[Optional] File Transfer and Web Caching

Table of Contents

1. File Transfer Protocol (FTP)
1.1. Assessment
1.2. FTP Resources
2. Web Caching with Squid
2.1. Transparent Proxies
2.2. [Reference Only] Proxy Autodetection
2.3. Basic Squid Configuration
2.4. [Optional] User-based Access Control
2.5. Assessment
2.6. Resources

In this lab, we shall be covering the File Transfer Protocol (FTP) briefly, before going on to the main part of the lab, which is Web Caching.

You will need to make some modifications to DNS. Add an alias for ftp that points to Server1 for both IPv4 and IPv6. There is no well-known hostname used for caches, although “cache” and “proxy” would be suitable choices, so add an alias for “cache” to point to Server1 as well; this avoids having to reconfigure a lot of clients if we later decide to move the proxy cache.

Remember that names in DNS are conventionally written in lowercase, although DNS lookups are case-insensitive. Reload the DNS zones and test. Take a screenshot of your updated zone files and of your testing.

1. File Transfer Protocol (FTP)

Providing FTP services is common, but don’t provide anonymous FTP without being aware of the issues first. As we’ll see later in the course, it may be simple, but it’s not something to be taken lightly.

Depending on the particular FTP server implementation, default access policies will vary: some might allow only anonymous and deny users by default; some might allow users but deny anonymous by default… and I’m pretty sure the software we’re using has switched from one to the other in Ubuntu 10.04 LTS. Beware that FTP is a clear text protocol. There are cryptographic extensions to the FTP protocol (such as ftps)[73], but they are not widespread.

Under Debian-based systems vsftpd (Very Secure FTP Daemon) is often used. Install the package now, on Server1. Verify that the daemon is running, and listening on the FTP port.

Finding packages using apt-cache search

To find packages, you can use apt-cache search string. For example, to search for the package that contains vsftpd, you might use apt-cache search vsftp. In this case, you will find that one of the output lines says vsftpd - The Very Secure FTP Daemon.

Edit (as root) the vsFTPd configuration file /etc/vsftpd.conf. Make the following policy changes; you’ll have to figure out for yourself which options to change.

  • Allow both users and guests (anonymous) to log in.

  • Allow users (not guests) to write (upload) files etc. By default, the ability to write to anything is disabled.

  • Set the banner text to “This is the localdomain FTP service.”

  • Logs of what has been transferred must be enabled.

  • Look at the manual page for vsftpd.conf(5), and find out more about the dirmessage_enable option.

  • Find out where the anonymous files are to be found on the server. Have a look in /usr/share/doc/vsftpd/README.Debian

  • When you have made the modifications and answered the questions, restart the FTP service.

  • Create the file /srv/ftp/.message (note the dot) and put in it some text such as the following.

    Currently there is nothing here, but if there were, you would
    probably find a guide to the layout of the FTP server.

    While you are there, create a small file; the name doesn’t matter, you’ll use it for testing the retrieval and display of files.

    $ sudo sh -c 'echo hello > /srv/ftp/test'
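Once you have edited the file, it is worth checking that it actually encodes the policy above. The following is an added example, not part of the lab or of vsftpd itself: it parses vsftpd.conf syntax, fills in the daemon's documented defaults for options the file omits, and reports every way the result departs from the stated policy (guests being able to write is the one that matters most). The configuration embedded in it is constructed for the example.

```python
import re
# Defaults from vsftpd.conf(5): an option absent from the file takes these values.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "xferlog_enable": "NO", "ftpd_banner": ""}

def parse_vsftpd_conf(text):
    """Return {option: value}; vsftpd allows only option=value (no spaces), '#' comments and blanks."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)=(.*)", line)
        if not m:
            raise ValueError("line %d is not option=value: %r" % (lineno, raw))
        conf[m.group(1)] = m.group(2)
    return conf

def on(value):  # vsftpd boolean: YES, TRUE or 1 (any case) enables an option
    return value.strip().upper() in ("YES", "TRUE", "1")

def audit_policy(conf, banner="This is the localdomain FTP service."):
    """Return the ways conf breaks the lab policy (an empty list means it passes)."""
    problems = []
    if not on(conf["anonymous_enable"]):
        problems.append("anonymous (guest) logins are disabled")
    if not on(conf["local_enable"]):
        problems.append("local user logins are disabled")
    if not on(conf["write_enable"]):
        problems.append("local users cannot upload (write_enable is off)")
    # Guests must never write: either option below turns /srv/ftp into a drop box.
    for opt in ("anon_upload_enable", "anon_mkdir_write_enable"):
        if on(conf[opt]):
            problems.append("anonymous users can write (%s is on)" % opt)
    if conf["ftpd_banner"] != banner:
        problems.append("banner text is %r" % conf["ftpd_banner"])
    if not on(conf["xferlog_enable"]):
        problems.append("transfer logging is off")
    return problems

SAMPLE_CONF = """\
# constructed sample (not a real server's file): meets the policy except that guests may upload
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
xferlog_enable=YES
ftpd_banner=This is the localdomain FTP service.
"""
```

Run it against /etc/vsftpd.conf by passing the file's contents to parse_vsftpd_conf; a stray space around '=' is rejected, as vsftpd itself rejects it.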

Restart vsFTPd, and try connecting to the FTP server from Client1; we’ll first try logging in as the anonymous (guest) user.

$ ftp ftp.localdomain
Connected to ftp.localdomain.
220 Welcome to the localdomain FTP service
Name (ftp.localdomain:mal): anonymous
331 Please specify the password.
Password: Your email address
230-Currently there is nothing here, but if there
230-were, you would probably find a guide to the layout.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             413 May 07 02:02 test
226 Directory send OK.
ftp> get test
local: test remote: test
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test (6 bytes).
226 File send OK.
413 bytes received in 0.03 secs (12.4 kB/s)
ftp> bye
221 Goodbye.

In the above transcript, I was greeted by the FTP service, and I logged in anonymously using my email address as the password. This is just so the administrator can see who has been using the server. Some FTP administrators ban clients that use known-default email addresses, and vsftpd can easily support this policy. After logging in, I obtained a directory listing and retrieved a file. I then disconnected. This is fairly basic stuff, but we haven’t tested that local users can log in yet.

Make files on client and server for testing
client1$ hostname > ~/file_to_upload.txt
server1$ hostname > ~/file_to_download.txt

client1$ ftp ftp.localdomain
Connected to ftp.localdomain.
220 This is the localdomain FTP service
Name (ftp.localdomain:mal): mal
331 Please specify the password.
Password: mal’s password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000            7 May 07 02:33 file_to_download.txt
226 Directory send OK.
ftp> get file_to_download.txt
local: file_to_download.txt remote: file_to_download.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file_to_download.txt (7 bytes).
226 File send OK.
7 bytes received in 0.02 secs (0.3 kB/s)
ftp> put file_to_upload.txt
local: file_to_upload.txt remote: file_to_upload.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 File receive OK.
8 bytes sent in 0.00 secs (12.5 kB/s)
ftp> bye
221 Goodbye.

There are two modes that FTP uses to transfer files. The first is binary, the other ascii[74]. In ascii mode, the client translates line-ending sequences, such as \r\n to \n, when transferring from a Windows machine to a Unix system. Binary mode makes no such transformation.

Two other commands of note are active and passive. Passive (PASV) mode is used when the client is behind a firewall that disallows incoming data connections from the Internet: instead of the server connecting back to the client to establish the data connection (the PORT protocol command), the client connects to the server.
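Both transcripts above and the PORT/PASV discussion can be checked against a capture of the control channel, which is also what the assessment asks you to look at. The following is an added example (not from the lab) that parses a constructed tcpdump-style capture of the control stream, folding multi-line replies such as the 230- greeting into a single reply, decodes the h1,h2,h3,h4,p1,p2 address form shared by the PORT command and the 227 PASV reply, and reports which users authenticated in clear text. Client lines in the constructed capture are marked with '> ', a convention of this example rather than tcpdump output.

```python
import re

# Constructed capture of the FTP control channel; client lines are marked '> '.
CAPTURE = """\
220 This is the localdomain FTP service
> USER mal
331 Please specify the password.
> PASS example-only-password
230-Currently there is nothing here, but if there
230-were, you would probably find a guide to the layout.
230 Login successful.
> PASV
227 Entering Passive Mode (192,168,1,10,195,80).
"""

def parse_control_stream(capture):
    """Return (command, reply_code, reply_text) for each server reply; a multi-line
    reply (RFC 959) opens with 'ddd-' and ends at the 'ddd ' line with the same code."""
    events, command, code, text = [], None, None, []
    for line in capture.splitlines():
        if line.startswith("> "):
            command = line[2:]
            continue
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if not m:
            if code is None:
                raise ValueError("unparseable server line: %r" % line)
            text.append(line)  # bare continuation line inside a multi-line reply
            continue
        code = code or m.group(1)
        text.append(m.group(3))
        if m.group(2) == " " and m.group(1) == code:  # final line of this reply
            events.append((command, code, "\n".join(text)))
            command, code, text = None, None, []
    return events

def data_endpoint(spec):
    """Decode h1,h2,h3,h4,p1,p2 (a PORT argument or a 227 PASV reply) to (ip, port)."""
    h = [int(x) for x in re.search(r"\d+(?:,\d+){5}", spec).group(0).split(",")]
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]

def cleartext_logins(events):
    """Usernames whose password crossed the wire unencrypted and was accepted (230)."""
    users = []
    for (cmd, _, _), (nxt, code, _) in zip(events, events[1:]):
        if ((cmd or "").upper().startswith("USER ") and
                (nxt or "").upper().startswith("PASS ") and code == "230"):
            users.append(cmd.split(None, 1)[1])
    return users
```

The same parser works on the text you get from Wireshark's Follow TCP Stream on the ftp-control connection once the client lines are marked.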

1.1. Assessment

This lab is optional, but these questions will help you to test your understanding.

1.1.1.

Describe the default authentication policy that was supplied in the Ubuntu 10.04 LTS version of vsFTPd. Why might a policy that allows only anonymous users (denying authentication of users by default) be preferable from a security point-of-view?

1.1.2.

You must have a screenshot showing that you have been able to log in as a normal user and download/upload files.

1.1.3.

Take a screenshot of Wireshark following the TCP ftp-control stream (or tcpdump -A …) showing at least the authentication process.

1.2. FTP Resources

RFC 2577: FTP Security Considerations

Worth reading to find out how FTP can be abused and what you can do to mitigate it.



[73] Note: sftp is in no way similar to FTP, except as a user interface.

[74] There is also ebcdic, which you would only be likely to see on IBM mainframes.