Alibaba Cloud Linux builds FTP service (Windows/Linux anonymous access)


Environment:
Server: Alibaba Cloud CentOS 7
vsftpd version: vsftpd-3.0.2-27.el7.x86_64
Access test client: Windows 7

1. Install FTP server

Install the vsftpd package:
yum -y install vsftpd
Check that vsftpd is installed:
rpm -qa vsftpd

2. Configuration file description

/etc/vsftpd/vsftpd.conf // Main configuration file. It has many configuration items, so they are described at the end of this post (section 8)
/etc/vsftpd/ftpusers
Users listed in this file cannot access the FTP service. Note that this file is not affected by any configuration item: it is always in effect and is a typical blacklist.
It stores the list of users who are forbidden to access FTP. For security reasons the administrator generally does not want accounts with super privileges (such as root) to log in to FTP, so that such an account cannot upload or download files in dangerous locations via FTP and damage the system.

/etc/vsftpd/user_list
Simply put: ftpusers and user_list are independent of each other. The ftpusers file always takes effect, while the effect of user_list depends on the two options userlist_enable and userlist_deny in /etc/vsftpd/vsftpd.conf.

user_list can be valid or invalid. When valid, it can be a blacklist or a whitelist.

Regarding the two options userlist_enable and userlist_deny:
1. Taken together, these two options determine the treatment of three classes of users: all local users (excluding those in ftpusers), users that appear in the user_list file, and users that do not appear in user_list.
2. Only when userlist_enable=YES does the userlist_deny option take effect and the user_list file get used. When userlist_enable=NO, the value of userlist_deny is irrelevant and all local users (except those in ftpusers) can log in to FTP.
3. When userlist_enable=YES and userlist_deny=YES: user_list is a blacklist, i.e. every user appearing in the list is denied login.
4. When userlist_enable=YES and userlist_deny=NO: user_list is a whitelist, i.e. only users appearing in the list are allowed to log in (users not in user_list are denied). Note that once the whitelist is in use, anonymous users can no longer log in unless you explicitly add a line containing anonymous to user_list.
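The decision rules above, written out as a function so they can be checked against a concrete set of lists (an added example, not code from the original post or from vsftpd; the sample user sets are constructed, and the function models the behaviour described above rather than vsftpd's own source):

```python
# Added example (not from the original post): how a login is accepted or refused
# from ftpusers, user_list, userlist_enable and userlist_deny, as described above.
# The sample user sets below are constructed for the example.

FTPUSERS = {"root", "bin", "daemon"}      # /etc/vsftpd/ftpusers: always a blacklist
USER_LIST = {"alice"}                     # /etc/vsftpd/user_list: meaning depends on config
LOCAL_USERS = {"root", "alice", "bob"}    # accounts that exist on the system


def login_allowed(user, settings, ftpusers=FTPUSERS, user_list=USER_LIST,
                  local_users=LOCAL_USERS):
    """Return True if `user` may log in under the given vsftpd settings.

    settings maps option name -> value as written in vsftpd.conf (values are
    case-insensitive, so userlist_deny=yes and userlist_deny=YES agree).
    The names 'anonymous' and 'ftp' stand for the anonymous login.
    """
    def yes(key, default):
        return settings.get(key, default).strip().upper() == "YES"

    anonymous = user.lower() in ("anonymous", "ftp")

    # ftpusers applies regardless of the userlist_* options (assumption modelled
    # here: it is enforced by the PAM stack, which anonymous logins bypass).
    if not anonymous and user in ftpusers:
        return False

    # user_list only matters when userlist_enable=YES.
    if yes("userlist_enable", "NO"):
        if yes("userlist_deny", "YES"):
            # Blacklist: anyone listed is refused.
            if user in user_list:
                return False
        else:
            # Whitelist: only listed names may log in; as the post notes,
            # anonymous needs an explicit "anonymous" line here.
            if user not in user_list:
                return False

    if anonymous:
        return yes("anonymous_enable", "YES")
    return yes("local_enable", "NO") and user in local_users
```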

3. Modify the configuration file (/etc/vsftpd/vsftpd.conf)

Error code reference:
  500 ## File system permissions are too large
  530 ## User authentication failed
  550 ## The service itself is not open
  553 ## Local file system permissions are too small

  
vim /etc/vsftpd/vsftpd.conf # Open the configuration file (the # comments on the lines below are explanations only; vsftpd does not accept trailing comments, so the clean listing further down is what goes in the file)
# Anonymous user part
anonymous_enable=YES # Allow anonymous users to log in
no_anon_password=YES # Do not ask anonymous users for a password when they log in
anon_umask=022 # Permission mask for files created by anonymous users: 022 is removed from the default permissions, so a directory created by an anonymous user gets 755
anon_upload_enable=YES # Allow anonymous users to upload files
anon_mkdir_write_enable=YES # Allow anonymous users to create directories
anon_world_readable_only=NO # When YES, a file can only be downloaded if "other" has read permission on it (a file readable only by its ftp owner cannot be downloaded); when NO, a file can be downloaded as long as the ftp user has read permission on it
anon_other_write_enable=YES # Allow anonymous users to delete and rename files and directories
anon_max_rate=102400 # Maximum transfer rate for anonymous users, in bytes/s
anon_root=/var/ftp # Directory anonymous users land in after login; defaults to /var/ftp if not specified


# Local user part
local_enable=YES # Allow local users to log in to the FTP server
local_umask=022 # Permission mask for files created by local users on the server: 022 is removed from the default permissions, so a directory created by a local user gets 755


# Global part
write_enable=YES # Allow users to perform write operations on the server
xferlog_enable=YES # Log file uploads and downloads (enable the log function)
connect_from_port_20=YES # Use the standard port 20 for data connections (i.e. use active mode)
xferlog_std_format=YES # Use the standard log file format
listen=NO # Do not listen on IPv4
listen_ipv6=YES # Listen on IPv6

pam_service_name=vsftpd # Use the PAM module for control; the vsftpd file is in the /etc/pam.d directory (defines the name used by PAM, default vsftpd)
userlist_enable=YES # Activates the userlist_deny option and the user_list file
userlist_deny=yes # All users appearing in user_list are denied login
tcp_wrappers=YES # Enable tcp_wrappers support
pasv_promiscuous=yes # Disable the PASV-mode security check (see section 7)
#pasv_enable=NO # Controls whether PASV mode is allowed (left commented out here)

anonymous_enable=YES
no_anon_password=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
anon_other_write_enable=YES
#dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
anon_max_rate=102400

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_promiscuous=yes

#pasv_enable=NO
#ftpd_banner=Welcome to my FTP server.
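A small audit of the listing above, added here as an example and not part of the original post: it parses a vsftpd.conf the way the file is laid out (one option=value per line, # lines ignored) and reports the settings that widen anonymous write access or switch off a protection; SAMPLE_CONF is the post's final configuration reduced to the relevant lines.

```python
# Added example, not part of the original post: parse a vsftpd.conf and list the
# settings that widen anonymous write access or switch off a protection.
# SAMPLE_CONF is a constructed copy of the relevant lines of the post's config.
SAMPLE_CONF = """
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
anon_other_write_enable=YES
userlist_enable=YES
pasv_promiscuous=yes
#pasv_enable=NO
"""


def parse_vsftpd_conf(text):
    """Return {option: VALUE}; '#' comment lines and blank lines are skipped and
    values are upper-cased, so YES/yes/Yes compare equal as they do in vsftpd."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().upper()
    return conf


# (option, value that triggers the finding, what it means for the server)
CHECKS = [
    ("anonymous_enable", "YES", "anonymous logins are accepted"),
    ("anon_upload_enable", "YES", "anonymous users can upload files"),
    ("anon_mkdir_write_enable", "YES", "anonymous users can create directories"),
    ("anon_other_write_enable", "YES", "anonymous users can delete and rename"),
    ("anon_world_readable_only", "NO", "files readable only by the ftp user can be downloaded"),
    ("pasv_promiscuous", "YES", "PASV same-IP security check is disabled"),
]
ANON_WRITE = {"anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"}


def audit(conf):
    """Return [(option, message)] for every check that fires. write_enable is
    the global switch, so anonymous write options only count when it is YES."""
    findings = []
    for option, value, why in CHECKS:
        if conf.get(option) != value:
            continue
        if option in ANON_WRITE and conf.get("write_enable") != "YES":
            continue
        findings.append((option, why))
    return findings
```

Running audit(parse_vsftpd_conf(SAMPLE_CONF)) returns six findings for the post's configuration; with write_enable=NO the three anonymous write options drop out.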

4. Start the FTP service

systemctl start vsftpd # Start the FTP service
Command to restart the service:
systemctl restart vsftpd # Restart the FTP service (remember to restart vsftpd after modifying the configuration file, otherwise the changes do not take effect)

5. Modify firewall policy, SeLinux policy, modify root directory attributes

Because this is a test setup, I simply stop firewalld and set SELinux to disabled:
systemctl stop firewalld
Edit /etc/selinux/config and set SELINUX=disabled (verify with cat /etc/selinux/config).
Modify the root directory attributes:
chown -R ftp:ftp /var/ftp
chmod 777 /var/ftp/pub

6. Access test

Note: because our FTP server runs on Alibaba Cloud, the security group rules in the Alibaba Cloud console must be configured to open port 21.
Access from a Windows 7 system is as follows:
1. In the address bar of Windows Explorer, enter: ftp://xxxxxx (domain name or IP)
You can now click into the pub directory to create or delete folders, and upload or copy files.

2. Access from the browser.
Note: the security group rules in the Alibaba Cloud console must also open the ports 1204-65535. To keep the server as secure as possible, fill in your own local IP as the authorization object; if your Windows machine sits on an internal network, fill in the corresponding external network IP instead.
The access interface is as follows; I am using Firefox here:
Anonymous access from Linux is as follows:
Accessing the FTP service from Linux requires the ftp client to be installed:
yum -y install ftp

The access test is successful!

7. Solve the problems encountered

1. Problem encountered during the Windows access test:
Solution: open Network and Sharing Center >> Internet Options >> Advanced >> untick the "Use Passive FTP (for firewall and DSL modem compatibility)" option
2. Error: 425 Security: Bad IP connecting.
Reason: the FTP client and server changed their IP addresses during the connection.
Solution:
Add the following line to the /etc/vsftpd/vsftpd.conf configuration file: pasv_promiscuous=YES
Then restart the vsftpd service: systemctl restart vsftpd
Description of the pasv_promiscuous option:
When this option is enabled, the security check in PASV mode is disabled. That check ensures that the data connection and the control connection come from the same IP address. Enable this option with care; the only reasonable use is within an organisation that relies on a secure tunnelling solution. The default value is NO.
The reasonable uses are: some secure-tunnel configuration environments, or better support for FXP (enable it only in those cases).

8. /etc/vsftpd/vsftpd.conf configuration file parameter description

By default, all anonymous uploads and downloads are performed with the permissions of the ftp user. To upload a file the ftp user needs write permission, and to download a file it needs read permission, so in general, if the ftp user has read permission on a file, that file can be downloaded.

Parameter    Description
anonymous_enable=YES    Enable anonymous users (allow anonymous users to log in)
no_anon_password=YES    Do not ask for a password when anonymous users log in
anon_upload_enable=yes/no    Control whether anonymous users may upload files (not directories)
anon_world_readable_only=yes/no    Control whether anonymous users may download files. Note: a file has three permission sets: owner, group and other. When this is YES, "other" must have read permission for a download to be allowed; a file owned by ftp with read permission only for the owner cannot be downloaded. When NO, a file can be downloaded as long as the ftp user has read permission on it
anon_mkdir_write_enable=yes/no    Control whether anonymous users may create directories
anon_other_write_enable=yes/no    Control whether anonymous users may delete and rename files and directories. Note: anonymous downloads run as the user nobody, so the "other" position must have r permission for a file to be downloadable. To let anonymous users upload and delete, this option must be set
anon_root=(path)    Directory anonymous users land in after login; defaults to /var/ftp if not specified. The local_root parameter specifies the directory local users land in after login
anon_max_rate=102400    Maximum transfer rate for anonymous users, in bytes/s
anon_umask=022    Permission mask for files created by anonymous users: 022 is removed from the default permissions, so directories created by anonymous users get 755
chown_uploads=YES    Change the owner of files uploaded by anonymous users: every anonymously uploaded file is chowned to chown_username (used together with chown_username)
chown_username=whoever    User name that anonymously uploaded files are chowned to
local_root=/var/ftp    Directory local users land in after login. This item is not set in the default configuration file; in that case a user lands in their home directory after logging in, and root lands in /root
local_enable=YES    Allow local users to log in to the FTP server
local_umask=022    Permission mask for files created by local users on the server: 022 is removed from the default permissions, so directories created by local users get 755
local_max_rate=102400    Maximum transfer rate for local users, in bytes/s
userlist_enable=YES    Activates the userlist_deny option and the user_list file
userlist_deny=yes    All users appearing in user_list are denied access to FTP
chroot_local_user=YES    Confine all local users to their own directory (applies directly to all local users)
chroot_list_enable=YES    Enable the user list file named by chroot_list_file, one user name per line. When enabled, none of the users listed in chroot_list_file can leave their root directory. The default value is yes
chroot_list_file=/etc/vsftpd/chroot_list    Name the list file of users who are locked in their own directory
user_config_dir=(path)    Specify a per-user configuration directory so that different users get different permissions. For example: 1. set user_config_dir=/etc/vsftpd/userconfig; 2. create the userconfig directory if it does not exist: mkdir /etc/vsftpd/userconfig; 3. create a configuration file named after the user, e.g. for user ftpadmin: vim /etc/vsftpd/userconfig/ftpadmin; 4. in the editor enter: local_root=/home/ftpupload
write_enable=YES    Global setting for whether writing is allowed (for both anonymous and local users, this parameter must be set to enable uploads)
ftpd_banner=Welcome to my FTP server    Set the welcome message to "Welcome to my FTP server."; after a user logs in successfully, the server sends the preset welcome message to that user
banner_file=/etc/vsftpd/banner    If the welcome message is long, use the banner_file option and put the message in the file /etc/vsftpd/banner
xferlog_enable=YES    Log file uploads and downloads
xferlog_std_format=YES    Use the standard log file format
xferlog_file=/var/log/vsftpd.log    Log file
connect_from_port_20=YES    Use port 20 to transfer data (whether to use active mode)
listen=NO    Do not listen on IPv4; YES turns it on
listen_ipv6=YES    Listen on IPv6
pam_service_name=vsftpd    Use the PAM module for control; the vsftpd file is in the /etc/pam.d directory (defines the name used by PAM, default vsftpd)
tcp_wrappers=YES    Enable tcp_wrappers support
pasv_promiscuous=yes    Disable the PASV-mode security check
pasv_enable=NO    Whether PASV mode is allowed
nopriv_user=ftp    The account the vsftpd service runs as; ftp is used if not specified
idle_session_timeout=600    Session timeout, for a client that is connected to FTP but idle
data_connection_timeout=120    Data transfer timeout
async_abor_enable=YES    Whether clients may use the async ABOR command
pasv_min_port=50000 pasv_max_port=60000    Restrict the client data connection ports to the range 50000-60000
max_clients=200    Maximum number of FTP connections
max_per_ip=4    Maximum number of connections per IP
listen_port=5555    Accept connections on port 5555

chroot_list_enable=YES
Combined with chroot_local_user=YES/NO, this gives the following effects:
1. chroot_list_enable=YES, chroot_local_user=YES: users listed in /etc/vsftpd.chroot_list can change to other directories; users not listed in the file cannot.
2. chroot_list_enable=YES, chroot_local_user=NO: users listed in /etc/vsftpd.chroot_list cannot change to other directories; users not listed in the file can.
3. chroot_list_enable=NO, chroot_local_user=YES: no user can change to other directories.
4. chroot_list_enable=NO, chroot_local_user=NO: all users can change to other directories.

9. FTP active mode (PORT) and passive mode (PASV)

    FTP has two modes, active mode (PORT) and passive mode (PASV); PORT mode is the ordinary form of FTP.
    In both modes the control connection is established in the same way: the client first connects to the FTP server's control port (21 by default), and operation commands are transmitted over this connection.
    They differ in how the data transfer port (ftp-data) is used. In PORT mode the FTP server specifies the port used for data transfer, 20 by default. In PASV mode the FTP client decides the data transfer port.
    PASV mode was designed mainly for environments with firewalls: the client and server negotiate (the client's data transfer request includes the data transfer port), which makes it more convenient to decide the data transfer port between the two.

I found two pictures online that describe this clearly; below I summarise using those two figures.
Following the steps in the active-mode figure:
1. The user logs in to the FTP server: the client connects from any unprivileged port above 1024 (1024-65535) to port 21 (the command port) on the server.
2. The FTP server tells the client: "Your authentication passed; you are connected to my port 21 and logged in successfully."
3. After receiving the server's notification, the client opens a random port of its own.
4. The client uses the FTP PORT command to send that random port to the FTP server (in plain words, the client tells the server: "I have opened port xxx for you; connect to it when you transfer data").
5. After the server receives the random port sent by the client, it connects from its own data port 20 to the data port (the random port) specified by the client and transfers the data.

Following the steps in the passive-mode figure:
1. When the client opens an FTP connection, it opens two unprivileged ports, one of which connects to the server's command port 21.
2. The FTP server tells the client: "Your authentication passed; you are connected to my port 21 and logged in successfully."
3. The client sends the PASV command to the server.
4. After receiving the PASV command from the client, the server opens an arbitrary unprivileged port.
5. The server uses the port command to send the unprivileged port it opened to the client.
6. The client receives the unprivileged port sent by the server.
7. The client's second data port, opened at the start, connects to the server's unprivileged port to establish the data connection and transfer data.

Summary:
    In active mode the client connects from an open port to the server's port 21 to establish the command connection; it then generates a random data port, tells the server which local data port it has opened, and the server's port 20 actively establishes the data connection to that client port.
    In passive mode the client opens two ports, one to connect to port 21 of the FTP server and the other to serve as the data port. It first establishes the command connection with the server and sends the PASV command; the server generates a random data port and sends the port command to tell the client which data port it has opened; the client then actively establishes the data connection from its own data port to the server's open data port and transfers the data.
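The address exchange behind both modes, plus the same-IP check on the passive data connection that pasv_promiscuous=YES disables (the check behind the "425 Security: Bad IP connecting." error in section 7), as an added example that is not part of the original post. The h1,h2,h3,h4,p1,p2 encoding follows RFC 959; all addresses are constructed sample values.

```python
# Added example, not part of the original post: the h1,h2,h3,h4,p1,p2 address
# form that PORT (client -> server) and the server's 227 PASV reply carry, and
# the same-IP check on the PASV data connection that pasv_promiscuous=YES
# switches off.  Encoding per RFC 959; addresses below are constructed samples.
import re

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """IPv4 address and port -> 'h1,h2,h3,h4,p1,p2' with port = p1*256 + p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def decode_hostport(text):
    """Parse the tuple out of a PORT argument or a full '227 Entering Passive
    Mode (...)' reply and return (ip, port)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no host/port tuple found")
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def pasv_reply(server_ip, data_port):
    """What the server sends after PASV: the client then connects to this port
    (passive-mode step 5 above)."""
    return f"227 Entering Passive Mode ({encode_hostport(server_ip, data_port)})"


def pasv_accept(control_peer_ip, data_peer_ip, pasv_promiscuous=False):
    """vsftpd's PASV security check: the data connection must come from the same
    IP as the control connection unless pasv_promiscuous=YES disables the check."""
    if pasv_promiscuous or control_peer_ip == data_peer_ip:
        return "accept"
    return "425 Security: Bad IP connecting."
```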

If there is anything wrong with the above, please correct me, thank you!

Origin blog.csdn.net/weixin_44901564/article/details/107979596