ftp of linux

Contents of FTP

File Transfer Protocol
FTP is a protocol for transferring files over the Internet. It works in client/server mode and uses ports 20 and 21 by default: port 21 (the command port) accepts the FTP commands and parameters sent by the client, and port 20 (the data port) is the port the server connects from when it transfers data in active mode (in passive mode the data connection uses a port chosen by the server, not port 20). FTP servers are usually deployed on an intranet and are easy to build and manage, and some FTP clients support multi-connection downloads and resuming interrupted transfers, so the FTP service has long been popular. Keep in mind that plain FTP sends both the credentials and the file contents in cleartext, so anyone who can observe the traffic can read the password; keep it on a trusted network or use FTPS/SFTP instead. Figure 11-1 shows the transmission topology of the FTP protocol.


An FTP server is a host that provides file storage and access over the FTP protocol; an FTP client is a host that sends a connection request to the server to establish a data transfer link.

Two modes
Active mode: after the client sends a PORT command, the FTP server itself initiates the data connection to the client (from its port 20).
Passive mode: the client sends PASV, and the FTP server opens a port and waits for the client to initiate the data connection (the default working mode of most FTP clients).
Firewalls are generally used to filter traffic entering the internal network from the outside, so the mode decides which side must accept an inbound connection. If the client sits behind a firewall that blocks inbound connections, active mode fails and passive mode must be used; if the server sits behind such a firewall, passive mode only works when its passive port range (pasv_min_port and pasv_max_port in vsftpd) is opened, otherwise data can only be transferred in active mode.
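The two modes differ only in which side has to accept an inbound TCP connection, which is what the firewall question above comes down to. The following shell functions are an added example, not code from the original page, that decode the two protocol messages involved: the server's 227 reply to PASV (the client then connects out to the advertised address, where the port is encoded as p1*256+p2) and the client's PORT command (the client listens on that port and the server connects in from port 20). The sample messages are constructed, and the function names pasv_endpoint and port_command are my own.

```shell
#!/bin/sh
# Added example (not from the original page): decode the two FTP
# data-connection negotiations. No network access; inputs are constructed.

# pasv_endpoint "227 ..." -> "h1.h2.h3.h4:port"
# Passive mode: the SERVER listens on this endpoint and the CLIENT connects
# out to it, so a client-side firewall only needs outbound rules, while a
# server-side firewall must allow inbound TCP to the whole passive range.
pasv_endpoint() {
  local reply="$1" nums h1 h2 h3 h4 p1 p2
  nums=$(printf '%s' "$reply" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
  [ -n "$nums" ] || return 1            # not a 227 reply
  IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$nums
EOF
  [ -n "$p2" ] || return 1              # malformed: fewer than six numbers
  printf '%s.%s.%s.%s:%d\n' "$h1" "$h2" "$h3" "$h4" $((p1 * 256 + p2))
}

# port_command IP PORT -> the PORT command a client sends in active mode.
# Active mode: the CLIENT listens on PORT and the SERVER connects in from
# its port 20, so a client-side firewall that drops inbound connections
# breaks the transfer and the client has to fall back to passive mode.
port_command() {
  local ip="$1" port="$2"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac   # must be numeric
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
  printf 'PORT %s,%d,%d\n' "$(printf '%s' "$ip" | tr . ,)" $((port / 256)) $((port % 256))
}

# Demo with constructed messages (the 227 line mirrors what vsftpd sends).
pasv_endpoint '227 Entering Passive Mode (192,168,213,131,195,80).'
port_command 192.168.213.1 40001
```

On the server side the port advertised in the 227 reply is drawn from the range set by pasv_min_port and pasv_max_port in vsftpd.conf (any ephemeral port when they are unset), so that range is what a server-side firewall has to open in addition to TCP 21.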

What is vsftpd
vsftpd (very secure FTP daemon) is an FTP server program that runs on Linux. It is completely open source and free, offers high security and good transfer speed, and supports virtual-user authentication and other features that other FTP server programs lack.

Install vsftpd
1 Install the package:
[root@minxing ~]# yum install vsftpd
The iptables firewall policy blocks the FTP ports by default, so before formally configuring the vsftpd service program, and to keep the default policy from "interfering", clear the default iptables policy and save the cleaned-up state:
[root@minxing ~]# iptables -F
[root@minxing ~]# service iptables save
Flushing every rule is acceptable on a lab VM but not on a real server: there, keep the policy and open only what FTP needs (TCP 21, TCP 20 if active mode is used, and the passive port range configured in vsftpd.conf).
2 Back up the original file, strip the comment lines, and view the result:
[root@minxing ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
[root@minxing ~]# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
[root@minxing ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Common parameters and functions of the vsftpd service program


vsftpd service program
vsftpd, as a relatively secure file transfer service program, lets users log in to the FTP server in three authentication modes.
Anonymous open mode: the least secure authentication mode; anyone can log in to the FTP server without password authentication.
Local user mode: authentication uses the Linux system's local account and password information. It is more secure than anonymous open mode and easy to configure, but if an attacker obtains or cracks the account credentials, they can log in to the FTP server unimpeded and, with the same credentials, to the system itself.
Virtual user mode: the most secure of the three. A separate user database file is created for the FTP service, and the accounts used for password verification are virtual: they do not exist in the server's system and are used only for authentication by the FTP service program. Even if an attacker cracks such an account, it cannot be used to log in to the server system, which effectively limits the scope and impact of a compromise.
ftp is the command-line client tool for working with FTP servers on Linux, so install the ftp client next:
[root@minxing ~]# yum install ftp
Anonymous access mode
In the vsftpd service program, the anonymous open mode is the least secure authentication mode: anyone can log in to the FTP server without password authentication. It is generally used to publish unimportant public files (never store important files this way in a production environment). If the access-control tools introduced in Chapter 8 (such as the tcp_wrappers service program) are used to restrict the hosts that may reach the vsftpd service to the corporate intranet, it can still offer basic protection.
The vsftpd service program enables anonymous open mode by default. What we do next is grant anonymous users permission to upload and download files and to create, delete and rename them. Be aware that releasing these permissions to anonymous users is dangerous: any host that can reach port 21 can fill the disk or plant files. We release them only to practice configuring vsftpd on Linux; do not do this in a production environment. Table 11-2 lists the permission parameters and functions that can be opened to anonymous users.
Permission parameters and functions that can be opened to anonymous users

Edit the configuration file with vim /etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Fill in the parameters in the main configuration file of vsftpd, save and exit, then restart the vsftpd service so that the new parameters take effect. In a production environment, or in the RHCSA, RHCE and RHCA certification exams, the configured service must also be added to the startup items so that the server still provides the service after a reboot:
[root@minxing ~]# systemctl restart vsftpd
[root@minxing ~]# systemctl enable vsftpd
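The directives above are the weak end of the spectrum: anonymous_enable, write_enable and the three anon_*_write switches together decide whether an unauthenticated client can change the filesystem. The script below is an added example, not code from the page or from the vsftpd project, that reads a vsftpd.conf, reports every anonymous write switch that is live (vsftpd only honours them when both anonymous_enable and write_enable are on, treats lines starting with # as comments, and lets the last occurrence of a directive win) and emits a hardened copy with those switches turned off. The sample configuration is constructed to mirror the lab configuration above; the function names conf_get, is_on, anon_write_risk and harden_anon are my own.

```shell
#!/bin/sh
# Added example (not from the original page or from vsftpd): audit a
# vsftpd.conf for anonymous write exposure and produce a hardened copy.

# conf_get FILE KEY -> value of the last KEY= line in FILE, or "" if unset.
# vsftpd ignores lines that begin with "#" and applies directives in order.
conf_get() {
  grep -v '^#' "$1" | sed -n "s/^$2=\(.*\)$/\1/p" | tail -n 1
}

# is_on VALUE -> true for the spellings vsftpd accepts as boolean true.
is_on() {
  case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
    YES|TRUE|1) return 0 ;;
    *) return 1 ;;
  esac
}

# anon_write_risk FILE -> prints one RISK line per live anonymous write
# switch; returns 1 if any is live, 0 if the file is clean.
anon_write_risk() {
  local f="$1" rc=0 k
  # Nothing anonymous can be written unless both gates are open.
  is_on "$(conf_get "$f" anonymous_enable)" || return 0
  is_on "$(conf_get "$f" write_enable)" || return 0
  for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
    if is_on "$(conf_get "$f" "$k")"; then
      echo "RISK: $k is on while anonymous_enable and write_enable are on"
      rc=1
    fi
  done
  return $rc
}

# harden_anon FILE -> FILE with anonymous access and all anonymous write
# switches forced to NO, written to stdout. Local-user settings are untouched.
harden_anon() {
  sed -E 's/^(anonymous_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=([Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)$/\1=NO/' "$1"
}

# Constructed sample mirroring the lab configuration (one lowercase value and
# one commented-out line to show what vsftpd actually honours).
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
anon_umask=022
#anon_upload_enable=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=yes
local_enable=YES
write_enable=YES
EOF

if anon_write_risk "$sample"; then
  echo "no anonymous write exposure"
else
  echo "harden before exposing this server"
fi
harden_anon "$sample" > "$sample.hardened"
if anon_write_risk "$sample.hardened"; then echo "hardened copy is clean"; fi
```

Against a live system, run anon_write_risk /etc/vsftpd/vsftpd.conf after every edit; it exits non-zero exactly when an anonymous client could write, which makes it usable as a pre-restart check.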
Now the ftp command can be run on the client to connect to the remote FTP server. In the anonymous open mode of vsftpd the account name is always anonymous and the password is empty (the server accepts anything; an e-mail address is the convention). After connecting, the session starts in the /var/ftp directory. Switch to the pub directory under it and try to create a new directory to check whether we have write permission:
[root@minxing ~]# ftp 192.168.213.131    (the server's address on the bridged network)
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir file
550 Create directory operation failed.
Creation failed, so there is clearly no write permission. Check the permissions on the pub directory:
[root@minxing ~]# ll -ld /var/ftp/pub/
drwxr-xr-x. 3 root root 21 March 29 09:38 /var/ftp/pub/
The mode drwxr-xr-x means the owner (root) has read, write and execute, while the group and everyone else have only read and execute. An anonymous session runs as the system account ftp, which falls under "everyone else" here, so it can list and enter the directory but cannot create anything in it. The ftp account already exists on the system (it is the account vsftpd uses for anonymous sessions), so the fix is to make it the owner of pub; anonymous logins then get the owner's write permission on that directory. Do not do the same to /var/ftp itself: vsftpd refuses anonymous logins when the root of the anonymous tree is writable.
[root@minxing ~]# chown -Rf ftp /var/ftp/pub
[root@minxing ~]# ll -ld /var/ftp/pub/
drwxr-xr-x. 3 ftp root 21 March 29 09:38 /var/ftp/pub
Log in again and you can see that you can create a file directory
[root@minxing ~]# ftp 192.168.213.131
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir file
257 "/pub/file" created
After logging in, the working directory is the anonymous root /var/ftp, which the server presents as "/"; the new directory therefore exists on the server as /var/ftp/pub/file and is reported as "/pub/file".
Local user mode
Compared with anonymous open mode, local user mode is more secure and easy to configure. If anonymous open mode was enabled before, turn it off now (anonymous_enable=NO) and keep local user mode on (local_enable=YES). The permission parameters and functions for local user mode are shown in the table.


The vsftpd service program checks a local user against two lists. The first is /etc/vsftpd/user_list, consulted by vsftpd itself before any password is asked, according to two directives in vsftpd.conf:
1 When userlist_enable=YES and userlist_deny=YES, user_list is a blacklist: every user in the list is denied, whatever /etc/pam.d/vsftpd says, and such a user can only log in after being removed (or commented out) from the list.
2 When userlist_enable=YES and userlist_deny=NO, user_list is a whitelist: only users in the list may log in, and users not in it are denied. A listed user such as root is still rejected afterwards by the PAM ftpusers check; only once the pam_listfile line in /etc/pam.d/vsftpd is commented out (or root is removed from /etc/vsftpd/ftpusers) does the login succeed.
3 When userlist_enable=NO, user_list is not consulted at all, whatever userlist_deny is set to; whether root can log in then depends only on the PAM check, so commenting out the pam_listfile line in /etc/pam.d/vsftpd lets it in.
The second list is /etc/vsftpd/ftpusers, enforced by the line "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed" in /etc/pam.d/vsftpd: any user it names is refused after the password has been checked, regardless of user_list. Taken together, a user must pass both checks. If user_list is a blacklist that contains the user, nothing in PAM can let them in; if user_list is a whitelist or disabled, PAM still blocks the user until the pam_listfile line is commented out or the user is removed from ftpusers.
To protect the server, the root administrator and most system users are listed in both files by default, which effectively prevents attackers from brute-forcing the root password through the FTP service. If you are sure that allowing root over FTP in your environment does not affect system security, delete the root line as described above; remember that FTP then carries the root password in cleartext. You can also pick an ordinary user who appears in neither ftpusers nor user_list and log in to the FTP server with it.
Edit the two list files, vim /etc/vsftpd/user_list and vim /etc/vsftpd/ftpusers, and comment out (or delete) the root line in each. Then connect:
[root@minxing ~]# ftp 192.168.213.131
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Once root has been removed from both deny lists, the login succeeds and the session lands in root's home directory, with its files readable over FTP.
So there are two ways to let root log in while the deny lists are in use: either remove (or comment out) the root line in /etc/vsftpd/user_list and /etc/vsftpd/ftpusers, or comment out the pam_listfile line in /etc/pam.d/vsftpd and set userlist_deny=NO so that user_list, with root still in it, acts as a whitelist. Either way root's password then crosses the network in cleartext with every FTP session, so this should stay a lab exercise.
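The cases above are easy to get wrong because a local user has to pass two independent checks: vsftpd's own user_list test (governed by userlist_enable and userlist_deny and applied at the USER command, before the password prompt) and the PAM pam_listfile check against ftpusers (applied after the password). The shell function below is an added example, not code from the page or from vsftpd, that encodes exactly those rules and runs the page's experiments against constructed copies of the two list files. The function names login_allowed and list_has, the user alice and the temporary files are my own; the PAM_CHECK argument stands for whether the pam_listfile line in /etc/pam.d/vsftpd is still active.

```shell
#!/bin/sh
# Added example (not from the original page or from vsftpd): model the two
# deny lists that gate a local-user FTP login, using constructed list files.

# list_has FILE USER -> true if USER is a whole line of FILE.
# Both vsftpd (user_list) and pam_listfile (ftpusers) match whole lines, so a
# line commented out as "#root" no longer matches "root".
list_has() {
  grep -qxF -- "$2" "$1" 2>/dev/null
}

# login_allowed USER USERLIST_ENABLE USERLIST_DENY USER_LIST FTPUSERS PAM_CHECK
#   USERLIST_ENABLE, USERLIST_DENY: the vsftpd.conf directives (YES/NO;
#     vsftpd's own defaults are userlist_enable=NO and userlist_deny=YES)
#   USER_LIST, FTPUSERS: paths to the two list files
#   PAM_CHECK: YES while the pam_listfile line in /etc/pam.d/vsftpd is active
# Prints the verdict and returns 0 (login proceeds) or 1 (login refused).
login_allowed() {
  local user="$1" ul_enable="$2" ul_deny="$3" user_list="$4" ftpusers="$5" pam="$6"
  # Stage 1: user_list, tested by vsftpd itself at the USER command, before
  # any password is requested. Ignored entirely when userlist_enable=NO.
  if [ "$ul_enable" = "YES" ]; then
    if [ "$ul_deny" = "YES" ]; then
      if list_has "$user_list" "$user"; then
        echo "denied: $user is in user_list (blacklist)"; return 1
      fi
    elif ! list_has "$user_list" "$user"; then
      echo "denied: $user is not in user_list (whitelist)"; return 1
    fi
  fi
  # Stage 2: PAM. /etc/pam.d/vsftpd carries
  #   auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
  # which refuses any listed user after the password has been supplied.
  if [ "$pam" = "YES" ] && list_has "$ftpusers" "$user"; then
    echo "denied: $user is in ftpusers (PAM)"; return 1
  fi
  echo "allowed: $user"
}

# Constructed copies of the two lists (the real files also hold bin, daemon, ...).
UL=$(mktemp); FU=$(mktemp)
printf '# Users that are not allowed to login via ftp\nroot\nbin\n' > "$UL"
printf '# Users that are not allowed to login via ftp\nroot\nbin\n' > "$FU"

# The page's experiments, for root (in both lists) and alice (in neither).
for combo in "YES YES YES" "YES YES NO" "YES NO YES" "YES NO NO" "NO YES YES" "NO YES NO"; do
  set -- $combo
  echo "userlist_enable=$1 userlist_deny=$2 pam_listfile active=$3"
  login_allowed root  "$1" "$2" "$UL" "$FU" "$3" || true
  login_allowed alice "$1" "$2" "$UL" "$FU" "$3" || true
done
```

The output shows the asymmetry the text describes: with the blacklist (userlist_deny=YES) root never gets in no matter what PAM does, while with the whitelist or with userlist_enable=NO it is the ftpusers check alone that keeps root out.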
