After vsftpd is installed we can start configuring it, but a few preparatory steps come before vsftpd.conf itself.
3.1 User-related configuration
vsftpd virtual users do not exist in /etc/passwd; every virtual login is mapped onto one real system account (the guest_username). So we first create that system user and give it read, write and execute permission on the /www directory.
Create the user as follows:
sudo useradd -m -s /bin/bash virtual
grep virtual /etc/passwd
Note: the newly created user virtual cannot log in to the system, because useradd leaves the password field locked when no password is set. We do not need this account to log in interactively at all (vsftpd only uses it for file ownership and privileges), which keeps the exposure small. A non-login shell such as /usr/sbin/nologin instead of /bin/bash would lock it down further, since nothing in the virtual-user setup below depends on the account having a working shell.
After the user is created, create the directory and make it belong to that user:
sudo mkdir /www
sudo chown -R virtual:virtual /www/
With the system user in place, we now create the user name and password file, login.txt, that vsftpd virtual users will log in with:
sudo mkdir /etc/vsftpd/
sudo vim /etc/vsftpd/login.txt
ailanni
ailannipassword
login.txt is the credential file for vsftpd virtual users. Note the layout: db_load -T reads the file as alternating lines, the key (user name) on one line and the value (password) on the next, so each account occupies two lines. Putting "ailanni ailannipassword" on a single line does not produce a usable user/password pair and the login fails. Because this file holds clear-text passwords it should be readable by root only (mode 600).
After login.txt is written we convert it with db_load into the Berkeley DB file that pam_userdb reads. db_load comes with the db-util package, so install that first:
sudo apt-get -y install db-util
With db-util installed, build login.db from login.txt:
sudo db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db
This is a format conversion, not encryption: the passwords are stored in login.db in clear text, so login.db needs the same root-only permissions as login.txt. (pam_userdb can also be told with crypt=crypt to expect crypt(3) hashes in the database instead of plain passwords; the plain form is what this article uses.) Once login.db exists we configure PAM authentication for vsftpd.
3.2 PAM verification
Configure PAM verification for vsftpd. Here I do not use the /etc/pam.d/vsftpd file generated when vsftpd was installed.
Because after many tests I found that if I use this file for verification, verification fails. I don't know why, but I guess it is probably a bug in vsftpd.
Create a dedicated PAM service file that authenticates against login.db instead of the system account database:
sudo vim /etc/pam.d/vsftpd.virtual
auth required pam_userdb.so db=/etc/vsftpd/login
account required pam_userdb.so db=/etc/vsftpd/login
The module path in vsftpd.virtual can also be written out in full, depending on the OS version. On the 64-bit Ubuntu used here it can equally be:
auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
Here /etc/vsftpd/login refers to /etc/vsftpd/login.db: pam_userdb appends the .db suffix itself, so the db= value must be given without it.
3.3 vsftpd permission configuration
Now we come to vsftpd itself; almost all of its settings live in /etc/vsftpd.conf.
The configuration used for this deployment is as follows (comments and blank lines filtered out):
grep -vE "^#|^$" /etc/vsftpd.conf
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
user_config_dir=/etc/vsftpd/vu
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
A few points in this file deserve attention. First, vsftpd does not tolerate spaces around the = sign (a line such as "rsa_cert_file = /etc/..." makes it refuse to start with an unrecognised-variable error), and when a key appears more than once the last assignment wins, so pam_service_name should be set exactly once, to vsftpd.virtual.
local_enable=YES
write_enable=YES
local_umask=022
local_enable=YES is mandatory: vsftpd treats every non-anonymous login, virtual users included, as a local login, so without it virtual users cannot log in at all. write_enable=YES is what permits uploads and the other commands that change the file system; without it virtual users can still log in but only read. local_umask=022 is the mask applied to files and directories they create (files 644, directories 755).
Why is it like this? Because virtual users are built on top of system users: each one is mapped onto the guest_username account.
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
These items lock the user into local_root so it cannot change to a higher-level directory. chroot_local_user=YES chroots every local (and therefore every virtual) user, and chroot_list_enable=NO means there is no exception list. allow_writeable_chroot=YES is needed because /www, the chroot root, is writable by the user; otherwise vsftpd refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". That refusal exists for a reason, so the safer layout is a root-owned, non-writable local_root with a writable subdirectory for uploads, which lets allow_writeable_chroot stay at its default of NO.
ssl_enable=NO means user names, passwords and file contents cross the network in clear text. The certificate and key lines are already present, so on anything but an isolated network set ssl_enable=YES (vsftpd then forces TLS for local logins and data by default) and replace the snakeoil certificate with a real one.
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
These three items turn on virtual users, point vsftpd at the PAM service file created in 3.2, and name the directory of per-user configuration files.
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
These three items enable passive mode and pin the data ports to 30000-31000. The firewall must allow tcp/21 plus exactly this range; if the ranges differ, directory listings and transfers hang after PASV.
3.4 Virtual user related configuration
With vsftpd.conf done, we configure the individual virtual user's permissions. The file name inside user_config_dir must be the virtual user name, here ailanni:
sudo mkdir /etc/vsftpd/vu
sudo vim /etc/vsftpd/vu/ailanni
guest_username=virtual
local_root=/www/
virtual_use_local_privs=YES
anon_umask=133
In these parameters, guest_username=virtual maps the virtual user onto the system user virtual created in 3.1; files it uploads are owned by that account.
local_root=/www/ is the directory the user lands in after logging in (and, with chroot_local_user=YES, is confined to).
virtual_use_local_privs=YES gives the virtual user the same privileges as a local user instead of the far more restrictive anonymous privileges.
anon_umask is the umask for newly created files and directories. The resulting permission is not "777 minus the umask": new files start from 666 and directories from 777, and the umask bits are cleared from that. So 133 gives 644 for files (owner read and write, everyone else read only, nobody execute), but also 644 for directories, which cannot be entered; use 022 if the user needs to create directories. Note also that because virtual_use_local_privs=YES makes vsftpd treat the session as a local login, the umask that actually applies is local_umask (022 in vsftpd.conf above), not anon_umask; with 022 uploads come out as 644 as well, which is the intent here. Upload a test file and check ls -l in /www to confirm.
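The manual steps of 3.1 and 3.4 (credential file, db_load, per-user file, permissions) are easy to get inconsistent, so here they are as one script. This is an added example, not code from the original article or from vsftpd: the function names (vu_check_name, vu_to_dbload_text, vu_build_db, vu_write_config), the VSFTPD_DIR/SYSTEM_USER/FTP_ROOT overrides and the "user password, one pair per line" input layout are my own choices. It emits the alternating key/value lines that db_load -T needs, rejects names that would be unsafe as a file name under user_config_dir, keeps login.txt and login.db root-only, and writes local_umask rather than anon_umask in the per-user file because virtual_use_local_privs=YES makes the local umask the one that applies.

```shell
#!/bin/sh
# Added example, not code from the original article: one script for the
# manual steps of sections 3.1 and 3.4. Defaults are the article's paths;
# VSFTPD_DIR, SYSTEM_USER and FTP_ROOT can be overridden (e.g. for testing).
set -eu

VSFTPD_DIR="${VSFTPD_DIR:-/etc/vsftpd}"
SYSTEM_USER="${SYSTEM_USER:-virtual}"   # guest_username in the article
FTP_ROOT="${FTP_ROOT:-/www/}"            # local_root in the article

# Only allow names that are safe both as a pam_userdb key and as a file
# name inside $VSFTPD_DIR/vu (no '/', spaces, leading dots or metacharacters).
vu_check_name() {  # usage: vu_check_name USER
  case "$1" in
    ''|.*|*[!a-zA-Z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Read "user password" lines and print them as alternating key/value lines,
# the only layout db_load -T accepts (a pair on one line would become a key
# with no value). Rejects bad names and empty passwords.
vu_to_dbload_text() {  # usage: vu_to_dbload_text CREDFILE
  while read -r user pass; do
    [ -n "$user" ] || continue
    vu_check_name "$user" || { echo "bad user name: $user" >&2; return 1; }
    [ -n "$pass" ] || { echo "empty password for $user" >&2; return 1; }
    printf '%s\n%s\n' "$user" "$pass"
  done < "$1"
}

# Rebuild the Berkeley DB file. db_load stores the passwords in clear text,
# so both the list and the .db are made root-only (mode 600).
vu_build_db() {  # usage: vu_build_db CREDFILE DBFILE
  if ! command -v db_load >/dev/null 2>&1; then
    echo "db_load not found (apt-get install db-util); not building $2" >&2
    return 0
  fi
  tmp=$(mktemp)
  vu_to_dbload_text "$1" > "$tmp"
  rm -f "$2"                       # db_load would merge into an existing file
  db_load -T -t hash -f "$tmp" "$2"
  rm -f "$tmp"
  chmod 600 "$1" "$2"
}

# Per-user file read through user_config_dir, same keys as the article's
# /etc/vsftpd/vu/ailanni. local_umask is used instead of anon_umask because
# virtual_use_local_privs=YES makes vsftpd apply the local-user umask.
vu_write_config() {  # usage: vu_write_config USER
  vu_check_name "$1" || { echo "bad user name: $1" >&2; return 1; }
  mkdir -p "$VSFTPD_DIR/vu"
  cat > "$VSFTPD_DIR/vu/$1" <<EOF
guest_username=$SYSTEM_USER
local_root=$FTP_ROOT
virtual_use_local_privs=YES
local_umask=022
EOF
  chmod 600 "$VSFTPD_DIR/vu/$1"
}

# usage: sudo ./vsftpd-vuser.sh /etc/vsftpd/login.txt ailanni [more users...]
if [ $# -ge 2 ]; then
  cred="$1"; shift
  for u in "$@"; do vu_write_config "$u"; done
  vu_build_db "$cred" "$VSFTPD_DIR/login.db"
fi
```

After running it, restart vsftpd and log in as ailanni; an upload should appear in /www owned by the system user virtual with mode 644.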
sudo systemctl enable vsftpd --- set autostart (chkconfig is a Red Hat tool and does not exist on Ubuntu; on pre-systemd Ubuntu releases the package's upstart job already starts vsftpd at boot)
sudo service vsftpd restart --- restart vsftpd so the changes take effect
The iptables configuration is as follows. The rules must allow tcp/21 and the passive range tcp/30000-31000 from section 3.3. Save the current rules to a file, reload them from that file and list the result:
sudo iptables-save >/home/ilanni/iptables.rule
sudo iptables-restore < /home/ilanni/iptables.rule
sudo iptables -nL
To make the rules survive a reboot, hook them into the interface configuration:
sudo vim /etc/network/interfaces
pre-up iptables-restore < /home/ilanni/iptables.rule
post-down iptables-save > /home/ilanni/iptables.rule
Note the direction of the second redirection: iptables-save writes to standard output, so post-down must redirect with >; with < it would read the file and never update it.
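The rule file itself is not shown above, so here is an added example (not from the original article) that generates a minimal iptables-restore fragment for this server and checks a saved ruleset against vsftpd.conf, catching the usual failure where the passive range opened in the firewall does not match pasv_min_port/pasv_max_port. The function names conf_get, ftp_rules and pasv_range_check, the inclusion of tcp/22 for SSH and the sample files in the usage are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: iptables rules for vsftpd
# with a fixed passive range, plus a consistency check against vsftpd.conf.
set -eu

# Effective value of KEY in a vsftpd.conf (last assignment wins, as in vsftpd).
conf_get() {  # usage: conf_get KEY FILE
  awk -F= -v k="$1" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$2"
}

# Emit an iptables-restore fragment for the filter table: loopback, replies
# to established connections, SSH, the FTP control port and the passive
# data range; everything else inbound is dropped.
ftp_rules() {  # usage: ftp_rules PASV_MIN PASV_MAX
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport $1:$2 -j ACCEPT
COMMIT
EOF
}

# Compare a saved ruleset (iptables-save format, e.g. iptables.rule above)
# with vsftpd.conf: the control port and exactly the configured passive
# range must be accepted. Prints the problem and returns 1 on mismatch.
pasv_range_check() {  # usage: pasv_range_check VSFTPD_CONF RULEFILE
  min=$(conf_get pasv_min_port "$1"); max=$(conf_get pasv_max_port "$1")
  [ -n "$min" ] && [ -n "$max" ] \
    || { echo "no pasv_min_port/pasv_max_port in $1: cannot scope the firewall"; return 1; }
  grep -qE -e "--dport 21( |$)" "$2" \
    || { echo "tcp/21 is not accepted in $2"; return 1; }
  grep -qE -e "--dport ${min}:${max}( |$)" "$2" \
    || { echo "passive range $min:$max is not accepted in $2 (PASV transfers will hang)"; return 1; }
  echo "ok: tcp/21 and tcp/$min:$max accepted"
}

# usage: ./ftp-fw.sh /etc/vsftpd.conf /home/ilanni/iptables.rule
if [ $# -eq 2 ]; then pasv_range_check "$@"; fi
```

To produce the rule file used in the interfaces hooks: ftp_rules 30000 31000 > /home/ilanni/iptables.rule, then iptables-restore < that file and run the check against /etc/vsftpd.conf; re-run the check whenever the passive range in vsftpd.conf changes.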