How FTP works
Step a: Client connects to the server on port 21.
Step b: Server responds and asks for authentication.
Step c: Client decides whether to connect passively or actively and authenticates with credentials (user name and password).
Step d: If it is an active connection, the server opens port 20 for data transfer and gives the ftp prompt after successful authentication.
Step e: Client calls for a file and the server initiates the file transfer.
Why FTP uses two ports
As we already discussed, FTP uses port 21 for control and port 20 for data transfer. This is done for several reasons:
- A separate data transfer path means you can still use the control port to communicate with the server while a transfer is running.
- Multiple data connections can be initiated without interrupting the control connection.
- The server decides when to send data, which helps limit any increase in load on the server.
Difference between an Active FTP and Passive FTP server
FTP is a tricky protocol which uses two ports: one as the command port (21) and the other as the data port (for active FTP it is 20; for passive FTP it is a port greater than 10000). So the difference boils down to which port is used for data transfer.
We will set up and configure an FTP server on CentOS 6.7. This procedure is the same for all Red Hat based distributions such as CentOS, Fedora, Scientific Linux, Oracle Linux etc.
Installing FTP server in Centos
Step 1: We will use the host name and IP address below for our test machine to set up the FTP server:
Server IP: 192.168.0.9
Host Name: ftp.linuxnix.com
Just edit the file /etc/hosts
#vi /etc/hosts
and add the following line at the bottom, then save:
192.168.0.9 ftp.linuxnix.com
Step 2: Install vsftpd (very secure FTP daemon) package.
#yum install vsftpd ftp
Configuring FTP server in Linux Centos
Step 3: Configure the vsftpd package. We will edit /etc/vsftpd/vsftpd.conf; you can do this with gedit (if installed) or the vi command.
#vi /etc/vsftpd/vsftpd.conf
Change the line containing anonymous_enable=YES to anonymous_enable=NO. This permits access to the FTP server only with authentication.
anonymous_enable=NO
Uncomment the following lines:
local_enable=YES (allows users in /etc/passwd to log in)
write_enable=YES (allows users to write files; NO permits read-only access)
Change the line chroot_local_user=NO to chroot_local_user=YES. This makes every local user an FTP account: if you add a user, it will be treated as an FTP account as well.
The local user's home directory will be the FTP directory.
chroot_local_user=YES
Save the file.
Step 4: Permit FTP accounts to use the user's home directory
Allow the FTP account to use the user's home directory as its FTP directory (SELinux boolean):
#setsebool ftp_home_dir on
Step 5: Open the firewall (update iptables) so that our FTP server can be accessed on port 21.
We can do this in one of two ways.
- a) First way: Edit the file /etc/sysconfig/iptables and add the line (as in the picture)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
then
#service iptables restart
- b) Second way: Through the setup command.
#setup
Then the screen appears as shown below.
Select FTP
Save
Actually this adds the same line to the iptables file.
Step 6: Start FTP service once you do all the above edits.
#service vsftpd start
To enable this service at boot time, execute the chkconfig command below.
#chkconfig vsftpd on
Step 7: Now the FTP server is live. We can check with the ftp command. Just create a test account for the testing.
#useradd linuxnix
#passwd linuxnix
Changing password for user rejaul.
New password: <Enter Password for user>
Now we will log in to ftp:
ftp ftp.linuxnix.com
# ftp localhost
Trying ::1…
ftp: connect to address ::1Connection refused
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): lftp ftp.linuxnix.com
331 Please specify the password.
Password: <Enter Password for user>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Now the FTP server is ready and you can do multiple file transfers as well. You can also browse your FTP server from a web browser by typing the line below in the address bar.
ftp://ftp.linuxnix.com
You will be asked for a user name and password. Then you will see the file and directory tree.
Error:
systemctl [1]:Failed to start IPv4 firewall with ip tables
Explanation:
With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.
It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:
systemctl stop firewalld
systemctl mask firewalld
Then, install the iptables-services package:
yum install iptables-services
Enable the service at boot-time:
systemctl enable iptables
Managing the service
systemctl [stop|start|restart] iptables
Saving your firewall rules can be done as follows:
service iptables save
or
/usr/libexec/iptables/iptables.init save
Sequence of steps:
service iptables save
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl status iptables
systemctl enable iptables
OR
FTP Server Configuration with Firewall:
How to set up a vsftpd FTP file server on Red Hat 7 Linux
In this short config we will install an FTP file server on RHEL7 Linux using vsftpd. We will stick to the default vsftpd configuration, which enables user accounts on our existing RHEL7 Linux system to log in via FTP from a remote location, list and transfer files. Let's begin with the installation:
To install an FTP server on Red Hat 7 Linux we can use either the tftp-server or the vsftpd daemon. In this guide we use vsftpd:
[root@rhel7 ~]# yum install vsftpd
Next, we can start the vsftpd service by using the service command:
[root@rhel7 ~]# service vsftpd start
Redirecting to /bin/systemctl start vsftpd.service
To make the FTP service startup persistent after system reboot use:
[root@rhel7 ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
Check whether port 21 is open. Do not worry if you do not see the port open on IPv4, as it is bound on IPv6.
[root@rhel7 ~]# netstat -tanp | grep LISTEN
We also need to open the firewall port, otherwise we will see the following error message when we try to connect:
ftp: connect: No route to host
ftp>
To open port 21 on Red Hat 7 Linux use the following commands. The port will remain open to the public even after a system restart:
[root@rhel7 ~]# firewall-cmd --zone=public --add-port=21/tcp --permanent
success
[root@rhel7 ~]# firewall-cmd --reload
success
At this point we should be able to connect from a remote host, where the IP address of our FTP service is 10.1.1.110:
$ ftp 10.1.1.110
Connected to 10.1.1.110 (10.1.1.110).
220 (vsFTPd 3.0.2)
Name (10.1.1.110:lrendek): rhel7
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
The next configuration we need to perform is to enable the iptables module ip_conntrack_ftp, otherwise we will see the following error message when we query our FTP server after a successful login:
ftp> ls
227 Entering Passive Mode (10,1,1,110,166,190).
ftp: connect: No route to host
ftp>
As a temporary solution we use modprobe to load the ip_conntrack_ftp module:
[root@rhel7 ~]# modprobe ip_conntrack_ftp
See this page for a more permanent solution on how to load the ip_conntrack_ftp module after a reboot.
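As an added example (not from any of the tutorials on this page) covering both the active/passive discussion above and the ip_conntrack_ftp error just shown: a POSIX shell helper that decodes the data port advertised in a "227 Entering Passive Mode" reply (p1*256 + p2) and checks whether it falls inside a range a firewall rule would open. The range bounds are constructed values standing in for vsftpd's pasv_min_port/pasv_max_port directives, which this page does not set.

```shell
#!/bin/sh
# Added example, not from the tutorials on this page.
# A "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply tells the client
# where to open the *second* TCP connection for data: h1-h4 are the server's
# IPv4 address, and the data port is p1*256 + p2. Because that port is chosen
# per transfer, a stateful firewall needs the FTP connection-tracking helper
# (ip_conntrack_ftp) or an explicitly opened passive port range.

# pasv_decode REPLY -> prints "host port"; returns 1 if REPLY is not a 227 line.
pasv_decode() {
    reply=$1
    tuple=$(printf '%s\n' "$reply" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || { echo "not a 227 reply: $reply" >&2; return 1; }
    # Split the comma-separated tuple into the positional parameters $1..$6.
    old_ifs=$IFS; IFS=,; set -- $tuple; IFS=$old_ifs
    [ $# -eq 6 ] || { echo "malformed tuple: $tuple" >&2; return 1; }
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_in_range PORT MIN MAX -> true if PORT lies within the passive range a
# firewall rule would open (MIN/MAX mirror vsftpd's pasv_min_port and
# pasv_max_port directives; the bounds used below are constructed for the demo).
pasv_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Replies taken from the sessions quoted above.
pasv_decode "227 Entering Passive Mode (10,1,1,110,166,190)."   # 10.1.1.110 42686
pasv_decode "227 Entering Passive Mode (10,1,1,110,125,139)."   # 10.1.1.110 32139
port=$(pasv_decode "227 Entering Passive Mode (10,1,1,110,174,219)." | cut -d' ' -f2)
if pasv_in_range "$port" 40000 50000; then
    echo "port $port is inside the opened 40000-50000 range"
else
    echo "port $port is outside the opened 40000-50000 range: the transfer would hang"
fi
```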
The last configuration we need to perform is to enable the SELinux FTP context for the user directories currently on the system, otherwise we will not be able to read, write or transfer any files between the FTP server and the FTP client:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put ftp-test.txt
local: ftp-test.txt remote: ftp-test.txt
227 Entering Passive Mode (10,1,1,110,125,139).
553 Could not create file.
To enable the SELinux FTP home directory context and allow read and write commands, we use the setsebool command:
[root@rhel7 ~]# setsebool -P ftp_home_dir=1
The above sets the SELinux FTP home directory context permanently (-P), so it persists after a reboot.
ftp> put ftp-test.txt
local: ftp-test.txt remote: ftp-test.txt
227 Entering Passive Mode (10,1,1,110,174,219).
150 Ok to send data.
226 Transfer complete.
Now you have your FTP server set up. For more configuration options see the main vsftpd configuration file /etc/vsftpd/vsftpd.conf. When making changes to the configuration file, make sure to apply them by restarting the FTP service:
[root@rhel7 ~]# service vsftpd restart
Redirecting to /bin/systemctl restart vsftpd.service
Error:
Failed to log in:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Solution:
allow_writeable_chroot=YES
I added it at the last line of the file /etc/vsftpd/vsftpd.conf.
NOTE:
cat /etc/vsftpd/vsftpd.conf:
seccomp_sandbox=no
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES
local_root=/var/ftp
7.1. Configuring user access
With the vsftpd FTP server you have the option to leave FTP authentication at anonymous access only, or you can allow users defined in /etc/passwd or in a relevant access list to log in.
7.1.1. Anonymous FTP access
By default the vsftpd FTP server is configured for anonymous access only. If this is what you intend the FTP server to be used for, you can make anonymous access even easier by disabling the password requirement. The most secure option for the FTP server is not to allow users to authenticate with a password sent in simple clear text. To disable the requirement for an anonymous password, edit the FTP server's configuration file /etc/vsftpd.conf and set the directive no_anon_password to YES:
no_anon_password=YES
7.1.2. Local users FTP access
By now your server should be set to disallow any access except for the anonymous user. Set the local_enable directive in the configuration file /etc/vsftpd.conf to allow all users defined in /etc/passwd to log in. The default is NO.
local_enable=YES
Now any user defined in /etc/passwd will be able to log in with their password.
$ ftp localhost
Connected to localhost.
220 (vsFTPd 2.3.5)
Name (localhost:root): lubos
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
7.1.3. User Access list
First create an access list to be used with the vsFTPd server. Normally you would define such a list in the /etc/ directory. Use some arbitrary file name and list in this file all the user names you wish to allow or deny access. For example, let's define a new list with a single user "lubos":
echo lubos > /etc/vsftpd.userlist
Next, point the configuration file /etc/vsftpd.conf at the new user list and enable the userlist_enable directive:
userlist_file=/etc/vsftpd.userlist
userlist_enable=YES
Simply by defining and enabling a user list, any users listed in /etc/vsftpd.userlist will be denied access to your FTP server (userlist_deny defaults to YES).
To reverse this and only allow the users listed in /etc/vsftpd.userlist, set the userlist_deny directive to NO. By doing so you only allow users defined in /etc/vsftpd.userlist to access your system. The format of the /etc/vsftpd.userlist file is one user per line.
userlist_deny=NO
$ ftp localhost
Connected to localhost.
220 (vsFTPd 2.3.5)
Name (localhost:root): lubos
530 Permission denied.
Login failed.
ftp>
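An added example, not from any of the tutorials above, that ties together the configuration dumped in the NOTE section, the allow_writeable_chroot workaround for the 500 OOPS error, and the user list semantics of this section: a POSIX shell audit that reads a vsftpd.conf, fills in vsftpd's documented defaults for directives the file does not set, and flags the settings a reviewer would question. The sample file it writes is reconstructed from the configuration shown on this page.

```shell
#!/bin/sh
# Added example, not part of the tutorials on this page: audit the
# security-relevant directives of a vsftpd.conf, applying vsftpd's documented
# defaults (vsftpd.conf(5)) for any directive the file does not set.

# vsftpd_get CONF KEY DEFAULT -> effective value: the last uncommented
# "KEY=value" line wins, otherwise DEFAULT.
vsftpd_get() {
    val=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# vsftpd_audit CONF -> one "WARN: ..." or "INFO: ..." line per finding.
vsftpd_audit() {
    c=$1
    anon=$(vsftpd_get "$c" anonymous_enable YES)
    anonup=$(vsftpd_get "$c" anon_upload_enable NO)
    locl=$(vsftpd_get "$c" local_enable NO)
    jail=$(vsftpd_get "$c" chroot_local_user NO)
    wjail=$(vsftpd_get "$c" allow_writeable_chroot NO)
    ulist=$(vsftpd_get "$c" userlist_enable NO)
    udeny=$(vsftpd_get "$c" userlist_deny YES)
    ssl=$(vsftpd_get "$c" ssl_enable NO)

    [ "$anon" = YES ] && echo "WARN: anonymous_enable=YES, anyone can log in without credentials"
    [ "$anon" = YES ] && [ "$anonup" = YES ] && echo "WARN: anonymous users may upload files"
    [ "$locl" = YES ] && [ "$jail" = NO ] && echo "WARN: local users are not chrooted and can browse the whole filesystem"
    [ "$wjail" = YES ] && echo "WARN: allow_writeable_chroot=YES silences the 500 OOPS check and weakens the chroot jail"
    [ "$locl" = YES ] && [ "$ulist" = NO ] && echo "WARN: no user list, every account in /etc/passwd may log in over FTP"
    [ "$ulist" = YES ] && [ "$udeny" = YES ] && echo "INFO: userlist_file is a DENY list; set userlist_deny=NO to make it an allow list"
    [ "$ssl" = NO ] && echo "WARN: ssl_enable=NO, passwords and file contents cross the network in cleartext"
    return 0
}

# sample_conf -> path of a temp file holding the configuration dumped in the
# NOTE section above (sample data reconstructed from this page, not a live file).
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# comment lines and blank lines are ignored by the parser
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
local_root=/var/ftp
EOF
    printf '%s\n' "$f"
}

vsftpd_audit "$(sample_conf)"
```

On the page's own configuration the audit reports three warnings: the writable chroot, the absence of a user list, and cleartext transport.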
7.2. Changing default port number
By default any FTP server listens on the standard port 21 for user authentication and port 20 for data transfer; the vsFTPd server is no exception. To change the default listening port, edit your /etc/vsftpd.conf configuration file and alter the listen_port directive. Thus, to make your FTP server listen on port 2121, add the following directive to your configuration file:
listen_port=2121
followed by an FTP server restart.
However, this only applies if you run vsFTPd in stand-alone mode. If you run your FTP server in normal mode using the xinetd superserver and wish to change the listening port to 2121, edit the ftp line in the /etc/services file, change it from 21 to 2121 and restart xinetd.
$ sudo service xinetd restart
Now you should be able to see your FTP server listening on port 2121:
$ netstat -ant | grep 2121
tcp 0 0 0.0.0.0:2121 0.0.0.0:* LISTEN
7.3. Other Configuration Options
The vsFTPd server comes with a number of configuration options to suit your needs. Here we list some other configuration options worth mentioning:
- max_clients: sets the maximum number of users allowed to use your FTP server at the same time; 0 = unlimited.
- max_per_ip: sets the maximum number of users from the same IP address.
- download_enable: if set to NO, any download request will be denied.
Conclusion
Currently vsFTPd comes with around 125 configuration options. This makes the server extremely versatile and at the same time very easy to use and configure. Whether you are setting up the FTP server for local home use, within a company or on some remote server, be sure that vsFTPd will accommodate you. The vsFTPd server can also be turned to sftp, but this we will discuss in the next tutorial, so do not forget to subscribe to our RSS.
FTP Comments:
File Transfer Protocol (FTP) is a network protocol used to copy a file from one computer to another over the Internet or LAN. FTP follows a client-server architecture which utilizes separate control and data connections between the ftp client and server. The default port for ftp is 21.
WARNING! These examples use the outdated, insecure ftp protocol/client; if executed you are open to various attacks including password snooping. I strongly recommend that you use sftp, the secure version of FTP. Just type sftp instead of ftp and all of the following commands should work with the sftp client too.
ftp: Internet File Transfer Program
Use the following syntax to connect to a remote ftp site and transfer files to and from it:
ftp ftp.example.com
ftp 1.2.3.4
ftp user@ftp.example.com
You must know the ftp username and password for user-based password authentication, or for anonymous access use ftp as both the username and password. In this example, you are connecting to ftp.freebsd.org with anonymous access (open the terminal and type the following command):
$ ftp ftp.freebsd.org
Sample session:
Trying 87.51.34.132…
Connected to ftp.freebsd.org.
220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
Name (ftp.freebsd.org:vivek): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
When you enter your own login name and password for the ftp.example.com server, it returns the prompt
ftp>
You need to type all commands at the ftp> prompt.
Task: List Current Files
Type the ls command at ftp> prompt:
ftp> ls
Sample outputs:
229 Entering Extended Passive Mode (|||60692|)
150 Opening ASCII mode data connection for ‘/bin/ls’.
total 10
drwxrwxr-x 2 0 5 512 Jul 19 2007 .snap
drwx------ 2 0 0 2048 Jul 19 2007 lost+found
drwxr-xr-x 3 1006 1006 512 Sep 21 2009 pub
drwxr-xr-x 3 1006 1006 512 Jun 5 2007 sup
drwxr-xr-x 4 1006 0 512 Sep 18 2009 www
226 Transfer complete.
ftp>
The above lists the names of the files in the current remote directory (the last field is the file or directory name).
Task: Change Directory
To change directory on the remote machine use cd command:
ftp> cd dirName
To change to pub directory, enter:
ftp> cd pub
Sample outputs:
250 CWD command successful.
Task: Download / Copy file
To copy one file at a time from the remote ftp server to the local system use get command:
get fileName
get fileName newFileName
In this example, download the file resume.pdf from the current remote directory to (or on top of) a file with the same name, resume.pdf, in your current local directory:
ftp> get resume.pdf
Sample outputs:
local: resume.pdf remote: resume.pdf
229 Entering Extended Passive Mode (|||55093|)
150 Opening BINARY mode data connection for ‘resume.pdf’ (53077 bytes).
100% |****************************************************************| 53077 12.58 KiB/s 00:00 ETA
226 Transfer complete.
53077 bytes received in 00:04 (12.57 KiB/s)
In this example, copy the file data.tar.gz from the current remote directory to (or on top of) a file named backup.tar.gz in your current local directory:
ftp> get data.tar.gz backup.tar.gz
Change Local Directory
To change directory on your local system, enter:
ftp> lcd /path/to/new/dir
ftp> lcd /tmp
Sample outputs:
Local directory now: /tmp
Print local directory:
ftp> lpwd
Sample outputs:
/tmp
The lpwd command prints the current download directory on the local system. To find out the pathname of the current directory on the remote ftp server, enter:
ftp> pwd
Sample outputs:
Remote directory: /pub/FreeBSD
Task: Download Multiple Files
Use the mget command as follows to copy multiple files from the remote ftp server to the local system. You may be prompted for a yes/no (y/n) answer before transferring each file (you can disable the prompt by passing the -i option to the ftp client). To download all files, enter:
ftp> mget *
To download all perl files (ending with .pl extension), enter:
ftp> mget *.pl
Task: Turn On / Off Interactive Prompting
The ftp prompt command toggles interactive prompting: "on" enables prompting so that you can verify each step of a multi-file command, "off" lets the commands act unimpeded:
ftp> prompt on
ftp> mput *.php
ftp> prompt off
ftp> mget *.py
Task: Delete File
To delete a file in the current remote directory use delete command:
ftp> delete fileName
ftp> delete output.jpg
Task: Upload One File
To copy one file at a time from the local systems to the remote ftp server, enter:
ftp> put fileName
In this example, upload logo.jpg, enter:
ftp> put logo.jpg
Task: Upload Multiple Files
To copy multiple files from the local system to the remote ftp server, use the mput command. Again, you may be prompted for a yes/no (y/n) answer before transferring each file. In this example, upload all files from the current directory:
ftp> mput *
ftp> mput *.pl
Task: Create a Directory
To make a new directory, enter:
ftp> mkdir dirName
ftp> mkdir scripts
ftp> cd scripts
ftp> pwd
Task: Delete a Directory
To remove or delete a directory, enter:
ftp> rmdir dirName
ftp> rmdir images
ftp> ls
Task: Set The Mode Of File Transfer
To set the mode of file transfer to ASCII, enter:
ftp> ascii
Please note that ascii is the default and good for text files. To set the mode of file transfer to binary, enter:
ftp> binary
The binary mode is recommended for almost all sorts of files including images, zip files and much more. Binary mode gives less chance of a transmission error.
Task: Connect To Another FTP Server
To open a connection with another ftp server, enter:
ftp> open ftp.nixcraft.net.in
The above command opens a new FTP connection with ftp.nixcraft.net.in. You must provide a username and password for an ftp.nixcraft.net.in account. However, the username and password can be skipped for an anonymous FTP connection.
Task: Exit the FTP Session
Type quit or bye:
ftp> quit
OR
ftp> bye
Sample outputs:
221 Goodbye.
How Do I Find Out More Information About The FTP Commands?
Type ? or help to get more information about the FTP commands:
ftp> ?
ftp> help
Sample outputs:
Commands may be abbreviated. Commands are:
!        delete      idle     mode     pmlsd     reset     system
$        dir         image    modtime  preserve  restart   tenex
account  disconnect  cd       more     progress  rhelp     throttle
append   edit        less     mput     prompt    rmdir     trace
ascii    epsv4       lpage    mreget   proxy     rstatus   type
bell     exit        lpwd     msend    put       runique   umask
binary   features    ls       newer    pwd       send      unset
bye      fget        macdef   nlist    quit      sendport  usage
case     form        mdelete  nmap     quote     set       user
cd       ftp         mdir     ntrans   rate      site      verbose
cdup     gate        mget     open     rcvbuf    size      xferbuf
chmod    get         mkdir    page     recv      sndbuf    ?
close    glob        mls      passive  reget     status
cr       hash        mlsd     pdir     remopts   struct
debug    help        mlst     pls      rename    sunique
To get a short description about each command, enter:
ftp> help commandName
ftp> help chmod
Sample outputs:
chmod change file permissions of remote file
ftp> help ls
Sample outputs:
ls list contents of remote path
FTP Through A Browser
If you do not want to type the commands, then use a browser such as Safari or Firefox and type the following:
ftp://ftpUserName@ftp.nixcraft.net.in
ftp://ftp.freebsd.org/
ftp://ftp@ftp.freebsd.org/
ftp://userName:Password@ftp.nixcraft.net.in/
ftp://ftp:ftp@ftp.freebsd.org/