21.2. FTP
The File Transfer Protocol (
FTP
) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly in to the remote host or to have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.
This section outlines the basics of the
FTP
protocol and introduces vsftpd
, the primary FTP
server shipped with Red Hat Enterprise Linux.
21.2.1. The File Transfer Protocol
FTP uses a client-server architecture to transfer files using the
TCP
network protocol. Because FTP
is a rather old protocol, it uses unencrypted user name and password authentication. For this reason, it is considered an insecure protocol and should not be used unless absolutely necessary. However, because FTP
is so prevalent on the Internet, it is often required for sharing files to the public. System administrators, therefore, should be aware of FTP
's unique characteristics.
This section describes how to configure vsftpd to establish connections secured by
TLS
and how to secure an FTP
server with the help of SELinux. A good substitute for FTP
is sftp from the OpenSSH suite of tools. For information about configuring OpenSSH and about the SSH
protocol in general, see Chapter 14, OpenSSH.
Unlike most protocols used on the Internet,
FTP
requires multiple network ports to work properly. When an FTP
client application initiates a connection to an FTP
server, it opens port 21
on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in active or passive mode.
The following defines these modes:
- active mode
- Active mode is the original method used by the
FTP
protocol for transferring data to the client application. When an active-mode data transfer is initiated by theFTP
client, the server opens a connection from port20
on the server to theIP
address and a random, unprivileged port (greater than1024
) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above1024
. With the growth of insecure networks, such as the Internet, the use of firewalls for protecting client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active-modeFTP
servers, passive mode was devised. - passive mode
- Passive mode, like active mode, is initiated by the
FTP
client application. When requesting data from the server, theFTP
client indicates it wants to access the data in passive mode and the server provides theIP
address and a random, unprivileged port (greater than1024
) on the server. The client then connects to that port on the server to download the requested information.While passive mode does resolve issues for client-side firewall interference with data connections, it can complicate administration of the server-side firewall. You can reduce the number of open ports on a server by limiting the range of unprivileged ports on theFTP
server. This also simplifies the process of configuring firewall rules for the server. See Section 21.2.2.6.8, “Network Options” for more information about limiting passive ports.