1
00:00:00,057 --> 00:00:01,193
Building an FTP server?

2
00:00:01,193 --> 00:00:05,299
Stay tuned to learn about VSFTPD and how to set it up.

3
00:00:05,299 --> 00:00:08,281
>> You're watching IT Pro TV.

4
00:00:08,281 --> 00:00:15,069
[BLANK_AUDIO]

5
00:00:15,069 --> 00:00:18,410
Welcome back, I'm your host, Sophie, and I'm here with Don from [INAUDIBLE].

6
00:00:18,410 --> 00:00:21,856
Today's episode, we're gonna be diving a little bit into something I'm

7
00:00:21,856 --> 00:00:23,946
definitely gonna struggle to say, VSFTPD.

8
00:00:23,946 --> 00:00:27,032
So, can you give us an overview of what we're talking about?

9
00:00:27,032 --> 00:00:28,504
>> It just rolls right off the tongue, doesn't it?

10
00:00:28,504 --> 00:00:29,135
>> Doesn't it? >> Well,

11
00:00:29,135 --> 00:00:32,590
we're gonna start off with a little overview of VSFTPD and what it is,

12
00:00:32,590 --> 00:00:33,280
what it does.

13
00:00:33,280 --> 00:00:34,924
We'll get a chance to see how to get it installed.

14
00:00:34,924 --> 00:00:39,597
And then more importantly, our real focus today is how we can improve the security

15
00:00:39,597 --> 00:00:42,183
of what is an otherwise unsecured protocol.

16
00:00:42,183 --> 00:00:44,349
So that's what we've got lined up here in this episode.

17
00:00:44,349 --> 00:00:46,340
>> So what can you tell us about VSFTP and

18
00:00:46,340 --> 00:00:49,305
why we would use that as opposed to another FTP server?

19
00:00:49,305 --> 00:00:53,558
>> All right, well, there certainly are a lot of FTP servers and in fact, if you're

20
00:00:53,558 --> 00:00:57,642
running an older Linux distribution, it may have an FTP server built into it.

21
00:00:57,642 --> 00:01:00,592
But when I say older, I really mean like ten years or older,

22
00:01:00,592 --> 00:01:02,845
something you shouldn't be running, right?

23
00:01:02,845 --> 00:01:05,324
If you're running a modern Linux distribution,

24
00:01:05,324 --> 00:01:08,048
the odds are it does not have FTP installed by default.

25
00:01:08,048 --> 00:01:11,358
And that's because the file transfer protocol or

26
00:01:11,358 --> 00:01:14,523
FTP does not really include any true security.

27
00:01:14,523 --> 00:01:17,987
It transmits everything in plain text across the network, anybody can

28
00:01:17,987 --> 00:01:22,101
intercept that, see what your password is, they can manipulate files in transit.

29
00:01:22,101 --> 00:01:24,419
It's got a whole laundry list of problems,

30
00:01:24,419 --> 00:01:26,745
of reasons why you wouldn't want to run it.

31
00:01:26,745 --> 00:01:30,672
However, FTP has one big advantage over other protocols and

32
00:01:30,672 --> 00:01:35,369
that's compatibility, everything supports FTP, Mac OS, Windows,

33
00:01:35,369 --> 00:01:40,457
Linux, UNIX, whatever it is, FreeBSD, you name it, they all support FTP.

34
00:01:40,457 --> 00:01:43,367
So it makes it easy to get files between systems.

35
00:01:43,367 --> 00:01:47,503
So, if you're in a situation where you need FTP, you've got to pick an FTP

36
00:01:47,503 --> 00:01:51,855
server, and you want to pick one that at least gives you some kind of security.

37
00:01:51,855 --> 00:01:54,902
And one of those is VSFTPD.

38
00:01:54,902 --> 00:01:59,315
So I've got their web page pulled up right here, VSFTPD stands for

39
00:01:59,315 --> 00:02:02,617
the very secure file transfer protocol daemon.

40
00:02:02,617 --> 00:02:06,931
And when you look at their home page, it says, probably the most secure and

41
00:02:06,931 --> 00:02:10,851
fastest FTP server for UNIX-like systems. That may or may not be true.

42
00:02:10,851 --> 00:02:15,952
But the reality is if you need secure file transfer, you're probably going to

43
00:02:15,952 --> 00:02:20,913
use SFTP, a completely different thing, which relies on SSH and not FTP at all.

44
00:02:20,913 --> 00:02:24,432
But if you have to pick one, you might as well pick VSFTPD.

45
00:02:24,432 --> 00:02:28,791
It's kind of a neat FTP server because the person who wrote it is

46
00:02:28,791 --> 00:02:32,258
actually a vulnerability tester, a pen tester.

