A, FTP service principle
FTP (File Transfer Protocol) is a very old and is widely used file transfer protocol, FTP protocol is now the most widely used network file sharing protocol one, we now also have been carried out in various documents with the FTP protocol transfers, FTP provides a reliable way for us to share files over a network
FTP is a C / S architecture services, has a server and a client, FTP over TCP as the underlying transport protocol, the protocol is a secure FTP file transfer, FTP provides two port numbers, and 20 port 21, a data interface 20, to provide data transmission between, command interface 21 is provided between the transmission command
FTP server and client connections generally have two modes: active mode (Active Mode) and passive mode (Passive Mode)
① active mode principle as shown below:
The active mode, the client will send to the first port 21 of a server connection command, connection establishment request to the server, then the server response back to the client, the client sends and requests a port for transmitting data, the port number to> 1023, the server side port 20 at this time will take the initiative to establish the connection, the client and the server data terminal and the data transfer port
② passive mode principle as shown below:
The active mode is different is that 21 to establish a connection in passive mode, the client is the first server-side port, after this time the server will open a data transfer port a> number of 1023, and returned to the client, this time the client will open a port> 1023, then the data transfer will take the initiative to talk to the client server to establish a connection port, to transfer data between the two
So, the difference between active mode and passive mode is that what is the 20-port server initiates a connection to the client, or server-side open a random port, waiting for a client to its initiative to establish a connection. In our production environment, usually still use the passive mode connection, because we have a server-side configuration of the firewall, and the firewall port for connection to external networks are generally released within the network, the network inside out to connect to network port is usually limited, so then if we use active mode connections, then port may be blocked by the firewall, which can not provide our FTP service
Two, vsfptd installation
Under Linux, we are the most widely used FTP service program is vsftpd (Very Secure FTP Daemon), we can also see from the name, it provides a very secure FTP service. vsftpd is the name of the server running on a UNIX-like operating system that can run on, such as, BSD, Solaris, HP-UX and IRIX on top of Linux. It supports many other FTP server does not support the feature. E.g:
① very high security requirements ② ③ bandwidth limits the possibility of creating a virtual user ④ high-speed ...
It can be said vsftpd provides us with a fast, stable and very secure FTP service
This is not installed by default vsftpd FTP program in CentOS, we installed via yum install vsfptd
[root@xiaoluo ~]# yum install -y vsftpd Loaded plugins: fastestmirror, refresh-packagekit, security Loading mirror speeds from cached hostfile * base: ftp.nsysu.edu.tw * extras: ftp.nsysu.edu.tw * updates: ftp.twaren.net Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package vsftpd.x86_64 0:2.2.2-11.el6_4.1 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: vsftpd x86_64 2.2.2-11.el6_4.1 updates 151 k Transaction Summary ================================================================================ Install 1 Package(s) Total download size: 151 k Installed size: 331 k Downloading Packages: vsftpd-2.2.2-11.el6_4.1.x86_64.rpm | 151 kB 00:01 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : vsftpd-2.2.2-11.el6_4.1.x86_64 1/1 Verifying : vsftpd-2.2.2-11.el6_4.1.x86_64 1/1 Installed: vsftpd.x86_64 0:2.2.2-11.el6_4.1 Complete!
