This page has been robot translated, sorry for typos if any. Original content here.

We also set up an FTP server. Part 2

So, after a small acquaintance with the FTP-protocol in the first elements of our material, we immediately proceed to the installation and setting up your own FTP-server. Immediately, we note that in Windows 2000 / XP there is a built-in FTP server (Control Panel -> Installation and removal of programs -> Installation of Windows components -> Internet Information Services -> FTP Service). However, it is very primitive, inconvenient, and also unsafe - therefore we will not install it at all.
And we will install the most powerful and multifunctional FTP server Serv-U - most of the FTP sites of famous companies work on it. Try not to use the old versions, as there are vulnerabilities in them.

Serv-U consists of a pair of elements - the Serv-U Administrator to configure also the management of the FTP server, as well as the FTP server itself. Serv-U Administrator can also be installed on a friend's computer, through which it is allowed to remotely manage the Serv-U FTP server. To manage the FTP server service, it uses TCP port 43958. Therefore, in order to avoid hacking, set a password for management (in the "Set / Change Password" menu), preferably a long one. The "Start automatically (system service)" option allows you to automatically start an FTP server, and it will work no matter who is logged on to the computer. Otherwise, the FTP server will start up only at what time you start the Serv-U Administrator.
Now we set up the firewall. We need to allow incoming outgoing connections using the TCP protocol for Servuadmin.exe processes and also Servudaemon.exe.
We follow further along the log of the Serv-U Administrator settings, in "Settings -> General". There’s a reason to include at least three important options. "Block FTP_bounce attacks and FXP" is a protection from transferring traffic between a pair of FTP servers (an attacker’s client can set up a session on behalf of another server, start the download also leave, only you will waste space on the disk and also lose the purchased traffic limit). "Block users who connect more than ..." - protection from attempts to guess the password of any FTP account. "Block anti time-out schemes" - protection from attempts to bypass the limits of the session time, given to one or another account. Similarly, it is allowed to limit the overall speed of reception (upload), return (download) and the number of immediately served users (this is a global setting, then we can create such limits separately for different accounts).

Now create a server. To do this, we make our way through the settings log in "Domains", press the right mouse button and also select in the pop-up "New Domain". In the settings window, leave the field "Domain IP Address" empty, "Domain name" - specify some name, for example "FtpName" (it is necessary only for us), "Domain port number" is the port on which the FTP will respond server, for now let's specify the default value - 21. "Domain type" indicates where the server settings will be stored, it is better to save them in INI files.
Now the server is created (in English - "Domain"). You can organize several servers (in this branch of the settings log), on different ports, there is no point for ordinary users in this.

In the settings log in the section "Domains -> FtpName" we enable support for encryption "Security -> Allow SSL / TLS ans regular sessions". Now we digress from the server itself a little and we will also deal with the ports of IP.
First, the server needs to know its external (Internet) IP address. If the address is static, then everything is simple - we enter it into the "Domain IP address". But if the IP address is dynamic (as, for example, in "Stream"), you will have to use the services of DynamicDNS, where you will be assigned a domain name, which will point to your IP, and also keep up to date to keep track of its changes.

In particular, such a gratuitous favor to eat at No-IP.com , there you can create your computer any domain 3 level on the Internet, for example, mycomputer.no-ip.com. There, blah blah, you are allowed to download the No-IP dynamic update client, which will non-stop contacting No-IP.com and also check / update your IP address. I will not talk about the settings of this customer, but I can advise you not to change its settings, in addition to the "When updating via NAT / Router / Proxy address ONLY" parameter - it is better to set it to "every 5 minutes". So, having placed the customer also having registered on No-IP.com, we put in the settings of our FTP a checkbox on "Enable dynamic DNS" and also switch to the appeared tab "Dynamic DNS". There we register the address registered in No-IP.com.
Secondly, it is time to deal with the ports. Many providers block incoming connections on port 21. To get around this problem, you should select any other unused port, for example, 32768, and also enter it on the "Domain to FTP port number" tab. But remember that if the port is different from 21, then the clients you should alienate the link does not ftp://mycomputer.no-ip.com, only ftp://mycomputer.no-ip.com:32768. Your FTP server is probably behind NAT. In this case, NAT needs to configure the "Port Forwarding" function. First, for the port on which it gives the answer. Secondly, as we already described earlier, for clients working in the "PASV" mode, some more ports are needed on which they will connect. For this purpose in Serv-U to eat the corresponding setting "Local Server -> Settings -> Advanced -> PASV port range", in which we indicate a certain unoccupied range, for example 32769-32784 we also forward it to NAT.
We configure further. In the "Domains -> FtpName (our server) -> Settings" menu on the "Logging" tab, we turn on the logging mode for system messages, security messages, files downloads, file uploads, IP names, FTP commands, FTP replies - all this It doesn’t do well to increase the log, but it helps to localize problems. Specify the name of the log file also include the checkbox "Enable logging to file". On the other tabs, nothing needs to be set up - by default everything is suitable for most users.

Now we will create a user. For the source - the guest. First we need to create a folder on the disk, which will become the root directory of our FTP. For example, create C: \ FTP_Root. Next, you need to create a folder into which everyone can upload files (we will not give them to them [guests] from there), for example, we will do C: \ FTP_Root \ Incoming.

In Serv-U eat the template system (Groups). There it is allowed to specify access privileges for the created directories. It is easier to create a group with the benefit of reading the root folder as well as entries in. \ Incoming, only then not to prescribe all users such privileges, just add this template to them. So, moving along the settings log in "Domains -> FtpName -> Groups" we also create a new group (New Group) there, we call it, for example, guest. Go to the tab "Dir Access", we also add a couple of our catalogs there - C: \ FTP_Root and C: \ FTP_Root \ Incoming.

