Linux/Networking/Security: TFTP Daemon Setup and Cisco Configuration Backup
This is a quick walk-through on setting up a TFTP service on a Red Hat, CentOS, or Fedora system so that a Cisco switch can save its running configuration to it. The xinetd and iptables steps should carry over to other Linux distributions (not BSD) with minor changes to package names and paths.
[root@tftpsrv ~]# yum install tftp-server
Resolving Dependencies
--> Running transaction check
---> Package tftp-server.i386 0:0.42-3.1.el5.centos set to be updated
--> Processing Dependency: xinetd for package: tftp-server
--> Running transaction check
---> Package xinetd.i386 2:2.3.14-10.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package            Arch    Version                 Repository    Size
=============================================================================
Installing:
 tftp-server        i386    0.42-3.1.el5.centos     base          27 k
Installing for dependencies:
 xinetd             i386    2:2.3.14-10.el5         base         124 k

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 151 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): tftp-server-0.42-3 100% |=========================|  27 kB    00:00
(2/2): xinetd-2.3.14-10.e 100% |=========================| 124 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: xinetd                    ######################### [1/2]
  Installing: tftp-server               ######################### [2/2]

Installed: tftp-server.i386 0:0.42-3.1.el5.centos
Dependency Installed: xinetd.i386 2:2.3.14-10.el5
Complete!
Edit the xinetd service file to enable tftp. Two lines change: server_args points at the directory the configs will land in (/tftpfiles here instead of the packaged default /tftpboot), and disable goes from yes to no.
[root@tftpsrv ~]# vi /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
#	protocol.  The tftp protocol is often used to boot diskless \
#	workstations, download configuration files to network-aware printers, \
#	and to start the installation process for some operating systems.
service tftp
{
	socket_type	= dgram
	protocol	= udp
	wait		= yes
	user		= root
	server		= /usr/sbin/in.tftpd
	server_args	= -s /tftpfiles
	disable		= no
	per_source	= 11
	cps		= 100 2
	flags		= IPv4
}
The -s flag makes in.tftpd chroot into /tftpfiles, so a request for ../../etc/passwd cannot escape the directory, and after the chroot the daemon drops from root to the user nobody (the -u option changes this; see the tftpd man page). Do not add -c (allow clients to create new files) unless you really want any host that can reach UDP/69 to drop files into the directory; the default of only overwriting files that already exist is what the rest of this walk-through relies on.
Create the directory specified in the tftp configuration file
[root@tftpsrv xinetd.d]# mkdir /tftpfiles
Start xinetd; it listens on UDP/69 and launches in.tftpd when a request arrives. For the first test I also back up the running iptables rules and flush the firewall, so that a failure is clearly a TFTP problem rather than a filtering problem; the rules go back in below. Save the backup somewhere harmless: /etc/init.d/iptables is the init script itself and /etc/sysconfig/iptables is the rule set the restart below reloads, so neither is a place to write a scratch copy.
[root@tftpsrv ~]# /etc/init.d/xinetd start
Starting xinetd:                                           [  OK  ]
[root@tftpsrv ~]# iptables-save > /root/iptables.backup
[root@tftpsrv ~]# iptables -F
Below, the tftp put fails. With the server_args above, in.tftpd only accepts a write request for a file that already exists and is writable by others; it will not create the file. TFTP itself has no authentication, so this existence check, together with the chroot and whatever the firewall lets through, is all the access control there is: a client has to know (or guess) a filename before it can overwrite it, and every world-readable file in the directory can be fetched by anyone who can reach UDP/69.
C9124SW5# copy running-config tftp:CISCSCOCFG1
Enter hostname for the tftp server: 172.16.100.6
Trying to connect to tftp server......
TFTP put operation failed:Undefined error code (2)
Create the file the switch will write to and make it writable by others. in.tftpd runs as nobody and checks the other-write bit, so the file must be world-writable; 666 is sufficient, since the execute bits in 777 buy nothing on a configuration file.
[root@tftpsrv ~]# touch /tftpfiles/CISCSCOCFG1
[root@tftpsrv ~]# chmod 777 /tftpfiles/CISCSCOCFG1
Tell the switch to save the file
C9124SW5# copy running-config tftp:CISCSCOCFG1
Enter hostname for the tftp server: 172.16.100.6
Trying to connect to tftp server......
| TFTP put operation was successful
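As an added example (not from the original post), here is a small bash script that pre-stages backup targets the way the steps above do and reproduces the check in.tftpd makes before honouring a request, so you can see why the first put failed and the second succeeded without involving a switch. The TFTP root defaults to /tftpfiles to match the xinetd file above; the switch names, the use of mode 666, and the reliance on GNU stat are my assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post: pre-stage Cisco config
# backup targets for tftp-hpa's in.tftpd and reproduce the access check the
# daemon applies with the default server_args (-s DIR, no -c, no -p).
# Assumptions: TFTP root /tftpfiles (matches the xinetd file above), GNU stat.

TFTP_ROOT="${TFTP_ROOT:-/tftpfiles}"

# tftp_access RRQ|WRQ /path/to/file
# Without -c or -p, in.tftpd (running as nobody after the chroot) only honours
# a read request if the file is readable by "other" and only honours a write
# request if the file already exists and is writable by "other". Nothing about
# the client is consulted: TFTP has no authentication, so the mode bits and the
# filename are the whole access control. Prints OK, ENOTFOUND, EACCESS or BADMODE.
tftp_access() {
    mode="$1"; path="$2"
    if [ ! -f "$path" ]; then
        echo ENOTFOUND; return 1
    fi
    other=$(( 0$(stat -c '%a' "$path") & 7 ))   # octal mode -> "other" bits
    case "$mode" in
        RRQ) bit=4 ;;
        WRQ) bit=2 ;;
        *)   echo BADMODE; return 2 ;;
    esac
    if [ $(( other & bit )) -ne 0 ]; then
        echo OK; return 0
    fi
    echo EACCESS; return 1
}

# stage_target SWITCHNAME
# Create the file that "copy running-config tftp:SWITCHNAME" will overwrite.
# Only a plain filename is accepted: anything containing a slash, or a bare
# "." or "..", is refused so the target can never land outside $TFTP_ROOT.
# The file gets mode 666; the other-write bit is what in.tftpd checks, and a
# config file has no use for execute bits. Prints the path that was staged.
stage_target() {
    name="$1"
    case "$name" in
        ''|*/*|.|..) echo "refusing unsafe name: '$name'" >&2; return 1 ;;
    esac
    mkdir -p "$TFTP_ROOT" || return 1
    target="$TFTP_ROOT/$name"
    touch "$target" || return 1      # touch, not truncate: keep an old backup intact
    chmod 666 "$target" || return 1
    echo "$target"
}

# Stage one target per switch named on the command line, then show what a
# read and a write request from the switch would get for each.
for sw in "$@"; do
    if f=$(stage_target "$sw"); then
        printf '%-30s RRQ=%s WRQ=%s\n' "$f" "$(tftp_access RRQ "$f")" "$(tftp_access WRQ "$f")"
    fi
done
```

Run it as root with the switch names as arguments (for this walk-through, `./stage.sh CISCSCOCFG1`); a target that reports WRQ=OK is one the switch can overwrite, and a file someone later tightens to 644 flips to WRQ=EACCESS, which is exactly the "Undefined error code (2)" the switch printed before the file was created.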
Check the services file for the TFTP port. It lists both a tcp and a udp entry, but TFTP runs over UDP only (the xinetd entry above says protocol = udp), so the udp rule below is the one that actually matters.
[root@tftpsrv]# cat /etc/services | grep tftp
tftp            69/tcp
tftp            69/udp
Bring the firewall back up so we can insert rules to allow TFTP in
[root@tftpsrv]# /etc/init.d/iptables restart
On my test server the input chain is RH-Firewall-1-INPUT. I prefer inserting new rules at position 1. Most servers carry a few custom REJECT rules and are otherwise explicit-allow with a default deny at the end; inserting at the top means the tftp rule is evaluated before anything that could reject the packet.
[root@tftpsrv]# iptables -I RH-Firewall-1-INPUT 1 -s 172.16.100.98 -p tcp --dport 69 -j ACCEPT
[root@tftpsrv]# iptables -I RH-Firewall-1-INPUT 1 -s 172.16.100.98 -p udp --dport 69 -j ACCEPT
The -I inserts the rule into chain RH-Firewall-1-INPUT at position 1. -s matches the source address, which is the switch (172.16.100.98), so no other host can talk to the daemon; -p is the protocol, --dport the destination port, and -j ACCEPT the target the packet jumps to when it matches. Only the udp rule is needed. Note that the data packets of a transfer never arrive on port 69: in.tftpd answers each request from a fresh port and the switch then sends its blocks to that port. Those packets are accepted by the chain's usual ESTABLISHED,RELATED rule, because the server's own first reply created the connection-tracking entry; without such a state rule the transfer stalls after the first packet.
Verify the rules are there
[root@tftpsrv]# iptables -L
Chain RH-Firewall-1-INPUT
target     prot opt source               destination
ACCEPT     udp  --  172.16.100.98        anywhere            udp dpt:tftp
ACCEPT     tcp  --  172.16.100.98        anywhere            tcp dpt:tftp
Save the running rules to /etc/sysconfig/iptables, which the iptables init script reloads at boot, so they persist through reboots
[root@tftpsrv]# iptables-save > /etc/sysconfig/iptables
Notes: Never flush your iptables rules (iptables -F) on a production system that is not behind another firewall or that sits on a public IP; for as long as the rules are gone, every listening port on the box is open to everyone. Always save your iptables configuration before testing so you can restore it. If you are not comfortable with firewalls, or someone else is responsible for security in the company, ask them before changing the local iptables rules, or have them make the change. It is also good practice to give servers running TFTP, FTP, Telnet, DNS and mail their own dedicated hosts; these are among the most frequently attacked services. TFTP in particular has no authentication, and a Cisco running-config carries enable secrets, SNMP community strings and often reversible type 7 passwords, so a box that holds switch configurations should do nothing else and be reachable from nothing but the network gear.

Thank you, that is very useful and digestible.
علیرضا said this on July 8, 2009 at 10:34 am