Friday, 1 July 2011

FTP -- Configure anonymous-only download

This objective has mostly been covered here. This time I tried from a different server to test the server and I had this strange behaviour:
ftp 10.168.20.233
Connected to 10.168.20.233 (10.168.20.233).
220 (vsFTPd 2.2.2)
Name (10.168.20.233:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,168,20,233,38,221).
ftp: connect: No route to host
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,168,20,233,161,152).
ftp: connect: No route to host
ftp> pwd
257 "/pub"
After a bit of hunt, I discovered that the ip_conntrack_ftp module is needed for passive mode to work properly, thus:
modprobe ip_conntrack_ftp; service vsftpd restart
It works fine now:
ftp 10.168.20.233
Connected to 10.168.20.233 (10.168.20.233).
220 (vsFTPd 2.2.2)
Name (10.168.20.233:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,168,20,233,141,198).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26  2010 pub
226 Directory send OK.
Now, we just need to make it permanent, which requires a script to be written. Note that this needs to have a .modules extension and be placed in the /etc/sysconfig/modules directory:
#!/bin/sh
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1
I have called mine ip_conntrack_ftp.modules thus in order to make it executable, I issue this command:
chmod +x  /etc/sysconfig/modules/ip_conntrack_ftp.modules
Note that there are no SELinux settings related to this objective and that in order to prevent hosts from accessing the service you should use an iptables rule. User based authentication is enabled by default, as local users are enabled by default (local_enable=YES), but in order to allow access to them you will need to set this SELinux setting:
setsebool -P ftp_home_dir 1
To me this conflicts with the objective of configuring anonymous-only download, but would seem to satisfy Configure host-based and user-based security for the service, so it's hard to say for sure

No comments:

Post a Comment