So we installed our vsftpd service program, and when installed vsftpd we can look at some of the program's configuration file, all its configuration files are stored in the / etc under / vsftpd / directory
[root@xiaoluo ~]# cd /etc/vsftpd/ [root@xiaoluo vsftpd]# ls -l total 20 -rw-------. 1 root root 125 Mar 1 18:16 ftpusers -rw-------. 1 root root 361 Mar 1 18:16 user_list -rw-------. 1 root root 4599 Mar 1 18:16 vsftpd.conf -rwxr--r--. 1 root root 338 Mar 1 18:16 vsftpd_conf_migrate.sh
Which a total of four profiles, vsftpd.conf is our main configuration file, ftpusers is our blacklist user profiles, system users as well as our usual root users are placed in this configuration file inside, because these users a lot of permission, if you use ftp service may cause some problems, user_list our user list file, we can set up in the main configuration file that the user is the user blacklist or whitelist has the last one is our ftp service migration script
After our vsftpd program installed, we can see a ftp folder under / var directory, this folder is the shared folder of our ftp
[@ xiaoluo the vsftpd the root] # CD / var / FTP / [@ xiaoluo the root FTP] LS # Pub
Three, FTP users, and how to file sharing
vsftpd is by using the user management as a unit, you want to access shared files to a ftp, you must be logged in to a particular user identity, we can configure what types of users:
① Normal user (user system)
Our system user is normal user operating system, installation of a variety of services in general we can use the services they provide through the system user login
First, we start our vsftpd this service, here we come to use our current system users visit our ftp through a graphical interface tools provided by CentOS
[root@xiaoluo ftp]# service vsftpd start Starting vsftpd for vsftpd: [ OK ]
Enter our current system user name and password to log in to go up, we go up to use the system user login, the default folder opened our user's home directory, as long as the user has access to files and folders, the user can access
② anonymous user (anonymous)
All our services are supported by an FTP user login, we can not enter any login information you will be able to come in
We see that we do not enter any information is also able to log on our ftp, which is based on an anonymous user login.
By default, vsftpd will be created when the installation of a system ftp user, the user is used for anonymous user login, the user's default login to the anonymous ftp directory is / var / ftp / directory, without any access restrictions rights files can provide anonymous users to share
[root@xiaoluo ftp]# cat /etc/passwd | grep ftp ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
So our FTP Why can it be landing an anonymous user? The main configuration file because vsftpd.conf configured
[root@xiaoluo ftp]# cat /etc/vsftpd/vsftpd.conf # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES // 允许匿名用户进行登陆 # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # The target log file can be vsftpd_log_file or xferlog_file. # This depends on setting xferlog_std_format parameter xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # The name of log file when xferlog_enable=YES and xferlog_std_format=YES # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log #xferlog_file=/var/log/xferlog # # Switches between logging into vsftpd_log_file and xferlog_file files. # NO writes to vsftpd_log_file, YES to xferlog_file xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! #listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES
We see that the configuration file of anonymous_enable = YES is to allow our anonymous user logon, if it is set to NO, so that anonymous users can not log on
③ virtual users (ftp-only)
The user is specifically created only for the use of ftp users, usually with less
We landed FTP, not only can use the GUI interface provides CentOS, you can also use the tools at our command line login, we are using here is lftp, likewise we also need to be installed
[root@xiaoluo ~]# yum install -y lftp Loaded plugins: fastestmirror, refresh-packagekit, security Loading mirror speeds from cached hostfile * base: ftp.nsysu.edu.tw * extras: ftp.nsysu.edu.tw * updates: ftp.twaren.net Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package lftp.x86_64 0:4.0.9-1.el6 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: lftp x86_64 4.0.9-1.el6 base 753 k Transaction Summary ================================================================================ Install 1 Package(s) Total download size: 753 k Installed size: 2.5 M Downloading Packages: lftp-4.0.9-1.el6.x86_64.rpm | 753 kB 00:10 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : lftp-4.0.9-1.el6.x86_64 1/1 Verifying : lftp-4.0.9-1.el6.x86_64 1/1 Installed: lftp.x86_64 0:4.0.9-1.el6 Complete!
