NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Chapter 15. FTP
File Transfer Protocol (FTP) is one of the oldest and most
commonly used protocols found on the Internet today. Its purpose is
to reliably transfer files between computer hosts on a network
without requiring the user to log directly into the remote host or
have knowledge of how to use the remote system. It allows users to
access files on remote systems using a standard set of simple
commands.
This chapter outlines the basics of the FTP protocol, as well as
configuration options for the primary FTP server shipped with Red
Hat Enterprise Linux, vsftpd.
FTP uses a client/server architecture to transfer files over the
TCP network protocol. Because FTP predates any concern about
eavesdropping on the network, it sends usernames, passwords, and
the transferred file contents in clear text. For this reason, it is
considered an insecure protocol and should not be used unless
absolutely necessary. A good substitute for FTP is sftp from the
OpenSSH suite of tools, which provides the same kind of file
transfer over an encrypted SSH session. For information about
configuring OpenSSH, refer to the chapter titled OpenSSH in the Red
Hat Enterprise Linux System Administration Guide. For more
information about the SSH protocol, refer to Chapter 20 SSH Protocol.
However, because FTP is so prevalent on the Internet, it is
often required to share files to the public. System administrators,
therefore, should be aware of the FTP protocol's unique
characteristics.
Unlike most protocols used on the Internet, FTP requires
multiple network ports to work properly. When an FTP client
application initiates a connection to an FTP server, it connects to
port 21 on the server, known as the command port (or control
port). This connection carries every command the client issues and
every reply from the server. Any data requested from the server
(a directory listing or a file) is transferred over a separate TCP
connection, the data connection, on a data port. The port number
used for data connections, and which side opens the connection,
vary depending upon whether the client requests the data in
active or passive mode.
The following defines these modes:
- active mode
  Active mode is the original method used by the FTP protocol for
  transferring data to the client application. When an active mode
  data transfer is initiated, the FTP client listens on a random,
  unprivileged port (1024 or above) and tells the server that address
  and port with the PORT command. The server then opens a
  connection from port 20 on the server to the IP address and port
  the client specified. This arrangement means that the client
  machine must be allowed to accept incoming connections on any port
  above 1023. With the growth of insecure networks, such as the
  Internet, the use of firewalls to protect client machines is now
  prevalent. Because these client-side firewalls (and NAT gateways)
  typically deny incoming connections from active mode FTP servers,
  passive mode was devised.
- passive mode
  Passive mode, like active mode, is initiated by the FTP client
  application. When requesting data from the server, the FTP client
  sends the PASV command to indicate it wants to access the data in
  passive mode, and the server replies with the IP address and a
  random, unprivileged port (1024 or above) on the server on which it
  is listening. The client then connects to that port on the server
  to download the requested information. Because the server is
  accepting the connection, the client needs no open inbound ports.
While passive mode resolves issues for client-side firewall
interference with data connections, it can complicate
administration of the server-side firewall, because the server must
now accept incoming connections on whichever port it advertises in
its reply. Limiting the range of unprivileged ports offered for
passive connections in the FTP server's configuration file is one
way to reduce the number of open ports on a server and simplify the
task of creating firewall rules for the server: the firewall then
needs to allow inbound TCP to port 21 and to that one range only.
Refer to Section 15.5.8 Network Options for more about limiting
passive ports.
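The following is an added example, written for this page rather than taken from the Red Hat guide or from vsftpd, that shows the two negotiations described above as actual protocol messages. In both modes the data endpoint is carried as the six-field tuple h1,h2,h3,h4,p1,p2 from RFC 959, where the port is p1*256 + p2: in active mode the client sends it in a PORT command and the server connects from port 20; in passive mode the server sends it in a 227 reply to PASV and the client connects. The addresses, ports, and the "200 PORT command successful." reply text are constructed sample values, and the functions and the check that a PASV reply points back at the same host as the control connection are this example's own, not part of any FTP implementation.

```python
import re

# Matches the h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 PASV reply (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """Encode an IPv4 address and TCP port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text):
    """Decode the first h1,h2,h3,h4,p1,p2 tuple in text into ("h1.h2.h3.h4", p1*256 + p2)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in: %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def build_port_command(client_ip, client_port):
    """Active mode: the client listens on an unprivileged port and tells the server where to connect."""
    if client_port < 1024:
        raise ValueError("active-mode data port must be unprivileged (1024 or above)")
    return "PORT " + encode_hostport(client_ip, client_port)


def parse_pasv_reply(reply, control_peer_ip):
    """Passive mode: parse the server's 227 reply and return (ip, port) the client should connect to.

    The advertised address is compared with the control-connection peer; a reply that points
    elsewhere (a NAT misconfiguration, or a hostile server redirecting the client) is refused.
    This comparison is this example's own hardening, not something FTP requires.
    """
    if not reply.startswith("227"):
        raise ValueError("unexpected reply to PASV: %r" % reply)
    ip, port = decode_hostport(reply)
    if port < 1024:
        raise ValueError("server advertised a privileged data port: %d" % port)
    if ip != control_peer_ip:
        raise ValueError("PASV address %s differs from control peer %s" % (ip, control_peer_ip))
    return ip, port


def passive_port_allowed(port, pasv_min, pasv_max):
    """Server-side check mirroring a firewall rule that opens only the configured passive range."""
    return pasv_min <= port <= pasv_max


def simulate_exchange(mode, server_ip="10.0.0.5", client_ip="192.168.1.10",
                      client_port=50123, server_pasv_port=30000):
    """Return the command/reply lines of one data-connection negotiation and the resulting
    data endpoint as (side_that_connects, remote_ip, remote_port). Sample values are constructed."""
    if mode == "active":
        cmd = build_port_command(client_ip, client_port)
        lines = [("client", cmd), ("server", "200 PORT command successful.")]
        # The server now connects from its port 20 to the client's advertised port.
        return lines, ("server", client_ip, client_port)
    if mode == "passive":
        reply = "227 Entering Passive Mode (%s)." % encode_hostport(server_ip, server_pasv_port)
        lines = [("client", "PASV"), ("server", reply)]
        ip, port = parse_pasv_reply(reply, control_peer_ip=server_ip)
        # The client now connects to the port the server advertised.
        return lines, ("client", ip, port)
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    for mode in ("active", "passive"):
        lines, endpoint = simulate_exchange(mode)
        print("--- %s mode ---" % mode)
        for side, text in lines:
            print("%6s: %s" % (side, text))
        print("data connection opened by %s to %s:%d" % endpoint)
```

Running the script prints both exchanges; passive_port_allowed is the check a server-side firewall effectively performs, so a PASV reply advertising a port outside the range configured in the FTP server (Section 15.5.8) would be answered by a connection the firewall drops.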