Configuring SSH & FTP: Login, Transfer, Tunnels
You administer a server, web-01 (10.10.10.20). Your job: log in securely, move files, open a tunnel to an internal service, and understand the old FTP server still running on it.
This lesson uses two sandbox terminals: the client (your laptop) on top and the server below. Run the client commands as you read.
| Protocol | Port | Encrypted? | Use |
|---|---|---|---|
| SSH | 22 | Yes | Remote shell, tunnels |
| SCP/SFTP | 22 | Yes | File transfer over SSH |
| FTP | 21 (control), 20 (data) | No (plaintext) | Legacy file transfer |
Part 1: SSH
Log in with a password
ssh admin@web-01
admin@web-01's password:
You land in a shell on the server; the prompt changes to admin@web-01:~$. Type whoami, hostname, cat /etc/os-release, then exit to come back.
Log in with a key (no password)
Passwords are weak and phishable. Real servers use key pairs: a private key stays on your laptop, the public key sits on the server.
ssh-keygen -t ed25519 # make a key pair
ssh-copy-id admin@web-01 # install the public key on the server
ssh -i ~/.ssh/id_ed25519 admin@web-01 # now it logs in with no password
Configure the server (sshd_config)
The SSH daemon reads /etc/ssh/sshd_config. On the server terminal:
cat /etc/ssh/sshd_config
The lines that matter most for hardening:
- Port 22: change it to reduce drive-by scans.
- PermitRootLogin no: never let root log in directly.
- PasswordAuthentication no: force key-only auth once keys work.
- PubkeyAuthentication yes: allow key login.
After editing, apply it with sudo systemctl restart sshd.
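A small audit script, added as an example for this lesson (not OpenSSH code and not part of the original page), that reads an sshd_config the way sshd does and reports the four directives above. sshd honours the first occurrence of a keyword, ignores comment lines, and treats everything after a Match line as conditional, so the script does the same. The sample configs it writes are constructed for the demo; the file paths, function names and the choice to treat an unset directive as weak are this example's own.

```shell
#!/bin/sh
# Added example (not part of the lesson, not OpenSSH code): audit an
# sshd_config for the hardening directives the lesson names.
# Usage: audit_sshd_config /etc/ssh/sshd_config   (exit 0 = hardened)

# effective_value FILE KEYWORD -> first active value of KEYWORD, or "unset"
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == "match" { exit }               # global section ends at Match
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# check_directive KEYWORD EXPECTED -> prints OK/WEAK and sets weak=1 (uses $cfg)
check_directive() {
  v=$(effective_value "$cfg" "$1")
  if [ "$v" = "$2" ]; then
    echo "OK   $1 $v"
  else
    echo "WEAK $1 is '$v', expected $2"
    weak=1
  fi
}

# audit_sshd_config FILE -> one line per directive; returns 1 if any is WEAK.
# An unset directive counts as WEAK here: the audit wants the intent written
# down rather than left to the compiled-in default (a design choice of this example).
audit_sshd_config() {
  cfg="$1"; weak=0
  check_directive PermitRootLogin no
  check_directive PasswordAuthentication no
  check_directive PubkeyAuthentication yes
  p=$(effective_value "$cfg" Port)
  if [ "$p" = 22 ] || [ "$p" = unset ]; then
    echo "NOTE Port is the default 22 (the lesson suggests moving it)"
  else
    echo "OK   Port $p"
  fi
  return $weak
}

# Constructed sample configs for the demo (not real server files)
make_sshd_sample() {  # make_sshd_sample FILE weak|hardened
  if [ "$2" = weak ]; then
    printf '%s\n' '# stock config' 'Port 22' '#PermitRootLogin no' \
      'PermitRootLogin yes' 'PasswordAuthentication yes' > "$1"
  else
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
      'PubkeyAuthentication yes' 'Match User backup' 'PasswordAuthentication yes' > "$1"
  fi
}

# Demo: audit both samples. The commented-out "#PermitRootLogin no" in the weak
# sample is ignored, and the Match block in the hardened one does not undo the
# global PasswordAuthentication no.
tmp=$(mktemp)
for state in weak hardened; do
  make_sshd_sample "$tmp" "$state"
  echo "== $state sample =="
  audit_sshd_config "$tmp" || echo "-> not hardened"
done
rm -f "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` before the restart, and check the syntax with `sudo sshd -t` as well: a typo in sshd_config that slips past a restart can lock you out of the server.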
Transfer files: scp and sftp
Both ride on the encrypted SSH channel (port 22), so no extra service is needed.
scp report.pdf admin@web-01:/var/www # push one file to the server
scp admin@web-01:/var/log/app.log . # pull a file back
sftp admin@web-01 # interactive: ls, put, get, bye
Port forwarding (tunnels)
SSH can carry other connections inside its encrypted tunnel. Three forms:
- Local (-L): reach a service that only the server can see.
  ssh -L 8080:localhost:80 admin@web-01
  Now http://localhost:8080 on your laptop hits the server's port 80. Classic use: reach an internal database or admin panel through a bastion host.
- Remote (-R): expose your local service to the server side.
  ssh -R 9090:localhost:3000 admin@web-01
- Dynamic (-D): a SOCKS proxy that tunnels all your traffic.
  ssh -D 1080 admin@web-01
Part 2: FTP and anonymous login
web-01 also runs an old FTP server (vsftpd). FTP sends credentials in plaintext, so anyone sniffing the wire sees them; that is why SFTP replaced it. But you will still meet FTP in the wild, so learn it.
Anonymous login: what it does
Many FTP servers allow an anonymous user so the public can download files without an account.
ftp ftp.web-01
Name (ftp.web-01:learner): anonymous
331 Please specify the password.
Password: # any email address works
230 Login successful.
Once in, try it on the client terminal:
ls # browse the public files
get welcome.txt # 226 Transfer complete: download works
put secret.txt # 550 Permission denied: uploads are blocked
bye
That is the whole point of anonymous login: read-only access to public files. It can download but never upload, rename, or delete. The server enforces this in /etc/vsftpd.conf:
anonymous_enable=YES # the anonymous user may log in
anon_root=/srv/ftp # ...but is jailed to this public folder
write_enable=NO # global: no writes
anon_upload_enable=NO # belt and braces: anonymous cannot upload
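To see why the lesson calls the last two lines "belt and braces", here is an added example (this lesson's own illustration, not vsftpd code) that models what the anonymous user may do under a given vsftpd.conf. In vsftpd every anonymous write needs two switches: the global write_enable gate and the matching anon_* option (anon_upload_enable for uploads, anon_mkdir_write_enable for new directories, anon_other_write_enable for delete and rename); reads need only anonymous_enable and download_enable. Defaults follow the vsftpd man page; the sample configs and the "last assignment wins" reading of key=value lines are this example's assumptions.

```shell
#!/bin/sh
# Added example (not vsftpd code): compute the effective anonymous permission
# for an action from a vsftpd.conf.
# Usage: anon_allowed /etc/vsftpd.conf upload   -> prints yes or no

# conf_value FILE KEY DEFAULT -> value of KEY=... (comments ignored, last
# assignment wins, upper-cased so YES/yes compare equal), or DEFAULT if unset
conf_value() {
  v=$(grep -i "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
  if [ -n "$v" ]; then
    printf '%s\n' "$v" | tr '[:lower:]' '[:upper:]'
  else
    printf '%s\n' "$3"
  fi
}

# anon_allowed FILE ACTION -> yes|no for login|download|upload|mkdir|delete|rename
anon_allowed() {
  cfg="$1"
  # anonymous_enable defaults to YES in the man page; distro packages often ship NO
  [ "$(conf_value "$cfg" anonymous_enable YES)" = YES ] || { echo no; return 0; }
  case "$2" in
    login) echo yes; return 0 ;;
    download)
      [ "$(conf_value "$cfg" download_enable YES)" = YES ] && echo yes || echo no
      return 0 ;;
    upload)        key=anon_upload_enable ;;
    mkdir)         key=anon_mkdir_write_enable ;;
    delete|rename) key=anon_other_write_enable ;;
    *) echo "unknown action: $2" >&2; return 2 ;;
  esac
  # Two switches must both be YES: the global gate and the per-action option.
  write=$(conf_value "$cfg" write_enable NO)
  gate=$(conf_value "$cfg" "$key" NO)
  if [ "$write" = YES ] && [ "$gate" = YES ]; then echo yes; else echo no; fi
}

# Constructed sample configs (not real server files)
make_vsftpd_sample() {  # make_vsftpd_sample FILE lesson|loose
  if [ "$2" = lesson ]; then
    printf '%s\n' 'anonymous_enable=YES' 'anon_root=/srv/ftp' \
      'write_enable=NO' 'anon_upload_enable=NO' > "$1"
  else
    printf '%s\n' '# local users need writes, but this also opens the anonymous gate' \
      'anonymous_enable=YES' 'write_enable=YES' 'anon_upload_enable=YES' > "$1"
  fi
}

# report FILE -> what anonymous may do under that config
report() {
  for a in login download upload mkdir delete; do
    printf '%-8s %s\n' "$a" "$(anon_allowed "$1" "$a")"
  done
}

tmp=$(mktemp)
make_vsftpd_sample "$tmp" lesson; echo "lesson config:"; report "$tmp"
make_vsftpd_sample "$tmp" loose;  echo "loose config:";  report "$tmp"
rm -f "$tmp"
```

The "loose" sample shows the failure mode worth checking for: turning on write_enable for local users and leaving anon_upload_enable=YES quietly gives the public a writable folder, which is exactly what the lesson's write_enable=NO plus anon_upload_enable=NO pair prevents.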
Active vs passive mode
FTP uses two connections: a control channel (port 21) and a separate data channel. In active (PORT) mode the server connects back to the client for data, which client-side firewalls and NAT usually block. In passive (PASV) mode the client opens the data connection as well, which is why it works through firewalls and NAT. Modern clients default to passive.
Try it (two terminals)
- Client: ssh admin@web-01, then hostname (see web-01), then exit.
- Client: ssh-keygen -t ed25519, then ssh-copy-id admin@web-01, then ssh -i ~/.ssh/id_ed25519 admin@web-01; notice there is no password prompt.
- Server: cat /etc/ssh/sshd_config, find PermitRootLogin no.
- Client: scp report.pdf admin@web-01:/var/www.
- Client: ftp ftp.web-01, log in as anonymous, then get welcome.txt (works) and put secret.txt (denied), then bye.
- Client: open a tunnel: ssh -L 8080:localhost:80 admin@web-01.
Why this matters
SSH is how every server, container, and cloud VM is administered. Keys beat passwords, sshd_config is where you harden it, and port forwarding is a daily tool for reaching internal services safely. FTP teaches the opposite lesson: plaintext protocols leak credentials, and anonymous access must be locked to read-only.