Setting Up an FTP Server | Beginning Fedora 2

If you want to enable other users to download files from a location on your server s hard disk, and/or to upload files to that location, one solution is to install an FTP server . You can think of an FTP server essentially as an area of disk space that is used for storing files, plus the software and configuration required to allow other users to upload and download files. When users want to upload or download from your FTP server, they use a program called an FTP client .

These communications between FTP server and FTP client take place using the File Transfer Protocol (FTP) . FTP is a TCP protocol that is designed specifically for the transfer of files over a network, and it s one of the oldest Internet protocols still in widespread use. The availability of so many different FTP client programs, and the fact that many operating systems come with FTP software preinstalled , are indications of how relevant FTP still is today.

FTP is not considered a secure protocol because communication between the FTP client and server are unencrypted. Consequently, Secure FTP (SFTP) is also becoming popular (and, indeed, is part of the openssh package that comes with Fedora 2). You can also configure your FTP server in other ways, for example, by forcing users to log in, or by using access control lists (ACLs) to allow different rights to different groups of users.

Note	You need to take security precautions if you plan to expose your FTP server on the Internet. There s also information on this subject, and on the FTP protocol in general, at RFCs 959 and 2577 ( ftp://ftp.rfc-editor.org/in-notes/rfc959.txt and ftp://ftp.rfc-editor.org/in-notes/rfc2577.txt ).

In fact, many FTP servers still allow anonymous FTP access, which means that the FTP server allows any user to access its disk space and download its files. Anonymous FTP access is used mostly to enable users to access freely available documents and files via the Internet without access control.

In spite of the security issues, FTP remains popular ”it s fast and easy to use, and it is the Internet standard protocol for file transfer.

FTP Servers in the Fedora Linux Distribution

A number of FTP servers are available for Fedora Linux 2:

vsftpd is a simplified FTP server implementation. It is designed to be a very secure FTP server, and can also be configured to allow anonymous access. We explore vsftpd in this section.
TUX is a kernel-based, threaded, extremely high-performance HTTP server that also has FTP capabilities. TUX is perhaps the best in terms of performance, but offers less functionality than other FTP server software. TUX is installed by default with Fedora 2.
wu- ftpd is a highly configurable and full-featured FTP daemon that was popular in earlier versions of Red Hat Linux, but has since given way to the more security-conscious vsftpd .
gssftpd is a kerberized FTP daemon, which means that it is suitable for use with the Kerberos authentication system.

All of these FTP servers ship as part of the Fedora Linux 2 distribution. However, we will consider only the first of these, vsftpd , here.

Installing the vsftpd FTP Server

The easiest way to install the vsftpd FTP Server package is via the RPM GUI Tool. After you ve started the tool (for example, by selecting Main Menu>System Settings>Add/Remove Applications), find the FTP Server package group , which is listed under the Servers category. Check the Details.

Note	You can click Details to see the package details. You will see that the package group contains only one package vsftpd ”it s under the Required Packages banner (see Figure 9-8). Figure 9-8

Click Install Packages to begin installation of the vsftpd FTP server. You ll be prompted to insert the Fedora 2 installation discs as necessary.

Starting Your FTP Server

To start the FTP service (and enable users to upload and download files), you can use the Service Configuration Tool. To launch the tool, select Main Menu>System Settings>Server Settings>Services, or type the following command at the command line:

   $ system-config-services

You ll be prompted for the root password, unless you re already logged on as root. To start the vsftpd FTP Server, select the vsftpd entry in the list and then click the Start button (see Figure 9-9).

Figure 9-9

Again, if you want the FTP service to start automatically next time you reboot your machine, then select the check box to indicate so. Then select File>Save Changes to save your new settings.

It s also possible to start and stop these FTP services from the command line, using the service command to start and stop the vsftpd script:

   # service vsftpd start   Starting vsftpd:                                                 [  OK  ]   # service vsftpd stop   Stopping vsftpd:                                                 [  OK  ]

If you run the script without an option, the resulting usage message reveals all the available options:

   # service vsftpd   Usage: vsftpd {startstoprestartcondrestartstatus}

Testing Your FTP Server

Now you ve set up your FTP server and started the service, we ll adopt the role of the client to quickly test that the service is working. From a command line, issue the ftp command to start an FTP session, naming your FTP server as the server that you want to connect to:

 $ ftp 192.168.0.99 Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1) Name (192.168.0.99:kapil):

Recall that 192.168.0.99 is the IP address of the Linux server. You should get a Name login prompt such as the one shown here ”this is enough to confirm that the vsftpd server is running. Press Ctrl+C to terminate this FTP session and return to the command line.

Using Your FTP Server

Having installed and ( briefly ) tested your FTP server, you can begin to use it; this section demonstrates a few uses. There are a number of configuration issues to consider, and this section takes a look at five of the most important ones:

Configuring for anonymous FTP server file download
Configuring for anonymous FTP server file upload
Creating a system account for per-user access to the FTP server
Disabling local system user accounts
Blocking FTP access for user accounts

It also shows you how to configure an FTP greeting banner.

