Configuring the vsftpd service on Linux

1. File transfer protocol

File Transfer Protocol (FTP) lets an FTP client and server share, upload, and download files. FTP opens a virtual connection over TCP that carries only the control information for the session, and a separate TCP connection is created for each data transfer. Through a client, users can upload, download, and delete files on the FTP server, and one FTP server can be shared by many people at the same time.

FTP follows the client/server (C/S) model. Software that shares and transfers files over the FTP protocol is called the FTP server; the program that talks to it over the same protocol is the FTP client. The client can upload files to and download files from the FTP server.


2. FTP transfer mode

FTP is based on the C/S model, and the client and server can transfer data in one of two modes: FTP active mode and FTP passive mode.

  • Active mode: the FTP server actively initiates the data connection to the client.
  • Passive mode: the FTP server waits for the client to initiate the data connection (FTP's default working mode).
  1. FTP active mode: the client connects from an arbitrary port N (N > 1024) to the server's command port 21, starts listening on port N+1, and sends the FTP command "PORT N+1" to the server. The server then connects from its data port (20) to the data port (N+1) designated by the client.
  2. FTP passive mode: the client connects from an arbitrary port N (N > 1024) to the server's command port 21, starts listening on port N+1, and sends the PASV command. The server opens an arbitrary port P (P > 1024) and tells the client about it with a PORT P reply. The client then initiates a connection from its local port N+1 to the server's port P to transfer data.

In a real enterprise environment, when both the FTP client and the FTP server sit behind firewalls, FTP needs to work in active mode, so that only ports 20 and 21 have to be opened in the FTP server's firewall rules.
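The passive-mode handshake above is what a firewall administrator has to reason about: the server announces a data port inside its reply, and that port must fall inside the range the firewall opens (the pasv_min_port/pasv_max_port settings described later). The following script is an added example, not part of the original article; it parses a constructed "227 Entering Passive Mode" reply into host and port and checks the port against an assumed range of 24500-24600.

```shell
#!/bin/sh
# Added example (not from the original article): decode the server's PASV reply and
# check that the announced data port lies inside the firewall's passive port range.
# PASV_MIN/PASV_MAX and the reply line are assumed/constructed values for the example.

PASV_MIN=24500
PASV_MAX=24600

# pasv_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> prints "h1.h2.h3.h4 PORT"
# The six numbers are the server's address and the data port split as p1*256 + p2.
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_port_in_range PORT -> exit 0 when PORT is within [PASV_MIN, PASV_MAX]
pasv_port_in_range() {
    [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]
}

# Demonstration on a constructed reply: 96*256 + 20 = 24596
REPLY='227 Entering Passive Mode (192,168,4,1,96,20).'
if out=$(pasv_port "$REPLY"); then
    set -- $out
    echo "data connection -> $1:$2"
    if pasv_port_in_range "$2"; then
        echo "port $2 is inside $PASV_MIN-$PASV_MAX; a firewall rule for that range covers it"
    else
        echo "port $2 is outside $PASV_MIN-$PASV_MAX; the client's data connection would be blocked"
    fi
else
    echo "not a PASV reply: $REPLY" >&2
fi
```

A port outside the range means either the server is not configured with pasv_min_port/pasv_max_port or the firewall range is wrong; in both cases the control connection succeeds while every directory listing or transfer hangs, which is the classic symptom of a passive-mode firewall mismatch.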

3. Introduction to Vsftpd server

The current mainstream FTP server software includes Vsftpd, ProFTPD, PureFTPd, Wu-ftpd, Serv-U FTP, FileZilla Server and others; on Unix/Linux the most widely used is Vsftpd.

Vsftpd (Very Secure FTP daemon) is the most mainstream FTP server program in Unix/Linux distributions. Its advantages are that it is small and light, secure and easy to use, stable and efficient, and able to meet the needs of enterprises with many departments and users.


4. Vsftpd installation and configuration

Check whether it is installed:

rpm -qa | grep vsftpd

Uninstall vsftpd:

yum remove vsftpd

Install vsftpd:

yum install vsftpd -y

Start the service:

systemctl start vsftpd

Restart the service:

systemctl restart vsftpd

Check whether it is running:

ps -ef | grep vsftpd

Install the ftp command-line client:

yum install ftp -y

Configuration file

/etc/vsftpd/vsftpd.conf is the core configuration file of the vsftpd service. Before modifying it, it is best to back up a copy first:

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak

The parameters in the default vsftpd.conf are explained in detail below:

Parameter                   Effect
anonymous_enable=YES        Enable anonymous user access
local_enable=YES            Enable local system user access
write_enable=YES            Give local system users write permission
local_umask=022             Default permission mask for files and directories created by local users
dirmessage_enable=YES       Print the directory message, usually used to show information when a user first enters a directory
xferlog_enable=YES          Enable upload/download logging
connect_from_port_20=YES    Use port 20 for data transfers
xferlog_std_format=YES      Write the log file in the standard xferlog format
listen=NO                   Vsftpd does not run as a standalone service but is managed by xinetd; it is recommended to change this to YES
listen_ipv6=YES             Enable IPv6 listening
pam_service_name=vsftpd     Authenticate FTP logins according to /etc/pam.d/vsftpd
userlist_enable=YES         Enable the user list; users in the user_list and ftpusers files are prohibited from accessing FTP
tcp_wrappers=YES            Combine vsftpd with TCP wrappers for host access control: the server checks /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server

User access mode configuration

vsftpd, as a comparatively secure file transfer service, allows users to log in to the FTP server in three authentication modes.

  • Anonymous open mode: the least secure mode. Anyone can log in to the FTP server directly without password verification.

  • Local user mode: authentication against the local account and password information of the Linux system. It is more secure than anonymous mode and simple to configure, but if an account is cracked by an attacker, they can log in to the FTP server unimpeded and thereby fully control the entire server.

  • Virtual user mode: the safest of the three. A separate user database file is created for the FTP service, and the accounts used for password verification are virtual: they do not exist in the server's system and are used only for authentication by the FTP service program. Even if an attacker cracks such an account, they cannot log in to the server itself, which effectively limits the scope and impact of a compromise.

Anonymous open mode

Permission parameters that can be opened to anonymous users:

Parameter                     Effect
anonymous_enable=YES          Allow anonymous access mode
anon_umask=022                umask value for files uploaded by anonymous users
anon_upload_enable=YES        Allow anonymous users to upload files
anon_mkdir_write_enable=YES   Allow anonymous users to create directories
anon_other_write_enable=YES   Allow anonymous users to rename or delete directories

Modify the configuration file:

vim /etc/vsftpd/vsftpd.conf

anonymous_enable=YES           # allow anonymous access mode
anon_umask=022                 # umask value for files uploaded by anonymous users
anon_upload_enable=YES         # allow anonymous users to upload files
anon_mkdir_write_enable=YES    # allow anonymous users to create directories
anon_other_write_enable=YES    # allow anonymous users to rename or delete directories


local_enable=YES 
write_enable=YES 
local_umask=022 
dirmessage_enable=YES 
xferlog_enable=YES 
connect_from_port_20=YES 
xferlog_std_format=YES 
listen=NO 
listen_ipv6=YES 
pam_service_name=vsftpd 
userlist_enable=YES 
tcp_wrappers=YES

Vsftpd has two default anonymous users, anonymous and ftp. If anonymous users need to upload, delete and modify files, the ftp user must have write permission on the /var/ftp/pub directory. Either of the following commands (chown or chmod) sets this:

chown -Rf ftp /var/ftp/pub

chmod o+w /var/ftp/pub/

If an error is reported, it is usually caused by SELinux or a firewall problem.

Use the getsebool command to view the SELinux Booleans related to FTP:

getsebool -a | grep ftp

Modify the policy rule:

setsebool -P ftpd_full_access=on

Local user mode

Authorization parameters used in local user mode:

Parameter              Effect
anonymous_enable=NO    Prohibit anonymous access mode
local_enable=YES       Allow local user mode
write_enable=YES       Set writable permissions
local_umask=022        umask value for files created in local user mode
userlist_enable=YES    Enable the "forbidden user list"; the list files are ftpusers and user_list
userlist_deny=YES      Enable the user list file function (user_list acts as a blacklist)

Create test users user1 and user2 with the password "123456":

useradd user1
useradd user2

# --stdin: read the user's password from standard input
echo 123456 | passwd --stdin user1
echo 123456 | passwd --stdin user2

Modify the configuration file:

vim /etc/vsftpd/vsftpd.conf 


anonymous_enable=NO      # prohibit anonymous access mode
local_enable=YES         # allow local user mode
write_enable=YES         # set writable permissions
local_umask=022          # umask value for files created in local user mode

userlist_enable=YES
userlist_deny=NO

dirmessage_enable=YES 
xferlog_enable=YES 
connect_from_port_20=YES 
xferlog_std_format=YES 
listen=NO 
listen_ipv6=YES 
pam_service_name=vsftpd 
userlist_enable=YES 
tcp_wrappers=YES

There are two list files in the /etc/vsftpd directory:
  • ftpusers is not affected by any configuration item; it is always in effect and is a blacklist. The file holds the list of users who are prohibited from accessing FTP. Usually, for security reasons, the administrator does not want accounts with excessive permissions (such as root) to log in to FTP, so that such an account cannot be used to upload files to, or download files from, dangerous locations on the system and cause damage.
  • user_list is closely tied to the userlist_enable and userlist_deny items in vsftpd.conf. It can be in effect or not, and when in effect it can be either a blacklist or a whitelist.

When userlist_enable=YES, the userlist_deny item takes effect and the user_list file is used; when userlist_enable=NO, user_list is ignored regardless of the value of userlist_deny.

When userlist_enable=YES and userlist_deny=YES, user_list is a blacklist: every user appearing in the list is denied login.

When userlist_enable=YES and userlist_deny=NO, user_list is a whitelist: only users appearing in the list are allowed to log in (everyone else is denied). A special reminder: once the whitelist is in use, anonymous users can no longer log in unless you explicitly add a line containing anonymous to user_list.
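The three cases above are easy to get backwards when editing a live server. The following script is an added example, not part of the original article: it reproduces the decision rules just described (ftpusers always denies; user_list is consulted only when userlist_enable=YES and is a blacklist or whitelist depending on userlist_deny) against constructed copies of both list files, so the effect of a change can be checked before vsftpd is restarted.

```shell
#!/bin/sh
# Added example (not from the original article): model vsftpd's login filtering from
# ftpusers, user_list, userlist_enable and userlist_deny on constructed sample lists.

FTPUSERS_FILE=$(mktemp)
USER_LIST_FILE=$(mktemp)
trap 'rm -f "$FTPUSERS_FILE" "$USER_LIST_FILE"' EXIT

# constructed sample of /etc/vsftpd/ftpusers: an unconditional deny list
printf '%s\n' root bin daemon > "$FTPUSERS_FILE"
# constructed sample of /etc/vsftpd/user_list as filled in the section above
printf '%s\n' user1 user2 > "$USER_LIST_FILE"

# in_list NAME FILE -> 0 if NAME is an exact line of FILE (comment lines ignored)
in_list() {
    grep -v '^#' "$2" | grep -qx "$1"
}

# login_allowed USER USERLIST_ENABLE USERLIST_DENY -> prints the verdict, returns 0 (allow) / 1 (deny)
login_allowed() {
    user=$1; enable=$2; deny=$3
    # 1. ftpusers is checked regardless of any configuration item
    if in_list "$user" "$FTPUSERS_FILE"; then
        echo "deny  ($user is in ftpusers)"; return 1
    fi
    # 2. user_list only matters when userlist_enable=YES
    if [ "$enable" != YES ]; then
        echo "allow ($user: user_list not consulted)"; return 0
    fi
    if in_list "$user" "$USER_LIST_FILE"; then listed=yes; else listed=no; fi
    # 3. userlist_deny decides whether the list is a blacklist or a whitelist
    case "$deny:$listed" in
        YES:yes) echo "deny  ($user is in user_list, used as a blacklist)"; return 1 ;;
        YES:no)  echo "allow ($user is not in the user_list blacklist)"; return 0 ;;
        NO:yes)  echo "allow ($user is in the user_list whitelist)"; return 0 ;;
        NO:no)   echo "deny  ($user is not in the user_list whitelist)"; return 1 ;;
        *)       echo "deny  (unexpected userlist_deny value '$deny')"; return 1 ;;
    esac
}

# Demonstration: the same accounts under the three configurations discussed above
for cfg in "NO YES" "YES YES" "YES NO"; do
    set -- $cfg
    echo "userlist_enable=$1 userlist_deny=$2"
    for u in root user1 user3 anonymous; do
        login_allowed "$u" "$1" "$2" || true
    done
done
```

Note how "anonymous" is denied in the whitelist case because it is not a line in the constructed user_list, which is exactly the reminder above; adding it to the list is what re-enables anonymous logins alongside a whitelist.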

View the list:

cat /etc/vsftpd/user_list

Add users to the whitelist:

vim /etc/vsftpd/user_list
user1
user2

The SELinux Boolean for the FTP service needs to be turned on again:

setsebool -P ftpd_full_access=on

Virtual user mode

  1. Create the system account that the virtual users will be mapped to:
useradd -s /sbin/nologin vu
  2. Create the virtual user file. Odd-numbered lines hold user names and even-numbered lines hold the matching passwords:
cd /etc/vsftpd/
vim user
user1
123456
user2
123456
  3. Create a database file in Berkeley DB format with the db_load tool:
db_load -T -t hash -f user user.db

-f        specify the source text file
-T        allow non-Berkeley DB applications to use text-format data converted into a DB file
-t hash   the database access method to use
  4. Create the PAM authentication file that supports virtual users:
vim /etc/pam.d/vsftpd.vu
Add the following two lines:

auth       required     /lib64/security/pam_userdb.so db=/etc/vsftpd/user

account    required     /lib64/security/pam_userdb.so db=/etc/vsftpd/user

The db= path refers to the user.db file just generated (pam_userdb appends the .db extension itself).
  5. Modify the configuration file so that authentication uses the PAM file. The parameters involved:
Parameter                   Effect
anonymous_enable=NO         Prohibit anonymous access mode
local_enable=YES            Allow local user mode
guest_enable=YES            Enable virtual user mode
guest_username=virtual      Specify the system account the virtual users are mapped to
pam_service_name=vsftpd.vu  Specify the PAM file
allow_writeable_chroot=YES  Allow write operations in the chroot-jailed FTP root directory instead of refusing the login
vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=vu              # must match the account created in step 1
allow_writeable_chroot=YES

write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/user_dir
  6. Create an independent configuration directory and a file for each virtual user. The file must be named after the virtual user it applies to:
mkdir /etc/vsftpd/user_dir
cd /etc/vsftpd/user_dir
vim user1

local_root=/etc/vsftpd/data      # storage path for this virtual user's data

Repeat for user2. Then create the virtual user data storage directory:

cd /etc/vsftpd
mkdir data
chmod 777 data/

Restart the service:

systemctl restart vsftpd
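The six steps above are easy to get subtly wrong: an odd line count in the user file silently pairs the wrong passwords, and a per-user file whose name does not match a virtual user is simply ignored. The following script is an added example, not the article's own procedure: it validates the user file before db_load sees it, writes the PAM lines and one config file per virtual user, and only calls db_load when the tool is installed. VSFTPD_DIR and PAM_FILE default to a temporary location so the script can be dry-run; on a real host they would be /etc/vsftpd and /etc/pam.d/vsftpd.vu.

```shell
#!/bin/sh
# Added example (not from the original article): the virtual-user setup as one checked
# script. Paths default to a temporary directory; set VSFTPD_DIR=/etc/vsftpd and
# PAM_FILE=/etc/pam.d/vsftpd.vu to run it for real.

VSFTPD_DIR=${VSFTPD_DIR:-$(mktemp -d)}
PAM_FILE=${PAM_FILE:-$VSFTPD_DIR/pam.d-vsftpd.vu}

# check_vuser_file FILE -> 0 when odd lines are user names, even lines passwords, no blanks
check_vuser_file() {
    awk '
        NF == 0 { print "blank line " NR; bad = 1 }
        NR % 2 == 1 && $0 !~ /^[a-z_][a-z0-9_-]*$/ { print "bad user name on line " NR ": " $0; bad = 1 }
        END {
            if (NR % 2 == 1) { print "odd line count: the last user has no password"; bad = 1 }
            exit bad
        }' "$1"
}

# write_pam_vu PAM_FILE DB_PATH -> the two pam_userdb lines from step 4 (DB_PATH without .db)
write_pam_vu() {
    printf 'auth       required     /lib64/security/pam_userdb.so db=%s\n' "$2" > "$1"
    printf 'account    required     /lib64/security/pam_userdb.so db=%s\n' "$2" >> "$1"
}

# write_user_config DIR NAME LOCAL_ROOT -> per-user file named after the virtual user (step 6)
write_user_config() {
    mkdir -p "$1"
    printf 'local_root=%s\n' "$3" > "$1/$2"
}

# build_db FILE -> run db_load (step 3) when available, otherwise print the command to run
build_db() {
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$1" "$1.db"
    else
        echo "db_load not installed here; on the server run: db_load -T -t hash -f $1 $1.db"
    fi
}

# constructed sample user file with the same layout as the article's /etc/vsftpd/user
USER_FILE=$VSFTPD_DIR/user
printf '%s\n' user1 123456 user2 123456 > "$USER_FILE"

if check_vuser_file "$USER_FILE"; then
    build_db "$USER_FILE"
    write_pam_vu "$PAM_FILE" "$VSFTPD_DIR/user"
    for name in $(awk 'NR % 2 == 1' "$USER_FILE"); do
        write_user_config "$VSFTPD_DIR/user_dir" "$name" "$VSFTPD_DIR/data"
    done
    echo "virtual user files written under $VSFTPD_DIR (PAM file: $PAM_FILE)"
else
    echo "user file rejected; fix it before running db_load" >&2
fi
```

The user-name check is deliberately strict because the name is also used as a file name inside user_config_dir; anything outside a plain account name would create a per-user file that vsftpd never reads.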

5. Detailed configuration file

Commonly used anonymous FTP configuration items:

anonymous_enable=YES                    # whether anonymous users may access
anon_umask=022                          # permission mask for files uploaded by anonymous users
anon_root=/var/ftp                      # FTP root directory for anonymous users
anon_upload_enable=YES                  # whether anonymous users may upload files
anon_mkdir_write_enable=YES             # whether anonymous users may create directories
anon_other_write_enable=YES             # whether anonymous users have other write rights (rename, delete, overwrite)
anon_max_rate=0                         # maximum transfer rate (bytes/second); 0 means unlimited

Commonly used local user FTP configuration items:

local_enable=YES                             # whether local system users may access
local_umask=022                              # permission mask for files uploaded by local users
local_root=/var/ftp                          # FTP root directory for local users
chroot_list_enable=YES                       # whether the chroot list is enabled (not enabled by default)
chroot_list_file=/etc/vsftpd/chroot_list     # users written in /etc/vsftpd/chroot_list cannot leave the chroot environment (by default they can)
chroot_local_user=YES                        # all local users are confined to the chroot; users written in /etc/vsftpd/chroot_list may leave it (the opposite of the above)
local_max_rate=0                             # maximum transfer rate (bytes/second); 0 means unlimited

Commonly used global configuration items:

listen=YES                             # whether to listen as a standalone service
listen_address=192.168.4.1             # IP address on which the FTP service listens
listen_port=21                         # port on which the FTP service listens
write_enable=YES                       # whether write permission is enabled (uploading, deleting files)
download_enable=YES                    # whether downloading files is allowed
dirmessage_enable=YES                  # show the .message file when a user enters a directory
xferlog_enable=YES                     # enable the transfer log, written to /var/log/xferlog
xferlog_std_format=YES                 # use the standard xferlog format; disabling this uses vsftpd's own format
connect_from_port_20=YES               # allow server active mode (data connections established from port 20)
pasv_enable=YES                        # allow server passive mode
pasv_max_port=24600                    # highest port number the server uses in passive mode
pasv_min_port=24500                    # lowest port number the server uses in passive mode
pam_service_name=vsftpd                # PAM service file used for user authentication (under /etc/pam.d/, e.g. /etc/pam.d/vsftpd.vu for virtual users)
userlist_enable=YES                    # whether the user_list file is enabled
userlist_deny=YES                      # whether the users in user_list are denied
max_clients=0                          # limit on concurrent client connections
max_per_ip=0                           # limit on concurrent connections from the same IP address
tcp_wrappers=YES                       # whether tcp_wrappers host access control is enabled
chown_username=root                    # files uploaded by anonymous users become owned by root; off by default
ascii_upload_enable=YES                # whether ASCII-mode (text) uploads are allowed; not allowed by default
ascii_download_enable=YES              # whether ASCII-mode (text) downloads are allowed; not allowed by default
nopriv_user=vsftpd                     # unprivileged user the Vsftpd service runs as, here a manually created vsftpd user
async_abor_enable=YES                  # enable support for asynchronous ABOR (abort transfer)
ftpd_banner=Welcome to FTP             # login banner shown by Vsftpd
guest_enable=YES                       # enable the virtual user feature
guest_username=ftpuser                 # system account the virtual users are mapped to
virtual_use_local_privs=YES            # virtual users get the same privileges as their host user
user_config_dir=/etc/vsftpd/vconf      # directory holding per-virtual-user Vsftpd configuration files
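Reading a vsftpd.conf by hand is error-prone because the risky settings are combinations rather than single keys: anonymous access is harmless until an anon_*_write key is also YES, passive mode is fine until no port range is set for the firewall, and listen=YES together with listen_ipv6=YES stops vsftpd from starting in standalone mode at all. The following script is an added example, not part of the original article: conf_get reads the effective value of a key (comments ignored, last occurrence wins) and audit_conf reports such combinations, here on two constructed configurations.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for risky
# combinations of the settings listed in this section. Both configurations below
# are constructed for the example; on a real host run: audit_conf /etc/vsftpd/vsftpd.conf

# conf_get FILE KEY [DEFAULT] -> effective value of KEY (last occurrence), or DEFAULT
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${v:-$3}"
}

# audit_conf FILE -> one finding per line on stdout; returns the number of findings
audit_conf() {
    f=$1; n=0
    if [ "$(conf_get "$f" anonymous_enable NO)" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_get "$f" "$k" NO)" = YES ]; then
                echo "anonymous users may write: $k=YES"; n=$((n + 1))
            fi
        done
    fi
    if [ "$(conf_get "$f" listen NO)" = YES ] && [ "$(conf_get "$f" listen_ipv6 NO)" = YES ]; then
        echo "listen=YES and listen_ipv6=YES together: vsftpd refuses to start in standalone mode"; n=$((n + 1))
    fi
    if [ "$(conf_get "$f" pasv_enable YES)" = YES ]; then
        if [ -z "$(conf_get "$f" pasv_min_port)" ] || [ -z "$(conf_get "$f" pasv_max_port)" ]; then
            echo "passive mode without pasv_min_port/pasv_max_port: the firewall cannot limit data ports"; n=$((n + 1))
        fi
    fi
    if [ "$(conf_get "$f" xferlog_enable NO)" != YES ]; then
        echo "xferlog_enable is off: uploads and downloads are not logged"; n=$((n + 1))
    fi
    if [ "$(conf_get "$f" max_clients 0)" = 0 ] && [ "$(conf_get "$f" max_per_ip 0)" = 0 ]; then
        echo "no connection limits (max_clients=0 and max_per_ip=0)"; n=$((n + 1))
    fi
    return $n
}

WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
# constructed: anonymous writes, both listen keys, no passive range, no log, no limits
cat > "$WEAK" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
local_enable=YES
listen=YES
listen_ipv6=YES
pasv_enable=YES
xferlog_enable=NO
EOF
# constructed: the same server with each of those points addressed
cat > "$HARDENED" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
listen_ipv6=NO
pasv_enable=YES
pasv_min_port=24500
pasv_max_port=24600
xferlog_enable=YES
xferlog_std_format=YES
max_clients=50
max_per_ip=5
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    if audit_conf "$f"; then echo "   no findings"; else echo "   $? finding(s)"; fi
done
```

The defaults passed to conf_get mirror what vsftpd assumes when a key is absent (for example pasv_enable is on unless set to NO), which is why an absent pasv_min_port still produces a finding. Note that the article's own sample configurations set listen=NO with listen_ipv6=YES and recommend flipping listen to YES; this audit flags the result of doing that without also changing listen_ipv6.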

Source: blog.csdn.net/w918589859/article/details/108705393