2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
10.1. Introduction to FTP service
FTP is a widely used communication protocol on the Internet for transferring files between hosts. Common FTP server software on Linux includes wu-ftpd, vsftpd (Very Secure FTP Daemon), proftpd, pureftpd and so on. Client software includes:
CLI: ftp, lftp; non-interactive download tools such as wget and lftpget
GUI: gftp, FlashFXP, CuteFTP, FileZilla
FTP follows the client/server (C/S) model and connects client and server over TCP. Unlike most other application protocols, however, FTP establishes two connections between the client and the server: a control connection and a data connection. The control connection carries the FTP commands and replies exchanged during the session, and the data connection carries the transferred data. Communication between an FTP client and server proceeds as follows:
1. The user connects to the remote FTP server program with an FTP client program.
2. The user uploads or downloads files through the client program, which sends the corresponding commands to the FTP server over the control connection.
3. The server program receives and executes the commands issued by the user.
4. The FTP server returns the result of the execution to the client.
By default, the FTP server uses two pre-assigned port numbers, 20 and 21, for the data connection and the control connection respectively. Data transfer, however, can work in either active mode or passive mode, and the ports used for the data connection differ between the two.
How active mode works: the FTP client connects to port 21 of the FTP server and sends a user name and password to log in. When the client wants to list a directory or read data, it opens a random port (above 1024) and sends a PORT command to the server, telling the server that the client is using active mode and which port it has opened. After receiving the PORT command and the port number, the FTP server connects from its own port 20 to the port the client opened and sends the data, as shown in the following figure:
How passive mode works: the FTP client connects to port 21 of the FTP server and sends a user name and password to log in. When the client wants to list a directory or read data, it sends a PASV command to the server. The server opens a random local port (above 1024), tells the client which port it opened, and the client connects to that port on the server for the data transfer, as shown in the following figure:
Reference: https://my.oschina.net/binny/blog/17469
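The PORT/PASV negotiation described above, as an added example that is not part of the original article: it decodes the h1,h2,h3,h4,p1,p2 address tuple that both the PORT command and the 227 reply carry, builds a PORT line, and states which side opens the data connection and to which port, which is what a firewall rule for either mode needs. The sample addresses and the function names are constructed for this example.

```python
import re
from ipaddress import IPv4Address

# Both the client's PORT command and the server's 227 reply carry the
# address as six decimal bytes: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (host, port) from a PORT command or a 227 'Entering Passive Mode' reply."""
    m = _SIX.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"byte out of range in {text!r}")
    return str(IPv4Address(bytes(parts[:4]))), parts[4] * 256 + parts[5]

def encode_port_command(host, port):
    """Build the PORT line an active-mode client sends for the port it opened."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = IPv4Address(host).packed
    return "PORT " + ",".join(str(b) for b in (*octets, port // 256, port % 256))

def data_connection(mode, client_ip, server_ip, text):
    """Describe the TCP data connection that follows the negotiation in 'text'.

    Active: the server connects from port 20 to the address in the client's PORT.
    Passive: the client connects to the address in the server's 227 reply.
    An address that differs from the control-connection peer is flagged: for
    PASV it usually means a NAT/pasv_address problem, for PORT vsftpd refuses it.
    """
    host, port = decode_hostport(text)
    if mode == "active":
        warn = None if host == client_ip else f"PORT host {host} != client {client_ip}"
        return {"initiator": "server", "src_port": 20,
                "dst_host": host, "dst_port": port, "warning": warn}
    if mode == "passive":
        warn = None if host == server_ip else f"227 host {host} != server {server_ip}"
        return {"initiator": "client", "src_port": None,
                "dst_host": host, "dst_port": port, "warning": warn}
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample exchange: client 10.0.0.5 talking to server 192.168.1.10.
SAMPLE_PORT = "PORT 10,0,0,5,156,64"                              # client listens on 40000
SAMPLE_227 = "227 Entering Passive Mode (192,168,1,10,195,149)."  # server listens on 50069
```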
10.2. Installation and configuration of vsftpd server
vsftpd can be installed from an rpm package or from source. With rpm you only need the yum command; installation from source is described here. The official site is http://vsftpd.beasts.org/, and the installation and configuration below use version 3.0.2.
File layout:
/etc/vsftpd: configuration file directory
/etc/rc.d/init.d/vsftpd: service script
/usr/sbin/vsftpd: main program
/var/ftp: data file directory (the directory accessed by anonymous users)
/etc/pam.d/vsftpd: PAM (Pluggable Authentication Module) authentication file
PAM module library files: /lib64/security/pam*.so
Authentication configuration files: /etc/pam.conf and /etc/pam.d/*
Basic configuration: /etc/vsftpd/vsftpd.conf
[root@mylinux vsftpd-3.0.2]# useradd nobody             # user expected by the default configuration
[root@mylinux vsftpd-3.0.2]# mkdir /usr/share/empty      # directory expected by the default configuration
[root@mylinux vsftpd-3.0.2]# mkdir /var/ftp              # directory used by anonymous users
[root@mylinux vsftpd-3.0.2]# useradd -d /var/ftp/ ftp
[root@mylinux vsftpd-3.0.2]# chown root.root /var/ftp/
[root@mylinux vsftpd-3.0.2]# chmod og-w /var/ftp/
[root@mylinux app]# tar xf vsftpd-3.0.2.tar.gz
[root@mylinux app]# cd vsftpd-3.0.2
[root@mylinux vsftpd-3.0.2]# make && make install
[root@mylinux vsftpd-3.0.2]# cp vsftpd.conf /etc/        # copy the configuration file to /etc/
Start and shut down vsftpd
vsftpd supports two startup modes: xinetd and standalone. In xinetd mode the vsftpd service is started and stopped by the xinetd process; this is vsftpd's default startup mode. In standalone mode vsftpd runs as an independent process that is started and stopped like an ordinary program.
xinetd mode:
In this mode vsftpd cannot be managed separately: whenever vsftpd needs to be restarted, the whole xinetd server must be restarted.
Standalone mode:
In this mode the vsftpd service is started and stopped as a separate process. The steps to configure standalone startup are as follows:
[root@mylinux vsftpd-3.0.2]# vim /etc/xinetd.d/vsftpd    # change the disable option to yes
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/sbin/vsftpd
#       server_args     =
#       log_on_success  += DURATION USERID
#       log_on_failure  += USERID
        nice            = 10
        disable         = yes
}
[root@mylinux vsftpd-3.0.2]# vim /etc/vsftpd.conf         # specify standalone startup mode
listen=YES
[root@mylinux vsftpd-3.0.2]# chkconfig --level 3 vsftpd off   # disable automatic start of the service
[root@mylinux vsftpd-3.0.2]# /usr/local/sbin/vsftpd &      # launch
[1] 1926
Log in to ftp:
[root@mylinux vsftpd-3.0.2]# ftp localhost     # log in to the local host
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): anonymous              # log in as the anonymous user
331 Please specify the password.
Password:                                      # anonymous users do not need a password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode.
150 Here comes the directory listing.
226 Directory send OK.
ftp> quit                                      # exit
221 Goodbye.
[root@mylinux vsftpd-3.0.2]#
The vsftpd.conf configuration file
The vsftpd server is configured mainly through its main configuration file /etc/vsftpd.conf. Lines beginning with '#' are comments, each option occupies one line, and the format is 'option=value'.
Common options:
Configuration of anonymous users:
anonymous_enable=YES    login permission
anon_upload_enable=YES  upload permission
anon_other_write_enable=YES  delete permission
anon_mkdir_write_enable=YES  permission to create directories
When a write feature is enabled, the ftp user must also have the corresponding write permission on the local file system; the permission that takes effect is the intersection of the file system permissions and the service permissions.
Confine users to their home directories (chroot):
chroot_local_user={YES|NO}
chroot_list_enable={YES|NO}  confine only the users named in the list (note: when chroot_local_user=YES is also set, the list instead names the users who are not confined)
chroot_list_file=/etc/vsftpd/chroot_list  list of confined users
Definition of the welcome message:
ftpd_banner=some string
or banner_file=/path/to/some_banner_file (write the welcome message in the file)
dirmessage_enable=YES (show a welcome message when changing into a directory)
Create a .message file in a directory accessible to ftp
Mechanisms for controlling which users may log in:
Users listed in /etc/vsftpd/ftpusers are not allowed to use the ftp service; this is enforced by /etc/pam.d/vsftpd.
The user_list file can be used in two ways:
Blacklist:
userlist_enable=YES
userlist_deny=YES
Whitelist:
userlist_enable=YES
userlist_deny=NO
Connection limits:
max_clients: maximum number of concurrent connections
max_per_ip: maximum number of concurrent connections from a single IP address
Transfer rate:
anon_max_rate: maximum transfer rate for anonymous users, in bytes per second
local_max_rate: maximum transfer rate for local users, in bytes per second
umask for uploaded files:
anon_umask: umask of files uploaded by anonymous users
local_umask: umask of files uploaded by local users
Change the owner and group of files uploaded by anonymous users:
chown_uploads=YES
chown_username=someuser
System users for ftp:
Anonymous user -> system user: anonymous_enable
System user: local_enable
Virtual user: all virtual users are mapped to one system user, and the directory they access is that system user's home directory.
Where the users are stored:
Hash-encoded file: odd lines are user names, even lines are passwords
Relational database: pam-mysql performs the authentication
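An added example, not from the original article: a small checker for the 'option=value' format described above that reports the anonymous-write, chroot and user_list settings from the option list, applying the rule that the effective write permission depends on several options at once. The default values and the sample configuration are assumptions made for this example; only options named in this section are checked.

```python
# vsftpd's compiled-in defaults for the options checked here (assumed values).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
}
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_vsftpd_conf(text):
    """Parse the 'option=value' format: one option per line, '#' lines are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"

def audit(conf):
    """Return finding codes for the settings discussed in the section above."""
    findings = []
    # Anonymous writes need write_enable plus at least one anon_* option; the
    # mode of the target directory on disk further bounds what is allowed.
    if (_yes(conf, "anonymous_enable") and _yes(conf, "write_enable")
            and any(_yes(conf, o) for o in ANON_WRITE_OPTS)):
        findings.append("ANON_WRITE")
    if _yes(conf, "local_enable") and not _yes(conf, "chroot_local_user"):
        findings.append("LOCAL_NOT_CHROOTED")
    if _yes(conf, "userlist_enable"):
        findings.append("USERLIST_BLACKLIST" if _yes(conf, "userlist_deny")
                        else "USERLIST_WHITELIST")
    return findings

SAMPLE_CONF = """\
# constructed sample vsftpd.conf, not taken from a real server
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
chroot_local_user=NO
userlist_enable=YES
userlist_deny=NO
"""
```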
10.2. vsftpd authentication based on pam-mysql
1. Install mysql and pam_mysql
[root@localhost home]# yum -y install vsftpd mysql-server mysql-devel pam_mysql
2. Prepare the database and related tables
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'mylinux';
mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'mylinux';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL,
    -> primary key (id)
    -> );
3. Add the virtual users to test with. For security, passwords should be stored encrypted with the PASSWORD() function.
mysql> insert into users (name,password) values ('tom',password('123456'));
mysql> insert into users (name,password) values ('jerry',password('123456'));
4. Create the file required for PAM authentication: # vi /etc/pam.d/vsftpd.mysql
auth required /lib/security/pam_mysql.so user=vsftpd passwd=mylinux host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=mylinux host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
pam_mysql.so may have problems connecting to the mysql server over the UNIX socket, so it is recommended to grant a mysql account that connects over the network access to the vsftpd database.
5. Modify the vsftpd configuration file to use mysql authentication, and create the system user and directory that the virtual users are mapped to.
[root@localhost home]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@localhost home]# chmod go+rx /var/ftproot
Make sure the following options are enabled in /etc/vsftpd.conf:
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
Then add the following options:
guest_enable=YES
guest_username=vuser
And make sure the pam_service_name option is set as follows:
pam_service_name=vsftpd.mysql
6. Start the vsftpd service
[root@localhost home]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost home]# chkconfig vsftpd on
7. Configure virtual users with different access rights
Configure vsftpd to use a per-user configuration directory for virtual users:
# vim vsftpd.conf
Add:
user_config_dir=/etc/vsftpd/vusers_config
Create the required directory and provide a configuration file for each virtual user:
# mkdir /etc/vsftpd/vusers_config/
# cd /etc/vsftpd/vusers_config/
# touch tom jerry
Configure the access rights of the virtual users. A virtual user's access rights to the vsftpd service are controlled through the directives for anonymous users. For example, to give the user tom permission to upload files, edit /etc/vsftpd/vusers_config/tom and add the following options:
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}