                                 NETW-240
             Network Operating Systems, UNIX / Linux with Lab
            Week 6 Lab 2: Setting Up a Secure FTP Server – 1 hour

Objectives:

     Understanding the responsibilities for administering content sites.

     Updating the /etc/hosts file to identify remote hosts and servers.

     Performing an ftp server installation.

     Configuring parameters, access permissions, and options for an ftp server.

     Learning how to connect to an ftp server as a real account and a guest
      account.

     Learning to establish a secure shell (ssh) session with a remote server,
      in place of telnet.

Resources Needed

     One classroom workstation, lab workstation, or home PC.

     One NETW-240 hard drive loaded with Red Hat Fedora Linux or iLab
      access.

     One set of Fedora Linux CDs or one Fedora Linux DVD or iLab access.

     One Cat 5e patch cable or iLab access.

     One Cisco Catalyst switch (per class) or iLab access.

     Week 6 Lab 2 assignment with attached answer sheet.

Deliverables:

     Updating /etc/hosts to identify local and remote hosts and servers.

     Identifying critical system files for configuring and displaying site
      messages.

     Installing and configuring a secure ftp server.

     Performing a secure shell (ssh) session to a remote server.


NETW240 Week 6 - Lab 2 Setting Up Secure FTP   -1-
     Completion of steps and questions included in the Procedures below

     Submittal of the lab question and answer sheet to the instructor for
      grading.



Background:

We will continue to learn to install and configure TCP/IP servers. Each server
allows local, remote, and guest user access. It is our responsibility as system
administrators to safeguard our system’s resources and information. A legal
statement should be displayed to users accessing the system. Legal messages
should be approved by your organization’s legal department. An example of a
warning message follows:

        Warning: You are accessing a secure site and confidential information.
        Access is restricted to authorized persons ONLY. Unauthorized access or
        use is not permitted and constitutes a crime punishable by law. Violators
        will be prosecuted.

Warning messages should be displayed before a user logs into the system. We
will learn to add warning messages in today’s lab. This is only one part of an
effective security policy.


File Transfer Protocol:

File Transfer Protocol (FTP) is a TCP/IP application designed to transfer files
across a network from one host to another. It is one of the oldest Internet
protocols: its first specification (RFC 114) dates from 1971, when it served
the minicomputers and mainframes of the ARPANET. FTP works on the client/server
model by allowing remote clients to move up and down a server's directory
structure to find and download files of interest. Web browsers of this era also
speak the protocol: clicking an ftp:// link in a browser transfers the file
with FTP rather than HTTP.

Any Linux system can operate as an ftp server by running an ftp daemon. A
special user account in /etc/passwd allows remote users to log in as
"anonymous." By convention the password for anonymous is the remote user's
e-mail address; the server does not verify it, so it is a courtesy rather than
authentication. A major disadvantage of FTP is that it does not encrypt an
authorized user's name and password, leaving them open to sniffer capture and
unauthorized reuse. In this lab we will install vsftpd, the Very Secure FTP
Daemon. Its "secure" refers to how the daemon itself is written: most of its
code runs as an unprivileged user and anonymous sessions are confined to a
chroot, which limits the damage a bug in the server can do. It does not by
itself encrypt the session. Plain FTP logins to vsftpd still send passwords in
clear text unless TLS is enabled in vsftpd.conf (ssl_enable=YES) or the files
are moved over secure shell (scp or sftp) instead, which is the second half of
this lab.




As a UNIX system administrator, it is your responsibility to set up FTP directories
so that files people need are accessible without compromising the security on the
rest of your system.

Procedures:         See Chapter 20, Setting Up an FTP Server


    1. To reach the ftp and other servers by name, each must have an entry in
       your /etc/hosts file. Notice the server named picasso. It has an alias of
       "pi" so users can type pi instead of an IP address or fully qualified
       domain name (FQDN) when communicating across the network.

        iLab users may use a server name that is not picasso

    2. Using the visual editor (vi), verify that all hosts on the network are added
       in /etc/hosts (this should have been completed in an earlier lab exercise):

        127.0.0.1        localhost.localdomain   localhost
        192.168.240.200  picasso.unix.net        pi
        192.168.240.12   host12.unix.net         h12
        192.168.240.35   host35.unix.net         h35
        (add an entry for every other workstation sharing your switch)


    3. After verifying entries in /etc/hosts for all hosts on the network, you
       should be able to ping everyone on the network.

    4. Using the ping command, ping picasso

                 ping      pi

    Note: If you cannot ping anyone on the network, begin setting up your
    vsftpd server anyway in order to remain current with the lab. After setting
    up vsftpd, troubleshoot your connectivity problem.

Configuring the FTP Server

    5. Verify that the ftp user account is listed in /etc/passwd. vsftpd runs
       anonymous (guest) sessions as this account, user ID 14 and group ID 50,
       and confines them (chroot) to its home directory, /var/ftp. An anonymous
       user therefore has only that unprivileged account's permissions and
       cannot 'cd' out of the ftp directory.


                 grep "^ftp:" /etc/passwd


    The following entry should be displayed:


                 ftp:x:14:50:ftp user:/var/ftp:/sbin/nologin


        Note: Users who are classified as "real users" already have a legitimate
        user account on the ftp server. These users can log in to the ftp site
        using their assigned user name and password.

    6. Use the rpm command to verify that the vsftpd software package is
       installed on your workstation:

                 rpm -q vsftpd

    7. If the package is not listed, check whether the vsftpd service is
       registered with chkconfig:


                 chkconfig --list vsftpd


    8. If neither command finds vsftpd, you will need to load it from your CD
       or DVD set. Use the earlier "rpm" lab to work through this process.


    9. Use the check configuration (chkconfig) command to enable the vsftpd
       server:


                 chkconfig         vsftpd         on


    10. Use the service command to start the vsftpd server:


                 service        vsftpd          start


    11. Try to log in to the vsftpd server as "anonymous", giving an e-mail
        address such as "root@unix.net" as the password (it is not checked):

                 ftp localhost          (if localhost does not resolve, use 127.0.0.1)
                 Connected to localhost.
                 220 (vsFTPd 2.0.3)
                 530 Please login with USER and PASS.
                 Name (localhost:root): anonymous
                 331 Please specify the password.
                 Password: ************
                 230 Login successful.
                 Remote system type is UNIX.
                 Using binary mode to transfer files.
                 ftp>

    12. If the previous step was successful, notice that no warning message
        alerted the user that unauthorized activity on our ftp site is illegal.
        vsftpd displays the contents of a file named .message when a user
        enters the directory containing it (the dirmessage_enable=YES setting
        in vsftpd.conf, which Fedora enables by default). Use the visual editor
        to open a file named ".message" in the /var/ftp directory:

                 cd /var/ftp

                 vi .message

    13. Add the following notice to the .message file. Create it with vi rather
        than by redirecting echo output, because whatever ends up in .message is
        shown verbatim to every anonymous ftp guest. Centering must be done
        with the space bar.

        Note: a .message is shown only after a successful login, when the user
        enters /var/ftp. To show the warning before the login prompt, as the
        Background section recommends, also set ftpd_banner= (a one-line text)
        or banner_file= (the path of a file) in /etc/vsftpd/vsftpd.conf and
        restart vsftpd.


               Warning – Proprietary FTP Site – Authorized Use Only
  Violators will be prosecuted under Title 18 US Code 1030 and Title 18 US Code
2701
                For access or other information, contact root@unix.net

=================================================

    14. To test your message, login to the ftp site as anonymous. You should see
        your message after entering a password.


    15. While in the /var/ftp directory, list the files currently in the ftp
        tree (add -a to see the .message file you just created, since names
        that begin with a dot are hidden from a plain ls):

                 ls -l /var/ftp


                 You should see output similar to the following:

        drwxr-xr-x 2          root    root     1024    Aug 9 11:30   pub


    16. Some FTP sites have an "incoming" directory where users can upload files
        to a shared directory. It is not recommended that a company's ftp site
        allow uploads from the public. Incoming directories are inevitably
        abused by pirated-software traders, illicit content providers, and
        other illegal "parking-lot" intruders. In vsftpd, uploads by anonymous
        users stay off unless anon_upload_enable=YES (together with
        write_enable=YES) is set in vsftpd.conf, so leave those lines commented
        out.


    Note: Under US Federal Law, a company is responsible for all content posted
    on its ftp or web site.

    17. A file named vsftpd.conf is located in the /etc/vsftpd directory. Use
        less to page through this configuration file:

        less /etc/vsftpd/vsftpd.conf



Notice its parameters, many of which are commented out and can be uncommented
to activate certain features. Treat each one as a security decision: for
example, uncommenting anon_upload_enable=YES turns on the incoming-directory
problem described in step 16, and write_enable=YES is what lets any logged-in
user modify files at all.

    18. Two more files, vsftpd.user_list and vsftpd.ftpusers (in /etc on this
        Fedora release; later releases keep them as /etc/vsftpd/user_list and
        /etc/vsftpd/ftpusers), can be used to keep specific local accounts off
        the vsftpd site. ftpusers is enforced through PAM and always denies the
        users it names; user_list is enforced by vsftpd itself when
        userlist_enable=YES and, with the default userlist_deny=YES, rejects
        the users it names before a password is even requested. Both list root
        and the other system accounts by default, and those entries should
        stay. Use the cat command to view the content and makeup of these
        files.
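
The settings that step 17 invites you to toggle interact with one another, and
it is easy to end up with a file that allows anonymous uploads or sends local
passwords in the clear. The script below is an added example, not part of the
lab handout or of the vsftpd project: it reads a vsftpd.conf, applies the
built-in defaults from vsftpd.conf(5) for keys that are not set, and reports
the weak settings discussed in steps 13, 16 and 17 and in the TCP Wrappers
section that follows. The two sample configurations it writes are constructed
for the demonstration (the first resembles a fresh Fedora file with the upload
lines uncommented, the second a hardened one); the certificate and banner paths
in the second are assumptions for the example, not Fedora defaults.

```shell
#!/bin/sh
# Added example, not from the lab handout or the vsftpd project: audit a
# vsftpd.conf for the settings this lab discusses. Key names and built-in
# defaults follow vsftpd.conf(5); the two sample configurations are
# constructed for the demonstration.

# Print the effective value of KEY in CONF, or DEFAULT when it is not set.
# Only uncommented "key=value" lines count, and the last one wins.
vsftpd_get() {
    local conf="$1" key="$2" default="$3" val
    val=$(sed -n "s/^[[:space:]]*$key=[[:space:]]*\(.*\)$/\1/p" "$conf" | tail -n 1 | tr -d '\r')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# True when KEY is a vsftpd boolean YES (yes/true/1 are accepted spellings).
vsftpd_yes() {
    case "$(vsftpd_get "$1" "$2" "$3" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# One line per finding. Built-in defaults: anonymous_enable=YES, the rest NO/unset.
vsftpd_audit() {
    local conf="$1"
    if vsftpd_yes "$conf" anonymous_enable YES &&
       { vsftpd_yes "$conf" anon_upload_enable NO || vsftpd_yes "$conf" anon_mkdir_write_enable NO; }; then
        echo "HIGH: anonymous users may write to the site (anon_upload_enable / anon_mkdir_write_enable): the 'incoming' problem of step 16"
    fi
    if vsftpd_yes "$conf" local_enable NO && ! vsftpd_yes "$conf" ssl_enable NO; then
        echo "HIGH: local accounts log in without TLS (ssl_enable=NO); their passwords cross the wire in clear text"
    fi
    if vsftpd_yes "$conf" local_enable NO && ! vsftpd_yes "$conf" chroot_local_user NO; then
        echo "MEDIUM: local users are not confined to their home directories (chroot_local_user=NO)"
    fi
    if ! vsftpd_yes "$conf" tcp_wrappers NO; then
        echo "MEDIUM: tcp_wrappers=NO, so /etc/hosts.allow and /etc/hosts.deny do not apply to vsftpd"
    fi
    if [ -z "$(vsftpd_get "$conf" ftpd_banner '')" ] && [ -z "$(vsftpd_get "$conf" banner_file '')" ]; then
        echo "LOW: no pre-login warning banner (neither ftpd_banner nor banner_file is set)"
    fi
}

# Number of findings for CONF; 0 means clean.
vsftpd_audit_count() {
    vsftpd_audit "$1" | grep -c -E '^(HIGH|MEDIUM|LOW):' || true
}

# Constructed: roughly a fresh Fedora vsftpd.conf after the upload lines that
# step 17 shows commented out have been switched on.
write_weak_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
listen=YES
tcp_wrappers=YES
EOF
}

# Constructed: anonymous read-only, local users chrooted and forced onto TLS,
# wrappers on, warning shown before login. The certificate and banner paths
# are assumptions for the example, not Fedora defaults.
write_hardened_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
dirmessage_enable=YES
xferlog_enable=YES
listen=YES
tcp_wrappers=YES
banner_file=/etc/vsftpd/banner
EOF
}

# Stand-alone demonstration over the two samples.
vsftpd_audit_demo() {
    local dir; dir=$(mktemp -d)
    write_weak_conf "$dir/weak.conf"
    write_hardened_conf "$dir/hardened.conf"
    for f in weak hardened; do
        echo "== $f.conf: $(vsftpd_audit_count "$dir/$f.conf") finding(s)"
        vsftpd_audit "$dir/$f.conf"
    done
    rm -rf "$dir"
}
vsftpd_audit_demo
```

Run it against the real file with vsftpd_audit /etc/vsftpd/vsftpd.conf after
each change you make in this lab; the weak sample reports four findings, the
hardened one none.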

    Security – TCP Wrappers

    19. TCP Wrappers is a UNIX security mechanism that will deny or allow access
        to TCP services according to where a connection comes from (the
        client's address or host name), not according to which user is logging
        in. We can keep unauthorized hosts away from our vsftpd server using
        TCP Wrappers. It is controlled by two files in the /etc directory:
        hosts.allow, which grants access to TCP services, and hosts.deny, which
        refuses it. hosts.allow is consulted first, and a connection that
        matches neither file is allowed. vsftpd honours these files only when
        tcp_wrappers=YES is set in vsftpd.conf, which is the Fedora default.

    20. Use the visual editor (vi) to add an implicit deny statement to the
        hosts.deny file:

                         vi          /etc/hosts.deny

    21. Using insert mode, modify the hosts.deny file by adding the following
        content:

                         ALL: ALL



        Note: this statement denies access to all wrapped TCP services for all
        hosts. It plays the same role as the implicit deny at the end of a
        firewall access control list: every host is denied unless it is
        granted access in the hosts.allow file.

    22. After modifying the hosts.deny file, write and quit your vi session.


    23. Try to login to the vsftp server as “anonymous” using an email address of
        “root@unix.net” for the password:

                         ftp      localhost

        Note: the hosts.deny statement ALL: ALL blocked your attempt to log in
        to the ftp server: the connection is closed before you are asked for a
        name (you see an "Access denied" message or the server's 421 reply).


    24. Using the visual editor (vi), modify the hosts.allow file to allow access
        from localhost:

                         vi          /etc/hosts.allow

    25. Using insert mode, modify the hosts.allow file by adding the following
        content:

                         ALL: localhost.localdomain

        Note: the hosts.allow statement grants access to all wrapped TCP
        services for connections whose source address resolves back to the
        host name localhost.localdomain (127.0.0.1, through its entry in
        /etc/hosts). TCP Wrappers matches on the client host, never on the user
        name. Because a name pattern depends on that reverse lookup succeeding,
        ALL: 127.0.0.1 (or ALL: LOCAL, which matches any host name without a
        dot) is the more robust way to express the same rule. All other hosts
        attempting to ftp in will be denied by the hosts.deny statement
        ALL: ALL.

    26. After modifying the hosts.allow file, write and quit your vi session.


    27. Try to login to the vsftp server as “anonymous” using an email address of
        “root@unix.net” for the password:

                         ftp      localhost

        Note: This time you were able to login to the ftp server.




    28. Using the on-line UNIX help utility (man), view other suggestions for
        writing allow and deny statements for TCP Wrappers:

                         man        hosts.allow

                 Note: Try adding ALL: 192.168.240.0/24 and see whether a lab
                 partner can ftp into your site. The network forms that
                 hosts_access(5) documents are the dotted-mask form,
                 192.168.240.0/255.255.255.0, and the trailing-dot prefix
                 192.168.240.; whether the /24 shorthand is accepted depends on
                 the tcp_wrappers build, so check the man page on your system.
                 Find a solution that allows a lab partner to access your ftp
                 server. On a machine you administer over the network, add the
                 hosts.allow rule for your own address before writing the
                 ALL: ALL deny, or your next ssh connection will be refused as
                 well.
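
Before writing ALL: ALL into hosts.deny on a machine you reach over the
network, it helps to know exactly which connections the pair of files will
admit. The script below is an added example, not part of the lab handout or of
the tcp_wrappers library: it re-implements the hosts_access(5) decision
(hosts.allow first, then hosts.deny, otherwise allow) for the pattern forms
used in this lab, and evaluates a constructed hosts.allow/hosts.deny pair that
mirrors steps 21 through 28 against several imaginary clients, including the
case where the reverse lookup of 127.0.0.1 fails. IPv6 addresses, hashed and
@-qualified patterns and the optional shell-command field are left out.

```shell
#!/bin/sh
# Added example, not from the lab handout or the tcp_wrappers library: a small
# re-implementation of the hosts_access(5) decision rule, so a hosts.allow /
# hosts.deny pair can be checked before it locks you out. Handles the pattern
# forms used in this lab: ALL, LOCAL, KNOWN, UNKNOWN, an exact host name or
# address, "net." prefix, ".domain" suffix, "n.n.n.n/m.m.m.m", "n.n.n.n/len"
# and "list EXCEPT list". IPv6, "@" forms, hashed entries and the optional
# shell-command field are not handled. Sample files are constructed.

ip2int() {                       # dotted quad -> 32-bit integer
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_match() {                 # one client pattern against (ip, hostname)
    local pat="$1" ip="$2" host="$3" net m mask
    case $pat in
        ALL)     return 0 ;;
        LOCAL)   case $host in *.*) return 1 ;; *) return 0 ;; esac ;;
        KNOWN)   [ "$host" != unknown ] ;;
        UNKNOWN) [ "$host" = unknown ] ;;
        */*)     net=${pat%%/*}; m=${pat#*/}
                 case $m in
                     *.*) mask=$(ip2int "$m") ;;                               # n.n.n.n/m.m.m.m
                     *)   mask=$(( (4294967295 << (32 - m)) & 4294967295 )) ;; # n.n.n.n/len
                 esac
                 [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        .*)      case $host in *"$pat") return 0 ;; *) return 1 ;; esac ;;    # .domain suffix
        *.)      case $ip   in "$pat"*) return 0 ;; *) return 1 ;; esac ;;    # net. prefix
        *)       [ "$pat" = "$ip" ] || [ "$pat" = "$host" ] ;;
    esac
}

list_match() {                   # $1 list, $2 daemon|client, then the values
    local list="$1" kind="$2" item; shift 2
    case " $list " in *" EXCEPT "*)
        local left="${list%% EXCEPT *}" right="${list#* EXCEPT }"
        list_match "$left" "$kind" "$@" && ! list_match "$right" "$kind" "$@"
        return ;;
    esac
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        if [ "$kind" = daemon ]; then
            [ "$item" = ALL ] || [ "$item" = "$1" ] && return 0
        else
            client_match "$item" "$1" "$2" && return 0
        fi
    done
    return 1
}

access_file_match() {            # does any "daemons : clients [: cmd]" rule match?
    local file="$1" daemon="$2" ip="$3" host="$4" line dl cl
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # strip comments
        case $line in *:*) ;; *) continue ;; esac    # skip blank lines
        dl=${line%%:*}; cl=${line#*:}; cl=${cl%%:*}
        list_match "$dl" daemon "$daemon" && list_match "$cl" client "$ip" "$host" && return 0
    done < "$file"
    return 1
}

# hosts_access(5): allow if hosts.allow matches, else deny if hosts.deny
# matches, else allow. Prints the verdict.
wrappers_decide() {              # allow_file deny_file daemon client_ip client_host
    if access_file_match "$1" "$3" "$4" "$5"; then echo allow
    elif access_file_match "$2" "$3" "$4" "$5"; then echo deny
    else echo allow; fi
}

write_sample_wrappers() {        # constructed files mirroring steps 21-28, in dir $1
    printf '%s\n' 'ALL: ALL' > "$1/hosts.deny"
    cat > "$1/hosts.allow" <<'EOF'
# the lab machine itself, exactly as step 25 writes it (matched by host NAME)
ALL: localhost.localdomain
# the lab subnet may use ftp, except one workstation; dotted-mask form
vsftpd: 192.168.240.0/255.255.255.0 EXCEPT 192.168.240.35
# ssh only from the lab subnet; classic trailing-dot prefix form
sshd: 192.168.240.
EOF
}

wrappers_demo() {                # stand-alone run over some imaginary clients
    local d c; d=$(mktemp -d); write_sample_wrappers "$d"
    for c in 'vsftpd 127.0.0.1 localhost.localdomain' \
             'vsftpd 127.0.0.1 unknown' \
             'vsftpd 192.168.240.12 host12.unix.net' \
             'vsftpd 192.168.240.35 host35.unix.net' \
             'sshd 192.168.240.12 host12.unix.net' \
             'sshd 10.9.8.7 unknown'; do
        printf '%-42s -> %s\n' "$c" "$(wrappers_decide "$d/hosts.allow" "$d/hosts.deny" $c)"
    done
    rm -rf "$d"
}
wrappers_demo
```

The second case in the demonstration is the one to notice: when the reverse
lookup of 127.0.0.1 fails, the name pattern from step 25 no longer matches and
ALL: ALL shuts the local machine out of its own server, which is why an address
pattern is the safer choice. Point the functions at /etc/hosts.allow and
/etc/hosts.deny to check your real files.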


Using Secure Shell (ssh):

    29. Use secure shell (ssh) for secure communications between network hosts.
        The service command can be used to start the ssh daemon:


                         service      sshd     start


    30. Enter ssh on the command line (instead of ftp), followed by the server's
        name, to initiate a session with a remote server. Use "localhost" for
        the server's name as we did earlier with vsftpd:


                 ssh localhost          (if "localhost" does not resolve, use 127.0.0.1)

                 Note: The first time you connect to a remote computer using ssh
                 (or scp), the command tries to establish the authenticity of
                 the remote host. It displays the RSA key fingerprint of the
                 host key it received and asks whether you want to continue. If
                 you type yes, the key is recorded in ~/.ssh/known_hosts and ssh
                 (or scp) will not question that host again; it will only warn
                 if the key later changes. This prompt is the one moment at
                 which an attacker impersonating the server can be caught, so
                 on a real network compare the fingerprint with the one the
                 server's administrator publishes before answering.

    31. Before you are prompted for a password, a message appears asking if you
        want to continue, and an RSA fingerprint is displayed. For localhost the
        "remote" host is your own workstation, so type "yes" to continue.


    32. When prompted for a password, enter your "root" password: ssh logs in
        under your current user name (root) on the remote side unless told
        otherwise, and your root password should be "fedora." Allowing root to
        log in over ssh at all is acceptable only on a lab system; on a
        production server set PermitRootLogin no in /etc/ssh/sshd_config and
        log in as an ordinary user.

                 password:                        (use "fedora" for your password)




    33. Once you are logged on to the remote server (in our case, you are in
        your own workstation), use the secure copy (scp) command to copy files
        between hosts. Give the destination as host:path; without a host prefix
        scp behaves like a plain local cp and never uses ssh:


                 cd /root/bin


                 scp findit.sh localhost:/root


        Note: Use the man command to find out more about scp.



    34. Type “exit” to end your secure connection with localhost.
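
Answering "yes" in step 31 is safe only when the fingerprint shown matches the
one the server's administrator gave you. The script below is an added example,
not from the lab handout or from OpenSSH: it computes the old-style MD5
fingerprint that ssh printed at the time of this lab from a public key line,
looks a host up in a known_hosts-style file, and compares the two. The key
blobs in its sample file are placeholders (the base64 of the strings "hello"
and "world"), not real host keys, and the expected fingerprint is simply the
MD5 of the first placeholder; with a real key you would obtain the expected
value on the server console with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
(on OpenSSH 6.8 and later add -E md5 to get this format).

```shell
#!/bin/sh
# Added example, not from the lab handout or from OpenSSH: compute the
# old-style MD5 fingerprint of an OpenSSH public key (the form the "RSA key
# fingerprint is ..." prompt in step 31 showed at the time) and compare it
# with the value the server's administrator published. The key blobs in the
# sample file are placeholders (base64 of "hello" and "world"), not real keys.
# Needs coreutils base64 and md5sum.

# Fingerprint of one key line ("type base64blob [comment]") as aa:bb:cc:...
key_fingerprint_md5() {
    local blob
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    printf '%s' "$blob" | base64 -d | md5sum | awk '{print $1}' | sed 's/\(..\)/\1:/g; s/:$//'
}

# Print "type blob" recorded for HOST in a known_hosts-style FILE (plain,
# unhashed names only: "host[,alias...] type blob [comment]"); 1 if absent.
known_host_key() {               # file host
    awk -v h="$2" '
        $1 !~ /^[#|@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $2, $3; exit }
        }' "$1" | grep .
}

# 0 when the key recorded for HOST has fingerprint EXPECTED, 1 on mismatch,
# 2 when no key is recorded. Prints the verdict either way.
verify_host_fingerprint() {      # file host expected
    local key actual
    key=$(known_host_key "$1" "$2") || { echo "UNKNOWN $2: no key recorded"; return 2; }
    actual=$(key_fingerprint_md5 "$key")
    if [ "$actual" = "$3" ]; then echo "OK $2 $actual"; return 0; fi
    echo "MISMATCH $2: expected $3, recorded key has $actual"
    return 1
}

# Constructed known_hosts mirroring the lab's /etc/hosts names. The blobs are
# placeholders, not real keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
localhost,localhost.localdomain,127.0.0.1 ssh-rsa aGVsbG8= placeholder-for-localhost
picasso.unix.net,pi,192.168.240.200 ssh-rsa d29ybGQ= placeholder-for-picasso
EOF
}

# What the administrator would hand you out of band. Here it is simply the MD5
# of the placeholder blob "hello"; with a real key, obtain it on the server
# console with: ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
LOCALHOST_EXPECTED_FP=5d:41:40:2a:bc:4b:2a:76:b9:71:9d:91:10:17:c5:92

ssh_fp_demo() {                  # stand-alone run: one match, one mismatch, one missing
    local f; f=$(mktemp); write_sample_known_hosts "$f"
    verify_host_fingerprint "$f" localhost    "$LOCALHOST_EXPECTED_FP" || true
    verify_host_fingerprint "$f" pi           "$LOCALHOST_EXPECTED_FP" || true
    verify_host_fingerprint "$f" h12.unix.net "$LOCALHOST_EXPECTED_FP" || true
    rm -f "$f"
}
ssh_fp_demo
```

After answering "yes" in step 31, run verify_host_fingerprint against
~/.ssh/known_hosts with the value from the server console; a MISMATCH means
the key you just accepted is not the server's, and the entry should be deleted
before you connect again.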



    35. This completes Week 6 Lab 2 – please complete the answer sheet and
        turn it in to the lab instructor for grading. Shutdown your system and
        return all equipment to the classroom storage cabinet. Please disconnect
        all Cat 5e patch cables from the patch-panel and switch. Install the
        Windows hard drive and boot windows.

       iLab users can log off now.




                               NETW-240
          Network Operating Systems, UNIX / Linux with Lab
      Week 6 Lab 2: Setting Up a Secure FTP Server – Answer Sheet

Name                                                          Date

    1. Explain who is responsible for the security on a Unix/Linux system.




    2. Explain how all users accessing a server site can be warned that action will
        be taken against unauthorized intrusion.




    3. Explain what service “TCP Wrappers” performs, and list the names of its
        two configurable files.




    4. Explain what the default login and password are for any public ftp server.




    5. Explain what benefit is derived by using secure shell (ssh) to connect to an
        ftp site.





				
Posted: 4/1/2012