Shulou(Shulou.com)06/02 Report--

This article will explain in detail how to build a vsftp service that meets your requirements for linux operation and maintenance. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

When we have installed the vsftpd software on the server and have understood the main configuration file / etc/vsftpd/vsftpd.conf of the software, we can build the ftp service we want.

Designated ports, etc.

Listen_port=21 sets the port to listen on

Download_enable=YES allows you to download files

Max_clients=100 limits the number of concurrent client connections

Max_per_ip=100 limits the number of concurrent links in Unified ip

Anonymous and physical users are prohibited from logging in.

First of all, turn off the login of anonymous users, and do not give anonymous users browsing rights.

Anonymous_enable=NO

So why not allow physical users to log in? Because physical users can already log in using a more secure sftp, there is no need to log in using the ftp protocol. In addition, because ftp is a plaintext transfer protocol, it is not good if the account password is intercepted.

How to prohibit physical users from logging in? The third step in configuring virtual users at the bottom of the article is to comment out everything under / etc/pam.d/vsftpd.

Active connection, passive connection settin

We want to build to support both active and passive connections, so the settings are as follows:

Port settings for active connection mode

Connect_from_port_20=YES

Set up a firewall to release port 21, and without opening port 20, directly allow packets that are actively requested by the host to enter the local machine (establish/related).

Iptables-An INPUT-p tcp-- dport 21-j ACCEPT # FTP Service iptables-An INPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Passive mode is turned on, and passively connected ports are limited to any one of 10001mm 11000.

Pasv_enable=YESpasv_min_port=10001pasv_max_port=11000

Set up a firewall to allow ports between 10000mm and 11000 to be open.

Iptables-An INPUT-p tcp-- dport 10001vig ACCEPT # ftp passive connection port

Configure virtual users

The steps to configure a virtual user are as follows:

Create a virtual user password file

Generate virtual user password authentication file

Edit vsftpd's PAM authentication file

Establish a local mapping directory and set host directory permissions

Modify the configuration file.

Get a separate profile for each virtual user

1. Create a password file for the virtual user in the format of odd behavior username and even behavior password. Let's create such a file / etc/vsftpd/vusers, which reads as follows:

Ftptest1111111ftptest2222222

two。 Generate a virtual user password authentication file and execute the following command:

Db_load-T-t hash-f / etc/vsftpd/vusers / etc/vsftpd/login.db

When the command is executed correctly, the / etc/vsftpd/login.db file appears. For security reasons, we set the permissions for this file to 600. 0.

Chmod 600 login.db

3. Edit the PAM profile required by the virtual user

Vim / etc/pam.d/vsftpd

Comment out all the previous content and add two new lines

Auth required / lib64/security/pam_userdb.so db=/etc/vsftpd/login account required / lib64/security/pam_userdb.so db=/etc/vsftpd/login

Note that if it is 32-bit without 64 after lib, there is no need to add a suffix after login. After doing this, physical users will not be able to log in to the ftp service.

4. Establish a local mapping directory and set host directory permissions.

Establish the host user of the virtual user

# useradd-d / home/vsftp-s / sbin/nologin ftpuser

Modify directory permissions to 755

# chmod 755 / home/vsftp/

5. Modify the configuration file.

Write the following lines of configuration information to the / etc/vsftpd/vsftpd.conf configuration file.

# enable the virtual user login feature guest_enable=YES# to enhance the security check of the guest_username=ftpuser# pam authentication file corresponding to the virtual user and the host user (this configuration exists by default). If the user is limited to his or her home directory, the user's home directory can no longer have write permissions, so add the following configuration allow_writeable_chroot=YES

6. Create a separate profile for each virtual user.

If you want to create a separate profile for each virtual user, you need to add it to the main profile

User_config_dir=/etc/vsftpd/config

Specifies the profile path for the virtual user. Next, create their own profiles for the two virtual users:

# profile for ftptest1 virtual user # create virtual user home directory # mkdir / home/vsftp/ftptest1# chown ftpuser:ftpuser / home/vsftp/ftptest1/# create configuration file # mkdir / etc/vsftpd/config # vim / etc/vsftpd/config/ftptest1

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.