2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Brief introduction:
Security was the original motivation for writing VSFTP. Beyond this built-in security focus, high speed and high stability are its two other important features.
In terms of speed, when downloading data in ASCII mode, VSFTP is twice as fast as Wu-FTP, and if the Linux host uses a 2.4.* kernel, the download speed can reach 86MB/s on Gigabit Ethernet.
In terms of stability, VSFTP does even better. VSFTP supports more than 4000 simultaneous connections on a single machine (non-cluster). According to figures from Red Hat's FTP server, a VSFTP server can support 15000 concurrent users.
Experimental environment:
OS: CentOS 6.6
Vsftp: vsftpd-2.2.2-12.el6_5.1.x86_64
I. Installation of vsftpd
1. vsftpd can be installed from a downloaded rpm package, or with yum after configuring the official CD .iso as a local yum source
    [root@1inux htdocs]# yum -y install vsftpd
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package vsftpd.x86_64 0:2.2.2-12.el6_5.1 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================
     Package     Arch       Version               Repository   Size
    ================================================================
    Installing:
     vsftpd      x86_64     2.2.2-12.el6_5.1      CD           151 k

    Transaction Summary
    ================================================================
    Install       1 Package(s)

    Total download size: 151 k
    Installed size: 331 k
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : vsftpd-2.2.2-12.el6_5.1.x86_64        1/1
      Verifying  : vsftpd-2.2.2-12.el6_5.1.x86_64        1/1

    Installed:
      vsftpd.x86_64 0:2.2.2-12.el6_5.1

    Complete!
    [root@1inux htdocs]#
2. View the files generated after vsftp installation:
    [root@1inux htdocs]# rpm -ql vsftpd
    /etc/logrotate.d/vsftpd
    /etc/pam.d/vsftpd                     // user authentication configuration file
    /etc/rc.d/init.d/vsftpd               // service script
    /etc/vsftpd/                          // configuration directory
    /etc/vsftpd/vsftpd.conf               // configuration file
    /etc/vsftpd/ftpusers
    /etc/vsftpd/user_list
    /etc/vsftpd/vsftpd_conf_migrate.sh
    /usr/sbin/vsftpd                      // main program
    /var/ftp/                             // anonymous access directory
    /var/ftp/pub
3. Start vsftp after the installation is complete
    [root@1inux htdocs]# service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@1inux htdocs]#
Anonymous login
FTP anonymous login methods:
(1) enter the user name ftp with an empty password, then log in
(2) the user name and password are both anonymous
    ftp> help        // the CentOS ftp client's help command prints the command list
    !               debug           mdir            sendport        site
    $               dir             mget            put             size
    account         disconnect      mkdir           pwd             status
    append          exit            mls             quit            struct
    ascii           form            mode            quote           system
    bell            get             modtime         recv            sunique
    binary          glob            mput            reget           tenex
    bye             hash            newer           rstatus         tick
    case            help            nmap            rhelp           trace
    cd              idle            nlist           rename          type
    cdup            image           ntrans          reset           user
    chmod           lcd             open            restart         umask
    close           ls              prompt          rmdir           verbose
    cr              macdef          passive         runique         ?
    delete          mdelete         proxy           send
    ftp>
Introduction to the main commands:
ascii     transfers data in ASCII mode
binary    transfers data in binary mode
chmod     modifies permissions
cd        changes directory
lcd       changes the local directory
delete    deletes a file
get       downloads a file
put       uploads a file
mget      downloads multiple files at a time
mput      uploads multiple files at a time
pwd       shows the current location
bye       exits
II. Vsftp anonymous access configuration
Note: back up the configuration file before making changes, to prevent irreparable losses:
    # cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
1. Prohibit anonymous users from accessing: modify the configuration file as follows:
anonymous_enable=NO
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): ftp
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.        // access failed
    ftp>
2. Add anonymous user upload permission
anon_upload_enable=YES // enable this line
    ftp> put fstab
    local: fstab remote: fstab
    227 Entering Passive Mode.
    553 Could not create file.        // still reports that the file cannot be created
This is because the vsftp service runs as the ftp user here, which has no write access to the /var/ftp directory.
Solution: create a directory under /var/ftp/ and change its permissions so that the ftp user has read and write access to it:
    [root@1inux vsftpd]# mkdir /var/ftp/upload/
    [root@1inux vsftpd]# cd /var/ftp/
    [root@1inux ftp]# setfacl -m u:ftp:rwx upload/
    [root@1inux ftp]# getfacl upload/
    # file: upload/
    # owner: root
    # group: root
    user::rwx
    user:ftp:rwx
    group::r-x
    mask::rwx
    other::r-x
Now let's try uploading the file again:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (1721878).
    150 Here comes the directory listing.
    drwxr-xr-x    2 0        0            4096 Aug 04  2014 pub
    drwxrwxr-x    2 0        0            4096 May 01 20:43 upload
    226 Directory send OK.
    ftp> cd upload
    250 Directory successfully changed.
    ftp> lcd /etc
    Local directory now /etc
    ftp> put fstab
    local: fstab remote: fstab
    227 Entering Passive Mode (172,16,66,82,47,38).
    1127 bytes sent in 0.000133 secs (8473.68 Kbytes/sec)
    ftp> ls
    227 Entering Passive Mode (172,16,66,82,233,197).
    150 Here comes the directory listing.
    -rw-------    1 14       50           1127 May 01 20:52 fstab        // the file now exists
    226 Directory send OK.
    ftp>
3. Create a directory:
The default configuration prohibits anonymous users from creating directories, which can be changed by modifying the configuration file:
anon_mkdir_write_enable=YES // enable this line
Then save and reload the configuration file:
    [root@1inux vsftpd]# service vsftpd reload
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@1inux vsftpd]#
On the client, log in anonymously and create the directory anontest:
    ftp> mkdir anontest
    257 "/upload/anontest" created        // creation succeeded
    ftp> ls
    227 Entering Passive Mode (172,16,66,82,41,121).
    150 Here comes the directory listing.
    drwx------    2 14       50           4096 May 01 21:02 anontest        // the directory now exists
    -rw-------    1 14       50           1127 May 01 20:52 fstab
    226 Directory send OK.
    ftp>
4. Delete files or directories
Files cannot be deleted in the default configuration, and a line needs to be added to the configuration file as follows:
anon_other_write_enable=YES
Log in anonymously:
    ftp> ls
    227 Entering Passive Mode (172,16,66,82,233,251).
    150 Here comes the directory listing.
    drwx------    2 14       50           4096 May 01 21:02 anontest
    -rw-------    1 14       50           1127 May 01 20:52 fstab
    226 Directory send OK.
    ftp> delete fstab        // delete a file
    250 Delete operation successful.
    ftp> rmdir anontest        // delete a directory
    250 Remove directory operation successful.
    ftp> ls
    227 Entering Passive Mode (172,16,66,82,237,22).
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp>
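The anon_* switches in this section only take effect together with anonymous_enable and write_enable, and vsftpd.conf(5) accepts a directive only as a bare option=value line with the lowercase option names it documents. The Python check below is an added example, not code from the original article or from vsftpd: it reads vsftpd.conf text, reports lines that are not in that form, and lists which anonymous write permissions end up enabled. The function name audit, its YES/NO-only policy and the sample text are assumptions made for the illustration.

```python
import re

# Built-in defaults from vsftpd.conf(5); a distro's shipped file may differ.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO"}
ANON_WRITE = [k for k in DEFAULTS if k.startswith("anon_")]
# vsftpd.conf(5): a directive is option=value with no space around "=".
DIRECTIVE = re.compile(r"^([a-z0-9_]+)=(.+)$")


def audit(conf_text):
    """Return (effective_settings, findings) for vsftpd.conf text."""
    settings, findings = dict(DEFAULTS), []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        m = DIRECTIVE.match(line)
        if not m:
            findings.append(f"line {lineno}: not option=value: {line!r}")
            continue
        name, value = m.groups()
        if name in DEFAULTS:
            # Auditor policy (an assumption of this example): accept only a
            # bare YES/NO here, so a trailing note on the line is reported.
            if value not in ("YES", "NO"):
                findings.append(f"line {lineno}: {name} has value {value!r}")
                continue
            settings[name] = value
    # Anonymous writes need anonymous login, write_enable and the anon_* flag.
    if settings["anonymous_enable"] == settings["write_enable"] == "YES":
        for name in ANON_WRITE:
            if settings[name] == "YES":
                findings.append(f"{name}=YES: anonymous users can write")
    return settings, findings


# Constructed sample: line 3 is capitalised and line 4 carries a trailing
# note, the way the directives are printed in the article.
SAMPLE = """\
anonymous_enable=YES
write_enable=YES
Anon_upload_enable=YES
anon_mkdir_write_enable=YES // enable this line
anon_other_write_enable=YES
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

On the sample, only anon_other_write_enable is counted as active; the other two lines are reported as malformed instead of being treated as enabled.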
III. Local user rights management
1. Log in as a system user [by default, system users can log in, and after logging in they can create, upload and delete files or directories under their home directory]
local_enable=YES // this line is enabled by default
write_enable=YES // write permission is enabled by default
local_umask=022 // controls the permissions of files created after FTP login
Add a user for vsftp:
    [root@1inux vsftpd]# useradd admin
    [root@1inux vsftpd]# passwd admin
    Changing password for user admin.
    New password:
    BAD PASSWORD: it is WAY too short
    BAD PASSWORD: is a palindrome
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@1inux vsftpd]#
1.2. Access:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): admin
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode        // by default, system users land in their home directory
    ftp> lcd /root        // switch the local directory
    ftp> pwd
    257 "/etc"
2. Prohibit system users from accessing:
2.1. Modify the configuration file:
local_enable=NO
Then reload the service:
    [root@1inux vsftpd]# service vsftpd reload
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@1inux vsftpd]#
2.2. Access:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): admin
    530 This FTP server is anonymous only.
    Login failed.        // fails immediately after the user name is entered
    ftp>
3. Lock the system users to their home directory
chroot_local_user=YES // enable this line
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): admin
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> lcd /etc
    Local directory now /etc
    ftp> ls
    227 Entering Passive Mode.
    4096 May 01 21:24 abc
    226 Directory send OK.
4. Lock some users to their home directory. You can enable the following lines:
chroot_list_enable=YES // enable the list
chroot_list_file=/etc/vsftpd/chroot_list // all users in this file will be locked
4.1. Create users:
    [root@1inux vsftpd]# useradd centos
    [root@1inux vsftpd]# echo "1" | passwd --stdin centos
    [root@1inux vsftpd]# useradd fedora
    [root@1inux vsftpd]# echo "1" | passwd --stdin fedora
    [root@1inux vsftpd]#
4.2. Create the user list:
    [root@1inux vsftpd]# vim chroot_list
    [root@1inux vsftpd]# cat chroot_list
    centos
4.3. Reload the configuration file:
    [root@1inux vsftpd]# service vsftpd reload
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]
4.4. Log in to check
1. Log in as centos:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): centos
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp>
2. Log in as fedora:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): fedora
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/home/fedora"
IV. Other simple configuration instructions:
1. dirmessage_enable=YES // directory message prompt
In the directory where FTP should show a message, create a new file:
    # vim .message
    Hello, guest
    How are you?
Reload the configuration file:
    # service vsftpd reload
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 (vsFTPd 2.2.2)
    Name (172.16.66.82:root): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd upload
    250-Hello, guest        // the message just defined is shown
    250-How are you?
    250 Directory successfully changed.
    ftp>
2. Log related
xferlog_enable=YES // whether to enable the transfer log. Default is enabled.
xferlog_std_format=YES // whether the transfer log uses the standard format
xferlog_file=/var/log/xferlog // log path [both of the first two must be enabled]
3. Changing the owner of uploaded files
#chown_uploads=YES // whether to change the owner of a file when it is uploaded
#chown_username=whoever // change the owner to whoever, that is, a user name on the system
4. Timeouts
#idle_session_timeout=600 // idle session timeout, after which the session is disconnected automatically
#data_connection_timeout=120 // data connection timeout (that is, while the user is uploading or downloading data, the FTP session is disconnected once the data connection is lost)
5. Upload and download format
#ascii_upload_enable=YES // whether uploads are forced to use ASCII
#ascii_download_enable=YES // whether downloads are forced to use ASCII
Note: forcing ASCII mode when uploading or downloading binary files will cause failures.
6. Ftp information
#ftpd_banner=Welcome to blah FTP service. // the welcome message shown when users log in; it can be customized
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 Welcome to blah FTP service.        // displayed when logging in
    Name (172.16.66.82:root):
7. vsftpd uses PAM for user authentication; the PAM configuration file it uses is:
/etc/pam.d/vsftpd // defines which modules authenticate the user when accessing vsftpd
    # cat /etc/pam.d/vsftpd
    #%PAM-1.0
    session    optional     pam_keyinit.so    force revoke
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    auth       required     pam_shells.so
    auth       include      password-auth
    account    include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth
auth // for authentication
account // checks whether the user account is within its validity period
session //
In /etc/pam.d/vsftpd:
    auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
/etc/vsftpd/ftpusers stores a list of users who are refused access to vsftp. Once a user name appears in this file, that user is prohibited from accessing vsftp.
Eg:
Server side:
    [root@1inux vsftpd]# echo "admin" >> ftpusers
    [root@1inux vsftpd]# service vsftpd reload
Client:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 Welcome to blah FTP service.
    Name (172.16.66.82:root): admin
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.        // login failed
    ftp>
8. The user list control file
/etc/vsftpd/user_list
userlist_enable=YES // whether to enable the list file that controls user login
userlist_deny=YES|NO // whether to reject users in the user list; defaults to YES
Eg1:
When userlist_deny=YES, the user_list file becomes a blacklist, and users in the file are not allowed to log in
Add the centos user:
    # echo "centos" >> /etc/vsftpd/user_list
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 Welcome to blah FTP service.
    Name (172.16.66.82:root): centos
    530 Permission denied.        // access denied
    Login failed.
    ftp>
Eg2:
When userlist_deny=NO, the user_list file becomes a whitelist, and only users in the user_list file are allowed to log in
    [root@1inux vsftpd]# cat user_list
    # vsftpd userlist
    # If userlist_deny=NO, only allow users in this file
    # If userlist_deny=YES (default), never allow users in this file, and
    # do not even prompt for a password.
    # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
    # for users that are denied.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    centos
    [root@1inux vsftpd]#
Client:
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 Welcome to blah FTP service.
    Name (172.16.66.82:root): fedora
    530 Permission denied.        // the fedora user is rejected immediately
    Login failed.
    ftp> bye
    221 Goodbye.
    [root@1inux ~]# ftp 172.16.66.82
    Connected to 172.16.66.82 (172.16.66.82).
    220 Welcome to blah FTP service.
    Name (172.16.66.82:root): centos
    331 Please specify the password.
    Password:
    230 Login successful.        // the centos user can access
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
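The user_list and ftpusers checks shown above, and the chroot_list setting from section III, interact in ways that are easy to misread: a user on a whitelist can still be refused by PAM, and chroot_list changes meaning when chroot_local_user=YES (per vsftpd.conf(5), the list then names the users who are not jailed). The Python model below is an added example, not code from the original article or from vsftpd; the function names, the cfg dictionary and the sample lists are assumptions made for the illustration.

```python
def read_list(text):
    """User names in a vsftpd list file; blank and '#' lines are skipped."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def login_reply(user, password_ok, cfg, user_list, ftpusers):
    """Final server reply for a local user, in the order the checks run."""
    if cfg.get("userlist_enable"):
        listed = user in user_list
        # Default userlist_deny=YES: listed users are refused (blacklist).
        # userlist_deny=NO: only listed users get past this point (whitelist).
        if listed == cfg.get("userlist_deny", True):
            return "530 Permission denied."   # sent before any password prompt
    # After "331 Please specify the password.", PAM decides. pam_listfile
    # with sense=deny fails every user named in /etc/vsftpd/ftpusers.
    if user in ftpusers or not password_ok:
        return "530 Login incorrect."
    return "230 Login successful."


def is_chrooted(user, cfg, chroot_list):
    """chroot_list names the jailed users, unless chroot_local_user=YES,
    in which case it names the exceptions (vsftpd.conf(5))."""
    on_list = bool(cfg.get("chroot_list_enable")) and user in chroot_list
    return bool(cfg.get("chroot_local_user")) != on_list


# Constructed sample data modelled on the article's files (not real contents).
USER_LIST = read_list("# vsftpd userlist\nroot\nbin\ncentos\n")
FTPUSERS = read_list("root\nadmin\n")
CHROOT_LIST = read_list("centos\n")

if __name__ == "__main__":
    whitelist = {"userlist_enable": True, "userlist_deny": False}
    for name in ("centos", "fedora", "root"):
        print(name, login_reply(name, True, whitelist, USER_LIST, FTPUSERS))
```

If chroot_local_user=YES from step 3 is left enabled when the chroot_list is added in step 4, the model shows centos escaping the jail and fedora being jailed, the opposite of the result in the article's session.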
9. Connection limits:
max_clients: maximum number of concurrent connections
max_per_ip: the maximum number of connections that each IP can open simultaneously
10. Transfer rate
anon_max_rate: the maximum transfer rate for anonymous users, in bytes per second
local_max_rate: maximum transfer rate for local users
OK, these are basically the configurations used for virtual users and system users. Additions are welcome.
For more configuration parameters, please see man vsftpd.conf