TFTP & FTP Server on Centos 7

If you ever needed a TFTP or an anonymous FTP server to transfer files, logs, or crash debugs to and from your network devices, it can be a little tricky if you don’t have anything set up. There are some free, quick programs out there if you are in a pinch for one-time transfers, but if you want something in your infrastructure that is ready to go for this kind of thing, just follow the tutorial below. I’m using the latest version of Centos 7 minimal; we need to add some housekeeping items first, so let’s get started!

Install NANO:

yum install nano

Install firewalld (it seems Centos 7 1511 does not include it, at least in the minimal version):

yum install firewalld

Enable firewalld to startup automatically when Centos boots up:

systemctl enable firewalld

Start the firewalld:

systemctl start firewalld

The first part of this tutorial will go over installing TFTP, followed by installing FTP. If you only need FTP and want to skip the TFTP installation, select the link: Install FTP Server on Centos

Add the TFTP rule to the Centos Firewall and reload it:

firewall-cmd --permanent --zone=public --add-service=tftp
firewall-cmd --reload

Install the TFTP server as well as the TFTP client just in case we want to test TFTP locally:

yum install xinetd tftp-server tftp

Enable the TFTP program to startup automatically:

systemctl enable xinetd tftp

Start the TFTP program now:

systemctl start xinetd tftp

Since we have started the TFTP service, let’s focus on its configuration file and settings. We don’t want this TFTP service to run as root, so let’s create a system account for TFTP.

useradd -s /bin/false -r tftp

This command creates a system account that cannot be used to get a shell, i.e. it cannot “login”. Depending on how this system was installed your path may be different, especially if you are expecting to store a lot of files. In this tutorial I’m going to be hosting these files under the /var folder; my full path is /var/FileServerRoot/TFTP. The folder FileServerRoot is not created by default, so I’ll create it and put the correct permissions on it so that the TFTP system account can access it.

Create the FileServerRoot Folder as well as a sub folder under it called TFTP:

mkdir /var/FileServerRoot
mkdir /var/FileServerRoot/TFTP

Apply ownership for the TFTP system account:

chown tftp:tftp /var/FileServerRoot/TFTP/

Permissions should already be rwxr-xr-x for this directory. Next, open up the configuration file for the TFTP server located at /etc/xinetd.d/tftp and follow the example configuration file below:

nano /etc/xinetd.d/tftp

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        # -c allow creating new files, -s chroot into the TFTP root, -v verbose logging,
        # -u drop privileges to the tftp account, -p rely on the OS permission checks only
        server_args             = -c -s /var/FileServerRoot/TFTP -v -v -v -u tftp -p
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

If you are curious what each server argument means, take a look at the man page for the TFTP server (in.tftpd).

Restart both services for the TFTP server:

systemctl restart xinetd tftp

After that we have to run one more command for SELinux to be happy, and the best part is we DON’T turn it off! Right now we are able to download files from the TFTP server, but we get a permission denied error when we try to upload files. To fix that, run this command:

chcon -t tftpdir_rw_t /var/FileServerRoot/TFTP

We now have a functioning TFTP server. All file permissions in this folder should be no more than 664. Although it would work with full permissions, TFTP isn’t that secure to begin with (there is no authentication at all), so don’t hand out more than you need. Now onto installing the FTP server :).
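A small audit script for the 664 ceiling just mentioned, written as an added example (not part of the original post): it lists and optionally clamps files under the TFTP root that carry bits beyond rw-rw-r--. The root path argument is assumed to be the tutorial’s /var/FileServerRoot/TFTP.

```shell
#!/bin/sh
# Added example, not from the original post: audit a TFTP root for files whose
# mode goes beyond rw-rw-r-- (664). TFTP has no authentication, so an execute
# bit or a world-write bit on anything in here is exposed to every host that
# can reach UDP/69. Assumes the root path is passed as $1 (the post uses
# /var/FileServerRoot/TFTP).

# Internal helper: find regular files with any bit outside 664 set
# (owner x, group x, other w, other x) and apply the action given as $2...
_tftp_find_bad() {
    root="$1"
    shift
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0002 -o -perm -0001 \) "$@"
}

# Print every offending file.
tftp_audit() {
    _tftp_find_bad "$1" -print
}

# Number of offending files, usable as a pass/fail value in scripts.
tftp_audit_count() {
    tftp_audit "$1" | wc -l | tr -d ' '
}

# Remediate: clamp offending files back to 664. Directories are left alone,
# they need their x bits so in.tftpd can traverse them.
tftp_fix_perms() {
    _tftp_find_bad "$1" -exec chmod 664 {} +
}

# Usage when run directly:  sh tftp_audit.sh /var/FileServerRoot/TFTP
if [ -n "$1" ]; then
    n=$(tftp_audit_count "$1")
    echo "$n file(s) under $1 exceed 664:"
    tftp_audit "$1"
    [ "$n" -eq 0 ]
fi
```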

Install FTP Server on Centos 7

Alright, let’s install the FTP server on Centos and include the FTP client, just in case we want to test locally:

yum install vsftpd ftp

Now let’s look at the firewall settings and the configuration settings needed to make this FTP server anonymous for both uploads and downloads. Add an FTP rule to the firewall and reload it:

firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload

Enable vsftpd to start up upon boot:

systemctl enable vsftpd

Let’s create the FTP folder. In this example it’s going to be under the FileServerRoot we created earlier with TFTP; if you skipped the TFTP installation, just create the root directory first, followed by the FTP folder.

mkdir /var/FileServerRoot/
mkdir /var/FileServerRoot/FTP

We have to change permissions on the FTP folder to the following (vsftpd refuses to serve an anonymous root that is writable by the ftp user, so it must be read-only):

chmod 555 /var/FileServerRoot/FTP

We are also going to make two more folders under the FTP folder called upload and download to keep things organized:

mkdir /var/FileServerRoot/FTP/upload
mkdir /var/FileServerRoot/FTP/download

Change ownership of these folders to the built-in FTP account:

chown ftp:ftp /var/FileServerRoot/FTP/upload
chown ftp:ftp /var/FileServerRoot/FTP/download

Let’s make a backup of the configuration file that runs FTP (just in case):

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig

Open up the configuration file with nano at /etc/vsftpd/vsftpd.conf and make the following edits towards the top of the file:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# (stock default; set this to NO if this box should only ever serve anonymous users)
local_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES

At the end of the file put the following:

# Point users at the Public directory
anon_root=/var/FileServerRoot/FTP
# Stop prompting for a password on the command line.
no_anon_password=YES
# Show the user and group as ftp:ftp, regardless of the owner.
hide_ids=YES
# Limit the range of ports that can be used for passive FTP
# (example range, not taken from the original post: pick any unused high range
# and make sure your firewall passes it)
pasv_min_port=40000
pasv_max_port=50000

We are almost done; we have to make some changes to SELinux before we are good to go. First we have to install the policy core utilities:

yum install policycoreutils-python

We are now making changes to SELinux to allow anonymous downloads:

semanage fcontext -a -t public_content_t "/var/FileServerRoot/FTP(/.*)?"

Next command to run:

restorecon -R -v /var/FileServerRoot/FTP

– Output –

restorecon reset /var/FileServerRoot/FTP context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:public_content_t:s0
restorecon reset /var/FileServerRoot/FTP/upload context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:public_content_t:s0
restorecon reset /var/FileServerRoot/FTP/download context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:public_content_t:s0

Now let’s make changes to SELinux to allow anonymous uploads:

semanage fcontext -a -t public_content_rw_t "/var/FileServerRoot/FTP/upload(/.*)?"

Next command to run:

restorecon -R -v /var/FileServerRoot/FTP/upload

– Output –

restorecon reset /var/FileServerRoot/FTP/upload context unconfined_u:object_r:public_content_t:s0->unconfined_u:object_r:public_content_rw_t:s0

One more command to run:

semanage boolean -m --on allow_ftpd_anon_write

That should be it! Let’s restart the server to make sure everything comes back online including the TFTP part that we finished earlier.

shutdown -r now

If you have a TFTP and FTP client, go ahead and test it out when the server reboots. If you run into some issues, some troubleshooting tips are:

  • Check SELinux. If you are getting file permission errors when uploading or downloading and the permissions look right, this is likely SELinux. It can be a little picky, which is why you’ll read about a lot of people just disabling it. You can disable SELinux temporarily (it turns back on when you reboot, or run setenforce 1 once you are done testing) to check if TFTP or FTP works by running:
setenforce 0
  • If you are having problems with anonymous FTP, like downloading or uploading, check the security context by running:
ls -Z
  • For FTP to work the context output should look something like the output below:
[root@localhost ~]# ls -Z /var/FileServerRoot/FTP/
drwxr-xr-x. ftp ftp unconfined_u:object_r:public_content_t:s0 download
drwxr-xr-x. ftp ftp unconfined_u:object_r:public_content_rw_t:s0 upload
[root@localhost ~]#
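To turn that eyeball check into something repeatable, here is an added example (not from the original post) that parses ls -Z output in the format shown above and flags any directory whose SELinux type is not the one this tutorial assigns. It assumes the lines are fed on stdin; the ftp_context_check_dir wrapper and its path argument are my own convenience, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the FTP tree carries
# the SELinux types the tutorial assigns, by parsing `ls -Z` output in the
# CentOS 7 format (mode user group context name).
# Expected: upload   -> public_content_rw_t (anonymous write allowed)
#           download -> public_content_t    (anonymous read only)
# Anything else, e.g. a leftover var_t from before restorecon, is reported.
# Assumes the ls -Z lines arrive on stdin, so saved output can be checked too.

ftp_context_check() {
    status=0
    while read -r mode user group ctx name; do
        # Only directory entries matter here; skip prompts and blank lines.
        case "$mode" in d*) ;; *) continue ;; esac
        # An SELinux context is user:role:type:level; the type is field 3.
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        case "$name" in
            upload) want=public_content_rw_t ;;
            *)      want=public_content_t ;;   # everything else stays read-only
        esac
        if [ "$type" != "$want" ]; then
            echo "MISMATCH: $name has type $type, expected $want (rerun restorecon -R -v)"
            status=1
        fi
    done
    return "$status"
}

# Convenience wrapper for a live system (hypothetical helper, path is assumed):
#   ftp_context_check_dir /var/FileServerRoot/FTP
ftp_context_check_dir() {
    ls -Z "$1" | ftp_context_check
}
```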

Keep in mind we just created a system that is open to any TFTP and FTP connection. Reads and writes are anonymous, so if there is a need to control what or who can access your server over your network or the internet, it’s recommended to put ACLs in place to block unwanted connections. Otherwise you might end up on a list like this one, in which the entire IPv4 address space was scanned to find what responds anonymously on TCP port 21. That’s all I got for now; as always, I hope this information is helpful!
