FTP service configuration and setup notes

1. What is a file-sharing service?

A file storage service is, put simply, a block device or file system on one host that is shared so that other hosts can use it.

1.1 Three kinds of file-sharing service

  1. FTP: an application-layer service, cross-platform
  2. NFS: implemented in kernel mode, cannot be used across platforms
  3. Samba: cross-platform

1.2 Three ways a server connects to storage

  1. DAS: directly attached disk
  2. NAS: network file sharing (file-level storage) implemented over the NFS/CIFS protocols; e-mail, web servers, multimedia streaming and similar file-sharing workloads suit a NAS storage architecture
  3. SAN: physical storage devices connected over network cabling or optical fibre using iSCSI or FC SAN (comparatively low-level block storage; it must be formatted and mounted like a local disk when used); database-type applications suit a SAN storage architecture

2. FTP introduction

FTP is the acronym for File Transfer Protocol, an application-layer network protocol for transferring files.

FTP can transfer files over a network; because it works at the application layer it is not tied to any particular platform.

2.1 How FTP works

The client establishes a connection with the server via a TCP three-way handshake; files can only be transferred after the connection has been set up successfully.

  1. FTP traffic is divided into command transmission and file data transmission. Commands are issued by the client and executed by the server, which returns the result to the client; for example, the ls command returns all files in the current directory. File data transmission is the transfer of the file contents themselves over a connection between the server and the client.
  2. An FTP client and server generally go through three steps: establish the connection, transfer data, disconnect.
  3. FTP is a TCP-based protocol: port 21 is used to establish the authenticated command channel and port 20 to establish the data channel.
  4. FTP transmits everything in clear text.
  5. FTP users are divided into real users, anonymous users and guest users.

2.2 FTP modes of operation

Today's network architectures usually include a firewall that blocks ports, and in particular blocks inbound connections to high ports; active connections on port 20 are commonly forbidden because port 20 is the FTP data port. To get around a firewall on either the client or the server side, FTP has an active mode and a passive mode: the end that sits behind the firewall initiates the data connection outwards, so the firewall does not block it.

2.2.1 Active mode

Used when the server side has a firewall: the client cannot actively connect to the server's data port 20, so the server actively connects to the port the client has opened.

  1. After the TCP command channel is established between the two ends, the client sends a request through the server's port 21 (the authenticated connection port) and opens a high port to be used for the data connection.
  2. After the server receives the request it responds with an ACK from port 20.
  3. The server establishes the data connection from its port 20 to the high port the client sent.

2.2.2 Passive mode

Usually used when the client side has a firewall: after the server receives the client's connection request it cannot reach the client's high port because of the firewall, so the client must actively connect to the server's data transfer port.

  1. After the TCP command channel is established between the two ends, the client sends a PASV request to the server.
  2. After receiving the PASV request the server opens a high port for data transfer and returns it to the client in its response.
  3. After the client receives the response it connects to that server port, establishing the data transmission channel.
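The two exchanges above, as an added example that is not from the original notes: a small Python helper that encodes the client's PORT command for active mode, decodes the server's 227 reply for passive mode, and applies the check a careful client makes that the address in the 227 reply matches the host the control connection went to. The sample reply, addresses and the 50000-60000 range used by pasv_port_in_range are constructed here for illustration (the range is the one these notes configure later, not a vsftpd default).

```python
import re

# Constructed example reply and peer address; not captured from a real vsftpd server.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,200,10)."
CONTROL_PEER = "192.168.1.10"   # address the control connection (port 21) was opened to

_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply, expected_host=None):
    """Decode a 227 reply into (host, port).

    The server encodes its data port as two bytes p1,p2 with port = p1*256 + p2.
    If expected_host is given, refuse a reply that points the client at a host
    other than the one the control connection was made to: a client that blindly
    follows the address in the 227 reply could be sent elsewhere for its data
    connection, so modern FTP clients apply this check by default."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    if expected_host is not None and host != expected_host:
        raise ValueError("PASV reply points at %s, control connection is to %s" % (host, expected_host))
    return host, port


def build_port_command(host, port):
    """Encode the client's listening socket as an active-mode PORT command.
    The client opens a high port, announces it with PORT, and the server then
    connects from its port 20 to that address."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 1 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def pasv_port_in_range(port, pasv_min_port=50000, pasv_max_port=60000):
    """Check an announced data port against the range a firewall administrator
    would open to match pasv_min_port/pasv_max_port in vsftpd.conf."""
    return pasv_min_port <= port <= pasv_max_port


def passive_mode_exchange(reply=PASV_REPLY, control_peer=CONTROL_PEER):
    """The passive-mode steps from the text as a list of (side, message) lines."""
    host, port = parse_pasv_reply(reply, expected_host=control_peer)
    return [
        ("client", "PASV"),
        ("server", reply),
        ("client", "connect to %s:%d for data" % (host, port)),
    ]


def active_mode_exchange(client_host="10.0.0.5", client_port=1025):
    """The active-mode steps: the client announces its high port and the server
    connects from port 20 to it."""
    return [
        ("client", build_port_command(client_host, client_port)),
        ("server", "200 PORT command successful."),
        ("server", "connect from :20 to %s:%d for data" % (client_host, client_port)),
    ]


if __name__ == "__main__":
    for side, msg in active_mode_exchange() + passive_mode_exchange():
        print("%-6s %s" % (side, msg))
    print("data port inside pasv range:", pasv_port_in_range(parse_pasv_reply(PASV_REPLY)[1]))
```

Run it directly to print both exchanges. The expected_host check is the part worth keeping in any client code: the 227 reply carries an address as well as a port, and a reply naming a different host would otherwise send the data connection to that host instead of the server being talked to.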

2.3 FTP user types

  1. Anonymous user

    anonymous or ftp

  2. Local users

    Account name and password information stored in the passwd and shadow files

  3. Virtual users

    A separate account/password data file, for example:

    user_list ftp_user1 123456 /var/pub

3. vsftpd installation and use

Official website: http://vsftpd.beasts.org

3.1 Turn off the firewall and SELinux

# 1. Turn off the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
# 2. Turn off SELinux
## 2.1 Permanently (requires a server reboot)
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
reboot
## 2.2 Temporarily
setenforce 0

3.2 Install vsftpd

yum install -y vsftpd

3.3 View the files generated by the installation

[root@ftp ~]# rpm -qa|grep vsftpd
vsftpd-3.0.2-25.el7.x86_64
[root@ftp ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd                   # PAM authentication file
/etc/vsftpd
/etc/vsftpd/ftpusers            # login restriction file
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf     # main configuration file
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/lib/systemd/system-generators/vsftpd-generator
/usr/lib/systemd/system/vsftpd.service
/usr/lib/systemd/system/vsftpd.target
/usr/lib/systemd/system/vsftpd@.service
/usr/sbin/vsftpd                    # program binary
/usr/share/doc/vsftpd-3.0.2
/usr/share/doc/vsftpd-3.0.2/AUDIT
/usr/share/doc/vsftpd-3.0.2/BENCHMARKS
/usr/share/doc/vsftpd-3.0.2/BUGS
/usr/share/doc/vsftpd-3.0.2/COPYING
/usr/share/doc/vsftpd-3.0.2/Changelog
/usr/share/doc/vsftpd-3.0.2/EXAMPLE
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/vsftpd-3.0.2/FAQ
/usr/share/doc/vsftpd-3.0.2/INSTALL
/usr/share/doc/vsftpd-3.0.2/LICENSE
/usr/share/doc/vsftpd-3.0.2/README
/usr/share/doc/vsftpd-3.0.2/README.security
/usr/share/doc/vsftpd-3.0.2/REWARD
/usr/share/doc/vsftpd-3.0.2/SECURITY
/usr/share/doc/vsftpd-3.0.2/SECURITY/DESIGN
/usr/share/doc/vsftpd-3.0.2/SECURITY/IMPLEMENTATION
/usr/share/doc/vsftpd-3.0.2/SECURITY/OVERVIEW
/usr/share/doc/vsftpd-3.0.2/SECURITY/TRUST
/usr/share/doc/vsftpd-3.0.2/SIZE
/usr/share/doc/vsftpd-3.0.2/SPEED
/usr/share/doc/vsftpd-3.0.2/TODO
/usr/share/doc/vsftpd-3.0.2/TUNING
/usr/share/doc/vsftpd-3.0.2/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp                                    # FTP home directory
/var/ftp/pub
[root@ftp ~]# 

3.4 Anonymous-user-based access control

To configure anonymous-user-based access control, modify vsftpd's main configuration file /etc/vsftpd/vsftpd.conf. The main parameters are the following:

  • anonymous_enable=YES: enable anonymous users
  • anon_upload_enable=YES: allow anonymous users to upload files
  • anon_mkdir_write_enable=YES: whether anonymous users may create directories; the directory on the file system must also grant them write permission
  • anon_other_write_enable=YES: allow anonymous users write privileges beyond uploading and creating directories, for example deleting or renaming
  • anon_umask=077: the umask that sets the default permissions of files uploaded by anonymous users

3.4.1 Allow anonymous user login

Without modifying the configuration file at all, just start the service and FTP client software can connect directly. The default user name is ftp, with no password.

systemctl start vsftpd.service

But at this point the anonymous user cannot upload files or create directories:

3.4.2 Allow anonymous users to upload files and create directories

Grant the permissions that allow anonymous users to upload files and create folders:

cd /etc/vsftpd/
vim vsftpd.conf
# Enable the following three permissions
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
# Enter the ftp home directory, create a folder and grant the ftp user access to it
[root@ftp ~]# cd /var/ftp/
[root@ftp ftp]# mkdir -p ./testdir
[root@ftp ftp]# setfacl -m u:ftp:rwx ./testdir/
[root@ftp ftp]# getfacl ./testdir/
# file: testdir/
# owner: root
# group: root
user::rwx
user:ftp:rwx
group::r-x
mask::rwx
other::r-x
[root@ftp ftp]# 

Log in to FTP again; you can now upload files and create directories inside testdir, but you do not yet have permission to delete or rename files.

3.4.3 Grant anonymous users delete and rename rights

vim /etc/vsftpd/vsftpd.conf
# Add the following line, then restart the vsftpd service
anon_other_write_enable=YES
systemctl restart vsftpd.service

Test deleting and renaming files:

3.5 Local-user-based access control

By default, operating-system accounts can log in directly with their user name and password, and after login they are placed in their home directory.

Local-user-based access control can likewise be achieved by modifying the vsftpd configuration file; the relevant parameters are roughly these:

  1. local_enable=YES: whether Linux users are allowed to log in; enabled by default, and can of course be disabled
  2. write_enable=YES: whether system users are allowed to upload files
  3. local_root=/ftproot: login directory for non-anonymous users; when a Linux user logs in successfully they are no longer placed in their own home directory by default but in the specified directory instead
  4. local_umask=022: specifies the default permissions of files uploaded by system users

3.5.1 Allow system users to log in and upload files

vim /etc/vsftpd/vsftpd.conf
# The following three parameters are enabled by default
local_enable=YES
write_enable=YES
local_umask=022

# Add a system user and set its password
useradd centos
echo "123456"|passwd --stdin centos

By default, system users have permission to upload files, create directories, rename and delete.

By default a system user can also browse other directories, which is not safe. So if you want to allow system users to log in over FTP, you must modify the configuration file to prohibit them from accessing any directory other than their home directory.

3.5.2 Local users can only access their home directory

Modify the configuration file vsftpd.conf:

vim /etc/vsftpd/vsftpd.conf
# Enable the following parameter
chroot_local_user=YES
# This parameter is global: once enabled, no local user can access any directory other than their home directory

But after enabling this parameter: since vsftpd 2.3.5, vsftpd performs stricter security checks. If a user is confined to their home directory, that home directory must no longer be writable by the user; if the check finds write permission, vsftpd reports an error.

There are two ways to resolve this error:

# 1. Option one: remove write permission from the corresponding home directory
chmod a-w /home/centos
# 2. Option two: add the following parameter to the configuration file
allow_writeable_chroot=YES

3.5.3 Configure so that only specified local users are confined to their home directory

To configure specific users so that they can only access their home directory while other users can access other directories, disable the global parameter allow_writeable_chroot=YES in the configuration file and enable the following two parameters:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Then create the specified file chroot_list and list the relevant users in it:

vim /etc/vsftpd/chroot_list
# Restricted to the home directory only
centos

# Restart the vsftpd service
systemctl restart vsftpd.service
# Create a new user and set its password
useradd redhat
echo "123456"|passwd --stdin redhat

Accessing as the centos user, you can only stay in your own home directory:

Accessing as the redhat user, you can access directories other than the home directory:

3.6 Setting up chroot

In the default configuration, local users can change to directories outside their own home directory to browse, and can download and upload within the limits of their permissions. Such a setup is unsafe for an FTP server.

If you want local users to be unable to access directories other than their home directory after login, set the chroot options; specifically the following three:

chroot_local_user
chroot_list_enable
chroot_list_file

3.6.1 chroot all users

Just set the chroot_local_user option to YES and every local user can only access their own home directory.

chroot_local_user=YES

3.6.2 chroot only specified users

Comment out the global setting or set it to NO, then enable the other two options:

chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

This way, the users listed in the file /etc/vsftpd/chroot_list can only access their own home directory, while other local users can access directories other than their home directory.

To configure local-user-based access restrictions, modify the configuration file; there are two main ways:

  1. Deny the specified local users while other local users may still access

    userlist_enable=YES
    userlist_deny=YES
    userlist_file=/etc/vsftpd/user_list

    This makes the local users listed in /etc/vsftpd/user_list unable to access the FTP server, while all other local users can access it.

  2. Allow only the specified local users and deny all others

    userlist_enable=YES
    userlist_deny=NO
    userlist_file=/etc/vsftpd/user_list


3.7 Banner messages

3.7.1 Login banner

The login banner is not visible in graphical FTP clients; it only appears when the ftp command-line program is used as the client. It can be configured in the following ways, which have different priorities.

# If users are restricted to their home directory, this setting takes precedence
ftpd_banner="Welcome to Mage Ftp Server!"
# This one has lower priority than the previous setting
banner_file=/etc/vsftpd/ftpbanner.txt

# In other cases, when both settings are present, banner_file takes precedence by default

3.7.2 Directory message

When a user enters a directory, a message can be shown describing what that directory is for. Create a hidden file named .message in the directory and write the message in it. The following configuration must be added:

dirmessage_enable=YES
message_file=.message

# Create .message under /var/ftp/pub
vim /var/ftp/pub/.message
This is the public folder.

3.8 Further vsftpd configuration

3.8.1 Maximum transfer rate limit

local_max_rate=50000
anon_max_rate=30000

The settings above limit local users to a maximum transfer rate of 50 kbytes/s and anonymous users to 30 kbytes/s.

3.8.2 Port range for client data connections

pasv_min_port=50000
pasv_max_port=60000

The settings above restrict the port range used for client data connections to 50000-60000, which improves system security.

3.8.3 Basic performance and security options

# 1. Idle user session timeout (seconds)
idle_session_timeout=6000

# 2. Idle data connection timeout (seconds)
data_connection_timeout=120

# 3. Automatic disconnection time for an idle client and connection activation time (seconds)
accept_timeout=60
connect_timeout=60
# With the configuration above, the client is automatically disconnected after 1 minute and the connection is automatically re-activated one minute after the disconnection
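An added example (not from the original notes or from vsftpd itself) that reviews a vsftpd.conf against the settings sections 3.4 to 3.8 discuss: the anonymous write options, chroot confinement of local users, allow_writeable_chroot, the passive port range, the idle timeout, and whether TLS (ssl_enable) is on given that FTP is otherwise clear text. The defaults encoded in DEFAULTS are those of vsftpd.conf(5) for the options checked; the two sample configurations, the severity labels and the 600-second idle threshold are constructed for illustration.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "level key message")

# Defaults from vsftpd.conf(5) for the options checked here; anything not listed
# is treated as unset when absent from the file.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "allow_writeable_chroot": "NO",
    "ssl_enable": "NO",
}

# Constructed sample: the permissive settings these notes enable step by step.
INSECURE_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=50000
pasv_max_port=60000
idle_session_timeout=6000
data_connection_timeout=120
"""

# Constructed sample: local users only, chrooted, bounded PASV range, short idle timeout, TLS on.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
pasv_min_port=50000
pasv_max_port=60000
idle_session_timeout=300
data_connection_timeout=120
ssl_enable=YES
"""


def parse_vsftpd_conf(text):
    """vsftpd.conf is a flat option=value file: '#' lines are comments and there
    is no whitespace around '='. A later line for the same option wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line (expected option=value): %r" % raw)
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _is_on(conf, key):
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit_vsftpd_conf(text, max_idle_seconds=600):
    """Return the findings a reviewer would raise; max_idle_seconds is a
    constructed review threshold, not a vsftpd setting."""
    conf = parse_vsftpd_conf(text)
    findings = []
    # 3.4: any write access for anonymous users.
    if _is_on(conf, "anonymous_enable"):
        for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if _is_on(conf, key):
                findings.append(Finding("HIGH", key, "anonymous users may write to the server"))
    # 3.5/3.6: local users who are not chrooted can browse outside their home directory.
    if _is_on(conf, "local_enable") and not (_is_on(conf, "chroot_local_user") or _is_on(conf, "chroot_list_enable")):
        findings.append(Finding("HIGH", "chroot_local_user", "local users are not confined to their home directory"))
    # 3.5.2: allow_writeable_chroot switches off the check vsftpd added in 2.3.5.
    if _is_on(conf, "allow_writeable_chroot"):
        findings.append(Finding("MEDIUM", "allow_writeable_chroot", "chroot directory is writable; prefer chmod a-w on the home directory"))
    # 3.8.2: a bounded passive range lets the firewall open only those ports.
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo is None or hi is None:
        findings.append(Finding("LOW", "pasv_min_port", "no passive port range set; the firewall must allow all high ports"))
    elif not (1024 <= int(lo) <= int(hi) <= 65535):
        findings.append(Finding("HIGH", "pasv_min_port", "passive port range %s-%s is invalid" % (lo, hi)))
    # 3.8.3: long idle sessions keep unused connections open.
    idle = conf.get("idle_session_timeout")
    if idle is not None and int(idle) > max_idle_seconds:
        findings.append(Finding("LOW", "idle_session_timeout", "idle timeout %s s exceeds %d s" % (idle, max_idle_seconds)))
    # 2.1 point 4: FTP is clear text unless TLS is enabled.
    if not _is_on(conf, "ssl_enable"):
        findings.append(Finding("MEDIUM", "ssl_enable", "credentials and data are sent in clear text"))
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for f in audit_vsftpd_conf(text):
            print("  %-6s %-24s %s" % (f.level, f.key, f.message))
```

To review a live server, read /etc/vsftpd/vsftpd.conf into audit_vsftpd_conf; the per-user files under user_config_dir are parsed by the same function since they use the same option=value format.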

4. vsftpd virtual users

4.1 Virtual users

  • All virtual users are uniformly mapped to one specified system account; the shared directory they access is the home directory of that system account.
  • Each virtual account can be granted different access rights, specified via the anonymous-user permission control parameters.

4.2 Storage of virtual accounts

4.2.1 Text file

Edit a text file, which then has to be encoded into hash (db) format. Odd lines are user names and even lines are passwords.

db_load -T -t hash -f vusers.txt vusers.db

  • vsftpd virtual users with file-based authentication

    # 1. Create the user data file
    vim /etc/vsftpd/vusers.txt
    zhangsan
    123456
    lisi
    123456
    
    # 2. Generate the database file
    cd /etc/vsftpd/
    db_load -T -t hash -f vusers.txt vusers.db
    
    # 3. Restrict the database file permissions
    chmod 600 ./vusers.db
    
    # 4. Create the system user and the FTP access directory
    # Create the system user with the specified home directory
    useradd -d /var/ftproot -s /sbin/nologin vuser
    # Adjust the home directory permissions
    chmod +rwx /var/ftproot
    
    # 5. Create the PAM configuration file
    # Configure PAM so that vsftpd authenticates through the pam_userdb module
    vim /etc/pam.d/vsftpd.db
    auth required pam_userdb.so db=/etc/vsftpd/vusers
    account required pam_userdb.so db=/etc/vsftpd/vusers
    
    # 6. Point the main vsftpd configuration file at the PAM configuration
    vim /etc/vsftpd/vsftpd.conf
    guest_enable=YES
    guest_username=vuser
    pam_service_name=vsftpd.db
    
    # 7. Configure per-virtual-user permissions
    vim /etc/vsftpd/vsftpd.conf
    user_config_dir=/etc/vsftpd/vusers.d/
    # Create the configuration directory and set permissions per user (the permission file has the same name as the user)
    mkdir -p /etc/vsftpd/vusers.d/
    cd /etc/vsftpd/vusers.d/
    # Set permissions for zhangsan
    vim zhangsan
    # Virtual user upload permission
    anon_upload_enable=YES
    # Virtual user may create folders
    anon_mkdir_write_enable=NO
    # Other write permissions (delete, rename) for the virtual user in its directory
    anon_other_write_enable=NO
    # Change the login directory to another directory
    # local_root=/ftproot
    

    Restart the vsftpd service and log in as zhangsan: you can only upload files, not create folders or delete files:

    # Set permissions for lisi
    cd /etc/vsftpd/vusers.d/
    vim lisi
    # Virtual user upload permission
    anon_upload_enable=YES
    # Virtual user may create folders
    anon_mkdir_write_enable=YES
    # Other write permissions (delete, rename) for the virtual user in its directory
    anon_other_write_enable=YES
    # Change the login directory to another directory
    #local_root=/ftproot
    

    Restart the vsftpd service and log in as lisi: you can upload, create and delete:
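An added example, not part of the original notes, covering the two pieces of section 4.2.1 that are easy to get wrong: the odd/even line layout of the db_load input file, and how a per-user file under user_config_dir overrides the global anon_* options for a guest user. The sample vusers.txt and the zhangsan/lisi files are reconstructed from the commands above; the user-name policy in _NAME_RE is a constructed rule for this checker, not something vsftpd or db_load enforces.

```python
import re

# Constructed sample inputs modelled on the page's vusers.txt and vusers.d files.
VUSERS_TXT = "zhangsan\n123456\nlisi\n123456\n"
GLOBAL_CONF = "guest_enable=YES\nguest_username=vuser\nuser_config_dir=/etc/vsftpd/vusers.d/\n"
ZHANGSAN_CONF = "anon_upload_enable=YES\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n"
LISI_CONF = "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n"

# Conservative user-name policy (constructed): the name doubles as a file name
# under user_config_dir, so reject anything that could escape that directory,
# and reject empty names that db_load would store as an empty key.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def parse_vusers_txt(text):
    """Read the db_load input: line 1 user, line 2 password, line 3 user, ...
    Returns a dict name -> password in file order, rejecting files that would
    silently produce wrong keys in vusers.db."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd number of lines: every user needs a password line")
    users = {}
    for i in range(0, len(lines), 2):
        name, password = lines[i], lines[i + 1]
        if not _NAME_RE.match(name):
            raise ValueError("line %d: invalid user name %r" % (i + 1, name))
        if name in users:
            raise ValueError("line %d: duplicate user %r" % (i + 1, name))
        if not password:
            raise ValueError("line %d: empty password for %r" % (i + 2, name))
        users[name] = password
    return users


def _parse_conf(text):
    """Minimal option=value reader for vsftpd.conf and the per-user files."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def effective_virtual_permissions(global_conf, user_conf):
    """Guest (virtual) users are governed by the anon_* options; the file named
    after the user under user_config_dir overrides the global vsftpd.conf."""
    merged = _parse_conf(global_conf)
    merged.update(_parse_conf(user_conf))
    on = lambda key: merged.get(key, "NO").upper() == "YES"
    if not on("guest_enable"):
        raise ValueError("guest_enable is off: virtual users cannot log in at all")
    return {
        "upload": on("anon_upload_enable"),
        "mkdir": on("anon_mkdir_write_enable"),
        "delete_rename": on("anon_other_write_enable"),
        # Without local_root the guest lands in the mapped system user's home directory.
        "login_dir": merged.get("local_root", "home directory of " + merged.get("guest_username", "?")),
    }


if __name__ == "__main__":
    for name in parse_vusers_txt(VUSERS_TXT):
        user_conf = {"zhangsan": ZHANGSAN_CONF, "lisi": LISI_CONF}[name]
        print(name, effective_virtual_permissions(GLOBAL_CONF, user_conf))
```

The checks in parse_vusers_txt are the ones worth running before db_load: a missing or blank line shifts every following user into the password position, and a duplicate name means the last password silently wins in the hash database.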

4.2.2 Relational database

User authentication is performed by querying the database in real time.

  • MySQL

    https://www.cnblogs.com/zhenhui/p/5916116.html

    PAM depends on pam_mysql:

    • /lib/security/pam_mysql.so
    • /usr/share/doc/pam_mysql-0.7/README

  1. Install MySQL and the pam_mysql plugin

yum install -y mariadb-server pam-devel mariadb-devel vsftpd ftp
# Download the pam_mysql source package
wget http://www.huzs.net/soft/vsftpd/pam_mysql-0.7RC1.tar.gz
# Compile and install pam_mysql
tar xf pam_mysql-0.7RC1.tar.gz && cd pam_mysql-0.7RC1
./configure --with-openssl --with-pam-mods-dir=/lib/security/
make && make install

  2. Create the vsftpd database and the users table

# Start the database
systemctl enable mariadb.service
systemctl start mariadb.service
# Initialise the database
/usr/bin/mysql_secure_installation
CREATE DATABASE vsftpd;
USE vsftpd;
CREATE TABLE users (
  id int AUTO_INCREMENT NOT NULL,
  name char(20) binary NOT NULL,
  password char(48) binary NOT NULL,
  PRIMARY KEY (id)
);

  3. Create the virtual users

INSERT INTO users(name,password) VALUES ('jack',PASSWORD('123456')),('tom',PASSWORD('123456'));

  4. Grant privileges

GRANT ALL ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpdpass';
GRANT ALL ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpdpass';
FLUSH PRIVILEGES;

  5. Configure PAM authentication

# 1. Create the file PAM needs
vim /etc/pam.d/vsftpd.mysql
# 2. Add the following two lines
auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

  6. Create the system user that the virtual users map to

useradd -s /sbin/nologin -d /var/ftproot vuser
setfacl -m u:vuser:rwx /var/ftproot

  7. Modify the vsftpd configuration file to use MySQL authentication

vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser

  8. Give the virtual users different access rights

# 1. Allow virtual users to have individual permission settings
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_conf

# 2. Create the required directory and provide a configuration file for each virtual user
mkdir /etc/vsftpd/vusers_conf
cd /etc/vsftpd/vusers_conf
# Give the virtual users different access rights
vim jack
# Write the following content
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

vim tom
# Write the following content
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

  9. Restart the vsftpd service and test

systemctl restart vsftpd.service

Log in as jack: has upload, create, delete and rename permissions:

Log in as tom: has only upload permission:

Origin www.cnblogs.com/jie-fang/p/11139348.html