Shulou(Shulou.com)06/03 Report--

I. brief explanation

Ftp: file transfer protocol

Vsftpd: a very secure ftp process

Second, the working mode

The command port of ftp is 21

Active mode (not recommended): ftp data port is 20, the server connects to the client, because the client has a firewall, so it is inconvenient to use

Passive mode (recommended): the server tells the client my open port, and the client connects to the server

Third, install vsftpd

Yum-y install vsftpdsetenforce 0sed-I's etc/selinux/config'/ etc/selinux/config

After the installation is complete, the firewall setting opens the port in 21 and in the configuration file (pasv_min_port to pasv_max_port)

Configuration file: / etc/vsftpd/vsftpd.conf

Main program: / usr/sbin/vsftpd

Fourth, configure ftp in passive mode

1. General configuration

# anonymous anonymous_enable=NO#local system userlocal_enable=YESallow_writeable_chroot=YES#passive mode and portpasv_enable=YESpasv_min_port=20000pasv_max_port=20999#listenlisten=YESlisten_ipv6=NOconnect_from_port_20=YES#log xferlog_enable=YESxferlog_file=/var/log/xferlog#welcome infodirmessage_enable=YES#trans limitidle_session_timeout=120data_connection_timeout=120tcp_wrappers=YESmax_clients=10max_per_ip=10#safelocal_umask=022chroot_local_user=YES

two。 Anonymous user configuration (not recommended)

Anonymous user anonymous, corresponding to the ftp user of the server. The folder accessed is / var/ftp, except root cannot have write permission.

Enable configuration

# anonymous anonymous_enable=YES

3. System user configuration (not recommended)

Because ftp is transmitted in clear text, if you get caught, you can see the user name and password of the system user, which makes the server insecure

Related configuration

# local system userlocal_enable=YESwrite_enable=YES

Virtual user configuration (recommended)

It can be based on both database and file modes, and the file mode is configured as follows:

1. Create a user database file

The vm_user.txt format must be one-line user name and one-line password, such as

Tom

123456

Vi / etc/vsftpd/vm_user.txtcd / etc/vsftpd/db_load-T-t hash-f vm_user.txt vm_user.dbchmod 600 vm_user.db

two。 Create mapped users and FTP directories

Useradd-s / sbin/nologin ftpuser

3. Create a pam file

Vi / etc/pam.d/vm-vsftpdauth required pam_userdb.so db=/etc/vsftpd/vm_useraccount required pam_userdb.so db=/etc/vsftpd/vm_user

4. Configure in vsftp.conf

# vm_ftpguest_enable=YESguest_username=ftpuserpam_service_name=vm-vsftpduser_config_dir=/etc/vsftpd/vm_ftp.d/

5. Set separate permissions for virtual users

Mkdir / etc/vsftpd/vm_ftp.d/mkdir / home/ftpuser/lifechown-R ftpuser:ftpuser / home/ftpuser/vi / etc/vsftpd/vm_ftp.d/tomwrite_enable=YESanon_world_readable_only=NOanon_upload_enable=YESanon_mkdir_write_enable=YESanon_other_write_enable=YESlocal_root=/home/ftpuser/life

6. The complete vsftpd.conf configuration is as follows

# anonymous anonymous_enable=NO#local system userlocal_enable=YESallow_writeable_chroot=YES#passive mode and portpasv_enable=YESpasv_min_port=20000pasv_max_port=20999#listenlisten=YESlisten_ipv6=NOconnect_from_port_20=YES#log xferlog_enable=YESxferlog_file=/var/log/xferlog#welcome infodirmessage_enable=YES#trans limitidle_session_timeout=120data_connection_timeout=120tcp_wrappers=YESmax_clients=10max_per_ip=10#safelocal_umask=022chroot_local_user=YES#vm_ftpguest_enable=YESguest_username=ftpuserpam_service_name=vm-vsftpduser_config_dir=/etc/vsftpd/vm_ftp.d/

7. Restart and add boot entry

Systemctl restart vsftpdsystemctl enable vsftpd

VI. Virtual file configuration based on mysql or mariadb

The basic configuration is the same as above, except that the pam module files and database tables are modified.

The content of the 1.pam file is changed. A crypt of 0 means that the database is stored in plain text and encrypted in 1 bit.

Auth required / usr/lib64/security/pam_mysql.so user=ftpuser passwd=ftp123456 host=localhost db=mylab table=ftp_user usercolumn=name passwdcolumn=password crypt=0account required / usr/lib64/security/pam_mysql.so user=ftpuser passwd=ftp123456 host=localhost db=mylab table=ftp_user usercolumn=name passwdcolumn=password crypt=0

two。 Files required to install pam

Yum-y install pam-devel

Install pam_mysql-0.7RC1

Tar xf pam_mysql-0.7RC1.tar.gzcd pam_mysql-0.7RC1./configure-with-mysql=/home/program/mariadb/-with-pam-mods-dir=/lib64/security/make & make install

The pam module file needs to use the database library file, so

Vi / etc/ld.so.conf.d/mysql.conf/home/program/mariadb/libldconfig

3. Database creation tables and authorized users

Create table ftp_user (id int not null auto_increment primary key,name char (20) binary not null,password char (48) binary not null); insert into ftp_user (name,password) values ('ftphome','123'), (' ftpwork','456'); grant select on mylab.ftp_user to 'ftpuser'@'localhost' identified by' 123456

VII. Configuration instructions

Whether anonymous_enable=YES enables anonymous users local_enable=YES whether to enable system users write_enable=YES can upload files anon_upload_enable=YES by default anonymous users cannot upload, but the default var/pub directory itself does not have write permission Anon_mkdir_write_enable=YES anonymous users can create folders anon_other_write_enable=YES anonymous users other write permissions dirmessage_enable=YES whether to display hidden files under the welcome information directory. Message for the content xferlog_enable=YES whether to start the transfer log xferlog _ file=/var/log/xferlog specifies whether the log file xferlog_std_format=YES log file is uploaded using the standard format chown_uploads=YES whether to change the owner chown_username=whoever change Owner idle_session_timeout=600 command connection timeout data_connection_timeout=120 data connection timeout ascii_upload_enable=YES uploads ascii_download_enable=YES in text mode downloads chroot_local_user=YES in text mode all users lock to home directory chroot_list_enable=YES requires exception chroot_list_file=/etc/vsftpd/chroot_list exception user list allow_writeable_chroot=YES when the directory is locked in By default, you can log in without write permission to the root folder. This setting enables writing to listen=YES whether to listen to pam_service_name=vsftpd pam verification file module name userlist_enable=YES to enable user_list file userlist_deny=NO when it is yes, the list cannot log in. When no, only users in the list can log in tcp_wrappers=YES can be restricted through the host file nax_clients = 10 maximum number of client connections max_per_ip = 10 each ip can connect several anon_world_readable_only=YES allowed to download, YES can not be downloaded, NO can

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.