OPS335 FTP Lab

282 bytes added, 18:02, 30 November 2015
Clarifying instructions
[[Category:OPS335]][[Category:OPS335 Labs]]
==VSFTP Setup==
This lab will show you how to set up an FTP server and provide you with experience identifying configuration parameters that meet your requirements. You'll be using your Centos host as the FTP server and connecting to it from your VMs and from other machines.
===Background Information===
FTP uses 2 TCP ports. The first, usually port 21, is used to send commands to the server (ls, cd, get, put, etc.) and to receive command replies from the server. The second, sometimes port 20, is used to send a file to the server during an upload or to receive a file from the server during a download.
*FTP can work in 2 modes: Active or Passive.
**In active mode the client connects to the server on port 21. The server then connects back to the client from port 20. In both connections, the ports used on the client are insecure high-numbered ports (greater than 1023).
**In passive mode the client first connects to the server on port 21 and then makes a second connection to a high-numbered port on the server. As with active mode, the ports used on the client are insecure high-numbered ports (greater than 1023).
FTP can be set up so that anonymous users (users without accounts on the server) may download and possibly upload files.
===Configure your VM===
*Power up your PC, login as your user-id, open a terminal window and "su -" to root.
*Check the settings on your firewall. Ensure that you can still use the services you have configured in previous labs.
*Now make sure you are connected into the network.
*Login to VM1 and ensure you have the firewall set up to allow the services you have previously configured (e.g. DNS, apache). If those services are not functioning, fix them (or your firewall) now.
Before proceeding to the next part ensure your gateway is working properly and that your server has full access to the Internet. Try some of these commands on your VM: ping 192.168.X.1; also use lynx from your VM to ensure you can view internal and external web sites.
===Set up your FTP Server (Passive Mode)===
*On your Centos host you should not need to install vsftpd. If it is not present, install it.
#Edit the config file (/etc/vsftpd/vsftpd.conf) to implement the following:
#*Anonymous users should be able to login and download any files (permissions allowing) from the directory /var/ftp/pub.
#*Anonymous uploading should not be allowed.
#*Prevent local accounts from logging in.
#*The FTP Greeting Banner should be set to "Welcome to my OPS335 FTP Server".
#*Set the server to listen on IPv4 sockets, not IPv6.
#*Set the maximum number of concurrent client connections to 30.
#*Set the maximum transfer rate for anonymous users to 140300 bytes per second.
#*Set the connection timeout for all idle clients to two minutes.
#*Enable file transfer logging.
#*Limit the range of ports passive mode is allowed to use to 14335 to 14935.
#You'll now have to modify your firewall to allow NEW tcp connections on port 21, and tcp connections on the same ports vsftp will use for data connections.
#Verify that the ftp connection tracking module is loaded in your kernel with the "lsmod" command.
#If it is not, you'll have to load it into your kernel. Use this command: "modprobe nf_conntrack_ftp".
#Start your ftp server.
#From the command line of your server, create a new file (or several) in /var/ftp/pub.
#Change the ownership of the /var/ftp/pub directory to the user ftp.
#At this point you should test your FTP server from other hosts within your intranet. It should allow anonymous users to retrieve files. From a terminal window on one of your VMs try these activities:
#*ftp using the login 'ftp' to your host, then list and get the file you created.
#*Try logging in as a user that exists on that machine.
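As an added example (not part of the original lab), a small POSIX shell checker that compares a vsftpd.conf against the requirements above. The directive names are the standard vsftpd ones from vsftpd.conf(5), the expected values are the lab's, and the file is only read, never changed.

```shell
#!/bin/sh
# Added example, not part of the original lab: audit a vsftpd.conf against the
# passive-mode requirements listed above. Directive names are the standard
# vsftpd ones; the values are the lab's. Two minutes is taken as
# idle_session_timeout=120 (seconds). Nothing here edits the file.
VSFTPD_REQUIRED='anonymous_enable=YES
anon_upload_enable=NO
local_enable=NO
ftpd_banner=Welcome to my OPS335 FTP Server
listen=YES
listen_ipv6=NO
max_clients=30
anon_max_rate=140300
idle_session_timeout=120
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=14335
pasv_max_port=14935'

# conf_value FILE KEY: print the value of KEY in FILE, ignoring comment lines
# and surrounding whitespace. If KEY appears more than once this checker
# takes the last occurrence; an absent key prints nothing.
conf_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == k { v = val }
        END { print v }' "$1"
}

# audit_vsftpd_conf FILE: print one "MISMATCH key: want X, got Y" line per
# requirement the file does not meet; exit status 0 only if all are met.
audit_vsftpd_conf() {
    conf="$1"; bad=0
    while IFS='=' read -r key want; do
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$VSFTPD_REQUIRED
EOF
    [ "$bad" -eq 0 ]
}

# Usage: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf && echo "meets the lab requirements"
```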
===Connecting from outside your intranet===
*Now configure your firewall (using iptables) on the gateway machine to allow FTP clients through to the FTP server.
*You'll need to forward packets with destination port 21 from outside your network (if you did not already do so).
*Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test the anonymous user's ability to list and get files again.
===Set up your FTP Server (Active Mode)===
#Edit /etc/vsftpd/vsftpd.conf, ensure active mode is enabled, and then restart vsftpd.
#Add any iptables rules necessary to allow active connections.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
===Log Packets with iptables===
#On the firewall/gateway add iptables log rules to monitor ftp traffic (control and data) from outside your network in both of the following:
#*INPUT chain of filter table
#*OUTPUT chain of filter table
#While monitoring your packets using "tail -f /var/log/messages", test your firewall logs by connecting from one of your VMs, and then by logging into a second PC (try both Windows and Linux) and attempting an FTP connection to your PC. Test both local user as well as anonymous connections.
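An added example, not from the original lab: a POSIX shell summary of the kernel LOG lines such rules write to /var/log/messages, classifying each logged packet as control (port 21), active-data (port 20) or passive-data (the 14335-14935 range) per peer address. The log prefixes, interface name, and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab. Assumed LOG rules on the host
# (prefixes, interface and the port list are this example's choice):
#   iptables -A INPUT  -i eth0 -p tcp -m multiport --dports 20,21,14335:14935 -j LOG --log-prefix "FTP-IN: "
#   iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 20,21,14335:14935 -j LOG --log-prefix "FTP-OUT: "

# Constructed /var/log/messages lines in the kernel LOG format (not real captures).
FTP_LOG_SAMPLE='Nov 30 18:02:01 host kernel: FTP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40123 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 30 18:02:01 host kernel: FTP-OUT: IN= OUT=eth0 SRC=192.168.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21 DPT=40123 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Nov 30 18:02:03 host kernel: FTP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40124 DPT=14400 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 30 18:02:05 host kernel: FTP-OUT: IN= OUT=eth0 SRC=192.168.1.1 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=20 DPT=40200 WINDOW=28960 RES=0x00 SYN URGP=0
Nov 30 18:02:09 host kernel: e1000e: eth0 NIC Link is Up 1000 Mbps'

# ftp_log_summary < LOG: for each FTP-IN:/FTP-OUT: kernel line, take the
# server-side port (DPT for inbound, SPT for outbound) and the peer address,
# classify the packet, and count packets per "direction class peer".
ftp_log_summary() {
    awk '
        /kernel: FTP-(IN|OUT): / {
            dir = ($0 ~ /FTP-IN: /) ? "IN" : "OUT"
            src = dst = ""; spt = dpt = -1
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "SPT") spt = kv[2] + 0
                else if (kv[1] == "DPT") dpt = kv[2] + 0
            }
            port = (dir == "IN") ? dpt : spt
            peer = (dir == "IN") ? src : dst
            if (port == 21) cls = "control"
            else if (port == 20) cls = "active-data"
            else if (port >= 14335 && port <= 14935) cls = "passive-data"
            else cls = "other"
            n[dir " " cls " " peer]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Run the summary over the constructed sample (prints the sorted count lines).
ftp_log_summary_demo() {
    printf '%s\n' "$FTP_LOG_SAMPLE" | ftp_log_summary
}
```

On a live host, `ftp_log_summary < /var/log/messages` gives the same per-peer breakdown for the lines your own LOG rules produced.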
==Completing the Lab==
In completing this lab you have gained experience using a service that has multiple modes. You have practiced researching configuration parameters to find the ones you need. This will be an invaluable skill, as you will not usually have anyone telling you specifically which parameters to set, or what values to set them to.
Exploration questions:
#What parameters did you use to force vsftp to use active mode only?
#What version number of vsftpd are you using?
#What parameters would you set to configure vsftp to use ssl for authentication?
#If you wanted to allow your local users to access their files through ftp, what parameters would you set, and what would you set them to?