47
00:02:32,258 --> 00:02:35,588
It's a security professional named Chris Evans and, wait,

48
00:02:35,588 --> 00:02:38,340
Chris Evans is Captain America, [LAUGH] hang on,

49
00:02:38,340 --> 00:02:41,621
let me check to make sure, his name is actually Chris Evans.

50
00:02:41,621 --> 00:02:43,136
So, [LAUGH] I went wrong for a second there.

51
00:02:43,136 --> 00:02:46,052
So Captain America himself wrote this FTP server and

52
00:02:46,052 --> 00:02:49,241
if you can't trust Captain America, who can you trust?

53
00:02:49,241 --> 00:02:54,036
But basically he built it to be as secure as he could without breaking the FTP

54
00:02:54,036 --> 00:02:54,807
standard.

55
00:02:54,807 --> 00:02:58,651
And he's actually done a really good job if you ever have a chance to kind of read

56
00:02:58,651 --> 00:02:59,816
through the home page,

57
00:02:59,816 --> 00:03:03,894
it's got some interesting things on there where he highlights some of the other FTP

58
00:03:03,894 --> 00:03:07,532
servers that are out there that have had major security exploits in them.

59
00:03:07,532 --> 00:03:12,537
But that his server, his software VSFTPD, has been so stable and

60
00:03:12,537 --> 00:03:18,089
secure that a lot of organizations trust it, and you'll see his big list,

61
00:03:18,089 --> 00:03:23,926
Red Hat, SUSE, Debian and FreeBSD, GNU, GNOME, KDE, kernel.org.

62
00:03:23,926 --> 00:03:30,366
This is just a laundry list of the biggest names in Linux, and they all rely on VSFTPD.

63
00:03:30,366 --> 00:03:32,630
And I always thought it was funny,

64
00:03:32,630 --> 00:03:37,547
ISC is on the list because ISC has their own FTP server, but they used VSFTPD

65
00:03:37,547 --> 00:03:42,172
because that's really a step up from your standard basic FTP server.

66
00:03:42,172 --> 00:03:45,744
So this server has kind of become ubiquitous across the internet,

67
00:03:45,744 --> 00:03:48,613
just about every site that's out there that you hit,

68
00:03:48,613 --> 00:03:51,507
that's running a public FTP server is using VSFTPD.

69
00:03:51,507 --> 00:03:54,757
So that's what we're gonna be looking at here in this episode and that's why we've

70
00:03:54,757 --> 00:03:57,639
kind of picked this one, but also because it's in the exam objectives, so

71
00:03:57,639 --> 00:03:59,265
that makes it a little important as well.

72
00:03:59,265 --> 00:04:02,803
>> So since it is important that we know kind of what this is and how it works,

73
00:04:02,803 --> 00:04:04,493
how do we get VSFTP up and running?

74
00:04:04,493 --> 00:04:09,245
>> Well, it's really easy, I think that really every Linux distro has VSFTPD in

75
00:04:09,245 --> 00:04:13,582
their repositories, so you usually don't have to go and download it.

76
00:04:13,582 --> 00:04:16,388
I mean you can, you can download the source code and compile it and so on.

77
00:04:16,388 --> 00:04:19,320
But there's almost always a package available for

78
00:04:19,320 --> 00:04:22,115
it, and on some distros it's their default, so

79
00:04:22,115 --> 00:04:26,565
they just call it FTPD instead of VSFTPD cuz it's their standard FTP daemon.

80
00:04:26,565 --> 00:04:31,223
But I'm on an Ubuntu 20.04 box, and on this one it is actually called VSFTPD.

81
00:04:31,223 --> 00:04:34,005
So if I want to get it installed,

82
00:04:34,005 --> 00:04:38,754
I just need to do a sudo apt install vsftpd, like that.

83
00:04:38,754 --> 00:04:42,194
It'll pull it up. It's a very simple application.

84
00:04:42,194 --> 00:04:45,477
So it just depends on one thing, ssl-cert, and that's for

85
00:04:45,477 --> 00:04:49,095
some of the security features we'll see at the end of the episode,

86
00:04:49,095 --> 00:04:53,048
I can just say yes to that and it's going to go ahead and get it installed, and

87
00:04:53,048 --> 00:04:56,144
now I've got a VSFTPD server, I do need to start it up.

88
00:04:56,144 --> 00:04:59,820
So I'll do a sudo systemctl, I'll say enable.

89
00:04:59,820 --> 00:05:04,630
So it starts at boot time, and --now, so it starts, well, right now, and

90
00:05:04,630 --> 00:05:08,268
we'll throw in VSFTPD, that's gonna start that one up.

