Network File System (NFS)

For more background information on the protocol, see Wikipedia Article on Network File System

NFS is an open IETF and RFC standard, and was originally developed by Sun Microsystems. It is available naively on Unix and Linux, as well as many other platforms, including Microsoft Windows (Windows uses SMB protocol by default). The most widely adopted version is NFSv4; however, NFSv4.1 and NFSv4.2 also exist and are in use by various vendors.

For details on how to configure a server or client on Ubuntu Linux, refer to the Ubuntu Server Documentation and the section on Network File System (NFS).

NFS Key Components are:

• NFS Server: Hosts shared directories and facilitates access to clients
• Exports: Directories on the server that are shared with clients
• NFS Client: Mounts remote directories and facilitates local access to shared files

The NFS client mounts an NFS export (a shared directory) in an empty directory under the root, as if it were any other local volume. You can configure these network locations to be mounted on startup using the /etc/fstab and view them using lsblk and df as you can with any other storage volume. The process for mounting a filesystem is the same as a local disk; however, instead of a path to a local volume, the path is to an NFS export at a network location, for example: sudo mount 192.168.56.99:/shared /media/shared.

The server can be configured to share specific directories as defined in /etc/exports. Access control can also be defined per export, such as read and write options, security checks and enforcement, and even specifying which hosts are explicitly allowed access. NFS can also be used with authentication. The exportfs utility is used for viewing and managing shared directory settings.

Microsoft Windows File and Print Sharing (SMB) and SAMBA

Microsoft Windows uses proprietary SMB and NMP for file and print sharing. Please review more information on Wikipedia under Server Message Block.

SMB is a server-client model software. It is intended to be used on local networks only and is not intended to share files over the internet or across multiple LANs, as it opens up the servers and clients to many security issues. The SMB version 3.1.1 is the current version as of Windows 10 and Server 2016 and newer. It is a good idea to disable older SMB services, such as SMB versions 1 and 2, since they pose significant risks and vulnerabilities.

Microsoft does not make SMB specifications available, and does not support any implementations for use in other operating systems. SAMBA is an open source and free (GNU GPL) SMB and AD implementation. It was created by a PHD student by packet sniffing and reverse engineering the protocol back in 1991. The current SMB implementations are much more robust and are widely used and are standard in all Linux distros and many other OS such as MacOS (Apple) and Unix. Many commercially available NAS appliances integrate and use SAMBA, including large enterprise-grade systems. Cloud providers use SAMBA to provide Windows File services to their customers in their cloud environment.

For file and print sharing where user access control is needed (authentication), you can add Windows user accounts to your server (the SAMBA database is referred to as SAM). If configured correctly, Windows clients can connect to a SAMBA server, and users are able to authenticate from Windows using the credentials from the server. In addition to file and print sharing functionality, SAMBA can also connect to Active Directory domains, and can act as AD Domain Controller, potentially replacing a Windows server in some use-cases.

Software packages are samba for the server and smbclient for the client. More specific information is provided in the lab where the SAMBA server is configured on the lab VM. You can learn more by referring to Ubuntu Server Documentation, under Set up Samba as a file server article.

SAMBA-related utilities and tools:

• smbcontrol: send messages to smbd, nmbd or winbindd processes
• testparm: check an smb.conf configuration file for internal correctness
• smbstatus: report on current Samba connections
• pdbedit: manage the SAM database (Database of Samba Users)

File Transfer Protocol (FTP)

FTP is one of the oldest protocols that predates TCP/IP. It was created in 1971 and was updated in 1981 to become TCP/IP compatible. As with many old protocols, it was not designed to be secure. By default, the command and data channels are in plain text. Although the unencrypted variant is useful for public and unauthenticated file sharing where security is not of greatest concern, FTP is subject to brute-force, adversary-in-the-middle, DoS, Spoofing, packet capture, port stealing and many other vulnerabilities. It is highly recommended that you use the secure variant, FTPS, instead. FTPS uses SSL/TLS encryption to add a security layer to FTP and to prevent plain-text transmission of user credentials and other information over the internet.

FTP has a server and client model. The client software used to be built into browsers and operating systems, where the user could simply type a URL starting with ftp:// in an address bar. In more modern OS and browsers, this functionality has been removed or limited due to potential security implications. Usually, a user must install an FTP client software to access resources on an FTP server.

FTP operations require at least two TCP connections (ports):

• Control channel: All authentication and commands are transmitted, and replies are received through this channel (Default port 21)
• Data channel: transferring actual data and files (Default port 20, or a random port is negotiated)

Clients may choose to open multiple data channel ports for concurrent file transfers. Since most clients are behind NAT firewalls, unsolicited requests for communication over a random port from the server are usually not feasible. The FTP server can be configured to operate in one of the following modes, depending on the clients expected to be using the system:

• Active Mode FTP
  • Client initiates a TCP connection for control to port 21
  • Client selects a random port, and the server reaches out to that port to open the data channel
    • The server will only need to have port 21 open through the firewall
    • In a scenario where the client is behind a NAT, the unsolicited connection from the server will not be able to penetrate the NAT to reach the client (the client opens and forwards the port on its end by configuring the client-side NAT router/firewall to do so)
• Passive Mode FTP
  • Client initiates a TCP connection to port 21
  • Server communicates a randomly selected available port from a defined port range
  • Client will be reaching out to the specified port for the data channel
    • The server must have the port range defined, and traffic to these ports must be allowed through the firewall to the server
    • Client can reach the port through NAT because the client is initiating the connection (client does not need to open or forward ports)

Generally, for modern internet, passive-mode FTP is preferred, at the cost of the FTP server being exposed over a range of open ports.

The VSFTP Server

The "Very Secure FTP" (vsftp, and the daemon is vsftpd) is the software we have chosen as an FTP server for our lab. The vsftp package is a fully featured FTP and FTPS server. It can support all typical FTP server features, such as support for authenticated or anonymous access (uses Linux user accounts for authentication), SSL/TLS for FTPS, and chroot, where users are limited to a directory, and that directory is represented as the root of their filesystem (\). The chroot is used to prevent users from navigating up their directory (for example, by using cd .. so that they cannot access other users' or the system's files).

• Installation in Ubuntu: apt install vsftp
• Configurations are at /etc/vsftpd.conf
• Logs are at /var/log/vsftpd.log
• service vsftpd [start | stop | status]

FTPS vs SFTP

This is to clarify the difference between the two protocols since I see much confusion. I have even observed that software such as Filezilla had confused the two in their user interface. Please take a mental note of the following protocols and their differences.

• FTPS: FTP + SSL/TLS, uses TLS to encrypt FTP communications. It can be configured in FTP servers to be enabled as an implicit or explicit requirement
• SFTP: SSH File Transfer Protocol does NOT use the FTP protocol. It uses the SSH protocol while enabling the bi-directional transfer of binary files between the server and client. See the scp utility for how to use via CLI.