Fading Coder

One Final Commit for the Last Sprint

Understanding and Deploying an FTP File Transfer Service

Overview of FTP

The File Transfer Protocol (FTP) is a standardized network protocol for transferring files between a client and a server over a TCP/IP network. It follows a client-server model and provides commands for file upload, download, directory listing, and file management. Plain FTP sends credentials and file contents in cleartext, so on any untrusted network it should be replaced by FTPS (FTP over TLS) or by SFTP (file transfer over SSH, which is a different protocol despite the name).

  • Purpose: Facilitates bidirectional file transfer (upload and download) between systems.
  • Architecture: Client-server model using TCP for reliable transmission, with a separate control connection and data connection.
  • Default Ports: TCP port 21 for the command/control connection. In active mode the server sends data from TCP port 20; in passive mode the data connection uses a server-chosen high port instead.
  • Common Software: vsftpd (Very Secure FTP Daemon) is a prevalent server implementation on Linux.

Client Tools for FTP Access

Various tools are available for connecting to FTP servers.

  • Linux: Command-line clients such as ftp and lftp. lftp logs in as anonymous when no username is given and can download whole directory trees with its mirror command.
  • Windows: Graphical clients such as FileZilla or FlashFXP, or the FTP support built into the Windows Explorer address bar (current browsers no longer open ftp:// URLs).

FTP Operational Modes

FTP uses two distinct modes to establish data connections: Active and Passive.

Active Mode

In active mode, the server initiates the data connection back to the client.

  1. The client opens a random command port (N > 1023) and a random data port (M > 1023). It connects from port N to the server's port 21 and tells the server, with a PORT command, which address and port (M) to connect back to.
  2. The server's command port (21) responds to the client's command port (N).
  3. The server's data port (20) initiates a connection to the client's data port (M).
  4. The client's data port (M) accepts the connection.

Because step 3 is an inbound connection to the client, active mode breaks when the client sits behind NAT or a stateful firewall without an FTP helper.

Passive Mode (Default)

In passive mode, the client initiates both the command and data connections to the server.

  1. The client opens a random command port (N > 1023) and a random data port (M > 1023). It connects from port N to the server's port 21 and sends the PASV command.
  2. The server responds on port 21, opens a random high-numbered data port (P > 1023), and tells the client the address and port in its 227 reply.
  3. The client then initiates a data connection from its data port (M) to the server's new data port (P).
  4. The server accepts the connection on port P.

Passive mode is usually the default because every connection is outbound from the client, which client-side firewalls and NAT allow without special handling. The server side must then permit inbound connections to its passive port range (pasv_min_port/pasv_max_port in vsftpd) or run a firewall with an FTP connection-tracking helper.
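The two modes differ only in who connects, but both carry the data endpoint over the control channel in the same six-number encoding from RFC 959: four address octets and the port split into a high and a low byte (port = p1*256 + p2). The following bash script is an added example, not code from the original article, that decodes a 227 PASV reply, builds a PORT command, and refuses a PASV reply whose advertised address differs from the control connection's peer. The addresses, ports, and the sample exchange are constructed for illustration; the mention of curl's --ftp-skip-pasv-ip option is the real client flag for the same defence.

```bash
#!/bin/bash
# Added example, not code from the original article: how the FTP control channel
# encodes the data-connection endpoint (RFC 959). In passive mode the server's
# "227" reply carries six comma-separated numbers: four address octets and the
# port split as high byte, low byte (port = p1*256 + p2). In active mode the
# client sends the same encoding in a PORT command. All addresses, ports and
# replies below are constructed for illustration.

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "h1.h2.h3.h4 port".
pasv_decode() {
  local reply=$1 inner f h1 h2 h3 h4 p1 p2
  [[ $reply == 227* ]] || return 1            # only a 227 reply carries an endpoint
  inner=${reply#*\(}                          # keep text after the '('
  inner=${inner%%\)*}                         # and before the ')'
  IFS=, read -r h1 h2 h3 h4 p1 p2 <<< "$inner"
  for f in "$h1" "$h2" "$h3" "$h4" "$p1" "$p2"; do
    [[ $f =~ ^[0-9]{1,3}$ ]] && (( 10#$f <= 255 )) || return 1   # each field is one byte
  done
  printf '%s.%s.%s.%s %d\n' "$h1" "$h2" "$h3" "$h4" $(( 10#$p1 * 256 + 10#$p2 ))
}

# Defensive variant: a PASV reply that names an address other than the control
# connection's peer is suspicious (a malicious or misconfigured server could steer
# the data connection at a third host), so refuse it. Most clients ignore the
# advertised address for the same reason; curl exposes this as --ftp-skip-pasv-ip.
pasv_check_peer() {
  local ctrl_ip=$1 reply=$2 out
  out=$(pasv_decode "$reply") || return 1
  if [[ ${out%% *} != "$ctrl_ip" ]]; then
    echo "PASV advertised ${out%% *}, control peer is $ctrl_ip; refusing" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Build the active-mode PORT command for a client address and data port M.
port_encode() {
  local ip=$1 port=$2
  [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
  (( port > 1023 && port <= 65535 )) || return 1   # M > 1023 as described above
  printf 'PORT %s,%d,%d\n' "${ip//./,}" $(( port / 256 )) $(( port % 256 ))
}

# Constructed passive-mode exchange (C: client, S: server); the client then opens
# its data connection to 192.168.1.10:50000 (195*256 + 80).
#   C: PASV
#   S: 227 Entering Passive Mode (192,168,1,10,195,80).
#   C: LIST
#   S: 150 Here comes the directory listing.
#   S: 226 Directory send OK.
main() {
  pasv_check_peer 192.168.1.10 '227 Entering Passive Mode (192,168,1,10,195,80).'
  port_encode 10.0.0.5 40000
}
[[ ${BASH_SOURCE[0]} == "$0" ]] && main
```

Run stand-alone it prints the decoded endpoint `192.168.1.10 50000` and the command `PORT 10,0,0,5,156,64`. The peer check is the part worth keeping in any client you write: a server that can point your data connection at an arbitrary address can turn the client into a scanner or proxy, which is why mainstream clients connect to the control peer's address no matter what the 227 reply says.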

Deploying an FTP Server

Here is a process for deploying a vsftpd server on a Linux system (RHEL/CentOS style, using yum and systemd).

  1. Disable the firewall and SELinux. This is acceptable only for a throwaway lab; a production host keeps both enabled and instead allows the FTP service through the firewall and grants vsftpd the SELinux booleans it needs.
# Stop and disable the firewall
systemctl stop firewalld
systemctl disable firewalld
# Temporarily disable SELinux (until the next boot)
setenforce 0
# Permanently disable SELinux
# Edit /etc/selinux/config and set SELINUX=disabled
  2. Configure a YUM repository. For a local DVD/CD source, mount the media and rebuild the cache (a .repo file pointing at the mount must already exist):
mount /dev/cdrom /mnt
yum clean all
yum makecache
  3. Install the vsftpd package.
yum install -y vsftpd
  4. Start and enable the service.
systemctl start vsftpd
systemctl enable vsftpd
  5. Test connectivity. Determine the server's IP address and connect from a client using an FTP client or the Windows Explorer address bar (ftp://server_ip/); current browsers no longer open ftp:// URLs.
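The same deployment with the firewall and SELinux left on, as an added example that is not part of the original article. It assumes a RHEL/CentOS-style host with firewalld, SELinux and a working yum repository, and it changes nothing unless invoked with --apply. The ftpd_full_access boolean and the firewalld "ftp" service are real names; the ss output embedded at the bottom is constructed so that the listening check can be exercised offline.

```bash
#!/bin/bash
# Added example, not code from the original article: deploy vsftpd on a RHEL/CentOS
# style host while keeping firewalld and SELinux enabled, instead of the "disable
# both" shortcut used for the lab walkthrough. Assumes a working yum repository and
# root privileges; nothing is changed unless the script is run with --apply.
set -u

install_and_enable() {
  yum install -y vsftpd
  systemctl enable --now vsftpd       # start now and on boot in one step
}

# Allow the FTP service instead of stopping firewalld. The stock "ftp" service
# definition opens TCP 21 and enables the FTP connection-tracking helper, which is
# what lets the firewall follow the separate data connections (active or passive).
open_firewall() {
  firewall-cmd --permanent --add-service=ftp
  firewall-cmd --reload
}

# Keep SELinux enforcing and grant only what vsftpd needs. ftpd_full_access is the
# broad boolean that lets local users read and write their files through vsftpd;
# it is still far narrower than setenforce 0.
allow_selinux_ftp() {
  setsebool -P ftpd_full_access on
}

# Post-install check: read `ss -ltn` output from stdin and succeed only if some
# socket is listening on PORT (handles both "*:21" and "[::]:21" forms).
listen_has_port() {
  awk -v want="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed `ss -ltn` output so listen_has_port can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     *:21               *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

deploy() {
  install_and_enable
  open_firewall
  allow_selinux_ftp
  if ! ss -ltn | listen_has_port 21; then
    echo "vsftpd is not listening on TCP 21; check 'systemctl status vsftpd'" >&2
    return 1
  fi
  echo "vsftpd up; firewall allows ftp; SELinux still $(getenforce)"
}

if [[ ${1:-} == --apply ]]; then
  deploy
fi
```

Run as root with `--apply`. If you later restrict passive mode to a fixed range in vsftpd.conf, either rely on the firewall's FTP helper to track the data connections or open that range explicitly; disabling firewalld is never the fix.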

Understanding vsftpd Configuration

The configuration files for vsftpd provide control over its behavior.

Key Files (list them with rpm -ql vsftpd):

  • /etc/vsftpd/vsftpd.conf: Main configuration file.
  • /etc/vsftpd/ftpusers: Users denied FTP access; enforced by the PAM stack (pam_listfile) in /etc/pam.d/vsftpd, so it applies regardless of what vsftpd.conf says.
  • /etc/vsftpd/user_list: Honored only when userlist_enable=YES. With userlist_deny=YES (the default) the listed users are rejected before they are even asked for a password; with userlist_deny=NO only the listed users may log in.
  • /var/ftp/: Default root directory for anonymous users.

To view the active configuration lines (excluding comments):

grep -v '^#' /etc/vsftpd/vsftpd.conf | grep -v '^$'

For detailed parameter explanations, consult the manual: man 5 vsftpd.conf.

Practical Configuration Scenario: A Support File Server

Requirements:

  1. Support staff must authenticate with credentials (support/securepass in this walkthrough; use a real password in practice).
  2. Anonymous access is prohibited.
  3. All support documents are stored in /data/support_docs.
  4. The support user is confined to this directory and cannot navigate outside it.

Implementation Steps:

  1. Create the user account.
useradd support
# --stdin is specific to RHEL-family passwd; the password also lands in shell history
echo 'securepass' | passwd --stdin support
  2. Disable anonymous access. Edit /etc/vsftpd/vsftpd.conf:
anonymous_enable=NO
  3. Define the user's root directory. First, create the directory and set ownership:
mkdir -p /data/support_docs
chown support:support /data/support_docs

Then, edit the configuration file:

local_root=/data/support_docs
  4. Restrict the user to that directory (chroot). In the configuration file, add or set:
chroot_local_user=YES

Note: vsftpd 3.x refuses to chroot a user into a directory that user can write to; the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". The chown above makes /data/support_docs writable by support, so one of two things is needed: add allow_writeable_chroot=YES (the weaker option, which is why vsftpd refuses it by default), or, better, leave the chroot root owned by root with mode 755 and give the support user a writable subdirectory inside it for uploads. Uploads additionally require write_enable=YES.

  5. Apply the configuration changes.

systemctl restart vsftpd

After completing these steps, the support user can log in via FTP and is confined to /data/support_docs.
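The scenario above, scripted so that the chroot root stays read-only for the support user and allow_writeable_chroot is never needed. This is an added example, not code from the original article. The layout (a root-owned /data/support_docs with a support-owned upload/ subdirectory), the passive port range, and the use of chpasswd instead of passwd --stdin are assumptions made here; the permission check mirrors the property vsftpd tests before chrooting (is the directory writable by the logging-in user), so it can be run before restarting the daemon instead of discovering the refusal at login time. Nothing is changed unless the script is run with "--apply <password>".

```bash
#!/bin/bash
# Added example, not code from the original article: the support file server
# scenario laid out so that vsftpd 3.x accepts the chrooted login without
# allow_writeable_chroot=YES. Hypothetical layout: /data/support_docs is the chroot
# root, owned by root and not writable by "support"; /data/support_docs/upload is the
# one place the user may write. The passive port range is an assumption; adjust it
# to match the firewall. Nothing is changed unless run with "--apply <password>".
set -u

# Pure permission logic: can USER (member of GROUPS, space-separated) write to a
# directory owned by OWNER:GROUP with octal MODE such as 755 or 2775? This is the
# property vsftpd tests before chrooting; a "yes" means it will refuse the login.
dir_writable_by() {
  local user=$1 groups=$2 owner=$3 group=$4 mode=$5 grp
  mode=$(printf '%04d' "$(( 10#$mode ))")   # normalise "755" -> "0755", "2775" stays
  mode=${mode: -3}                           # drop the setuid/setgid/sticky digit
  local u=${mode:0:1} g=${mode:1:1} o=${mode:2:1}
  [[ $owner == "$user" ]] && (( u & 2 )) && return 0
  for grp in $groups; do
    [[ $grp == "$group" ]] && (( g & 2 )) && return 0
  done
  (( o & 2 )) && return 0
  return 1
}

# Runtime wrapper: stat the real directory and look up the user's groups.
chroot_root_is_safe() {
  local dir=$1 user=$2 owner group mode
  read -r owner group mode < <(stat -c '%U %G %a' "$dir")
  ! dir_writable_by "$user" "$(id -Gn "$user")" "$owner" "$group" "$mode"
}

# The scenario's vsftpd.conf settings, emitted to stdout so they can be reviewed.
support_vsftpd_conf() {
  cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
local_root=/data/support_docs
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
xferlog_enable=YES
EOF
}

deploy_support_server() {
  local pass=$1 conf=/etc/vsftpd/vsftpd.conf key
  id support >/dev/null 2>&1 || useradd support
  printf 'support:%s\n' "$pass" | chpasswd    # portable alternative to passwd --stdin
  install -d -o root -g root -m 755 /data/support_docs               # chroot root: read-only for support
  install -d -o support -g support -m 755 /data/support_docs/upload  # the writable area
  if ! chroot_root_is_safe /data/support_docs support; then
    echo "/data/support_docs is writable by support; vsftpd would refuse the login" >&2
    return 1
  fi
  cp -a "$conf" "$conf.bak.$(date +%s)"
  # remove any existing copy of each key we set, then append the scenario block
  for key in $(support_vsftpd_conf | cut -d= -f1); do
    sed -i "/^${key}=/d" "$conf"
  done
  support_vsftpd_conf >> "$conf"
  systemctl restart vsftpd
}

if [[ ${1:-} == --apply ]]; then
  deploy_support_server "${2:?usage: $0 --apply <support-password>}"
fi
```

With SELinux enforcing, the ftpd_full_access boolean from the deployment step is what lets vsftpd read and write under /data; with it off you would instead label the tree (public_content_rw_t) and enable the matching write boolean. Either way the chroot root itself stays root-owned, so the "refusing to run with writable root" check passes and staff can still upload into upload/.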

Tags: FTP
