© David Both 2020
D. BothUsing and Administering Linux: Volume 3https://doi.org/10.1007/978-1-4842-5485-1_13

13. File Sharing

David Both1 
(1)
Raleigh, NC, USA
 

Objectives

In this chapter, you will learn

  • To describe file sharing and some of its uses

  • To define NFS, FTP, FTPS, SFTP, VSFTP, and SAMBA

  • How to install and configure an SFTPS

  • How to install and configure an NFS server to share files to Linux and Unix hosts

  • How to install and configure a SAMBA server to share files to Windows and Linux hosts

  • To use Midnight Commander as a multi-protocol file sharing client

Introduction

Sharing files has always been one of the main features of networks. Although networks today can do so much more, file sharing1 is still a staple of many networks. The idea is to make files that would otherwise be inaccessible to anyone else but the creator, available on some sort of central server so that others – those people we choose – can also access the same files.

Does this sound familiar? It should, especially if you use a service like Google Drive, DropBox, OneDrive, or any of several others.

Apress, the publisher of this series of books, has a Google Drive set up for all three books, each with several folders such as First Draft, Ready for Technical Edit, Author review, and more. When I finish a chapter, I upload to the First Draft folder. Later, after it has been reviewed by my development and technical editors, I download the annotated chapter file from the Ready for Author Review folder and make my revisions. Eventually the chapters go to the Ready for Production folder from where they are downloaded for processing into the production files that will be used to print this book or to create an ebook of it.

Of course, we are scattered around the world. I am in Raleigh, North Carolina; Klaatu, my Technical Editor, is in New Zealand; Nancy Chen, my Development Editor, is in New York City; Louise Corrigan, my Senior Editor, is in London, UK; production is in India and the Philippines; and so on. Yet we all have instant access to the same newly uploaded or revised files. This is a very well-defined workflow designed around shared folders and the files they contain. It is based on the simple concept of sharing files between hosts on a network.

Many organizations have a need to share files and find using their own servers to do so a better option. After all, the saying, “The cloud is just someone else’s computer,” is true. Using someone else’s computers on the Internet – regardless of what the marketing department names it – places the responsibility for the security and integrity of your data firmly on someone else’s network and their security precautions – none of which you have control over and for which you will be unable to get a detailed technical description.

There are many ways to share files such as NFS, HTTP, SAMBA, and FTP, or FTPS (Secure FTP), and VSFTP (Very Secure FTP). Although SCP (Secure CoPy), which is part of SSH which we covered in Chapter 5 of this volume, can be used for secure file transfers, it is not a file sharing tool. If you have SSH access to a remote computer, you can transfer any files to which you have access between those computers.

The Fedora online documentation2 contains information in the System Administration Guide about SAMBA, FTP, and VSFTP.

File sharing use cases

OK, so file sharing is an obvious thing to do in our highly connected world, but what does that mean? There are different reasons to share files – use cases – and different tools work best for each. Let’s look at some of these use cases and the tools best suited for each. We will then explore some of those tools as we proceed through the rest of this chapter.

  • Downloading files – This type of transaction is one way downloading only. For example, the ISO image files you downloaded from the Fedora download site and the files you can download from the Apress GitHub web site that are a part of this course. Files can be stored on hosts within the local network or on the Internet.

    File downloads can use several protocols, including FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP). Tools like FTP (File Transfer Protocol), SFTP (Simple File Transfer Protocol), wget, and even your web browser can be used to download files. Graphical tools like FileZilla can also be used to download files using many protocols. We will look at FTP and HTTP for downloading files from a central location.

  • Shared access – This type of sharing tends to be about sharing local network access to files for reference purposes. For example, we may all need access to an organizational email and telephone directory. We can open the file for reading and obtain the information we need from the document. We will use NFS (Network File System) and SAMBA for this type of access. Tools like FTP, the SAMBA client, and SSH File Transfer Protocol (SFTP) can be used to download files for local access.

  • In this type of use case, files are usually updated by one person working with a local copy of the file and then uploaded or transferred to the directory from which it will be downloaded or viewed.

  • Simple collaboration – In this type of use case, one user at a time can access the file in its shared location to make changes to it. We can use tools such as NFS (Network File System) and SAMBA for this type of access.

  • Team collaboration – Working on the same shared files – sometimes simultaneously – can be a powerful collaborative tool. Google Drive is an example of this type of sharing. We will not be setting up this type of collaborative file sharing in this course, but there are many commercial tools3 available that can facilitate collaboration like this.

Preparation

We will need to create a place that we can use to share files from during many of these experiments. So we need to do a little preparation. All FTP services including VSFTP use the /var/ftp directory, and we will add files to that directory after we install VSFTP in Experiment 13-2.

Experiment 13-1

Perform this experiment as the root user on StudentVM2. In this experiment, we create a directory named “/var/shared” for a mount point and a small logical volume to mount there to contain the data.

We now create a new filesystem and mountpoint. Start by creating a new filesystem to export. Remember that NFS can only export complete filesystems. We intentionally left some space unallocated in the volume group fedora_studentvm1 when we initially installed Linux. We will use a bit of that space to create our NFS share. Verify the total amount of space left on the volume group.
[root@studentvm2 ~]# vgs
  VG                #PV #LV #SN Attr   VSize   VFree
  fedora_studentvm1   1   6   0 wz--n- <59.00g <21.00g
[root@studentvm2 ~]#
The remaining 21GB is more than enough space to create the new logical volume. Create a new LV with a size of 1GB and a name of shared.
[root@studentvm2 ~]# lvcreate -L 1G fedora_studentvm1 -n shared
Create the filesystem.
[root@studentvm2 ~]# mkfs -t ext4 /dev/mapper/fedora_studentvm1-shared
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: dba1207b-c36e-468b-82d8-666231143ef6
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
Add a label to the filesystem.
[root@studentvm2 ~]# e2label /dev/mapper/fedora_studentvm1-shared shared
Create the mountpoint.
[root@studentvm2 ~]# mkdir /var/shared
Add the following line to rge end of the /etc/fstab file.
LABEL=shared   /var/shared    ext4    defaults   0 0
Mount the filesystem.
[root@studentvm2 etc]# mount /var/shared/
Copy some files into the new filesystem or create a few files. You just want something in the filesystem so you can see them when the filesystem is accessed by a remote host. I copied some files from the root directory and created some text files with a bit of content. Only a couple dozen or so will be needed. I used the following CLI program to do that.
[root@studentvm2 shared]# cd /var/shared ; I=0 ; for I in `seq -w 1 25` ; do echo "This is file $I" > file-$I.txt ; done ; ll
total 188
-rw------- 1 root root  2118 Aug  1 21:11 anaconda-ks.cfg
-rw-r--r-- 1 root root 39514 Aug  1 21:11 Chapter-36.tgz
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-01.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-02.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-03.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-04.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-05.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-06.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-07.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-08.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-09.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-10.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-11.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-12.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-13.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-14.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-15.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-16.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-17.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-18.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-19.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-20.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-21.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-22.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-23.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-24.txt
-rw-r--r-- 1 root root    16 Aug  7 16:35 file-25.txt
-rw-r--r-- 1 root root   469 Aug  1 21:11 ifcfg-enp0s3
-rw-r--r-- 1 root root   370 Aug  1 21:11 ifcfg-enp0s3.bak
-rw-r--r-- 1 root root   340 Aug  1 21:11 ifcfg-enp0s8.bak
-rw------- 1 root root  3123 Aug  1 21:11 imapd.pem
-rw-r--r-- 1 root root  2196 Aug  1 21:11 initial-setup-ks.cfg
drwx------ 2 root root 16384 Aug  1 21:05 lost+found
-rwxr-x--- 1 root root   272 Aug  1 21:11 restartmail
-rw-r--r-- 1 root root    10 Aug  1 21:11 testfile.txt
[root@studentvm2 shared]#

We will use this directory and its contents for several experiments using different file sharing tools.