So that we can use to visit our ftp lftp the
① direct use lftp 127.0.0.1 landing
[root@xiaoluo ~]# lftp 127.0.0.1 lftp 127.0.0.1:~> pwd ftp://127.0.0.1 lftp 127.0.0.1:~> ls drwxr-xr-x 2 0 0 4096 Mar 01 10:16 pub
This landing is on the anonymous ftp user logs in, we can see the directory after landing inside is / var / pub this shared directory
② use lftp -u xiaoluo 127.0.0.1 landing
[root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1 Password: lftp [email protected]:~> pwd ftp://[email protected] lftp [email protected]:~> ls drwxr-xr-x 2 500 500 4096 May 26 05:22 Desktop drwxr-xr-x 3 500 500 4096 May 19 16:10 Documents drwxr-xr-x 2 500 500 4096 May 13 17:36 Downloads drwxr-xr-x 2 500 500 4096 May 13 17:36 Music drwxr-xr-x 2 500 500 4096 May 13 17:36 Pictures drwxr-xr-x 2 500 500 4096 May 13 17:36 Public drwxr-xr-x 2 500 500 4096 May 13 17:36 Templates drwxr-xr-x 2 500 500 4096 May 13 17:36 Videos
PS: turn off SELinux firewall (high version of the release have turned security); otherwise the authority to operate
su vim /etc/selinux/config
Find " SELINUX = enforcing" changed to " SELINUX = Disabled"; after doing the following:
|
1
|
>setenforce
0
//或者重启生效
|
We can also specify -u to us by way of the system user login ftp, after the user logs on the system, the default landing folder is the root of our users
Fourth, users upload files via ftp, download operation
① normal users to upload, download operation
We can also upload files through the lftp command, downloading, respectively, using put and get commands
For example, I now create a file in xiaoluo xiaoluo.txt the user's home directory, and then we will download it from the ftp command to get through
[xiaoluo xiaoluo @ ~] $ Touch xiaoluo.txt [xiaoluo xiaoluo @ ~] $ LS Desktop Downloads Pictures Templates xiaoluo.txt Documents Public Music Videos [xiaoluo xiaoluo @ ~] $ su - Password: [root @ xiaoluo ~] # lftp - xiaoluo 127.0.0.1 U Password: lftp [email protected]: ~> LS drwxr XR-2 X-26 is 500 500 4096 On May 05:22 Desktop drwxr XR-X-500. 3. 19 500 4096 On May 16:10 Documents drwxr-XR On May 2 4096 500 500 the -X-13 is 17:36 Downloads drwxr XR-2 X-13 is 500 500 4096 On May 17:36 Music drwxr XR-2 X-13 is 500 500 4096 On May 17:36 Pictures drwxr-xr-x 2 500 500 4096 May 13 17:36 Public drwxr-xr-x 2 500 500 4096 May 13 17:36 Templates drwxr-xr-x 2 500 500 4096 May 13 17:36 Videos -rw-rw-r-- 1 500 500 0 Jun 08 16:20 xiaoluo.txt lftp [email protected]:~> get xiaoluo.txt lftp [email protected]:~> exit [root@xiaoluo ~]# ls anaconda-ks.cfg Desktop install.log install.log.syslog xiaoluo.txt
We see that we have just landed xiaoluo by the user, and then create a directory in their home xiaoluo.txt of a file, and then we switched to the root directory, first of all visit our lftp, then get down to download the file command , then we can find there xiaoluo.txt just downloaded the file under the root user's home directory
[ Note: ] My current root directory in which the user is through lftp landing, when downloading a file will be downloaded to the directory
We can also use the put command to upload the file to the ftp
[root@xiaoluo ~]# touch root.txt [root@xiaoluo ~]# ls anaconda-ks.cfg install.log root.txt Desktop install.log.syslog xiaoluo.txt [root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1 Password: lftp [email protected]:~> put root.txt lftp [email protected]:~> ls drwxr-xr-x 2 500 500 4096 May 26 05:22 Desktop drwxr-xr-x 3 500 500 4096 May 19 16:10 Documents drwxr-xr-x 2 500 500 4096 May 13 17:36 Downloads drwxr-xr-x 2 500 500 4096 May 13 17:36 Music drwxr-xr-x 2 500 500 4096 May 13 17:36 Pictures drwxr-xr-x 2 500 500 4096 May 13 17:36 Public drwxr-xr-x 2 500 500 4096 May 13 17:36 Templates drwxr-xr-x 2 500 500 4096 May 13 17:36 Videos -rw-r--r-- 1 500 500 0 Jun 08 16:26 root.txt -rw-rw-r-- 1 500 500 0 Jun 08 16:20 xiaoluo.txt lftp [email protected]:~> exit [root@xiaoluo ~]# cd /home/xiaoluo/ [root@xiaoluo xiaoluo]# ls Desktop Downloads Pictures root.txt Videos Documents Music Public Templates xiaoluo.txt
I created in the root directory of the home root.txt this file, and then uploaded to the ftp xiaoluo by the user, then we switch to the home directory xiaoluo found that the file has been uploaded go up
[ Note: ] We use ftp file upload, download operation, ensure that the user has read and write directory permissions! ! !
