Section 7.11. Configuring an FTP Server

7.11. Configuring an FTP Server

File Transfer Protocol (FTP) is a long-established Internet protocol for downloading files. In Fedora, you can use the Very Safe FTP program, vsftp, to serve data via FTP.

7.11.1. How Do I Do That?

To serve content via FTP, just install the vsftpd package and place the content that you wish to make publicly available in the /var/ftp directory.

If you are using a firewall, you will need to open the FTP ports in the firewall.

To view the contents of /var/ftp with a browser, go to ftp://<hostname>/. To access files in a home directory, use the URL ftp://<user>@<hostname>/ (the browser will ask for your password) or ftp://<user>:<password>@<hostname>/.

To access the contents of /var/ftp using a command-line FTP client program, log in as anonymous and use your email address as your password:

$ ftp ftp> open ftp.fedorabook.com Connected to 172.16.97.100. 220 (vsFTPd 2.0.4) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (ftp.fedorabook.com:chris):                    anonymous Password:                    chris@fedorabook.com 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (172,16,97,100,237,192) 150 Here comes the directory listing. drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-5 drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-6 drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-linux drwxr-xr-x    2 0        0            4096 Mar 09 16:42 images drwxr-xr-x    2 0        0            4096 Mar 09 04:46 pub drwxr-xr-x    2 0        0            4096 Mar 09 16:41 rawhide 226 Directory send OK. ftp> cd images 250-This directory contains images for the book "Fedora Linux". 250- 250 Directory successfully changed. ftp> ls *http* 227 Entering Passive Mode (172,16,97,100,240,225) 150 Here comes the directory listing. -rw-r--r--    1 0        0           49931 Mar 09 16:44 fen-chapter07-system-config-httpd-tab2.png -rw-r--r--    1 0        0           27119 Mar 09 16:44 fen-chapter07-system-config-httpd.png 226 Directory send OK. ftp> get fen-chapter07-system-config-httpd-tab2.png local: fen-chapter07-system-config-httpd-tab2.png remote: fen-chapter07-system-config-httpd-tab2.png 227 Entering Passive Mode (172,16,97,100,214,160) 150 Opening BINARY mode data connection for fen-chapter07-system-config-httpd-tab2.png (49931 bytes). 226 File send OK. 49931 bytes received in 0.017 seconds (2.9e+03 Kbytes/s) ftp> quit 221 Goodbye.

To access a home directory using an FTP client, enter the user ID and password of the Fedora account.

vsftpd is configured using the files in /etc/vsftpd. The main configuration file is /etc/vsftpd/vsftpd.conf and permits all local users (except for system users such as root, bin, and so forth) to have read/write access to their home directories, and all anonymous users to have read-only access to /var/ftp.

These are the most commonly changed configuration entries, along with the default values (as set in the Fedora default configuration file or in the program's internal defaults):

anonymous_enable= YES

Enables anonymous login. Change the value to NO to disable access to /var/ftp.

write_enable= YES

Permits file uploads.

anon_upload_enable= NO and anon_mkdir_write_enable= NO

Permits anonymous users to upload files and create directories. write_enable=YES must also be present and at least one of the directories in /var/ftp must be writable in order for this to work.

dirmessage_enable= NO and message_file= .message

Enables the display of descriptive messages when a user enters a directory; this is usually used to explain the directory contents, usage instructions, contact information, or copyright and licensing details. There is an example of this in the character-mode transfer shown earlier, highlighted in bold. The text of the message is normally contained in the file .message within the directory, but the filename may be set to any value you choose. Some client programs will display these messages to the remote client, and somesuch as the Firefox web browserwill not.

banner_file= filename

Configures a file that contains a banner message that will be sent to clients when they connect to the server.

ascii_upload_enable= NO and ascii_download_enable= NO

FTP has the ability to automatically change end-of-line characters to compensate for differences between Linux/Unix, Windows, and Macintosh computers using ASCII mode. The author of vsftpd, Chris Evans, considers this to be a bug in the protocol rather than a feature, and it is true that ASCII mode has mangled many, many binary files. If you want to use ASCII mode, enable these options.

ls_recurse_enable= NO

Controls the use of recursive directory listings. Some very nice clients, such as ncftp, assume that this is enabled.

use_localtime= NO

Enables the display of times in the local time zone instead of GMT.

You can restrict FTP access to specific local users by adding their usernames into the file /etc/vsftpd/ftpusers or /etc/vsftpd/user_list.

7.11.2. How Does It Work?

FTP is a disaster from a security perspective, since transmitted data (including the username and password) are sent in plain text and can be intercepted by anyone snooping on the network. Nonetheless, it's a useful protocol for the public download of large files.

vsftp was designed from the ground up to be as secure as possible because many of the preceding FTP servers were notoriously insecure. It uses simple code along with techniques such as changing the root directory (chroot) to limit the damage that can be caused if the server is compromised.

FTP is a very old protocolso old, in fact, that in its original form, it predates TCP/IP! In order to work around some network transport limitations, traditional FTP uses two connections between the client and the server: one for data and one for controlling commands and responses. The control connection originates at the client, and the data connection originates at the server. For years this architecture has caused headaches in firewall configuration.

FTP also supports passive (PASV) operation, which uses a single connection for both control and data. Almost all modern client programs support passive operation as the default mode of operation, as an automatic fallback option, or as a manually configured option.

vsftpd logs data transfers in the file /var/log/xferlog.

7.11.3. What About...

7.11.3.1. ...secure FTP?

There are two types of secure FTP:

SFTP

An FTP extension to the secure shell (SSH) protocol. This is installed by default on Fedora systems as part of the SSH service; the command name is sftp. SSH also provides secure copy (scp), which is in many cases more convenient than SFTP.

FTPS

FTP over the Secure Socket Layer (SSL). SSL is a general encryption layer that can be used to protect many types of connections, including HTTP, IMAP, and POP3 (which are known as HTTPS, IMAPS, and POP3S when used with SSL). I recommend the use of SFTP over FTPS, but vsftpd is capable of handling FTPS connections if security certificates are installed; refer to the vsftpd documentation for details.

7.11.4. Where Can I Learn More?

• The manpages for vsftpd, vsftpd.conf, and ftp

• The manpages for sshd, scp, and sftp

• RFC 959: http://www.ietf.org/rfc/rfc0959.txt