How to store FTP user account in MariaDB database

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

FTP is an old service, and security was not part of its original design: to this day it sends credentials and file contents in plaintext. It survives because it is quick to set up and easy to use. This article shows how to build a vsftpd server whose user accounts are stored in a MariaDB database, a requirement that comes up in some production environments. For the demonstration the firewall and SELinux are switched off in advance; if you forget, later steps fail with error messages that are hard to interpret (Step 8 shows one). On a real server keep SELinux enforcing and enable the relevant boolean instead (see Step 8), and open only the FTP control port plus the passive data range in the firewall.

Step 1: install the FTP server vsftpd with yum

yum install -y vsftpd

Step 2: configure vsftpd

vim /etc/vsftpd/vsftpd.conf

xferlog_enable=YES
xferlog_file=/var/log/xferlog
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vsftpd

pam_service_name points vsftpd at the PAM stack written in Step 6 (/etc/pam.d/vsftpd.mysql) instead of the default /etc/pam.d/vsftpd. guest_enable=YES turns every non-anonymous login into a "guest" (virtual user) login, and guest_username names the local system account such a login is mapped to after authentication; that account is created in Step 7. Check the rest of the default CentOS file as well: local_enable=YES and write_enable=YES must stay (write_enable gates every upload configured in Step 9), and set anonymous_enable=NO unless anonymous downloads are intended.

Step 3: compile and install pam_mysql (the build toolchain, gcc and make, must be present)

[root@centos730g ~]# yum install -y mariadb-devel pam-devel openssl-devel
[root@centos730g ~]# ls
anaconda-ks.cfg  pam_mysql-0.7RC1.tar.gz
[root@centos730g ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@centos730g ~]# cd pam_mysql-0.7RC1/
[root@centos730g pam_mysql-0.7RC1]# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
[root@centos730g pam_mysql-0.7RC1]# make
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3192:4: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [enabled by default]
    conv->appdata_ptr)) {
    ^
pam_mysql.c:3192:4: note: expected 'const struct pam_message **' but argument is of type 'struct pam_message **'
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -o pam_mysql.la -rpath /usr/lib64/security -module -avoid-version pam_mysql.lo -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
[root@centos730g pam_mysql-0.7RC1]# make install

The compiler warning about the pam_message pointer is a const-qualification mismatch in the module's source; it does not affect the built module and can be ignored. make install places pam_mysql.so in /usr/lib64/security, the directory given by --with-pam-mods-dir. One supply-chain point: pam_mysql 0.7RC1 is an old release candidate fetched as a tarball, and it will sit in the authentication path of a network service, so verify the archive's checksum or signature against the project's release page before building it.

Step 4: install, configure and start mariadb-server

[root@centos730g ~]# yum install -y mariadb-server
[root@centos730g ~]# systemctl start mariadb
[root@centos730g ~]# mysql_secure_installation

mysql_secure_installation walks through the basic hardening of a fresh install: set the root password, remove the anonymous accounts, disallow remote root login, drop the test database and reload the privilege tables. Answer yes to all of them; the FTP lookups in this setup come from 127.0.0.1 under a dedicated account and never need root. Enable the service at boot as well if the FTP server is meant to survive a restart.

Step 5: create the FTP account database in MariaDB

MariaDB [(none)]> create database vsftpd;
MariaDB [(none)]> create table vsftpd.users (id int not null auto_increment primary key, name char(30) not null unique key, password char(48));
MariaDB [(none)]> insert into vsftpd.users (name,password) values ('admin',password('adminpass')),('guest',password('guestpass'));
MariaDB [(none)]> grant all on vsftpd.* to 'vsftpd'@'127.0.0.1' identified by 'vsftpdpass';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

password() stores MariaDB's own hash format: '*' followed by the upper-case hex of SHA1(SHA1(password)), 41 characters, which fits in char(48). This is the format pam_mysql expects when crypt=2 is set in Step 6. Two points for a production deployment: the account vsftpd@127.0.0.1 only ever reads this table, so grant select on vsftpd.users instead of all privileges on the whole database; and the stored value is an unsalted, fast SHA1 construction, so anyone who can read the table can brute-force the FTP passwords offline. pam_mysql also supports crypt=1, the system crypt(3) routine, which on a glibc system accepts salted SHA-512 hashes ($6$...) and is the better choice for a new deployment.

Step 6: write the PAM configuration that lets vsftpd authenticate against MySQL

[root@centos730g ~]# vim /etc/pam.d/vsftpd.mysql

auth    required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

The file name must match pam_service_name in vsftpd.conf. The auth line verifies the offered password (crypt=2 selects the MySQL PASSWORD() format stored in Step 5), the account line checks that the account exists; both connect as the database user vsftpd from Step 5 and look the login name up in usercolumn. Because the database password sits in this file in cleartext, make it readable by root only (chmod 600 /etc/pam.d/vsftpd.mysql); vsftpd's privileged parent process runs the PAM stack, so root access is all it needs.
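The check that Steps 5 and 6 hand to pam_mysql, written out as an added example (this is not code from the page or from pam_mysql; it re-implements the crypt=2 comparison so it can be run offline). An in-memory SQLite table stands in for vsftpd.users, and the account names and demo passwords are the ones the page inserts; mysql_password() reproduces MariaDB's PASSWORD() output, which is what the passwdcolumn holds when crypt=2 is configured.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

# Added example (not from the original page or from pam_mysql's sources):
# models the check that the PAM "auth" line delegates to pam_mysql when
# crypt=2 is set.  With crypt=2 the passwdcolumn holds MariaDB's PASSWORD()
# value, '*' followed by the upper-case hex of SHA1(SHA1(password)).
# An in-memory SQLite table stands in for vsftpd.users so this runs offline.


def mysql_password(plaintext: str) -> str:
    """Re-implements MySQL/MariaDB PASSWORD() (the 4.1+ 41-character format)."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    name     CHAR(30) NOT NULL UNIQUE,
    password CHAR(48)
);
"""


def build_user_db() -> sqlite3.Connection:
    """Constructed sample data: the same two demo accounts the page inserts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", mysql_password("adminpass")),
         ("guest", mysql_password("guestpass"))],
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, name: str, candidate: str) -> bool:
    """Look the login name up in usercolumn, hash the offered password the
    same way and compare it with passwdcolumn.  The lookup is parameterised:
    the user name comes straight from the FTP client, so it must never be
    spliced into the SQL text."""
    row = conn.execute(
        "SELECT password FROM users WHERE name = ?", (name,)
    ).fetchone()
    stored: Optional[str] = row[0] if row else None
    computed = mysql_password(candidate)          # hash even for unknown users
    if stored is None:
        return False
    return hmac.compare_digest(stored, computed)  # constant-time comparison
```

Running authenticate(build_user_db(), "admin", "adminpass") returns True and any other password returns False. Two things the code makes visible that the SQL alone does not: there is no per-user salt, so two accounts with the same password get identical hashes and a leaked table can be attacked with one precomputed dictionary; and the whole decision rests on a single equality, which is why a hand-written checker should compare in constant time and query with bound parameters rather than string concatenation.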

Step 7: create the FTP root directory and the local account that the database users are mapped to, with that directory as its home, and set the permissions of the FTP root

mkdir -pv /ftproot/{pub,upload}   # two subdirectories for the later tests: pub for downloads, upload for user uploads
chmod -w /ftproot                  # the FTP root itself must not be writable by the mapped account
useradd -r -d /ftproot vsftpd      # the system account named in guest_username; every virtual user becomes this uid after login

Uploads are only ever permitted in subdirectories that are granted explicitly (Step 9), never in the root. The mapping account never needs an interactive login, so adding -s /sbin/nologin to the useradd command is advisable; -r creates a system account without a home directory, which is fine because /ftproot already exists.

Step 8: start the vsftpd service, install the lftp client and test the login

[root@centos730g ~]# systemctl start vsftpd
[root@centos730g ~]# yum install -y lftp
[root@centos730g ~]# lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> ls
ls: Login failed: 530 Login incorrect.
lftp admin@192.168.1.71:~>

If the password was typed correctly, this 530 is caused by SELinux still being in enforcing mode: the PAM module cannot reach MariaDB, and the failure is recorded in the security log.

[root@centos730g ~]# cat /var/log/secure
Oct 18 20:00:50 centos730g vsftpd[13492]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
Oct 18 20:02:30 centos730g vsftpd[13514]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))

Errno 13 is EACCES: the vsftpd process is denied the network connection to 127.0.0.1:3306 by SELinux policy, not by MariaDB (a wrong database password would produce an access-denied message from the server instead). Switching SELinux to permissive makes the login work:

[root@centos730g ~]# getenforce
Enforcing
[root@centos730g ~]# setenforce 0
[root@centos730g ~]# getenforce
Permissive

setenforce 0 is only acceptable on a lab box. The targeted policy has a boolean for exactly this case: setsebool -P ftpd_connect_db on allows vsftpd to connect to database ports while the rest of the policy stays enforcing. Confirm the denial first with ausearch -m avc -c vsftpd so that you are enabling the boolean for a denial you have actually seen.

[root@centos730g ~]# !lftp
lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> ls
drwxr-xr-x    2 0        0            4096 Oct 18 12:05 pub
drwxr-xr-x    2 0        0            4096 Oct 18 12:05 upload
lftp admin@192.168.1.71:/> cd upload/
lftp admin@192.168.1.71:/upload> put /etc/fstab
put: Access failed: 550 Permission denied. (fstab)
lftp admin@192.168.1.71:/upload> exit
[root@centos730g ~]# lftp -u guest 192.168.1.71
Password:
lftp guest@192.168.1.71:~> ls
drwxr-xr-x    2 0        0            4096 Oct 18 12:05 pub
drwxr-xr-x    2 0        0            4096 Oct 18 12:05 upload
lftp guest@192.168.1.71:/> cd upload/
lftp guest@192.168.1.71:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp guest@192.168.1.71:/upload>

(!lftp is shell history expansion; it re-runs the previous lftp command, which the shell echoes on the next line.)

At this point both virtual users, admin and guest, are authenticated through MySQL, can log in and can download, but neither can upload: write access has to be switched on per virtual user, which the next step does for admin.

Step 9: grant upload and modify permission to the administrator account admin

Add one line to the vsftpd configuration file:

vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/users_conf

Create the directory that holds the per-user configuration files:

mkdir /etc/vsftpd/users_conf

Write the permission file for admin (the file name is the virtual user's login name):

vim /etc/vsftpd/users_conf/admin

anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES

The three lines allow upload, deletion and renaming, and directory creation respectively (vsftpd does not accept trailing comments on a directive line, so keep the values bare). The anon_* switches are the right ones here because vsftpd treats a guest login like an anonymous session by default (virtual_use_local_privs=NO), so a virtual user's write rights come from the anon_* options rather than from the local-user settings. All three additionally depend on write_enable=YES in the main file, which the CentOS default configuration already sets. Every directive in a user_config_dir file overrides the same directive in vsftpd.conf for that user only; a user without a file, such as guest, keeps the global values, and these three default to NO.

Give the local mapping account vsftpd write access to /ftproot/upload:

[root@centos730g ~]# setfacl -m u:vsftpd:rwx /ftproot/upload/
[root@centos730g ~]# getfacl /ftproot/upload/
getfacl: Removing leading '/' from absolute path names
# file: ftproot/upload/
# owner: root
# group: root
user::rwx
user:vsftpd:rwx
group::r-x
mask::rwx
other::r-x
[root@centos730g ~]#

Note that the ACL is granted to the local account, which every virtual user shares after login: the filesystem now permits writes by any of them, and it is only the per-user vsftpd file that narrows this to admin. Both layers must agree. Without the ACL the admin file alone still yields "550 Permission denied"; without the admin file the ACL alone is used by nobody.

After the configuration is complete, restart vsftpd so that the changes take effect:

[root@centos730g ~]# systemctl restart vsftpd

Log in again with the admin account to verify upload and modify permissions:

[root@centos730g ~]# lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> cd upload/
lftp admin@192.168.1.71:/upload> put /etc/fstab
574 bytes transferred
lftp admin@192.168.1.71:/upload> ls
-rw-------    1 996      994           574 Oct 18 12:47 fstab
lftp admin@192.168.1.71:/upload> mkdir admin
mkdir ok, `admin' created
lftp admin@192.168.1.71:/upload> ls
drwx------    2 996      994          4096 Oct 18 12:47 admin
-rw-------    1 996      994           574 Oct 18 12:47 fstab
lftp admin@192.168.1.71:/upload> rm fstab
rm ok, `fstab' removed
lftp admin@192.168.1.71:/upload> ls
drwx------    2 996      994          4096 Oct 18 12:47 admin
lftp admin@192.168.1.71:/upload> rm -rf admin
rm ok, `admin' removed
lftp admin@192.168.1.71:/upload> ls
lftp admin@192.168.1.71:/upload> exit
[root@centos730g ~]# lftp -u guest 192.168.1.71
Password:
lftp guest@192.168.1.71:~> cd upload/
lftp guest@192.168.1.71:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp guest@192.168.1.71:/upload>

The uploaded file and directory are owned by uid 996 / gid 994, the vsftpd mapping account, and are created with mode 0600 and 0700 because vsftpd's anon_umask defaults to 077. If other users are supposed to download what admin uploads, add anon_umask=022 to the admin file.

admin has been given upload and modify rights in its own configuration file, so the write permission on upload takes effect for it; guest has no such file, so the same filesystem permission is of no use to it.
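The decision just observed, admin can write and guest cannot, modelled as an added example (this is not code from the page or from vsftpd itself): it layers a per-user file over the global configuration the way user_config_dir does and derives a guest login's write rights from write_enable and the anon_* switches. The config texts are constructed to match the settings used in this article; the filesystem ACL from Step 9 is a separate layer that the example does not model.

```python
from typing import Dict, Optional

# Added example (not code from the page or from vsftpd): shows how vsftpd's
# configuration layering decides which write operations a virtual user gets.
# The main vsftpd.conf is read first; if user_config_dir is set, the file
# named after the login user is read afterwards and overrides it for that
# session.  Guest logins are governed by the anon_* switches, each of which
# is only honoured when write_enable=YES as well.

# Constructed sample configs that follow the settings used in this article.
GLOBAL_CONF = """
# /etc/vsftpd/vsftpd.conf (excerpt)
anonymous_enable=NO
local_enable=YES
write_enable=YES
guest_enable=YES
guest_username=vsftpd
pam_service_name=vsftpd.mysql
user_config_dir=/etc/vsftpd/users_conf
"""

# Contents of /etc/vsftpd/users_conf/<name>; guest has no file.
PER_USER_CONF: Dict[str, str] = {
    "admin": """
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
""",
}

WRITE_SWITCHES = {
    "upload": "anon_upload_enable",
    "mkdir": "anon_mkdir_write_enable",
    "delete_rename": "anon_other_write_enable",
}


def parse_conf(text: str) -> Dict[str, str]:
    """vsftpd's format: one key=value per line, '#' lines are comments,
    no inline comments (a trailing '# note' would become part of the value)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def effective_settings(global_text: str, per_user_text: Optional[str]) -> Dict[str, str]:
    """Per-user directives override global ones; everything else is inherited."""
    merged = parse_conf(global_text)
    if per_user_text is not None:
        merged.update(parse_conf(per_user_text))
    return merged


def is_yes(settings: Dict[str, str], key: str) -> bool:
    """vsftpd booleans default to NO when unset; write_enable and the three
    anon_* write switches all default that way."""
    return settings.get(key, "NO").upper() == "YES"


def guest_write_rights(settings: Dict[str, str]) -> Dict[str, bool]:
    """Which write operations a guest (virtual) login may perform."""
    if not is_yes(settings, "guest_enable"):
        raise ValueError("not a guest setup: guest_enable is not YES")
    gate = is_yes(settings, "write_enable")
    return {op: gate and is_yes(settings, key) for op, key in WRITE_SWITCHES.items()}


def rights_for(user: str) -> Dict[str, bool]:
    """Rights for one virtual user under the sample configuration above."""
    return guest_write_rights(effective_settings(GLOBAL_CONF, PER_USER_CONF.get(user)))
```

rights_for("admin") reports all three operations allowed and rights_for("guest") none, matching the lftp sessions above. The same function with write_enable=NO in the global file reports nothing allowed for admin either, which is the failure mode to check first when a per-user file appears to be ignored.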

This meets the usual requirements for an FTP service in a production environment. Of course, most installations do not have enough FTP accounts to justify a database, so choose the account store according to the actual need. Two reminders: vsftpd is strict about directory permissions, and carelessness produces a variety of error messages, so check every permission step; and the credentials of these database-backed users still cross the network in plaintext, as does every file, so on anything other than an isolated lab network enable TLS in vsftpd (ssl_enable=YES together with force_local_logins_ssl=YES and force_local_data_ssl=YES, which apply to guest logins as well) or use SFTP instead.
