjsce

Step 5 » Copy the configuration file so we can start with a blank configuration, saving the original as a backup.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

ADDING USERS IN FTP
sudo adduser test
• Enter the password twice and other details like:
– Full name
– Room number
– Work phone
– Home phone
– Other
• The tee command is used to store and view (both at the same time) the output of any other command. Here it appends the new username to the vsftpd user list:
echo "test" | sudo tee -a /etc/vsftpd.userlist
OUTPUT
test

USER DIRECTORY CONFIGURATION
• FTP is generally more secure when users are restricted to a specific directory. When chroot is enabled for local users, they are restricted to their home directory by default.
• STRATEGY: We will create an ftp directory to serve as the chroot and a writable files directory to hold the actual files.
• Create an ftp folder inside the home directory, set its ownership, and be sure to remove write permissions with the following commands:
sudo mkdir /home/test/ftp
sudo chown nobody:nogroup /home/test/ftp
sudo chmod a-w /home/test/ftp
Let's verify the permissions:
sudo ls -la /home/test/ftp
Output
total 8
4 dr-xr-xr-x 2 nobody nogroup 4096 Aug 24 21:29 .
4 drwxr-xr-x 3 test test 4096 Aug 24 21:29 ..
• Create the directory files where files can be uploaded and assign ownership to the user:
sudo mkdir /home/test/ftp/files
sudo chown test:test /home/test/ftp/files
• A permissions check on the files directory should return the following:
sudo ls -la /home/test/ftp
Output
total 12
dr-xr-xr-x 3 nobody nogroup 4096 Aug 26 14:01 .
drwxr-xr-x 3 test test 4096 Aug 26 13:59 ..
drwxr-xr-x 2 test test 4096 Aug 26 14:01 files
• Add a test.txt file which we will use for testing later on:
echo "vsftpd test file" | sudo tee /home/test/ftp/files/test.txt
OUTPUT
vsftpd test file

MODIFYING CONFIGURATION FILES
STRATEGY: allow a single user with a local shell account to connect with FTP.
Step 1 » sudo gedit /etc/vsftpd.conf
After installation open the /etc/vsftpd.conf file and make changes as follows. Uncomment (or add) the lines below:
write_enable=YES » allow the user to upload files.
local_umask=022 » prevent access to the other folders outside the home directory.
chroot_local_user=YES » prevent the FTP-connected user from accessing any files or commands outside the directory tree.
user_sub_token=$USER » insert the username in our local_root directory path so our configuration will work for this user and any future users that might be added.
local_root=/home/$USER/ftp
pasv_min_port=40000 » limit the range of ports that can be used for passive FTP to make sure enough connections are available.
pasv_max_port=50000
userlist_enable=YES » access is given to a user only when they are explicitly added to a list rather than by default.
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
anonymous_enable=NO
local_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome to OSL Lab FTP service. ## Uncomment and enter your welcome message - not necessary, it's optional.
use_localtime=YES ## Add this line at the end.

Step 2 » Restart the vsftpd service using the below command.
sudo systemctl restart vsftpd

TESTING FTP ACCESS BY DOWNLOADING A FILE
ftp -p 203.0.113.0
Output
Connected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): test    (Also try anonymous and sudo_user: both should fail)
331 Please specify the password.
Password: your_user's_password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
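A check for the chroot layout built above, added here as an example and not part of the guide; it assumes a temporary directory standing in for /home/test/ftp and checks permission bits only (ownership is still verified with ls -la as shown above):

```shell
# Added example, not part of the guide: check the chroot layout the guide builds
# under /home/test/ftp before restarting vsftpd. vsftpd rejects a login with
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when the
# chroot root is writable, so the root must carry no write bit (chmod a-w) and
# uploads go to a writable subdirectory owned by the user. Only permission bits
# are checked here; ownership (nobody:nogroup vs test:test) is left to ls -la.

# mode_string PATH -> the ten-character type/permission field from ls -ld,
# e.g. dr-xr-xr-x (empty when PATH does not exist).
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_chroot_layout ROOT UPLOAD_DIR -> returns 0 when the layout is acceptable;
# otherwise prints each problem and returns the number of problems found.
check_chroot_layout() {
    root=$1; upload=$2; problems=0
    case "$(mode_string "$root")" in
        d?-??-??-?) ;;   # a directory with no write bit for owner, group or other
        d*) echo "FAIL: $root is writable; fix with: chmod a-w $root"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL: $root is not a directory"; problems=$((problems + 1)) ;;
    esac
    case "$(mode_string "$upload")" in
        d?w*) ;;         # a directory its owner can write to
        d*) echo "FAIL: $upload is not writable by its owner (uploads will fail)"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL: $upload is not a directory"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed demo layout in a temporary directory standing in for /home/test/ftp.
demo=$(mktemp -d)
mkdir "$demo/ftp" "$demo/ftp/files"
chmod a-w "$demo/ftp"
check_chroot_layout "$demo/ftp" "$demo/ftp/files" && echo "layout ok"
chmod u+w "$demo/ftp"    # reintroduce the mistake the guide's chmod a-w prevents
check_chroot_layout "$demo/ftp" "$demo/ftp/files" || echo "problems found: $?"
chmod -R u+w "$demo" && rm -rf "$demo"
```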
LIST CURRENT FILES: This command lists the names of the files in the current remote directory.
ftp> ls
CHANGE DIRECTORY: To change directory on the remote machine use the cd command:
ftp> cd files        // change directory
OUTPUT
directory changed successfully
DOWNLOAD/COPY: To download / copy one file at a time from the remote ftp server to the local machine use the get command:
ftp> get test.txt    // downloading file
Output
227 Entering Passive Mode (203,0,113,0,169,12).
150 Opening BINARY mode data connection for test.txt (16 bytes).
226 Transfer complete.
16 bytes received in 0.0101 seconds (1588 bytes/s)
ftp> bye

FILE TRANSFER
• Upload one file: To copy one file at a time from the local system to the remote ftp server. Upload the file test.txt with a new name upload.txt to test write permissions:
ftp> put test.txt upload.txt
Output
227 Entering Passive Mode (203,0,113,0,164,71).
150 Ok to send data.
226 Transfer complete.
16 bytes sent in 0.000894 seconds (17897 bytes/s)
Close the connection:
ftp> bye

ACCESS FTP VIA BROWSER
• Open up your web browser and navigate to the URL ftp://ftp-server-ip/, i.e. ftp://172.17.15.10/, or ftp://username@FTP-Server-IP-Address/, and then enter the password of the FTP user.
• Enter the FTP username and password, and click Login.
• You can now download or view the FTP server's contents.

OTHER WAYS OF ACCESS
Connect to another FTP server: To open a connection with another ftp server.
ftp> open 172.17.15.86
Accessing the FTP server from another client:
sudo telnet localhost 21
• To exit from the FTP console, just type: quit.
• Go to the remote system, open up the terminal, and access the FTP server as shown below.
ftp 192.168.43.2
• Type the following in the terminal and see that vsftpd is listening on port 21 for any incoming FTP connection.
sudo netstat -ntaulp | grep vsftpd

DIRECTORY AND FILE COMMANDS
Create a directory: To make a new directory.
ftp> mkdir dirName
ftp> mkdir scripts
ftp> cd scripts
ftp> pwd
Delete a directory: To remove or delete a directory.
ftp> rmdir dirName
ftp> rmdir images
Change local directory: To change directory on your local system:
ftp> lcd /path/to/new/dir
ftp> lcd /tmp
Print local directory: The lpwd command prints the current download directory on the local system.
ftp> lpwd
Present working directory: To find out the pathname of the current directory on the remote ftp server, enter:
ftp> pwd
Download multiple files: To copy multiple files from the remote ftp server to the local system.
ftp> mget *
To download all perl files (ending with the .pl extension):
ftp> mget *.pl
Turn on / off interactive prompting: The ftp prompt command sets interactive prompting; "on" enables prompting so that you can verify each step of the multiple-file commands, "off" allows the commands to act unimpeded.
ftp> prompt on
ftp> mput *.php
ftp> prompt off
ftp> mget *.py
Delete file: To delete a file in the current remote directory use the delete command.
ftp> delete fileName
ftp> delete output.jpg
Set the mode of file transfer: The binary mode is recommended for almost all sorts of files including images, zip files and much more. The binary mode provides less chance of a transmission error. To set the mode of file transfer to ASCII:
ftp> ascii
To set the mode of file transfer to binary:
ftp> binary

SECURE FTP
• For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS). The two most common methods of securely transmitting information between two computers are the (i) Secure Shell (SSH) and (ii) Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), cryptographic protocols. Both are public-key cryptography tunneling protocols that aim to create a secure, confidential exchange of data and connection across a network (particularly the internet).
• FTP does not encrypt any data in transit, including user credentials, so we'll enable TLS/SSL to provide that encryption. The first step is to create the SSL certificates for use with vsftpd.
• We'll use openssl to create a new certificate and use the -days flag to make it valid for one year. In the same command, we'll add a private 2048-bit RSA key. Then by setting both the -keyout and -out flags to the same value, the private key and the certificate will be located in the same file. We'll do this with the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
• You'll be prompted to provide address information for your certificate. Substitute your own information for the questions below:
Generating a 2048 bit RSA private key
………
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MH
Locality Name (eg, city) []:Mumbai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KJSCE
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Once you've created the certificates, open the vsftpd configuration file again:
sudo gedit /etc/vsftpd.conf
Toward the bottom of the file, you should see two lines that begin with rsa_. Comment them out so they look like:
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Below them, add the following lines which point to the certificate and private key we just created:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
After that, we will force the use of SSL, which will prevent clients that can't deal with TLS from connecting. This is necessary in order to ensure all traffic is encrypted but may force your FTP user to change clients. Change ssl_enable to YES:
ssl_enable=YES
After that, add the following lines to explicitly deny anonymous connections over SSL and to require SSL for both data transfer and logins:
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
After this we'll configure the server to use TLS, the preferred successor to SSL, by adding the following lines:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Finally, we will add two more options. First, we will not require SSL reuse because it can break many FTP clients. Second, we will require "high" encryption cipher suites, which currently means key lengths equal to or greater than 128 bits:
require_ssl_reuse=NO
ssl_ciphers=HIGH
• Save and close the file. Restart the server for the changes to take effect:
sudo systemctl restart vsftpd
• We will no longer be able to connect with an insecure command-line client. If you try
ftp -p 203.0.113.0
and log in with test, you will get a "Login failed" message.
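An audit of the vsftpd.conf settings from the configuration section together with the TLS settings just added, as an added example that is not part of the guide; the config path and the sample file contents are constructed, and the check is meant to be run against /etc/vsftpd.conf before the final restart:

```shell
# Added example, not part of the guide: audit a vsftpd.conf for the access-control
# and TLS settings this guide applies (user list, chroot, forced TLS, no SSLv2/3,
# HIGH ciphers). Run it against /etc/vsftpd.conf before the final restart.

# vsftpd_value FILE KEY -> the effective value of KEY: the last uncommented
# assignment wins, matching how vsftpd reads the file; empty when KEY is unset.
vsftpd_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_vsftpd_conf FILE -> prints one FAIL line per deviation and returns the
# number of deviations (0 means every setting matches the guide).
audit_vsftpd_conf() {
    conf=$1; fails=0
    for spec in \
        "anonymous_enable=NO:anonymous logins disabled" \
        "local_enable=YES:local accounts may log in" \
        "chroot_local_user=YES:users jailed to local_root" \
        "userlist_enable=YES:explicit user list in force" \
        "userlist_deny=NO:user list is an allow-list, not a deny-list" \
        "ssl_enable=YES:TLS offered" \
        "force_local_logins_ssl=YES:credentials never sent in clear text" \
        "force_local_data_ssl=YES:file contents never sent in clear text" \
        "allow_anon_ssl=NO:no anonymous TLS sessions" \
        "ssl_sslv2=NO:SSLv2 disabled" \
        "ssl_sslv3=NO:SSLv3 disabled" \
        "ssl_ciphers=HIGH:only strong cipher suites"
    do
        kv=${spec%%:*}; why=${spec#*:}
        key=${kv%%=*}; want=${kv#*=}
        have=$(vsftpd_value "$conf" "$key")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s=%s (want %s): %s\n' "$key" "${have:-<unset>}" "$want" "$why"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: a config with the guide's edits not yet applied.
demo_conf=$(mktemp)
printf '%s\n' 'listen=NO' 'anonymous_enable=YES' 'local_enable=YES' \
    '#chroot_local_user=YES' 'ssl_enable=NO' > "$demo_conf"
n=0; audit_vsftpd_conf "$demo_conf" || n=$?
echo "settings still to fix: $n"
rm -f "$demo_conf"
```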