As a last bit of preparation, open a root terminal session on StudentVM1 and use tcpdump to monitor the data stream on enp0s3. Place the terminal session in a place on the desktop where it can be seen while performing the rest of these experiments. Be sure to monitor the data stream in this terminal session.

FTP and FTPS

FTP (File Transfer Protocol)4 is an old and insecure method for sharing files. This lack of security is because the data transfer stream is not encrypted and so any data transferred may be easily read if intercepted. Because of its lack of security, FTP has been upgraded with a newer, secure version, FTPS.5 FTPS merely adds a security layer over FTP and is called FTP over SSL (Secure Socket Layer). With FTPS, one can do the same things as with FTP but in a more secure manner.

Fedora does provide an FTP server written in Java. This is not the historical Washington University FTP server, wu-ftpd. Fedora does not provide either a recent version of the wu-ftpd server or a version of an FTPS server, so we will not cover those.

VSFTP

Fedora does provide version 3.0.3 of the VSFTP (Very Secure FTP)6 server for Fedora 29 and 30. This is the most recent version as of July 2015. VSFTP is the primary FTP server provided with current Fedora releases although it is not installed by default. VSFTP, like other FTP services, provides the ability for FTP clients to download files from a server. It is not a collaboration service.

VSFTP is more secure because it provides encryption using SSL and it provides significant protection from privilege escalation. Developed from scratch by Chris Evans with security in mind, VSFTP minimizes the use of elevated privileges and uses unprivileged threads for most tasks. You can read the details at the web site in footnote 6.

VSFTP scales up very nicely compared to other FTP servers. One user quoted on the VSFTP web site says that they have a single VSFTP server running and that over a 24-hour period served 2.6 TeraBytes of data with more than 1,500 concurrent users at times. VSFTP, like other FTP servers, does allow anonymous downloads as well as logged in FTP users with passwords.

Installation and preparation of VSFTP

So let’s install and configure VSFTP.

Experiment 13-2

Perform this experiment as the root user on StudentVM2. In this experiment, we will share the files in /var/shared using VSFTP. First we install VSFTP.
[root@studentvm2 ~]# dnf -y install vsftpd

For now, turn off iptables on StudentVM2. This is so we can configure and test VSFTP without the firewall getting in the way. FTP servers of all types have special needs for firewalls. Taking this out of the equation for now simplifies our initial setup and configuration.

The files served by any FTP server are located in /var/ftp. The /var/ftp/pub directory is for files served to anonymous users. These directories were created during the installation of VSFTP so all we need to do is add some files.
[root@studentvm2 ~]# cd /var/ftp ; I=0 ; for I in `seq -w 1 25` ; do echo "This is file $I" > FTP-file-$I.txt ; done ; ll
total 104
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-01.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-02.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-03.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-04.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-05.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-06.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-07.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-08.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-09.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-10.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-11.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-12.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-13.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-14.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-15.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-16.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-17.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-18.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-19.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-20.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-21.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-22.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-23.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-24.txt
-rw-r--r-- 1 root root   16 Aug  7 21:14 FTP-file-25.txt
drwxr-xr-x 2 root root 4096 Jul 25  2018 pub
[root@studentvm2 ftp]#

VSFTP is configured using the file, /etc/vsftpd/vsftpd.conf. This file is well commented, so I suggest you read it to understand what can be configured with it.

The default configuration is designed to listen to IPV6 only,7 but it will work for us on IPV4 with only a couple changes. Near the bottom of the file, locate and change listen=NO to listen=YES. This allows vsftp to listen on IPv4. Then turn off IPv6 by changing listen_ipv6=YES to listen_ipv6=NO.

Start the vsftpd service and verify the result.
[root@studentvm2 ftp]# systemctl start vsftpd
[root@studentvm2 ftp]# systemctl status vsftpd
• vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-08-07 21:28:45 EDT; 8s ago
  Process: 13362 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 13363 (vsftpd)
    Tasks: 1 (limit: 4696)
   Memory: 496.0K
   CGroup: /system.slice/vsftpd.service
           └─13363 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Aug 07 21:28:45 studentvm2.example.com systemd[1]: Starting Vsftpd ftp daemon...
Aug 07 21:28:45 studentvm2.example.com systemd[1]: Started Vsftpd ftp daemon.
[root@studentvm2 ftp]#

The FTP client

Now that the server is configured, we can install the FTP client on StudentVM1 and then test file downloads. When doing downloads, the files are downloaded to the PWD that was in effect when you started the FTP client, unless you specify a different download directory.

Experiment 13-3

As root on StudentVM1, install the ftp client.
[root@studentvm1 ~]$ dnf -y install ftp
No configuration is required for the client, so we can go right to our first test. Because we are the student user on StudentVM1 and there is also a student user on StudentVM2, we can use that account for our FTP login.
[student@studentvm1 ~]$ ftp studentvm2
Connected to studentvm2 (192.168.56.1).
220 (vsFTPd 3.0.3)
Name (studentvm2:student): <Press Enter>
331 Please specify the password.
Password:<Enter password>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Help is available if you need it.
ftp> help
Commands may be abbreviated.  Commands are:
!          debug         mdir          sendport      site
$          dir           mget          put           size
account    disconnect    mkdir         pwd           status
append     exit          mls           quit          struct
ascii      form          mode          quote         system
bell       get           modtime       recv          sunique
binary     glob          mput          reget         tenex
bye        hash          newer         rstatus       tick
case       help          nmap          rhelp         trace
cd         idle          nlist         rename        type
cdup       image         ntrans        reset         user
chmod      lcd           open          restart       umask
close      ls            prompt        rmdir         verbose
cr         macdef        passive       runique       ?
delete     mdelete       proxy         send
ftp> help ls
ls         list contents of remote directory
ftp> help get
get        receive file
ftp>
Now list the files in the remote directory.
ftp> ls
227 Entering Passive Mode (192,168,56,1,226,161).
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000         4096 Dec 24  2018 Desktop
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Documents
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Downloads
drwxr-xr-x    2 1000     1000         4096 Aug 02 12:11 Mail
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Music
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Pictures
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Public
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Templates
drwxr-xr-x    2 1000     1000         4096 Dec 22  2018 Videos
-rw-------    1 1000     1000            2 Jul 01 15:01 dead.letter
-rw-rw-r--    1 1000     1000       256000 Jun 19 12:16 random.txt
-rw-rw-r--    1 1000     1000       256000 Jun 20 12:26 textfile.txt
226 Directory send OK.

This is a listing of the home directory for the student user on the remote host, StudentVM2. This is the default action when doing a login on a remote host. For now, let’s just go with this and download a file to our account on StudentVM2.

If you have been doing all of the experiments in this course, there should be a file named random.txt in the student home directory of StudentVM2. Download that file – or another one if you do not have random.txt.
ftp> get random.txt
local: random.txt remote: random.txt
227 Entering Passive Mode (192,168,56,1,33,129).
150 Opening BINARY mode data connection for random.txt (256000 bytes).
226 Transfer complete.
256000 bytes received in 0.0413 secs (6193.45 Kbytes/sec)
Verify that the file was downloaded as the student user on StudentVM1.
[student@studentvm1 ~]$ ll
total 1504
drwxrwxr-x  2 student student   4096 Mar  2 08:21 chapter25
drwxrwxr-x  2 student student   4096 Mar 21 15:27 chapter26
<snip>
-rw-rw-r--  1 student student 256000 Aug  8 12:16 random.txt
<snip>
drwxr-xr-x. 2 student student   4096 Dec 22  2018 Videos
[student@studentvm1 ~]$

We now know that the VSFTP server is working, but we still have a few bits to work out.

