setting up ftp server under Suse 10.1?
Hello, group!

My new employer insists on having an FTP service running on one of our servers, despite warnings that we should use scp instead. i've never set up an ftp server, so i'm looking for help...

Yast has a TFTP setup module, but it is very bare. It doesn't allow any configuration options except to enable/disable it and open/close the appropriate firewall port. After poking around a bit i can see that it wants to run tftp via xinetd, but:

a) i can't see where to configure it, e.g., which users are allowed to ftp in.

b) Connecting over ftp times out if i have the SuseFirewall running (even though the tftp port has been opened). If the SuseFirewall is shut down the connect fails immediately, which leads me to believe that xinetd is not getting the request or is immediately denying it.

My /etc/xinetd.d/tftp file looks like (comment lines excluded):

    service tftp
    {
            socket_type     = dgram
            protocol        = udp
            wait            = yes
            user            = root
            server          = /usr/sbin/in.tftpd
            server_args     = -s /tftpboot
            disable         = no
    }

The directory /tftpboot does exist but is empty. i would like to (need to) configure it such that the machine's users can log in and are directed to their own home directories.

Looking at the tftp log in Yast shows this:

    Aug 26 16:13:38 syntax xinetd[20988]: Reading included configuration file: /etc/xinetd.d/tftp [file=/etc/xinetd.d/tftp] [line=17]

However, line 17 is the last line and it is empty. ???

The machine is behind a firewall which redirects the ftp port to the Linux box on which tftp is running. Do we need to open/forward another range of ports on the firewall?

Any tips would be appreciated. i am not averse to installing another ftp server package, if that's necessary.

PS: despite how tempting it will be for many of you, please don't preach to me about the insecurity of ftp. i'm fully aware of this. The Boss wants ftp, so ftp he gets. The first time the machine is cracked via ftp, i'll tell him "i told you so" and will then get my way (only ssh/scp connections).
-- 
-----
stephan@s11n.net http://s11n.net
"...pleasure is a grace and is not obedient to the commands of the will." -- Alan W. Watts
On Saturday 26 August 2006 16:25, stephan beal wrote:
Yast has a TFTP setup module, but it is very bare. It doesn't allow any configuration options except to enable/disable it and open/close the appropriate firewall port. After poking around a bit i can see that it wants to run tftp via xinetd, but:
Problem solved: someone pointed out to me that tftp is not ftp. After installing vsftpd it more or less works. (i can connect but can't upload/download. It appears to be a firewall problem, but i'm waiting on the local admin to disable the firewall so i can test.)

-- 
-----
stephan@s11n.net http://s11n.net
"...pleasure is a grace and is not obedient to the commands of the will." -- Alan W. Watts
On Saturday 26 August 2006 10:49, stephan beal wrote:

Problem solved: someone pointed out to me that tftp is not ftp. After installing vsftpd it more or less works. (i can connect but can't upload/download. It appears to be a firewall problem, but i'm waiting on the local admin to disable the firewall so i can test.)

**************************************************************************************

The firewall needs to be specifically configured for FTP; on the Cisco PIX enter "fixup protocol ftp 21" (this is enabled by default). Alternatively, use passive mode FTP, which negates the need for firewall reconfiguration. Standard FTP commands run over port 21, file xfers use port 20; this is why the connection works, but data xfer does not.

== Here's the tech scoop from Cisco ==

Standard mode FTP (also called classic mode FTP) uses two channels for communication. When a client behind a firewall initiates an FTP connection from their host, it opens a standard TCP channel from one of its high-order ports (TCP source port >1023) to destination TCP port 21 on the outside server. This connection is referred to as the control channel. When the client requests data from the server, it tells the server to send the data to a given high-order port. The server acknowledges the request and initiates an inbound connection from its own port 20 to the high-order port that the client requested. This connection is referred to as the data channel (port 20 FTP-DATA).

In the past, it was difficult to allow this inbound connection through the firewall to the requested port on the client without permanently opening port 20 connections from outside servers to inside clients for outbound FTP connections. This creates a huge potential vulnerability by allowing any inbound traffic from any host on the Internet with a TCP source port of 20, regardless of the intent!

Passive mode FTP also uses two channels for communications. The control channel works the same as in a standard FTP connection, but the data channel setup works differently. When requesting data from the server, the client asks the server if it accepts PASV connections. If the server accepts PASV connections, it sends the client a high-order port number to use for the data channel. The client then initiates the data connection from its own high-order port to the port that the server sent. Because the client initiates both the command and data connections, early firewalls could easily support this without exposing inside clients to attack.
On Sat, 26 Aug 2006 17:49:07 +0200 stephan beal <stephan@s11n.net> wrote:
Problem solved: someone pointed out to me that tftp is not ftp. After installing vsftpd it more or less works. (i can connect but can't upload/download. It appears to be a firewall problem, but i'm waiting on the local admin to disable the firewall so i can test.)

Just one more comment on this. Remember that your user id and password are sent in the clear. However, using ftp for anonymous transfers is usually not that much of a security risk.

-- 
Jerry Feldman <gaf@blu.org>
Boston Linux and Unix user group
http://www.blu.org
PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
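Both Wade's explanation of the active versus passive data channel and Jerry's reminder that the user id and password go over the wire unencrypted come down to what is visible on the FTP control channel. The following Python script is an added example, not code from this thread, from vsftpd or from Cisco: it walks a constructed control-channel transcript, decodes the PORT command and the 227 "Entering Passive Mode" reply into the data-channel endpoint using the p1*256+p2 port encoding defined in RFC 959, states which single flow a stateless packet filter would have to permit for each data channel (the reason the connection works but the transfer does not), and flags that a USER/PASS pair was sent in cleartext. The transcript, user name, addresses and ports are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample FTP control-channel transcript (not from the thread).
# "C:" lines go client -> server, "S:" lines go server -> client.
SAMPLE_SESSION = """\
S: 220 (vsFTPd 2.0.4)
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PORT 192,168,1,50,195,80
S: 200 PORT command successful. Consider using PASV.
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,156,34)
C: RETR report.txt
S: 150 Opening BINARY mode data connection for report.txt (1234 bytes).
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataChannel:
    mode: str   # "active": server connects to client; "passive": client connects to server
    host: str   # the endpoint that will accept the data connection
    port: int


@dataclass
class SessionReport:
    data_channels: list = field(default_factory=list)
    cleartext_users: list = field(default_factory=list)
    cleartext_password_seen: bool = False


def decode_hostport(octets):
    """Turn the six comma-separated numbers of PORT / 227 into (host, port).
    RFC 959 encodes the 16-bit data port as p1*256 + p2."""
    nums = [int(x) for x in octets]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host/port tuple")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def parse_session(transcript):
    """Extract every negotiated data channel and note cleartext credentials."""
    report = SessionReport()
    for raw in transcript.splitlines():
        if len(raw) < 3 or raw[1:3] != ": ":
            continue
        side, line = raw[0], raw[3:].strip()
        if side == "C":
            m = _PORT_CMD.match(line)
            if m:                                   # active mode: client names its own port
                host, port = decode_hostport(m.groups())
                report.data_channels.append(DataChannel("active", host, port))
            elif line.upper().startswith("USER "):
                report.cleartext_users.append(line[5:].strip())
            elif line.upper().startswith("PASS "):
                report.cleartext_password_seen = True   # value deliberately not recorded
        elif side == "S":
            m = _PASV_REPLY.match(line)
            if m:                                   # passive mode: server names its port
                host, port = decode_hostport(m.groups())
                report.data_channels.append(DataChannel("passive", host, port))
    return report


def required_firewall_rule(channel, server_ip):
    """Describe the one flow a stateless packet filter must permit for this channel."""
    if channel.mode == "active":
        return f"allow inbound TCP from {server_ip}:20 to client {channel.host}:{channel.port}"
    return f"allow outbound TCP from client to {channel.host}:{channel.port}"


if __name__ == "__main__":
    rep = parse_session(SAMPLE_SESSION)
    for ch in rep.data_channels:
        print(ch.mode, "->", required_firewall_rule(ch, "203.0.113.10"))
    print("cleartext logins:", rep.cleartext_users, "password seen:", rep.cleartext_password_seen)
```

The active-mode rule is the one Wade describes as the problem: it has to admit an inbound connection to a client port that was chosen on the fly, which is why a plain port-21 forward lets the login succeed while LIST and RETR hang. The passive-mode rule is an ordinary outbound flow to a server port, which is the case vsftpd's passive port range is meant to keep within a predictable window.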
participants (3)
- Jerry Feldman
- stephan beal
- Wade Jones