2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
File Transfer Protocol (FTP) lets an FTP client and an FTP server share files: the client can upload, download and delete files on the server, and the server can serve many users at the same time. FTP runs over TCP and uses two connections: a control connection that carries the FTP commands and replies, and a separate TCP connection that is opened for each data transfer.
FTP works in client/server (C/S) mode. Software that shares and transfers files over FTP is called an FTP server, and the program that talks to it is called an FTP client; the client uploads files to and downloads files from the server.
1. FTP transmission mode
FTP works in C/S mode. There are two transfer modes between an FTP client and server: active mode and passive mode. "Active" and "passive" describe the behaviour of the FTP server. The two modes are shown in figures 1-2 (a) and 1-2 (b) and differ as follows:
(1) FTP active mode: the client connects from an arbitrary port N (N > 1024) to the server's command port 21. The client starts listening on port N+1 and sends the FTP command "PORT N+1" to the server; the server then connects from its data port (20) to the data port designated by the client.
(2) FTP passive mode: the client connects from an arbitrary port N (N > 1024) to the server's command port 21 and uses port N+1 for data. The client sends the PASV command; the server opens an arbitrary port P (P > 1024) and tells the client the port number P. The client then initiates the data connection from its local port N+1 to port P on the server.
In a real enterprise environment where both the FTP client and the FTP server run a firewall, FTP needs to work in active mode, so only ports 20 and 21 have to be opened in the server-side firewall rules. Firewall configuration is explained in the following chapters.
Figure 1-2 (a) FTP active mode
Figure 1-2 (b) FTP passive mode
2. Brief introduction of Vsftpd server
Mainstream FTP server software currently includes Vsftpd, ProFTPD, PureFTPd, Wuftpd, Serv-U FTP, FileZilla Server and others; the one most widely used on Unix/Linux is Vsftpd.
Very Secure FTP daemon (Vsftpd) is the mainstream FTP server program in Unix/Linux distributions. It is small and light, secure and easy to use, stable and efficient, and suits multi-department, multi-user deployments.
3. Installation and configuration of Vsftpd server
Vsftpd can be installed in two ways: from YUM, or by compiling from source; the result is the same. This article installs Vsftpd with YUM. The steps are as follows:
(1) execute the following command on the command line, as shown in figure 1-3:
yum install vsftpd* -y
Figure 1-3 YUM installation Vsftpd server
(2) list the files installed by the vsftpd package, start the Vsftpd service, and check that the process is running, as shown in figure 1-4:
rpm -ql vsftpd | more
systemctl restart vsftpd.service
ps -ef | grep vsftpd
Figure 1-4 print the post-installation path of Vsftpd software
(3) the default settings in vsftpd.conf are described as follows:
anonymous_enable=YES enables anonymous user access
local_enable=YES enables login by local system users
write_enable=YES grants write permission to local system users
local_umask=022 default permission mask for files and directories created by local users
dirmessage_enable=YES shows the directory message, usually when a user enters a directory for the first time
xferlog_enable=YES enables upload/download logging
connect_from_port_20=YES FTP uses port 20 for data transfers
xferlog_std_format=YES the log file is written in the standard xferlog format
listen=NO Vsftpd is not started as a standalone service but is managed by xinetd; changing it to YES is recommended (listen=YES and listen_ipv6=YES cannot both be set; with listen_ipv6=YES alone vsftpd already accepts IPv4 and IPv6 connections)
listen_ipv6=YES enables listening on IPv6
pam_service_name=vsftpd FTP logins are authenticated according to /etc/pam.d/vsftpd
userlist_enable=YES users listed in the Vsftpd user_list and ftpusers configuration files are prohibited from accessing FTP
tcp_wrappers=YES combines vsftpd with tcp wrappers for host access control: the Vsftpd server checks /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server.
(4) after starting the Vsftpd service, open the FTP server from Windows Explorer on a client, as shown in figure 1-5:
ftp://192.168.111.131/
Figure 1-5 Anonymous users access the FTP default directory
Vsftpd supports both active and passive mode and defaults to passive mode; the passive data port range is set with the following parameters:
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
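The passive-mode exchange described in section 1 and the pasv_min_port/pasv_max_port range above meet in the firewall: the server announces a data port in its PASV reply, and the firewall must allow that port. The script below is an added example, not part of the original article, that decodes a 227 reply into host and port and checks the port against the range; the replies it parses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: decode a server's PASV reply
# and check the announced data port against the passive range that the
# firewall must allow (pasv_min_port..pasv_max_port). Sample replies are
# constructed for the demonstration.

# Print "host port" from a 227 reply such as
#   227 Entering Passive Mode (192,168,111,131,234,96).
# The six numbers are the IPv4 address and the port split into two bytes,
# so the port is p1*256 + p2 (RFC 959). Returns 1 if the reply is malformed.
parse_pasv_reply() {
    reply=$1
    nums=$(printf '%s\n' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $nums
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    port=$(( $5 * 256 + $6 ))
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" "$port"
}

# Succeed when PORT lies inside [MIN, MAX]; the defaults match the article's
# pasv_min_port=60000 / pasv_max_port=60100.
port_in_pasv_range() {
    port=$1 min=${2:-60000} max=${3:-60100}
    [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]
}

# Demonstration on two constructed replies: one inside the range, one outside.
for reply in '227 Entering Passive Mode (192,168,111,131,234,96).' \
             '227 Entering Passive Mode (192,168,111,131,19,137).'; do
    decoded=$(parse_pasv_reply "$reply") || { echo "malformed reply: $reply"; continue; }
    host=${decoded% *}
    port=${decoded#* }
    if port_in_pasv_range "$port"; then
        echo "$host:$port is inside the passive range the firewall allows"
    else
        echo "$host:$port is outside the passive range; a firewall limited to 60000-60100 blocks it"
    fi
done
```

A reply that announces a port outside the configured range usually means the server is not reading the pasv_* settings (for example because of a typo in the key name), and the transfer will hang at the data connection rather than fail at login.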
4. Vsftpd anonymous user configuration
Vsftpd allows anonymous access by default, and the default FTP directory for anonymous users is /var/ftp/pub. Anonymous users may only view files; they cannot create, delete or modify them. To disable anonymous access, edit /etc/vsftpd/vsftpd.conf, change anonymous_enable=YES to anonymous_enable=NO, and restart the Vsftpd service.
To allow anonymous users to upload, download and delete files, add the following lines to /etc/vsftpd/vsftpd.conf:
anon_upload_enable=YES allows anonymous users to upload files
anon_mkdir_write_enable=YES allows anonymous users to create directories
anon_other_write_enable=YES grants anonymous users other write permissions.
The complete vsftpd.conf for anonymous users is as follows:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Anonymous logins (the usernames anonymous and ftp) run as the local ftp user, so for anonymous users to upload, delete and modify files that user needs write permission on /var/ftp/pub. Either chown or chmod can be used; chown is the better choice, because chmod o+w makes the directory writable by every local account. The commands are as follows:
chown -R ftp pub/
chmod o+w pub/
After the vsftpd.conf changes and permissions above are in place, restart the vsftpd service. From the Windows client you can then upload files, delete files, create directories and so on, as shown in figure 1-6:
Figure 1-6 Anonymous users access uploaded files
5. User configuration of Vsftpd system
With anonymous access set up, anyone can view files and directories on the FTP server, and even modify or delete them. If the FTP server is to store private files, how can a file or directory be kept to a single owner? Vsftpd system users meet this requirement.
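Before restarting the service with an anonymous configuration, it helps to state plainly what an anonymous visitor will be able to do. The script below is an added example, not from the original article: it reads a vsftpd.conf, resolves each relevant option with vsftpd's built-in default when it is absent, and classifies the anonymous exposure as none, read-only or writable. It also flags option names that are not all lower case, because vsftpd matches names exactly and refuses to start on an unrecognised one. The sample configuration it checks is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: read a vsftpd.conf and report
# how much an anonymous visitor can do, so the exposure described above
# (anyone can read, and with the anon_* settings also upload or delete) is
# visible before the service is restarted. The sample configuration below is
# constructed for the demonstration.

# Effective value of KEY in FILE (the last occurrence wins), or DEFAULT when
# the key is absent. Comment and blank lines are skipped, blanks are trimmed.
conf_get() {
    awk -F= -v key="$2" -v def="$3" '
        /^[ \t]*#/ || !/=/ { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                seen = 1
            }
        }
        END { print (seen ? v : def) }' "$1"
}

# Classify anonymous exposure as none, read-only or writable. The defaults
# passed to conf_get are vsftpd's built-in defaults.
anon_exposure() {
    f=$1
    [ "$(conf_get "$f" anonymous_enable YES)" = YES ] || { echo none; return 0; }
    if [ "$(conf_get "$f" write_enable NO)" = YES ] && {
           [ "$(conf_get "$f" anon_upload_enable NO)" = YES ] ||
           [ "$(conf_get "$f" anon_mkdir_write_enable NO)" = YES ] ||
           [ "$(conf_get "$f" anon_other_write_enable NO)" = YES ]; }; then
        echo writable
    else
        echo read-only
    fi
}

# Option names that are not all lower case. vsftpd matches names exactly and
# refuses to start on an unrecognised one, so "Anonymous_enable=YES" is an
# error rather than a setting.
badly_cased_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_]*\)[[:space:]]*=.*/\1/p' "$1" | grep '[[:upper:]]' || true
}

# Constructed sample mirroring the anonymous-user listing in the article.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
listen=YES
EOF

echo "anonymous exposure: $(anon_exposure "$SAMPLE")"
bad=$(badly_cased_keys "$SAMPLE")
[ -z "$bad" ] && echo "all option names are lower case" || echo "names vsftpd will reject: $bad"
rm -f "$SAMPLE"
```

Run it against the real file with `anon_exposure /etc/vsftpd/vsftpd.conf` once the functions are sourced; "writable" is the state the anonymous listing above produces, which is exactly the exposure the next section avoids by switching to system users.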
To use Vsftpd system user authentication, create one or more users on the Linux system with useradd and set their passwords; each user can then log in to FTP with that username and password to upload, download, delete and so on. The procedure is as follows:
(1) create system users jfedu1 and jfedu2 in the Linux system and set their passwords to 123456:
useradd jfedu1
useradd jfedu2
echo 123456 | passwd --stdin jfedu1
echo 123456 | passwd --stdin jfedu2
(2) modify vsftpd.conf as follows:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
(3) verify from Windows Explorer on the client: log in to the FTP server as jfedu1 and jfedu2 and upload, delete and download files. Files uploaded by the jfedu1 and jfedu2 system users are stored in their home directories, /home/jfedu1 and /home/jfedu2, as shown in figures 1-7 (a) and 1-7 (b):
Figure 1-7 (a) jfedu1 user logs in to the FTP server
Figure 1-7 (b) jfedu1 logs in to the FTP server to upload files
6. Vsftpd virtual user configuration
If system users are used to access a Vsftpd-based FTP server, the more users the system has, the harder management becomes and the weaker the system's security. To use Vsftpd more safely, Vsftpd virtual user mode is needed.
Vsftpd virtual user principle: virtual users are not real system users; access authentication is achieved by mapping them to one real user and setting the corresponding permissions. Virtual users cannot log on to the Linux system, which makes the system more secure and reliable.
The steps for configuring the Vsftpd virtual user enterprise case are as follows:
(1) install the software and authentication modules required by Vsftpd virtual users:
yum install pam* libdb-utils libdb* --skip-broken -y
(2) create a temporary file /etc/vsftpd/ftpusers.txt for the virtual users: each username goes on one line and its password on the next. Here jfedu001 and jfedu002 are the virtual usernames and 123456 is the password; for more users, continue in the same format:
jfedu001
123456
jfedu002
123456
(3) generate the Vsftpd virtual user database file from the list and set its permissions to 700:
db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftpd_login.db
chmod 700 /etc/vsftpd/vsftpd_login.db
(4) configure PAM authentication by adding the following two lines at the top of /etc/pam.d/vsftpd:
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login
(5) all Vsftpd virtual users are mapped to one system user. This user needs neither a password nor a login shell; it exists only as the mapping target for virtual users. Create it as follows:
useradd -s /sbin/nologin ftpuser
(6) the complete vsftpd.conf is as follows:
# global config Vsftpd 2017
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
userlist_enable=YES
tcp_wrappers=YES
# config virtual user FTP
pam_service_name=vsftpd
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
The virtual-user parameters in the above configuration file are described in detail below:
# config virtual user FTP
pam_service_name=vsftpd virtual users authenticate through PAM
guest_enable=YES enables virtual users
guest_username=ftpuser maps virtual users to the system user ftpuser
user_config_dir=/etc/vsftpd/vsftpd_user_conf sets the directory that holds the per-user configuration files
virtual_use_local_privs=YES virtual users get the same permissions as local users.
(7) at this point all virtual users share the /home/ftpuser home directory for uploads and downloads. To give each virtual user its own settings and home directory, create per-user configuration files under /etc/vsftpd/vsftpd_user_conf:
mkdir -p /etc/vsftpd/vsftpd_user_conf/
(8) create configuration files for the virtual users jfedu001 and jfedu002 as follows:
/etc/vsftpd/vsftpd_user_conf/jfedu001, which also assigns a private directory:
local_root=/home/ftpuser/jfedu001
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
/etc/vsftpd/vsftpd_user_conf/jfedu002, which also assigns a private directory:
local_root=/home/ftpuser/jfedu002
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Virtual user configuration file parameters:
local_root=/home/ftpuser/jfedu002 the directory virtual user jfedu002 is placed in after login
write_enable=YES grants the logged-in user write permission
anon_world_readable_only=YES only lets anonymous users download files that are world-readable
anon_upload_enable=YES allows anonymous users to upload files; takes effect only when write_enable=YES
anon_mkdir_write_enable=YES allows anonymous users to create directories; takes effect only when write_enable=YES
anon_other_write_enable=YES grants anonymous users other write permissions such as delete and rename.
(9) create each virtual user's private directory:
mkdir -p /home/ftpuser/{jfedu001,jfedu002}
chown -R ftpuser:ftpuser /home/ftpuser
Restart the Vsftpd service and log in to the Vsftpd server from Windows Explorer on the client. The test results are shown in figures 1-8 (a) and 1-8 (b):
Figure 1-8 (a) jfedu001 virtual user logs in to the FTP server
Figure 1-8 (b) jfedu001 virtual user uploads and downloads files
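Steps (2), (3), (8) and (9) of the virtual user procedure are easy to get subtly wrong by hand: an odd number of lines in ftpusers.txt pairs the wrong password with the wrong user, and a per-user file whose local_root does not match the directory created in step (9) leaves the user unable to log in. The script below is an added example, not from the original article, that generates all of those files from one list of user:password pairs and validates the list before it is loaded. It writes to a scratch directory by default (set VSFTPD_ROOT=/ to write the real /etc/vsftpd and /home/ftpuser paths), runs db_load only when the tool is installed, and uses constructed usernames and passwords.

```shell
#!/bin/sh
# Added example, not from the original article: generate the virtual-user
# password list (step 2), the per-user configuration files (step 8) and the
# private directories (step 9) from a single list of user:password pairs,
# and build the database (step 3) when db_load is available. Everything is
# written under a scratch directory by default; run with VSFTPD_ROOT=/ to
# write the real /etc/vsftpd and /home/ftpuser paths. The user names and
# passwords below are constructed samples.

ROOT=${VSFTPD_ROOT:-$(mktemp -d)}
CONF_DIR="$ROOT/etc/vsftpd"
USER_CONF_DIR="$CONF_DIR/vsftpd_user_conf"
FTP_HOME="$ROOT/home/ftpuser"

# Write OUT in the alternating "user on one line, password on the next"
# format that db_load expects. Each remaining argument is user:password.
# Returns 1 on a malformed entry so a half-written list is never loaded.
write_userlist() {
    out=$1; shift
    : > "$out"
    chmod 600 "$out"            # plaintext passwords: not world-readable
    for entry in "$@"; do
        case "$entry" in
            *:*) ;;
            *) echo "bad entry (want user:password): $entry" >&2; return 1 ;;
        esac
        user=${entry%%:*}
        pass=${entry#*:}
        if [ -z "$user" ] || [ -z "$pass" ]; then
            echo "empty user or password in: $entry" >&2; return 1
        fi
        printf '%s\n%s\n' "$user" "$pass" >> "$out"
    done
}

# db_load pairs lines up as key/value, so the list must have an even,
# non-zero number of lines.
userlist_ok() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# Per-user configuration (the settings from step 8) plus the private
# directory from step 9. local_root is the path vsftpd sees on the server,
# so it is written without the scratch prefix.
make_virtual_user() {
    u=$1
    mkdir -p "$USER_CONF_DIR" "$FTP_HOME/$u"
    cat > "$USER_CONF_DIR/$u" <<EOF
local_root=/home/ftpuser/$u
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

mkdir -p "$CONF_DIR"
write_userlist "$CONF_DIR/ftpusers.txt" jfedu001:123456 jfedu002:123456 || exit 1
userlist_ok "$CONF_DIR/ftpusers.txt" || exit 1
for u in jfedu001 jfedu002; do make_virtual_user "$u"; done

# Step 3 needs the Berkeley DB tools; step 9's chown needs the mapping user.
if command -v db_load >/dev/null 2>&1; then
    db_load -T -t hash -f "$CONF_DIR/ftpusers.txt" "$CONF_DIR/vsftpd_login.db"
    chmod 700 "$CONF_DIR/vsftpd_login.db"
fi
if id ftpuser >/dev/null 2>&1; then
    chown -R ftpuser:ftpuser "$FTP_HOME"
fi
echo "virtual user files generated under $ROOT"
```

The plaintext ftpusers.txt is the weak point of this procedure: the script sets it to mode 600 as soon as it is created, and after db_load has produced vsftpd_login.db the text file should be deleted rather than left beside the database.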
© 2024 shulou.com SLNews company. All rights reserved.