FTP Server on Dragonfly

FTP (file transfer protocol) dates from the early ARPANET of the 1970s; the ftpd(8) that ships with DragonFly is a direct descendant of the BSD implementation, so the server side is genuine BSD heritage. FTP is widely used to copy files from one host to another and follows the client-server model: a user who needs to change a file downloads it from the server, edits it locally and uploads it again. Depending on how files are to be shared, the FTP server can be configured for anonymous access or for access chrooted to each user's home directory. An anonymous FTP server gives the world read access to a repository of files; a chrooted FTP server lets a person reach only his or her own dedicated space.

Another decision is whether the data connections use active mode or passive mode.

Active Mode - In active mode the client connects from a random unprivileged port (N > 1023) to the server's command port, port 21. It then listens on port N+1 and sends the command PORT N+1 to the server, and the server connects back from its local data port, port 20, to the client's data port. The main problem with active mode lies on the client side: the client never opens the data connection itself, it only tells the server which port it is listening on and waits for the server to connect. To the client's firewall this looks like an outside system initiating a connection to an internal host, which is usually blocked.

Passive Mode - To avoid having the server initiate a connection to the client, a second method was introduced, known as passive mode after the PASV command the client sends to request it. In passive mode the client opens both connections to the server, so the client-side firewall only ever sees outbound traffic. After the client sends PASV, the server listens on a random unprivileged port (P > 1023) and answers with a 227 reply that carries its address and P; the client then connects from port N+1 to port P for the data transfer. The cost moves to the server side: its firewall must accept incoming connections to a range of high-numbered ports, so that range should be kept as narrow as the server allows.
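The PASV and PORT exchange just described, written out as shell functions so it can be tried offline. This is an added example, not part of the DragonFly page: the 227 reply, the PORT arguments and the pf-style port list are constructed samples. pasv_data_target also adds a client-side check the text only hints at, which is an assumption of this example rather than something the page states: if the address inside the 227 reply differs from the peer of the control connection, the peer address is used, so a server cannot steer the data connection to a third host.

```sh
#!/bin/sh
# Added example, not from the DragonFly page: the FTP data-connection
# handshakes as shell functions. All replies and port lists below are
# constructed samples.

# Passive mode: turn a 227 reply such as
#   227 Entering Passive Mode (192,168,1,10,195,89).
# into "host port", where port = p1*256 + p2. Returns 1 if the reply does
# not carry six decimal fields in parentheses.
pasv_endpoint() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/^227 .*(\([0-9][0-9]*\),\([0-9][0-9]*\),\([0-9][0-9]*\),\([0-9][0-9]*\),\([0-9][0-9]*\),\([0-9][0-9]*\)).*/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Client-side check (an assumption of this example, not from the page):
# trust the address of the control connection rather than the one the
# server puts in the 227 reply. Prints "peer port".
pasv_data_target() {
    _reply=$1; _peer=$2
    _ep=$(pasv_endpoint "$_reply") || return 1
    set -- $_ep
    [ "$1" = "$_peer" ] || echo "warning: 227 reply names $1, control peer is $_peer; using $_peer" >&2
    printf '%s %s\n' "$_peer" "$2"
}

# Active mode: the PORT command a client sends to offer host h, port p.
# Only unprivileged ports are accepted.
port_command() {
    _host=$1; _port=$2
    [ "$_port" -gt 1023 ] && [ "$_port" -le 65535 ] || return 1
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$_host" | tr . ,)" \
        $(( _port / 256 )) $(( _port % 256 ))
}

# Does port $1 fall inside a pf-style port list ("21 1023:1060 50000:65535")?
# This is the decision a server-side packet filter makes for the passive
# data port; a port outside the list leaves the data connection hanging.
port_allowed() {
    _p=$1; shift
    for _spec in "$@"; do
        case $_spec in
            *:*) _lo=${_spec%%:*}; _hi=${_spec#*:}
                 [ "$_p" -ge "$_lo" ] && [ "$_p" -le "$_hi" ] && return 0 ;;
            *)   [ "$_p" -eq "$_spec" ] && return 0 ;;
        esac
    done
    return 1
}

# Walk through one passive and one active exchange with constructed messages.
demo() {
    _ctl=192.168.1.10    # constructed: the server address the client dialled on port 21
    _ep=$(pasv_data_target '227 Entering Passive Mode (192,168,1,10,195,89).' "$_ctl") || return 1
    set -- $_ep
    echo "client sends PASV; server answers with $1:$2; client connects there from port N+1"
    if port_allowed "$2" 21 1023:1060 50000:65535; then
        echo "port $2 is inside the server's pf port list: transfer proceeds"
    else
        echo "port $2 is outside the server's pf port list: data connection would hang"
    fi
    echo "active mode instead: client sends '$(port_command 10.0.0.5 49153)' and waits for port 20"
}
demo
```

Running the script prints the passive exchange for the sample reply (data port 50009, which the sample port list permits) and the PORT command a client at 10.0.0.5 would send for port 49153. Feed port_allowed the same list you put in your packet filter to see whether a given 227 reply would get through.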

Setting Up FTP Services

Adding the FTP user account

First you need an ftp account on the system. It must not have a usable password. We set the login directory to /home/ftp here, but that is your choice; for anonymous logins the ftp daemon chroots itself into that directory. The account also needs a shell that appears in /etc/shells, because ftpd refuses logins for users whose shell is not listed there, so we register /usr/bin/false first. The account can be added with adduser(8) or pw(8).

# echo /usr/bin/false >> /etc/shells


# adduser
Username : ftp 
Full name []: anonymous ftp 
Uid (Leave empty for default): <Enter>
Login group ftp [ftp]: <Enter>
Login group is "ftp". Invite ftp into other groups? []: <Enter>
Login class [default]: <Enter>
Shell (sh csh tcsh false nologin) [sh]: false 
Home directory [/home/ftp]: <Enter>
Lock out the account after creation? [n]: no 

Username : ftp 
Password : 
Full Name : anonymous ftp 
Uid : 1002
Class : default 
Groups : ftp 
Home : /home/ftp 
Shell : /usr/bin/false 
Locked : no 
OK? (yes/no) : yes 
adduser: INFO: Successfully added (ftp) to the user database. 
Add another user? (yes/no): no 
Goodbye!

Note: For a chrooted-user FTP server, give the account a real password, a different full name and a separate home directory, and list it in /etc/ftpchroot.

Alternatively, add the user with pw(8):

# pw groupadd ftp -g 1000
# pw useradd ftp -u 500 -g ftp -c 'anonymous FTP user' -s /usr/bin/false -d /home/ftp -m -w no

Note: For a chrooted-user FTP server you need a real password, a different comment (the string in single quotes) and a separate home directory. Below, the user dfly gets its own group, a home under /var/www/htdocs and an entry in /etc/ftpchroot, which is what confines the session to that directory:

# pw groupadd dfly
# pw useradd dfly -g dfly -c 'dfly' -s /usr/bin/false -d /var/www/htdocs/dfly -m

# passwd dfly
New Password:
Retype New Password:

# echo 'dfly' >> /etc/ftpchroot

Directory Setup

Creating the user also created the directory /home/ftp, owned by the ftp user. We now change ownership and permissions so the tree is safe to expose to the anonymous user (the exact layout is the administrator's choice).

/home/ftp - This is the main directory. It should be owned by root and have permissions of 555.

/home/ftp/etc - This is entirely optional and not recommended, as it only serves to give out information about the users on your box. If you want listings in the anonymous tree to show real user names rather than numeric ids, copy /etc/pwd.db and /etc/group into this directory; the directory should be mode 511 and the two files mode 444. No passwords are stored in pwd.db, they live in spwd.db, so never copy that one.

/home/ftp/pub - This is a standard directory to place files in which you wish to share. This directory should also be mode 555.

# cd /home/ftp
# mkdir pub etc
# chown root:wheel /home/ftp pub etc
# chmod 555 /home/ftp pub
# chmod 511 etc
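The account, directory and permission steps above, collected into one script together with an audit of the result. This is an added example, not the DragonFly page's own script; it assumes pw(8) with the -g/-c/-d/-s/-m/-w options, root:wheel ownership and the /home/ftp layout used above. setup_anon_ftp must run as root on the server; audit_ftp_tree only reads the tree and can be run at any time to confirm that the modes and ownership this section calls for still hold.

```sh
#!/bin/sh
# Added example, not the DragonFly page's own script: the account and
# directory setup from the steps above as one idempotent script, plus an
# audit that verifies the result. Assumes DragonFly's pw(8), /usr/bin/false
# as the locked shell and the /home/ftp layout used on the page.
FTP_HOME=/home/ftp
FTP_SHELL=/usr/bin/false

# Run as root on the DragonFly host.
setup_anon_ftp() {
    # ftpd rejects logins whose shell is missing from /etc/shells
    grep -qx "$FTP_SHELL" /etc/shells || echo "$FTP_SHELL" >> /etc/shells
    pw groupshow ftp >/dev/null 2>&1 || pw groupadd ftp
    # -w no leaves the account without a usable password
    pw usershow ftp >/dev/null 2>&1 || \
        pw useradd ftp -g ftp -c 'anonymous FTP user' -d "$FTP_HOME" -s "$FTP_SHELL" -m -w no
    mkdir -p "$FTP_HOME/pub" "$FTP_HOME/etc"
    # pw -m created the tree owned by ftp; the anonymous user must not own
    # anything it can reach, so hand it all to root and make it read-only
    chown root:wheel "$FTP_HOME" "$FTP_HOME/pub" "$FTP_HOME/etc"
    chmod 555 "$FTP_HOME" "$FTP_HOME/pub"
    chmod 511 "$FTP_HOME/etc"
}

# "mode owner" of a path, taken from ls -ld so it reads the same on BSD and GNU.
mode_owner() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9), $3 }'
}

# Verify a directory has exactly the symbolic mode and owner expected.
check_dir() {
    _path=$1; _want_mode=$2; _want_owner=$3
    [ -d "$_path" ] || { echo "MISSING $_path"; return 1; }
    set -- $(mode_owner "$_path")
    _crc=0
    [ "$1" = "$_want_mode" ] || { echo "MODE $_path is $1, want $_want_mode"; _crc=1; }
    [ "$2" = "$_want_owner" ] || { echo "OWNER $_path is $2, want $_want_owner"; _crc=1; }
    return $_crc
}

# Audit an anonymous FTP tree: root and pub 555, etc 511 if present,
# everything owned by $2 (root on a real host) and nothing world-writable.
audit_ftp_tree() {
    _root=$1; _owner=${2:-root}
    _arc=0
    check_dir "$_root" r-xr-xr-x "$_owner" || _arc=1
    check_dir "$_root/pub" r-xr-xr-x "$_owner" || _arc=1
    if [ -d "$_root/etc" ]; then
        check_dir "$_root/etc" r-x--x--x "$_owner" || _arc=1
    fi
    _bad=$(find "$_root" -perm -002)
    [ -z "$_bad" ] || { echo "WORLD-WRITABLE: $_bad"; _arc=1; }
    return $_arc
}

case ${1:-} in
    setup) setup_anon_ftp ;;
    audit) audit_ftp_tree "$FTP_HOME" ;;
esac
```

Invoke it as `sh ftpsetup.sh setup` once, then `sh ftpsetup.sh audit` after any change to the tree; the audit prints one line per problem and exits non-zero, which makes it easy to hook into a periodic check.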

Configuring The Server

*/etc/ftpwelcome* – Welcome message shown to clients before login.
*/etc/motd* – Message shown to the client after login.
*/etc/ftpchroot* – Lists users whose FTP sessions are chrooted to their home directory.
*/etc/ftpusers* – Lists users who are denied any FTP access.
*/etc/ftpd.conf* – Contains further configuration options and tuning.

Starting The FTP Server

There are two ways to start the server; both are described below. See ftpd(8) and inetd(8) for details. Use one or the other, not both: the second daemon would fail to bind port 21.

Starting via inet

Add the following line to /etc/inetd.conf, or uncomment the similar one that is usually already there:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -options

Replace -options with the flags you need. The ones to consider are:

-A – allow anonymous access.
-l – log each session; given twice, also log transfers and other details.
-D – run as a standalone daemon (only for the standalone method, not from inetd).
-S – log all anonymous transfers.

To start inetd, the internet super server, at boot, add the following line to /etc/rc.conf (no spaces around the equals sign; rc.conf is parsed by sh):

inetd_enable="YES"

To start it immediately:

# /etc/rc.d/inetd start

Starting standalone

Open /etc/rc.conf and add the entries (again without spaces around the equals sign):

ftpd_enable="YES"
ftpd_flags="-options"

Packet Filtering Setting

A packet filter configuration for FTP in passive mode can look like the fragment of /etc/pf.conf below. em0 is the interface carrying the traffic (on my guest OS); port 21 is the control port and the two ranges are the ports on which data connections may arrive. Many administrators will not be happy about how many ports this opens to anyone on the network, so keep the passive range as narrow as your ftpd allows. netstat(1) shows routing, interfaces and listening sockets and helps verify what is actually exposed:

# netstat -rn

ext_if="em0"
tcp_services="{ 21 1023:1060 50000:65535 }"
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

Client Side of FTP

There are numerous FTP clients. DragonFly ships ftp(1) for the command line, and graphical file managers such as Nautilus and Konqueror handle more complex transfers. Web browsers used to double as FTP clients, but current Firefox and Chrome releases have dropped FTP support.

Done

Congratulations, you now have a working FTP server. You can go on sharing files and hardening it. Bear in mind that plain FTP sends passwords in the clear, so the anonymous setup is the right one for public sharing and chrooted user logins belong on trusted networks only.