FTP uses two ports, 20 and 21.
Installing the vsftpd service program
Type the command yum install vsftpd -y
Clear the default firewall rules:
[root@linuxprobe ~]# iptables -F
Save the firewall rule table after clearing it:
[root@linuxprobe ~]# service iptables save
Analysis of the main vsftpd configuration file
The main configuration file is about 123 lines long, but most lines begin with #; these are comments, which we can filter out.
Back up the vsftpd main configuration file:
[root@linuxprobe ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
Filter out all lines that contain the # symbol and write the filtered result back to the vsftpd.conf file:
[root@linuxprobe ~]# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
Now look at the filtered vsftpd main configuration file again:
[root@linuxprobe ~]# cat /etc/vsftpd/vsftpd.conf
Installing the ftp service
vsftpd then offers three access modes: anonymous access mode, local user mode and virtual user mode.
We introduce them one by one.
1. Anonymous access mode
After filling in the parameters, save and exit the vsftpd.conf file, then restart the vsftpd service program and set it to start at boot.
[root@linuxprobe ~]# systemctl restart vsftpd
[root@linuxprobe ~]# systemctl enable vsftpd
Try to log in to the FTP service from the client.
The firewall rules were cleared above, and vsftpd.conf already allows anonymous users to create directories and grants write permission, so how can access still be denied?
It is recommended that the reader not look further down yet, but think about and solve this problem with their own methods; with long-term practice of this kind, your Linux troubleshooting skills will develop.
Recall the details of the parameters described above: the FTP root directory for anonymous access mode is /var/ftp:
2. Local user mode
Type the command vim /etc/vsftpd/vsftpd.conf and change the parameters.
Then restart the vsftpd service program and set it to start at boot.
To make the vsftpd FTP service more secure, logging in as root is disabled by default, so create a regular user:
Try to log in from the ftp client.
3. Virtual User Mode
Because the accounts and passwords used in virtual user mode do not really exist on the system, virtual user mode, as long as it is configured properly, is more secure than local user mode. However, configuring virtual user mode in vsftpd is relatively complicated; the process is as follows:
Step 1: Create the virtual FTP user database file.
Step 2: Create a system user for the FTP root directory and map the virtual users to it.
Step 3: Create a PAM authentication file that supports the virtual users.
Step 4: Add the supporting settings to the vsftpd.conf configuration file.
Step 5: Set different permissions for the virtual users.
Step 6: Restart the vsftpd service and verify the results.
Step 1: Create the virtual FTP user database file.
Switch to the vsftpd program directory:
[root@linuxprobe ~]# cd /etc/vsftpd/
Create the original account and password file (vuser.list) from which the database will be generated.
Use the db_load command to generate the FTP user database file vuser.db with the HASH algorithm.
Check the type of the database file:
[root@linuxprobe vsftpd]# file vuser.db
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
The FTP user database content is very sensitive, so tighten its permissions:
[root@linuxprobe vsftpd]# chmod 600 vuser.db
Delete the original account and password file:
[root@linuxprobe vsftpd]# rm -f vuser.list
Step 2: Create a system user for the FTP root directory and map the virtual users to it.
Create the system user that the virtual users map to, forbid it from logging in to the system, and define its home directory:
[root@linuxprobe ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
View the permissions of the user's home directory:
[root@linuxprobe ~]# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
To ensure that other users can access it, give it rwxr-xr-x permissions:
[root@linuxprobe ~]# chmod -Rf 755 /var/ftproot/
Step 3: Create a PAM authentication file that supports the virtual users:
[root@linuxprobe ~]# vim /etc/pam.d/vsftpd.vu
// The db parameter points to the vuser.db file just generated, but the suffix is not written.
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
Step 4: Add the supporting settings to the vsftpd.conf configuration file.
Since virtual user mode is used here, and virtual user mode is far more secure than anonymous access mode, the anonymous access mode that was opened in the configuration earlier should also be closed.
[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
Step 5: Set different permissions for the virtual users
Specify the directory in which the per-user permission configuration files are stored:
[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_dir
Create the directory that stores the per-user permission profiles:
[root@linuxprobe ~]# mkdir /etc/vsftpd/vusers_dir/
Switch into the directory:
[root@linuxprobe ~]# cd /etc/vsftpd/vusers_dir/
Create a blank profile for the user linuxprobe:
[root@linuxprobe vusers_dir]# touch linuxprobe
Specify the blackshield user's specific permissions:
[root@linuxprobe vusers_dir]# vim blackshield
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Step 6: Restart the vsftpd service and verify the results.
Then log in from the client with the ftp command, following the procedure above.
A very serious problem
View all SELinux rules related to ftp:
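As an added example (not part of the original tutorial), the following POSIX shell script audits a vsftpd.conf for the settings the virtual user procedure above depends on: anonymous access closed, the guest mapping to the nologin account virtual, the PAM service pointing at vsftpd.vu, user_config_dir set, and upload rights granted per user rather than globally. The two configurations it checks are constructed inline; the option names guest_enable, guest_username and pam_service_name are standard vsftpd options that the text above does not spell out.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the virtual-user mode settings.
# Both configuration texts below are constructed for this demonstration.
# conf_get KEY FILE: print KEY's value from FILE (last occurrence wins).
conf_get() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]'
}
# audit_vsftpd_conf FILE: print one finding per weak or missing setting.
audit_vsftpd_conf() {
    f="$1"
    [ "$(conf_get anonymous_enable "$f")" = "NO" ] ||
        echo "anonymous_enable is not NO: anonymous mode stays open beside virtual users"
    [ "$(conf_get guest_enable "$f")" = "YES" ] ||
        echo "guest_enable=YES is missing: virtual users are not mapped to a guest account"
    [ "$(conf_get guest_username "$f")" = "virtual" ] ||
        echo "guest_username should be the nologin system account 'virtual'"
    [ "$(conf_get pam_service_name "$f")" = "vsftpd.vu" ] ||
        echo "pam_service_name must be vsftpd.vu so PAM consults vuser.db"
    [ -n "$(conf_get user_config_dir "$f")" ] ||
        echo "user_config_dir is unset: per-user files such as blackshield are ignored"
    [ "$(conf_get anon_upload_enable "$f")" != "YES" ] ||
        echo "global anon_upload_enable=YES gives every virtual user upload rights"
}
# count_findings FILE: number of findings; 0 means the file passed the audit.
count_findings() { audit_vsftpd_conf "$1" | wc -l | tr -d ' '; }
# Constructed sample: a weak configuration with anonymous mode still open ...
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
anonymous_enable=YES
local_enable=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd
anon_upload_enable=YES
EOF
# ... and the corrected one, matching the settings used in the steps above.
cat > "$HARD" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vusers_dir
EOF
echo "weak config findings:"; audit_vsftpd_conf "$WEAK"
echo "hardened config findings: $(count_findings "$HARD")"
```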
[root@linuxprobe ~]# getsebool -a | grep ftp
Set the SELinux rule that allows the FTP service full access:
[root@linuxprobe ~]# setsebool -P ftpd_full_access=on
Now creating a file or directory works without any problem:
[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): blackshield
331 Please specify the password.
Password: Here enter the virtual user's password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>mkdir files
257 "/files" created
ftp>rename files database
350 Ready for RNTO.
250 Rename successful.
ftp>rmdir database
250 Remove directory operation successful.
ftp>exit
221 Goodbye.
That is all the operation needed.