1
00:00:00,000 --> 00:00:02,883
Welcome to ITProTV,
I'm your host Don Pezet.

2
00:00:02,883 --> 00:00:06,466
[CROSSTALK]

3
00:00:06,466 --> 00:00:08,082
[MUSIC]

4
00:00:08,082 --> 00:00:12,150
>> You're watching ITProTV.

5
00:00:12,150 --> 00:00:13,960
>> Hello and thank you for
choosing ITProTV,

6
00:00:13,960 --> 00:00:15,800
helping you learn wherever you go.

7
00:00:15,800 --> 00:00:20,318
I'm your host, Zach Memos, as we continue
on becoming a Linux server administrator.

8
00:00:20,318 --> 00:00:22,967
We're gonna be configuring an FTP server.

9
00:00:22,967 --> 00:00:24,599
That sounds great, doesn't it, and

10
00:00:24,599 --> 00:00:27,254
the person who's gonna let us
know how to do that is Don Pezet.

11
00:00:27,254 --> 00:00:28,271
Don, good morning sir.

12
00:00:28,271 --> 00:00:29,456
>> Thanks for having me back Zach.

13
00:00:29,456 --> 00:00:33,773
Yeah, in this episode we're gonna look
at the file transfer protocol, or FTP.

14
00:00:33,773 --> 00:00:38,060
It is an increasingly less popular way
[LAUGH] of transferring files, but

15
00:00:38,060 --> 00:00:40,785
you certainly can't beat it for
ease of use.

16
00:00:40,785 --> 00:00:43,060
So I wanted to walk through
an example of how to get that setup.

17
00:00:43,060 --> 00:00:46,836
So right here in this episode we're
gonna see how to get FTP put in place.

18
00:00:46,836 --> 00:00:50,287
How we can fire that up and use it to be
able to transfer files between our servers

19
00:00:50,287 --> 00:00:51,560
and get things up and going.

20
00:00:51,560 --> 00:00:52,461
And for a lot of you,

21
00:00:52,461 --> 00:00:55,608
you may have moved on to other protocols
that are a little more secure.

22
00:00:55,608 --> 00:00:59,178
We'll tackle that in another
episode as well, but for right now,

23
00:00:59,178 --> 00:01:02,126
just focusing on quick and
easy file transfers in FTP.

24
00:01:02,126 --> 00:01:03,930
>> So
now that you've got my curiosity going,

25
00:01:03,930 --> 00:01:06,092
what does it take to get
an FTP server up and running?

26
00:01:06,092 --> 00:01:09,764
>> All right, well this is another
one like, in the olden days [LAUGH].

27
00:01:09,764 --> 00:01:12,001
>> Olden days again, back then.

28
00:01:12,001 --> 00:01:15,483
>> Most Linux distros included
a little package called xinetd,

29
00:01:15,483 --> 00:01:17,266
and it included an FTP server.

30
00:01:17,266 --> 00:01:19,187
And it was all kind of rolled in, but

31
00:01:19,187 --> 00:01:23,041
one of the big problems with FTP is
that it transfers data in plain text.

32
00:01:23,041 --> 00:01:26,828
So if anybody's monitoring the network,
they can intercept that data, and

33
00:01:26,828 --> 00:01:29,345
now everything's compromised,
so that's bad.

34
00:01:29,345 --> 00:01:33,320
So as a result, most people moved on to
other file transfer technologies, but

35
00:01:33,320 --> 00:01:34,474
FTP still has a place.

36
00:01:34,474 --> 00:01:38,160
We still use it for a lot of things,
there's a lot of systems that require it,

37
00:01:38,160 --> 00:01:41,792
and if you've already encrypted your data,
you can ship it across FTP, and

38
00:01:41,792 --> 00:01:44,388
it doesn't matter that FTP
doesn't do encryption.

39
00:01:44,388 --> 00:01:48,939
From that standpoint, it's actually a very
efficient protocol that is supported by

40
00:01:48,939 --> 00:01:53,612
every operating system that's out there,
by Linux, Mac OS, Windows, and if we wanna

41
00:01:53,612 --> 00:01:58,090
get it stood up, on most distros,
we're gonna have to install an FTP server.

42
00:01:58,090 --> 00:02:00,225
It's not gonna be there by default.

43
00:02:00,225 --> 00:02:05,237
I've been using a Red Hat server for most
of this series, and in the Red Hat world,

44
00:02:05,237 --> 00:02:09,250
they really only support one FTP server,
and that is the VSFTPD.

45
00:02:09,250 --> 00:02:13,337
So it stands for the Very Secure
File Transfer Protocol Daemon and

46
00:02:13,337 --> 00:02:17,647
I think it's a bit of an oxymoron
that it's a very secure FTP server,

47
00:02:17,647 --> 00:02:19,855
cuz you can only make it so secure.

48
00:02:19,855 --> 00:02:23,807
But it does have some nice features to
it and so we're gonna see getting that

49
00:02:23,807 --> 00:02:26,770
installed, and
what we need to do to get it configured.

50
00:02:26,770 --> 00:02:29,515
Like most services getting it installed
is really not that big of a deal.

51
00:02:29,515 --> 00:02:33,161
So I'll go here on my server,
and I'm gonna go ahead and

52
00:02:33,161 --> 00:02:36,740
just bump up to a root shell
real quick with sudo -s.

53
00:02:36,740 --> 00:02:42,714
And I will do a yum install vsftpd,
and that's gonna reach out,

54
00:02:42,714 --> 00:02:47,356
and find that package,
and get that installed.

55
00:02:47,356 --> 00:02:51,894
VSFTPD is not just on Red Hat,
obviously CentOS and Fedora have it,

56
00:02:51,894 --> 00:02:57,030
Ubuntu, Debian they've got it as well,
it's a very common FTP server.

57
00:02:57,030 --> 00:02:59,678
There are other ones that are out
there that you're welcome to use, but

58
00:02:59,678 --> 00:03:01,324
this one's considered the best right now.

59
00:03:01,324 --> 00:03:05,730
So, I'll go ahead and
say yes to getting installed.

60
00:03:05,730 --> 00:03:07,632
Notice that massive size, 169k.

61
00:03:07,632 --> 00:03:11,678
FTP is very, very old, and so it doesn't
take a whole lot to get it up and running,

62
00:03:11,678 --> 00:03:12,745
and doing its job.

63
00:03:12,745 --> 00:03:15,635
>> [LAUGH]
>> FTP was designed in the late

64
00:03:15,635 --> 00:03:16,927
1970s-
>> Wow.

65
00:03:16,927 --> 00:03:18,833
>> And so here we are 40 years later.

66
00:03:18,833 --> 00:03:19,735
>> It was the olden days.

67
00:03:19,735 --> 00:03:20,551
>> It really was.

68
00:03:20,551 --> 00:03:25,230
>> [LAUGH]
>> And we still make use of it.

69
00:03:25,230 --> 00:03:28,600
It is efficient for what it does,
even though it's not very feature rich.

70
00:03:28,600 --> 00:03:32,811
So, now that it's installed, it's there.

71
00:03:32,811 --> 00:03:35,289
I usually wanna go one step further,
and that is,

72
00:03:35,289 --> 00:03:38,891
if I'm gonna set this up I need a way
to test it, like a client to connect.

73
00:03:38,891 --> 00:03:41,162
And so I'll typically install one,

74
00:03:41,162 --> 00:03:46,080
and it used to be that you always had an
FTP client built right into your distro.

75
00:03:46,080 --> 00:03:48,604
So, you can just type ftp and connect.