Firewall configuration for FTP

We still need to reactivate our firewall and configure it to allow FTP services through it.

Before we do that, let’s look at how FTP protocols work in order to understand the problem it generates for configuring the firewall. FTP has two modes that can be used for file transfer: active and passive. These two modes work a bit differently, and the difference is important to SysAdmins and the configuration of the firewall. The web site Slacksite.com8 has an excellent explanation of active vs. passive FTP connections and the issues had by each. The Fedora documentation9 has a good explanation of VSFTP and other file sharing tools.

Active mode

The active mode of FTP is the one which causes problems. This short description will help illustrate why that is the case.
  1. 1.

    The FTP client initiates a connection to the server from a randomly selected, high-numbered, unprivileged10 TCP port – we will use port number 1547 for this explanation – to the destination port number 21 on the server. Port 1547 is the control port for the client, and port 21 is the server’s FTP control port. The client sends the command port 1547 to the server to indicate the number of the control port.

     
  2. 2.

    The server acknowledges this by sending an ACK reply to the client from port 21 to port 1547.

     
  3. 3.

    The server now initiates a data connection from its port 20 to port 1548 on the client. The protocol always assumes that the data port is one higher than the control port. This step is the cause of the problem because the server initiates a connection to the client.

     
  4. 4.

    If the server can reach port 1548 and initiate the connection, the client sends an ACK to the server.

     
Remember the following lines from the filter table in our firewall rules?
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<snip>
-A INPUT -j REJECT --reject-with icmp-host-prohibited

These two lines work together to prevent connections from the outside world being made to the local host – whether server or client. If any other host attempts to open a connection to our client host, StudentVM1, the first line of the INPUT chain will not be matched so the rest of the rules in the INPUT chain are checked. Because no rule matches port 1548, the last rule in this chain rejects the attempted connection. This is why we get “No route to host” error messages, as you will see in the next experiment.

The ports that the client can use for the command and data connections are randomly selected from the range 1024 to 65536. This means we would need to open up all of those ports which creates a severe vulnerability and opens our host up to attack.

Passive mode

In passive mode, FTP works a bit differently as client initiates all of the connections. This means that the “state related, established” rule in our firewall would have a record of the connection and allow the server’s response packet through. We can also specify a much-limited range of non-privileged ports for use by FTP when making the data connections.

Let’s see how that works. For this illustration, let’s assume that ports 65000 through 65534 are to be used for FTP. We will configure this in the next experiment.
  1. 1.

    The FTP client initiates a connection to the server from a randomly selected, high-numbered, unprivileged TCP port within the specified range – we will use port number 4048 for this explanation – to the destination port number 21 on the server. Port 4048 is the control port for the client, and port 21 is the server’s FTP control port. The client sends the PASV (passive) command to the server. Note that the control port number does not need to be within the defined range and the client would not know that range in any event.

     
  2. 2.

    The server acknowledges this by sending an ACK reply to the client from port 21 to port 4048. The reply from the server contains the number of the data port from the defined range so that the client will know where to listen for the data stream. We will use port 65248 for the data connection.

     
  3. 3.

    The client now initiates a data connection from its port 4049, the data port, to port 65248 on the server.

     
  4. 4.

    If the client can reach port 65248 and initiate the connection, the server sends an ACK to the client and the data transfer can begin.

     

If the server is expected to handle very large amounts of FTP traffic, the size of the range of ports defined on the VSFTP server will need to be much larger than we have defined here. The key is that we can control this range and create firewall rules on the server to accommodate this.

Setting the firewall rules

Now that we know that the client establishes both the control and data connections to the FTP server, we can create a much more restrictive set of firewall rules. This is aided by the fact that we can control the range of ports used by the server to which send the data.

Experiment 13-4

We need to configure our firewall for FTP, and this gets a bit complex because of the way that the FTP protocols work.

In active mode, VSFTP uses the standard TCP ports for FTP, 20 and 21, but we are using passive mode which only requires port 21 on the privileged port range. We need to open our firewall to those two ports. Port 20 is for data transfer and port 21 is for command transfer. As root on StudentVM2, add entries for that in the firewall.

Now try an FTP session.
[student@studentvm1 ~]$ ftp studentvm2
Connected to studentvm2 (192.168.56.1).
220 (vsFTPd 3.0.3)
Name (studentvm2:student): <Enter>
331 Please specify the password.
Password:<Password>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,56,1,177,55).
ftp: connect: No route to host
ftp> bye
221 Goodbye.
[student@studentvm1 ~]$

But there is still a problem because we get an error with this. The “No route to host” error indicates a firewall problem. The reason for this, as we have seen, is that the FTP protocol uses random high TCP ports as part of its connection and we need to open a wide range of ports on the server, StudentVM2, in order to allow these communication channels.

We can solve this in part by limiting the range of high-numbered ports in the vsftpd.conf file. Add the following lines to the end of that file. Then restart VSFTPD.
# Added to limit passive port ranges for better firewall control.
pasv_min_port=65000
pasv_max_port=65534
The second part of the solution is to add the following line to the INPUT chain of the Filter table in the iptables file. You can also delete the rule to allow port 20 because that is not needed in passive mode. Restore the iptables rules.
# FTP High ports
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65000:65534 -j ACCEPT

As the student user on StudentVM1, use FTP to connect to StudentVM2 again. Use the ls command to verify that the FTP connection is now working as it should.

Statefulness prevents crackers from accessing our server through the high-numbered open ports. If the client has not initiated the connection to the FTP server, and some random host from the Internet attempts to initiate a connection to our server, even on those now open ports, it will be unable to do so. This is because our server did not initiate the connection and there is no record of a connection so this new connection attempt is rejected.

Anonymous FTP access

When logged in to a remote host using a valid account, such as student, the user has access to every directory and file on that host that they would if logged in locally. This is a major security issue if we were to give out accounts to just anyone. We need a way to limit FTP access.

Anonymous FTP access is the tool that can help with that. This is the type of access most of us are familiar with when we download files from a remote FTP server. It is called anonymous because anyone accessing the share files can do so without a unique account on the server. All that is required to access an anonymous FTP site is a generic username. Most FTP servers use “anonymous” or “ftp” for the username. No password is required. But this also opens up our public FTP directory to access by everyone on the Internet.

Experiment 13-5

We need to alter the vsftpd.conf file to allow anonymous FTP access.

As root on StudentVM2, edit vsftpd.conf. Find the statement anonymous_enable=NO and change it to anonymous_enable=YES. Then restart the VSFTPD service.

As the student user on StudentVM1, test the result by entering “anonymous” as the user account in the Name field. When prompted for the password, just press the Enter key.
[student@studentvm1 ~]$ ftp studentvm2
Connected to studentvm2 (192.168.56.1).
220 (vsFTPd 3.0.3)
Name (studentvm2:student): anonymous
331 Please specify the password.
Password:<Enter>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,56,1,254,134).
150 Here comes the directory listing.
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-01.txt
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-02.txt
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-03.txt
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-04.txt
<snip>
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-24.txt
-rw-r--r--    1 65534    65534          16 Aug 08 01:14 FTP-file-25.txt
drwxr-xr-x    2 65534    65534        4096 Jul 25  2018 pub
226 Directory send OK.
ftp>

Notice that the VSFTP server logs us into the /var/ftp directory. Download one of the files from there and verify that it was transferred to your PWD.

Close the FTP connection.

Securing VSFTP with encryption

The final bit of security we can use with VSFTP is to encrypt the data while it is being transferred. For this, we need to create a certificate that can be used with FTP. We have already created a certificate for email and this will be similar.

Experiment 13-6

Start this experiment as the root user on StudentVM2.

