
The Very Secure FTP Service

Date: 2005-11-27  Source: rickyweiwei

FTP, the File Transfer Protocol, is one of the original network applications developed with the TCP/IP protocol suite. It follows the standard model for network services, as FTP requires a client and a server. The FTP client is installed by default on most operating systems, including Red Hat Enterprise Linux. If you've installed the FTP Server package group, you've installed the default Red Hat FTP Server, the very secure FTP (vsFTP) daemon.

1. FTP Client (lftp)
The original FTP client software was a basic command line, text-oriented client application that offered a simple but efficient interface. Most Web browsers offer a graphical interface and can also be used as an FTP client.
Any FTP client allows you to view the directory tree and files. Using ftp as a client is easy. You could use the ftp command to connect to a server such as ftp.redhat.com with the following command:
# ftp ftp.redhat.com
The FTP client listed in the Red Hat Exam Prep guide is lftp. You can use it to connect to the FTP server of your choice. It automatically attempts an anonymous login. It also supports command completion, which can especially help you access files and directories with longer names.

Standard FTP Client Commands

| Command | Description |
| --- | --- |
| cd | Changes the current working directory at the remote host |
| ls | Lists files at the remote host |
| get | Retrieves one file from the remote host |
| mget | Retrieves many files from the remote host with wildcards or full filenames |
| put | Uploads one file from your computer to the remote host |
| mput | Uploads a group of files to the remote host |
| pwd | Lists the current working directory on the remote host |
| quit | Ends the FTP session |
| !ls | Lists files on your host computer in the current directory (local) |
| lcd | Changes the local host directory for upload/download |
| !pwd | Lists the current working directory on local host computer |

2. Almost all commands in FTP mode are run at the remote host, similar to a Telnet session. You can also run commands locally from the FTP prompt. When you start the command with an exclamation point (!), you can run regular shell commands.
This is only a subset of the commands available through lftp. Typing the help command will give you a full list of the available commands. The command help cmd yields a brief description of the command itself.
One graphical FTP client for Linux is GNOME FTP (GFTP), which provides an easy-to-use graphical interface to FTP.
With GFTP you don't even need to know a single FTP command. If you have installed the gftp RPM, you can start the GFTP client from a GUI command line with the gftp command. Alternatively, you can start it from the Red Hat GNOME or KDE desktop with the Main Menu | Internet | More Internet Applications | gFTP command.

Installing the Very Secure FTP Server
# rpm -Uvh /mnt/inst/RedHat/RPMS/vsftpd-1.2.0-4.i386.rpm
Starting on Reboot
# chkconfig --level 35 vsftpd on
# chkconfig --list vsftpd
If you want to start the vsFTP server, just start the service script with the following command:
# service vsftpd start

Basic FTP Server Configuration

Assume you have a vsFTP server on a computer named Enterprise3. To connect anonymously using the lftp client, you'd run the following command:
# lftp Enterprise3
This opens a connection in the /var/ftp directory. It looks like a top-level root directory to the lftp client. Alternatively, if you wanted to connect to the account of user michael, you'd add just a little more:
# lftp -u michael Enterprise3
This opens a connection to the /home/michael directory. Unfortunately, the default is dangerous, as users who log in with a real username can navigate to the top-level root directory.

vsFTP Server Security
So now you know that vsFTP can be dangerous. But you can help secure your system by configuring vsFTP to disable logins from regular users. Naturally, you can configure vsFTP through the vsftpd.conf configuration file, in the /etc/vsftpd directory.

Some vsFTP Server Configuration Commands

| Command | Description |
| --- | --- |
| anonymous_enable=YES | If you don't want anonymous access, you'll have to set this to NO. |
| local_enable=YES | If you don't want regular users to log in, comment this out by adding a pound (#) character. |
| write_enable=YES | If you don't want remote users writing to your directories, comment out this command. |
| #chroot_list_enable=YES | If you set chroot_local_user=YES (see discussion that follows), you can configure users who are allowed to roam through your directories by activating this command. |
| pam_service_name=vsftpd | Configures Pluggable Authentication Module (PAM) security. |
| userlist_enable=YES | Don't change this! This keeps users such as root from logging into your system. |
| tcp_wrappers=yes | Supports the use of security commands in /etc/hosts.allow and /etc/hosts.deny. |

3. By default, vsFTP is configured to disable logins from sensitive users such as root, bin, and mail. The userlist_enable=YES command points to a list of disabled users in /etc/vsftpd.user_list.
As vsFTP also uses Pluggable Authentication Modules (PAM) for security, it also disables the users in /etc/vsftpd.ftpusers. The lists of users in the default versions of these files are identical.
If you want regular users to log into your FTP server, you should add the chroot_local_user=YES command. This helps secure your system by keeping regular users from navigating to your top-level root directory (/).
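The login and chroot settings discussed above can be checked mechanically. The script below is an added example, not part of the original article or of vsftpd; the function names and finding labels are invented for illustration, the sample file is constructed, and the fallback values assume the compiled-in defaults documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example, not from the original article. Defaults are the compiled-in
# ones documented in vsftpd.conf(5); the finding labels are invented here.

# conf_get FILE KEY DEFAULT: value of the last uncommented KEY= line, upper-cased.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r' | tr 'a-z' 'A-Z')
    echo "${v:-$3}"
}

# audit_vsftpd FILE: print one finding per line; return 1 if any were found.
audit_vsftpd() {
    f=$1; rc=0
    if [ "$(conf_get "$f" local_enable NO)" = YES ]; then
        if [ "$(conf_get "$f" chroot_local_user NO)" != YES ]; then
            echo "LOCAL_USERS_NOT_CHROOTED"; rc=1       # real users can cd up to /
        elif [ "$(conf_get "$f" chroot_list_enable NO)" = YES ]; then
            echo "CHROOT_EXEMPTION_LIST_ACTIVE"; rc=1   # listed users are not jailed
        fi
        if [ "$(conf_get "$f" write_enable NO)" = YES ]; then
            echo "LOCAL_USERS_CAN_WRITE"; rc=1
        fi
    fi
    if [ "$(conf_get "$f" userlist_enable NO)" != YES ]; then
        echo "USER_LIST_NOT_ENFORCED"; rc=1   # root, bin, mail not blocked by the list
    fi
    return $rc
}

# Constructed sample: the settings from the table above, without chroot_local_user.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_list_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=yes
EOF
audit_vsftpd "$sample" || echo "review the findings above"
rm -f "$sample"
```

On a real server, point audit_vsftpd at /etc/vsftpd/vsftpd.conf; a non-zero exit status means at least one finding was printed.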
A couple of useful features for users help welcome them to your server. The following command provides a message for users who are logging into your system:
ftpd_banner=Welcome to blah FTP service
This next message looks for a .message file in each directory and sends it to the client:
dirmessage_enable=YES
Unfortunately, these messages don't work for users who log into your system using a client such as lftp.
Access by root and many service users is disabled by default. If you try to log in as root using lftp, it will look like you're connected. But when you try to do something as root, you'll see messages delaying your commands 'before reconnect.'

4. Exercise
# rpm -q vsftpd
# service vsftpd start
# chkconfig --level 35 vsftpd on
Once you're logged in, run the cd .. command twice (remember the space between the command and the two dots). Explore the local directory. You should see a danger here, as this is the root directory for the FTP server computer.
