7.11. Configuring an FTP Server
7.11.1. How Do I Do That?
To view the contents of /var/ftp with a browser, go to ftp://<hostname>/. To access files in a home directory, use the URL ftp://<user>@<hostname>/ (the browser will ask for your password). The form ftp://<user>:<password>@<hostname>/ also works, but it leaves the password in the browser history, in bookmarks, and in any proxy log; and in either form the password crosses the network in clear text.
$ ftp
ftp> open ftp.fedorabook.com
Connected to 172.16.97.100.
220 (vsFTPd 2.0.4)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.fedorabook.com:chris): anonymous
Password: firstname.lastname@example.org
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,16,97,100,237,192)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-5
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-6
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-linux
drwxr-xr-x    2 0        0            4096 Mar 09 16:42 images
drwxr-xr-x    2 0        0            4096 Mar 09 04:46 pub
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 rawhide
226 Directory send OK.
ftp> cd images
250-This directory contains images for the book "Fedora Linux".
250-
250 Directory successfully changed.
ftp> ls *http*
227 Entering Passive Mode (172,16,97,100,240,225)
150 Here comes the directory listing.
-rw-r--r--    1 0        0           49931 Mar 09 16:44 fen-chapter07-system-config-httpd-tab2.png
-rw-r--r--    1 0        0           27119 Mar 09 16:44 fen-chapter07-system-config-httpd.png
226 Directory send OK.
ftp> get fen-chapter07-system-config-httpd-tab2.png
local: fen-chapter07-system-config-httpd-tab2.png remote: fen-chapter07-system-config-httpd-tab2.png
227 Entering Passive Mode (172,16,97,100,214,160)
150 Opening BINARY mode data connection for fen-chapter07-system-config-httpd-tab2.png (49931 bytes).
226 File send OK.
49931 bytes received in 0.017 seconds (2.9e+03 Kbytes/s)
ftp> quit
221 Goodbye.
vsftpd is configured using the files in /etc/vsftpd. The main configuration file is /etc/vsftpd/vsftpd.conf, and as shipped it permits all local users to log in with read/write access to their home directories, and anonymous users to have read-only access to /var/ftp. System accounts such as root, bin, and daemon are kept out not by vsftpd.conf itself but by the deny lists /etc/vsftpd/ftpusers and /etc/vsftpd/user_list. Note that local users are not confined to their home directories unless you set chroot_local_user=YES; without it they can browse any part of the filesystem that their file permissions allow.
These are the most commonly changed configuration entries, along with the default values (as set in the Fedora default configuration file or in the program's internal defaults):
To control which local users may log in, use the two list files. /etc/vsftpd/ftpusers is checked by PAM (see /etc/pam.d/vsftpd): any user named in it is refused. /etc/vsftpd/user_list is read by vsftpd itself when userlist_enable=YES (the Fedora setting); with the default userlist_deny=YES it is also a deny list, and a listed user is refused before being asked for a password, so the password never crosses the network. To allow only a specific set of users, set userlist_deny=NO in vsftpd.conf and put their names in user_list, which then becomes an allow list.
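The following shell script is an added example, not code from the book or from the vsftpd project. It audits a vsftpd.conf for the settings discussed above (anonymous write access, unconfined local users, clear-text logins, and the deny-list versus allow-list meaning of user_list). The option names and the built-in defaults applied when an option is absent are vsftpd's real ones; the two sample configuration files and the certificate path are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the book or vsftpd): audit a vsftpd.conf for the
# settings that most often leave the server looser than the admin intends.

# conf_value FILE KEY DEFAULT
# Print the effective value of KEY. vsftpd requires the exact form "key=value"
# with no spaces, ignores '#' comment lines, and if a key is repeated the last
# occurrence wins. A missing key yields DEFAULT (vsftpd's built-in default).
conf_value() {
    v=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: vsftpd accepts YES, TRUE or 1 for a true boolean option.
is_yes() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_vsftpd_conf FILE
# Print one "WARN:" line per weak setting found (plus informational "NOTE:"
# lines); succeed only if no warning was raised.
audit_vsftpd_conf() {
    f=$1; n=0
    anon=$(conf_value "$f" anonymous_enable YES)          # built-in default YES
    anon_up=$(conf_value "$f" anon_upload_enable NO)
    anon_mk=$(conf_value "$f" anon_mkdir_write_enable NO)
    write_on=$(conf_value "$f" write_enable NO)
    local_on=$(conf_value "$f" local_enable NO)
    chroot_on=$(conf_value "$f" chroot_local_user NO)
    ssl_on=$(conf_value "$f" ssl_enable NO)
    ul_on=$(conf_value "$f" userlist_enable NO)
    ul_deny=$(conf_value "$f" userlist_deny YES)

    if is_yes "$anon" && is_yes "$write_on" && { is_yes "$anon_up" || is_yes "$anon_mk"; }; then
        echo "WARN: anonymous users can upload or create directories under /var/ftp"; n=$((n+1))
    fi
    if is_yes "$local_on" && ! is_yes "$chroot_on"; then
        echo "WARN: chroot_local_user=NO: local users can browse the whole filesystem"; n=$((n+1))
    fi
    if is_yes "$local_on" && ! is_yes "$ssl_on"; then
        echo "WARN: ssl_enable=NO: local usernames and passwords cross the network in clear text"; n=$((n+1))
    fi
    if is_yes "$ul_on" && is_yes "$ul_deny"; then
        echo "NOTE: user_list is a deny list (userlist_deny=YES); set userlist_deny=NO to make it an allow list"
    fi
    [ "$n" -eq 0 ]
}

# write_samples DIR: create two constructed configs, a loose one and a tightened one.
write_samples() {
    cat > "$1/loose.conf" <<'EOF'
# anonymous download and upload, local users unconfined, no TLS, user_list as a deny list
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
userlist_enable=YES
EOF
    cat > "$1/tight.conf" <<'EOF'
# anonymous read-only downloads, local users chrooted and forced onto TLS,
# user_list as an allow list (certificate path is an assumption for this example)
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
userlist_enable=YES
userlist_deny=NO
EOF
}

# Demo: audit both constructed files. To audit the live server instead, run
# audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
d=$(mktemp -d)
write_samples "$d"
for c in loose tight; do
    echo "== $c.conf"
    audit_vsftpd_conf "$d/$c.conf" || true
done
rm -rf "$d"
```

The check deliberately reads the effective value rather than grepping for a line, because a commented-out "#chroot_local_user=YES", as in the Fedora default file, is exactly the case that fools a naive search.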
7.11.2. How Does It Work?
FTP is a disaster from a security perspective: everything it transmits, including the username and password, goes over the network in clear text and can be read by anyone snooping on the path. Nonetheless, it remains a useful protocol for the public download of large files, where there is nothing secret to protect. Even then the protocol does nothing to prove that what arrived is what the publisher put on the server, so verify downloads against checksums or signatures obtained over a trusted channel.
vsftpd was designed from the ground up to be as secure as possible, because many earlier FTP servers were notoriously insecure. It keeps its code base small, separates privileges so that most of the work happens in an unprivileged process, and confines sessions with a changed root directory (chroot), all to limit the damage that can be done if the server is compromised.
FTP is a very old protocol, so old, in fact, that in its original form it predates TCP/IP. To work around limitations of the network transports of its day, FTP uses two connections between the client and the server: a control connection for commands and replies, and a separate data connection for each directory listing or file transfer. In the original (active) mode the control connection originates at the client, but the data connection originates at the server: the client sends a PORT command naming an address and port on its own side, and the server connects back to it (from port 20 on a traditional server). For years this architecture has caused headaches in firewall configuration, because a client behind a firewall or NAT cannot accept that inbound connection.
FTP also supports passive (PASV) operation. This still uses a separate data connection, but reverses its direction: the server answers a PASV command with a 227 reply naming an address and port on the server, and the client opens the data connection to it. That moves the problem to the server side, where the firewall must accept connections on whatever port the server chose; vsftpd lets you pin that choice to a fixed window with pasv_min_port and pasv_max_port, so that only that range needs to be opened. Almost all modern client programs use passive mode by default, fall back to it automatically, or can be told to use it.
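The address-and-port encoding that both modes carry on the control connection is the same six-number form, h1,h2,h3,h4,p1,p2, with the port equal to p1*256+p2. The following shell functions are an added example, not code from the book or from vsftpd: they decode the 227 replies from the session shown earlier in the chapter, encode and decode the PORT command of active mode, and check an announced passive port against the pasv_min_port/pasv_max_port window a firewall rule was written for. The PORT command and the range values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or vsftpd): the h1,h2,h3,h4,p1,p2 encoding
# used by the PORT command (active mode) and the 227 reply (passive mode).

# pasv_endpoint "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# Print "host port": the endpoint the client must connect to for data.
pasv_endpoint() {
    printf '%s\n' "$1" \
      | sed -n 's/.*(\([0-9,]*\)).*/\1/p' \
      | awk -F, '{ printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5*256+$6 }'
}

# port_endpoint "PORT h1,h2,h3,h4,p1,p2"
# Active mode: print "host port" where the server will connect back to.
port_endpoint() {
    printf '%s\n' "$1" \
      | awk '{ split($2, a, ","); printf "%s.%s.%s.%s %d\n", a[1], a[2], a[3], a[4], a[5]*256+a[6] }'
}

# port_command HOST PORT: build the PORT line a client sends in active mode.
port_command() {
    awk -v h="$1" -v p="$2" 'BEGIN { gsub(/\./, ",", h); printf "PORT %s,%d,%d\n", h, int(p/256), p%256 }'
}

# in_pasv_range MIN MAX REPLY
# Succeed if the port announced in REPLY lies inside [MIN, MAX], i.e. inside
# the pasv_min_port/pasv_max_port window that the server firewall allows.
in_pasv_range() {
    p=$(pasv_endpoint "$3" | cut -d' ' -f2)
    [ "$p" -ge "$1" ] && [ "$p" -le "$2" ]
}

# Demo: the three replies from the session earlier in the chapter. Each
# listing or transfer got a fresh high port, which is why an unbounded passive
# range forces the firewall to accept connections on all of them.
for r in '227 Entering Passive Mode (172,16,97,100,237,192)' \
         '227 Entering Passive Mode (172,16,97,100,240,225)' \
         '227 Entering Passive Mode (172,16,97,100,214,160)'; do
    printf '%s -> %s\n' "$r" "$(pasv_endpoint "$r")"
done
# Constructed active-mode exchange: client listens on 192.168.1.20:1025.
port_command 192.168.1.20 1025
port_endpoint 'PORT 192,168,1,20,4,1'
```

With pasv_min_port=60000 and pasv_max_port=60100 (constructed values) only the first of the three replies above would fall inside the window, which is the check a firewall rule for the range relies on.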
vsftpd logs data transfers to /var/log/xferlog, one line per transfer in the standard wu-ftpd xferlog format (xferlog_std_format=YES in the Fedora configuration). Login failures for local users are handled by PAM and therefore show up in /var/log/secure rather than in xferlog.
7.11.3. What About...
7.11.3.1. ...secure FTP?
7.11.4. Where Can I Learn More?