Changes

OPS335 FTP Lab

331 bytes removed, 21:00, 2 January 2014
Updated for Winter 2014 semester. Moved the service onto the host. Took out some things that no longer apply.
==VSFTP Setup==
This lab will show you how to set up an FTP server inside a VM guest on a Fedora 17 hostand provide you with experience identifying configuration parameters that meet your requirements. Since youYou'll be using a VM your Centos host as the FTP server, you'll only require one lab PC. Remember, these are not group labs - please work individuallyand connecting to it from your VMs and from other machines.
===Background Information:===
FTP uses 2 TCP ports. The first, usually port 21, is used to send commands to the server (ls, cd, get, put, etc.) and to receive command replies from the server. The second, sometimes port 20, is used to send a file to the server during an upload or to receive a file from the server during a download.
===Configure your VM===
*Power up your PC (the gateway with host name f17host), login as your user-id, open a terminal window and "su" to root.
*Check the settings on your firewall. Ensure that you can still use the services you have configured in previous labs.
*Check your firewall using the "iptables-save" command.
*Now make sure you are connected to the Internet. Start Firefox and authenticate yourself into the network.
*Still as root you need to install an ftp client. Use this command: "yum install ftp".
*Login to your VM01 and ensure you have the firewall set up to allow the services you have previously configured (e.g. DNS, mail). If those services are not functioning, fix them (or your firewall) now.
Before preceeding to the next part ensure your gateway is working properly and that your server has access to the Internet. Try some of these commands on your VM/guest:
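Review bot: The "Configure your VM" steps still name the gateway f17host and tell the student to log in to VM01 and check its firewall, while the edit summary says the service moved onto the host, so it is unclear which machine's firewall must pass the earlier services before vsftpd is configured. The closing sentence also ends at "Try some of these commands on your VM/guest:" with no commands after it; either list the connectivity checks or drop the sentence.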
===Set up your FTP Server (Passive Mode)===
{{Admon/important|Warning|As of Fedora core 3.5.0-2.fc17.x86_64, There is a parameter that *On your Centos host you must set for should not need to install vsftpd to work.}}seccomp_sandbox=NO you can read more about If it is not present, install it [https://bugzilla.redhat.com/show_bug.cgi?id=845980 here]#Still on vm01 use yum to install vsftpd and edit #Edit the config file (/etc/vsftpd/vsftpd.conf) to implement the following:
#*Anonymous users should be able to login and download any files (permissions allowing) from the directory /var/ftp/pub.
#*Anonymous uploading should not be allowed.
#*Set the server to listen on IPv4 sockets, not IPv6.
#*Set the maximum number of concurrent client connections to 30.
#*Set the maximum transfer rate for anonymous users to 130318 140100 bytes per second.#*Set the connection timeout for all idle clients to two minutes.
#*Enable file transfer logging.
#*Limit the range of ports passive mode is allowed to use to 13335 14335 to 1388514835.#You'll now have to modify your vm01 firewall to allow NEW tcp connections on port 21, and tcp connections on the same ports vsftp is will use for data connections.
#Verify that the ftp connection tracking module is installed in your kernel with the "lsmod" command. If it is not, you'll have to install it with the command: "modprobe nf_conntrack_ftp".
#Start your ftp server.
#At this point you should test your FTP server from other hosts within your intranet. It should allow anonymous users to retrieve files. From a terminal window on the gateway try these activities:
#*ftp using the login 'ftp' to your VM, then list and get the file you created.
#*Try logging is as a user that exists on that machine.
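Review bot: In the first step of the passive-mode section the seccomp_sandbox=NO warning and its Bugzilla link are run together with the new "On your Centos host you should not need to install vsftpd" wording, so a reader cannot tell whether that setting is still required. seccomp_sandbox=NO turns off vsftpd's seccomp filter, so if the Centos package works without it, say so explicitly rather than leaving the workaround half in place. The later steps still say "modify your vm01 firewall" and "ftp using the login 'ftp' to your VM", which should name the host now that it runs the server, and the anonymous rate limit and the passive port range should each show a single value.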
===Configure the FirewallConnecting from outside your intranet===*Now configure your firewall (using iptables) on the gateway machine to allow FTP clients through to the vm01 FTP server.*You'll need to automatically forward packets with destination port 21, and those being used for passive connections, to from outside your VM machine network (similar to what if you have done with other traffic in earlier labsdid not already do so).
*Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test the anonymous user's ability to list and get files again.
{{Admon/important|Warning|When testing the ability to ftp to someone else's machine, temporarily remove the iptables rules that are redirecting ftp traffic to your VM.}}
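Review bot: The warning at the end of this section still tells students to remove the iptables rules "redirecting ftp traffic to your VM", and the forwarding step still mentions "your VM machine", which no longer matches a server running on the host itself. State which chain on the host has to accept port 21 and the passive range from outside, and limit the opening to those ports so the test from a second PC does not leave the firewall wider than the lab needs.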
===Set up your FTP Server (Active Mode)===
#Edit /etc/vsftpd/vsftpd.conf and disable Passive mode (so now only Active , ensure active mode is enabled) , and then restart vsftpd.#Add any iptables rules necessary to allow active connections.
#Test your firewall by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
===Log Packets with iptables===
#On the firewall/gateway add iptables log rules to monitor ftp traffic (control and data) for the following:#*PREROUTING chain of nat table#*FORWARD chain of filter table#*POSTROUTING chain from outside your network in both of nat table#On vm01 add iptables log rules to monitor ftp traffic (control and data) for the following:.
#*INPUT chain of filter table
#*OUTPUT chain of filter table
#*While monitoring your packets using "tail -f /var/log/messages" - test your firewall logs by connecting from one of your VMs, and then by logging into a second PC (try both Windows and Linux) and attempt an FTP connection to your gateway PC. Test both local user as well as anonymous connections.
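Review bot: The first logging step runs the gateway's PREROUTING, FORWARD and POSTROUTING items together with the "On vm01" step and ends in "for the following:.", so it is not clear which machine the INPUT and OUTPUT rules belong on. Since the test reads everything with "tail -f /var/log/messages", ask for a distinct --log-prefix on each LOG rule, plus a rate limit, so entries can be attributed to a chain and the data connection of a long transfer does not flood the log.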
==Completing the Lab==
In completing this lab you have gained experience using a service that has multiple modes. You have practiced researching configuration parameters to find the ones you need. This will be an invaluable skill, as you will not usually have anyone telling you specifically which parameters to set, or what values to set them to.  Answer the following questions and and email them to your teacher in ASCII text format.
#What parameters did you use to force vsftp to use active mode only.
#What version number of vsftpd are you using.
#What parameters would you set to configure vsftp to use ssl for authentication.
#If you wanted to allow your local users to access their files through ftp, what parameters would you set, and what would you set them to?
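Review bot: Questions 1 to 3 are punctuated as statements while question 4 ends with a question mark, and the sentence introducing the list has a doubled "and". Question 3 asks about SSL for authentication only; since the lab has local users logging in over FTP, consider also asking which parameters protect the data connection.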