91
00:05:08,268 --> 00:05:12,992
And then one other thing I need to do, FTP is a little bit of a pain to get through

92
00:05:12,992 --> 00:05:16,290
firewalls, so I need to open up some firewall ports.

93
00:05:16,290 --> 00:05:21,989
Most protocols use one port; FTP can actually use many different ports,

94
00:05:21,989 --> 00:05:28,701
at a minimum, it's going to use two ports, TCP port 20 and TCP port 21, all right?

95
00:05:28,701 --> 00:05:32,893
However, most modern FTP clients will also use what's called

96
00:05:32,893 --> 00:05:37,252
a passive mode transfer, which can use any port number above 1025.

97
00:05:37,252 --> 00:05:38,267
So that means like,

98
00:05:38,267 --> 00:05:42,102
I don't know 50,000 possible other port numbers that are out there.

99
00:05:42,102 --> 00:05:45,540
So when we configure this, one thing we want to do is constrain that number of

100
00:05:45,540 --> 00:05:48,249
ports to limit it and allow that through the firewall also.

101
00:05:48,249 --> 00:05:52,072
So I'm gonna start with sudo ufw allow ftp, and

102
00:05:52,072 --> 00:05:55,237
that's gonna add the standard ports.

103
00:05:55,237 --> 00:05:59,013
So if I do sudo ufw status, you can see where it's added.

104
00:05:59,013 --> 00:06:03,960
I said 20 and 21; it did 21 and 22. 22 I already had in place.

105
00:06:03,960 --> 00:06:06,550
Never mind, 22 is SSH, I gotta keep this straight.

106
00:06:06,550 --> 00:06:09,310
So it's adding 21, it didn't add 20, and

107
00:06:09,310 --> 00:06:14,763
that's okay because I know my passive mode transfer is gonna take the place of 20.

108
00:06:14,763 --> 00:06:18,027
It used to be that commands were sent over 21 then the data transfer

109
00:06:18,027 --> 00:06:19,070
happened over 20.

110
00:06:19,070 --> 00:06:21,129
Now commands are sent over 21 and

111
00:06:21,129 --> 00:06:26,173
then every data transfer is sent over the passive ports that are 1025 or higher.

112
00:06:26,173 --> 00:06:31,564
Well if I need to disable passive mode then I'll need to allow port 20 as well.

113
00:06:31,564 --> 00:06:36,345
And my little alias didn't do it so I can come through and

114
00:06:36,345 --> 00:06:39,518
say, sudo ufw allow 20/tcp.

115
00:06:39,518 --> 00:06:41,944
And that would be added to the list.

116
00:06:41,944 --> 00:06:44,168
The passive side is a little more difficult though.

117
00:06:44,168 --> 00:06:48,493
I usually restrict it to about 10,000 ports and I pick a range that's easy for

118
00:06:48,493 --> 00:06:52,096
me to remember, which is typically 10,000 to 20,000.

119
00:06:52,096 --> 00:06:55,756
So if I want to allow that I can type,

120
00:06:55,756 --> 00:07:01,627
sudo ufw allow 10000:20000/tcp.

121
00:07:01,627 --> 00:07:05,991
So that's gonna allow this huge range of ports which we're gonna

122
00:07:05,991 --> 00:07:07,668
be attaching to VSFTPD.

123
00:07:07,668 --> 00:07:10,869
And just so I don't forget I'm gonna add a little comment to that.

124
00:07:10,869 --> 00:07:15,732
So I can just remember that's for VSFTPD passive mode, and I use spaces, so

125
00:07:15,732 --> 00:07:20,212
I need to put that in quotes, just so I can remember why I made that.

126
00:07:20,212 --> 00:07:22,377
So when I do a sudo ufw status and take a look,

127
00:07:22,377 --> 00:07:25,145
now I know exactly why I've got those entered in there.

128
00:07:25,145 --> 00:07:30,280
But at this point my server is up and running, I've got TCP 20, 21 open.

129
00:07:30,280 --> 00:07:32,472
I've got a range from my passive ports.

130
00:07:32,472 --> 00:07:34,971
I've now got an up and running FTP server.

131
00:07:34,971 --> 00:07:37,232
>> So is that default configuration suitable?

132
00:07:37,232 --> 00:07:40,101
Can we just stick with that or do we need to kind of configure it first?

133
00:07:40,101 --> 00:07:43,376
>> Well, it's up to you, so the default configuration does actually work but

134
00:07:43,376 --> 00:07:45,999
it probably doesn't achieve your security goals, right?

135
00:07:45,999 --> 00:07:48,239
So it's pretty insecure by default.

136
00:07:48,239 --> 00:07:52,327
And there's actually one problem right now, which is I've created this range of ports to use

137
00:07:52,327 --> 00:07:55,192
for passive connections, but VSFTPD doesn't know that yet.

