Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "the creation and configuration of vsftpd virtual account". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Demand analysis

According to the needs of the enterprise, different users have different permission restrictions, and the FTP server needs to implement user audit. To consider the security of the server, turn off the login of physical users, use the virtual account authentication mechanism, and set different permissions for different virtual accounts. In order to ensure the performance of the server, we also need to limit the number of connections and download speed of the client according to the level of the user.

1. Create a user database

(1) create a user text file

First create the user text file vsftpd_virtualuser.txt, add two virtual accounts, public account ftp and customer account vip

] # touch / etc/vsftpd/vsftpd_virtualuser.txt

] # vim / etc/vsftpd/vsftpd_virtualuser.txt

Format:

Virtual account number 1

Password

Virtual account number 2

Password

(2) generate database

The text file that saves the virtual account and password cannot be called directly by the system account. Ha ~ We need to use the db_load command to generate db database files.

Db_load-T-t hash-f / etc/vsftpd/vsftpd_virtualuser.txt / etc/vsftpd/vsftpd_virtualuser.db

Note:

Rhel5 installs only db4- 4.3.29-9.fc6.i386.rpm and db4-devel-4.3.29-9.fc6.i386.rpm by default

To use db_load, you need to install the db4-utils-4.3.29-9.fc6.i386.rpm package. Otherwise, the error in the following figure will occur: cannot be found.

(3) modify the access permissions of database files

The password information of the virtual account is saved in the database file. In order to prevent illegal users from stealing ha, we can modify the access rights of the file. The permissions of the generated authentication files should be set to be readable and writable only to root users.

Chmod 600 / etc/vsftpd/vsftpd_virtualuser . *

2. Configure the PAM file

In order to enable the server to use database files and authenticate the client, it is necessary to call the PAM module of the system. PAM (Plugable Authentication Module) is a pluggable authentication module, so it is not necessary to reinstall the application system and adjust the authentication mode of the program by modifying the specified configuration file. The path to the PAM module configuration file is the / etc/pam.d/ directory, where a large number of authentication-related configuration files are stored and named after the service name.

Modify the PAM configuration file / etc/pam.d/vsftpd corresponding to vsftpd to use the default configuration with "#" all comments and add the corresponding fields.

3. Create the system user corresponding to the virtual account

For public accounts and customer accounts, because different permissions need to be configured, the directories of the two accounts can be isolated and the user's file access can be controlled. The public account ftp corresponds to the system account ftpuser and specifies its home directory as / var/ftp/share, while the customer account vip corresponds to the system account ftpvip and specifies the home directory as / var/ftp/vip

Chmod-R500 / var/ftp/share/: the public account ftp is only allowed for download, and other user rights in the share directory are changed to rx readable and executable.

Chmod-R 700 / var/ftp/vip/: the customer account vip allows uploading and downloading, so the permissions for the vip directory are set to rwx, readable, writable and executable.

If you do not set an executable user login, you will get a directory error that cannot be changed.

4. Establish a configuration file

Set different permissions for multiple virtual accounts. If you cannot achieve this function with one profile, you need to establish an independent profile for each virtual account and set it up as needed.

(1) modify the vsftpd.conf main configuration file

Configure the main profile / etc/vsftpd/vsftpd.conf to add the common settings of the virtual account and add the user_config_dir field to define the profile directory of the virtual account

Disable anonymous user login and enable local user login settings

Anonymous_enable=NO

Local_enable=YES

(2) create a virtual account profile

Under the path specified by user_config_dir, create a configuration file with the same name as the virtual account and add the corresponding configuration fields.

First, set up the configuration file for the public account ftp

Guest_enable=yes: open virtual account login

Guest_username=ftpuser: set the system account corresponding to ftp to ftpuser

Anon_world_readable_only=no: allows anonymous users to browse the file system of the entire server anon_max_rate=50000: limit the transfer rate to 50KB/s

Note:

Vsftpd does not absolutely lock the file transfer speed limit on a numerical value, but varies between 80% and 120%. For example, if you set 100KB/s, the speed actually changes between 80KB/s~120KB/s.

This is the end of the content of "the creation and configuration of the virtual account of vsftpd". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.