
Firewall and SELinux Configuration for FTP Server

Before you can begin using the FTP service, you need to make some firewall adjustments and SELinux changes. Let’s start with the firewall rules. FTP uses both TCP ports 20 and 21, which you can open on the firewall.
Step 1. Use the iptables command to create your firewall rules:

# iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT

Step 2. Save the rules you just created:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

Step 3. Restart the firewall service for the changes to take effect:

# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

Now that the firewall rules are taken care of, let’s move on to SELinux.
Real World Information: It is possible to get your FTP server to interact over a single firewall port. This is possible because of the different ways that FTP functions (active versus passive), but because this isn’t a requirement for the exams, we don’t discuss it here. Depending on what features you are trying to configure, you need to adjust SELinux accordingly.
For now, let’s enable the system users to have read/write access to the system.
Step 1. Query for the Boolean value you need to change:

# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> off

Step 2. Disable the SELinux protection:

# setsebool -P allow_ftpd_full_access=1

Step 3. Verify that the Boolean has changed:

# getsebool -a | grep ftpd_full
allow_ftpd_full_access --> on

If you need to enable additional features for your FTP server, make sure to disable SELinux protection for that feature.
One of the features you need to be able to set up is anonymous access to your FTP server. For this feature to function properly, you need to make sure that you adjust the allow_ftpd_anon_write Boolean. This allows you to have anonymous users upload files. This capability can be dangerous because there is no way to track which user is uploading or writing files. It is recommended to leave this option disabled unless you know what you’re doing.

Configuring FTP Security using Host-based Access lists

When dealing with security for FTP, you can run into a little trouble if you don’t plan things out ahead of time.
The FTP protocol supports two different types of file transfers.

  • The first is known as active mode, which uses port 20 to connect back to the client.
  • The second is known as passive mode, which uses a custom-defined range of ports above 1024.

Because there are two different modes for FTP, you need to decide which mode you want to use so that you can configure the correct security settings and open the correct ports on the firewall. Back in the configuration section, the option connect_from_port_20 is set to YES by default. This means that, by default, active mode is used for the vsftpd service.
Let’s look at some other options that can be used for basic security. You can disable the anonymous_enable option to prevent unauthorized users from accessing the FTP server. The local_enable option, which is enabled by default, allows local system users to log in to the FTP server. Keeping this option enabled is usually a safe choice, because you then don’t need to maintain a second list of users that you want to be able to log in to the FTP server.
There is one other security step you should take for the FTP server.

The userlist_enable option, which is set to YES by default, allows the vsftpd service to consult the /etc/vsftpd/user_list file.

When this option is used in conjunction with the userlist_deny option, all users in this file are denied access to the server and not even prompted for a password. This prevents them from submitting clear-text passwords over the network.
If you want to change this setting, however, you could set the userlist_deny option to NO. Then all users except for those listed in /etc/vsftpd/user_list are denied access.
This setting is useful if you want only select individuals to be able to log in and not all your system users.
Here is what the file contains by default:

# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.

As you can see, this file can get very confusing with options quickly, which is why you should plan out ahead of time what you want your FTP server policy to be.
Real World Information: The file called /etc/vsftpd/ftpusers denies access to log in to the FTP server no matter what. A few system users are populated in this file when the vsftpd service is installed.
If you want to ban a user, you can use this file. The difference is that users in this file are not allowed to log in but still receive a login and password prompt allowing them to submit their credentials over the network in clear-text.
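
The way userlist_enable, userlist_deny, /etc/vsftpd/user_list and /etc/vsftpd/ftpusers combine, as an added shell example (not part of the original article and not vsftpd's own code). The function names, outcome labels and sample files are constructed for illustration; an option missing from the configuration file falls back to the default this article states.

```shell
#!/bin/sh
# Added example: predict how vsftpd handles a login attempt, following the
# userlist_enable / userlist_deny / ftpusers rules described in the article.

# conf_get FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT.
conf_get() {
    val=$(sed -n "s/^$2=\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}" | tr '[:lower:]' '[:upper:]'
}

# in_list FILE USER: true when USER is an exact, uncommented line of FILE.
in_list() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -qxF -- "$2"
}

# ftp_login_outcome CONF USER_LIST FTPUSERS USER
# Prints one of (labels are this example's own):
#   refused-no-prompt     rejected by the user_list check, no password asked
#   prompted-then-denied  password is requested, then ftpusers denies the login
#   prompted              password is requested and normal authentication runs
ftp_login_outcome() {
    enable=$(conf_get "$1" userlist_enable YES)  # default as stated in the article
    deny=$(conf_get "$1" userlist_deny YES)      # default as stated in the article
    if [ "$enable" = YES ]; then
        # Deny-list mode: listed users are turned away before the prompt.
        if [ "$deny" = YES ] && in_list "$2" "$4"; then
            echo refused-no-prompt; return 0
        fi
        # Allow-list mode: everyone NOT listed is turned away.
        if [ "$deny" = NO ] && ! in_list "$2" "$4"; then
            echo refused-no-prompt; return 0
        fi
    fi
    if in_list "$3" "$4"; then echo prompted-then-denied; return 0; fi
    echo prompted
}

# Constructed sample files (illustrative, not copied from a real server).
d=$(mktemp -d)
printf 'userlist_enable=YES\nuserlist_deny=YES\n' > "$d/deny.conf"
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$d/allow.conf"
printf '# vsftpd userlist\nroot\nalice\n' > "$d/user_list"
printf 'root\nbob\n' > "$d/ftpusers"

for u in alice bob carol; do
    for c in deny allow; do
        echo "$u $c.conf: $(ftp_login_outcome "$d/$c.conf" "$d/user_list" "$d/ftpusers" "$u")"
    done
done
```

Only the prompted-then-denied and prompted outcomes put a password on the wire, which is the distinction the article draws between user_list and ftpusers.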

November 16, 2015
