Install also configure the FTP server. Part 2So, after a small acquaintance with the FTP protocol in the first elements of our material, we immediately proceed to install also the configuration of our own FTP server. Just note that in Windows 2000 / XP there is a built-in FTP server (Control Panel -> Installing also uninstalling programs -> Installing Windows Components -> Internet Information Services -> FTP Service). However, it is very primitive, inconvenient, and also unsafe - that's why we will not put it in any way.
And we will install the most powerful and multifunctional FTP server Serv-U - most of the FTP sites of the most famous companies are working on it. Try not to use the old versions in any way, as there are vulnerabilities in them.
Serv-U consists of a pair of elements - Serv-U Administrator for configuring also the management of the FTP server, also the actual FTP server. Serv-U Administrator can also be installed on a friend's computer, through it it is allowed to remotely manage the Serv-U FTP server. To manage the FTP server service uses the TCP port 43958. Therefore, in order to avoid hacking, set the password to the management (in the "Set / Change Password" menu), preferably long. The option "Start automatically (system service)" allows you to automatically start the FTP server, and it will work regardless of who is logged on to the computer. Otherwise, the FTP server will start only when you start Serv-U Administrator.
Now configure the firewall. We also need to allow incoming outgoing TCP connections for Servuadmin.exe processes as well Servudaemon.exe.
We proceed further along the log of the settings of Serv-U Administrator, in "Settings -> General". Here it is worthwhile to include at least three important options. "Block FTP_bounce attacks and FXP" is the protection from transferring traffic between a pair of FTP-servers (an attacker's client can establish a session on behalf of another server, run pumping also leave, only you will be wasted to drive a room on the disk and also lose the purchased traffic limit). "Block users who connect more than ..." - protection from attempts to select the password of any FTP-account. "Block anti time-out schemes" - protection from attempts to bypass the limits of the pores of the session, given to one or another account. Similar here it is allowed to limit the overall speed of upload (upload), download (also) the number of immediately served users (this is a global setting, then we can create such limits separately for different accounts).
Now create the server. To do this, we make our way through the settings log to "Domains", press the right mouse button and select "New Domain" in the pop-up. In the settings window, the "Domain IP Address" field is left empty, "Domain name" - specify some name, for example "FtpName" (it is only necessary for us), "Domain port number" is the port on which the FTP- server, for now we will specify a standard value of 21. "Domain type" indicates where the server settings will be stored, it is better to store them in INI-files.
Now the server is created (in English - "Domain"). It is possible to organize several servers (in this branch of the configuration log), on different ports, only the sense for ordinary users is not there.
In the settings log in the "Domains -> FtpName" section, we enable encryption support for "Security -> Allow SSL / TLS ans regular sessions". Now a little distracted from the server itself will also deal with ports also IP.
First, the server needs to know its external (Internet) IP address. If the address is static, then everything is simple - we enter it in the "Domain IP address". But if the IP address is dynamic (as, for example, in Stream), then you will have to use DynamicDNS services, where you will be assigned a domain name that will point to your IP, continuously monitor its updates as well.
In particular, such a complimentary favor to eat on No-IP.com , where you can create your computer some third-level domain on the Internet, for example, mycomputer.no-ip.com. There Blah Blah is allowed to download the customer No-IP dynamic update client, which will be continuously contacting No-IP.com to also check / update your IP address. I will not tell you about the settings of this customer, but I can advise its settings not to change, in addition to the parameter "When updating via NAT / Router / Proxy address ONLY" - it's better to set it on "every 5 minutes". So, after placing the customer also registering on No-IP.com, we put a checkbox in the settings of our FTP to "Enable dynamic DNS" and go to the appeared tab "Dynamic DNS". We prescribe the address registered in No-IP.com.
Secondly, it's time to deal with the ports. Many ISPs block incoming connections on the 21st port. To work around this problem, you should choose any other unused port, for example 32768, also enter it on the "Domain in FTP port number" tab. But remember that if the port is different from 21, then you should alienate the link in no way to ftp://mycomputer.no-ip.com, only ftp://mycomputer.no-ip.com:32768. Probably your FTP server is behind NAT. In this case on NAT it is necessary to configure the function "Port Forwarding". First, for the port on which he gives the answer. Secondly, as we already described earlier, for clients working in the "PASV" mode, some other ports are needed, to which they will connect. For this purpose, in Serv-U, eat the appropriate setting "Local Server -> Settings -> Advanced -> PASV port range", in which we specify some idle range, for example 32769-32784 also forward it to NAT.
We adjust further. In the menu "Domains -> FtpName (our server) -> Settings" on the "Logging" tab we enable the logging mode for system messages, security messages, files downloads, file uploads, IP names, FTP commands, FTP replies. In any way it will not increase a log, but it will help to localize problems. Specify the name of the log file also include the checkbox "Enable logging to file". On other tabs, nothing to configure does not need - by default, everything is suitable for most users.
Now we will create the user. For the source - the guest. First you need to create a folder on the disk, which will become the root directory of our FTP. For example, create C: \ FTP_Root. Next, you need to create a folder in which everyone can upload files (we will not give them [guests] from there), for example, we will do C: \ FTP_Root \ Incoming.
In Serv-U, eat the system of templates (Groups). There it is allowed to indicate the privileges of access for the created directories. It's simpler to create a group with the privilege of reading the root folder, as well as writing to. \ Incoming, only then do not prescribe to all users such blah blah rights, just add them this template. So, we move along the log of settings in "Domains -> FtpName -> Groups" and create a new group (New Group) there, call it, for example, guest. We go to the "Dir Access" tab, we also add there a couple of our directories - C: \ FTP_Root also C: \ FTP_Root \ Incoming.
