Thursday, December 18, 2008

FTP



Documents to read:
1. Manual [ftpd(8)]
2. Documents specific to the installed software
3. FTP mini-howto

Square brackets are used to separate keywords, such as filenames,
programs names etc, from lines of text. They have no other meaning.

File Transfer Protocol: It is the standard method of transferring file
from one system to another.

[ftpd] is the daemon that runs on the server ( Port 21/TCP) . [ftp] is
the client program that the users use to connect to the server.

A number of [ftpd] programs are available as free software.

Some are listed below:
bsd-ftpd - This is a GNU/Linux port of the FTP server from OpenBSD
twoftpd - A FTP server that strives to be secure, simple, and
efficient
ftpd-ssl - This is a ftp server with encryption support
oftpd - A secure anonymous FTP server
vsftpd - The Very Secure FTP server
wu-ftpd - Powerful and widely used FTP server

Configuration of [ wu-ftpd ] in Debian Linux platform is to be carried
out in this experiment.

[wu-ftpd] binary is installed in Assignment-1.
( Filename--> pool/main/w/wu-ftpd/wu-ftpd_2.6.2-3_i386.deb on 2nd CD)

Create a directory [ ftp-config ] in your home directory and carry out
the FTP related experiments in that directory.

Complete Assignment-1.

In Assignment-2, a FTP client program binary is to be installed.
( Filename ---> pool/main/n/netkit-ftp/ftp_0.17-9_i386.deb on 1st CD )

Complete Assignment-2.

The [/etc/wu-ftpd] directory is the default location for [wu-ftpd]
configuration files.

/etc/wu-ftpd/ftpaccess - Is the [ftpd] configuration file.

Directives entered in [ /etc/wu-ftpd/ftpaccess ] file, controls the
operation of [ftpd]. For description of the directives read
[ftpaccess(5)] and [/usr/share/doc/wu-ftpd/examples].

Edit this file for a simple configuration.
#.................. /etc/wu-ftpd/ftpaccess ....................
class all real,guest,anonymous *
# With the class directive, the class-name [all] is declared to
# mean [real or [guest] or [anonymous] users
# The * indicates that they can connect from any host
#................. end of /etc/wu-ftpd/ftpaccess ..............

The effect of this file on the [ftpd] is demonstrated in Assignment-3.

Complete Assignment-3.

[ftpd] offers security features ( marginal, in the in the opinion of
some security experts ) with the use of the following two files in
combination with the above configuration file.

Access control files:

[ftpusers] : The file [ /etc/wu-ftpd/ftpusers ] is a link
to [ /etc/ftpusers ]. Any user, whose name
appears here, is denied FTP login access.

[/etc/wu-ftpd/ftphosts]: Used to deny or allow access to certain
accounts from various hosts.

Restricted Users Access file - [/etc/ftpusers]

By default, all system logins should be denied FTP access, by entering
their names in this file. System users have too much privilege and are
unlikely to need FTP. To deny a user FTP access altogether, his/her
username is entered in this file, on a line by itself.

Edit [/etc/ftpusers] as shown
#.................... [/etc/ftpusers] ...............
# /etc/ftpusers: list of users disallowed FTP access.
# See ftpusers(5).
root
daemon
bin
sumit
#................... end of [/etc/ftpusers] .........
In this example, three system users and one real user [ sumit ] is
denied access. You should add all the system users from [/etc/passwd]
file of your machine, in this file, to deny FTP login to all system
users. The system user [ ftp ] should not appear in this file if
anonymous FTP is to be allowed.

Edit [/etc/wu-ftpd/ftphosts] file as under
#.............. [/etc/wu-ftpd/ftphosts] .................
allow sumit *
# [sumit] is allowed from any host
deny sumit 192.168.10.2
# [sumit] is disallowed from host 192.168.10.2
# Replace 192.168.10.2 with a suitable address for testing
#........... end of [/etc/wu-ftpd/ftphosts] .............

This simple restriction is tested in Assignment-4.

Complete Assignment-4:

To configure [ftpd] for anonymous FTP service, a system user [ftp] is
to be created and a home for anonymous user is to be created. This
home directory tree is to be populated with various needed files. It
is possible but difficult and error prone to do this manually. Utility
program [ addftpuser ] is available to add anonymous FTP user and to
create the home directory tree. You may read [addftpuser(8)].

Anonymous FTP service is installed in Assignment-5.

Complete Assignment-5:

If anonymous FTP is allowed, permissions of files of [ftp-home] must
be minimal to prevent misuse.

In this experiment the following permissions are used. However this is
not secure.


