vsftpd virtual users

1.1 vsftpd virtual users

How virtual users work:

1) Generate N users. These N users do not need to exist on the Linux system, yet all N of them can log in to the FTP service, which protects the security of the Linux system.

2) How, then, do these N users log in? To access the vsftpd server, only one system user needs to be created (one that is not allowed to log in to the system); every virtual user's request to access vsftpd is mapped to that system user, and the files are served from that user's directory on the system.

3) Virtual users log in through the PAM module /etc/pam.d/vsftpd. A temporary text file (ftpusers.txt, holding accounts and passwords) is written, and the db_load command is used to generate a db database from it, because the PAM module must read the virtual users from that database.

pam_service_name=vsftpd

4) With this parameter, the vsftpd server accesses the db database of accounts and passwords. The system maps the FTP user's request to the system user that really exists, reads the virtual user's configuration file and directory, extracts the appropriate permissions, and completes the virtual user's access request.

1.2 Deploying vsftpd virtual users

1) Install vsftpd (deployed with yum)

2) Create the virtual users' user name and password file

vim /etc/vsftpd/ftpusers.txt

jingfeng1

123

jingfeng2

123

# The user name/password file must use a two-line format per account: the user name on one line and the password on the next

3) Create the db database file required by the PAM module

db_load options:
    -T: enable the database encryption algorithm
    -t: specify the hash algorithm
    -f: specify the file from which the database is generated

4) Create the system user that virtual users are mapped to (without a login shell)

useradd -s /sbin/nologin ftpuser

5) Create the PAM authentication module file

auth: authentication and authorization (checks whether the user name and password are correct);

account: checks whether the user's account has expired, is disabled, and so on;

required: this check must pass; if it fails, authentication does not continue and exits;

pam_userdb.so: authenticates the user against a separate account database;

db=vsftpd_login: specifies the user name and password database file.

6) Modify the main configuration file

#config virtual user FTP

pam_service_name=vsftpd    enable PAM authentication for virtual users;

guest_enable=YES    enable virtual users;

guest_username=ftpuser    map virtual users to the system user ftpuser;

user_config_dir=/etc/vsftpd/vsftpd_user_conf    directory holding the per-virtual-user configuration files;

virtual_use_local_privs=YES    virtual users get the same permissions as local users;

allow_writeable_chroot=YES    confine virtual users to their home directory (which stays writable) and forbid access to any directory outside it.

(1) Create configuration files for the virtual users jingfeng1 and jingfeng2 as follows:

vim /etc/vsftpd/vsftpd_user_conf/jingfeng1, and at the same time create the private virtual directory; the contents are as follows:

local_root=/home/ftpuser/jingfeng1

write_enable=YES

anon_world_readable_only=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

vim /etc/vsftpd/vsftpd_user_conf/jingfeng2, and at the same time create the private virtual directory; the contents are as follows:

local_root=/home/ftpuser/jingfeng2

write_enable=YES

anon_world_readable_only=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

Explanation of the virtual user configuration files:

local_root=/home/ftpuser/jingfeng2    the directory path for the virtual user jingfeng2;

write_enable=YES    allows the logged-in user write access;

anon_world_readable_only=YES    allows anonymous users to read and download files;

anon_upload_enable=YES    allows anonymous users to upload files; only takes effect when write_enable=YES;

anon_mkdir_write_enable=YES    allows anonymous users to create directories; only takes effect when write_enable=YES;

anon_other_write_enable=YES    allows anonymous users other write rights, such as deleting and renaming.

Directory ownership and permissions:

mkdir -p /home/ftpuser/jingfeng{1..2}; chown -R ftpuser:ftpuser /home/ftpuser/

chmod 755 /home/ftpuser
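Steps 2) to 6) and the permission commands above, collected into one script. This is an added example, not code from the original post: the file names, the system user and the db name vsftpd_login are the post's, while keeping the db under /etc/vsftpd and the exact PAM file contents are assumptions.

```shell
#!/bin/sh
# Deploys the vsftpd virtual-user setup described in section 1.2.
# Run as root with the argument "apply"; the helper functions can be
# called on their own without touching the system.
USERS_TXT=/etc/vsftpd/ftpusers.txt
USERS_DB=/etc/vsftpd/vsftpd_login          # assumed location; db_load adds .db
CONF_DIR=/etc/vsftpd/vsftpd_user_conf
SYS_USER=ftpuser                           # the single real, non-login account

# The user file holds one account per two lines (name, then password), so the
# number of non-empty lines must be even. Prints the user names; fails otherwise.
check_userfile() {
    awk 'NF { n++; if (n % 2) print } END { exit (n == 0 || n % 2) }' "$1"
}

# Per-virtual-user configuration from the post, confined to its own directory.
user_conf() {
    printf 'local_root=/home/%s/%s\n' "$SYS_USER" "$1"
    printf 'write_enable=YES\nanon_world_readable_only=YES\n'
    printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n'
    printf 'anon_other_write_enable=YES\n'
}

# Lines the post adds to the main configuration /etc/vsftpd/vsftpd.conf.
main_conf() {
    printf 'pam_service_name=vsftpd\nguest_enable=YES\nguest_username=%s\n' "$SYS_USER"
    printf 'user_config_dir=%s\nvirtual_use_local_privs=YES\n' "$CONF_DIR"
    printf 'allow_writeable_chroot=YES\n'
}

apply() {
    users=$(check_userfile "$USERS_TXT") || { echo "bad format: $USERS_TXT" >&2; return 1; }
    # -T: text-format input, -t hash: hash access method, -f: input file
    db_load -T -t hash -f "$USERS_TXT" "$USERS_DB.db"
    chmod 600 "$USERS_TXT" "$USERS_DB.db"          # both hold clear-text passwords
    id "$SYS_USER" >/dev/null 2>&1 || useradd -s /sbin/nologin "$SYS_USER"
    # PAM file (assumed contents): auth and account checks against the db, path without .db
    printf 'auth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' \
        "$USERS_DB" "$USERS_DB" > /etc/pam.d/vsftpd
    main_conf | while read -r line; do          # append only lines not already present
        grep -qxF "$line" /etc/vsftpd/vsftpd.conf || echo "$line" >> /etc/vsftpd/vsftpd.conf
    done
    mkdir -p "$CONF_DIR"
    for u in $users; do
        user_conf "$u" > "$CONF_DIR/$u"
        mkdir -p "/home/$SYS_USER/$u"
    done
    chown -R "$SYS_USER:$SYS_USER" "/home/$SYS_USER"
    chmod 755 "/home/$SYS_USER"
}

case "${1:-}" in apply) apply ;; esac
```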

 

1.3 Active and passive mode

Active mode: the FTP server initiates the data connection to the client.

Passive mode: the FTP server waits for the client to initiate the data connection (the default mode).

Principles for choosing a mode:

1) If the client has no firewall, use active mode.

2) If the server has no firewall, use passive mode.

3) If both sides have a firewall, vsftpd can restrict the port range: the server opens that range of ports and the client connects in passive mode.

 

Configuring the server for passive mode

Modify the following parameters in /etc/vsftpd/vsftpd.conf:

pasv_enable=YES    enable passive mode

pasv_min_port=5010

pasv_max_port=5015    set the data port range for passive mode

connect_from_port_20=NO    data transfer port 20 is not used

Open the ports in the firewall and test by creating a test file from a client connection.

The test results are as follows

 

 

Configuring active mode

Modify the configuration file /etc/vsftpd/vsftpd.conf:

pasv_enable=NO    disable passive mode; active mode is then used automatically

connect_from_port_20=YES    data transfers use port 20

Create a file from the client to test; the results are as follows

Open ports 21 and 20 in the firewall
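Working out which ports the firewall must open from a given vsftpd.conf, following the active/passive rules above and the parameter defaults listed in section 13 of the appendix. This is an added example, not code from the post; the output format and the "any-ephemeral" marker are this example's own.

```shell
# conf_opt NAME DEFAULT FILE: last uncommented NAME=value in FILE, or DEFAULT.
conf_opt() {
    awk -F= -v k="$1" -v d="$2" '$1 == k && $0 !~ /^#/ { v = $2 } END { print (v == "" ? d : v) }' "$3"
}

# ftp_ports FILE -> e.g. "tcp/21 tcp/5010-5015": the TCP ports to open.
ftp_ports() {
    conf=$1
    ports="tcp/$(conf_opt listen_port 21 "$conf")"          # control connection
    if [ "$(conf_opt pasv_enable YES "$conf")" = YES ]; then
        min=$(conf_opt pasv_min_port 0 "$conf")
        max=$(conf_opt pasv_max_port 0 "$conf")
        if [ "$min" -gt 0 ] && [ "$max" -ge "$min" ]; then
            ports="$ports tcp/$min-$max"                    # only this range is needed
        else
            # 0 means any port: the whole ephemeral range would have to be open,
            # which is why the post pins pasv_min_port/pasv_max_port
            ports="$ports tcp/any-ephemeral"
        fi
    else
        # active mode: the server dials the client from ftp_data_port (20),
        # so that port must be allowed out of the server and into the client
        ports="$ports tcp/$(conf_opt ftp_data_port 20 "$conf")"
    fi
    echo "$ports"
}

# vsftpd rejects blanks around '=' (appendix section 2): prints the offending
# lines with their numbers and returns 1 if any are found, 0 otherwise.
check_syntax() {
    ! grep -nE '^[^#].*([[:space:]]=|=[[:space:]])' "$1"
}
```

Run check_syntax before ftp_ports, since a line such as "pasv_enable = YES" would be ignored by this parser just as vsftpd refuses it.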

 

 

 

 

Appendix: vsftpd parameter description

1. Default configuration:

1> Anonymous users and local users are allowed to log in.

     anonymous_enable=YES

     local_enable=YES

2> The anonymous login user name is ftp or anonymous, with an empty password; anonymous users cannot leave the anonymous home directory /var/ftp, and can only download, not upload.

3> Local users log in with their local user name and password; a local user can read and write in its own home directory; local users can leave their own home directory for other directories they have access to, and can upload/download where permissions allow.

    write_enable=YES

4> Local users listed in the file /etc/vsftpd.ftpusers are prohibited from logging in.

            

2. Configuration file format:

The contents of vsftpd.conf are very simple: one setting per line. Blank lines and lines beginning with # are ignored. There is only one format, shown below

option=value

Note that no blanks may be added on either side of the equal sign.

 

3. Anonymous user settings

anonymous_enable=YES/NO (default YES)

Controls whether anonymous users may log in: YES allows anonymous login, NO forbids it. The default is YES.

write_enable=YES/NO (default YES)

Whether logged-in users have write permission. This is a global setting; the default is YES.

no_anon_password=YES/NO (default NO)

If enabled, anonymous logins are not asked for a password. Default is NO.

ftp_username=ftp

Defines the user name for anonymous login. The default value is ftp.

anon_root=/var/ftp

The login directory for anonymous login. The default is /var/ftp. Note that the ftp directory must not have 777 permissions, i.e. the anonymous user's home directory cannot be mode 777.

anon_upload_enable=YES/NO (default NO)

If set to YES, anonymous logins may upload files (not directories); this only takes effect when write_enable=YES. Of course, anonymous users must also have write permission on the parent directory. Default is NO.

anon_world_readable_only=YES/NO (default YES)

If set to YES, anonymous logins may read downloaded files (the file can be downloaded to the local machine and read there, but cannot be opened directly on the FTP server). The default is YES.

anon_mkdir_write_enable=YES/NO (default NO)

If set to YES, anonymous logins may create directories; this only takes effect when write_enable=YES. Of course, anonymous users must have write permission on the parent directory. Default is NO.

anon_other_write_enable=YES/NO (default NO)

If set to YES, anonymous logins get rights beyond uploading and creating directories, for example deleting or renaming. (If anon_upload_enable=NO, anonymous users cannot upload files but can delete or rename existing files; if anon_mkdir_write_enable=NO, anonymous users cannot create new directories but can delete or rename existing ones.) The default is NO.

chown_uploads=YES/NO (default NO)

Sets whether to change the owner of files (not directories) uploaded by anonymous users. Default is NO.

chown_username=username

Sets the owner name for files (not directories) uploaded by anonymous users. root is not recommended.

anon_umask=077

The umask applied when anonymous logins add or upload files. The default value is 077, corresponding to new file permissions 700.

deny_email_enable=YES/NO (default NO)

If enabled, the file /etc/vsftpd/banner_emails must exist, containing email addresses. Anonymous logins are asked for an email address; if the entered address is in this file, entry is not allowed. Default is NO.

banned_email_file=/etc/vsftpd/banner_emails

This file holds the email addresses; it is only used when deny_email_enable=YES. Anonymous logins are asked for an email address; if the entered address appears in this file, entry is not allowed.

 

4. Local user settings

local_enable=YES/NO (default YES)

Controls whether local users may log in: YES allows local user login, NO forbids it. The default is YES.

local_root=/home/username

When a local user logs in, the login directory is replaced by the defined directory. The default is each user's home directory.

write_enable=YES/NO (default YES)

Whether logged-in users have write permission. This is a global setting; the default is YES.

local_umask=022

The umask for files created by local users. The default value is 077.

file_open_mode=0755

The permissions of files uploaded by local users, using the same values as chmod. The default is 0666.

 

5. Welcome message settings

dirmessage_enable=YES/NO (default YES)

If enabled, when a user first enters a directory, vsftpd checks whether the directory contains a .message file; if so, the contents of this file are displayed. This file usually holds a welcome message or a description of the directory. The default is on.

message_file=.message

Sets the file name of the directory message file; the text to display is written into this file. The default value is .message.

banner_file=/etc/vsftpd/banner

When a user logs in, the contents of the file named here are displayed, usually a welcome message or an explanation. The default is none. Use this item if the welcome message is long.

ftpd_banner=Welcome to BOB's FTP server

Defines the welcome message as a string: banner_file takes a file, while ftpd_banner takes a string. The default is none.

 

6. Controlling whether users may switch to the parent directory

In the default configuration, a local user can use the cd command after logging in to FTP to change to a different directory, which poses a security risk to the system. Three configuration items control whether users may switch directories.

chroot_list_enable=YES/NO (default NO)

Sets whether the user list file specified by chroot_list_file is enabled. Default is NO.

chroot_list_file=/etc/vsftpd.chroot_list

Specifies the user list file used to control which users may switch to the parent of their home directory.

chroot_local_user=YES/NO (default NO)

Specifies whether the users in the list file may switch to the parent directory. Default is NO.

Combining them gives the following effects:

When chroot_list_enable=YES and chroot_local_user=YES, users listed in /etc/vsftpd.chroot_list can switch to other directories; users not listed cannot.

When chroot_list_enable=YES and chroot_local_user=NO, users listed in /etc/vsftpd.chroot_list cannot switch to other directories; users not listed can.

When chroot_list_enable=NO and chroot_local_user=YES, no user can switch to other directories.

When chroot_list_enable=NO and chroot_local_user=NO, all users can switch to other directories.
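The four combinations above applied to a real vsftpd.conf and chroot list, so an administrator can list which local users are not confined to their home directory. This is an added example, not code from the post; defaults are the ones the post gives, and the function names are this example's own.

```shell
# conf_opt NAME DEFAULT FILE: last uncommented NAME=value in FILE, or DEFAULT.
conf_opt() {
    awk -F= -v k="$1" -v d="$2" '$1 == k && $0 !~ /^#/ { v = $2 } END { print (v == "" ? d : v) }' "$3"
}

# can_leave_home CONF USER -> prints "yes" if USER may cd outside its home.
can_leave_home() {
    conf=$1; user=$2
    list_enable=$(conf_opt chroot_list_enable NO "$conf")
    local_user=$(conf_opt chroot_local_user NO "$conf")
    listfile=$(conf_opt chroot_list_file /etc/vsftpd.chroot_list "$conf")
    listed=no
    if [ "$list_enable" = YES ] && [ -r "$listfile" ] && grep -qx "$user" "$listfile"; then
        listed=yes
    fi
    # With the list enabled, a listed user is the exception to chroot_local_user;
    # unlisted users, and everyone when the list is disabled, follow it directly.
    if [ "$listed" = yes ]; then
        [ "$local_user" = YES ] && echo yes || echo no
    else
        [ "$local_user" = YES ] && echo no || echo yes
    fi
}

# unconfined_users CONF USER...: prints the users who can browse outside their
# home, which is the set a reviewer wants to see empty.
unconfined_users() {
    conf=$1; shift
    for u in "$@"; do
        [ "$(can_leave_home "$conf" "$u")" = yes ] && echo "$u"
    done
    return 0
}
```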

 

7. Data transfer mode

When transferring data, FTP can use either binary mode or ASCII mode for uploads and downloads.

ascii_upload_enable=YES/NO (default NO)

Enables ASCII-mode uploads. Default is NO.

ascii_download_enable=YES/NO (default NO)

Enables ASCII-mode downloads. Default is NO.

 

8. Access control settings

There are two kinds of control: one controls host access, the other controls user access.

Host access control:

tcp_wrappers=YES/NO (default YES)

Whether vsftpd works together with tcp_wrappers for host access control. The default is YES. If enabled, the vsftpd server checks the settings in /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host is allowed to access the FTP server. These two files act as a simple firewall.

For example, to allow only hosts in 192.168.0.1-192.168.0.254 to connect to the FTP server, add the following to /etc/hosts.allow:

vsftpd:192.168.0. :allow

all:all :deny

User access control:

User access control is achieved with the files vsftpd.user_list and ftpusers in the /etc directory.

userlist_file=/etc/vsftpd.user_list

The file that controls user access to FTP; user names are read from it, one user name per line.

userlist_enable=YES/NO (default NO)

Whether to enable the vsftpd.user_list file.

userlist_deny=YES/NO (default YES)

Decides how the vsftpd.user_list file controls FTP access. If set to YES, users in vsftpd.user_list are not allowed to access FTP; if set to NO, only the users in vsftpd.user_list can access FTP.

The file /etc/vsftpd/ftpusers defines the list of users who are not allowed to access the FTP server (note: if userlist_enable=YES and userlist_deny=NO, a user present in both ftpusers and vsftpd.user_list still cannot access FTP, i.e. ftpusers has the higher priority). By default both vsftpd.user_list and ftpusers are pre-populated with some system accounts that are not allowed to access the FTP server. If the system does not have these two files, create them and add the users to them.

 

9. Access rate settings

anon_max_rate=0

The maximum transfer speed for anonymous logins, in B/s; 0 means no limit. The default value is 0.

local_max_rate=0

The maximum transfer speed local users may use, in B/s; 0 means no limit. The default is 0.

 

10. Timeouts

accept_timeout=60

Timeout for establishing an FTP connection, in seconds. The default value is 60.

connect_timeout=60

Timeout for establishing a data connection in PORT mode, in seconds. The default value is 60.

data_connection_timeout=120

Timeout for an FTP data connection, in seconds. The default value is 120.

idle_session_timeout=300

How long the FTP server waits without any operation before the FTP connection is disconnected, in seconds. The default value is 300.

 

11. Log file settings

xferlog_enable=YES/NO (default YES)

Whether upload/download logging is enabled. If enabled, upload and download information is fully recorded in the file defined by xferlog_file. On by default.

xferlog_file=/var/log/vsftpd.log

Sets the log file name and path; the default value is /var/log/vsftpd.log.

xferlog_std_format=YES/NO (default NO)

If enabled, the log file is written in the standard xferlog format, as wu-ftpd does. The default is off.

log_ftp_protocol=YES/NO (default NO)

If enabled, all FTP requests and responses are recorded in the log file, by default /var/log/vsftpd.log. When this option is enabled, xferlog_std_format cannot be activated. This option is useful for debugging. Default is NO.

 

12. Defining per-user configuration files

vsftpd can apply a different configuration to each user through per-user configuration files.

user_config_dir=/etc/vsftpd/userconf

Sets the directory holding the per-user configuration files. Once this item is set, when a user logs in to the server, the system looks in the /etc/vsftpd/userconf directory for a file with the same name as the current user and applies the configuration commands in that file to further configure the current user.

For example: define user_config_dir=/etc/vsftpd/userconf, and suppose the host has the users test1 and test2; then create two new files named test1 and test2 in the user_config_dir directory. When test1 logs in, the file test1 under user_config_dir is read. The default is none. Per-user configuration files can be used, for instance, to control the access speed of different users by defining local_max_rate=XX in each user's file.

 

13. How FTP works and port settings

FTP has two modes: PORT FTP (active mode) and PASV FTP (passive mode).

listen_port=21

Sets the port the FTP server listens on for connections; the default is 21.

connect_from_port_20=YES/NO (default YES)

Whether to use the designated port 20 for FTP data transfer; the default value is YES.

ftp_data_port=20

Sets the port used for FTP data connections in PORT mode; the default value is 20.

pasv_enable=YES/NO (default YES)

If set to YES, PASV mode is used; if set to NO, PORT mode is used. The default value is YES, i.e. PASV mode.

pasv_max_port=0

In PASV mode, the upper bound of the port range the data connection may use; 0 means any port. The default value is 0.

pasv_min_port=0

In PASV mode, the lower bound of the port range the data connection may use; 0 means any port. The default value is 0.

 

14. Connection-related settings

listen=YES/NO (default YES)

Sets whether the vsftpd server runs in standalone mode. Running in standalone mode is the preferred way; listen must then be set to YES, which is the default. It is recommended not to change it, as many configuration commands related to the running server only take effect in this mode. If set to NO, vsftpd does not run as an independent service but is managed and controlled by the xinetd service, with limited functionality.

max_clients=0

Sets the maximum number of connections vsftpd allows. The default value is 0, meaning unlimited. If set to 100, 100 simultaneous connections are allowed and any beyond that are rejected. Only effective in standalone mode.

max_per_ip=0

Sets the number of simultaneous connections to the FTP server allowed from each IP address. The default value is 0, meaning unlimited. Only effective in standalone mode.

listen_address=IP address

Sets the IP address on which the FTP server listens for user requests. If not set, all IP addresses bound to the server are listened on. Only effective in standalone mode.

setproctitle_enable=YES/NO (default NO)

Sets whether each connection to the FTP server is shown as a separate process. The default value is NO, in which case ps aux | grep ftp shows only one vsftpd process. If set to YES, there is one vsftpd process per connection.

 

15. Virtual user settings

Virtual users are authenticated through PAM.

pam_service_name=vsftpd

Sets the PAM service name; the default value is /etc/pam.d/vsftpd.

guest_enable=YES/NO (default NO)

Enables virtual users. Default is NO.

guest_username=ftp

The system user that virtual users are mapped to. The default value is ftp.

virtual_use_local_privs=YES/NO (default NO)

When enabled (YES), virtual users have the same privileges as local users. When disabled (NO), virtual users have the same privileges as anonymous users. By default this parameter is off (NO).

 

16. Other settings

text_userdb_names=YES/NO (default NO)

Sets whether commands such as ls -la show UIDs and GIDs or the actual user and group names. The default value is NO, i.e. UID and GID are displayed. To display user and group names, set it to YES.

ls_recurse_enable=YES/NO (default NO)

If enabled, logged-in users may use ls -R (which lists the files in subdirectories of the current directory). Default is NO.

hide_ids=YES/NO (default NO)

If enabled, the owner and group of all files are shown as ftp, i.e. when a logged-in user runs ls -al, the owner and group of every file appear as ftp. The default is off.

download_enable=YES/NO (default YES)

If set to NO, no files can be downloaded to the local machine; folders are not affected. The default is YES.


Origin www.cnblogs.com/xiaoqiang2000/p/11163196.html