Linux Step By Steps
TFTP SERVER

From: Bill Parker <dogbert@mail.netnevada.net>

Here is a step-by-step guide to implementing a TFTP server on OpenLinux.

Enabling a TFTP server on your linux box

Date Written: April 27, 2001

Systems Tested against: OpenLinux 2.3

Kernel Tested against: 2.2.19 (should work with kernels before 2.2.19, and with 2.4.x, where the IPCHAINS rules below need the ipchains compatibility module or an iptables equivalent)

Written by Bill Parker with help from Jeffery Hawkins

This describes how to get a TFTP (trivial file transfer protocol) server working on your linux box in a secure fashion.

First, you need a TFTP server. On every installation of OpenLinux to date the tftp server and client software is NOT installed by default, so what I did was to obtain atftp-0.3.tar.gz (advanced tftp), which contains both client and server software for linux. Also, TFTP has no authentication of its own: anyone who can reach UDP port 69 on the box can read, and if the directory permits it write, files under the server's directory. So tftp can be a security hole if NOT properly configured, and the end user assumes all risk here.

Do these steps as root:

cd /usr/local/src
tar zvxf <path>/atftp-0.3.tar.gz
cd atftp-0.3
make
make install (note that I had to move the manual pages to /usr/man/man1 and /usr/man/man8 myself after doing the install).

Create the "/tftpboot" directory and set its access permissions for full access. Be aware that 777 means any client that gets past TCP Wrappers and the firewall rules below can upload into, or overwrite anything in, this directory, so only keep files there that you are willing to have read or replaced.

cd /
mkdir tftpboot
chmod 777 tftpboot

If you want to use a different directory name, you will need to modify the tftp line in /etc/inetd.conf so that its last field names your directory, like this:

tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /cisco

I used the directory 'cisco' since I'm using this to back up and store Cisco IOS images as well as configuration files (so in the above section, 'tftpboot' would become 'cisco' in this case). Remember that saved router configs contain the enable secret and other password hashes, and some passwords in reversible form, so anyone who can get past the filters below can fetch them.

Modify the "/etc/hosts.allow" and "/etc/hosts.deny" files for TCP Wrappers access control. If you don't want to restrict access with TCP Wrappers at all, leave both files without entries (tcpd then lets everything through). In my case I used the following in /etc/hosts.allow and hosts.deny:

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: 192.168.2. 192.168.3.
swat: 127.0.0.1 : ALLOW
swat: 192.168.3. : ALLOW
swat: xxx.xxx.xxx. : ALLOW
in.tftpd: xxx.xxx.xxx. 192.168.3.
swat: ALL : DENY

where xxx.xxx.xxx. is the network part (first three octets, with the trailing dot) of the address of the linux box running the tftp server. tcpd treats a pattern that ends in a dot as a network prefix, so this entry admits every host on the server's own class C network, not just the server itself.

#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

swat: ALL EXCEPT 127.0.0.1
ALL: ALL

Modify "/etc/inetd.conf" to enable the tftp service under TCP Wrapper control (to do this, remove the '#' sign in the first column, so the line looks like the one below; the last field is the directory tftp clients are confined to):

#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /cisco

For more security, you may want to configure your IPCHAINS rules so that the UDP port used by TFTP requests (which is 69) is only reachable from your local network and blocked from everywhere else. Note that these rules only govern the initial request: after it, the transfer runs between the client's port and a port the server chooses (RFC 1350), so the rest of the traffic never touches port 69 and must not be blocked by your other input rules.

#
## tftp
$IPCHAINS -A input -p udp -s xxx.xxx.xxx.xxx/24 -d $LOCALNET 69 -j ACCEPT
$IPCHAINS -A input -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 69 -j DENY

where xxx.xxx.xxx.xxx/24 is the class C network that the linux box running the tftp server (and its permitted clients) sits on. The ACCEPT rule must come before the DENY rule, since ipchains acts on the first rule that matches.

*** NOTE ***

LOCALNET can be 0.0.0.0/0 as well, but I have LOCALNET defined as something else on my system.

*** NOTE ***

Stop and start INETD by going to /etc/rc.d/init.d and doing

cd /etc/rc.d/init.d
./inet stop
./inet start

(or give inetd a HUP if it is currently running: killall -HUP inetd)

If you are successful, try using the tftp client (Windows has one too) to move a file from your Windows box (or another linux box) to the linux box hosting the tftp server with the following command (I did this from Windows 2000):

tftp -i xxx.xxx.xxx.xxx PUT <filename> <cr>

where xxx.xxx.xxx.xxx is the IP address of the linux box running the tftp server.

In /var/log/messages you will see something like this (the logging is excellent with atftp-0.3, btw):

Apr 27 14:16:51 htmlodds tftpd[32161]: Trivial FTP server started (atftp-0.3)
Apr 27 14:16:51 htmlodds tftpd[32163]: Fetching from xxx.xxx.xxx.xxx to scrt312.exe
Apr 27 14:19:24 htmlodds tftpd[32167]: Fetching from xxx.xxx.xxx.xxx to mirc59t.exe
Apr 27 14:24:24 htmlodds tftpd[32161]: Terminating after timeout of 300 seconds
Apr 27 14:24:24 htmlodds tftpd[32161]: Load measurements:
Apr 27 14:24:24 htmlodds tftpd[32161]: User: 0.720s Sys: 1.000s
Apr 27 14:24:24 htmlodds tftpd[32161]: Total: 452.492s CPU: 0.380%
Apr 27 14:24:24 htmlodds tftpd[32161]: Time between connections:
Apr 27 14:24:24 htmlodds tftpd[32161]: Min: 152.488s Max: 152.488s
Apr 27 14:24:24 htmlodds tftpd[32161]: Thread stats:
Apr 27 14:24:24 htmlodds tftpd[32161]: simultaneous threads: 1
Apr 27 14:24:24 htmlodds tftpd[32161]: number of servers: 2
Apr 27 14:24:24 htmlodds tftpd[32161]: number of aborts: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of errors: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of files sent: 0
Apr 27 14:24:24 htmlodds tftpd[32161]: number of files received: 2
Apr 27 14:24:24 htmlodds tftpd[32161]: Main thread exiting
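As an added example (not from the original page and not part of atftp), here is a small sh script that reads atftpd log lines like the ones above and reports uploads per client, flagging any upload that came from a host outside the networks hosts.allow admits. Anything it flags got past tcpd and the IPCHAINS rules and deserves a look. The log lines, client addresses and file names inside it are constructed for the example; the only thing taken from atftp-0.3 is the "Fetching from <client> to <file>" format of its upload log line.

```shell
#!/bin/sh
# Added example, not part of the original page or of atftp: summarise what
# atftpd logged to /var/log/messages and flag uploads from hosts outside the
# networks that hosts.allow admits. The log below is CONSTRUCTED for this
# example in the format atftp-0.3 uses ("Fetching from <client> to <file>"
# is a client uploading a file); addresses and file names are made up.

SAMPLE_LOG='Apr 27 14:16:51 htmlodds tftpd[32161]: Trivial FTP server started (atftp-0.3)
Apr 27 14:16:51 htmlodds tftpd[32163]: Fetching from 192.168.3.20 to rtr1-confg
Apr 27 14:19:24 htmlodds tftpd[32167]: Fetching from 192.168.3.20 to c2500-i-l.120-25.bin
Apr 27 14:21:07 htmlodds tftpd[32170]: Fetching from 10.9.8.7 to mirc59t.exe
Apr 27 14:24:24 htmlodds tftpd[32161]: Terminating after timeout of 300 seconds
Apr 27 14:24:24 htmlodds tftpd[32161]: number of files received: 3'

# Networks permitted in hosts.allow, in tcpd's own notation: a trailing dot
# means "this network prefix" (192.168.3. matches 192.168.3.20, not 192.168.30.5).
ALLOWED_NETS="192.168.2. 192.168.3."

# Print only the upload records, one "<client> <file>" per line.
upload_records() {
    printf '%s\n' "$1" |
        awk '/tftpd\[[0-9]+\]: Fetching from / { print $(NF-2), $NF }'
}

# Number of files clients pushed to the server; should agree with
# atftpd's own "number of files received" figure at shutdown.
count_uploads() {
    upload_records "$1" | wc -l | tr -d ' '
}

# Uploads per client, busiest first, as "<count> <client>".
uploads_by_host() {
    upload_records "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Return 0 when IP begins with one of the prefixes in NETS (tcpd-style match).
in_allowed_net() {
    ip=$1
    for net in $2; do
        case "$ip" in
            "$net"*) return 0 ;;
        esac
    done
    return 1
}

# Uploads whose client lies outside NETS, as "<client> <file>".
unexpected_uploads() {
    upload_records "$1" | while read -r host file; do
        in_allowed_net "$host" "$2" || printf '%s %s\n' "$host" "$file"
    done
}

echo "uploads seen: $(count_uploads "$SAMPLE_LOG")"
echo "uploads by host:"
uploads_by_host "$SAMPLE_LOG"
echo "uploads from outside [$ALLOWED_NETS]:"
unexpected_uploads "$SAMPLE_LOG" "$ALLOWED_NETS"
```

To run it against the real log, replace SAMPLE_LOG with the output of grep tftpd /var/log/messages and ALLOWED_NETS with the prefixes from your own hosts.allow. Keep the trailing dot on each prefix: without it, 192.168.3 would also match 192.168.30.x, which is exactly why tcpd insists on the dot in its network patterns.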

If you get this far, your tftp server on Caldera OpenLinux is working very well. If someone can suggest ways to improve security for this process, I would be interested in adding more information to this document.

Bill Parker (dogbert@mail.netnevada.net)