Installing and configuring the FTP server. Part 2

So, after a short acquaintance with the FTP protocol in the first part of our material, we proceed straight to installing and configuring our own FTP server. Note that Windows 2000/XP has a built-in FTP server (Control Panel -> Add or Remove Programs -> Add/Remove Windows Components -> Internet Information Services -> FTP Service). However, it is very primitive, inconvenient and insecure, so we will not be installing it.
Instead we will install the most powerful and multifunctional FTP server, Serv-U; most FTP sites of well-known companies run on it. Do not use old versions, since they contain known vulnerabilities.
Serv-U consists of two components: Serv-U Administrator, for configuring and managing the FTP server, and the FTP server itself. Serv-U Administrator can also be installed on another computer, from which it can manage the Serv-U FTP server remotely. For management, the FTP server service listens on TCP port 43958, so to prevent a takeover of the server, set a management password (in the "Set / Change Password" menu), preferably a long one. The option "Start automatically (system service)" starts the FTP server automatically, and it then runs regardless of who is logged on to the computer. Otherwise the FTP server starts only when you start Serv-U Administrator.
Now configure the firewall. We need to allow incoming and outgoing TCP connections for the processes Servuadmin.exe and Servudaemon.exe.
We continue down the Serv-U Administrator settings tree to "Settings -> General". Here it makes sense to enable at least three important options. "Block FTP_bounce attacks and FXP" protects against traffic being relayed between a pair of FTP servers (an attacker's client can open a session on behalf of another server, start the transfer and leave; you are the one left with a filled disk and a used-up traffic quota). "Block users who connect more than ..." protects against attempts to guess the password of an FTP account. "Block anti time-out schemes" protects against attempts to circumvent the session time limits set for an account. Here you can also limit the overall upload speed, download speed and the number of simultaneously served users (this is a global setting; later we can set such limits separately for individual accounts).
Now create a server. To do this, go to "Domains" in the settings tree, right-click and select "New Domain" in the popup menu. In the settings window, leave the "Domain IP Address" field empty; in "Domain name" enter some name, for example "FtpName" (it is needed only by us); "Domain port number" is the port on which the FTP server will answer, and for now we enter the standard value, 21. "Domain type" specifies where the server settings are stored; it is better to store them in INI files.
Now the server (in Serv-U terminology, a "Domain") is created. It is possible to set up several servers in this branch of the settings tree, on different ports, but there is no point in this for ordinary users.
In the settings tree under "Domains -> FtpName", enable encryption support: "Security -> Allow SSL/TLS and regular sessions". Now let us step away from the server itself for a moment and deal with IP addresses and ports.
First, the server needs to know its external (Internet) IP address. If the address is static, everything is simple: we enter it into "Domain IP address". But if the IP address is dynamic (as, for example, with Stream), you will have to use a Dynamic DNS service, where you are assigned a domain name that points to your IP and constantly tracks its changes.
In particular, such a free service is available at No-IP.com, where you can create any third-level domain for your computer, for example mycomputer.no-ip.com. From there you can also download the No-IP dynamic update client, which constantly contacts No-IP.com and checks/updates your IP address. I will not describe the settings of this client, but I can advise you not to change them, except for the parameter "When updating via NAT / Router / Proxy address ONLY", which is better set to "every 5 minutes". So, having registered on No-IP.com and installed the client, in the settings of our FTP server we tick "Enable dynamic DNS" and go to the "Dynamic DNS" tab that appears. There we enter the address registered at No-IP.com.
Second, it is time to deal with ports. Many providers block incoming connections on port 21. To work around this, select some other unoccupied port, for example 32768, and enter it in the port number field on the "Domain" tab. But remember that if the port differs from 21, the link you hand out is not ftp://mycomputer.no-ip.com but ftp://mycomputer.no-ip.com:32768. Your FTP server is probably behind NAT. In that case you need to configure port forwarding on the NAT device. First, for the port on which the server answers. Second, as we described earlier, clients working in "PASV" mode need some additional ports to connect to. For this purpose Serv-U has the setting "Local Server -> Settings -> Advanced -> PASV port range", in which we specify some unoccupied range, for example 32769-32784, and forward it on the NAT device as well.
We configure further. In "Domains -> FtpName (our server) -> Settings", on the "Logging" tab, enable logging to file of system messages, security messages, file downloads, file uploads, IP names, FTP commands and FTP replies. All this grows the log considerably, but it helps to localize problems. Specify the name of the log file and tick "Enable logging to file". On the other tabs nothing needs to be configured; the defaults suit most users.
Now we will create the users. To begin with, the guest. First you need to create a folder on disk that will become the root directory of our FTP. For example, create C:\FTP_Root. Next, create a folder into which everyone can upload files (but guests will not be allowed to download from there), for example C:\FTP_Root\Incoming.
Serv-U has a template system (Groups) in which access privileges to the created directories can be specified. It is easier to create a group with read privilege on the root folder and write privilege on .\Incoming, and then, rather than assigning all these privileges to every user, simply add this template to them. So, we go to "Domains -> FtpName -> Groups" in the settings tree and create a new group there (New Group), naming it, for example, guest. We go to the "Dir Access" tab and add our two directories there: C:\FTP_Root and C:\FTP_Root\Incoming.
We give them access privileges. For FTP_Root, only Read and List; for Incoming, only Write, Create and Inherit. The privileges mean: Read - reading files; Write - writing files; Append - appending to files; Delete - deleting files; Execute - running executable files on the server machine (a very dangerous privilege, do not give it to anyone); List - showing the list of subdirectories; Create - creating a subdirectory; Remove - deleting a subdirectory; Inherit - all subdirectories get the same privileges (otherwise they have no rights at all unless they are registered separately). Directory lines can be moved up and down. When inheritance (Inherit) is used this matters: the top line has the highest priority.
So, now we create the guest user. We go to "Domains -> FtpName -> Users" and create the user "Anonymous" (this is the standard name for the guest; with any other name it will not be a guest). As the Home Directory, specify C:\FTP_Root. To the question "Lock user in home directory?" answer "Yes"; this simplifies things for the user.
Now an important point: in the settings of this user (Anonymous), go to the "Dir Access" tab and delete the automatically created line for FTP_Root there (note that it inherits read privileges into Incoming). Then, on the "Account" tab, add the guest group to Group(s) and click "Apply". We go back to "Dir Access" and look: FTP_Root and Incoming have appeared here, and they cannot be edited, because the user received these guest privileges from the "guest" template.
So, we have created a guest. It can download any files from the C:\FTP_Root directory (excluding subdirectories) and upload files to C:\FTP_Root\Incoming, but cannot download from there (so your server cannot be used for unauthorized transit of files).
Now create a more privileged user. To save time, copy "Anonymous" and rename it. We go to "Users" in the settings tree, select (do not open) "Anonymous" and choose "Copy User" in the context menu.
Rename it (for example, to Ivanov) and set a password. Note that you yourself will not be able to see what his password is, so remember it or tell it to the user right away.
Now go to the "Dir Access" tab. Note that since he belongs to the "guest" group, his root directory is already registered. Let this user be able to download, for example, our music. To do this, add the path to the music files and give Read, List and Inherit privileges (the user will be able to download any files, including from subdirectories).
However, if the user connects now, he will not see any music directory; he will see only FTP_Root. Therefore you need to make a link to it from FTP_Root, not by Windows means but by means of Serv-U itself. We go in the settings tree to "Domains -> FtpName -> Settings", tab "General", section "Virtual path mapping".
We need the folder with the music (for example, c:\Doc\Music) to be shown in c:\FTP_Root as if it were a subdirectory of FTP_Root. Click "Add" and fill in: "Physical path" - the directory to link to, here c:\Doc\Music; "Mapped to" - the directory in which the link is placed, which in our case is always C:\FTP_Root; "Virtual name" - the name of this virtual subdirectory in FTP_Root, for example Music. Done.
In "Virtual path mapping" you can place as many links as you like, but only those who have the appropriate rights in "Dir Access" will see them. For example, in our case the guest will not see the Music directory.
So that Ivanov does not hog our network channel when downloading music, we go to the "General" tab of his account and set "Max download speed".
By the way, I will also tell you how our user Ivanov connects to the FTP. By simply typing ftp://mycomputer.no-ip.com he logs in as a guest, not as Ivanov. The login and password can be inserted directly into the address, in the form ftp://Ivanov:password@mycomputer.no-ip.com (with his real password in place of "password"); the browser (FTP client) understands this and uses it. Alternatively, study the FTP client's settings to find where the name and password for a non-guest login are entered when connecting.
Now we will create another user, who will have access to some confidential documents, which is why a compromise of his account must not be allowed. Copy it from Anonymous and name it, for example, Petrov. We go to the "General" tab of his account. Here there are a couple of points of interest from a security standpoint.
First, Password type. If you specify "OTP S/KEY MD5", attackers will not be able to intercept the password. If you specify "Regular password", the standard password exchange is used, and the password can be intercepted. The user cannot choose the password mode himself; this must be set on the server.
Second, Require secure connection. Password type protects only the password, not the transferred data. Establishing an encrypted connection protects both the data and the password. Moreover, if you do not tick "Require secure connection", the user may choose an encrypted connection himself if he wishes, but if the box is ticked the user is obliged to use an encrypted connection and will not be let in otherwise. By the way, most clients do not support OTP passwords over an encrypted connection, since that would be redundant; therefore set Password type to "Regular password" if encrypted connections may be used for this account.
Let me remind you that the standard Windows FTP clients support neither OTP passwords nor encryption; to use these security measures, users need another client, for example CuteFTP.
When everything is set up, you will obviously want to see for yourself how it all works. Moving to another computer is not necessary for this at all (except, of course, to check the firewall or NAT settings). Using the local address (127.0.0.1), we type in the browser or FTP client the address ftp://127.0.0.1 (if the default port 21 is used) or ftp://127.0.0.1:32768 (if the port is non-standard, for example 32768). Done. This way you can fully test all the capabilities of your server. But keep in mind that in passive mode (PASV), if your FTP server is behind NAT, the server will give the client its external IP for the data connection, and the connection will fail. Therefore, for testing, use the usual PORT mode in FTP clients.
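Both the PASV port range forwarded on the NAT device (described with the port settings above) and the failure just mentioned when testing via 127.0.0.1 come down to what the server puts in its 227 reply. The following added example (not Serv-U code; the replies and the address 203.0.113.5 are constructed) parses that reply and reports whether the data connection can work.

```python
"""Check a PASV reply against the forwarding from the text: the data port must
fall inside the PASV range forwarded on the NAT device, and the advertised
address must be one the client can actually reach.  Added example with
constructed replies, not Serv-U code."""
import re
from typing import Dict, Optional, Tuple

# The range the text forwards on the NAT device for passive data connections.
PASV_RANGE = (32769, 32784)
# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if it is not a valid one."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_ip: str,
               pasv_range: Tuple[int, int] = PASV_RANGE) -> Dict[str, object]:
    """Say whether the data connection this reply asks for can work.
    control_ip is the address the client's control connection went to:
    127.0.0.1 when testing locally, the external address from the Internet."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "reason": "not a valid 227 reply"}
    host, port = parsed
    lo, hi = pasv_range
    if not lo <= port <= hi:
        return {"ok": False, "host": host, "port": port,
                "reason": f"port {port} outside forwarded range {lo}-{hi}"}
    if host != control_ip:
        # Behind NAT the server advertises its external address; a client that
        # reached it via 127.0.0.1 cannot connect there, so use PORT mode.
        return {"ok": False, "host": host, "port": port,
                "reason": f"advertised {host}, client connected to {control_ip}"}
    return {"ok": True, "host": host, "port": port, "reason": ""}


if __name__ == "__main__":
    # Constructed replies; 203.0.113.5 stands in for the external address.
    for reply, client in [
        ("227 Entering Passive Mode (203,0,113,5,128,1)", "203.0.113.5"),
        ("227 Entering Passive Mode (203,0,113,5,128,1)", "127.0.0.1"),
    ]:
        print(reply, "->", check_pasv(reply, client))
```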
P.S. By the way, if something is unclear, Serv-U has an excellent context-sensitive help system, called up by pressing the "F1" key.