138
00:07:55,192 --> 00:07:56,687
I need to tell it that range.

139
00:07:56,687 --> 00:07:59,529
So at a minimum I wanna configure the passive port range, but

140
00:07:59,529 --> 00:08:01,930
there's a few other things I want to modify.

141
00:08:01,930 --> 00:08:05,690
Fortunately, vsftpd's configuration is pretty easy to work with.

142
00:08:05,690 --> 00:08:12,550
I'm gonna do a sudoedit /etc/vsftpd.conf.

143
00:08:12,550 --> 00:08:16,182
Notice it doesn't have a sub-folder of its own, it's just right inside of /etc.

144
00:08:16,182 --> 00:08:20,330
That's kind of a little bit different than most of the software we've seen.

145
00:08:20,330 --> 00:08:22,620
And when we go in there, it's a well documented file.

146
00:08:22,620 --> 00:08:26,341
It's got a lot of information in here on how we want it configured and

147
00:08:26,341 --> 00:08:28,190
this is where we make decisions.

148
00:08:28,190 --> 00:08:32,380
Do I want it to run on IPv4, or IPv4 and IPv6?

149
00:08:32,380 --> 00:08:35,754
You'll notice mine says listen=NO, that might make you think, hey,

150
00:08:35,754 --> 00:08:37,369
it's not listening on any ports.

151
00:08:37,369 --> 00:08:41,330
But there's an entry down here that says listen_ipv6=YES.

152
00:08:41,330 --> 00:08:45,481
Well that one implies that we're listening on IPv4 as well.

153
00:08:45,481 --> 00:08:47,537
So this is gonna make sure that I am listening,

154
00:08:47,537 --> 00:08:49,614
even though that first line says listen=NO.

155
00:08:49,614 --> 00:08:51,900
It's why it's important to read the documentation.

156
00:08:51,900 --> 00:08:53,908
Sometimes it doesn't behave the way we expect it to.

157
00:08:53,908 --> 00:08:56,290
There are other things we might want to change in here.

158
00:08:56,290 --> 00:08:59,321
I might want to restrict the IP addresses that I listen on.

159
00:08:59,321 --> 00:09:03,965
So if I have more than one network adapter, I could come in and

160
00:09:03,965 --> 00:09:06,528
I could say listen_address=.

161
00:09:06,528 --> 00:09:09,851
And then specify the address that I wanna listen on.

162
00:09:09,851 --> 00:09:13,561
So that's gonna kind of tie it down to a single adapter that'll help with firewall

163
00:09:13,561 --> 00:09:14,280
rules as well.

164
00:09:14,280 --> 00:09:17,445
In my case, I've only got one adapter so I actually don't need that.

165
00:09:17,445 --> 00:09:18,710
So I can just leave it off.

166
00:09:18,710 --> 00:09:20,830
Let's see, what else do we wanna do?

167
00:09:20,830 --> 00:09:23,759
anonymous_enable=NO.

168
00:09:23,759 --> 00:09:28,732
Anonymous users are turned off by default, that may be what I want.

169
00:09:28,732 --> 00:09:32,361
With the default configuration, regular users can connect in and

170
00:09:32,361 --> 00:09:34,789
get to the system; anonymous users cannot.

171
00:09:34,789 --> 00:09:39,163
But if I'm trying to set up a public FTP server, I need anonymous users to

172
00:09:39,163 --> 00:09:42,766
be able to get in there, so I'll need to change that to YES.

173
00:09:42,766 --> 00:09:45,020
Now anonymous people will gain access.

174
00:09:45,020 --> 00:09:47,607
Regular users can still organize themselves, but

175
00:09:47,607 --> 00:09:50,030
anonymous users can connect as well.

176
00:09:50,030 --> 00:09:53,844
A few other things, we'll see local_enable=YES.

177
00:09:53,844 --> 00:09:55,920
That is, do I want local users to be able to connect?

178
00:09:55,920 --> 00:09:58,139
Maybe I don't, maybe I only want anonymous, and so I could set local_enable to NO.

179
00:09:58,139 --> 00:10:02,956
And now it would just be anonymous users that get access to the system.

180
00:10:02,956 --> 00:10:05,970
The next line here is probably one of the more important ones.

181
00:10:05,970 --> 00:10:09,950
write_enable=YES, by default.

182
00:10:09,950 --> 00:10:12,769
vsftpd is read-only.

183
00:10:12,769 --> 00:10:17,156
When people connect, they can download files, but they can't upload.

184
00:10:17,156 --> 00:10:20,612
If you wanna maintain a secure FTP server, that's one way to do it,

185
00:10:20,612 --> 00:10:24,143
just don't allow people to upload stuff and that saves a lot of pain.

