13. Configuring FTP Services in Knoppix

Estimated Time: 45 minutes

Objective

In this lab, the student will configure Knoppix as an FTP server.

Equipment

The following equipment is required for this exercise:

- A computer running Knoppix 3.9 or greater.

Scenario

The Marketing Director of the XYZ Company has requested an FTP site so employees in the Marketing and Sales Department will be able to access and download files when away from the office. An FTP site must be created on the server for them to access.

Procedures

First, a user will be added to the system, since FTP normally does not allow root to log in. In the first part of this lab, the student will build the content that will be on the FTP server. In Knoppix, the FTP service is not started by default, so in the next step the student will start the internet daemon to start the FTP service. By default, Knoppix allows logins from localhost only (127.0.0.1). The student will verify that this works.

The next part of the lab requires a LAN connection to another host. In this part of the lab, the student will edit two configuration files that will allow a remote host to log in. It will also be necessary to set up the NIC for use on the network. The student will then verify that a remote host can log in to the Knoppix FTP server.

The procedures for starting the FTP service and the Telnet service in Knoppix are similar but not identical.

Preliminary step

First, click the Knoppix Penguin icon to get to the root shell. Assign yourself a root password with the passwd command, and enter the password twice.

    passwd
    Changing password for user root.
    Enter new UNIX password:
    Retype new UNIX password:

The password will be successfully updated.

Step 1: Adding a user that can login to FTP

1. The FTP server requires a user to have a home directory, and it also requires the path to the user's shell to be listed in the user's entry in /etc/passwd. Two options are needed with the useradd command to accomplish this.
Create a user account based on your name. For example, root could create an account for Maria Chavez like this:

    useradd -m -s /bin/bash mchavez

2. As root, assign your new account a password in this way. For Maria's case, she would type (while logged in as root):

    passwd mchavez
    Changing password for user mchavez.
    Enter new UNIX password:
    Retype new UNIX password:

Type it twice and it will be accepted. In Knoppix, passwords are locked by default. That is why mchavez couldn't create her own password immediately after her user account was created. Root has to do it.

3. Look at the /etc/passwd file to see that the path to the user's shell (the bash shell) appears. Type:

    tail /etc/passwd
The end of the mchavez line will have /bin/bash.

Step 2: Create a file that will be accessible by an ftp user

The student will be logging into their home directory. Create a file there. Type:

    touch /home/mchavez/testfile

or use the directory corresponding to your username.

Step 3: Start the internet daemon

Most daemons have start, stop and restart commands. If the internet daemon has not been started previously during this Knoppix session, start is used. If it is running, and you want it to re-read some altered configuration files, restart is used.

Log in with the root account. The internet daemon can only be started by root. Type:

    /etc/init.d/inetd start

Step 4: Testing the FTP Server with a local login

1. To test if the FTP services are working properly from a terminal window, type:

    ftp localhost

This command uses the system to access the FTP services on the same system. The Linux system will attempt to make an FTP connection to itself through the local loopback address 127.0.0.1. It will run through the login procedure and prompt the user to enter a username and password.

2. Log in using the student account you have created (do not use the root account to log on). When prompted, type the student account name and password.

3. If you receive a welcome message from the FTP server, then you have successfully configured your Knoppix server for FTP access.

[Figure: Example of a successful FTP login]

4. To see the current working directory, type:

    pwd
5. To see the files in the current directory, type:

    ls -a

Do you see the file you created earlier (testfile)? Y

6. To exit the FTP session, type:

    bye

Step 5: Editing configuration files

Two configuration files must be edited to allow logins to a Knoppix server from a remote host.

1. Using vi, edit the file /etc/hosts.allow, which has these contents:

    # /etc/hosts.allow: list of hosts that are allowed to access the system.
    #                   See the manual pages hosts_access(5), hosts_options(5)
    #                   and /usr/doc/netbase/portmapper.txt.gz
    #
    # Example:    ALL: LOCAL @some_netgroup
    #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    #
    # If you're going to protect the portmapper use the name "portmap" for the
    # daemon name. Remember that you can only use the keyword "ALL" and IP
    # addresses (NOT host or domain names) for the portmapper. See portmap(8)
    # and /usr/doc/netbase/portmapper.txt.gz for further information.
    #
    ssh sshd : ALL@ALL : ALLOW
    ALL : 127.0.0.1 LOCAL : ALLOW
    ALL : ALL@ALL : DENY

As root, type:

    vi /etc/hosts.allow

Navigate down to the last line:

    ALL : ALL@ALL : DENY

Move the cursor to the D of DENY. Press x four times to remove the word DENY. Press i to enter insert mode. Type ALLOW in uppercase.

    ALL : ALL@ALL : ALLOW

Press ESC to exit insert mode. Type :wq to exit and save the file.

2. Using vi, edit the file /etc/hosts.deny, which has these contents:

    # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
    #                  See the manual pages hosts_access(5), hosts_options(5)
    #                  and /usr/doc/netbase/portmapper.txt.gz
    #
    # Example:    ALL: some.host.name, .some.domain
    #             ALL EXCEPT in.fingerd: other.host.name, .other.domain
    #
    # If you're going to protect the portmapper use the name "portmap" for the
    # daemon name. Remember that you can only use the keyword "ALL" and IP
    # addresses (NOT host or domain names) for the portmapper. See portmap(8)
    # and /usr/doc/netbase/portmapper.txt.gz for further information.
    #
    # The PARANOID wildcard matches any host whose name does not match its
    # address.
    ALL: PARANOID

As root, type:

    vi /etc/hosts.deny

Navigate down to the last line:

    ALL: PARANOID

Comment this line out with a # symbol. Press i to enter insert mode. Type #.

    #ALL: PARANOID

Press ESC to exit insert mode. Type :wq to exit and save the file.

Step 6: Restarting the internet daemon (inetd)

Log in with the root account. The internet daemon can only be started with the root account. Since the internet daemon is already running, use the restart command. Type:

    /etc/init.d/inetd restart

The server should now accept logins from remote hosts.

[Figure: Restarting the internet daemon]

Step 7: Configuring the NIC

In order to make a connection to the Knoppix server, its NIC, called eth0, must be configured and enabled. Select an IP address, network mask and broadcast address for your Knoppix server that is compatible with the other hosts on the network. Ask your instructor if you have questions. Then type:

    ifconfig eth0 192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255 up

Use numbers that are appropriate to your system. Remember to type the word up at the end of the line. That enables the eth0 card.

Step 8: Testing the FTP server with a remote login

1. To log in to a Knoppix server, you need to know its internet address. You assigned it in the previous step, but make sure it is correct, and that the NIC is running. At the server's terminal window, type:

    ifconfig

In the eth0 portion of the output, find the lines that contain parts similar to this:

    inet addr: 192.168.0.3        (the address may be different)
    UP BROADCAST RUNNING

Write down the IP address of eth0 on your Knoppix server.
(Answers depend on student computer configuration)

2. To test if the FTP services are working properly, go to a computer that has a LAN connection to the Knoppix server. You can use a Windows command window (Start, Run, cmd), or a Linux system. If it is a Linux system, create a temporary user for FTP purposes:

    adduser ftpclient

3. Give the new ftpclient a password:

    passwd ftpclient

It is not necessary to have the same user account that you created on the Knoppix server. Log in to the remote system as the user ftpclient.

4. Connect to the remote Knoppix FTP server. Type:

    ftp 192.168.0.3        (use the proper IP address)

The remote system will attempt to make an FTP connection to the Knoppix system through the network. It will prompt the user to enter a username and password.

5. Log in to the FTP server using the account name you created on the Knoppix system earlier in this lab, for example mchavez (do not use the root account to log on).

6. Because Knoppix is CD-based, expect a delay of several seconds before you see a response from the server. If you receive a welcome message from the FTP server, then you have successfully configured your Knoppix server for FTP access.

7. To see the current working directory, type:

    pwd

8. To see the files in the current directory, type:

    ls -a

Do you see the file you created earlier (testfile)? Y

9. Retrieve the file testfile from the Knoppix server by typing:

    get testfile

This will bring the file to the computer being used. Did you get a message saying that the file was received? Y

10. To verify that the file has been received, open another terminal window on the client system. Type:

    ls /home/ftpclient

Was the file received? Y/N Y

With a Windows FTP client, testfile may be placed in your user name directory under Documents and Settings.

11. To exit the FTP session, type:

    bye
Troubleshooting

In this lab, the IP address for the Knoppix server was statically assigned. In a corporate setting, if you have trouble connecting to the FTP site, check the IP address on the FTP server. If the network's IP addresses are assigned dynamically with a DHCP server, then the IP address might change from time to time. It is a good idea to assign the FTP server a static IP address so that the IP address does not change. An IP address that keeps changing could create a lot of administrative costs and trouble from users and customers who will be calling and saying they cannot access the FTP site anymore.

If there is difficulty with the Linux FTP client, try a Windows computer. In addition to the command line ftp, a Windows system can easily connect to a Linux FTP server by using a popular program called WS_FTP. If you are familiar with WS_FTP, try to connect to the Linux system and download the file directly to the PC.

Reflection

If you are setting up an FTP server in a business or corporate network, routers and firewalls will have to be configured to allow FTP access to the FTP server. Remember that the IP address of the FTP server might not be a public IP address and therefore will not be directly connected to the network. In this case, configure the router to forward incoming FTP requests to the proper computer on which the FTP server resides. Keep in mind that the IP address of the Web or FTP server must be statically assigned.
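
The Step 5 edit turns the last rule in /etc/hosts.allow into a grant of every TCP-wrapped service to every host, not only FTP. The following check is an added example, not part of the original lab: it lists the rules in a hosts.allow file that admit any client. Both rule sets are constructed, and the daemon name in.ftpd and the 192.168.0. prefix in the narrower set are assumptions based on the lab's example address.

```shell
#!/bin/sh
# Added example, not part of the lab: list hosts.allow rules that admit any client.
# Each finding is printed as "<line>:<scope>:<rule>".
audit_hosts_allow() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            for (i = 3; i <= NF; i++) {         # an explicit DENY option grants nothing
                opt = toupper($i); gsub(/[ \t]/, "", opt)
                if (opt == "DENY") next
            }
            daemons = " " $1 " "; clients = " " $2 " "
            gsub(/[ \t,]+/, " ", daemons); gsub(/[ \t,]+/, " ", clients)
            if (clients ~ / EXCEPT /) next      # narrowed list: review by hand
            if (clients !~ / ALL(@ALL)? /) next # names specific hosts or networks
            scope = (daemons ~ / ALL /) ? "ALL-SERVICES" : "ONE-SERVICE"
            rule = $0; gsub(/[ \t]+/, " ", rule)
            print NR ":" scope ":" rule
        }' "$1"
}

# Constructed sample: the lab rules as they stand after the Step 5 edit.
lab_rules() {
    cat <<'EOF'
# /etc/hosts.allow (constructed copy)
ssh sshd : ALL@ALL : ALLOW
ALL : 127.0.0.1 LOCAL : ALLOW
ALL : ALL@ALL : ALLOW
EOF
}

# Constructed alternative: FTP only, from the lab LAN only.
# in.ftpd is an assumed daemon name; 192.168.0. is the lab example network.
scoped_rules() {
    cat <<'EOF'
in.ftpd : 192.168.0. : ALLOW
ALL : 127.0.0.1 LOCAL : ALLOW
ALL : ALL@ALL : DENY
EOF
}

tmp=$(mktemp)
lab_rules > "$tmp";    audit_hosts_allow "$tmp"   # reports lines 2 and 4
scoped_rules > "$tmp"; audit_hosts_allow "$tmp"   # reports nothing
rm -f "$tmp"
```

Confirm the FTP daemon name from the FTP entry in /etc/inetd.conf before using a service-specific rule.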