Deployment and optimization of the vsftpd service

1 Experimental environment

1) Server host:

  • Host name: ftp_server
  • IP: 172.25.254.136
  • SELinux: disabled
  • Firewall: on
  • dnf repository configured

2) Client host:

  • Host name: localhost
  • IP: 172.25.254.36
  • SELinux: disabled
  • dnf repository configured
  • lftp installed (command-line FTP client)

2 Introduction to ftp

FTP: File Transfer Protocol.
The oldest file transfer protocol on the Internet. FTP lets a user work with files on another host without really logging in to that computer as a full user: the client reaches the remote resources through FTP and moves files back and forth, even though the two machines may run different operating systems and store files differently. Its main goal is to make file sharing easier. Keep in mind that plain FTP carries user names, passwords and file contents in cleartext over its control and data connections, so outside an isolated lab it should be wrapped in TLS (vsftpd's ssl_enable) or replaced by SFTP.

3 vsftpd installation and activation

1) On the server, run dnf install vsftpd.x86_64 lftp.x86_64 -y to install the FTP service and a local client for testing.

2) On the client, run dnf install lftp -y to install only the client.

3) Make sure SELinux is disabled (getenforce reports Disabled or Permissive). This is a lab shortcut only: on a production host keep SELinux enforcing and switch on the relevant ftpd booleans (for example ftpd_anon_write or ftpd_full_access) instead of turning it off.

4) Enable and start the vsftpd unit with systemctl, then allow the ftp service in the firewall (firewall-cmd --permanent --add-service=ftp, followed by a reload). Use the ftp service definition rather than opening only tcp/21: FTP's data connections use dynamic ports and rely on the connection-tracking helper that the service definition brings in.

5) With the service running, anonymous logins are still refused: the shipped /etc/vsftpd/vsftpd.conf sets anonymous_enable=NO (line 12 of the stock file). Change it to anonymous_enable=YES and restart the service.

6) Now lftp 172.25.254.136 on the client connects successfully (ftp://172.25.254.136 works in a browser only if that browser still supports FTP; current Chrome and Firefox releases have dropped it).
Note: lftp opens the connection lazily, so after lftp <ip> run ls; a directory listing means the login went through. quit or exit leaves the client. Every lftp process is a separate login, so opening several shells and starting lftp in each produces several concurrent sessions; vsftpd does not cap their number unless max_clients is set (see below).

4 Basic information about vsftpd

Item                        Meaning
vsftpd.service              service unit name
/etc/vsftpd                 configuration directory
/etc/vsftpd/vsftpd.conf     main configuration file
/var/ftp                    default publishing directory (anonymous root)

Reply code                  Meaning
550                         refused by vsftpd policy: the directive that would permit the operation is off
553                         refused by file-system permissions on the server
500 OOPS                    vsftpd aborted the session, typically because of excessive permissions (e.g. a writable chroot root)
530                         authentication failed (login incorrect, or the user is blacklisted)

5 User access control

User access is divided into anonymous access and local-user access. lftp 172.25.254.136 without a user name is an anonymous login, which lands in the publishing directory; lftp 172.25.254.136 -u westos logs in as the local user westos and lands in that user's home directory.

5.1 Anonymous user access

1) Login control: anonymous_enable=YES|NO decides whether anonymous logins are accepted. It was set to YES above and its effect has already been seen.
2) Root directory control: anon_root=/westos changes the anonymous publishing directory to /westos. The directory must exist before the change; restart the service afterwards and log in again: the listing now shows the contents of /westos, confirming the new publishing directory.

3) Upload control: anon_upload_enable=YES|NO decides whether anonymous users may upload. Before the directive is changed an upload fails with 550 (vsftpd policy refuses). After it is set to YES the upload fails with 553 instead (the file system refuses), so the target directory must be made writable for the identity anonymous sessions run as, the ftp user: chgrp ftp /var/ftp/pub and chmod 775 /var/ftp/pub hand the pub subdirectory to the ftp group with group write. Uploads then succeed. Do not open up the publishing directory /var/ftp itself: it is the anonymous chroot root, and vsftpd refuses to run with a writable root inside its chroot (500 OOPS). Grant write access only on a subdirectory below it.

4) Directory creation control: anon_mkdir_write_enable=YES|NO decides whether anonymous users may create directories. As with uploads, an attempt before the change fails with 550; after setting it to YES and restarting the service, mkdir succeeds in the writable pub subdirectory.

5) Download control: anon_world_readable_only=YES|NO (default YES) restricts anonymous downloads to files that are world-readable. That is why an anonymously uploaded file (created with mode 600 under the default anon_umask=077) cannot be fetched back. Setting it to NO lets anonymous clients download anything the ftp user can read, including other clients' uploads, which turns the server into an open drop box; change it only deliberately, then restart the service.

6) Delete and rename control: anon_other_write_enable=YES|NO decides whether anonymous users may delete or rename entries, which is off by default. Turn it on only if anonymous clients genuinely need it, since it lets any client destroy what other clients uploaded; restart the service after the change.

7) Mode of anonymously uploaded files: anon_umask=022 applies umask 022 to uploads, giving mode 644; the default is 077, giving mode 600. Note that once chown_uploads is on, the final mode is forced by chown_upload_mode (default 0600) and anon_umask no longer decides it.

8) Ownership of anonymously uploaded files: chown_uploads=YES together with chown_username=liu makes vsftpd chown every anonymous upload to the user liu; by default uploads are owned by the ftp user.

Because chown_uploads also forces the uploaded file's mode to chown_upload_mode (default 0600), the earlier anon_umask=022 has no visible effect: the uploaded file still shows mode 600. To change the resulting mode, set chown_upload_mode (for example chown_upload_mode=0644) rather than anon_umask. Pick chown_username carefully: that account becomes the owner of content written by anonymous clients, so it must never be root or any other privileged user.

9) Connection count control: max_clients=2 caps the service at two simultaneous connections; the default, 0, means no limit. Capping it protects the server against being overwhelmed by too many sessions. After the change, restart the service and open lftp from three shells on the same host: the third session is refused with a 421 reply (too many connected users, please try later).

10) Transfer rate control: anon_max_rate=102400 limits anonymous transfers (uploads and downloads alike) to 102400 bytes per second, roughly 100 KB/s. By default there is no limit and a transfer is bounded only by disk and network, so a single anonymous client can monopolise bandwidth; throttling anonymous sessions prevents that. Restart the service after the change. In the test, uploading a file with no limit ran at several MB/s; after the parameter was set the rate fell gradually until it settled at about 100 KB/s, much like the capped download speed of a consumer cloud-storage service.
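The directives in 5.1 interact, and a risky combination is easy to miss in a long vsftpd.conf. The audit script below is an added example, not part of the original article: it reads a vsftpd.conf the way vsftpd does (exact option=value lines, comments starting with #, last assignment wins, built-in defaults when a directive is absent) and reports the combinations discussed above. Directive names and their built-in defaults are taken from vsftpd.conf(5); the two sample configurations are constructed for the example, the second one being an anonymous upload-only drop box with local users confined.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the risky combinations discussed in section 5.
# Added example, not from the original article. Needs only POSIX sh,
# sed and grep; the two configurations below are constructed samples.

# vsftpd's parser is strict: a line is either a '#' comment or exactly
# option=value with no surrounding whitespace. The last assignment wins.
get_directive() {                       # FILE KEY DEFAULT -> value
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Booleans are accepted case-insensitively (YES/NO, TRUE/FALSE, 1/0).
get_bool() {                            # FILE KEY DEFAULT -> YES or NO
    case $(get_directive "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# Defaults are the built-in ones from vsftpd.conf(5). The file shipped by
# the distribution overrides some of them (it sets anonymous_enable=NO,
# which is why line 12 had to be edited above).
audit_conf() {                          # FILE -> one finding per line
    f=$1
    anon=$(get_bool "$f" anonymous_enable YES)
    anon_up=$(get_bool "$f" anon_upload_enable NO)
    anon_other=$(get_bool "$f" anon_other_write_enable NO)
    anon_wro=$(get_bool "$f" anon_world_readable_only YES)
    local_on=$(get_bool "$f" local_enable NO)
    chroot_all=$(get_bool "$f" chroot_local_user NO)
    chroot_list=$(get_bool "$f" chroot_list_enable NO)
    writable_root=$(get_bool "$f" allow_writeable_chroot NO)
    max_clients=$(get_directive "$f" max_clients 0)

    if [ "$anon" = YES ] && [ "$anon_other" = YES ]; then
        echo "anonymous clients may delete and rename files (anon_other_write_enable=YES)"
    fi
    if [ "$anon" = YES ] && [ "$anon_up" = YES ] && [ "$anon_wro" = NO ]; then
        echo "anonymous uploads can be downloaded by any anonymous client (anon_world_readable_only=NO): open drop box"
    fi
    if [ "$local_on" = YES ] && [ "$chroot_all" = NO ] && [ "$chroot_list" = NO ]; then
        echo "local users are not confined to their home directories (chroot_local_user=NO)"
    fi
    if [ "$writable_root" = YES ]; then
        echo "writable chroot root permitted (allow_writeable_chroot=YES); prefer chmod u-w on the home directory"
    fi
    if [ "$max_clients" -eq 0 ]; then
        echo "no cap on concurrent connections (max_clients=0)"
    fi
    return 0
}

count_findings() { audit_conf "$1" | grep -c . || true; }   # FILE -> number

# Constructed sample configurations, not real server files.
TMPD=$(mktemp -d)
WEAK_CONF=$TMPD/weak.conf
HARD_CONF=$TMPD/hardened.conf
cat > "$WEAK_CONF" <<'EOF'
# every write knob from section 5.1 switched on at once
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
anon_umask=022
local_enable=YES
write_enable=YES
chroot_local_user=NO
EOF
cat > "$HARD_CONF" <<'EOF'
# anonymous write-only drop box under /var/ftp/pub, local users confined
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
anon_umask=077
anon_max_rate=102400
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=NO
max_clients=50
EOF

echo "findings in $WEAK_CONF:"; audit_conf "$WEAK_CONF"
echo "findings in $HARD_CONF: $(count_findings "$HARD_CONF")"
```

On a real server, source the script and call audit_conf /etc/vsftpd/vsftpd.conf. It checks only the combinations it knows about, so an empty result means those particular problems are absent, not that the configuration is safe.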

5.2 Local user access

1) lftp 172.25.254.136 -u westos logs in as the local user westos; a local login lands in that user's home directory.
2) Login control: local_enable=YES|NO decides whether local users may log in at all. The shipped configuration allows it; set it to NO to refuse local logins.

3) Home directory control: local_root=/westosdir. By default a local user sees the contents of their home directory (/home/westos); with this directive the session starts in /westosdir instead, which must already exist.

4) Write permission control: write_enable=YES|NO is the global switch for every write command. The shipped configuration sets it to YES, so local users can upload; setting it to NO removes write access for local users and, because the switch is global, for anonymous users as well.

5) Upload mode control: local_umask=022 is the value in the shipped configuration (the built-in default is 077), so locally uploaded files get mode 644; with local_umask=077 they get mode 600.

6) User login control: local users may use the service by default; individual users can be blocked with blacklists or admitted with a whitelist.

  • /etc/vsftpd/ftpusers is the permanent blacklist and has the highest priority. It is enforced by PAM (pam_listfile in /etc/pam.d/vsftpd), so a listed user is refused at the password step no matter what the vsftpd configuration says. The shipped file already lists root and the other system accounts.

  • /etc/vsftpd/user_list is the default, or temporary, blacklist. It is checked by vsftpd itself when userlist_enable=YES (the shipped setting); with userlist_deny=YES (the default) every name in it is refused. The refusal happens at the USER command, before any password is sent, which also keeps the passwords of blocked accounts off the wire.

With userlist_deny=NO the meaning of user_list flips: it becomes a whitelist and only the listed users may log in. A user who is in ftpusers still cannot log in even when listed in the whitelist, because the permanent blacklist is evaluated by PAM regardless of user_list.

7) Locking users into their home directories: run chmod u-w /home/* and then set chroot_local_user=YES. By default a local user can leave the home directory and browse the whole file system after logging in, which weakens the system, so users should be confined. Once confined, cd / shows the contents of the home directory. The chmod is needed because vsftpd refuses to start a chrooted session whose root directory is writable by the user (500 OOPS: vsftpd: refusing to run with writable root inside chroot()); removing the owner's write bit from the home directory avoids that error, so the login succeeds. The alternative, allow_writeable_chroot=YES, is weaker and should be avoided.

  • Before the directive is set, the user can reach the file-system root.
  • After setting the directive and removing write permission on the home directory, the login succeeds and the session is confined to the home directory.

8) chroot_local_user=YES confines every local user, which may be more than intended, so a list can select who is confined. Blacklist of users locked into their home directory:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Create /etc/vsftpd/chroot_list first, then add the users to confine, one per line, with vim /etc/vsftpd/chroot_list. A listed user can no longer leave the home directory; users not on the list can still reach the file-system root.

9) Whitelist of users exempt from being locked into their home directory:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
If /etc/vsftpd/chroot_list already exists, edit it with vim /etc/vsftpd/chroot_list and add the users to exempt; if it does not, create it first. A listed user can still reach the file-system root, while every user not on the list is confined to the home directory. The same three directives therefore switch meaning with chroot_local_user: with NO the list names who is confined, with YES it names who is exempt.
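The list rules of item 6 and the chroot_list rules of items 8 and 9 are easy to get backwards. The script below is an added example, not from the original article: it reproduces vsftpd's decision order for a local login (user_list first, at the USER command, then ftpusers through PAM) and the two meanings of chroot_list_file, and it checks the owner write bit that triggers the writable-chroot error of item 7. The list contents, user names and directories are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduce vsftpd's login and chroot decisions for local users.
# Added example, not from the original article; the list files and
# directories below are constructed for the demonstration.

# user_list is read by vsftpd itself when userlist_enable=YES, at the USER
# command, so a rejected name never gets to send a password. ftpusers is
# read later by PAM (pam_listfile in /etc/pam.d/vsftpd) and always denies.
login_decision() {  # USER FTPUSERS USER_LIST USERLIST_ENABLE USERLIST_DENY
    user=$1; ftpusers=$2; user_list=$3; enable=$4; deny=$5
    listed=NO
    grep -qxF "$user" "$user_list" 2>/dev/null && listed=YES
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ] && [ "$listed" = YES ]; then
            echo "deny: $user is on the user_list blacklist"; return 0
        fi
        if [ "$deny" = NO ] && [ "$listed" = NO ]; then
            echo "deny: $user is not on the user_list whitelist"; return 0
        fi
    fi
    if grep -qxF "$user" "$ftpusers" 2>/dev/null; then
        echo "deny: $user is in ftpusers (PAM)"; return 0
    fi
    echo "allow"
}

# chroot_list_file inverts chroot_local_user for the names it contains:
# with chroot_local_user=NO it lists who IS confined, with YES who is EXEMPT.
chroot_decision() {  # USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LISTFILE
    user=$1; all=$2; list_on=$3; listfile=$4
    listed=NO
    if [ "$list_on" = YES ] && grep -qxF "$user" "$listfile" 2>/dev/null; then
        listed=YES
    fi
    if [ "$all" = YES ]; then
        if [ "$listed" = YES ]; then echo "not chrooted (exempt via chroot_list)"
        else echo "chrooted"; fi
    else
        if [ "$listed" = YES ]; then echo "chrooted (via chroot_list)"
        else echo "not chrooted"; fi
    fi
}

# vsftpd refuses a chrooted session whose root is writable ("500 OOPS:
# vsftpd: refusing to run with writable root inside chroot()"), which is
# why item 7 runs chmod u-w /home/*. Inspect the owner write bit.
chroot_root_ok() {  # DIR -> 0 when the owner write bit is clear
    [ "$(ls -ld "$1" | cut -c3)" = "-" ]
}

# Constructed lab data: westos is also blacklisted system-wide in ftpusers.
TMPD=$(mktemp -d)
printf 'root\nbin\nwestos\n' > "$TMPD/ftpusers"
printf 'westos\nliu\n'       > "$TMPD/user_list"
printf 'liu\n'               > "$TMPD/chroot_list"
mkdir -p "$TMPD/home/liu" "$TMPD/home/westos"
chmod 755  "$TMPD/home/liu"       # owner-writable: vsftpd would refuse
chmod u-w  "$TMPD/home/westos"    # the fix from item 7 applied

for u in westos liu alice; do
    echo "$u, userlist_deny=YES: $(login_decision "$u" "$TMPD/ftpusers" "$TMPD/user_list" YES YES)"
    echo "$u, userlist_deny=NO:  $(login_decision "$u" "$TMPD/ftpusers" "$TMPD/user_list" YES NO)"
    echo "$u, chroot_local_user=NO  + list: $(chroot_decision "$u" NO  YES "$TMPD/chroot_list")"
    echo "$u, chroot_local_user=YES + list: $(chroot_decision "$u" YES YES "$TMPD/chroot_list")"
done
for h in liu westos; do
    chroot_root_ok "$TMPD/home/$h" && echo "$h: home usable as chroot root" \
                                   || echo "$h: home is owner-writable, vsftpd would refuse"
done
```

Point the functions at the real /etc/vsftpd/ftpusers, /etc/vsftpd/user_list and /etc/vsftpd/chroot_list with the values from vsftpd.conf to predict what a given account will get before restarting the service.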

6 Virtual user access

Managing a crowd of anonymous clients is laborious, and not everyone can be given a local system account. Virtual users solve this: they authenticate against a separate credential database and run under one unprivileged system account.

6.1 Create a virtual user

1) Create the credentials file in /etc/vsftpd; the file name is free. It holds user names and passwords on alternating lines (a name, then that user's password). Do not put spaces or blank lines in it: a space is taken as part of the name or password. Restrict the file to root (mode 600), because the passwords are stored in plain text.

2) Convert the credentials file into a Berkeley DB database with db_load -T -t hash -f <credentials file> <credentials file>.db. Here -T means the input is plain text, -t hash selects the database type, and -f names the input file; afterwards the directory contains both the text file and the .db file. This step is a conversion, not an encryption: the .db is a hashed index that still stores the passwords verbatim, so it needs the same 600 permissions. If the passwords are stored as crypt(3) hashes instead, pam_userdb must be told so with crypt=crypt in the rule below.

3) Write the PAM rules in a new file under /etc/pam.d/; the file name is free but must match pam_service_name below. Its two lines cover, in order:

  • auth: the authentication type, the PAM module (pam_userdb.so) and the database against which the password is checked
  • account: the account type, the same module and the same database, so that only users present in the database are accepted

db=/etc/vsftpd/virt_users tells the module which database to compare against. Do not append .db: the module adds the suffix itself, so db=/etc/vsftpd/virt_users.db would make it look for /etc/vsftpd/virt_users.db.db and fail.

4) Edit /etc/vsftpd/vsftpd.conf:

  • pam_service_name=virt_users, the PAM service (file name under /etc/pam.d) that vsftpd authenticates against
  • guest_enable=YES, enables virtual (guest) users
  • guest_username=ftp, the system account a virtual user is mapped to after logging in; keep this an unprivileged account

5) After restarting the service, a virtual user can log in and lands in the default publishing directory.

6.2 Independent setting of virtual user's home directory

1) Virtual users start in the default publishing directory. To give each one its own directory, create one directory per user and put a different file in each so that the effect is easy to observe.

2) Edit the main configuration file:

  • local_root=/ftpuserdir/$USER, the home directory of each virtual user
  • user_sub_token=$USER, declares that $USER in local_root is a placeholder replaced by the login name rather than a literal string

3) Each virtual user now logs in to their own publishing directory. If a virtual user has no permission on that directory or on the pub subdirectory, fix the directory permissions (ownership or group write for the ftp account); the virtual user then has exactly the permissions of an anonymous user. A virtual user is, in effect, a special anonymous user: whatever the anon_* directives grant to anonymous clients is granted to virtual users as well.

6.3 Independent user configuration

1) Because virtual users inherit the anonymous permissions granted above, comment out the anonymous write directives (anon_upload_enable, anon_mkdir_write_enable, anon_other_write_enable) in the main configuration file.

2) Once they are commented out, the virtual user's permissions are restricted accordingly, exactly as the anonymous user's are.

3) To grant a single virtual user specific permissions, create a new directory under /etc/vsftpd/ to hold per-user configuration files and point the main configuration at it with user_config_dir=<that directory>. Until a per-user file exists there, the virtual user still has no write permissions.

4) In that directory create one file per user, named exactly like the user name, and put the directives that user needs in it (for example anon_upload_enable=YES). Users without such a file keep the restricted defaults, so permissions are now independent per user. A per-user file can override any directive of the main configuration, so keep the directory and its files root-owned and not writable by others.
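Sections 6.1 to 6.3 are one procedure, so here it is carried through in a single script: credentials file, database, PAM service, main-configuration directives and a per-user file. This is an added example rather than the article's own commands. The names virt_users, /ftpuserdir and /etc/vsftpd/userconf and the two demo accounts are assumptions (the article shows them only in screenshots), and PREFIX defaults to a scratch directory so that the generated files can be inspected before anything is written under /etc.

```shell
#!/bin/sh
# Provision vsftpd virtual users (sections 6.1 to 6.3) under $PREFIX.
# Added example, not the article's own commands. PREFIX defaults to a
# scratch directory; run with PREFIX= (empty) to write the real
# /etc/vsftpd, /etc/pam.d and /ftpuserdir. Assumed names: PAM service
# virt_users, per-user directory /etc/vsftpd/userconf, data root
# /ftpuserdir; the two accounts are constructed demo data.

PREFIX=${PREFIX-$(mktemp -d)}

# 1) Credentials file: name and password on alternating lines, no blank
#    lines and no trailing spaces. Created mode 600: it holds passwords.
write_credentials() {                       # -> path of the text file
    f=$PREFIX/etc/vsftpd/virt_users
    mkdir -p "$PREFIX/etc/vsftpd"
    (umask 077; printf '%s\n' liu demo-pass-1 westos demo-pass-2 > "$f")
    echo "$f"
}

# 2) Berkeley DB: -T = text input, -t hash = database type, -f = input
#    file, last argument = output. A conversion, not an encryption: the
#    passwords sit verbatim in the .db, hence the chmod 600. Skipped when
#    db_load (package libdb-utils) is not installed on this machine.
build_db() {                                # TEXTFILE -> path of the .db
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$1" "$1.db" && chmod 600 "$1.db"
    fi
    echo "$1.db"
}

# 3) PAM stack for the service: password check (auth) and account check,
#    both through pam_userdb. db= takes the path WITHOUT .db; pam_userdb
#    appends it. Add crypt=crypt if the stored passwords are crypt(3)
#    hashes rather than plaintext.
write_pam() {                               # DBPATH_WITHOUT_EXT -> path
    f=$PREFIX/etc/pam.d/virt_users
    mkdir -p "$PREFIX/etc/pam.d"
    printf 'auth required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' \
        "$1" "$1" > "$f"
    echo "$f"
}

# 4) Main-configuration directives from 6.1 and 6.2: authenticate through
#    the PAM service above, map guests onto the unprivileged ftp account,
#    give each user /ftpuserdir/<name>, and read per-user overrides.
write_main_conf() {                         # -> path of vsftpd.conf
    f=$PREFIX/etc/vsftpd/vsftpd.conf
    mkdir -p "$PREFIX/etc/vsftpd"
    cat >> "$f" <<'EOF'
pam_service_name=virt_users
guest_enable=YES
guest_username=ftp
user_sub_token=$USER
local_root=/ftpuserdir/$USER
user_config_dir=/etc/vsftpd/userconf
EOF
    echo "$f"
}

# 5) Per-user file (6.3), named exactly like the user. Guests are governed
#    by the anon_* directives, so write rights are granted here per user
#    instead of globally in vsftpd.conf.
write_user_conf() {                         # USER DIRECTIVE... -> path
    u=$1; shift
    d=$PREFIX/etc/vsftpd/userconf
    mkdir -p "$d"
    printf '%s\n' "$@" > "$d/$u"
    echo "$d/$u"
}

has_line() { grep -qxF "$2" "$1"; }         # FILE LINE -> 0 if present

CRED=$(write_credentials)
DB=$(build_db "$CRED")
PAM=$(write_pam /etc/vsftpd/virt_users)     # the real path goes into the rule
MAIN=$(write_main_conf)
LIU_CONF=$(write_user_conf liu anon_upload_enable=YES anon_mkdir_write_enable=YES)
WESTOS_CONF=$(write_user_conf westos anon_upload_enable=NO)
# per-user data roots; chown them to ftp (guest_username) on a real host
mkdir -p "$PREFIX/ftpuserdir/liu" "$PREFIX/ftpuserdir/westos"
echo "credentials: $CRED"; echo "database: $DB"; echo "pam: $PAM"; echo "conf: $MAIN"
```

After running it with PREFIX= on the server, restart vsftpd and log in with lftp 172.25.254.136 -u liu: liu may upload and create directories under /ftpuserdir/liu, while westos, whose per-user file says anon_upload_enable=NO, gets 550 on an upload.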

Origin blog.csdn.net/weixin_54719086/article/details/115015839