76
00:03:48,604 --> 00:03:53,038
But see I don't have that anymore so,
because they don't package FTP so much,

77
00:03:53,038 --> 00:03:55,900
they don't package the FTP client so
much either.

78
00:03:55,900 --> 00:03:57,671
So I can choose to install one if I want.

79
00:03:57,671 --> 00:03:59,350
There's a few different
ones that are out there.

80
00:03:59,350 --> 00:04:03,100
I know the Red Hat guys,
they all love lftp.

81
00:04:03,100 --> 00:04:05,700
I'm not exactly sure why, but they do.

82
00:04:05,700 --> 00:04:08,260
It's something about it
that makes them happy.

83
00:04:08,260 --> 00:04:10,812
There's gFTP,
which is good if you have a GUI.

84
00:04:10,812 --> 00:04:13,760
I'm logged into a server so
I can't use that one.

85
00:04:13,760 --> 00:04:17,180
I'm just gonna use the good,
old, classic FTP.

86
00:04:17,180 --> 00:04:20,690
So if you do a package search for
a package just called ftp,

87
00:04:20,690 --> 00:04:23,786
it's not an FTP server,
it's just an FTP client.

88
00:04:23,786 --> 00:04:26,349
And that will let you test this out and
make sure it works, and

89
00:04:26,349 --> 00:04:29,227
if you don't like it, you can always
just remove it when you're done.

90
00:04:29,227 --> 00:04:30,704
See how it had no dependencies?

91
00:04:30,704 --> 00:04:33,299
It's just that client all by itself, so-
>> Just basic, yeah.

92
00:04:33,299 --> 00:04:35,286
>> So really easy to add and remove, and

93
00:04:35,286 --> 00:04:37,992
it's a blazing 61 kilobytes
in [LAUGH] size too.

94
00:04:37,992 --> 00:04:41,255
>> [LAUGH]
>> So this is small stuff to get it

95
00:04:41,255 --> 00:04:47,313
installed, but now I've got it, and
I can start up the FTP service.

96
00:04:47,313 --> 00:04:53,327
So I can come in and
say systemctl enable vsftpd.service,

97
00:04:53,327 --> 00:04:59,110
and that'll enable it, and
then I just need to start it.

98
00:04:59,110 --> 00:05:02,130
Remember, the enable command says I wanna
start this service anytime I boot up,

99
00:05:02,130 --> 00:05:04,990
and the start command tells it
I wanna start it right now,

100
00:05:04,990 --> 00:05:09,870
cuz I don't wanna reboot, and so
now vsftpd is up, it's running.

101
00:05:09,870 --> 00:05:11,948
I got my client,
I could try and connect, but

102
00:05:11,948 --> 00:05:14,709
we do still have a bit more that
we need to get kinda working.

103
00:05:14,709 --> 00:05:19,863
But once that's there, yeah, like if I
were to try and connect right now I'd

104
00:05:19,863 --> 00:05:25,830
just do ftp 127.0.0.1, I can see,
I connect to the server, I get the prompt.

105
00:05:25,830 --> 00:05:29,360
Here's vsftpd version 3.0.2 and
now I need to log in.

106
00:05:30,740 --> 00:05:32,870
But I'm testing this locally.

107
00:05:32,870 --> 00:05:35,990
Like with a lot of things I need to
allow this through my firewall so

108
00:05:35,990 --> 00:05:38,966
users will be able to connect,
and so I need to get that added.

109
00:05:38,966 --> 00:05:44,648
So I'll do a quick firewall-cmd --add-service=ftp

110
00:05:44,648 --> 00:05:49,357
--permanent so

111
00:05:49,357 --> 00:05:53,261
that it writes that to disk.

112
00:05:53,261 --> 00:05:55,639
And then I'll run it again
without permanent, so

113
00:05:55,639 --> 00:05:59,318
that it takes effect right away, and
that's gonna open it up on the network so

114
00:05:59,318 --> 00:06:01,488
that users can ftp in,
and get things set up.

115
00:06:01,488 --> 00:06:04,272
Now I might not wanna do that right away,
cuz there might be some other

116
00:06:04,272 --> 00:06:06,337
configuration I wanna do
first before I open it up.

117
00:06:06,337 --> 00:06:09,134
But that's what opens it
up on the firewall, and

118
00:06:09,134 --> 00:06:11,943
now network users can
connect to the FTP server.

119
00:06:11,943 --> 00:06:15,168
>> So now that it's running, and
you just kind of alluded to that,

120
00:06:15,168 --> 00:06:16,810
how do we configure it?

121
00:06:16,810 --> 00:06:21,345
>> Okay, so like a lot of services, we've
got a config file that we can reach into

122
00:06:21,345 --> 00:06:24,605
and we can modify a lot of
the behavior of the FTP server.

123
00:06:24,605 --> 00:06:28,233
The main configuration for
it is in /etc/vsftpd,

124
00:06:28,233 --> 00:06:33,015
that folder right there, and
if you take a look in that folder you'll

125
00:06:33,015 --> 00:06:36,159
see there's not a whole
heck of a lot in here.

126
00:06:36,159 --> 00:06:40,383
FTP users and user list, I'll explain
those a little bit later, those are for

127
00:06:40,383 --> 00:06:41,600
restricting access.

128
00:06:41,600 --> 00:06:46,020
Then there's vsftpd.conf, which is the file
that actually has the configuration.

129
00:06:46,020 --> 00:06:49,492
That's what we want to modify,
and then lastly,

130
00:06:49,492 --> 00:06:54,380
there's a script for migrating old
FTP configurations into VSFTPD.

131
00:06:54,380 --> 00:06:58,208
That was important when VSFTPD first
came out and became popularized, but

132
00:06:58,208 --> 00:07:00,220
most people don't need that anymore.

133
00:07:00,220 --> 00:07:02,312
This was well over ten years ago.

134
00:07:02,312 --> 00:07:05,650
So I'm gonna go and edit that main file,

135
00:07:05,650 --> 00:07:10,166
the /etc/vsftpd/vsftpd.conf,
and in that file,

136
00:07:10,166 --> 00:07:16,310
like a lot of these, you'll see
where it's really well documented.

137
00:07:16,310 --> 00:07:19,121
It kind of explains what each
of the settings are, and

138
00:07:19,121 --> 00:07:21,129
I can just go through and tweak those.

139
00:07:21,129 --> 00:07:24,625
But you might have noticed
there's a lot of settings.

140
00:07:24,625 --> 00:07:29,240
There's a ton of options in here, and
each of these have a default value, and

141
00:07:29,240 --> 00:07:34,000
those default values might match what
you want, but a lot of times they don't.

142
00:07:34,000 --> 00:07:37,000
A lot of times they don't line up with
what it is that you're trying to achieve.

143
00:07:37,000 --> 00:07:39,860
So you need to go through and
customize this to meet your needs.

144
00:07:39,860 --> 00:07:43,568
Let me show you a couple of
ones that I normally work with,

145
00:07:43,568 --> 00:07:48,297
right here at the very beginning,
the first one, allow anonymous FTP.

146
00:07:48,297 --> 00:07:54,730
This is enabled by default, so
anonymous users are allowed to connect.

147
00:07:54,730 --> 00:07:58,731
Now when they connect,
what are they allowed to do?

148
00:07:58,731 --> 00:08:04,815
Well, right down a little bit
further we'll see write_enable=YES.

149
00:08:04,815 --> 00:08:06,638
Write, which is allowing write access.

150
00:08:06,638 --> 00:08:08,970
So, anonymous users could connect, and

151
00:08:08,970 --> 00:08:12,730
anonymous users could start
uploading data in the system.

