Theory + practice: FTP service details optimization, creating virtual users

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Set up FTP service

1. Install the FTP service

1.1 Mount the image file

Install the vsftpd package

1.2 You can also install it from the yum repository

    [root@localhost ~]# yum install vsftpd-sysvinit.x86_64 -y
    Installed:
      vsftpd-sysvinit.x86_64 0:3.0.2-25.el7
    Complete!

1.3 Related file paths

    [root@localhost ~]# cd /etc/vsftpd/
    [root@localhost vsftpd]# ls
    ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh

vsftpd.conf: the main configuration file

user_list: a list of user names; whether the users on it may log in is decided by the configuration file, which turns the list into either a blacklist or a whitelist

The default configuration parameters are as follows:

    [root@localhost vsftpd]# grep -v '#' vsftpd.conf      'filter out the active parameters'
    anonymous_enable=YES        'enable anonymous users'
    local_enable=YES            'enable local users'
    write_enable=YES            'enable write permission'
    local_umask=022             'umask (reverse mask) for local users'
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd     'PAM module authentication'
    userlist_enable=YES         'user list on'
    tcp_wrappers=YES

You can actually use it without modification at this time.

    [root@localhost vsftpd]# systemctl start vsftpd
    [root@localhost vsftpd]# systemctl status vsftpd
    ● vsftpd.service - Vsftpd ftp daemon
       Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
       Active: active (running) since Sat 2019-12-07 14:35:44 CST; 22s ago
      Process: 93638 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
     Main PID: 93639 (vsftpd)
       CGroup: /system.slice/vsftpd.service
               └─93639 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

    Dec 07 14:35:44 localhost.localdomain systemd[1]: Starting Vsftpd ftp...
    Dec 07 14:35:44 localhost.localdomain systemd[1]: Started Vsftpd ftp d...
    Hint: Some lines were ellipsized, use -l to show in full.

2. Optimize the FTP service

2.1 Note that the firewall must be turned off, and SELinux set to permissive with setenforce

    [root@localhost vsftpd]# systemctl stop firewalld.service
    [root@localhost vsftpd]# setenforce 0
    [root@localhost vsftpd]#

2.1.1 Use another host to log in to the FTP server, using anonymous login

    C:\Users\GSY>ftp 192.168.247.140      'the IP of the vsftpd server'
    Connected to 192.168.247.140.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.140:(none)): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> pwd                              'view the current location'
    257 "/"                               'this root is not the server's root directory but the root of the vsftpd site'
    ftp> ls -a                            'list'
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    .
    ..
    centos7
    ks.cfg
    pub                                   'public folder'
    226 Directory send OK.
    ftp: received 32 bytes, took 0.00 seconds 16.00 kilobytes per second.
    ftp>

You can verify this on the server, in the directory that holds the site.

    [root@localhost vsftpd]# ls -a /var/ftp
    .  ..  centos7  ks.cfg  pub

Create a file on the server to test

    [root@localhost vsftpd]# echo "778899" > /var/ftp/test.txt
    [root@localhost vsftpd]# ls -a /var/ftp
    .  ..  centos7  ks.cfg  pub  test.txt
    [root@localhost vsftpd]# cat /var/ftp/test.txt
    778899

Go to the client to check

    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    centos7
    ks.cfg
    pub
    test.txt                              'the new file has appeared'
    226 Directory send OK.
    ftp: received 35 bytes, used 0.01s 7.00 kbytes/second.
    ftp>

2.2 Switch the client to the E: drive and test a download

    ftp> get test.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for test.txt (7 bytes).
    226 Transfer complete.
    ftp: received 7 bytes in 0.00 seconds 7000.00 kilobytes per second.
    ftp>

Test the download, then test the upload

The server answers that the permissions are insufficient.

    ftp> put 999.txt
    200 PORT command successful. Consider using PASV.
    550 Permission denied.
    ftp>

2.3 Now modify the server's vsftpd configuration file to maximize the permissions of anonymous logins

    #anon_mkdir_write_enable=YES     'anonymous users may create directories'
    #anon_upload_enable=YES          'anonymous users may upload'

Remove the leading # from both lines, then save and exit.

You can also use man to look up the options of the vsftpd.conf configuration file:

    [root@localhost vsftpd]# man vsftpd.conf

Inside the man page, search for anon (type /anon) to find the relevant entries:

           Default: NO

    anon_other_write_enable
           If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.

           Default: NO

    anon_upload_enable
           If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.

           Default: NO

Both options default to NO.

anon_other_write_enable lets anonymous users rename or delete files.

Add this directive to the configuration file as well to maximize the permissions of anonymous users.

You can filter the file with grep to check that the options are now enabled:

    [root@localhost vsftpd]# grep -v '#' vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    [root@localhost vsftpd]#

2.4 The service must be reloaded for the modified configuration file to take effect

    [root@localhost vsftpd]# systemctl reload vsftpd
    Failed to reload vsftpd.service: Job type reload is not applicable for unit vsftpd.service.
    See system logs and 'systemctl status vsftpd.service' for details.
    [root@localhost vsftpd]# systemctl restart vsftpd
    [root@localhost vsftpd]# service reload vsftpd
    The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
    [root@localhost vsftpd]# service vsftpd reload
    Reloading vsftpd configuration (via systemctl):  Failed to reload vsftpd.service: Job type reload is not applicable for unit vsftpd.service.
    See system logs and 'systemctl status vsftpd.service' for details.
                                                               [FAILED]

Reloading doesn't work, so it has to be restarted.

2.5 The permissions of anonymous users in vsftpd are now maximized, but you also have to consider whether the permissions of the directory itself have been relaxed

    [root@localhost vsftpd]# cd /var/ftp
    [root@localhost ftp]# ls -al
    total 12
    drwxr-xr-x.  4 root root   62 Dec  7 14:53 .
    drwxr-xr-x. 24 root root 4096 Nov 22 14:43 ..
    drwxr-xr-x.  2 root root    6 Nov 22 14:51 centos7
    -rw-r--r--.  1 root root  909 Nov 22 15:17 ks.cfg
    drwxr-xr-x.  2 root root    6 Oct 31  2018 pub
    -rw-r--r--.  1 root root    7 Dec  7 14:53 test.txt

Test it first.

    ftp> put 999.txt
    200 PORT command successful. Consider using PASV.
    553 Could not create file.

Still fails. Relax the permissions on the ftp directory.

    [root@localhost ftp]# chmod 777 /var/ftp
    [root@localhost ftp]# ls -al
    total 12
    drwxrwxrwx.  4 root root   62 Dec  7 14:53 .
    drwxr-xr-x. 24 root root 4096 Nov 22 14:43 ..
    drwxr-xr-x.  2 root root    6 Nov 22 14:51 centos7
    -rw-r--r--.  1 root root  909 Nov 22 15:17 ks.cfg
    drwxr-xr-x.  2 root root    6 Oct 31  2018 pub
    -rw-r--r--.  1 root root    7 Dec  7 14:53 test.txt

Now it works.

    ftp> put 999.txt
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp: send 7 bytes in 0.00 seconds and 3.50 kilobytes per second.

Go to the server to check the verification

    [root@localhost ftp]# ls -al
    total 16
    drwxrwxrwx.  4 root root   77 Dec  7 15:32 .
    drwxr-xr-x. 24 root root 4096 Nov 22 14:43 ..
    -rw-------.  1 ftp  ftp     7 Dec  7 15:32 999.txt
    drwxr-xr-x.  2 root root    6 Nov 22 14:51 centos7
    -rw-r--r--.  1 root root  909 Nov 22 15:17 ks.cfg
    drwxr-xr-x.  2 root root    6 Oct 31  2018 pub
    -rw-r--r--.  1 root root    7 Dec  7 14:53 test.txt

In the same way, the permissions of pub can also be changed.

Next, test deleting the uploaded file

    ftp> delete 999.txt
    250 Delete operation successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    centos7
    ks.cfg
    pub
    test.txt
    226 Directory send OK.
    ftp: received 35 bytes, 0.00 seconds 35.00 kilobytes/second.

    [root@localhost ftp]# ls -al
    total 12
    drwxrwxrwx.  4 root root   62 Dec  7 15:36 .
    drwxr-xr-x. 24 root root 4096 Nov 22 14:43 ..
    drwxr-xr-x.  2 root root    6 Nov 22 14:51 centos7
    -rw-r--r--.  1 root root  909 Nov 22 15:17 ks.cfg
    drwxr-xr-x.  2 root root    6 Oct 31  2018 pub
    -rw-r--r--.  1 root root    7 Dec  7 14:53 test.txt

Test to delete the original file

    ftp> delete test.txt
    250 Delete operation successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    centos7
    ks.cfg
    pub
    226 Directory send OK.
    ftp: received 25 bytes and took 0.00 seconds 12.50 kilobytes per second.

    [root@localhost ftp]# ls -al
    total 8
    drwxrwxrwx.  4 root root   46 Dec  7 15:37 .
    drwxr-xr-x. 24 root root 4096 Nov 22 14:43 ..
    drwxr-xr-x.  2 root root    6 Nov 22 14:51 centos7
    -rw-r--r--.  1 root root  909 Nov 22 15:17 ks.cfg
    drwxr-xr-x.  2 root root    6 Oct 31  2018 pub

That works as well.

3. Test ordinary (local) users

    [root@localhost ftp]# useradd zhangsan
    [root@localhost ftp]# useradd lisi
    [root@localhost ftp]# echo "123123" | passwd zhangsan --stdin
    Changing password for user zhangsan.
    passwd: all authentication tokens updated successfully.
    [root@localhost ftp]# echo "123123" | passwd lisi --stdin
    Changing password for user lisi.
    passwd: all authentication tokens updated successfully.

Next, log in remotely on the client with the newly created user.

    E:\>ftp 192.168.247.140
    Connected to 192.168.247.140.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.140:(none)): zhangsan
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> pwd
    257 "/home/zhangsan"

3.1 The user lands in their own home directory

Next, do the upload test.

    ftp> put 999.txt
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp: send 7 bytes in 0.00 seconds and 7.00 kilobytes per second.

    [root@localhost ftp]# ls /home/zhangsan
    999.txt
    [root@localhost ftp]#

3.2 Switch directories: an ordinary user turns out to be able to move around the server's filesystem at will

    ftp> cd /
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    bin
    boot
    dev
    etc
    home
    lib
    lib64
    media
    mnt
    opt
    proc
    root
    run
    sbin
    srv
    sys
    tmp
    usr
    var
    226 Directory send OK.
    ftp: received 107 bytes and used 0.01s 9.73 kbytes per second.

This is a hidden danger to server security.

Next, modify the appropriate configuration options.

    #chroot_local_user=YES       'confine local users to their home directory (no switching out of it)'
    allow_writeable_chroot=YES   'CentOS 7 also needs this option enabled'

Enable it, save and exit, then restart the service.

    ftp> ls
    Connection closed by remote host.

Use the bye command to exit ftp mode and log in again

    E:\>ftp 192.168.247.142
    Connected to 192.168.247.142.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.142:(none)): zhangsan
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp> ls -a
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    .bash_logout
    .bash_profile
    .bashrc
    .mozilla
    226 Directory send OK.
    ftp: received 58 bytes and used 0.00 seconds 14.50 kilobytes per second.
    ftp> pwd
    257 "/"
    ftp> cd /etc
    550 Failed to change directory.
    ftp>

3.3 Next, configure the user list (user_list)

If userlist_deny=NO is set, only the users on the list are allowed to log in.

If userlist_deny=YES is set (the default), the users on the list are denied access.
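The three weaknesses this article has walked through so far all live in vsftpd.conf: the anonymous write options from 2.3, local users escaping their home directory in 3.2 (fixed by chroot_local_user), and user_list acting as a blacklist unless userlist_deny=NO (3.3). The following POSIX sh script, added here as an example and not part of the original article, audits a configuration file for exactly those combinations. The two sample configurations it writes are constructed for the demonstration; the "risky" one mirrors the state after section 2.3, the "hardened" one the settings sections 3.2 and 3.3 introduce with anonymous login switched off.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf for the
# risky combinations discussed in sections 2.3, 3.2 and 3.3. POSIX sh only.
# The sample configurations written by write_sample_conf are constructed.

# Print the active value of directive $2 in config file $1 (commented lines
# ignored, last occurrence wins); prints nothing when the directive is unset.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" \
        | tail -n 1
}

# Print one WARN/NOTE line per finding in config file $1.
audit_vsftpd_conf() {
    conf="$1"
    write=$(vsftpd_get "$conf" write_enable)
    if [ "$(vsftpd_get "$conf" anonymous_enable)" = "YES" ]; then
        # Per the man page excerpt above, anonymous writes also need
        # write_enable=YES, so only the combination is reported.
        for d in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$conf" "$d")" = "YES" ] && [ "$write" = "YES" ]; then
                echo "WARN: anonymous_enable=YES with $d=YES: unauthenticated clients can write (2.3)"
            fi
        done
    fi
    if [ "$(vsftpd_get "$conf" local_enable)" = "YES" ] \
       && [ "$(vsftpd_get "$conf" chroot_local_user)" != "YES" ]; then
        echo "WARN: chroot_local_user is not YES: local users can browse the whole filesystem (3.2)"
    fi
    if [ "$(vsftpd_get "$conf" userlist_enable)" = "YES" ] \
       && [ "$(vsftpd_get "$conf" userlist_deny)" != "NO" ]; then
        echo "NOTE: userlist_deny defaults to YES, so user_list is a blacklist, not a whitelist (3.3)"
    fi
    return 0
}

# Write a constructed sample configuration to file $1; $2 is "risky" or "hardened".
write_sample_conf() {
    case "$2" in
    risky)
        cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#chroot_local_user=YES
userlist_enable=YES
pam_service_name=vsftpd
EOF
        ;;
    hardened)
        cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
pam_service_name=vsftpd
EOF
        ;;
    esac
}

# Stand-alone demo: audit both samples, then clean up.
for kind in risky hardened; do
    tmp=$(mktemp)
    write_sample_conf "$tmp" "$kind"
    echo "== $kind =="
    audit_vsftpd_conf "$tmp"
    rm -f "$tmp"
done
```

Run it against a real file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after sourcing the script; an empty result means none of the three findings applies. Note that the script only reads what is in the file: it cannot see the directory-mode change from 2.5 (chmod 777 /var/ftp), which is a separate thing to check.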

You can add zhangsan to the test.

    [root@localhost ftp]# echo "zhangsan" >> /etc/vsftpd/user_list
    [root@localhost ftp]#

After reloading the service (restart it, since reload is not supported, as seen in 2.4), log in again: the login now fails.

    E:\>ftp 192.168.247.140
    Connected to 192.168.247.140.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.140:(none)): zhansan
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    ftp> ls
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    ftp>

Increase the user list limit, allow only users in the list to access, and then restart the service

    [root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
    userlist_enable=YES      'enable the user list'
    userlist_deny=NO         'only allow users in the user list to log in'

Test it: the change is effective.

    E:\>ftp 192.168.247.140
    Connected to 192.168.247.140.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.140:(none)): lisi
    530 Permission denied.
    Login failed.
    ftp> bye
    221 Goodbye.
    E:\>ftp 192.168.247.140
    Connected to 192.168.247.140.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.140:(none)): zhangsan
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp>

Delete the configuration you just added and continue testing

4. Virtual users

4.1 First create the file /etc/vsftpd/vuser

Write the account names and passwords of the virtual users into it, one item per line, each name followed by its password on the next line.

    [root@localhost ftp]# cd /etc/vsftpd/
    [root@localhost vsftpd]# vim vuser
    [root@localhost vsftpd]# cat vuser
    lisa
    123123
    tom
    123123

4.2 Convert the vuser file into a database file

-T reads a plain-text input file for conversion, -t hash selects the hash database type, and -f specifies the input file.

    [root@localhost vsftpd]# db_load -T -t hash -f vuser vuser.db
    [root@localhost vsftpd]#
    [root@localhost vsftpd]# ls -al
    total 48
    drwxr-xr-x.   2 root root   117 Dec  7 16:37 .
    drwxr-xr-x. 140 root root  8192 Dec  7 15:41 ..
    -rw-------.   1 root root   125 Oct 31  2018 ftpusers
    -rw-------.   1 root root   370 Dec  7 16:03 user_list
    -rw-------.   1 root root  5142 Dec  7 16:11 vsftpd.conf
    -rwxr--r--.   1 root root   338 Oct 31  2018 vsftpd_conf_migrate.sh
    -rw-r--r--.   1 root root    23 Dec  7 16:33 vuser
    -rw-r--r--.   1 root root 12288 Dec  7 16:37 vuser.db

For security, change the permissions of both files to 600, since they hold the passwords.

    [root@localhost vsftpd]# chmod 600 vuse*
    [root@localhost vsftpd]# ls -al
    total 48
    drwxr-xr-x.   2 root root   117 Dec  7 16:37 .
    drwxr-xr-x. 140 root root  8192 Dec  7 15:41 ..
    -rw-------.   1 root root   125 Oct 31  2018 ftpusers
    -rw-------.   1 root root   370 Dec  7 16:03 user_list
    -rw-------.   1 root root  5142 Dec  7 16:11 vsftpd.conf
    -rwxr--r--.   1 root root   338 Oct 31  2018 vsftpd_conf_migrate.sh
    -rw-------.   1 root root    23 Dec  7 16:33 vuser
    -rw-------.   1 root root 12288 Dec  7 16:37 vuser.db

4.3 Create the system account that the virtual users map to

    [root@localhost vsftpd]# useradd -d /opt/vuser -s /sbin/nologin vuser
    [root@localhost vsftpd]# grep 'vuser' /etc/passwd
    vuser:x:1003:1003::/opt/vuser:/sbin/nologin
    [root@localhost vsftpd]# ls /opt
    192.168.139.132  rh  vuser

4.4 Use the PAM authentication module to enable virtual user login

Create a new PAM service file, /etc/pam.d/vsftpd.vu, and write the following into it:

    auth required pam_userdb.so db=/etc/vsftpd/vuser

    account required pam_userdb.so db=/etc/vsftpd/vuser

Note that the path after db= refers to the file with the .db suffix (vuser.db); the suffix itself is left off, and pam_userdb appends it.

    [root@localhost vsftpd]# cd /etc/pam.d/
    [root@localhost pam.d]# cat vsftpd
    #%PAM-1.0
    session    optional     pam_keyinit.so    force revoke
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    auth       required     pam_shells.so
    auth       include      password-auth
    account    include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth
    [root@localhost pam.d]# vim vsftpd.vu
    [root@localhost pam.d]# cat vsftpd.vu
    auth required pam_userdb.so db=/etc/vsftpd/vuser
    account required pam_userdb.so db=/etc/vsftpd/vuser
    [root@localhost pam.d]#

4.5 Then modify the configuration file

    [root@localhost vsftpd]# vim vsftpd.conf
    #pam_service_name=vsftpd       'comment out the original PAM service name'
    guest_enable=YES               'enable the guest function'
    guest_username=vuser           'the system account that guests are mapped to'
    pam_service_name=vsftpd.vu     'the PAM service points at the file just created'

    [root@localhost pam.d]# tail -9 /etc/vsftpd/vsftpd.conf
    # Make sure, that one of the listen options is commented !!
    listen_ipv6=YES

    #pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    guest_enable=YES
    guest_username=vuser
    pam_service_name=vsftpd.vu

After the modification, restart the service.

4.6 You can now log in as a virtual user and upload a file

    E:\>ftp 192.168.247.142
    Connected to 192.168.247.142.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.142:(none)): lisa
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> put 999.txt
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp: send 7 bytes in 0.00 seconds and 7.00 kilobytes per second.
    ftp>

Verify on the server

    [root@localhost vuser]# cd /etc/vsftpd/
    [root@localhost vsftpd]# cd /opt/vuser
    [root@localhost vuser]# ls
    999.txt
    [root@localhost vuser]#

Switch to the other virtual user

    E:\>ftp 192.168.247.142
    Connected to 192.168.247.142.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.142:(none)): tom
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> put 911.txt
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp: send 7 bytes in 0.00 seconds and 7.00 kilobytes per second.
    ftp>

    [root@localhost vuser]# ls -al
    total 20
    drwx------. 3 vuser vuser 108 Dec  8 16:46 .
    drwxr-xr-x. 5 root  root  142 Dec  8 15:13 ..
    -rw-------. 1 vuser vuser   7 Dec  8 16:46 911.txt
    -rw-------. 1 vuser vuser   7 Dec  8 16:39 999.txt
    -rw-r--r--. 1 vuser vuser  18 Aug  3  2017 .bash_logout
    -rw-r--r--. 1 vuser vuser 193 Aug  3  2017 .bash_profile
    -rw-r--r--. 1 vuser vuser 231 Aug  3  2017 .bashrc
    drwxr-xr-x. 4 vuser vuser  39 Oct 23 13:35 .mozilla

4.7 You can also create a separate configuration directory to specify permissions per user

    [root@localhost vuser]# vim /etc/vsftpd/vsftpd.conf
    user_config_dir=/etc/vsftpd/vu_dir     'add this line'
    [root@localhost vuser]# cd /etc/vsftpd
    [root@localhost vsftpd]# mkdir vu_dir
    [root@localhost vsftpd]# cd vu_dir/
    [root@localhost vu_dir]# vim tom
    anon_umask=022

    E:\>ftp 192.168.247.142
    Connected to 192.168.247.142.
    220 (vsFTPd 3.0.2)
    200 Always in UTF8 mode.
    User (192.168.247.142:(none)): tom
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> put 744.txt
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    ftp>

    [root@localhost vuser]# ls -al
    total 20
    drwx------. 3 vuser vuser 138 Dec  8 16:53 .
    drwxr-xr-x. 5 root  root  142 Dec  8 15:13 ..
    -rw-r--r--. 1 vuser vuser   0 Dec  8 16:53 744.txt
    -rw-------. 1 vuser vuser   0 Dec  8 16:50 755.txt
    -rw-------. 1 vuser vuser   7 Dec  8 16:46 911.txt
    -rw-------. 1 vuser vuser   7 Dec  8 16:39 999.txt
    -rw-r--r--. 1 vuser vuser  18 Aug  3  2017 .bash_logout
    -rw-r--r--. 1 vuser vuser 193 Aug  3  2017 .bash_profile
    -rw-r--r--. 1 vuser vuser 231 Aug  3  2017 .bashrc
    drwxr-xr-x. 4 vuser vuser  39 Oct 23 13:35 .mozilla
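As an added example, not part of the original article, the script below runs the pre-flight checks a practitioner would want before restarting vsftpd with the virtual-user setup of sections 4.1 to 4.7: that vuser holds name/password line pairs (the input db_load -T consumes), that vuser and vuser.db are mode 600 as in 4.2, and that every file in the user_config_dir is named after a user that actually exists in vuser, because vsftpd looks the per-user file up by login name and silently ignores one that matches nobody. The fixture directory and the names in it (lisa, tom, and bob and alice in the test) are constructed; db_load is not run, so the vuser.db it creates is an empty placeholder. It needs POSIX sh plus GNU stat and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# virtual-user files of section 4. POSIX sh plus GNU stat/mktemp. The fixture
# directory, user names and passwords are constructed for the demonstration.

# Build a directory with the article's layout (vuser, vuser.db, vu_dir/<user>)
# under $1. db_load is not run here, so vuser.db is an empty placeholder.
make_vuser_fixture() {
    mkdir -p "$1/vu_dir"
    # name on one line, password on the next: the format db_load -T consumes
    printf '%s\n' lisa 123123 tom 123123 > "$1/vuser"
    : > "$1/vuser.db"
    chmod 600 "$1/vuser" "$1/vuser.db"           # section 4.2
    printf 'anon_umask=022\n' > "$1/vu_dir/tom"   # section 4.7
}

# Print one BAD line per problem found under $1; prints nothing when sound.
check_vuser_layout() {
    dir="$1"
    # 1. vuser must hold name/password pairs: a non-zero, even number of lines
    lines=$(grep -c . "$dir/vuser" 2>/dev/null || true)
    lines=${lines:-0}
    if [ "$lines" -eq 0 ] || [ $((lines % 2)) -ne 0 ]; then
        echo "BAD: $dir/vuser must contain name/password line pairs (found $lines non-empty lines)"
    fi
    # 2. both credential files contain cleartext passwords: root-only, mode 600
    for f in vuser vuser.db; do
        mode=$(stat -c %a "$dir/$f" 2>/dev/null || echo missing)
        [ "$mode" = "600" ] || echo "BAD: $dir/$f mode is $mode, expected 600"
    done
    # 3. vsftpd looks up user_config_dir/<login name>, so a per-user file whose
    #    name is not a virtual user is never applied; names are the odd lines
    for cfg in "$dir"/vu_dir/*; do
        [ -f "$cfg" ] || continue
        name=$(basename "$cfg")
        if ! awk 'NR % 2 == 1' "$dir/vuser" 2>/dev/null | grep -qx "$name"; then
            echo "BAD: $cfg matches no user name in $dir/vuser"
        fi
    done
    return 0
}

# Stand-alone demo on a throwaway directory.
demo=$(mktemp -d)
make_vuser_fixture "$demo"
if [ -z "$(check_vuser_layout "$demo")" ]; then
    echo "layout OK"
else
    check_vuser_layout "$demo"
fi
rm -rf "$demo"
```

Against a real server, point `check_vuser_layout` at /etc/vsftpd (with vu_dir as the user_config_dir) after sourcing the script; an empty result means the three checks pass. The check reads only the text file, not vuser.db, so re-run db_load after any edit to vuser or the database will still carry the old entries.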
