Build an FTP server in centos7


FTP (File Transfer Protocol) works in client/server mode. The service uses two ports: tcp/21 (command channel) and tcp/20 (data channel).

FTP active mode: the client connects from an arbitrary port N (N > 1024) to the FTP server's command port 21, starts listening on port N+1, and sends the FTP command PORT N+1 to the server. The server then connects from its data port (20) to the data port (N+1) designated by the client.

FTP passive mode: the client connects from an arbitrary port N (N > 1024) to the FTP server's command port 21, starts listening on port N+1, and sends the PASV command. The server opens an arbitrary port P (P > 1024) and tells the client this port P in its reply. The client then initiates a connection from its local port N+1 to the server's port P to transfer data.

In a real enterprise environment, when both the FTP client and the FTP server are behind firewalls, FTP needs to work in active mode so that only ports 20 and 21 have to be opened in the FTP server's firewall rules.

1. Introduction to the FTP server

FTP (File Transfer Protocol) is a client/server system. Users must be authenticated before they can log in. FTP server users fall into three categories.

System user: a local user of the system. Linux generally does not restrict local users, so they can work on the entire file system; administrators usually do not want them to access the system remotely via FTP.

Virtual user: a user who can only use the system through FTP and cannot log in to a shell directly. Authentication is required when accessing the server. Most FTP users are of this kind.

Anonymous user: anonymous access can be provided on public servers (username: anonymous). Anonymous users should be restricted as much as possible and given low privileges: limit the number of simultaneous connections, limit which files can be accessed, forbid uploads, allow fewer commands, hide settings, cap the maximum number of users logged in at the same time, and so on.

2. FTP server installation

1. Install the vsftpd package (and the ftp client) from the default yum repository

#yum install vsftpd ftp

2. Start the service and enable it at boot

Service name of vsftpd: vsftpd.service

#systemctl start vsftpd.service    # start the service
#systemctl enable vsftpd.service   # start automatically at boot

3. Configure the firewall and SELinux

#firewall-cmd --permanent --zone=public --add-service=ftp   # allow the ftp service through firewalld
#firewall-cmd --reload                                      # apply the permanent rule
#systemctl stop firewalld                                   # or, as done here, stop the firewall entirely
#setenforce 0                                               # put SELinux into permissive mode (until reboot)

4. Access the FTP server

Use the ftp command to access the server from a Linux system.

Access the FTP server from a Windows client.

3. Set up anonymous user access to FTP

1. Key points about anonymous access to FTP

(1) By default, both anonymous users and system users are allowed to access FTP. The default directory is /var/ftp.

Access test (user name: anonymous, empty password)

(2) The vsftpd configuration file is /etc/vsftpd/vsftpd.conf (one option=value per line; only whole lines beginning with # are comments, so do not append a comment after a value).

Set up anonymous users to access ftp:

anonymous_enable=YES

(3) Let anonymous users log in to FTP without entering a password:

no_anon_password=YES
# text of the greeting banner shown at login
ftpd_banner=welcome to our home!

(4) Allow anonymous users to upload, create and delete files:

# anonymous users may upload files
anon_upload_enable=YES
# anonymous users may create directories
anon_mkdir_write_enable=YES
# anonymous users may delete and rename files
anon_other_write_enable=YES

(5) Set file permissions on the upload directory (pub under /var/ftp)

#chmod 777 pub               # not recommended
#setfacl -m u:ftp:rwx pub    # recommended: grant write access only to the ftp user

(6) Set the permissions of files that anonymous users upload or create

Umask value: determines the default permissions of a newly created file or directory. The default umask value is 0022.

If you use vsftpd with local users, modify local_umask in the configuration file;
if you use vsftpd with virtual users, modify anon_umask in the configuration file (anon_umask also governs anonymous users).

When umask = 022, a newly created directory gets permission 755 and a file gets 644; when
umask = 077, a newly created directory gets 700 and a file gets 600.

(7) Do not allow system users to log in; only anonymous users may log in:

anonymous_enable=YES
local_enable=NO

(8) Set the default directory anonymous users see when accessing FTP

# the default
anon_root=/var/ftp
# or another directory, for example
anon_root=/var/public

Note: when changing the default directory for anonymous users, do not point anon_root at the existing home directory of another account, or anonymous users will not be able to access the FTP server.

4. Configure system users to access the FTP server

1. Key points about system user access to FTP

(1) By default a system user lands in their own home directory, can upload, download, create and delete, and can also change to other directories on the system.

Turn off anonymous access and allow only system users:

# disable anonymous access
anonymous_enable=NO
# allow system (local) users
local_enable=YES
local_umask=022

(2) Confine system users to their own home directory with full permissions there, and do not allow them to change to other directories on the system.

# confine users to their own home directory; they cannot change to other directories
chroot_local_user=YES
# allow writing inside the chroot
allow_writeable_chroot=YES
ftpd_banner=welcome to our home!
# maximum number of concurrent connections
max_clients=30
# idle session timeout, in seconds
idle_session_timeout=600

(3) Give system users access to a specified directory, with permission to upload, download, create and delete, and do not allow them to change to other directories on the system.

# default directory for system users accessing FTP
local_root=/mnt/public/
# allow writing
write_enable=YES
# confine users to the specified directory; they cannot change to other directories
chroot_local_user=YES
# allow writing inside the chroot
allow_writeable_chroot=YES

Then modify the file permissions under the /mnt/public/ directory.

2. Access control based on local users

By default, every system user on the FTP server can access FTP. To restrict access to specific system users only, vsftpd provides two configuration files related to system users:

/etc/vsftpd/ftpusers is a list of FTP users (blacklist) that are forbidden to log in. Any user contained in this file is denied login to the vsftpd server, regardless of whether the user also appears in /etc/vsftpd/user_list.

/etc/vsftpd/user_list is a list of FTP users that may be either allowed or denied login (whitelist or blacklist), depending on the settings below.

The specific decision is made in the main configuration file vsftpd.conf:

When userlist_enable=YES is set, the user_list file takes effect.

When userlist_deny=YES is set, only the accounts in the list are prohibited from logging in.

When userlist_deny=NO is set, only the users in the list are allowed to log in.

The ftpusers file has higher priority than the user_list file: if a user appears in both files, access to FTP is denied.

Example: to allow only the ftpuser user to access FTP, make the following settings:

#vim /etc/vsftpd/vsftpd.conf
    # enable the user_list file (the system default)
    userlist_enable=YES
    # allow only the users in the list to log in
    userlist_deny=NO
#vim /etc/vsftpd/user_list
    # the file now contains only this line
    ftpuser

After restarting the service and testing from the client, only the ftpuser user can access FTP.
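To check these rules before touching a live server, here is an added example (not from the original post) that models the decision exactly as described above: ftpusers always denies, and user_list applies only when userlist_enable=YES, with userlist_deny choosing whether the list denies or allows. The sample file contents are constructed.

```python
"""Model of the vsftpd local-user login decision from ftpusers, user_list and the
userlist_enable / userlist_deny options, as described above."""


def parse_list(text):
    """Usernames from an ftpusers/user_list style file: one per line, '#' comments and blanks ignored."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line)
    return users


def login_allowed(user, ftpusers, user_list, userlist_enable=True, userlist_deny=True):
    """Return (allowed, reason). ftpusers always wins; user_list is consulted only when
    userlist_enable=YES, and userlist_deny decides whether it is a blacklist or a whitelist."""
    if user in ftpusers:
        return False, "listed in /etc/vsftpd/ftpusers (always denied)"
    if not userlist_enable:
        return True, "user_list not consulted (userlist_enable=NO)"
    in_list = user in user_list
    if userlist_deny:
        if in_list:
            return False, "listed in user_list with userlist_deny=YES"
        return True, "not in user_list (userlist_deny=YES)"
    if in_list:
        return True, "listed in user_list with userlist_deny=NO"
    return False, "not in user_list (userlist_deny=NO)"


# Constructed sample files mirroring the example above: only ftpuser may log in.
FTPUSERS = parse_list("# users that can never log in over FTP\nroot\nbin\ndaemon\n")
USER_LIST = parse_list("ftpuser\n")

if __name__ == "__main__":
    for name in ("ftpuser", "root", "alice"):
        print(name, login_allowed(name, FTPUSERS, USER_LIST, userlist_deny=False))
```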

5. Configure virtual users to access FTP

1. Install the packages and authentication modules that vsftpd virtual users need

#yum install pam* libdb-utils libdb* --skip-broken -y

2. Create a temporary virtual user file, /etc/vsftpd/ftpusers.txt, with usernames and passwords on alternating lines (a username on one line, its password on the next):

techftp
123456
netftp
123456
admftp
123456
markftp
123456

3. Generate the vsftpd virtual user database file and set its permissions to 600

#db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftp_login.db
#chmod 600 /etc/vsftpd/vsftp_login.db

4. Configure the PAM authentication file: vim /etc/pam.d/vsftpd.vu

auth   required   pam_userdb.so   db=/etc/vsftpd/vsftp_login
account  required  pam_userdb.so  db=/etc/vsftpd/vsftp_login

5. Create the system user that the virtual users are mapped to

#useradd -s /sbin/nologin ftpuser

6. Modify the configuration file: #vim /etc/vsftpd/vsftpd.conf

# change the existing pam_service_name=vsftpd line to use the new PAM file
pam_service_name=vsftpd.vu
# enable virtual (guest) user access
guest_enable=YES
# the system user that virtual users are mapped to
guest_username=ftpuser
# directory holding the per-virtual-user configuration files
user_config_dir=/etc/vsftpd/vsftpd_user_conf
# give virtual users the same privileges as local users
virtual_use_local_privs=YES

7. Create a private directory and a separate configuration file for each virtual user

#mkdir /home/ftpuser/techftp
#mkdir /etc/vsftpd/vsftpd_user_conf
#vim /etc/vsftpd/vsftpd_user_conf/techftp
    # directory this user lands in
    local_root=/home/ftpuser/techftp
    # allow writing
    write_enable=YES
    # only world-readable files may be downloaded
    anon_world_readable_only=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
#mkdir /home/ftpuser/netftp
#vim /etc/vsftpd/vsftpd_user_conf/netftp
    local_root=/home/ftpuser/netftp
    write_enable=YES
    # this user does not get local-user privileges
    virtual_use_local_privs=NO
    # only world-readable files may be downloaded
    anon_world_readable_only=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
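Added example, not part of the original post: a Python script that validates the alternating username/password file before it is fed to db_load (step 2) and generates the per-user files of step 7. It writes into a temporary directory standing in for /etc/vsftpd/vsftpd_user_conf, and the sample credentials are constructed.

```python
"""Validate the alternating username/password file fed to db_load above and generate the
per-user files under user_config_dir. Sample contents are constructed for this example."""
import os
import tempfile

def parse_credentials(text):
    """Return [(user, password), ...]. db_load -T pairs alternate lines as key/value, so an
    odd line count or a blank line silently shifts every later password onto the wrong user."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd number of lines: every username needs a password line")
    pairs, seen = [], set()
    for user, password in zip(lines[0::2], lines[1::2]):
        if not user.strip() or not password.strip():
            raise ValueError("blank line found: usernames and passwords must not be empty")
        if user in seen:
            raise ValueError("duplicate username: " + user)
        seen.add(user)
        pairs.append((user, password))
    return pairs

def user_conf(user, base="/home/ftpuser", local_privs=True):
    """Contents of /etc/vsftpd/vsftpd_user_conf/<user>, mirroring the techftp/netftp files."""
    lines = ["local_root=%s/%s" % (base, user), "write_enable=YES",
             "anon_world_readable_only=YES", "anon_upload_enable=YES",
             "anon_mkdir_write_enable=YES", "anon_other_write_enable=YES"]
    if not local_privs:                      # netftp style: no local-user privileges
        lines.insert(2, "virtual_use_local_privs=NO")
    return "\n".join(lines) + "\n"

def write_user_confs(pairs, conf_dir, no_local_privs=()):
    """Write one config file per virtual user with mode 600; return [(path, mode), ...]."""
    os.makedirs(conf_dir, mode=0o755, exist_ok=True)
    written = []
    for user, _ in pairs:
        path = os.path.join(conf_dir, user)
        with open(path, "w") as fh:
            fh.write(user_conf(user, local_privs=user not in no_local_privs))
        os.chmod(path, 0o600)
        written.append((path, os.stat(path).st_mode & 0o777))
    return written

def make_temp_conf_dir():
    """Scratch stand-in for /etc/vsftpd/vsftpd_user_conf so the example runs unprivileged."""
    return tempfile.mkdtemp(prefix="vsftpd_user_conf_")

# Constructed sample matching the four users listed above.
SAMPLE_CREDENTIALS = "techftp\n123456\nnetftp\n123456\nadmftp\n123456\nmarkftp\n123456\n"
```

Running write_user_confs(parse_credentials(SAMPLE_CREDENTIALS), make_temp_conf_dir(), no_local_privs=("netftp",)) produces the two files shown above plus admftp and markftp.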

6. vsftpd log management

1. The logging of an FTP server built with vsftpd is configured in /etc/vsftpd/vsftpd.conf:

# enable logging of uploads and downloads
xferlog_enable=YES
# use the standard (wu-ftpd style) log format
xferlog_std_format=YES
# path of the log file; the default is /var/log/xferlog
xferlog_file=/var/log/xferlog

2. Each line of the log file has the following fields:

(1) Current time (local time), in the format DDD MMM dd hh:mm:ss YYYY

(2) Transfer time: the time taken to transfer the file, in seconds

(3) Remote host name or IP address

(4) File size: the size of the transferred file, in bytes

(5) File name: the name of the transferred file, including its path

(6) Transfer type: a = ASCII transfer; b = binary transfer

(7) Special action flag:

_: no special action

c: the file was compressed

u: the file was uncompressed

T: the file was tar'ed

(8) Transfer direction: o = outgoing (from FTP server to client); i = incoming (from client to FTP server)

(9) Access mode: a = anonymous user; g = guest (virtual) user; r = real (system) user

(10) Username

(11) Service name: normally ftp

(12) Authentication method: 0 = none; 1 = RFC 931 authentication

(13) Authenticated user id: * means the id could not be obtained

(14) Completion status: i = transfer not completed; c = transfer completed
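Added example (not from the original post): a parser for these 14 fields over a few constructed xferlog lines, picking out completed uploads by anonymous users and transfers that did not complete, which is what a defender reviews first on a server that allows anonymous write access.

```python
"""Parse vsftpd xferlog (wu-ftpd style) lines into the 14 fields described above and pick
out the records a defender cares about. The sample log lines are constructed."""
from datetime import datetime

# Field names in documented order, after the 5-token timestamp.
FIELDS = ("transfer_time", "remote_host", "file_size", "file_name", "transfer_type",
          "special_action", "direction", "access_mode", "username", "service_name",
          "auth_method", "auth_user_id", "completion_status")

# Constructed sample records (not from a real server): a download and an upload by
# anonymous, a virtual-user upload, and an incomplete upload.
SAMPLE_LOG = """\
Mon Oct 19 10:01:02 2020 1 192.0.2.10 5120 /var/ftp/pub/readme.txt b _ o a anonymous ftp 0 * c
Mon Oct 19 10:03:45 2020 3 192.0.2.10 40960 /var/ftp/pub/tool.bin b _ i a anonymous ftp 0 * c
Mon Oct 19 10:05:00 2020 12 198.51.100.7 1048576 /home/ftpuser/techftp/data.tar b _ i g techftp ftp 0 * c
Mon Oct  5 23:59:59 2020 0 198.51.100.7 0 /home/ftpuser/netftp/x.txt a _ i g netftp ftp 0 * i
"""

def parse_xferlog_line(line):
    """Return a dict for one record, or None if the line does not have the expected shape.
    vsftpd writes spaces in file names as '_', so the token count is fixed at 5 + 13."""
    tokens = line.split()
    if len(tokens) != 5 + len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens[5:]))
    rec["time"] = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    rec["transfer_time"] = int(rec["transfer_time"])
    rec["file_size"] = int(rec["file_size"])
    return rec

def parse_xferlog(text):
    """All well-formed records in a log text, in file order."""
    return [r for r in (parse_xferlog_line(ln) for ln in text.splitlines()) if r]

def anonymous_uploads(records):
    """File names uploaded (direction i) by anonymous users (access mode a) that completed (c)."""
    return [r["file_name"] for r in records
            if r["direction"] == "i" and r["access_mode"] == "a" and r["completion_status"] == "c"]

def incomplete_transfers(records):
    """(username, file name) of every transfer whose completion status is i."""
    return [(r["username"], r["file_name"]) for r in records if r["completion_status"] == "i"]
```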


Origin blog.csdn.net/weixin_49671316/article/details/108900550