We give them the benefits of access. For FTP_Root - only Read and List, for Incoming - only Write-Create-Inherit. Such privileges denote: Read - reading files, Write - writing files, Append - adding files, Delete - deleting files, Execute - running executable files on the server machine (a very dangerous privilege, do not give it to anyone), List - showing a list of subdirectories Create - create a subdirectory, Remove - delete a subdirectory, Inherit - all subdirectories will have similar benefits (otherwise, they will also have no access rights, if they are not registered independently). Lines of directories are allowed to move up and down. When using inheritance (Inherit), this is relevant - the top line has the highest priority resolution.
So, now we are creating a guest user. Go to "Domains -> FtpName -> Users" also create the user "Anonymous" (this is the standard name of the guest, otherwise it will not be the guest). We specify C: \ FTP_Root as the initial directory (Home Directory). On the task "Lock user in home directory?" give the answer "Yes" - this will simplify the user's work.
Now - a significant point - in the settings of this user (Anonymous) we break through to the tab "Dir Access" and delete the automatically created FTP_Root line there (take care that it inherits the benefits of reading in Incoming). Now on the "Account" tab, add the guest group to Group (s), click "Apply". Going back to "Dir Access" also look. FTP_Root and Incoming also appeared here, and it’s impossible to edit them - the user received those same guest benefits from the "guest" template.

So, we have created a visitor. It can download any files from the C: \ FTP_Root directory (excluding subdirectories) and also upload some file to C: \ FTP_Root \ Incoming, but it cannot download it from there (thus, your server cannot be used for unauthorized transit). files).
Now we create some more authorized user. To save pores, copy "Anonymous" and also rename it. Go back through the settings log in "Users", select (do not open) "Anonymous" also do in the context menu "Copy User".

Rename it (for example, in Ivanov) also set the password. Pay care, you yourself can not see what his password is, so remember it or tell the password to this user all at once.
Now we move to the tab "Dir Access". Pay attention that since it enters the "guest" group, the root directory is also incoming with it already registered. Let this user be able to download, to the sample, our music. To do this, add the route to the music files and give the benefits of Read-List-Inherit (the user will be able to download any files, also subdirectories).
However, if the user connects now, he will not see any directory with music, only see FTP_Root. Therefore, you need to make a link to it from FTP_Root, and not with Windows tools, only with the help of Serv-U itself. Go to the settings log in "Domains -> FtpName -> Settings" on the tab "General, Virtual path mapping".

You need to do this so that the music folder (for example, c: \ Doc \ Music) appears in c: \ FTP_Root as it is in the FTP_Root subdirectory. Click "Add" and fill in: "Physical path" - the directory to which you want to make a link, we write c: \ Doc \ Music, "Mapped to" - the directory in which this link should be placed - we always always have C: \ FTP_Root, "Vitual name" is the name of this virtual subdirectory in FTP_Root, for example, Music. Is done.
In the "Virtual path mapping" you can place any kind of links, but only those who see the corresponding rights in "Dir Access" will see them. For example, in our case, the visitor does not see the Music directory.
So that Ivanov doesn’t take our network’s channel especially when downloading music, we’ll go to the “General” tab of his account and also indicate “Max download speed”.
By the way, I’ll also tell our user Ivanov to join FTP. Just typing ftp://mycomputer.no-ip.com, he will enter as a guest, just not like Ivanov. Login is also allowed to paste the password directly into the address ftp: // Ivanov: password@mycomputer.no-ip.com - the browser (FTP client) will also understand this. Or, you should study the settings of the FTP client in order to find where in it when connecting, the name and the password for non-guest input are indicated.
Now we will create another user, who will have access to any secret documents, and therefore it is impossible to prevent his account from being hacked. We copy it from Anonymous, also we name, for example, Petrov. Go to the tab "General" of his account. There is a couple of interesting items from the point of view of security.

First, the Password type. If you specify "OTP S / KEY MD5", the attackers will not intercept the password. If you specify "Regular password", then it will become the standard procedure for sharing passwords, it can also intercept. The user cannot choose the password mode, it should be done on the server.
Secondly, Require secure connection. Password type provides only password protection, but not sent data. Setting an encrypted connection also provides data security, as well as password security. Moreover, if the checkbox on "Require secure connection" is not set, the user can personally choose the encrypted union, only if the jackdaw is, then the user will be obliged to use the encrypted connection, they will not allow it in any other way. By the way, most clients do not support the encryption of OTP passwords - since this is redundant, because the Password type make "Regular password" if there are encrypted connections for this account.
Let me remind you that regular Windows FTP clients do not support either OTP passwords or encryption - users need to use, for example, CuteFTP to apply these security measures.
When everything is set up, obviously, you will want to see for yourself how it all works. It is also possible to move to another computer is not necessary at all (except, really, checking the firewall or NAT settings). Using the local address (127.0.0.1) for this, we type in the browser or FTP client the address ftp://127.0.0.1 (if the default port is 21), or ftp://127.0.0.1:32768 (if the port is non-standard, for example , 32768). Is done. You can fully experience in this way all the capabilities of your server. But note that in passive mode (PASV), if your FTP server is behind NAT, then the server will indicate the external IP to the customer for data exchange, and the connection will become impossible. Therefore, for verification, use the usual PORT mode in FTP clients.
PS By the way, if that is not clear, then Serv-U has an excellent context-sensitive help system, called by pressing the "F1" key.