20 July 2010

Checklist: RO FTP server setup

Setting up a new RO FTP server

The primary use case we describe is deploying a read-only FTP server with no end-user accounts, to be used for distribution of content (here, as a 'hotfix' archive for publicly accessible binary updates, reachable through yum). We need this to work around a temporarily broken update in CentOS space. We can also use it to add additional packages under the mediation of the rpm package database.

We start with a hardened PMman instance. A secondary purpose of this post is to work from first principles through adding a proper local 'forked packages' archive, as a worked example for CentOS users to follow. At all times, we will strive to follow proper sysadmin 'best practices' discipline under SELinux, TCP wrappers and iptables.

  1. Install and enable vsftpd, the package holding the stock FTP daemon; yum can do this trivially:

    yum install vsftpd

    Then enable the ftp server:

    /sbin/chkconfig vsftpd on

    and create a pilot file to look for in later testing:

    mkdir -p /var/ftp/pub/mirror
    echo test > /var/ftp/pub/mirror/README.txt
  2. Run updates, just 'because' and as a matter of good sysadmin practice:

    yum update
    yum clean all
  3. Open TCP wrappers to permit anonymous FTP connections. We edit /etc/hosts.allow and add:

    vsftpd: ALL@ALL
  4. Amend the iptables rules to allow FTP. The file /etc/services reminds us that the FTP control connection normally lives at TCP port 21.

    1. Edit /etc/sysconfig/iptables-config to include 'ip_conntrack_ftp' in the 'IPTABLES_MODULES=' list, so that the passive data connections are tracked alongside the control connection:

      IPTABLES_MODULES="ip_conntrack_ftp "
    2. and then, in /etc/sysconfig/iptables, add a line to pass FTP control connections:

      -A RH-Firewall-1-INPUT -m state --state \
         NEW -m tcp -p tcp --dport 21 -j ACCEPT

      [Note: the backslash line continuation is used here for display only; iptables does not support it in its config files, so enter the rule as a single line]

  5. Run the unit through a reboot, both to 'set' the updates by stopping use of any libraries held open through that update, and also to ensure that it works as expected after a 'hands off' reboot.

  6. Test from a remote host that FTP works as expected:

    [herrold@centos-5 ~]$ lftp 198.49.244.190
    lftp 198.49.244.190:~> cd /pub/mirror
    cd ok, cwd=/pub/mirror
    lftp 198.49.244.190:/pub/mirror> ls
    -rw-r--r-- 1 0 0 5 Jul 20 16:56 README.txt
    lftp 198.49.244.190:/pub/mirror> cat README.txt
    test
    5 bytes transferred
    lftp 198.49.244.190:/pub/mirror> exit
    [herrold@centos-5 ~]$

    ... great

At this point, we have a working RO anonymous ftp server, and can populate it with content.
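The checklist above never shows the vsftpd.conf settings that actually make the server read-only and account-free, nor a check for the one-line iptables rule it warns about. The following audit script is an added example, not part of the original post; it runs against constructed sample files under a temporary directory, and the key names it checks are the standard vsftpd.conf keys.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# read-only, no-local-accounts posture, and a sysconfig iptables file for the
# port-21 rule entered as one line. All files used below are constructed samples.

# Print the last uncommented value of KEY in a vsftpd.conf; empty if unset.
vsftpd_get() {  # $1=conf file, $2=key
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Each key must be set explicitly to the listed value; an unset key is
# reported too, so nothing silently relies on compiled-in defaults.
# Prints violations and returns 0 only when every setting holds.
audit_vsftpd_ro() {  # $1=conf file
    rc=0
    for spec in anonymous_enable=YES local_enable=NO write_enable=NO \
                anon_upload_enable=NO anon_mkdir_write_enable=NO; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(vsftpd_get "$1" "$key")
        [ "$got" = "$want" ] || { echo "$key=${got:-<unset>} (want $want)"; rc=1; }
    done
    return $rc
}

# The post notes that iptables does not honour backslash continuation in its
# config file: flag any line split that way, then confirm a TCP port-21 ACCEPT
# rule is present on a single line. Returns 0 only when both hold.
audit_iptables_ftp() {  # $1=rules file
    if grep -q '\\$' "$1"; then echo "continuation backslash found"; return 1; fi
    grep -Eq -- '-p tcp .*--dport 21 .*-j ACCEPT' "$1" || { echo "no port-21 ACCEPT rule"; return 1; }
}

# Constructed samples: a correct config and one that has quietly enabled uploads.
d=$(mktemp -d)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=NO' 'write_enable=NO' \
    'anon_upload_enable=NO' 'anon_mkdir_write_enable=NO' > "$d/good.conf"
printf '%s\n' '# uploads on' 'anonymous_enable=YES' 'local_enable=YES' \
    'write_enable=YES' 'anon_upload_enable=YES' > "$d/bad.conf"
printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT' > "$d/ipt.good"
printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state \' '   NEW -m tcp -p tcp --dport 21 -j ACCEPT' > "$d/ipt.bad"

audit_vsftpd_ro "$d/good.conf" && echo "good.conf: read-only anonymous posture OK"
audit_vsftpd_ro "$d/bad.conf" || echo "bad.conf: NOT read-only"
audit_iptables_ftp "$d/ipt.bad" || echo "ipt.bad: rule would be ignored by iptables"
```

On a live box, point the two audit functions at /etc/vsftpd/vsftpd.conf and /etc/sysconfig/iptables instead of the samples.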