Linux Admin Reference – FTP/SFTP Services in Red Hat Enterprise Linux

In Red Hat Enterprise Linux 3 and later, the FTP service is provided by the vsftpd daemon. vsftpd stands for “Very Secure FTP Daemon” and is an FTP server for Unix-like systems. It supports IPv6 and SSL, as well as explicit and implicit FTPS. The vsftpd daemon runs as a standalone service and is not controlled by xinetd.

Enable FTP Services in RHEL

Step 1: Install the vsftpd package:

On Red Hat Enterprise Linux 5 or 6:

# yum -y install vsftpd

On Red Hat Enterprise Linux 3 or 4:

# up2date -i vsftpd

Step 2: Ensure that the GSSFTP service, a sub-service of xinetd, is disabled and inactive by issuing these commands:

# chkconfig gssftp off
# service xinetd restart

Step 3: Configure the vsftpd service to be started when the system boots and start the service:

# chkconfig vsftpd on
# service vsftpd start

Configure a non-anonymous FTP server in RHEL

1) Verify that the vsftpd package is installed.

# rpm -qa | grep vsftpd

2) If it is not installed, please install it as follows:

For RHEL 3 and RHEL4:

# up2date -i vsftpd

For RHEL 5 and RHEL 6:

# yum install vsftpd

3) Verify the localhost line in /etc/hosts looks like the following:

127.0.0.1 localhost.localdomain localhost

4) Next, configure the vsftpd.conf file. NOTE: back up the vsftpd.conf file first:

# cd /etc/vsftpd
# cp vsftpd.conf ./vsftpd.conf.ORIG

5) Using an editor, open the file ‘vsftpd.conf’.

[a] If you would like the FTP server to be accessed by anonymous users, make sure the following line is uncommented:

anonymous_enable=YES

Otherwise, to disable anonymous access:

anonymous_enable=NO

[b] If you would like the FTP server to be accessed by local users, make sure the following line is uncommented:

local_enable=YES

Otherwise, to disable local user access:

local_enable=NO

6) Start the ‘vsftpd’ service.

# service vsftpd start

7) To make the vsftpd service persistent across reboots:

# chkconfig vsftpd on

8) Login Test

a) To test the configuration run the following command:

# ftp localhost

b) Log in as the anonymous user or a local user and supply the password.

c) This should show an ftp prompt. Type ‘bye’ to exit to the command prompt.

Firewall Ports to be opened to allow access to the FTP server in your Environment

1) The FTP client opens two dynamic ports: a command port (for example port 1025) and a data transfer port (the command port + 1, for example port 1026).

2) The client then connects from its command port to port 21 on the server, but instead of sending a PORT command it sends a PASV command, which tells the server that the connection is to be set up in passive mode.

3) When it reads the PASV command, the server opens a random dynamic port (for example 1027), which is forwarded to port 20 (the server’s default data transfer port), and sends that port number back to the client.

4) The FTP client then initiates the connection from its data port (port 1026) to the server’s data port (port 1027) and starts the data transfer.

Hence, on the server side ports 21 and 20 should be opened. There is no need to open port 1027, the random port opened by the server as mentioned in point (3), since it forwards the data to server port 20.

Configure root access for FTP

Root access via FTP is blocked by default, and root access is not recommended. Use these suggestions at your discretion: they are not recommended, but may be helpful in certain circumstances.

Step 1: Add the following to /etc/vsftpd/vsftpd.conf:

chroot_local_user=YES
anon_root=/
local_root=/

Step 2: Comment out the root lines in both of the files listed below (by default they are not commented out):

# cat /etc/vsftpd/user_list

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
# root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

# cat /etc/vsftpd/ftpusers

# Users that are not allowed to login via ftp
# root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

Step 3: Restart vsftpd:

# service vsftpd restart

Configure vsftpd to allow passive mode connections

Step 1: Add the following lines to the /etc/vsftpd/vsftpd.conf configuration file:

pasv_enable=YES
pasv_min_port=<port number>
pasv_max_port=<port number>

Step 2: Then restart the vsftpd service:

# service vsftpd restart
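The passive-mode exchange described in the firewall section above and the pasv_min_port/pasv_max_port range from this section meet in the server's “227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)” reply. The following shell script is an added example and not part of the original article: it decodes the address and port from a 227 reply (port = p1 × 256 + p2) and checks that port against the range configured in a vsftpd.conf, which is the quickest way to confirm that the range you opened on the firewall is the one vsftpd actually hands out. The 227 replies and the config fragment are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: decode vsftpd "227 Entering Passive Mode"
# replies and check the announced port against pasv_min_port/pasv_max_port.
# Function names are this example's own; inputs below are constructed samples.

# pasv_fields "227 ... (h1,h2,h3,h4,p1,p2)" -> the six numbers, space separated
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' '
}

# pasv_port "227 ..." -> data port announced by the server (p1 * 256 + p2)
pasv_port() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# pasv_host "227 ..." -> dotted address announced by the server
pasv_host() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4"
}

# conf_get KEY FILE -> value of the last "KEY=VALUE" line in FILE
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# pasv_in_range PORT MIN MAX -> 0 when MIN <= PORT <= MAX
pasv_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_pasv_reply "227 ..." CONF -> "ok PORT" (exit 0) or "outside PORT" (exit 1)
check_pasv_reply() {
    port=$(pasv_port "$1") || return 2
    min=$(conf_get pasv_min_port "$2")
    max=$(conf_get pasv_max_port "$2")
    if pasv_in_range "$port" "$min" "$max"; then
        echo "ok $port"
    else
        echo "outside $port"
        return 1
    fi
}

# Constructed sample vsftpd.conf fragment: a pinned 40000-40100 passive range
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
EOF

# Constructed sample replies: one inside the configured range, one outside it
IN_RANGE='227 Entering Passive Mode (10,65,209,78,156,64)'
OUTSIDE='227 Entering Passive Mode (127,0,0,1,105,145)'

echo "$(pasv_host "$IN_RANGE"): $(check_pasv_reply "$IN_RANGE" "$SAMPLE_CONF")"
echo "$(pasv_host "$OUTSIDE"): $(check_pasv_reply "$OUTSIDE" "$SAMPLE_CONF")" || :
```

In passive mode the port in the 227 reply is the one the client connects to for data, so pinning pasv_min_port and pasv_max_port lets a stateless firewall permit a known range on the server instead of every high port; running check_pasv_reply on replies captured from a real session confirms that the running daemon honours the range in the file.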

Turn off passive mode for FTP connections

Passive mode can be disabled on the vsftpd server side by adding the following line to vsftpd.conf and restarting the vsftpd service:

pasv_enable=NO

# /etc/init.d/vsftpd restart

To disable passive mode on the client side it must be specified explicitly, as most clients use passive mode by default for FTP connections. For example, in the command line ftp client the “passive” command toggles passive mode on and off:

ftp 10.65.209.78
Connected to 10.65.209.78.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.65.209.78:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp>


The lftp client has an option to turn passive mode off by default. To disable passive mode in lftp and make active mode the default, run the following command:

# echo "set ftp:passive-mode 0" >> /etc/lftp.conf

Configuring vsftpd with SSL/TLS

The following are implementations of secure FTP services and can be installed with standard yum commands:

  • vsftpd — A standalone, security oriented implementation of the FTP service
  • gssftpd — A Kerberos-aware xinetd-based FTP daemon that does not transmit authentication information over the network
  • Red Hat Content Accelerator (tux) — A kernel-space Web server with FTP capabilities

Steps to set up SSL encryption for FTP transfers

Note: the process below assumes that a certificate has already been obtained from a CA, or that a self-signed certificate has been created. For the CA-signed case, it assumes the certificate file received from the CA is named “www.domain.com.crt”.

Procedure to configure using a CA-signed certificate

Step 1: Place the certificate at /etc/pki/tls/certs/www.domain.com.pem:

# mv www.domain.com.crt /etc/pki/tls/certs/www.domain.com.pem

Step 2: Change the owner and permissions so that root is the only user that can read this file:

# chmod 600 /etc/pki/tls/certs/www.domain.com.pem
# chown root:root /etc/pki/tls/certs/www.domain.com.pem

Step 3: Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and append or modify the options as shown below:

ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/pki/tls/certs/www.domain.com.pem
rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key

# Uncomment ssl_request_cert option if SSL/TLS connection is used by IBM’s zOS ftp client
# read man vsftpd.conf for further information
#ssl_request_cert=NO

Note: The above directives enable SSL for local users but disable SSL for anonymous connections and force SSL for data transfers and logins.

Step 4: Restart the vsftpd service.

# service vsftpd restart

Procedure to configure using a self-signed certificate

Step 1: Generate a self-signed certificate in the /etc/vsftpd directory.

To create a self-signed certificate on Red Hat Enterprise Linux 4:

# cd /usr/share/ssl/certs
# make /etc/vsftpd/vsftpd.pem

To create a self-signed certificate on Red Hat Enterprise Linux 5 and 6:

# cd /etc/pki/tls/certs/
# make /etc/vsftpd/vsftpd.pem

Step 2: Change the permissions so that root is the only user that can read this file:

# chmod 600 /etc/vsftpd/vsftpd.pem

Step 3: Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and append or modify the options as shown below:

ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/vsftpd/vsftpd.pem

# Uncomment ssl_request_cert option if SSL/TLS connection is used by IBM’s zOS ftp client
# read man vsftpd.conf for further information
#ssl_request_cert=NO


Note: The above directives enable SSL for local users but disable SSL for anonymous connections and force SSL for data transfers and logins. For a more detailed description of the available directives, see the vsftpd.conf man page (man vsftpd.conf).

Step 4: Restart the vsftpd service.

# service vsftpd restart
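To see what the Step 3 directives of the two procedures above actually grant, here is an added shell example that is not part of the original article. It reads the SSL-related keys from a vsftpd.conf as KEY=VALUE lines (taking the last occurrence, and falling back to the defaults documented in man vsftpd.conf when a key is absent), prints the effective posture, warns on weak settings, and checks that the certificate file is root-only. Run against the article's directives as written, it reports that force_local_data_ssl=NO leaves the data channel optional and that allow_anon_ssl=YES permits TLS for anonymous sessions; the hardened variant in the block forces TLS for data as well. The configuration files are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: summarize the SSL/TLS posture a
# vsftpd.conf actually configures and check certificate file permissions.
# Defaults used for absent keys follow man vsftpd.conf. Function names are
# this example's own; the config files below are constructed samples.

# conf_get KEY FILE DEFAULT -> value of the last "KEY=VALUE" line, else DEFAULT
conf_get() {
    v=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# yesno VALUE IF_YES IF_NO -> IF_YES when VALUE is YES, else IF_NO
yesno() {
    if [ "$1" = YES ]; then echo "$2"; else echo "$3"; fi
}

# ssl_posture FILE -> one-line summary of the effective SSL settings
ssl_posture() {
    f=$1
    if [ "$(conf_get ssl_enable "$f" NO)" != YES ]; then
        echo "ssl=off"
        return 0
    fi
    logins=$(yesno "$(conf_get force_local_logins_ssl "$f" YES)" forced optional)
    data=$(yesno "$(conf_get force_local_data_ssl "$f" YES)" forced optional)
    anon=$(yesno "$(conf_get allow_anon_ssl "$f" NO)" allowed denied)
    v2=$(yesno "$(conf_get ssl_sslv2 "$f" NO)" on off)
    v3=$(yesno "$(conf_get ssl_sslv3 "$f" NO)" on off)
    echo "ssl=on local_logins=$logins local_data=$data anon_ssl=$anon sslv2=$v2 sslv3=$v3"
}

# ssl_warnings FILE -> one WARN line per weak setting; exit 1 if any were found
ssl_warnings() {
    p=$(ssl_posture "$1")
    rc=0
    case $p in
        ssl=off) echo "WARN: ssl_enable is not YES; logins and data travel in plaintext"; rc=1 ;;
    esac
    case $p in
        *local_data=optional*) echo "WARN: force_local_data_ssl=NO; file transfers may be plaintext"; rc=1 ;;
    esac
    case $p in
        *sslv2=on*|*sslv3=on*) echo "WARN: obsolete SSLv2/SSLv3 enabled"; rc=1 ;;
    esac
    return $rc
}

# cert_mode PATH -> octal permission bits (GNU stat, as shipped on RHEL)
cert_mode() {
    stat -c %a "$1"
}

# cert_perms_ok PATH -> 0 when the file is owned by root and mode 600 or 400
cert_perms_ok() {
    perm=$(stat -c '%U %a' "$1")
    case $perm in
        "root 600"|"root 400") return 0 ;;
        *) echo "WARN: $1 is '$perm', expected root 600"; return 1 ;;
    esac
}

# Constructed sample: the article's Step 3 directives as written
ARTICLE_CONF=$(mktemp)
cat > "$ARTICLE_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/www.domain.com.pem
EOF

# Constructed sample: the same file with TLS forced on the data channel and
# anonymous TLS sessions not allowed
HARDENED_CONF=$(mktemp)
sed -e 's/^force_local_data_ssl=NO/force_local_data_ssl=YES/' \
    -e 's/^allow_anon_ssl=YES/allow_anon_ssl=NO/' "$ARTICLE_CONF" > "$HARDENED_CONF"

ssl_posture "$ARTICLE_CONF"
ssl_warnings "$ARTICLE_CONF" || :
ssl_posture "$HARDENED_CONF"
```

Point cert_perms_ok at the rsa_cert_file and rsa_private_key_file paths from the real configuration after Step 2; the test of the mode alone is separated out so it can be checked by a non-root user.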

Notes:

  • Use a client that supports the FTPS protocol. On Linux, gftp does this quite well; however, it initially rejects self-signed server certificates. This can be fixed by disabling the “Verify SSL Peer” setting in the options. When making connections, be sure to select the FTPS protocol.
  • For Windows, the SmartFTP client is also capable of TLS/SSL connections. The FTP server first needs to be configured as a “Favourite Site”, then the properties need to be adjusted to use the “FTP over SSL Explicit” protocol. Save the changes and connect.
  • To connect over TLS/SSL from Firefox: install the FireFTP add-on, restart Firefox, and try to connect to “ftps://IP”.

Configure vsftpd to allow the anonymous user to upload and delete files

By default the anonymous user is not allowed to upload files to the /var/ftp/pub directory. Sometimes a directory is needed where shared files can be uploaded and deleted.

Below is the procedure to configure vsftpd so that the anonymous user can upload and delete files.

1. Create the shared directory in /var/ftp/pub and change its permission to 777.

# cd /var/ftp/pub
# mkdir sharing
# chgrp ftp sharing
# chmod 770 sharing

2. Modify /etc/vsftpd/vsftpd.conf to permit the anonymous user to upload and delete files.

# vim /etc/vsftpd/vsftpd.conf

anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Note: the parameter anon_other_write_enable needs to be added manually. It allows anonymous users to perform write operations other than upload and directory creation, such as deletion and renaming.

3. Restart the vsftpd service:

# service vsftpd restart

4. Verify that upload and delete operations work over an FTP connection:

# ftp ftpservername

Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,105,145)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Feb 21 17:18 pub
226 Directory send OK.
ftp> cd pub/sharing
250 Directory successfully changed.
ftp> put a
local: a remote: a
227 Entering Passive Mode (127,0,0,1,168,5)
150 Ok to send data.
226 File receive OK.
ftp> ls
227 Entering Passive Mode (127,0,0,1,232,122)
150 Here comes the directory listing.
-rw------- 1 14 50 0 Feb 21 17:22 a
ftp> delete a
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (127,0,0,1,69,55)
150 Here comes the directory listing.
226 Directory send OK.

Note that uploading files directly into the anonymous user’s root directory is not allowed, for security reasons.
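The following shell script is an added example and not part of the original article. It reports which write operations a vsftpd.conf grants to anonymous sessions, including the global write_enable gate that the four directives above depend on (man vsftpd.conf: the anon_* write options have no effect unless write_enable=YES, and its default is NO), and checks the directory layout from step 1: the anonymous root must stay read-only for the ftp user's group and for others while only the designated sharing directory is writable, which is the property behind the note above. The config files and the directory tree are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: report the write operations a
# vsftpd.conf grants to anonymous users and check that the anonymous root
# itself is not group- or world-writable. Function names are this example's
# own; config files and the directory tree below are constructed samples.

# conf_get KEY FILE DEFAULT -> value of the last "KEY=VALUE" line, else DEFAULT
conf_get() {
    v=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# anon_write_caps FILE -> summary of what anonymous sessions may write
# (man vsftpd.conf defaults: anonymous_enable=YES, write_enable=NO, anon_*=NO)
anon_write_caps() {
    f=$1
    if [ "$(conf_get anonymous_enable "$f" YES)" != YES ]; then
        echo "anonymous=off"
        return 0
    fi
    # every anon_* write option is ignored unless write_enable=YES
    if [ "$(conf_get write_enable "$f" NO)" != YES ]; then
        echo "anonymous=on writes=none (write_enable is not YES)"
        return 0
    fi
    up=$(conf_get anon_upload_enable "$f" NO)
    mk=$(conf_get anon_mkdir_write_enable "$f" NO)
    ot=$(conf_get anon_other_write_enable "$f" NO)
    echo "anonymous=on upload=$up mkdir=$mk delete_rename=$ot"
}

# dir_locked_down DIR -> 0 when neither group nor other may write to DIR
dir_locked_down() {
    # GNU stat %A prints e.g. drwxr-xr-x; characters 6 and 9 are the group/other write bits
    [ "$(stat -c %A "$1" | cut -c6,9)" = "--" ]
}

# anon_tree_ok ROOT SHARE -> 0 when ROOT is read-only for group/others while the
# designated SHARE directory is writable, so uploads can land only in SHARE
anon_tree_ok() {
    dir_locked_down "$1" && ! dir_locked_down "$2"
}

# Constructed sample: the article's four directives, as written
NO_WRITE_CONF=$(mktemp)
cat > "$NO_WRITE_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF

# Constructed sample: the same directives with the global write_enable gate set
WRITE_CONF=$(mktemp)
{ echo write_enable=YES; cat "$NO_WRITE_CONF"; } > "$WRITE_CONF"

# Constructed sample tree mirroring /var/ftp/pub/sharing from step 1
ROOT=$(mktemp -d)
mkdir -p "$ROOT/pub/sharing"
chmod 755 "$ROOT" "$ROOT/pub"
chmod 770 "$ROOT/pub/sharing"

anon_write_caps "$NO_WRITE_CONF"
anon_write_caps "$WRITE_CONF"
anon_tree_ok "$ROOT" "$ROOT/pub/sharing" && echo "anonymous root read-only; uploads confined to pub/sharing"
```

On a live server run anon_write_caps against /etc/vsftpd/vsftpd.conf and anon_tree_ok against /var/ftp and /var/ftp/pub/sharing; the RHEL-shipped vsftpd.conf already carries write_enable=YES, which is why the article's fragment works there but would silently grant nothing on a configuration built from scratch.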

Enable logging for the SFTP server [RHEL5/RHEL6]

1. Edit the /etc/ssh/sshd_config file, locate the Subsystem line and add the logging options:

Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE

2. Restart the sshd service:

# service sshd restart

Steps 3 and 4 below apply only to a chrooted SFTP server.

3. In addition to step 1 above, modify the syslogd configuration to add a logging socket inside the chroot directory:

# vi /etc/sysconfig/syslog

Find the line that reads as follows:

SYSLOGD_OPTIONS="-m 0"

Append -a /chroot_dir/dev/log (replace /chroot_dir with the actual chroot directory):

SYSLOGD_OPTIONS="-m 0 -a /chroot_dir/dev/log"

4. Restart syslog:

# service syslog restart
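Once the VERBOSE option from step 1 is in place, the useful question is what each user actually wrote, removed or renamed over SFTP. The following shell script is an added example and not part of the original article: it pulls the write-type operations out of an internal-sftp log, mapping each process id back to the user named in its “session opened” line, and counts the requests the server refused. The log lines are constructed samples in the format that sftp-server emits at VERBOSE level, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: extract write-type SFTP operations from
# the log produced by "Subsystem sftp internal-sftp -l VERBOSE". Function names
# are this example's own; the log lines below are constructed samples.

# sftp_writes LOGFILE -> one "USER OP PATH" line per open-for-write, remove,
# rename or mkdir, attributed to the user from the pid's session-opened line
sftp_writes() {
    awk '
    # remember which local user owns each internal-sftp pid
    / internal-sftp\[[0-9]+\]: session opened for local user / {
        pid = $0; sub(/.*internal-sftp\[/, "", pid); sub(/\].*/, "", pid)
        u = $0; sub(/.*session opened for local user /, "", u); sub(/ from.*/, "", u)
        user[pid] = u
        next
    }
    / internal-sftp\[[0-9]+\]: (open|remove|rename|mkdir) / {
        pid = $0; sub(/.*internal-sftp\[/, "", pid); sub(/\].*/, "", pid)
        msg = $0; sub(/.*internal-sftp\[[0-9]+\]: /, "", msg)
        op = msg; sub(/ .*/, "", op)
        # an open is only a write when its flags include WRITE
        if (op == "open" && msg !~ /flags [A-Z,]*WRITE/) next
        # the path is the first quoted string; rename logs the source as "old"
        path = msg; sub(/^[a-z]+ (name |old )?"/, "", path); sub(/".*/, "", path)
        who = (pid in user) ? user[pid] : "unknown"
        print who, op, path
    }' "$1"
}

# sftp_write_count LOGFILE -> number of write-type operations
sftp_write_count() {
    sftp_writes "$1" | wc -l | tr -d ' '
}

# sftp_denied_count LOGFILE -> number of requests the server refused
sftp_denied_count() {
    grep -c 'internal-sftp\[[0-9]*\]: sent status Permission denied' "$1" || :
}

# Constructed sample log: two sessions, one upload, one delete, one rename,
# one read-only open and one refused request
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 16 10:00:01 ftp01 internal-sftp[2345]: session opened for local user bob from [10.0.0.5]
Sep 16 10:00:02 ftp01 internal-sftp[2345]: opendir "/upload"
Sep 16 10:00:03 ftp01 internal-sftp[2345]: open "/upload/report.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Sep 16 10:00:03 ftp01 internal-sftp[2345]: close "/upload/report.txt" bytes read 0 written 1234
Sep 16 10:00:04 ftp01 internal-sftp[2345]: remove name "/upload/old.txt"
Sep 16 10:00:10 ftp01 internal-sftp[2399]: session opened for local user alice from [10.0.0.9]
Sep 16 10:00:11 ftp01 internal-sftp[2399]: open "/home/alice/notes.txt" flags READ mode 0666
Sep 16 10:00:12 ftp01 internal-sftp[2399]: rename old "/home/alice/a" new "/home/alice/b"
Sep 16 10:00:13 ftp01 internal-sftp[2399]: sent status Permission denied
Sep 16 10:00:20 ftp01 internal-sftp[2345]: session closed for local user bob from [10.0.0.5]
EOF

sftp_writes "$SAMPLE_LOG"
echo "writes: $(sftp_write_count "$SAMPLE_LOG") denied: $(sftp_denied_count "$SAMPLE_LOG")"
```

With the -f AUTHPRIV option from step 1 these lines land in /var/log/secure on RHEL, so sftp_writes /var/log/secure gives a per-user change list; in the chrooted case the entries only appear once the /chroot_dir/dev/log socket from step 3 exists, so an empty result after a known upload is itself a sign that the socket is missing.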

Ramdev


I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later at some point I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. And the result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/
