FTP

FTP (File Transfer Protocol) is a TCP protocol used for downloading files between computers, and it works on a client/server model. The server component, called the FTP daemon, listens for client requests, handles logins, and manages the connection throughout the session. FTP supports two access modes:

1. Anonymous: Users log in using a default account (usually "anonymous" or "ftp") and provide an email address as the password.

2. Authenticated: Users must have an account and password, but this method is insecure and not recommended.

FTP does not encrypt data or credentials, making it vulnerable to interception. For secure file transfers, SFTP (SSH File Transfer Protocol) should be used. FTP also limits access to server directories based on the permissions of the login account, usually hiding the root directory and showing only the FTP home directory.

---

Installing FTP

we can install the FTP daemon using the following commands :

$> sudo apt install vsftpd

After installation the FTP create the default ftp user and the home directory under /srv/ftp & If you wish to change this location, to /srv/files/ftp for example, simply create a directory in another location and change the ftp user’s home directory:

sudo mkdir -p /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp 

---

Configuring FTP

The config file of ftp is located on /etc/vsftpd.conf we can make default config changes. Now we will edit some configs to make the use cases given below.

Disbaling ANONYMOUS Reads/Writes over FTP

To disable the anonymous access we can edit the config file and set the anonymous_enable & anon_upload_enable to NO .

$> sudo nano /etc/vsftpd.conf

# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO 
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO

This will ensure that only the authenticated users can access the FTP connections to harden the linux security.

---

UFW Configuration

If the environment where ufw is enabled we need to make certain changes to make ftp work smoothly

sudo ufw allow ftp 
## SPECIFIC IP 
sudo ufw allow from 10.10.10.100 to any port 21
sudo ufw allow from 10.10.10.100 to any port 20

By default the FTP servers use the passive mode connections to enable NAT & traversing firewalls for the connections, we need to config the passive_start & passive_end ports to allow them from the firewall to allow FTP completely from UFW

sudo nano /etc/vsftpd.conf

We will need to add the following lines into the config file

pasv_min_port=10000
pasv_max_port=10100

Now we will restart the service to apply the changes

sudo systemctl restart vsftpd.service

Now we will edit the firewall rule to allow this port range for FTP connections so that we can secure the connections using authenticated FTP & UFW

sudo ufw allow 10000:10100/tcp

Now we can see that the authenticated users can connect with ftp

---

Downloading Files locally using FTP

We can either use terminal or softwares like filezilla to download files from the remote ftp server or even from the browser.

$> ftp <IP ADDRESS>
## DOWNLOADING FILES LOCALLY
get <localfile> <remotepath>

We can also use tools like Filezilla & mobaXterm to get the GUI exprience to download and upload files via FTP

---

Uploading files via FTP

We need to do some config file changes to enable remote file upload on the ftp server

sudo nano /etc/vsftpd.conf

Look for the configuration FTP write and uncomment and set the write_enabled parameter value to YES

# Uncomment this to enable any form of FTP write command.
write_enable=YES

Restart the service to apply the changes

sudo systemctl restart vsftpd.service

Uploading files on the remote FTP server

ftp <IP ADDRESS>
## CONNECTION ESTABLISHED
fget <local_file_path> <remote_path>

To upload files we can also use GUI tools like filezilla & mobaXterm to make it easier

---

Securing FTP - Limiting users to Home directory

There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:

chroot_local_user=YES

You can also limit a specific list of users to just their home directories:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd:

sudo systemctl restart vsftpd.service

Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.

---

Encrypting FTP Connections

FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over Secure Socket Layer (SSL). SFTP is a FTP like session over an encrypted SSH connection. A major difference is that users of SFTP need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be ideal for some environments, such as a shared web host. However, it is possible to restrict such accounts to only SFTP and disable shell interaction.

To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:

ssl_enable=YES

Also, notice the certificate and key related options:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

By default these options are set to the certificate and key provided by the ssl-cert package. In a production environment these should be replaced with a certificate and key generated for the specific host.

The below screenshots confirms that the FTPS is configured and now the connections is encrypted between the sender & the reciever with SSL/TLS