/home/ftp 555 with root ownership
/home/ftp/bin 111 with root ownership
/home/ftp/bin/ls 111 with root ownership
/home/ftp/lib 111 with root ownership
/home/ftp/etc 111 with root ownership
/home/ftp/etc/passwd 444 with root ownership
/home/ftp/pub 773 with root ownership
/home/ftp/pub/incoming 773 with root ownership
/home/ftp/pub/outgoing 755 with root ownership

Allowing uploading in [ incoming ] directory is not a good idea as it
opens a way for denial of service (DoS) attack. A hacker can use up
disk space by uploading large junk files. Allowing down-loads from
[incoming] directory is also not safe as illegal files can be stored
in your computer for later retrieval. Uploading into [ incoming ]
directory is disallowed by default.
For relatively secure uploading, read document
[/usr/share/doc/wu-ftpd/upload.configuration.HOWTO.gz]

A simple configuration for anonymous FTP is done in Assignment-6.

Complete Assignment-6:


Security issue:
FTP server is a must for any intranet/LAN to allow file
transfer among computers. As such, one FTP server has to run
in any LAN. Anonymous FTP servers are used widely also in
INTERNET.
However FTP server has some security deficiencies.

FTP uses standard username/password authentication. As a result
the server cannot reliably ascertain whether a given user is
really who he or she claims to be.

By default passwords are transmitted in plain text. This allows
attackers to capture passwords, with sniffers.

FTP sessions are not encrypted and therefore offers no privacy.
See optional Assignment-2.
----------------------------------------------------

Assignment-1:
FTP server installation

If any [ftpd] daemon is running kill it SIGKILL

Remove any previously installed [ftpd] if any.
# dpkg -r ftpd
or
# dpkg -r wu-ftpd

Remove manually, the non-empty related directories if any
# rm -rf /var/log/wu-ftpd
# rm -rf /etc/wu-ftpd

Try to connect to the FTP server in localhost and record output
$ ftp localhost



Bring the [ftpd] package in your home directory and install
# dpkg -i ./wu-ftpd_2.6.2-3_i386.deb

A typical screen output might be:

Selecting previously deselected package wu-ftpd.
(Reading database .. 43842 files and directories currently installed.)
Unpacking wu-ftpd (from ./wu-ftpd_2.6.2-3_i386.deb) ...
Setting up wu-ftpd (2.6.2-3) ...
-- end of screen output --
Check with [$ ps ax | grep ftpd]

Was the [ftpd] daemon started automatically ? ( Y / N )

Assignment-2:
FTP client installation.
Remove FTP client program, if any and record screen output

# dpkg -r ftp

Try to connect to the FTP server in localhost and record output
$ ftp localhost



Bring the package in your home directory and install
# dpkg -i ./ftp_0.17-9_i386.deb

Typical screen output might be:

# dpkg -i ftp_0.17-9_i386.deb
Selecting previously deselected package ftp.
(Reading database .. 43882 files and directories currently installed.)
Unpacking ftp (from ftp_0.17-9_i386.deb) ...
Setting up ftp (0.17-9) ...
-- end of screen output --
Try to connect to the FTP server in localhost and examine output
$ ftp localhost

The [ftpd] is started with

# /etc/init.d/wu-ftpd restart
Check with the following and record the output.
$ ps ax | grep ftpd
Output -->

Become [you] and try to login to FTP with password

# su you
you $ ftp localhost

Was the login successful for [you] ? ( Y / N )

Assignment-3:
Restart [ftpd] to read changes in configuration file.

# /etc/init.d/wu-ftpd restart

Become [you] and try to login to FTP with password

# su you
you $ ftp localhost

Was the login successful for [you] ? ( Y / N )
Exit FTP session
ftp> bye

Assignment-4:
Restart [ftpd]
# /etc/init.d/wu-ftpd restart

Become [sumit] and try to login to FTP
# su sumit
sumit $ ftp localhost

Was the login successful for [sumit] ? ( Y / N )

Remove or comment the line [sumit] from [/etc/ftpusers] file.
Restart [ftpd].
As [sumit] try to login to FTP

sumit $ ftp localhost

Was the login successful for [sumit] ? ( Y / N )

Try FTP login from hosts other than 192.168.10.2 (192.168 )
as [sumit]
Was the login successful for [sumit] ? ( Y / N )

Try FTP login from 192.168.10.2(192.168 ) as [sumit]
Was the login successful for [sumit] ? ( Y / N )

Assignment-5: Configuration of [ftpd] for Anonymous FTP service

Remove any previously installed anonymous FTP service, if any

# rmftpuser

A typical screen output might be:
Are you sure you want to remove the anonymous FTP user? [Y/n]
The anonymous FTP user has been successfully removed.
Do you want to remove the anonymous FTP directory, too? [Y/n] y
The anonymous FTP directory has also been removed.
-- end of screen output --

Add anonymous FTP service. Allow anonymous uploading. Accept default
FTP home directory as [/home/ftp].

