Article Directory
- 0. Experimental environment
- 1. Introduction to ftp
- 2. vsftpd installation and activation
- 3. Basic information of vsftpd
- 4. Access control for anonymous users
- 4.1. Login Control
- 4.2. Home Directory Control
- 4.3. Upload control
- 4.4. Directory creation control
- 4.5. Download control
- 4.6. Delete and rename control
- 4.7. Anonymous user upload file permission setting
- 4.8. User identity settings for anonymous users uploading files
- 4.9. Login quantity control
- 4.10. Upload rate control
- 5. Local user access
- 5.1. Login control
- 5.2. Home Directory Control
- 5.3. Write permission control
- 5.4. Upload file permission control
- 5.5. Local user login blacklist
- 5.6. Local user login whitelist
- 5.7. Lock users to their home directory
- 5.8. Lock users to the blacklist in their home directory
- 5.9. Lock users to the whitelist in their home directory
- 6. Virtual user access
0. Experimental environment
- Disable selinux
1. vim /etc/selinux/config
SELINUX=disabled  # takes effect after a reboot
2. setenforce 0
: Disable it for the current session
3. getenforce
: View the current mode
- Configure the software repository and install lftp
dnf install lftp -y
lftp: command-line FTP client (installed on the test host)
- To log in to this host from another machine, open the service in the firewall first:
1. firewall-cmd --permanent --add-service=ftp
2. firewall-cmd --reload
3. firewall-cmd --list-all
1. Introduction to ftp
FTP (File Transfer Protocol) is one of the protocols in the TCP/IP protocol suite. FTP has two components: the FTP server and the FTP client. The FTP server stores files, and users access the resources on it with an FTP client over the FTP protocol. When developing a website, FTP is usually used to transfer web pages or programs to the web server. Because FTP transfers are very efficient, the protocol is also commonly used to move large files across the network.
2. vsftpd installation and activation
dnf install vsftpd -y
: Install vsftpd
dnf install lftp -y
: Install lftp
setenforce 0
: Turn off selinux
systemctl enable --now vsftpd
: Enable and start vsftpd
rpm -qc vsftpd
: Find the main configuration file of vsftpd
3. Basic information of vsftpd
- Service name: vsftpd.service
- Configuration directory: /etc/vsftpd
- Main configuration file: /etc/vsftpd/vsftpd.conf
- Default publishing directory: /var/ftp
- Error messages:
550 refused by vsftpd itself
553 restricted by file-system permissions
500 permissions too permissive
530 authentication failed
4. Access control for anonymous users
4.1. Login Control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anonymous_enable=YES | NO
# YES allows anonymous users to log in
# NO forbids it
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
quit
: Log out
- Example: when login is prohibited, modify the file to allow login and restart the service
4.2. Home Directory Control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_root=/var/ftp  # add this line
# directory the anonymous user lands in after login (default /var/ftp)
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example: create a new directory and set it as the anonymous login directory
4.3. Upload control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_upload_enable=YES | NO
# YES: the anonymous user may upload files (the target directory must also grant write permission)
systemctl restart vsftpd
: Restart the service
chmod 775 /westos_ftp/westosdir/
: Modify the login directory permissions (uploading requires write permission)
chgrp ftp /westos_ftp/westosdir/
: Change the directory's group to ftp
lftp 192.168.43.101
: Anonymous login
put <file path>
: Upload a file (uploads into the home directory itself are not allowed)
- Example
4.4. Directory creation control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_mkdir_write_enable=NO | YES
# YES allows anonymous users to create directories
# NO forbids it (default NO)
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example
4.5. Download control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_world_readable_only=YES | NO
# YES: anonymous users may download only readable files (default YES)
# NO: anonymous users may also download unreadable files
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
get <file>
: Download a file (from the directory you logged in to)
mirror <directory>
: Download a directory
- Example
4.6. Delete and rename control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_other_write_enable=YES
# YES allows anonymous users to delete and rename files
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
mv <file> <new name>
: Rename
rm <file>
: Delete
- Example
4.7. Anonymous user upload file permission setting
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_umask=022
# anon_umask has no effect once chown_username= is set
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example
4.8. User identity settings for anonymous users uploading files
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
chown_uploads=YES  # change the owner of uploaded files
chown_username=westos  # owner to assign (default ftp)
chown_upload_mode=0644  # mode given to uploaded files
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example
4.9. Login quantity control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
max_clients=2  # maximum number of simultaneous logins
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example
4.10. Upload rate control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
anon_max_rate=102400  # transfer rate limit for anonymous users, in bytes per second
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101
: Anonymous login
- Example
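The sections above edit vsftpd.conf by hand and prepare the upload directory with chmod and chgrp. The helpers below, an added example rather than code from the article, do the same in shell: conf_set writes a key without leaving duplicate lines, conf_get reads the effective value, upload_mode shows what anon_umask does to a new upload, and check_anon_dirs verifies the directory layout of 4.3. The function names are chosen here; the paths in the usage comment are the article's.

```shell
#!/bin/sh
# Helpers for the anonymous-access settings of section 4 (added example, not
# from the article).  A commented-out key (#anon_upload_enable=YES) is not
# matched by conf_set, so it is appended rather than uncommented.

# conf_set FILE KEY VALUE: replace every existing KEY= line, or append one
conf_set() {
    if grep -q "^[[:space:]]*$2=" "$1"; then
        sed -i "s|^[[:space:]]*$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# conf_get FILE KEY: print the effective value (the last assignment wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# upload_mode BASE UMASK: vsftpd creates uploads as 0666 masked by anon_umask,
# so upload_mode 666 022 prints 644 and upload_mode 666 077 prints 600
upload_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# check_anon_dirs ANON_ROOT UPLOAD_DIR [GROUP]: the anonymous root must not be
# group/world writable (vsftpd answers 500 otherwise), while the upload
# subdirectory must belong to GROUP (ftp, as in 4.3) and be group-writable.
# Prints ok, or the first problem found (and returns 1).
check_anon_dirs() {
    root=$1; up=$2; grp=${3:-ftp}
    if [ $(( 0$(stat -c '%a' "$root") & 022 )) -ne 0 ]; then
        echo "$root is group/world writable; vsftpd will refuse it (500)"; return 1
    fi
    if [ "$(stat -c '%G' "$up")" != "$grp" ] || [ $(( 0$(stat -c '%a' "$up") & 020 )) -eq 0 ]; then
        echo "$up needs: chgrp $grp $up; chmod 775 $up"; return 1
    fi
    echo ok
}
# usage on the article's host:
#   conf_set /etc/vsftpd/vsftpd.conf anon_upload_enable YES
#   check_anon_dirs /westos_ftp /westos_ftp/westosdir
```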
5. Local user access
Local user access command:
lftp 172.25.254.127 -u <user>
5.1. Login control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
local_enable=YES | NO
# YES allows local (system) users to log in
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
Preparation: create a new local user
Experiment:
5.2. Home Directory Control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
local_root=<path>  # directory local users land in after login
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
5.3. Write permission control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
write_enable=YES
# YES grants write permission (a global setting, default YES)
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
With write_enable=NO there is no write permission
5.4. Upload file permission control
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
local_umask=022  # umask applied to files uploaded by local users
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
With local_umask=022
With local_umask=077
5.5. Local user login blacklist
/etc/vsftpd/ftpusers: permanent blacklist
/etc/vsftpd/user_list: default blacklist
vim /etc/vsftpd/user_list
: Modify the default blacklist
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Add user sdsnzy1 to the default blacklist /etc/vsftpd/user_list. After the service is restarted, sdsnzy1 can no longer log in, while sdsnzy2 still can
5.6. Local user login whitelist
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
userlist_deny=NO
- With this setting /etc/vsftpd/user_list turns from a blacklist into a whitelist
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- After modifying /etc/vsftpd/vsftpd.conf, sdsnzy1 can log in, while sdsnzy2, which is not in the list, is refused
5.7. Lock users to their home directory
chmod u-w /home/*
: Remove the owner's write permission from the home directories (a locked user's root directory must not be writable)
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
chroot_local_user=NO | YES
# NO: do not lock (default); YES: lock
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- When the home directory is not locked, the user can freely leave it and enter other directories
- After the configuration file is changed to chroot_local_user=YES and the service is restarted, the user is locked into the home directory
5.8. Lock users to the blacklist in their home directory
That is, only the users in the list are locked into their home directory; all other users are not
When chroot_local_user=NO, /etc/vsftpd/chroot_list is a blacklist (the file does not exist by default)
vim /etc/vsftpd/chroot_list
: Edit the users in the blacklist
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
chroot_local_user=NO
chroot_list_enable=YES
# (the following line is the default)
chroot_list_file=/etc/vsftpd/chroot_list  # blacklist
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
- Add the kiosk user to the list /etc/vsftpd/chroot_list
- Modify the configuration file and restart the service
5.9. Lock users to the whitelist in their home directory
That is, all other users are locked into their home directory; only the users in the list are not
When chroot_local_user=YES, /etc/vsftpd/chroot_list is a whitelist
vim /etc/vsftpd/chroot_list
: Edit the users in the whitelist
vim /etc/vsftpd/vsftpd.conf
: Modify the configuration file
chroot_local_user=YES
chroot_list_enable=YES
# (the following line is the default)
chroot_list_file=/etc/vsftpd/chroot_list  # whitelist
systemctl restart vsftpd
: Restart the service
lftp 192.168.43.101 -u <user>
: Local user login
- Example
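The blacklist/whitelist rules of 5.5 to 5.9 flip meaning depending on userlist_deny and chroot_local_user, which is easy to get wrong. The script below, an added example and not code from the article, encodes those rules so you can see what a given vsftpd.conf plus ftpusers, user_list and chroot_list mean for one account before restarting the service. The function names and the CONFDIR argument are assumptions; it assumes userlist_enable=YES, as in the stock RHEL configuration.

```shell
#!/bin/sh
# Added example (not from the article): what the local-user settings of 5.5 to
# 5.9 mean for one account.  CONFDIR holds vsftpd.conf, ftpusers, user_list
# and chroot_list (/etc/vsftpd on the article's host).  Assumes
# userlist_enable=YES, as in the stock RHEL configuration.

# conf_get FILE KEY: effective value (last assignment wins), empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# in_list FILE USER: true if USER is a line of FILE (a missing file is empty)
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# login_allowed CONFDIR USER: prints allow or deny.
# ftpusers is the permanent blacklist; user_list is a blacklist by default and
# becomes a whitelist when userlist_deny=NO (5.6).
login_allowed() {
    if in_list "$1/ftpusers" "$2"; then echo deny; return; fi
    deny=$(conf_get "$1/vsftpd.conf" userlist_deny); deny=${deny:-YES}
    if in_list "$1/user_list" "$2"; then listed=yes; else listed=no; fi
    if [ "$deny" = NO ]; then
        [ "$listed" = yes ] && echo allow || echo deny
    else
        [ "$listed" = yes ] && echo deny || echo allow
    fi
}

# chrooted CONFDIR USER: prints yes or no.
# chroot_local_user=NO locks nobody except the users in chroot_list (5.8);
# chroot_local_user=YES locks everybody except the users in chroot_list (5.9);
# the list only counts when chroot_list_enable=YES (default list: CONFDIR/chroot_list).
chrooted() {
    conf="$1/vsftpd.conf"
    lock=$(conf_get "$conf" chroot_local_user); lock=${lock:-NO}
    use=$(conf_get "$conf" chroot_list_enable); use=${use:-NO}
    list=$(conf_get "$conf" chroot_list_file); list=${list:-$1/chroot_list}
    listed=no
    if [ "$use" = YES ] && in_list "$list" "$2"; then listed=yes; fi
    if [ "$lock" = YES ]; then
        [ "$listed" = yes ] && echo no || echo yes
    else
        [ "$listed" = yes ] && echo yes || echo no
    fi
}
# usage on the article's host: login_allowed /etc/vsftpd sdsnzy1; chrooted /etc/vsftpd kiosk
```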
6. Virtual user access
In addition to anonymous users, virtual users can also be set up to access FTP. Virtual users are FTP accounts stored in an independent database file; they are mapped to a system user account that cannot itself log in, which further improves the security of the FTP server.
6.1. Create a virtual user
vim /etc/vsftpd/ftp_auth_file
: Create the authentication file template (each user name line is followed by its password line)
user1  # virtual user name
123    # password
user2
123
user3
123
db_load -T -t hash -f /etc/vsftpd/ftp_auth_file /etc/vsftpd/ftp_auth_file.db
: Generate the encrypted authentication file from the template
: (-T: convert; -t: database type; -f: the template file to convert)
vim /etc/pam.d/ftp-auth
: Write the authentication policy file
account required pam_userdb.so db=/etc/vsftpd/ftp_auth_file
auth required pam_userdb.so db=/etc/vsftpd/ftp_auth_file
# note: the system appends the .db suffix itself, so it is not written here
vim /etc/vsftpd/vsftpd.conf
: Edit the main configuration file
pam_service_name=ftp-auth  # the authentication policy file (use the name of the file you wrote)
guest_enable=YES  # enable virtual users
guest_username=ftp  # the system user identity virtual users take on the ftp server
systemctl restart vsftpd
: Restart the service
- Example
6.2. Independent setting of virtual user home directory
mkdir -p /var/ftphome/user{1..3}
: Create the virtual users' home directories
touch /var/ftphome/user1/user1file1
touch /var/ftphome/user2/user2file1
touch /var/ftphome/user3/user3file1
vim /etc/vsftpd/vsftpd.conf
: Modify the main configuration file
local_root=/var/ftphome/$USER  # a separate home directory per virtual user
user_sub_token=$USER  # $USER is replaced by the login name
systemctl restart vsftpd
: Restart the service
- Example
6.3. Independent configuration of virtual users
mkdir /var/ftphome/user{1..3}/westos
chmod 775 /var/ftphome/user{1..3}/westos
chgrp ftp /var/ftphome/user{1..3}/westos
vim /etc/vsftpd/vsftpd.conf
# comment these out so they do not interfere with the following experiment
#anon_upload_enable=YES
#anon_other_write_enable=YES
#anon_world_readable_only=NO
#anon_umask=022
user_config_dir=/etc/vsftpd/confdir
# a file in this directory whose name matches a user name is that user's configuration file
mkdir /etc/vsftpd/confdir
vim /etc/vsftpd/confdir/user1
: Create and edit the configuration for user user1
anon_upload_enable=YES  # this user may upload files
systemctl restart vsftpd
: Restart the service
- Example
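The three steps of section 6 as one repeatable script, an added example rather than the article's own commands: it validates the user/password template, writes the PAM policy, creates each user's home with a writable westos/ directory and a per-user config file, and builds the database when db_load is installed. The function names and the PREFIX argument (use / on a real host) are assumptions; the paths are the article's.

```shell
#!/bin/sh
# Added example (not from the article): script the virtual-user setup of 6.1 to
# 6.3 under PREFIX.  Assumes the article's paths, the ftp group, and that only
# UPLOAD_USER (user1, as in 6.3) gets anon_upload_enable=YES.

# auth_users AUTH_FILE: the usernames from the alternating user/password
# template.  Rejects an odd line count (a user with no password line).  Keep
# the template free of comments: db_load stores each whole line as written.
auth_users() {
    n=$(grep -c '' "$1")
    [ $(( n % 2 )) -eq 0 ] || { echo "$1: odd line count, a password is missing" >&2; return 1; }
    awk 'NR % 2 == 1 { print $1 }' "$1"
}

# write_pam PREFIX: /etc/pam.d/ftp-auth; pam_userdb appends .db by itself
write_pam() {
    mkdir -p "$1/etc/pam.d"
    printf '%s required pam_userdb.so db=/etc/vsftpd/ftp_auth_file\n' account auth \
        > "$1/etc/pam.d/ftp-auth"
}

# setup_virtual_users PREFIX AUTH_FILE [UPLOAD_USER]: prints the number of users set up
setup_virtual_users() {
    prefix=$1; upl=${3:-user1}; n=0
    users=$(auth_users "$2") || return 1
    confdir="$prefix/etc/vsftpd/confdir"; base="$prefix/var/ftphome"
    mkdir -p "$confdir"
    for u in $users; do
        mkdir -p "$base/$u/westos" && chmod 775 "$base/$u/westos"
        chgrp ftp "$base/$u/westos" 2>/dev/null || echo "warning: chgrp ftp $base/$u/westos failed" >&2
        if [ "$u" = "$upl" ]; then echo anon_upload_enable=YES > "$confdir/$u"; else : > "$confdir/$u"; fi
        n=$((n + 1))
    done
    # the hash database of 6.1; skipped where db_load (libdb-utils) is not installed
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$2" "$prefix/etc/vsftpd/ftp_auth_file.db" || return 1
    fi
    echo "$n"
}

# vsftpd_keys: the lines 6.1 to 6.3 add to /etc/vsftpd/vsftpd.conf
vsftpd_keys() {
    printf '%s\n' pam_service_name=ftp-auth guest_enable=YES guest_username=ftp \
        'local_root=/var/ftphome/$USER' 'user_sub_token=$USER' user_config_dir=/etc/vsftpd/confdir
}
# usage on the article's host: write_pam /; setup_virtual_users / /etc/vsftpd/ftp_auth_file
```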