2025-04-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I will walk through how to build and configure an FTP service on Linux with vsftpd. Many people are not very familiar with it, so the following notes have been put together to make the topic easier to understand. I hope you get something out of this article.
FTP introduction
FTP: abbreviation of File Transfer Protocol.
Function: used to upload and download files.
Working ports of FTP: 21 is the control port, on which the client connects to the server to log in and send commands; 20 is the data port, from which the server actively connects back to the client in active mode.
vsftpd: very secure FTP daemon, the FTP server program used in this article.
Working modes of FTP: active (PORT) mode and passive (PASV) mode.
When the client and server transfer data, the server's data port is 20 in active mode; in passive mode the server listens on a random port above 1024 and the client connects to it.
Working process of FTP active (PORT) mode:
1. Client and server establish the control connection (login): client (random port > 1024) -> server port 21
2. The two sides establish the data connection and transfer data: server port 20 -> client (random port > 1024, which the client announced in its PORT command)
Working process of FTP passive (PASV) mode:
1. Client and server establish the control connection (login): client (random port > 1024) -> server port 21
2. The two sides establish the data connection and transfer data: client (random port > 1024) -> server (random port > 1024, which the server announced in its 227 reply to PASV)
Note: when the FTP server is behind a firewall, clients usually reach it in passive mode, because a firewall in front of the client would drop the server's inbound active-mode connection. Set the minimum and maximum of the passive port range in vsftpd.conf and open exactly that range (plus 21/tcp) on the server's firewall. If the server sits behind NAT, also set pasv_address to the public IP, otherwise the 227 reply advertises the private address and the client's data connection fails.
Passive mode port range in vsftpd.conf (directive names are lowercase and case-sensitive):
pasv_min_port=5000
pasv_max_port=6000
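As an added example (not from the original article, and not vsftpd's own tooling), the shell script below derives the firewall openings from the passive range in a vsftpd.conf and, on the client side, parses a server's 227 reply to confirm the advertised data port falls inside that range and the advertised host is really the server that was dialled. The sample configuration and the 227 replies are constructed here; the firewall-cmd lines assume firewalld as shipped with CentOS 7 and are printed, not executed.

```shell
#!/bin/sh
# Added example, not vsftpd's own tooling. The sample vsftpd.conf below is
# constructed for the demo; the firewall-cmd lines are printed, not run.

# Print the value of KEY from a vsftpd.conf (empty if absent or commented out).
conf_get() {                       # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Print the firewalld commands that match the conf's passive range.
# The "ftp" service opens 21/tcp and loads the FTP conntrack helper, so
# active-mode data connections from port 20 are tracked as well.
pasv_firewall_rules() {            # pasv_firewall_rules FILE
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "error: no pasv_min_port/pasv_max_port in $1" >&2; return 1
    fi
    if [ "$min" -le 1024 ] || [ "$min" -gt "$max" ]; then
        echo "error: passive range $min-$max is not usable" >&2; return 1
    fi
    printf 'firewall-cmd --permanent --add-service=ftp\n'
    printf 'firewall-cmd --permanent --add-port=%s-%s/tcp\n' "$min" "$max"
    printf 'firewall-cmd --reload\n'
}

# Turn "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "h1.h2.h3.h4 PORT",
# where PORT = p1*256 + p2. Returns 1 on a malformed reply.
pasv_parse_227() {                 # pasv_parse_227 REPLY
    fields=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Client-side check: the advertised host must be the server we connected to
# (a NATed server without pasv_address advertises its private address) and the
# port must lie inside the range the firewall was opened for.
pasv_reply_ok() {                  # pasv_reply_ok FILE SERVER_IP REPLY
    parsed=$(pasv_parse_227 "$3") || return 1
    host=${parsed% *}; port=${parsed#* }
    min=$(conf_get "$1" pasv_min_port); max=$(conf_get "$1" pasv_max_port)
    [ "$host" = "$2" ] && [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]
}

# Constructed sample configuration for the demo (not a real server's file).
PASV_DEMO_CONF=$(mktemp)
cat > "$PASV_DEMO_CONF" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=6000
EOF

pasv_firewall_rules "$PASV_DEMO_CONF"
pasv_parse_227 "227 Entering Passive Mode (192,168,11,11,19,136)"   # 192.168.11.11 5000
```

Point pasv_firewall_rules at the real /etc/vsftpd/vsftpd.conf to get the commands for that server; pasv_reply_ok is the check a client-side script should perform on every 227 reply before opening the data connection.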
vsftpd deployment ideas:
1. Turn off the security features (lab only) and check their status:
systemctl stop firewalld; setenforce 0 # stop the firewall and put SELinux into permissive mode
systemctl status firewalld; getenforce # confirm that both are off
(On a real server keep both on: open 21/tcp and the passive port range in firewalld instead of stopping it, and set the SELinux booleans the share needs, for example setsebool -P ftpd_full_access on for writable local or virtual-user shares and setsebool -P ftpd_anon_write on for anonymous uploads.)
2. Check whether the software is installed, and install it if not:
rpm -q vsftpd ftp lftp # vsftpd is the server program; ftp and lftp are client programs
3. Start the service and enable it at boot:
systemctl restart vsftpd # restart the vsftpd service
systemctl enable vsftpd # start vsftpd automatically at boot
4. Set up the shared directory and reload the settings.
5. Do a local (internal) access test, then a remote (external) access test.
Experimental environment:
CentOS 7.6 (the local IP 192.168.11.11 is used as the example)
Installation steps:
yum install -y vsftpd ftp lftp # install the vsftpd, ftp and lftp packages with yum
systemctl restart vsftpd # start the service
systemctl enable vsftpd # enable it at boot
systemctl status vsftpd # check the service status; "active (running)" means it started successfully
Share the files you need:
Default shared directories of vsftpd:
1. Anonymous users (login name ftp or anonymous) share /var/ftp.
2. Ordinary (local) users land in their own home directory, normally /home/username.
Note: root cannot log in to vsftpd by default, because root is listed in the deny files /etc/vsftpd/ftpusers and /etc/vsftpd/user_list.
Service testing:
Method 1: run ftp 192.168.11.11 and enter the user name and password at the prompts.
Method 2: lftp 192.168.11.11 -u tom,0 logs in directly with user name tom and password 0.
Under Windows you can open ftp://192.168.11.11 in Explorer.
Keep in mind that plain FTP sends the user name, password and file contents in clear text; for anything beyond a lab, enable TLS (ssl_enable=YES in vsftpd.conf) or use SFTP instead.
vsftpd configuration files: rpm -qc vsftpd lists them.
The main configuration file is /etc/vsftpd/vsftpd.conf.
Introduction to vsftpd features and the corresponding configuration changes
Blacklist function:
/etc/vsftpd/ftpusers and /etc/vsftpd/user_list are the blacklist files. ftpusers is enforced by PAM (the pam_listfile line in /etc/pam.d/vsftpd) and is always a deny list; user_list is read by vsftpd itself when userlist_enable=YES and is a deny list by default (userlist_deny=YES).
Function: users can be put on a blacklist or a whitelist to restrict who may log in.
For example, root is blacklisted by default; commenting out the root line with # in both files would let root log in, which is not recommended.
Other users can be added to the blacklist in the same way.
(Note: user_list becomes a whitelist when userlist_deny=NO is added at the end of /etc/vsftpd/vsftpd.conf.)
After the change, restart the service: listed users can log in and everyone else is refused before a password is even asked for. When the blacklist and the whitelist are both in effect, the blacklist has priority: a user listed in ftpusers cannot log in even if user_list whitelists them.
Recommendation: back up a configuration file before modifying it.
Chroot cage function:
A logged-in local user lands in their own home directory but can still cd out of it and browse the rest of the filesystem, for example / or other configuration files. The chroot cage confines the user to their home directory.
There are four ways to apply the cage:
1. Nobody is locked (the default, not secure)
2. Everybody is locked
3. Everybody except a few listed users is locked
4. Only a few listed users are locked
Case 1: open /etc/vsftpd/vsftpd.conf in vim and use :set nu to show line numbers. The line #chroot_local_user=YES is commented out by default, so nobody is jailed and nothing needs changing.
Case 2: enable the cage for all ordinary users (lock everyone).
Edit the configuration file as above, remove the # from chroot_local_user=YES (line 101 in the default file) and add allow_writeable_chroot=YES. Without it vsftpd refuses a session whose jail root (the home directory) is writable, with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". allow_writeable_chroot=YES is the quick fix but weakens the jail; the safer layout is a root-owned, non-writable home directory with a writable subdirectory underneath it.
Case 3: do not cage a few specified users (everyone else is locked).
Keep chroot_local_user=YES and additionally uncomment chroot_list_enable=YES and chroot_list_file=/etc/vsftpd/chroot_list (the two lines below it). With chroot_local_user=YES the list is an exception list.
Edit /etc/vsftpd/chroot_list with vim, add one user name per line for the users who should not be caged, then restart the service.
Case 4: cage only a few specified users.
Comment out chroot_local_user=YES again (line 101) but keep chroot_list_enable=YES and chroot_list_file=/etc/vsftpd/chroot_list: now only the users listed in /etc/vsftpd/chroot_list are caged.
Finally restart the service (note: every change to the configuration file needs systemctl restart vsftpd).
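Because the same two directives mean opposite things depending on chroot_local_user, it is easy to jail the wrong people. The following added example (not the article's code and not part of vsftpd) reproduces vsftpd's chroot decision from chroot_local_user, chroot_list_enable and chroot_list_file so all four cases can be checked before restarting, and flags allow_writeable_chroot=YES. The four configuration files and the chroot_list are constructed in a temporary directory; the assumed defaults (NO, NO and /etc/vsftpd/chroot_list) are vsftpd's documented ones.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce vsftpd's chroot
# decision for a local user from chroot_local_user, chroot_list_enable and
# chroot_list_file, so each of the four cases can be checked before restarting.
# The sample configs and list file are constructed in a temp directory.
# Assumed defaults are vsftpd's documented ones: NO, NO, /etc/vsftpd/chroot_list.

conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

# Print "jailed" or "free" for USER under the given vsftpd.conf.
chroot_decision() {                # chroot_decision CONF USER
    jail_all=$(conf_get "$1" chroot_local_user);   [ -n "$jail_all" ]  || jail_all=NO
    use_list=$(conf_get "$1" chroot_list_enable);  [ -n "$use_list" ]  || use_list=NO
    list_file=$(conf_get "$1" chroot_list_file);   [ -n "$list_file" ] || list_file=/etc/vsftpd/chroot_list
    listed=no
    if [ "$use_list" = YES ] && [ -f "$list_file" ] && grep -qx "$2" "$list_file"; then
        listed=yes
    fi
    # The list is an exception list: it inverts whatever chroot_local_user says.
    if [ "$jail_all" = YES ]; then
        if [ "$listed" = yes ]; then echo free; else echo jailed; fi
    else
        if [ "$listed" = yes ]; then echo jailed; else echo free; fi
    fi
}

# allow_writeable_chroot=YES silences the "refusing to run with writable root"
# check but lets a jailed user write to the jail root itself; flag it.
chroot_conf_warning() {            # chroot_conf_warning CONF
    if [ "$(conf_get "$1" allow_writeable_chroot)" = YES ]; then
        echo "allow_writeable_chroot=YES: prefer a root-owned home with a writable subdirectory"
    else
        echo "ok"
    fi
}

CHROOT_DEMO=$(mktemp -d)
printf 'tom\n' > "$CHROOT_DEMO/chroot_list"
# case 1: default, nobody jailed
printf 'listen=YES\n' > "$CHROOT_DEMO/case1.conf"
# case 2: everybody jailed
printf 'chroot_local_user=YES\nallow_writeable_chroot=YES\n' > "$CHROOT_DEMO/case2.conf"
# case 3: everybody jailed except the users in chroot_list
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$CHROOT_DEMO/chroot_list" > "$CHROOT_DEMO/case3.conf"
# case 4: only the users in chroot_list are jailed
printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$CHROOT_DEMO/chroot_list" > "$CHROOT_DEMO/case4.conf"

for n in 1 2 3 4; do
    c="$CHROOT_DEMO/case$n.conf"
    printf 'case %s: tom=%s alice=%s (%s)\n' "$n" \
        "$(chroot_decision "$c" tom)" "$(chroot_decision "$c" alice)" "$(chroot_conf_warning "$c")"
done
```

Run chroot_decision against the live /etc/vsftpd/vsftpd.conf with a real user name to confirm the intended case before the restart; tom is in the list and alice is not, so cases 3 and 4 show the inversion directly.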
Anonymous user feature
Practical purpose: let the anonymous user read and write the shared files.
Analysis: to achieve this, the following conditions must be met
1. vsftpd must be configured to allow the anonymous user to read and write.
2. The anonymous user (the system account ftp) must have read and write permission on the upload directory itself.
3. Anonymous uploads are only allowed into a subdirectory of /var/ftp, such as /var/ftp/upload; /var/ftp itself stays read-only.
(Warning: do not change the owner and group of /var/ftp and do not give it the w bit for group or other. vsftpd refuses a chroot whose root is writable, and the anonymous login then fails with:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection)
The actual steps are:
1. Edit /etc/vsftpd/vsftpd.conf, remove the # from lines 29 and 30, and add two more lines:
anon_upload_enable=YES # allow anonymous uploads (line 29, uncomment it)
anon_mkdir_write_enable=YES # allow anonymous users to create directories with mkdir (line 30, uncomment it)
anon_other_write_enable=YES # allow anonymous users to rename and delete (add this line)
anon_world_readable_only=NO # drop the rule that anonymous users may only download world-readable files (add this line; uploads are created under anon_umask, 077 by default, so with YES they could not be downloaded again)
2. As root, create /var/ftp/upload and make it writable for the ftp account: chown ftp:ftp /var/ftp/upload together with chmod 755 is enough, since the anonymous session runs as ftp (chmod 777 also works but lets every local account write there). Restart vsftpd and log in as ftp to test the anonymous share. If SELinux is enforcing, also run setsebool -P ftpd_anon_write on.
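The layout rule above (read-only chroot root, writable upload subdirectory) is easy to get wrong with a stray chmod -R. The shell script below is an added example, not the article's or vsftpd's code: it checks a directory against the condition that triggers the 500 OOPS, checks that the upload directory really is writable for the anonymous account, and prints the vsftpd.conf lines the text adds. It assumes GNU stat (-c) as on CentOS and the anonymous account name ftp, and it builds its own demo tree in a temporary directory rather than touching /var/ftp.

```shell
#!/bin/sh
# Added example, not the article's own code: check an anonymous share layout
# before restarting vsftpd. The chroot root (/var/ftp) must not be writable,
# or the login dies with "500 OOPS: vsftpd: refusing to run with writable root
# inside chroot()"; only the upload subdirectory should be writable for the
# anonymous account. Assumes GNU stat (-c) as on CentOS and the account "ftp".
# The directory tree used below is constructed in a temp dir, not /var/ftp.

# Print the three permission digits (u g o) of PATH, dropping any setuid/sticky digit.
perm_digits() { stat -c %a "$1" | tail -c 4; }
owner_of()    { stat -c %U "$1"; }
has_write()   { [ $(( $1 & 2 )) -ne 0 ]; }    # has_write DIGIT

# Return 0 if DIR is acceptable as a chroot root for FTPUSER:
# no group/other write bit, and not owner-writable when FTPUSER owns it.
chroot_root_ok() {                 # chroot_root_ok DIR FTPUSER
    mode=$(perm_digits "$1"); owner=$(owner_of "$1")
    u=${mode%??}; go=${mode#?}; g=${go%?}; o=${go#?}
    if has_write "$g" || has_write "$o"; then
        echo "$1: mode $mode is writable by group/other, vsftpd will refuse the chroot"; return 1
    fi
    if [ "$owner" = "$2" ] && has_write "$u"; then
        echo "$1: owned and writable by $2, vsftpd will refuse the chroot"; return 1
    fi
    echo "$1: ok as chroot root (owner $owner, mode $mode)"
}

# Return 0 if FTPUSER can create files in DIR (owns it with the write bit, or other-write).
upload_dir_ok() {                  # upload_dir_ok DIR FTPUSER
    mode=$(perm_digits "$1"); owner=$(owner_of "$1")
    u=${mode%??}; o=${mode#??}
    if [ "$owner" = "$2" ] && has_write "$u"; then
        echo "$1: writable through ownership by $2 (mode $mode)"; return 0
    fi
    if has_write "$o"; then
        echo "$1: writable through other-write (mode $mode); chown $2 plus chmod 755 is narrower"; return 0
    fi
    echo "$1: not writable for $2 (owner $owner, mode $mode)"; return 1
}

# vsftpd.conf lines for a writable anonymous share (the ones the text adds).
anon_share_conf() {
    cat <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
EOF
}

# Constructed demo tree: root 755 (good), upload 777 (works), bad root 777 (refused).
ANON_DEMO=$(mktemp -d)
mkdir -p "$ANON_DEMO/ftp/upload" "$ANON_DEMO/ftp_bad"
chmod 755 "$ANON_DEMO/ftp"; chmod 777 "$ANON_DEMO/ftp/upload"; chmod 777 "$ANON_DEMO/ftp_bad"
chroot_root_ok "$ANON_DEMO/ftp" ftp
upload_dir_ok  "$ANON_DEMO/ftp/upload" ftp
chroot_root_ok "$ANON_DEMO/ftp_bad" ftp || true
```

On the real server run chroot_root_ok /var/ftp ftp and upload_dir_ok /var/ftp/upload ftp before restarting; the first failing line is the one the 500 OOPS is about.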
FTP service speed limit feature:
That is, different users get different transfer-rate caps.
1. Add the following to /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/vsftpd/userconf # directory holding one per-user override file, named after the user
2. Create that directory: mkdir -pv /etc/vsftpd/userconf
Create /etc/vsftpd/userconf/gg with vim
Add the content: local_max_rate=2000000 # in bytes per second, so about 2 MB/s for both upload and download for the user gg (0 means unlimited)
tcp_wrappers access control for vsftpd:
tcp_wrappers function: a mini firewall giving per-IP access control for daemons linked against libwrap. vsftpd consults it only when tcp_wrappers=YES is set in vsftpd.conf (the CentOS 7 default file sets it). RHEL/CentOS 8 and later dropped tcp_wrappers, so use firewalld rich rules there instead.
Configuration files: /etc/hosts.allow (whitelist) and /etc/hosts.deny (blacklist). hosts.allow is checked first and a match grants access; then hosts.deny is checked and a match refuses; a client matching neither file is allowed.
! Tip: to let only a few hosts in, first deny everything in hosts.deny (ALL: ALL), then list the few IPs to release in hosts.allow.
Example settings:
Format: daemon name: host name, IP address or network prefix such as 192.168.11.
vim /etc/hosts.deny # blacklist
vsftpd: 192.168.11.1 # refuse the host 192.168.11.1 access to the vsftpd share
sshd: 192.168.11.1 # refuse the host 192.168.11.1 ssh access (sshd on CentOS 7 is also built with libwrap)
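Since the allow-first order and the open default decide who gets in, it pays to test a hosts.allow/hosts.deny pair before it locks an administrator out. The script below is an added example, not libwrap or the article's code: it simulates the decision for the plain "daemon_list : client_list" form with ALL, an exact IPv4 address or a dotted network prefix such as 192.168.11. as client patterns (no EXCEPT, host names or netmasks), using a constructed pair of files in a temporary directory.

```shell
#!/bin/sh
# Added example, not the article's own code: simulate libwrap's decision so a
# hosts.allow/hosts.deny change can be checked before it locks someone out.
# Order is the documented one: a hosts.allow match grants, then a hosts.deny
# match refuses, and a client matching neither file is allowed.
# Assumption: only the plain "daemon_list : client_list" form is handled, with
# ALL, an exact IPv4 address or a dotted network prefix such as 192.168.11. as
# client patterns (no EXCEPT, host names or netmasks). Files are constructed below.

# Return 0 if PATTERN (ALL, exact address, or "a.b.c." prefix) matches CLIENT.
wrap_match() {                     # wrap_match PATTERN CLIENT
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Return 0 if some line of FILE names DAEMON (or ALL) with a client pattern matching CLIENT.
wrap_file_matches() {              # wrap_file_matches FILE DAEMON CLIENT
    [ -f "$1" ] || return 1
    hit=$(sed 's/#.*//' "$1" | while IFS=: read -r daemons clients; do
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                if wrap_match "$c" "$3"; then echo hit; fi
            done
        done
    done)
    [ -n "$hit" ]
}

# Print allow/deny for DAEMON from CLIENT and return 0 (allow) or 1 (deny).
wrap_allowed() {                   # wrap_allowed DAEMON CLIENT ALLOWFILE DENYFILE
    if wrap_file_matches "$3" "$1" "$2"; then echo allow; return 0; fi
    if wrap_file_matches "$4" "$1" "$2"; then echo deny; return 1; fi
    echo allow                     # matched nothing: libwrap's default is to allow
}

WRAP_DEMO=$(mktemp -d)
cat > "$WRAP_DEMO/hosts.deny" <<'EOF'
ALL: ALL                  # refuse everything libwrap protects ...
EOF
cat > "$WRAP_DEMO/hosts.allow" <<'EOF'
vsftpd: 192.168.11.       # ... then release the FTP share to the local subnet
sshd: 192.168.11.10       # and ssh only to the admin workstation
EOF
for probe in "vsftpd 192.168.11.50" "vsftpd 10.0.0.5" "sshd 192.168.11.50" "sshd 192.168.11.10"; do
    set -- $probe
    printf '%s from %s: %s\n' "$1" "$2" "$(wrap_allowed "$1" "$2" "$WRAP_DEMO/hosts.allow" "$WRAP_DEMO/hosts.deny")"
done
```

Replace the two temporary files with /etc/hosts.allow and /etc/hosts.deny to probe the real rules; the last assertion in the accompanying check shows the point of the tip above: with no hosts.deny entry at all, an unlisted client is let in.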
vsftpd virtual user feature:
Virtual user: an account that is not created with useradd (it does not exist in /etc/passwd) but lives in a separate user database belonging to vsftpd, written by hand with vim.
Advantages of virtual users: they avoid accumulating system accounts and let vsftpd manage its own users independently.
Virtual user account file format:
Odd lines are user names and even lines are the corresponding passwords.
Example:
1. Create the virtual user account file: vim /etc/vsftpd/vuser.txt and enter the users f1, f2 and f3, each followed on the next line by the password 123456.
2. Convert the text file into a Berkeley DB database file.
yum install -y libdb-utils # provides db_load
cd /etc/vsftpd # change to the /etc/vsftpd directory
db_load -T -t hash -f /etc/vsftpd/vuser.txt /etc/vsftpd/vuserdb.db # build vuserdb.db (hash format) from vuser.txt
chmod -v 600 /etc/vsftpd/vuserdb.db # only root may read the database; the clear-text vuser.txt deserves the same treatment, or delete it once the database exists
3. Add the virtual user database to vsftpd's PAM configuration.
vim /etc/pam.d/vsftpd and insert the following two lines at the top of the file:
auth sufficient pam_userdb.so db=/etc/vsftpd/vuserdb
account sufficient pam_userdb.so db=/etc/vsftpd/vuserdb
(db= takes the path without the .db suffix. "sufficient" means a name found in the database is accepted here, while a name that is not falls through to the existing lines, so ordinary local users can still authenticate.)
4. Create an ordinary local account that the virtual users will be mapped to:
useradd vftper -s /sbin/nologin # create the user vftper with the non-interactive shell /sbin/nologin; its home /home/vftper will hold the virtual users' directories
5. Associate that local account with the virtual users in vsftpd.conf.
vim /etc/vsftpd/vsftpd.conf and add the following at the end of the file:
guest_enable=YES # treat every non-anonymous login as a guest, that is, a virtual user
guest_username=vftper # run guest sessions as the local user vftper created in step 4 (with guest_enable=YES, local users are mapped to it as well)
user_config_dir=/etc/vsftpd/vuser_conf # directory of per-user override files
allow_writeable_chroot=YES # guests are chrooted into vftper's home, which vftper can write to, so this line is required or the login fails with the 500 OOPS error
6. Give each virtual user its own directory, access rights and, if wanted, speed limit.
cd /etc/vsftpd
mkdir -v vuser_conf
cd vuser_conf # per-user files live in /etc/vsftpd/vuser_conf and are named after the user
# create the per-user files for f1 and f2; f1 may read and write in its directory
touch f1 f2
mkdir -v /home/vftper/{f1,f2}
chmod -v 777 /home/vftper/{f1,f2} # wider than needed: the session runs as vftper, so chown vftper:vftper with mode 755 is enough
vim f1 and enter:
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/home/vftper/f1
# f2 may read but not write in its directory
vim f2 and enter:
local_root=/home/vftper/f2 # only this line is strictly needed; the NO lines below switch writing off explicitly
write_enable=NO
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
7. Restart vsftpd and log in with each virtual user to test the share.
systemctl restart vsftpd
ftp 192.168.11.11 -> log in as f1 and as f2 and try uploading a file
This completes the vsftpd virtual user exercise.
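The per-user override files of the speed-limit section and the virtual user setup above share one mechanism (user_config_dir) and one fragile input format (the odd/even vuser.txt). The shell script below is an added example serving both sections; it is not the article's code and not part of vsftpd. It validates a vuser.txt, writes one override file per user in the read-write or read-only form shown above with a rate cap, and prints the db_load and chmod commands that build the database pam_userdb reads (run here only if db_load is installed). The guest account vftper, the paths and the 2000000 B/s cap are the article's examples; the input files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example serving the speed-limit and virtual-user sections; it is not the
# article's code. It validates a vuser.txt (odd lines user, even lines password),
# writes one override file per user under user_config_dir, and prints the db_load
# and chmod commands that build the database pam_userdb reads (run here only if
# db_load is installed). Paths, the guest account vftper and the 2000000 B/s cap
# are the article's examples; the input files are constructed in a temp directory.

# Return 0 if FILE is a well-formed vuser.txt: no empty lines, an even number of
# lines, and no user listed twice.
vuser_file_ok() {                  # vuser_file_ok FILE
    if grep -q '^$' "$1"; then echo "$1: empty line (missing name or password)"; return 1; fi
    n=$(wc -l < "$1")
    if [ $(( n % 2 )) -ne 0 ]; then echo "$1: odd line count $n, a password is missing"; return 1; fi
    dups=$(awk 'NR % 2 == 1' "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then echo "$1: duplicate user(s): $dups"; return 1; fi
    echo "$1: ok, $(( n / 2 )) users"
}

# Print the user names (the odd lines).
vuser_names() { awk 'NR % 2 == 1' "$1"; }

# Write DIR/USER: local_root and a rate cap for every user, plus the write switches.
# Guest (virtual) logins follow the anon_* switches, local users follow write_enable.
write_user_conf() {                # write_user_conf DIR USER rw|ro RATE_BYTES HOME
    case "$3" in rw) w=YES ;; ro) w=NO ;; *) echo "mode must be rw or ro" >&2; return 1 ;; esac
    cat > "$1/$2" <<EOF
local_root=$5/$2
local_max_rate=$4
write_enable=$w
anon_world_readable_only=NO
anon_upload_enable=$w
anon_mkdir_write_enable=$w
anon_other_write_enable=$w
EOF
}

# Commands turning vuser.txt into the Berkeley DB that pam_userdb reads.
# pam_userdb's db= argument is given without the .db suffix.
vuser_db_commands() {              # vuser_db_commands TXT DB_WITHOUT_SUFFIX
    printf 'db_load -T -t hash -f %s %s.db\n' "$1" "$2"
    printf 'chmod 600 %s.db %s\n' "$2" "$1"     # the clear-text list needs protecting too
}

VU_DEMO=$(mktemp -d)
mkdir "$VU_DEMO/vuser_conf"
printf 'f1\n123456\nf2\n123456\nf3\n123456\n' > "$VU_DEMO/vuser.txt"    # constructed input
printf 'f1\n123456\nf2\n' > "$VU_DEMO/broken.txt"                     # f2 has no password

vuser_file_ok "$VU_DEMO/vuser.txt"
vuser_file_ok "$VU_DEMO/broken.txt" || true
for u in $(vuser_names "$VU_DEMO/vuser.txt"); do
    mode=ro; [ "$u" = f1 ] && mode=rw                 # f1 read-write, the rest read-only
    write_user_conf "$VU_DEMO/vuser_conf" "$u" "$mode" 2000000 /home/vftper
done
vuser_db_commands "$VU_DEMO/vuser.txt" "$VU_DEMO/vuserdb"
if command -v db_load >/dev/null 2>&1; then
    vuser_db_commands "$VU_DEMO/vuser.txt" "$VU_DEMO/vuserdb" | sh
fi
```

For the real deployment point the functions at /etc/vsftpd/vuser.txt and /etc/vsftpd/vuser_conf; the validation catches the two mistakes that otherwise only show up as a silent "530 Login incorrect", a user line without its password line and a name listed twice.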
Operation of the ftp and lftp client programs:
Both are client programs.
ftp command format: ftp 192.168.11.11
lftp command format: lftp 192.168.11.11 -u qq,0 # log in as user qq with password 0
Difference between ftp and lftp: the classic ftp client is minimal and prompts for the credentials interactively, so you normally lcd to the local directory first and give file paths explicitly for put and get; lftp accepts the credentials on the command line with -u and adds tab completion, mirror and queued transfers, which makes it the more convenient choice for scripted transfers.
After reading the above, do you have a better understanding of how to build and configure an FTP service on Linux? If you want to learn more, please follow the industry information channel. Thank you for your support.