Installing and configuring the vsftpd service on Linux
- Download and install vsftpd on the server
# install
yum install -y vsftpd
# show the version
vsftpd -v
# start the service
service vsftpd start
# restart after changing the configuration
service vsftpd restart
vsftpd configuration
Configuration file: /etc/vsftpd/vsftpd.conf
- Anonymous user
Anonymous login uses the user name ftp with an arbitrary password; the default root directory for anonymous access is /var/ftp.
Files and folders uploaded by anonymous users are owned by ftp:ftp by default.
anonymous_enable=YES # allow anonymous logins | NO
anon_upload_enable=YES # allow anonymous users to upload files | NO
anon_mkdir_write_enable=YES # allow anonymous users to create directories | NO
anon_other_write_enable=YES # allow delete, rename and similar write operations
anon_root=$root # root directory for anonymous users
# change the owner of files uploaded by anonymous users
chown_uploads=YES
chown_username=$user
# note: only the file owner is changed, not the group, and this directive has no effect on directories that were created
Some notes
If anonymous users are enabled, remove write permission from the /var/ftp folder itself (chmod a-w /var/ftp), because vsftpd refuses to run with a writable root inside the chroot. Then create a subfolder with full access, so that anonymous users can work inside that folder:
cd /var/ftp; mkdir pub; chmod 777 pub
In addition, set anon_umask=022 so that files created by anonymous users keep read permission for other users, which lets users download them.
If anon_umask is not set, the default mask removes the read permission from new files and folders, and uploaded files end up unreadable.
If problems occur, check the permissions first.
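To make the two permission rules above concrete (the umask applied to uploads, and the non-writable root with a writable upload folder), here is an added shell example; it is not part of the original post. The function names are my own, the modes fed to them are constructed values, and check_anon_root reads directory modes with GNU stat -c.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for the permission rules
# discussed above (hypothetical function names, constructed sample values).

# Print the octal mode that remains after applying UMASK to BASE
# (base 666 for a new file, 777 for a new directory).
mode_after_umask() {
  base=$1 mask=$2
  printf '%03o\n' "$(( 0$base & ~0$mask & 0777 ))"
}

# Return 0 if the octal MODE contains any write bit (user, group or other).
writable_bits() {
  [ "$(( 0$1 & 0222 ))" -ne 0 ]
}

# Audit the anonymous FTP layout the notes recommend: ROOT (e.g. /var/ftp) must
# carry no write bit, because vsftpd refuses to run with a writable root inside
# the chroot; UPLOAD (e.g. /var/ftp/pub) must be writable so uploads can land.
# Prints one line per check; returns 0 only if both checks pass.
check_anon_root() {
  root=$1 upload=$2 status=0
  mode=$(stat -c '%a' "$root") || return 2
  if writable_bits "$mode"; then
    echo "FAIL: $root is writable (mode $mode); fix with: chmod a-w $root"
    status=1
  else
    echo "ok:   $root mode $mode (not writable)"
  fi
  mode=$(stat -c '%a' "$upload") || return 2
  if writable_bits "$mode"; then
    echo "ok:   $upload mode $mode (uploads allowed)"
  else
    echo "FAIL: $upload is not writable (mode $mode)"
    status=1
  fi
  return $status
}

# Demonstration: vsftpd's default anon_umask (077) leaves an uploaded file at
# 600, i.e. unreadable for the ftp client, while anon_umask=022 leaves it 644.
echo "file under umask 077:      $(mode_after_umask 666 077)"
echo "file under umask 022:      $(mode_after_umask 666 022)"
echo "directory under umask 022: $(mode_after_umask 777 022)"
```

Run check_anon_root /var/ftp /var/ftp/pub on the server after applying the chmod commands above; a FAIL line on the root is exactly the condition that stops vsftpd from serving anonymous logins.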
- Local user login
By default, apart from the locked-out accounts, ordinary system users can log in over ftp. See the ftpusers and user_list files under /etc/vsftpd.
Related settings:
local_enable=YES # allow local users to log in
local_umask=022 # permissions of newly created files
By default a logged-in user can access the whole system starting from the / directory.
Restrict users to their own directory:
chroot_local_user=YES # confine local users to their home directory
allow_writeable_chroot=YES # allow writes to the top-level (chroot) directory
# if you do not use the directive above, remove the user's write permission on their home directory;
# the user then cannot write in the root of the chroot, only inside subdirectories
See the configuration file for the related directives.
- Virtual user login
Reference link (well written and very detailed)
Configure the virtual user IDs and passwords: create a file that stores the accounts and passwords. Every two lines are one account and its password. For example, touch vuser.txt and write:
hello
123456
jack
abcd
Then configure it:
# convert the list to a database and tighten the permissions (run in /etc/vsftpd, or adjust the db= path below)
db_load -T -t hash -f vuser.txt vuser.db
chmod 600 vuser.txt vuser.db
# create the system user that virtual accounts are mapped to
useradd -d /opt/vuser -s /sbin/nologin vuser
# configure the authentication module
vim /etc/pam.d/vsftpd.vu
# write the following lines; note where the database file was generated
auth required pam_userdb.so db=/etc/vsftpd/vuser ## the converted database file (path without the .db suffix)
account required pam_userdb.so db=/etc/vsftpd/vuser ## the password service used for the connection
# edit the configuration file
#pam_service_name=vsftpd ## comment this out
## add the three lines below; if problems occur, delete the trailing comments and leave no extra spaces
guest_enable=YES ## enable guest (virtual user) access
guest_username=vuser ## map guests to the vuser account
pam_service_name=vsftpd.vu ## the pam service
Then you can log in as a virtual user.
After logging in you will find that you can upload files but cannot see the files in the root directory (the root directory is not readable).
You can then change the permissions of the vuser home directory with chmod o+r ~vuser to grant that access.
Because I set anon_umask=022 earlier, files can be created in the folder; if it is not set, or the permissions are stricter, the folder may not be displayed.
Setting permissions per user
mkdir vu_dir
# edit /etc/vsftpd/vsftpd.conf and add => the path of the per-user configuration directory
user_config_dir=/etc/vsftpd/vu_dir
Then in vu_dir create a file named after the user:
echo anon_umask=000 > hello # change the permissions for the hello user
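Two things go wrong silently in the virtual-user setup above: a blank or extra line in vuser.txt shifts the name/password pairing that db_load relies on, and a file under user_config_dir that does not match any account is never read. The following shell script, an added example that is not part of the original post, checks the account file for those problems before it is passed to db_load and writes a per-user option only for an account that exists. The function names and the sample file content are my own.

```sh
#!/bin/sh
# Added example, not from the original post: validate the vuser.txt account
# list and manage per-user override files (hypothetical function names).

# Check the alternating "user name / password" layout of FILE.
# Prints each problem found; returns 0 only if the file is usable.
check_vuser_file() {
  awk '
    /^[ \t]*$/ { print "line " NR ": blank line shifts the name/password pairing"; bad = 1 }
    NR % 2 == 1 && $0 !~ /^[a-z_][a-z0-9_-]*$/ { print "line " NR ": \"" $0 "\" is not a valid user name"; bad = 1 }
    END {
      if (NR % 2 == 1) { print "odd number of lines (" NR "): the last account has no password"; bad = 1 }
      exit bad
    }
  ' "$1"
}

# Print the user names (the odd lines) of FILE, one per line.
vuser_names() {
  awk 'NR % 2 == 1' "$1"
}

# Append OPTION (KEY=VALUE) to DIR/USER, the per-user file vsftpd reads when
# user_config_dir points at DIR, but only if USER is listed in FILE.
set_vuser_option() {
  file=$1 dir=$2 user=$3 option=$4
  vuser_names "$file" | grep -qx "$user" || { echo "no such virtual user: $user"; return 1; }
  mkdir -p "$dir"
  printf '%s\n' "$option" >> "$dir/$user"
}

# Demonstration on a constructed account file with the same layout as above.
demo=$(mktemp -d)
printf 'hello\n123456\njack\nabcd\n' > "$demo/vuser.txt"
check_vuser_file "$demo/vuser.txt" && echo "vuser.txt: layout ok"
set_vuser_option "$demo/vuser.txt" "$demo/vu_dir" hello anon_umask=000 \
  && echo "wrote $demo/vu_dir/hello: $(cat "$demo/vu_dir/hello")"
rm -rf "$demo"
```

Run check_vuser_file on the real list before db_load; the password lines are deliberately not validated beyond their position, so a password containing spaces or capitals is still accepted.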
ftp service modes of operation
- Active mode
In this mode, briefly: after the client has connected to the server and authentication has completed, the client tells the server which port it is listening on, and during data transfer the server actively connects to that client port and sends the data.
Because in active mode the server actively connects to the client, the client must have a port that can be reached from outside. In general, however, the client sits inside an internal network and the server cannot establish a connection to it through the network; in that case use the passive mode below.
- Passive mode
This mode solves the problem of the client being inside an internal network. The ftp main process is responsible for accepting new connection requests and then opens a child process to handle each single connection. That is, for each external connection ftp establishes a separate channel and informs the client; after that, for data transfer the client simply sends its data and commands to that new channel (a tcp connection established on a different port). So only the server's ports and ip need to be exposed, which is usually a public ip, and this solves the access problems from inside internal networks.
Accessing the ftp server
When my machine accesses the server, passive mode is needed, and also because the server is inside an internal network (my understanding of the network here is not very good: the outer layer of the server adds a layer of protection, which should be the role of the security group; traffic then reaches the public ip and is forwarded to the corresponding internal port of the server).
The basic configuration is to turn on passive mode in vsftpd and set the port range; note that the specified ports must be opened in the server's security group.
If the firewall is turned on, the specified ports must be opened there as well.
pasv_enable=YES
# port range
pasv_min_port=30000
pasv_max_port=31000
If only this is set, then by watching the ftp session with wireshark you can see that the server does open a new channel, but the ip it tells the client is its internal network address, so the client tries to connect to it and always fails.
So the server address has to be specified, so that the server tells the client to use this ip:
pasv_address=$ip # $ip is the server's public ip
# also: enable ipv4 and turn off ipv6; I do not understand this part very well
listen=YES
#listen_ipv6=YES
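The channel announcement described in the passive-mode section, and the wrong-address symptom above, both live in one server reply: the answer to the client's PASV is "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where the first four numbers are the ip and the data port is p1*256+p2. This shell script, added here and not part of the original post, decodes such a reply and checks it the way the wireshark trace above is read: is the advertised ip a private address, and does the port fall inside pasv_min_port..pasv_max_port. The sample replies are constructed and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: decode and check the 227 reply
# a vsftpd server sends in passive mode (hypothetical function names,
# constructed sample replies).

# Print "ip port" decoded from a 227 reply "(h1,h2,h3,h4,p1,p2)"; port = p1*256+p2.
# Returns 1 if the line carries no usable tuple.
pasv_decode() {
  tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
  [ -n "$tuple" ] || return 1
  IFS=, read -r h1 h2 h3 h4 p1 p2 extra <<EOF
$tuple
EOF
  [ -n "$p2" ] && [ -z "$extra" ] || return 1
  printf '%s.%s.%s.%s %d\n' "$h1" "$h2" "$h3" "$h4" "$(( p1 * 256 + p2 ))"
}

# Return 0 if IP is in an RFC 1918 private range (10/8, 172.16/12, 192.168/16).
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Check a 227 reply against the configured range (MIN..MAX, the pasv_min_port
# and pasv_max_port values). Prints diagnostics; returns 0 only when a client
# on the public internet could reach the announced channel.
check_pasv_reply() {
  reply=$1 min=$2 max=$3 status=0
  decoded=$(pasv_decode "$reply") || { echo "FAIL: cannot parse reply: $reply"; return 2; }
  ip=${decoded% *}; port=${decoded#* }
  if is_private_ip "$ip"; then
    echo "FAIL: server announced private address $ip (set pasv_address to the public ip)"
    status=1
  fi
  if [ "$port" -lt "$min" ] || [ "$port" -gt "$max" ]; then
    echo "FAIL: data port $port is outside $min-$max; security group/firewall will not pass it"
    status=1
  fi
  [ $status -eq 0 ] && echo "ok: client connects to $ip:$port"
  return $status
}

# Demonstration with constructed replies for the 30000-31000 range above:
# the first is the failure mode described (internal address announced).
check_pasv_reply '227 Entering Passive Mode (10,0,0,5,117,48).' 30000 31000
check_pasv_reply '227 Entering Passive Mode (203,0,113,7,117,48).' 30000 31000
```

The reply text itself is what a client shows with its debug/verbose option, so the same line can be pasted straight from a failing session; the check is purely local and never contacts the server.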
Other knowledge
chroot => change the root directory reference
umask => mask applied when setting file permissions
selinux => security related
netstat -anp | grep vsftpd => observe the ports vsftpd opens; in passive mode, if a file is transferred quickly, the newly opened channel can be observed
wireshark => analyze the communication between client and server