Generate a self-signed certificate for IMAP. The openssl program can be used to create a certificate that we can use with FTP like the ones that we created in Chapter 8 of this volume for SMTP and IMAP. Enter the requested data as shown in bold. Do this as root in root’s home directory. This command does not specify a time limit for the certificate so it never expires.
[root@studentvm2 ~]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt
.............................................................................................................................................+++++
..........................+++++
writing new private key to 'vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:<Enter>
Organizational Unit Name (eg, section) []:<Enter>
Common Name (eg, your name or your server's hostname) []:studentvm2.example.com
Email Address []:[email protected]
This command places the key file and the certificate in the correct locations. Edit the vsftpd.conf file and add the following lines at the bottom. My comments are intended to describe the function of each line but are not required to be in the csftpd.conf file. I like to keep them there so I can refresh my memory later, if need be.
# Configuration statements required for data encryption
# Defines the location of the certification file
rsa_cert_file=/etc/ssl/certs/vsftpd.crt
# Defines the location of the key file for the certification
rsa_private_key_file=/etc/ssl/private/vsftpd.key
# Enables SSL support
ssl_enable=YES
# We will not allow SSL used for anonymous users.
# Since this is usually the general public, what would be the point?
allow_anon_ssl=NO
# Local data connections will always use SSL.
force_local_data_ssl=YES
# Local logins will always use SSL. This is for the control port.
force_local_logins_ssl=YES
# Strong encryption with fewer vulnerabilities using TLS version 1.
ssl_tlsv1=YES
# Not secure enough so we won't use SSL versions or 3.
ssl_sslv2=NO
ssl_sslv3=NO
# Improves security by helping prevent man-in-the-middle attacks.
# May cause connections to drop out so set to NO if that occurs.
require_ssl_reuse=YES
# Requires stronger encryption.
ssl_ciphers=HIGH
Restart the vsftpd service. First log into an FTP session from StudentVM1 as an anonymous user that should work. Now log in as the student user and see what happens.
[student@studentvm1 ~]$ ftp studentvm2
Connected to studentvm2 (192.168.56.1).
220 (vsFTPd 3.0.3)
Name (studentvm2:student): <Enter>
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

But the command line FTP client does not support encryption. So is this encryption useless from the command line? Just wait.

Leave the VSFTP server running because we will use it in another experiment later in this chapter.

We now have the server set up to support encryption. The problem is that the Linux command-line ftp program does not support encryption. This means that using the FTP client from the command line is still not secure. This is one of the issues with FTP. There is a command line solution that we will explore later in this chapter.

NFS

The Network File System (NFS) was created by Sun Microsystems to share disk resources and the files they contain among many hosts. NFS is based upon the version of the RPC11 (Remote Procedure Call) protocol developed by Sun.

One advantage of NFS as a means to share files is that the client hosts can mount the shares in the same way as they would any local filesystem. This means that files do not need to be downloaded; they can be accessed directly on the server by file managers and modified remotely by application programs. This is simple collaboration in that only a single user at a time should modify the file, although it may be simultaneously viewed by multiple users. NFS does not provide a locking mechanism to prevent multiple users from simultaneously editing files and overwriting each other’s changes.

This section guides you through the tasks of exporting a filesystem and mounting an NFS remote filesystem.

NFS server

The NFS server is designed to share filesystems of the host acting as a server to a network so that NFS clients can mount the shared filesystems and access the files contained in them. The question of where in the filesystem structure to place filesystems that are to be exported has different answers. Some SysAdmins place them at the root (/) of the filesystem, while others add them to a mount point in /var. For these experiments, we will place them in /var.

Experiment 13-7

Perform this experiment as the root user on StudentVM2. We first need to verify that some packages are installed. Check with the dnf list command.
[root@studentvm2 ~]# dnf list rpcbind nfs-utils
Last metadata expiration check: 0:00:25 ago on Thu 01 Aug 2019 03:24:12 PM EDT.
Installed Packages
nfs-utils.x86_64         1:2.3.3-1.rc2.fc29                        @updates
rpcbind.x86_64           1.2.5-0.fc29                              @anaconda

The results on my VM show that these packages are already installed. If not, do so now.

Configure the /etc/exports file which is empty by default. It is only necessary to add one line for each filesystem to be exported. Add the following lines to export the /shared filesystem.
# Exports file for studentvm1
/var/shared          *(rw,sync,all_squash)

The rw option means to share it as read/write; the sync option means that the directory should be synced after changes are made and before other read requests are fulfilled. This helps to ensure that the most recent version of altered or new files are available as soon as the changes are made. The all_squash option changes the shared versions of files to the anonymous user ownership of nobody.nobody. The ownership in the shared directory on the server does not change, only the apparent ownership at the client end.

Restart and enable the RPC services and NFS.
[root@studentvm2 etc]# for I in rpcbind nfs-server ; do systemctl enable $I.service ; systemctl start $I.service ; done
Created symlink /etc/systemd/system/multi-user.target.wants/rpcbind.service → /usr/lib/systemd/system/rpcbind.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
And export the defined filesystem. The a option means to export all configured directories, and the v option means verbose so that we can see the result.
[root@studentvm2 etc]# exportfs -av
exporting *:/var/shared
[root@studentvm2 etc]#
Now verify that the filesystem has been shared and can be seen locally. The e option means to show the host’s list of exported directories.
[root@studentvm2 etc]# showmount -e localhost
Export list for localhost:
/var/shared *
[root@studentvm2 etc]#
Now do the same as root on StudentVM1. You will receive an error.
[root@studentvm1 ~]# showmount -e studentvm2
clnt_create: RPC: Unable to receive
[root@studentvm1 ~]#
We must add firewall rules to allow other hosts to access the NFS share. NFS can use many ports, so we need to know which ones are being used. Use the following command on StudentVM2 to determine the ports being used by NFS and the related RPC services.
[root@studentvm2 etc]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  57516  status
    100024    1   tcp  58993  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp  46887  nlockmgr
    100021    3   udp  46887  nlockmgr
    100021    4   udp  46887  nlockmgr
    100021    1   tcp  32933  nlockmgr
    100021    3   tcp  32933  nlockmgr
    100021    4   tcp  32933  nlockmgr
[root@studentvm2 etc]#

Note that the status ports are likely to change when the server reboots. You should be prepared for that in a production environment.

Add the necessary lines to your IPTables rule set to allow NFS and RPC access to your studentvm1 host. All of these rules are for RPC and NFS-related ports. Be sure you add IPTables rules for both TCP and UDP protocols where required.

You could add the firewall rules by entering them individually; however, we won’t do it that way because there is a much easier way, especially since we can create a simple command line program that gives a list of the ports used by RPC and NFS. By looking at the preceding list, you can see that both TCP and UDP protocols are used on every required port. Let’s look at the list of unique ports.
[root@studentvm2 etc]# rpcinfo -p | awk '{print $4}' | grep -v port | uniq | sort -n
111
2049
20048
43099
47354
57516
58993
[root@studentvm2 etc]#

The following command line program will generate the rules we need to add to our firewall, but it will not change the running rule set. We could do that but then we would have to save the active rule set to the /etc/sysconfig/iptables file. That would overwrite any comment lines we might have added to the saved rule set. We will generate the new rules to STDOUT, save them as a separate file, import them into the iptables file, and then use iptables-restore to “restore” the iptables file into the active rule set.

You could enter the CLI program all on one line, but that would be a very long line. Entering it on separate lines makes it easier to read and understand.

Pressing the Enter key after the “; do” in the first line tells the Bash shell that there are more lines to come. The greater than sign (>) prompts you for the next line of input. Press the Enter key after each line and you will be prompted for another line. No part of the command line program is executed until the terminating done statement is entered. At that time, the entire CLI program is run.

