Implementation case of vsftpd in Enterprise Network (CentOS)

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--


Environment:

VMware workstation 10

Centos6.4 operating system

vsftpd, whose full name is Very Secure FTP Daemon, is a GPL-licensed FTP server for Unix-like systems.

Security was the original motivation for writing vsftpd. Beyond that inherent security focus, high speed and high stability are its two other important features.

In terms of speed, when downloading in ASCII mode vsftpd is twice as fast as Wu-FTP, and on a Linux host running a 2.4.* kernel the download speed can reach 86MB/S over Gigabit Ethernet.

In terms of stability vsftpd does even better: it supports more than 4000 simultaneous connections on a single (non-clustered) machine, and according to Red Hat's FTP server figures a vsftpd server can support 15000 concurrent users.

Install vsftpd

[root@localhost ~]# rpm -qa | grep ftp
gvfs-obexftp-1.4.3-15.el6.i686
[root@localhost ~]# mount /dev/cdrom /media/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only

You can view the information about this package:

[root@localhost Packages]# rpm -qip gvfs-obexftp-1.4.3-15.el6.i686.rpm

Install the server:

[root@localhost Packages]# rpm -ivh /media/cdrom/Packages/vsftpd-2.2.2-11.el6_3.1.i686.rpm
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]

Install the related client packages (in this lab the client can be on the same host):

[root@localhost Packages]# ll /media/cdrom/Packages/ | grep ftp
-r--r--r--. 2 root root  56856 Nov  9  2012 ftp-0.17-53.el6.i686.rpm
-r--r--r--. 2 root root  72784 Jul 31  2012 gvfs-obexftp-1.4.3-15.el6.i686.rpm
-r--r--r--. 2 root root 752916 Jul  2  2011 lftp-4.0.9-1.el6.i686.rpm
-r--r--r--. 2 root root  31508 Sep 25  2011 tftp-0.49-7.el6.i686.rpm
-r--r--r--. 2 root root  39276 Sep 25  2011 tftp-server-0.49-7.el6.i686.rpm
-r--r--r--. 2 root root 160540 Feb 19  2013 vsftpd-2.2.2-11.el6_3.1.i686.rpm
[root@localhost Packages]# rpm -ivh /media/cdrom/Packages/ftp-0.17-53.el6.i686.rpm
Preparing...                ########################################### [100%]
   1:ftp                    ########################################### [100%]
[root@localhost Packages]# rpm -ivh /media/cdrom/Packages/lftp-4.0.9-1.el6.i686.rpm
Preparing...                ########################################### [100%]
   1:lftp                   ########################################### [100%]

Add a new hard disk, sdb. The disk listing after it is attached:

Disk identifier: 0x000238d5

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          39      307200   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              39        1175     9128960   83  Linux
/dev/sda3            1175        1306     1048576   82  Linux swap / Solaris

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Once the new disk is visible, it is partitioned, formatted, and mounted (temporarily, or permanently by editing /etc/fstab).

[root@localhost ~]# vim /etc/fstab

As shown in the figure, the fstab entry mounts /dev/sdb1 on /mnt/part1; the file system type is set to auto (detected automatically), and the usrquota option tells the kernel to enable user disk quotas when the file system is mounted. The next field, 0, is the dump (backup) frequency: 0 means no backup, 1 means daily, 2 means irregular.

The last 0 controls whether fsck checks the file system's integrity at boot.

Then, when we run mount with the -a parameter, every file system listed in /etc/fstab is mounted (this is where the auto option takes effect).

[root@localhost ~]# mkdir /mnt/part1
[root@localhost ~]# mount -a

Because we want to set disk quotas on this disk we must generate the quota files, which may first require installing the package that provides the quota commands.

[root@localhost part1]# rpm -qa | grep quota
quota-3.17-18.el6.i686

Disable SELinux enforcement first, otherwise quotacheck fails with the errors below. Note that setenforce 0 switches the whole system to permissive mode until the next reboot; it is not limited to quota.

quotacheck: Cannot create new quotafile /mnt/part1/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

[root@localhost part1]# ll
total 12
drwx------. 2 root root 12288 Feb 15 01:29 lost+found
[root@localhost part1]# cd
[root@localhost ~]# cd /mnt/part1
[root@localhost part1]# setenforce 0
[root@localhost part1]# quotacheck -augvc

-a checks all file systems that have quota options (it is run here from the mount point of the partition concerned), -u calculates the space used by each user, -g does the same for groups, -v prints details, and -c ignores any existing quota files.

quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown.
quotacheck: Scanning /dev/sdb1 [/mnt/part1] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Old group file not found. Usage will not be substracted.
quotacheck: Checked 3 directories and 2 files
quotacheck: Old file not found.
[root@localhost part1]# ll
total 19
-rw-------. 1 root root  6144 Feb 15 03:18 aquota.user
drwx------. 2 root root 12288 Feb 15 01:29 lost+found

Because aquota.user is a binary file, it has to be edited with a dedicated command: edquota -u edits a user's quota, -g a group's, and -p copies one user's quota to another.

[root@localhost part1]# useradd user1
[root@localhost part1]# passwd user1
Changing password for user user1.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# edquota -u user1

As shown in the figure, soft in the file is the soft limit, i.e. a warning level: once it is reached, the user receives a warning at every login. hard is the hard limit, which cannot be exceeded. When the soft limit is reached a grace period starts, usually 7 days; if the usage is not dealt with within those 7 days, the user is locked out of further writes. Both limits exist for blocks and for inodes, as the figure shows with the blocks limit and the inodes limit.

A blocks value of 0 means that no blocks are in use yet, and the same applies to inodes.

[root@localhost part1]# useradd user2
[root@localhost part1]# passwd user2
Changing password for user user2.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost part1]# edquota -p user1 -u user2
[root@localhost part1]# edquota -u user2
[root@localhost part1]# quotaon /dev/sdb1

Add it to the boot sequence so that quotas are switched on automatically:

[root@localhost part1]# echo "quotaon /dev/sdb1" >> /etc/rc.d/rc.local

[root@localhost part1]# mkdir public
[root@localhost part1]# ll
total 22
-rw-------. 1 root root  7168 Feb 15 04:10 aquota.user
drwx------. 2 root root 12288 Feb 15 01:29 lost+found
drwxr-xr-x. 2 root root  1024 Feb 15 04:15 public

When a new directory is created, the default local permissions give others (the "other" class) no write permission, so the next step is to make public the anonymous login directory.

[root@localhost part1]# vim /etc/vsftpd/vsftpd.conf

Change it to the content shown in the picture.

[root@localhost part1]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost part1]# cd ./public/
[root@localhost public]# touch f1.txt
[root@localhost public]# touch f2.txt
[root@localhost public]# setenforce 0
[root@localhost public]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Stopping iptables removes the host firewall entirely; in a lab it is the quickest way to rule it out, but on a real server only TCP port 21 and the passive data port range should be opened instead.

Permissions for login users can also be controlled through vsftpd's ftpusers and user_list files, and source-address control can be done with tcp_wrappers (vim /etc/hosts.allow, /etc/hosts.deny).

Change the user's default login directory to the user's home directory:

[root@localhost home]# mv user1 /mnt/part1/
[root@localhost home]# mv user2 /mnt/part1/
[root@localhost home]# vim /etc/passwd
[root@localhost home]# cd /mnt/part1/
[root@localhost part1]# mkdir ./home
[root@localhost part1]# mv user1 user2 ./home

Login test, as shown in the figure. (Note that even when logging in from the local machine, the login fails if the host's IP address is used instead of the loopback address; this is caused by the default settings.)

Related commands

No write permission

[root@localhost home]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@localhost home]# useradd -D -b /mnt/part1/home
[root@localhost home]# useradd user3
[root@localhost home]# grep user3 /etc/passwd
user3:x:503:504::/mnt/part1/home/user3:/bin/bash

In this way, newly created users automatically get their home directory under the directory shown above and log in there by default.

Test the disk quota

Since the quota set earlier is only 10m (actually a little less than 10m), the disk limit is easy to reach.

Also delete this file afterwards to make room for the later test; for that reason dd is used to generate the file in another directory.

The other results and steps are as follows.

View disk quotas as an administrator

[root@localhost public]# vim /etc/vsftpd/vsftpd.conf
[root@localhost public]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost public]# dd if=/dev/zero of=f3 bs=1M count=1
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.0178166 s, 58.9 MB/s
[root@localhost public]# mv f3 ../home/user1

[root@localhost public]# cd /tmp
[root@localhost tmp]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (127,0,0,1,127,184).
150 Here comes the directory listing.
-rw-r--r--    1 0        0         1048576 Feb 16 02:09 f3
226 Directory send OK.
ftp> get f3
local: f3 remote: f3
227 Entering Passive Mode (127,0,0,1,...).
150 Opening BINARY mode data connection for f3 (1048576 bytes).
226 Transfer complete.
1048576 bytes received in 0.998 secs (1050.89 Kbytes/sec)

[root@localhost public]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get f3
local: f3 remote: f3
227 Entering Passive Mode (127,0,0,1,149,174).
150 Opening BINARY mode data connection for f3 (131072 bytes).
226 Transfer complete.
131072 bytes received in 0.656 secs (109.79 Kbytes/sec)

Test of the maximum number of connections (3), as shown in the figure:

[root@localhost public]# vim /etc/vsftpd/vsftpd.conf
[root@localhost public]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

The maximum number of connections per IP address (2) is tested as follows:

[root@localhost public]# ftp 192.168.2.199
Connected to 192.168.2.199 (192.168.2.199).
421 There are too many connections from your internet address.
ftp> bye

vsftpd also supports a per-user configuration directory, in which the user-specific settings override the corresponding settings of the main configuration, for example for the anonymous user.

[root@localhost public]# cd /etc/vsftpd/
[root@localhost vsftpd]# mkdir dir
[root@localhost vsftpd]# vim ./dir
[root@localhost vsftpd]# cd ./dir
[root@localhost dir]# vim user1
[root@localhost dir]# vim user2

[root@localhost tmp]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (127,0,0,1,146,163).
150 Here comes the directory listing.
-rw-r--r--    1 0        0          131072 Feb 16 05:04 f3
226 Directory send OK.
ftp> get f3
local: f3 remote: f3
227 Entering Passive Mode (127,0,0,1,147,100).
150 Opening BINARY mode data connection for f3 (131072 bytes).
226 Transfer complete.
131072 bytes received in 33.4 secs (3.93 Kbytes/sec)
ftp> bye
[root@localhost tmp]# rm f3    (pay attention to disk space)
rm: remove regular file `f3'? y
[root@localhost tmp]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (127,0,0,1,183,105).
150 Here comes the directory listing.
-rw-r--r--    1 0        0          131072 Feb 16 05:04 f3
226 Directory send OK.
ftp> get f3
local: f3 remote: f3
227 Entering Passive Mode (127,0,0,1,173,103).
150 Opening BINARY mode data connection for f3 (131072 bytes).
226 Transfer complete.
131072 bytes received in 0.0655 secs (2000.89 Kbytes/sec)
ftp> bye

The minimum and maximum ports used for passive-mode data connections can also be set in the same configuration file (which makes it easier to control the ports in the firewall):

pasv_max_port=
pasv_min_port=
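The directives this write-up touches (the anonymous directory, max_clients and max_per_ip, the per-user configuration directory and the passive port range) are easy to leave half-set, so here is a small POSIX shell audit, written for this edit and not part of the original article, that reads a vsftpd.conf in its key=value form and reports weak settings. It assumes the standard directive names documented by vsftpd; the passive port range in the sample is an assumed value (the article leaves it blank), and chroot_local_user is an extra hardening directive the article does not use.

```shell
# Added example, not from the original article: audit a vsftpd.conf for the
# directives this lab touches. Assumes the key=value format of vsftpd.conf.
# Print the value of a directive (last occurrence wins), ignoring comments.
vsftpd_get() {   # usage: vsftpd_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# One finding per line; no output means every check passed.
audit_vsftpd_conf() {   # usage: audit_vsftpd_conf FILE
    f=$1
    if [ "$(vsftpd_get anonymous_enable "$f")" = YES ]; then
        [ "$(vsftpd_get anon_upload_enable "$f")" = YES ] && echo "anonymous upload allowed"
    fi
    [ "$(vsftpd_get chroot_local_user "$f")" = YES ] || echo "local users not chrooted"
    for k in max_clients max_per_ip; do   # in vsftpd, unset or 0 means unlimited
        n=$(vsftpd_get "$k" "$f")
        [ -n "$n" ] && [ "$n" -gt 0 ] || echo "$k unset or 0: unlimited"
    done
    lo=$(vsftpd_get pasv_min_port "$f"); hi=$(vsftpd_get pasv_max_port "$f")
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "passive port range unset: firewall cannot pin data ports"
    elif [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port is larger than pasv_max_port"
    fi
    return 0
}
# Number of findings, for scripting.
vsftpd_finding_count() { audit_vsftpd_conf "$1" | grep -c . || true; }

# Constructed sample: the permissive defaults the lab starts from.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
EOF

# Constructed sample: the limits the lab adds (3 sessions, 2 per address,
# per-user config directory); the passive range is an assumed value.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
anonymous_enable=YES
anon_root=/mnt/part1/public
chroot_local_user=YES
max_clients=3
max_per_ip=2
user_config_dir=/etc/vsftpd/dir
pasv_min_port=50000
pasv_max_port=50100
EOF
```

Run `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after each edit and restart of the service; an empty result means the limits discussed above are all in place.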

Knowledge supplement:

A bit (b) is the smallest unit; a group of eight bits forms a byte (B). Generally speaking, each character on the keyboard occupies 2 bytes, and a Chinese character generally occupies 4 bytes. From there the units step up in multiples of 1024: 1024 bytes = 1KB

1024KB = 1MB

1024MB = 1G

Note: the difference between MiB and MB, KiB and KB, and so on.

1KB (kilobyte) = 1000 bytes, 1KiB (kibibyte) = 1024 bytes

1MB (megabyte) = 1000000 bytes, 1MiB (mebibyte) = 1048576 bytes

Hard disk manufacturers count in GB (decimal, i.e. the third power of 10 = 1000, so 1MB=1000KB), whereas computers (operating systems) count in GiB (binary, i.e. the 10th power of 2, so 1MiB=1024KiB). Domestic users, however, generally understand 1MB=1024KB, so to match that Chinese usage MiB is often translated as MB.

Because manufacturers and users understand the size of 1MB differently, the actual capacity of many 160G hard drives is less than 160G when measured by the computer's 1MB=1024KB, which explains why a newly bought hard disk appears smaller than its label says.

In broadband networks, the 1M bandwidth that operators advertise means 1Mbps (megabits per second). bps is the abbreviation of bits per second: the data transfer rate is counted in single bits. The 1M bandwidth commonly sold by the telecom operator, for example, is in bps. A byte equals 8 bits, and the storage unit of our computers is the byte, so in theory we can download 1×1024/8 = 128KB of data to the hard disk per second. That is only the theoretical speed: in practice roughly 12% goes to header information (Ethernet header, IP header, TCP header, ATM header, etc.) and various control signals, so the upper limit of the transfer speed is around 112KB/sec. It should not be read literally as "1M bytes of data can be transmitted per second", so do not take the advertising at face value. In transmission units, B and b stand for bytes and bits respectively; the two are defined differently and differ by a factor of 8.