Configuring an Anonymous FTP Server for File Download

Anonymous users cannot read from just any directory on your Linux server. By default, the vsftpd package creates a directory tree starting at /var/ftp , and enables anonymous read access to this directory and the directory structure beneath it.

To demonstrate this, let s start by placing a test file on the FTP server so that other users can download it. Then, let s adopt the role of one of these users, and run a client FTP session to access the FTP server, examine the contents of the FTP site, and download a copy of the test file.

Setting Up the FTP Server

All you need to do here is place some test content somewhere under the /var/ftp directory, so that other users can access it. The owner of the /var/ftp is the root account, and, by default, is the only one with permission to write to the directory. (Recall from Chapter 5 that the owner , group , and others can all have different privileges on a directory or file.)

To start, use a command line to switch to the root user:

   $ su -   Password:

Place whatever content you want under the /var/ftp directory. For example, you can easily use a command such as echo to create a simple test file:

   # cd /var/ftp/pub     # echo "This is the contents of a test file!" > test.txt

Here, we ve created the file test.txt and placed it in the /pub subdirectory.

Using an FTP Client to Test Anonymous Read Access

Now you can test for anonymous read access by using an FTP client to try to grab a copy of this test file via an FTP connection. You can use any FTP client, and you can test from a Windows or Linux machine ”provided the client machine can see the FTP server across a network. (You can even use your Linux server as a client, if you have only one machine.)

For example, in both Windows and Linux, you can use the ftp program at the command line. The following example uses the ftp program as FTP client to connect to the FTP server, examine the contents of the FTP site, and then download the file test.txt .

Start by connecting to the FTP server. When you re prompted for a username, specify anonymous (as shown) or ftp to indicate that you want anonymous access:

   $ ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1)   Name (192.168.0.99:kapil): anonymous   331 Please specify the password. Password: 230 Login successful. Have fun. Remote system type is UNIX. Using binary mode to transfer files.

Now, you can start to examine the contents of the FTP site that are available to users with anonymous access. For example, the following uses the ls command to examine the contents of the FTP root directory (which happens to be the directory /var/ftp on the server):

   ftp>ls   227 Entering Passive Mode (192,168,0,99,69,34) 150 Here comes the directory listing. drwxr-r-x    2 0        0           4096 Feb 28 13:40 pub 226 Directory send OK.

This shows that the root directory contains just one subdirectory, called pub . Now, use cd to change to this directory, and list its contents:

   ftp> cd pub   250 Directory successfully changed.   ftp> ls -al   227 Entering Passive Mode (192,168,0,99,56,125) 150 Here comes the directory listing. drwxr-xr--x   2  0        0              4096 Feb 28 13:40 . drwxr-xr-x    3  0        0              4096 Feb 27 19:15 .. -rw-r--r--    1  0        0                22 Feb 28 13:30 test.txt 226 Directory send OK.

Now, we ll attempt to download the test.txt file we ve just located. To do this, use the get command:

   ftp> get test.txt   local: test.txt remote: test.txt 227 Entering Passive Mode (192,168,0,99,98,207) 150 Opening BINARY mode data connection for test.txt (22 bytes). 226 File send OK.

When the file is successfully downloaded, you should find it in your present working directory.

Finally, end the session:
```
   ftp> bye   221 Goodbye.   $   
```

For more information about anonymous FTP, refer to RFC 1635, which can be found at ftp://ftp.rfc-editor.org/in-notes/rfc1635.txt .

Configuring an Anonymous FTP Server for File Upload

In much the same way, anonymous FTP users can write only to the directories that you allow them to write to. By default, vsftpd does not allow users to upload to the FTP server at all; you must first configure the server to allow anonymous users write access to some directory.

So, we ll set up the FTP server for anonymous write access first; then we ll test it again using an FTP client.

Setting Up the FTP Server for Anonymous Write Access

There are four steps here. We ll need to create the folder, set the appropriate permissions, and then enable uploading in the FTP server configuration:

Create a writeable directory. Again, you ll need the root account for this. Create a directory called /upload (in the /var/ftp/pub directory):
```
   # cd /var/ftp/pub     # mkdir upload   
```
Set the permission of the upload directory so that it allows write-only access to anonymous FTP users (so that they can write to the directory but not to download from it ”this restricts file sharing among FTP users). To do this, first use the chgrp command to change the group associated with the upload directory:
```
   # chgrp ftp upload   
```
Now, the owner of the folder is still root, but the directory s group is ftp ”the set of FTP users. Now use the chmod command to assign read/write/execute access to the owner, write access only to the group, and deny access to other users:
```
   # chmod -R u=rwx,g=wx,o-rxw upload   
```
Finally, you must configure the vsftpd server to allow anonymous upload. To do this, simply edit the configuration file, /etc/vsftpd/vsftpd.conf . Open this file using gedit (or your favorite text editor), and locate the following lines:
```
 # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES 
```
Just remove the leading hash ( #) character in the last line, and save the file:
```
   anon_upload_enable=YES   
```
Restart the vsftpd service by using the Restart button in the Server Configuration dialog box, or typing the following at the command line:
```
   # service vsftpd restart   
```

That s it. Now you re ready to test this configuration.

