Fedora iTOps Tube

Tuesday, November 15, 2011

Installing The TFTP Server Software

Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail.


When searching for the Fedora / Redhat file, remember that the TFTP server RPM's filename usually starts with the word "tftp-server" followed by a version number like this: tftp-server-0.33-3.i386.rpm.


With Debian / Ubuntu, the commonly used HPA TFTP server package has a "tftpd-hpa" prefix, like this: tftpd-hpa_0.40-4.1ubuntu1_i386.deb.

TFTP

Many networking equipment manufacturers allow you to back up live configurations of their devices to centralized servers via the TFTP protocol. TFTP can be used with great versatility as a network management tool and not just for saving files. TFTP servers can be used to upload new configurations to replacement devices after serious hardware failures. They can also be used for uploading new versions of software to be run on network devices. Finally, they can be used to upload even partial configurations, such as files containing updated access control lists (ACLs) that restrict access to networks, and even the regular application of new passwords.


TFTP may not be an application used regularly in a home, but it will become increasingly important in an expanding small office/home office (SOHO) environment which is why the topic is covered here. The provided TFTP examples use equipment from Cisco Systems, a leading networking hardware manufacturer.

Basic Telnet Security

There are a number of things you can do to improve the security of telnet. For example, you should try to ensure that telnet sessions run only over secure internal networks or across VPNs, to reduce the risk of exposing sensitive data to unauthorized eyes. Here are some other options.


Let Telnet Listen On Another TCP Port


Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be detected as telnet traffic. Remember that this isn't a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.


1) Edit your /etc/services file and add an entry for a new service. Call it stelnet.


# Local services
stelnet         7777/tcp                        # "secure" telnet

2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:


[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777.


# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
       flags          = REUSE
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       log_on_failure += USERID
       disable        = no
       port           = 7777
}

4) Use chkconfig to activate stelnet.


[root@bigboy tmp]# chkconfig stelnet on


5) Check to make sure your server is now listening on port 7777 with the netstat command.


[root@bigboy tmp]# netstat -an | grep 777
tcp   0  0 0.0.0.0:7777       0.0.0.0:*          LISTEN
[root@bigboy tmp]#

You should now be able to log in to the new stelnet server on port 7777. This is done using the telnet command with the TCP port as the second argument.

[root@smallfry tmp]# telnet 192.168.1.100 7777
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Fedora Core release 2 (Tettnang)
Kernel 2.6.8-1.521 on an i686
login:

Let Telnet Allow Connections From Trusted Addresses


You can restrict telnet login access to specific remote hosts by using the only_from keyword in the telnet configuration file. Here's how.


1) Add a list of trusted servers to the /etc/xinetd.d/telnet file separated by spaces:


# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service telnet
{
       flags          = REUSE
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       log_on_failure += USERID
       disable        = no
       only_from      = 192.168.1.100 127.0.0.1 192.168.1.200
}

2) Restart telnet.


[root@bigboy tmp]# chkconfig telnet off
[root@bigboy tmp]# chkconfig telnet on

3) Test the telnet session. Servers that are not on the trusted list get the message Connection closed by foreign host.


[root@smallfry tmp]# telnet 192.168.1.100
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Connection closed by foreign host.
[root@smallfry tmp]#
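The two xinetd changes above (moving stelnet to TCP port 7777, and restricting telnet with only_from) are easy to get wrong, and a service file with the restriction missing looks just like one that was never hardened unless you read every file. The following script is an added example, not part of the original guide: it parses xinetd service files in the style shown above and reports, for each one, whether it is enabled, which port it uses (an explicit port line, else the name's entry in a services file) and which source addresses may connect. The sample directory, the service files and the services entries are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit xinetd service files.
# For each file in an xinetd.d-style directory it reports the service name,
# whether it is enabled ("disable = no"), the TCP port it listens on (an
# explicit "port =" line, else the service's entry in a services(5) file)
# and the source addresses allowed by "only_from" (ANY when the line is
# missing). Enabled services with no only_from restriction are counted so
# the result can be checked. The sample files below are constructed.

set -u

# Value of one key in an xinetd service file ("key = v" or "key += v");
# prints nothing when the key is absent.
xinetd_field() {  # $1 = service file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*+\{0,1\}=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# TCP port for a service name from a services(5)-format file; empty if unknown.
services_port() {  # $1 = services file, $2 = service name
    awk -v name="$2" '$1 == name && $2 ~ /\/tcp$/ {
        sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# One report line per service: name, state, port, allowed sources (tab-separated).
xinetd_audit_file() {  # $1 = service file, $2 = services file
    name=$(sed -n 's/^[[:space:]]*service[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    port=$(xinetd_field "$1" port)
    [ -n "$port" ] || port=$(services_port "$2" "$name")
    [ -n "$port" ] || port=unknown
    sources=$(xinetd_field "$1" only_from)
    [ -n "$sources" ] || sources=ANY
    case "$(xinetd_field "$1" disable)" in
        yes) state=disabled ;;
        *)   state=enabled ;;
    esac
    printf '%s\t%s\t%s\t%s\n' "$name" "$state" "$port" "$sources"
}

xinetd_audit_dir() {  # $1 = xinetd.d-style directory, $2 = services file
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        xinetd_audit_file "$f" "$2"
    done
}

# Number of enabled services that accept connections from any address.
xinetd_count_open() {  # $1 = directory, $2 = services file
    xinetd_audit_dir "$1" "$2" |
        awk -F'\t' '$2 == "enabled" && $4 == "ANY" { n++ } END { print n + 0 }'
}

# --- constructed sample data: a services file and three service files ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/xinetd.d"
cat > "$demo/services" <<'EOF'
telnet          23/tcp
# Local services
stelnet         7777/tcp                        # "secure" telnet
EOF
cat > "$demo/xinetd.d/telnet" <<'EOF'
service telnet
{
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       log_on_failure += USERID
       disable        = no
       only_from      = 192.168.1.100 127.0.0.1 192.168.1.200
}
EOF
cat > "$demo/xinetd.d/stelnet" <<'EOF'
service stelnet
{
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       disable        = no
       port           = 7777
}
EOF
cat > "$demo/xinetd.d/swat" <<'EOF'
service swat
{
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/swat
       disable        = yes
}
EOF

xinetd_audit_dir "$demo/xinetd.d" "$demo/services"
echo "enabled services open to any address: $(xinetd_count_open "$demo/xinetd.d" "$demo/services")"
```

On a real system run the same functions against /etc/xinetd.d and /etc/services. A report line ending in ANY for an enabled service means no only_from restriction is in place on it, whichever port it was moved to; in the sample, stelnet on 7777 is exactly that case.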


Setting Up A Telnet Server

Setting up the telnet server is easy to do, but the procedure differs between Linux distributions.

Redhat / Fedora

To set up a Telnet server use the chkconfig command to activate Telnet.


[root@bigboy tmp]# chkconfig telnet on

You can also use the chkconfig --list command to verify that telnet will be started on the next reboot.


[root@bigboy tmp]# chkconfig --list | grep telnet
       telnet: on
[root@bigboy tmp]#

Use the chkconfig command to deactivate telnet; this also keeps it off after the next reboot.


[root@bigboy tmp]# chkconfig telnet off

Debian / Ubuntu

In Debian / Ubuntu, the Telnet server runs under inetd, not the xinetd daemon, and uses a single /etc/inetd.conf configuration file to manage the activation of the daemons it controls.

To stop Telnet you need only edit the configuration file, comment out the Telnet server line, and restart inetd, as seen in this example:


root@u-bigboy:~# vi /etc/inetd.conf 
...
...
...

#
# File: /etc/inetd.conf 
#

#telnet         stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd

...
...
...

root@u-bigboy:~# /etc/init.d/inetd restart
 * Restarting internet superserver...
   ...done.
root@u-bigboy:~# netstat -a | grep telnet
root@u-bigboy:~#
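The inetd.conf edit above is done by hand in vi. The script below is an added example, not from the original guide, that does the same commenting-out with awk so it can be repeated safely: it only touches a line whose first field is exactly the service name, leaves already-commented lines and the file header alone, and provides the reverse operation. The sample inetd.conf is constructed for the demonstration, and restarting inetd afterwards remains a separate step.

```shell
#!/bin/sh
# Added example, not part of the original guide: switch a service on or off in
# an inetd.conf-style file without hand-editing. Only lines whose first field
# is exactly the service name (or "#name" when re-enabling) are touched, so
# disabling "telnet" leaves the comment header, other services and any
# already-commented copy alone, and repeating the call changes nothing.
# The configuration file below is constructed for the demo.

set -u

# Exit status 0 if inetd would start the service (an uncommented line exists).
inetd_enabled() {  # $1 = conf file, $2 = service name
    awk -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# Names of all services inetd would start (first field of active lines).
inetd_services() {  # $1 = conf file
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Rewrite the file through a temporary copy; "sed -i" is not portable.
rewrite_conf() {  # $1 = conf file, $2 = service name, $3 = awk program
    tmp="$1.tmp.$$"
    awk -v name="$2" "$3" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Comment out every active line for the service (idempotent).
inetd_disable() {  # $1 = conf file, $2 = service name
    rewrite_conf "$1" "$2" '$1 == name { print "#" $0; next } { print }'
}

# Uncomment lines of the form "#name ..." for the service (idempotent).
inetd_enable() {  # $1 = conf file, $2 = service name
    rewrite_conf "$1" "$2" '$1 == ("#" name) { sub(/^#/, ""); print; next } { print }'
}

# --- constructed sample inetd.conf ---
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
#
# File: /etc/inetd.conf
#
telnet          stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd
#ftp            stream  tcp     nowait  root            /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF

echo "before: $(inetd_services "$conf")"   # telnet
inetd_disable "$conf" telnet
echo "after:  $(inetd_services "$conf")"   # (empty)
# On a real system this is the point to run: /etc/init.d/inetd restart
```

Because the match is on the whole first field, a service such as "telnetd" or a line already starting with "#telnet" is never touched, and running the disable twice does not stack a second "#" on the line.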


Note: The xinetd package provides much more flexibility than its inetd equivalent. xinetd allows you to restrict connections to specific source IP addresses and allows you to specify the TCP port and server IP address on which to listen. You may want to convert your system to use the xinetd package for Telnet by installing xinetd and creating your own custom /etc/xinetd.d/telnet configuration file. The rest of the examples in this chapter assume that the more versatile xinetd is being used.


Note: You can test whether the Telnet process is running with the following command, which lists the TCP/UDP ports on which your server is listening. If Telnet isn't running, there will be no output.


[root@bigboy tmp]# netstat -a | grep telnet
tcp        0        0        *:telnet        *:*        LISTEN 
[root@bigboy tmp]#



Installing The Telnet Server Software

Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't do this and you will have to install it yourself.

Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail.


When searching for the file, remember that the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number as in telnet-server-0.17-28.i386.rpm.


With Debian / Ubuntu, the Telnet server package would have a "telnetd" prefix like this: telnetd_0.17-32_i386.deb.

Using The Telnet Client

The command to do remote logins via telnet from the command line is simple. You enter the word telnet and then the IP address or server name to which you want to connect.

Here is an example of someone logging into a remote server named smallfry from server bigboy. The user looks at the routing table and then logs out.


[root@bigboy tmp]# telnet 192.168.1.105
Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.

Linux 2.4.18-14 (smallfry.my-site.com) (10:35 on Sunday, 05 January 2003)

Login: peter
Password:
Last login: Fri Nov 22 23:29:44 on ttyS0
You have new mail.
[peter@smallfry peter]$
[peter@smallfry peter]$ netstat -nr
Kernel IP routing table
Destination     Gateway       Genmask         Flags  MSS Window irtt Iface
255.255.255.255 0.0.0.0       255.255.255.255 UH     40  0      0    wlan0
192.168.1.0     0.0.0.0       255.255.255.0   U      40  0      0    wlan0
127.0.0.0       0.0.0.0       255.0.0.0       U      40  0      0    lo
0.0.0.0         192.168.1.1   0.0.0.0         UG     40  0      0    wlan0
[peter@smallfry peter]$ exit
logout

Connection closed by foreign host.
[root@bigboy tmp]#


Telnet

Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux.


One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password. A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption.


In spite of this, the older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them. I'll show you how to limit your exposure to Telnet's insecurities later in this chapter.

Controlling xinetd-Managed Applications

Xinetd-managed applications all store their configuration files in the /etc/xinetd.d directory. Each configuration file has a disable statement that you can set to yes or no. This governs whether xinetd is allowed to start them or not.

You don't have to edit these files to activate or deactivate the application. The chkconfig command does that for you automatically, and it also starts or stops the application accordingly. Here is an example of the activation and deactivation of the Samba SWAT web GUI management application.


[root@bigboy tmp]# chkconfig swat on
[root@bigboy tmp]# chkconfig swat off


Controlling xinetd

The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.

You can start/stop/restart xinetd after booting by using the following commands:


[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart


To get xinetd configured to start at boot you can use the chkconfig command.


[root@bigboy tmp]# chkconfig xinetd on

Managing xinetd Programs

The xinetd RPM is installed by default in Fedora Linux and uses /etc/xinetd.conf as its main configuration file. Fortunately, you usually don't have to edit this file, so day-to-day xinetd operation is frequently limited to starting and stopping xinetd-managed applications.

Introduction

Many network-enabled Linux applications don't handle restricted access or binding to a particular TCP port themselves; instead they offload much of this work to a program suite made just for this purpose: xinetd.

Conclusion

FTP is a very useful software application that can have enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure, it is universally accessible, because FTP clients are a part of all operating systems and Web browsers. If data encryption security is of great importance to you, then you should probably consider SCP as a possible alternative. You can find more information on it in Chapter 17, "Secure Remote Logins and File Copying".

Sample Login Session To Test Functionality

Here is a simple test procedure you can use to make sure everything is working correctly:


1) Check for the presence of a test file on the FTP client machine, smallfry.


[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#


2) Connect to bigboy via FTP


[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

As expected, we can't do an upload transfer of testfile to bigboy.

ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>

But we can view and download a copy of the VSFTPD RPM located on the FTP server bigboy.

ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#

As expected, anonymous FTP fails.

[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#

Now that testing is complete, you can make this a regular part of your FTP server's operation.


FTP Users with Only Read Access to a Shared Directory

In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:


1) Disable anonymous FTP. Set the anonymous_enable line in the vsftpd.conf file to NO, like this:


# Allow anonymous FTP?
anonymous_enable=NO


2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:


# Uncomment this to allow local users to log in.
local_enable=YES


3) Start VSFTPD.


[root@bigboy tmp]# service vsftpd start


4) Create a user group and shared directory. In this case, use /home/ftp-docs as the directory and ftp-users as the group name for the remote users.


[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs

5) Make the directory accessible to the ftp-users group.


[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs

6) Add users, and make their default directory /home/ftp-docs


[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4

7) Copy files to be downloaded by your users into the /home/ftp-docs directory


8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group


[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*

Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to NO (vsftpd requires the key=value form with no spaces around the equals sign):


write_enable=NO


Remember, you must restart VSFTPD for the configuration file changes to take effect.
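To confirm that a share set up with the steps above really came out read-only, here is an added example, not part of the original guide: a script that reads the three relevant vsftpd.conf settings and the 750/740 permissions on the share directory and its files, and prints one line per discrepancy. The sample configuration (including one line written with spaces around the equals sign, which vsftpd rejects) and the directory are constructed for the demonstration; stat -c from GNU coreutils is assumed, and numeric uid/gid are compared so the demo runs without root.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a vsftpd
# read-only share matches the steps above. It verifies the three vsftpd.conf
# settings (anonymous_enable=NO, local_enable=YES, write_enable=NO), flags
# lines vsftpd would reject (it accepts only "key=value" with no spaces), and
# checks the 750/740 modes and ownership of the share and its files. Each
# problem is printed on its own line; no output means the share is as intended.
# The configuration and directory are constructed; "stat -c" (GNU coreutils)
# is assumed, and numeric uid/gid are compared so the demo needs no root.

set -u

# Value of a key from vsftpd.conf; comment lines and malformed lines give nothing.
vsftpd_value() {  # $1 = conf file, $2 = key
    awk -F= -v key="$2" '/^[[:space:]]*#/ { next } $1 == key { print $2; exit }' "$1"
}

# Compare the settings the read-only share depends on with the expected values.
vsftpd_check_conf() {  # $1 = conf file
    for want in anonymous_enable=NO local_enable=YES write_enable=NO; do
        key=${want%%=*}; expect=${want#*=}
        # "key = value" is rejected by vsftpd, so report it even if a good line exists
        if grep -q "^[[:space:]]*$key[[:space:]]" "$1"; then
            echo "$key: malformed line (vsftpd accepts only key=value, no spaces)"
        fi
        got=$(vsftpd_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set, expected $expect"
        elif [ "$got" != "$expect" ]; then
            echo "$key: is $got, expected $expect"
        fi
    done
}

# Report mode and ownership mismatches for one path.
check_path() {  # $1 = path, $2 = expected mode, $3 = expected uid, $4 = expected gid
    mode=$(stat -c '%a' "$1"); uid=$(stat -c '%u' "$1"); gid=$(stat -c '%g' "$1")
    [ "$mode" = "$2" ] || echo "$1: mode $mode, expected $2"
    [ "$uid" = "$3" ] || echo "$1: owner uid $uid, expected $3"
    [ "$gid" = "$4" ] || echo "$1: group gid $gid, expected $4"
}

# Directory must be 750 and every file 740, all owned by uid:gid ($2:$3), so the
# group can read but not write and other users see nothing.
vsftpd_check_share() {  # $1 = directory, $2 = expected uid, $3 = expected gid
    check_path "$1" 750 "$2" "$3"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_path "$f" 740 "$2" "$3"
    done
}

# --- constructed sample: a vsftpd.conf with one malformed line, and a share ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/vsftpd.conf" <<'EOF'
# Allow anonymous FTP?
anonymous_enable=NO
# Uncomment this to allow local users to log in.
local_enable=YES
write_enable = NO
EOF
mkdir "$demo/ftp-docs" && chmod 750 "$demo/ftp-docs"
: > "$demo/ftp-docs/readme.txt" && chmod 740 "$demo/ftp-docs/readme.txt"
: > "$demo/ftp-docs/notes.txt"  && chmod 664 "$demo/ftp-docs/notes.txt"
me=$(id -u); mygrp=$(id -g)   # stands in for root:ftp-users on a real server

vsftpd_check_conf "$demo/vsftpd.conf"                 # two lines about write_enable
vsftpd_check_share "$demo/ftp-docs" "$me" "$mygrp"    # notes.txt: mode 664, expected 740
```

On a real server call vsftpd_check_share with /home/ftp-docs, the uid of root (0) and the gid of ftp-users; a clean run is silent, which makes the script usable from cron after the directory is repopulated.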


Tutorial

FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.

Troubleshooting FTP

You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.

The most common sources of day-to-day failures are incorrect usernames and passwords.


Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".


FTP Security Issues

FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.


The /etc/vsftpd.ftpusers File

For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.


Anonymous Upload

If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:


[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload

FTP Greeting Banner

Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:


ftpd_banner=New Banner Here

Using SCP As Secure Alternative To FTP

One of the disadvantages of FTP is that it does not encrypt your username and password. This could leave your user account open to unauthorized use by someone eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not, however, support anonymous services, a feature that FTP does support.