Network Operating Systems, UNIX / Linux with Lab
Week 6 Lab 2: Setting Up a Secure FTP Server – 1 hour
Understanding the responsibilities for administering content sites.
Updating the /etc/hosts file to identify remote hosts and servers.
Performing an ftp server installation
Configuring parameters, access permissions, and options for an ftp server.
Learning how to connect to an ftp server as a real account and a guest
Learning to establish a secure telnet session with an nfs server
One classroom workstation, lab workstation, or home PC.
One NETW-240 hard drive loaded with Red Hat Fedora Linux or iLab
One set of Fedora Linux CD’s or one Fedora Linux DVD or iLab access.
One Cat 5e patch cable or iLab access.
One Cisco Catalyst switch (per class) or iLab access.
Week 6 Lab 2 assignment with attached answer sheet.
Updating /etc/hosts to identify local and remote hosts and servers.
Identifying critical system files for configuring and displaying site
Installing and configuring a secure ftp server.
Performing a secure telnet session to an nfs server.
NETW240 Week 6 - Lab 2 Setting Up Secure FTP -1-
Completion of steps and questions included in the Procedures below
Submittal of the lab question and answer sheet to the instructor for
We will continue to learn to install and configure TCP/IP servers. Each server
allows local, remote, and guest user access. It is our responsibility as system
administrators to safeguard our system’s resources and information. A legal
statement should be displayed to users accessing the system. Legal messages
should be approved by your organization’s legal department. An example of a
warning message follows:
Warning: You are accessing a secure site and confidential information.
Access is restricted to authorized persons ONLY. Unauthorized access or
use is not permitted and constitutes a crime punishable by law. Violators
will be prosecuted.
Warning messages should be displayed before a user logs into the system. We
will learn to add warning messages in today’s lab. This is only one part of an
effective security policy.
File Transfer Protocol:
File Transfer Protocol (FTP) is a TCP/IP application designed to transfer files
across a network from one host to another. The first implementation of FTP was
in 1971 for minicomputers and mainframes running the UNIX operating system.
FTP works on the client/server model by allowing remote clients to move up and
down a server’s directory structure to find and download files of interest. Today,
WWW search engines find files on Internet servers running FTP. By clicking on a
link, we are actually using FTP to transfer files to our computer.
Any Linux system can operate as an ftp server by running the ftp daemon. A
special user account in /etc/passwd will allow remote users to login as
“anonymous.” The password for anonymous is the remote user’s e-mail address.
A major disadvantage of FTP is the fact that it does not encrypt an authorized
user’s name and password, leaving them open to sniffer capture and unauthorized
use. To prevent this from occurring, we will be installing a version of FTP named
Very Secure FTP (vsFTP).
As a UNIX system administrator, it is your responsibility to set up FTP directories
so that files people need are accessible without compromising the security on the
rest of your system.
Procedures: See Chapter 20, Setting Up an FTP Server
1. To access ftp and nfs servers, an entry must be made in your /etc/hosts
file. Notice the server named picasso. It has an alias of “pi” so users can
use pi instead of an IP address or FQDN when communicating across the
iLab users may use a server name that is not picasso
2. Using the visual editor (vi), verify that all hosts on the network are added
in /etc/hosts (this should have been completed in an earlier lab exercise):
127.0.0.1 localhost.localdomain localhost
192.168.240.200 picasso.unix.net pi
192.168.240.12 host12.unix.net h12
192.168.240.35 host35.unix.net h35
... (make an entry for all workstations sharing your switch)
3. After verifying entries in /etc/hosts for all hosts on the network, you
should be able to ping everyone on the network.
4. Using the ping command, ping picasso
Note: If you cannot ping anyone on the network, begin setting up your
vsFTP server in order to remain current with your lab. After setting up vsFTP,
troubleshoot your connectivity problem.
Configuring the FTP Server
5. Verify that the ftp user account is listed in /etc/passwd. This user account
assigns anonymous (or guest) FTP users to user ID 14 and group ID 50.
This restricts their permissions and their ability to ‘cd’ out of the ftp
grep "ftp" /etc/passwd
The following entry should be displayed:
Note: Users who are classified as “real users” already have a legitimate
user account on an ftp server. These users can log in to the ftp site using
their assigned user name and password.
6. Use the rpm command to verify that the vsFTP software package is
installed on your workstation:
rpm -q vsftpd
7. If vsftpd is not listed, try running chkconfig with the ftpd daemon:
chkconfig --list ftpd
8. If neither vsftpd nor ftpd is displayed, you will need to load vsftpd from
your CD or DVD set. Use the earlier “rpm” lab to work through this
9. Use the check configuration (chkconfig) command to enable the vsftpd
chkconfig vsftpd on
10. Use the service command to start the vsftp server:
service vsftpd start
11. Try to log in to the vsftp server as “anonymous” using an email address of
“email@example.com” for the password:
ftp localhost (if localhost cannot be found, use "lo")
connected to your host
220 (vsftp 2.0.3)
530 Please login with User and Pass
Name (localhost) : anonymous
331 Please specify password.
230 login successful.
Remote system type is UNIX.
Using binary mode to transfer files
12. If the previous step was successful, remember that we did not see a
warning message to alert users that unauthorized activity on our ftp site is
illegal. To display a message, use the visual editor to open a session with
a file named “.message” in the /var/ftp directory:
13. Add the following notice in the .message file. Do not use the echo
command since .message displays all content to anonymous ftp guests.
Centering must be done using the space bar.
Warning – Proprietary FTP Site – Authorized Use Only
Violators will be prosecuted under Title 18 US Code 1030 and Title 18 US Code
For access or other information, contact firstname.lastname@example.org
14. To test your message, log in to the ftp site as anonymous. You should see
your message after entering a password.
15. While in the /var/ftp directory, list all files currently in ftp:
ls -l /var/ftp
You should see the following output:
drwxr-xr-x 1 root root 1024 Aug 9 11:30 pub
16. Some FTP sites have an “incoming” directory where users can upload files
to a shared directory. It is not recommended that a company’s ftp site allow
uploads from the public. Incoming directories are inevitably abused by
pirated-software traders, illicit content providers, and other illegal
Note: Under US Federal Law, a company is responsible for all content posted
on its ftp or web site.
17. A file named vsftpd.conf is located in the /etc/vsftpd directory. Use the cat
command to view the contents of this configuration file:
less /etc/vsftpd/vsftpd.conf
Notice that it has parameters that can be uncommented to activate certain services.
18. Two more files, vsftpd.user_list and vsftpd.ftpusers, can be used to restrict
specific users from accessing the vsftp site. Use the cat command to view
the content and makeup of these files.
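An added example (not part of the lab handout): a small checker that parses a vsftpd.conf in the option=value format viewed in step 17 and flags settings that work against the lab's guidance, such as anonymous uploads (step 16), the missing pre-login banner (steps 12-13), the user_list files (step 18) and TCP Wrappers (step 19). The SAMPLE_CONF text is constructed for the example, not copied from a real system.

```python
"""Checker for vsftpd.conf settings (added example, constructed sample input).
vsftpd reads 'option=value' lines with no spaces around '='; lines starting
with '#' are comments, and a later duplicate overrides an earlier one."""
import re

# Constructed sample: a near-default vsftpd.conf with anon_upload_enable
# uncommented, the weak setting the lab warns against in step 16.
SAMPLE_CONF = """\
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_upload_enable=YES
#ftpd_banner=Welcome to blah FTP service.
userlist_enable=YES
tcp_wrappers=YES
"""

def parse_vsftpd_conf(text):
    """Return {option: value}; comment lines never match the pattern."""
    settings = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Za-z_]+)=(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    yes = lambda opt: settings.get(opt, "NO").upper() == "YES"
    findings = []
    # anon_upload_enable only takes effect together with write_enable=YES
    if yes("anonymous_enable") and yes("write_enable") and yes("anon_upload_enable"):
        findings.append("anonymous uploads allowed: set anon_upload_enable=NO")
    # .message (dirmessage) is shown after login; ftpd_banner is shown before
    if "ftpd_banner" not in settings and "banner_file" not in settings:
        findings.append("no pre-login warning: set ftpd_banner=... or banner_file=...")
    if not yes("userlist_enable"):
        findings.append("user_list not consulted: set userlist_enable=YES")
    if not yes("tcp_wrappers"):
        findings.append("hosts.allow/hosts.deny ignored: set tcp_wrappers=YES")
    if not yes("ssl_enable"):
        findings.append("passwords travel in the clear: set ssl_enable=YES")
    return findings
```

Running `audit(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))` on the lab workstation lists the settings to revisit before exposing the server.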
Security – TCP Wrappers
19. TCP Wrappers is a UNIX security mechanism that will deny or allow access
to TCP services. We can prevent unauthorized access to our vsftp server
using TCP Wrappers. TCP Wrappers consists of two files located in the
/etc directory. The hosts.deny file prevents certain users from accessing
TCP services while the hosts.allow authorizes users to access TCP
20. Use the visual editor (vi) to add an implicit deny statement to the
21. Using insert mode, modify the hosts.deny file by adding the following
Note: this statement denies access to all TCP services for all users. It
follows the implicit deny statement found in a firewall access control list.
All users are denied access if not granted access in the hosts.allow file.
22. After modifying the hosts.deny file, write and quit your vi session.
23. Try to log in to the vsftp server as “anonymous” using an email address of
“email@example.com” for the password:
Note: the hosts.deny statement ALL: ALL blocked your attempt to log in
to the ftp server, and an “Access Denied” error message appeared.
24. Using the visual editor (vi), modify the hosts.allow file to allow access to
25. Using insert mode, modify the hosts.allow file by adding the following
Note: the hosts.allow statement grants access to all FTP services for the
user localhost.localdomain. All other users attempting to ftp in will be
denied access by the hosts.deny statement of ALL: ALL.
26. After modifying the hosts.allow file, write and quit your vi session.
27. Try to log in to the vsftp server as “anonymous” using an email address of
“firstname.lastname@example.org” for the password:
Note: This time you were able to log in to the ftp server.
28. Using the on-line UNIX help utility (man), view other suggestions for
writing allow and deny statements for TCP Wrappers:
Note: Try adding - ALL: 192.168.240.0/24. See if a lab partner
can ftp into your site. Find a solution that allows a lab partner to
access your ftp server.
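An added example (not part of the lab handout) that simulates the evaluation order TCP Wrappers applies to hosts.allow and hosts.deny in steps 19-28: a (daemon, client) pair is granted access if it matches hosts.allow, otherwise denied if it matches hosts.deny, otherwise granted. The rule text in HOSTS_ALLOW and HOSTS_DENY is constructed to mirror the lab (including the ALL: 192.168.240.0/24 suggestion of step 28); EXCEPT lists and shell commands from hosts_access(5) are not implemented.

```python
"""Simulator for tcp_wrappers hosts.allow / hosts.deny evaluation
(added example; rule files below are constructed, not read from /etc)."""
import ipaddress

def match_client(pattern, host, ip):
    """Match one client pattern (hosts_access(5) style) against a client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # hostname without a dot
        return host is not None and "." not in host
    if pattern.startswith("."):                 # domain suffix, e.g. .unix.net
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.240.
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask or net/prefixlen
        net, mask = pattern.split("/", 1)
        if "." in mask:                         # dotted mask -> prefix length
            mask = bin(int(ipaddress.IPv4Address(mask))).count("1")
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, ip)                # exact hostname or address

def file_matches(rules, daemon, host, ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if ":" not in line:
            continue
        daemons, clients = (f.split() for f in line.split(":")[:2])
        if ("ALL" in daemons or daemon in daemons) and \
                any(match_client(c, host, ip) for c in clients):
            return True
    return False

def hosts_access(allow, deny, daemon, host, ip):
    """Return True when tcp_wrappers would let `daemon` serve this client."""
    if file_matches(allow, daemon, host, ip):
        return True
    return not file_matches(deny, daemon, host, ip)

# Constructed rule files mirroring the lab: implicit deny plus explicit allows.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = ("vsftpd: localhost.localdomain\n"
               "vsftpd: 192.168.240.0/24   # lab partners on the same switch\n")
```

Note that with these files `hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "localhost.localdomain", "127.0.0.1")` returns False: the ALL: ALL line also covers sshd on systems where it is linked against libwrap, so the ssh steps below need their own hosts.allow entry there.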
Using Secure Shell (ssh):
29. Use secure shell (ssh) for secure communications between network hosts.
The service command can be used to start the ssh daemon:
service sshd start
30. Enter ssh on the command-line (instead of ftp) to initiate a session with a
remote server followed by the server’s name. Use “localhost” for the
server’s name as we did earlier with vsftp:
ssh localhost (if "localhost" does not work, use "lo")
Note: The first time you connect to a remote computer using ssh
(or scp), the command will try to establish the authenticity of the
remote host. It will display the RSA key fingerprint and ask you if
you want to continue. If you type yes, ssh (or scp) will not question
the authenticity of that host again.
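An added example (not part of the lab handout) of what the fingerprint in the note above is: a hash over the host's public key blob. The code computes both formats OpenSSH prints (MD5 colon-hex and SHA256 base64) from a known_hosts line, so the value shown at the prompt can be checked against the one the server reports with `ssh-keygen -l`. The ssh-rsa key below is constructed with tiny numbers purely to exercise the encoding; it is not a usable key.

```python
"""Host key fingerprint computation from a known_hosts line (added example;
the key material is constructed and not a real key)."""
import base64, hashlib, struct

def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    """RFC 4251 'mpint' for a positive integer: leading 0x00 if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e, n):
    """Wire-format ssh-rsa public key (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def fingerprints(blob):
    """Return (MD5 colon-hex, SHA256 base64) as OpenSSH displays them."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def parse_known_hosts_line(line):
    """known_hosts format: 'host[,host...] keytype base64key [comment]'."""
    hosts, keytype, key = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(key)

def key_matches(line, expected_fp):
    """True when the key on the known_hosts line has the expected fingerprint."""
    _, keytype, blob = parse_known_hosts_line(line)
    return keytype == "ssh-rsa" and expected_fp in fingerprints(blob)

# Constructed key and known_hosts line (not secure; for the encoding only).
BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
KNOWN_HOSTS_LINE = "localhost,127.0.0.1 ssh-rsa " + base64.b64encode(BLOB).decode()
```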
31. Before you are prompted for a password, a message appears asking if you
want to continue. An RSA fingerprint will be displayed. Type “Yes” to
32. When prompted for a password, enter your “root” password since the
remote host knows you as the current user on your system. Your root
password should be “fedora.”
password: (use “fedora” for your password)
33. Once you are logged on to the remote server (in our case, you are on
your own workstation), use the secure copy (scp) command to copy files
scp findit.sh /root
Note: Use the man command to find out more about scp.
34. Type “exit” to end your secure connection with localhost.
35. This completes Week 6 Lab 2 – please complete the answer sheet and
turn it in to the lab instructor for grading. Shut down your system and
return all equipment to the classroom storage cabinet. Please disconnect
all Cat 5e patch cables from the patch-panel and switch. Install the
Windows hard drive and boot Windows.
iLab users can log off now.
Network Operating Systems, UNIX / Linux with Lab
Week 6 Lab 2: Setting Up a Secure FTP Server – Answer Sheet
1. Explain who is responsible for the security on a Unix/Linux system.
2. Explain how all users accessing a server site can be warned that action will
be taken against unauthorized intrusion.
3. Explain what service “TCP Wrappers” performs, and list the names of its
two configurable files.
4. Explain what the default login and password are for any public ftp server.
5. Explain what benefit is derived by using secure shell (ssh) to connect to an