Configuring the FTP Server
General Introduction
FTP Overview
File Transfer Protocol (FTP) is one of the earliest transmission protocols on the Internet. It is used to transfer files between the server and client. FTP allows users to access files on a remote system using a set of standard commands without logging in to the remote system. In addition, the FTP server provides the following functions:
Subscriber classification
By default, the FTP server classifies users into real users, guest users, and anonymous users based on the login status. The three types of users have different access permissions. Real users have complete access permissions, while anonymous users have only the permission to downloading resources.
Command records and log file records
FTP can use the syslogd to record data, including historical commands and user transmission data (such as the transmission time and file size). Users can obtain log information from the /var/log/ directory.
Restricting the access scope of users
FTP can limit the work scope of a user to the home directory of the user. After a user logs in to the system through FTP, the root directory displayed by the system is the home directory of the user. This environment is called change root (chroot for short). In this way, users can access only the main directory, but not important directories such as /etc, /home, and /usr/local. This protects the system and keeps the system secure.
Port Used by the FTP Server
The FTP service requires multiple network ports. The server uses the following ports:
- Command channel. The default port number is 21.
- Data channel. The default port number is 20.
Port 21 is used to receive connection requests from the FTP client, and port 20 is used by the FTP server to proactively connect to the FTP client.
Introduction to vsftpd
FTP has a long history and uses the unencrypted transmission mode, and is therefore considered insecure. This section describes the Very Secure FTP Daemon (vsftpd), to use FTP in a more secure way.
The vsftpd is introduced to build a security-centric FTP server. The vsftpd is designed with the following features:
- The startup user of the vsftpd service is a common user who has low system permission. In addition, the vsftpd service uses chroot to change the root directory, preventing the risk of misusing system tools.
- Any vsftpd command that requires high execution permission is controlled by a special upper-layer program. The upper-layer program has low permission and does not affect the system.
- vsftpd integrates most of the extra commands (such as dir, ls, and cd) used by FTP. Generally, the system does not need to provide extra commands, which are secure for the system.
Using vsftpd
Installing vsftpd
To use the vsftpd service, you need to install the vsftpd software. If the yum source has been configured, run the following command as the root user to install the vsftpd service:
dnf install vsftpd
Service Management
To start, stop, or restart the vsftpd service, run the corresponding command as the root user.
Starting vsftpd services
systemctl start vsftpd
You can run the netstat command to check whether communication port 21 is enabled. If the following information is displayed, the vsftpd service has been enabled.
$ netstat -tulnp | grep 21 tcp6 0 0 :::21 :::* LISTEN 19716/vsftpd
NOTE:
If the netstat command does not exist, run the dnf install net-tools command to install the net-tools software and then run the netstat command.Stopping the vsftpd services
systemctl stop vsftpd
Restarting the vsftpd service
systemctl restart vsftpd
Configuring vsftpd
vsftpd Configuration Files
You can modify the vsftpd configuration file to control user permissions. Table 1 describes the vsftpd configuration files. You can modify the configuration files as required. You can run the man command to view more parameter meanings.
Table 1 vsftpd configuration files
Default Configuration Description
NOTE:
The configuration content in this document is for reference only. You can modify the content based on the site requirements (for example, security hardening requirements).
In the openEuler system, vsftpd does not open to anonymous users by default. Run the vim command to view the main configuration file. The content is as follows:
$ vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
Table 2 describes the parameters.
Table 2 Parameter description
Setting the Local Time
Overview
In the openEuler system, vsftpd uses the Greenwich Mean Time (GMT) time by default, which may be different from the local time. For example, the GMT time is 8 hours later than the Beijing time. You need to change the GMT time to the local time. Otherwise, the server time and client time are inconsistent, which may cause errors during file upload and download.
Setting Method
To set the vsftpd time to the local time, perform the following steps as the root user:
Open the vsftpd.conf file and change the value of use_localtime to YES. Run the following command:
vim /etc/vsftpd/vsftpd.conf
Modify the file contents as follows:
use_localtime=YES
Restart the vsftpd service.
systemctl restart vsftpd
Set the vsftpd service to start automatically upon power-on.
systemctl enable vsftpd
Configuring Welcome Information
You are advised to configure a welcome information file for the vsftpd service. To configure the welcome.txt file of the vsftp service, perform the following steps as the root user:
Open the vsftpd.conf configuration file, add the welcome information to the file, save the file, and exit.
vim /etc/vsftpd/vsftpd.conf
The following configuration lines need to be added:
banner_file=/etc/vsftpd/welcome.txt
Create welcome information. Specifically, open the welcome.txt file, write the welcome information, save the file, and exit.
vim /etc/vsftpd/welcome.txt
The following is an example:
Welcome to this FTP server!