186
00:10:24,143 --> 00:10:27,798
But if we want people to upload we'll need to enable this, and

187
00:10:27,798 --> 00:10:32,993
we can do that by just uncommenting that line and now write_enable is set to YES.

188
00:10:32,993 --> 00:10:36,623
It does not grant write permission to anonymous users.

189
00:10:36,623 --> 00:10:40,240
The file system has permissions too that still apply.

190
00:10:40,240 --> 00:10:43,115
The anonymous user will not be allowed to write no matter what,

191
00:10:43,115 --> 00:10:46,330
unless you really blow your security stack out the window.

192
00:10:46,330 --> 00:10:47,744
Let's see what else.

193
00:10:47,744 --> 00:10:50,634
The only other thing I need to worry about are my passive ports and

194
00:10:50,634 --> 00:10:53,266
if I remember that's actually not in the configuration.

195
00:10:53,266 --> 00:10:54,630
So I'm gonna have to add that in.

196
00:10:54,630 --> 00:10:57,160
I'm just kinda scanning across the configuration here

197
00:10:57,160 --> 00:10:59,390
to see if passive jumps out at me and it doesn't.

198
00:10:59,390 --> 00:11:02,981
So I'm just gonna go to the very bottom of the file and I'm gonna add three lines.

199
00:11:02,981 --> 00:11:08,703
First off, pasv_enable=YES.

200
00:11:08,703 --> 00:11:11,440
I wanna make sure that passive mode is enabled.

201
00:11:11,440 --> 00:11:14,522
Most modern FTP clients expect that to work.

202
00:11:14,522 --> 00:11:22,140
Then I'm gonna say pasv_min_port=10000.

203
00:11:22,140 --> 00:11:30,030
And then pasv_max_port=20000.

204
00:11:30,030 --> 00:11:33,031
So now it knows the range of ports that I wanted to use.

205
00:11:33,031 --> 00:11:34,230
So I'll put that in place.

206
00:11:34,230 --> 00:11:36,552
I'm gonna go ahead and save that file.

207
00:11:36,552 --> 00:11:42,390
And then I'll do a systemctl restart vsftpd, that's gonna restart it.

208
00:11:42,390 --> 00:11:44,816
And now I've got a pretty decent configuration,

209
00:11:44,816 --> 00:11:47,369
anonymous users can get in, regular users can get in.

210
00:11:47,369 --> 00:11:48,813
The system is up and running.

211
00:11:48,813 --> 00:11:52,408
>> And when those users do connect, what data are they able to see?

212
00:11:52,408 --> 00:11:53,884
>> It depends on who they are.

213
00:11:53,884 --> 00:11:57,880
So if they're a regular user, when they log in, they'll see their home directory.

214
00:11:57,880 --> 00:12:00,841
So I've got a user account on here, I've got a home directory.

215
00:12:00,841 --> 00:12:03,468
So when I log in I should see /home/dpezet.

216
00:12:03,468 --> 00:12:04,699
I'm a user.

217
00:12:04,699 --> 00:12:12,230
But if I'm an anonymous user, what I'll see is the contents of /srv/ftp.

218
00:12:12,230 --> 00:12:14,903
So /srv/ftp is an empty folder by default and

219
00:12:14,903 --> 00:12:17,919
it's designed to hold stuff for anonymous users.

220
00:12:17,919 --> 00:12:20,730
So I'm gonna create a file in here.

221
00:12:20,730 --> 00:12:25,410
I'll just call it anonymous-content.txt.

222
00:12:25,410 --> 00:12:28,401
So there we go, I need to be an administrator for that.

223
00:12:28,401 --> 00:12:29,560
So I'll just drop it in there.

224
00:12:29,560 --> 00:12:32,560
So now I've got a file in there and that's for anonymous users.

225
00:12:32,560 --> 00:12:35,066
And then I'm gonna go into my home folder and

226
00:12:35,066 --> 00:12:39,630
I'll create a file here which I'll just call donpezet-content.

227
00:12:39,630 --> 00:12:42,120
And so now I've got that one as well.

228
00:12:42,120 --> 00:12:45,442
So now I can kinda see where I've got some files.

229
00:12:45,442 --> 00:12:48,186
So when I remote in and connect, I can tell where I'm connected to.

230
00:12:48,186 --> 00:12:54,207
If I fire up a client, like here, I'll fire up old FileZilla.

231
00:12:54,207 --> 00:12:59,430
And I'll connect to that server so 10.22.0.51.

232
00:12:59,430 --> 00:13:07,600
I'm gonna log in as dpezet, I'll punch in my password, which is password 123.

233
00:13:07,600 --> 00:13:12,553
And then I want to tell it, oops I want to tell it that

234
00:13:12,553 --> 00:13:16,601
I'm using port 21 and we'll connect.