152
00:08:12,730 --> 00:08:16,180
And so
that may not be something that I want.

153
00:08:16,180 --> 00:08:16,980
I need to tweak this.

154
00:08:16,980 --> 00:08:18,770
If this is gonna be a private FTP server,

155
00:08:18,770 --> 00:08:20,990
I might want to require a username and
password.

156
00:08:20,990 --> 00:08:27,045
And I would want to set anonymous
enable equals no and turn that off, right?

157
00:08:27,045 --> 00:08:28,070
>> [LAUGH]
>> And they give you a warning,

158
00:08:28,070 --> 00:08:30,710
that if you just comment it out,
the default is yes.

159
00:08:30,710 --> 00:08:33,600
All these values in here
are the default values.

160
00:08:33,600 --> 00:08:38,390
So, I need to override that and
sometimes I like to leave it in

161
00:08:38,390 --> 00:08:44,590
here and comment out the default line and
add my own line.

162
00:08:44,590 --> 00:08:47,790
That way I can remember
what the default was.

163
00:08:47,790 --> 00:08:52,750
So now when I look at it I can see I
set it to no but the default was yes.

164
00:08:52,750 --> 00:08:55,120
So I can kind of remember that.

165
00:08:55,120 --> 00:08:57,660
We've got local enable equals yes.

166
00:08:57,660 --> 00:09:01,660
And that means do I want my local
users to be able to access the system?

167
00:09:01,660 --> 00:09:05,540
These are the users that are defined
in /etc/passwd.

168
00:09:05,540 --> 00:09:07,240
Those are the local Unix users.

169
00:09:07,240 --> 00:09:11,240
If I'm going to require authentication,
anonymous enable equals no.

170
00:09:11,240 --> 00:09:15,810
So if I require authentication, where do
the user names and passwords come from?

171
00:09:15,810 --> 00:09:19,930
Well, they come from your local users,
the /etc/passwd

172
00:09:19,930 --> 00:09:23,440
file and
we need to enable that.

173
00:09:23,440 --> 00:09:26,660
If I set this to no,
I'm not allowing anonymous, and

174
00:09:26,660 --> 00:09:31,360
I'm not allowing my users,
I just made a server that doesn't work.

175
00:09:31,360 --> 00:09:34,170
But if I wanna force
the server to be anonymous,

176
00:09:34,170 --> 00:09:36,410
maybe I only want anonymous
people to connect.

177
00:09:36,410 --> 00:09:40,070
I would say anonymous enable equals yes,
and local enable equals no.

178
00:09:40,070 --> 00:09:42,890
And that way my users can't
provide their own credentials and

179
00:09:42,890 --> 00:09:44,280
start running around the server.

180
00:09:44,280 --> 00:09:46,320
Okay so again,

181
00:09:46,320 --> 00:09:50,400
we have to kind of tailor this to meet
the needs of what we're trying to achieve.

182
00:09:50,400 --> 00:09:52,590
Same thing goes down here for
this write enable.

183
00:09:52,590 --> 00:09:58,260
By default, it's going to obey the access
control lists in the file system

184
00:09:58,260 --> 00:09:59,880
If a user is authenticated.

185
00:09:59,880 --> 00:10:03,000
If a user is anonymous,
that creates a bit of a problem, right?

186
00:10:03,000 --> 00:10:06,370
And there might be permissions on the file
system for the other group and so

187
00:10:06,370 --> 00:10:07,880
they get access to that.

188
00:10:07,880 --> 00:10:11,140
But I might want to just
completely block writes for

189
00:10:11,140 --> 00:10:13,430
the whole server regardless of ACLs.

190
00:10:13,430 --> 00:10:16,350
And so we can change that
right here with write enable.

191
00:10:17,620 --> 00:10:21,770
After that the rest of these options
are not ones that we normally

192
00:10:21,770 --> 00:10:23,260
have to manipulate too much.

193
00:10:23,260 --> 00:10:27,460
You will notice this option here for
anonymous uploads.

194
00:10:27,460 --> 00:10:28,910
So we can enable the ability for

195
00:10:28,910 --> 00:10:32,670
anonymous uploads that would be like
an anonymous user writing into the system.

196
00:10:32,670 --> 00:10:38,430
If I leave write enable yes, and
then I set anon upload enable to no,

197
00:10:38,430 --> 00:10:41,970
then that will effectively make it
where authenticated users can write but

198
00:10:41,970 --> 00:10:43,230
anonymous users can't.

199
00:10:43,230 --> 00:10:48,250
So we can kind of find that right
mixture that makes what we needed.

200
00:10:48,250 --> 00:10:50,980
And notice that upload is talking
about files specifically,

201
00:10:50,980 --> 00:10:53,090
make directory is a separate entry.

202
00:10:53,090 --> 00:10:54,160
If I wanna create folders,

203
00:10:54,160 --> 00:10:57,740
you're not really uploading a folder,
you're making it there on the server.

204
00:10:57,740 --> 00:11:00,130
So those are a few other things.

205
00:11:00,130 --> 00:11:03,920
The other setting I want to point out is I
believe way down here towards the bottom

206
00:11:03,920 --> 00:11:07,470
let's jump down here, and
it's the listen command and

207
00:11:07,470 --> 00:11:13,280
what we'll find is right here, listen.

208
00:11:13,280 --> 00:11:17,280
Notice how it says when the listen
directive is enabled vsftpd runs in

209
00:11:17,280 --> 00:11:21,230
standalone mode and
listens on IPv4 sockets.

210
00:11:21,230 --> 00:11:24,650
So right now it's set to no,
what does that mean?

211
00:11:24,650 --> 00:11:29,680
Well, it means that vsftpd
is running as a service.

212
00:11:29,680 --> 00:11:31,620
So I started it as a service.

213
00:11:31,620 --> 00:11:35,930
And it's going to attach to whatever
interfaces the service tells it to.

214
00:11:35,930 --> 00:11:40,520
But if I change this to listen yes,
then I can come through and I can start to

215
00:11:40,520 --> 00:11:46,100
specify a listen address which they don't
actually show an example of in here.

216
00:11:46,100 --> 00:11:47,120
But it would look like this.

217
00:11:47,120 --> 00:11:50,855
If I changed this to listen yes
I can then come in and say,

218
00:11:50,855 --> 00:11:56,695
listen_address= and then I could
specify particular IP addresses.

219
00:11:56,695 --> 00:11:58,420
>> Mm-hm.
>> And if I have five network adapters,

220
00:11:58,420 --> 00:12:01,240
maybe I only wanna listen on
one particular network adapter.

221
00:12:01,240 --> 00:12:02,540
So I could punch it in.

222
00:12:02,540 --> 00:12:04,710
Like that and so
now it's going to be tied to that.

223
00:12:04,710 --> 00:12:07,160
Otherwise, if I leave it in
the default with this listen no,

224
00:12:08,340 --> 00:12:09,450
it doesn't mean it's not listening.

225
00:12:09,450 --> 00:12:11,720
Obviously I was able to
connect to it a moment ago.

226
00:12:11,720 --> 00:12:14,770
It just means that it's going
to bond to every adapter and

227
00:12:14,770 --> 00:12:17,658
listen in on every particular
resource that's available.

228
00:12:17,658 --> 00:12:21,970
That's another setting that we can kind
of manipulate and change right there.

229
00:12:21,970 --> 00:12:26,150
A few different basic configuration
changes to get in place but once those

230
00:12:26,150 --> 00:12:31,090
are done, now I've got the server
functioning the way I want it to function.

