
What is the configuration of vsftpd?

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article walks through vsftpd configuration in detail; I hope it is a helpful reference.

IP listening and connection control

There are two startup parameters for running vsftpd in stand-alone mode (standalone):

listen=yes/no

listen_ipv6=yes/no

The first was mentioned earlier; the second applies in an IPv6 network environment. Only one of these two parameters can be set to yes.

In the actual network environment, the server usually has multiple IP addresses, and each IP address is connected to a different network segment, so we may not want computers on all network segments to be able to access the server. By default, vsftpd listens on all IP addresses, so we need the following two lines:

listen_address=IP address to listen on

listen_address6=IP address to listen on

These two lines are for IPv4 and IPv6 environments, respectively.

The following two items are vsftpd concurrent connection control:

max_clients=number

max_per_ip=number

The parameter max_clients sets the maximum number of concurrent connections that the server can accept, and max_per_ip sets the maximum number of connections that can be initiated by each client IP. By setting these two parameters appropriately for server performance, you can find a balance between the number of connections acceptable to the server and the connection speed. Both default values are 0, which means there is no limit.

accept_timeout=number

connect_timeout=number

data_connection_timeout=number

idle_session_timeout=number

The numbers above are all in seconds. accept_timeout is the timeout for establishing the data connection when the pasv data connection mode is used; connect_timeout is the timeout for establishing the data connection in port mode; the FTP connection modes are described in more detail below. data_connection_timeout is the idle time allowed on the data connection; once it is exceeded, the data connection is disconnected. idle_session_timeout sets the idle time for the session, that is, how long the client may go without sending an FTP command before the FTP service disconnects it automatically.
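The checks described in this section can be run over a configuration file before it is deployed. The following Python sketch is an added example, not part of the original article or of vsftpd; the sample configuration is constructed, and treating an absent yes/no option as "no" is an assumption.

```python
# Added example (not from the article): audit vsftpd.conf listen/limit settings.
SAMPLE_CONF = """\
# constructed sample, not taken from a real server
listen=YES
listen_ipv6=YES
max_clients=0
max_per_ip=5
idle_session_timeout=abc
"""
TIMEOUTS = ("accept_timeout", "connect_timeout",
            "data_connection_timeout", "idle_session_timeout")

def parse_conf(text):
    """Read option=value lines; blank lines and '#' comment lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def is_yes(opts, key):
    # Assumption: an option that is absent is treated as "no".
    return opts.get(key, "NO").upper() in ("YES", "TRUE", "1")

def audit(opts):
    findings = []
    if is_yes(opts, "listen") and is_yes(opts, "listen_ipv6"):
        findings.append("listen and listen_ipv6 are both yes; only one may be")
    for flag, addr in (("listen", "listen_address"), ("listen_ipv6", "listen_address6")):
        if is_yes(opts, flag) and addr not in opts:
            findings.append(f"{addr} unset: listening on all addresses")
    for key in ("max_clients", "max_per_ip"):
        value = opts.get(key, "0")  # the article gives 0 (no limit) as the default
        if not value.isdecimal():
            findings.append(f"{key}={value!r} is not a number")
        elif int(value) == 0:
            findings.append(f"{key} is 0: no limit on connections")
    for key in TIMEOUTS:
        if key in opts and not opts[key].isdecimal():
            findings.append(f"{key}={opts[key]!r} is not a number of seconds")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print(finding)
```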

5. About connection port settings

One thing that makes FTP different from other services is that it uses two TCP connection channels: the ftp-server connection and the ftp-data connection. The ftp-server connection accepts client connection requests, handles concurrency control and the authentication of identity and permissions, and carries the commands the client issues. The ftp-data connection is responsible for transferring data, so it exists only while there is data to transfer. Let's first look at the ftp-server settings:

listen_port=port number

This sets the ftp-server port number, which defaults to 21. If we specify another port number, the client must use that port when connecting to the server. Let's add this line to the main configuration file:

listen_port=2121

# ftp 127.0.0.1

ftp: connect: Connection refused

ftp> open 127.0.0.1 2121

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

……

Now that we've seen the effect, let's talk about ftp-data connectivity.

There are two modes of FTP data transmission: FTP Port mode and FTP Passive mode, and the two working modes are completely different.

FTP Port mode

In FTP Port mode, after the client has established an ftp-server connection with the server, any instruction that involves data transfer requires an ftp-data connection to be established. The connection steps are as follows:

(1) The client opens another free port xx higher than 1024 to prepare for the connection and uses the port command to send a packet to the server over the ftp-server channel. The packet contains the client's IP address and port xx, telling the server that the client's port xx is ready for the connection. The Port command also supports third-party mode, where the client tells the server to open a connection to another host.

(2) The server actively connects to the client's port xx from its ftp-data port (default is 20).

(3) The client responds to the server's connection and completes the three-way handshake; the ftp-data connection is then established and data transfer begins. When the data transfer is complete, the server's ftp-data port waits to be closed.

We see that in Port mode, the ftp-data connection request is initiated by the server. Now take a look at the statement settings for Port mode in vsftpd:

port_enable=yes/no // whether port mode is enabled

connect_from_port_20=yes/no // whether the fixed port 20 is used by default in port mode

ftp_data_port=port_number // specifies the port number for port mode

port_promiscuous=yes/no // whether to turn off the port-mode client IP check (no keeps the check)

If port_enable is set to yes, port mode is used. If port mode should use the fixed port 20, set connect_from_port_20 to yes, which is the default setting on many servers. We can also specify another port; ftp_data_port is what sets the fixed port. The default value of port_promiscuous is no, which means that before the ftp-data connection is made, the server verifies that the target IP of the data connection is the IP of the real client; with yes, no check is made. Do not change this parameter to yes unless you are sure that the server is connecting to the real client.
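The check that port_promiscuous=no keeps in place can be illustrated by decoding a PORT argument and comparing it with the peer of the control connection. This Python sketch is an added example, not vsftpd's code or part of the original article; the function names and the addresses (documentation ranges) are constructed, and the port rule follows step (1) above.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' from a PORT command into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdecimal() and int(p) <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ip, nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip, port_promiscuous=False):
    """Return (allowed, reason) for a PORT argument received on a control
    connection whose remote address is control_peer_ip."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, str(exc)
    if port_promiscuous:
        # No verification: the server would connect wherever it is told.
        return True, f"unchecked: server would connect to {ip}:{port}"
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, f"{ip} is not the control-connection peer {control_peer_ip}"
    if port <= 1024:
        # Step (1): the client's data port is higher than 1024.
        return False, f"port {port} is not higher than 1024"
    return True, f"data connection to {ip}:{port}"

if __name__ == "__main__":
    peer = "198.51.100.7"  # constructed control-connection peer
    for arg in ("198,51,100,7,195,80", "10,0,0,5,0,22", "1,2,3"):
        print(arg, "->", check_port_command(arg, peer))
    print(check_port_command("10,0,0,5,0,22", peer, port_promiscuous=True))
```

With the default setting the second argument is refused because it names a host other than the connected client, which is the third-party case mentioned in step (1); with port_promiscuous=yes the same argument is accepted.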

That is all on vsftpd configuration for now. I hope the above is of some help to you.
