CompTIA Linux+ XK0-005 – Unit 14 – FTP and Email Services part 1

  1. FTP and Email Services

Now, in this unit, we’re going to talk about some other services, not as popular perhaps as the web services, but you could argue that they might be, and that is the FTP and email service. So now, again, our goal is not to get into the nitty gritty about all of these different servers and exchanges and the administration of them, but how to install them, configure them, and test them, and to make sure we understand how they work. So that’s our goal. We’ll configure, test, and use FTP services, and then we’ll talk about, or use the term investigate the different types of components that make an email service.

  1. Topic A: FTP Services

So our first topic is going to be to talk about the FTP services, or what we call the File Transfer Protocol. Now, FTP is still a very popular method by which we can store files on a server, have users authenticate, and allow them to either upload or download whatever files they have permissions to look at.

  1. FTP

All right, so FTP’s job then is for the transfer of files. That means, the way I described it, it is a server and client type of technology. Now, as a server client, it could have its own authentication method, meaning it can have its own database of users, or it can utilize other authentication services that we’ve talked about before to be able to help authenticate who somebody is before they come in there and download or upload files. In fact, many web servers require that you actually use FTP to transfer new content to the web server for the purpose of people looking at them through the HTTP protocol. Now, in this case, there are many different types of FTP daemons that you can use to install on Linux.

There is the Washington University FTP daemon that you’d see as WU-FTPD, the Very Secure FTP daemon, the Pro FTP daemon, the Pure FTP daemon. And I’ll bet if I Googled it, I could probably find tons of other FTP services that are able to run on Linux. So it is a very common service, almost always a free service. Very rarely are you going to find somebody who actually wants you to pay for the ability to have an FTP server on your raw system. So it’s easy to acquire, easy to set up. The only thing you have to do then is make sure everybody knows where your FTP server is. And it has very minimal configuration when you really come down and think about it.

  1. Demo – Installing an FTP Server

All right, we are going to use the Synaptic package manager to install the FTP server. And what we’re going to do is we’re going to search for this WU-FTPD. So there it is. And we’re going to come over here and take this ProFTPD daemon and pop that in there, click on apply and apply. And then we’re going to get that thing up and running, and notice it’s ProFTPD. We’re going to get up and get that thing running as a standalone server, close it down, and just like that, we’ve installed the FTP daemon. Now, you may want to go check again under init.d to make sure that it started later on if you don’t get it to work or if you make any configuration changes. But that’s how easy it is to go out there and install any one of these many packages that are available to you on the Synaptic package manager.

  1. Configuration

So as we talk about the configuration, here’s basically what you’re going to deal with. You’re going to have to go into ftpaccess and make the information available about the access. Now, you might think, well, that’s users. Well, there’s another configuration file called ftpusers where we can put in the user information about who is allowed to have their connections. But FTP is a hierarchical file system, and so you basically have to say which directory and which files are available through FTP. In other words, FTP opens up like a file share. Like we talked about with NFS. It’s opening up a file share that people can access, but it’s doing it through a different process.

Now, you can also determine, as I said, which users have access. You can also, through the ftphosts file, go out there and say which particular hosts can make the connections in. Again, a part of the security is not to let everybody into your FTP server. Now, just as an example of why this is important, I was working with a friend, another colleague, who decided to put an FTP server on his home computer. Home computer, not even really a server, but to put it on there and open it up so that I could get in there and download a file that I needed. His firewall log showed over 15,000 hits on his FTP server in the first day that he turned it on as a home user.

That meant that there were that many people scanning ports, looking to see what was there and potentially trying to get into his FTP server. And as a home user, you’re really not that important. If you’re a bank or military organization, you’re going to have even more people trying to get in, and it’s just amazing. So when you turn these things on, you probably do want to configure the users and hosts to make sure you’re specific about the people that can authenticate and where they have to be. There’s also the message files that you can use that allow you to be able to send out preprogrammed, precanned messages to people based on errors or permissions or whatever else you want it to set up and say.

  1. Demo – Configuring the FTP Server

All right, let’s take a look at some of these settings that we’re using for our FTP. And what I’m going to do is do a quick listing of anything in the /etc folder. And it looks like all we have is just a list of FTP users. So let’s take a look at who those users are with the cat command. And it looks like pretty straightforward, just all the users that I have, which is root and then some of these system options. Okay, now if I wanted to, I could also have created an FTP host account, just letting you know that there isn’t one there by default. Had there been, then you could also limit the access as far as who can get into that particular location or that server.

Now I’m going to go double tab here and get to this proftpd under /etc. And we’ll see that there are some configuration files that we could work with to add to the types of things that we are allowed to do. For instance, if I do the cat command and follow this path, again, /etc/proftpd and then do the proftpd configuration file. Here is a configuration file that shows you whether or not we want to allow the anonymous connections in if we want to be brave. I like that comment, if you’re brave, to change some of the permissions of the files that you store in the FTP server. And again, it’s different with every version of FTP servers out there.

In some cases, I could have login banners, lists of who to deny and many other options. And it all just depends on the server and the types of configuration files. So again, when I listed the files, you can see that there were some LDAP configurations, some SQL, some TLS stuff. So these are just the configuration files you would work with depending on the FTP server. This is ProFTPD that I’m using, and there are many hundreds, I would almost want to say several hundred FTP servers out there that you can use, download, install, and be able to provide those services. You just want to know what your options are, especially for security.

  1. Security

All right. Security, as I just mentioned, is probably a big issue when it comes to working with FTP. Now, you have some options with chroot and what we call the chroot jail. Now, the chroot command is a core Linux function that provides security. With that command, you can set up what we call a jail within which programs and services run. What does that mean? That means we can contain programs and services within that jail. A program will only be allowed to see a portion of your file system. So again, if you remember what I said about FTP, FTP is like having a file share. You’re letting somebody see a directory.

But if they can see that directory, do you want them to see all the child directories, all those subdirectories that fall underneath it? Do you want them to be able to change directory and go to some other location in your file system by having that access? And the answer is no, you don’t. You want to give them only what you think is important to them. And through the use of creating a chroot jail, you can allow the program to only see the portion of the file system that they are supposed to be able to work with. That way you can have a virtual FTP and email service in your environment that won’t have access to other parts of more critical file systems.

It basically helps FTP prevent users from getting to those critical areas because FTP will simply say, it’s not that I don’t believe your authentication, it’s just that I don’t believe those other files exist. If you don’t set that up, you potentially run the risk of a person figuring out your file system, especially since it’s so common with every distribution that they’re going to be able to move in and potentially cripple your system or create new environments that they can get into other locations and just cause you all sorts of grief. So FTP, when you install it, should have the chroot jail created so that you limit the access that FTP has to the file system.

  1. Security B

Now, one of the other things you have to deal with on FTP is, do I allow anonymous access? All right? We allow anonymous access with most of our web pages. I mean, we do want anybody to come in and look at our content, maybe order from our catalogs, whatever you want them to do. The purpose of your web server was to get people there. And you know what? We don’t want to log in to every single web page. We’re maybe not even happy that we have to look at advertisements on every web page, let alone log in. So anonymous access could be common to the security needs of FTP.

So that’s another reason why you want to create a chroot jail, because we want to make sure that those people who haven’t even authenticated so we don’t even know anything more about them other than the IP address they’re coming from. If they get into our FTP server, we want to keep them within that directory structure. Now, we also want to make sure that if we’re copying files, that we configure file security. Now, file security is a big deal. Just because you can get to a file and download it doesn’t mean that I really want you to. So we’re going to deal with that. And if you are downloading a file, we have to remember that all FTP is done in clear text.

So you may even want to consider what we call a secure FTP or even go into a new issue called the SCP, the Secure copy protocol. Anyway, all of that will be done in your setup for anonymous connections, the directory structure, the jail, making sure the files have the proper security so that people can’t get a file that they don’t have permission to, especially anonymous. And I think also important is that we don’t allow anonymous people to upload files because you know what they could be a hacker, uploading malware, Trojans, viruses, and all sorts of other bad things.

We want to be able to also edit your FTP configuration files again so that we can create the user accounts that we can set up more information about, again, the size of the directory, all of that sort of stuff is a part of the planning of FTP. And when that’s all said and done, when you start making these changes, remember, you’re going to have to be able to restart the daemon, because generally these changes don’t take effect until you reboot the FTP service. And always test this thing to make sure it’s working the way you want it to work before you actually put it out into production.
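The chroot jail and the no-anonymous-upload rule described above can be checked in the server's configuration before the daemon is restarted. The following is an added example, not part of the original lesson and not ProFTPD's own tooling: a small audit over text in `proftpd.conf` syntax. The sample configuration, the finding codes and the function name `audit` are assumptions made for the example; `DefaultRoot`, `<Anonymous>`, `<Limit>`, `DenyAll` and `AllowAll` are ProFTPD directives.

```python
import re

# Constructed sample in proftpd.conf syntax (not taken from the page).
SAMPLE_CONF = """\
ServerName "ftp.example.test"
# DefaultRoot ~
<Anonymous ~ftp>
  User ftp
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
  <Directory incoming>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
"""

# <Limit> arguments that cover file uploads.
UPLOAD_CMDS = {"WRITE", "STOR", "STOU", "APPE", "ALL"}
BLOCK = re.compile(r"<\s*(/?)\s*(\w+)([^>]*)>")


def audit(conf_text):
    """Return a sorted list of finding codes for the given configuration text."""
    findings = set()
    stack = []          # names of the blocks currently open
    limit_cmds = set()  # commands covered by the innermost <Limit>
    jailed = anon_seen = anon_write_denied = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (naive about '#' in quotes)
        if not line:
            continue
        m = BLOCK.fullmatch(line)
        if m:
            closing, name, args = m.group(1), m.group(2).lower(), m.group(3)
            if closing:
                if stack and stack[-1] == name:
                    stack.pop()
            else:
                stack.append(name)
                anon_seen = anon_seen or name == "anonymous"
                if name == "limit":
                    limit_cmds = {a.upper() for a in args.split()}
            continue
        directive = line.split()[0].lower()
        in_anon = "anonymous" in stack
        if directive == "defaultroot" and not in_anon:
            jailed = True  # logged-in users are confined to the given directory
        if in_anon and stack[-1] == "limit" and limit_cmds & UPLOAD_CMDS:
            if directive == "denyall":
                anon_write_denied = True
            elif directive == "allowall":
                findings.add("anonymous-upload-allowed")
    if not jailed:
        findings.add("no-defaultroot-jail")
    if anon_seen and not anon_write_denied:
        findings.add("anonymous-write-not-denied")
    return sorted(findings)


# Same file with the jail enabled and the upload exception closed.
HARDENED_CONF = SAMPLE_CONF.replace("# DefaultRoot ~", "DefaultRoot ~").replace("AllowAll", "DenyAll")
```

Calling `audit(SAMPLE_CONF)` reports the commented-out jail and the writable `incoming` directory; `audit(HARDENED_CONF)` returns an empty list.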

  1. FTP Clients

Now, as a user trying to get into your FTP server, I need what’s called an FTP client. That’s actually very easy to do. There are as many free clients as there are FTP services. FileZilla is probably one of the more popular ones. It’s the one I use. I like FileZilla because it allows me to do secure connections and/or unsecured connections, and it stores those connections and stores my information. So it’s easy with a single click to make a connection and upload or download files. Konqueror, Kasablanca, gFTP, GNOME Commander. There’s so many different types of programs you can use, or if you’re a good programmer, you can write your own.

It’s a very common protocol. All we need to be able to do is provide the address or the URL of where the FTP server is. Make sure we know which port we’re using. By the way, that’s one of the things you can also configure in your FTP configurations. It does not have to use the default ports if you don’t want it to anyway. Set all that information up. Maybe authentication, maybe not types of authentication. Again, all of that are settings that you’ll work with on these clients to be able to make the connections to the FTP server.

  1. Active Mode

Now, FTP has two modes that we often will work with. One’s called active mode, one’s called passive mode. Now, some of you may have studied lots of security and you’ve said, you know what, FTP, I got it. That’s port 21. Got to have my firewall permit port 21. If that’s the only port you permit, you don’t have FTP, because that just allows me to make the connection to authenticate, to set up the request to put or get files. But I need port 20 open so the actual transfer of data can occur. Now, that’s an important concept. Many firewalls today have these things they call ALGs, application layer gateways.

And what they do is they dynamically open up port 20 once they see port 21. The reason that’s important in security and again, here I go off base. Again, the reason it’s important is that I don’t want to permanently leave port 20 open because that’s another hole through my firewall. So if you connect to me on port 21 and I permit it, then ALG says open port 20 so that the back and forth communication could go. Now, active mode is basically where the client is going to contact the servers with whatever port assignments they were given, and the server is going to contact the client on that same control port that’s port 21.

That’s the setup, if you would, of the communication request. Now, this is going to require inbound connections to the client to be able to make this happen. So in general, we need to make sure security on both sides allows this connection. Now, notice what I said. The client is contacting the server. The server is contacting the client. It is a back and forth communication process. And if successful, then our information transfers on port 20. 

  1. Passive Mode

Now, in the passive mode of FTP, the client is going to contact the server with whatever port assignment it’s going to give, and the server will respond with its control port number. The client can then connect to that server on that port, and then it requires the server to have all of those ports that it’s providing open, but not the client. In other words, there’s not really a back and forth type of information. So I contact the server with whatever port I need. It tells me which is the control port, make that connection, and then I begin the transfer of information. Passive mode does not mean that I can’t still have authentication. It just means the manner in which the communications occur is different than active mode. Most of you are going to find that your FTP services today almost always run in passive mode.
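For firewall work it helps to see which side ends up listening for the data connection in each mode. In the FTP protocol (RFC 959) the listening address is announced on the control connection as six numbers, `h1,h2,h3,h4,p1,p2`, in the client's `PORT` command (active) or the server's `227` reply to `PASV` (passive). The following is an added example, not part of the original lesson; the session lines, the documentation-range addresses and the function names are constructed for it.

```python
import re

SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed control-connection lines ("C" = client, "S" = server).
SAMPLE_SESSION = [
    ("C", "PORT 198,51,100,7,204,31"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,149)"),
]


def decode_endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1 * 256 + p2."""
    m = SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in: %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connections(session, client_ip, server_ip):
    """List the data-connection listeners announced on a control connection.

    client_ip and server_ip are the two ends of the control connection; an
    announced address that differs from the expected end is flagged, since a
    data connection to a third host is something a firewall should not allow.
    """
    found = []
    for sender, line in session:
        if sender == "C" and line.upper().startswith("PORT "):
            # Active mode: the client listens, the server connects in to it.
            mode, expected, initiator = "active", client_ip, "server"
        elif sender == "S" and line.startswith("227 "):
            # Passive mode: the server listens, the client connects out to it.
            mode, expected, initiator = "passive", server_ip, "client"
        else:
            continue
        ip, port = decode_endpoint(line[4:])
        found.append({
            "mode": mode,
            "listener": (ip, port),
            "initiator": initiator,
            "foreign_address": ip != expected,
        })
    return found
```

The port in each entry is what has to be reachable: on the client side for active mode, on the server side for passive mode, which is why servers are usually configured with a fixed passive port range that the firewall can permit.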

  1. Transfer Types

Now, as we begin to transfer files, there are two types of modes that we can set up for FTP. Now, the good news is, with most of these clients that you use, you don’t have to deal with the type of mode. You don’t have to choose ASCII mode or binary mode. It just does the transfer. But if it’s in ASCII mode, then you’re basically transferring data as ASCII characters. An ASCII character, ASCII, I don’t even remember what it stands for. Now you can go Google that. That character code is a numeric reference for every letter of the alphabet. In other words, each single byte, a number from zero to 255 represents some sort of character. And they have different bytes for the lower case and the uppercase version of each of these.

So when we’re transferring this information, we’re literally just transferring all of these bytes, each number representing a character, and that becomes the file as a very simple or simplistic form of transferring data. Not very good. If it’s a picture or an executable program or something else, that’s binary mode. In binary mode, we transfer the data as a binary value. We don’t have to translate the data. In other words, I don’t have to take each of those values, translate them to a character, because guess what? Those numerical references don’t refer to letters. Maybe they do, but we don’t know that it’s a file as a whole. So we often call the binary mode. We might also call it an image mode. 

  1. Demo – Transferring Files with FTP

All right, we’re going to connect to a random, well, actually not quite so random, but we’re going to change to an FTP server that allows us to have an anonymous access and we’re going to download a picture just so you can get the idea of how this works. Now I’m going to log on as anonymous, provided I can spell that correctly. And now that I’m here, we’re going to change directories to the pub/Linux/logos/penguins. Command successful. Good. ls shows me a list of all these little penguins that are out there, all these little happy pictures, and we’re going to get the raytux JPEG picture. Bring that over here.

And there you can see I did the get connection. And now that I’ve got that get connection, we’re going to go take a look real quick to see if under places and home folder if we indeed have it. And there we have, let me unhighlight it. We have the raytux JPEG. So that was pretty nice. That was easy to get to. Now we’re going to go into the ASCII mode by entering ascii back here at my FTP window. And now we’re going to get the Linux w penguin GIF or GIF, depending on how you pronounce that, another one of these little files. We’re going to grab that one.

We’ll go take a look at the same folder that we have. And now you notice that this Penguin GIF doesn’t look like a picture. It actually looks like a file. If I were to try to open it, well, let’s try it with Image Viewer. It tells me it can’t because it doesn’t look like an image anymore. If I open it with gedit or some other type of program. In this case, it doesn’t look like any of these are set up for me to work with. So let’s get a list of the files here and we’re going to look for the text editor. So open it up with a text editor and even that can’t open it up because it doesn’t seem to work very well.

So you can see that without downloading files like JPEGs and programs as an actual binary, then we have problems with those commands. They just don’t like what we see. So it is important that you probably type in binary if you’re just not sure before you download something of a binary nature. If it’s just a regular text file, then you can go with the ASCII. But there the download was fine, but the format was causing that picture to be corrupted both by my text editor and by my picture manager. All right, so that was our FTP connection. Type quit when you’re done. You get the little goodbye message and you are out of the FTP server.
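What goes wrong in the ASCII download of the demo can be reproduced on a few bytes. The following is an added example, not part of the original lesson, and it is a simplified model: it assumes the file's bytes reach the wire unchanged and that the receiving Linux client, in ASCII type, rewrites every network line ending (CR LF) to its local LF. The sample bytes and the function names are constructed for the example.

```python
import hashlib

# Constructed bytes standing in for an image file: a GIF signature followed by
# payload that happens to contain the byte pairs 0D 0A and a lone 0A.
SAMPLE_IMAGE = b"GIF89a" + bytes([0x10, 0x00, 0x0D, 0x0A, 0x2C, 0x0A, 0xFF, 0x0D, 0x0A, 0x3B])


def receive(wire, transfer_type):
    """Model of the client writing received bytes to disk.

    "I" (binary, also called image): stored byte for byte.
    "A" (ASCII): each CR LF from the network becomes the local LF.
    """
    if transfer_type == "I":
        return wire
    if transfer_type == "A":
        return wire.replace(b"\r\n", b"\n")
    raise ValueError("unknown transfer type: %r" % transfer_type)


def undo_ascii(stored):
    """Best-effort repair attempt: turn every LF back into CR LF."""
    return stored.replace(b"\n", b"\r\n")


def report(original, transfer_type):
    """Compare what was sent with what ended up on disk."""
    stored = receive(original, transfer_type)
    same = hashlib.sha256(stored).digest() == hashlib.sha256(original).digest()
    return {
        "sent_bytes": len(original),
        "stored_bytes": len(stored),
        "intact": same,
        # A lone LF in the original cannot be told apart from a translated
        # CR LF afterwards, so the damage cannot be reliably reversed.
        "repairable": undo_ascii(stored) == original,
    }
```

With the sample bytes, binary type stores all 16 bytes unchanged, while ASCII type stores 14 bytes with a different SHA-256, and the repair attempt does not give the original back.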

  1. Secure FTP

Now, as I mentioned, FTP is an insecure language. Insecure means not that the authentication is poor, we can have very strong authentication, but that the transfer of data, my request and the data being transferred, is done in clear text, which means anybody who can sniff the traffic can capture the files and my authentication information and it just makes things very bad. So we often want to secure the connection between yourself, the client and the server. And one of the common ways to do that is with either Secure Shell or Secure FTP. Basically what we’re saying is we want to encrypt the session as we would any other secure communication like online banking. It also then means that we don’t have to worry about using plaintext passwords, which by the way, you should never do.

And it has to have another port open because Secure Shell makes a connection on port 22. Now, Secure Shell is again a way of making a connection and to be able to provide authentication information through that encrypted session. Now, you’re going to have to have a couple of other clients to be able to work with the Secure Shell or Secure FTP. Two very easy to find clients that you can use, probably the most popular is called PuTTY. PuTTY is free, downloaded. It has all of the capabilities of doing telnet, SSH, SFTP, FTP, all of those cool things that you need, all built into one very easy to use interface. Another one that is also popular, not as much as PuTTY, is OpenSSH.

 

 
