FTP installation and configuration

Installing the FTP service on CentOS 7

yum install -y vsftpd

Start the service

systemctl start vsftpd

Enable it at boot

systemctl enable vsftpd

Check the listening port

Pay attention to the local firewall and SELinux; otherwise the service will not work properly

Important files

/var/ftp/pub/ default shared directory

/etc/vsftpd/vsftpd.conf main configuration file

/etc/vsftpd/user_list blacklist; can be turned into a whitelist through the configuration file

/etc/vsftpd/ftpusers blacklist

FTP user types

Anonymous user

anonymous or ftp

Local users

Linux system users

Virtual users

Users defined by the administrator

Configuration file /etc/vsftpd/vsftpd.conf

anonymous_enable=YES ### allow anonymous logins; recommended to disable
local_enable=YES ### allow local users to log in
write_enable=YES ### allow FTP commands that modify the filesystem
local_umask=022 ### umask applied to files created by local users
dirmessage_enable=YES ### show a message when a user first enters a new directory
xferlog_enable=YES ### log the details of uploads and downloads
connect_from_port_20=YES ### use port 20 for active-mode data transfers
xferlog_std_format=YES ### use the standard ftpd xferlog format
listen=NO ### do not run vsftpd as a standalone IPv4 listener
listen_ipv6=YES ### vsftpd listens on IPv6 instead of IPv4
pam_service_name=vsftpd ### PAM service name used by vsftpd
userlist_enable=YES ### restrict which users may log in via user_list
tcp_wrappers=YES ### use tcp wrappers

(The ### notes are annotations. In the real file the comments sit on their own lines: vsftpd reads everything after the = as the value, so a trailing comment would make it reject the line.)

Anonymous user login

By default anonymous users can log in to ftp; the login directory is /var/ftp/

The username is anonymous or ftp and the password is empty; it is recommended to disable this

By default anonymous users can only download files and cannot upload into that directory

To let anonymous users upload files and create directories, change the configuration file and the directory permissions

Uncomment the following two lines in /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES # allow uploading files
anon_mkdir_write_enable=YES # allow creating directories

Restart the service; the owner of /var/ftp/pub also has to be changed to ftp

chown ftp pub/

Log in again as the anonymous user; it can now create directories and upload files under pub/

System user login

Linux system users can log in to the ftp service with their system accounts, but because ftp is transmitted in plain text, anyone who intercepts the packets effectively obtains the Linux username and password, so it is recommended to disable this

By default a system user can upload and download after logging in, and the directory is the user's home directory

To change the login directory of system users, add the following to /etc/vsftpd/vsftpd.conf

local_root=/tmp/test_home/

Then create the corresponding directory with mkdir /tmp/test_home and restart the service

Log in to ftp again: the directory is now /tmp/test_home, and other Linux users who log in to the ftp service also land in this directory (mind the directory permissions)

But system-user login over ftp has a flaw: the user can change to the root directory and to other directories and may read information there, so system users need to be confined to their home directory

In the configuration file, uncomment the line below and restart the service; all system users are then confined to their home directory

chroot_local_user=YES

Note one particular configuration: if these three lines are uncommented and a chroot_list file is created under /etc/vsftpd/ containing system users, the users written there can access any directory on the system

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

If we add the system user test2 to /etc/vsftpd/chroot_list, then when test2 logs in to the ftp server it can access the root directory and any other directory

Blacklist and whitelist

/etc/vsftpd/ftpusers and /etc/vsftpd/user_list are both blacklists by default, but /etc/vsftpd/user_list can be turned into a whitelist through the configuration file

In /etc/vsftpd/vsftpd.conf

userlist_enable=YES  # add the following two lines below this one to turn user_list into a whitelist
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list

Note that the blacklist takes precedence over the whitelist: a user that appears in both the blacklist and the whitelist is still denied
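To make the precedence rule concrete, here is an added POSIX sh helper (not part of vsftpd or the original post) that applies the ftpusers and user_list rules to a username; the list files it reads are constructed samples and the function names are my own.

```shell
# Added helper (not part of vsftpd or the original post). On CentOS, ftpusers is
# enforced through the PAM stack and always denies; user_list denies the users it
# names when userlist_deny=YES and denies everyone NOT named when userlist_deny=NO.

# in_list FILE NAME: true if NAME is a whole line of FILE (a missing file is an empty list).
in_list() { [ -f "$1" ] && grep -qx "$2" "$1"; }

# ftp_login_allowed USER FTPUSERS USER_LIST [USERLIST_ENABLE] [USERLIST_DENY]
# Prints the decision and returns 0 (allow) or 1 (deny).
ftp_login_allowed() {
    usr=$1; fu=$2; ul=$3; ul_enable=${4:-YES}; ul_deny=${5:-YES}
    # user_list is checked first, at the USER command, before any password is sent.
    if [ "$ul_enable" = YES ]; then
        if [ "$ul_deny" = YES ] && in_list "$ul" "$usr"; then
            echo "deny $usr: listed in user_list (blacklist mode)"; return 1
        fi
        if [ "$ul_deny" = NO ] && ! in_list "$ul" "$usr"; then
            echo "deny $usr: not listed in user_list (whitelist mode)"; return 1
        fi
    fi
    # ftpusers is checked by PAM at authentication and overrides any whitelist entry.
    if in_list "$fu" "$usr"; then
        echo "deny $usr: listed in ftpusers"; return 1
    fi
    echo "allow $usr"; return 0
}

# Constructed sample lists: test2 sits in both files, which still denies it.
tmp=$(mktemp -d)
printf 'root\ntest2\n' > "$tmp/ftpusers"
printf 'test2\ntest3\n' > "$tmp/user_list"
for u in root test1 test2 test3; do
    ftp_login_allowed "$u" "$tmp/ftpusers" "$tmp/user_list" YES NO || true
done
rm -r "$tmp"
```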



Virtual user login

The safer and more common login method is the virtual user, which can only log in to the ftp server

1. Create a virtual user password file

vim /etc/vsftpd/vuser.txt

Enter the virtual usernames and passwords, alternating one per line (the # notes are annotations; the file itself holds only the names and passwords, since db_load reads each line literally)

vtest  #account
test   #password
vtest2 #account
test2  #password

2. Generate the authentication database

db_load -T -t hash -f /etc/vsftpd/vuser.txt /etc/vsftpd/vuser.db

If the db utilities are not installed yet, install them first (on CentOS 7 the package that provides db_load is libdb-utils)

yum -y install db4-utils

3. Edit the PAM authentication file

Open /etc/pam.d/vsftpd and comment out its original content, because system-user login depends on this file; then append these two lines

auth required  /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser

4. Create the local mapping user

useradd -d /home/vftproot -s /sbin/nologin vuser
chmod 755 /home/vftproot

5. Modify the configuration file

Add the following to /etc/vsftpd/vsftpd.conf

guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vuser_conf

Then restart the service and virtual users can log in; remember to delete the original vuser.txt file

Per-user directories for virtual users

mkdir /etc/vsftpd/vuser_conf

Create a file in this directory for each virtual user, named after the user, and specify that user's permissions and directory inside it; virtual users without such a file follow the main configuration file

vim /etc/vsftpd/vuser_conf/vtest2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_root=/tmp/vtest2

Then create the directory and hand it to the mapping user

mkdir /tmp/vtest2
chown vuser vtest2/

And add to the main configuration file

allow_writeable_chroot=YES

Restart the service and log in again; the virtual user now works normally
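The settings this page touches (anonymous logins, anonymous uploads, chroot_local_user, chroot_list exemptions and allow_writeable_chroot) can be checked in one pass. This is an added audit helper written for this article, not part of vsftpd or the original post; it assumes a plain vsftpd.conf in the strict KEY=VALUE form vsftpd requires, uses a constructed sample file, and the finding tags are my own.

```shell
# Added audit helper (not part of vsftpd or the original post). Assumes a plain
# vsftpd.conf in the strict KEY=VALUE form vsftpd accepts (no spaces, no
# trailing comments); the finding tags are names chosen for this example.

# conf_get FILE KEY: effective value of KEY (a later line overrides an earlier one).
conf_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | sed 's/[[:space:]]*$//'
}

# audit_vsftpd_conf FILE: print one finding per line; return 1 if anything was flagged.
audit_vsftpd_conf() {
    cfg=$1; rc=0
    # anonymous_enable is YES when unset; the page recommends turning it off.
    anon=$(conf_get "$cfg" anonymous_enable)
    if [ -z "$anon" ] || [ "$anon" = YES ]; then
        echo "ANON_LOGIN: anonymous_enable=${anon:-unset, defaults to YES}"; rc=1
        # Anonymous write access only matters while anonymous login is on.
        for k in anon_upload_enable anon_mkdir_write_enable; do
            [ "$(conf_get "$cfg" "$k")" = YES ] && { echo "ANON_WRITE: $k=YES"; rc=1; }
        done
    fi
    # Local users without chroot_local_user=YES can browse the whole filesystem.
    if [ "$(conf_get "$cfg" local_enable)" = YES ] && \
       [ "$(conf_get "$cfg" chroot_local_user)" != YES ]; then
        echo "NO_CHROOT: local_enable=YES but chroot_local_user is not YES"; rc=1
    fi
    # With chroot_list_enable=YES, every user named in chroot_list_file escapes the jail.
    if [ "$(conf_get "$cfg" chroot_list_enable)" = YES ]; then
        lst=$(conf_get "$cfg" chroot_list_file); lst=${lst:-/etc/vsftpd/chroot_list}
        if [ -f "$lst" ]; then
            for u in $(sed '/^#/d; /^$/d' "$lst"); do echo "CHROOT_EXEMPT: $u"; rc=1; done
        fi
    fi
    # vsftpd refuses a writable chroot root by default; this option disables that check.
    [ "$(conf_get "$cfg" allow_writeable_chroot)" = YES ] && { echo "WRITEABLE_CHROOT"; rc=1; }
    return $rc
}

# Constructed sample: the stock settings from this page plus the anonymous-upload lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
local_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
EOF
audit_vsftpd_conf "$sample" || echo "-> risky settings found, review before exposing the service"
rm -f "$sample"
```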

Source: www.cnblogs.com/gaonuoqi/p/11987781.html