We use the uniq command to ensure that only one rule is added per port and protocol. Make the root home directory the PWD.
[root@studentvm2 ~]# for I in `rpcinfo -p | awk '{print $4}' | grep -v port | uniq | sort -n`;do
> echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $I -j ACCEPT" >> new-rules
> echo "-A INPUT -p udp -m state --state NEW -m udp --dport $I -j ACCEPT" >> new-rules
> done
[root@studentvm2 ~]# cat new-rules
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 20048 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 43099 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 43099 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 47354 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 47354 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 57516 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 57516 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 58993 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 58993 -j ACCEPT
[root@studentvm2 ~]#
Now that we have a new rule set, let’s edit /etc/sysconfig/iptables and insert them in an appropriate location. Open /etc/sysconfig/iptables in Vim and place the cursor on the line immediately before the following line:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Ensure you are in command mode. Now we will use the (r)ead command to insert the new-rules file after the line on which the cursor resides. Enter the following Vim command.
:r /root/new-rules
Save the revised iptables file which should now look like this. Note that I have a couple rules I was testing commented out because I did not need them but wanted to maintain them in the file for reference. These types of things are why we are adding these rules into the file rather than inserting them directly into the active rule set and then saving that rule set. That would overwrite any of our comments.
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 20048 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 43099 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 43099 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 47354 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 47354 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 57516 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 57516 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 58993 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 58993 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now activate the new rule set. As root, make /etc/sysconfig the PWD and use the following command.
[root@studentvm2 sysconfig]# iptables-restore iptables
Verify that the new rules are in place and active.
[root@studentvm2 sysconfig]# iptables-save

The NFS server is now properly configured.

NFS client

Now we can connect to the NFS share from the client, StudentVM1.

Experiment 13-8

Mounting a remote NFS filesystem is easy. Now let’s test whether StudentVM1 can see the shared directory. Do this as root on StudentVM1.
[root@studentvm1 ~]# showmount -e studentvm2
Export list for studentvm2:
/var/shared *
[root@studentvm1 ~]#
As root on StudentVM1, mount the remote export on the /mnt mount point with the following command. The t option is used to specify that this is an NFS4 filesystem that is being mounted. All recent versions of Fedora use NFS4 which is a more secure and flexible version than NFS3.
[root@studentvm1 ~]# mount -t nfs4 studentvm2:/var/shared /mnt
[root@studentvm1 ~]# ll /mnt
total 88
-rw------- 1 root root  2118 Aug  1 21:11 anaconda-ks.cfg
-rw-r--r-- 1 root root 39514 Aug  1 21:11 Chapter-36.tgz
-rw-r--r-- 1 root root   469 Aug  1 21:11 ifcfg-enp0s3
-rw-r--r-- 1 root root   370 Aug  1 21:11 ifcfg-enp0s3.bak
-rw-r--r-- 1 root root   340 Aug  1 21:11 ifcfg-enp0s8.bak
-rw------- 1 root root  3123 Aug  1 21:11 imapd.pem
-rw-r--r-- 1 root root  2196 Aug  1 21:11 initial-setup-ks.cfg
drwx------ 2 root root 16384 Aug  1 21:05 lost+found
-rwxr-x--- 1 root root   272 Aug  1 21:11 restartmail
-rw-r--r-- 1 root root    10 Aug  1 21:11 testfile.txt
[root@studentvm1 ~]#

Use the mount command on StudentVM1 to verify that the remote filesystem has been mounted. List the contents of /mnt to verify that the files are there as they should be.

Unmount the NFS. Create a mount point (directory) called /shared. Add the following line to the end of the /etc/fstab file.
studentvm2:/var/shared /shared      nfs4     defaults        0 0
Mount the NFS export and verify that the mount occurred correctly.
[root@studentvm1 ~]# mount /shared
[root@studentvm1 ~]# ll /shared
total 88
-rw------- 1 root root  2118 Aug  1 21:11 anaconda-ks.cfg
-rw-r--r-- 1 root root 39514 Aug  1 21:11 Chapter-36.tgz
-rw-r--r-- 1 root root   469 Aug  1 21:11 ifcfg-enp0s3
-rw-r--r-- 1 root root   370 Aug  1 21:11 ifcfg-enp0s3.bak
-rw-r--r-- 1 root root   340 Aug  1 21:11 ifcfg-enp0s8.bak
-rw------- 1 root root  3123 Aug  1 21:11 imapd.pem
-rw-r--r-- 1 root root  2196 Aug  1 21:11 initial-setup-ks.cfg
drwx------ 2 root root 16384 Aug  1 21:05 lost+found
-rwxr-x--- 1 root root   272 Aug  1 21:11 restartmail
-rw-r--r-- 1 root root    10 Aug  1 21:11 testfile.txt
[root@studentvm1 ~]#

Unmount the /shared directory.

Cleanup

Let’s do a little cleanup before we move on to SAMBA.

Experiment 13-9

Perform this experiment as root.

Unmount the NFS on all hosts where it has been mounted. On your studentvm2 host, run the command exportfs -uav to unexport all exported filesystems. Unmount /shared on your studentvm2 host.

Stop the RPC and NFS services. We did not enable them, so they should not start on boot.

This completes cleanup of NFS.

SAMBA

The Samba12 file sharing service provides a way to share files located on a Linux server with Windows systems. SAMBA is based on the Server Message Block (SMB) protocols. Originally developed by IBM, Microsoft used SMB as the primary protocol in their networking services. SMB is now known as Common Internet File System (CIFS).

SAMBA is the Linux implementation of the CIFS protocol. CIFS provides multiuser remote access and file locking to prevent multiple users from simultaneously altering the file and overwriting previous changes.

We will create a scenario in which we want to use SAMBA to share some files with Windows computers. Of course, Linux systems can also be SAMBA clients so that will make our testing easy since we do not have Windows computer from which to test in our virtual network.

Experiment 13-10

Start this experiment as root on StudentVM2. First install the required Samba packages. The Samba client should be already installed, it was on my VM, but this will ensure that it is, in addition to installing the SAMBA server.
[root@studentvm2 ~]# dnf -y install samba samba-client

Create a directory /acs which will be the shared directory. Create or copy a few files into the /acs directory so that they can be shared. I copied some files from my /root directory, which will be different from the ones in your root directory, and then generated a few additional text files using a Bash program. But not too many – no more than a dozen more files would be good.

Make /etc/samba the PWD. The smb.conf.example file contains comments and examples describing how to configure SAMBA to share various resources such as public and private directories, printers, and home directories. Read through this file to get an idea what is possible with SAMBA.

However, the smb.conf file is the one to which we need to add our shared directory. The smb.conf file is a minimal version of smb.conf.example. It has a few starter samples, but we should start our configuration file from scratch. Create a new, empty smb.conf and add the following lines.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
# A publicly accessible directory for ACS files that is read/write
[ACS]
    comment = ACS Directory
    path = /acs
    public = yes
    writable = yes
    printable = no
    browseable = yes
Save the smb.conf file but do not exit from the editor. In another terminal session as root, test the syntax of the smb.conf file. It is not necessary to make /etc/samba the PWD.
[root@studentvm2 ~]# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[ACS]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions<Enter>
# Global parameters
        server string = Samba Server Version %v
        workgroup = WORKGROUP
        idmap config * : backend = tdb
[ACS]
        comment = ACS Directory
        guest ok = Yes
        path = /acs
        read only = No
[root@studentvm2 ~]#
We need to open the firewall for Samba. Add rules to the firewall INPUT chain of the filter table that will allow the following TCP ports through the firewall. We do not need to add the UDP ports.

  • 137

  • 138

  • 139

  • 445

I suggest doing this by adding the rules in the iptables file and then “restoring” the revised file.

