2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Environment: CentOS 5.0 operating system
I. Installation:
1. Install the Vsftpd service and its related packages:
[root@KcentOS5 ~]# yum install vsftpd*
Dependencies Resolved
=============================================================
Package        Arch    Version          Repository    Size
=============================================================
Installing:
vsftpd         i386    2.0.5-10.el5     base          137 k
Transaction Summary
=============================================================
Install     1 Package(s)
Update      0 Package(s)
Remove      0 Package(s)
2. Confirm that the PAM service and its related packages are installed:
[root@KcentOS5 ~]# yum install pam*
Dependencies Resolved
=============================================================
Package        Arch    Version              Repository    Size
=============================================================
Installing:
pam-devel      i386    0.99.6.2-3.14.el5    base          186 k
Transaction Summary
=============================================================
Install     1 Package(s)
Update      0 Package(s)
Remove      0 Package(s)
Only the development package is actually installed, which does not matter; the main purpose of this step is to confirm that PAM is present.
3. Install the DB4 packages:
A db4 package is installed specifically here to support the file database.
[root@KcentOS5 ~]# yum install db4*
Dependencies Resolved
=============================================================
Package        Arch    Version          Repository    Size
=============================================================
Installing:
db4-devel      i386    4.3.29-9.fc6     base          2.0 M
db4-java       i386    4.3.29-9.fc6     base          1.7 M
db4-tcl        i386    4.3.29-9.fc6     base          1.0 M
db4-utils      i386    4.3.29-9.fc6     base          119 k
Transaction Summary
=============================================================
Install     4 Package(s)
Update      0 Package(s)
Remove      0 Package(s)
II. System accounts
1. Create the host user of the Vsftpd service:
[root@KcentOS5 ~]# useradd vsftpd -s /sbin/nologin
The default host user of the Vsftpd service is root, which does not meet security needs. Here we create a user named vsftpd and use it as the host user that runs the Vsftpd service. Since this user exists only to run the Vsftpd service, there is no need to let it log in to the system, so it is created as a user that cannot log in.
2. Create the Vsftpd virtual host user:
[root@KcentOS5 nowhere]# useradd overlord -s /sbin/nologin
This article mainly covers the virtual users of Vsftp. Virtual users are not system users; that is to say, these FTP users do not exist in the system. In fact, all of their permissions are concentrated on one particular system user, and the so-called Vsftpd virtual host user is that user, which stands behind all of the virtual users. Because it backs all of the FTP virtual users, its own permissions affect every virtual user; therefore, for security, the rights of this user must also be controlled carefully. There is absolutely no need for this user to log in to the system, so it too is created as a user that cannot log in. (A side note: when creating the two users above, I originally did not intend to give them a home path at all. I wanted to add -d /home/nowhere; according to the man useradd manual, "-d, --home HOME_DIR":
The new user will be created using HOME_DIR as the value for the
user's login directory. The default is to append the LOGIN name to
BASE_DIR and use that as the login directory name. The directory
HOME_DIR does not have to exist but will not be created if it is
missing.
That is, the -d parameter specifies the user's home directory and is not required; if the specified directory does not exist, it will not be created.)
III. Adjust the configuration file of Vsftpd:
1. Back up the configuration file before editing
[root@KcentOS5 ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
2. Edit the main configuration file vsftpd.conf
[root@KcentOS5 ~]# vi /etc/vsftpd/vsftpd.conf
Here I record in full the changes made to the original configuration file, keeping the original comments wherever an item is modified, together with my understanding of each configuration item. For some of the more important items I give my own view, and I do not delete the original English explanations, so that they can be consulted and compared.
# Allow anonymous FTP? (Beware - allowed by default if you comment this out)
# anonymous_enable=YES
anonymous_enable=NO
Disallow anonymous access.
#
# Uncomment this to allow local users to log in.
local_enable=YES
Allow local users to log in. Note: this mainly matters for the virtual host user; if this item is set to NO, none of the virtual users will be able to log in.
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
Allow write commands.
#
# Default umask for local users is 077. You may wish to change this to 022
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
Set the permission mask for uploaded files.
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# anon_upload_enable=YES
anon_upload_enable=NO
Anonymous users may not upload.
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# anon_mkdir_write_enable=YES
anon_mkdir_write_enable=NO
Anonymous users may not create directories.
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
Enable directory messages.
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
Turn on transfer logging.
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
Use port 20 for data connections.
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# chown_uploads=YES
chown_uploads=NO
Do not change the owner of uploaded files.
# chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
Set the path of the Vsftpd service log. Note that the file does not exist by default and must be created by hand with touch; and because the host user of the Vsftpd service has been changed here to the manually created vsftpd user, that user must be given write permission on the log, otherwise the service will fail to start.
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
Use the standard xferlog record format.
#
# You may change the default value for timing out an idle session.
# idle_session_timeout=600
Idle connection timeout. The default is kept here; the specific value is left to each user's own profile, and if it is not specified there, the default of 600 seconds applies.
#
# You may change the default value for timing out a data connection.
# data_connection_timeout=120
Maximum time for a single continuous transfer. The default is kept here; the specific value is left to each user's own profile, and if it is not specified there, the default of 120 seconds applies.
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# nopriv_user=ftpsecure
nopriv_user=vsftpd
Set the unprivileged user that runs the Vsftpd service to the manually created vsftpd user. Note that once the host user is changed, the read and write permissions of every file the service touches must be reviewed; for example, the log file must be writable by this user.
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it
# however, may confuse older FTP clients.
async_abor_enable=YES
Support asynchronous ABOR (transfer abort) requests.
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
Support ASCII-mode uploads and downloads.
#
# You may fully customise the login banner string:
ftpd_banner=This Vsftp server supports virtual users ^_^
Set the Vsftpd login banner.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# deny_email_enable=YES
# (default follows)
# banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# chroot_list_enable=YES
chroot_list_enable=NO
Users are not allowed to leave their FTP home directory.
# (default follows)
# chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# ls_recurse_enable=YES
ls_recurse_enable=NO
Prohibit users from running "ls -R" after logging in to FTP. This command can put a significant load on the server; if it is allowed, several users running it at the same time will be a threat to the server.
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
Run the Vsftpd service in StandAlone mode. By the way, StandAlone mode means the service has its own daemon, and the vsftpd daemon will be visible in the output of ps -A. If you do not want StandAlone mode, you can choose SuperDaemon mode, in which vsftpd has no daemon of its own and is entirely fronted by the super daemon xinetd; at the same time, many functions of the Vsftp service will not be available.
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented!!
# listen_ipv6=YES
pam_service_name=vsftpd
Set the name of the Vsftpd authentication profile under the PAM service; PAM verification will therefore consult the vsftpd file under /etc/pam.d/.
userlist_enable=YES
Users listed in userlist_file are not allowed to use FTP.
tcp_wrappers=YES
Support TCP Wrappers.
# KC: The following entries are added for supporting virtual ftp users.
The following are the important configuration items for Vsftpd virtual user support. They are not included in the default vsftpd.conf, so you need to add them manually.
guest_enable=YES
Enable the virtual user feature.
guest_username=overlord
Specify the host user for the virtual users.
virtual_use_local_privs=YES
Give virtual users the same privileges as their host (local) user.
user_config_dir=/etc/vsftpd/vconf
Set the directory holding each virtual user's personal Vsftp profile. In other words, every Vsftp virtual user's personal profile is stored in this directory, and note that each profile's file name must be identical to the virtual user name.
pam_service_name=vsftpd # specifies the pam module name (customizable)
Save and exit.
3. Create the Vsftpd log file and change its owner to the Vsftpd service host user:
[root@KcentOS5 ~]# touch /var/log/vsftpd.log
[root@KcentOS5 ~]# chown vsftpd.vsftpd /var/log/vsftpd.log
4. Create the storage directory for the virtual user profiles:
[root@KcentOS5 ~]# mkdir /etc/vsftpd/vconf/
IV. Create the virtual user database file
1. First, create the virtual user list file:
[root@KcentOS5 ~]# touch /etc/vsftpd/virtusers
This creates the virtual user list file, a data file recording the user names and passwords of the vsftpd virtual users. I name it virtusers here, and to avoid clutter I put it under /etc/vsftpd/.
2. Edit the virtual user list file:
[root@KcentOS5 ~]# vi /etc/vsftpd/virtusers
----------
kanecruise
123456
near
123456near
mello
123456mello
----------
Edit the virtual user list file and add the user names and passwords to it. The format is simple: one line user name, one line password.
3. Generate the virtual user data file:
[root@KcentOS5 ~]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
Here, by the way, let me briefly explain this command.
See how db4's db_load command is used:
[root@KSRV2 vsftpd]# db_load
usage: db_load [-nTV] [-c name=value] [-f file]
        [-h home] [-P password] [-t btree|hash|recno|queue] db_file
usage: db_load -r lsn | fileid [-h home] [-P password] db_file
Of the db_load options, several are relevant to this article, especially the -T argument.
The -T option allows non-Berkeley DB applications to easily load text files into databases.
If the database to be created is of type Btree or Hash, or the keyword keys is specified as set, the input must be paired lines of text, where the first line of the pair is the key item and the second line of the pair is its corresponding data item. If the database to be created is of type Queue or Recno and the keyword keys is not set, the input must be lines of text, where each line is a new data item for the database.
Option -T lets the application load a text file into the database by translation. Since we store the virtual users' information in a text file, we must use this option so that the Vsftpd application can load user data from text. If the -T option is specified, the underlying access method type must be specified with the -t option.
If the option -T is specified, it must be followed by the sub-option -t.
-t specifies the underlying access method. If no -t option is specified, the database will be loaded into a database of the same type as was dumped; for example, a Hash database will be created if a Hash database was dumped.
Btree and Hash databases may be converted from one to the other. Queue and Recno databases may be converted from one to the other. If the -k option was specified on the call to db_dump then Queue and Recno databases may be converted to Btree or Hash, with the key being the integer record number.
The sub-option -t, appended after the -T option, specifies the type of database to be loaded by translation. As the extended description says, -t can select Btree, Hash, Queue, or Recno databases. Here we need to specify the hash type.
4. View the generated virtual user data file
[root@KcentOS5 ~]# ll /etc/vsftpd/virtusers.db
-rw-r--r-- 1 root root 12288 Sep 16 03:51 /etc/vsftpd/virtusers.db
It is important to note that when you want to add a virtual user later, it is not enough to just append the new user name and password to the virtual user list file in the "one line user name, one line password" format; that alone will not take effect! You must also run the "db_load -T -t hash -f <virtual user list file> <virtual user database file>.db" command again for the change to become effective!
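The list file is the only input db_load gets, and a stray blank line, trailing space or odd line count silently shifts which line is treated as the key and which as the password. The following script is an added example (not from the original article): it validates the pair file before rebuilding the hash database, and then makes both the list and the .db root-only, since both hold clear-text passwords and the listing above shows the .db created world-readable. Paths are passed as arguments; the article's values are /etc/vsftpd/virtusers and /etc/vsftpd/virtusers (pam_userdb appends .db itself).

```shell
#!/bin/sh
# Added example, not part of the original article.

# validate_virtusers FILE
# Returns 0 when FILE is well-formed for "db_load -T -t hash": an even
# number of non-empty lines (user, password, user, password, ...), no
# trailing whitespace or CR (it would become part of the key or password),
# no duplicate user names, and no user name containing '/' or whitespace.
validate_virtusers() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    awk 'BEGIN { bad = 0 }
        /[ \t\r]$/ { printf "line %d: trailing whitespace or CR\n", NR; bad = 1 }
        /^$/       { printf "line %d: empty line\n", NR; bad = 1 }
        NR % 2 == 1 {                         # odd lines are user names
            if ($0 ~ "[ \t/]") { printf "line %d: invalid user name\n", NR; bad = 1 }
            if ($0 in seen)    { printf "line %d: duplicate user %s\n", NR, $0; bad = 1 }
            seen[$0] = 1
        }
        END {
            if (NR % 2 != 0) { print "odd line count: a user is missing its password"; bad = 1 }
            exit bad
        }' "$f"
}

# build_virtusers_db LIST DB_BASENAME
# Rebuilds DB_BASENAME.db with the hash access method only after LIST
# validates, then restricts both files to root (they contain passwords).
build_virtusers_db() {
    list="$1"; db="$2"
    validate_virtusers "$list" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed" >&2; return 2; }
    db_load -T -t hash -f "$list" "$db.db" || return 1
    chmod 600 "$list" "$db.db"
}
```

Run it as root after every edit of the list file, e.g. `build_virtusers_db /etc/vsftpd/virtusers /etc/vsftpd/virtusers`; vsftpd reads the database afresh on each login, so no restart is needed.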
V. Set up the PAM authentication file and specify the virtual user database file to read
1. Look at the original PAM authentication configuration file of Vsftp:
[root@KcentOS5 ~]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
2. Make a backup before editing:
[root@KcentOS5 ~]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup
3. Edit the PAM authentication profile for Vsftpd
[root@KcentOS5 ~]# vi /etc/pam.d/vsftpd
#%PAM-1.0
auth       sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account    sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
The above two lines are added manually to verify the virtual user's credentials and account permissions.
auth here refers to authenticating the user's name and password.
account here refers to checking the permissions and restrictions on the user's account.
The following sufficient is the sufficient condition: once verification passes here, the remaining verification steps below need not be gone through. Conversely, if it fails, the user is not immediately rejected by the system, because the failure of a sufficient module does not decide the failure of the whole verification; it means the user must go through the rest of the verification chain.
The following /lib/security/pam_userdb.so indicates that the check is carried out by calling the library module pam_userdb.so.
The final db=/etc/vsftpd/virtusers specifies that the verification module will look up the data in the specified database for validation.
# KC: The entries for Vsftpd-PAM are added above.
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
VI. Configuration of virtual users
1. Plan the main path for the virtual users:
[root@KcentOS5 ~]# mkdir /opt/vsftp/
2. Set up the FTP user directories for the test users:
[root@KcentOS5 ~]# mkdir /opt/vsftp/kanecruise/ /opt/vsftp/mello/ /opt/vsftp/near/
3. Create a virtual user profile template:
[root@KcentOS5 ~]# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp
4. Customize the virtual user profile template:
[root@KcentOS5 ~]# vi /etc/vsftpd/vconf/vconf.tmp
----------
local_root=/opt/vsftp/virtuser
Specify the virtual user's own main path.
anonymous_enable=NO
Disallow anonymous access.
write_enable=YES
Allow write operations.
local_umask=022
Set the permission mask for uploaded files.
anon_upload_enable=NO
Anonymous users may not upload.
anon_mkdir_write_enable=NO
Anonymous users may not create directories.
idle_session_timeout=600
Set the idle connection timeout.
data_connection_timeout=120
Set the maximum time for a single continuous transfer.
max_clients=10
Set the number of concurrent client connections.
max_per_ip=5
Set the maximum number of connections from a single client; this setting mainly accommodates multi-threaded download tools such as Flashget and Thunderbolt.
local_max_rate=50000
Set the user's maximum transfer rate, in bytes/s.
----------
Here the original vsftpd.conf is simplified and saved as the template for the virtual user profiles. Not much needs to be specified here: the main framework and restrictions are defined by Vsftpd's main configuration file vsftpd.conf, that is, any item not mentioned in a virtual user's profile falls back to the setting in the master configuration file. As a template for virtual user profiles, only the items for per-user flow control and access mode control need to be kept. The key item is local_root, which specifies the FTP main path of the virtual user.
5. Change the owner of the virtual users' home directories to the virtual host user:
[root@KcentOS5 ~]# chown -R overlord.overlord /opt/vsftp/
6. Check permissions:
[root@KcentOS5 ~]# ll /opt/vsftp/
total 24
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:14 kanecruise
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:00 mello
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:00 near
VII. Customize for the test user:
1. Copy from the virtual user profile template:
[root@KcentOS5 ~]# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/kanecruise
2. Customize for the specific user:
[root@KcentOS5 ~]# vi /etc/vsftpd/vconf/kanecruise
----------
local_root=/opt/vsftp/kanecruise
anonymous_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=300
data_connection_timeout=90
max_clients=1
max_per_ip=1
local_max_rate=25000
----------
Template comments:
# cat /etc/vsftpconf/user1
local_root=/opt/vsftp/user1        # specify the user's login directory
anonymous_enable=NO                # do not allow anonymous login
write_enable=YES                   # writable
local_umask=022                    # mask is 022
anon_upload_enable=NO              # anonymous users cannot upload
anon_mkdir_write_enable=NO         # anonymous users cannot create directories
idle_session_timeout=300           # session timeout 300 seconds
data_connection_timeout=90         # data connection timeout 90 seconds
max_clients=1                      # maximum connections 1
max_per_ip=1                       # maximum connections per IP 1
local_max_rate=25000               # maximum transfer rate 25000 B/s
VIII. Start the service:
[root@KcentOS5 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
IX. Test:
1. Place a file in the virtual user's directory in advance:
[root@KcentOS5 ~]# touch /opt/vsftp/kanecruise/kc.test
2. Log in to FTP as a client from another machine:
[root@Yum ~]# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
220 This Vsftp server supports virtual users ^_^
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.22:root): kanecruise
331 Please specify the password.
Password: 123456
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
3. Test the directory listing command:
ftp> ls
227 Entering Passive Mode (192,168,1,22,220,24)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Sep 15 21:14 kc.test
226 Directory send OK. (directory listing succeeded)
4. Test the upload operation:
ftp> put
(local-file) KC.repo
(remote-file) KC.repo
local: KC.repo remote: KC.repo
227 Entering Passive Mode (192,168,1,22,230)
150 Ok to send data.
226 File receive OK. (upload succeeded)
699 bytes sent in 0.024 seconds (29 Kbytes/s)
ftp>
5. Test the directory creation operation:
ftp> mkdir test
257 "/opt/vsftp/kanecruise/test" created (directory created successfully)
6. Test the download operation:
ftp> get kc.test
local: kc.test remote: kc.test
227 Entering Passive Mode (192,168,1,221,164178)
150 Opening BINARY mode data connection for kc.test (0 bytes).
226 File send OK. (download succeeded)
7. Test the timeout:
ftp> dir
421 Timeout. (the timeout takes effect)
ftp> user
Not connected.
Note:
In /etc/vsftpd/vsftpd.conf, the local_enable option must be set to YES for virtual users to gain access; otherwise the following happens:
----------
[root@KcentOS5 ~]# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
500 OOPS: vsftpd: both local and anonymous access disabled!
----------
Reason: however many virtual users there are, they are all actually based on their host user overlord. If overlord, the host of the virtual users, is restricted, then the virtual users are restricted too.
Addendum:
500 OOPS: error
It is possible that your vsftpd.conf configuration file contains directives that cannot be applied; another possibility is that there is a space after the YES or NO of a directive.
What I ran into was a directive with a space after it, because I used GEDIT to edit the configuration file.
550 permission error, unable to create directories and files
Solution: disable SELinux
# vi /etc/selinux/config
SELINUX=XXX   (XXX represents the current mode)
Change it to
SELINUX=disabled
Restart