FTP
lctseng / Liang-Chi Tseng

FTP – File Transfer Protocol
• Used to transfer data from one computer to another over the internet.
• Client/Server architecture.
• FTP connections
  – Control connection: created when an FTP session is established; only for passing control information.
  – Data connection: a distinct TCP connection is established each time that data is sent; only for passing data.
• Data connection modes
  – Active Mode
  – Passive Mode

Computer Center, CS, NCTU

FTP – File Transfer Protocol: Request For Comments (RFCs)
• RFC 959 – FTP
• RFC 2228 – FTP Security Extensions
• RFC 2428 – FTP Extensions for IPv6 and NATs
• RFC 2640 – UTF-8 support for file name

FTP – Flow (1)
• Client
  – Connect to server port 21 from port A.
  – USER ####
  – PASS ********
  – EPRT |1|ip|portnum| (binding source port portnum)
  – Send some requests, get return data.
  – Quit.
• Server
  – Binding on port 21.
  – Accepts connection from client, output welcome messages.
  – 331 User name okay, need password.
  – 230 User logged in, proceed.
  – 200 PORT command successful.
  – Connect to client port portnum from port 20, send data.

FTP – Flow (2): Example, Control Connection
Note: the ftp user must exist before doing this!

% telnet freebsd.cs.nctu.edu.tw 21
Trying 140.113.17.209...
Connected to freebsd.cs.nctu.edu.tw.
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 7 of 1000 allowed.
220-Local time is now 16:25. Server port: 21.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER ftp
230 Anonymous user logged in
PASS ftp
230 Any password will work
EPRT |1|140.113.235.135|65000|
200 PORT command successful
list
150 Connecting to port 65000
226-Options: -l
226 2 matches total
quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
Connection closed by foreign host.

FTP – Flow (3): Example (contd.), Retrieving Data
% nc -l 65000
drwxr-xr-x  852 888  2010  80328 Mar 28 11:39 distfiles
drwxr-xr-x   16 888  2010     34 May 11  2008 pub

• Client must bind the random port.
• Files info under /home/ftp is sent to the client through this port.
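The three flow slides describe the active-mode exchange end to end: the client binds a random port, advertises it with EPRT on the control connection, and the server then connects back to it and pushes the listing. The script below replays that data-connection half on the loopback interface. It is an added example, not code from the lecture or from Pure-FTPd; the listing text is constructed to match what the `nc -l 65000` session received, and the "server" thread uses an ephemeral source port because binding port 20 needs privileges.

```python
import socket
import threading

# Constructed sample listing in the format the "nc -l 65000" session received
# (added example; not output captured from freebsd.cs.nctu.edu.tw).
SAMPLE_LISTING = (
    "drwxr-xr-x  852 888  2010  80328 Mar 28 11:39 distfiles\r\n"
    "drwxr-xr-x   16 888  2010     34 May 11  2008 pub\r\n"
)


def parse_eprt(cmd):
    """Parse an RFC 2428 'EPRT |1|ip|port|' command into (ip, port).

    The first character of the argument is the delimiter; net-prt 1 is IPv4,
    2 is IPv6. Anything else is rejected rather than guessed at.
    """
    verb, _, arg = cmd.strip().partition(" ")
    if verb.upper() != "EPRT" or not arg:
        raise ValueError("not an EPRT command")
    delim = arg[0]
    fields = arg.split(delim)          # '|1|ip|port|' -> ['', '1', ip, port, '']
    if len(fields) != 5 or fields[1] not in ("1", "2"):
        raise ValueError("malformed EPRT argument")
    port = int(fields[3])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return fields[2], port


def active_mode_transfer(listing=SAMPLE_LISTING):
    """Replay the active-mode data exchange on loopback.

    Returns (eprt_command, received_text). The server half runs in a thread
    and uses an ephemeral source port instead of port 20, which is the only
    difference from the flow on the slides.
    """
    # Step 1: the client binds a random port (>1023) and listens, like "nc -l".
    client_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_data.bind(("127.0.0.1", 0))
    client_data.listen(1)
    ip, port = client_data.getsockname()
    eprt = f"EPRT |1|{ip}|{port}|"     # what the client sends on port 21

    # Step 2: the server parses EPRT and initiates the data connection back
    # (on the control channel this is where "150 Connecting to port" appears).
    def server_side():
        dst_ip, dst_port = parse_eprt(eprt)
        with socket.create_connection((dst_ip, dst_port), timeout=5) as data:
            data.sendall(listing.encode())

    worker = threading.Thread(target=server_side)
    worker.start()

    # Step 3: the client accepts the inbound connection and reads to EOF;
    # the server's "226 ... matches total" would follow on the control channel.
    client_data.settimeout(5)
    conn, _ = client_data.accept()
    chunks = []
    with conn:
        while True:
            buf = conn.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    worker.join()
    client_data.close()
    return eprt, b"".join(chunks).decode()


if __name__ == "__main__":
    cmd, text = active_mode_transfer()
    print(cmd)
    print(text, end="")
```

The listen-before-EPRT ordering matters: if the client advertised a port it had not yet bound, the server's connect-back would be refused, which is exactly what happens when a NAT or firewall sits on the client side (the topic of the later slides).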

FTP – Commands
• USER username
• PASS password
• LIST – Return list of files in current dir.
• CWD dirname – Change working directory.
• RETR filename – Retrieves (gets) file on the server.
• STOR filename – Stores (puts) file onto the server.
• DELE filename – Remove the file on the server.
• EPRT |1|ip|port| – Set to active mode.
• PASV (EPSV) – Set to passive mode.
• QUIT

FTP – Return Codes (responses to commands)
• First code
  – 1: Positive Preliminary reply
  – 2: Positive Completion reply
  – 3: Positive Intermediate reply
  – 4: Transient Negative Completion reply
  – 5: Permanent Negative Completion reply
• Second code
  – 0: The failure was due to a syntax error.
  – 1: A reply to a request for information.
  – 2: A reply relating to connection information.
  – 3: A reply relating to accounting and authorization.
  – 5: The status of the server file system.

FTP – Active Mode vs. Passive Mode (1)
• Active Mode
  – FTP client binds a random port (>1023) and sends the random port to the FTP server using the "EPRT" command.
    – EPRT |1|ip|port|
    – EPRT |2||port|
  – When the FTP server initiates the data connection to the FTP client, it binds the FTP port 20 and connects to the source port sent by the client.
• Passive Mode
  – FTP client sends the "EPSV/PASV" command to the server, to make the server bind a random port (>1023) and reply the random port back.
    – Server reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
      Ex. 227 Entering Passive Mode (140,113,17,215,178,110)
      ※ h1,h2,h3,h4,p1,p2 (6 bytes) → IP:port, Ex. 140.113.17.215:45678
    – Server reply: 229 Entering Extended Passive Mode (|||41868|)
  – When initializing the data connection, the FTP client connects to the random port and gets data from that port.
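The two passive-mode reply formats above, and the reply-code table on the previous slide, are small parsing jobs that every FTP client has to get right. The following Python, added here as an example rather than taken from the lecture, decodes a 227 reply (port = p1*256 + p2), a 229 reply, and classifies any reply line by its first two digits using the slide's table. The `expected_ip` parameter is an assumption of this example: it lets the caller insist that the data connection goes to the same host the control connection is already talking to, the check that current versions of Python's ftplib apply by default.

```python
import re

# Reply-code meanings as listed on the slides: first digit = kind of reply,
# second digit = what the reply concerns.
FIRST_DIGIT = {
    "1": "Positive Preliminary reply",
    "2": "Positive Completion reply",
    "3": "Positive Intermediate reply",
    "4": "Transient Negative Completion reply",
    "5": "Permanent Negative Completion reply",
}
SECOND_DIGIT = {
    "0": "Syntax",
    "1": "Information",
    "2": "Connections",
    "3": "Accounting and authorization",
    "5": "File system",
}

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def classify_reply(line):
    """Return (first-digit meaning, second-digit meaning) for one reply line.

    Accepts both final lines ('226 ...') and continuation lines ('226-...').
    """
    m = re.match(r"([1-5])([0-5])\d(?:[ -]|$)", line)
    if not m:
        raise ValueError(f"not an FTP reply line: {line!r}")
    return FIRST_DIGIT[m.group(1)], SECOND_DIGIT.get(m.group(2), "unassigned")


def parse_pasv_reply(line, expected_ip=None):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port).

    port = p1*256 + p2. When expected_ip is given (assumed here to be the
    address of the control-connection peer), a reply that points the data
    connection at some other host is rejected instead of followed.
    """
    m = PASV_RE.search(line)
    if not line.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of byte range")
    ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if expected_ip is not None and ip != expected_ip:
        raise ValueError(f"PASV reply points to {ip}, not {expected_ip}")
    return ip, port


def parse_epsv_reply(line):
    """'229 Entering Extended Passive Mode (|||port|)' -> port (RFC 2428)."""
    m = EPSV_RE.search(line)
    if not line.startswith("229") or not m:
        raise ValueError("not a 229 EPSV reply")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range")
    return port


def format_pasv(ip, port):
    """The reverse direction: IP:port -> 'h1,h2,h3,h4,p1,p2' as a server would
    place it inside the 227 reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (140,113,17,215,178,110)"))
    print(parse_epsv_reply("229 Entering Extended Passive Mode (|||41868|)"))
    print(classify_reply("331 User name okay, need password."))
```

EPSV deliberately carries only a port, so a client using it has no address to validate; that is one reason the extended form is preferred on IPv6 and NAT paths.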

FTP – Active Mode vs. Passive Mode (2)
[Diagrams: Active mode; Passive mode]

FTP – When FTP meets NAT/Firewall (1)
• Active mode, NAT/Firewall on client side (e.g. a wireless AP).
  [Diagram: Client – NAT/Firewall – Server, Active Mode]
• Passive mode can solve this problem.
  [Diagram: Client – NAT/Firewall – Server, Passive Mode]

FTP – When FTP meets NAT/Firewall (2)
• Passive mode, NAT/Firewall on server side.
  [Diagram: Client – NAT/Firewall – Server, Passive Mode]
• Active mode can solve this problem.
  [Diagram: Client – NAT/Firewall – Server, Active Mode]

FTP – When FTP meets NAT/Firewall (3)
• Real problem: Firewall on both sides.
  [Diagram: Client – NAT/Firewall – NAT/Firewall – Server, Active Mode / Passive Mode]
• Solution: ftp-proxy running on the NAT/Firewall.
  – To be explained in the firewall course (NA).

FTP – Security
• Security concern
  – As we have seen, FTP connections (both command and data) are transmitted in clear text.
  – What if somebody is sniffing the network? We need encryption.
• Solutions
  – FTP over SSH: tunneling a normal FTP session over an SSH connection. Only commands are encrypted while transmitting.
  – SSH File Transfer Protocol (SFTP): both commands and data are encrypted while transmitting. One connection, but poor performance.
  – FTP over TLS (FTPS, FTPES): better performance.

Pure-FTPd – Intro (1)
• Introduction
  – A small, easy to set up, fast and secure FTP server.
• Features
  – chroot support
  – Restrictions on clients, and system-wide
  – Verbose logging with syslog
  – Anonymous FTP with more restrictions
  – Virtual Users, and Unix authentication
  – FTP over TLS
  – FXP (File eXchange Protocol)
  – UTF-8 support for filenames

Pure-FTPd – Intro (2)
• Installation
  – Ports: /usr/ports/ftp/pure-ftpd
  – Package is also available
  – Options

Pure-FTPd – Intro (3)
• Startup
  – Add pureftpd_enable="YES" in /etc/rc.conf
  – Other options:
    – TLS_CERTFILE (Default: /etc/ssl/private/pure-ftpd.pem)
    – LANG (Change the language of output messages)

Pure-FTPd – Configurations (1)
• Configurations
  – File: /usr/local/etc/pure-ftpd.conf
  – Configuration sample: /usr/local/etc/pure-ftpd.conf.sample
  – All options are explained clearly in this file.
• Other documents
  – See /usr/local/share/doc/pure-ftpd/*

Pure-FTPd – Configurations (2)
ChrootEveryone      yes
TrustedGID          0
AnonymousOnly       no
NoAnonymous         no
PureDB              /usr/local/etc/pureftpd.pdb
UnixAuthentication  yes
AntiWarez           yes
Umask               133:022
TrustedIP           140.113.0.0
CreateHomeDir       yes
TLS                 2
FileSystemCharset   UTF-8
ClientCharset       UTF-8

There are more configuration options there!
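The settings on this slide are the ones that decide whether the server exposes clear-text logins, escapes from the chroot, or hands out world-writable uploads. The script below, an added example and not part of the lecture or of Pure-FTPd, parses a pure-ftpd.conf-style file (the slide's settings are reproduced as a constructed sample) and reports the values a reviewer would flag. The TLS levels are Pure-FTPd's own (0 off, 1 optional, 2 required); the severity wording and the rule set are this example's choices.

```python
# Constructed pure-ftpd.conf fragment reproducing the slide's settings
# ("Key value" per line, '#' comments). Added example; not the project's file.
SAMPLE_CONF = """\
# pure-ftpd.conf (constructed from the slide's settings)
ChrootEveryone      yes
TrustedGID          0
AnonymousOnly       no
NoAnonymous         no
PureDB              /usr/local/etc/pureftpd.pdb
UnixAuthentication  yes
AntiWarez           yes
Umask               133:022
TrustedIP           140.113.0.0
CreateHomeDir       yes
TLS                 2
FileSystemCharset   UTF-8
ClientCharset       UTF-8
"""


def parse_conf(text):
    """Parse 'Key value' lines into a dict keyed by the lower-cased option name."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"option without a value: {line!r}")
        conf[parts[0].lower()] = parts[1].strip()
    return conf


def _is_yes(value):
    return value.strip().lower() == "yes"


def _mask_clears_group_world_write(mask):
    """True when an octal umask such as '022' removes the g+w and o+w bits."""
    try:
        return int(mask, 8) & 0o022 == 0o022
    except ValueError:
        return False


def audit(conf):
    """Return (option, finding) pairs for settings worth a second look.

    Only the options shown on the slide are inspected; an absent option is
    treated as Pure-FTPd's default for it.
    """
    findings = []
    tls = conf.get("tls", "0")
    if tls == "0":
        findings.append(("TLS", "TLS disabled: logins and data cross the network in clear text"))
    elif tls == "1":
        findings.append(("TLS", "TLS optional: clients may still log in without encryption"))
    if not _is_yes(conf.get("chrooteveryone", "no")):
        findings.append(("ChrootEveryone", "users are not confined to their home directories"))
    if not _is_yes(conf.get("noanonymous", "no")):
        findings.append(("NoAnonymous", "anonymous logins are accepted; fine for a public mirror, otherwise disable"))
    if not _is_yes(conf.get("antiwarez", "no")):
        findings.append(("AntiWarez", "files uploaded by anonymous users stay downloadable by other anonymous users"))
    umask = conf.get("umask", "")
    masks = umask.split(":")               # Pure-FTPd form is files:directories
    if len(masks) != 2 or not all(_mask_clears_group_world_write(m) for m in masks):
        findings.append(("Umask", f"umask {umask!r} leaves group/world write bits on new files or dirs"))
    return findings


if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {finding}")
```

On the slide's own values the only finding is NoAnonymous, which is intentional for a mirror that says "Only anonymous FTP is allowed here"; flipping TLS to 0 or ChrootEveryone to no makes the checker speak up.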

Pure-FTPd – Tools
• pure-pw – Manage Virtual Users info in PureDB format.
  – See README.Virtual-Users
• pure-ftpwho – List info of users who are currently connecting to the FTP server.
• pw(8) – for system (Unix) accounts.

Pure-FTPd – Anonymous Users and Virtual Users
• Anonymous Users
  – They are only chrooted users and share the same system account.
• Virtual Users
  – Store FTP accounts without messing up your system accounts.
  – They have their own home directory, individual quotas, ratios, bandwidth.

Pure-FTPd – Problem Shooting
• Logs location
  – In default, pure-ftpd keeps ftp logs in /var/log/xferlog (via syslogd).
• Most frequent problems
  – pure-ftpd: (?@?) [ERROR] Unable to find the 'ftp' account
    – It's ok, but you may need it for an Anonymous FTP account.
  – pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    – If you set TLS = 2, then this file is needed.
    – How to generate a pure-ftpd.pem? See README.TLS.
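Beyond the two start-up errors, the same log is where failed logins show up, so a small parser for the "(user@host) [LEVEL] message" form pays for itself. This Python is an added example, not from the lecture or Pure-FTPd: it extracts the fields from syslog lines, maps the slide's two errors to the slide's advice, and counts authentication failures per client address. The sample lines are constructed; the addresses, user names and the non-error message texts are made up for the example.

```python
import re
from collections import Counter

# Pure-FTPd prefixes each message with "(user@host)"; "?" stands for unknown,
# as in the two start-up errors on the slide.
LOG_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]*)@(?P<host>[^)]*)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)

# Constructed sample log (syslog prefix + pure-ftpd message). The first two
# lines are the slide's errors; the rest are made-up entries in the same form.
SAMPLE_LOG = """\
Mar 28 16:20:01 ftp pure-ftpd: (?@?) [ERROR] Unable to find the 'ftp' account
Mar 28 16:20:01 ftp pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
Mar 28 16:21:10 ftp pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Mar 28 16:21:11 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Mar 28 16:21:13 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Mar 28 16:21:15 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Mar 28 16:25:02 ftp pure-ftpd: (?@192.0.2.9) [INFO] New connection from 192.0.2.9
Mar 28 16:25:03 ftp pure-ftpd: (alice@192.0.2.9) [INFO] alice is now logged in
this line is not from pure-ftpd and is skipped
"""

# The slide's advice, keyed by the start of the message it applies to.
HINTS = [
    ("Unable to find the 'ftp' account",
     "harmless unless anonymous FTP is wanted; create the ftp account if it is"),
    ("Sorry, but that file doesn't exist",
     "needed when TLS = 2; generate the certificate as described in README.TLS"),
]


def parse_log(text):
    """Return one dict (user, host, level, msg) per pure-ftpd line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def explain(msg):
    """Map a message to the slide's hint, or None when no hint applies."""
    for prefix, hint in HINTS:
        if msg.startswith(prefix):
            return hint
    return None


def startup_errors(events):
    """ERROR lines logged before any client is known, i.e. with host '?'."""
    return [e["msg"] for e in events if e["level"] == "ERROR" and e["host"] == "?"]


def auth_failures_by_host(events, threshold=3):
    """Hosts with at least `threshold` failed logins, for alerting or blocking."""
    counts = Counter(
        e["host"] for e in events
        if e["level"] == "WARNING" and e["msg"].startswith("Authentication failed")
    )
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for msg in startup_errors(events):
        print(f"{msg}\n  -> {explain(msg)}")
    print(auth_failures_by_host(events))
```

The threshold is deliberately a parameter: on a public anonymous mirror a handful of failures is noise, while on a server with virtual users the same count from one address is worth a look.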

FTP – More Tools
• ftp/pureadmin – A management utility for Pure-FTPd.
• ftp/filezilla – Multithreaded cross-platform graphical FTP client, supports TLS.
• ftp/wget – Retrieve files from the Net via HTTP(S) and FTP.
• mget – Multithreaded download manager.
• Command-line ftp-like tools, e.g. ftp/curl.
• Pure-FTPd WebUI – PHP web client (web based interface), supports TLS.