# addftpuser

A typical screen output might be:

Enter the name of the FTP home directory: [/home/ftp] /home/ftp

Do you want to create a directory for user uploads? [n] y

Please look at /etc/wu-ftpd/ftpaccess and its manual page for further
information on how to make /pub/incoming more secure.
Adding system user ftp...
Adding new group ftp (107).
Adding new user ftp (107) with group ftp.
Creating home directory /home/ftp.

Anonymous FTP users will only see UID and GID numbers, instead of
names, because the libnss_files.so library hasn't been installed.

It is not installed by default, since there is no easy way to find out
what version we need to install.

If you want to install it manually, it should be placed in
/home/ftp/lib owned by root, and with permissions of 444 (r--r--r--)
cp: cannot stat `/etc/wu-ftpd/pathmsg': No such file or directory
cp: cannot stat `/etc/wu-ftpd/welcome.msg': No such file or directory
-- end of screen output --
If [tree] command is installed see the anonymous FTP directory tree.
# tree /home/ftp

Create a directory [outgoing] in [pub]. Set appropriate permissions.

Assignment-6:

A simple anonymous FTP server configuration.

Edit the file [/etc/wu-ftpd/ftpaccess] to add a few more directives.
#................ /etc/wu-ftpd/ftpaccess file .......................
class all real,guest,anonymous *
class anonftp anonymous *
banner /etc/wu-ftpd//pathmsg
upload /home/ftp * no # superfluous- this is the default
upload /home/ftp /pub/incoming yes root root 0440 nodirs
noretrieve /home/ftp/incoming
#.............. end of /etc/wu-ftpd/ftpaccess file ..................

The second line--> class anonftp anonymous *
Class-name [anonftp] is declared as [ anonymous ] class. [anonftp] can
login from any host.

The third line--> banner /etc/wu-ftpd/pathmsg
The contents of file [/etc/wu-ftpd/pathmsg] is displayed when users
connect and before they login. Create a file [ /etc/wu-ftpd/pathmsg ]
and enter a SINGLE line in it.
.......................... snip ......................................
System Administration Lab, CEMK, CSE -- FTP Admin sumit@localhost
.......................... snip ......................................
Replace [sumit] with your username.

The fourth line--> upload /home/ftp * no
By default [ftpd] does not allow uploads from anonymous users. As if
the above line is already entered in [/etc/wu-ftp/ftpaccess] file.

The fifth line
upload /home/ftp /pub/incoming yes root root 0440 nodirs
For any user whose home directory is the anonymous FTP area,
[/home/ftp], allow uploads into the directory [/home/ftp/pub/incoming]
but do not allow the creation of new directories. Make all files
uploaded, owned by [root], group [root] and mark them read-only.

The sixth line--> noretrieve /home/ftp/incoming
Prevent down-loads from [/home/ftp/incoming] directory.

Start [ftpd]
# /etc/init.d/wu-ftpd restart

Login as [ ftp ] with password [ sumit@ ] and upload some files in the
FTP server, from localhost.
Was uploads possible ? ( Y / N )

Try to display a list of files uploaded.
Were uploads visible ? ( Y / N )

Try to create a directory in the upload directory
Was directory creation possible ? ( Y / N )

Try to delete file/files uploaded
Was deletion possible ? ( Y / N )

Repeat some of above from another host.

As superuser keep some files ( binary or text ) in the directory
[ /home/ftp/pub/outgoing ] for anyone to down-load.

Test anonymous down-loading from the FTP server configured by you.

Optional Assignments:

1. Add the following features to your FTP server by adding suitable
directives in the file [/etc/wu-ftpd/ftpaccess]. Read [ ftpaccess ]
to see the available directives.

(a) Allow two anonymous FTP logins at a time during 10 AM to 12 AM.
If this limit is exceeded, show suitable message to the new
connection attempt.
(b) Send notification to FTP Administrator when any anonymous
uploading occurs.
(c) Set your email address as the address of the ftp archive
maintainer.
(d) Set a limit of 20 Kilo-byte for upload by anonymous user.

(e) Inform the logged in user in FTP , an impending shutdown.

(f) Add a guest user with a line in [ /etc/passwd ] file. The home
directory is to be [/home/ftp/pub].


You should add and test as many features as possible. For security
reasons use and test the following directives
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
passwd-check rfc822 warn

2. Down-load the source code of latest stable release of a FTP server
daemon program, with encryption support.
Compile, configure, install and test.

Feedback:
Please point out mistakes/corrections and suggest which
portions should be removed, added, expanded etc etc. ...bkc
.......................... end of ftp.txt ............................