Saturday, May 31, 2014

FTP Server

The FTP server package used on RHEL/CentOS is vsftpd (Very Secure FTP Daemon).

# yum install vsftpd -y
# chkconfig vsftpd on
# /etc/init.d/vsftpd start

Open TCP ports 21 (the control connection) and 20 (the source port of active-mode data connections) in the firewall. Passive-mode data connections arrive on a random high port, so also load the FTP connection-tracking helper by setting the line below in /etc/sysconfig/iptables-config and restarting iptables. The helper reads the PORT/PASV exchange on the control channel and marks the matching data connection RELATED, so a RELATED,ESTABLISHED rule lets it through; nf_nat_ftp is only needed when this host also NATs the FTP traffic. After the restart, lsmod should list nf_conntrack_ftp.
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
Note that the helper opens ports based on text the client sends, which is why newer kernels no longer attach it automatically (net.netfilter.nf_conntrack_helper defaults to 0 and the helper has to be assigned with an iptables CT target rule); on CentOS 6 it is picked up as soon as the module is loaded.

By default vsftpd allows anonymous logins, and anonymous users can download files but not upload (uploads additionally need write_enable=YES and anon_upload_enable=YES). If you do not need anonymous access, set anonymous_enable=NO; also keep in mind that plain FTP carries logins and data in cleartext. Connect with lftp ftp.server.name; the lftp prompt accepts shell-style commands (ls, cd, pwd) and transfers files with:
lftp> put somefile.txt  - to upload
lftp> get somefile.txt  - to download

The default public directory is /var/ftp/pub (the anonymous root is the ftp user's home, /var/ftp).

The configuration file is /etc/vsftpd/vsftpd.conf. It has many options (documented in vsftpd.conf(5)); the ones that decide how exposed the server is are anonymous_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable, anon_other_write_enable, local_enable and chroot_local_user.
# vim /etc/vsftpd/vsftpd.conf
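The following script is an added example and not part of the original post: it audits a vsftpd.conf for the login and write directives listed above and derives the iptables rules the firewall section needs (control port, RELATED for the conntrack helper, and a pinned passive range as a fallback when the helper is not loaded). It runs against two constructed sample configs written to a temporary directory, so it needs neither vsftpd nor root; the passive range 10090-10100 and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a vsftpd.conf for the
# directives that decide who may log in and write, and derive the iptables
# rules that match it. Runs on constructed sample files in a temp directory.

# Effective value of a directive: the last uncommented "key=value" wins and
# vsftpd's own default applies when the key is absent.
# Usage: vsftpd_get FILE KEY DEFAULT
vsftpd_get() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Print RISK/WARN/OK findings for one config. Defaults follow vsftpd.conf(5):
# anonymous_enable=YES, write_enable=NO, all anon_*_enable write options NO,
# local_enable=NO, chroot_local_user=NO, ssl_enable=NO.
vsftpd_audit() {
    _cfg=$1
    _anon=$(vsftpd_get "$_cfg" anonymous_enable YES)
    _write=$(vsftpd_get "$_cfg" write_enable NO)
    _up=$(vsftpd_get "$_cfg" anon_upload_enable NO)
    _mkdir=$(vsftpd_get "$_cfg" anon_mkdir_write_enable NO)
    _other=$(vsftpd_get "$_cfg" anon_other_write_enable NO)
    _local=$(vsftpd_get "$_cfg" local_enable NO)
    _chroot=$(vsftpd_get "$_cfg" chroot_local_user NO)
    _ssl=$(vsftpd_get "$_cfg" ssl_enable NO)

    if [ "$_anon" = YES ] && [ "$_write" = YES ]; then
        [ "$_up" = YES ]    && echo "WARN anonymous upload enabled: upload dir must be public_content_rw_t and should not be listable"
        [ "$_mkdir" = YES ] && echo "WARN anonymous users may create directories"
        [ "$_other" = YES ] && echo "RISK anonymous users may rename and delete files (anon_other_write_enable)"
    elif [ "$_anon" = YES ]; then
        echo "OK anonymous access is read-only"
    else
        echo "OK anonymous access disabled"
    fi
    if [ "$_local" = YES ]; then
        [ "$_chroot" = YES ] || echo "RISK local users are not chrooted and can browse the whole filesystem"
        [ "$_ssl" = YES ]    || echo "WARN local user passwords cross the network in cleartext (ssl_enable=NO)"
    fi
    return 0
}

# iptables rules matching the config: control port, RELATED so the
# nf_conntrack_ftp helper can admit data connections, and the pinned passive
# range (only when pasv_min_port/pasv_max_port are set) for hosts without
# the helper. -I is used because the CentOS default chain ends in a REJECT.
vsftpd_fw_rules() {
    _port=$(vsftpd_get "$1" listen_port 21)
    _pmin=$(vsftpd_get "$1" pasv_min_port 0)
    _pmax=$(vsftpd_get "$1" pasv_max_port 0)
    echo "iptables -I INPUT -p tcp --dport $_port -m state --state NEW -j ACCEPT"
    echo "iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    if [ "$_pmin" -gt 0 ] && [ "$_pmax" -ge "$_pmin" ]; then
        echo "iptables -I INPUT -p tcp --dport $_pmin:$_pmax -m state --state NEW -j ACCEPT"
    fi
}

# Constructed samples: a config opened up carelessly, and a hardened one that
# still permits anonymous uploads into a drop-box directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
LOOSE_CFG=$TMPD/loose.conf
HARD_CFG=$TMPD/hardened.conf
cat >"$LOOSE_CFG" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
EOF
cat >"$HARD_CFG" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES  (commented out, so the vsftpd default NO applies)
anon_other_write_enable=NO
anon_umask=077
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
EOF

for _f in "$LOOSE_CFG" "$HARD_CFG"; do
    echo "== $_f"
    vsftpd_audit "$_f"
    vsftpd_fw_rules "$_f"
done
```

Run it against the real /etc/vsftpd/vsftpd.conf by calling vsftpd_audit and vsftpd_fw_rules on that path instead of the samples; the RELATED,ESTABLISHED rule is what makes the conntrack helper useful, and the passive-range rule is harmless when the helper is loaded because vsftpd will only hand out ports from that range anyway.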

List the SELinux booleans that affect vsftpd with either command below and enable only the ones your configuration needs.

# getsebool -a | grep ftp
or
# semanage boolean -l | grep ftp

Toggle a boolean persistently with setsebool -P, using on to enable and off to disable. allow_ftpd_anon_write lets the daemon write only into directories labelled public_content_rw_t (the default label of /var/ftp/pub, public_content_t, stays read-only even with the boolean on), which is the least-privilege way to allow anonymous uploads. allow_ftpd_full_access waives the file-label checks altogether and should not be used just to get uploads working. On RHEL/CentOS 7 the names lose the allow_ prefix (ftpd_anon_write, ftpd_full_access).
# setsebool -P allow_ftpd_anon_write on
# setsebool -P allow_ftpd_anon_write off
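As an added example (not code from the original post), the script below turns the boolean-versus-label point into a check and a setup procedure: it reads the SELinux type out of an ls -Zd line, says which boolean (if any) that label needs before the ftp daemon may write there, and lays out a least-privilege anonymous upload directory. Privileged commands go through run(), so with DRY_RUN=1 (the default here) it only prints what it would do; the path /var/ftp/pub/upload is an assumed example and the boolean names are the CentOS 6 ones.

```shell
#!/bin/sh
# Added example, not from the original post: map an FTP directory's SELinux
# label to the boolean it needs, and set up an anonymous upload directory with
# the narrowest rights that work. With DRY_RUN=1 nothing is executed; run as
# root with DRY_RUN=0 on the server to apply. /var/ftp/pub/upload is assumed.

DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Extract the SELinux type from one line of `ls -Zd DIR` output, e.g.
# "drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub"
selinux_type_of() {
    for _field in $1; do
        case $_field in
            *:*:*:*) printf '%s\n' "$_field" | cut -d: -f3; return 0 ;;
        esac
    done
    echo "unknown"
}

# What it takes for vsftpd to write into a directory carrying this label.
# public_content_t is read-only by design, so no boolean helps there; anything
# else would need allow_ftpd_full_access, which drops the label checks entirely.
ftp_write_requirement() {
    case $1 in
        public_content_rw_t) echo "allow_ftpd_anon_write" ;;
        public_content_t)    echo "relabel to public_content_rw_t (label is read-only)" ;;
        *)                   echo "allow_ftpd_full_access (disables labelling; prefer relabelling)" ;;
    esac
}

# Least-privilege anonymous upload directory: the ftp user (vsftpd's anonymous
# identity) may create files but not list them, the directory is labelled
# read-write for public content, and only the narrow boolean is enabled.
setup_anon_upload_dir() {
    _dir=$1
    run mkdir -p "$_dir"
    run chown root:ftp "$_dir"
    run chmod 730 "$_dir"   # group ftp: write+search, no read, so no listing
    run semanage fcontext -a -t public_content_rw_t "$_dir(/.*)?"
    run restorecon -Rv "$_dir"
    run setsebool -P allow_ftpd_anon_write on
}

setup_anon_upload_dir /var/ftp/pub/upload
```

vsftpd.conf still needs write_enable=YES and anon_upload_enable=YES for this to work, and the default anon_umask=077 means uploaded files are readable only by the ftp user, so the directory behaves as a drop box rather than a public share. After restorecon, feed the ls -Zd line for the directory to selinux_type_of and ftp_write_requirement to confirm that the answer is allow_ftpd_anon_write and not the full-access boolean.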


3 comments:

  1. Hi, Bekzot,

    Thanks for doing this.

    For the sake of completeness you might want to list the essential /etc/vsftpd/vsftpd.conf directives that are required for anonymous logins.

    anonymous_enable=YES

    anon_upload_enable=YES #otherwise uploads won't work, despite having set the appropriate SE booleans

    Just in case the exam deliberately removes those firewall modules for passive mode and they aren't available for install, you can add the following to your /etc/vsftpd/vsftpd.conf (though I think ip_conntrack_ftp is compiled into the kernel as of late, so it's not very likely you'll have to do this):
    #these ports can be any port that isn't taken, I believe...I'm not sure how many you need in your range
    pasv_enable=YES
    pasv_min_port=10090
    pasv_max_port=10100

    iptables -I INPUT -p tcp --dport 10090:10100 -j ACCEPT && service iptables save && service vsftpd restart

    Also, you'll probably need to setfacl -m d:o:rwx /var/ftp/pub if you plan to upload/download files

    (BTW, instead of using nf_conntrack and nf_nat_ftp, why not just use ip_conntrack_ftp?)

    There is one thing I'd like to ask you: I have attempted to upload a file as an anonymous user having only set allow_ftpd_anon_write on, and was unable to create a file. Only after setting allow_ftpd_full_access on was I able to upload a file as an anonymous user. In my experience so far, the allow_ftpd_anon_write boolean has no effect on whether an anonymous user is able to upload.
    (I am using CentOS 6.5)
    Can you confirm this on your end, am I missing something?

    Thanks

  2. Okay, I'm going to follow up with myself here.

    allow_ftpd_anon_write will only have an effect if the context is public_content_rw_t; by default /var/ftp/pub has public_content_t, so that's why it had no effect in my use case.

    I'm sure on the exam you might have to create your own directory for vsftpd and then have to change its context to either public_content_t or public_content_rw_t

    allow_ftpd_full_access is only for files and directories that have neither 'public_content_rw_t' nor 'public_content_t'.

    Thanks

  3. Correcting myself here:

    #Also, you'll probably need to setfacl -m d:o:rwx /var/ftp/pub if you plan to upload/download files

    setfacl -m g:ftp:rwx /var/ftp/pub should be good enough in this case, no need for default values, nor to set it for other
