Ensurepass

22. FTP
22.1 Packages
1. anonftp
o Not an ftp server.
o Required to set up anonymous ftp.
o Sets up the chroot’d environment for anonymous ftp in /var/ftp, consisting of:
o /var/ftp/bin
o /var/ftp/etc
o /var/ftp/lib
o /var/ftp/pub
o Cannot work standalone; requires wu-ftpd.
2. wu-ftpd
o Actual FTP server software.
o Configuration files.
o xinetd configuration file.
o Documentation.
22.2 Configuration files
1. /etc/ftpaccess
Primary configuration file.
2. /etc/ftpusers
List of users that are not allowed to use ftp. This file is deprecated in RH 7.X. Use deny-uid/deny-gid in /etc/ftpaccess instead.
3. /etc/ftphosts
Access restrictions by user/host. The last rule that matches wins. For example, to deny access to steve from everywhere but 192.168.1.0/24, add the following entries:
deny steve *
allow steve 192.168.1.0/24
4. /etc/ftpconversions
Specify file conversions that are to be performed by the ftp server. It’s commonly used to automatically compress and/or decompress files on the fly for transfer.
5. /etc/ftpgroups
Defines “enhanced group access”. Each line has the form accessgroup:encrypted_password:realgroup. A logged-in user issues SITE GROUP accessgroup followed by SITE GPASS password to obtain the privileges of realgroup for the rest of the session. Like the login password, the group password crosses the network in cleartext.
6. /etc/xinetd.d/wu-ftpd
xinetd configuration file for wu-ftpd.
7. /etc/pam.d/ftp
Pam configuration file for ftp.
22.3 Operation
1. Started by xinetd.
2. Ports: 21 TCP (control connection) and 20 TCP (source port of active-mode data connections; passive-mode data connections use an unprivileged port chosen by the server instead).
3. Starts as user root, then switches according to login type:
o anonymous: Switches to user ftp.
o user: Switches to the user logging in.
o guest: Switches to the user logging in, after chroot’ing to that user’s guest directory.
22.4 Types of User Accounts
1. Anonymous
o Easy to setup (Automatically configured when anonftp is installed).
o User uses “anonymous” for login and their e-mail address for a password.
o User is chroot’d to /var/ftp by default.
o Cannot upload files by default.
2. Real
o Also easy to setup. Works by default.
o Users use their system logins and passwords to gain access.
o Start out in users home directory.
o User is not chroot’d: the whole filesystem is reachable, limited only by unix file permissions.
o Can upload files to any directory where the unix file permissions permit it.
o Can be dangerous to use, all the more since FTP transmits the system password in cleartext.
3. Guest
o Requires setup.
o Users use their system logins and passwords to gain access.
o Users are chroot’d to a directory, typically their home directory.
o User only has access to the directories within the chroot’d environment.
o User can upload files if unix file permissions permit it.
o Much safer to use than “Real” user accounts.
22.5 Setting up Guest Users
In this example, we will configure user steve as a guest user.
1. Put /bin/false in /etc/shells so it’s recognized as a valid shell by the ftp server.
2. Change steve’s shell to /bin/false (use chsh or edit /etc/passwd directly). This prevents the user from logging in via normal means (telnet, ssh, etc.).
3. Edit /etc/passwd and append “/./” (without quotes) to the end of steve’s home directory.
Change:
steve:x:500:500::/home/steve:/bin/false
To:
steve:x:500:500::/home/steve/./:/bin/false
4. Set up the guest user’s home directory so it works as a chroot’d environment:
cp -a /var/ftp/bin ~steve
cp -a /var/ftp/etc ~steve
cp -a /var/ftp/lib ~steve
chmod 0750 ~steve
Note that anonftp must be installed in order for the above steps to work.
5. Create the guestgroup specified in /etc/ftpaccess (default is ftpchroot) as a system group:
groupadd -r ftpchroot
6. Add user steve to the ftpchroot group, either by editing /etc/group or with gpasswd -a steve ftpchroot.
7. Log in via ftp as steve and confirm that it worked: pwd should report / (the chroot), cd .. should not leave it, and a directory listing should succeed (it depends on the copied bin and lib).
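The procedure above, automated and verified, as an added example that is not part of the original notes or of wu-ftpd itself. The functions take the account files as parameters so they can be dry-run on copies (a constructed sample is used at the bottom); pointed at /etc/passwd, /etc/group and /etc/shells as root they apply the same edits for real. Assumed, exactly as on the page: the shell /bin/false, the “/./” chroot marker and the guestgroup name ftpchroot. The chroot skeleton is copied from /var/ftp with cp -a as in step 4 and is only checked here.

```shell
#!/bin/sh
# Added example, not from the original notes: turn an existing account into a
# wu-ftpd guest user and verify every condition the guest login depends on.
set -u

# make_guest PASSWD SHELLS USER: shell -> /bin/false, home -> /home/USER/./
make_guest() {
    passwd=$1; shells=$2; user=$3
    grep -qx /bin/false "$shells" || printf '/bin/false\n' >> "$shells"
    awk -F: -v OFS=: -v u="$user" '
        $1 == u {
            home = $6
            sub(/\/\.\/?$/, "", home)   # drop an existing "/." or "/./" marker
            sub(/\/+$/, "", home)       # and any trailing slash
            $6 = home "/./"             # wu-ftpd splits the chroot root at "/./"
            $7 = "/bin/false"           # no interactive login (telnet, ssh, ...)
        }
        { print }' "$passwd" > "$passwd.tmp" && mv "$passwd.tmp" "$passwd"
}

# add_to_guestgroup GROUPFILE GROUP USER: add USER to the guestgroup member list.
# The group line must already exist (groupadd -r GROUP on a real system).
add_to_guestgroup() {
    groupf=$1; group=$2; user=$3
    grep -q "^$group:" "$groupf" || { echo "no group $group (run groupadd -r $group)" >&2; return 1; }
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print; next }   # already a member
            $4 = ($4 == "") ? u : $4 "," u
        }
        { print }' "$groupf" > "$groupf.tmp" && mv "$groupf.tmp" "$groupf"
}

# check_guest PASSWD GROUPFILE SHELLS USER GROUP [PREFIX]: exit 0 only when the
# shell, /etc/shells entry, "/./" marker, group membership and chroot skeleton
# are all in place. PREFIX is prepended to the home directory when looking for
# bin/ etc/ lib/ (empty on a real host, the scratch root in a dry run).
check_guest() {
    passwd=$1; groupf=$2; shells=$3; user=$4; group=$5; prefix=${6:-}
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$passwd")
    [ -n "$entry" ] || { echo "$user: no passwd entry" >&2; return 1; }
    home=${entry%:*}; shell=${entry##*:}
    [ "$shell" = /bin/false ] || { echo "$user: shell is $shell, want /bin/false" >&2; return 1; }
    grep -qx /bin/false "$shells" || { echo "/bin/false is not listed in $shells" >&2; return 1; }
    case $home in
        */./) ;;
        *) echo "$user: home $home lacks the /./ chroot marker" >&2; return 1 ;;
    esac
    awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$groupf" || { echo "$user: not in group $group" >&2; return 1; }
    for d in bin etc lib; do   # skeleton copied from anonftp's /var/ftp
        [ -d "$prefix${home%/./}/$d" ] || { echo "$user: chroot is missing $d/" >&2; return 1; }
    done
    return 0
}

# Dry run on constructed copies (not real accounts); gid 499 is an arbitrary choice.
demo_dir=$(mktemp -d)
printf 'steve:x:500:500::/home/steve:/bin/bash\n' > "$demo_dir/passwd"
printf 'ftpchroot:x:499:\n' > "$demo_dir/group"
printf '/bin/bash\n' > "$demo_dir/shells"
mkdir -p "$demo_dir/home/steve/bin" "$demo_dir/home/steve/etc" "$demo_dir/home/steve/lib"
make_guest "$demo_dir/passwd" "$demo_dir/shells" steve
add_to_guestgroup "$demo_dir/group" ftpchroot steve
check_guest "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/shells" steve ftpchroot "$demo_dir" \
    && echo "steve is a valid guest: $(grep '^steve:' "$demo_dir/passwd")"
rm -rf "$demo_dir"
```

Both edit functions are idempotent, so the script can be re-run after a partial failure; check_guest is also useful on its own as an audit of an existing guest account, since a missing /./ marker or a shell not listed in /etc/shells silently turns the guest back into a plain real user or locks it out.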
22.6 Anonymous Upload
1. Look for “upload” under the “Permission Capabilities” section in the ftpaccess man page for more information.
2. Create and configure the upload directory:
mkdir /var/ftp/incoming
chown root.root /var/ftp/incoming
chmod 3773 /var/ftp/incoming
Mode 3773 sets the setgid bit (uploaded files get the directory’s group), the sticky bit (users cannot delete or rename files they do not own) and rwxrwx-wx, so the anonymous user can create files but cannot list the directory.
3. Add the following entry to /etc/ftpaccess:
upload /var/ftp /incoming yes root root 0400 nodirs
This states that any user whose root directory is /var/ftp (i.e. anonymous users) may upload into the incoming directory, but may not create subdirectories there. Uploaded files are changed to owner root, group root with permissions 0400, so anonymous ftp users can neither read back nor overwrite what has been uploaded.
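The drop-box setup above as a script, an added example rather than code from the original notes or from wu-ftpd. ROOT is the anonymous ftp root (/var/ftp on the page); a scratch directory, constructed at the bottom, serves for a dry run. Assumed, as on the page: mode 3773, root:root ownership and the upload line with nodirs.

```shell
#!/bin/sh
# Added example, not from the original notes: create the anonymous upload
# drop box, write the matching ftpaccess rule once, and verify both.
set -u

# dir_mode PATH: octal mode including setgid/sticky bits (GNU stat; BSD fallback)
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# make_incoming ROOT: create ROOT/incoming as a write-only drop box.
# 3773 = setgid (2000) + sticky (1000) + rwxrwx-wx: the anonymous user (other)
# may create files but cannot list the directory, and the sticky bit stops it
# deleting or renaming files it does not own. chown needs root, so it is
# skipped in an unprivileged dry run.
make_incoming() {
    dir=$1/incoming
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$dir"; fi
    chmod 3773 "$dir"
}

# check_incoming DIR: exit 0 only if DIR is a directory with exactly mode 3773.
# A looser mode (e.g. 0777) lets anonymous users list and fetch each other's
# uploads, which is the usual way a drop box turns into a warez site.
check_incoming() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    mode=$(dir_mode "$1")
    [ "$mode" = 3773 ] || { echo "$1: mode is $mode, want 3773" >&2; return 1; }
    return 0
}

# upload_rule ROOT: the ftpaccess line from the page. Uploads into /incoming
# (relative to ROOT) are allowed, become root:root 0400 so the uploader cannot
# read them back, and no subdirectories may be created.
upload_rule() {
    printf 'upload %s /incoming yes root root 0400 nodirs\n' "$1"
}

# has_upload_rule FTPACCESS ROOT / write_upload_rule FTPACCESS ROOT:
# add the rule exactly once; a second call is a no-op.
has_upload_rule() {
    [ -f "$1" ] && grep -qxF "$(upload_rule "$2")" "$1"
}
write_upload_rule() {
    has_upload_rule "$1" "$2" || upload_rule "$2" >> "$1"
}

# Dry run on a scratch directory (constructed, not the live /var/ftp).
demo=$(mktemp -d)
make_incoming "$demo"
write_upload_rule "$demo/ftpaccess" "$demo"
check_incoming "$demo/incoming" && echo "incoming ok, mode $(dir_mode "$demo/incoming")"
cat "$demo/ftpaccess"
rm -rf "$demo"
```

On the real server run make_incoming /var/ftp and write_upload_rule /etc/ftpaccess /var/ftp as root; check_incoming is worth keeping in a cron job, because a later chmod or a package upgrade that resets the directory mode silently reopens the box.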
22.7 Virtual Hosts
1. Several domains can be hosted by a single ftp server.
2. Requires an IP per domain. Use separate interfaces or IP aliasing (preferred) on a single interface.
3. Add the following to /etc/ftpaccess:
virtual 192.168.1.10 root /var/virtualftp/somedomain.com
virtual 192.168.1.10 banner /var/virtualftp/somedomain.com/banner.msg
virtual 192.168.1.10 logfile /var/log/virtualftp/somedomain.com/xferlog
virtual 192.168.1.10 allow *
Note: The above directories will need to be created if they don’t already exist.
The “root” option specifies the root path for the virtual ftp server. The “banner” option specifies the location of the file containing the banner message that is displayed at login. The “logfile” option specifies where transfers should be logged. The “allow” option allows all users to log in to the virtual ftp server; you could instead list specific users to allow.
The above configuration causes anonymous users to be chroot’d to the “root” of the virtual server. Real users are still placed in their home directory at login. It is recommended that guest users be configured for the virtual domain that chroot to the virtual server’s “root”.
To disable anonymous ftp to the virtual server, specify:
virtual 192.168.1.10 allow private