231
00:12:31,090 --> 00:12:32,800
And we should be good to go, right?

232
00:12:32,800 --> 00:12:36,550
So really I guess all I changed here
is I turned off anonymous users and

233
00:12:36,550 --> 00:12:38,630
I'm allowing local users to authenticate.

234
00:12:38,630 --> 00:12:40,380
So that's kinda how mine is set up.

235
00:12:40,380 --> 00:12:43,850
Again, yours will be set up however
it is that you want it to be.

236
00:12:43,850 --> 00:12:44,430
>> That's awesome.

237
00:12:44,430 --> 00:12:47,610
So when users connect,
what data do they see, sir?

238
00:12:47,610 --> 00:12:48,740
>> All right so

239
00:12:48,740 --> 00:12:52,370
when a user's gonna connect,
well first off I just made some changes.

240
00:12:52,370 --> 00:12:53,840
And I forgot to restart the server.

241
00:12:53,840 --> 00:12:56,190
So let me restart that
service again real quick.

242
00:12:56,190 --> 00:13:01,324
I'll do a systemctl
restart vsftpd.service.

243
00:13:01,324 --> 00:13:02,680
And so we'll let that restart real quick,
there we go.

244
00:13:02,680 --> 00:13:05,890
Anytime you change the config file
you need to restart the service so

245
00:13:05,890 --> 00:13:07,630
that'll happen,
which means you're kicking users out.

246
00:13:07,630 --> 00:13:08,610
So be aware of that.

247
00:13:08,610 --> 00:13:12,450
There's not really a way to
gracefully restart vsftpd.

248
00:13:12,450 --> 00:13:15,610
But now if a user connects
what are they gonna see?

249
00:13:15,610 --> 00:13:19,600
Well, if they were anonymous users
they are gonna see something a little

250
00:13:19,600 --> 00:13:21,210
bit different when they connect.

251
00:13:21,210 --> 00:13:28,832
When a user logs in what they're
going to see is the /var/ftp folder.

252
00:13:28,832 --> 00:13:34,920
So /var/ftp, that is considered
the home folder for FTP.

253
00:13:34,920 --> 00:13:39,193
And inside of that you'll
see a folder called Pub.

254
00:13:39,193 --> 00:13:41,920
And that's cuz it's the Public folder.

255
00:13:41,920 --> 00:13:46,180
And so normally, the Public folder
will have anonymous access and

256
00:13:46,180 --> 00:13:49,080
then a regular user when they
log in they would see Pub but

257
00:13:49,080 --> 00:13:52,580
they would also be able to see their
home directory so they can browse them.

258
00:13:52,580 --> 00:13:54,820
An anonymous user wouldn't see
users home directories but

259
00:13:54,820 --> 00:13:59,170
a user would and I didn't actually
turn on the home directory option,

260
00:13:59,170 --> 00:14:02,590
because FTP's not really secure, so
we don't usually wanna use it for that.

261
00:14:02,590 --> 00:14:06,060
But you might've noticed that option
when I was in the config file.

262
00:14:06,060 --> 00:14:10,910
Let me go back into the config file,
and kinda hunt for it here.

263
00:14:10,910 --> 00:14:15,630
We'll see right here, whether we want
it to allow local users to log in.

264
00:14:15,630 --> 00:14:19,130
And see how it says that we have
to set that SELinux option for

265
00:14:19,130 --> 00:14:24,140
FTP home directory that we have to allow
that access, that it will actually try and

266
00:14:24,140 --> 00:14:27,580
provide that access to their home
directory and give them that.

267
00:14:27,580 --> 00:14:30,680
And an anonymous user wouldn't see that.

268
00:14:30,680 --> 00:14:33,740
Now, I've disabled anonymous
users in my system.

269
00:14:33,740 --> 00:14:41,420
So if I were to FTP in right now and
authenticate with my user account, right?

270
00:14:41,420 --> 00:14:43,730
I go and log in,
I get a successful log in.

271
00:14:43,730 --> 00:14:47,000
And if I do a pwd, see where I'm at?

272
00:14:47,000 --> 00:14:49,070
/home/dpezet.

273
00:14:49,070 --> 00:14:52,220
I'm not in /var/ftp.

274
00:14:52,220 --> 00:14:54,730
That's what an anonymous user would see.

275
00:14:54,730 --> 00:14:57,370
An authenticated user will
see their home directory.

276
00:14:57,370 --> 00:14:58,830
And here I am in my home directory.

277
00:14:58,830 --> 00:15:01,570
If I had a documents folder or pictures or

278
00:15:01,570 --> 00:15:03,670
whatever I'd see all
that stuff right here.

279
00:15:03,670 --> 00:15:10,000
And then I could always switch out
into another directory like /var/ftp.

280
00:15:10,000 --> 00:15:11,420
And I'll see it right there.

281
00:15:11,420 --> 00:15:13,110
And there's the pub folder and
I have access.

282
00:15:13,110 --> 00:15:16,310
But really because I authenticated
with my user account

283
00:15:16,310 --> 00:15:20,410
I have access to whatever I would
normally have access to, right?

284
00:15:20,410 --> 00:15:23,585
I can browse into /etc,
I can browse all over the file system

285
00:15:23,585 --> 00:15:24,120
>> Mm-hm.

286
00:15:24,120 --> 00:15:29,540
>> And if I have access in the file
system, then I have access in FTP as well.

287
00:15:29,540 --> 00:15:33,240
And because it's non-secure, that's where
the real risk of this starts to come in,

288
00:15:33,240 --> 00:15:36,580
is if I start pulling files they're
being transferred in plain text.

289
00:15:36,580 --> 00:15:38,680
So that's why a lot of
people will disable this.

290
00:15:38,680 --> 00:15:41,490
But at this point I am connected and
I can see it.

291
00:15:41,490 --> 00:15:43,220
If I was an anonymous user though?

292
00:15:43,220 --> 00:15:47,140
I would just see /var/ftp and
what's inside of it.

293
00:15:47,140 --> 00:15:50,290
I would see the pub folder and then
the other things inside of it. If you've

294
00:15:50,290 --> 00:15:52,860
ever connected to an Internet FTP server,
you're probably familiar with that.

295
00:15:52,860 --> 00:15:55,819
You see that pub folder and other things.

296
00:15:55,819 --> 00:15:59,550
So, for example, here,
you know what, let me do,

297
00:15:59,550 --> 00:16:02,811
here I will FTP to one of
the universities here.

298
00:16:02,811 --> 00:16:04,742
I'll do usf.edu.

299
00:16:04,742 --> 00:16:07,269
So, I'm going to connect to their server,

300
00:16:07,269 --> 00:16:10,650
and I'm going to log in as
an anonymous user, all right?

301
00:16:10,650 --> 00:16:13,730
And they usually expect your
email address as a simple password.

302
00:16:13,730 --> 00:16:19,680
When I connect, I can see some folders and
there's that pub folder, right?

303
00:16:19,680 --> 00:16:23,870
And I don't see the whole file system,
I'm in their /var/ftp.

304
00:16:23,870 --> 00:16:24,480
>> Right.

305
00:16:24,480 --> 00:16:25,755
>> And that I can go in to pub, and

306
00:16:25,755 --> 00:16:28,980
I start to see the things that they've
shared out, their resources and

307
00:16:28,980 --> 00:16:33,430
things like that. So that's the way that
works and the users get their access.
works and the users get their access.

308
00:16:34,970 --> 00:16:38,500
There are some things that we can
kind of manipulate and change that,

309
00:16:38,500 --> 00:16:40,900
but for the most part that's kind of
the behavior that we want for FTP.

