Experimental environment
Server host:
hostname: westos_node3
IP address: 172.25.254.20
SELinux disabled (a reboot is required for the change to take effect):
vim /etc/sysconfig/selinux
firewall enabled
dnf repository configured
Client host:
hostname: westos_zxn
IP address: 172.25.254.10
SELinux disabled
dnf repository configured
Install lftp (a command-line FTP client)
FTP introduction
FTP: File Transfer Protocol
The oldest file transfer protocol on the Internet
vsftpd installation and activation
On node3:
dnf install vsftpd -y
systemctl enable --now firewalld
systemctl enable --now vsftpd
firewall-cmd --permanent --add-service=ftp
firewall-cmd --permanent --add-source=172.25.254.10 --zone=trusted
systemctl restart firewalld or firewall-cmd --reload
vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES (line 12) enables anonymous user access
systemctl restart vsftpd
Test the installation:
open ftp://172.25.254.20 in Firefox
lftp 172.25.254.20 (the test counts as successful only if the client can list the published directory)
When finished, type exit to leave lftp
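Almost every step in these notes is the same cycle: edit a directive in /etc/vsftpd/vsftpd.conf, then systemctl restart vsftpd. The helper below is an added example written for this page, not part of the notes or of vsftpd: it sets a directive idempotently (rewriting an existing or commented-out line, dropping duplicates, appending if the key was never mentioned), so a setting is never left with one active and one stale value. The demo runs on a constructed temporary copy, not on the live configuration file.

```shell
#!/bin/sh
# Added example: idempotent editing of vsftpd.conf directives (helper written for these notes,
# not a vsftpd tool). vsftpd reads KEY=VALUE lines; "#" starts a comment.

# vsftpd_set FILE KEY VALUE
# Rewrites the first line that sets KEY (active or commented out) to KEY=VALUE,
# drops any later duplicates, and appends KEY=VALUE if the file never mentioned KEY.
vsftpd_set() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "=") {
            if (!done) { print k "=" v; done = 1 }   # first hit: rewrite in place
            next                                      # later hits: drop duplicates
        }
        { print }
        END { if (!done) print k "=" v }             # never seen: append
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# vsftpd_get FILE KEY
# Prints the active value of KEY (empty if the directive is absent or commented out).
vsftpd_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Demo on a constructed copy: a commented-out anonymous_enable, as shipped configs often have.
demo=$(mktemp)
printf '# constructed vsftpd.conf fragment for the demo\n#anonymous_enable=NO\nlocal_enable=YES\n' > "$demo"
vsftpd_set "$demo" anonymous_enable YES      # enable anonymous access (line 12 in the notes)
vsftpd_set "$demo" anon_root /westosdir      # directive absent: appended
cat "$demo"
rm -f "$demo"
```

After a run, vsftpd_get returns the single active value, which is what vsftpd will read after the restart.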
Basic information of vsftpd
Service name:
vsftpd.service
Configuration directory:
/etc/vsftpd
Main configuration file:
/etc/vsftpd/vsftpd.conf
Default publishing directory:
/var/ftp
Error messages:
550 refused by the service itself (the operation is disabled in vsftpd and must be enabled in the configuration file)
553 blocked by file system permissions
500 permissions are too permissive (for example a world-writable directory)
530 authentication failed (wrong password, or anonymous login is not enabled)
Anonymous user access control
lftp 192.168.0.10 (connecting without a user name logs in as the anonymous user)
lftp 192.168.0.10 -u westos (logs in as the local user westos)
Login control
/etc/vsftpd/vsftpd.conf
anonymous_enable=YES|NO (line 12)
systemctl restart vsftpd
Home directory control
anon_root=/westosdir
systemctl restart vsftpd
Connect to node3 from the client host and confirm that the anonymous home directory has changed
Upload control
anon_upload_enable=YES|NO (line 30)
systemctl restart vsftpd
chmod 775 /var/ftp/pub (with 777 the upload fails with a "500" error because the directory permissions are too permissive)
chgrp ftp /var/ftp/pub/
lftp 172.25.254.20
cd pub
put /etc/passwd
Directory creation control
anon_mkdir_write_enable=YES|NO (line 34)
Directories can now be created
Delete and rename control
anon_other_write_enable=YES|NO
Download control (lets anonymous users download files that are not world-readable)
anon_world_readable_only=NO
Anonymous upload file permissions
anon_umask=022 (once chown_username is set, this parameter no longer determines the upload permissions; chown_upload_mode must be used instead)
Files uploaded by anonymous users are owned by the ftp user by default
chown_uploads=YES
chown_username=redhat (every file created on the server by anonymous users is owned by redhat)
chown_upload_mode=0644 (after setting chown_username, the upload permissions must be set with this parameter)
The permissions and owner of newly uploaded files have now changed
Login count control:
max_clients=2
If more than two clients are connected at the same time, the additional connections are refused
Upload rate control
anon_max_rate=102400
On the client host:
dd if=/dev/zero of=file bs=1M count=100 (create a 100 MB test file)
Transferring this file shows that the anonymous transfer speed is now limited
Local user access
Login control
useradd redhat
useradd xsb
useradd daddy
echo linux | passwd --stdin redhat
echo linux | passwd --stdin daddy
echo linux | passwd --stdin xsb
su - redhat (likewise for daddy and xsb)
touch xxfile
lftp 172.25.254.20 -u xxx (the local user can now log in)
local_enable=NO (modify the configuration file on node3)
The local user can no longer log in
Home directory control
local_root=/westosdir (changes the home directory to /westosdir)
The home directory has now changed
Write permission control
write_enable=NO
Attempting to write a file now returns an error
Upload file permission control
local_umask=077 (set the upload umask to 077)
The newly uploaded file has mode 600 (new files start at 666 and the umask bits are masked off: 666 with the 077 bits removed gives 600)
Lock users into their home directory (prevent browsing the / directory); before this change a local user can browse / freely
chroot_local_user=YES (all local users are now confined to their own home directory; with NO, everyone can browse everywhere)
chmod u-w /home/* (remove the owner's write permission: vsftpd refuses to chroot a user into a directory that user can write to)
The / directory can no longer be browsed
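Three of the permission rules above are easy to get wrong: a 777 upload directory produces the 500 error, the upload mode follows from the umask (600 for local_umask=077), and the home directories must lose the owner's write bit before chroot works. The script below is an added example for these notes, not a vsftpd tool: it computes the mode an upload will receive from a given umask (assuming vsftpd's default file_open_mode of 0666) and checks directories for the two conditions vsftpd rejects, using GNU stat. It runs on constructed temporary directories, so it does not touch /var/ftp or /home.

```shell
#!/bin/sh
# Added example for these notes (not a vsftpd tool): permission checks for the rules vsftpd
# enforces. Uses GNU stat(1) as found on RHEL-family systems.

# mode_from_umask UMASK
# Mode of an uploaded file: vsftpd opens new files with file_open_mode (default 0666)
# and the configured umask bits are masked off. 077 -> 600, 022 -> 644.
mode_from_umask() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# anon_upload_dir_ok DIR
# An anonymous upload directory must be group-writable (group ftp) but NOT writable by
# "other"; a 777 directory makes the upload fail with the 500 error noted above.
anon_upload_dir_ok() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 02 )) -eq 0 ]
}

# chroot_root_ok DIR
# vsftpd refuses to chroot() a local user into a home directory the owner can write to
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), hence chmod u-w.
chroot_root_ok() {
    mode=$(stat -c '%a' "$1")
    [ $(( (0$mode >> 6) & 02 )) -eq 0 ]
}

# audit_dir KIND DIR: prints "ok" or the problem the admin would otherwise hit at login/upload
audit_dir() {
    case $1 in
        upload) anon_upload_dir_ok "$2" && echo ok || echo "world-writable: expect 500 on upload" ;;
        chroot) chroot_root_ok "$2" && echo ok || echo "owner-writable: vsftpd refuses writable root inside chroot()" ;;
    esac
}

# Demo on constructed directories standing in for /var/ftp/pub and /home/redhat.
d=$(mktemp -d)
mkdir "$d/pub" "$d/redhat"
chmod 777 "$d/pub";    echo "pub 777:  $(audit_dir upload "$d/pub")"
chmod 775 "$d/pub";    echo "pub 775:  $(audit_dir upload "$d/pub")"
chmod 700 "$d/redhat"; echo "home 700: $(audit_dir chroot "$d/redhat")"
chmod u-w "$d/redhat"; echo "home u-w: $(audit_dir chroot "$d/redhat")"
echo "local_umask=077 -> upload mode $(mode_from_umask 077)"
rm -rf "$d"
```

Point audit_dir at the real /var/ftp/pub (upload) or each /home/* (chroot) to check a server before restarting vsftpd; anon_umask and local_umask feed mode_from_umask unchanged, while chown_upload_mode overrides the result when chown_uploads=YES, as the notes describe.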
Chroot with a whitelist (listed users are exempt from the home directory lock)
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
vim /etc/vsftpd/chroot_list
systemctl restart vsftpd
Now everyone except redhat, who is in the list, is confined to the home directory; only redhat can browse the / directory
Chroot with a blacklist (only listed users are locked into their home directory)
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
vim /etc/vsftpd/chroot_list
systemctl restart vsftpd
Now only redhat, who is in the list, is confined to the home directory; everyone else can browse the / directory
User login control
Before this experiment, comment out the configuration from the previous steps to keep the environment clean
/etc/vsftpd/ftpusers: permanent blacklist (listed users can never log in)
/etc/vsftpd/user_list: a blacklist by default
User login whitelist
userlist_deny=NO (once set, /etc/vsftpd/user_list becomes a whitelist and users not listed in it cannot log in)
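The chroot list above and the two login lists here form a small decision table that is easy to misread: chroot_local_user and chroot_list_enable together decide whether a listed user is the exception or the rule, and userlist_deny flips user_list between blacklist and whitelist. The functions below are an added example, not from the notes or from vsftpd: given a vsftpd.conf and the list files, they report whether a local user may log in and whether the session is confined to the home directory. Assumptions, also stated in the code: the stock PAM stack rejects users named in ftpusers, an absent directive takes vsftpd's compiled-in default (userlist_enable=NO, userlist_deny=YES, chroot_local_user=NO, chroot_list_enable=NO), and the list paths default to the ones used in these notes. The demo constructs its own files in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the notes or of vsftpd): predict vsftpd's treatment of a local
# user from the login/chroot directives. Assumptions: the default PAM stack denies users
# listed in ftpusers; absent directives take vsftpd's compiled-in defaults
# (userlist_enable=NO, userlist_deny=YES, chroot_local_user=NO, chroot_list_enable=NO).

# conf_get FILE KEY DEFAULT: value of the last active KEY= line, or DEFAULT if none
conf_get() {
    v=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${v:-$3}"
}

# in_list FILE USER: true if USER appears as a whole line of FILE (missing file = empty list)
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# login_verdict CONF FTPUSERS USER -> "allowed" | "denied (<reason>)"
login_verdict() {
    if in_list "$2" "$3"; then
        echo "denied (ftpusers: permanent blacklist)"; return
    fi
    if [ "$(conf_get "$1" userlist_enable NO)" = YES ]; then
        list=$(conf_get "$1" userlist_file /etc/vsftpd/user_list)
        deny=$(conf_get "$1" userlist_deny YES)
        if in_list "$list" "$3"; then
            [ "$deny" = YES ] && { echo "denied (user_list as blacklist)"; return; }
        else
            [ "$deny" = NO ] && { echo "denied (user_list as whitelist, user not listed)"; return; }
        fi
    fi
    echo allowed
}

# chroot_verdict CONF USER -> "yes" (confined to home) | "no" (may browse /)
chroot_verdict() {
    listed=no
    if [ "$(conf_get "$1" chroot_list_enable NO)" = YES ]; then
        in_list "$(conf_get "$1" chroot_list_file /etc/vsftpd/chroot_list)" "$2" && listed=yes
    fi
    if [ "$(conf_get "$1" chroot_local_user NO)" = YES ]; then
        # everyone confined, listed users are the exception (whitelist case in the notes)
        [ "$listed" = yes ] && echo no || echo yes
    else
        # nobody confined, listed users are the exception (blacklist case in the notes)
        [ "$listed" = yes ] && echo yes || echo no
    fi
}

# Demo with constructed files reproducing the whitelist experiment: redhat is in chroot_list.
w=$(mktemp -d)
printf 'redhat\n' > "$w/chroot_list"
: > "$w/ftpusers"
printf 'userlist_enable=YES\nuserlist_deny=YES\nuserlist_file=%s\nchroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$w/user_list" "$w/chroot_list" > "$w/vsftpd.conf"
for u in redhat xsb; do
    echo "$u: login $(login_verdict "$w/vsftpd.conf" "$w/ftpusers" $u), confined to home: $(chroot_verdict "$w/vsftpd.conf" $u)"
done
rm -rf "$w"
```

Run the two verdict functions against /etc/vsftpd/vsftpd.conf and /etc/vsftpd/ftpusers before restarting the service to confirm that a list change has the intended direction.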
Virtual user access
Creating virtual users (comment out userlist_deny=NO before this step)
vim /etc/vsftpd/westos_user (create the authentication template: alternating lines of user name and password)
user1
123
user2
123
cd /etc/vsftpd && db_load -T -t hash -f westos_user westos_user.db (build the Berkeley DB authentication database; -T converts text input, -t selects the database type, -f names the input file)
vim /etc/pam.d/westos_ftp
account required pam_userdb.so db=/etc/vsftpd/westos_user
auth required pam_userdb.so db=/etc/vsftpd/westos_user
vim /etc/vsftpd/vsftpd.conf
pam_service_name=westos_ftp (names the PAM service file used for authentication)
guest_enable=YES (enables virtual users)
guest_username=ftp (the local account that virtual users are mapped to on the ftp server)
systemctl restart vsftpd
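The db_load -T input above is position-sensitive: odd lines are user names, even lines are passwords, so an odd line count or a stray blank line shifts every following pair and passwords quietly become user names. The script below is an added example for these notes, not from vsftpd or libdb: it validates such a template, then builds the database with the same db_load command the notes use (db_load is only invoked if it is installed). pam_userdb appends the .db suffix itself, which is why the PAM file says db=/etc/vsftpd/westos_user while the file is westos_user.db. The demo works on a constructed template in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the notes): validate the db_load -T input before building the
# pam_userdb database. Format: alternating lines, user name then password. An odd line
# count or a blank line shifts every following pair, so passwords silently become user names.

# users_from_template FILE: print the user names (odd lines) if FILE is well-formed, else return 1
users_from_template() {
    n=$(awk 'END { print NR }' "$1")
    [ $((n % 2)) -eq 0 ] || { echo "$1: odd line count ($n), a user has no password" >&2; return 1; }
    ! grep -q '^[[:space:]]*$' "$1" || { echo "$1: blank line shifts the user/password pairs" >&2; return 1; }
    users=$(awk 'NR % 2 == 1' "$1")
    dups=$(printf '%s\n' "$users" | sort | uniq -d)
    [ -z "$dups" ] || { echo "$1: duplicate user(s): $dups" >&2; return 1; }
    printf '%s\n' "$users"
}

# build_userdb TEMPLATE DBBASE: validate, then run db_load as in the notes. pam_userdb adds the
# .db suffix itself, so db=/etc/vsftpd/westos_user in the PAM file refers to westos_user.db.
# Both files hold plaintext passwords, so they are left readable by root only.
build_userdb() {
    users_from_template "$1" > /dev/null || return 1
    command -v db_load > /dev/null 2>&1 || { echo "db_load not found" >&2; return 2; }
    db_load -T -t hash -f "$1" "$2.db" && chmod 600 "$1" "$2.db"
}

# Demo on a constructed template with the two users from the notes, plus a broken one.
v=$(mktemp -d)
printf 'user1\n123\nuser2\n123\n' > "$v/westos_user"
echo "users in template: $(users_from_template "$v/westos_user" | tr '\n' ' ')"
printf 'user1\n123\nuser2\n' > "$v/broken"
users_from_template "$v/broken" || echo "broken template rejected"
rm -rf "$v"
```

On the server, build_userdb /etc/vsftpd/westos_user /etc/vsftpd/westos_user produces the westos_user.db that the PAM file references.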
Independent home directory for each virtual user
mkdir /virtuserdir
mkdir /virtuserdir/user{1..2}
mkdir /virtuserdir/user{1..2}/pub
touch /virtuserdir/user1/user1file
touch /virtuserdir/user2/user2file
vim /etc/vsftpd/vsftpd.conf
local_root=/virtuserdir/$USER
user_sub_token=$USER
systemctl restart vsftpd
Logging in again shows that each virtual user now has its own home directory
Per-user configuration
Complete the configuration from the previous steps before this experiment
The experiment begins
user_config_dir=/etc/vsftpd/westos_conf (a file in this directory with the same name as a user is that user's configuration file)
mkdir /etc/vsftpd/westos_conf
vim /etc/vsftpd/westos_conf/user2
anon_upload_enable=YES
After this, user2 can upload files while user1 and user3 cannot