2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
10.1 introduction to ftp
There are three main network file sharing services: ftp, nfs and samba. We covered nfs in the previous chapter; this chapter covers ftp.
FTP is the abbreviation of File Transfer Protocol, which is used to control the two-way transfer of files on the Internet.
FTP is also the name of an application. Different operating systems have different FTP applications, and all of them follow the same protocol to transfer files.
When using FTP, users often encounter two concepts: download and upload.
To download a file is to copy it from a remote host to your own computer.
To upload a file is to copy it from your own computer to a remote host.
10.2 ftp architecture
FTP works at the application layer and listens on TCP port 21. It is an application based on the C/S (client/server) architecture. There are many client and server applications; here is a brief introduction.
Client:
ftp
lftp, lftpget
wget, curl
filezilla
gftp (Linux GUI)
Commercial software: flashfxp, cuteftp
Server:
wu-ftpd
proftpd: an ftp server program that provides a web interface
pureftp
vsftpd: Very Secure
ServU: a powerful ftp server program for the Windows platform
10.3 ftp data connection mode
FTP uses two kinds of connection: the command connection and the data connection.
Command connection: carries file management commands; it is always online and persists until the user logs out
Data connection: carries the data being transferred; it is created and closed on demand
There are two things to pay attention to for the data connection: the data transfer format and the data transfer mode.
There are two data transfer formats:
A) File transfer
B) Binary transfer
There are also two data transfer modes:
A) Active mode: the data connection is created by the server
B) Passive mode: the data connection is created by the client
The two data transfer modes are established as follows:
Active mode:
Command connection:
Client (1025) --> Server (21): the client connects to server port 21 from a random port (greater than 1023)
Data connection:
Server (20/tcp) --> Client (1025+1): the server uses its own port 20 to connect to the client port that is one higher than the random port the client used for the command connection.
The drawback is that the client port is random, so if the client has a firewall, the server's connection to the client to create the data connection may be rejected.
Passive mode:
Command connection:
Client (1110) --> Server (21): the client connects to server port 21 from a random port
Data connection:
Client (1110+1) --> Server (random port): the client connects to the server from the port one higher than the one it used for the command connection. The server accepts the data connection on a random port, whose number it tells the client over the command connection.
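The two modes above, seen from the command connection, as an added example that is not part of the original article: in active mode the client announces its listening address with a PORT command, in passive mode the server announces its own in a 227 reply (RFC 959), and the script decodes either one to show whose firewall must accept the incoming data connection. The function names are hypothetical and the sample session with its addresses is constructed.

```sh
# Added example (not from the article). RFC 959: the listening side of the data
# connection is announced on the command connection as h1,h2,h3,h4,p1,p2.

# data_endpoint LINE -> "MODE LISTENER IP PORT"; status 1 for any other line
data_endpoint() {
    case $1 in
        PORT\ *) mode=active;  listener=client ;;   # sent by the client
        227\ *)  mode=passive; listener=server ;;   # server reply to PASV
        *) return 1 ;;
    esac
    # Blank out everything except digits and commas, then take the last field.
    printf '%s\n' "$1" | tr -c '0-9,\n' ' ' |
    awk -v m="$mode" -v l="$listener" '{
        if (split($NF, n, ",") != 6) exit 1
        for (i = 1; i <= 6; i++) if (n[i] == "" || n[i] > 255) exit 1
        print m, l, n[1] "." n[2] "." n[3] "." n[4], n[5] * 256 + n[6]
    }'
}

# inbound_needed: command-connection lines on stdin -> whose firewall must
# accept the incoming data connection, and on which address and port
inbound_needed() {
    while IFS= read -r line; do
        ep=$(data_endpoint "$line") || continue
        set -- $ep
        echo "$1 mode: $2 firewall must accept TCP to $3:$4"
    done
}

# Constructed session excerpt (addresses are made up for the example).
sample_session() { cat <<'EOF'
USER tom
331 Please specify the password.
PORT 192,168,1,50,4,2
227 Entering Passive Mode (192,168,1,10,195,80).
EOF
}
sample_session | inbound_needed
```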
10.4 ftp response code
1xx: purely informational status codes
2xx: success status codes
3xx: status codes that ask for further supplementary information
4xx: client error
5xx: server-side error
10.5 user authentication
There are three main types of ftp users:
A) Virtual users: used only to access resources in a particular service
B) System users: real users who can log in to the system
C) Anonymous users
FTP user authentication is mainly implemented through nsswitch and pam. For nsswitch and pam, please see here.
10.6 vsftpd
The ftp application covered here is vsftpd, which is the most widely used ftp software in the company.
This chapter mainly covers the configuration of vsftpd and does not cover installation; please look that up yourself.
The vsftpd user authentication configuration file is /etc/pam.d/vsftpd
The service script is /etc/rc.d/init.d/vsftpd
The configuration file directory is /etc/vsftpd/, where the main configuration file is /etc/vsftpd/vsftpd.conf
The shared resource location for anonymous users (mapped to the ftp user) is /var/ftp
The location of the resources a system user accesses through ftp is the user's home directory
The location of the resources a virtual user accesses through ftp is the home directory of the system user that the virtual user is mapped to.
10.7 Common configurations of vsftpd
Configuration of anonymous users:
anonymous_enable=YES: enables anonymous user login
anon_upload_enable=YES: allows anonymous users to upload
anon_mkdir_write_enable=YES: allows anonymous users to create directories, but not delete them
anon_other_write_enable=YES: allows anonymous users to create and delete directories
Configuration of system users:
local_enable=YES: enables local user login
write_enable=YES: allows local users to write
local_umask=022: default umask for files uploaded via ftp
chroot_local_user=YES: confines all ftp local users to their home directories
Confine the ftp local users listed in a file (/etc/vsftpd/chroot_list) to their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Configuration of virtual users:
All virtual users are mapped to one specified system account, and the shared location they access is the home directory of that system account.
Each virtual user can be given different access rights, which are specified through the access control parameters of anonymous users.
How to store virtual user accounts:
A) In a file: edit the file, which then needs to be encoded in hash format.
Odd-numbered lines: user name
Even-numbered lines: password
B) In a table of a relational database:
User authentication is done by querying the database in real time
MySQL database: pam depends on the pam_mysql package, which can be installed with yum from the epel repository
Log configuration:
xferlog_enable=YES: whether to enable the transfer log, which records ftp transfers
xferlog_std_format=YES: whether the transfer log uses the standard format
xferlog_file=/var/log/xferlog: location where the transfer log is stored
Change the owner of uploaded files: automatically change the owner of a file uploaded from the client to the server to a designated user
chown_uploads=YES: whether to enable changing the owner of uploaded files
chown_username=whoever: the user that becomes the owner of uploaded files; this user must exist in the system
vsftpd uses pam for user authentication. The pam configuration file it uses:
pam_service_name=vsftpd: which pam configuration file under /etc/pam.d vsftpd uses for user authentication
Whether to enable the list file that controls user login (the default is the /etc/vsftpd/user_list file):
userlist_enable=YES
userlist_deny=YES: whether to deny ftp login to the users in the list file specified by userlist
Connection restrictions:
max_clients=#: maximum number of concurrent connections
max_per_ip=#: number of concurrent requests each IP can initiate at the same time
Transfer rate:
anon_max_rate: maximum transfer rate for anonymous users, in bytes per second
local_max_rate: maximum transfer rate for local users, in bytes per second
Common configuration:
dirmessage_enable=YES: enables the .message description file in directories
Suppose there is a directory called /upload containing a file named .message with some descriptive text in it. The contents of the .message file are then displayed automatically when the user changes to the /upload directory.
message_file: sets the name of the directory description file read when a directory is accessed. The default is .message.
idle_session_timeout=600: sets the time after which an inactive session is disconnected
data_connection_timeout=120: sets the data transfer timeout
ftpd_banner=Welcome to chenlf FTP service. (custom welcome message, displayed automatically when you log in to ftp)
10.8 vsftpd virtual user configuration
The configuration steps for vsftpd virtual users are as follows. Here, mysql is used for user authentication.
A) Install the required programs
yum -y install vsftpd mysql-server mysql-devel pam_mysql
Note: pam_mysql is provided by the epel repository
B) Create the virtual user accounts
Prepare the database and related tables: first make sure that the mysql service has started properly. Then create a database to store the virtual users; here it is created as the vsftpd database
mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'Your password';
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'Your password';
mysql> FLUSH PRIVILEGES;
mysql> use vsftpd;
mysql> CREATE TABLE users (id int UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, name char(20) binary NOT NULL, password char(48) binary NOT NULL);
Add virtual users for testing: add the users you need. Note that, for security reasons, their passwords should be stored encrypted using the PASSWORD function.
mysql> INSERT INTO users (name,password) VALUES ('tom',password('Your password'));
mysql> INSERT INTO users (name,password) VALUES ('jerry',password('Your password'));
C) Configure vsftpd
Create the file required for pam authentication: edit the /etc/pam.d/vsftpd.mysql file and add the following two lines:
auth required /lib64/security/pam_mysql.so user=vsftpd passwd='Your password' host=mysqldb_ip db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd='Your password' host=mysqldb_ip db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
Note: depending on how mysql was installed, pam_mysql.so may have problems connecting to the mysql server over the unix socket. In that case, create a mysql user that is authorized to connect remotely and to access the vsftpd database.
Modify the vsftpd configuration file /etc/vsftpd/vsftpd.conf to adapt it to mysql authentication
Create the system user and directory that the virtual users are mapped to:
useradd -s /sbin/nologin -d /var/ftproot vuser
chmod go+rx /var/ftproot/
Ensure that the following options are set in /etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
Then add the following options:
guest_enable=YES
guest_username=vuser
And make sure that the value of the pam_service_name option is as follows:
pam_service_name=vsftpd.mysql
D) Start the vsftpd service and check that the port is open
service vsftpd start
chkconfig vsftpd on
ss -tnlp | grep 21
E) Configure virtual users to have different access rights
vsftpd can read a separate configuration file for each user from a configuration directory to define that user's access to the ftp service. The configuration file of each virtual user has the same name as the virtual user.
The configuration directory can be any unused directory; just specify its path and name in vsftpd.conf
Edit the vsftpd.conf file and add the following option
user_config_dir=/etc/vsftpd/vusers_config
Create the required directory and provide configuration files for the virtual users
mkdir /etc/vsftpd/vusers_config
cd /etc/vsftpd/vusers_config
touch tom jerry
Configure access for virtual users
The access rights of virtual users to the vsftpd service are set through the corresponding anonymous-user directives.
For example, to give the user tom permission to upload files, modify the /etc/vsftpd/vusers_config/tom file by adding the following options:
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
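A check for the options from sections 10.7 and 10.8, added here as an example and not part of the original article: it reads a vsftpd.conf, reports settings that give anonymous or virtual users write access, leave local users unconfined, map virtual users to the ftp account or leave transfers unlogged, and tests whether a pam file holding the database password is world-readable. The function names are hypothetical, the sample config is constructed, and the fallback values are assumed to be the upstream vsftpd defaults.

```sh
# Added example (not from the article). Fallback values are the upstream vsftpd
# defaults, which is an assumption: distribution packages may ship others.

conf_get() {   # conf_get FILE KEY DEFAULT -> last KEY=value in FILE, else DEFAULT
    awk -v k="$2" -v d="$3" 'index($0, k "=") == 1 { d = substr($0, length(k) + 2) }
        END { print d }' "$1"
}
is_yes() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }   # is_yes FILE KEY DEFAULT

audit_vsftpd() {   # audit_vsftpd FILE -> one finding per line, nothing if clean
    # Virtual (guest) users receive the anonymous privileges, so check both.
    if is_yes "$1" write_enable NO &&
       { is_yes "$1" anonymous_enable YES || is_yes "$1" guest_enable NO; }; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_yes "$1" "$k" NO; then
                echo "WARN $k=YES: anonymous and virtual users can write"
            fi
        done
    fi
    if is_yes "$1" local_enable NO && ! is_yes "$1" chroot_local_user NO &&
       ! is_yes "$1" chroot_list_enable NO; then
        echo "WARN local users are not confined to their home directories"
    fi
    if is_yes "$1" guest_enable NO && [ "$(conf_get "$1" guest_username ftp)" = ftp ]; then
        echo "WARN virtual users are mapped to the anonymous ftp account"
    fi
    if ! is_yes "$1" xferlog_enable NO; then
        echo "WARN xferlog_enable is not YES: transfers are not logged"
    fi
}

# pam_secret_exposed FILE -> true if FILE holds passwd= and is world-readable
pam_secret_exposed() {
    grep -q 'passwd=' "$1" && [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Constructed sample: the section 10.8 settings, but with uploads enabled globally.
sample_conf() { cat <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd "$tmp"; rm -f "$tmp"
```

Run `audit_vsftpd /etc/vsftpd/vsftpd.conf` and `pam_secret_exposed /etc/pam.d/vsftpd.mysql` on the server after completing step E.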
Useful download tools for Linux:
axel: supports multi-threaded downloads, resuming interrupted downloads and other functions; the download speed is very fast
lftpget
wget
curl