310
00:16:40,900 --> 00:16:43,750
If you're anonymous you get this
particular set of files we're going to

311
00:16:43,750 --> 00:16:45,980
make available, if you're a regular user,

312
00:16:45,980 --> 00:16:48,960
you get the same access you'd have if
you were sitting down at the machine.

313
00:16:48,960 --> 00:16:53,630
>> So is there a way after all
this to monitor people's access?

314
00:16:53,630 --> 00:16:56,440
>> Yeah and you know if you're
allowing users to login,

315
00:16:56,440 --> 00:16:58,635
you probably want to be able
to monitor to keep track,

316
00:16:58,635 --> 00:17:01,560
because if somebody starts poking
around the file system looking for

317
00:17:01,560 --> 00:17:05,330
stuff they shouldn't be looking for,
you want to keep a record of that.

318
00:17:05,330 --> 00:17:08,270
Logging for this is I believe
it's turned off by default.

319
00:17:08,270 --> 00:17:09,010
Let's go and check.

320
00:17:09,010 --> 00:17:11,870
I'm going to go back into
the configuration file.

321
00:17:11,870 --> 00:17:16,800
So /etc/vsftpd/vsftpd.conf.

322
00:17:16,800 --> 00:17:21,370
And in here's a little entry for
transfer logs.

323
00:17:21,370 --> 00:17:23,790
It's actually called xferlog
if I can find it,

324
00:17:23,790 --> 00:17:25,670
I would scroll right past it, right here.

325
00:17:25,670 --> 00:17:29,120
See how it says activate logging
of uploads and downloads, xferlog

326
00:17:29,120 --> 00:17:30,910
enable equals yes.

327
00:17:30,910 --> 00:17:33,180
I was wrong, it is turned on by default.

328
00:17:33,180 --> 00:17:34,650
The logging is on.

329
00:17:34,650 --> 00:17:38,320
Double check that though because I've
seen systems where it is off by default.

330
00:17:38,320 --> 00:17:44,360
You need to turn it on before the users
get in otherwise it defeats the purpose.

331
00:17:44,360 --> 00:17:45,830
That'll turn on transfer logging, so

332
00:17:45,830 --> 00:17:49,020
now any time a user accesses a file,
it'll get logged.

333
00:17:49,020 --> 00:17:50,960
If they upload something,
it'll get logged.

334
00:17:50,960 --> 00:17:55,156
And right down beneath that, it tells
us where it's going to store that.

335
00:17:55,156 --> 00:17:57,430
/var/log/xferlog.

336
00:17:57,430 --> 00:18:00,670
Right, and so that's where the transfer
log is going be stored, and so

337
00:18:00,670 --> 00:18:01,420
we can browse in there.

338
00:18:01,420 --> 00:18:04,510
There's a few other options in here
that'll let us tweak the format

339
00:18:04,510 --> 00:18:05,215
of that file.

340
00:18:05,215 --> 00:18:07,470
Because there's a few different
ways it can be stored, but

341
00:18:07,470 --> 00:18:10,250
otherwise it's going to
log that data in there.

342
00:18:10,250 --> 00:18:15,310
And I doubt I have anything, because I
haven't actually transferred anything yet.

343
00:18:15,310 --> 00:18:19,970
But let's take a look at my log file and
see if it's got anything in it.

344
00:18:19,970 --> 00:18:20,690
Yeah, it's empty.

345
00:18:20,690 --> 00:18:23,150
I haven't actually transferred any files,
right?

346
00:18:23,150 --> 00:18:25,610
But if I start to transfer files,
they'll get logged in there and

347
00:18:25,610 --> 00:18:28,970
now I can keep a record of
who accessed what and when.

348
00:18:28,970 --> 00:18:35,268
So it's a nice little documented trail
right there in /var/log/xferlog.

349
00:18:35,268 --> 00:18:39,640
>> So is this also a way to tell
how many users are actually in FTP?

350
00:18:39,640 --> 00:18:42,440
>> You could, yeah, you would actually,

351
00:18:42,440 --> 00:18:45,600
well you won't see somebody if they
just logged in or sitting there.

352
00:18:45,600 --> 00:18:46,100
Right?
>> Right.

353
00:18:46,100 --> 00:18:47,440
>> If they were just kinda like browsing

354
00:18:47,440 --> 00:18:49,470
through the file systems.
>> So they have to be active?

355
00:18:49,470 --> 00:18:51,870
>> Right, in transference,
we would know that.

356
00:18:51,870 --> 00:18:55,950
Otherwise, if you want to see how many
people are connected, do a netstat.

357
00:18:55,950 --> 00:18:58,070
netstat -an and it will show
every connection that you got.

358
00:18:58,070 --> 00:18:59,500
>> There you go.

359
00:18:59,500 --> 00:19:00,400
>> Port 21.

360
00:19:00,400 --> 00:19:04,790
Remember that FTP actually uses two ports,
port 20 and port 21.

361
00:19:04,790 --> 00:19:07,670
You connect on 21 and
it does data transfers on 20.

362
00:19:07,670 --> 00:19:10,470
We can just look for
how many connections we have on 21, and

363
00:19:10,470 --> 00:19:13,740
that will tell you how many people
are connected to the servers.

364
00:19:13,740 --> 00:19:16,370
There are a few different
ways to get that data, but

365
00:19:16,370 --> 00:19:18,470
that information is all right out there.

366
00:19:18,470 --> 00:19:22,750
>> So the next step, is there a way
to restrict who is in the server?

367
00:19:22,750 --> 00:19:25,680
>> Yeah, yeah, you know so
with local users turned on like I've got,

368
00:19:25,680 --> 00:19:29,250
right now anybody,
who has a local user could connect.

369
00:19:29,250 --> 00:19:33,830
So if I take a look at /etc/passwd,

370
00:19:33,830 --> 00:19:37,010
I don't have a bunch
of users created do I?

371
00:19:37,010 --> 00:19:39,550
Just D Pezet,
of course these are all defaults, but

372
00:19:39,550 --> 00:19:44,860
if I had 50 users, all 50 would be able
to use FTP and I might not want that.

373
00:19:44,860 --> 00:19:48,200
So there's a few ways to
kind of restrict this.

374
00:19:48,200 --> 00:19:52,310
And so we can go in and
kind of change that behavior if we want.

375
00:19:52,310 --> 00:19:54,995
Inside of the configuration file,
let me get back to that,

376
00:19:54,995 --> 00:19:59,785
[COUGH] there was an entry in here
that referred to a user list.

377
00:19:59,785 --> 00:20:05,935
And let me just find it and that’s not it.

378
00:20:05,935 --> 00:20:10,245
There should be an entry in here
that refers to the user list.

379
00:20:10,245 --> 00:20:13,515
And it’s not in here.

380
00:20:13,515 --> 00:20:14,685
All right we'll have to add it.

381
00:20:14,685 --> 00:20:16,776
So there’s an extra entry that we can add.

382
00:20:16,776 --> 00:20:18,559
>> [LAUGH]
>> I thought it was in here.

383
00:20:18,559 --> 00:20:20,120
But we can tack on to this.

384
00:20:20,120 --> 00:20:23,460
That lets us manipulate who's
allowed to access the system.

385
00:20:23,460 --> 00:20:28,150
And so I'm going to add an entry in
here that says user_list equals, and

386
00:20:28,150 --> 00:20:33,220
then in the user list, I'm sorry,
it's userlist_enable equals,

387
00:20:33,220 --> 00:20:36,230
and then I can set it to either yes or
no, all right.

