Setting up an FTP server

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Setting up an FTP server

Postby viking60 » 13 Apr 2015, 11:48

I cannot describe this better than the Arch Wiki but maybe I can add something that makes it more accessible :confused
Please note that I will not go into particulars regarding Virtual DNS or DNS forwarding and its likes because there are different services and different setups in different routers.
This is vital to provide your server to the "outside".
In general I use http://no-ip.com; you will find how to set it up with many routers. You may also have to call your ISP - as I had to - in order to forward port 80 (maybe that will apply for port 21 too) because they were using it, so choosing it in my router settings did fail.

When all goes well you will have your domain name and can use that for your ftp server or serving your web pages from home.
vsftpd will work fine with it.


So I decided to go for a secure FTP server and what better than the one called vsftpd or Very Secure FTP Daemon? vsftpd will be in your repos.

This is an FTP server that can be configured in the CLI and has defaults that will make it work pretty much right out of the box.
Now you simply will have to enable and start the ftp server:

Code:

sudo systemctl enable vsftpd.service
and

Code:

sudo systemctl start vsftpd.service

The file to edit is

Code:

/etc/vsftpd.conf
this location may slightly vary in different distros, but you only need to find that one file.
Distros like Mageia have the config file in /etc/vsftpd/vsftpd.conf

And here you pretty much go in and uncomment:

Code:

write_enable=YES
local_enable=YES
local_umask=022


And that is pretty much it. Anonymous users will be allowed by default. The local_enable makes sure you can use the login as your Linux user so you do not have to log in as an anonymous user - I will get back to that.

Go to another box and log in with your favorite ftp client; I use Filezilla.
:A

I write the ip of the box I want to access and press enter. This will log me in as anonymous without a password which is set up by vsftpd by default.
The files are served in

Code:

 /srv/ftp
by default - so that is where you put your content.
It works!
Next we will make sure that clients stay within their area...
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

"Chrooting" the FTP server

Postby viking60 » 13 Apr 2015, 12:07

Next we want to put our clients that will have access to the ftp server in "Jail" meaning that they stay in their confined area without possibility to break out.

We also want to make sure that we the Gods of this computer can log in with our userid's and surf it all without this restriction.

We need to create a chroot environment for that and that takes two lines in /etc/vsftpd.conf

Code:

chroot_local_user=YES
chroot_list_enable=YES

This file is well commented and here you will see a warning; make sure that both of the above are uncommented.
Also make sure that

Code:

chroot_list_file=/etc/vsftpd.chroot_list
is uncommented.

Now it is time to make you the God of this FTP server while the rest are in Jail.

Edit vsftpd.chroot_list like this:

Code:

sudo nano /etc/vsftpd.chroot_list

This will probably give you an empty file so all you have to do is to write your Linux user in there - in my case viking60.

Save the file with only your userid and you are done.

Now you can access your ftp server with your linux login and password (on the computer you are logging in to) - and browse everything - or simply as an anonymous user.
As an anonymous user you have no chance of going anywhere else. If you have logged in with your ID you will get to your home (~/).

To check the security of this I simply removed my user-name from /etc/vsftpd.chroot_list and after that I was completely unable to log in as my user.
This server will also not accept root access and refuse to log in if you have chmoded /srv/ftp to 777. If you need to chmod; 755 will do.

Remember to restart your ftp server after every config change:

Code:

sudo systemctl restart vsftpd.service


An FTP server is not as secure as SSH or SFTP (pretty much the same thing; SFTP is ftp on top of SSH) so that is the better alternative.

You can use FTP clients like Filezilla with SSH/SFTP on port 22 (default).
You can also use the CLI to log into external boxes with SFTP.
Instead of

Code:

ssh berserk@viking-server
you can use

Code:

sftp berserk@viking-server

The only advantage I have found with using SFTP over SSH is that I can toggle between my local and remote computer:
When logged in to the remote box I can see my home path there with

Code:

pwd
If I enter an "l" in front of it I get the path on my local box:

Code:

lpwd

Simply put an "l" (for local) in front of your commands to see your local content.
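The chroot settings from the two posts above, checked with a small script. This is an added example, not part of the original posts: it reads a constructed sample configuration and relies on vsftpd's documented behaviour that, with chroot_local_user=YES, the users named in chroot_list_file are the ones left outside the jail. The function names conf_get, chroot_status and audit are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report who ends up jailed under the
# chroot settings discussed above. File names below are constructed samples.

# conf_get FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT.
# Expects the YES/NO spelling used in the stock vsftpd.conf.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '
        { sub(/\r$/, "") }
        $1 == k { v = $2; found = 1 }
        END { print (found ? v : d) }' "$1"
}

# chroot_status FILE USER: prints "jailed" or "free" for a local user.
chroot_status() {
    all=$(conf_get "$1" chroot_local_user NO)        # vsftpd default: NO
    use_list=$(conf_get "$1" chroot_list_enable NO)  # vsftpd default: NO
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=NO
    if [ "$use_list" = YES ] && [ -r "$list" ] && grep -qxF -- "$2" "$list"; then
        listed=YES
    fi
    # chroot_local_user=NO : the list names the users to jail.
    # chroot_local_user=YES: the list names the users exempt from the jail.
    if [ "$all" = "$listed" ]; then echo free; else echo jailed; fi
}

# audit FILE USER...: one finding per line for the options this thread touches.
audit() {
    conf=$1; shift
    [ "$(conf_get "$conf" anonymous_enable YES)" = YES ] &&
        echo "anonymous login enabled (vsftpd default)"
    [ "$(conf_get "$conf" write_enable NO)" = YES ] &&
        echo "FTP write commands enabled"
    for u in "$@"; do echo "local user $u: $(chroot_status "$conf" "$u")"; done
}

# Constructed sample: the configuration from the posts, with viking60 listed.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' viking60 > "$demo/chroot_list"
cat > "$demo/vsftpd.conf" <<EOF
#anonymous_enable=NO
write_enable=YES
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$demo/chroot_list
EOF
audit "$demo/vsftpd.conf" viking60 berserk
```

To check a real server, call audit with /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on Mageia) followed by the local account names of interest.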

R_Head
Berserk
Posts: 2819
Joined: 17 Mar 2010, 15:40

Re: Setting up an FTP server

Postby R_Head » 16 Apr 2015, 00:13

Nice :B , will try it when I get the chance.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Setting up an FTP server

Postby viking60 » 16 Apr 2015, 00:17

I must confess that I only have tested this on Manjaro. I started to play around with it on Mageia but I do not have it working there - as of now.

jkerr82508
Guru-Berserk
Posts: 211
Joined: 16 Oct 2010, 21:45
Location: Fife, Scotland

Re: Setting up an FTP server

Postby jkerr82508 » 16 Apr 2015, 06:28

On Mageia, I use drakwizard, which sets up a proftpd server with a couple of mouse clicks. :)

Jim

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Setting up an FTP server

Postby viking60 » 16 Apr 2015, 11:48

Thanks Jim.

That might be a good idea.
Even if vsftpd is considered to be safer we are still talking about ftp which is inherently insecure. And as I understand proftpd is possible to set up with SFTP (SSH).
In addition I see that vsftpd has quite a bug history in Mageia.
I take it you use the drakwizard for that - which means it will have to be installed first (it wasn't here).
As root:

Code:

urpmi drakwizard

I will give proftpd a try in Mageia....
It really just was to start the drakwizard and pick ftp server and basically clicking through the defaults.
After that I have proftpd assigned to port 21:

Code:

[root@localhost viking]
fuser -v 21/tcp
                     USER        PID ACCESS COMMAND
21/tcp:              nobody     2595 F.... proftpd

I cannot access it from the "outside" though - I access the VM from Filezilla (or CLI) from my main box. This works with vsftpd on manjaro so I will re-install and pick the internet option and the intranet one...
Disabling the firewall...
No luck. It is the same as with vsftpd. This might have something to do with the VirtualBox config (dunno what though).
When I log in on the VM with

Code:

ftp localhost

I get access both with vsftpd and proftpd.

Trying to set up SFTP (sshd) now...
Drakwizard makes the job easy again:

Code:

fuser -v 22/tcp
                     USER        PID ACCESS COMMAND
22/tcp:              root       1566 F.... sshd

Same problem with logging in from the outside though :confused

If this is VB-setup related (most likely!) then this is a great way of setting it up - if not... drakwizard does not work.... :confused
Comparing VB settings to my Manjaro VB network settings....

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Setting up an FTP server on Mageia

Postby viking60 » 16 Apr 2015, 13:39

:drummer
:drummer
We have a result. :jackpot
Yes it was my VB settings that stopped ftp access - both vsftpd and proftpd work.
In Mageia the files for vsftpd are served in /var/ftp/
It creates a pub subfolder.
It is real easy to use the control center of the Mandriva family - MCC - to install both openSSH and FTP servers. Just make sure that drakwizard is installed.

The FTP server in drakwizard will install a server with your local userid (passwd file) and log you into your home.
You can check to have root access during install otherwise you will be confined to that home ~/ after install.

Anonymous access is denied by default (which makes a lot of sense but not all that peachy if you make that "share with the world" server).

The ftp server setup is a part of the Mageia Control Panel so it does make sense to simply use that and pick "sharing" to set up the ftp server.

If you install openssh with the drakwizard in Mageia you can use Filezilla and log in with port 22 - which is way more preferable in terms of security.

I like the vsftpd server because I can make myself God and put anonymous users in jail :mrgreen: So I would go for that one even on Mageia.
If you need to log in on your box via ftp with your username then the Mageia Control Center install will be perfect for you.
I believe vsftpd is considered to be more secure than Proftpd too.

Ways to access your ftp files:
Via CLI (- if you are a CLI guy you will know howto)
Via a client like Filezilla as shown with pics above
Directly via the browser with ftp://ip/path
Via your file manager like thunar, pcmanfm, Nautilus and whatever they are called.

jkerr82508
Guru-Berserk
Posts: 211
Joined: 16 Oct 2010, 21:45
Location: Fife, Scotland

Re: Setting up an FTP server

Postby jkerr82508 » 16 Apr 2015, 14:51

If you want to allow anonymous logins, then just copy /etc/proftpd-anonymous.conf to /etc/proftpd.d. I usually do that as well as allowing logins only from machines on my LAN (the "intranet only" option in the wizard). With logins restricted in this way, in order to allow a vbox vm to access the server it's necessary to set up the vm with bridged networking, so that its IP will be in the same sub-net as the ftp server.

Jim

R_Head
Berserk
Posts: 2819
Joined: 17 Mar 2010, 15:40

Re: Setting up an FTP server

Postby R_Head » 16 Apr 2015, 14:52

Can you change the directory? I do not really like to share the root partition and use my secondary storage drive instead.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Setting up an FTP server

Postby viking60 » 16 Apr 2015, 15:09

R_Head wrote: Can you change the directory? I do not really like to share the root partition and use my secondary storage drive instead.

I think this is the FTP root not your Linux root session. Meaning the area you choose to make available.
Edit: after testing it it looks like activating root access lets the Linux root user log in.

jkerr82508 wrote: If you want to allow anonymous logins, then just copy /etc/proftpd-anonymous.conf to /etc/proftpd.d. I usually do that as well as allowing logins only from machines on my LAN (the "intranet only" option in the wizard). With logins restricted in this way, in order to allow a vbox vm to access the server it's necessary to set up the vm with bridged networking, so that its IP will be in the same sub-net as the ftp server.

Jim

Jup Bridged networking it is. So this Mageia working server is in a VM here. Kind of the opposite of your description but it works both ways.

I think your tips are the best for the Mageia users +1

I have this uneasy non trusting feeling because I have no idea exactly what "intranet" does - I put my people in jail directly in the config file while I am the only one not confined to the restricted area. That theoretically makes me able to serve that file that the world needs - and I have made - to the world.

Makes me feel powerful :berserkf
:lolup

In any case we have something for every taste here now.

jkerr82508
Guru-Berserk
Posts: 211
Joined: 16 Oct 2010, 21:45
Location: Fife, Scotland

Re: Setting up an FTP server

Postby jkerr82508 » 16 Apr 2015, 15:30

viking60 wrote: I have no idea exactly what "intranet" does.

It adds the following to /etc/proftpd.conf
<Global>
<Limit LOGIN>
Order allow,deny
Allow from 192.168.0. 127.0.0.1
Deny from all
</Limit>
</Global>

(The IP range allowed being dependent on the IP address of the server.)

Jim

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Setting up an FTP server

Postby viking60 » 16 Apr 2015, 18:32

Thanks. That is indeed the local net. So that will do.
Do you have a solution to serving a file to anonymous users in a confined (jailed) environment?
(I only have that going with vsftpd under Mageia).
Edit:
Copying proftpd-anonymous.conf to /etc worked like a charm :s I just need to make sure that they cannot break out of /var/ftp where the proftpd data are.
It looks like it is pretty impossible though so I will say that it works in proftpd too.

I guess activating the root thing will change that - checking it out.....

Proftpd works exactly like vsftpd if you have everything activated including root access. After having copied the anonymous file like jkerr describes above it works fine with anonymous access and the anonymous user cannot surf anywhere else than on the server (/var/ftp/pub).
If you log in with your Linux Username and Password you will have access to your /home but not the Linux root.

Root access seems to let you log in with the Linux root user so don't activate that. :naughty:
For that you should use SFTP/SSH (port 22 or some other port you have set).
Both servers seem to work pretty much in the same way.

For Mageia users the steps are easy:
    Install drakwizard
    Pick set up FTP under sharing.
    If you want both anonymous and your user to be able to access; copy the anonymous file like this:
    As root

    Code:

    cp /etc/proftpd-anonymous.conf  /etc/proftpd.d
And that is pretty much it.