12.8 Linux learning, day fifteen

Today Mr. Liu covered Chapter 11 and Chapter 12. It felt very fast, done in one go, without even a pause to drink water.

11.1 File Transfer Protocol

In general, the primary reason people connect computers to a network is to obtain information, and file transfer is a very important way of obtaining it. Today's Internet consists of tens of millions of personal computers, workstations, servers, minicomputers, mainframes, supercomputers and other physical devices of different models and architectures, and even a single personal computer may run Windows, Linux, UNIX, Mac or another operating system. To solve the problem of transferring files between such complex and diverse devices, the File Transfer Protocol (FTP) came into being.

FTP is the file transfer protocol of the Internet. It is based on the client/server model and uses port numbers 20 and 21 by default: port 20 (the data port) is used for data transmission, and port 21 (the command port) receives the commands and parameters issued by the FTP client. FTP servers are commonly deployed in networks and are easy to set up and easy to manage. Some FTP client tools also support multi-file downloads, and together with HTTP, FTP services are widely used to serve users. The FTP transmission topology is shown in Figure 11-1.


Figure 11-1 FTP protocol transmission topology

An FTP server is a host that provides file storage and access services over the Internet according to the FTP protocol; an FTP client is a host that sends connection requests to the server in order to establish a data transmission link. FTP has the two working modes below.

Active mode: the FTP server initiates the connection request to the client.

Passive mode: the FTP server waits for the client to initiate the connection request (the default working mode of FTP).

As mentioned in Chapter 8 when learning firewall configuration, a firewall is usually used to filter traffic coming from outside the network into the internal network, so there are times when the FTP working mode must be set to active mode before data can be transmitted.


11.2 Vsftpd service program

vsftpd is a relatively secure file transfer service program that allows users to log in to the FTP server in three authentication modes.

Anonymous open mode: the least secure of the authentication modes; anyone can log in to the FTP server directly without password verification.

Local user mode: authentication uses the local account and password information of the Linux system. It is more secure than anonymous open mode and very simple to configure, but if a hacker cracks the account information they can log in to the FTP server unimpeded and take complete control of the whole server.

Virtual user mode: the most secure of the three authentication modes. It requires a separate user database file for the FTP service, and the virtual account and password information used for verification do not actually exist as accounts on the server system; they are used only for authentication by the FTP service program. So even if a hacker cracks the account information, they cannot log in to the server itself, which effectively reduces the scope of damage and its impact.

ftp is the client tool for managing FTP transfers from the Linux command line. We first install the ftp client tool manually so that we can check the results in the later experiments.


11.2.1 Anonymous access mode

As mentioned earlier, anonymous open mode is the least secure authentication mode of the vsftpd service program: anyone can log in to the FTP server directly without password verification. This mode is generally used for access to unimportant public files (try not to store important files in it in a production environment). Of course, if the firewall management tools described in Chapter 8 (such as the Tcp_wrappers service program) are used to restrict the range of hosts allowed to access the vsftpd service to the enterprise intranet, basic security can still be provided.

The vsftpd service program enables anonymous open mode by default; what we need to do is open up permissions for anonymous users to upload and download files, and to create, delete and rename files. Note that opening these permissions to anonymous users poses a potential danger; we grant them here only to practise configuring the vsftpd service program on a Linux system, and doing so is not recommended in a production environment. Table 11-2 lists the permission parameters that can be opened to anonymous users and their effects.

Table 11-2 Permission parameters that can be opened to anonymous users and their effects

Parameter Effect
anonymous_enable=YES Allow anonymous access mode
anon_umask=022 umask value for files uploaded by anonymous users
anon_upload_enable=YES Allow anonymous users to upload files
anon_mkdir_write_enable=YES Allow anonymous users to create directories
anon_other_write_enable=YES Allow anonymous users to rename or delete directories


11.2.2 Local user mode

Compared with anonymous open mode, local user mode is more secure and also very simple to configure. If anonymous open mode was enabled previously, it can now be disabled and local user mode enabled. The parameters used in local user mode and their effects are shown in Table 11-3.

Table 11-3 Parameters used in local user mode and their effects

Parameter Effect
anonymous_enable=NO Prohibit anonymous access mode
local_enable=YES Allow local user mode
write_enable=YES Set write permission
local_umask=022 umask value for files created in local user mode
userlist_deny=YES Enable the "denied user list"; the list files are user_list and ftpusers
userlist_enable=YES Enable the user list file function
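
The two tables above are the settings a defender most often has to review after the fact. The following script is an added example, not code from the page or from the vsftpd project: it reads a vsftpd.conf, reports on stderr every parameter from Table 11-2 that hands write access to anonymous users, flags local user mode when the user_list check from Table 11-3 is not enabled, and prints the number of findings. The two sample configs are constructed here for the demonstration.

```shell
# Added example (not code from the page or from vsftpd): audit a vsftpd.conf
# against the parameters in Tables 11-2 and 11-3. Each risky setting is
# reported on stderr and the number of findings is printed on stdout.

# Print the effective value of KEY in FILE: comments and blank lines are
# skipped, and the last assignment wins, as vsftpd itself applies it.
conf_get() {
  file=$1; key=$2
  sed -n "s/^[[:space:]]*$key=\(.*\)$/\1/p" "$file" | tail -n 1
}

# Count the settings that give write access to anonymous users, or that leave
# local-user mode without the user_list check from Table 11-3.
audit_vsftpd_conf() {
  file=$1; findings=0
  if [ "$(conf_get "$file" anonymous_enable)" = "YES" ]; then
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
      if [ "$(conf_get "$file" "$k")" = "YES" ]; then
        echo "RISK: $k=YES lets unauthenticated users change files under the FTP root" >&2
        findings=$((findings + 1))
      fi
    done
  fi
  if [ "$(conf_get "$file" local_enable)" = "YES" ] &&
     [ "$(conf_get "$file" userlist_enable)" != "YES" ]; then
    echo "RISK: local_enable=YES but userlist_enable is not YES; user_list is not consulted" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Constructed sample: the lab settings of Table 11-2 with every write permission open.
LAB_CONF=$(mktemp)
cat > "$LAB_CONF" <<'EOF'
# lab config (constructed sample)
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF

# Constructed sample: the local-user settings of Table 11-3.
PROD_CONF=$(mktemp)
cat > "$PROD_CONF" <<'EOF'
# local-user config (constructed sample)
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_deny=YES
userlist_enable=YES
EOF

echo "lab config findings:  $(audit_vsftpd_conf "$LAB_CONF")"   # 3
echo "prod config findings: $(audit_vsftpd_conf "$PROD_CONF")"  # 0
```

On a real server the file to pass is /etc/vsftpd/vsftpd.conf; the three anonymous findings are exactly the permissions the text says to open only for practice.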


11.2.3 Virtual user mode

Finally, we explain virtual user mode, the most secure of the three authentication modes. Of course, because its security is improved over the previous two modes, the configuration process is slightly more complicated.

Step 1: Create the user database file for FTP authentication, in which odd-numbered lines hold account names and even-numbered lines hold passwords. For example, create two users, zhangsan and lisi, both with the password redhat:

[root@linuxprobe ~]# cd /etc/vsftpd/
[root@linuxprobe vsftpd]# vim vuser.list
zhangsan
redhat
lisi
redhat

However, plaintext is neither secure nor a format the vsftpd service program can load directly, so we use the db_load command with the hash algorithm to convert the plaintext file into a database file, lower the permissions on the database file (to prevent others from reading its contents), and then delete the original plaintext file.

[root@linuxprobe vsftpd]# db_load -T -t hash -f vuser.list vuser.db
[root@linuxprobe vsftpd]# file vuser.db
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
[root@linuxprobe vsftpd]# chmod 600 vuser.db
[root@linuxprobe vsftpd]# rm -f vuser.list

Step 2: Create the local system user that the vsftpd service program uses to store files and to map virtual users. The root directory the FTP service uses for storing files is the default location that virtual users land in after logging in.

Because every file in a Linux system has an owner and an owning group, if the virtual account "zhangsan" creates a new file but the system cannot find an account called "zhangsan", a file permission error will result. For this we need to create a local system user to which the virtual users can be mapped. Simply put, virtual users log in as the mapped local user and land in that user's home directory by default, and files created by virtual users are attributed to that local system user, which avoids the Linux system being unable to handle the ownership of files created by virtual users.

To make managing data on the FTP server easier, the local system user's home directory is placed under the /var directory (used for data that changes frequently). For security, we do not allow this local system user to log in to the server; this does not affect virtual users logging in, and it also prevents hackers from logging in to the system through this local user.

[root@linuxprobe ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
[root@linuxprobe ~]# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
[root@linuxprobe ~]# chmod -Rf 755 /var/ftproot/

Step 3: Create the PAM file used to support virtual users.

PAM (Pluggable Authentication Modules) is an authentication mechanism that separates services from authentication. It consists of a number of dynamic link libraries and a unified API, and lets system administrators flexibly adjust the authentication methods of different service programs as needed. Explaining PAM's functions and role completely would take at least a whole section (readers interested in the topic can look forward to the advanced chapters of this book, which explain PAM in detail).

In plain terms, the PAM modules are a set of security mechanisms that system administrators can use to easily adjust a service program's authentication without changing the application itself. PAM adopts a layered design (application layer, application interface layer, authentication module layer); its structure is shown in Figure 11-2.


Figure 11-2 Hierarchical design of PAM

Create the PAM file vsftpd.vu for virtual user authentication. The "db=" parameter takes the path of the account/password database file generated by the db_load command, but the database file's suffix is not written in the PAM file:

[root@linuxprobe ~]# vim /etc/pam.d/vsftpd.vu
auth       required     pam_userdb.so db=/etc/vsftpd/vuser
account    required     pam_userdb.so db=/etc/vsftpd/vuser

Step 4: Modify the pam_service_name parameter in the vsftpd main configuration file to the new PAM authentication file name vsftpd.vu. As the link between the application layer and the authentication module layer, PAM lets an application flexibly plug in the authentication functions it needs. When an application requires PAM authentication, the PAM configuration file responsible for that authentication must be defined in the application to achieve the required authentication.

For example, the default parameter pam_service_name=vsftpd in the vsftpd main configuration file explicitly specifies that logins to the FTP server are authenticated according to the /etc/pam.d/vsftpd file. What we now need to do is change the original PAM authentication file vsftpd in the vsftpd main configuration file to the new vsftpd.vu file. The parameters used in this operation and their effects are shown in Table 11-4.

Table 11-4 Parameters used with the PAM authentication file and their effects

Parameter Effect
anonymous_enable=NO Prohibit anonymous open mode
local_enable=YES Allow local user mode
guest_enable=YES Enable virtual user mode
guest_username=virtual Specify the virtual user account
pam_service_name=vsftpd.vu Specify the PAM file
allow_writeable_chroot=YES Allow write operations to the chrooted FTP root directory without rejecting users' login requests
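
Steps 1 to 4 above are one procedure, and the details that matter most for security are easy to get wrong: the database must end up owner-only, the plaintext list must be gone, and the "db=" path in the PAM file must not carry the ".db" suffix. The script below is an added example, not code from the page or from the vsftpd project: it performs the four steps into a staging directory instead of /etc so it can run without root, then checks those properties. The staging directory is an assumption; the account names, the mapping user "virtual" and the Table 11-4 parameters are the page's own. db_load is invoked only when it is installed.

```shell
# Added example (not code from the page or from vsftpd): stage the virtual-user
# setup of steps 1 to 4 under $STAGE (assumed) and verify the results.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# Step 1: plaintext list, odd lines hold account names, even lines passwords.
write_user_list() {
  out=$1; shift
  : > "$out"
  chmod 600 "$out"
  while [ "$#" -ge 2 ]; do
    printf '%s\n%s\n' "$1" "$2" >> "$out"
    shift 2
  done
}

# Step 1 (continued): hash the list into a Berkeley DB file, restrict it to the
# owner, and delete the plaintext. Without db_load an empty placeholder stands in.
build_user_db() {
  list=$1; db=$2
  if command -v db_load >/dev/null 2>&1; then
    db_load -T -t hash -f "$list" "$db"
  else
    : > "$db"  # placeholder: no Berkeley DB tools on this host
  fi
  chmod 600 "$db"
  rm -f "$list"
}

# Step 3: the PAM file. pam_userdb takes the database path WITHOUT ".db".
write_pam_file() {
  pamfile=$1; dbpath=$2
  base=${dbpath%.db}
  printf 'auth       required     pam_userdb.so db=%s\n' "$base" > "$pamfile"
  printf 'account    required     pam_userdb.so db=%s\n' "$base" >> "$pamfile"
}

# Step 4: the Table 11-4 parameters for the main configuration file.
write_vsftpd_conf() {
  conf=$1; pamname=$2; mapuser=$3
  cat > "$conf" <<EOF
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=$mapuser
pam_service_name=$pamname
allow_writeable_chroot=YES
EOF
}

# Checks: no ".db" suffix in the PAM file, database readable by its owner only,
# plaintext list gone, and the conf pointing at the new PAM file. Returns 0 when all hold.
check_staging() {
  dir=$1
  grep -q 'db=.*\.db$' "$dir/vsftpd.vu" && return 1
  [ "$(ls -ld "$dir/vuser.db" | cut -c1-10)" = "-rw-------" ] || return 1
  [ ! -e "$dir/vuser.list" ] || return 1
  grep -q '^pam_service_name=vsftpd.vu$' "$dir/vsftpd.conf" || return 1
  return 0
}

write_user_list   "$STAGE/vuser.list" zhangsan redhat lisi redhat
build_user_db     "$STAGE/vuser.list" "$STAGE/vuser.db"
write_pam_file    "$STAGE/vsftpd.vu"  "$STAGE/vuser.db"
write_vsftpd_conf "$STAGE/vsftpd.conf" vsftpd.vu virtual
check_staging "$STAGE" && echo "staged virtual-user files in $STAGE"
```

On a real RHEL 7 host the same files live at /etc/vsftpd/vuser.db, /etc/pam.d/vsftpd.vu and /etc/vsftpd/vsftpd.conf, and the mapping user is created with the useradd command shown in Step 2; the check function can be pointed at those paths after the service is configured.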


11.3 TFTP Trivial File Transfer Protocol

The Trivial File Transfer Protocol (TFTP) is a UDP-based protocol for simple file transfer between a client and a server. As the name suggests, it provides an uncomplicated, low-overhead file transfer service (think of it as a simplified version of FTP).

TFTP's commands are not as powerful as FTP's; it cannot even traverse directories, and it is also weaker than FTP in terms of security. Moreover, because TFTP uses the UDP protocol for transfers, on port 69, the transfer process is not as reliable as FTP's. However, because TFTP requires no client authentication, it avoids needless system and network bandwidth consumption and is therefore more efficient for transferring small, trivial files.

Next, install the TFTP packages on the system to try it out.


TFTP's root directory is /var/lib/tftpboot. We can use the freshly installed tftp command to try accessing files in it and experience the TFTP transfer process first-hand. When accessing files with the tftp command, the parameters in Table 11-5 may be needed.

Table 11-5 Parameters available in the tftp command and their effects

Command Effect
? Help information
put Upload a file
get Download a file
verbose Show detailed processing information
status Show current status information
binary Transfer in binary mode
ascii Transfer in ASCII mode
timeout Set the retransmission timeout
quit Exit


12.1 Samba file sharing service

The FTP file transfer service covered in the previous chapter does make file transfer between hosts simple and convenient, but the essence of the FTP protocol is transferring files, not sharing them, so modifying a file's contents directly on the server from a client is still fairly troublesome.

In 1987, Microsoft and Intel jointly defined the SMB (Server Message Block) protocol to solve the sharing of files, printers and other resources within a local network, which made sharing files among multiple hosts ever simpler. In 1991, Tridgell, then still a university student, developed the SMBServer service program on the basis of the SMB protocol to solve file sharing between Linux and Windows systems. It is open-source file sharing software that, with simple configuration, enables file sharing between Linux and Windows. Tridgell wanted to register the name SMBServer as a trademark, but the trademark office rejected the application on the grounds that SMB was a meaningless string. Later, leafing through a dictionary, Tridgell came across the name of a Latin dance, Samba, and this lively dance name happened to contain "SMB", so the name of the Samba service program was born (see Figure 12-1). Samba has now become the best choice for sharing files between Linux and Windows systems.


Figure 12-1 Logo of the Samba service program

The method of configuring the Samba service program is similar to that of many services covered earlier: first install the Samba service program from the Yum repository (the Samba service program's name happens to be the package name as well).

12.1.1 Configuring shared resources

Samba's main configuration file is very similar to that of the Apache service studied earlier: it contains global configuration parameters and section configuration parameters. Global parameters set up the overall sharing environment and apply to every individual shared resource inside it. Section parameters configure a single shared resource and apply only to that resource. Creating a shared resource is simple: write the parameters in Table 12-2 into Samba's main configuration file and then restart the service.

Table 12-2 Parameters for configuring the Samba service program and their effects

Parameter Effect
[database] The share name is database
comment = Do not arbitrarily modify the database file Warns users not to modify the database at will
path = /home/database The shared directory is /home/database
public = no Disables "visible to everyone"
writable = yes Allows write operations
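
The global-versus-section distinction in the text is what decides the effective value of a parameter for a share, and it is where misreadings of smb.conf come from. The script below is an added example, not code from the page or from the Samba project: it stages the [database] share from Table 12-2 in a temporary smb.conf, reads parameters back per section, resolves the effective value (share section first, then [global]), and flags a share that is both visible to everyone and writable. The staging path and the [global] lines are assumptions of this example.

```shell
# Added example (not code from the page or from the Samba project): stage the
# Table 12-2 share in a temporary smb.conf and resolve parameters per section.
set -eu

SMB_CONF="${SMB_CONF:-$(mktemp)}"

# A minimal [global] section (assumed values) followed by the share from Table 12-2.
write_smb_conf() {
  conf=$1
  cat > "$conf" <<'EOF'
[global]
        workgroup = MYGROUP
        security = user
        writable = no

[database]
        comment = Do not arbitrarily modify the database file
        path = /home/database
        public = no
        writable = yes
EOF
}

# Print the value of KEY inside [SECTION] of CONF, or nothing if unset there.
smb_get() {
  conf=$1; section=$2; key=$3
  awk -v s="$section" -v k="$key" '
    /^[ \t]*\[.*\][ \t]*$/ {
      name = $0
      sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
      cur = name; next
    }
    cur == s && index($0, "=") > 0 {
      lhs = substr($0, 1, index($0, "=") - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", lhs)
      if (lhs == k) {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val
      }
    }' "$conf"
}

# Effective value for a share: the share section wins, then [global] applies.
smb_effective() {
  conf=$1; share=$2; key=$3
  v=$(smb_get "$conf" "$share" "$key")
  [ -n "$v" ] || v=$(smb_get "$conf" global "$key")
  printf '%s\n' "$v"
}

# A share that is both visible to everyone and writable deserves a second look.
check_share() {
  conf=$1; share=$2
  if [ "$(smb_effective "$conf" "$share" public)" = "yes" ] &&
     [ "$(smb_effective "$conf" "$share" writable)" = "yes" ]; then
    echo "RISK: [$share] is public and writable" >&2
    return 1
  fi
  return 0
}

write_smb_conf "$SMB_CONF"
echo "[database] path:     $(smb_effective "$SMB_CONF" database path)"
echo "[database] writable: $(smb_effective "$SMB_CONF" database writable)"
check_share "$SMB_CONF" database && echo "[database] passes the visibility check"
```

On a real server the file is /etc/samba/smb.conf, and running testparm on it before restarting the service catches syntax errors that this small reader does not.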
12.1.2 Mounting the share on Windows

Whether the Samba share service is deployed on a Windows system or on a Linux system, the steps and method for accessing it from a Windows system are the same. Below we assume the Samba share service is deployed on a Linux system and access it from a Windows system. The IP addresses of the Samba share server and the Windows client can be set according to Table 12-4.

Table 12-4 Operating systems and IP addresses used by the Samba server and the Windows client


Host name Operating system IP address
Samba share server RHEL 7 192.168.10.10
Linux client RHEL 7 192.168.10.20
Windows client Windows 7 192.168.10.30


To access the shared resource from a Windows system, simply type two backslashes followed by the server's IP address in the Windows "Run" dialog, as shown in Figure 12-2.


Figure 12-2 Accessing the shared resource from a Windows system


12.1.3 Mounting the share on Linux

The experiment above may lead readers to assume that the Samba service program exists only to solve resource sharing between Linux and Windows systems. In fact, Samba can also share files between Linux systems. Set the IP addresses of the host running the Samba service program (the Samba share server) and the Linux client according to Table 12-5, then install the package that supports the file sharing service (cifs-utils) on the client.

Table 12-5 Operating systems and IP addresses used by the Samba share server and the Linux client

Host name Operating system IP address
Samba share server RHEL 7 192.168.10.10
Linux client RHEL 7 192.168.10.20
Windows client Windows 7 192.168.10.30
12.2 NFS network file system

If you find configuring the Samba service program too much trouble, and the host whose files need sharing happens to be Linux, Mr. Liu strongly recommends deploying the NFS service to share files with clients. The NFS (Network File System) service can mount a shared directory on a remote Linux system into the local host's directory tree, so that the local host (the Linux client) can read and write the shared folder on the remote Linux system over TCP/IP just as if it were a local resource.

Since the NFS service is already installed by default on RHEL 7, and the configuration steps of the NFS service are also very simple, Mr. Liu jokingly calls NFS "Need For Speed" in class. Next we prepare to configure the NFS service. First, use the Yum repository to check whether the NFS packages are installed on your RHEL 7 system:

12.3 autofs automatic mounting service

Whether for the Samba service or the NFS service, the mount information should be written into /etc/fstab so that the remote shared resource is mounted automatically when the server boots. This is convenient, but if too many remote resources are mounted it places a heavy load on network bandwidth and server hardware resources, and if a mounted resource goes unused for a long time it wastes the server's hardware resources. Some readers may say, "I can just run the mount command manually before each use." That is a fine choice, but don't you find it troublesome to mount again before every use?

The autofs automatic mounting service helps solve this problem. Unlike the mount command, the autofs service program is a Linux system daemon: when it detects a user trying to access a file system that is not yet mounted, it mounts that file system automatically. In other words, after mount information is written into /etc/fstab the system mounts it automatically at boot, whereas the autofs service program mounts the file system dynamically only when the user needs it, which saves the server's hardware resources and network resources.


Origin www.cnblogs.com/herofox1982/p/12037501.html