OPS335 FTP Lab

344 bytes added, 18:02, 30 November 2015 (minor edit: Clarifying instructions)
[[Category:OPS335]][[Category:OPS335 Labs]]
==VSFTP Setup==
This lab will show you how to set up an FTP server and provide you with experience identifying configuration parameters that meet your requirements. You'll be using your Centos host as the FTP server and connecting to it from your VMs and from other machines.

===Background Information:===
FTP uses 2 TCP ports. The first, usually port 21, is used to send commands to the server (ls, cd, get, put, etc.) and to receive command replies from the server. The second, sometimes port 20, is used to send a file to the server during an upload or to receive a file from the server during a download.
*FTP can work in 2 modes: Active or Passive.
**In active mode the client connects to the server on port 21. The server then connects back to the client from port 20. In both connections, the ports used on the client are insecure high-numbered ports (greater than 1023).
**In passive mode the client first connects to the server on port 21 and then makes a second connection to a high-numbered port on the server. As with active mode, the ports used on the client are insecure high-numbered ports (greater than 1023).
FTP can be set up so that anonymous users (users without accounts on the server) may download and possibly upload files.<br />
[[Image:Passive-ftp.png]][[Image:Active-ftp.png]]

===Configure your VM===
*Power up your PC (the gateway with host name host), login as your user-id, open a terminal window and "su" to root.
*Check the settings on your firewall. Ensure that you can still use the services you have configured in previous labs.
*Now make sure you are connected to the Internet. Start Firefox and authenticate yourself into the network.
*Login to your VM1 and ensure you have the firewall set up to allow the services you have previously configured (e.g. DNS, apache). If those services are not functioning, fix them (or your firewall) now.
Before proceeding to the next part ensure your gateway is working properly and that your server has access to the Internet. Try some of these commands on your VM/guest: "ping 192.168.X.1" and "host cbc.ca". Also use lynx from your VM to ensure you can view internal and external web sites.

===Set up your FTP Server (Passive Mode)===
*On your Centos host you should not need to install vsftpd. If it is not present, install it with "yum install vsftpd".
#Edit the config file (/etc/vsftpd/vsftpd.conf) to implement the following:
#*Anonymous users should be able to login and download any files (permissions allowing) from the directory /var/ftp/pub.
#*Anonymous uploading should not be allowed.
#*Prevent local accounts from logging in.
#*The FTP Greeting Banner should be set to "Welcome to my OPS335 FTP Server".
#*Set the server to listen on IPv4 sockets, not IPv6.
#*Set the maximum number of concurrent client connections to 30.
#*Set the maximum transfer rate for anonymous users to 140300 bytes per second.
#*Set the connection timeout for idle clients to two minutes.
#*Enable file transfer logging.
#*Limit the range of ports passive mode is allowed to use to 14335 to 14935.
#You'll now have to modify your firewall to allow NEW tcp connections on port 21, and tcp connections on the same ports vsftp will use for data connections.
#Verify that the ftp connection tracking module is loaded in your kernel with the "lsmod" command. If it is not, you'll have to load it with the command: "modprobe nf_conntrack_ftp".
#Start your ftp server.
#From the command line of your server, create a new file (or several) in /var/ftp/pub.
#Change the ownership of the /var/ftp/pub directory to the user ftp.
#At this point you should test your FTP server from other hosts within your intranet. It should allow anonymous users to retrieve files. From one of your VMs try these activities:
#*ftp using the login 'ftp' to your host, then list and get the file you created.
#*Try logging in as a user that exists on that machine.

===Connecting from outside your intranet===
*Now configure your firewall (using iptables) on the gateway machine to allow FTP clients from outside your network (if you did not already do so).
*Test your firewall by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your gateway PC. Test the anonymous user's ability to list and get files again.
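As an added example (not part of the lab page or the vsftpd project), the script below writes a vsftpd.conf that covers every item on the passive-mode checklist above, checks the finished file against that checklist before the daemon is started, and prints the firewall rules for the control port and the chosen passive data range. The directive names are vsftpd's own; the output path is whatever the caller passes, and the iptables commands are printed rather than executed so the check can run anywhere.

```shell
#!/bin/sh
# Added example, not from the lab page: generate a vsftpd.conf that meets the
# passive-mode checklist, verify it, and print the matching firewall rules.
# Directive names are vsftpd's own; the output path is chosen by the caller.

# write_vsftpd_conf FILE -> writes a complete config for the checklist to FILE
# (vsftpd does not allow trailing comments on a directive line, so comments
# sit on their own lines)
write_vsftpd_conf() {
    cat > "$1" <<'EOF'
# anonymous users may log in and read /var/ftp/pub (under the ftp user's home)
anonymous_enable=YES
# ... but may not upload files or create directories
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# local (system) accounts may not log in at all
local_enable=NO
ftpd_banner=Welcome to my OPS335 FTP Server
# standalone daemon on IPv4 only (listen and listen_ipv6 must not both be YES)
listen=YES
listen_ipv6=NO
max_clients=30
# anonymous transfer rate cap, in bytes per second
anon_max_rate=140300
# idle control connections are dropped after two minutes (value in seconds)
idle_session_timeout=120
# transfer log, written to /var/log/xferlog in the standard format
xferlog_enable=YES
xferlog_std_format=YES
# passive mode with a fixed data-port range that the firewall can be told about
pasv_enable=YES
pasv_min_port=14335
pasv_max_port=14935
EOF
}

# conf_get FILE KEY -> prints the (last) value of KEY, skipping comment lines
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# expect_kv FILE KEY VALUE -> reports a mismatch and sets rc=1
expect_kv() {
    v=$(conf_get "$1" "$2")
    if [ "$v" != "$3" ]; then
        echo "FAIL: $2 should be '$3' (got '${v:-unset}')"
        rc=1
    fi
}

# check_vsftpd_conf FILE -> returns 0 only when every checklist item is met
check_vsftpd_conf() {
    rc=0
    expect_kv "$1" anonymous_enable YES
    expect_kv "$1" anon_upload_enable NO
    expect_kv "$1" local_enable NO
    expect_kv "$1" ftpd_banner "Welcome to my OPS335 FTP Server"
    expect_kv "$1" listen YES
    expect_kv "$1" listen_ipv6 NO
    expect_kv "$1" max_clients 30
    expect_kv "$1" anon_max_rate 140300
    expect_kv "$1" idle_session_timeout 120
    expect_kv "$1" xferlog_enable YES
    expect_kv "$1" pasv_enable YES
    expect_kv "$1" pasv_min_port 14335
    expect_kv "$1" pasv_max_port 14935
    return $rc
}

# passive_mode_firewall_rules -> prints the iptables commands for the checklist's
# firewall step: NEW connections to port 21 and to the passive data range.
# Review the output, then run it as root (for example: ... | sh).
passive_mode_firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 14335:14935 -m state --state NEW -j ACCEPT
EOF
}

# ensure_ftp_conntrack -> loads the FTP connection-tracking helper if lsmod
# does not already list it (must run as root on the server)
ensure_ftp_conntrack() {
    lsmod | grep -q '^nf_conntrack_ftp' || modprobe nf_conntrack_ftp
}
```

Typical use on the server is `write_vsftpd_conf /etc/vsftpd/vsftpd.conf && check_vsftpd_conf /etc/vsftpd/vsftpd.conf` before starting vsftpd; the check prints one FAIL line per unmet item, so a later hand edit that, for instance, flips anon_upload_enable back to YES is caught before the service is exposed.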
===Set up your FTP Server (Active Mode)===
#Edit /etc/vsftpd/vsftpd.conf and disable Passive mode, ensure active mode is enabled, and then restart vsftpd.
#Add any iptables rules necessary to allow active connections.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
===Log Packets with iptables===
#On the firewall/gateway add iptables log rules to monitor ftp traffic (control and data) from outside your network in both of the following.
#*INPUT chain of filter table
#*OUTPUT chain of filter table
#While monitoring your packets using "tail -f /var/log/messages", test your firewall logs by connecting from one of your VMs, and then by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
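As an added example covering both the Active Mode section and the Log Packets section (not code from the lab page or from vsftpd), the script below switches a vsftpd.conf to active mode only, reports which mode a given config offers (taking vsftpd's defaults for absent directives into account), and prints the iptables ACCEPT and LOG rules for the control and data traffic on the INPUT and OUTPUT chains. The interface name eth0 and the log prefixes are assumptions; the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the lab page: switch vsftpd to active mode, detect the
# mode a config offers, and emit the iptables rules that go with it.

# conf_value FILE KEY DEFAULT -> value of KEY, or DEFAULT when the key is absent
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# ftp_mode FILE -> "both", "active", "passive" or "none"
# (vsftpd defaults: pasv_enable=YES and port_enable=YES when not set)
ftp_mode() {
    pasv=$(conf_value "$1" pasv_enable YES)
    port=$(conf_value "$1" port_enable YES)
    case "$pasv/$port" in
        YES/YES) echo both ;;
        NO/YES)  echo active ;;
        YES/NO)  echo passive ;;
        *)       echo none ;;
    esac
}

# set_active_mode FILE -> rewrites FILE so only active mode is offered: any
# earlier copies of the three directives are dropped first, so the last-wins
# rule cannot leave a stale pasv_enable=YES behind
set_active_mode() {
    grep -v -E '^[[:space:]]*(pasv_enable|port_enable|connect_from_port_20)=' "$1" \
        > "$1.tmp" || true
    { cat "$1.tmp"
      printf 'pasv_enable=NO\nport_enable=YES\nconnect_from_port_20=YES\n'
    } > "$1"
    rm -f "$1.tmp"
}

# active_mode_firewall_rules -> ACCEPT rules the server needs in active mode:
# the control channel still arrives on port 21, and the server itself opens the
# data connection outward from source port 20
active_mode_firewall_rules() {
    cat <<'EOF'
iptables -A INPUT  -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT
EOF
}

# ftp_log_rules IFACE -> LOG rules for control (21) and data (20 and the
# passive range) traffic on INPUT and OUTPUT. They are inserted at the top
# (-I) so they see packets before any ACCEPT rule; the prefix makes the lines
# easy to find in /var/log/messages.
ftp_log_rules() {
    ifc=${1:-eth0}   # assumed external interface name
    for p in 21 20 14335:14935; do
        echo "iptables -I INPUT  -i $ifc -p tcp --dport $p -j LOG --log-prefix 'FTP-IN: '"
        echo "iptables -I OUTPUT -o $ifc -p tcp --sport $p -j LOG --log-prefix 'FTP-OUT: '"
    done
}
```

Run `set_active_mode /etc/vsftpd/vsftpd.conf` and restart vsftpd, then `ftp_mode /etc/vsftpd/vsftpd.conf` should print active; `ftp_log_rules eth0 | sh` on the gateway, followed by `tail -f /var/log/messages | grep FTP-`, shows the control and data packets of each test connection as they pass.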
==Completing the Lab==
In completing this lab you have gained experience using a service that has multiple modes. You have practiced researching configuration parameters to find the ones you need. This will be an invaluable skill, as you will not usually have anyone telling you specifically which parameters to set, or what values to set them to.
Exploration questions:
#What parameters did you use to force vsftp to use active mode only?
#What version number of vsftpd are you using?
#What parameters would you need to configure vsftp to use ssl for authentication?
#If you wanted to allow local users to access their files, what parameters would you set, and what would you set them to?

Previous revision of the lab (Fedora 13 host, with the FTP server on the guest vm01):

===PART A: Build your VM===
#Power up your PC (the gateway with host name f13), login as joker, open a terminal window and "su -" to root.
#Setup a default Desktop firewall. You can do this from the System->Administration->Firewall menu by stopping the firewall and then selecting the Desktop option to make a new one.
#Once your Desktop firewall is set up you'll need to restart the libvirtd service. Use the command "service libvirtd restart". Check your firewall using the "iptables-save" command. You should get something that looks like this.
#Still as root you'll need to install an ftp client. Use this command: "yum install ftp".
#Now make sure you are connected to the Internet. Start Firefox and authenticate yourself with your LEARN password.
#Use virt-manager to create a new Virtual Machine (VM) named vm01.
#Login to your VM and ensure you have the default Fedora Desktop firewall set up. Your firewall should look something like this.
Before proceeding to PART B ensure your gateway is working properly and that your server has full access to the Internet. Try some of these commands on your VM guest: "ping 192.168.122.1" and "host cbc.ca". Also start Firefox in the guest and ensure it can view outside web sites.

===PART B: Set up your FTP Server (Passive Mode)===
#Still on vm01 use yum to install vsftpd and edit the config file (/etc/vsftpd/vsftpd.conf) to implement the following:
#*Anonymous users should be able to login and download any files (permissions allowing) from /var/ftp/pub.
#*Anonymous uploading should not be allowed.
#*Local users should be allowed to login to their own accounts and upload/download their own files.
#*The FTP Greeting Banner should be set to "Welcome to OPS335 FTP Server".
#*Set the maximum number of concurrent client connections to 50.
#*Set the maximum transfer rate for anonymous users to 131072 bytes per second.
#*Set the connection timeout for all clients to 90 seconds.
#*Enable file transfer logging.
#You'll now have to modify your vm01 firewall to allow NEW tcp connections on port 21.
#You'll also need to set SELinux to permissive mode: "setenforce 0".
#Finally you'll have to load the ftp connection tracking module into your kernel. Use this command: "modprobe nf_conntrack_ftp". To verify that your kernel module is loaded you can use the "lsmod" command.
#At this point you should test your FTP server from hosts within your intranet. It should work properly for both anonymous and local users. From a terminal window on the gateway try these activities:
#*ftp as joker on your VM, then list, get and put files.
#*ftp as anonymous to your VM, then list and get files.

===PART C: Configure the Firewall===
#Now configure your firewall (using iptables) on the gateway to allow FTP clients through to the vm01 FTP server. You'll need to forward packets with destination port 21 to your VM machine.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your gateway PC. Test both local user as well as anonymous connections.

===PART D: Set up your FTP Server (Active Mode)===
#Edit /etc/vsftpd/vsftpd.conf and disable Passive mode (so now only Active mode is enabled) and then restart vsftpd.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your gateway PC. Test both local user as well as anonymous connections.

===PART E: Log Packets with Netfilter===
#On the firewall/gateway add iptables log rules to monitor ftp traffic (control and data) for the following:
#*PREROUTING chain of nat table
#*FORWARD chain of filter table
#*POSTROUTING chain of nat table
#On vm01 add iptables log rules to monitor ftp traffic (control and data) for the following:
#*PREROUTING chain of nat table
#*INPUT chain of filter table
#*OUTPUT chain of filter table
#*POSTROUTING chain of nat table
#Now repeat step 2 of PART D while monitoring your packets using "tail -f /var/log/messages" on both the gateway/firewall and vm01.

===PART F: Answer the following questions and email them to your teacher in ASCII text format.===
#What is your full name and 9-digit Seneca student ID?
#Hand in your output from the following commands on the FTP server:
#*cat /etc/vsftpd/vsftpd.conf | grep -v ^# | awk 'NF>0'
#*cat /var/log/xferlog
#*iptables-save
#Hand in your output from the following commands on the gateway:
#*iptables-save
#Show the log files on both the gateway (f13) and the server (vm01) generated in step 3 of PART E.