Robust and simple file-sharing services

FTP (File Transfer Protocol) is the standard protocol for transferring files over a network; its purpose is to make sharing files easier. This post covers two things that matter in practice: the two FTP transfer modes, and FTP user management.

1. The two FTP modes
In brief:

Active FTP:
control connection: client port >1024 ---> server port 21
data connection:    client port >1024 <--- server port 20
Passive FTP:
control connection: client port >1024 ---> server port 21
data connection:    client port >1024 ---> server port >1024

Explanation:

As shown above, the control connection is established the same way in both modes: the server listens on port 21 and the client initiates a TCP connection to that port. In active mode, once the server has learned over the control connection which port the client is listening on, it "actively" initiates the TCP data connection to that port, using its own port 20 as the source port. In passive mode the server listens on a random port in the range 1024-65535, tells the client that port over the control connection, and the client initiates the TCP data connection to that server port.

Which of the two modes should you choose? Choose passive mode.

If the FTP client is on a private network and the FTP server has a public address (the cloud-host scenario), passive mode must be used: in this scenario the FTP server cannot reach the FTP client inside the private network, while the FTP client can reach the FTP server.

But then the FTP server has to open ports above 1024, which is insecure. What can be done?

Configure the server with a fixed range of high ports, then restrict that port range in the firewall so that only the client's network segments can connect to it.
In addition, limit the client IP addresses by specifying the particular client addresses allowed (only the addresses you list can connect).

Passive mode configuration (vsftpd option names are lowercase and case-sensitive):
connect_from_port_20=NO
# enable passive mode
pasv_enable=YES
# lowest port of the passive-mode range
pasv_min_port=%number%
# highest port of the passive-mode range
pasv_max_port=%number%

2. Creating FTP virtual users (a measure to improve access security)
In brief:

FTP offers three ways to log in: anonymous login, local-user login and virtual-user login.
Anonymous login: log in with the default user name, typically ftp or anonymous.
Local-user login: log in as a system user listed in /etc/passwd.
Virtual-user login: these are users that exist only for FTP; virtual users can be implemented in two ways, a local data file or a database server.
An FTP virtual user exists only on the FTP server. When a virtual user logs in over FTP it can access only the resources the FTP server provides, which greatly improves the security of the system.

Detailed Description:
2.1 Setup
yum -y install vsftpd
Create the virtual-user file holding the virtual user names and passwords, one per line: a user-name line, then its password line, and so on (odd-numbered lines are user names, even-numbered lines are passwords).
vim /etc/vsftpd/vuser.txt
name
passwd
Generate the virtual-user authentication database from that file:
db_load -T -t hash -f /etc/vsftpd/vuser.txt /etc/vsftpd/vuser.db
Edit the vsftpd PAM authentication file /etc/pam.d/vsftpd; its other lines can be commented out. Add the following (pam_userdb appends the .db suffix itself, so the path is given without it):
auth    required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
Create the local user that the virtual users map to, and set the permissions on its home directory (vsftpd refuses to chroot a user into a directory that user can write to):
useradd -d /data -s /sbin/nologin vsftpd
chmod a-w /data
chown -R vsftpd:vsftpd /data
2.2 The configuration file vsftpd.conf

# connection settings
ftpd_banner=welcome to ftp service
# idle timeout: a user who performs no action for longer than this is disconnected by the server
idle_session_timeout=300
# data connection timeout
data_connection_timeout=60
connect_timeout=60
max_clients=100
# allow 3 connections per client
max_per_ip=3
listen_address=192.168.100.100
listen_port=21

# permission settings
# do not allow anonymous users to log in
anonymous_enable=NO
# allow local users to log in (here: the system user vsftpd created above)
local_enable=YES
# allow ASCII-mode uploads (can prevent uploading malicious files such as scripts) without exposing the server to denial of service
ascii_upload_enable=YES

guest_enable=YES
guest_username=vsftpd
# allow anonymous users to upload (here: the virtual users mapped to the system user)
anon_upload_enable=YES
# allow anonymous users to create directories and write
anon_mkdir_write_enable=YES

# enable write permission globally
write_enable=YES
# with this set, directories uploaded by clients get mode 755 and files get mode 644
anon_umask=022
# the following are the system defaults
# allow per-directory messages: the contents of the message_file in each directory are shown
dirmessage_enable=YES
# xferlog_enable=YES enables logging of upload/download activity
xferlog_enable=YES
# connect_from_port_20=YES enables data connections from FTP data port 20
connect_from_port_20=YES
xferlog_std_format=YES

pam_service_name=vsftpd
# use the TCP_Wrappers remote access control mechanism in vsftpd; the default is YES
tcp_wrappers=YES

Settings that deserve special emphasis:

# enable virtual users; the system user the virtual users map to; the PAM service (authentication file)
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd

# With the configuration so far, virtual users can only upload and download files; they cannot modify files on the FTP server.
How can they be allowed to modify and delete files?
# grant virtual users write permission (i.e. modify and delete operations)
anon_other_write_enable=YES
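As an added example (not from the original post), the following Python audit parses a vsftpd.conf fragment and checks the points discussed above: the passive port range from section 1, anonymous access, and the virtual-user write permission, and it emits a firewalld rich rule that limits the passive range to the client segment. The sample config, the 203.0.113.10 address and the helper names are constructed assumptions.

```python
VSFTPD_DEFAULTS = {  # vsftpd.conf(5) defaults for the options audited below
    "anonymous_enable": "YES", "pasv_enable": "YES", "pasv_min_port": "0",
    "pasv_max_port": "0", "guest_enable": "NO", "anon_other_write_enable": "NO",
}
SAMPLE_CONF = """\
# constructed sample in the post's style; PASV_address is deliberately mis-cased
anonymous_enable=NO
guest_enable=YES
anon_other_write_enable=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30100
PASV_address=203.0.113.10
"""
def parse_vsftpd(text):
    """One key=value per line, '#' lines are comments; there are no trailing comments."""
    conf = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf
def audit_vsftpd(conf):
    """Return (findings, passive_range); passive_range is (lo, hi) or None."""
    c = {**VSFTPD_DEFAULTS, **conf}  # fill in what the file leaves at default
    findings = []
    for key in conf:  # option names are case-sensitive and lowercase
        if key != key.lower():
            findings.append(f"{key}: mis-cased option, vsftpd rejects it at start-up")
    if c["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: anonymous logins are allowed")
    rng = None
    if c["pasv_enable"] == "YES":
        lo, hi = int(c["pasv_min_port"]), int(c["pasv_max_port"])
        if 0 < lo <= hi:
            rng = (lo, hi)
        else:
            findings.append("passive data ports unrestricted: set pasv_min_port/pasv_max_port")
    if c["guest_enable"] == "YES" and c["anon_other_write_enable"] == "YES":
        findings.append("anon_other_write_enable=YES: virtual users may rename/delete, not only upload")
    return findings, rng
def firewall_rule(rng, client_net):
    """firewalld rich rule admitting only client_net to the passive port range."""
    return (f"firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source "
            f"address=\"{client_net}\" port port=\"{rng[0]}-{rng[1]}\" protocol=\"tcp\" accept'")
```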

2.3 Start vsftpd
systemctl start vsftpd


Source: blog.51cto.com/12191723/2435628