FTP stands for File Transfer Protocol. Normal internet users access web pages via the ‘http’ protocol; in FTP we deal only with files.
FTP is a protocol used to transfer files from one host to another. An FTP server holds files for sharing or downloading, and a client uses it to download those files to their own machine. To use any FTP server, enter ‘ftp://server IP address’ in the address bar.
Linux allows you to create your own FTP server. The default directory where you need to put files for sharing is ‘/var/ftp/pub’ on Red Hat based operating systems and ‘/srv/ftp’ on Debian based operating systems.
You can configure the FTP server so that anonymous users can use it, or you can allow only a selected set of users. Here we will learn how to configure an authenticated FTP server for selected users only.
To configure it, follow these steps:

yum install vsftpd -y

If you don’t have FTP, install the vsftpd package.

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
vi /etc/vsftpd/vsftpd.conf

– Create a backup of the original configuration file ‘/etc/vsftpd/vsftpd.conf’.
– Open the configuration file.
– Change ‘anonymous_enable=NO’ and ‘local_enable=YES’.

Uncomment and disable the anonymous login option so that no anonymous user can reach your server.
Uncomment and change local_enable to YES so that the local users you define can reach the FTP server.

service vsftpd restart

Since you made changes in the configuration file, restart the service.

groupadd ftp-users
mkdir /home/ftp-users

– Add a group named ftp-users. The users who will use this server will belong to this group.
– Create a directory with the same name as the group, here ftp-users. The files you want to share over FTP should be put under this directory.

useradd -g ftp-users -d /home/ftp-users/ user1

Add users, and make their home directory /home/ftp-users.
To add a new user to a group, the ‘-g’ switch is used.
To specify which directory we want to be the user’s home directory, the ‘-d’ switch is used.

passwd user1

Create a password for the new user.

cp -r /var/* /home/ftp-users

Copy the files you want clients to download into the ftp-users directory. Here ‘/var’ is copied into ftp-users.

chown root:ftp-users /home/ftp-users
chmod 0740 /home/ftp-users/*

– Give the ftp-users group ownership of /home/ftp-users.
– Change the permissions of the files inside ftp-users.
– Check your IP.
– Enter ftp://192.168.222.128 (that is, ftp:// followed by your IP).
– Enter the username and password and check.
You can do it this way, or just add a user and set their password. In that case, the files you need to share go in the default location ‘/var/ftp/pub’.
Check your SELinux status (use ‘getenforce’).
If SELinux is in enforcing mode, change it to permissive. If you keep enforcing mode, you may get Error 500.
If you get that error, try ‘getsebool -a | grep ftp’, and if the first line is ‘allow ftp_home_dir --> off’, set it to on using ‘setsebool -P ftp_home_dir on’.
How to Secure your FTP Server?
If you created an FTP server with user authentication, you can try clicking on ‘Up to higher level directory’.
When you click on it, it takes you one directory up, that is to ‘/home’, and if you click on it again, it takes you up to ‘/’. So, in short, any user of your FTP server can see your ‘/’ and other file systems.
This is a very serious issue and should not be left unsolved.
To secure your FTP server, all you need to do is uncomment line number 100, ‘chroot_local_user=YES’, and then restart the vsftpd service. Then users can only access their own home directory.
However, suppose you have 5 users and you wish to put the restriction only on user1, user2 and user3.
Then comment line number 100, ‘chroot_local_user=YES’, and uncomment line numbers 101 and 103, ‘chroot_list_enable=YES’ and ‘chroot_list_file=/etc/vsftpd/chroot_list’.
What you’re actually doing is:
First: enabling ‘chroot’ only for a list of users.
Second: telling the FTP server where that list file exists.
Create a file in ‘/etc/vsftpd’ with the name ‘chroot_list’ and add the users (here user1, user2, user3) to this file.
So ‘chroot’ will be enabled only for the users in this file.
If you don’t comment ‘chroot_local_user=YES’, then ‘chroot’ will be enabled for all users.
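To check that a vsftpd.conf actually ends up in the state this tutorial describes (anonymous login off, local users on, and local users confined by chroot so they cannot browse ‘/’), here is an added audit script that is not part of the original tutorial. It assumes POSIX sh with awk and mktemp; the three sample configs it audits are constructed inline, and the compiled-in defaults it falls back on are taken from the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a vsftpd.conf for the
# directives the tutorial changes and report what a local FTP user could reach.
# Assumes POSIX sh with awk and mktemp; the sample configs below are constructed.

# Effective value of KEY in FILE: the last uncommented "key=value" line wins,
# falling back to DEFAULT (the compiled-in vsftpd default) when it is absent.
get_opt() {
    awk -F= -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print (val == "" ? def : val) }
    ' "$1"
}

# One finding per line; prints nothing when the config matches the tutorial's
# hardened state (anonymous login off, local users on and confined by chroot).
audit_vsftpd() {
    anon=$(get_opt "$1" anonymous_enable YES)
    local_en=$(get_opt "$1" local_enable NO)
    chroot_all=$(get_opt "$1" chroot_local_user NO)
    list_en=$(get_opt "$1" chroot_list_enable NO)
    [ "$anon" = "NO" ]      || echo "anonymous_enable=$anon: anonymous login allowed"
    [ "$local_en" = "YES" ] || echo "local_enable=$local_en: local users cannot log in"
    if [ "$chroot_all" != "YES" ] && [ "$list_en" != "YES" ]; then
        echo "no chroot: local users can browse / and other file systems"
    fi
    # vsftpd semantics: when chroot_local_user=YES, chroot_list names the users
    # who are NOT chrooted, the reverse of what the tutorial's list is for.
    if [ "$chroot_all" = "YES" ] && [ "$list_en" = "YES" ]; then
        echo "chroot_list is an exception list here: listed users escape the chroot"
    fi
}

# Number of findings as a plain integer (0 means the config passed).
count_findings() { audit_vsftpd "$1" | wc -l | tr -d ' '; }

# Constructed configs: the stock file before the edits, after them, and the
# mixed case where both chroot directives are uncommented at once.
BEFORE=$(mktemp); AFTER=$(mktemp); MIXED=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' '#local_enable=YES' \
    '#chroot_local_user=YES' '#chroot_list_enable=YES' > "$BEFORE"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' > "$AFTER"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' \
    'chroot_list_enable=YES' 'chroot_list_file=/etc/vsftpd/chroot_list' > "$MIXED"

audit_vsftpd "$BEFORE"   # 3 findings
audit_vsftpd "$AFTER"    # nothing: hardened as the tutorial describes
audit_vsftpd "$MIXED"    # 1 finding: the list inverts its meaning
```

Point it at ‘/etc/vsftpd/vsftpd.conf’ after editing to confirm the change took effect before restarting the service.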