235
00:13:16,601 --> 00:13:19,430
We don't need to save passwords today.

236
00:13:19,430 --> 00:13:23,270
And it's warning me that this is a plaintext connection, FTP is not secure, but

237
00:13:23,270 --> 00:13:24,051
that's fine.

238
00:13:24,051 --> 00:13:26,868
So I connect and sure enough I see /home/dpezet, and

239
00:13:26,868 --> 00:13:29,481
there's that dpezet content right there.

240
00:13:29,481 --> 00:13:36,053
I'm seeing my home folder but if I reconnect and if I leave the user name and

241
00:13:36,053 --> 00:13:40,827
password blank, when I do that, let me disconnect.

242
00:13:40,827 --> 00:13:42,212
Now I'm gonna connect anonymously.

243
00:13:42,212 --> 00:13:44,830
And what I see is something different.

244
00:13:44,830 --> 00:13:47,930
Now I see that anonymous content file right there in that other folder.

245
00:13:47,930 --> 00:13:51,689
So it just depends on the user context, what I'm gonna see when I log in.

246
00:13:51,689 --> 00:13:53,341
>> So once people are in the system,

247
00:13:53,341 --> 00:13:56,653
is there a way that you're able to monitor what files they access?

248
00:13:56,653 --> 00:13:59,541
>> You can, yeah, so it logs a lot of this.

249
00:13:59,541 --> 00:14:01,141
It should be logging by default.

250
00:14:01,141 --> 00:14:02,771
I haven't actually transferred anything.

251
00:14:02,771 --> 00:14:06,020
So maybe I should, I don't know download something.

252
00:14:06,020 --> 00:14:08,126
I'll download this anonymous file.

253
00:14:08,126 --> 00:14:09,582
So I'll just double click on that.

254
00:14:09,582 --> 00:14:15,015
Let me reconnect as my actual user account and I'll download that file.

255
00:14:15,015 --> 00:14:19,498
So when we start going through and doing all of this, you're transferring files,

256
00:14:19,498 --> 00:14:20,990
you're grabbing things.

257
00:14:20,990 --> 00:14:22,586
It should be logging that, we can check,

258
00:14:22,586 --> 00:14:25,480
I guess I should have checked that before I started downloading the files.

259
00:14:25,480 --> 00:14:29,608
Let me go back into editing my configuration, so

260
00:14:29,608 --> 00:14:33,730
I'll do a sudoedit /etc/vsftpd.conf.

261
00:14:33,730 --> 00:14:37,170
And in here there's an entry for a transfer log.

262
00:14:37,170 --> 00:14:41,061
And that log, it's just called xfer.

263
00:14:41,061 --> 00:14:44,230
So let me search for that and see if we can find it, right here.

264
00:14:44,230 --> 00:14:46,231
xferlog_enable.

265
00:14:46,231 --> 00:14:47,011
Sounds southern right there.

266
00:14:47,011 --> 00:14:47,640
The xfer.

267
00:14:47,640 --> 00:14:49,291
>> [LAUGH] >> So the xferlog or

268
00:14:49,291 --> 00:14:51,201
transfer log, equals YES.

269
00:14:51,201 --> 00:14:52,611
So it is logging by default.

270
00:14:52,611 --> 00:14:54,510
So it should have logged the access that I just gave.

271
00:14:54,510 --> 00:15:01,140
If I go into /var/log and take a look, I can see vsftpd.log right there.

272
00:15:01,140 --> 00:15:06,321
And I'm gonna tail that file and I need to be an administrator.

273
00:15:06,321 --> 00:15:07,021
So let me sudo that.

274
00:15:07,021 --> 00:15:10,100
So I'm doing sudo tail vsftpd.log.

275
00:15:10,100 --> 00:15:13,007
And right here at the end I can see the access coming in.

276
00:15:13,007 --> 00:15:15,930
I came in from 10.222.0.50.

277
00:15:15,930 --> 00:15:18,098
That's my laptop's address.

278
00:15:18,098 --> 00:15:21,017
And I connect, it shows my anonymous one.

279
00:15:21,017 --> 00:15:24,506
And I can see where I've downloaded that text file.

280
00:15:24,506 --> 00:15:29,421
Let's see, we've got, right here is the anonymous-content.txt file that

281
00:15:29,421 --> 00:15:33,261
I downloaded, and here's the donpezet-content.txt file.

282
00:15:33,261 --> 00:15:36,665
So I can see exactly what has been kind of done on my server.

283
00:15:36,665 --> 00:15:39,628
>> Now FTP transfers data in the clear.

284
00:15:39,628 --> 00:15:42,485
So can we make vsftpd use encryption?