Although it is not required in a Linux environment, the NETBIOS name service is required for SAMBA to fully function in a Windows or mixed Linux and Windows environment. So start both the smb and nmb services.
[root@studentvm2 ~]# systemctl start smb ; systemctl start nmb

You should also ensure that these services start on boot in a production environment, but it is not required for this experiment.

Create a user ID and password for the user “student” using the pdbedit command. Use “lockout” for the password.
[root@studentvm2 ~]# pdbedit -a student
new password:<Enter password>
retype new password:<Enter password>
Unix username:        student
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1995892852-683670545-3750803719-1000
Primary Group SID:    S-1-5-21-1995892852-683670545-3750803719-513
Full Name:            Student User
Home Directory:       \studentvm2student
HomeDir Drive:
Logon Script:
Profile Path:         \studentvm2studentprofile
Domain:               STUDENTVM2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Tue, 06 Aug 2019 09:02:13 EDT
Password can change:  Tue, 06 Aug 2019 09:02:13 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@studentvm2 ~]#
Now we can perform a quick test of our SAMBA share. As the user student on StudentVM2, use the smbclient command to display the shares on the localhost.
[student@studentvm2 ~]$ smbclient -L localhost
Unable to initialize messaging context
Enter WORKGROUPstudent's password: <Enter password>
    Sharename       Type      Comment
    ---------       ----      -------
    ACS             Disk      ACS Directory
    IPC$            IPC       IPC Service (Samba 4.9.11)
Reconnecting with SMB1 for workgroup listing.
    Server               Comment
    ---------            -------
    Workgroup            Master
    ---------            -------
    WORKGROUP            STUDENTVM2
[student@studentvm2 ~]$

We now have the basics working.

Now that SAMBA is working, let’s make a few additions to the smb.conf file. Our basic installation has caused SAMBA to use the local hosts hostname for the workgroup name and that may be incorrect. We may want to use the name of an existing workgroup or create one with a more meaningful name. We can add that information and also add some additional security to our SAMBA installation.

Experiment 13-11

Perform this experiment as root on StudentVM2. Copy the following lines from smb.conf.example to the smb.conf file and place it above the ACS stanza.
        workgroup = MYGROUP
        server string = Samba Server Version %v
;       netbios name = MYSERVER
;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;       hosts allow = 127. 192.168.12. 192.168.13.
Make the changes highlighted below in this listing which shows the entire file.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
        workgroup = TESTGROUP
        server string = StudentVM1 - Samba Server Version %v
;       netbios name = MYSERVER
       interfaces = lo enp0s8 192.168.56.1/24
;       hosts allow = 127. 192.168.12. 192.168.13.
# A publicly accessible directory for ACS files that is read/write
[ACS]
        comment = ACS Directory
        path = /acs
        public = yes
        writable = yes
        printable = no
        browseable = yes

We have renamed the workgroup and added a bit more information to the server string. We also added the [global] stanza identifier to positively identify the global section of the file. Lastly, we specified the internal network interface on which SAMBA should listen. This enhances security by limiting the sources from which SAMBA clients can connect. We could also limit connections to specific hosts.

Now check the smb.conf file again.
[root@studentvm2 ~]# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[ACS]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions<Enter>
# Global parameters
[global]
        interfaces = lo enp0s8 192.168.56.1/24
        server string = StudentVM1 - Samba Server Version %v
        workgroup = TESTGROUP
        idmap config * : backend = tdb
[ACS]
        comment = ACS Directory
        guest ok = Yes
        path = /acs
        read only = No
[root@studentvm2 ~]#
We must restart the smb service or the change to the workgroup name will not take effect, so do that. Now let’s do another quick test as the student user.
[student@studentvm2 ~]$ smbclient -L localhost
Unable to initialize messaging context
Enter TESTGROUPstudent's password:
    Sharename    Type   Comment
    ---------    ----   -------
    ACS          Disk   ACS Directory
    IPC$         IPC    IPC Service (StudentVM1 - Samba Server Version 4.9.11)
Reconnecting with SMB1 for workgroup listing.
    Server               Comment
    ---------            -------
    Workgroup            Master
    ---------            -------
    TESTGROUP            STUDENTVM2
[student@studentvm2 ~]$

This looks good, but there is an error that I ran into and I suspect that you did, too. Internet searches discovered many references to this and similar errors but I never found a solution to it. This does not seem to affect the remaining experiments, so you can safely ignore this message.

Using the SAMBA client

Linux has a SAMBA client that allows us to connect with a Linux server using SAMBA to share directories, as well as providing client access to Windows systems that have shared directories.

Experiment 13-12

As the user student on the StudentVM1 host, make your home directory (~) the PWD. Then log in to the remote share on your student host. The -U option specifies the user ID under which we log in.
[student@studentvm1 /]# smbclient //studentvm2/acs -U student
Enter SAMBAstudent's password: <Enter password>
Try "help" to get a list of possible commands.
smb: >
Issue dir, the Windows equivalent of an ls command, to view a listing of the files you placed in the shared directory.
smb: > dir
  .                                   D        0  Tue Aug  6 15:25:18 2019
  ..                                  D        0  Tue Aug  6 07:59:56 2019
  file0.txt                           N       15  Tue Aug  6 15:25:18 2019
  file10.txt                          N       16  Tue Aug  6 15:25:18 2019
  file5.txt                           N       15  Tue Aug  6 15:25:18 2019
  file11.txt                          N       16  Tue Aug  6 15:25:18 2019
  file13.txt                          N       16  Tue Aug  6 15:25:18 2019
  file14.txt                          N       16  Tue Aug  6 15:25:18 2019
  file12.txt                          N       16  Tue Aug  6 15:25:18 2019
  file6.txt                           N       15  Tue Aug  6 15:25:18 2019
  imapd.pem                           N     3123  Tue Aug  6 15:15:07 2019
  new-rules                           N      946  Tue Aug  6 15:15:07 2019
  testfile.txt                        N       10  Tue Aug  6 15:15:07 2019
  ifcfg-enp0s8.bak                    N      340  Tue Aug  6 15:15:07 2019
  ifcfg-enp0s3.bak                    N      370  Tue Aug  6 15:15:07 2019
  file1.txt                           N       15  Tue Aug  6 15:25:18 2019
  file3.txt                           N       15  Tue Aug  6 15:25:18 2019
  file8.txt                           N       15  Tue Aug  6 15:25:18 2019
  restartmail                         N      272  Tue Aug  6 15:15:07 2019
  file9.txt                           N       15  Tue Aug  6 15:25:18 2019
  file7.txt                           N       15  Tue Aug  6 15:25:18 2019
  ifcfg-enp0s3                        N      469  Tue Aug  6 15:15:07 2019
  file2.txt                           N       15  Tue Aug  6 15:25:18 2019
  anaconda-ks.cfg                     N     2118  Tue Aug  6 15:15:07 2019
  file4.txt                           N       15  Tue Aug  6 15:25:18 2019
  initial-setup-ks.cfg                N     2196  Tue Aug  6 15:15:07 2019
  Chapter-36.tgz                      N    39514  Tue Aug  6 15:15:07 2019
                1998672 blocks of size 1024. 1833760 blocks available
smb: >

We have a number of commands available in this remote SAMBA session. Use the help command to view them and help <commandname> to get more information about the individual commands.

Download one of the files from the remote shared directory. Don’t exit from this session yet.
smb: > get file4.txt
getting file file4.txt of size 15 as file4.txt (4.9 KiloBytes/sec) (average 4.9 KiloBytes/sec)
smb: >

In another terminal session as the student user on StudentVM1, list the contents of the home directory. The file you downloaded should be there.

Using the smbclient in this way is much like using FTP. We have a view into a shared directory and the files it contains and we can perform a few operations including a download. We also have the ability to mount a SAMBA share on a mount point. This gives us much more flexible functionality because the shared directory becomes part of the filesystem.

