This article is divided into two parts: a theoretical part on FTP and a practical part.
FTP principles and theory
FTP (File Transfer Protocol) is a typical client/server (C/S) application-layer protocol. It requires both server software and client software; together these provide the file transfer functions.
FTP provides file upload and download, and can be used on a LAN as well as over the Internet.
FTP is an application-layer protocol that runs on top of TCP. TCP's advantages are that it is safe, reliable and connection-oriented, though slower; files are transferred over it with ftp.
FTP connections and transfer modes
By default the FTP protocol uses TCP ports 21 and 20 to communicate with the client:
port 21 carries the control connection with the user and is used to send commands;
port 20 is used to establish the data connection over which files are transferred (upload and download).
1) Active mode
1. The server initiates the data connection.
2. The client establishes a connection to the FTP server's port 21; when it needs to transfer data, it tells the server with the PORT command: "I have opened a port (in the range 1024 to 65535)".
3. The server, from its port 20, sends a connection request to the port the client opened, and the data connection is established.
2) Passive mode
1. The server waits.
2. The client initiates the request (used when a LAN firewall prohibits active mode).
3. The client establishes the FTP control connection to the server's port 21.
4. When a file needs to be transferred, the server answers the client's PASV command with: "I have opened a port".
5. The client connects to that server data port to initiate the transfer.
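The two messages that carry the data-connection endpoint, the server's PASV reply in passive mode and the client's PORT command in active mode, both encode a 16-bit port as two decimal bytes (p1*256+p2). The following is an added example, not code from the original article: a POSIX shell decoder for PASV replies, the same decoder with the host check a careful client performs, and an encoder for PORT. The addresses and ports are constructed sample values.

```shell
# Added example (not from the original article): decode a server PASV reply
# and build a client PORT command, the two messages that carry the data
# connection endpoint in passive and active mode. All addresses and ports
# used below are constructed sample values.

# pasv_endpoint REPLY -> "host:port" taken from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The port is p1*256+p2, which is how FTP encodes a 16-bit port in two decimal bytes.
pasv_endpoint() {
    reply=$1
    nums=$(printf '%s' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || { echo "not a PASV reply: $reply" >&2; return 1; }
    oldifs=$IFS
    IFS=,
    set -- $nums
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "PASV reply must carry six numbers" >&2; return 1; }
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_endpoint_checked REPLY CONTROL_HOST: same, but refuses a reply whose
# advertised host differs from the host the control connection is talking to,
# so a tampered or misconfigured server cannot steer the data connection elsewhere.
pasv_endpoint_checked() {
    ep=$(pasv_endpoint "$1") || return 1
    case "$ep" in
        "$2":*) printf '%s\n' "$ep" ;;
        *) echo "PASV advertised ${ep%:*}, control connection is to $2; refusing" >&2; return 1 ;;
    esac
}

# port_command HOST PORT -> "PORT h1,h2,h3,h4,p1,p2" for the client's listening
# port in active mode; the article's 1024-65535 range is enforced.
port_command() {
    host=$1
    port=$2
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || { echo "port $port outside 1024-65535" >&2; return 1; }
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$host" | tr '.' ',')" $(( port / 256 )) $(( port % 256 ))
}

# Demonstration on constructed values.
pasv_endpoint '227 Entering Passive Mode (192,168,4,1,195,80).'    # 192.168.4.1:50000
port_command 192.168.4.100 5000                                     # PORT 192,168,4,100,19,136
```

The host comparison in pasv_endpoint_checked is the check most real clients make by default: the data connection is only opened to the address the control connection already trusts, which is also why a server behind NAT that advertises a private address in its PASV reply fails with such clients.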
FTP transfer modes
Text mode: ASCII mode transmits a sequence of text data; used for plain text.
Binary mode: binary mode transmits a sequence of binary data; used for non-plain-text files such as pictures.
FTP user types
1. Anonymous user (no password), logging in as:
Anonymous
ftp
2. Local users
Tied to the system: these are the system's ordinary users.
3. Virtual users
Independent of the system, with a separate account and password; they cannot log into the system, which makes them very secure.
Common FTP server program
IIS、Serv-U
wu-ftpd、Proftpd
vsftpd(Very Secure FTP Daemon)
Common FTP client program
ftp command
CuteFTP、FlashFXP、LeapFTP、Filezilla
gftp、kuftp
User list files
1. ftpusers
Users listed in this file are prohibited from logging into the FTP server, whatever the user_list file says.
2. user_list
Contains users who may be allowed or denied from logging in, depending on two options:
1) userlist_enable=YES/NO // whether the user_list user list is enabled
2) userlist_deny=YES/NO // whether the users in the user_list list are denied
For example
User zhs wants to access FTP resources. zhs is recorded in the user_list file, and the vsftpd configuration sets userlist_enable=YES and
userlist_deny=NO; but zhs also appears in the ftpusers file. In the end, can zhs access the FTP resources?
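The three rules above (ftpusers is an unconditional blacklist; user_list is a blacklist when userlist_deny=YES and a whitelist when userlist_deny=NO; user_list is ignored when userlist_enable=NO) can be written down as a decision function. The following is an added example, not part of the original article: the function is run against a constructed pair of list files that reproduce the zhs question, so the answer can be checked rather than guessed.

```shell
# Added example, not part of the original article: a decision function that
# applies the article's rules for ftpusers and user_list, run against a
# constructed pair of list files that reproduce the "zhs" question above.

# ftp_user_decision USER FTPUSERS USER_LIST USERLIST_ENABLE USERLIST_DENY
# Prints "allow"/"deny" followed by the rule that decided.
ftp_user_decision() {
    user=$1; ftpusers=$2; userlist=$3; enable=$4; deny=$5
    # Rule 1: a name in ftpusers is refused no matter what user_list says.
    if grep -qxF -- "$user" "$ftpusers"; then
        echo "deny (listed in ftpusers)"
        return 0
    fi
    # Rule 2: user_list is consulted only when userlist_enable=YES.
    if [ "$enable" != YES ]; then
        echo "allow (user_list not enabled)"
        return 0
    fi
    if grep -qxF -- "$user" "$userlist"; then listed=yes; else listed=no; fi
    if [ "$deny" = YES ]; then
        # userlist_deny=YES: user_list is a blacklist.
        if [ "$listed" = yes ]; then echo "deny (in user_list, userlist_deny=YES)"; else echo "allow (not in user_list)"; fi
    else
        # userlist_deny=NO: user_list is a whitelist; names not on it are refused.
        if [ "$listed" = yes ]; then echo "allow (in user_list, userlist_deny=NO)"; else echo "deny (not in user_list, userlist_deny=NO)"; fi
    fi
}

# Constructed sample list files.
lists=$(mktemp -d)
printf 'root\nbin\nzhs\n' > "$lists/ftpusers"
printf 'zhs\nlisi\n' > "$lists/user_list"

ftp_user_decision zhs  "$lists/ftpusers" "$lists/user_list" YES NO   # deny (listed in ftpusers)
ftp_user_decision lisi "$lists/ftpusers" "$lists/user_list" YES NO   # allow (in user_list, userlist_deny=NO)
ftp_user_decision wang "$lists/ftpusers" "$lists/user_list" YES NO   # deny (not in user_list, userlist_deny=NO)
```

One caveat worth checking on your own system: on many distributions ftpusers is not read by vsftpd itself but enforced by a pam_listfile line in the vsftpd PAM service. A custom pam_service_name, such as the vsftpd.vu file used for virtual users in the practical part, does not contain that line unless you add it, so rule 1 only applies to logins that go through the stock PAM service.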
vsftpd configuration file parameters
Commonly used global configuration items
listen=YES/NO: whether to listen for the service as a standalone daemon
listen_address=192.168.4.1: set the IP address to listen on
listen_port=21: set the port number of the FTP service
write_enable=YES/NO: whether to enable write permission
download_enable=YES/NO: whether to allow downloading files
userlist_enable=YES/NO: whether to enable the user_list file
userlist_deny=YES/NO: whether to deny the users in user_list
max_clients=0: limit the number of concurrent client connections
max_per_ip=0: limit the number of concurrent connections from the same IP address
Commonly used anonymous FTP configuration items
anonymous_enable=YES: enable anonymous access; the default is YES
anon_umask=022: permission mask for files uploaded by anonymous users; default file permission = 666-022, giving 644; default directory permission = 777-022, giving 755
anon_root=/var/ftp: FTP root directory for anonymous users; the default is /var/ftp. If you change it, set the directory's owner correctly, otherwise anonymous users cannot access it
anon_upload_enable=YES/NO: allow uploading files
anon_mkdir_write_enable=YES/NO: allow creating directories
anon_other_write_enable=YES/NO: open up other write permissions
anon_max_rate=0: limit the maximum transfer rate (bytes/second)
Commonly used local-user FTP configuration items
local_enable=YES: whether to enable local system users; enabled by default
local_umask=022: permission mask for files uploaded by local users
local_root=/var/ftp: set the FTP root directory for local users
chroot_local_user=YES: whether to confine users to their home directory so they cannot change to other directories, such as etc, boot and so on
local_max_rate=0: limit the maximum transfer rate (bytes/second)
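The options above are easiest to reason about when read back from a real configuration file. The following is an added example, not from the original article: a small shell audit that reads a vsftpd.conf and reports the settings a reviewer would flag (anonymous upload or rename/delete, an anon_umask that leaves uploads group- or world-writable, local users not confined by chroot_local_user). It also carries the anon_umask arithmetic through as the bitwise operation the kernel performs, which generalizes the article's 666-022 subtraction to masks where subtraction gives the wrong answer. The two configuration files are constructed samples, and the anon_umask fallback of 077 is vsftpd's documented default.

```shell
# Added example, not from the original article: a small audit of a vsftpd.conf
# against the options listed above, plus the umask arithmetic the anon_umask
# entry describes. The two configuration files are constructed samples.

# cfg_get FILE KEY -> value of KEY (last assignment wins), empty when unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# effective_mode BASE UMASK -> octal mode of a newly created file or directory.
# The real operation is BASE AND NOT UMASK; the article's "666-022=644" subtraction
# gives the same answer only while no bit underflows (666 and 027 give 640, not 637).
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# audit_vsftpd FILE: print one line per risky setting. Defaults follow the
# article (anonymous_enable=YES) and vsftpd's documented anon_umask default of 077.
audit_vsftpd() {
    cfg=$1
    anon=$(cfg_get "$cfg" anonymous_enable)
    if [ "${anon:-YES}" = YES ]; then
        [ "$(cfg_get "$cfg" anon_upload_enable)" = YES ] && echo "anonymous upload enabled (anon_upload_enable=YES)"
        [ "$(cfg_get "$cfg" anon_other_write_enable)" = YES ] && echo "anonymous rename/delete enabled (anon_other_write_enable=YES)"
        um=$(cfg_get "$cfg" anon_umask)
        mode=$(effective_mode 666 "${um:-077}")
        [ $(( 0$mode & 022 )) -ne 0 ] && echo "anonymous uploads would be group/world writable (anon_umask=${um:-077} gives $mode)"
    fi
    if [ "$(cfg_get "$cfg" local_enable)" = YES ] && [ "$(cfg_get "$cfg" chroot_local_user)" != YES ]; then
        echo "local users can leave their home directory (chroot_local_user is not YES)"
    fi
    return 0
}

weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# constructed sample: permissive settings
anonymous_enable=YES
anon_upload_enable=YES
anon_umask=000
local_enable=YES
write_enable=YES
chroot_local_user=NO
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
# constructed sample: the same server with the risky options corrected
anonymous_enable=YES
anon_upload_enable=NO
anon_umask=022
local_enable=YES
write_enable=YES
chroot_local_user=YES
EOF

echo "weak:";     audit_vsftpd "$weak_cfg"        # three findings
echo "hardened:"; audit_vsftpd "$hardened_cfg"    # no findings
```

Run it against /etc/vsftpd/vsftpd.conf before restarting the service after any change; an empty report for the hardened sample shows what a configuration that allows anonymous downloads but no anonymous writes looks like.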
Practical part
Note: if something goes wrong, the likely causes are a mistake in the PAM file, or the db and user/password files not having permission 600.
Goal: give each user access to its own directory, based on a realistic environment. For example, the sales department can only see sales files, the finance department can only see finance files, and there is a public directory that everyone can see.
1. Stop iptables and run setenforce 0 (if the firewall is not stopped, allow ports 20/21 through it instead).
2. Create a plain-text list of user names and passwords (in this file, odd-numbered lines hold the user names and the following even-numbered lines hold the corresponding passwords).
vim /etc/vsftpd/vusers.list
lisi
123.com
zhangsan
456.com
3. Create the database file in Berkeley DB format
cd /etc/vsftpd
db_load -T -t hash -f vusers.list vusers.db
file vusers.db // check the file type
vusers.db: Berkeley DB (Hash, version 9, native byte-order)
chmod 600 /etc/vsftpd/vusers.* (required, otherwise it will fail)
4. Add the system account that virtual users are mapped to, and create the FTP root directory
useradd -d /var/ftproot -s /sbin/nologin virtual
chmod 755 /var/ftproot/
5. Add virtual user support to the vsftpd service
5.1 Create the PAM authentication file for the virtual users
vim /etc/pam.d/vsftpd.vu
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
5.2 Modify the vsftpd configuration to add virtual user support
vim /etc/vsftpd/vsftpd.conf
local_enable=YES
write_enable=YES
anon_umask=022
guest_enable=YES
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vusers_dir
5.3 Create a separate configuration file for each virtual user
mkdir vusers_dir
cd vusers_dir/
Finance department: the configuration for user lisi
vim lisi
local_root=/caiwu
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Sales department: the configuration for user zhangsan
vim zhangsan
local_root=/xiaoshou
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Set up a public directory, used by the anonymous user, that only allows downloads and has no write permission
vim /etc/vsftpd/vsftpd.conf
Add:
local_root=/var/ftp
5.4 Restart the service
systemctl restart vsftpd
5.5 Verification
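Steps 2 to 5.4 above are easier to get right, and to review before they touch /etc, when the files are generated into a staging directory first. The following is an added example, not part of the original article: a shell script that renders the user list, the PAM service file, the vsftpd.conf settings and the per-user files from the steps above into a staging tree, validates the odd/even layout of the user list that db_load depends on, and prints (rather than runs) the privileged commands. Two things in it are assumptions the article does not show: guest_username=virtual, because the article creates the "virtual" account but never tells vsftpd to map guests to it (without that line vsftpd uses its default guest user), and the creation of /caiwu and /xiaoshou owned by "virtual", which the per-user local_root settings require. listen=YES and the explicit anonymous lines are also added so that the public directory is download-only.

```shell
# Added example, not part of the original article: render the files from
# steps 2 to 5.3 into a staging directory for review, and print the privileged
# commands (db_load, useradd, chmod, systemctl) instead of running them.
# Assumptions: the staging tree mirrors the real paths; guest_username=virtual is
# included because the article creates the "virtual" account but does not show
# the option that maps guests to it (vsftpd otherwise maps them to its default
# guest user); /caiwu and /xiaoshou are created and owned by "virtual", which the
# article's per-user local_root settings require but do not show.

# check_vusers_list FILE -> number of accounts. The db_load format pairs each odd
# line (user) with the following even line (password), so a blank or missing
# line silently shifts every later password onto a user-name position.
check_vusers_list() {
    total=$(grep -c '' "$1")
    blanks=$(grep -c '^[[:space:]]*$' "$1" || true)
    [ "$blanks" -eq 0 ] || { echo "$1: blank line would misalign user/password pairs" >&2; return 1; }
    [ $(( total % 2 )) -eq 0 ] || { echo "$1: odd number of lines, a user has no password" >&2; return 1; }
    echo $(( total / 2 ))
}

# write_user_conf STAGE USER ROOT: per-user file from step 5.3; the file name is the login.
write_user_conf() {
    printf 'local_root=%s\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n' "$3" \
        > "$1/etc/vsftpd/vusers_dir/$2"
}

# render_stage STAGE: write every configuration file below STAGE.
render_stage() {
    stage=$1
    mkdir -p "$stage/etc/vsftpd/vusers_dir" "$stage/etc/pam.d"
    # Step 2: user on odd lines, password on even lines (passwords are the article's samples).
    printf 'lisi\n123.com\nzhangsan\n456.com\n' > "$stage/etc/vsftpd/vusers.list"
    chmod 600 "$stage/etc/vsftpd/vusers.list"
    # Step 5.1: PAM service backed by the Berkeley DB file (db= takes the path without .db).
    cat > "$stage/etc/pam.d/vsftpd.vu" <<'EOF'
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
EOF
    # Step 5.2 plus the public-directory line from the article; listen=YES and the
    # anonymous lines are added here so the public directory is download-only.
    cat > "$stage/etc/vsftpd/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
write_enable=YES
anon_umask=022
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vusers_dir
local_root=/var/ftp
EOF
    # Step 5.3: one file per virtual user, selecting the department tree.
    write_user_conf "$stage" lisi /caiwu
    write_user_conf "$stage" zhangsan /xiaoshou
}

# privileged_steps STAGE: the root-only commands to run after reviewing the stage.
privileged_steps() {
    cat <<EOF
cp -r $1/etc/vsftpd/. /etc/vsftpd/ && cp $1/etc/pam.d/vsftpd.vu /etc/pam.d/
cd /etc/vsftpd && db_load -T -t hash -f vusers.list vusers.db
chmod 600 /etc/vsftpd/vusers.*          # required by the article, otherwise login fails
useradd -d /var/ftproot -s /sbin/nologin virtual
chmod 755 /var/ftproot
mkdir -p /caiwu /xiaoshou && chown virtual /caiwu /xiaoshou   # assumed: not shown in the article
systemctl restart vsftpd
EOF
}

stage=$(mktemp -d)
render_stage "$stage"
check_vusers_list "$stage/etc/vsftpd/vusers.list"   # 2
privileged_steps "$stage"
```

The staged vusers.list is created with mode 600 because it holds cleartext passwords; once vusers.db has been built from it, the plain-text list should be removed or kept at that mode as well. For the verification step, log in as lisi and confirm the session lands in /caiwu and cannot change to /xiaoshou, then repeat for zhangsan, and finally log in anonymously and confirm that an upload to /var/ftp is refused.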