388
00:20:36,230 --> 00:20:39,020
And I am screwing this one up.

389
00:20:39,020 --> 00:20:43,354
It's user underscore, sorry,

390
00:20:43,354 --> 00:20:49,630
user [LAUGH] user list underscore
enable equals yes, there we go.

391
00:20:49,630 --> 00:20:51,280
>> That’s it.
>> That’s the setting supposed to be

392
00:20:51,280 --> 00:20:54,420
there, which means I searched for
it wrong.

393
00:20:54,420 --> 00:20:57,660
I thought it was in here.

394
00:20:57,660 --> 00:20:59,501
There it is.
Way down at the bottom.

395
00:20:59,501 --> 00:21:01,550
>> [LAUGH] Initially you
said it was down there.

396
00:21:01,550 --> 00:21:02,350
>> Sorry about that guys.

397
00:21:02,350 --> 00:21:03,980
All the way down at the bottom.

398
00:21:03,980 --> 00:21:05,080
User list enabled equals yes.

399
00:21:05,080 --> 00:21:05,710
So it was already set.

400
00:21:05,710 --> 00:21:07,690
I didn't have to scroll that up.

401
00:21:07,690 --> 00:21:12,290
This setting right here is telling it that
we have a file called a user list, and

402
00:21:12,290 --> 00:21:16,880
the user list is dictating who I want
to be allowed to access the system.

403
00:21:16,880 --> 00:21:19,250
Well, it's kind of funny, because
there's two different settings here.

404
00:21:19,250 --> 00:21:19,780
It can be yes or no.

405
00:21:19,780 --> 00:21:23,910
And if it's set to yes then
what's going to happen.

406
00:21:23,910 --> 00:21:26,288
Actually what's going to happen is
I'm going to screw the system up,

407
00:21:26,288 --> 00:21:28,200
because I've got two different
userlist entries now.

408
00:21:28,200 --> 00:21:29,620
So let me get rid of the one that I added.

409
00:21:29,620 --> 00:21:31,620
So I'll just get rid of that one.

410
00:21:31,620 --> 00:21:34,340
So right now userlist is set to yes.

411
00:21:34,340 --> 00:21:38,996
And what that means is that
whenever somebody connects,

412
00:21:38,996 --> 00:21:43,847
it's going to take a look
at /etc/vsftpd/user_list,

413
00:21:43,847 --> 00:21:47,800
it's going to take a look at that file.

414
00:21:47,800 --> 00:21:51,900
And if I look at that file, it's not very
spectacular, because it should be empty.

415
00:21:51,900 --> 00:21:54,510
And it's not empty, actually.

416
00:21:54,510 --> 00:21:56,560
So when I pull up that user list,

417
00:21:56,560 --> 00:22:01,450
this is a list of users that
are not being allowed access.

418
00:22:01,450 --> 00:22:03,470
These are users that are being blocked.

419
00:22:03,470 --> 00:22:07,670
See root, bin, daemon, adm,
these are service accounts, right?

420
00:22:07,670 --> 00:22:10,720
Service accounts we don't
want to be able to log in.

421
00:22:10,720 --> 00:22:12,520
My user account, D Pezet,
is not in this list.

422
00:22:12,520 --> 00:22:17,540
So I'm not being blocked, so this is
blocking people from accessing the system.

423
00:22:17,540 --> 00:22:19,380
And notice the two
different settings here.

424
00:22:19,380 --> 00:22:24,910
User list deny equals no, or
user list deny equals yes, right?

425
00:22:24,910 --> 00:22:26,630
Deny equals yes is the default.

426
00:22:26,630 --> 00:22:32,410
And that means, anybody in this list gets
denied, everybody else gets allowed.

427
00:22:32,410 --> 00:22:36,800
So right now, anybody I add to that
passwd file is going to be allowed.

428
00:22:36,800 --> 00:22:42,070
If I want the opposite behavior,
if I want to block everybody, and

429
00:22:42,070 --> 00:22:49,190
only approve specific people, then I
would set userlist_deny to equal no.

430
00:22:49,190 --> 00:22:51,900
And then what would
happen is this list would

431
00:22:51,900 --> 00:22:55,310
just be the people I want to allow, right?

432
00:22:55,310 --> 00:22:56,370
So it's a different behavior.

433
00:22:56,370 --> 00:22:57,640
I'm kind of reversing it.

434
00:22:57,640 --> 00:22:59,170
So you need to think about your goal.

435
00:22:59,170 --> 00:23:02,260
Do you want most of your
users to be able to log in or

436
00:23:02,260 --> 00:23:04,190
are you setting it up just for you to use?

437
00:23:04,190 --> 00:23:07,830
Maybe I want FTP to run on this
server just for me to use.

438
00:23:07,830 --> 00:23:12,800
So I would set userlist_deny to no,
and I would change this list to

439
00:23:12,800 --> 00:23:15,820
just have my username in it,
just D Pezet and that's it.

440
00:23:15,820 --> 00:23:19,640
And now I would be able to use it,
everybody else would be denied.

441
00:23:19,640 --> 00:23:22,580
So that's one way that we can go in and
we can kind of restrict this.

442
00:23:22,580 --> 00:23:26,470
It's got two different modes though,
and that gets a little confusing.

443
00:23:26,470 --> 00:23:29,300
So there is some risk with
this if you mis-configure it,

444
00:23:29,300 --> 00:23:32,390
you could configure it the wrong way and
that could kind of mess things up right.

445
00:23:32,390 --> 00:23:33,720
So, there was another file,

446
00:23:33,720 --> 00:23:38,170
you might have noticed this FTP
users file right here, okay?

447
00:23:38,170 --> 00:23:42,399
The FTP users file overrides
that user list and

448
00:23:42,399 --> 00:23:47,061
you can put people inside
of the FTP users file, and

449
00:23:47,061 --> 00:23:54,233
these people will always be blocked
regardless of the status of the user list.

450
00:23:54,233 --> 00:23:58,185
Whether the user list is enabled or
disabled, whether userlist deny is yes

451
00:23:58,185 --> 00:24:02,660
or no, these people will always be blocked and
if you look, here's the service accounts.

452
00:24:02,660 --> 00:24:06,953
I actually expected user list to be
empty because I knew that FTP users is

453
00:24:06,953 --> 00:24:08,360
populated.

454
00:24:08,360 --> 00:24:12,170
So these are people that
are expressly not allowed to log in.

455
00:24:12,170 --> 00:24:14,630
So I've kind of got it written
down in configuration here.

456
00:24:14,630 --> 00:24:19,060
I don't need the other people in
my user list file like I've got.

457
00:24:19,060 --> 00:24:21,680
But this allows us to
restrict that access and

458
00:24:21,680 --> 00:24:24,370
make sure,
you don't want your root user logging in.

459
00:24:24,370 --> 00:24:26,690
Because their password's gonna
be sent in plain text and

460
00:24:26,690 --> 00:24:28,440
that would be really bad, right?

461
00:24:28,440 --> 00:24:30,010
These other people are services.

462
00:24:30,010 --> 00:24:32,080
You don't want services logging in,
that doesn't make sense,

463
00:24:32,080 --> 00:24:32,980
they shouldn't do that.

464
00:24:32,980 --> 00:24:35,130
So these are just
an increased attack surface.

465
00:24:35,130 --> 00:24:37,060
So let's just block them all right here,
and

466
00:24:37,060 --> 00:24:40,720
it stops people from being able to access
the system and use those accounts.

467
00:24:40,720 --> 00:24:44,330
So that's another way that we can do that.