285
00:15:42,485 --> 00:15:45,005
>> You can, yeah, you generally don't want to and

286
00:15:45,005 --> 00:15:47,043
let me explain what I'm saying there.

287
00:15:47,043 --> 00:15:50,072
It's not that we don't want encryption, it's just that FTP sucks at it.

288
00:15:50,072 --> 00:15:52,051
[LAUGH] So we want to use something that's a little bit better.

289
00:15:52,051 --> 00:15:55,150
Almost every Linux sort of runs SSH.

290
00:15:55,150 --> 00:16:01,121
And so that means you can use SFTP, which is secure file transfer protocol.

291
00:16:01,121 --> 00:16:02,872
It's FTP run on top of SSH.

292
00:16:02,872 --> 00:16:04,676
That is very secure.

293
00:16:04,676 --> 00:16:07,537
Nobody can intercept and modify your traffic in transit, and

294
00:16:07,537 --> 00:16:09,340
it's built into every Linux system.

295
00:16:09,340 --> 00:16:11,016
You don't need an FTP server for that.

296
00:16:11,016 --> 00:16:14,568
I don't have to install VSFTPD, I just need SSH running, and

297
00:16:14,568 --> 00:16:15,997
I can use SFTP, right.

298
00:16:15,997 --> 00:16:19,384
So that's what most people will use if they want encrypted data.

299
00:16:19,384 --> 00:16:21,083
But if you have to use FTP,

300
00:16:21,083 --> 00:16:25,734
if you've got some compatibility reason where you've gotta use FTP.

301
00:16:25,734 --> 00:16:29,841
You can tell it to use what's called FTPS and

302
00:16:29,841 --> 00:16:34,066
that is FTP over SSL. Very confusing, right?

303
00:16:34,066 --> 00:16:39,399
SFTP is on top of SSH, FTPS is on top of SSL.

304
00:16:39,399 --> 00:16:43,627
So we're basically relying on transport layer security or

305
00:16:43,627 --> 00:16:48,286
TLS to give us SSL security on or underneath FTP for our transfer.

306
00:16:48,286 --> 00:16:52,151
It's not very common, not many people use it, but the functionality is there and

307
00:16:52,151 --> 00:16:53,558
it's pretty easy to turn on.

308
00:16:53,558 --> 00:17:00,347
Let me go back into my config file, so I'll sudoedit /etc/vsftpd.conf.

309
00:17:00,347 --> 00:17:04,442
And I'm gonna look for a setting which is called SSL and

310
00:17:04,442 --> 00:17:07,123
we'll see if it's in here, it is.

311
00:17:07,123 --> 00:17:09,594
So right here you'll see the settings for SSL and

312
00:17:09,594 --> 00:17:12,435
there's three settings that really matter to us here.

313
00:17:12,435 --> 00:17:18,161
So one setting is ssl_enable, and right now mine says =NO.

314
00:17:18,161 --> 00:17:21,581
So it's not turned on, I'm not doing encryption, right.

315
00:17:21,581 --> 00:17:26,709
So if I wanna, the easiest thing for me here is to just type YES, right.

316
00:17:26,709 --> 00:17:29,904
So now we will, but the two lines before are kinda important.

317
00:17:29,904 --> 00:17:32,140
We need to provide a certificate and

318
00:17:32,140 --> 00:17:35,204
a private key to be able to do proper encryption.

319
00:17:35,204 --> 00:17:39,715
Now, it's gonna default to the Ubuntu snakeoil certs, which are just temporary certs

320
00:17:39,715 --> 00:17:41,107
you shouldn't count on.

321
00:17:41,107 --> 00:17:43,476
I need to go and get real certificates.

322
00:17:43,476 --> 00:17:45,756
Get them generated, either use Let's Encrypt or

323
00:17:45,756 --> 00:17:47,990
any of the number of other services we've seen.

324
00:17:47,990 --> 00:17:50,007
And get those certificates put in place and

325
00:17:50,007 --> 00:17:51,976
then I can configure VSFTPD to use them.

326
00:17:51,976 --> 00:17:54,632
But for right now I'm just gonna go ahead and use the snake oil ones.

327
00:17:54,632 --> 00:17:59,041
I will get out of my config, I'm gonna restart

328
00:17:59,041 --> 00:18:03,870
VSFTPD, so I'll do sudo systemctl restart

329
00:18:03,870 --> 00:18:07,052
vsftpd, so we'll let that restart.

330
00:18:07,052 --> 00:18:09,627
Then I can go back over to FileZilla and

331
00:18:09,627 --> 00:18:13,094
in FileZilla I've been doing a quick connection.

332
00:18:13,094 --> 00:18:14,895
Let me do a real connection this time.

