FTP service deployment
FTP transfer mechanism:
The FTP client sends its commands to the server over port 21 (the control connection), while data is transferred over port 20 (the data connection). Depending on how the data connection is set up, VSFTP works in one of two modes, active or passive; in most cases VSFTP works in passive mode.
Active mode:
1. The client opens a connection from a random port greater than 1024 to port 21 on the FTP server
2. After receiving the request, the server actively connects from port 20 to the client's random port + 1; if that port is in use it tries random port + 2, and so on, until it finds a free port on the client
3. The client and server transfer data through port 20
Passive mode:
1. The client opens a connection from a random port greater than 1024 to port 21 on the FTP server
2. The server replies to the client over port 21 with a message of the form (xyz, ab), telling the client the random port number the server has opened, which is xyz * 256 + ab
3. The client then connects to the server's random port xyz * 256 + ab for the data transfer
In reality both the client and the server are usually behind a firewall. In active mode VSFTP connects to the client's random port + 1, and the client obviously cannot open every random port on its firewall; in passive mode the same problem is simply moved to the firewall in front of the server, which requires connection tracking to be enabled on the server firewall, that is, the data port associated with the port 21 request is opened on demand. This is why VSFTP operates in passive mode in most cases.
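As an added example (not part of the original article), the following shell functions do the port arithmetic described above: pasv_port decodes a 227 reply such as "227 Entering Passive Mode (192,168,4,1,96,20)" into the data port xyz * 256 + ab (here 96 * 256 + 20 = 24596), pasv_host extracts the server address from the same reply, port_args performs the inverse encoding a client uses in the active-mode PORT command, and in_pasv_range checks a decoded port against the pasv_min_port/pasv_max_port range that a server firewall would be configured to allow. The reply text and addresses are constructed sample values; the 24500-24600 range is the one used in the configuration reference at the end of the article.

```shell
#!/bin/sh
# Constructed sample reply, as a server would send it on the port-21 control connection.
SAMPLE_PASV='227 Entering Passive Mode (192,168,4,1,96,20)'

# Extract the comma-separated numbers inside the parentheses of a 227 reply.
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# Data port announced in a 227 reply: xyz*256 + ab (the fifth and sixth numbers).
pasv_port() {
    f=$(pasv_fields "$1")
    [ -n "$f" ] || return 1                       # not a 227 reply
    p1=$(printf '%s\n' "$f" | cut -d, -f5)
    p2=$(printf '%s\n' "$f" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Server address announced in the same reply (the first four numbers).
pasv_host() {
    f=$(pasv_fields "$1")
    [ -n "$f" ] || return 1
    printf '%s\n' "$f" | cut -d, -f1-4 | tr , .
}

# Inverse encoding, as a client sends it in the active-mode PORT command:
# the four host octets, then port/256 and port%256.
port_args() {
    printf '%s,%s,%s\n' "$(printf '%s' "$1" | tr . ,)" $(($2 / 256)) $(($2 % 256))
}

# Does a decoded port fall inside the pasv_min_port..pasv_max_port range
# that the server firewall has been told to allow?
in_pasv_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Stand-alone demonstration on the constructed reply.
echo "reply:     $SAMPLE_PASV"
echo "data host: $(pasv_host "$SAMPLE_PASV")"
echo "data port: $(pasv_port "$SAMPLE_PASV")"
echo "PORT args: $(port_args 192.168.4.1 "$(pasv_port "$SAMPLE_PASV")")"
```

The same arithmetic is what a firewall with FTP connection tracking performs when it reads the 227 reply on the control connection and opens the announced data port for that client only.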
vsftp deployment:
Environment Description:
Server system: CentOS 7.5; 2 GB memory; 30 GB hard drive
Client system: Windows 10; software: Xftp client
Note: 1) Follow the working directory of every step exactly; do not mix them up
2) A detailed explanation of the configuration options is given in the final part of this article
3) vsftpd is installed with yum
VSFTP login types:
VSFTP provides three different ways to log in: as a system user, as an anonymous user, and as a virtual user. Every virtual user is mapped to a system user, and the directory a virtual user sees when accessing the file system is that system user's home directory; the anonymous user is itself a virtual user, mapped to the system user ftp. Details can be found with man vsftpd.conf
1. Install vsftp
[root@linuxMA ~]# yum -y install vsftpd*
2. Use rpm -qc to list vsftpd's configuration files
[root@linuxMA ~]# rpm -qc vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
# Description of the configuration files
/etc/logrotate.d/vsftpd    log rotation configuration file
/etc/pam.d/vsftpd    authentication file for PAM (Pluggable Authentication Modules)
/etc/vsftpd/ftpusers    controls which system users may log in: users listed in this file are not allowed to use the FTP server; the check is defined in /etc/pam.d/vsftpd
/etc/vsftpd/user_list    together with userlist_enable=YES and userlist_deny=YES|NO in /etc/vsftpd/vsftpd.conf, implements a blacklist or a whitelist. Note that both lists require userlist_enable=YES in /etc/vsftpd/vsftpd.conf. userlist_deny defaults to YES (blacklist): users appearing in the file are not allowed to log in to VSFTP. Even when userlist_deny=NO (whitelist) is set by hand, so that only the users appearing in the file may log in, VSFTP still checks the /etc/vsftpd/ftpusers file and blocks the users listed there
/etc/vsftpd/vsftpd.conf    VSFTP's main configuration file. Every option must be written starting at the beginning of the line; in the configuration file, a '#' followed by a space introduces an explanatory comment, while a '#' with no space marks a commented-out configuration option
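The blacklist/whitelist rules above are easy to get wrong, so here is an added shell example (not from the original article or from the vsftpd project) that applies them offline to copies of the three files: conf_get reads an option's value from a vsftpd.conf-style file, ftp_login_allowed tells whether a given local user would get past the user_list and ftpusers checks, and conf_lint flags option lines that are not written key=value starting at the beginning of the line, which vsftpd refuses. The file paths are arguments so the functions can be run against test copies. Two assumptions: only lines of the exact form key=value are read, and when an option is repeated the last occurrence is taken.

```shell
#!/bin/sh
# Print the effective value of an option from a vsftpd.conf-style file.
# Only lines of the exact form key=value count (comments and blank lines are
# skipped); this example assumes the last occurrence of a repeated option wins.
conf_get() {
    awk -F= -v k="$1" '!/^#/ && $1 == k { v = $2 } END { print v }' "$2"
}

# Flag option lines vsftpd will refuse: an option must begin in column 1 and be
# written key=value with no spaces around the '='.  Prints "line: text" for each
# offender; exit status 1 if any were found.
conf_lint() {
    awk '!/^#/ && !/^$/ && !/^[A-Za-z_]+=/ { print NR ": " $0; bad = 1 } END { exit bad }' "$1"
}

# Is $1 present as a whole line in list file $2?  A missing file lists nobody.
listed_in() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# ftp_login_allowed USER VSFTPD_CONF USER_LIST FTPUSERS
# Exit 0 if the list checks let USER proceed to password authentication,
# 1 otherwise; the reason is printed either way.
ftp_login_allowed() {
    user=$1 conf=$2 ulist=$3 fusers=$4
    # ftpusers is enforced by pam_listfile in /etc/pam.d/vsftpd and applies
    # regardless of the user_list settings.
    if listed_in "$user" "$fusers"; then
        echo "refused: $user is listed in ftpusers"; return 1
    fi
    if [ "$(conf_get userlist_enable "$conf")" = YES ]; then
        deny=$(conf_get userlist_deny "$conf")
        [ -n "$deny" ] || deny=YES                 # unset means YES: blacklist
        if [ "$deny" = YES ] && listed_in "$user" "$ulist"; then
            echo "refused: $user is on the user_list blacklist"; return 1
        fi
        if [ "$deny" = NO ] && ! listed_in "$user" "$ulist"; then
            echo "refused: $user is not on the user_list whitelist"; return 1
        fi
    fi
    echo "allowed: $user proceeds to password authentication"
}
```

Usage on a live host would be, for example, `ftp_login_allowed zhangsan /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list /etc/vsftpd/ftpusers`; run `conf_lint /etc/vsftpd/vsftpd.conf` before restarting the service, since a single mis-indented option stops vsftpd from starting.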
3. Back up the configuration file with cp
[root@linuxMA ~]# cd /etc/vsftpd/
[root@linuxMA vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@linuxMA vsftpd]# cp vsftpd.conf vsftpd.conf.bak
[root@linuxMA vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
1) Configure anonymous users
[root@linuxMA vsftpd]# vim vsftpd.conf
write_enable=YES
anon_umask=022
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
# whether anonymous users get other write permissions (rename, delete, overwrite)
anon_other_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Start the vsftpd service and check that it started successfully
[root@linuxMA vsftpd]# systemctl start vsftpd
[root@linuxMA vsftpd]# netstat -lnpt |grep vsftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 34531/vsftpd
# Login test:
# Login successful:
# Modify permissions:
[root@linuxMA ~]# cd /var/ftp/
[root@linuxMA ftp]# ll
0 Total amount
drwxr-xr-x 2 root root 6 8月 3 2017 pub
[root@linuxMA ftp]# chown ftp:ftp pub/
[root@linuxMA ftp]# ll
0 Total amount
drwxr-xr-x 2 ftp ftp 21 9月 16 10:16 pub
Key point: change the owner of the FTP root directory. If you do not, the directory can only be accessed and none of the other permissions take effect, because access happens under the identity of the ftp user, while pub's owner and group are root by default.
Note: (1) after modifying the configuration you need to restart the service for it to take effect
(2) you also need to log in again from the client, otherwise the modified configuration has no visible effect.
2) Configure system users
1. Create the test users zhangsan and lisi, both with password "123456"
[root@linuxMA ~]# useradd zhangsan
[root@linuxMA ~]# useradd lisi
[root@linuxMA ~]# echo "123456" |passwd --stdin zhangsan
更改用户 zhangsan 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@linuxMA ~]# echo "123456" |passwd --stdin lisi
更改用户 lisi 的密码 。
passwd:所有的身份验证令牌已经成功更新。
2. Modify the configuration file
[root@linuxMA ~]# vim /etc/vsftpd/vsftpd.conf
local_enable=YES
local_umask=077
chroot_local_user=YES
allow_writeable_chroot=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
[root@linuxMA ~]# vim /etc/vsftpd/user_list    // add the users to the whitelist
zhangsan
lisi
[root@linuxMA ~]# systemctl restart vsftpd    // restart the service
# Login test:
# Login successful:
# Add a file and test
[root@linuxMA ~]# cd /home/zhangsan/
[root@linuxMA zhangsan]# touch zhangsan.txt
3) Configure virtual users
1. Create the system account for the virtual FTP users
[root@linuxMA ~]# useradd -s /sbin/nologin vu
2. Create the virtual user file
[root@linuxMA ~]# cd /etc/vsftpd/
[root@linuxMA vsftpd]# vim user
wangwu
12345
maliu
12345
Odd lines are usernames, even lines are passwords
3. Use the db_load tool to create a database file in Berkeley DB format
[root@linuxMA vsftpd]# db_load -T -t hash -f user user.db
[root@linuxMA vsftpd]# ls
ftpusers user user.db user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
db_load -T -t hash -f user user.db
-f    specifies the source data file
-T    allows text-format data files from applications other than Berkeley DB to be converted into a DB data file
-t hash    the access method used for the database
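pam_userdb stores the passwords from this file in clear text, so the text file and the generated user.db should be readable by root only. As an added example (not part of the original article), the shell function vuser_check below verifies the user file before db_load is run: an even number of lines, no blank or duplicate usernames, no empty passwords. vuser_build then wraps the db_load command from above and tightens the permissions of both files. db_load itself is not installed by the example; on CentOS 7 it is assumed to come from the libdb-utils package.

```shell
#!/bin/sh
# Validate a vsftpd virtual-user source file laid out as
#   user1
#   password1
#   user2
#   password2
# (odd lines are usernames, even lines are passwords).  Prints the usernames
# on success and returns 1 on any problem, reporting it on stderr.
vuser_check() {
    file=$1
    lines=$(grep -c '' "$file") || lines=0        # counts a last line without newline too
    if [ "$lines" -eq 0 ] || [ $((lines % 2)) -ne 0 ]; then
        echo "error: $file has $lines lines; every username line needs a password line" >&2
        return 1
    fi
    awk '
        NR % 2 == 1 {                               # odd line: username
            user = $0
            if ($0 == "" || $0 ~ /[ \t]/) {
                print ("error: line " NR ": invalid username \"" $0 "\"") > "/dev/stderr"; bad = 1
            } else if ($0 in seen) {
                print ("error: line " NR ": duplicate username " $0) > "/dev/stderr"; bad = 1
            }
            seen[$0] = 1
            print                                   # list the usernames
            next
        }
        $0 == "" {                                  # even line: password
            print ("error: line " NR ": empty password for user " user) > "/dev/stderr"; bad = 1
        }
        END { exit bad }
    ' "$file"
}

# Build SRC.db from SRC with db_load exactly as in the article, then make both
# files root-only because they hold plaintext credentials.
vuser_build() {
    src=$1
    vuser_check "$src" >/dev/null || return 1
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not found (assumed to be in the libdb-utils package)" >&2
        return 1
    fi
    db_load -T -t hash -f "$src" "$src.db" || return 1
    chmod 600 "$src" "$src.db"
}
```

Running `vuser_build user` in /etc/vsftpd replaces the manual `db_load -T -t hash -f user user.db` step; a file with an odd line count or a repeated username is rejected before a broken database can be produced.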
4. Create the PAM authentication file that supports virtual users
[root@linuxMA vsftpd]# vim /etc/pam.d/vsftpd.vu
Add the following two lines
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/user
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/user
db=/etc/vsftpd/user refers to the user.db file generated a moment ago (pam_userdb adds the .db suffix itself)
5. Modify the configuration file
[root@linuxMA vsftpd]# vim vsftpd.conf
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
userlist_enable=YES
tcp_wrappers=YES
allow_writeable_chroot=YES
guest_enable=YES
guest_username=vu
pam_service_name=vsftpd.vu
local_enable=YES
local_umask=077
chroot_local_user=YES
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/user_dir
6. Create a separate configuration directory and file for the user
[root@linuxMA vsftpd]# mkdir /etc/vsftpd/user_dir
[root@linuxMA vsftpd]# ls
ftpusers user user.db user_dir user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
[root@linuxMA vsftpd]# cd /etc/vsftpd/user_dir
[root@linuxMA user_dir]# vim wangwu
local_root=/etc/vsftpd/data    // storage path for the virtual user's data
# Create the directory for the virtual users' data
[root@linuxMA user_dir]# cd ..
[root@linuxMA vsftpd]# mkdir data
[root@linuxMA vsftpd]# chmod 777 data/
# Restart the service
[root@linuxMA ]# systemctl restart vsftpd
Login test:
# Login successful. Add a file to test
[root@linuxMA vsftpd]# cd data/
[root@linuxMA data]# touch wangwu.txt
Key point: local users and virtual users cannot log in at the same time, because only one authentication method can be active:
local users use pam_service_name=vsftpd
virtual users use pam_service_name=vsftpd.vu
Detailed explanation of the configuration file
# Common anonymous FTP options
anonymous_enable=YES    whether anonymous users may access the server
anon_umask=022    permission mask for files uploaded by anonymous users
anon_root=/var/ftp    FTP root directory for anonymous users
anon_upload_enable=YES    whether anonymous users may upload files
anon_mkdir_write_enable=YES    whether anonymous users may create directories
anon_other_write_enable=YES    whether anonymous users have other write permissions (rename, delete, overwrite)
anon_max_rate=0    maximum transfer rate (bytes/second); 0 means unlimited
# Common local user FTP options
local_enable=YES    whether local system users may access the server
local_umask=022    permission mask for files uploaded by local users
local_root=/var/ftp    FTP root directory for local users
chroot_list_enable=YES    whether to enable the chroot environment; not enabled by default
chroot_list_file=/etc/vsftpd/chroot_list    users written in /etc/vsftpd/chroot_list cannot leave the chroot environment; by default they can
chroot_local_user=YES    all users written in /etc/vsftpd/chroot_list can leave the chroot environment, the opposite of the above
local_max_rate=0    maximum transfer rate (bytes/second); 0 means unlimited
# Common global options
listen=YES    whether to listen as a standalone service
listen_address=192.168.4.1    IP address the FTP service listens on
listen_port=21    port the FTP service listens on
write_enable=YES    whether to enable write permission (uploading and deleting files)
download_enable=YES    whether downloading files is allowed
dirmessage_enable=YES    show the .message file when a user enters a directory
xferlog_enable=YES    enable the log file, written to /var/log/xferlog
xferlog_std_format=YES    use the standard xferlog format; disabling this uses vsftpd's own format
connect_from_port_20=YES    allow server active mode (data connections established from port 20)
pasv_enable=YES    allow server passive mode
pasv_max_port=24600    highest port number the server uses in passive mode
pasv_min_port=24500    lowest port number the server uses in passive mode
pam_service_name=vsftpd    PAM file used for user authentication (/etc/pam.d/vsftpd.vu)
userlist_enable=YES    whether to enable the user_list file
userlist_deny=YES    whether to deny the users in user_list
max_clients=0    limit on concurrent client connections
max_per_ip=0    limit on concurrent connections from the same IP address
tcp_wrappers=YES    whether to enable tcp_wrappers host access control
chown_username=root    the owner of files uploaded by anonymous users is root; off by default
ascii_upload_enable=YES    whether to allow uploads in ASCII mode; not allowed by default
ascii_download_enable=YES    whether to allow downloads in ASCII mode; not allowed by default
nopriv_user=vsftpd    the host user that runs the Vsftpd service; this user has to be created manually
async_abor_enable=YES    enable support for asynchronous ABOR (transfer abort) requests
ftpd_banner=Welcome to Awei FTP servers    the login banner shown by Vsftpd
guest_enable=YES    enable the virtual user feature
guest_username=ftpuser    the host user that virtual users are mapped to
virtual_use_local_privs=YES    virtual users have the permissions of their host user
user_config_dir=/etc/vsftpd/vconf    directory where the virtual users' individual configuration files are stored