2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
As the number of users grows, creating ever more system users is unwise, so virtual accounts should be created for vsftpd instead. The vsftpd virtual account database is stored in a data file in Berkeley DB format, so the db4-utils tools must be installed in order to create such a database file.
I. System environment
# cat /etc/issue
CentOS release 6.8 (Final)
Kernel \r on an \m
# uname -a
Linux iZuf62wzdy3bbx4vbp2f6bZ 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 GNU/Linux
II. Install the vsftpd service
# yum -y install vsftpd
# /etc/init.d/vsftpd restart
# chkconfig vsftpd on
III. Create the virtual user database
First, create a plaintext file in which odd-numbered lines hold user names and even-numbered lines hold the corresponding passwords. Then convert it to a database file with the db_load tool, which is obtained by installing the db4-utils package. Finally, tighten the file permissions so that the password data cannot be read by other users.
# yum -y install db4-utils
# vim /etc/vsftpd/vlogin
Write the user names and passwords into the vlogin file:
Username01
Password01
Username01
Password01
Generate the virtual user database file (vlogin.db):
# db_load -T -t hash -f /etc/vsftpd/vlogin /etc/vsftpd/vlogin.db
# chmod 600 /etc/vsftpd/{vlogin,vlogin.db}
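The user list above is easy to get subtly wrong (a username with no password line, a user listed twice so that the later password silently wins in the hash database). The following added script, which is not part of the original article, checks a list in that odd/even layout before running the same db_load and chmod steps; the paths are the article's and the sample list at the bottom is constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): check a vsftpd virtual-user list in
# the layout used above (odd lines = username, even lines = password) before it is
# fed to db_load, then build the Berkeley DB and restrict permissions as the article does.
# Paths are the article's (/etc/vsftpd/vlogin -> /etc/vsftpd/vlogin.db); the sample
# list at the bottom is constructed here.

# check_vlogin FILE: prints every problem found; returns 1 if there was any.
check_vlogin() {
    awk '
        /[[:space:]]/ { print "line " NR ": whitespace in entry"; bad = 1 }
        NR % 2 == 1 {
            user = $0
            if (user == "") { print "line " NR ": empty username"; bad = 1 }
            # db_load -t hash keeps one value per key, so a repeated user silently
            # ends up with whichever password was listed last
            if (user in seen) { print "line " NR ": user " user " already listed on line " seen[user]; bad = 1 }
            seen[user] = NR
        }
        NR % 2 == 0 && $0 == "" { print "line " NR ": empty password for " user; bad = 1 }
        END {
            if (NR % 2 == 1) { print "odd line count: last username has no password"; bad = 1 }
            if (NR == 0) { print "empty list"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# build_vlogin_db FILE: the article's db_load/chmod steps, run only after the check passes.
# PAM is later pointed at FILE without the .db suffix (db=/etc/vsftpd/vlogin).
build_vlogin_db() {
    check_vlogin "$1" || return 1
    db_load -T -t hash -f "$1" "$1.db" || return 1
    chmod 600 "$1" "$1.db"
}

# Constructed sample: user02 appears twice, so the check rejects the list.
TMP=$(mktemp)
printf 'user01\nSecretPass1\nuser02\nSecretPass2\nuser02\nOtherPass\n' > "$TMP"
if check_vlogin "$TMP"; then echo "list OK"; else echo "list rejected"; fi
rm -f "$TMP"
```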
IV. Set up virtual account authentication
On Linux the account authentication mechanism is generally configured through a PAM service file, so the new database file is used for login checks by writing a PAM file for vsftpd. The db option in the PAM file names the account and password database file to check against (the path is given without the .db suffix).
# vim /etc/pam.d/vsftpd (add the following two lines to this file)
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
V. Set up the virtual accounts' shared directory
Because every virtual account is mapped to one real system account, a system account with a home directory must be added (here it is used for uploading website files, so the www user must be the same user the web server runs as).
# useradd -s /sbin/nologin -d /data/www www
VI. Modify the vsftpd main configuration file
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES (whether to allow anonymous login to the FTP server. The default is YES, that is, users can log in with the user name ftp or anonymous, giving an e-mail address as the password. If anonymous access is not wanted, remove the leading # and set it to NO)
local_enable=YES (whether to allow local users, i.e. user accounts on the Linux system, to log in to the FTP server. The default is YES. After logging in, local users land in their own home directory, while anonymous users land in the anonymous download directory /var/ftp/pub. If only anonymous users should be allowed, comment this line out with # so that local users cannot access the FTP server.)
write_enable=YES (whether local users are allowed to write files on the FTP server. The default is YES)
local_umask=022 (sets the default file creation mask for local users to 022; another value can be chosen according to preference. The default is 077)
anon_upload_enable=YES (whether anonymous users are allowed to upload files; write_enable=YES must also be set)
anon_mkdir_write_enable=YES (whether anonymous users are allowed to create directories. The default is YES)
anon_other_write_enable=NO (prohibits anonymous users from performing any other write operations)
dirmessage_enable=YES (whether to enable the directory welcome message. When a user enters a directory on the server for the first time from a command-line client, the FTP server displays a welcome message, which by default is read from the .message file in that directory; that file holds the custom text and is created by the user.)
xferlog_enable=YES (the default is NO; if enabled, the system keeps a log file recording uploads and downloads. By default the log file is /var/log/vsftpd.log, which can also be changed through the xferlog_file option below.)
connect_from_port_20=YES (makes the FTP server originate data connections from port 20, the ftp-data port; port 21 remains the control connection port)
xferlog_file=/var/log/vsftpd.log (the log file in which uploads to and downloads from the FTP server are recorded. /var/log/vsftpd.log is the default; another file can be set)
chown_uploads=YES (whether to change the owner of uploaded files; used together with the following setting)
# chown_username=whoever (the user that uploaded files are reassigned to; enter a system user name if needed, for example root to make every uploaded file owned by root. "whoever" means anyone)
# xferlog_std_format=YES (if enabled, the transfer log is written in the standard xferlog format, which defaults to /var/log/xferlog or can be set through the xferlog_file option; the default is NO)
# dual_log_enable (if added and enabled, two similar log files are generated, by default /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log that can be analysed with standard log tools; the latter is the vsftpd style log)
# syslog_enable (if added and enabled, the log that would have gone to /var/log/vsftpd.log is sent to the system log instead)
# idle_session_timeout=600 (the idle session timeout: an idle user session is disconnected after 600 s, i.e. a user who has finished a transfer and sends nothing for more than 600 s is disconnected. Adjust to suit the actual situation)
# data_connection_timeout=120 (the data connection timeout, here 120 seconds; adjust to suit the actual situation)
# nopriv_user=ftpsecure (the unprivileged system user that vsftpd runs as; the default is nobody)
# async_abor_enable=YES (only needed if an FTP client issues the "async ABOR" command; this is generally considered unsafe, so it is usually left disabled)
# ascii_upload_enable=YES (most FTP servers choose to transfer data in ASCII mode. Remove the # to allow uploads and downloads in ASCII mode)
# ascii_download_enable=YES (remove the # to allow downloads in ASCII mode)
# ftpd_banner=Welcome to blah FTP service. (remove the # to show a welcome message when logging in to the FTP server, and edit the text after the =. In addition, if a file named .message is created in a directory and a welcome message is written into it, that custom message is displayed when a user enters the directory)
# deny_email_enable=YES (can block certain e-mail addresses. When logging in as anonymous, the password asked for is the e-mail address; addresses you do not want to accept can be refused with this setting, which must be combined with the next one)
# banned_email_file=/etc/vsftpd/banned_emails (when deny_email_enable=YES is set, this file lists the e-mail addresses that may not log in to the vsftpd server. The file must be created by the user, one e-mail address per line)
# chroot_list_enable=YES (when NO, users can access files outside their own directory after logging in to the FTP server. When YES, users are locked into their own home directory, and vsftpd reads the chroot_list file named by the chroot_list_file option below. That file must be created by the user and lists the users to lock into their home directory, one user per line)
# chroot_list_file=/etc/vsftpd/chroot_list (this file must be created by yourself. Users listed in it cannot change to a directory outside their own after logging in, because the FTP server chroots them into their home directory, so users in chroot_list cannot wander into other users' FTP home directories at will, which helps the security management and privacy protection of the FTP server)
# ls_recurse_enable=YES (whether recursive listing is allowed. The FTP servers of large sites enable this to make querying easier for remote users)
listen=YES (if set to YES, vsftpd runs in stand-alone mode and itself listens for and handles connection requests)
listen_port=21 (the listening port; if not specified, port 21 is used)
# listen_ipv6=YES (whether IPv6 is supported)
pam_service_name=vsftpd (the name of the PAM service configuration used for authentication, i.e. the file /etc/pam.d/vsftpd, in which the field file=/etc/vsftpd/ftpusers indicates that the accounts the PAM module should deny are taken from /etc/vsftpd/ftpusers)
userlist_enable=YES (the default is NO, in which case only the users in the ftpusers file are refused. If set to YES, the users in the user_list file are allowed to log in; but if userlist_deny=YES is also set, the users in the user_list file are not allowed to log in, do not even get a password prompt, and are rejected by the FTP server outright)
# userlist_deny=YES/NO (defaults to YES; sets whether users in the user_list file are prevented from logging in to the FTP server)
tcp_wrappers=YES (the server uses tcp_wrappers for host access control; tcp_wrappers implements host-address-based access control for network services on Linux. The two files hosts.allow and hosts.deny in /etc hold its rules: the former the allow records, the latter the deny records. For example, to stop certain hosts from anonymously accessing the FTP server 192.168.57.2, edit /etc/hosts.allow and add two lines such as vsftpd:192.168.57.1:DENY and vsftpd:192.168.57.9:DENY, which stop the hosts 192.168.57.1 and 192.168.57.9 from reaching the FTP server at 192.168.57.2; they can still ping the server, but cannot connect)
chroot_local_user=YES
chroot_list_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=www
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=30000
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Addendum: the files as finally configured
[root@localhost data]# cat /etc/pam.d/vsftpd
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
[root@localhost data]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
chown_uploads=YES
chroot_local_user=YES
chroot_list_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
# userlist_deny=NO
# userlist_file=/etc/vsftpd/user_list
tcp_wrappers=YES
guest_enable=YES
guest_username=www
listen=YES
listen_port=21
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=30000
user_config_dir=/etc/vsftpd/vsftpd_user_conf
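vsftpd reads option names case-sensitively and refuses to start on an unknown key, and when a key is repeated the last value silently wins, so a copied configuration is worth checking before the service is restarted. The following added script, which is not the article's own, lints a vsftpd.conf for those two problems and for the settings this virtual-user setup depends on; the sample file at the bottom is constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): lint a vsftpd.conf like the one above for
# the virtual-user setup it is meant to implement. vsftpd compares option names
# case-sensitively and refuses to start on an unknown key, and when a key is repeated the
# last value wins, so both are reported. The sample at the bottom is constructed here.

# lint_vsftpd_conf FILE: prints findings; returns 1 if there were any.
lint_vsftpd_conf() {
    awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key ~ /[A-Z]/) { print "line " NR ": " key " is not lowercase; vsftpd will reject it as unknown"; bad++ }
            if (key in seen) { print "line " NR ": " key " repeats line " seen[key] " (last wins: " val ")"; bad++ }
            seen[key] = NR; cfg[key] = val
        }
        END {
            # settings the virtual-user setup in the article relies on
            n = split("anonymous_enable=NO guest_enable=YES chroot_local_user=YES pam_service_name=vsftpd", want, " ")
            for (i = 1; i <= n; i++) {
                split(want[i], kv, "=")
                if (cfg[kv[1]] != kv[2]) { print "expected " want[i] ", found " kv[1] "=" cfg[kv[1]]; bad++ }
            }
            if (cfg["guest_enable"] == "YES" && !("guest_username" in cfg)) { print "guest_enable=YES needs guest_username (the system account virtual users map to)"; bad++ }
            if (cfg["pasv_enable"] == "YES" && !(("pasv_min_port" in cfg) && ("pasv_max_port" in cfg))) { print "pasv_enable=YES without pasv_min_port/pasv_max_port: no fixed range to permit on the firewall"; bad++ }
            exit bad + 0
        }' "$1"
}

# Constructed sample with two defects: a capitalised key and a key repeated with a
# different value, whose second occurrence silently overrides the first.
TMP=$(mktemp)
printf 'Anonymous_enable=NO\nlocal_enable=YES\nanon_mkdir_write_enable=YES\nanon_mkdir_write_enable=NO\nchroot_local_user=YES\npam_service_name=vsftpd\nguest_enable=YES\nguest_username=www\npasv_enable=YES\npasv_min_port=20000\npasv_max_port=30000\n' > "$TMP"
if lint_vsftpd_conf "$TMP"; then echo "conf OK"; else echo "conf has findings"; fi
rm -f "$TMP"
```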
Per-user permission configuration in the directory /etc/vsftpd/vsftpd_user_conf (one file per virtual user, named after the user):
[root@localhost ~]# cat /etc/vsftpd/vsftpd_user_conf/ftpusername
local_root=/data/projects/www_data
write_enable=YES
virtual_use_local_privs=YES
Reference websites:
http://www.cnblogs.com/helonghl/articles/5533857.html
http://www.cnblogs.com/allenjin/archive/2011/12/03/2274542.html