1. ftp introduction
ftp: File Transfer Protocol, the oldest file transfer protocol on the Internet
2. Install and enable vsftpd
dnf install vsftpd.x86_64 lftp.x86_64 -y
getenforce                                  # view the SELinux status; if it is enabled, edit /etc/selinux/config and change the status to disabled
firewall-cmd --permanent --add-service=ftp  # allow the ftp service through the firewall
systemctl enable --now vsftpd               # enable and start the ftp service
firewall-cmd --reload                       # reload the firewall rules
vim /etc/vsftpd/vsftpd.conf                 # edit the configuration file to allow anonymous users to access
systemctl restart vsftpd                    # restart the service
lftp 172.25.254.213                         # check whether the ftp service is reachable
3. Basic information of vsftpd
Service name: vsftpd.service
Configuration directory: /etc/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
Default published directory: /var/ftp
Error messages
550  # refused by the program itself
553  # file system permission limit
500  # permissions too permissive (for example a writable chroot root directory)
530  # authentication failed
4. Anonymous user access control
lftp 172.25.254.213            # connecting to the ftp service without giving a user is anonymous access
lftp 172.25.254.213 -u westos  # local user access
Login control (edit the configuration file)
anonymous_enable=YES     # allow anonymous users to log in
anon_root=/westosdir     # change the anonymous home directory to /westosdir
anon_upload_enable=YES   # allow anonymous users to upload
systemctl restart vsftpd
# Note that changing the configuration file is not enough: the group and permissions of the upload directory must also be changed
chgrp ftp /var/ftp/pub/
chmod 775 /var/ftp/pub/
put /etc/passwd          # upload test, run inside the lftp session
anon_mkdir_write_enable=YES   # allow anonymous users to create new directories
anon_other_write_enable=YES   # allow anonymous users to delete and rename
anon_world_readable_only=NO   # allow anonymous users to download files that are not world-readable
systemctl restart vsftpd
lftp 172.25.254.213
get passwd
Anonymous user upload file permission setting
anon_umask=022           # umask for files uploaded by anonymous users; once chown_username is set, this parameter no longer governs the uploaded file's permissions
chown_uploads=YES        # change the owner of files uploaded by anonymous users
chown_username=lee       # user identity given to files uploaded by anonymous users
chown_upload_mode=0644   # permission mode of files uploaded by anonymous users
# Note: if ls lists the directory contents, the login is considered successful
Number of logins control
max_clients=2            # maximum number of client connections the ftp service accepts
Anonymous user upload rate control
anon_max_rate=102400     # rate limit in bytes per second (102400 bytes is about 100 KB per second)
5. Local user access
# Note: if ls lists the directory contents, the login is considered successful
Login control
useradd westos
echo lee | passwd --stdin westos
lftp 172.25.254.213 -u westos
local_enable=YES    # allow local users to log in
write_enable=YES    # allow writes
local_umask=077     # upload file permission control: default permissions of files uploaded by local users
# User login control
/etc/vsftpd/ftpusers    # permanent blacklist: a user listed here can never log in
/etc/vsftpd/user_list   # temporary blacklist: if a user is only written here, the file acts as a blacklist
# But if userlist_deny=NO is set in the configuration file, the meaning inverts: by default users cannot log in over ftp, and only the users in user_list can log in (user_list becomes a whitelist)
User home directory control
local_root=/westosdir   # set the local user's home directory to /westosdir
chroot_local_user=YES   # lock local users into their home directory so they cannot browse the root directory
chmod u-w /home/*       # when users are locked into their home directory, the owner write permission on that directory must be removed; if it is writable, access is refused
# When users are not locked into their home directory (by default they can browse the root directory) and the list is enabled, the list is a blacklist: the listed users are locked in
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# When all users are locked into their home directory (by default they cannot browse the root directory) and the list is enabled, the list is a whitelist: the listed users are not locked in
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
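As an added example that is not part of this tutorial, a small POSIX sh audit of a vsftpd.conf covering the anonymous write options from section 4, the writable-chroot refusal from section 5 and the userlist_deny inversion. allow_writeable_chroot is a real vsftpd option not mentioned above; the sample configuration written by write_sample_conf is constructed.

```shell
# Added example, not from the original page: audit a vsftpd.conf for the
# anonymous, chroot and user_list settings discussed above (sample config is constructed).
# cfg_get FILE KEY -> value of KEY, upper-cased, last occurrence wins ("" if unset)
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        tr '[:lower:]' '[:upper:]' | tr -d '[:space:]'
}
# is_on VALUE -> succeeds if vsftpd treats VALUE as boolean yes
is_on() { case "$1" in YES|TRUE|1) return 0;; *) return 1;; esac; }
# audit_vsftpd_conf FILE -> prints one finding per line, prefixed RISK: or NOTE:
audit_vsftpd_conf() {
    conf=$1
    if is_on "$(cfg_get "$conf" anonymous_enable)"; then
        # each of these gives anonymous clients write access under anon_root
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_on "$(cfg_get "$conf" "$k")"; then echo "RISK: anonymous write enabled ($k)"; fi
        done
        # NO lets anonymous clients download files that are not world-readable
        if [ "$(cfg_get "$conf" anon_world_readable_only)" = NO ]; then
            echo "RISK: anonymous download of non-world-readable files"
        fi
    fi
    # a writable chroot root makes vsftpd refuse the login (500 OOPS); overriding that
    # with allow_writeable_chroot=YES instead of 'chmod u-w' weakens the jail
    if is_on "$(cfg_get "$conf" chroot_local_user)" &&
       is_on "$(cfg_get "$conf" allow_writeable_chroot)"; then
        echo "RISK: chroot enabled but allow_writeable_chroot=YES"
    fi
    # userlist_deny=NO turns user_list from a blacklist into a whitelist
    if is_on "$(cfg_get "$conf" userlist_enable)" &&
       [ "$(cfg_get "$conf" userlist_deny)" = NO ]; then
        echo "NOTE: user_list is a whitelist: only listed users may log in"
    fi
    return 0
}
# write_sample_conf FILE -> constructed config mirroring the tutorial's settings
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=yes
anon_world_readable_only=NO
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
EOF
}
```

Run it against the live file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after sourcing the script; the sample config above yields five RISK lines and one NOTE.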
6. Virtual user access
Process for creating virtual users
Write the authentication file
vim /etc/vsftpd/virt_users
Encrypt the authentication file
db_load -T -t hash -f /etc/vsftpd/virt_users /etc/vsftpd/virt_users.db   # generates virt_users.db; -T convert, -t database type, -f input file to convert
Write the authentication policy file
/etc/pam.d/virt_users
# first line: account, verification method, authentication plug-in, file to verify against
# second line: password, verification method, authentication plug-in, file to verify against
Write the configuration file
pam_service_name=virt_users   # the value after the equals sign is the name of the rule file you wrote under /etc/pam.d/, i.e. the authentication policy file
guest_enable=YES              # enable the virtual user function
guest_username=ftp            # the local user identity that virtual users take on the ftp server
At this point the virtual users you set up can log in
Independent settings for each virtual user's home directory
local_root=/ftphomedir/$USER              # the user's home directory; $USER is a variable
user_sub_token=$USER                      # declare that $USER is a variable, not a literal string
user_config_dir=/etc/vsftpd/userconfdir   # set the configuration directory for all virtual users to /etc/vsftpd/userconfdir
mkdir -p /ftphomedir/user{1,2}/pub
chmod 775 /ftphomedir/user1
chgrp ftp /ftphomedir/user1
vim /etc/vsftpd/userconfdir/user1
anon_upload_enable=YES
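The virtual-user setup above spreads one login across four places (vsftpd.conf, the PAM service file, the db_load output and the per-user home directory). As an added example that is not part of this tutorial, a POSIX sh check that these pieces point at each other; PREFIX is prepended to every path so it runs on the constructed tree from make_sample_tree rather than the live /etc, and the credentials in that tree are constructed.

```shell
# Added example, not from the original page: check that the virtual-user pieces above
# point at each other. PREFIX is prepended to every path so the check can run on the
# constructed tree built by make_sample_tree instead of the live /etc.
# cfg_get FILE KEY -> value of KEY ("" if unset)
cfg_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }
# check_virtual_users PREFIX -> one problem per line; no output means consistent
check_virtual_users() {
    p=$1; conf=$p/etc/vsftpd/vsftpd.conf
    pam=$(cfg_get "$conf" pam_service_name)
    if [ ! -f "$p/etc/pam.d/$pam" ]; then
        echo "pam_service_name=$pam but /etc/pam.d/$pam does not exist"; return 0
    fi
    # pam_userdb names the database without its .db suffix; db_load creates FILE.db
    db=$(sed -n 's/.*pam_userdb\.so.*db=\([^[:space:]]*\).*/\1/p' "$p/etc/pam.d/$pam" | head -n 1)
    if [ -z "$db" ]; then echo "no pam_userdb.so db= entry in /etc/pam.d/$pam"; return 0; fi
    if [ ! -f "$p$db.db" ]; then echo "$db.db is missing: run db_load on $db"; fi
    root=$(cfg_get "$conf" local_root); tok=$(cfg_get "$conf" user_sub_token)
    esc=$(printf '%s' "$tok" | sed 's/[][$.*^]/\\&/g')   # make the token safe in a sed pattern
    # the plain auth file alternates user name and password lines; odd lines are users
    for u in $(awk 'NR % 2 == 1' "$p$db"); do
        home=$root
        if [ -n "$tok" ]; then home=$(printf '%s' "$root" | sed "s|$esc|$u|g"); fi
        if [ ! -d "$p$home" ]; then echo "virtual user $u: home $home does not exist"; fi
    done
    return 0
}
# make_sample_tree PREFIX -> constructed tree mirroring the tutorial; user2 has no home yet
make_sample_tree() {
    p=$1
    mkdir -p "$p/etc/vsftpd/userconfdir" "$p/etc/pam.d" "$p/ftphomedir/user1/pub"
    printf '%s\n' pam_service_name=virt_users guest_enable=YES guest_username=ftp \
        'local_root=/ftphomedir/$USER' 'user_sub_token=$USER' \
        user_config_dir=/etc/vsftpd/userconfdir > "$p/etc/vsftpd/vsftpd.conf"
    printf '%s\n' user1 pass1 user2 pass2 > "$p/etc/vsftpd/virt_users"  # constructed credentials
    : > "$p/etc/vsftpd/virt_users.db"   # stand-in for the db_load output
    printf '%s\n' 'auth     required pam_userdb.so db=/etc/vsftpd/virt_users' \
        'account  required pam_userdb.so db=/etc/vsftpd/virt_users' > "$p/etc/pam.d/virt_users"
}
```

On a real host call `check_virtual_users ""` so the paths resolve under /etc and /ftphomedir directly.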