What is an FTP server? Features of the FTP protocol How ftp works

FTP archive service.

FTP archives are one of the main information resources on the Internet. In fact, it is a distributed depository of texts, programs, photographs and other information stored as files on various computers around the world.

Information in FTP archives falls mainly into three categories:

  • Protected information, the access mode of which is determined by its owners and is permitted under a special agreement with the consumer. This type of resource includes commercial archives (for example, commercial versions of programs in the ftp.microsoft.com archives), closed national and international non-commercial resources (for example, work on international CES or IAEA projects), and private non-commercial information with special access regimes (for example, private charitable foundations).
  • Information resources of limited use, which include, for example, shareware class programs. This class may include resources of limited use or limited duration.
  • Freely distributed information resources, or freeware if we are talking about software. These resources include everything that can be freely obtained online without special registration: documentation, programs, or anything else. It should be noted that freely distributed software does not carry a quality certificate, but its developers are open to sharing experience.

Of the resources listed above, the most interesting are the last two categories, which, as a rule, are formatted as FTP archives.

FTP technology was developed as part of the ARPA project and is intended for the exchange of large amounts of information between machines with different architectures. The design's focus was on ensuring reliable transmission, so from a modern perspective, FTP appears to be overloaded with redundant, rarely used features. The core of the technology is the FTP protocol.

FTP protocol.

FTP (File Transfer Protocol, or “Data Transfer Protocol”) is one of the oldest protocols on the Internet and is included in its standards. The first FTP specifications date back to 1971. Since then, FTP has undergone many modifications and significantly expanded its capabilities. FTP can be used both in user programs and as a special operating system utility.

FTP is designed to solve the problems of sharing access to files on remote hosts, direct or indirect use of resources of remote computers, ensuring client independence from the file systems of remote hosts, and efficient and reliable data transfer.

Data exchange in FTP occurs over a TCP channel. The exchange is based on client-server technology. FTP cannot be used to transfer confidential data because it does not provide security for the transferred information and transfers clear text between the server and the client. The FTP server may require the FTP client to authenticate (that is, the FTP user will be required to enter their ID and password when joining the server). However, the password and user ID will be transmitted from the client to the server in clear text.

FTP operation models.

The simplest model of how the FTP protocol works is shown in Figure 1. In FTP, the connection is initiated by the user's protocol interpreter. The exchange is controlled via a control channel that follows the TELNET protocol conventions. FTP commands are generated by the user's protocol interpreter and sent to the server; the server's replies are returned to the user over the same control channel. In general, the user can also establish contact with the server's protocol interpreter by means other than the user's protocol interpreter.

FTP commands define the parameters of the data transfer channel and the transfer process itself. They also determine the nature of work with remote and local file systems.

The control session initializes the data link. The sequence of actions for setting up the data channel differs from that for the control channel: here the server initiates the data exchange, using the parameters agreed upon in the control session.

The data channel is established for the same host as the control channel through which the data channel is configured. The data channel can be used for both receiving and transmitting data.

The operating algorithm of the FTP protocol is as follows:

The FTP server uses TCP port 21 for the control connection, which is always waiting for a connection from an FTP user. After a control connection is established between the “User Protocol Interpreter” module and the server module, the “Server Protocol Interpreter”, the user (client) can send commands to the server. FTP commands define the parameters of a data transfer connection: the role of each connection participant (active or passive), the connection port (both for the “User Data Transfer Program” module and for the “Server Data Transfer Program” module), the type of transfer, the type of data transferred, the data structure, and control directives indicating the actions that the user wants to perform (for example, save, read, append or delete data or a file). After all parameters of the data transmission channel have been agreed upon, the passive participant (for example, the “User Data Transfer Program”) enters standby mode, waiting for a connection to be opened on the port specified for data transmission. The active module (for example, the “Server Data Transfer Program”) then opens the connection and begins the data transfer. After the data transfer is completed, the connection between the “Server Data Transfer Program” and the “User Data Transfer Program” is closed, but the control connection between the “Server Protocol Interpreter” and the “User Protocol Interpreter” remains open. The user, without closing the FTP session, can open the data transfer channel again.

It is possible that data may be transferred to a third machine. In this case, the user organizes a control channel with two servers and a direct data channel between them. Control commands go through the user, and data goes directly between the servers. The control channel must be open when transferring data between machines. Otherwise, if it is closed, data transfer will stop. The connection to two servers is shown in Figure 2.

The algorithm works when connecting two FTP servers, neither of which is located on the user’s local host:

The “User Protocol Interpreter” module instructed the server module “Server Protocol Interpreter 1” to work in passive mode, after which the “Server Protocol Interpreter 1” module sent the user the address and port number (N) that he would listen to. The “User Protocol Interpreter” module assigned server module 2 “Server Protocol Interpreter 2” as the active participant in the connection and instructed it to transmit data to the “Server Protocol Interpreter 1” host on port (N). The “User Protocol Interpreter” sent the “Server Protocol Interpreter 1” the command to “save the received data in such and such a file,” and the “Server Protocol Interpreter 2” sent the command “to transfer the contents of such and such a file.” A data flow is formed between the “Server Protocol Interpreter 1” and “Server Protocol Interpreter 2” modules, which is controlled by the client host. Below is a diagram of organizing data transfer between two FTP servers, corresponding to Figure 2. The following notations are used here: User PI - user protocol interpreter; Server1(2) protocol interpreter for server1 (server2).

User PI (U) - Server1 (S1)                      User PI (U) - Server2 (S2)
U -> S1: Connect                                U -> S2: Connect
U -> S1: PASV
S1 -> U: 227 Entering Passive Mode. A1,A2,A3,A4,a1,a2
                                                U -> S2: PORT A1,A2,A3,A4,a1,a2
                                                S2 -> U: 200 Okay
U -> S1: STOR ...                               U -> S2: RETR ...
                      S2 -> S1: Connect ... (data connection)

The basis for FTP data transfer is the mechanism for establishing connections between the corresponding ports and selecting transfer parameters. Each participant in an FTP connection must support a default data port. By default, the “User Data Transfer Program” uses the same port as for sending commands (let’s call it “U”), and the “Server Data Transfer Program” uses port L-1, where “L” is the control port. In practice, however, the participants use the data ports selected for them by the “User Protocol Interpreter”, since of the control processes participating in the connection, only the “User Protocol Interpreter” can change the data ports of both the “User Data Transfer Program” and the “Server Data Transfer Program”.

The passive side of the connection must, before the “start transmission” command is given, “listen” to its data port. The active side, which issues the command to start data transmission, determines the direction of data movement.

Once the connection is established, transmission begins between the “Server Data Transfer Program” and the “User Data Transfer Program.” At the same time, notifications about the receipt of data are transmitted via the “Server Protocol Interpreter” - “User Protocol Interpreter” channel. The FTP protocol requires that the control connection remain open while data is being transferred over the data link. An FTP session is considered closed only after the control connection is closed.

Typically, the FTP server is responsible for opening and closing the data transfer channel. The FTP server must independently close the data transfer channel in the following cases:

  • The server has finished transmitting data in a format that requires the connection to be closed.
  • The server received a command from the user to “terminate the connection”.
  • The user has changed the data port settings.
  • The control connection was closed.
  • Errors have occurred that make it impossible to resume data transfer.

Protocol commands.

Data transmission control commands exchanged between the “Server Protocol Interpreter” and the “User Protocol Interpreter” can be divided into three large groups:

  • System access control commands.
  • Flow control commands.
  • FTP service commands.

Let's look at a few of the most typical commands from each group. Among the system access control commands, the following should be noted:

USER. Typically, this command opens an FTP session between the client and server. The command argument is the name (identifier) of the user who will work with the file system. This command can be issued not only at the beginning, but also in the middle of the session if, for example, the user wants to change the identifier on whose behalf actions will be carried out. In this case, all variables related to the old identifier are released. If a transfer is in progress during an ID change, the exchange completes under the old user ID.

PASS. This command is issued after entering the user ID and contains the user password as an argument. Let us remind you that FTP authentication data is transmitted over the network in clear text, so the user must take additional measures to ensure the security of the channel.

CWD. The command allows users to work with various directories of the remote file system. The command argument is a string indicating the path of the remote file system directory in which the user wishes to work.

REIN. Reinitialization command. This command clears all current user variables and resets connection parameters. If data is being transferred at the time the command is issued, the transfer continues and ends with the same parameters.

QUIT. The command closes the control channel. If data is being transmitted when a command is issued, the channel is closed after the end of data transmission.

Flow control commands set parameters for data transfer. All parameters described by these commands have default values, so flow control commands are used only when it is necessary to change the value of the default transfer parameters. Flow control commands can be issued in any order, but they must all precede the FTP service commands. The following data flow control commands should be highlighted:

PORT. The command assigns the address and port of the host that will be used as the active participant in the connection over the data link. The command arguments are a 32-bit IP address and a 16-bit connection port number. These values are divided into six 8-bit fields and are represented in decimal form: h1, h2, h3, h4, p1, p2, where hN are the address bytes (high to low) and pN are the port bytes (high to low).

PASV. This command is sent to the module, which will play a passive role in the data transfer (“listen” to the connection). The response to this command should be a line containing the address and port of the host that is in connection standby mode in the PORT command format - “h1, h2, h3, h4, p1, p2”.

The TYPE, STRU, MODE commands determine, respectively, the type of transmitted data (ASCII, Image and others), the structure or format of data transmission (File, Record, Page), and the transmission method (Stream, Block and others). The use of these commands is very important when building communication in heterogeneous environments and very different operating and file systems of the communicating hosts.

FTP service commands determine the actions that need to be performed with the specified files. Typically, the argument to commands in this group is a file path. The syntax of the specified path must satisfy the file system format requirements of the command handler. The FTP service commands include the following:

RETR. This command tells the Server Data Transfer module to pass a copy of the file specified by this command parameter to the Data Transfer module at the other end of the connection.

STOR. The command instructs the “Server Data Transfer Program” module to receive data over the data link and save it as a file whose name is specified by the parameter of this command. If such a file already exists, it will be replaced with a new one; if not, a new one will be created.

The RNFR and RNTO commands must follow one another. The first command contains the old file name as an argument, the second - the new one. Consecutive application of these commands renames the file.

ABOR. The command instructs the server to interrupt the execution of a previous service command (for example, a file transfer) and close the data channel.

The DELE command deletes the specified file.

The MKD and RMD commands create and delete the directory specified in the argument, respectively.

You can use the LIST and NLST commands to list the files in a specified directory.

All FTP protocol commands are sent by the “User Protocol Interpreter” in text form, one command per line. Each command line (identifier and arguments) ends with the characters <CRLF>. The command name is separated from the argument by a space character, <SP>.

The command handler returns a three-digit code for the processing of each command. Processing codes form a specific hierarchical structure and, as a rule, a given command can only return a certain set of codes. The command processing code is followed by a space character, <SP>, followed by explanatory text. For example, the successful completion line for an operation looks like this: “200 Command okay”.

Below is an example of working with the FTP protocol. Designations: S - server, U - user.

S: 220 Service ready for new user
U: USER Gluk
S: 331 User name okay, need password
U: PASS murmur
S: 230 User logged in, proceed
U: RETR test.txt
S: 150 File status okay; about to open data connection

<File transfer in progress...>

S: 226 Closing data connection, file transfer successful
U: TYPE I
S: 200 Command okay
U: STOR /home/images/first.my
S: 550 Access denied
U: QUIT
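The following is an added example, not code from the original article: it parses the control-channel exchange shown above (reconstructed here as a constructed capture) into commands and three-digit replies, classifies each reply by its first digit as defined in RFC 959, and shows what a passive network monitor sees in a plaintext FTP session, namely the USER/PASS pair, and which commands the server rejected.

```python
# Added example (not from the original article): parse the FTP control-channel
# exchange above and report what a passive observer on the wire would see.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRLF = "\r\n"

# Constructed transcript, taken from the session above. On the wire every
# line ends with CRLF, so we join the lines the way a capture would show them.
SESSION = CRLF.join([
    "220 Service ready for new user",
    "USER Gluk",
    "331 User name okay, need password",
    "PASS murmur",
    "230 User logged in, proceed",
    "RETR test.txt",
    "150 File status okay; about to open data connection",
    "226 Closing data connection, file transfer successful",
    "TYPE I",
    "200 Command okay",
    "STOR /home/images/first.my",
    "550 Access denied",
    "QUIT",
]) + CRLF

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")        # "200 Command okay"
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")   # "STOR /path" or "QUIT"

# RFC 959 reply classes, keyed by the first digit of the three-digit code.
REPLY_CLASS = {
    "1": "positive preliminary",
    "2": "positive completion",
    "3": "positive intermediate",
    "4": "transient negative",
    "5": "permanent negative",
}


@dataclass
class Line:
    sender: str                    # "S" for a server reply, "U" for a user command
    verb: str                      # reply code or command name
    arg: str                       # explanatory text or command argument
    reply_class: Optional[str] = None


def parse_control_line(raw: str) -> Line:
    """Classify one CRLF-terminated control-channel line (CRLF already stripped)."""
    m = REPLY_RE.match(raw)
    if m:
        code, _, text = m.groups()
        return Line("S", code, text, REPLY_CLASS[code[0]])
    m = CMD_RE.match(raw)
    if m:
        verb, arg = m.groups()
        return Line("U", verb.upper(), arg or "")
    raise ValueError(f"not an FTP control line: {raw!r}")


def parse_session(capture: str) -> List[Line]:
    return [parse_control_line(raw) for raw in capture.split(CRLF) if raw]


def exposed_credentials(lines: List[Line]) -> List[Tuple[str, str]]:
    """Return (user, password) pairs visible in clear text. This is exactly
    what a network monitor, or an eavesdropper, sees in a plaintext session."""
    found, user = [], None
    for ln in lines:
        if ln.sender == "U" and ln.verb == "USER":
            user = ln.arg
        elif ln.sender == "U" and ln.verb == "PASS" and user is not None:
            found.append((user, ln.arg))
    return found


def failed_commands(lines: List[Line]) -> List[Tuple[str, str]]:
    """Pair each 4xx/5xx reply with the command that provoked it."""
    out, last_cmd = [], None
    for ln in lines:
        if ln.sender == "U":
            last_cmd = ln
        elif ln.verb[0] in "45" and last_cmd is not None:
            out.append((f"{last_cmd.verb} {last_cmd.arg}".strip(), ln.verb))
    return out


if __name__ == "__main__":
    parsed = parse_session(SESSION)
    for ln in parsed:
        print(f"{ln.sender}: {ln.verb} {ln.arg}  [{ln.reply_class or 'command'}]")
    print("credentials on the wire:", exposed_credentials(parsed))
    print("rejected commands:", failed_commands(parsed))
```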

TFTP and SFTP protocols.

The FTP protocol has two “younger brothers”: SFTP - Simple FTP and TFTP - Trivial FTP.

The TFTP protocol is the simplest file transfer protocol. It runs on top of the UDP transport protocol and provides only the most basic file transfer operations, namely writing and reading files. TFTP was designed to be a simple and easy to use protocol. It does not allow calling up a directory listing and does not have any means of authentication, but it can transmit 8-bit information in accordance with all Internet standards.

Since data transfer occurs over UDP, the TFTP protocol implements its own methods for reliable data delivery - acknowledgment packets, numbering of data blocks and acknowledgment packets, etc. Everything is very similar to a simplified version of TCP protocol emulation.

TFTP works with only five commands:

  • Read request (RRQ) - a request to read.
  • Write request (WRQ) - a request to write.
  • Data (DATA) - a data packet.
  • Acknowledgment (ACK) - a confirmation.
  • Error (ERROR) - an error.

The data transfer process begins with a request from the TFTP client to the server to read or write a file. The connection is established after receiving confirmation of readiness for one of the requests, either write or read.

When opening a connection, each party selects (randomly) a unique identifier, the TID, which is also used as the UDP port of the connection. Each forwarded packet is associated with two TIDs, one for each side of the connection. The initial request is sent by the TFTP connection initiator to UDP port 69 (the initialization port); the reply to it establishes the connection ports. Further exchange then takes place through the ports chosen by the participants in the data transfer.

If the server allows the request, the exchange is opened and the specified file is transferred (in 512-byte blocks). Each packet of transmitted data contains one block (512 bytes) and the block number in the transmitted stream. The arrival of each block to the destination host must be confirmed by an ACK (acknowledgment) packet, with the number of the received block. Only after receiving the confirmation packet will the next data packet be sent.

If the packet length is less than 512 bytes, this serves as a signal to close the communication channel. If a packet is lost during transmission, after a certain period of time the server will resend this data packet.

Three types of situations cause erroneous packets to be sent:

  • The request was not confirmed; for example, the file was not found, there are no access rights, etc.
  • The packet format is incorrect; for example, a switching error occurred.
  • Loss of access to a required resource.

If there are a large number of error messages, the connection may be closed at the initiative of one of the parties.

The TFTP transaction scheme is as follows:

  1. Host A sends a WRQ request to host B. The source port is TIDA, the destination port is 69. The packet contains the file name and transfer type.
  2. Host B sends an ACK (block number 0) to host A. The source port is TIDB, the destination port is TIDA.
  3. Host A sends (over the TIDA to TIDB connection) a DATA command and a data block. The packet also contains the block number.
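As an added example, not part of the original article, the following builds and parses the five TFTP packet types and traces the write transaction just described (WRQ, ACK 0, then DATA/ACK pairs), including the rule that a block shorter than 512 bytes ends the transfer. The numeric opcodes and field layout are taken from RFC 1350; the article names the packet types but not their codes.

```python
# Added example (not from the original article): TFTP packet construction,
# parsing and a traced WRQ transfer. Opcodes and field layout per RFC 1350.
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode | filename | 0 | mode | 0 (strings are NUL-terminated)."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block: int, payload: bytes) -> bytes:
    """DATA: opcode | block number | up to 512 bytes of payload."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds block size")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    """ACK: opcode | block number being acknowledged."""
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    """ERROR: opcode | error code | message | 0."""
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(pkt: bytes) -> Dict:
    """Decode any TFTP packet into a dict; raises ValueError on malformed input."""
    if len(pkt) < 2:
        raise ValueError("packet too short")
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("malformed request")
        return {"op": op, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    if len(pkt) < 4:
        raise ValueError("packet too short for opcode")
    (num,) = struct.unpack("!H", pkt[2:4])
    if op == DATA:
        return {"op": op, "block": num, "data": pkt[4:]}
    if op == ACK:
        if len(pkt) != 4:
            raise ValueError("ACK carries no payload")
        return {"op": op, "block": num}
    if op == ERROR:
        return {"op": op, "code": num,
                "message": pkt[4:].rstrip(b"\0").decode("ascii")}
    raise ValueError(f"unknown opcode {op}")


def split_into_blocks(content: bytes) -> List[bytes]:
    """Chunk file content into DATA payloads. The final block is shorter than
    512 bytes; when the size is an exact multiple of 512 an empty block is
    sent so the receiver still sees the end-of-transfer signal."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def is_final_block(pkt: bytes) -> bool:
    p = parse_packet(pkt)
    return p["op"] == DATA and len(p["data"]) < BLOCK_SIZE


def simulate_write(filename: str, content: bytes) -> List[Tuple[str, bytes]]:
    """Trace the packets of a write transfer as (direction, packet) pairs:
    host A sends WRQ, host B acknowledges block 0, then each DATA n from A
    is answered by ACK n from B (the TIDs are the UDP ports, not modelled here)."""
    trace = [("A->B", build_request(WRQ, filename)), ("B->A", build_ack(0))]
    for n, payload in enumerate(split_into_blocks(content), start=1):
        trace.append(("A->B", build_data(n, payload)))
        trace.append(("B->A", build_ack(n)))
    return trace


if __name__ == "__main__":
    for direction, pkt in simulate_write("config.bin", b"x" * 1000):  # constructed content
        p = parse_packet(pkt)
        print(direction, p.get("op"), p.get("block", p.get("filename")),
              "final" if is_final_block(pkt) else "")
```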

The SFTP file transfer protocol is popular when the user needs a protocol that is slightly more flexible and reliable than TFTP and not as complex and cumbersome as FTP.

SFTP supports mechanisms for user authentication, file transfer, directory browsing, changing the current directory, renaming and deleting files. For most operations that the user carries out with a remote FTP server, this service is quite sufficient. SFTP can carry an 8-bit data stream and, like TFTP, uses only one connection channel - for both commands and data. Unlike TFTP, SFTP runs over TCP, port 115.

SFTP commands are sent one at a time, after receiving a processing response from the previous command. All commands consist of four ASCII characters and a space character that separates the command from its arguments. The server response consists of a response code and a text message. Each command and response must end with the symbol (‘

Data sharing predates the Internet. But the emergence of the World Wide Web has expanded the scope of information exchange tasks. The FTP protocol is the main one, along with mail and www.

It provides information transfer rather than file access. FTP transmission was not inherently secure, but the FTPS protocol, operating over an encrypted SSL protocol channel, ensures data transmission is secure. This allows you to protect both commands and transmitted data.

Description of the FTPS protocol

FTPS servers provide public key certificates. They are typically created using Unix tools or adapted Windows tools such as OpenSSL.

Each certificate must be signed by a certificate authority. Otherwise, the FTPS client generates a warning.

Data can be encoded at the link level (commands and/or data). The FTPS protocol uses two connections:

  • one transmits data;
  • another is commands to the server and the server’s responses to them.

If SSL-based encryption is applied, the port numbers negotiated for the data connection (in the PORT and PASV exchange) are no longer visible to intermediate devices such as NAT routers and firewalls.

FTP access is the application of a set of rules that describe computer connections and the management of connections, files, and file transfers.

The protocol defines how different computers can simultaneously (remotely) use files on a shared network. The Internet protocol FTP is designed to allow different computing platforms running different operating systems to efficiently exchange any type of file.

The FTPS protocol allows you to exchange both binary and text files, and the encoding format does not matter much. It is important that it is understandable to the sending and receiving parties.

Operation of the FTPS server

Typically, a connection via FTPS is carried out using special programs, in particular WinSCP, Far, Total Commander, FileZilla, etc. The connection line looks like this:

  • protocol://name:password@host.ru:21

Each program that provides the connection offers you to fill out the relevant fields in its own way. But for any connection you need to know:

  • connection name (login, nickname);
  • password for connection;
  • FTP/FTPS hostname;
  • port number.

Anonymous connections via FTP/FTPS are also possible, but they do not have much practical significance.

The FTPS client can establish a connection to the server in explicit or implicit modes.

In the first case, a normal FTP connection is first established. To send sensitive information such as passwords, the client sends a request to switch to a secure FTP connection. After successful negotiation (SSL), a secure command channel is established between the parties to the connection (server, client).

And in the second case, the client and server begin exchanging data in a secure mode. Text information is transmitted in an encrypted format.

Active and passive FTP

Working with an FTP server can be of two types:

  1. Active. The client opens a TCP port to listen on and tells the server which port it is listening on. The server opens a TCP connection to the port specified by the client, and the data is then sent through this connection.
  2. Passive. The client notifies the server that it is ready to transmit data, and the server begins listening on an arbitrary (non-standard) TCP port, telling the client which one it is. The client then opens a TCP connection to the port specified by the server, and data exchange occurs through this connection.

FTP connection

It is customary to use special programs that provide the FTP transfer protocol to access FTP resources. But sometimes you need to gain full control over the server and use the commands of this protocol according to your own plan.

In particular, this can be done in a Windows environment by entering the command:

  • ftp "Server Name".

As a result, you will be prompted to enter a name and password known to the Server Name server. Naturally, there are no quotation marks or Russian letters in this name. That is, this is the usual name of a web resource that acts as an FTP server.

It should be noted that an FTP server can provide more than one access and have more than one resource. Typically, a name/password pair provides access to a specific file system of a specific file archive or site.

By and large, FTP has long been used to access the site’s file system, and not for downloading/uploading stored data. Transferring them is still relevant, but recently tools for working with websites have increasingly been developed that allow the development of web resources on a local server and ensure synchronization of the local file system with the system of the same name located on the hosting.

In this context, FTP access provides access to the root of the site, allowing you to manipulate its pages: edit, add, delete.

Example: Connecting to an FTP server

In this example (yellow background), the ftp command is entered on the client computer in the Windows operating system. The server reports its data and prompts you to provide a username. In this case (green background), the name is “SCi_WMiX_22G(a)wmix.isv.by”.

Access is not anonymous and the server requests a password. To check, after a successful connection, enter the “ls” command - view the current directory.

Typically, the FTP network protocol is not used at such a low level. It is much more convenient to use special programs designed for this. Almost all of them provide a convenient and secure connection and make it possible to transfer/receive files, create folders, navigate through them, delete them and perform ordinary operations in the usual way, as on a local file system.

FTP/FTPS Commands

The FTPS protocol is being improved, so the exact list of commands and their names (obtained in a search on Internet resources) will not always correspond to the tool that you have to use to access the FTP resource.

The best way to determine the list of available options is to issue the help command.

By the way, using the FTP protocol is unsafe from the point of view of Internet attacks: commands and data are transmitted openly. Everything is secure in the FTPS protocol. However, you need to keep in mind that user actions do not provide the ability to roll back.

By deleting or moving a file, creating a folder in the wrong location or with an incorrect name, you can damage the file system of the FTP server. Actually, the server cannot be damaged. But the access it provides to a specific file system should be used correctly.

    The abbreviation FTP comes from the English File Transfer Protocol. It is an application layer protocol for exchanging files over the TCP/IP transport between two computers, an FTP client and an FTP server. It is one of the oldest protocols and is still actively used.

The FTP protocol is designed to solve the following problems:

  • access to files and directories on remote hosts;
  • ensuring client independence from the file system type of the remote computer;
  • reliable data transmission;
  • use of remote system resources.

    The FTP protocol supports two connection channels at once: one for transferring commands and the results of their execution, the other for exchanging data. With standard settings, the FTP server uses TCP port 21 for the channel that sends and receives commands and TCP port 20 for the channel that receives/transmits data.

    The FTP server waits for connections from FTP clients on TCP port 21 and, after establishing a connection, accepts and processes FTP commands, which are regular text strings. The commands define connection parameters, the type of data transferred, and actions in relation to files and directories. After agreeing on the transmission parameters, one of the exchange participants enters passive mode, waiting for incoming connections for the data exchange channel, and the second establishes a connection to this port and begins transmission. Once the transfer is complete, the data connection is closed, but the control connection remains open, allowing you to continue the FTP session and create a new data transfer session.

    The FTP protocol can be used not only to transfer data between a client and a server, but also between two servers. In this case, the FTP client establishes a control connection with both FTP servers, switches one of them to passive mode, and the second to active, creating a data transfer channel between them.

    An FTP client is a program that connects to an FTP server and performs the necessary operations to view the contents of the server's directories and receive, transfer, and delete files or folders. Such a program can be a regular browser, an operating system component, or specially developed software, such as the popular download manager Download Master or the multifunctional free FileZilla FTP Client.

    The FTP protocol was developed back in the days when the client and server interacted directly, without any intermediate transformation of TCP packets, and in its standard mode it assumes that a TCP connection can be created not only at the initiative of the client, but also at the initiative of the server, from the server's TCP port 20 to a client port whose number is transmitted when the data session is created.

    The realities of today are such that a TCP connection from server to client is, in the vast majority of cases, impossible or very difficult to implement, because Internet access usually goes through network address translation (NAT), and the client has no network interface that could accept a direct TCP connection from the Internet. A typical diagram of a standard Internet connection looks like this:

    The Internet connection is made through a special device, a router with the NAT function, that has at least two network ports: one connected to the provider’s network, with a network interface having a routable IP address (the so-called “white IP”), for example 212.248.22.144, and a port with a network interface for connecting local network devices, with a private, non-routable IP address, for example 192.168.1.1 (“gray IP”). When connections are created from local network devices to external network nodes, the IP packets are sent to the router, which performs address and port translation so that the sender's address becomes the router's white IP address. The translation results are saved, and when a response packet is received the reverse address translation is performed. Thus, the router ensures the forwarding of TCP/IP packets from any local network device to external networks and the return forwarding of the received response packets. But when a packet that is not a response to an existing connection arrives at the network interface connected to the provider’s network, the router software can react in the following ways:

    The packet is ignored because there is no network service to process it.

    The packet is received and processed by the network service of the router itself, if such a service exists and is waiting for an incoming connection (“listening”) on the port whose number is indicated in the received packet.

    The packet is forwarded to a server on the local network that expects this type of incoming connections in accordance with the port mapping rules specified in the router settings.

    Therefore, at present, the main mode of operation using the FTP protocol has become the so-called “passive mode”, in which TCP connections are made only from the client to the TCP port of the server. The active mode is used in cases where it is possible to connect TCP from the server to client ports, for example, when they are on the same local network. The FTP connection mode is selected using special commands:

    PASV - the client sends this command to request data exchange in passive mode. The server returns the address and port to which the client must connect to receive or transmit data. Example of a fragment of an FTP session with passive mode set:

    PASV - command to switch to passive mode, sent by the FTP client to the FTP server

    227 Entering Passive Mode (212,248,22,144,195,89) - FTP server response, where 227 is the response code, followed by a text message about switching to passive mode and, in brackets, the IP address and port number that will be used to create the data transmission channel. The address and port number are displayed as decimal numbers separated by commas. The first 4 numbers are the IP address (212.248.22.144), the remaining 2 numbers specify the port number, which is calculated by the formula: the first number is multiplied by 256 and the second number is added to the result; in this example the port number is 195 * 256 + 89 = 50017

    PORT client-IP-address,port-number - the client sends this command to establish a session in active mode. The IP address and port number are specified in the same format as in the previous example, for example PORT 212,248,22,144,195,89. To organize the data transfer, the server itself connects to the client on the specified port.
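As an added example that is not part of the original article, the following Python code parses a 227 reply into an address and port by the formula above, encodes the reverse PORT command, and checks whether the advertised address is one a client can actually use (a server behind NAT that sends its gray IP instead of its white IP is the usual misconfiguration). The sample reply uses the values from the session shown later in the article; the function names are assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# The h1,h2,h3,h4,p1,p2 tuple that a 227 reply carries in brackets.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (ip, port) from a "227 Entering Passive Mode (...)" reply.

    The port is p1 * 256 + p2, exactly as the article's formula states.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("every field of the tuple must fit in one byte")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    return ip, port


def build_port_command(ip: str, port: int) -> str:
    """Encode a client address as "PORT h1,h2,h3,h4,p1,p2" (active mode)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + str(addr).replace(".", ",") + f",{port // 256},{port % 256}"


def check_advertised_address(reply: str, control_peer_ip: str) -> List[str]:
    """Warnings a client can raise about the address a server advertised.

    control_peer_ip is the address the control connection was opened to.
    A server behind NAT that sends its own gray IP instead of the white IP
    produces the first warning; in the second case a cautious client ignores
    the advertised address and reuses the control peer's address instead.
    """
    ip, port = parse_pasv_reply(reply)
    warnings: List[str] = []
    if ipaddress.IPv4Address(ip).is_private:
        warnings.append(f"server advertised private address {ip}:{port}; "
                        "behind NAT it must advertise the white IP")
    elif ip != control_peer_ip:
        warnings.append(f"advertised address {ip} differs from control peer "
                        f"{control_peer_ip}; reuse the control peer address")
    return warnings
```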

    Installing and configuring FileZilla FTP Server.

    You can download the FileZilla Server installation package for your version of the operating system at

    The server installation is performed in the standard way, except for the step where the server control panel settings are selected:

    This is the main server management tool through which all necessary settings are made. By default, the control panel operates on a loopback interface without password access. If necessary, for example, if remote control of the FTP server is required, these settings can be changed.

    Once the installation is complete, a prompt window for connecting to the server will open:

    After entering the IP address, port number and password (if you specified them during the installation process), the FileZilla Server control panel opens:

    At the top of the window there are the main menu and the control panel buttons. Below there are two areas: server information messages and statistical information. Overall, the FileZilla Server control panel is quite simple and easy to use. Main menu items:

    File - operating modes of the FTP server control panel. Contains sub-items:

    - Connect to Server - connect to the server
    - Disconnect - disconnect from the server
    - Quit - shutdown of the control panel.

    Server - FTP server management. Contains sub-items:

    - Active - start/stop FTP server. If the checkbox is checked, the FTP server is started; if unchecked, it is stopped.
    - Lock - prohibit/allow connections to the server. When the checkbox is checked, new connections to the server are prohibited.

    Edit - editing settings. Sub-items:

    - Settings - basic server settings.
    - Users - FTP server user settings.
    - Groups - user group settings.

    As an example, let's configure the server for the following conditions:

  • the server is behind NAT, has a private IP address, but must be accessible from the Internet, supports passive mode and uses non-standard TCP ports. The use of non-standard ports reduces the likelihood of hacker attacks, and in addition, some providers use traffic filtering and block standard ports 20 and 21.
  • users have the ability to download from the server, upload to the server, delete and rename files and folders.
  • if a dynamic IP address is used, the server must be accessible by DNS name.
  • the server will operate on a workstation in a Windows 7 / Windows 8 OS environment.

    In other words, you need to create an FTP server accessible from the Internet for exchanging files between users, free of charge, of course. It is quite clear that in addition to creating the necessary configuration of the FTP server itself, you will need to change some router settings and Windows firewall settings, and solve the problem of a dynamic IP address so that the server is accessible by name regardless of changes in its IP address.

    Solving the problem of dynamic IP address.

        This problem does not need solving when the Internet connection uses a static IP address, or a dynamic one that, according to the provider's settings, is almost always the same. Otherwise, you can use a technology called Dynamic DNS (DDNS). This technology allows the IP address information on the DNS server to be updated almost in real time, so the router (and the services behind it) can be reached by the registered name regardless of changes in the dynamic IP.

    To implement this technology for free, you will need to register with a dynamic DNS service and install client software that updates the DNS record when the corresponding IP address changes. Dynamic DNS support is usually provided by network equipment manufacturers (D-Link, Zyxel, etc.), some hosting providers and specialized companies, such as the well-known DynDNS. However, after the second half of 2014, when all services that had been provided to registered users free of charge for non-commercial use became paid, perhaps the most popular solution became dynamic DNS based on the No-IP.org service, which provides free support for 2 nodes with dynamic IP. To use the service for free, you will need to register and periodically (approximately once a month) visit the site to update the information about the dynamic IP nodes used. If you skip updating the node data, the service is suspended and, accordingly, it becomes impossible to connect to the node by name. When using the service for a fee, no such update is required.

        Almost all modern routers (modems) have built-in support for a dynamic DNS client. Its setup is usually very simple: you fill in the fields with the user name and password, as well as the host name received when registering with the DDNS service. Example for the Zyxel P660RU2:

        Using the DDNS client built into the router/modem is preferable to a DNS update utility running in the OS, since it allows additional capabilities, such as managing the router via the Internet when the computer is turned off and remotely powering on computers behind NAT using Wake On LAN technology.

    In those cases where the built-in DDNS client cannot be used, you will have to make do with application software: a client program that supports dynamic DNS. Such a program periodically connects to a server that maintains the registered domain name associated with the router through which the Internet connection is made, and invokes the IP update procedure when the address changes. The server is set up so that the DNS name is mapped to the new IP address of the Internet connection within a very short time, so the dynamic nature of the address has virtually no effect on the availability of services associated with the DNS name.

    The procedure is as follows:

  • Go to the No-IP.org website. To work with an existing or new account, use the "Sign In" button (top right side of the page).

  • Create your account, if it has not yet been created, by clicking "Create Account". The registration form changes periodically, but you must enter the desired username, password and your e-mail. An e-mail with a link to confirm registration is sent to the address specified during registration. When registering, select free access: click the Free Sign Up button after filling out all the required form fields.
  • After successful registration, log into the site and add an entry for your node by clicking the "Add Hosts" button.

    In fact, you only need to enter the selected host name, in this case myhost8.ddns.net. There is no need to change any other parameters. Then you need to download and install special software, the Dynamic Update Client (DUC), the link to which is located on the main page of the site. After the installation of DUC is completed, it will launch and an authorization window will open, where you need to enter the username or e-mail and password received when registering on the no-ip.org website. Then press the Edit Hosts button and check the box next to the previously created host name (myhost8.ddns.net). Now the selected host name will always correspond to the "white IP address" of your Internet connection. If you are having trouble updating your IP address, check whether the DUC client's network activity is being blocked by a firewall.

    Setting up an FTP server

        Using non-standard port numbers for an FTP server is not at all necessary if the provider does not filter traffic and you are not concerned about port scans for vulnerable services and password-guessing attempts. In this article, the use of an FTP server with non-standard TCP ports is presented as one of the possible options.

    FileZilla Server settings are made through the "Edit" - "Settings" menu

    The General Settings window is intended for the general FTP server settings.

    In the "Listen on this port" field you can specify the port number for incoming TCP connections. By default, this field is set to 21, and to use a non-standard number you need to enter the selected value, for example 12321. Using a non-standard TCP port has some inconvenience, since its value must be specified when creating a session:

    If the server is planned to be used both with access from the Internet and on the local network, it makes sense to leave the standard value 21, and use a non-standard port number for connections from the Internet, setting up redirection of packets arriving on port 12321 of the router to port 21 of the FTP server in local network. With this setup, there is no need to specify a port number for FTP sessions within the local network.

    The other parameters tune performance and session timeouts and can be left unchanged. The remaining sections of the general settings can also be left at their defaults:

    Welcome Message - the text that is sent to the client upon connection.

    IP Binding - the network interface on which client connections will be expected. By default any, but you can specify a specific one, for example 192.168.1.3.

    IP Filter - filtering rules for client IP addresses. By default, connections are allowed from any IP.

    The Passive mode settings section serves to configure passive FTP mode and will require changing almost all of the default parameters.

    The port numbers that will be used to transmit data in passive mode must be set manually, since the router will have to be configured to forward them to the network interface the server is listening on. Therefore, you need to check the box to enable the "Use custom port range" mode and set the range, for example from 50000 to 50020. The number of ports the server listens on determines the limit on the number of simultaneous data transfer sessions.

    The IPv4 specific subsection defines the IP address that the server will send in response to the PASV command. In this case, it should not be the server's own IP 192.168.1.3, but the "white IP" of our Internet connection. Therefore, you need to select the "Use the following IP" mode and, instead of an IP address, enter the name received when registering with the dynamic DNS service: myhost8.ddns.net. As an alternative, you can have the external IP address determined by a FileZilla project service by enabling "Retrieve external IP Address from:". This option can be chosen when the dynamic DNS tool cannot be used. If you intend to use the FTP server on your local network as well, you need to enable the "Don't use external IP for local connections" mode (do not use the external IP address for connections within the local network).

    The rest of the server settings can be left unchanged or, if necessary, configured later:

    Security settings - security settings. By default, connections that can be used to carry out DDoS attacks are prohibited.

    Miscellaneous - settings for buffer sizes, other log parameters and some FTP commands.

    Admin Interface settings - server control panel settings. You can specify the network interface, listening port number, IP addresses from which connections to the control panel are allowed, and a password.

    Logging - server event log settings. By default, writing to a file is not performed.

    Speed Limit - data transfer rate limit settings. By default, no restrictions.

    Filetransfer compression - settings for file compression during transfer. The default is no compression.

    SSL/TLS settings - enabling encryption of transmitted data. The default is no encryption.

    Autoban - enable automatic blocking of users who try to guess a password to connect. By default, automatic blocking is disabled.

    Setting up port forwarding and firewall

    In order for the FTP server to be accessible from the Internet, it is necessary to configure the router in such a way that incoming connections coming to certain TCP ports on the external interface are redirected to the TCP ports listened to by the FTP server on the internal network. For different router models, the settings may differ in terminology, but their meaning is the same - a TCP packet with a specific port number received on the external (WAN) interface is sent to the local network to the desired IP address and port. Example of settings for the D-Link DIR-320NRU router for port forwarding used for passive FTP mode:

    Packets received on the interface with the "white IP" and having port numbers in the range 50000-50020 will be forwarded to the IP address specified in the "Internal IP" field (in our case 192.168.1.3). Similarly, a forwarding rule is created for port 50021: to port 50021 of the FTP server if you changed the standard port number, or to port 21 if you left it unchanged.

    After applying these settings, the FTP server will be accessible via the URL ftp://myhost8.ddns.net:50021 or, for a connection within the local network:

    ftp://192.168.1.3 - if you did not change the default port number (21) in the FTP server settings.

    ftp://192.168.1.3:50021 - if a non-standard port number is used.

    You can use a computer name instead of an IP address if it can be resolved to an IP address:

    ftp://comp1

    ftp://comp1.mydomain.ru

    Diagnosis of problems

    If the connection to the FTP server does not occur, the firewall may be blocking the connections necessary for the operation of the created FTP server. If you use the built-in Windows firewall, you must add a rule that allows network activity for the "FileZilla FTP server" service. If you are using a third-party firewall or antivirus with traffic filtering, you must create a corresponding rule with the available settings tools to allow network connections. The settings may either allow any network activity of a specific program, or allow selected addresses and ports for all programs.

    The best place to start diagnostics is on the FTP server itself. As a diagnostic tool, you can use a standard telnet client (the telnet.exe utility). Firewalls do not block connections on the loopback interface, so to check that the server settings are correct you can connect to it with the command:

    telnet localhost 21 - if the standard port number is used.

    telnet localhost 50021 - if the standard port number has been changed.

    When this command is executed, a connection to the FTP server is made via the loopback interface and a server invitation (Welcome Message) should be displayed in the telnet window. If this does not happen, the server may be stopped, there is a port conflict, or port 21 (50021) is not listening. For diagnostics you can use the command netstat:

    netstat -nab

    The command line options mean:

    n - use numeric port numbers and IP addresses

    a - display all connections and listening ports

    b - display the names of the programs involved in creating connections.

    Example of displayed command results:

    Active connections

    Name     Local address        External address     Status
    TCP      0.0.0.0:21           0.0.0.0:0            LISTENING
    [FileZilla Server.exe]
    TCP      0.0.0.0:135          0.0.0.0:0            LISTENING
    RpcSs

    The Local address column contains the value 0.0.0.0:21, which indicates that the program named FileZilla Server.exe is listening (state LISTENING) on TCP port 21 on all network interfaces. If a specific interface and a different port number were specified in the FTP server settings, this value will contain IP:port, for example 192.168.1.3:50021.

    To display results in page mode, you can use the command:

    netstat -nab | more

    Or filter the results by port number: netstat -nab | find ":21"
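As an added example, not code from the article, the following Python parser reads netstat -nab output (a constructed sample in the English Windows layout, including the program-name lines that the -b option prints in brackets) and reports whether the expected process is listening on the FTP control port, whether another program holds it, or whether nothing is listening; the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of "netstat -nab" output in the English Windows layout;
# it was not captured on the article's machine. Owner lines (service name,
# then the executable in brackets) follow each socket line.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
 [FileZilla Server.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.3:50021      0.0.0.0:0              LISTENING
 [FileZilla Server.exe]
  TCP    192.168.1.3:50021      212.248.22.144:4099    ESTABLISHED
 [FileZilla Server.exe]
"""

# One socket row: protocol, local address, foreign address, optional state (UDP has none).
_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str                      # empty string for UDP rows
    owners: List[str] = field(default_factory=list)   # service names and "[exe]"

    @property
    def port(self) -> int:
        # Works for "0.0.0.0:21" and for IPv6 forms such as "[::]:21".
        return int(self.local.rsplit(":", 1)[1])

    @property
    def exe(self) -> Optional[str]:
        for owner in self.owners:
            if owner.startswith("[") and owner.endswith("]"):
                return owner[1:-1]
        return None


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            sockets.append(Socket(*m.groups()))
        elif sockets and line.strip():
            # Any non-empty line after a socket row is an owner line of that socket.
            sockets[-1].owners.append(line.strip())
    return sockets


def diagnose(text: str, port: int, expected_exe: str = "FileZilla Server.exe") -> str:
    """Explain, from netstat output, why a connection to the control port might fail."""
    listeners = [s for s in parse_netstat(text)
                 if s.proto == "TCP" and s.state == "LISTENING" and s.port == port]
    if not listeners:
        return f"nothing is listening on TCP port {port}: server stopped or bound to another port"
    foreign = [s for s in listeners if s.exe != expected_exe]
    if foreign:
        return f"port {port} is held by {foreign[0].exe}, not {expected_exe}: port conflict"
    return f"{expected_exe} is listening on " + ", ".join(s.local for s in listeners)
```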

    If the server is unavailable on a non-loopback interface but accessible on the loopback interface, you need to look into the firewall settings.

    Setting up users and groups.

    Setting up users and groups is done through the menu "Edit" - "Users" ("Groups"). It is not necessary to create groups, but sometimes it is convenient in cases where there are a large number of users and their rights in relation to the FTP server differ. The settings for both groups and users are almost identical:

    This example shows the result of adding an FTP server user named user1 who has full rights to write, read, delete and append files, as well as to view the contents of, delete and create subdirectories in the directory C:\ftp\public

    On the General page, users are added, deleted and their properties changed.
    On the Shared Folders page, settings are made that determine the list of file system directories to which the FTP server will provide access via the FTP protocol. Each user or group of users can be given their own directory with certain rights to its contents.
    On the Speed limits page you can set restrictions on data exchange speed.
    On the IP Filter page you can set filtering rules for the user's IP address, indicating the addresses from which connection to the server is prohibited or allowed.

    List of basic FTP commands

    ABOR - Abort file transfer
    CDUP - Change to the parent directory.
    CWD - Change current directory.
    DELE - Delete a file (DELE filename).
    HELP - Displays a list of commands accepted by the server.
    LIST - Returns a list of files in a directory. The list is transmitted via the data connection (port 20).
    MDTM - Returns the file modification time.
    MKD - Create a directory.
    NLST - Returns a list of files in a directory in a shorter format than LIST. The list is transmitted via the data connection (port 20).
    NOOP - No operation
    PASV - Enter passive mode. The server will return the address and port to which you need to connect to collect the data. The transfer will begin when the RETR, LIST, etc. commands are entered.
    PORT - Enter active mode. For example PORT 12,34,45,56,78,89. Unlike the passive mode, the server itself connects to the client to transfer data.
    PWD - Returns the current server directory.
    QUIT - Disconnect
    REIN - Reinitialize connection
    RETR - Download file. RETR must be preceded by a PASV or PORT command.
    RMD - Delete directory
    RNFR and RNTO - Rename a file. RNFR specifies the current name, RNTO the new name.
    SIZE - Returns the file size
    STOR - Upload a file to the server. STOR must be preceded by a PASV or PORT command.
    SYST - Returns the system type (UNIX, WIN, etc.)
    TYPE - Set the file transfer type (A - ASCII text, I - binary)
    USER - Username to log into the server

    Example FTP session

    The FTP client connects to the server with username user1 and an empty password and downloads a file named cpu-v. In the listing below, each line of the exchange is preceded by a note saying whether it comes from the FTP server or from the FTP client. The exchange of directives and parameters may vary slightly between different versions of the FTP client and FTP server software.

    After connecting, the server transmits information about itself to the client:
    220-FileZilla Server version 0.9.45 beta
    220-written by Tim Kosse ( [email protected])
    220 Please visit http://sourceforge.net/projects/filezilla/
    The client passes the username:
    USER user1
    The server asks for a password:
    331 Password required for user1
    The client passes an empty password:
    PASS
    The server verifies the user account and reports the start of the session:
    230 Logged on
    The client requests the type of operating system on the server:
    SYST
    The server reports that the system type is UNIX, emulated by FileZilla Server:
    215 UNIX emulated by FileZilla
    The client requests a list of parameters supported by the server:
    FEAT
    The server responds with a list of supported parameters:
    211-Features:
    MDTM
    REST STREAM
    SIZE
    MLST type*;size*;modify*;
    MLSD
    UTF8
    CLNT
    MFMT
    211 End

    The client requests the current directory of the server:
    PWD
    The server reports that the current directory is the root directory ("/"):
    257 "/" is current directory.
    The client reports that it will transfer binary data:
    TYPE I
    The server confirms the type of data being transferred:
    200 Type set to I
    The client reports that it will use passive FTP mode:
    PASV
    The server reports the transition to passive mode and transmits the IP and port for passive FTP mode:
    227 Entering Passive Mode (212,248,22,114,195,97)
    The client requests to receive the file named cpu-v from the current server directory:
    RETR cpu-v
    The server reports the start of data transfer:
    150 Opening data channel for file download from server of "/cpu-v"
    Upon completion, the server reports a successful transfer:
    226 Successfully transferred "/cpu-v"
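The multi-line replies in this session (220- ... 220 for the banner, 211-Features: ... 211 End for FEAT) follow the reply format of RFC 959. As an added example, not part of the original article, the following Python code groups raw server lines into complete replies and extracts the FEAT list; the server lines are re-typed from the session above as a constructed sample, and the function names are assumptions.

```python
import re
from typing import List, Tuple

# Server side of the session above, re-typed as a constructed sample
# (client commands omitted; the author credit line is shortened).
SERVER_LINES = [
    "220-FileZilla Server version 0.9.45 beta",
    "220-written by Tim Kosse",
    "220 Please visit http://sourceforge.net/projects/filezilla/",
    "331 Password required for user1",
    "230 Logged on",
    "215 UNIX emulated by FileZilla",
    "211-Features:",
    " MDTM",
    " REST STREAM",
    " SIZE",
    " MLST type*;size*;modify*;",
    " MLSD",
    " UTF8",
    " CLNT",
    " MFMT",
    "211 End",
    '257 "/" is current directory.',
    "200 Type set to I",
    "227 Entering Passive Mode (212,248,22,114,195,97)",
    '150 Opening data channel for file download from server of "/cpu-v"',
    '226 Successfully transferred "/cpu-v"',
]

# A reply line is "ddd" + separator + text: "-" opens a multi-line reply,
# " " is the last (or only) line of a reply.
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

Reply = Tuple[int, List[str]]   # (code, text lines without the code prefix)


def parse_replies(lines: List[str]) -> List[Reply]:
    replies: List[Reply] = []
    open_code = None            # code of the multi-line reply being collected
    text: List[str] = []
    for line in lines:
        m = _REPLY_RE.match(line)
        if open_code is None:
            if m is None:
                raise ValueError(f"expected a reply code, got {line!r}")
            code, sep, body = m.groups()
            text = [body]
            if sep == "-":
                open_code = code
            else:
                replies.append((int(code), text))
        elif m is not None and m.group(1) == open_code:
            # Same code again: "-" is another prefixed line, " " closes the reply.
            text.append(m.group(3))
            if m.group(2) == " ":
                replies.append((int(open_code), text))
                open_code = None
        else:
            text.append(line.strip())   # a plain continuation line such as " MDTM"
    if open_code is not None:
        raise ValueError(f"multi-line reply {open_code} was never closed")
    return replies


def reply_class(code: int) -> str:
    """Meaning of the first digit of a reply code (RFC 959)."""
    return {1: "preliminary", 2: "success", 3: "intermediate",
            4: "transient error", 5: "permanent error"}[code // 100]


def features(replies: List[Reply]) -> List[str]:
    """Extensions listed between "211-Features:" and "211 End"."""
    for code, text in replies:
        if code == 211 and text and text[0].startswith("Features"):
            return text[1:-1]
    return []
```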

    In conclusion, I would like to add that the FileZilla project includes not only the development and support of a high-quality free FTP server, but also a popular free FTP client.

    An article with a brief description of a free FTP client for Linux, Mac OS and Windows. This FTP client supports many application data transfer protocols - FTP, FTP over SSL/TLS (FTPS), SSH File Transfer Protocol (SFTP), HTTP, SOCKS and FTP-Proxy. In other words, Filezilla FTP Client is a universal software for receiving and transferring files over all modern application protocols between nodes on various platforms.

    FTP (File Transfer Protocol) is a standard protocol designed for transferring files over TCP networks (for example, the Internet). FTP is often used to download web pages and other documents from a private development device to public hosting servers.

    The protocol is built on a client-server architecture and uses different network connections to transfer commands and data between the client and server. FTP users can authenticate by passing a username and password in clear text, or, if the server allows it, they can connect anonymously. You can use the SSH protocol for secure transfers that hide (encrypt) the login and password and also encrypt the content.

    A rather striking feature of the FTP protocol is that it uses multiple (at least double) connections. In this case, one channel is the control channel, through which commands are sent to the server and its responses are returned (usually via TCP port 21), and through the rest the actual data transmission occurs, one channel for each transmission. Therefore, within one session via the FTP protocol, you can transfer several files simultaneously, and in both directions. For each data channel, its own TCP port is opened, the number of which is selected either by the server or the client, depending on the transmission mode.

    The FTP protocol has a binary transfer mode, which reduces traffic overhead and reduces communication time when transferring large files. The HTTP protocol necessarily requires encoding binary information into text form, for example using the Base64 algorithm.

    When starting work via the FTP protocol, the client enters a session, and all operations are carried out within the framework of this session (in other words, the server remembers the current state). The HTTP protocol does not “remember” anything - its task is to give data and forget it, so remembering the state when using HTTP is carried out by methods external to the protocol.

    FTP operates at the application layer of the OSI model and is used to transfer files using TCP/IP. To do this, an FTP server must be running and awaiting incoming requests. The client computer can contact the server on port 21. This connection (control flow) remains open for the duration of the session. The second connection (data stream) can be opened either by the server from port 20 to the port of the corresponding client (active mode), or by the client from any port to the port of the corresponding server (passive mode), which is necessary to transfer the data file. Control flow is used to operate the session - for example, the exchange of commands and passwords between the client and server using a telnet-like protocol. For example, "RETR filename" will transfer the specified file from the server to the client. Because of this two-port structure, FTP is considered an out-of-band protocol, as opposed to in-band HTTP.

    Connection and data transfer

    The protocol is defined in RFC 959. The server responds on the control flow with three-character ASCII status codes with an optional text message. For example, "200" (or "200 OK") means that the last command was executed successfully. The numbers represent the response code, and the text represents the clarification or request. Current transmission on the data stream can be interrupted by an interrupt message sent on the control flow.

    FTP can operate in active or passive mode, the choice of which determines how the connection is established. In active mode, the client creates a TCP control connection with the server and sends its IP address and an arbitrary client port number to the server, and then waits until the server starts a TCP connection with this address and port number. In case the client is behind a firewall and cannot accept an incoming TCP connection, passive mode can be used. In this mode, the client uses control flow to send a PASV command to the server, and then receives its IP address and port number from the server, which is then used by the client to open a data flow from an arbitrary client port to the received address and port. Both modes were updated in September 1998 to support IPv6. At this time, further changes were made to Passive Mode, upgrading it to Enhanced Passive Mode.

    When transmitting data over a network, four data representations can be used:

      ASCII - used for text. The data is, if necessary, converted from the character representation on the sending host to "eight-bit ASCII" before transmission, and (again, if necessary) to the character representation on the receiving host. As a result, this mode is not suitable for files containing more than just plain text.

      Image mode (commonly called binary) - the sending device sends each file byte by byte, and the recipient stores the byte stream upon receipt. Support for this mode has been recommended for all FTP implementations.

      EBCDIC - used to transfer plain text between hosts in EBCDIC encoding. Otherwise, this mode is similar to the ASCII mode.

      Local mode - allows two computers with identical settings to send data in their own format without converting to ASCII.

    For text files, various management formats and record structure settings are provided. These features were designed to work with files containing Telnet or ASA formatting.

    Data transfer can be carried out in any of three modes:

      Stream mode - data is sent as a continuous stream, freeing FTP from performing any processing. Instead, all processing is done by TCP. The end-of-file indicator is not needed except for separating data into records.

      Block mode - FTP breaks the data into several blocks (header block, number of bytes, data field) and then transmits them to TCP.

      Compression mode - data is compressed using a single algorithm (usually run-length encoding).

    Authentication

    FTP authentication uses the usual username/password scheme to grant access. The username is sent to the server with the USER command, and the password is sent with the PASS command. If the information provided by the client is accepted by the server, then the server will send an invitation to the client and the session begins. Users can, if the server supports this feature, log in without providing credentials, but the server can only grant limited access for such sessions.

    Anonymous FTP

    The host providing the FTP service can provide anonymous FTP access. Users typically log in with "anonymous" as their username. Although users are typically asked to provide their email address instead of a password, no verification is actually performed. Many FTP hosts that provide software updates support anonymous access.

    NAT-PT

    Especially for the FTP protocol to work through firewalls, a NAT extension called NAT-PT (RFC 2766) was made, which allows incoming connections from the server to the client to be translated through NAT. During such a connection, NAT replaces the data transmitted by the client, indicating to the server the real address and port to which the server can connect, and then translates the connection arriving from the server at this address into a connection to the client's address. Despite all the measures and innovations adopted to support the FTP protocol, in practice the NAT-PT function is usually disabled in routers in order to provide additional security against virus threats.

    NAT and bypassing firewalls

    FTP typically transfers data when there is a connection between the server and the client, after the client has sent the PORT command. This creates a problem for both NAT and firewalls, which do not allow connections from the Internet to internal hosts. For NAT, an additional problem is that the representation of IP addresses and port numbers in the PORT command refers to the internal host's IP address and port, instead of the public IP address and NAT port. There are two approaches to this problem. The first is that the FTP client and FTP server use the PASV command, which invokes a data connection established from the client to the server. The second approach is to change the PORT command values ​​for NAT using the gateway at the application layer.

    Web browser support

    Most regular web browsers can retrieve files located on FTP servers, although they may not support protocol extensions like FTPS. When an FTP address is specified rather than an HTTP address, the available content on the remote server is presented similarly to other web content. A fully functional FTP client can be run in Firefox as a FireFTP extension.

    Security

    FTP was not designed to be a secure protocol (especially by today's standards) and has numerous security vulnerabilities. In May 1999, the authors of RFC 2577 summarized the vulnerabilities in the following list of issues:

      Bounce attacks

      Spoof attacks

      Brute force attacks

      Packet capture (sniffing)

      Username protection

      Port stealing

    FTP cannot encrypt its traffic; all transmissions are cleartext, so usernames, passwords, commands and data can be read by anyone able to intercept the packets on the network. This problem is typical of many Internet protocol specifications (including SMTP, Telnet, POP, IMAP) developed before the creation of encryption mechanisms such as TLS and SSL. The usual solution to this problem is to use "secure", TLS-protected versions of the vulnerable protocols (FTPS for FTP, TelnetS for Telnet, etc.) or another, more secure protocol, such as SFTP/SCP, provided with most Secure Shell protocol implementations.

    Secure FTP

    There are several methods for secure file transfer, at one time or another called "Secure FTP": FTPS, SFTP, FTP over SSH.

    Explicit FTPS is an extension to the FTP standard that allows clients to require that the FTP session be encrypted. This is implemented by sending the "AUTH TLS" command. The server has the ability to allow or reject connections that do not request TLS. This protocol extension is defined in RFC 4217. Implicit FTPS is a legacy standard for FTP that requires the use of an SSL or TLS connection. This standard was supposed to use different ports from normal FTP.

    SFTP, or "SSH File Transfer Protocol", is not related to FTP, except that it also transfers files and has a similar set of commands for users. SFTP, or secure FTP, is a program that uses SSH (Secure Shell) to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network. SFTP is similar in functionality to FTP, but because it uses a different protocol, standard FTP clients cannot communicate with an SFTP server and vice versa.

    FTPthroughSSH(NotSFTP)

    FTP over SSH (not SFTP) refers to the practice of tunneling a regular FTP session over an SSH connection. Because FTP uses multiple TCP connections, tunneling over SSH is especially difficult. When many SSH clients try to establish a tunnel for the control channel (the original client-server connection on port 21), only this channel will be protected; when transferring data, the FTP software on either end will establish new TCP connections (data channels) that will bypass the SSH connection and thus lose integrity.

    Otherwise, the SSH client software needs to have some knowledge of FTP to monitor and rewrite FTP control flow messages and autonomously open new redirections for the FTP data flow.

    FTP over SSH is sometimes referred to as secure FTP; but it should not be confused with other methods such as SSL/TLS (FTPS). Other file transfer methods using SSH and not related to FTP are SFTP and SCP; in each of them, both credentials and file data are always protected by the SSH protocol.

    FXP (File eXchange Protocol) is a way to transfer files between two FTP servers directly without downloading them to your computer. In an FXP session, the client opens two FTP connections to two different servers, requesting a file from the first server, specifying the IP address of the second server in the PORT command.

    An undoubted advantage of supporting the FXP standard is that end users wishing to copy files from one FTP server to another are no longer subject to the bandwidth limitations of their own Internet connection. There is no need to download a file for yourself and then upload it to another FTP server. Thus, the file transfer time will depend only on the connection speed between two remote FTP servers, which in most cases is obviously higher than the “user” one.

    FXP began to be used by attackers to attack other servers: the PORT command specifies the IP address and port of the attacked service on the victim’s computer, and the RETR/STOR commands access this port on behalf of the FTP server, and not the attacking machine, which made it possible to carry out large-scale DDoS attacks using many FTP servers at once, or bypass the security system of the victim’s computer if it relies only on client IP verification and the FTP server used for the attack is located on a trusted network or gateway. As a result, almost all servers now check that the IP address specified in the PORT command matches the IP address of the FTP client and, by default, prohibit the use of third party IP addresses there. Therefore, using FXP is not possible when working with public FTP servers.

    Basic Commands

      ABOR - Abort file transfer

      CDUP - Change directory to a higher one.

      CWD - Change directory.

      DELE - Delete a file (DELE filename).

      EPSV - Enter extended passive mode. Used instead of PASV.

      HELP - Displays a list of commands accepted by the server.

      LIST - Returns a list of files in a directory. The list is sent over a data connection.

      MDTM - Returns the file modification time.

      MKD - Create a directory.

      NLST - Returns a list of files in a directory in a shorter format than LIST. The list is sent over a data connection.

      NOOP - Empty operation

      PASV - Enter passive mode. The server will return the address and port to which you need to connect to collect the data. The transfer will begin when the following commands are entered: RETR, LIST, etc.

      PORT - Enter active mode. For example PORT 12,34,45,56,78,89. Unlike the passive mode, the server itself connects to the client to transfer data.

      PWD - Returns the current directory.

      QUIT - Disconnect

      REIN - Reinitialize connection

      RETR - Download file. RETR must be preceded by a PASV or PORT command.

      RMD - Delete directory

      RNFR and RNTO - Rename the file. RNFR - what to rename, RNTO - what to rename.

      SIZE - Returns the file size

      STOR - Upload file. STOR must be preceded by a PASV or PORT command.

      SYST - Returns the system type (UNIX, WIN, ...)

      TYPE - Set the file transfer type (binary, text)

      USER - Username to log into the server

    Protocol Description

    Difference from HTTP

    Connection and data transfer

    Web browser support

    Syntax

    The FTP URL syntax is described in RFC 1738 and has the form ftp://[<user>[:<password>]@]<host>[:<port>]/<path> (the parts in square brackets are optional). For example:

    How the username and password are specified is described in the browser documentation. By default, most web browsers use passive (PASV) mode, which passes more easily through end-user firewalls.

    Safety

    FTP was not designed to be a secure protocol (especially by today's standards) and has numerous security vulnerabilities. In May 1999, the authors of RFC 2577 summarized the vulnerabilities into the following list of issues:

    • Bounce attacks
    • Spoof attacks
    • Brute force attacks
    • Packet capture, sniffing
    • Username protection
    • Port stealing

    FTP cannot encrypt its traffic: all transmissions are cleartext, so usernames, passwords, commands and data can be read by anyone able to intercept the packets on the network. This problem is typical of many Internet protocol specifications (including SMTP, Telnet, POP and IMAP) developed before encryption mechanisms such as TLS and SSL existed. The usual solution is to use "secure", TLS-protected versions of the vulnerable protocols (FTPS for FTP, TelnetS for Telnet, etc.) or another, more secure protocol such as SFTP/SCP, which ships with most Secure Shell implementations.

    Secure FTP

    There are several methods for securely transferring files, at one time or another called "Secure FTP".

    FTPS

    Explicit FTPS is an extension to the FTP standard that allows clients to require that the FTP session be encrypted. This is implemented by sending the "AUTH TLS" command. The server may allow or reject connections that do not request TLS. This protocol extension is defined in RFC 4217. Implicit FTPS is a legacy standard for FTP that requires an SSL or TLS connection. This standard uses ports different from those of normal FTP.
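    The following Python example is added here and is not code from the original page. It shows what "requiring that the session be encrypted" looks like on the client side with the standard library's ftplib.FTP_TLS: a plain connection to port 21, AUTH TLS, login inside TLS, then PROT P so the data connections are encrypted as well. It also contrasts a certificate-verifying TLS context with the verification-disabled context that scripts often use by mistake, which turns FTPS back into an interceptable session. Host, credentials and path are assumed placeholders, and the connection function needs a live FTPS server, so it is not exercised offline.

```python
import ssl
from ftplib import FTP_TLS


def make_tls_context(cafile=None):
    """TLS context for an FTPS client that actually verifies the server.

    create_default_context() enables certificate verification and hostname
    checking; the TLS 1.2 floor is added because the "SSL" in "SSL/TLS"
    refers to versions no server should still negotiate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_tls_context():
    """The common mistake: verification switched off. Any host on the path
    can present its own certificate and read the session. For contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_strict(ctx):
    """True only if the context refuses unverified servers and pre-1.2 TLS."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def list_directory_over_explicit_ftps(host, user, password, path="/",
                                      port=21, cafile=None):
    """Explicit FTPS: connect in the clear on port 21, upgrade with AUTH TLS,
    authenticate inside TLS, then PROT P so data connections are encrypted too.

    host, user, password and path are caller-supplied placeholders; this needs
    a live FTPS server and is not run by the accompanying checks.
    """
    ctx = make_tls_context(cafile)
    if not tls_context_is_strict(ctx):
        raise RuntimeError("refusing to connect with a non-verifying TLS context")
    with FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, port, timeout=30)
        ftp.auth()                 # sends "AUTH TLS"; the control channel is now TLS
        ftp.login(user, password)  # USER/PASS travel inside the TLS session
        ftp.prot_p()               # "PBSZ 0" + "PROT P": protect the data channel
        ftp.cwd(path)
        return ftp.nlst()          # listing arrives over an encrypted data connection
```

    The check in list_directory_over_explicit_ftps is deliberate: a server that accepts AUTH TLS but presents an unverified certificate gives no protection against an active interceptor, so the client refuses to proceed rather than silently degrade.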

    SFTP

    SFTP, or "SSH File Transfer Protocol", is not related to FTP, except that it also transfers files and has a similar set of commands for users. SFTP, or secure FTP, is a program that uses SSH (Secure Shell) to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network. SFTP is similar in functionality to FTP, but because it uses a different protocol, standard FTP clients cannot communicate with an SFTP server and vice versa.

    FTP over SSH (not SFTP)

    FTP over SSH (not SFTP) refers to the practice of tunneling a regular FTP session over an SSH connection. Because FTP uses multiple TCP connections, tunneling it over SSH is especially difficult. When an SSH client simply forwards the control channel (the original client-server connection on port 21), only that channel is protected; when data is transferred, the FTP software on either end establishes new TCP connections (data channels) that bypass the SSH tunnel and therefore receive none of its protection.

    To protect the data channels as well, the SSH client software needs some knowledge of FTP so that it can monitor and rewrite the FTP control-channel messages and open new forwardings for the FTP data connections on its own. Software packages that support this mode:

    • Tectia ConnectSecure (Win/Linux/Unix)
    • Tectia Server for IBM z/OS from the SSH Communications Security package
    • (under GPL license)

    FTP over SSH is sometimes referred to as secure FTP; but it should not be confused with other methods such as SSL/TLS (FTPS). Other file transfer methods using SSH and not related to FTP are SFTP and SCP; in each of them, both credentials and file data are always protected by the SSH protocol.

    History

    The first implementation of the protocol (1971) provided for the exchange between the client and server of messages consisting of a header (72 bits) and variable length data. The message header included a request to or response from the FTP server, the type and length of the data being transferred. Request parameters (for example, path and file name), information from the server (for example, a list of files in a directory) and the files themselves were transmitted as data. Thus, commands and data were transmitted over the same channel.

    In 1972, the protocol was completely changed and took on a form close to the modern one. Commands with parameters from the client and server responses are transmitted over a TELNET connection (control channel); a separate connection (data channel) is created for data transfer.

    In subsequent editions, the ability to work in passive mode, transfer files between FTP servers was added, commands were introduced to obtain information, change the current directory, create and delete directories, and save files under a unique name. For some time there were commands for sending email via FTP, but they were later removed from the protocol.

    In 1980, the FTP protocol began to use TCP. The latest version of the protocol was released in 1985. In 1997, an addition to the protocol appeared that allows information to be encrypted and signed in the control channel and data channel. In 1999, an addendum dedicated to protocol internationalization was released, which recommended the use of UTF-8 encoding for server commands and responses and defined a new LANG command that sets the response language.

    Basic Commands

    • ABOR - Abort file transfer
    • CDUP - Change directory to a higher one.
    • CWD - Change directory.
    • DELE - Delete a file (DELE filename).
    • EPSV - Enter extended passive mode. Used instead of PASV.
    • HELP - Displays a list of commands accepted by the server.
    • LIST - Returns a list of files in a directory. The list is sent over a data connection.
    • MDTM - Returns the file modification time.
    • MKD - Create a directory.
    • NLST - Returns a list of files in a directory in a shorter format than LIST. The list is sent over a data connection.
    • NOOP - Empty operation
    • PASV - Enter passive mode. The server will return the address and port to which you need to connect to collect the data. The transfer will begin when the following commands are entered: RETR, LIST, etc.
    • PORT - Enter active mode. For example PORT 12,34,45,56,78,89. Unlike the passive mode, the server itself connects to the client to transfer data.
    • PWD - Returns the current directory.
    • QUIT - Disconnect
    • REIN - Reinitialize connection
    • RETR - Download file. RETR must be preceded by a PASV or PORT command.
    • RMD - Delete directory
    • RNFR and RNTO - Rename a file: RNFR gives the current name, RNTO gives the new name.
    • SIZE - Returns the file size
    • STOR - Upload file. STOR must be preceded by a PASV or PORT command.
    • SYST - Returns the system type (UNIX, WIN, ...)
    • TYPE - Set the file transfer type (binary, text)
    • USER - Username to log into the server

    FTP response codes

    Below is a brief description of the response codes that may be returned by an FTP server. These codes have been standardized by the IETF in RFC 959. As mentioned earlier, the response code is a three-digit number. The first digit is responsible for one of three outcomes: success, refusal, or an indication of an error or incomplete answer.

    • 2xx – Successful response
    • 4xx/5xx – Command cannot be executed
    • 1xx/3xx – Error or incomplete response

    The second digit determines the type of error:

    • x0z – Syntactic.
    • x1z – Information. Corresponds to the information message.
    • x2z – Connections. The message refers to a control connection or a data connection.
    • x3z – Corresponds to user authentication and rights messages.
    • x4z – Not defined.
    • x5z – File system. Corresponds to a file system status message.

    The third digit specifies the particular reply or error within that group.

    Example

      220 FTP server ready.
      USER ftp                                            // anonymous login
      230 Login successful.
      PASV
      227 Entering Passive Mode (192,168,254,253,233,92)  // the client must open a connection to the transmitted IP address and port
      LIST
      150 Here comes the directory listing.               // the server sends the list of files in the directory over the data connection
      226 Directory send OK.
      CWD incoming
      250 Directory successfully changed.
      PASV
      227 Entering Passive Mode (192,168,254,253,207,56)
      STOR gyuyfotry.avi
      150 Ok to send data.                                // the client sends the contents of the file over the data connection
      226 File receive OK.
      QUIT
      221 Goodbye.

    The argument 192,168,254,253,207,56 means that the server expects a connection on the host with IP address 192.168.254.253, port 207 << 8 + 56 = 53048 (where << is the bitwise shift operation: 207 is written into the low-order byte and shifted into the high-order byte so that 56 can be written into the low-order byte; equivalently, 207 * 256 + 56 = 53048).

    Many FTP servers have a directory (called incoming, upload, etc.) that is writable and intended for uploading files to the server. This allows users to feed the server with fresh data.

    FXP

    FXP (File eXchange Protocol) is a way to transfer files between two FTP servers directly, without downloading them to your computer. In an FXP session, the client opens two FTP connections to two different servers, requesting a file from the first server while specifying the IP address of the second server in the PORT command.

    An undoubted advantage of supporting the FXP standard is that end users wishing to copy files from one FTP server to another are no longer subject to the bandwidth limitations of their own Internet connection. There is no need to download a file for yourself and then upload it to another FTP server. Thus, the file transfer time will depend only on the connection speed between two remote FTP servers, which in most cases is obviously higher than the “user” one.

    FXP came to be used by attackers against other servers: the PORT command names the IP address and port of a service on the victim's machine, and a subsequent RETR/STOR makes the FTP server, rather than the attacker's machine, connect to that port. This allowed large-scale DDoS attacks using many FTP servers at once, and it allowed the victim's access controls to be bypassed when they rely only on the client's IP address and the FTP server used for the attack sits on a trusted network or gateway. As a result, almost all servers now check that the IP address given in the PORT command matches the IP address of the FTP client and, by default, refuse third-party addresses there. Consequently, FXP is not possible with public FTP servers.
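    The address arithmetic explained under the response-code example and the PORT check described in this section, as an added Python example that is not part of the original page: decode_hostport turns the h1,h2,h3,h4,p1,p2 form used by both the PORT command and the 227 reply into (ip, port), with port = p1 * 256 + p2 (53048 for 207,56), and check_port_command is the server-side policy a defender wants. The data address must equal the control connection's peer unless third-party (FXP) transfers are deliberately enabled, and privileged ports are refused, as RFC 2577 recommends, so the server cannot be pointed at another service on a client's behalf. The peer addresses and PORT arguments used in the checks are constructed.

```python
import ipaddress


def decode_hostport(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' (a PORT argument or the payload of a 227
    reply) into (ip, port). The port is p1 * 256 + p2, i.e. (p1 << 8) | p2."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated numbers, got %r" % arg)
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("non-numeric field in %r" % arg)
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be in 0..255: %r" % arg)
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: the argument a client puts in PORT."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def check_port_command(peer_ip, arg, allow_third_party=False):
    """Server-side policy for a PORT command received from peer_ip.

    Returns (accepted, reason). The data address must be the client's own
    address unless third-party (FXP) transfers are deliberately enabled, and
    privileged ports are refused so the server cannot be made to connect to
    another service on the client's behalf (the bounce attack of RFC 2577).
    """
    try:
        ip, port = decode_hostport(arg)
    except ValueError as exc:
        return False, "malformed PORT argument: %s" % exc
    if port < 1024:
        return False, "privileged port %d refused" % port
    if not allow_third_party and ip != peer_ip:
        return False, "data address %s differs from control peer %s" % (ip, peer_ip)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the 227 payload from the example session and a few
    # PORT arguments as a server might receive them from a client at 10.0.0.5.
    print(decode_hostport("192,168,254,253,207,56"))   # ('192.168.254.253', 53048)
    for peer, arg in [("10.0.0.5", "10,0,0,5,4,1"),    # own address, port 1025: ok
                      ("10.0.0.5", "10,0,0,9,4,1"),    # third-party address: refused
                      ("10.0.0.5", "10,0,0,5,0,25")]:  # privileged port: refused
        print(peer, arg, check_port_command(peer, arg))
```

    A server that sets allow_third_party=True is opting back into FXP and the bounce risk that comes with it; the flag exists so that the choice is explicit and logged rather than the silent default it once was.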

    See also

    • List of FTP servers (English)
    • FTP server commands and error codes

    Links

    • Original FTP specification RFC 959
    • RFC 2228 Security Extensions
    • FTP Internationalization RFC 2640
    • NAT-PT extension to support FTP RFC 2766
    • Encryption KEA and SKIPJACK RFC 2773
    • RFC 3659 FTP Command Extension