Experiment 13-13

Start this experiment as the root user on StudentVM1. Verify that the cifs-utils package is installed. If it is not, install it now.

Using the same mount command we use for mounting any other filesystem, mount the /acs share on /mnt. The list the content.
[root@studentvm1 ~]# mount -t cifs //studentvm2/acs /mnt
Password for root@//studentvm2/acs:  *******
[root@studentvm1 ~]# ll /mnt
total 25600
-rwxr-xr-x 1 root root  2118 Aug  6 15:15 anaconda-ks.cfg
-rwxr-xr-x 1 root root 39514 Aug  6 15:15 Chapter-36.tgz
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file0.txt
-rwxr-xr-x 1 root root    16 Aug  6 15:25 file10.txt
-rwxr-xr-x 1 root root    16 Aug  6 15:25 file11.txt
-rwxr-xr-x 1 root root    16 Aug  6 15:25 file12.txt
-rwxr-xr-x 1 root root    16 Aug  6 15:25 file13.txt
-rwxr-xr-x 1 root root    16 Aug  6 15:25 file14.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file1.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file2.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file3.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file4.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file5.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file6.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file7.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file8.txt
-rwxr-xr-x 1 root root    15 Aug  6 15:25 file9.txt
-rwxr-xr-x 1 root root   469 Aug  6 15:15 ifcfg-enp0s3
-rwxr-xr-x 1 root root   370 Aug  6 15:15 ifcfg-enp0s3.bak
-rwxr-xr-x 1 root root   340 Aug  6 15:15 ifcfg-enp0s8.bak
-rwxr-xr-x 1 root root  3123 Aug  6 15:15 imapd.pem
-rwxr-xr-x 1 root root  2196 Aug  6 15:15 initial-setup-ks.cfg
-rwxr-xr-x 1 root root   946 Aug  6 15:15 new-rules
-rwxr-xr-x 1 root root   272 Aug  6 15:15 restartmail
-rwxr-xr-x 1 root root    10 Aug  6 15:15 testfile.txt
[root@studentvm1 ~]#

Edit one of the files you created in an earlier experiment. This illustrates that the mounted SAMBA share works just as any other mounted filesystem.

We could have created a new mount point and added it to the fstab file, but this works just as well for our current purposes. Leave SAMBA running for the next experiment.

Midnight Commander

We have already explored the use of Midnight Commander as a file manager. It is also an excellent client for FTP, SFTP, SMB (CIFS), and SSH. It can be used with those protocols to connect to remote hosts in one panel and to copy files from and between the remote and local hosts. It can be used to display the content of remote files and to delete them.

SSH is a powerful tool, and when used in conjunction with a file manager like Midnight Commander (MC), the pair can be used as a simple and easy file sharing system using a protocol called FISH. The advantage of this is that it uses tools we have already installed and requires no additional configuration.

This is also the most secure method I know for sharing files. The login or key-based authentication sequence is encrypted as are all data transfers. This is not just the default configuration; it is the only way in which SSH works. There is not a choice about using authentication and beginning to end encryption so it cannot be bypassed.

The FISH protocol was developed by Pavel Machek in 1998 specifically for Midnight Commander. FISH stands for “Files transferred over Shell protocol.” However, MC also connects with servers using FTP, SFTP, and SAMBA, so it is very versatile. I have found it needs no special configuration, unlike some other clients.

Experiment 13-14

Perform this experiment as the student user on StudentVM1. In this experiment, we will connect to the server using various file sharing protocols.

In a terminal session as the student user on StudentVM1, launch Midnight Commander. Press F9 and then the arrow keys until the Right panel menu is highlighted. Then use the down arrow key to highlight FTP link … as shown in Figure 13-1. Press the Enter key to initiate the connection.
../images/473483_1_En_13_Chapter/473483_1_En_13_Fig1_HTML.png
Figure 13-1

Select the FTP link to connect with the VSFTP server in standard FTP mode

Type studentvm2 in the FTP to machine filed, as shown in Figure 13-2, and press the Enter key.
../images/473483_1_En_13_Chapter/473483_1_En_13_Fig2_HTML.png
Figure 13-2.

Using Midnight Commander to access a remote host with FTP

Figure 13-3 shows Midnight Commander with the student user’s home directory on StudentVM1, the local host, in the left panel, and the anonymous FTP connection to StudentVM2 in the right panel.
../images/473483_1_En_13_Chapter/473483_1_En_13_Fig3_HTML.png
Figure 13-3

The student user’s home directory on the local host is in the left panel, and the anonymous FTP directory on StudentVM2 is shown in the right panel of Midnight Commander

Copy files between the directories. Can you do it from the local host to the server?

To exit the connection to the server, enter the cd command. This takes you back to the student user’s home directory on the local host.

Now use the SFTP menu item to connect to the server. The only difference in making the connection is that you need to enter the password for the student user on the server. The connection is then opened with the root directory (/) as the PWD. Make /var/shared the PWD. We are not entering this directory using NFS, but rather SFTP.

Experiment with this SFTP environment for a bit. Download a file or two to your home directory. Then try uploading files to various directories on the server, such as /var/shared, your home directory, and the /acs directory. When finished, you can again use the cd command with no arguments to exit from the remote connection.

Now connect to the server using the Shell link option. Use this link to perform the same tasks as with the previous links.

Midnight Commander and SAMBA

Despite the fact that MC looks like it should support connected to SAMBA shares – the man page and the MC Help facility both say it can be done and how – I cannot get it to work. This is true even when the smbclient command works properly as in Experiment 13-12.

After some extensive Internet searches, I found that there is a bug13 reported on this problem and that fixes are to be included in a “future” release. So we will skip any testing of MC with SAMBA shares.

Apache web server

We can also download files using the Apache web server we created in Chapter 10. This requires only a little additional work and no changes to the Apache configuration. Apache is like FTP, a tool for downloading files. It does not provide any collaborative functionality.

Experiment 13-15

In this experiment, we will add some files to the Apache download directory and test the results. As the root user on StudentVM2 ensure that Apache, httpd, is running. If not, start it.

In the /var/www2/html directory, create a new directory, downloads, if it does not already exist. Then set the ownership to apache.apache. Make the new downloads directory the PWD and copy or create some new files for content. I used the following command line program to create a few files.
[root@studentvm2 downloads]# for I in `seq -w 0 45` ; do echo "This is file for web download $I" > file-$I.txt ; done
As the student user on StudentVM1, open Firefox and navigate to www2.example.com/downloads. The web page should look like that in Figure 13-4. You can click the field names to change the sort although it won’t make much difference since the files are all the same size and created at the same time. However, if you click the Name field a couple times, it reverses the direction of the sort. You might also want to add some files with different characteristics to try with different sorts.
../images/473483_1_En_13_Chapter/473483_1_En_13_Fig4_HTML.jpg
Figure 13-4

Using the Apache web server to share files displays a sortable index

Right click a couple files and select Save link as from the pop-up menu to download them. The default directory for downloads is ~/Downloads. Look for the downloaded files there.

We also have a couple command-line tools, wget and curl, to use for downloading files from web sites. Let’s look first at wget which should already be installed. We touched on the wget command briefly in Volume 1, Chapter 12, and we installed and used it to download companion files for this course from the Apress Git repository.