468
00:24:44,330 --> 00:24:47,660
One more thing that's worth pointing out
here is remember that when I logged in as

469
00:24:47,660 --> 00:24:50,000
myself I had access to
the whole file system.

470
00:24:50,000 --> 00:24:53,470
So anything that I had permission to
in the file system I had permission

471
00:24:53,470 --> 00:24:54,970
to in FTP.

472
00:24:54,970 --> 00:24:59,914
Well I can actually leverage SELinux
to control what access I have.

473
00:24:59,914 --> 00:25:02,214
And there's a few ways
that we can leverage that.

474
00:25:02,214 --> 00:25:08,920
But inside of the VSFTPD
configuration file.

475
00:25:08,920 --> 00:25:14,140
If you go in there there's
an option in there about chroot.

476
00:25:14,140 --> 00:25:15,850
And let me just find it here.

477
00:25:15,850 --> 00:25:20,570
Here it is, chroot local user equals
yes, chroot list enabled equals yes.

478
00:25:20,570 --> 00:25:24,440
These different settings right here and
what these are doing is saying when

479
00:25:24,440 --> 00:25:29,620
somebody FTPs in we can change their
root instead of their root for

480
00:25:29,620 --> 00:25:35,580
the file system being /, I could
make it where /home/dpezet was my root,

481
00:25:35,580 --> 00:25:38,460
and so when I logged in,
that's all I would see.

482
00:25:38,460 --> 00:25:41,450
I wouldn't be able to navigate
outside of that file system.

483
00:25:41,450 --> 00:25:44,150
I would just be stuck right
there in my home directory.

484
00:25:44,150 --> 00:25:47,270
And so by enabling chroot local user yes,

485
00:25:47,270 --> 00:25:49,920
by taking away that little hash mark,
I can do that.

486
00:25:49,920 --> 00:25:54,010
I can tie people just right
to that one folder and

487
00:25:54,010 --> 00:25:57,610
now I don't have to worry about
them roaming the file system and

488
00:25:57,610 --> 00:25:59,700
worry about checking the transfer logs and
all that.

489
00:25:59,700 --> 00:26:01,650
Because they're just tied
to their home directory.

490
00:26:01,650 --> 00:26:06,420
So that's another way that we can
kind of restrict the file system.

491
00:26:06,420 --> 00:26:08,260
And I said SELinux.

492
00:26:08,260 --> 00:26:11,480
SELinux does play a part in this,
but this setting will actually work

493
00:26:11,480 --> 00:26:14,220
even without SELinux, so
you don't have to have it.

494
00:26:14,220 --> 00:26:18,002
But if you do SELinux will actually help
to enforce that home directory lock down.

495
00:26:18,002 --> 00:26:19,746
And so they kind of work together.

496
00:26:19,746 --> 00:26:22,829
So it's another neat way that we
can kind of restrict things and

497
00:26:22,829 --> 00:26:24,640
get that tied together.

498
00:26:24,640 --> 00:26:28,390
>> Don,
does SELinux interfere with vsftpd?

499
00:26:28,390 --> 00:26:31,983
>> It does, so here it's kind of
working together supporting us.

500
00:26:31,983 --> 00:26:37,072
But it will actually interfere with
people's access to the rest of the file

501
00:26:37,072 --> 00:26:42,600
system because the vsftpd daemon, it's
only got access to so much stuff right.

502
00:26:42,600 --> 00:26:46,490
For regular users it's not a problem
because it's running under the regular

503
00:26:46,490 --> 00:26:51,790
user context but for anonymous users,
SELinux can cause a lot of trouble right?

504
00:26:51,790 --> 00:26:56,522
If you look at /var/ftp,
if I were to look at

505
00:26:56,522 --> 00:27:02,210
the SELinux context of that folder,
right?

506
00:27:02,210 --> 00:27:03,667
Look at the context for it.

507
00:27:03,667 --> 00:27:07,500
It's public_content_t.

508
00:27:07,500 --> 00:27:09,620
That context right there, okay?

509
00:27:09,620 --> 00:27:13,930
Anonymous users will only
be able to access folders

510
00:27:13,930 --> 00:27:17,870
that have the public_content_t
context type.

511
00:27:17,870 --> 00:27:21,100
If it doesn't have that
SELinux will block them.

512
00:27:21,100 --> 00:27:25,940
So if I wanna give my anonymous
users access to some other folder,

513
00:27:25,940 --> 00:27:27,960
I'll need to change the security context.

514
00:27:27,960 --> 00:27:30,620
And remember we can do that with chcon.

515
00:27:30,620 --> 00:27:33,880
You can say chcon -R to make it recursive.

516
00:27:33,880 --> 00:27:36,800
And then we can point that at a folder.

517
00:27:36,800 --> 00:27:43,560
We can say -t public_content_t to tell it
the context type that we wanna change to.

518
00:27:43,560 --> 00:27:46,710
And then after that we just
tell it whatever the path is

519
00:27:46,710 --> 00:27:48,050
that we're trying to authorize.

520
00:27:48,050 --> 00:27:51,860
And that's going to allow anonymous users
to be able to get into that path as well.

521
00:27:51,860 --> 00:27:54,500
If you're not using anonymous
user like I turned it off on mine

522
00:27:54,500 --> 00:27:56,360
then I effectively don't have
to worry about SELinux.

523
00:27:56,360 --> 00:27:58,438
It's not really going to mess
with anything that I've got.

524
00:27:58,438 --> 00:28:02,035
But if I'm doing anonymous users it
does become a bit of a problem and

525
00:28:02,035 --> 00:28:04,319
that's what we'll have to sort through.

526
00:28:04,319 --> 00:28:07,224
>> Don I've been wanting to
ask this question for a while.

527
00:28:07,224 --> 00:28:11,456
Can we use encryption in vsftpd?

528
00:28:11,456 --> 00:28:15,680
>> So yes the short answer is yes right?

529
00:28:15,680 --> 00:28:16,200
>> But.

530
00:28:16,200 --> 00:28:18,903
[LAUGH]
>> But we had that question in the chat

531
00:28:18,903 --> 00:28:23,090
room there Stanley was asking does FTP
always send the password in the clear.

532
00:28:23,090 --> 00:28:25,570
And the answer is normally yes.

533
00:28:25,570 --> 00:28:29,680
By default FTP is sending everything in
plain text including your passwords, and

534
00:28:29,680 --> 00:28:31,120
that's bad.

535
00:28:31,120 --> 00:28:34,330
So in the early days, they tried
to come up with a solution for it.

536
00:28:34,330 --> 00:28:39,900
And the solution they came up with
was let's stick SSL onto FTP, right.

537
00:28:39,900 --> 00:28:45,650
And so they created FTPS or file
transfer protocol/secure software layer.

538
00:28:45,650 --> 00:28:50,760
And FTPS was really just using our
web security standards on top of FTP.

539
00:28:50,760 --> 00:28:55,230
And you might have noticed the option as
I was scrolling through the config file.

540
00:28:55,230 --> 00:28:56,430
I kind of went fast.

541
00:28:56,430 --> 00:29:00,570
But if we hunt in here wow
the option doesn't even show up.

542
00:29:00,570 --> 00:29:03,940
All right so I'm not seeing the option but
you can come in here and add.

543
00:29:03,940 --> 00:29:07,109
I'll just go down to the bottom and
show you what it would look like.

544
00:29:07,109 --> 00:29:11,785
We can come in here and we can add and

545
00:29:11,785 --> 00:29:16,467
say ssl_enable=yes.