We give them privileges of access. For FTP_Root - only Read also List, for Incoming - only Write-Create-Inherit. Such privileges mean: Read - reading files, Write - writing files, Append - file addition, Delete - deleting files, Execute - running executable files on the server machine (very dangerous privilege, do not give it to anyone), List - showing a list of subdirectories, Create - create a subdirectory, Remove - delete a subdirectory, Inherit - all subdirectories will own similar privileges (otherwise, there will be no access to them either, unless they are registered by themselves). Directory stitches are allowed to move up and down. When using inheritance (Inherit), this is actual - the top line has the highest priority of the permission.
So, now we create a guest user. Go to "Domains -> FtpName -> Users" also create the user "Anonymous" (this is the standard guest name, otherwise it will not be a guest). As the initial directory (Home Directory), specify C: \ FTP_Root. On the task "Lock user in home directory?" give the answer "Yes" - this will simplify the user's work.
Now - a significant point - in the settings of this user (Anonymous) we make our way to the "Dir Access" tab and also delete there automatically created line in FTP_Root (note that it inherits the privileges of reading in Incoming). Now, on the "Account" tab, add the group guest to Group (s), click "Apply". We return back to "Dir Access" also look. There appeared FTP_Root also Incoming, and they can not be edited - the user received the same privileges for guests from the "guest" template.
So, we have created a visitor. It can download any files from the C: \ FTP_Root directory (excluding subdirectories) and also upload a file to C: \ FTP_Root \ Incoming, but it can not download it from there (thus, your server can not be used for unauthorized transit files).
Now create some more authoritative user. To save pores, copy "Anonymous" also rename. We go up the log of the settings in the "Users", select (do not open) "Anonymous" also do the context menu "Copy User".
Rename it (for example, in Ivanov) also set the password. Pay attention, you yourself can not see what his password is, so remember it or at once tell the password to this user.
Now move to the "Dir Access" tab. Pay attention that since it enters the group "guest", the root directory is also incoming it is already registered. Let this user be able to download, to the sample, our music. For this we add a route to the music files and also give Read-List-Inherit benefits (the user will be able to download any files also subdirectories).
However, if the user now connects, then he does not see any directory with music, only sees FTP_Root. Therefore, you need to make a link to it from FTP_Root, and not by means of Windows, only by means of Serv-U itself. Go to the settings log in the "Domains -> FtpName -> Settings" tab on the "General, Virtual path mapping" tab.
It is necessary to make so that the folder music (for example, c: \ Doc \ Music) was shown in c: \ FTP_Root as as it a subdirectory FTP_Root. Click "Add" and fill in: "Physical path" - the directory to which you want to link, c: \ Doc \ Music, "Mapped to" - the directory in which this link should be placed - we will always get this C: \ FTP_Root, "Vitual name" is the name of this virtual subdirectory in FTP_Root, for example, Music. Done.
In "Virtual path mapping" you can place any links, but only those who see it in "Dir Access" own the corresponding rights. For example, in our case, the visitor does not see the Music directory.
To Ivanov when downloading music does not take particularly great our network channel, we move to the "General" tab of his account also specify "Max download speed".
By the way, I'll tell you more how our user Ivanov join FTP. Simply typing ftp://mycomputer.no-ip.com, it will enter as a guest, but not like Ivanov. Login also the password is allowed to insert directly into the ftp address: // Ivanov: firstname.lastname@example.org - the browser (FTP client) will understand this also uses. Or, you need to study the settings of the FTP client to find where in it when connecting the name is also a password for no guest login.
Now we will create another user, which will have access to any secret documents, and therefore it is impossible to allow the hacking of his account. We copy it from Anonymous, also called, for example, Petrov. Go to the "General" tab of his account. Here you can eat a couple of interesting points from the point of view of safety.
First, the Password type. If you specify "OTP S / KEY MD5", then the attackers will not intercept the password in any way. If you specify "Regular password", this will become the standard procedure for exchanging passwords, and it can also be intercepted. The user can not choose the password mode, this should be done on the server.
Second, Require secure connection. Password type provides only password protection, but not data transfer. The installation of an encrypted connection also provides data protection, as well as password protection. Moreover, if you do not put a check on "Require secure connection" in any way, then the user can select the encrypted association himself only if the jackdaw costs, then the user will be obliged to use the encrypted connection, otherwise it will not be allowed in any other way. By the way, most clients do not support OTP passwords when encrypting - as this is redundant, because Password type make "Regular password" if encryption connections exist for this account.
I will remind you that regular Windows FTP clients do not support OTP passwords or encryption in any way - users should use CuteFTP to apply these security measures.
When everything is set up, obviously, you will want to see for yourself how it all works. It's possible, it's also not necessary to move to another computer (except, really, check the firewall settings or NAT). Using the local address (127.0.0.1) for this purpose, we type in the browser or ftp client the address ftp://127.0.0.1 (if the default port is 21), or ftp://127.0.0.1:32768 (if the port is non-standard, for example , 32768). Done. You can fully fully test in this way all the features of your server. But keep in mind that in passive mode (PASV), if your FTP server is behind NAT, then for the data exchange the server will indicate to the customer the external IP, and also the association will become impossible. Therefore, for testing, use the usual PORT mode in FTP clients.
PS By the way, if that is not clear, then Serv-U has an excellent context-sensitive help system, called by pressing the "F1" key.