OPS335 FTP Lab

621 bytes removed, 19:33, 18 March 2013
Updating for F17
==VSFTP Setup==
This lab will show you how to set up an FTP server inside a VM guest on a Fedora 17 host.
Since you'll be using a VM as the FTP server, you'll only require one lab PC. Remember, these are not group labs - please work individually.
===Background Information:===
FTP uses 2 TCP ports. The first, usually port 21, is used to send commands to the server (ls, cd, get, put, etc.) and to receive command replies from the server. The second, sometimes port 20, is used to send a file to the server during an upload or to receive a file from the server during a download.
*FTP can work in 2 modes: Active or Passive.
**In active mode the client connects to the server on port 21. The server then connects back to the client from port 20. In both connections, the ports used on the client are insecure high-numbered ports (greater than 1023).
===Configure your VM===
*Power up your PC (the gateway with host name f17), login as your user-id, open a terminal window and "su" to root.
*Check the settings on your firewall. Ensure that you can still use the services you have configured in previous labs.
*Check your firewall using the "iptables-save" command.
*Still as root you need to install an ftp client. Use this command: "yum install ftp".
*Login to your VM01 and ensure you have the firewall set up to allow the services you have previously configured (e.g. DNS, mail). If those services are not functioning, fix them (or your firewall) now.
Before proceeding to the next part, ensure your gateway is working properly and that your server has full access to the Internet. Try some of these commands on your VM/guest:
ping 192.168.X.1
host cbc.ca
Also use lynx from your VM to ensure you can view internal and external web sites.
{{Admon/important|Known bug|To fix a known bug in bash, run the following command: su -c 'yum reinstall bash'. If you do not run this command, you will not be able to ftp using your local user accounts (but will be able to use anonymous access).}}
===Set up your FTP Server (Passive Mode)===
#*Anonymous users should be able to login and download any files (permissions allowing) from the directory /var/ftp/pub.
#*Anonymous uploading should not be allowed.
#*Prevent local accounts from logging in.
#*The FTP Greeting Banner should be set to "Welcome to my OPS335 FTP Server".
#*Set the server to listen on IPv4 sockets, not IPv6.
#*Set the maximum number of concurrent client connections to 30.
#*Set the maximum transfer rate for anonymous users to 130318 bytes per second.
#*Set the connection timeout for all clients to two minutes.
#*Enable file transfer logging.
#*Limit the range of ports passive mode is allowed to use to 13335 to 13885.
#You'll now have to modify your vm01 firewall to allow NEW tcp connections on port 21, and tcp connections on the same ports vsftp will use for data connections.
#You'll need to set SELinux to permissive mode: setenforce 0.
#You'll also need to tell SELinux to allow ftp access to users' home directories with: setsebool ftp_home_dir 1
#*Note that this may take a minute to run.
#Verify that the ftp connection tracking module is installed in your kernel with the "lsmod" command. If it is not, you'll have to install it with the command: "modprobe nf_conntrack_ftp".
 
#Start your ftp server.
#From the command line of your vm, create a new file (or several) in /var/ftp/pub.
#At this point you should test your FTP server from other hosts within your intranet. It should allow anonymous users to retrieve files. From a terminal window on the gateway try these activities:
#*ftp as anonymous using the login 'ftp' to your VM, then list and get the file you created.
#*ftp as your user name on your VM, then list, get and put files.
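One way to check a finished configuration against the requirement list above, as an added example that is not part of the original lab: the script compares a vsftpd.conf with the expected option values and reports every deviation. The function names (conf_get, audit_vsftpd, sample_conf) and the sample configuration are constructed for illustration, and the connection timeout is left out because the lab does not name which vsftpd timeout option it means.

```shell
#!/bin/sh
# Added example, not the lab's own material: audit a vsftpd.conf against the
# lab's passive-mode settings. Options absent from the file count as "unset".

# Print the value assigned to option $2 in file $1, or "unset" if absent.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }    # skip comment lines
        $1 == key  { sub(/^[^=]*=/, ""); val = $0; found = 1 }
        END        { print (found ? val : "unset") }' "$1"
}

# Print one line per deviation; the return status is the number of deviations.
audit_vsftpd() {
    bad=0
    while IFS='=' read -r key want; do
        have=$(conf_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '$have', want '$want'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
anonymous_enable=YES
anon_upload_enable=NO
local_enable=NO
listen=YES
max_clients=30
anon_max_rate=130318
xferlog_enable=YES
pasv_min_port=13335
pasv_max_port=13885
ftpd_banner=Welcome to my OPS335 FTP Server
EOF
    return "$bad"
}

# Constructed sample: local logins still enabled, passive port range missing.
sample_conf() {
    printf '%s\n' 'anonymous_enable=YES' 'anon_upload_enable=NO' \
        'local_enable=YES' 'listen=YES' 'max_clients=30' 'anon_max_rate=130318' \
        'xferlog_enable=YES' 'ftpd_banner=Welcome to my OPS335 FTP Server'
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_vsftpd "$tmp" || echo "$? option(s) differ from the lab requirements"
rm -f "$tmp"
```

A missing passive port range is worth catching before touching the firewall, since the firewall rules for data connections must open exactly the range the server is configured to use.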
===Configure the Firewall===
*Now configure your firewall (using iptables) on the gateway machine to allow FTP clients through to the vm01 FTP server.
*You'll need to automatically forward packets with destination port 21, and those being used for passive connections, to your VM machine (similar to what you have done with other traffic in earlier labs).
*Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test the anonymous user's ability to list and get files again.
===Set up your FTP Server (Active Mode)===
{{Admon/important|Obsolete| Note that the material in this step is obsolete. Active mode is considered a security risk to the client. Many ftp clients do not even support active mode anymore. Note how you would perform these steps, but do not do them.}}
#Edit /etc/vsftpd/vsftpd.conf and disable Passive mode (so now only Active mode is enabled) and then restart vsftpd.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
==Completing the Lab==
Answer the following questions and email them to your teacher in ASCII text format.
#What parameters did you use to force vsftp to use active mode only?
#What version number of vsftpd are you using?
#What parameters would you set to configure vsftp to use ssl for authentication?
#If you wanted to allow your local users to access their files through ftp, what parameters would you set, and what would you set them to?