How to configure FTP Server in Redhat Linux

This tutorial explains how to configure FTP Server and FTP client in Linux step by step with practical examples. Learn how to configure anonymous download option in FTP, allow or restricted local users to login in home directories through FTP and use FTP chroot feature to keep users in allowed directories only.

As a linux Administrator you should know

  • FTP stand for File Transfer Protocol.
  • FTP does not require to login directly into the remote host
  • FTP transfer data without encryption
  • vsftpd is the only stand-alone FTP distributed With RHEL
  • vsftpd stand for Very Secure FTP Daemon
  • vsftpd is secure, fast and stable version of FTP
  • vsftpd efficiently handle large numbers of connection securely
  • You should use SFTP instead of FTP while transferring data over public network like Internet

RHCE Exam Objective covered in this tutorial

  • Configure anonymous-only download.

In this tutorial I will use two systems Server and linuxclient from our LAB environment. I will configure FTP Server on Server system and ftp client on linuxclient system. If you want to check the network topology used in this article please check following article. Lab set up for RHCE practice.

Prepare LAB for FTP practice

Configure FTP Server on RHEL

vsftpd package is required for FTP Server. Check whether package is installed or not. If package is missing install it first.

rpm-vsftpd

Configure vsftpd service to start at boot

chkconfig-vsftpd-on

Current status of vsftpd service must be running. Start if it is stopped. Restart vsftpd service whenever you made any change in configuration file.

service-vsftpd-status

FTP Server is by default configured to listen on port 21. Port 21 must be opened if you have configured firewall. The configuration of a firewall for an FTP server is a relatively simple process.

#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

iptable-ftp

Create 2 normal user accounts for testing. Create a normal user

create-normal-user

create another normal user

user-add-server

That's all configure we need on server right now.

Configure FTP client on RHEL

From RHEL version 6 you will not be able to run ftp command. By default you will get following error

-bash: ftp: command not found error

ftp-command-not-found

To run ftp command ftp package is required. Install it if it is not installed.

rpm-ftp

Check connectivity with FTP Server.

ping-server

Now try again to run ftp command

ftp-command-sucess

We have successfully connected with FTP server.

LAB Exercises

  • Configure anonymous-only download [RHCE exam objective]
  • Configure FTP server to allow anonymous access, chrooted to /var/ftp
  • Configure FTP Server to all local users except user vikram to ftp in server
  • Download/upload must be allowed for these users and the users must be chrooted on their home directory

Configure anonymous-only download [RHCE exam objective]

Go on Server system and open main ftp configuration file /etc/vsftpd/vsftpd.conf

vi-etc-vsftpd

vsftpd.conf is the main configuration file of FTP server and it contains lot of directives. Configuration of an anonymous-only download is relatively simple. Default configuration of vsftpd.conf already supports anonymous-only download. But it also supports access from local users. All you need to do is disable the directive which allows locally configured users to login with their accounts.

Comment following directives and save the file

local-enable-commented

Restart the vsftpd service

service-vsftpd-restart

When a user connects on the FTP server with anonymous username, actually that user connects on the server as a user named ftp. RHEL automatically create this account with following setting.

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

ftp-user

With these setting users are not allowed to login as the user named ftp. So they need to use anonymous as user name. So whenever an anonymous user logged in, he is taken to ftp user's home directory /var/ftp. So if you want to change the default directory associated with anonymous logins, change the home directory associated with the local user named ftp. Create a file on the root of the ftp directory /var/ftp/pub. This file will be downloaded by anonymous user.

# dd if=/dev/null of=/var/ftp/pub/file bs=1024 count=1000

create test file

If you are running Linux without SELinux that's all setting which we need for this exercise. SELinux is listed in RHCE exam objective. So if you have configured SELinux, also configure following boolean option.

