How to deploy and secure an FTP server on CentOS (vsftpd)

2025-02-25 update, from SLTechnology News&Howtos (shulou), Development section


Shulou (shulou.com), 06/01 report

This article walks through installing vsftpd on CentOS, restricting logins to an explicit list of local users, confining each user to a chroot jail, and adjusting SELinux so the service can reach the users' home directories. Note that despite the word "encrypt" in the original title, nothing below enables TLS (ssl_enable is never set): credentials and data still cross the network in cleartext, so treat this as a guide to restricting access, not to encrypting it.

FTP (File Transfer Protocol) is a protocol for uploading and downloading files. A client connects to a server running an FTP daemon, such as vsftpd, and can then list, fetch and store files within the directories the server exposes.

Step 1: install the FTP server

1. Installing the vsftpd server is very straightforward, as long as you run the following command on the terminal.

# yum install vsftpd

2. After installation the service is neither running nor enabled, so start it manually and enable it so that it comes up on the next boot:

# systemctl start vsftpd
# systemctl enable vsftpd

3. Next, to allow access to the FTP service from other systems, open port 21, the control port the FTP daemon listens on:

# firewall-cmd --zone=public --permanent --add-port=21/tcp
# firewall-cmd --zone=public --permanent --add-service=ftp
# firewall-cmd --reload

The ftp service definition already covers port 21, so the explicit --add-port line is redundant but harmless. The service definition also loads the nf_conntrack_ftp helper, which is what lets passive-mode data connections through the firewall; without it, clients could log in but directory listings and transfers would hang.

Step 2: configure the FTP server

4. Now we will do some configuration to set up and secure the FTP server. First back up the original configuration file /etc/vsftpd/vsftpd.conf:

# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig

Next, open the above file and set the following options to the relevant values:

anonymous_enable=NO         # disable anonymous login
local_enable=YES            # allow local users to log in
write_enable=YES            # allow FTP commands that change the file system
local_umask=022             # umask applied to files created by local users
dirmessage_enable=YES       # show a message when a user first enters a directory
xferlog_enable=YES          # keep a detailed log of uploads and downloads
connect_from_port_20=YES    # use port 20 (ftp-data) for PORT-style data connections
xferlog_std_format=YES      # use the standard xferlog format
listen=NO                   # do not open an IPv4-only listening socket
listen_ipv6=YES             # listen on an IPv6 socket instead, which on Linux also accepts IPv4 connections
pam_service_name=vsftpd     # PAM service name used by vsftpd
userlist_enable=YES         # load the user list (configured in step 5)
tcp_wrappers=YES            # honour /etc/hosts.allow and /etc/hosts.deny

Option names are case-sensitive, so write them in lower case exactly as above. listen and listen_ipv6 must not both be YES; vsftpd refuses to start in that case.

5. Now configure vsftpd to allow or deny users based on the user list file /etc/vsftpd.userlist.

By default, when userlist_enable=YES is set, the users listed in userlist_file=/etc/vsftpd.userlist are denied login, because the userlist_deny option defaults to YES (the file is a deny-list).

Setting userlist_deny=NO inverts this: only users explicitly named in userlist_file=/etc/vsftpd.userlist are allowed to log in, and everyone else is refused before a password is even requested.

userlist_enable=YES                  # load the user name list
userlist_file=/etc/vsftpd.userlist   # the file the names are read from
userlist_deny=NO                     # the list is an allow-list: only the names in it may log in

This is not all. When users log in to the FTP server they should be placed in a chroot jail: a directory (the "local root") that becomes the root of the file system for the duration of the FTP session, so the user cannot browse outside it.

Below we show two ways of chrooting an FTP user: first directly into the user's home directory, and later (step 5) into a dedicated, non-writable local root.

6. Next, add the following options to restrict FTP users to their own home directories:

chroot_local_user=YES
allow_writeable_chroot=YES

chroot_local_user=YES places every local user in a chroot jail after login; by default that jail is the user's home directory.

By default vsftpd refuses to run with a writable chroot root, for security reasons, and fails the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Since a home directory is normally writable by its owner, allow_writeable_chroot=YES is added here to override that check. The safer alternative is shown in step 5.

Save and close the file.
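The edits in steps 4 to 6 (and the step 5 settings that later replace the writable chroot) are easy to apply inconsistently by hand. The script below is an added example, not part of the original article: it sets each option idempotently (replacing an existing or commented-out line rather than appending a duplicate, since vsftpd honours the last occurrence of a key) and then audits the file for the weak settings this guide turns off. The file path and the sample configuration in the usage note are assumptions for the example; it needs GNU sed and grep, as found on CentOS.

```shell
#!/bin/bash
# Added example (not from the original article): idempotently set vsftpd
# options and audit a vsftpd.conf for weak settings.
# Assumes GNU sed/grep. The file path is a parameter; the usage note below
# points it at a temporary copy so nothing touches /etc.

set -u

# set_opt FILE KEY VALUE
# Replace every existing line for KEY (active or commented out) with one
# definitive "KEY=VALUE" line, or append it if the key is absent.
set_opt() {
    local file=$1 key=$2 value=$3
    if grep -qE "^[#[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        # make sure the append starts on its own line
        [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ] && echo >> "$file"
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY : print the effective value (last active line wins,
# which is how vsftpd resolves duplicate keys) or nothing if unset.
get_opt() {
    local file=$1 key=$2
    grep -E "^${key}=" "$file" | tail -n1 | cut -d= -f2-
}

# harden FILE : apply the settings from steps 4-6 plus the step 5 layout
# (read-only local_root under the home directory, writable chroot disabled).
harden() {
    local f=$1
    set_opt "$f" anonymous_enable NO
    set_opt "$f" local_enable YES
    set_opt "$f" write_enable YES
    set_opt "$f" local_umask 022
    set_opt "$f" chroot_local_user YES
    set_opt "$f" userlist_enable YES
    set_opt "$f" userlist_file /etc/vsftpd.userlist
    set_opt "$f" userlist_deny NO
    set_opt "$f" allow_writeable_chroot NO
    set_opt "$f" user_sub_token '$USER'
    set_opt "$f" local_root '/home/$USER/ftp'
}

# audit FILE : print one line per weak setting; return 1 if any were found.
audit() {
    local f=$1 bad=0
    [ "$(get_opt "$f" anonymous_enable)" = "YES" ] && { echo "anonymous login enabled"; bad=1; }
    [ "$(get_opt "$f" allow_writeable_chroot)" = "YES" ] && { echo "writable chroot root"; bad=1; }
    [ "$(get_opt "$f" chroot_local_user)" != "YES" ] && { echo "local users not chrooted"; bad=1; }
    if [ "$(get_opt "$f" userlist_enable)" = "YES" ] && [ "$(get_opt "$f" userlist_deny)" != "NO" ]; then
        echo "userlist is a deny-list, not an allow-list"; bad=1
    fi
    # ssl_enable defaults to NO; this guide never sets it
    [ "$(get_opt "$f" ssl_enable)" != "YES" ] && { echo "no TLS: credentials cross the network in cleartext"; bad=1; }
    return $bad
}
```

Usage: `harden /etc/vsftpd/vsftpd.conf && audit /etc/vsftpd/vsftpd.conf` after taking the backup from step 4. On a file hardened exactly as this article describes, the only line audit still prints is the TLS one, which is the honest result: the steps here restrict who can log in and where they land, but do not protect the session on the wire.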

Step 3: adjust SELinux for the FTP server

7. Now set the SELinux boolean that allows vsftpd to read files in the users' home directories. Historically this was done with:

# setsebool -P ftp_home_dir on

However, because of a bug report in this area, the ftp_home_dir boolean may be missing or ineffective on some releases. Check first with `getsebool ftp_home_dir`; if it exists and takes effect, prefer it, because it is the narrowest option.

Otherwise use semanage to turn on ftpd_full_access instead (the semanage command comes from the policycoreutils-python package on CentOS 7):

# semanage boolean -m ftpd_full_access --on

Be aware that ftpd_full_access is much broader than ftp_home_dir: it lets the FTP daemon read and write every file on the system that discretionary permissions allow, which means the chroot and directory permissions configured in the remaining steps become the only thing confining a logged-in user.

At this point, restart vsftpd so the settings take effect:

# systemctl restart vsftpd

Step 4: test the FTP server

8. Now create an FTP user with the useradd command to test the server:

# useradd -m -c "Ravi Saive, CEO" -s /bin/bash ravi
# passwd ravi

If the account only needs FTP, give it -s /sbin/nologin instead of a real shell; vsftpd's PAM stack on CentOS checks the shell against /etc/shells, and /sbin/nologin is listed there, so the login still works while shell access is ruled out.

Then add the user ravi to /etc/vsftpd.userlist and confirm the file's contents:

# echo "ravi" | tee -a /etc/vsftpd.userlist
# cat /etc/vsftpd.userlist

9. Now test whether the settings above work. First try an anonymous login; the session below shows it is refused:

# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root): anonymous
530 Permission denied.
Login failed.
ftp>

Test FTP anonymous login

10. Next check that a user who is not listed in /etc/vsftpd.userlist cannot log in. The session below shows aaronkilik, who is not in the list, being refused before any password is requested:

# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root): aaronkilik
530 Permission denied.
Login failed.
ftp>

FTP user login failed

11. Finally, confirm that a user who is listed in /etc/vsftpd.userlist can log in and lands in his or her home directory:

# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root): ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

User logged in successfully

Warning: allow_writeable_chroot=YES carries real risk, especially when the user has upload permission or shell access: a user who can write to the root of the chroot can create or replace files that the jailed daemon itself relies on, which is exactly why vsftpd refuses a writable chroot root by default.

Enable this option only if you know exactly what you are doing. These implications are not specific to vsftpd; they apply to any FTP daemon that places local users in a chroot jail.

The next section therefore shows a safer layout: a separate, non-writable local root for each user, with a writable subdirectory inside it.

Step 5: configure different FTP home directories

12. Open the vsftpd configuration file again and comment out the unsafe option:

# allow_writeable_chroot=YES

Then create a separate root directory for the user (ravi here; yours will differ), owned by a system account rather than the user, and remove write permission for everyone:

# mkdir /home/ravi/ftp
# chown nobody:nobody /home/ravi/ftp
# chmod a-w /home/ravi/ftp

Ownership by nobody matters as much as the permission bits: if ravi owned the directory he could put the write bit back himself (vsftpd permits SITE CHMOD to local users by default), after which vsftpd would refuse his login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".

13. Next, create a directory inside the local root where the user stores his or her files:

# mkdir /home/ravi/ftp/files
# chown ravi:ravi /home/ravi/ftp/files
# chmod 0700 /home/ravi/ftp/files/

Then add or modify these options in the vsftpd configuration file:

user_sub_token=$USER          # substitute the user name into local_root
local_root=/home/$USER/ftp    # the chroot root for every local user

Save and close the file. Once again, with the new settings, let's restart the service:

# systemctl restart vsftpd

Now, for the last test, check that the user's local root is the ftp directory we created in his home directory: after login, ls should show only the files subdirectory.

# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root): ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

FTP user home directory logged in successfully

That covers deploying and securing a vsftpd server on CentOS: anonymous access disabled, logins limited to an allow-list, each user confined to a non-writable chroot root with a writable subdirectory, and SELinux adjusted to match.