Using an FTP Client to Test Anonymous Write Access

Let s test our configuration with another simple session on our FTP client:

Connect to the client and log in (with the username anonymous or ftp ) as you did before:

   $ ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1)   Name (192.168.0.99:kapil): anonymous

   Password:   230 Login successful. Have fun. Remote system type is UNIX. Using binary mode to transfer files.

Change to the pub/upload directory. Try to list its contents ”you ll find that you can t because that s the way you configured the permissions on the upload directory:

   ftp> cd /pub/upload   250 Directory successfully changed.   ftp> ls   227 Entering Passive Mode (192,168,0,99,95,148) 150 Here comes the directory listing. 226 Transfer done (but failed to open directory).

However, you can upload a file. To prove it, use the put command to upload a simple file, like this:

   ftp> put uploadtest.txt   local: uploadtest.txt remote: uploadtest.txt 227 Entering Passive Mode (192,168,0,99,133,229) 150 Ok to send data. 226 File receive OK. 40 bytes send in 0.000101 secs (2.1e+02 Kbytes/sec)

Now you can close the FTP session:
```
   ftp> bye   221 Goodbye.   #   
```

Now you can go back to your FTP server and check the contents of the /var/ftp/pub/upload directory. You should find the uploadtest.txt file that was just uploaded from the client.

FTP Authentication via System Accounts

You ve seen some examples using anonymous access to the vsftpd FTP server (via the anonymous or ftp username), but what happens if a user has a system account and tries to gain access? By default, vsftpd allows this, and gives the user access to their home directory this way. For example, suppose your system has an account for the user called kapil. This user can use an FTP client to log in and gain access to their home directory, /home/kapil , via vsftpd , like this:

   # ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1) Name (192.168.0.99:none): kapil 331 Please specify the password.   Password:   230 Login successful. Have fun. Remote system type is UNIX. Using binary mode to transfer files.   ftp> ls   ...lists contents of /home/kapil directory...

This can be useful if your situation demands it. For example, you could set a machine up as a dedicated FTP server and create an account for each user that needs to perform FTP:

   # useradd -m -d /home/linux4biz     # passwd linux4biz   Changing password for user linux4biz. New password:  Retype new password:  passwd: all authentication tokens updated successfully.

You assign each user his or her own individual FTP space.

Disabling Local System User Accounts for FTP

By default, these users would have the same permissions to read, write, and execute the contents of their home directory via FTP that they would have if they were accessing the directory by sitting at the computer. More importantly, authentication via FTP is not encrypted, so allowing FTP access via user accounts is actually not a good way to allow access to your system if you ve got anything sensitive to protect.

Therefore, in most situations it s recommended that you disable FTP access via user accounts. This is easy to do ”just change the appropriate setting in the configuration file, /etc/vsftpd/vsftpd.conf . When you open the file, locate the following lines:

   # Uncomment this to allow local users to log in.     local_enable=YES

Change the directive to read as follows :

   local_enable=NO

Then restart the vsftpd service using the Server Configuration dialog box, or by typing the following at the command line:

   # service vsftpd restart

Now, if you try using an FTP client to gain FTP access via a system user account, you ll be refused :

   $ ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1)   Name (192.168.0.99:none): linux4biz   530 This FTP server is anonymous only. Login failed.

Blocking FTP Access for User Accounts

Alternatively, you can deny FTP access to individual users (rather than to all users). You control this using the /etc/vsftpd.ftpusers file, which contains the list of users that are not allowed FTP access to the server.

To try this, first change the local_enable directive back from NO to YES , in /etc/vsftpd/vsftpd.conf , to enable FTP access via system accounts:

 # Uncomment this to allow local users to log in.   local_enable=YES

Then, open the /etc/vsftpd.ftpusers file (using root privileges), add an account name at the bottom, and save the file. There s no need to restart the vsftpd service; changes to the /etc/vsftpd.ftpusers file take effect immediately.

Then use the account to try to gain FTP access via an FTP client:

   # ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 (vsFTPd 1.2.1)   Name (192.168.0.99:none): linux4biz   331 Please specify the password. Password: 530 Login incorrect. Login failed.

Configuring an FTP Greeting Banner

Once you ve installed the vsftpd FTP server, there are all sorts of ways you can configure it to behave as you want. Here s a simple example. You can change the default greeting message that the FTP server issues to clients on connection simply by changing the value of the ftpd_banner directive in /etc/vsftpd/vsftpd.conf . For example, try changing it to this:

 # You may fully customize the login banner string:   ftpd_banner=Welcome to the Wrox Press FTP service.

Then restart the vsftpd service so that the change takes effect. Use your FTP client to log in to the FTP server, and you ll be greeted with this new message:

   $ ftp 192.168.0.99   Connected to 192.168.0.99 (192.168.0.99). 220 Welcome to the Wrox Press FTP service. ...

For more information on the vsftpd FTP server, and all the configuration possibilities, refer to the man pages by typing man vsftpd and man vsftpd.conf . You can also find more information on the vsftpd FTP server at http://vsftpd.beasts.org/ .