FTP service access control
1. FTP service user access control (object access control)
- ftpusers: blacklist
- user_list: blacklist by default (can be switched to a whitelist)
Requirement 1: do not allow user stu1 to access the ftp service
echo stu1 >> /etc/vsftpd/ftpusers
Requirement 2: only allow user stu2 to access the ftp service
1) Modify the configuration file so that user_list becomes a whitelist (this only takes effect when userlist_enable=YES is also set; the RHEL/CentOS package config sets it, a bare upstream build does not)
userlist_deny=NO
2) Add user stu2 to user_list
echo stu2 >> /etc/vsftpd/user_list
To sum up:
- A user listed in ftpusers cannot access the ftp server. On RHEL/CentOS this file is enforced by pam_listfile in /etc/pam.d/vsftpd, so the refusal only happens after the password has been sent.
- For user_list: with userlist_deny=NO (whitelist) only the users in the file can access the server; with userlist_deny=YES (the default) the users in the file are refused. Either way vsftpd checks the list itself, before the password prompt.
- If user_list is a whitelist and a user appears both in ftpusers and in user_list, the ftpusers refusal takes priority: the user is still denied.
Review: user name and password? Blacklist? Whitelist?
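The ordering in the summary is easy to get wrong, so here is a small model of it as an added example (not part of the original notes, and not vsftpd code). It assumes the RHEL/CentOS layout: user_list is evaluated by vsftpd itself before the password prompt when userlist_enable=YES, and ftpusers is enforced by pam_listfile (sense=deny) in /etc/pam.d/vsftpd, which runs only after a password has been sent. The sample files are constructed to reproduce requirement 2 with stu1 also present in ftpusers.

```shell
#!/bin/sh
# Added example, not from the original notes: a model of the order in which
# vsftpd and PAM apply user_list and ftpusers, so the precedence rules
# summarised above can be exercised offline against sample files.
# Assumptions (RHEL/CentOS layout): user_list is evaluated by vsftpd itself,
# before the password prompt, only when userlist_enable=YES; ftpusers is
# enforced by "pam_listfile.so ... sense=deny" in /etc/pam.d/vsftpd, which
# runs only after the client has sent a password. Lines starting with '#'
# are comments in both files.

# user_in_file USER FILE: exact whole-line match, ignoring comment lines
user_in_file() {
    [ -f "$2" ] && grep -v '^#' "$2" | grep -qxF -- "$1"
}

# vsftpd_user_decision USER FTPUSERS USER_LIST USERLIST_ENABLE USERLIST_DENY
# prints one of:
#   deny-pre-auth   rejected by user_list before the password prompt
#   deny-post-auth  password prompt is shown, then PAM rejects via ftpusers
#   allow           no list blocks the login; the password is checked normally
vsftpd_user_decision() {
    local user=$1 ftpusers=$2 user_list=$3 ul_enable=$4 ul_deny=$5 listed=no
    if [ "$ul_enable" = YES ]; then
        if user_in_file "$user" "$user_list"; then listed=yes; fi
        if [ "$ul_deny" = YES ] && [ "$listed" = yes ]; then   # blacklist hit
            echo deny-pre-auth; return 0
        fi
        if [ "$ul_deny" = NO ] && [ "$listed" = no ]; then     # not on the whitelist
            echo deny-pre-auth; return 0
        fi
    fi
    if user_in_file "$user" "$ftpusers"; then                   # ftpusers always wins
        echo deny-post-auth; return 0
    fi
    echo allow
}

# Constructed sample files: requirement 2 (whitelist) with stu1 also in ftpusers
demo() {
    local d u; d=$(mktemp -d)
    printf 'root\nstu1\n' > "$d/ftpusers"
    printf 'stu1\nstu2\n' > "$d/user_list"
    for u in stu1 stu2 stu3; do
        printf '%-5s userlist_enable=YES userlist_deny=NO -> %s\n' "$u" \
            "$(vsftpd_user_decision "$u" "$d/ftpusers" "$d/user_list" YES NO)"
    done
    rm -rf "$d"
}
demo
```

The distinction between deny-pre-auth and deny-post-auth matters for username enumeration: a whitelist refusal is visible before any password is typed, while an ftpusers refusal looks like a wrong password to the client.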
2. FTP service network access control
vsftpd supports tcp_wrappers (the binary must be linked against libwrap, and tcp_wrappers=YES must be set in vsftpd.conf; the RHEL/CentOS package config sets it)
/etc/hosts.allow (takes priority)
/etc/hosts.deny
/etc/hosts.deny examples:
vsftpd:ALL                                              deny everyone
vsftpd:ALL EXCEPT 192.168.0.2                           deny everyone except 192.168.0.2
vsftpd:192.168.0.254                                    deny a single IP address; equivalent to adding vsftpd:192.168.0.254:deny to hosts.allow
vsftpd:192.168.0.0/255.255.255.0                        deny a subnet
vsftpd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254   deny a subnet except one IP address
Note: the subnet mask must be written in dotted form here; the 192.168.0.0/24 form is not supported.
How to determine whether a service supports tcp_wrappers?
1) Source build: ./configure --enable-libwrap adds tcp_wrappers access control (this is the OpenSSH configure switch; vsftpd has no configure script and enables libwrap through VSF_BUILD_TCPWRAPPERS in builddefs.h). Confirm by running ldd on the installed binary, e.g. under /usr/local/bin.
2) RPM installation: check whether the binary is linked against libwrap
[root@server vsftpd]# ldd /usr/sbin/vsftpd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc222de000)
[root@server vsftpd]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fba5dd90000)
Requirement: deny all access from the 10.1.1.0/24 and 192.168.91.0/24 networks, except from the server 10.1.1.3
vim /etc/hosts.deny
vsftpd:10.1.1.0/255.255.255.0,192.168.91.0/255.255.255.0 EXCEPT 10.1.1.3
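Before putting a rule like this into /etc/hosts.deny it is worth checking which addresses it actually catches. On the host itself the tcp_wrappers package provides tcpdmatch (for example tcpdmatch vsftpd 10.1.1.20), which prints the matching file and line and the resulting verdict. The script below is an added example (not from the original notes or from the tcp_wrappers project) that models the same precedence offline: it evaluates the hosts.allow/hosts.deny subset used on this page (ALL, single IPv4 addresses, net/mask with a dotted mask, EXCEPT, and a trailing :allow/:deny option) against sample client addresses. It requires ALL in upper case, whereas real tcpd matches it case-insensitively.

```shell
#!/bin/sh
# Added example, not from the original notes or from the tcp_wrappers
# project: an offline evaluator for the hosts.allow / hosts.deny subset
# used above, so a rule can be checked against sample client addresses
# before it goes into /etc. It handles only
#     daemon_list : client_list [EXCEPT client_list] [: allow|deny]
# with client patterns ALL (upper case), one IPv4 address, or net/mask with
# a dotted mask (192.168.0.0/255.255.255.0). Precedence follows
# hosts_access(5): the first match in hosts.allow decides, then the first
# match in hosts.deny, otherwise access is granted. On a real host use
# tcpdmatch(8); this models the precedence, it does not replace it.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

ip2int() {                 # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

pat_match() {              # does client IP $1 match one client pattern $2?
    case $2 in
        ALL) return 0 ;;
        */*) [ $(( $(ip2int "$1") & $(ip2int "${2#*/}") )) -eq \
               $(( $(ip2int "${2%/*}") & $(ip2int "${2#*/}") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

any_match() {              # does IP $1 match any pattern in comma list $2?
    local ip=$1 p
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        pat_match "$ip" "$p" && return 0
    done
    return 1
}

list_match() {             # does IP $1 match "a,b EXCEPT c,d"? (one EXCEPT level)
    local ip=$1 inc exc
    case $2 in
        *" EXCEPT "*) inc=${2%%" EXCEPT "*}; exc=${2#*" EXCEPT "} ;;
        *)            inc=$2; exc= ;;
    esac
    any_match "$ip" "$inc" || return 1
    [ -z "$exc" ] || ! any_match "$ip" "$exc"
}

daemon_match() {           # is daemon $1 in daemon_list $2 (or ALL)?
    local d
    for d in $(printf '%s' "$2" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$1" ]; then return 0; fi
    done
    return 1
}

# file_verdict FILE DAEMON IP DEFAULT: prints DEFAULT (or the line's own
# ":allow"/":deny" option) for the first matching line, nothing otherwise.
file_verdict() {
    local file=$1 daemon=$2 ip=$3 def=$4 line rest dl cl opt
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        case $line in *:*) ;; *) continue ;; esac
        dl=$(trim "${line%%:*}"); rest=${line#*:}
        case $rest in
            *:*) cl=$(trim "${rest%%:*}"); opt=$(trim "${rest#*:}") ;;
            *)   cl=$(trim "$rest"); opt= ;;
        esac
        if daemon_match "$daemon" "$dl" && list_match "$ip" "$cl"; then
            case $opt in allow|deny) echo "$opt" ;; *) echo "$def" ;; esac
            return 0
        fi
    done < "$file"
    return 0
}

hosts_access() {           # hosts_access DAEMON IP ALLOW_FILE DENY_FILE -> allow|deny
    local v
    v=$(file_verdict "$3" "$1" "$2" allow)
    [ -n "$v" ] || v=$(file_verdict "$4" "$1" "$2" deny)
    echo "${v:-allow}"
}

# Constructed sample: the requirement from the notes above
demo() {
    local d ip; d=$(mktemp -d)
    : > "$d/hosts.allow"
    echo 'vsftpd:10.1.1.0/255.255.255.0,192.168.91.0/255.255.255.0 EXCEPT 10.1.1.3' > "$d/hosts.deny"
    for ip in 10.1.1.3 10.1.1.20 192.168.91.7 172.16.0.5; do
        printf '%-14s %s\n' "$ip" "$(hosts_access vsftpd "$ip" "$d/hosts.allow" "$d/hosts.deny")"
    done
    rm -rf "$d"
}
demo
```

Two points the model makes visible: a daemon that is not named in either file (sshd here) is never affected by the vsftpd rule, and the default when nothing matches is allow, so a hosts.deny file that is missing or has a typo in the daemon name silently opens the service.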
Besides tcp_wrappers, network access control can also be applied by handing the service over to xinetd.
vim /etc/vsftpd/vsftpd.conf
listen=YES    // listen in standalone mode; if the service is handed over to xinetd this must be changed to NO
How is the service handed over to xinetd?
3. Set up virtual-user authentication for the FTP service (verification on the local machine was not successful)
Create the virtual user account database
The vsftpd service stores virtual user accounts in Berkeley DB file format; the database file is produced with the db_load tool. (If it is missing, install the db4-utils package from installation CD 1.)
[root@server vsftpd]# vim ./vusers.list    // create a virtual-user name/password list; user names and passwords alternate line by line
zhangsan
123
lisi
123
wangwu
456
[root@server vsftpd]# db_load -T -t hash -f vusers.list vusers.db
[root@server vsftpd]# ls
banner_file  ftpusers  vsftpd.conf  vusers.db  chroot_list  user_list  vsftpd_conf_migrate.sh  vusers.list
[root@server vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 9, native byte-order)
Notes on the db_load options:
-T  allow programs other than Berkeley DB to use the database (reads plain-text key/value lines)
-t  specify the access method (hash)
-f  specify the source file
The generated database file must use the ".db" extension. Both files hold the passwords in clear text, so they must be readable by root only.
[root@server vsftpd]# chmod 600 vusers.*    // restrict the permissions of the files holding user names and passwords
[root@server vsftpd]# ll vusers.*
-rw------- 1 root root 12288 Apr 22 20:37 vusers.db
-rw------- 1 root root    33 Apr 22 20:37 vusers.list
Add the virtual mapping account and set the permissions of the FTP root directory
[root@server vsftpd]# useradd -d /var/ftproot/ -s /sbin/nologin virtual
[root@server vsftpd]# ll -d /var/ftproot/
drwx------ 4 virtual virtual 4096 Apr 22 20:47 /var/ftproot/
[root@server vsftpd]# chmod 755 /var/ftproot/
[root@server vsftpd]# ll -d /var/ftproot/
drwxr-xr-x 4 virtual virtual 4096 Apr 22 20:47 /var/ftproot/
Note: the vsftpd 2.2.2 used here accepts a chroot root that its owner can write to. vsftpd 2.3.5 and later refuse to start a session in such a directory ("refusing to run with writable root inside chroot()"); on those versions the root must be made non-writable for the mapped user, or allow_writeable_chroot=YES must be set.
Add PAM authentication
[root@server vsftpd]# vim /etc/pam.d/vsftpd.vu    // create the PAM file for the virtual users by hand; db= is given without the .db suffix
auth    required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
Modify the configuration file and restart the service (vsftpd must also be pointed at the PAM file created above with pam_service_name=vsftpd.vu; otherwise the default vsftpd service is used and the virtual users can never log in)
anon_umask=022
guest_enable=YES
guest_username=virtual
Client test
omitted
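The procedure above as one script, added here as an example (it is not part of the original notes). It is written against a PREFIX so it can be rehearsed in a scratch directory and checked before being applied to the live system with PREFIX=/. Assumptions beyond the notes: the mapping account "virtual" with home /var/ftproot already exists (created with useradd as shown above); vsftpd is pointed at the new PAM file with pam_service_name=vsftpd.vu; db_load comes from db4-utils (libdb-utils or db-util on newer distributions) and the database step is skipped with a warning when it is not installed. The account list is constructed from the names used above.

```shell
#!/bin/sh
# Added example, not from the original notes: the virtual-user procedure
# above as one script, written against a PREFIX so it can be rehearsed in a
# scratch directory first (PREFIX=/ applies it to the live system, as root).
# Assumptions beyond the notes: the mapping account "virtual" with home
# /var/ftproot already exists (useradd as shown above); vsftpd is pointed at
# the new PAM file with pam_service_name=vsftpd.vu, because the notes name
# the file but never reference it; db_load comes from db4-utils (libdb-utils
# or db-util on newer distributions) and the database step is skipped with a
# warning when it is not installed.

# install_vusers PREFIX LISTFILE: build vusers.db from a list that alternates
# user name / password lines, then restrict both files to root.
install_vusers() {
    local prefix=$1 list=$2 dir
    dir=$prefix/etc/vsftpd
    mkdir -p "$dir"
    cp "$list" "$dir/vusers.list"
    chmod 600 "$dir/vusers.list"            # holds clear-text passwords
    if command -v db_load >/dev/null 2>&1; then
        # -T: plain-text input, -t hash: hash access method, -f: source file
        db_load -T -t hash -f "$dir/vusers.list" "$dir/vusers.db"
        chmod 600 "$dir/vusers.db"
    else
        echo "warning: db_load not found, $dir/vusers.db not built" >&2
    fi
}

# install_pam PREFIX: PAM service that authenticates only against vusers.db
install_pam() {
    local f=$1/etc/pam.d/vsftpd.vu
    mkdir -p "${f%/*}"
    cat > "$f" <<'EOF'
# db= is the path without the .db suffix
auth    required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
EOF
}

# install_conf PREFIX: vsftpd.conf options for the virtual users
install_conf() {
    local f=$1/etc/vsftpd/vsftpd.conf
    mkdir -p "${f%/*}"
    cat >> "$f" <<'EOF'
# virtual users: authenticate via /etc/pam.d/vsftpd.vu, run as "virtual"
pam_service_name=vsftpd.vu
guest_enable=YES
guest_username=virtual
anon_umask=022
EOF
}

# install_root PREFIX: FTP root readable by all, writable only by its owner
install_root() {
    local root=$1/var/ftproot
    mkdir -p "$root"
    chmod 755 "$root"
    if [ "$1" = / ]; then chown virtual "$root"; fi
}

# check_setup PREFIX: 0 when the pieces fit together, 1 otherwise
check_setup() {
    local p=$1 f
    grep -q '^pam_service_name=vsftpd.vu$' "$p/etc/vsftpd/vsftpd.conf" || return 1
    grep -q 'db=/etc/vsftpd/vusers$' "$p/etc/pam.d/vsftpd.vu" || return 1
    for f in "$p/etc/vsftpd/vusers.list" "$p/etc/vsftpd/vusers.db"; do
        [ -e "$f" ] || continue                   # .db is absent without db_load
        case $(ls -l "$f") in -rw-------*) ;; *) return 1 ;; esac
    done
    case $(ls -ld "$p/var/ftproot") in
        d????w*|d???????w*) return 1 ;;           # group- or world-writable root
    esac
    return 0
}

# Rehearsal in a scratch prefix with a constructed account list
demo() {
    local p; p=$(mktemp -d)
    printf 'zhangsan\n123\nlisi\n123\nwangwu\n456\n' > "$p/vusers.list"
    install_vusers "$p" "$p/vusers.list"
    install_pam "$p"; install_conf "$p"; install_root "$p"
    if check_setup "$p"; then echo "staged setup in $p is consistent"; fi
    rm -rf "$p"
}
demo
```

pam_userdb compares the stored value with the typed password in clear text unless crypt=crypt is added to its lines, in which case the values in the list must be crypt(3) hashes before db_load is run; either way vusers.list can be deleted once the .db file exists, since db_dump -p vusers.db (also from db4-utils) shows its contents when they need checking.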
Extension: FTP virtual hosting
- IP-based virtual hosts
- Port-based virtual hosts
eth0: 10.1.1.2 only allows local users to access
eth1: 10.1.1.3 only allows anonymous users to access, with connection limits
[root@server vsftpd]# rpm -ql vsftpd
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS/README
[root@server vsftpd]# cd /usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS/
[root@server VIRTUAL_HOSTS]# ls
README
[root@server VIRTUAL_HOSTS]# less README    // read the steps
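One way to meet the eth0/eth1 requirement with IP-based virtual hosts, as an added example (it is neither from the original notes nor the steps in vsftpd's VIRTUAL_HOSTS README): one standalone vsftpd instance per address, each bound with listen_address and started with its own config file (vsftpd /etc/vsftpd/vsftpd_anon.conf; the RHEL/CentOS 6 init script starts one instance for every /etc/vsftpd/*.conf). The file names vsftpd_local.conf and vsftpd_anon.conf, the anonymous root /var/ftp and the limit values are assumptions. A check function catches the two mistakes that matter: both instances bound to the same address, or one side exposing the other's user class.

```shell
#!/bin/sh
# Added example, not from the original notes or from vsftpd's VIRTUAL_HOSTS
# README: the eth0/eth1 requirement above as two standalone instances, each
# started with its own config file (vsftpd /path/to/file.conf; the
# RHEL/CentOS 6 init script starts one instance per /etc/vsftpd/*.conf).
# Assumptions: file names vsftpd_local.conf / vsftpd_anon.conf, anonymous
# root /var/ftp, and the limit values are illustrative. Written against a
# PREFIX so the files can be generated and checked in a scratch directory.

# write_local_vhost PREFIX: 10.1.1.2, local users only, no anonymous access
write_local_vhost() {
    local f=$1/etc/vsftpd/vsftpd_local.conf
    mkdir -p "${f%/*}"
    cat > "$f" <<'EOF'
listen=YES
listen_address=10.1.1.2
local_enable=YES
anonymous_enable=NO
write_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
xferlog_enable=YES
EOF
}

# write_anon_vhost PREFIX: 10.1.1.3, anonymous only, read-only, with limits
write_anon_vhost() {
    local f=$1/etc/vsftpd/vsftpd_anon.conf
    mkdir -p "${f%/*}"
    cat > "$f" <<'EOF'
listen=YES
listen_address=10.1.1.3
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_root=/var/ftp
max_clients=50
max_per_ip=5
anon_max_rate=102400
xferlog_enable=YES
EOF
}

# conf_get FILE KEY: value of KEY (last occurrence wins), empty if unset
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_vhosts LOCAL_CONF ANON_CONF: 0 when the two instances cannot collide
# on an address and each side exposes only the intended user class
check_vhosts() {
    local a=$1 b=$2
    [ "$(conf_get "$a" listen)" = YES ] && [ "$(conf_get "$b" listen)" = YES ] || return 1
    [ -n "$(conf_get "$a" listen_address)" ] || return 1
    [ "$(conf_get "$a" listen_address)" != "$(conf_get "$b" listen_address)" ] || return 1
    [ "$(conf_get "$a" local_enable)" = YES ] && [ "$(conf_get "$a" anonymous_enable)" = NO ] || return 1
    [ "$(conf_get "$b" anonymous_enable)" = YES ] && [ "$(conf_get "$b" local_enable)" = NO ] || return 1
    [ "$(conf_get "$b" write_enable)" = NO ] || return 1
    return 0
}

demo() {
    local p; p=$(mktemp -d)
    write_local_vhost "$p"; write_anon_vhost "$p"
    if check_vhosts "$p/etc/vsftpd/vsftpd_local.conf" "$p/etc/vsftpd/vsftpd_anon.conf"; then
        echo "virtual host configs in $p/etc/vsftpd are consistent"
    fi
    rm -rf "$p"
}
demo
```

Every option above exists in vsftpd 2.2.2; newer-only options such as allow_writeable_chroot must not be added to these files on that version, because vsftpd refuses to start on an unknown option rather than ignoring it.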