② anonymous users to upload, download operation
Our anonymous ftp user landing after the default shared folder permissions only to read, which can only download files from a shared directory operations in
[xiaoluo the root @ ~] # CD / var / FTP / Pub / [the root @ xiaoluo Pub] Touch xiaoluo.txt # [@ xiaoluo the root Pub] # LS xiaoluo.txt [@ xiaoluo the root Pub] CD # [@ xiaoluo the root ~ ] 127.0.0.1 # lftp lftp 127.0.0.1:~> Pub CD / lftp 127.0.0.1:/pub> LS -rw-R & lt - r-- On Jun. 1 0 08 0 0 16:39 xiaoluo.txt lftp 127.0.0.1 : / Pub> GET xiaoluo.txt lftp 127.0.0.1:/pub> Exit [xiaoluo the root @ ~] # LS Anaconda-install.log.syslog xiaoluo.txt the install.log the ks.cfg Desktop
So how do we upload files to achieve it by setting?
(1) Modify vsftpd master configuration file open anonymous users upload function :
= YES anonymous_enable - open access to anonymous users (default)
= YES anon_upload_enable - open anonymous users to upload files
= YES anon_mkdir_write_enable - open anonymous users to create folders function
[root@xiaoluo ~]# vim /etc/vsftpd/vsftpd.conf # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # The target log file can be vsftpd_log_file or xferlog_file. # This depends on setting xferlog_std_format parameter xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # The name of log file when xferlog_enable=YES and xferlog_std_format=YES # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log #xferlog_file=/var/log/xferlog # # Switches between logging into vsftpd_log_file and xferlog_file files. # NO writes to vsftpd_log_file, YES to xferlog_file xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! #listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES
(2) file gives anonymous users to upload the folder to use the authority to write
[xiaoluo in to the root @ ~] # the CHMOD of 2777 / the var / the ftp / designed for pub / [in to the root xiaoluo @ ~] # ls is ld / the var / the ftp / designed for pub / drwxrwsrwx. 2 root root 4096 Jun 9 00:42 / var / ftp / pub /
At this point we restart our vsftpd service, you can use an anonymous user to upload a file operation
[root@xiaoluo ~]# service vsftpd restart Shutting down vsftpd: [ OK ] Starting vsftpd for vsftpd: [ OK ] [root@xiaoluo ~]# ls anaconda-ks.cfg Desktop install.log install.log.syslog [root@xiaoluo ~]# touch xiaoluo.txt [root@xiaoluo ~]# ls anaconda-ks.cfg Desktop install.log install.log.syslog xiaoluo.txt [root@xiaoluo ~]# lftp 127.0.0.1 lftp 127.0.0.1:~> cd pub/ lftp 127.0.0.1:/pub> ls lftp 127.0.0.1:/pub> put xiaoluo.txt lftp 127.0.0.1:/pub> exit [root@xiaoluo ~]# cd /var/ftp/pub/ [root@xiaoluo pub]# ls xiaoluo.txt
We see, xiaoluo.txt file we created in the root directory home go up already logged uploaded by an anonymous user
[ Note: ] We can not be the anonymous user's home directory permissions set to 777, which is / var / ftp directory, and its subdirectories can only set permissions to 777, because vsftp think it is very safe, If this is set, vsftpd will prohibit access to the anonymous user's home directory