Posts Tagged ‘ftp’

If you serve (or want to serve) in the cloister of the server room, you don’t really want to be fumbling around with DVDs. One of the fundamental skills you need in order to work with Linux professionally (or indeed any enterprise operating system) is to be able to perform network installations of new servers.
This typically involves a minimal installation media, either a USB key drive or a boot CD. Either way, this boot media will only be around 10MB in size. This is used to boot the machine into a minimal Linux OS whose sole purpose is to facilitate connecting to a master server which holds the rest of the installation. This means you could apply whatever kernel patches or whatever you liked in one centralised location and install it across an entire network. The master server itself can be pretty much any server protocol that can handle files, such as NFS, NIS, FTP and even HTTP.

In this example, we’ll use a typical enterprise-ready Linux distribution, CentOS. This is essentially the free version of Red Hat Enterprise Linux (RHEL) with the Red Hat branding removed. While there has been a certain amount of snide comment within the open source community about the apparent delay to the release of CentOS 6.0 while RHEL 6.0 has been out for weeks, we’ll have to settle for the current version of 5.6.
I’ve discussed both NFS and FTP before but in this example we’ll use FTP, which is still commonly used in internal networks to throw files around. I’ll also assume you have another Linux server with a wired network connection to act as the installation server.

So, the first thing to do is to get the boot media ISO file from CentOS, which you can grab here. Choose either i386 (32-bit) or x86_64 (64-bit) architecture and choose a suitable mirror server geographically near you. Once you’ve got one, scroll down until you see the ISO file called CentOS-5.6-i386-netinstall.iso and download it to Windows, Ubuntu or whatever you want :-)

So, now you have an ISO file. You can burn this little disk image to a USB key drive or a CD using your favourite tool.
Next, you’ll need to download the full installation media. As this is going to be installed on your installation server, we’ll assume this server has an Internet connection. Therefore, it would be easiest to download the installation media directly to the server. Choose either the DVD ISO for direct download or via something like BitTorrent. Here, we’ll just use wget, which is a handy little command line HTTP file grabber. Copy the hyperlinks and simply use: -

wget http://mirror.ox.ac.uk/sites/mirror.centos.org/5.6/isos/i386/CentOS-5.6-i386-bin-1of7.iso

Do this for each CD ISO in turn from 1 to 7. Personally, I found it easier to use BitTorrent to get the one DVD ISO image, but whatever…:-)
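The images above arrive over plain HTTP and will seed every machine installed from this server, so it is worth checking them against a published digest list before copying anything out. The following is an added example, not part of the original post: verify_isos is a hypothetical helper, and it assumes a list in sha256sum format (use the matching tool if your mirror publishes a different digest type).

```shell
#!/bin/sh
# verify_isos SUMFILE DIR
# SUMFILE holds "<hex digest>  <file name>" lines as written by sha256sum.
# Returns 0 only if every *.iso in DIR is listed in SUMFILE and matches.
verify_isos() {
    sumfile=$1; dir=$2; rc=0; seen=0
    for iso in "$dir"/*.iso; do
        [ -f "$iso" ] || continue
        seen=1
        name=$(basename "$iso")
        # Published digest for this exact file name (binary-mode "*" prefix stripped).
        want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sumfile")
        have=$(sha256sum "$iso" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            echo "UNLISTED  $name"; rc=1
        elif [ "$have" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"; rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then echo "no ISO files found in $dir"; rc=1; fi
    return $rc
}

# Constructed demo: stand-in files, one altered after the digest list was written.
demo=$(mktemp -d)
printf 'disc 1' > "$demo/disc1.iso"
printf 'disc 2' > "$demo/disc2.iso"
(cd "$demo" && sha256sum disc1.iso disc2.iso > sums.txt)
printf 'altered' > "$demo/disc2.iso"
verify_isos "$demo/sums.txt" "$demo" || echo "do not copy these files to the FTP directory"
rm -rf "$demo"
```

A digest list fetched from the same mirror as the images only catches corruption in transit; obtain the list through a channel you trust if you want to detect a tampered mirror.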

For the purposes of this exercise, I’ll assume you’ve got a login-authenticated, non-anonymous FTP server set up and the FTP user is mapped to /home/ftp-user. If you’re not sure how to do this, check out my vsFTP post or check out Google. The next step is to mount the ISO files and copy the contents to your FTP directory. We’ll obviously need a directory for the installation media on the FTP server, so I’ll create one called “inst”.

mkdir /home/ftp-user/inst

I’ll use the example location of /mnt/iso-* for the mount point for each CD ISO image. As mount points need to be pre-existing directories, I’ll create them first. If you’ve downloaded the DVD ISO image, the following step only needs to be performed once for the DVD image file and its corresponding mount point directory.


mkdir /mnt/iso-1
mkdir /mnt/iso-2
mkdir /mnt/iso-3
mkdir /mnt/iso-4
mkdir /mnt/iso-5
mkdir /mnt/iso-6
mkdir /mnt/iso-7
mount -o loop -t iso9660 /tmp/CentOS-5.6-i386-bin-1of7.iso /mnt/iso-1
..and so on.

You can use “df -h” or “mount” to verify that the ISO image(s) have been mounted. Then you need to copy the /mnt/iso-* directory contents to your FTP server. We’ll call the FTP installation server installation.org and we’ll put it in a directory called “inst”.

cp -R /mnt/iso-*/* /home/ftp-user/inst

Once the install data is copied out of the ISO image files to our “inst” directory, you can umount the ISO files.

umount /mnt/iso-*

Depending on how you’ve set up your FTP server, you’ll probably want to change the ownership of the files to the FTP user. Do so with: -

chown -R ftp-user:ftp-user /home/ftp-user/inst

Once you’ve copied the directory contents of /mnt/iso-* to /home/ftp-user/inst

Okay, so at this point you should have a boot disk image on a CD or USB key drive and the full installation media on your FTP server under “inst”.

Fire up the machine you wish to install CentOS 5.6 onto. For this to work, you’ll need a wired ethernet connection to the network which the FTP server is on. Wireless won’t work, as it is only started with NetworkManager under a runlevel 5 X-Windows session. The boot disk image will only allow network installs with the bare minimum of network services available, as all it’s going to do is use /dev/eth0 (your network device) to request a DHCP IP address from the network and connect to our installation server.
Depending on the boot order set in your machine’s BIOS, you should be able to get the boot disk to boot before the BIOS checks the hard disk for an operating system, i.e. your USB/CD drive should be checked for a boot image before any other media like the hard disk. Obviously you can now get fancy network cards that will do this step automatically in hardware for network installations, but we’ll assume you don’t have one of these :-)

The boot disk should now load a cut-down Linux kernel. You can choose either graphical or text based installation. The important thing is to choose network installation from the list of options and then FTP for the protocol used. The host to connect to will be our “installation.org” hostname and the directory will be “inst”. Check the non-anonymous login checkbox and enter the username and password for the FTP user and hit OK. The network installation process should now proceed and you’ll get pretty much the same partitioning and software packaging options that you would with a regular media installation. That’s it!

FTP or File Transfer Protocol has been around almost as long as the Internet itself. It’s rarely used anymore, having been superseded by more secure file transfer protocols such as SFTP (FTP over SSH). However, it is still worth knowing about FTP and how to set up your Linux server to support it should you want to. The easiest FTP daemon to run on modern distributions is vsFTPd or Very Secure File Transfer Protocol Daemon.

First, of course, you need to make sure you’ve got the vsFTPd daemon installed on your system. Under Fedora, you can install it with: -

yum install vsftpd

Under Ubuntu, you can install it with: -

sudo apt-get install vsftpd

Once this is done, you have to configure it for use. The configuration file is usually /etc/vsftpd/vsftpd.conf, but you might find it at /etc/vsftpd.conf under certain Debian-based distributions.

You may want anonymous logins and simple downloading ability for your FTP server, in which case you’d add the following directives to your vsftpd.conf file:-


anonymous_enable=YES
write_enable=NO

This gives anonymous, download only FTP services. However, at least for me, it’s more useful to enable local users with write access using something like: -


anonymous_enable=NO
write_enable=YES
local_enable=YES
chroot_local_user=YES

You may want finer control over uploads to your FTP server. You can set specific users to have either read-only access under vsFTPd or both read and write. Although the vsftpd.conf file only has “write_enable=YES/NO”, which applies to all users regardless, you can stop file deletions from a directory by removing write permission from the directory itself – normal Linux permissions should work fine for vsFTPd.

This allows users with regular shell accounts to FTP into their home directories and upload/download files. However, the “chroot_local_user=YES” directive means that they cannot use FTP to browse the local file system outside of their own directory. For example, in a normal FTP client program, you couldn’t click on “parent directory” and start wandering around the file system – always a good security measure, as it prevents exposing your file system to any FTP users you may have – doubly so if you’re enabling anonymous FTP access.


chroot_local_user=YES
chroot_list_enable=NO

The above enforces a chroot jail for all users. But sometimes, you may want to just have a chroot jail for some users and not others. If you add the following directive, this will enable selective chroot jails.


chroot_local_user=NO
chroot_list_enable=YES

If you then create the file /etc/vsftpd/vsftpd.chroot_list (/etc/vsftpd.chroot_list for Debian users) with a list of the jailed users, one per line, only those users are chrooted by default.

The other option you might want is to allow only some system users to login to FTP. This can be achieved with: -


# The user list is only consulted when userlist_enable is YES.
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/vsftpd.denied_users

If you then create the file “vsftpd.denied_users” with a list of users which are not allowed to login, only users not present on this list will have FTP access.

Since we’re sort of talking about security here, I think it’s a good idea to have a dedicated FTP user, one created without a shell login. FTP is a rich and obvious target for hackers and if, by chance, the FTP user is compromised, this won’t give somebody shell access to your Linux server. Assuming you login to your Linux shell account with SSH (as you should if you don’t – Telnet is not very secure these days), you can edit your SSH configuration to deny shell access to your FTP user.


vi /etc/ssh/sshd_config

and add the following: -


DenyUsers ftpuser1 ftpuser2

…and so on. If your FTP server is going to connect to the Internet, it’s also wise to enable encryption for your FTP connections too with something like: -


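ssl_enable=YES
allow_anon_ssl=NO
# NO leaves TLS optional for local users; YES (the vsftpd default) requires it.
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
# SSLv2 and SSLv3 are obsolete and insecure, so leave them disabled.
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem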

There is no need to create an SSL certificate for this. vsFTPd uses the certificate Linux creates upon installation, the “snake-oil” certificate used by the OpenSSL package, which saves time and energy.

Depending on how you anticipate people accessing your FTP server, it’s a good idea to have passive connections enabled. This can sometimes help prevent connection errors when attempting to list the contents of directories, especially if you think you’ll be accessing the FTP server via a browser using ftp:// instead of http:// – this happened to me to start with, so it appears to be a good idea :-)


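pasv_enable=YES
# Keep the check that the data connection comes from the same address
# as the control connection (YES would switch that check off).
pasv_promiscuous=NO
pasv_min_port=25000
pasv_max_port=25004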

Additional directives you might find useful for the vsftpd.conf file are: -


# Show hidden files and the "." and ".." folders.
force_dot_files=YES

# Hide the info about the owner (user and group) of the files.
hide_ids=YES

# Connection limit for each IP.
max_per_ip=2

# Maximum number of connecting clients
max_clients=20
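
A pre-start check for the directives covered so far, as an added example that is not part of the original post: it reads a vsftpd.conf and reports the settings discussed above that weaken the server (obsolete SSL versions, optional TLS for local users, no chroot jail, pasv_promiscuous, a user list without userlist_enable). The function names and the sample file are constructed for illustration; the fallback values are the defaults documented in vsftpd.conf(5).

```shell
#!/bin/sh
# conf_get FILE KEY DEFAULT: last value assigned to KEY (upper-cased), else DEFAULT.
conf_get() {
    v=$(awk -F= -v k="$2" '$1 == k { val = $2 } END { print toupper(val) }' "$1")
    echo "${v:-$3}"
}
flag() { echo "WEAK: $1"; bad=1; }

# audit_vsftpd FILE: one line per finding; returns 1 if anything was flagged.
# Fallback values are the defaults documented in vsftpd.conf(5).
audit_vsftpd() {
    f=$1; bad=0
    ssl=$(conf_get "$f" ssl_enable NO)
    for p in ssl_sslv2 ssl_sslv3; do
        if [ "$ssl" = YES ] && [ "$(conf_get "$f" "$p" NO)" = YES ]; then
            flag "$p=YES accepts an obsolete, broken protocol version"
        fi
    done
    if [ "$(conf_get "$f" local_enable NO)" = YES ]; then
        if [ "$ssl" != YES ] || [ "$(conf_get "$f" force_local_logins_ssl YES)" != YES ]; then
            flag "local account passwords may be sent unencrypted"
        fi
        if [ "$ssl" = YES ] && [ "$(conf_get "$f" force_local_data_ssl YES)" != YES ]; then
            flag "force_local_data_ssl=NO allows cleartext file transfers"
        fi
        if [ "$(conf_get "$f" chroot_local_user NO)" != YES ] &&
           [ "$(conf_get "$f" chroot_list_enable NO)" != YES ]; then
            flag "local users are not confined by a chroot jail"
        fi
    fi
    if [ "$(conf_get "$f" pasv_promiscuous NO)" = YES ]; then
        flag "pasv_promiscuous=YES disables the data connection source address check"
    fi
    if [ -n "$(conf_get "$f" userlist_deny '')$(conf_get "$f" userlist_file '')" ] &&
       [ "$(conf_get "$f" userlist_enable NO)" != YES ]; then
        flag "userlist_enable is not YES, so the user list is ignored"
    fi
    return $bad
}

# Constructed sample configuration (not a file from the post).
sample=$(mktemp)
printf '%s\n' local_enable=YES chroot_local_user=YES ssl_enable=YES ssl_sslv3=YES \
    force_local_logins_ssl=NO pasv_promiscuous=YES userlist_deny=YES > "$sample"
audit_vsftpd "$sample" || echo "fix the settings above before starting vsftpd"
rm -f "$sample"
```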

Once you’ve set up vsFTPd how you want it, you’ll need to start the vsFTPd server.


service vsftpd start

You can also have vsFTPd start on boot by using the chkconfig command.


chkconfig --level 2345 vsftpd on
chkconfig --list vsftpd
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

vsFTPd is now enabled for runlevels 2, 3, 4 and 5. The last thing to do is to add some rules to your iptables firewall configuration as otherwise you’ll have a hard time connecting!


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

You may also need to add the following iptables modules to your /etc/sysconfig/iptables-config file which allow passive mode FTP from behind iptables firewalls without having those ports exposed to the outside world (ie. having to open those ports): -


# One space-separated list; a second assignment would replace the first.
IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"

Obviously, you’ll need to add NAT rules to your router as well to forward connections from the outside world on these ports to your FTP server, but since the way to do that for each model of router varies, I won’t be discussing that here.

You can then access your new FTP server either through your browser with ftp://yourhostname.com or through an FTP client, such as command line tools included in almost all *nix operating systems or Windows: -


ftp yourhostname.com

If you’re using a command-line FTP client, you might find a list of FTP commands useful.

Well, that’s a quick overview of vsFTPd’s configuration and features – I hope you enjoyed it :-)
