Ubuntu Unleashed 2017 Edition (2017)
Part IV: Ubuntu as a Server
Chapter 27. Remote File Serving with FTP
In This Chapter
Choosing an FTP Server
Installing FTP Software
The FTP User
Configuring the Very Secure FTP Server
Using the ftphosts File to Allow or Deny FTP Server Connection
References
File Transfer Protocol (FTP) was once considered the primary method used to transfer files over a network from computer to computer. FTP is still heavily used today, although many graphical FTP clients now supplement the original text-based interface command. As computers have evolved, so has FTP, and Ubuntu includes many ways with which to use a graphical interface to transfer files over FTP.
This chapter contains an overview of the available FTP software included with Ubuntu, along with some details concerning initial setup, configuration, and use of FTP-specific clients. Ubuntu also includes an FTP server software package named vsftpd, the Very Secure FTP Daemon, and a number of associated programs you can use to serve and transfer files with the FTP protocol.
Choosing an FTP Server
FTP uses a client/server model. As a client, FTP accesses a server, and as a server, FTP provides access to files or storage. Just about every computer platform available has software written to enable a computer to act as an FTP server, but Ubuntu provides the average user with the capability to do this without paying hefty licensing fees and without regard for client usage limitations.
There are two types of FTP servers and access: anonymous and standard. A standard FTP server requires an account name and password from anyone trying to access the server. Anonymous servers allow anyone to connect to the server to retrieve files. Anonymous servers provide the most flexibility, but they can also present a security risk. Fortunately, as you will read in this chapter, Ubuntu is set up to use proper file and directory permissions and common-sense default configuration, such as disallowing root to perform an FTP login.
Note
Many Linux users now use OpenSSH and its suite of clients, such as the sftp command, for a more secure solution when transferring files. The OpenSSH suite provides the sshd daemon and enables encrypted remote logins. (See Chapter 19, “Remote Access with SSH, Telnet, and VNC,” for more information.)
Choosing an Authenticated or Anonymous Server
When you are preparing to set up your FTP server, you must first make the decision to install either the authenticated or anonymous service. Authenticated service requires the entry of a valid username and password for access. As previously mentioned, anonymous service allows the use of the username anonymous and an email address as a password for access.
Authenticated FTP servers control who may transfer data, but because plain FTP sends the username and password unencrypted, they do not protect the session itself; they also require maintenance of user accounts given that usernames and passwords are used. Anonymous FTP servers are used when user authentication is not needed or necessary and can be helpful in providing an easily accessible platform for customer support or public distribution of documents, software, or other data.
If you use an anonymous FTP server in your home or business Linux system, it is vital that you properly install and configure it to retain a relatively secure environment. Generally, sites that host anonymous FTP servers place them outside the firewall on a dedicated machine. The dedicated machine contains only the FTP server and should not contain data that cannot be restored quickly. This dedicated-machine setup prevents malicious users who compromise the server from obtaining critical or sensitive data. As an additional measure (not a substitute for the dedicated machine), the FTP portion of the file system can be mounted read-only from a separate hard drive partition or volume, or mounted from read-only media, such as CD-ROM, DVD, or other optical storage, so that a compromised server cannot be used to alter the files it serves.
Ubuntu FTP Server Packages
The Very Secure vsftpd server is licensed under the GNU GPL. The server can be used for personal or business purposes and is the FTP server covered in the remainder of this chapter.
Other FTP Servers
One alternative server is NcFTPd, available from www.ncftp.com. This server provides its own optimized daemon. In addition, NcFTPd has the capability to cache directory listings of the FTP server in memory, thereby increasing the speed at which users can obtain a list of available files and directories. Although NcFTPd has many advantages over some other FTP servers, NcFTPd is not GPL-licensed software, and its licensing fees vary according to the maximum number of simultaneous server connections ($199 for 51 or more concurrent users and $129 for up to 50 concurrent users, but free to education institutions with a compliant domain name).
Note
Do not confuse the ncftp client with ncftpd. The ncftp package included with Ubuntu is the client software, a replacement for ftp, and includes the ncftpget and ncftpput commands for transferring files via the command line or by using a remote file uniform resource locator (URL) address. ncftpd is the FTP server, which can be downloaded from www.ncftpd.com.
Another FTP server package for Linux is ProFTPD, licensed under the GNU GPL. This server works well with most Linux distributions and has been used by a number of Linux sites, including ftp.kernel.org and ftp.sourceforge.net. ProFTPD is actively maintained and updated for bug fixes and security enhancements. Its developers recommend that you use the latest release (1.3.3e at the time of this writing) to avoid exposure to exploits and vulnerabilities. Browse to www.proftpd.org to download a copy.
Yet another FTP server package is Bsdftpd-ssl, which is based on the BSD ftpd (and distributed under the BSD license). Bsdftpd-ssl offers simultaneous standard and secure access using security extensions; secure access requires a special client. For more details, browse to http://bsdftpd-ssl.sc.ru.
Previously, this book covered an FTP server called wu-ftp. We had some concerns about it, such as the fact that when testing it to update this chapter, we discovered it runs as root by default and therefore presents a significant security risk. For that reason, and the fact that the package seems to be abandoned and no longer maintained by its authors, we are not covering it in this edition.
Finally, another alternative is to use Apache (and HTTP) for serving files. Using a web server to provide data downloads can reduce the need to monitor and maintain a separate software service (or directories) on your server. This approach to serving files also reduces system resource requirements and gives remote users a bit more flexibility when downloading (such as enabling them to download multiple files at once). See Chapter 24, “Apache Web Server Management,” for more information about using Apache.
Installing FTP Software
As part of the standard installation, the client software for FTP is already installed. You can verify that some FTP-related software is installed on your system by using dpkg, grep, and sort commands in this query:
matthew@seymour:~$ dpkg --get-selections | grep ftp | sort
ftp install
lftp install
The preceding output is from a fresh installation of Ubuntu 11.10, and what you see are basic FTP clients. These allow you to use FTP to connect to other computers to interact with remote files. You need an FTP server to allow other systems to interact with files on your computer. This chapter covers one FTP server application, vsftpd.
If vsftpd is not installed, install the package vsftpd from the Ubuntu repositories. For more information about installing packages, see Chapter 9, “Managing Software.”
Note
If you host an FTP server connected to the Internet, make it a habit to always install security updates and bug fixes for your server software.
The FTP User
So that files served to (or, if you permit it, received from) anonymous connections are not owned or handled under a real user's account, a dedicated ftp user is created when vsftpd is installed. This user is not a normal user per se, but the account under which anonymous FTP sessions operate. The FTP user entry in /etc/passwd looks like this:
ftp:x:116:124:ftp daemon,,,:/srv/ftp:/bin/false
The numbers differ on each system because they depend on the number of configured users on the system, but the rest of the information is the same.
Note
The FTP user, as discussed here, applies to anonymous FTP configurations and server setup. Our FTP user is configured to use /srv/ftp as the default directory. Other Linux distributions may use a different default directory, such as /usr/local/ftp, for FTP files and anonymous users.
This entry follows the standard /etc/passwd format: username, password, user ID, group ID, comment field, home directory, and shell. To learn more about /etc/passwd, see the section “Configuring Your Firewall” in Chapter 20, “Securing Your Machines.”
Each of the items in this entry is separated by colons. In the preceding example, you can see that the Ubuntu system hosting the server uses shadowed passwords (indicated by the x in the traditional password field). The shadow password system is important because it adds an additional level of security to Ubuntu by keeping password hashes out of the world-readable /etc/passwd file; the shadow password system is normally installed during the Ubuntu installation.
The FTP server software uses this user account to assign permissions to users connecting to the server. By using a default shell of /bin/false for anonymous FTP users versus /bin/bash or some other standard, interactive shell, an anonymous FTP user will be unable to log in as a regular user. /bin/false is not a shell, but a program usually assigned to an account that has been locked. As root inspection of the /etc/shadow file shows (see Listing 27.1), it is not possible to log in to this account, denoted by the * as the password.
LISTING 27.1 Shadow Password File ftp User Entry
# cat /etc/shadow
bin:*:11899:0:99999:7:::
daemon:*:11899:0:99999:7:::
adm:*:11899:0:99999:7:::
lp:*:11899:0:99999:7:::
...
ftp:*:12276:0:99999:7:::
...
The shadow file (only a portion of which is shown in Listing 27.1) contains additional information not found in the standard /etc/passwd file, such as account expiration, password expiration, whether the account is locked, and the hashed password. The * in the password field indicates that the account is not a standard login account; no password can ever hash to it, so no password login is possible.
Although shadow passwords are in use on the system, passwords are not transmitted in a secure manner when using FTP. Because FTP was written before the necessity of encryption and security, it does not provide the mechanics necessary to send encrypted passwords. Account information is sent in plain text on FTP servers; anyone with enough technical knowledge and a network sniffer can find the password for the account you connect to on the server. Many sites use an anonymous-only FTP server specifically to prevent normal account passwords from being transmitted over the Internet.
Quick-and-Dirty FTP Service
Conscientious Linux administrators take the time to carefully install, set up, and configure a production FTP server before offering public service or opening up for business on the Internet. However, you can set up a server very quickly on a secure LAN by completing a few simple steps:
1. Ensure that the FTP server package is installed, networking is enabled, and firewall rules on the server allow FTP access: TCP port 21 for the control connection and, for passive-mode clients, the data port range you configure with pasv_min_port and pasv_max_port in vsftpd.conf. See Chapter 18, “Networking,” to learn about firewalling.
2. If anonymous access to server files is desired, create and populate the /srv/ftp/public directory. Do this by mounting or copying your content, such as directories and files, under this directory. You don’t want to use symlinks, however, because a clever anonymous user could easily use that against you to access other parts of your file system. If you are new to this, copy your content into the directory.
3. Edit and then save the appropriate configuration file (such as /etc/vsftpd.conf for vsftpd) to enable access.
4. You must then start or restart the FTP server like this: sudo service vsftpd restart.
You can use the service command to start, stop, restart, and query the vsftpd server. You must have root permission to start, stop, or restart the server, but any user can query it (to see whether it is running and to see its process ID number) using the status keyword, like this:
matthew@seymour:~$ sudo service vsftpd status
You can also use a shorter version just for finding the status of the FTP daemon, as follows:
matthew@seymour:~$ status vsftpd
Administrator permissions are not required to use the status command, so we do not need to use sudo.
Configuring the Very Secure FTP Server
The Very Secure FTP server offers simplicity, security, and speed. It has been used by a number of sites, such as ftp.debian.org, ftp.gnu.org, rpmfind.net, and ftp.gimp.org. Note that despite its name, the Very Secure FTP server does not, as configured here, encrypt usernames or passwords: the daemon can speak FTP over TLS when ssl_enable=YES is set and a certificate is configured, but Ubuntu's shipped configuration leaves that off and serves plain FTP.
Its main configuration file is vsftpd.conf, which resides under the /etc directory. The server has a number of features and default policies, but you can override these by changing the installed configuration file.
By default, anonymous logins are disabled, and no one may upload files, create new directories, or delete or rename files, because write_enable is left commented out (downloads of readable files are still permitted). The configuration file installed by Ubuntu allows local users (that is, users with a login and shell account) to log in and then access their home directory; because chroot_local_user is not set, they can also browse any other part of the file system their account is permitted to read. This configuration presents potential security risks because usernames and passwords are passed without encryption over a network. The best policy is to deny your users access to the server from their user accounts. To change these and other settings, edit the well-commented config file at /etc/vsftpd.conf. For example, to change these two settings, edit the following lines:
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
If you want to allow anonymous use of your FTP server, change NO to YES in the first pair of lines. As the second pair shows, starting with Ubuntu 10.10 the local user setting was changed by Ubuntu from the upstream default, which did not allow local users to log in. We suggest commenting the line back out by placing a # at the front if you are going to run an anonymous FTP server. The default settings here work well if you are only allowing one user FTP access on the back end of a web server, for example, which is becoming the more common use for FTP, at least until we can convince the world to move to using SSH. See the “Telnet Versus SSH” section in Chapter 19, “Remote Access with SSH, Telnet, and VNC,” and replace Telnet with FTP for an idea about why this would be a good move.
Controlling Anonymous Access
Toggling anonymous access features for your FTP server is done by editing the vsftpd.conf file and changing related entries to YES or NO in the file. Settings to control how the server works for anonymous logins include the following:
anonymous_enable—Disabled by default. Use a setting of YES and then restart the server to turn on anonymous access.
anon_mkdir_write_enable—Allows or disallows creating of new directories.
anon_other_write_enable—Allows or disallows deleting or renaming of files and directories.
anon_upload_enable—Controls whether anonymous users can upload files (also depends on the global write_enable setting). This is a potential security and liability hazard and should rarely be used; if enabled, consistently monitor any designated upload directory.
anon_world_readable_only—When YES (the default), anonymous users may download only files that are world-readable (for example, mode 444 or 644); files readable by the ftp user but not by others stay hidden from anonymous clients.
After making any changes to your FTP server configuration file, make sure to restart the server; this forces vsftpd to reread its settings.
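The settings above interact: anon_upload_enable, anon_mkdir_write_enable, and anon_other_write_enable only take effect when write_enable is also on, and a key that is missing from the file falls back to vsftpd's compiled-in default, which for anonymous_enable is YES. The following shell script is an added example, not from the book or from the vsftpd project, that reads a vsftpd.conf and reports the combinations this section warns about. The option names are real vsftpd.conf keys; the helper names and the three sample configuration files (constructed in temporary files) are this example's own.

```sh
#!/bin/sh
# Added example (not from the book or vsftpd): audit a vsftpd.conf for the
# risky combinations discussed in this section. Helper names are hypothetical.

# Print the effective value of KEY in FILE. vsftpd treats only whole lines
# beginning with '#' as comments, so only those are dropped. If a key appears
# more than once, the last occurrence is taken (an assumption of this helper).
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2=" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]'
}

# Compiled-in defaults for keys absent from the file. anonymous_enable defaults
# to YES upstream; Ubuntu's shipped file only turns it off by writing
# anonymous_enable=NO explicitly, so deleting that line instead of editing it
# quietly re-opens anonymous access. Every other key checked here defaults to NO.
vsftpd_default() {
    case "$1" in
        anonymous_enable) echo YES ;;
        *) echo NO ;;
    esac
}

# Exit 0 when KEY is effectively on in FILE (vsftpd accepts YES/TRUE/1, any case).
vsftpd_is_yes() {
    v=$(vsftpd_get "$1" "$2")
    if [ -z "$v" ]; then v=$(vsftpd_default "$2"); fi
    case "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; prints nothing for a read-only anonymous server
# or a TLS-only, chrooted local-user server.
vsftpd_audit() {
    f=$1
    [ -n "$(vsftpd_get "$f" anonymous_enable)" ] ||
        echo "anonymous_enable is not set: vsftpd's compiled-in default is YES"
    if vsftpd_is_yes "$f" anonymous_enable; then
        if vsftpd_is_yes "$f" write_enable; then
            vsftpd_is_yes "$f" anon_upload_enable &&
                echo "anonymous users may upload files (anon_upload_enable)"
            vsftpd_is_yes "$f" anon_mkdir_write_enable &&
                echo "anonymous users may create directories (anon_mkdir_write_enable)"
            vsftpd_is_yes "$f" anon_other_write_enable &&
                echo "anonymous users may delete or rename files (anon_other_write_enable)"
        fi
        vsftpd_is_yes "$f" local_enable &&
            echo "anonymous and local logins are mixed on one server"
    fi
    if vsftpd_is_yes "$f" local_enable; then
        vsftpd_is_yes "$f" ssl_enable ||
            echo "local logins without ssl_enable: passwords cross the network in the clear"
        vsftpd_is_yes "$f" chroot_local_user ||
            echo "local users are not confined to their home directories (chroot_local_user)"
    fi
    return 0
}

# Number of findings, for scripting (0 means nothing was flagged).
vsftpd_finding_count() {
    vsftpd_audit "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample configurations (not Ubuntu's shipped file).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# anonymous server that also accepts uploads and deletes, plus local logins
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# read-only anonymous distribution server, as the chapter recommends
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
anon_max_rate=512000
idle_session_timeout=300
EOF

# Local-user server whose admin "cleaned up" the file by deleting the
# anonymous_enable=NO line: the compiled-in default puts anonymous access back.
LOCAL_ONLY_CONF=$(mktemp)
cat > "$LOCAL_ONLY_CONF" <<'EOF'
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
EOF

for c in "$WEAK_CONF" "$HARDENED_CONF" "$LOCAL_ONLY_CONF"; do
    echo "== $c: $(vsftpd_finding_count "$c") finding(s)"
    vsftpd_audit "$c"
done
```

Run it against /etc/vsftpd.conf after every edit (sh audit.sh, then vsftpd_audit /etc/vsftpd.conf) and before restarting the daemon; the third sample is the case that bites in practice, because nothing in the file says "anonymous" and yet anonymous logins are on.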
Other vsftpd Server Configuration Files
You can edit vsftpd.conf to enable, disable, and configure many features and settings of the vsftpd server, such as user access, filtering of bogus passwords, and access logging. Some features might require the creation and configuration of other files, such as the following:
/etc/vsftpd.user_list—The default userlist_file, consulted when userlist_enable=YES. With userlist_deny=YES (the default), the usernames listed are refused before a password is even requested; with userlist_deny=NO, only the listed usernames may log in. An alternative file can be specified by using the userlist_file option.
/etc/vsftpd.chroot_list—The default chroot_list_file, consulted when chroot_list_enable=YES. Its meaning flips with chroot_local_user: when chroot_local_user=NO, the listed users are the ones confined (chrooted) to their home directory; when chroot_local_user=YES, the listed users are the exceptions that are not confined. An alternative file can be specified by using the chroot_list_file option.
/etc/vsftpd.banned_emails—A list of anonymous passwords (the e-mail addresses anonymous clients supply) that are refused when deny_email_enable=YES. An alternative file can be specified by using the banned_email_file option.
/var/log/vsftpd.log—Data transfer information is captured to this file if logging is enabled using the xferlog_enable setting.
Tip
Whenever you’re editing the FTP server files, make a backup file first. Also, it is always a good idea to comment out (using a pound sign, #, at the beginning of a line) what is changed instead of deleting or overwriting entries. Follow these comments with a brief description explaining why the change was made. This leaves a nice audit trail of what was done, by whom, when, and why. If you have any problems with the configuration, these comments and details can help you troubleshoot and return to valid entries if necessary. You can use the dpkg command or other Linux tools (such as mc) to extract a fresh copy of a configuration file from the software’s package archive. Be aware, however, that the extracted version replaces the current version and overwrites your configuration changes.
Default vsftpd Behaviors
The contents of a file named .message (if it exists in the current directory) are displayed when a user enters the directory. This feature is enabled in the configuration file. FTP users are not allowed to perform recursive directory listings, which helps reduce bandwidth.
Another default is that no per-user login controls are set, but you can configure them (with the userlist settings described earlier) to deny access to one or more users.
The data transfer rate for anonymous client access is unlimited, but you can set a maximum rate (in bytes per second) by using the anon_max_rate setting in vsftpd.conf. This can be useful for throttling bandwidth use during periods of heavy access, but waiting until heavy use occurs to change the setting could cause problems because you would kill any current connections when you restart the FTP server daemon. If you anticipate heavy FTP usage, change this setting before it happens or during a scheduled maintenance cycle. Another default is that remote clients are logged out after five minutes (300 seconds) of inactivity or a stalled data transfer. You can change these timeouts by uncommenting idle_session_timeout (idle control connections) and data_connection_timeout (stalled transfers) and setting the time in seconds before the session is disconnected.
Other settings that might be important for managing your system’s resources (networking bandwidth or memory) when offering FTP access include the following:
dirlist_enable—Toggles directory listings on or off.
dirmessage_enable—Toggles display of a message when the user enters a directory. A related setting is ls_recurse_enable, which you can use to disallow recursive directory listings.
download_enable—Toggles downloading on or off.
max_clients—Sets a limit on the maximum number of connections.
max_per_ip—Sets a limit on the number of connections from the same IP address.
Using the ftphosts File to Allow or Deny FTP Server Connection
You can create a file in /etc called ftphosts to allow or deny specific users or addresses from connecting to the FTP server. The format of the file is the word allow or deny, optionally followed by a username, followed by an IP or a DNS address:
allow username address
deny username address
Listing 27.2 shows a sample configuration of this file.
LISTING 27.2 ftphosts Configuration File for Allowing or Denying Users
# Example host access file
#
# Everything after a '#' is treated as comment,
# empty lines are ignored
allow fatima 208.164.186.1 208.164.186.2 208.164.186.4
deny richard 208.164.186.5
allow jane ubuntuforums.org
deny john naughtysite.net
allow ahmed 192.168.101.*
allow ahmed *.ubuntu.com
allow ahmed *.matthewhelmke.net
deny anonymous 201.*
The * is a wildcard that matches any string in that position of the address. For example, allow ahmed *.matthewhelmke.net allows the user ahmed to log in to the FTP server from any host whose name ends in .matthewhelmke.net. Similarly, deny anonymous 201.* refuses anonymous logins from any address whose first octet is 201, that is, the whole 201.0.0.0/8 block rather than a single Class C network. Name-based rules depend on a reverse DNS lookup of the client's address, and whoever controls the client's IP block also controls that PTR record, so prefer IP patterns where you can. The file should be owned by root with permissions set to 600.
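Because a mistake in this file either locks out legitimate users or lets an unwanted client in, it is worth checking the rules offline before trusting a server to enforce them. The following shell script is an added example, not from the book: a matcher for the ftphosts format described above, run against the chapter's sample file (written to a temporary file) and a few constructed client addresses. The precedence it applies is this example's assumption, since the chapter does not state one: a matching deny line always wins; if the user has any allow lines, the address must match one of them; a user with no lines at all is allowed.

```sh
#!/bin/sh
# Added example (not from the book): evaluate an ftphosts rule set for one
# user and client address. Helper names and precedence are this example's own.

# ftphosts_decision FILE USER ADDRESS -> prints "allow" or "deny".
# The body runs in a subshell so 'set -f' and the positional parameters do
# not leak out. Without -f, a pattern such as *.ubuntu.com would be expanded
# against the current directory instead of being treated as a pattern.
ftphosts_decision() (
    set -f
    file=$1 user=$2 addr=$3
    has_allow=0 matched_allow=0 denied=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # everything after '#' is a comment
        set -- $line                     # split into: action user address...
        [ $# -ge 3 ] || continue         # blank, comment-only or malformed line
        action=$1 ruser=$2
        shift 2
        [ "$ruser" = "$user" ] || continue
        if [ "$action" = allow ]; then has_allow=1; fi
        for pat in "$@"; do
            case "$addr" in
                $pat)                    # shell pattern match: '*' is the wildcard
                    if [ "$action" = deny ]; then denied=1; else matched_allow=1; fi ;;
            esac
        done
    done < "$file"
    if [ "$denied" -eq 1 ]; then
        echo deny
    elif [ "$has_allow" -eq 1 ] && [ "$matched_allow" -eq 0 ]; then
        echo deny                        # user is restricted to listed addresses
    else
        echo allow
    fi
)

# The chapter's sample ftphosts, written to a temporary file for this run.
FTPHOSTS=$(mktemp)
cat > "$FTPHOSTS" <<'EOF'
# Example host access file
allow fatima 208.164.186.1 208.164.186.2 208.164.186.4
deny richard 208.164.186.5
allow jane ubuntuforums.org
deny john naughtysite.net
allow ahmed 192.168.101.*
allow ahmed *.ubuntu.com
allow ahmed *.matthewhelmke.net
deny anonymous 201.*
EOF

# Constructed probes: user and the address (or reverse-resolved name) seen.
for probe in "fatima 208.164.186.2" "fatima 208.164.186.3" \
             "richard 208.164.186.5" "richard 10.0.0.1" \
             "ahmed 192.168.101.77" "ahmed ftp.ubuntu.com" "ahmed 10.1.1.1" \
             "anonymous 201.5.6.7" "anonymous 198.51.100.9"; do
    set -- $probe
    printf '%-10s %-16s %s\n' "$1" "$2" "$(ftphosts_decision "$FTPHOSTS" "$1" "$2")"
done
```

Note that a name such as ftp.ubuntu.com only reaches the matcher if the server resolved it from the client's address, which is exactly the lookup an attacker's own PTR record can influence; the IP-pattern rules in the file do not have that weakness.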
Changes made to an inetd-spawned FTP server's configuration files only become active after you restart inetd, because the files are parsed only at startup. (vsftpd does not read /etc/ftphosts at all: it runs as a standalone service, its equivalent controls are the userlist settings in vsftpd.conf together with your firewall rules, and it is restarted with sudo service vsftpd restart.) To restart inetd as root, issue the command /etc/init.d/inetutils-inetd restart. This makes a call to the same shell script that is called at system startup and shutdown for any runlevel to start or stop the inet daemon. inetd should report its status as follows:
matthew@seymour:~$ sudo /etc/init.d/inetutils-inetd restart
Stopping internet superserver inetd: [ OK ]
Starting internet superserver inetd: [ OK ]
After it is restarted, the FTP server accepts incoming connections, subject to the allow and deny rules in ftphosts.
References
www.cert.org/—Computer Emergency Response Team.
www.openssh.com/—The OpenSSH home page and source for the latest version of OpenSSH and its component clients, such as sftp.
http://vsftpd.beasts.org/—Home page for the vsftpd FTP server.
https://help.ubuntu.com/community/FtpServer—Ubuntu community documentation for setting up and using an FTP server.
https://help.ubuntu.com/14.04/serverguide/ftp-server.html—Official Ubuntu documentation for setting up and using vsftpd.