Sunday, May 18, 2008

Fedora8: FTP

vsftpd is easy to set up.

Install the package: yum install vsftpd
Firewall configuration: allow FTP (TCP port 21) through; allow DNS as well if the server needs to resolve names.

Leave SELinux enforcing. The targeted policy already lets vsftpd serve files; if you allow clients to upload, turn on the anonymous-write boolean and label the upload directory instead of switching SELinux off in system-config-selinux:

setsebool -P allow_ftpd_anon_write on
chcon -t public_content_rw_t /var/ftp/pub/upload

(chcon does not survive a relabel; add a matching semanage fcontext rule if you want the label to be permanent.)

chkconfig --level 35 vsftpd on

/etc/vsftpd/vsftpd.conf
anonymous_enable=YES
listen=YES

service vsftpd start

You can access your FTP server.

=====
default ftp root
anon_root=/var/ftp/
Default ftp user
ftp_username=ftp

===

/etc/vsftpd/vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES

#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES

===
anon_upload_enable=YES (together with write_enable=YES above) is all that anonymous uploads need. ascii_upload_enable is unrelated: it turns on ASCII line-ending mangling, which vsftpd ignores by default, so leave it at NO. Every option goes on its own line as key=value with no spaces; if vsftpd refuses to start with "unrecognised variable in config file", the option name on the reported line is misspelled or contains stray whitespace.
====
Test

mkdir /var/ftp/pub/upload
chown root:ftp /var/ftp/pub/upload
chmod 730 /var/ftp/pub/upload

Owned by root, group ftp, mode 730, the directory is a blind drop box: the anonymous user (uid ftp) can create files in it but cannot list it, and with the default anon_umask=077 the uploaded files are not world readable, so one anonymous client cannot fetch what another one dropped. Do not make the directory world-writable (o+rw); that lets every local account on the box write into it as well.

At any ftp client:
ftp mylinux.test.com
ftp> cd pub/upload
ftp> put /etc/resolv.conf resolv.conf

The put should succeed, and an ls inside pub/upload should fail; that is the expected behaviour of a blind drop.

===
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.

anon_mkdir_write_enable=YES
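To check a vsftpd.conf for the pitfalls covered above (options must be one key=value per line, anonymous uploads should not stay readable by the ftp user, ASCII mode is unrelated to uploads, local users need a chroot, passive data ports should be pinned), here is an added Python example that is not part of the original post. It parses the file the way vsftpd does (blank lines and '#' lines ignored, anything else a single key=value) and reports findings. Both configurations are constructed for the example, and the chown_username account ftpdrop is a hypothetical name you would have to create.

```python
"""Audit a vsftpd.conf for the anonymous-upload pitfalls discussed above (added example)."""
import re

# Constructed input: the post's settings collected into one file (not the Fedora 8 default file).
WEAK_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
ascii_upload_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
listen=YES
"""

# Constructed hardened counterpart. 'ftpdrop' is a hypothetical local account that
# takes ownership of uploads so the anonymous ftp user cannot read them back.
HARDENED_CONF = """\
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_umask=077
chown_uploads=YES
chown_username=ftpdrop
ascii_upload_enable=NO
ascii_download_enable=NO
# keep the passive data ports in a small range the firewall can open explicitly
pasv_enable=YES
pasv_min_port=5200
pasv_max_port=5600
listen=YES
"""

OPTION_LINE = re.compile(r"([A-Za-z_]+)=(\S*)")


def parse_vsftpd_conf(text):
    """Parse like vsftpd: blank lines and '#' lines are ignored; anything else must be
    a single key=value with no whitespace, so 'a=YES b=YES' on one line is an error."""
    opts, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_LINE.fullmatch(line)
        if m is None:
            errors.append("line %d: malformed option line %r" % (lineno, line))
            continue
        opts[m.group(1)] = m.group(2)
    return opts, errors


def is_yes(opts, key, default="NO"):
    """vsftpd accepts YES/TRUE/1 for booleans; 'default' is the man-page default."""
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")


def as_int(opts, key, default=0):
    value = opts.get(key, "")
    return int(value) if value.isdigit() else default


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts, findings = parse_vsftpd_conf(text)
    anon = is_yes(opts, "anonymous_enable", "YES")  # vsftpd default is YES
    if anon and is_yes(opts, "write_enable") and is_yes(opts, "anon_upload_enable"):
        if not is_yes(opts, "chown_uploads"):
            findings.append("anonymous uploads stay owned by the ftp user; set "
                            "chown_uploads=YES and chown_username=<non-ftp account>")
    if is_yes(opts, "ascii_upload_enable") or is_yes(opts, "ascii_download_enable"):
        findings.append("ASCII mangling is enabled; it is unrelated to uploads, "
                        "leave both ascii_* options at NO")
    if is_yes(opts, "local_enable") and not is_yes(opts, "chroot_local_user"):
        findings.append("local users are not chrooted (chroot_local_user=NO); "
                        "they can browse the whole filesystem over FTP")
    if is_yes(opts, "pasv_enable", "YES"):
        lo, hi = as_int(opts, "pasv_min_port"), as_int(opts, "pasv_max_port")
        if lo == 0 or hi == 0 or lo > hi or lo < 1024:
            findings.append("passive data ports are unrestricted; set pasv_min_port and "
                            "pasv_max_port to a small range and open only that range inbound")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
```

Running the script prints four findings for the post's configuration and none for the hardened one; feeding it the one-line form "ascii_upload_enable=YES anon_upload_enable=YES" produces a parse error instead of silently accepting the line.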
============
Active FTP

  1. The client opens the control connection to TCP port 21 on the server. Commands such as ls and get are sent over this connection.

  2. Whenever the client requests data over the control connection, the server opens the data connection back to the client: from server port 20 to the high port (>1023) that the client announced in its PORT command.

Active FTP fails behind a default-deny firewall on the client side: the data connection is inbound and lands on a port you cannot know in advance, so there is no fixed rule to write. On Linux the ip_conntrack_ftp connection-tracking helper (IPTABLES_MODULES in /etc/sysconfig/iptables-config) solves this by watching the control channel for PORT commands and admitting the matching data connection as RELATED; without such a helper, passive mode is the practical answer.

Passive FTP

Passive FTP works differently:

  1. The client opens the control connection to TCP port 21 on the server. Commands such as ls and get are sent over that connection.

  2. Whenever the client requests data over the control connection, the client also opens the data connection: the server answers PASV with a random port (>1023) and the client connects to it from a high port (>1023) of its own.

In passive FTP the server never attempts to connect to the client. Because the client initiates every connection, passive FTP works better for clients behind a firewall; the cost moves to the server side, which must accept inbound connections on its passive port range.


As Windows defaults to active FTP, and Linux defaults to passive,

FTP is a TCP-only service.

Active FTP:
command : client >1023 -> server 21
data    : client >1023 <- server 20

Passive FTP:
command : client >1023 -> server 21
data    : client >1023 -> server >1023
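Both modes use the same RFC 959 address field, h1,h2,h3,h4,p1,p2 with port = p1*256 + p2: the client sends it in PORT (active) and the server sends it in the 227 reply to PASV (passive). The following Python is an added example, not code from the post. It encodes and decodes that field, validates a 227 reply the way a careful client should, and runs one passive data transfer on 127.0.0.1 with the server's data socket bound inside a 5200-5600 range, the kind of range the firewall discussion further down describes. The payload is a constructed byte string.

```python
"""Active/passive FTP addressing and a passive data transfer on localhost (added example)."""
import re
import socket
import threading


def encode_hostport(ip, port):
    """RFC 959 address field: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_hostport(field):
    """Inverse of encode_hostport; rejects anything that is not six byte-sized numbers."""
    parts = field.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("malformed h1,h2,h3,h4,p1,p2 field: %r" % field)
    nums = [int(p) for p in parts]
    return ".".join(parts[:4]), nums[4] * 256 + nums[5]


def build_port_command(client_ip, client_port):
    """Active mode: the client announces where the server should connect back
    (the server then connects from its port 20 to this address)."""
    return "PORT " + encode_hostport(client_ip, client_port)


def parse_pasv_reply(reply):
    """Passive mode: extract (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'"""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = re.search(r"\d{1,3}(?:,\d{1,3}){5}", reply)
    if m is None:
        raise ValueError("227 reply carries no address: %r" % reply)
    return decode_hostport(m.group(0))


def open_passive_listener(bind_ip, pasv_min, pasv_max):
    """Server side of PASV: bind the data socket to a free port inside the configured
    range (what vsftpd's pasv_min_port/pasv_max_port or IIS PassivePortRange pin down)."""
    for port in range(pasv_min, pasv_max + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((bind_ip, port))
            sock.listen(1)
            sock.settimeout(5)
            return sock
        except OSError:
            sock.close()
    raise RuntimeError("no free port in passive range %d-%d" % (pasv_min, pasv_max))


def passive_exchange(pasv_min=5200, pasv_max=5600, payload=b"constructed file contents\n"):
    """One passive transfer: the server advertises its data port in a 227 reply, the
    client parses it and opens the data connection (client >1023 -> server >1023).
    Returns (reply, server data port, bytes the client received)."""
    listener = open_passive_listener("127.0.0.1", pasv_min, pasv_max)
    ip, port = listener.getsockname()
    reply = "227 Entering Passive Mode (%s)." % encode_hostport(ip, port)

    def serve():
        try:
            conn, _ = listener.accept()
            with conn:
                conn.sendall(payload)   # the server only ever sends on a connection the client opened
        finally:
            listener.close()

    server = threading.Thread(target=serve, daemon=True)
    server.start()
    target = parse_pasv_reply(reply)    # the client trusts only what it can parse from the reply
    chunks = []
    with socket.create_connection(target, timeout=5) as data:
        while True:
            buf = data.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    server.join(5)
    return reply, port, b"".join(chunks)


if __name__ == "__main__":
    print(build_port_command("10.0.0.5", 40000))
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,20,81)."))
    reply, port, data = passive_exchange()
    print(reply, "-> client connected to port", port, "and received", data)
```

The listener loop is the part a firewall administrator cares about: because the server only ever binds inside pasv_min..pasv_max, the inbound rule for the data channel can be that range alone rather than every port above 1023.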
Enable passive FTP in Internet Explorer:
Tools -> Internet Options -> Advanced -> uncheck "Enable folder view for FTP sites" -> check "Use Passive FTP"

IIS

Setting the Passive Connection Port Range


FTP clients connect to FTP servers through a well-known service port, TCP port 21, and establish a control channel for sending requests and receiving replies. For actual file data transfers, a second connection is established: a data channel. By default, the server connects back to the client to establish the data connection, which is an active-mode connection. However, to support clients that are behind firewalls and cannot accept incoming connections, the FTP protocol allows the client to connect to the server to establish the data channel, which is a passive-mode connection. Passive-mode connections are established through the following process: the client requests a passive mode (PASV), the server replies with a unique port number, and the client connects to that port.


By default, the FTP server allocates ports for passive-mode connections from the WinSock dynamic range, 1024 to 5000. If the server itself is behind a firewall, the 1024 to 5000 port range must be open for incoming connections at the firewall. This requirement can expose the server to potential attack because many applications share the WinSock dynamic port range. To reduce the attack surface, you can configure the FTP service to allocate ports for passive-mode connections from a port range above 5000, which allows you to assign a port range to be used exclusively by FTP passive-mode connections and to create firewall and router policies that open that range for incoming TCP connections.


To set the port range for passive-mode connections, edit the PassivePortRange property in the metabase. When you set the port range, consider the number of anticipated concurrent file transfers because each client might need a distinct port. For performance reasons, the port range should be at least two times the number of anticipated concurrent file transfers.


Windows command line (IIS 6, run from %systemdrive%\Inetpub\AdminScripts), followed by a restart of the FTP service so the new range takes effect:

cscript adsutil.vbs set /MSFTPSVC/PassivePortRange "5200-5600"
net stop msftpsvc
net start msftpsvc

The server-side firewall must then allow inbound TCP 5200-5600 (plus 21) and nothing else in that range. The vsftpd equivalent on the Fedora box is pasv_min_port=5200 and pasv_max_port=5600 in /etc/vsftpd/vsftpd.conf; if the server sits behind NAT, also set pasv_address to its public IP, because the 227 reply otherwise carries the private address and clients cannot reach it.