Configuring the Login Permission of a System Account
Generally, users need to restrict the login permission of some accounts. You can set the restriction as required.
By default, vsftpd manages and restricts user identities based on user lists stored in two files. FTP requests from a user in any of the files will be denied.
- /etc/vsftpd/user_list can be used as an allowlist, blocklist, or invalid list, which is determined by the userlist_enable and userlist_deny parameters.
- /etc/vsftpd/ftpusers can be used as a blocklist only, regardless of the parameters.
Verifying Whether the FTP Service Is Successfully Set Up
You can use the FTP client provided by openEuler for verification. The command and output are as follows. Enter the user name (an existing user in the system) and password as prompted. If the message "Login successful" is displayed, the FTP server is successfully set up.
$ ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220-Welcome to this FTP server!
220
Name (localhost:root): USERNAME
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
NOTE:
If the ftp command does not exist, run the dnf install ftp command as the root user to install the ftp software and then run the ftp command.
Configuring a Firewall
To open the FTP service to the Internet, you need to configure the firewall and SElinux as the root user.
$ firewall-cmd --add-service=ftp --permanent
success
$ firewall-cmd --reload
success
$ setsebool -P ftpd_full_access on
File Transmission
Overview
This section describes how to transfer files after the vsftpd service is started.
Connecting to the Server
Command Format
ftp [hostname | ip-address]
hostname indicates the name of the server, and ip-address indicates the IP address of the server.
Requirements
Run the following command on the command-line interface (CLI) of the openEuler OS:
ftp ip-address
Enter the user name and password as prompted. If the following information is displayed after the authentication is successful, the FTP connection is successful. In this case, you have accessed the directory of the connected server.
ftp>
At this prompt, you can enter different commands to perform related operations.
Display the current path of the server.
ftp>pwd
Display the local path. You can upload the files in this path to the corresponding location on the FTP server.
ftp>lcd
Exit the current window and return to the local Linux terminal.
ftp>!
Downloading a File
Generally, the get or mget command is used to download files.
How to Use get
Function description: Transfers files from a remote host to a local host.
Command format: get [remote-file] [local-file]
remote-file indicates a remote file, and local-file indicates a local file.
For example, run the following command to obtain the /home/openEuler/openEuler.htm file on the remote server to the local directory /home/myopenEuler/ and change the file name to myopenEuler.htm
ftp> get /home/openEuler/openEuler.htm /home/myopenEuler/myopenEuler.htm
How to Use mget
Function description: Receives a batch of files from the remote host to the local host.
Command format: mget [remote-file]
remote-file indicates a remote file.
For example, to obtain all files in the /home/openEuler/ directory on the server, run the following command:
ftp> cd /home/openEuler/ ftp> mget *.*
NOTE:
- In this case, a message is displayed each time a file is downloaded. To block the prompt information, run the prompt off command before running the mget *.* command.
- The files are downloaded to the current directory on the Linux host. For example, if you run the ftp command in /home/myopenEuler/, all files are downloaded to /home/myopenEuler/.
Uploading a File
Generally, the put or mput command is used to upload files.
How to Use put
Function: Transfers a local file to a remote host.
Command format: put [local-file] [remote-file]
remote-file indicates a remote file, and local-file indicates a local file.
For example, run the following command to transfer the local myopenEuler.htm file to the remote host /home/openEuler/ and change the file name to openEuler.htm:
ftp> put myopenEuler.htm /home/openEuler/openEuler.htm
How to Use mput
Function: Transfers a batch of files from the local host to a remote host.
Command format: mput [local-file]
local-file indicates a local file.
For example, run the following command to upload all HTM files in the local directory to the /home/openEuler/ directory on the server:
ftp> cd /home/openEuler/ ftp> mput *.htm
Deleting a File
Generally, the delete or mdelete command is used to delete a file.
How to Use delete
Function description: Deletes one or more files from the remote server.
Command format: delete [remote-file]
remote-file indicates a remote file.
For example, to delete the /home/openEuler/openEuler.htm from the remote server, run the following command:
ftp> cd /home/openEuler/ ftp> delete openEuler.htm
How to Use mdelete
Function description: Deletes files from a remote server. This function is used to delete files in batches.
Command format: mdelete [remote-file]
remote-file indicates a remote file.
For example, to delete all files whose names start with a from the /home/openEuler/ directory on the remote server, run the following command:
ftp> cd /home/openEuler/ ftp> mdelete a*
Disconnecting from the Server
Run the bye command to disconnect from the server.
ftp> bye