[Linux study notes 20] Vsftpd deployment and optimization

0. Experimental environment

  1. Disable SELinux (lab environment)

1. vim /etc/selinux/config

SELINUX=disabled   # takes effect after reboot

2. setenforce 0: turn off enforcement for the current boot (permissive mode)

3. getenforce: view the current SELinux mode

  2. Configure the software repository and install lftp

dnf install lftp -y

lftp: command-line FTP client (installed on the test host)

  3. If you log in to this machine from another host, you also need to open the ftp service in the firewall:

1. firewall-cmd --permanent --add-service=ftp

2. firewall-cmd --reload

3. firewall-cmd --list-all

1. Introduction to ftp

FTP (File Transfer Protocol) is one of the protocols in the TCP/IP suite. It has two components: the FTP server, which stores files, and the FTP client, which users run to access the resources on the server over the FTP protocol. When developing a website, FTP is commonly used to transfer web pages or programs to the web server. Because FTP transfers are efficient, the protocol is also commonly used to move large files across a network.

2. vsftpd installation and activation

  1. dnf install vsftpd -y: Install vsftpd
  2. dnf install lftp -y: Install lftp
  3. setenforce 0: Turn off SELinux enforcement
  4. systemctl enable --now vsftpd: Enable and start vsftpd
  5. rpm -qc vsftpd: List the configuration files of the vsftpd package (shows the main configuration file)


3. Basic information of vsftpd

  1. Service name: vsftpd.service
  2. Configuration directory: /etc/vsftpd
  3. Main configuration file: /etc/vsftpd/vsftpd.conf
  4. Default publishing directory: /var/ftp
  5. Common error codes:
550    refused by the program itself
553    file system permission restriction
500    permissions too broad
530    authentication failed

4. Access control for anonymous users

4.1. Login control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anonymous_enable=YES | NO
# YES: allow anonymous login
# NO: do not allow
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
    quit: log out
  • Example:

When anonymous login is prohibited (anonymous_enable=NO), the login attempt is refused; modify the setting to allow login and restart the service, and the anonymous login succeeds.

4.2. Home directory control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_root=/var/ftp   # add this line
# the directory entered on anonymous login (default /var/ftp)
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example

Create a new directory and set it as the anonymous login directory.

4.3. Upload control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_upload_enable=YES | NO
# YES: allow anonymous users to upload files (the target directory must be writable)
  2. systemctl restart vsftpd: Restart service
  3. chmod 775 /westos_ftp/westosdir/: Modify the login directory permissions (uploading requires write permission)
  4. chgrp ftp /westos_ftp/westosdir/: Change the owning group to ftp
  5. lftp 192.168.43.101: Anonymous login
    put <file path>: upload a file (cannot upload into the home directory itself)
  • Example


4.4. Directory creation control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_mkdir_write_enable=NO | YES
# YES: allow anonymous users to create directories
# NO: do not allow (default NO)
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example


4.5. Download control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_world_readable_only=YES | NO
# YES: anonymous users may only download world-readable files (default YES)
# NO: anonymous users may also download files that are not world-readable
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
    get <file>: download a file (from the directory you logged in to)
    mirror <directory>: download a directory
  • Example


4.6. Delete and rename control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_other_write_enable=YES
# YES: allow anonymous users to delete and rename files
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
    mv <file> <new name>: rename
    rm <file>: delete
  • Example


4.7. Anonymous user upload file permission setting

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_umask=022
# umask applied to files uploaded by anonymous users; once chown_username= is set, anon_umask no longer takes effect
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example


4.8. User identity settings for anonymous users uploading files

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
chown_uploads=YES
chown_username=westos   # default is ftp
chown_upload_mode=0644
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example


4.9. Login quantity control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
max_clients=2   # maximum number of simultaneous client connections
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example


4.10. Upload rate control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
anon_max_rate=102400   # maximum transfer rate for anonymous users, in bytes per second
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101: Anonymous login
  • Example


5. Local user access

Local user access command:
lftp 172.25.254.127 -u <user>

5.1. Login control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
local_enable=YES | NO
# YES: allow local system users to log in
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • Example

Preparation: create a new local user.

Experiment: log in as the new local user.

5.2. Home directory control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
local_root=<path>
# the directory entered when a local user logs in (defaults to the user's home directory)
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • Example


5.3. Write permission control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
write_enable=YES
# YES: write permission granted (global setting, default YES)
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • Example

When write_enable=NO, local users have no write permission.

5.4. Upload file permission control

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
local_umask=022
# umask applied to files uploaded by local users
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • Example

Compare the permissions of an uploaded file with local_umask=022 and with local_umask=077.

5.5. Local user login blacklist

/etc/vsftpd/ftpusers: permanent blacklist
/etc/vsftpd/user_list: default blacklist

  1. vim /etc/vsftpd/user_list: Modify the default blacklist
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • Add user sdsnzy1 to the default blacklist /etc/vsftpd/user_list. After restarting the service, sdsnzy1 can no longer log in, while sdsnzy2 still can.


5.6. Local user login whitelist

  1. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
userlist_deny=NO
# NO: /etc/vsftpd/user_list changes from a blacklist to a whitelist
  2. systemctl restart vsftpd: Restart service
  3. lftp 192.168.43.101 -u <user>: Local user login
  • After modifying /etc/vsftpd/vsftpd.conf, sdsnzy1 (listed) can log in, while sdsnzy2, which is not in the list, is refused.


5.7. Lock users to their home directory

  1. chmod u-w /home/*: remove the owner's write permission from the home directories (vsftpd refuses to chroot a user into a directory that user can write to; see error code 500 above)
  2. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
chroot_local_user=NO | YES
# NO: not locked (default)   YES: locked
  3. systemctl restart vsftpd: Restart service
  4. lftp 192.168.43.101 -u <user>: Local user login
  • When the home directory is not locked, the user can move freely into other directories.
  • After the configuration file is modified to chroot_local_user=YES and the service is restarted, the user is locked into the home directory.

5.8. Home directory lock: blacklist

That is, other users are not locked to their home directory; only the users in the list are locked.

When chroot_local_user=NO, /etc/vsftpd/chroot_list is a blacklist (the file does not exist by default).

  1. vim /etc/vsftpd/chroot_list: Edit the users in the blacklist
  2. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list   # blacklist (this is the default path)
  3. systemctl restart vsftpd: Restart service
  4. lftp 192.168.43.101 -u <user>: Local user login
  • Example
    • Add the kiosk user to the list /etc/vsftpd/chroot_list
    • Modify the configuration file and restart the service


5.9. Home directory lock: whitelist

That is, other users are locked to their home directory; only the users in the list are not locked.

When chroot_local_user=YES, /etc/vsftpd/chroot_list is a whitelist.

  1. vim /etc/vsftpd/chroot_list: Edit the users in the whitelist
  2. vim /etc/vsftpd/vsftpd.conf: Modify the configuration file
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list   # whitelist (this is the default path)
  3. systemctl restart vsftpd: Restart service
  4. lftp 192.168.43.101 -u <user>: Local user login
  • Example

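The following audit script is an added example, not part of these notes or of vsftpd: it reads a vsftpd.conf written in the key=value style used in sections 4 and 5 and reports the settings that widen anonymous or local-user access (anon_upload_enable, anon_other_write_enable, anon_world_readable_only, chroot_local_user, max_clients). The function names, the defaults assumed for absent keys and the sample configuration are this example's own assumptions, so compare them with the vsftpd.conf your distribution ships.

```shell
# Added audit helper (not vsftpd's own code): read a vsftpd.conf written in the
# key=value style used above and report settings that widen anonymous or local-user
# access. Inline "# ..." annotations, as in the notes above, are ignored.

# vsconf_get FILE KEY [DEFAULT]: print KEY's value (last occurrence wins) or DEFAULT.
vsconf_get() {
    val=$(sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: true when VALUE is YES (case-insensitive, for the YES|NO switches).
is_yes() { [ "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" = YES ]; }

# vsconf_audit FILE: one finding per line, nothing for a file with none. Defaults
# assumed for missing keys follow the notes above (chroot_local_user=NO,
# anon_world_readable_only=YES, max_clients=0 meaning unlimited); anonymous_enable and
# local_enable are assumed NO when absent, so compare with your shipped vsftpd.conf.
vsconf_audit() {
    f=$1
    if is_yes "$(vsconf_get "$f" anonymous_enable NO)"; then
        is_yes "$(vsconf_get "$f" anon_upload_enable NO)" &&
            echo "anonymous upload allowed (anon_upload_enable=YES)"
        is_yes "$(vsconf_get "$f" anon_other_write_enable NO)" &&
            echo "anonymous delete/rename allowed (anon_other_write_enable=YES)"
        is_yes "$(vsconf_get "$f" anon_world_readable_only YES)" ||
            echo "anonymous users may read non-world-readable files (anon_world_readable_only=NO)"
    fi
    if is_yes "$(vsconf_get "$f" local_enable NO)" &&
       ! is_yes "$(vsconf_get "$f" chroot_local_user NO)"; then
        echo "local users not confined to their home directory (chroot_local_user is not YES)"
    fi
    [ "$(vsconf_get "$f" max_clients 0)" -eq 0 ] &&
        echo "no connection limit (max_clients=0)"
    return 0
}

# write_sample_conf FILE: constructed sample mirroring the settings used in sections 4 and 5.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
chown_username=westos   # default is ftp
local_enable=YES
max_clients=2
EOF
}
tmp=$(mktemp) && write_sample_conf "$tmp" && vsconf_audit "$tmp"; rm -f "$tmp"
```

Run it against /etc/vsftpd/vsftpd.conf after each section's change to see which of the settings you just enabled the audit reports.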

6. Virtual user access

In addition to anonymous users, virtual users can also be set up to access FTP. Virtual users are FTP accounts stored in a separate database file; they are mapped to a system account that cannot itself log in, which further strengthens the security of the FTP server.

6.1. Create a virtual user

  1. vim /etc/vsftpd/ftp_auth_file: Create the authentication file template (the comments below are annotations only; the real file holds just the alternating username and password lines)
user1   # virtual user name
123     # password
user2
123
user3
123
  2. db_load -T -t hash -f /etc/vsftpd/ftp_auth_file /etc/vsftpd/ftp_auth_file.db: Generate the authentication database from the template
    (-T: convert from text; -t: database type; -f: the text file to convert)
  3. vim /etc/pam.d/ftp-auth: Write the PAM authentication policy file
account         required        pam_userdb.so   db=/etc/vsftpd/ftp_auth_file
auth            required        pam_userdb.so   db=/etc/vsftpd/ftp_auth_file
# note: the .db suffix is appended automatically here, so do not add it
  4. vim /etc/vsftpd/vsftpd.conf: Edit the main configuration file
pam_service_name=ftp-auth   # the PAM policy file to use (must match the file name written above)
guest_enable=YES            # enable virtual users
guest_username=ftp          # the local account that virtual users are mapped to on the ftp server
  5. systemctl restart vsftpd: Restart service
  • Example


6.2. Independent setting of virtual user home directory

  1. mkdir -p /var/ftphome/user{1..3}: Create the virtual user home directories
    touch /var/ftphome/user1/user1file1
    touch /var/ftphome/user2/user2file1
    touch /var/ftphome/user3/user3file1
  2. vim /etc/vsftpd/vsftpd.conf: Modify the main configuration file
local_root=/var/ftphome/$USER
user_sub_token=$USER   # $USER is replaced by the name of the virtual user who logs in
  3. systemctl restart vsftpd: Restart service
  • Example


6.3. Independent configuration of virtual users

  1. mkdir /var/ftphome/user{1..3}/westos
    chmod 775 /var/ftphome/user{1..3}/westos
    chgrp ftp /var/ftphome/user{1..3}/westos
  2. vim /etc/vsftpd/vsftpd.conf
# comment out the global anonymous settings so they do not affect the following experiments
#anon_upload_enable=YES
#anon_other_write_enable=YES
#anon_world_readable_only=NO
#anon_umask=022
user_config_dir=/etc/vsftpd/confdir
# a file in this directory with the same name as a user is that user's configuration file
  3. mkdir /etc/vsftpd/confdir
  4. vim /etc/vsftpd/confdir/user1: Create the per-user configuration of user1
anon_upload_enable=YES   # user1 may upload files
  5. systemctl restart vsftpd: Restart service
  • Example

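As an added example (not from these notes, vsftpd or db_load), the script below checks an ftp_auth_file template for the formatting faults that make the db_load step in 6.1 fail or produce a database that rejects the intended logins (CRLF line endings, an odd number of lines, empty or duplicate entries), and then lays out the per-user home directories and user_config_dir files from 6.2 and 6.3 under a base path of your choosing. The function names, the BASE parameter and the sample template are assumptions of this example.

```shell
# vauth_check FILE: print one username per line and return 0, or print an
# "error: ..." line and return 1. Checks the strict username/password alternation
# that db_load -T relies on (constructed checks, not vsftpd's or db_load's own).
vauth_check() {
    if grep -q "$(printf '\r')" "$1"; then
        echo "error: CRLF line endings (the CR would become part of a stored key or value)"
        return 1
    fi
    n=$(awk 'END { print NR }' "$1")
    if [ $((n % 2)) -ne 0 ]; then
        echo "error: $n lines; every username line needs a password line after it"
        return 1
    fi
    awk '
        NR % 2 == 1 && $0 == ""   { print "error: empty username on line " NR; bad = 1 }
        NR % 2 == 0 && $0 == ""   { print "error: empty password on line " NR; bad = 1 }
        NR % 2 == 1 && seen[$0]++ { print "error: duplicate username " $0 " on line " NR; bad = 1 }
        NR % 2 == 1               { users[++k] = $0 }
        END { if (bad) exit 1; for (i = 1; i <= k; i++) print users[i] }
    ' "$1"
}

# vuser_provision BASE FILE: for each user in a valid template, create BASE/ftphome/<user>
# (the local_root=/var/ftphome/$USER layout of 6.2, rooted at BASE) and an empty
# BASE/confdir/<user> (6.3: the per-user configuration file is named exactly as the user).
vuser_provision() {
    users=$(vauth_check "$2") || { echo "$users"; return 1; }
    for u in $users; do
        mkdir -p "$1/ftphome/$u" "$1/confdir"
        [ -e "$1/confdir/$u" ] || : > "$1/confdir/$u"
    done
}

# Demo on a constructed template with the three users from 6.1, in a throwaway directory.
tmp=$(mktemp -d)
printf 'user1\n123\nuser2\n123\nuser3\n123\n' > "$tmp/ftp_auth_file"
vuser_provision "$tmp" "$tmp/ftp_auth_file" && ls "$tmp/confdir"
rm -rf "$tmp"
```

With BASE set to / the layout matches the paths used in 6.2 and 6.3; the per-user files start empty, so add directives such as anon_upload_enable=YES only to the users that need them.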

Origin blog.csdn.net/weixin_46069582/article/details/109899320