The File Transfer Protocol is one of the original network applications developed with the TCP/IP protocol suite. It follows the standard model for network services, as FTP requires a client and a server. The FTP client is installed by default on most operating systems, including Red Hat Enterprise Linux. If you've installed the FTP Server package group, you've installed the default Red Hat FTP Server, the very secure FTP (vsFTP) daemon.
In this section, you'll look solely at the vsFTP server. The lftp client was examined in Chapter 1, and other FTP servers are not supported on RHEL 5.
The only FTP server included with RHEL is vsFTP. If it isn't already installed, you could use a GUI tool to install it. But the simplest method, based on a proper connection to the Red Hat Network or a rebuild repository, is with the following command:
# yum install vsftpd
In the following sections, I'll show you how to start the vsFTP service the next time you reboot your computer, how it's already configured by default, and how to secure it by user. If you want to limit access to vsFTP by computer or network, you can use the tcp_wrappers system (which works even though vsFTP is not an inetd service), a firewall, or even SELinux, as described in Chapter 15.
There are five directives associated with making a vsFTP server work with SELinux in targeted mode:
allow_ftpd_anon_write supports the writing of files to directories configured with the public_content_rw_t SELinux setting.
allow_ftpd_use_cifs allows the use of files shared via CIFS on an FTP server.
allow_ftpd_use_nfs allows the use of files shared via NFS on an FTP server.
ftp_is_daemon is required for a stand-alone FTP server daemon (as opposed to an xinetd service).
ftp_home_dir supports FTP read/write access to user home directories.
To set these directives, use the setsebool command. For example, to activate read-write access from FTP on user home directories, run the following command:
# setsebool -P ftp_home_dir 1
Once vsFTP is installed, make sure it starts the next time you boot Linux. If it doesn't start when the person who grades your Red Hat exam reboots your computer, you may not get credit for your work configuring an FTP server.
The most straightforward way to make sure the FTP server starts the next time you boot Linux is with the chkconfig command. You'll need to set it to start in at least runlevels 3 and 5, with a command such as this:
# chkconfig vsftpd on
To see if the chkconfig command worked, use the --list switch:
# chkconfig --list vsftpd
If you want to start the vsFTP server, just start the service script with the following command:
# service vsftpd start
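To confirm that the chkconfig step took, you check that runlevels 3 and 5 both show "on" in the --list output. The following check is an added example, not from the book: it parses a constructed sample of the chkconfig --list vsftpd output line (no real host was queried) and reports any of those two runlevels in which the service is still off.

```shell
#!/bin/sh
# Constructed samples of `chkconfig --list vsftpd` output (assumed format:
# service name followed by "N:on" / "N:off" for runlevels 0-6).
SAMPLE_ON="vsftpd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off"
SAMPLE_OFF="vsftpd         	0:off	1:off	2:off	3:off	4:off	5:off	6:off"

# missing_runlevels LINE: print the runlevels among 3 and 5 in which vsftpd
# is not "on" (empty output means the service will start at boot).
missing_runlevels() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | awk -F: '
        $1 == "3" || $1 == "5" { if ($2 != "on") printf "%s ", $1 }
    '
}

# vsftpd_enabled_at_boot LINE: succeed only if no required runlevel is missing.
vsftpd_enabled_at_boot() {
    [ -z "$(missing_runlevels "$1")" ]
}

# On a real host you would pass "$(chkconfig --list vsftpd)" instead of a sample.
if vsftpd_enabled_at_boot "$SAMPLE_ON"; then
    echo "sample 1: vsftpd starts in runlevels 3 and 5"
fi
if ! vsftpd_enabled_at_boot "$SAMPLE_OFF"; then
    echo "sample 2: vsftpd is off in runlevels: $(missing_runlevels "$SAMPLE_OFF")"
fi
```

Feeding it the live output, `vsftpd_enabled_at_boot "$(chkconfig --list vsftpd)"`, gives a single yes/no you can put in a pre-reboot checklist.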
Despite its name, if you configure vsFTP incorrectly, you could end up giving regular accounts access to the top-level root directory. To start securing your system, you can configure vsFTP to disable logins from regular users. You configure vsFTP through the vsftpd.conf configuration file in the /etc/vsftpd directory.
The commands in this file are straightforward. I urge you to read the file for yourself; the comments make many of the commands self-explanatory. You can examine a few of these commands in Table 10-3. I focus here on those commands that you might change to enhance the security of your system. The commands in the default vsftpd.conf file are just a small fraction of the commands that you can use. You can review the RHEL Deployment Guide available online at www.redhat.com/docs/manuals/enterprise for detailed information.
If you don't want anonymous access, you'll have to set this to NO.
If you don't want regular users to log in, comment this out by adding a pound (#) character at the beginning of the line.
If you don't want remote users writing to your directories, comment out this command.
If you set chroot_local_user=YES (see the discussion that follows), you can configure users who are allowed to roam through your directories by activating this command.
Configures Pluggable Authentication Modules (PAM) security. For more information, see Chapter 6.
Don't change this! This keeps users such as root from logging into your system.
Supports the use of security commands in /etc/hosts.allow and /etc/hosts.deny. See Chapter 15.
By default, vsFTP is configured to disable logins from sensitive users such as root, bin, and mail. The userlist_enable=YES command points to a list of disabled users in /etc/vsftpd/user_list. As vsFTP also uses Pluggable Authentication Modules (PAM) for security, it also disables the users in /etc/vsftpd/ftpusers. The lists of users in the default versions of these files are identical.
If you want regular users to log into your FTP server, you should add the chroot_local_user=YES directive. This helps secure your system by keeping regular users from navigating to your top-level root directory (/).
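The settings in Table 10-3 and the user_list discussion above amount to a short checklist: anonymous access, local logins without a chroot, write access, and whether the deny list of sensitive users is in force. The script below is an added example (not from the book or the vsftpd project) that audits a vsftpd.conf against that checklist. It writes two constructed configuration files to temporary files, a permissive one and a hardened one, plus a constructed user_list; the directive names (anonymous_enable, local_enable, write_enable, chroot_local_user, userlist_enable, tcp_wrappers) are assumed to be the stock vsftpd.conf keys. On a real host you would point the functions at /etc/vsftpd/vsftpd.conf and /etc/vsftpd/user_list.

```shell
#!/bin/sh
# Added audit script: reports the vsftpd.conf settings this chapter flags as
# risky. All input files are constructed samples written to temp files.

WEAK_CONF=$(mktemp)      # permissive defaults (assumed stock directive names)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
userlist_enable=YES
tcp_wrappers=YES
EOF

HARDENED_CONF=$(mktemp)  # the same file after the changes discussed in the text
cat > "$HARDENED_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
write_enable=NO
userlist_enable=YES
tcp_wrappers=YES
EOF

USER_LIST=$(mktemp)      # constructed sample of /etc/vsftpd/user_list
printf 'root\nbin\ndaemon\nmail\n' > "$USER_LIST"

# conf_value FILE KEY: effective value of KEY, ignoring commented-out lines;
# the last uncommented assignment wins, and an absent key yields "".
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_vsftpd_conf FILE: one WARN line per risky setting on stderr,
# the number of findings on stdout.
audit_vsftpd_conf() {
    conf="$1"
    findings=0
    if [ "$(conf_value "$conf" anonymous_enable)" = "YES" ]; then
        echo "WARN: anonymous_enable=YES: anonymous logins are accepted" >&2
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$conf" local_enable)" = "YES" ] &&
       [ "$(conf_value "$conf" chroot_local_user)" != "YES" ]; then
        echo "WARN: local users log in without a chroot; they can cd up to /" >&2
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$conf" write_enable)" = "YES" ]; then
        echo "WARN: write_enable=YES: remote users may write to server directories" >&2
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$conf" userlist_enable)" != "YES" ]; then
        echo "WARN: userlist_enable is not YES: the deny list of sensitive users is unused" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# root_in_user_list FILE: succeed only if root appears in the deny list.
root_in_user_list() {
    grep -qx 'root' "$1"
}

echo "weak config findings:     $(audit_vsftpd_conf "$WEAK_CONF")"
echo "hardened config findings: $(audit_vsftpd_conf "$HARDENED_CONF")"
root_in_user_list "$USER_LIST" && echo "root is listed in user_list"
```

The weak file produces three findings (anonymous logins, no chroot for local users, write access) and the hardened file none; the userlist_enable check passes in both because the stock file already sets it, which is exactly why the table says not to change it. Note that the chroot finding is only raised when local_enable=YES, since users who cannot log in at all have nothing to escape from.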
On the Job
If you set chroot_local_user=YES, be careful. Red Hat documentation suggests security issues related to users who can upload to the server; one risk is loading scripts that allow root-level access.
A couple of useful features for users help welcome them to your server. The following command provides a message for users who are logging into your system:
ftpd_banner=Welcome to blah FTP service
This next directive looks for a .message file in each directory and sends it to the client:
Unfortunately, these messages don't work for users who log into your system using a client such as lftp.
Access by root and many service users is disabled by default. If you try to log in as root using lftp, it will look like you're connected. But when you try to do something as root, you'll see messages delaying your commands "before reconnect."
Exercise 10-3: Configuring a Basic vsFTP Server
In this exercise, you'll install and activate a basic vsFTP server on your RHEL system. Ideally, you should also have a second computer, but this isn't absolutely necessary here. This exercise assumes that you've at least configured FTP access through any existing firewall. If you've enabled SELinux and want to support an FTP server just for downloads, you'll also need to modify SELinux policies to "Allow Ftpd To Run Directly Without Inetd" and "Allow Ftpd To Read/Write Files In The User Home Directories", which correspond to the ftp_is_daemon and ftp_home_dir booleans described earlier. For more information on using the SELinux Management Tool, see Chapter 15.
1. Check your system to determine whether the vsFTP server is installed. The easiest way is with the following command:
# rpm -q vsftpd
If it isn't already installed, use the techniques discussed earlier to install the vsFTP RPM package.
2. Activate the vsFTP server with the service vsftpd start command.
3. Make sure this server is automatically activated the next time you boot Linux with the following command:
# chkconfig vsftpd on
4. Log into the vsFTP server as a regular user. You should preferably log in from a remote computer.
5. Once you're logged in, run the cd .. command twice (remember the space between the command and the two dots). Explore the local directory. You should see a danger here, as this is the root directory for the FTP server computer.
6. Close the FTP client session.
7. If you're concerned about the security issues, deactivate the vsFTP server. The best way to secure your system from FTP-based attacks is to uninstall the vsFTP server. However, if you need a vsFTP server, work with the lab at the end of the chapter.