From: Bill Parker <dogbert@mail.netnevada.net>
Here is a step by step to implement tftp server on OpenLinux
Enabling a TFTP server on your linux box
Date Written: April 27, 2001
Systems Tested against: OpenLinux 2.3
Kernel Tested against: 2.2.19 (should work in 2.4.x, or < 2.2.19)
Written by Bill Parker with help from Jeffery Hawkins
This describes how to get a TFTP (trivial file transfer protocol) server working on your linux box in a secure fashion.
First, you need a tftp server, and on every installation of OpenLinux to date, the tftp server and client software is NOT installed by default, so what I did was to obtain atftp-0.3.tar.gz (advanced tftp) which contains both client and server software for linux. Also, tftp can be a security hole if NOT properly configured, so the end user assumes all risk here.
Do these steps as root:
cd /usr/local/src
tar zvxf <path>/atftp-0.3.tar.gz
cd atftp-0.3
make
make install (note that I had to move the manual pages to /usr/man/man1 and /usr/man/man8 myself after doing the install).
Create the "/tftpboot" directory, and set its access permissions for full access.
cd /
mkdir tftpboot
chmod 777 tftpboot
If you want to use a different directory name you will need to modify the line in /etc/inetd.conf to look like this:
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /cisco
I used the directory 'cisco' since I'm using this to back up and store cisco IOS images as well as configuration files (so in the above section, 'tftpboot' would in this case become 'cisco').
Modify the "/etc/hosts.allow" and "/etc/hosts.deny" files for TCP Wrapper Security. If you don't want to specify any security using TCP Wrappers, then the files should have no entries. In my case I used the following in /etc/hosts.allow and hosts.deny:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: 192.168.2. 192.168.3.
swat: 127.0.0.1 : ALLOW
swat: 192.168.3. : ALLOW
swat: xxx.xxx.xxx. : ALLOW
in.tftpd: xxx.xxx.xxx. 192.168.3.
swat: ALL : DENY
where xxx.xxx.xxx.xxx is the IP address of the linux box running the tftp server.
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
swat: ALL EXCEPT 127.0.0.1
ALL: ALL
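To see which (daemon, client) pairs the two files above actually admit, here is an added Python model of tcpd's evaluation order (hosts.allow is searched first, then hosts.deny, and anything matched by neither is permitted). It is not part of the original post; the rule text is copied from the files above, and the author's xxx.xxx.xxx. prefix is replaced by a constructed 10.1.1. stand-in.

```python
# Constructed stand-in for the author's "xxx.xxx.xxx." network prefix.
SERVER_NET = "10.1.1."
# Rule text copied from the post's hosts.allow and hosts.deny.
HOSTS_ALLOW = f"""
ALL: 192.168.2. 192.168.3.
swat: 127.0.0.1 : ALLOW
swat: 192.168.3. : ALLOW
swat: {SERVER_NET} : ALLOW
in.tftpd: {SERVER_NET} 192.168.3.
swat: ALL : DENY
"""
HOSTS_DENY = """
swat: ALL EXCEPT 127.0.0.1
ALL: ALL
"""

def match_token(pattern, value):
    # ALL is a wildcard; a trailing dot means network prefix; else exact match.
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def match_list(field, value):
    # 'A EXCEPT B' matches when A matches and B does not.
    if " EXCEPT " in field:
        inc, exc = field.split(" EXCEPT ", 1)
        return match_list(inc, value) and not match_list(exc, value)
    return any(match_token(tok, value) for tok in field.split())

def first_match(rules, daemon, client):
    # Option field ('ALLOW', 'DENY' or '') of the first matching rule, else None.
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        option = parts[2].upper() if len(parts) > 2 else ""
        if match_list(parts[0], daemon) and match_list(parts[1], client):
            return option
    return None

def tcpd_decision(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # hosts.allow first: a match grants access unless the line carries DENY.
    # Then hosts.deny, where a match refuses; a pair in neither file is allowed.
    opt = first_match(allow, daemon, client)
    if opt is not None:
        return opt != "DENY"
    return first_match(deny, daemon, client) is None
```

With these rules only clients in 192.168.2., 192.168.3. and the server's own network prefix reach in.tftpd; every other address, including 127.0.0.1, falls through to the ALL: ALL line in hosts.deny.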
Modify "/etc/inetd.conf" to enable TCP Wrapper Control of tftp (to do this, remove the '#' sign in the first column, so the line looks like this below):
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /cisco
For more security, you may want to configure your IPCHAINS rules for blocking the UDP Port used by TFTP (which is 69):
#
## tftp
$IPCHAINS -A input -p udp -s xxx.xxx.xxx.xxx/24 -d $LOCALNET 69 -j ACCEPT
$IPCHAINS -A input -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 69 -j DENY
where xxx.xxx.xxx.xxx is the IP address of the linux box running the tftp server.
*** NOTE ***
LOCALNET can be 0.0.0.0/0 as well, but I have LOCALNET defined as something else on my system
*** NOTE ***
Stop and start INETD by going to /etc/rc.d/init.d and doing
./inet stop followed by ./inet start (or give inetd a HUP, if it is currently running)
If you are successful, try using tftp (available on wintendo machines) to move a file from your windows box (or another linux box) to the linux box hosting the tftp server, with the following command (I did this in windows 2000):
tftp -i xxx.xxx.xxx.xxx PUT <filename> <cr>
where xxx.xxx.xxx.xxx is the IP address of the linux box running the tftp server.
In /var/log/messages you will see something like this (the logging is excellent with atftp-0.3, btw):
Apr 27 14:16:51 htmlodds tftpd[32161]: Trivial FTP server started (atftp-0.3)
Apr 27 14:16:51 htmlodds tftpd[32163]: Fetching from xxx.xxx.xxx.xxx to scrt312.exe
Apr 27 14:19:24 htmlodds tftpd[32167]: Fetching from xxx.xxx.xxx.xxx to mirc59t.exe
Apr 27 14:24:24 htmlodds tftpd[32161]: Terminating after timeout of 300 seconds
Apr 27 14:24:24 htmlodds tftpd[32161]: Load measurements:
Apr 27 14:24:24 htmlodds tftpd[32161]: User: 0.720s Sys: 1.000s
Apr 27 14:24:24 htmlodds tftpd[32161]: Total: 452.492s CPU: 0.380%
Apr 27 14:24:24 htmlodds tftpd[32161]: Time between connections:
Apr 27 14:24:24 htmlodds tftpd[32161]: Min: 152.488s Max: 152.488s
Apr 27 14:24:24 htmlodds tftpd[32161]: Thread stats:
Apr 27 14:24:24 htmlodds tftpd[32161]: simultaneous threads: 1
Apr 27 14:24:24 htmlodds tftpd[32161]: number of servers: 2
Apr 27 14:24:24 htmlodds tftpd[32161]: number of aborts: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of errors: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of files sent: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of files received: 2
Apr 27 14:24:24 htmlodds tftpd[32161]: Main thread exiting
If you get this far, your tftp server on Caldera OpenLinux is working very well. If someone can suggest ways to improve security for this process, I would be interested in adding more information to this document.
Bill Parker (dogbert@mail.netnevada.net)