Monday, September 10, 2007

TFTP server - setup and install howto

The Trivial File Transfer Protocol (TFTP) is normally used only for booting diskless workstations. The tftp-server package provides the server for TFTP, which allows users to transfer files to and from a remote machine. TFTP provides very little security, and should not be enabled unless it is expressly needed. The TFTP server is run from /etc/xinetd.d/tftp, and is disabled by default on Red Hat Linux systems.

The TFTP protocol is extensively used to support remote booting of diskless devices. The server is normally started by inetd, but can also run standalone.

Here's an entry that covers few easy steps on creating a working TFTP server from Fedora.

First, install TFTP software using yum

# yum -y install tftp-server

If you have an existing TFTP server, you can upgrade tftp by issuing

# yum -y upgrade tftp-server

Using xinetd, configuring tftp config file /etc/xinetd.d/tftp would be like so

# cd /etc/xinetd.d
# cat tftp
service tftp
socket_type = dgram
protocol = udp
wait = no
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /tftpboot -u nobody
disable = no
per_source = 11
cps = 100 2
flags = IPv4

TFTP Additional Security

Be informed that TFTP access and services does not require account authentcation from the server. Due to the lack of authentication information, tftpd will allow only publicly readable files (o+r) to be accessed, unless the -p option is specified.

TFTP with TCPWrapper

/etc/hosts.allow allows a specific IP address for accessing the TFTP server and /etc/hosts.deny denies any other IP address via TCP wrappers. Similar lines should be presentr from both files.

# echo "in.tftpd:" >> /etc/hosts.allow
# echo "in.tftpd: ALL" >> /etc/hosts.deny

TFTP with IPTables

Here's a single entry from my /etc/sysconfig/iptables . This line allow TFTP access into a TFTP server via port 69. A similar line should exists from your /etc/sysconfig/iptables or firewall as shown below:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 69 -j ACCEPT


Make sure the TFTP client is not being being block by the TFTP server like so

# ping tftp.client.ip.address
# route del -host tftp.client.ip.address reject

By default TFTP package installation, all uploaded files to TFTP server are being stored under /tftpboot folder. By default installation, /tftpboot are owned by root with root group access.
Let's modify that to look like

# chown nobody.nobody /tftpboot -R
# chmod 600 /tftpboot


Simply verify your TFTP service and port if they are currently being served and active, like so

# netstat -lap | grep ftp
# ss -ua | grep tftp

Launch TFTP daemon service

Restart your iptables firewall and xinetd daemon service like so

# service xinetd restart
# service iptables restart

Try to upload a file to your TFTP server using a tftp client software.

With the above settings, you should be able to access, upload and download files from and into your TFTP server. This can be handy also when backing up data from your appliances like cisco routers and the like, which supports TFTP upload and download access.

Did you noticed an intersting floating half-rounded black box around this site too?


HighlanderOne said...

Hello and thanks for posting this document.

In the line:

# chmod 600 /tftpboot

you actually meant to say

# chmod 700 /tftpboot

for /tftpboot is a directory, and without the executing permission the TFTP will fail.


Sign up for PayPal and start accepting credit card payments instantly.
ILoveTux - howtos and news | About | Contact | TOS | Policy