ECS training camp Day 1: set up an FTP service

Install vsftpd

  1. Run the following command to install vsftpd.
    yum install -y vsftpd
  2. Run the following command to set the FTP service to start automatically at boot.
    systemctl enable vsftpd.service
  3. Start the FTP service.
    systemctl start vsftpd.service
  4. Run the following command to view the port the FTP service is listening on.
    netstat -antup | grep ftp
    If the output shows a listening socket on port 21, the FTP service has started. At this point vsftpd allows anonymous access by default: you can log in to the FTP server without entering a user name or password, but you cannot modify or upload files.

Configure vsftpd

vsftpd (very secure FTP daemon) is the most highly regarded FTP server in Linux distributions. vsftpd supports two access modes: anonymous access and local user mode. In anonymous mode, any user can access the FTP service; in local user mode, only local users that have been added can access it.

Note: anonymous user mode and local user mode cannot both be configured at the same time.

  • Anonymous user mode
  1. Modify the configuration file vsftpd.conf.
    vim /etc/vsftpd/vsftpd.conf
    Press the i key to enter insert mode, and uncomment anon_upload_enable=YES to allow anonymous uploads.
  2. Press the ESC key to leave insert mode, then enter :wq to save and exit vim.
  3. Change the permissions of the /var/ftp/pub directory to add write permission for FTP users.
    chmod o+w /var/ftp/pub/
  4. Restart the FTP service.
    systemctl restart vsftpd.service
  • Local user mode
  1. Create a Linux user for the FTP service.
    adduser ftptest
    Set a password for the user.
    passwd ftptest
  2. Create a directory for the FTP service.
    mkdir /var/ftp/test
  3. Change the owner of the /var/ftp/test directory to ftptest.
    chown -R ftptest:ftptest /var/ftp/test
  4. Modify the vsftpd.conf configuration file.

To configure FTP in active mode, run the following commands:

sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf #disable anonymous login to the FTP server
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf #listen on IPv4 sockets
sed -i 's/listen_ipv6=YES/#listen_ipv6=YES/' /etc/vsftpd/vsftpd.conf #stop listening on IPv6 sockets
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf #confine all users to their home directory
sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd/vsftpd.conf #enable the exception user list
sed -i 's/#chroot_list_file=/chroot_list_file=/' /etc/vsftpd/vsftpd.conf #specify the exception user list file; users in the list are not confined to their home directory
echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf
echo "local_root=/var/ftp/test" >> /etc/vsftpd/vsftpd.conf #set the directory a local user lands in after login

To configure FTP in passive mode, run the following commands:

sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf #disable anonymous login to the FTP server
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf #listen on IPv4 sockets
sed -i 's/listen_ipv6=YES/#listen_ipv6=YES/' /etc/vsftpd/vsftpd.conf #stop listening on IPv6 sockets
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf #confine all users to their home directory
sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd/vsftpd.conf #enable the exception user list
sed -i 's/#chroot_list_file=/chroot_list_file=/' /etc/vsftpd/vsftpd.conf #specify the exception user list file; users in the list are not confined to their home directory
echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf
echo "local_root=/var/ftp/test" >> /etc/vsftpd/vsftpd.conf #set the directory a local user lands in after login

echo "pasv_enable=YES" >> /etc/vsftpd/vsftpd.conf #enable passive mode
echo "pasv_address=<FTP server public IP address>" >> /etc/vsftpd/vsftpd.conf #in this tutorial, the elastic IP of the ECS instance
echo "pasv_min_port=20" >> /etc/vsftpd/vsftpd.conf #lowest port of the range that passive-mode data connections may use
echo "pasv_max_port=21" >> /etc/vsftpd/vsftpd.conf #highest port of the range that passive-mode data connections may use
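The sed/echo lines above overwrite the setting only if the exact line exists and append a duplicate every time they are re-run. As an added example (not part of the original post), the helpers below apply the same settings idempotently to any file path you give them and then check the security-relevant ones; they write listen_ipv6=NO instead of commenting it out, and the 30000-30100 passive port range and the stock-config sample are constructed assumptions, not values from the post.

```shell
# Added example: idempotent vsftpd.conf editing plus a post-edit check.
# Works on whatever path it is given, so try it on a copy of the real file first.

# set_opt FILE KEY VALUE: rewrite an existing "KEY=" or "#KEY=" line, else append.
set_opt() {
    file=$1 key=$2 value=$3
    if grep -q "^#\{0,1\}${key}=" "$file"; then
        sed -i "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the effective (uncommented) value, empty if unset.
get_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_conf FILE: succeed only if anonymous login is off, local users are
# chrooted, and the passive data-port range is a dedicated high range
# (min > 1024, max >= min); a 20-21 range would collide with ports 21 and 20.
check_conf() {
    f=$1
    [ "$(get_opt "$f" anonymous_enable)" = NO ] || { echo "anonymous login still enabled"; return 1; }
    [ "$(get_opt "$f" chroot_local_user)" = YES ] || { echo "local users not chrooted"; return 1; }
    lo=$(get_opt "$f" pasv_min_port); hi=$(get_opt "$f" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -gt 1024 ] && [ "$hi" -ge "$lo" ] ||
        { echo "pasv_min_port/pasv_max_port must be a high range, e.g. 30000-30100"; return 1; }
}

# Constructed stand-in for a stock vsftpd.conf (not the real file), for trying this out.
sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'listen=NO' 'listen_ipv6=YES' \
        '#chroot_local_user=YES' '#chroot_list_file=/etc/vsftpd/chroot_list' > "$f"
    echo "$f"
}

# apply_post_settings FILE: the passive-mode settings of the post, with an
# assumed 30000-30100 passive range (set pasv_address separately for the real server).
apply_post_settings() {
    f=$1
    set_opt "$f" anonymous_enable NO;        set_opt "$f" listen YES
    set_opt "$f" listen_ipv6 NO;             set_opt "$f" chroot_local_user YES
    set_opt "$f" chroot_list_enable YES;     set_opt "$f" chroot_list_file /etc/vsftpd/chroot_list
    set_opt "$f" allow_writeable_chroot YES; set_opt "$f" local_root /var/ftp/test
    set_opt "$f" pasv_enable YES
    set_opt "$f" pasv_min_port 30000;        set_opt "$f" pasv_max_port 30100
}
```

Whatever passive range you choose must also be opened in the ECS security group, or clients will connect on port 21 and then hang on the data transfer.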

FTP active and passive modes: the FTP protocol uses two TCP connections. One is the command connection, used to send commands between the FTP client and the server; the other is the data connection, used to upload or download data. In both active and passive mode, the two connections are established in sequence for a file transfer, first the command connection and then the data connection. The difference between active and passive mode lies in how the data connection is set up.

In active mode the server actively connects to the client's data port. The FTP client opens a random port N greater than 1024, connects from it to the server's port 21, then listens on port N+1 and sends a PORT N+1 command to the server. After receiving the command, the server connects from its local FTP data port (usually 20) to the port N+1 designated by the client for data transmission.

In PASV (passive) mode, when the server receives a client's request it selects a random port from 1024 to 5000 and the client then connects to that port to transfer data. Because the data connection is established passively and automatically, this mode is more exposed to attack, so its security is weaker.
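The PORT command and the PASV reply described above both carry the address and port as six comma-separated numbers, with the port split into port/256 and port%256. As an added example (not from the original post), these shell helpers build a PORT argument, decode a PASV reply into host:port, and check that the port the server chose lies inside the pasv_min_port..pasv_max_port range that was opened; the addresses and ports used are constructed, apart from the post's example IP 106.15.8.127.

```shell
# Added example: encode/decode the FTP data-connection endpoints.

# port_arg IP PORT: the argument of the active-mode PORT command, e.g.
#   port_arg 192.168.1.10 1025  ->  192,168,1,10,4,1   (1025 = 4*256 + 1)
port_arg() {
    ip=$1 port=$2
    printf '%s,%d,%d\n' "$(printf '%s' "$ip" | tr . ,)" $((port / 256)) $((port % 256))
}

# pasv_endpoint REPLY: decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# into "h1.h2.h3.h4:port"; fails on anything that is not a well-formed PASV reply.
pasv_endpoint() {
    fields=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || { echo "not a PASV reply" >&2; return 1; }
    set -- $(printf '%s' "$fields" | tr , ' ')
    [ $# -eq 6 ] || { echo "malformed PASV reply" >&2; return 1; }
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# in_range PORT MIN MAX: succeed if the server's chosen data port falls inside
# the passive range that the firewall / security group rule allows.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}
```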

  1. Create a chroot_list file in the /etc/vsftpd directory and write the list of exception users into it.
    #Use the vim command to edit the chroot_list file and add the exception users. Users in this list are not confined to their home directory and can access other directories.
    vim /etc/vsftpd/chroot_list
    Note: even when there are no exception users, the chroot_list file must exist; its content can be empty.

  2. Restart the FTP service.
    systemctl restart vsftpd.service

Client test

  1. Open the Chrome browser and enter ftp://<FTP server public network IP address>:FTP port in the address bar. The public network IP address of the FTP server is the elastic IP address of the ECS server. For example: ftp://106.15.8.127:21

  2. In the pop-up dialog box, enter the user name and password.

  3. After a successful login you can operate on the FTP files according to the user's permissions.

Origin blog.csdn.net/qq_39578545/article/details/108755461