# chcon -R -t public_content_t /var/ftp/pub/

chcon-var-ftp-pub

In this exercise we are asked to configure anonymous download only. So we should be

  • Able to download anonymous
  • Fail to upload
  • Fail to login form other account except anonymous

Go on linuxclient system and login to the FTP server as anonymous user and download test_file

download-test-file

Most commonly commands used on ftp prompt are

put  To upload files on server
get  To download files from server
mput To upload all files
mget To download all files
?    To see all available command on ftp prompts
cd   To change remote directory
lcd  To change local directory.

Create a sample file

sample-file

Login from anonymous again and try to upload

upload-denied

Try to login form normal user

normal-user-denied

Restrict anonymous user to ftp directory.

To test this login form anonymous user again

anonymous-login-sucess

Try to change parent directory

chrooted-ftp

Configure FTP Server to all local users except user vikram to ftp in server

FTP non-anonymous server

In this exercise we will configure FTP server that allow local users logins to their home directories. Download/upload must be allowed for these users. Go on server system and open /etc/vsftpd/vsftpd.conf file

vi-etc-vsftpd

Comment anonymous_login=YES, uncomment local_enable and save the file

enable-local-login

open /etc/vsftpd/user_list file

user list

Users listed on /etc/vsftpd/user_list are not allowed to login on FTP server. Add user vikarm in it. This file also have an entry for root user that why root user is denied from FTP login. If you want to enable root user for ftp session just remove its entry from this file [Enable root for FTP session is not recommended in any circumstances, change at your own risk].

user-list-file

Configure SELinux to allow upload/download in user's home directory

setsebools-ftp-home-dir

Restart the vsftpd service

service-vsftpd-restart

Login from normal user sanjay and create a example_file

example-file

Come back on linuxclient system and try to login from user vikram

ftp-login-denied

Now try to login from user sanjay

sanjay-login-sucess

upload/download file

download-upload

Login again from normal user and try to change parent directory

sanjay-full-access

It allows you to navigate the / directory which serious security issue.

Configure FTP to chroot local users in their home directory

Go on server and open /etc/vsftpd/vsftpd.conf file

vi-etc-vsftpd

Uncomment following directive and save the file

chroot_local_user=YES

chroot-enable

Restart the vsftpd restart

service-vsftpd-restart

Come back on linux client system and login form sanjay and try again to change directory to /

chroot-sanjay

Now normal user will not be able to navigate outside the home directory.

Important directives of vsftpd.conf

anonymous_enable=YES

Enable anonymous login

local_enable=YES

Enable local users login with their regular password

chroot_local_user=YES

Users are restricted in their home directory

write_enable=YES

Enables write operations on FTP

local_umask=022

If write is enabled permissions will be based on the value of umask

#anon_upload_enable=YES

Enable anonymous user to upload file

#anon_mkdir_write_enable=YES

Allow anonymous users to create directories

ftpd_banner=Welcome to blah FTP service

Set FTP banner

pam_service_name=vsftpd

Configures Pluggable Authentication Modules (PAM) security for FTP

userlist_enable=YES

block users listed in /etc/vsftpd/user_list

tcp_wrappers=YES

Supports the use of security commands in /etc/hosts.allow and /etc/hosts.deny through tcpwrappers

SElinux boolean associated with vsftpd daemons

There are five SElinux boolean associated with vsftpd daemons

# setsebool  allow_ftpd_full_access 1

vsftpd daemons will run on a SElinux context without any restriction

# setsebool  allow_ftpd_anon_write 1

Supports the writing of files to directories configured with the public_content_rw_t SELinux setting

# setsebool  allow_ftpd_use_cifs  1

Allows the use of files shared via CIFS on an FTP server

# setsebool  allow_ftpd_use_nfs  1

Allows the use of files shared via NFS on an FTP server

# setsebool  ftp_home_directory  1

Supports FTP read/write access to user home directories

# chcon -R -t public_content_t /var/ftp/pub/

Any directory that is going to be used on read FTP operations it must be labelled as public_content_rw_t

# chcon -R -t public_content_rw_t /var/pub/ftp

Any directory that is going to be used on read-write FTP operations it must be labelled as public_content_rw_t

ComputerNetworkingNotes Linux Tutorials How to configure FTP Server in Redhat Linux