
What are the security measures in VSFTPD

2025-02-24 Update, from SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/01 Report

This article describes the security measures available in VSFTPD. Xiaobian thinks they are quite practical and shares them here so that you can learn from them; I hope you gain something from reading this article. Without further ado, let's look at it together with Xiaobian.

vsftpd is one of the most respected FTP server programs in Linux distributions: it is small and lightweight, secure and easy to use. Although configuring it takes some care, the vsftpd.conf file itself is fairly simple, and we can set the following options:

VSFTPD Settings Options

The VSFTPD configuration file /etc/vsftpd/vsftpd.conf is a plain text file. Lines beginning with the "#" character are comments. Each option occupies one line in the form "option=value"; note that no whitespace may appear on either side of the "=" sign. In addition to this main configuration file, you can also set up per-user configuration files for specific users, as described below.

The vsftpd.conf file shipped in the VSFTPD package is simple and, in its own words, "very paranoid". We can adjust some settings according to the actual situation to make VSFTPD more usable.

1. Security measures

1.1 User login control

pam_service_name=vsftpd

The name of the PAM service (profile) that VSFTPD uses for PAM authentication. The default value is vsftpd, so the default PAM profile is /etc/pam.d/vsftpd.

/etc/vsftpd.ftpusers

VSFTPD refuses logins from the users listed in this file. This check is enforced by the default /etc/pam.d/vsftpd configuration.

userlist_enable=YES|NO

When this option is enabled, VSFTPD reads the list of users in the file named by the userlist_file parameter. If a user in that list attempts to log on, the login is refused before any password is requested: once the user name is entered and found in the list, VSFTPD rejects the user without prompting for a password or running any subsequent steps. The default value is NO.

userlist_file=/etc/vsftpd.user_list

Names the file containing the user list that is read when the userlist_enable option is in effect. The default value is /etc/vsftpd.user_list.

userlist_deny=YES|NO

Determines whether the users in the file named by userlist_file are denied, or are the only users allowed, to log on to the FTP server. This option has no effect unless userlist_enable is enabled. With YES (the default), the users in the file are denied and are not prompted for a password. With NO, only the users in the file may log on to the FTP server.

tcp_wrappers=YES|NO

Whether VSFTPD uses the TCP_Wrappers remote access control mechanism. The default is YES.

1.2 Directory access control

chroot_list_enable=YES|NO

Confines specific users to their own home directories: when these users log in they cannot move to other directories on the system, only within their own directory (and its subdirectories). The users concerned are listed in the file named by the chroot_list_file parameter. The default value is NO.

chroot_list_file=/etc/vsftpd/chroot_list

The list file naming the users to be confined to their home directories, one user per line. This file is usually /etc/vsftpd/chroot_list. This option is not set by default.

chroot_local_user=YES|NO

Confines all local users to their own home directories. When this option is enabled, the meaning of chroot_list_enable and chroot_list_file is reversed: the users listed in the file named by chroot_list_file are the ones who are not confined to their home directories. Enabling this parameter can create security problems, especially for users who have upload, shell access or similar privileges, so turn it on only if you are sure of what you are doing. The default value is NO.

passwd_chroot_enable

When this option is enabled, together with the chroot_local_user option, the location of the chroot() jail can be specified per user. Each user's jail is derived from that user's home directory field in /etc/passwd. The default value is NO.
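The login checks of section 1.1 and the chroot rules of section 1.2 interact in ways that are easy to misread, especially the reversal of the chroot list when chroot_local_user is on. The following added example (not vsftpd's own code, and not from the original article) re-implements those rules in Python so that a configuration can be checked for a given user before it is deployed. The option names follow vsftpd's own spelling (chroot_local_user); the sample vsftpd.conf and the contents of the three list files are constructed for the example, and the "/./" convention used by chroot_root_from_passwd is vsftpd's documented way of marking the jail boundary inside the passwd home field.

```python
"""Model of vsftpd's login gating (section 1.1) and chroot decisions (1.2).

Added illustration, not vsftpd's code: it re-implements the documented rules
so a vsftpd.conf can be checked for a given user before deployment.
"""
from typing import Dict, Set, Tuple

# Constructed sample vsftpd.conf: allow-list mode, every local user jailed
# except the users named in chroot_list.
SAMPLE_CONF = """\
# comment lines start with '#'
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""

# Constructed contents of the three list files the options refer to.
SAMPLE_USER_LIST: Set[str] = {"alice", "bob"}          # /etc/vsftpd.user_list
SAMPLE_FTPUSERS: Set[str] = {"root", "daemon", "bob"}  # /etc/vsftpd.ftpusers
SAMPLE_CHROOT_LIST: Set[str] = {"alice"}               # /etc/vsftpd/chroot_list


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'option=value' lines; lines starting with '#' are comments.

    vsftpd does not accept whitespace around '=', so treat it as an error
    instead of silently accepting a setting vsftpd would reject.
    """
    opts: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value")
        key, value = line.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():
            raise ValueError(f"line {lineno}: whitespace around '=' not allowed")
        opts[key] = value
    return opts


def flag(opts: Dict[str, str], name: str, default: bool) -> bool:
    """Boolean option lookup that honours vsftpd's documented default."""
    return opts.get(name, "YES" if default else "NO").upper() == "YES"


def login_gate(opts: Dict[str, str], user: str,
               user_list: Set[str], ftpusers: Set[str]) -> str:
    """Where a login attempt by `user` stops.

    'before_password' - refused by the userlist check, no password prompt
    'pam'             - listed in /etc/vsftpd.ftpusers, refused by PAM
    'password_prompt' - reaches normal password authentication
    """
    if flag(opts, "userlist_enable", False):
        listed = user in user_list
        if flag(opts, "userlist_deny", True):
            if listed:            # deny-list mode: listed users are blocked
                return "before_password"
        elif not listed:          # allow-list mode: only listed users pass
            return "before_password"
    if user in ftpusers:
        return "pam"
    return "password_prompt"


def is_chrooted(opts: Dict[str, str], user: str, chroot_list: Set[str]) -> bool:
    """Apply the chroot_local_user / chroot_list_enable interaction.

    With chroot_local_user=YES the list is an exception list (listed users are
    NOT jailed); with NO it is the set of users who ARE jailed.
    """
    listed = flag(opts, "chroot_list_enable", False) and user in chroot_list
    if flag(opts, "chroot_local_user", False):
        return not listed
    return listed


def chroot_root_from_passwd(home: str) -> Tuple[str, str]:
    """passwd_chroot_enable: the '/./' marker in the passwd home field
    separates the jail root from the directory the user starts in."""
    if "/./" not in home:
        return home, "/"
    root, start = home.split("/./", 1)
    return root, "/" + start


if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    for u in ("alice", "bob", "carol", "root"):
        print(u, login_gate(opts, u, SAMPLE_USER_LIST, SAMPLE_FTPUSERS),
              "jailed" if is_chrooted(opts, u, SAMPLE_CHROOT_LIST) else "not jailed")
```

With the sample configuration, alice reaches the password prompt but is exempt from the jail, bob passes the user list only to be refused by the ftpusers check in PAM, and carol is rejected before any password is asked for because the list is an allow-list. Flipping chroot_local_user to NO makes alice the only jailed user, which is exactly the reversal the text above warns about.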

1.3 File operation control

hide_ids=YES|NO

Whether to hide the owner and group information of files. With YES, when a user runs a command such as "ls -al", the owner and group of every file in the directory listing are shown as ftp. The default value is NO.

ls_recurse_enable=YES|NO

With YES, the "ls -R" command is allowed. This option carries a small security risk, because running "ls -R" at the root of a large FTP site consumes a lot of system resources. The default value is NO.

write_enable=YES|NO

Controls whether any FTP commands that modify the file system are allowed, such as STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. The default value is NO, but this option is turned on in the simple configuration file shipped with the package.

secure_chroot_dir=

This option points to an empty directory to which FTP users have no write permission. When vsftpd does not need access to the file system, this directory is used as a secure jail and users are confined to it. The default directory is /usr/share/empty.

1.4 Permission settings for added files

anon_umask=

The umask applied to files added by anonymous users. The default value is 077.

file_open_mode=

The permission mode of uploaded files, using the same values as chmod. If uploaded files need to be executable, set this value to 0777. The default value is 0666.

local_umask=

The umask applied when a local user adds a file. The default value is 077, but most other FTP servers use 022; you can change it to 022 if your users wish. It is set to 022 in the configuration file shipped with the package.
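The three options above only determine the final permission of an upload in combination: the umask bits are cleared from file_open_mode when the file is created. The following added example (not vsftpd's own code, and not from the original article) computes that result for anonymous and local uploads and flags the two outcomes a reviewer of a vsftpd.conf cares about, world-writable and executable uploads. The option values are passed in as the octal strings used in vsftpd.conf; the function and report field names are this example's own.

```python
"""Effective permission of an uploaded file under the section 1.4 options.

Added example, not vsftpd's code: the permission a new upload ends up with
is file_open_mode with the umask bits removed, i.e. file_open_mode & ~umask.
"""
from typing import Dict


def effective_mode(file_open_mode: str, umask: str) -> str:
    """Permission bits of a new upload as a 4-digit octal string."""
    mode = int(file_open_mode, 8) & ~int(umask, 8) & 0o777
    return format(mode, "04o")


def upload_permissions(file_open_mode: str = "0666",
                       anon_umask: str = "077",
                       local_umask: str = "077") -> Dict[str, Dict[str, object]]:
    """Report the resulting mode for anonymous and local uploads and flag
    world-writable and executable results (defaults are vsftpd's)."""
    report: Dict[str, Dict[str, object]] = {}
    for who, umask in (("anonymous", anon_umask), ("local", local_umask)):
        mode = effective_mode(file_open_mode, umask)
        bits = int(mode, 8)
        report[who] = {
            "mode": mode,
            "world_writable": bool(bits & 0o002),   # any 'other' write bit
            "executable": bool(bits & 0o111),       # any execute bit
        }
    return report


if __name__ == "__main__":
    print("vsftpd defaults:         ", upload_permissions())
    print("shipped conf, umask 022: ", upload_permissions(local_umask="022"))
    print("file_open_mode=0777:     ", upload_permissions("0777", local_umask="022"))
```

With the defaults an upload ends up as 0600, readable only by its owner; the shipped local_umask of 022 yields 0644; and raising file_open_mode to 0777 makes uploads executable (0755 with umask 022), which is why that change deserves a second look before it is made.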

The above covers the security measures in VSFTPD. Xiaobian believes that some of these points may come up in our daily work; I hope you learn more from this article. For more details, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
