In this lab, we shall be covering the File Transfer Protocol (FTP) briefly, before going on to the main part of the lab, which is Web Caching.
You will need to make some modifications to DNS. Add an alias for points to Server1 for both IPv4 and IPv6. There is no well-known hostname used for caches, although “cache” and “proxy” would be suitable choices, so add an alias for “cache” to point to Server1 as well; this will help prevent having to touch a lot of clients if we later decide to move the proxy cache.
Remember that names in DNS are generally always lowercase, although DNS is case-insensitive. Reload the DNS zones and test. Take a screenshot of your updated zone files and of your testing.
Providing FTP services is common, but don’t provide anonymous FTP without being aware of the issues first. As we’ll see later in the course, it may be simple, but it’s not something to be taken lightly.
Depending on the particular FTP server implementation, default access policies will vary: some might allow only anonymous and deny users by default; some might allow users but deny anonymous by default… and I’m pretty sure the software we’re using has switched from one to the other in Ubuntu 10.04 LTS. Beware that FTP is a clear text protocol. There are cryptographic extensions to the FTP protocol (such as ftps), but they are not widespread.
Under Debian-based systems vsftpd (Very Secure FTP Daemon) is often used. Install the package now, on Server1. Verify that the daemon is running, and listening on the FTP port.
To find packages, you can use apt-cache search string. For example, to search for the package that contains vsftpd, you might use apt-cache search vsftp. In this case, you will find that one of the output lines says vsftpd - The Very Secure FTP Daemon.
Edit (as root) the vsFTPd configuration file /etc/vsftpd.conf. Make the following policy changes; you’ll have to figure out for yourself which options to
Allow both users and guests (anonymous) to log in.
Allow users (not guests) to write (upload) files etc. By default, the ability to write to anything is disabled.
Set the banner text to “This is the localdomain FTP service.”
Logs of what has been transferred must be enabled.
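To check a configuration file against the four policy points above, here is an added Python example (not part of the lab). The option names are the real vsftpd.conf(5) options and the defaults are the ones the manual page documents; SAMPLE_CONF is a constructed file, not the one the Ubuntu package ships.

```python
# Compiled-in defaults as documented in vsftpd.conf(5). The packaged config
# file overrides some of them, which is why the file itself must be read.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "xferlog_enable": "NO", "ftpd_banner": "",
}

# The lab policy: users and guests may log in, only users may write,
# the banner is set, and transfers are logged.
REQUIRED = {
    "anonymous_enable": "YES", "local_enable": "YES", "write_enable": "YES",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "xferlog_enable": "YES",
    "ftpd_banner": "This is the localdomain FTP service.",
}

def parse_vsftpd_conf(text):
    """Map option -> effective value: '#' lines are comments, a commented-out
    option falls back to its default, and the last assignment of a key wins."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                opts[key.strip()] = value.strip()
    return opts

def policy_violations(text):
    """Return (option, effective value, required value) for each mismatch."""
    opts = parse_vsftpd_conf(text)
    return [(k, opts[k], v) for k, v in REQUIRED.items() if opts[k] != v]

# Constructed "before" file: anonymous logins fall back to the default,
# writing is still off and no banner is set.
SAMPLE_CONF = """\
listen=YES
#anonymous_enable=NO
local_enable=YES
#write_enable=YES
xferlog_enable=YES
"""

# The same file with the two missing settings appended (the "after" file).
FIXED_CONF = SAMPLE_CONF + "write_enable=YES\nftpd_banner=This is the localdomain FTP service.\n"
```

Running policy_violations(SAMPLE_CONF) reports write_enable and ftpd_banner; FIXED_CONF reports nothing.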
Look at the manual page for
and find out more about the
Find out where the anonymous files are to be found on the
server. Have a look in
When you have made the modifications and answered the questions, restart the FTP service.
Create the file
(note the dot) and put it in some text such as the
Currently there is nothing here, but if there were, you would probably find a guide to the layout of the FTP server.
While you are there, create a small file; the name doesn’t matter, you’ll use it for testing the retrieval and display of files.
$ sudo sh -c 'echo hello > /srv/ftp/test'
Restart vsFTPd, and try connecting to the FTP server from Client1; we’ll first try logging in as the anonymous (guest) user.
$ ftp ftp.localdomain
Connected to ftp.localdomain.
220 Welcome to the localdomain FTP service
Name (ftp.localdomain:mal): anonymous
331 Please specify the password.
Password: Your email address
230-Currently there is nothing here, but if there
230-were, you would probably find a guide to the layout.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             413 May 07 02:02 test
226 Directory send OK.
ftp> get test
local: test remote: test
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test (6 bytes).
226 File send OK.
413 bytes received in 0.03 secs (12.4 kB/s)
ftp>
In the above transcript, I was greeted by the FTP service, and I logged in anonymously using my email address as the password. This is just so the administrator can see who has been using the server. Some FTP administrators ban clients that use known-default email addresses, and vsftpd can easily support this policy. After logging in, I obtained a directory listing and retrieved a file. I then disconnected. This is fairly basic stuff, but we haven’t tested that local users can log in yet.
Make files on the client and the server for testing. On Client1:
$ hostname > ~/file_to_upload.txt
On Server1:
$ hostname > ~/file_to_download.txt
$ ftp ftp.localdomain
Connected to ftp.localdomain.
220 This is the localdomain FTP service
Name (ftp.localdomain:mal): mal
331 Please specify the password.
Password: mal’s password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000            7 May 07 02:33 file_to_download.txt
226 Directory send OK.
ftp> get file_to_download.txt
local: file_to_download.txt remote: file_to_download.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file_to_download.txt (7 bytes).
226 File send OK.
7 bytes received in 0.02 secs (0.3 kB/s)
ftp> put file_to_upload.txt
local: file_to_upload.txt remote: file_to_upload.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 File receive OK.
8 bytes sent in 0.00 secs (12.5 kB/s)
ftp>
There are two modes that FTP uses to transfer files. The first is binary, the other ascii. When it is set to ascii, it will translate line-ending sequences, for example when transferring from a Windows machine to a Unix system. Binary mode makes no such transformation.
Two other commands of note are passive. Passive (PASV) mode is used when you are behind a firewall, and the incoming data connection from the internet is disallowed. So instead of the server connecting to the client to establish the data connection (the PORT protocol command), the client connects to
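The PORT argument and the 227 reply to PASV both carry the data-connection endpoint in the same h1,h2,h3,h4,p1,p2 form, so the same decoder shows which side has to open the data connection, the detail a firewall cares about. The following added Python example (not part of the lab) decodes both from a constructed control-stream capture and, because the control channel is clear text, also pulls out the USER/PASS exchange that the tcpdump or Wireshark screenshot asked for at the end of the lab will show; hosts, ports and the password in CAPTURE are made up.

```python
import re

# Constructed control-channel capture in the shape "tcpdump -A" or Wireshark's
# "Follow TCP stream" shows; hosts, port numbers and the password are made up.
CAPTURE = """\
220 This is the localdomain FTP service
USER mal
331 Please specify the password.
PASS s3cret
230 Login successful.
PORT 192,168,1,20,4,1
200 PORT command successful. Consider using PASV.
PASV
227 Entering Passive Mode (192,168,1,10,195,80).
QUIT
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply:
    an IPv4 address and a 16-bit port sent as two base-256 digits."""
    m = HOSTPORT.search(arg)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def analyse_control_stream(text):
    """Return the credentials visible in clear text and, for every data
    connection, its mode, endpoint and which side has to open it."""
    creds, data = {}, []
    for line in text.splitlines():
        token, _, arg = line.partition(" ")
        if token == "USER":
            creds["user"] = arg
        elif token == "PASS":
            creds["password"] = arg
        elif token in ("PORT", "227"):
            endpoint = decode_hostport(arg)
            if endpoint is None:
                continue
            if token == "PORT":   # active: server dials the client's address
                data.append(("active", endpoint[0], endpoint[1], "server -> client"))
            else:                 # passive: client dials the server's address
                data.append(("passive", endpoint[0], endpoint[1], "client -> server"))
    return creds, data
```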
This lab is optional, but these questions will help you to test your understanding.
Describe the default authentication policy that was supplied in the Ubuntu 10.04 LTS version of vsFTPd. Why might a policy that allows only anonymous users (denying authentication of users by default) be preferable from a security point-of-view?
You must have a screenshot showing that you have been able to log in as a normal user and download/upload files.
Take a screenshot of Wireshark following the TCP ftp-control stream (or tcpdump -A …) showing at least the authentication process.