333
00:18:14,895 --> 00:18:19,454
So when I define a site in FileZilla I give it a site name so

334
00:18:19,454 --> 00:18:22,270
I'll call this my Ubuntu server.

335
00:18:22,270 --> 00:18:24,010
And then over here I picked the protocol.

336
00:18:24,010 --> 00:18:27,978
Now if I drop that down, there's two protocols, FTP and SFTP.

337
00:18:27,978 --> 00:18:33,789
SFTP is the one that uses SSH, I'm gonna choose regular old FTP.

338
00:18:33,789 --> 00:18:37,497
And then right beneath that I've got the encryption option.

339
00:18:37,497 --> 00:18:43,313
And there's four options here use explicit FTP over TLS if available.

340
00:18:43,313 --> 00:18:47,834
So if it's available use TLS if not go plain text.

341
00:18:47,834 --> 00:18:49,900
Then we got require explicit or implicit.

342
00:18:49,900 --> 00:18:55,793
Explicit means either have to use it or I get disconnected.

343
00:18:55,793 --> 00:18:58,834
Implicit means when I get connected the server already assumes

344
00:18:58,834 --> 00:19:00,218
that I've got it turned on.

345
00:19:00,218 --> 00:19:02,399
It's kinda just two different modes for getting it enabled.

346
00:19:02,399 --> 00:19:06,068
Usually it'll automatically negotiate so don't worry about it too much.

347
00:19:06,068 --> 00:19:08,557
And then the last one I just hey just go plaintext just go ahead.

348
00:19:08,557 --> 00:19:09,574
And do plain insecure and

349
00:19:09,574 --> 00:19:12,344
I get a little yellow triangle telling me that's the wrong choice.

350
00:19:12,344 --> 00:19:17,014
So I'm gonna stick with use explicit FTP if it's available and

351
00:19:17,014 --> 00:19:21,433
then I can specify my host, which is 10.222.0.51.

352
00:19:21,433 --> 00:19:24,393
I'll leave the port blank on this one it will go with the defaults.

353
00:19:24,393 --> 00:19:27,669
And I can choose to be anonymous or I can actually log in I'll choose normal.

354
00:19:27,669 --> 00:19:33,739
I'm gonna log in with my user account and I'll go ahead and hit connect on that.

355
00:19:33,739 --> 00:19:36,239
So it's telling me that I haven't saved the password so

356
00:19:36,239 --> 00:19:37,632
it's gonna prompt me anyway.

357
00:19:37,632 --> 00:19:39,054
So we'll go ahead and

358
00:19:39,054 --> 00:19:43,648
get connected when I connect the first time it sees the certificate.

359
00:19:43,648 --> 00:19:46,433
And it says hey I don't trust the certificate by default.

360
00:19:46,433 --> 00:19:49,456
Do you trust it? And this is one of the snakeoil certs, that's why it's

361
00:19:49,456 --> 00:19:52,031
not trusted but I'll say yeah hey I always trust that one.

362
00:19:52,031 --> 00:19:56,121
I love it and then we'll just hit okay on that and now I connect up.

363
00:19:56,121 --> 00:20:00,367
And I can see right here in my connection log TLS connection established.

364
00:20:00,367 --> 00:20:03,395
I now have an encrypted connection to that server.

365
00:20:03,395 --> 00:20:05,608
So when I transfer files over the network,

366
00:20:05,608 --> 00:20:08,814
they're just as secure as when I go to web pages and use https.

367
00:20:08,814 --> 00:20:10,842
It's the same technology.

368
00:20:10,842 --> 00:20:14,292
>> This is a great introduction to VSFTPD.

369
00:20:14,292 --> 00:20:16,813
See if I can say that five times fast and some of its features,

370
00:20:16,813 --> 00:20:18,850
we've gotta look at the installation process.

371
00:20:18,850 --> 00:20:21,503
And configuring some of those security options as well.

372
00:20:21,503 --> 00:20:23,058
And we're not quite done with this so don't go away.

373
00:20:23,058 --> 00:20:26,409
We've got another episode coming up that's kinda related to this topic, right?

374
00:20:26,409 --> 00:20:27,674
We've got more of this coming up.

375
00:20:27,674 --> 00:20:29,224
>> Yeah, we're gonna take one more FTP server so

376
00:20:29,224 --> 00:20:30,468
we can see some different examples.

377
00:20:30,468 --> 00:20:31,169
Stay tuned for it.

378
00:20:31,169 --> 00:20:31,934
>> All right, awesome.

379
00:20:31,934 --> 00:20:33,568
Well then thanks so much for watching this episode.

380
00:20:33,568 --> 00:20:36,034
We'll see you next time.

381
00:20:36,034 --> 00:20:39,731
>> Thank you for watching IT Pro TV.
