http://www.ietf.org/rfc/rfc0959.txt number=959 in Font

Generate ECC200 in Font http://www.ietf.org/rfc/rfc0959.txt number=959

You do have some alternatives to FTP Indeed, for the process of transferring files between . systems, other mechanisms are considerably more secure. These include sftp or scp from the OpenSSH toolkit (as discussed in 3). If the remote systems are configured correctly, then you can use SSH to upload files to remote systems such as Web servers without requiring an FTP port to be open on them. I recommend you look at these options rather than use FTP . If you must use FTP then in this chapter I will try to provide a secure as possible imple, mentation of an FTP server. I will show you how FTP works and how best to firewall it. Additionally, I will take you through installing a secure anonymous FTP server, show you a local user authenticated FTP server, and cover support for FTP over SSL/TLS. As part of this, I will also demonstrate how to chroot your FTP server and mitigate the risk of DoS attacks.

FTP has two key components: a client and a server. This chapter will focus on the server component of FTP FTP is a stateful protocol, meaning that connections between clients and . servers are created and kept open during an FTP session. Commands that are issued to the FTP server (for example, to upload a file or list files in a directory) are executed consecutively. If a command arrives while another command is being executed, then the new command is queued and will execute when the current command has been completed.

When making an FTP connection, two types of connections are initiated. They are a control connection, also called a command, and a data connection. When you connect an FTP client to an FTP server, a single control connection is established by default using the TCP port 21. This connection is used for the authentication process, for sending commands, and for receiving response messages from the remote server. It does not do the actual sending and receiving of information or files. The data connection handles sending and receiving files. A data connection is established only when a file needs to be transferred and is closed at the end of the transfer. Two types of data connection exist: active mode and passive mode. Active connections use the PORT command and are initiated by the remote server, and the client listens for the connection. Passive connections use the PASV command; the client initiates the connection to the remote server, and the server listens for the data connections. When the client starts a transfer, it tells the server what type of connection it wants to make. In modern FTP clients and servers, the most common connection type is passive connections. In active mode, the client connects from a random source port in the ephemeral port range (see 2) to the FTP control port 21. All commands and response codes are sent on this control connection. When you actually want to transfer a file, the remote FTP server will initiate a connection from the FTP data port 20 on the server system back to a destination port in the ephemeral port range on the client. This destination port is negotiated by the port 21 control connection. Often, the destination port used is one port number higher than the source port on the client. Figure 10-1 shows an active mode connection.

Active mode connections often have issues with firewalls. On the server side with an active mode connection, you need to have the TCP ports 20 and 21 open on your firewall. On the client side, you need the range of ephemeral ports open. Often opening these ports is hard to do if your FTP client is behind a firewall. In a secure firewall configuration, these ports should generally be closed. Additionally, because the remote server initiates the connection, many firewalls will drop the connection because they are designed to accept only established connections on specific limited ports. Finally, if you are behind a firewall that uses many-to-one Network Address Translation (NAT), it is often impossible for the firewall to determine which internal IP address initiated the FTP connection. This is caused by the firewall s inability to correlate the control and data connections. As a result of the issues active mode connections have with firewalls, passive mode connections were introduced. In passive mode, the client initiates both sides of the connection. First, the client initiates the control connection from a random ephemeral port on the client to the destination port of 21 on the remote server. When it needs to make a data connection, the client will issue the PASV command. The server will respond by opening a random ephemeral port on the server and pass this port number back to the client via the control connection. The client will then open a random ephemeral source port on the client and initiate a connection between that port and the destination remote port provided by the FTP server. Figure 10-2 shows a passive mode FTP connection.