As the student user on StudentVM1, make ~/Downloads the PWD. Delete all of the files in this directory. Use wget to download a single file. Use a file that you have in your html/downloads directory; I will use file-27.txt.
[student@studentvm1 Downloads]$ wget http://www2.example.com/downloads/file-27.txt
--2019-08-12 11:04:24--  http://www2.example.com/downloads/file-27.txt
Resolving www2.example.com (www2.example.com)... 192.168.56.1
Connecting to www2.example.com (www2.example.com)|192.168.56.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: 'file-27.txt'
file-27.txt             100%[=============================>]      33  --.-KB/s    in 0s
2019-08-12 11:04:24 (5.03 MB/s) - 'file-27.txt' saved [33/33]
[student@studentvm1 Downloads]$ ll
total 4
-rw-rw-r-- 1 student student 33 Aug 12 08:50 file-27.txt
[student@studentvm1 Downloads]$
Now download several files that match a file glob pattern.
[student@studentvm1 Downloads]$ wget http://www2.example.com/downloads/file-*
Warning: wildcards not supported in HTTP.
--2019-08-12 11:14:41--  http://www2.example.com/downloads/file-*
Resolving www2.example.com (www2.example.com)... 192.168.56.1
Connecting to www2.example.com (www2.example.com)|192.168.56.1|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-08-12 11:14:41 ERROR 404: Not Found.
You will see the warning message that wildcards (globbing) are not supported using the HTTPD protocol. The wget utility can be used to download using FTP as well as HTTPD, and sets are supported when using FTP. Ensure that the VSFTP server is running on StudentVM2 and download some files using wild cards from the anonymous FTP site.
[student@studentvm1 Downloads]$ wget ftp://studentvm2.example.com/FTP-file-1*.txt

The curl utility can use regular expressions such as sets to download multiple files for many protocols. The curl tool supports all of the following protocols: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, and TFTP. It can also handle user IDs and passwords, as well as certificates. As a result, it can be used in a great many situations where a single downloading solution is desirable, such as in scripts. It is an excellent tool for use in scripted automation.

The curl utility is already installed so we do not need to do that. Download one file using the syntax below. The -O (uppercase alpha character O, not zero) specifies that the file name used in the download, file-12.txt, is the file name to be used to save the file locally.
 [student@studentvm1 Downloads]$ curl -O http://www2.example.com/downloads/file-12.txt ; ll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    33  100    33    0     0  11000      0 --:--:-- --:--:-- --:--:-- 11000
total 4
-rw-rw-r-- 1 student student 33 Aug 12 11:47 file-12.txt
What happens if you do not use the -O option when doing the preceding download? The alternate form of doing a download is to use the -o (lowercase alpha) option to specify the output file name.
[student@studentvm1 Downloads]$ curl http://www2.example.com/downloads/file-13.txt -o file-13.txt ; ll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    33  100    33    0     0   6600      0 --:--:-- --:--:-- --:--:--  6600
total 8
-rw-rw-r-- 1 student student 33 Aug 12 11:47 file-12.txt
-rw-rw-r-- 1 student student 33 Aug 12 11:53 file-13.txt
[student@studentvm1 Downloads]$
This requires more typing than using -O and more code in a script so, unless there is a specific reason not to, I suggest using the -O option. Note the use of the set [0-9] instead of file globs, ? or *.
[student@studentvm1 Downloads]$ curl -O http://www2.example.com/downloads/file-1[0-9].txt
<snip>
[student@studentvm1 Downloads]$ ll
total 40
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-10.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-11.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-12.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-13.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-14.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-15.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-16.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-17.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-18.txt
-rw-rw-r-- 1 student student 33 Aug 12 12:46 file-19.txt
[student@studentvm1 Downloads]$
Download a file using FTP.
[student@studentvm1 Downloads]$ curl -O ftp://studentvm2.example.com/FTP-file-02.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    16  100    16    0     0    410      0 --:--:-- --:--:-- --:--:--   421
[student@studentvm1 Downloads]$ ll
total 48
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-10.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-11.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-12.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-13.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-14.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-15.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-16.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-17.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-18.txt
-rw-rw-r-- 1 student student  33 Aug 12 12:46  file-19.txt
-rw-rw-r-- 1 student student  16 Aug 12 13:57  FTP-file-02.txt
[student@studentvm1 Downloads]$
And now do multiple files over FTP with a set.
[student@studentvm1 Downloads]$ curl -O ftp://studentvm2.example.com/FTP-file-2[1-3].txt
[1/3]: ftp://studentvm2.example.com/FTP-file-21.txt --> FTP-file-21.txt
--_curl_--ftp://studentvm2.example.com/FTP-file-21.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    16  100    16    0     0    410      0 --:--:-- --:--:-- --:--:--   410
[2/3]: ftp://studentvm2.example.com/FTP-file-22.txt --> FTP-file-22.txt
--_curl_--ftp://studentvm2.example.com/FTP-file-22.txt
100    16  100    16    0     0   8000      0 --:--:-- --:--:-- --:--:--  8000
[3/3]: ftp://studentvm2.example.com/FTP-file-23.txt --> FTP-file-23.txt
--_curl_--ftp://studentvm2.example.com/FTP-file-23.txt
100    16  100    16    0     0   8000      0 --:--:-- --:--:-- --:--:--  8000
[student@studentvm1 Downloads]$ ll
total 12
-rw-rw-r-- 1 student student 16 Aug 12 14:00 FTP-file-21.txt
-rw-rw-r-- 1 student student 16 Aug 12 14:00 FTP-file-22.txt
-rw-rw-r-- 1 student student 16 Aug 12 14:00 FTP-file-23.txt
[student@studentvm1 Downloads]$

So we have discovered that wget can use file globs but not REGEXes like sets when downloading FTP. It cannot use any form of glob or REGEX with HTTPD. The curl utility can use REGEXes but not file globs – at least on the protocols we have tested.

The wget and curl man pages have good descriptions and examples of their many features.

Chapter summary

This chapter has shown us some tools for sharing files on a file server. We used FTP, SAMBA, and NFS on StudentVM2 to share directories with users on StudentVM1. FTP in any form, SAMBA, and NFS all require some nontrivial setup to work in a nonsecure mode. Even more work is required to provide a secure environment on those that support it.

We have also seen that tools we already have available, SSH and Midnight Commander can work together to provide a very powerful, secure, and flexible yet easy-to-use file sharing solution that just works. Midnight Commander can be used without SSH to access FTP sites and with SSL to access VSFTP sites. MC can also be used with SSH to connect to a shell session on a remote host, one which one has a user account. We have also explored wget and curl as command line tools for downloading files with HTTPD and FTP protocols. The curl utility can download using many different types of protocols and it can use regular expressions to do so.

There are a lot of options available to us to share files as well as to use for downloading those files. We have not covered all of them, but the ones we did cover should give you a good start.

Exercises

Perform these exercises to complete this chapter.
  1. 1.

    Monitor the packet data stream on StudentVM1 as you use FTP to connect to the VSFTP server. Examine the resulting TCP conversation and identify the components of the FTP initiation sequence.

     
  2. 2.

    As root on your student host, mount the NFS export on /mnt. Change the PWD to the stuff subdirectory and verify that the files you copied to it are there.

     
  3. 3.

    Attempt to add a new file. What message do you get?

     
  4. 4.

    Create mount new point and an entry in the fstab for the ACS share created on StudentVM1 and mount the filesystem as a test. Reboot StudentVM1 and verify that /acs is mounted during startup.

     
  5. 5.

    Monitor the packet data stream on StudentVM1 as you use Midnight Commander as the student user on StudentVM1 to connect to StudentVM2 using various methods. Use FTP, SFTP, a shell link, and an SMB link. Observe which of these connections are encrypted and which are not.

     
  6. 6.

    Configure the VSFTP server to allow anonymous uploads.

     
  7. 7.

    Use Midnight Commander to copy files from the student account on StudentVM1 to the VSFTP server.

     
  8. 8.

    Why did you not need a user ID and password in Experiment 13-14 when using Midnight Commander to connect to the server using a shell link?

     
  9. 9.

    What directory is the PWD when you open a shell link to the server?

     
  10. 10.

    Use wget to download some files from our FTP server.

     

Be sure to shut down all file sharing client and server tools and services after completing these exercises.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.222.117.4