
Robust and simple file sharing service

2025-01-20 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In official terms, FTP (File Transfer Protocol) is a standard protocol for transferring files over a network, and its goal is to make file sharing easier. This article looks at the two aspects of FTP that matter most in practice: its two transfer modes and FTP user management.

1. Two modes of ftp

Concise and direct:

Active FTP:

Command connection: client port > 1024 -> server port 21

Data connection: server port 20 -> client port > 1024

Passive FTP:

Command connection: client port > 1024 -> server port 21

Data connection: client port > 1024 -> server port > 1024

Specific description:

As shown in the figure, the control connection is established the same way in both modes: the server listens on port 21 and the client initiates a TCP connection to that port. In active mode, once the server learns through the control connection which port the client is listening on, it uses its own port 20 as the source port and "actively" initiates the TCP data connection to the client. In passive mode, by contrast, the server listens on a random port in the range 1024-65535, tells the client that port through the control connection, and the client initiates a TCP data connection to that port on the server.

Which of the two modes should be chosen? Select passive mode.

If the FTP client is on a private network and the FTP server is on the public network (the CVM application scenario), the server should use passive mode, because in this scenario the FTP server cannot reach the FTP client inside the private network, while the FTP client can reach the FTP server.

But opening ports above 1024 on the ftp server is not safe, so what can be done?

First, configure the server with a high port range, and then have the firewall restrict that port range so that only clients may connect to it.

Second, restrict the client ip addresses by specifying the particular client addresses that are allowed (whoever uses it is whoever may connect).

Passive mode configuration:

connect_from_port_20=NO
pasv_enable=YES          # enable passive mode
pasv_min_port=%number%   # lowest passive mode port
pasv_max_port=%number%   # highest passive mode port
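The two hardening steps above (a bounded passive range plus a firewall that only admits known clients) as an added shell example; it is not code from the original article, and the port range and client addresses are assumptions:

```shell
#!/bin/sh
# Added example, not from the original article: derive the vsftpd passive-mode
# settings and matching firewalld rules from a chosen port range and the list
# of client addresses allowed to connect. Ports and addresses are assumptions.

PASV_MIN=30000   # assumed lowest passive port
PASV_MAX=30100   # assumed highest passive port
CLIENTS="203.0.113.10 203.0.113.11"   # constructed client addresses (TEST-NET-3)

# The range must sit above the privileged ports, fit in 16 bits and be ordered.
check_pasv_range() {
    [ "$1" -gt 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# vsftpd.conf fragment: passive mode on, active-mode port-20 source off.
pasv_conf() {
    check_pasv_range "$1" "$2" || { echo "bad passive range $1-$2" >&2; return 1; }
    printf 'connect_from_port_20=NO\npasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# firewalld rich rules: each allowed client may reach port 21 and the passive
# range; nothing else is opened, so the high ports stay closed to everyone else.
fw_rules() {
    min=$1; max=$2; shift 2
    for ip in "$@"; do
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"21\" protocol=\"tcp\" accept'\n" "$ip"
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s-%s\" protocol=\"tcp\" accept'\n" "$ip" "$min" "$max"
    done
}

# Dry run: print the fragment and the rules instead of applying them.
pasv_conf "$PASV_MIN" "$PASV_MAX"
fw_rules "$PASV_MIN" "$PASV_MAX" $CLIENTS
```

The printed firewall-cmd lines can be reviewed and then run with `firewall-cmd --reload` afterwards; the script itself changes nothing on the host.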

2. ftp virtual users (a measure to enhance access security)

Concise and direct:

There are three ways to log in to FTP: anonymous login, local user login and virtual user login.

Anonymous login: use the default user name when logging in to FTP, usually ftp or anonymous.

Local user login: log in using a system user, that is, one listed in /etc/passwd.

Virtual user login: an FTP-specific user. Virtual users can be implemented in two ways, with a local data file or with a database server.

FTP virtual users are proprietary users of the FTP server. Using virtual users to log in to FTP can only access the resources provided by the FTP server, which greatly enhances the security of the system.

Specific implementation:

2.1 Setup

yum -y install vsftpd

Add a virtual user file containing the virtual user names and passwords: one line user name, one line password, and so on. Odd lines are user names, even lines are passwords.

vim /etc/vsftpd/vuser.txt

name    # user name

passwd  # password

Generate the virtual user authentication file:

db_load -T -t hash -f /etc/vsftpd/vuser.txt /etc/vsftpd/vuser.db

Edit vsftpd's PAM authentication file /etc/pam.d/vsftpd

The other lines in the vsftpd file can be commented out.

Add the following:

auth    required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser

account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser

Create the locally mapped user and set the home directory permissions:

useradd -d /data -s /sbin/nologin vsftpd

chmod a-w /data

chown -R vsftpd:vsftpd /data

2.2 Configuration file vsftpd.conf

# connection related
ftpd_banner=welcome to ftp service
# idle timeout: the server disconnects the session if the user performs no action during this period
idle_session_timeout=300
# data connection timeout
data_connection_timeout=60
connect_timeout=60
max_clients=100
# allow each client address 3 connections
max_per_ip=3
listen_address=192.168.100.100
listen_port=21
# permissions related
# do not allow anonymous users to log in
anonymous_enable=NO
# allow local users to log in (here the system user vsftpd is created for this)
local_enable=YES
# allow uploads in ASCII mode (to prevent malicious files such as upload scripts; note the denial-of-service risk)
ascii_upload_enable=YES
guest_enable=YES
guest_username=vsftpd
# allow anonymous users (here the virtual users mapped onto the system user) to upload
anon_upload_enable=YES
# allow anonymous users to create directories and write
anon_mkdir_write_enable=YES
# enable global write permission
write_enable=YES
# with this setting, directories uploaded by the client get permission 755 and files 644
anon_umask=022
# the following are the system defaults
# show directory messages: displays the contents of the message_file file under each directory
dirmessage_enable=YES
# xferlog_enable=YES enables logging of upload/download activity
xferlog_enable=YES
# connect_from_port_20=YES enables connection requests from the FTP data port (port 20)
connect_from_port_20=NO
xferlog_std_format=YES
# use the TCP_Wrappers remote access control mechanism in vsftpd; the default is YES
tcp_wrappers=YES

Specially emphasised configuration:

# enable virtual users; the system user the virtual users map to; the PAM service name (the file under /etc/pam.d)
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd
# after this, virtual users can only upload and download files; files already on the ftp server cannot be modified. How can they be modified and deleted?
anon_other_write_enable=YES   # allow virtual users to write (that is, modify and delete operations)

2.3 Start vsftpd

systemctl start vsftpd
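The virtual user procedure in 2.1 and 2.2, as an added shell example that is not part of the original article: it builds the odd/even vuser.txt, converts it with db_load when that tool is present, and checks a vsftpd.conf for the emphasised settings. The scratch directory, user names and passwords are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the odd/even user/password
# file for vsftpd virtual users, convert it with db_load when available, and
# check a vsftpd.conf for the settings the article relies on. Paths and user
# names are assumptions; everything is written to a scratch directory.
WORK=${WORK:-$(mktemp -d)}

# Write vuser.txt from "user:password" pairs: odd lines = user, even = password.
make_vuser_txt() {
    out=$1; shift
    : > "$out"
    for pair in "$@"; do
        printf '%s\n%s\n' "${pair%%:*}" "${pair#*:}" >> "$out"
    done
}

# vuser.txt must have an even, non-zero number of lines; a stray line would
# make db_load pair a password with the next user name.
vuser_txt_ok() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# Value of a key in vsftpd.conf (keys are lowercase, no spaces around '=').
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Check the emphasised settings: anonymous login off, guest (virtual) users on and
# mapped to a system user, pam_service_name matching /etc/pam.d/vsftpd, port 20 off.
conf_check() {
    f=$1; fails=0
    [ "$(conf_get "$f" anonymous_enable)" = NO ]       || { echo "anonymous_enable must be NO"; fails=1; }
    [ "$(conf_get "$f" guest_enable)" = YES ]          || { echo "guest_enable must be YES"; fails=1; }
    [ -n "$(conf_get "$f" guest_username)" ]           || { echo "guest_username is missing"; fails=1; }
    [ "$(conf_get "$f" pam_service_name)" = vsftpd ]   || { echo "pam_service_name must be vsftpd"; fails=1; }
    [ "$(conf_get "$f" connect_from_port_20)" = NO ]   || { echo "connect_from_port_20 must be NO"; fails=1; }
    return $fails
}

# Constructed sample users (placeholder credentials, not real ones).
make_vuser_txt "$WORK/vuser.txt" "alice:example-pass-1" "bob:example-pass-2"
command -v db_load >/dev/null 2>&1 && db_load -T -t hash -f "$WORK/vuser.txt" "$WORK/vuser.db"

# Constructed vsftpd.conf fragment mirroring the article's emphasised settings.
cat > "$WORK/vsftpd.conf" <<'EOF'
anonymous_enable=NO
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd
connect_from_port_20=NO
anon_other_write_enable=YES
EOF
conf_check "$WORK/vsftpd.conf" && echo "vsftpd.conf: virtual-user settings OK"
```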
