One. Introduction
FTP has two data connection modes, which differ as follows.

(1) PORT (active) mode. It is called active because the FTP server "actively" connects to the client's data port to transfer data. The process is: the client connects from an arbitrary unprivileged port N (N > 1024) to the FTP server's command port (tcp port 21); the client then starts listening on port N+1 and sends the FTP command "PORT N+1" to the server; the server then "actively" connects from its own data port (20) to the data port the client specified (N+1), which establishes the data transfer channel between the client and the FTP server.

(2) PASV (passive) mode. It is called passive because the FTP server "passively" waits for the client to connect to its data port. The process is: when opening an FTP connection, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21, but unlike active mode the client does not send a PORT command asking the server to connect back to its data port; it sends a PASV command instead. The server then opens a random unprivileged port (P > 1024) and sends port P to the client ("PORT P"). The client then connects from its local port N+1 to port P on the server to transfer data. (Note that in this mode the FTP server does not need to open tcp port 20.)

Comparison of the two modes:

(1) PORT (active) mode only needs ports 21 and 20 open on the server, while PASV (passive) mode needs port 21 and all tcp ports above 1024 open on the server.

(2) From a network security point of view, FTP PORT mode therefore looks more secure and FTP PASV mode less secure, so why did the RFC add PASV mode on top of PORT mode?
In fact, the main reason the RFC introduced PASV mode was the security of the data transfer: because FTP PORT mode uses the fixed port 20 for data transfer, an attacker can capture the FTP data with a sniffer, so data sent in PORT mode is easily intercepted. Setting the FTP server up to use PASV mode is therefore the safer option.
So: if you only need simple file sharing, you can disable PASV mode, which removes the risk of a large number of open ports and also makes firewall configuration easier. Unfortunately, browsers and FTP tools connect to FTP servers in PASV mode by default, so vsftpd must be able to support PASV data access even with the firewall turned on.
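The PORT and PASV exchanges described above, carried through in Python as an added example (not code from the original post): it encodes the client's PORT command, decodes the server's 227 reply to PASV (the standard RFC 959 shape), and checks the advertised data port against the public address and 12000-15000 passive range used later in this setup. The function names are this example's own.

```python
import re

# Standard shape of the server's reply to PASV (RFC 959): 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def port_command(client_ip, data_port):
    """Active mode: the client listens on data_port (N+1) and tells the server
    where to connect back from port 20. The port travels as two bytes, high then low."""
    if not 1024 < data_port <= 65535:
        raise ValueError("data port must be an unprivileged port above 1024")
    return "PORT %s,%d,%d" % (client_ip.replace(".", ","), data_port // 256, data_port % 256)

def parse_pasv_reply(reply):
    """Passive mode: decode the 227 reply into (ip, port), with port = p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def check_pasv_reply(reply, control_ip, pasv_min, pasv_max):
    """Client-side check of where the data connection is being sent: it should go to
    the same address as the control connection (the server's pasv_address) and to a
    port inside the range the firewall forwards; anything else points at a wrong
    pasv_address/port range on the server or at a redirected data channel."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ip != control_ip:
        problems.append("data address %s differs from control address %s" % (ip, control_ip))
    if not pasv_min <= port <= pasv_max:
        problems.append("port %d is outside pasv range %d-%d" % (port, pasv_min, pasv_max))
    return ip, port, problems

if __name__ == "__main__":
    # Constructed sample exchange against the public address used in this setup.
    print(port_command("192.168.7.200", 40001))
    print(check_pasv_reply("227 Entering Passive Mode (59,151,37,141,50,200).",
                           "59.151.37.141", 12000, 15000))
```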
Two. Installation and startup commands:
yum -y install vsftpd            # install
/etc/init.d/vsftpd start         # CentOS 6.5: start
systemctl start vsftpd           # CentOS 7: start
service vsftpd restart           # CentOS 6.5: restart
systemctl restart vsftpd         # CentOS 7: restart
service vsftpd stop              # CentOS 6.5: stop
systemctl stop vsftpd            # CentOS 7: stop
chkconfig vsftpd on              # CentOS 6.5: start automatically at boot
systemctl enable vsftpd.service  # CentOS 7: start automatically at boot
Three. vsftpd server configuration:
Configuration file overview:
/etc/vsftpd/vsftpd.conf             # vsftpd core configuration file
/etc/vsftpd/ftpusers                # users who are not allowed to access the FTP server
/etc/vsftpd/user_list               # list of users allowed to use vsftpd
/etc/vsftpd/vsftpd_conf_migrate.sh  # script holding variables and settings used by vsftpd operations
/var/ftp/                           # default root directory for anonymous users
1. Configure vsftpd.conf
# Whether to allow anonymous logins to the FTP server; the default is YES (allowed).
# Anonymous users log in with the user name ftp or anonymous and give their e-mail address as the password.
# Anonymous access is not allowed here, so it is set to NO.
anonymous_enable=NO
# Whether local users (i.e. Linux system accounts) may log in to the FTP server; the default is YES.
# A local user lands in their home directory after login; an anonymous user lands in the anonymous download directory /var/ftp/pub.
# If only anonymous users should be allowed, comment this line out with # to keep local users off the FTP server.
local_enable=YES
# Whether local users may write files to the FTP server; the default is YES.
write_enable=YES
# Default umask for local users; vsftpd's own default is 077.
# 022 is used here; it can be set to another value to taste.
local_umask=022
# Whether to show a directory welcome message.
# When a user first enters a directory on the server in command-line mode, the FTP server shows the message.
# By default the message is read from the .message file in that directory, which holds the custom text set up by the user.
dirmessage_enable=YES
# Record uploads and downloads on the FTP server.
xferlog_enable=YES
# With xferlog_enable, uploads and downloads are written in standard xferlog format to the file named by xferlog_file.
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
# Enable dual logging: besides xferlog, transfers are also recorded in the file named by
# vsftpd_log_file, i.e. /var/log/vsftpd.log.
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
# Whether the FTP server uses port 20 (ftp-data) as the source of data connections; the control connection uses port 21.
connect_from_port_20=NO
# Turn on passive mode.
pasv_enable=YES
# Lowest port for passive mode.
pasv_min_port=12000
# Highest port for passive mode.
pasv_max_port=15000
# Disables vsftpd's check that the passive data connection comes from the same IP address as the control connection.
pasv_promiscuous=YES
# Allows pasv_address to be given as a hostname instead of an IP address.
pasv_addr_resolve=YES
# Address returned to clients in PASV replies (the public address).
pasv_address=59.151.37.141
# Whether to change the owner of uploaded files.
chown_uploads=NO
# If set to YES, vsftpd runs in standalone mode and listens for connection requests itself.
listen=YES
# Map all non-anonymous logins to the local account named by guest_username (that account must exist on the system).
guest_enable=YES
guest_username=ftproot
# Directory of per-user configuration files, one file per login name.
user_config_dir=/etc/vsftpd/vuser_conf
# PAM service name, i.e. the file /etc/pam.d/vsftpd.
pam_service_name=vsftpd
# Consult the user_list file.
userlist_enable=YES
# Honor /etc/hosts.allow and /etc/hosts.deny.
tcp_wrappers=YES
# Allow ASCII-mode uploads and downloads.
ascii_upload_enable=YES
ascii_download_enable=YES
2. First create the virtual user list file:
touch /etc/vsftpd/account.txt
# Edit the virtual user account list file: the first line is a user name, the second line its password, and so on.
# Note: do not use the user name root, which the system reserves.
vi /etc/vsftpd/account.txt
test01
Test02
user01
user02
3. Create the virtual user database file:
db_load -T -t hash -f /etc/vsftpd/account.txt /etc/vsftpd/account.db
chmod 600 /etc/vsftpd/account.db
# Next, set up the PAM authentication file so that it reads the virtual user database file.
4. Add the following lines at the top of the file /etc/pam.d/vsftpd (adding them at the end does not work):
[root@pt-158 vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
#session    optional     pam_keyinit.so    force revoke
#auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth       required     pam_shells.so
#auth       include      password-auth
#account    include      password-auth
#session    required     pam_loginuid.so
#session    include      password-auth
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/account
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/account
5. Create a system user vsftpd with home directory /data1/ftphome/ftproot and login shell /bin/false (so that it cannot log in to the system):
useradd vsftpd -d /data1/ftphome/ftproot -s /bin/false
chown vsftpd:vsftpd /data1/ftphome/ftproot -R
6. Create the per-user vsftpd configuration files for the virtual users:
mkdir /etc/vsftpd/vuser_conf
[root@pt-158 vuser_conf]# cat test01
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
local_root=/data1/ftphome/ftproot
[root@pt-158 vuser_conf]# cat user01
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
local_root=/data1/ftphome/ftproot
7. Configure the firewall:
Add the following rules to the firewall of the physical host 59.151.37.141, and turn off the firewall on the virtual machine 192.168.7.158:
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.7.158:21
-A PREROUTING -p tcp --dport 12000:15000 -j DNAT --to 192.168.7.158:12000-15000
8. Finally, restart the vsftpd server:
systemctl restart vsftpd
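An added example (not part of the original post) that cross-checks the pieces of this procedure before the restart: the passive port range in vsftpd.conf against the DNAT rule from step 7, the user name/password pairs in account.txt from step 2 against the per-user files from step 6, and guest_username against the system account from step 5. The inputs are constructed inline from the values above, and the function names are this example's own.

```python
import re
# Constructed inputs mirroring the files from the steps above (not read from disk).
VSFTPD_CONF = "pasv_enable=YES\npasv_min_port=12000\npasv_max_port=15000\nguest_enable=YES\nguest_username=ftproot\nuser_config_dir=/etc/vsftpd/vuser_conf\n"
ACCOUNT_TXT = "test01\nTest02\nuser01\nuser02\n"      # user name line, then password line
DNAT_RULE = "-A PREROUTING -p tcp --dport 12000:15000 -j DNAT --to 192.168.7.158:12000-15000"
PER_USER_FILES = {"test01", "user01"}                 # files present in user_config_dir
SYSTEM_USERS = {"vsftpd"}                             # local account created in step 5

def parse_conf(text):
    """key=value lines of vsftpd.conf; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def parse_accounts(text):
    """account.txt alternates user name / password lines; returns the user names."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("every user name line needs a password line after it")
    return lines[0::2]

def dnat_port_range(rule):
    """Port range forwarded by an iptables DNAT rule, or None if it has no --dport range."""
    m = re.search(r"--dport (\d+):(\d+)", rule)
    return (int(m.group(1)), int(m.group(2))) if m else None

def lint(conf, users, per_user_files, system_users, dnat_rule):
    """Return the inconsistencies found; an empty list means the pieces agree."""
    issues = []
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    fwd = dnat_port_range(dnat_rule)
    if conf.get("pasv_enable") == "YES" and (fwd is None or fwd[0] > lo or fwd[1] < hi):
        issues.append("pasv range %d-%d is not covered by the DNAT rule" % (lo, hi))
    if "root" in users:
        issues.append("root must not be used as a virtual user name")
    for user in users:
        if user not in per_user_files:
            issues.append("no per-user config for %s in %s" % (user, conf.get("user_config_dir")))
    guest = conf.get("guest_username")
    if conf.get("guest_enable") == "YES" and guest not in system_users:
        issues.append("guest_username %s is not an existing system account" % guest)
    return issues

def lint_sample():
    return lint(parse_conf(VSFTPD_CONF), parse_accounts(ACCOUNT_TXT), PER_USER_FILES, SYSTEM_USERS, DNAT_RULE)
```

Run over the values from this page, the check reports one mismatch: vsftpd.conf sets guest_username=ftproot while step 5 creates the account vsftpd, so the two need to be brought into line for virtual user logins to be mapped to an existing account.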