
Centos7 configuration vsftpd

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Basic installation

yum install vsftpd

Then edit the configuration file /etc/vsftpd/vsftpd.conf (one option=value per line, with no spaces around the "=")

Turn off anonymous access

anonymous_enable=NO

Turn on the transfer log

xferlog_enable=YES

xferlog_file=/var/log/vsftpd.log

Confine local users to their home directory (a chroot jail, i.e. a "fake root")

chroot_local_user=YES

Allow confined users to have write permission inside the jail (without this option vsftpd refuses the login when the root of the jail is writable)

allow_writeable_chroot=YES

Daemon (superserver) mode; the other option is stand-alone mode, listen=YES, which is used for large-scale access. Note that the stock CentOS 7 vsftpd.conf pairs listen=NO with listen_ipv6=YES, so vsftpd still listens stand-alone on a dual-stack IPv6 socket.

listen=NO

At this point, restart the ftp service, and you can log in normally using the local user.
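As an added example (not part of the original post), the shell functions below apply the directives above to a vsftpd.conf-style file idempotently: an existing or commented-out line for the key is rewritten in place and a missing key is appended, which avoids the duplicate definitions that a plain `echo >>` produces (vsftpd uses the last definition, so duplicates silently hide the intended value). The sample file is constructed here and is not the stock CentOS 7 file; the function names are the example's own. Run harden_vsftpd_conf against /etc/vsftpd/vsftpd.conf and then restart with systemctl restart vsftpd.

```shell
#!/bin/sh
# Idempotently set key=value directives in a vsftpd.conf-style file.
# vsftpd.conf syntax: one "option=value" per line, '#' comments, no spaces around '='.

# set_directive FILE KEY VALUE
# Rewrites every existing (active or commented-out) line for KEY in place,
# or appends KEY=VALUE when the key does not occur at all.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${key}=" "$file"; then
        tmp=$(mktemp)
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^#?[ \t]*" k "=") { print k "=" v; next }
            { print }
        ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY
# Prints the effective value (the last uncommented definition wins, as in vsftpd),
# or nothing when the key is unset.
get_directive() {
    awk -F= -v k="$2" '$1 == k { val = $2 } END { print val }' "$1"
}

# harden_vsftpd_conf FILE: apply the settings from the article.
harden_vsftpd_conf() {
    f=$1
    set_directive "$f" anonymous_enable NO
    set_directive "$f" xferlog_enable YES
    set_directive "$f" xferlog_file /var/log/vsftpd.log
    set_directive "$f" chroot_local_user YES
    set_directive "$f" allow_writeable_chroot YES
    set_directive "$f" listen NO
}

# Constructed sample resembling the shape of a stock config (not the real file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Example vsftpd config file (constructed sample)
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
xferlog_enable=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
EOF
harden_vsftpd_conf "$demo_conf"
```

The commented-out chroot_local_user line in the sample is turned into the active setting rather than being left beside a second copy, so `grep -c '^chroot_local_user=' /etc/vsftpd/vsftpd.conf` should print 1 after the run.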

Files in the /etc/vsftpd/ directory:

ftpusers: users listed in this file are denied FTP login by PAM (see the pam_listfile line in /etc/pam.d/vsftpd).

user_list: the list that the vsftpd service itself consults to restrict which users may log in (its meaning is controlled by the userlist_enable and userlist_deny options).

Configure FTP virtual users

(Once virtual-user configuration is enabled, local users can no longer log in, because PAM has to be reconfigured for the virtual-user database.)

1. Append the following to the end of the configuration file

# virtual user settings

guest_enable=YES

Local system account that virtual users are mapped to

guest_username=vftpuser

user_config_dir=/etc/vsftpd/userconf

2. Create the virtual users and their passwords:

vi /etc/vsftpd/vftpuser.txt

Add user names and passwords on alternating lines (example):

zhangsan

123456

lisi

654321

Then convert the text file into a Berkeley DB file (the db_load command must be installed first; on CentOS 7 it is in the libdb-utils package). Both files hold the passwords in clear text, so restrict their permissions.

db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db

3. Change the FTP authentication method: edit /etc/pam.d/vsftpd

Comment out all existing lines first, then add the following (the db= path is given without the .db suffix)

auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser

account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser

4. Then create each virtual user's own configuration file

Enter the configuration directory /etc/vsftpd/userconf

Create a file whose name is exactly the virtual user's name

vi zhangsan

Add the following so that the virtual user can upload, delete, modify and list files

local_root=/ftp/upload

write_enable=YES

virtual_use_local_privs=YES

5. Finally restart the service

Note: using virtual users is the safer choice for an FTP server, because the FTP accounts are not system accounts and all of them are mapped to a single unprivileged host user.
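Steps 1 to 5 as one runnable script, added here as an example and not taken from the post. It builds the alternating name/password file, refuses user names that could not serve as a safe file name under user_config_dir, writes each per-user configuration file with the three options above, and calls db_load with the same flags as in step 2 when the command is available. The scratch directory, the helper names, the minimum password length and the passwords are constructed for the example; /ftp/upload and the user names zhangsan and lisi are those used in the post.

```shell
#!/bin/sh
# Virtual-user setup for vsftpd (steps 1-5 of the article) against a scratch directory.
# Real paths from the article: /etc/vsftpd/vftpuser.txt -> /etc/vsftpd/vftpuser.db and
# /etc/vsftpd/userconf/<name>; here they are parameters so the script runs unprivileged.

# valid_username NAME: lowercase letter first, then letters/digits/underscore, max 32 chars.
# Rejecting anything else keeps the name usable as a plain file name under user_config_dir
# and keeps the alternating-line db input aligned (no empty names, no embedded newlines).
valid_username() {
    nl=$(printf '\nx'); nl=${nl%x}
    case $1 in ''|*"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9_]{0,31}$'
}

# add_virtual_user TXTFILE NAME PASSWORD
# Appends the pair in the name/password alternating format that db_load -T expects.
add_virtual_user() {
    txt=$1; name=$2; pass=$3
    valid_username "$name" || { echo "rejected user name: $name" >&2; return 1; }
    [ "${#pass}" -ge 8 ] || { echo "password for $name too short (min 8, example policy)" >&2; return 1; }
    printf '%s\n%s\n' "$name" "$pass" >> "$txt"
}

# write_user_conf CONFDIR NAME ROOTDIR: per-user file granting write access under ROOTDIR.
write_user_conf() {
    dir=$1; name=$2; root=$3
    valid_username "$name" || return 1
    mkdir -p "$dir"
    cat > "$dir/$name" <<EOF
local_root=$root
write_enable=YES
virtual_use_local_privs=YES
EOF
    chmod 600 "$dir/$name"
}

# build_db TXTFILE DBFILE: convert with the article's db_load flags when the tool exists.
build_db() {
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
    else
        echo "db_load not installed (CentOS 7: yum install libdb-utils); conversion skipped" >&2
    fi
}

# count_users TXTFILE: number of complete name/password pairs in the input file.
count_users() {
    lines=$(wc -l < "$1")
    echo $((lines / 2))
}

# Constructed scratch layout standing in for /etc/vsftpd.
work=$(mktemp -d)
users_txt="$work/vftpuser.txt"
: > "$users_txt"
chmod 600 "$users_txt"                      # the file holds clear-text passwords
add_virtual_user "$users_txt" zhangsan 'Zs_example_pw1'
add_virtual_user "$users_txt" lisi 'Li_example_pw2'
write_user_conf "$work/userconf" zhangsan /ftp/upload
write_user_conf "$work/userconf" lisi /ftp/upload
build_db "$users_txt" "$work/vftpuser.db"
```

After the script has run against the real /etc/vsftpd, the remaining manual steps are the /etc/pam.d/vsftpd change from step 3 and the service restart from step 5.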

Appendix: configuring vsftpd active and passive mode, and how they work

How they work:

Active FTP:

Command connection: client port >1024 → server port 21

Data connection: client port >1024 ← server port 20 (the server initiates)

Passive FTP:

Command connection: client port >1024 → server port 21

Data connection: client port >1024 → server port >1024 (the client initiates)

Introduction:

In the PORT (active) process, the client connects to the server's FTP port (21 by default), the server accepts, and the command connection is established. When data needs to be transferred, the client sends a PORT command over the command connection telling the server, "I have opened port XXXX, come and connect to me." The server then opens a connection from its port 20 to the client's port XXXX, and the data is transferred over that data connection.

In the PASV (passive) process, the client likewise connects to the server's FTP port (21 by default) and the command connection is established. When data needs to be transferred, the server, answering the client's PASV command on the command connection, tells the client, "I have opened port XXXX, come and connect to me," and the client opens the data connection to that port.

To sum up: in active mode the server knocks on the client's door and the client opens it; in passive mode the client knocks on the server's door and the server opens it. This is why active mode does not work when you reach the Internet through a proxy: the server knocks on the proxy server's door, not the client's. Even without a proxy the client often will not open the door, because its firewall blocks the incoming connection unless a high port (greater than 1024) has been opened for it.

Active mode parameters:

port_enable=YES | NO

Set this to NO to disable PORT (active) mode for data connections. The default is YES.

connect_from_port_20=YES | NO (set to YES in the default configuration file)

Controls whether port 20 (ftp-data) is used as the source port for data transfers in PORT mode: YES uses it, NO does not. The built-in default is NO, but the vsftpd.conf shipped with Red Hat Linux (RHL) sets it to YES.

ftp_data_port=port number

Sets the FTP data port (ftp-data) used in PORT mode. The default is 20.

port_promiscuous=YES | NO

The default is NO. YES disables the PORT security check, which ensures that outgoing data connections can only go to the client's own address. Enable this with care.

Passive mode parameters:

pasv_enable=YES | NO

YES allows PASV mode for data transfers; NO forbids it. The default is YES.

pasv_min_port=port number

pasv_max_port=port number

The lowest and highest port vsftpd will announce for passive data connections. The default for both is 0, which means any port; set an explicit range so that only that range needs to be opened on the firewall.

Note:

1. Pay attention to the firewall configuration (port 21, port 20 for active mode, and the passive port range must be allowed through).

2. Regardless of whether the server is configured for active or passive mode, the client uses passive mode when it connects with ftp.
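To make the port arithmetic behind PORT and PASV concrete, here is an added example (not from the article) that decodes the h1,h2,h3,h4,p1,p2 tuple both commands carry, encodes a PORT argument, and applies two client-side checks to a 227 reply: that the announced address belongs to the server the control connection is with (the mirror image of the PORT security check that port_promiscuous=NO enforces on the server side) and that the announced port lies within the pasv_min_port/pasv_max_port range the firewall was opened for, as Note 1 requires. The sample reply and addresses are constructed; the function names are the example's own.

```shell
#!/bin/sh
# PORT/PASV address arithmetic and client-side sanity checks for the 227 reply.
# Both commands carry "h1,h2,h3,h4,p1,p2" where the TCP port is p1*256 + p2.

# decode_hostport "h1,h2,h3,h4,p1,p2" -> prints "h1.h2.h3.h4 port"; fails on malformed input.
decode_hostport() {
    echo "$1" | awk -F, '
        NF != 6 { exit 1 }
        { for (i = 1; i <= 6; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          printf "%d.%d.%d.%d %d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# encode_port IP PORT -> prints the argument a client would send in a PORT command.
encode_port() {
    ip=$1; port=$2
    echo "$ip,$((port / 256)),$((port % 256))" | tr '.' ','
}

# parse_pasv_reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "host port"
parse_pasv_reply() {
    tuple=$(echo "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$tuple" ] || return 1
    decode_hostport "$tuple"
}

# pasv_target_is_server REPLY SERVER_IP
# Refuse to open the data connection if the 227 reply points anywhere other than the
# server we hold the control connection with (client-side analogue of port_promiscuous=NO).
pasv_target_is_server() {
    hp=$(parse_pasv_reply "$1") || return 1
    [ "${hp%% *}" = "$2" ]
}

# pasv_port_in_range REPLY MIN MAX
# Check the announced port against the pasv_min_port/pasv_max_port window the firewall allows.
pasv_port_in_range() {
    hp=$(parse_pasv_reply "$1") || return 1
    port=${hp##* }
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Constructed sample exchange: server 192.0.2.10 announces port 195*256+80 = 50000.
PASV_REPLY='227 Entering Passive Mode (192,0,2,10,195,80).'
```

Running `parse_pasv_reply "$PASV_REPLY"` prints `192.0.2.10 50000`; with pasv_min_port=40000 and pasv_max_port=50000 on the server, `pasv_port_in_range "$PASV_REPLY" 40000 50000` succeeds, so the firewall rule for that range is sufficient for this transfer.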