546
00:29:16,467 --> 00:29:20,238
And then after that we would follow it up
with a series of other commands that would

547
00:29:20,238 --> 00:29:23,953
tell it where to find the certificate
file, and whether we require the SSL, and

548
00:29:23,953 --> 00:29:26,320
so on we could specify these other things.

549
00:29:26,320 --> 00:29:29,960
All right and that would create
a more secure version of vsftpd.

550
00:29:29,960 --> 00:29:35,203
Now you might ask yourself
why is that option not here?

551
00:29:35,203 --> 00:29:36,284
>> Why is this option not here?

552
00:29:36,284 --> 00:29:37,577
[LAUGH]
>> And

553
00:29:37,577 --> 00:29:41,805
the short answer is that
FTPS is very uncommon.

554
00:29:41,805 --> 00:29:44,085
It is not supported by many clients.

555
00:29:44,085 --> 00:29:46,115
So if you have clients like Filezilla?

556
00:29:46,115 --> 00:29:48,155
It doesn't have FTPS support.

557
00:29:48,155 --> 00:29:51,655
And Filezilla is probably one of
the most popular FTP clients out there.

558
00:29:51,655 --> 00:29:57,145
So, it's not very widely supported and
is not very efficient, it's not great.

559
00:29:57,145 --> 00:30:00,840
It's great for web pages, the SSL is great
for web pages because it's small content.

560
00:30:00,840 --> 00:30:04,700
With FTP it could be large data sets and
it's just not very efficient so

561
00:30:04,700 --> 00:30:06,850
it didn't catch on and
it kinda died out so

562
00:30:06,850 --> 00:30:10,840
much to the point that the sample config
is not even here in this file right.

563
00:30:10,840 --> 00:30:18,550
So instead FTPS was very
rapidly replaced with SFTP.

564
00:30:18,550 --> 00:30:24,350
SFTP is secure file transfer protocol, and
SFTP is actually using two things.

565
00:30:24,350 --> 00:30:29,900
It uses SSH to build a tunnel, and then it
uses FTP to transfer files on top of it.

566
00:30:29,900 --> 00:30:34,580
And really it kind of works inline
with another protocol called SCP,

567
00:30:34,580 --> 00:30:35,970
Secure Copy Protocol.

568
00:30:35,970 --> 00:30:37,810
Those both use SSH.

569
00:30:37,810 --> 00:30:39,990
So SSH is taking care of the encryption.

570
00:30:39,990 --> 00:30:43,170
It's very efficient at it and
builds a nice secure communication,

571
00:30:43,170 --> 00:30:45,200
does certificate based authentication.

572
00:30:45,200 --> 00:30:48,505
And then you're able to move your file
transfer over and it's very secure.

573
00:30:48,505 --> 00:30:53,595
So the short answer is yes we
could make vsftpd do encryption but

574
00:30:53,595 --> 00:30:55,515
the long answer is you
don't want to do that.

575
00:30:55,515 --> 00:30:58,085
You don't want to do that because
it's not widely supported and

576
00:30:58,085 --> 00:31:01,035
you're gonna have a hard time finding
clients that can connect to it.

577
00:31:01,035 --> 00:31:05,635
So instead if you wanna do a secure
connection, you wanna do SFTP instead.

578
00:31:05,635 --> 00:31:08,755
And we're gonna tackle that in a separate
episode, actually the next episode we film

579
00:31:08,755 --> 00:31:13,730
I'll show you how to set up an SFTP server
and that's kinda the way of the future.

580
00:31:13,730 --> 00:31:16,734
Now, you might ask yourself-
>> [LAUGH]

581
00:31:16,734 --> 00:31:18,370
>> If that's the way of the future,

582
00:31:18,370 --> 00:31:21,590
why did we just waste all this time
talking about regular old FTP?

583
00:31:21,590 --> 00:31:23,804
And the answer to that is,

584
00:31:23,804 --> 00:31:29,553
secure file transfer protocol
requires a username and a password.

585
00:31:29,553 --> 00:31:30,234
Or a certificate.

586
00:31:30,234 --> 00:31:35,890
So there is no anonymous authentication
with SFTP, you can't do that.

587
00:31:35,890 --> 00:31:39,540
If I have files that I want to
make available to anonymous users.

588
00:31:39,540 --> 00:31:42,790
If I'm a software company and I want
people to be able to download content,

589
00:31:42,790 --> 00:31:47,200
having an anonymous public access FTP
server is one of the most efficient and

590
00:31:47,200 --> 00:31:49,130
widely supported ways to do it.

591
00:31:49,130 --> 00:31:53,010
And that's how we see FTP
servers used the most today.

592
00:31:53,010 --> 00:31:57,365
Dell has all of their drivers available
for download via an FTP site.

593
00:31:57,365 --> 00:32:00,915
Microsoft had all their security
patches via an FTP site.

594
00:32:00,915 --> 00:32:03,130
Now they've got it all behind their wall.

595
00:32:03,130 --> 00:32:07,330
But a lot of vendors still do that,
they make things

596
00:32:07,330 --> 00:32:11,760
publicly available via an FTP site so you
can get them and quickly transfer them.

597
00:32:11,760 --> 00:32:14,030
Secure FTP requires authentication.

598
00:32:14,030 --> 00:32:17,420
That's not good for
anonymous connectivity like that.

599
00:32:17,420 --> 00:32:19,690
You could create a shared username and
password, but

600
00:32:19,690 --> 00:32:22,200
now other people could attack that.

601
00:32:22,200 --> 00:32:25,370
And find a way to decrypt that data,
cuz there's a shared account, right?

602
00:32:25,370 --> 00:32:26,990
So that defeats the whole purpose.

603
00:32:26,990 --> 00:32:32,250
So if we want secure personal
communications, SFTP is the way to go.

604
00:32:32,250 --> 00:32:35,590
If we want public
anonymous communications,

605
00:32:35,590 --> 00:32:37,480
regular FTP is the way to go.

606
00:32:37,480 --> 00:32:40,720
So that's kind of the deciding
factor there, but we'll cover both,

607
00:32:40,720 --> 00:32:42,730
we'll cover SFTP in a follow up episode.

608
00:32:42,730 --> 00:32:45,460
>> That's because Don you're amazing,
and you are so very thorough,

609
00:32:45,460 --> 00:32:48,570
configuring an FTP Server.

610
00:32:48,570 --> 00:32:50,570
Anything else you would like to add?

611
00:32:50,570 --> 00:32:53,680
>> The main thing is once this is up and
running you just need to monitor it,

612
00:32:53,680 --> 00:32:57,565
keep track of it and just make sure
you pay attention to that user list,

613
00:32:57,565 --> 00:32:59,430
updating permissions and privileges.

614
00:32:59,430 --> 00:33:01,006
After that it pretty
much just runs itself.

615
00:33:01,006 --> 00:33:04,515
>> Thanks Don,
becoming a Linux server administrator,

616
00:33:04,515 --> 00:33:07,915
there are lots of videos in this series,
make sure you watch each and

617
00:33:07,915 --> 00:33:09,615
every episode,
you'll be very glad that you did.

618
00:33:09,615 --> 00:33:15,445
And thank you for watching ITProTV,
remember a good IT pro is always learning.

619
00:33:15,445 --> 00:33:17,125
I'm Zach Memos.

620
00:33:17,125 --> 00:33:17,802
>> And I'm Don Pezet.

621
00:33:17,802 --> 00:33:19,859
>> And we'll see you soon.

622
00:33:19,859 --> 00:33:25,713
[MUSIC]

623
00:33:25,713 --> 00:33:28,694
>> Thank you for watching ITPro.TV.


