FTP service principle and basic configuration

FTP is a file transfer protocol whose data connection works in one of two modes, active or passive. The basic principle of active mode:

Active: The client sends a connection request to the server's FTP port (default 21); the server accepts it and the command link is established. When data needs to be transferred, the client sends the PORT command over the command link to tell the server: "I have opened port XXXX, connect to me." The server then sends a connection request from its port 20 to port XXXX on the client, establishing the data link over which the data is transmitted.

The basic principle of passive mode:

Passive: The client sends a connection request to the server's FTP port (default 21); the server accepts it and the command link is established. When data needs to be transferred, the PASV command is exchanged over the command link and the server tells the client: "I have opened port XXXX, connect to me." The client then sends a connection request to port XXXX on the server, establishing the data link over which the data is transmitted.


Building the ftp service
1. Install the service and open the firewall

With a yum repository already configured, run:
yum install vsftpd -y
setenforce 0    # puts SELinux into permissive mode until the next reboot
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload
systemctl start vsftpd

2. Configure the ftp service (directives go in /etc/vsftpd/vsftpd.conf)

1. Change the home directory that anonymous users log in to
anon_root=/ftpdirhaha   # create this directory for anonymous logins, then restart the service


2. Whether anonymous users and local users can log in
anonymous_enable=YES | NO
YES lets anonymous users log in; NO refuses them
local_enable=YES | NO
YES lets local users log in; NO refuses them
If the login fails, the client shows a login error.


3. Uploading files
Uploads by local users first require write_enable=YES (enables writing for local users).
anon_upload_enable=YES additionally allows the anonymous user to upload files.
Because uploads in this setup go to the /var/ftp/pub directory, that directory needs suitable permissions.
The anonymous user runs as the ftp user, so give the directory to group ftp and make it group-writable:
chgrp ftp /var/ftp/pub
chmod 775 /var/ftp/pub


4. Downloads by anonymous users
anon_world_readable_only=YES|NO (setting the parameter to NO allows anonymous users to download)


5. Rate-limiting anonymous user downloads
anon_max_rate=102400   # limits the transfer rate to about 100 KB/s
The experiment uploads files to the ftp server, so anon_upload_enable=YES must be turned on. Without the limit the transfer runs at full speed; once the limit is applied it is held to about 100 KB/s.


6. Permissions of files uploaded by local users and anonymous users
local_umask=022   # the larger the umask, the more restrictive the resulting permissions
anon_umask=077
Files uploaded by local users get mode 644; files uploaded by anonymous users get mode 600.


7. Lock local users into their home directories
chroot_local_user=YES
chmod u-w /home/*   # without this, login fails with an error because the chroot directory is writable


8. Setting up virtual users:
(1) Create a file in /etc/vsftpd/ holding the virtual user names and passwords (alternating lines: a user name, then its password)
(2) Convert this file into a database
db_load -T -t hash -f userdb userdb.db
-T reads the input as plain text
-t hash selects the hash database type
-f names the input file, here userdb
(3) Modify the configuration file
vim /etc/vsftpd/vsftpd.conf
pam_service_name=ftpuser
This names the PAM service used for authentication. By default it is vsftpd; changing it makes the service use the newly written ftpuser PAM file.
guest_enable=YES   # log in with the identity of a guest
guest_username=ftp   # required when guest_enable is set; the guest runs as the ftp user
local_root=/vftphome/$USER
user_sub_token=$USER
(4) Write the custom authentication module
[root@localhost user3]# cat /etc/pam.d/ftpuser
account required pam_userdb.so db=/etc/vsftpd/userdb
auth required pam_userdb.so db=/etc/vsftpd/userdb
(5) Test the login
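As an added example that is not part of the original tutorial, the script below reads a vsftpd.conf and flags the risky combinations of the directives covered in steps 2 to 7 (anonymous upload, anon_world_readable_only=NO, missing anon_max_rate, local users without chroot, permissive umasks); the fallback defaults are those documented in vsftpd.conf(5), and the sample configuration is constructed here.

```python
"""Audit a vsftpd.conf for the directives walked through above (constructed example)."""
DEFAULTS = {  # vsftpd's documented defaults when a directive is absent (vsftpd.conf(5))
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_world_readable_only": "YES",
    "chroot_local_user": "NO", "anon_umask": "077", "local_umask": "077",
}

def parse_vsftpd_conf(text):
    """Parse 'key=value' lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(conf):
    """Return (severity, message) findings for the risky combinations discussed above."""
    get = lambda k: conf.get(k, DEFAULTS.get(k, ""))
    on = lambda k: get(k).upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        # anon_upload_enable only takes effect when write_enable is also YES
        if on("write_enable") and on("anon_upload_enable"):
            findings.append(("HIGH", "anonymous users can upload to the server"))
        if not on("anon_world_readable_only"):
            findings.append(("MEDIUM", "anon_world_readable_only=NO exposes files that are not world-readable"))
        if "anon_max_rate" not in conf:
            findings.append(("LOW", "no anon_max_rate: anonymous transfers are unthrottled"))
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("MEDIUM", "local users are not locked into their home directories"))
    for key in ("anon_umask", "local_umask"):
        # a umask that does not clear the group/world write bits yields shared-writable uploads
        if int(get(key), 8) & 0o022 != 0o022:
            findings.append(("MEDIUM", f"{key}={get(key)} leaves new files group/world-writable"))
    return findings

# Constructed config mirroring the settings used in steps 2-7 (not a file from the page).
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO
anon_max_rate=102400
chroot_local_user=YES
"""
REPORT = audit_vsftpd(parse_vsftpd_conf(SAMPLE_CONF))  # HIGH (anonymous upload) and MEDIUM (readability)
```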
