FTP file sharing service

2025-04-18 update, from SLTechnology News&Howtos, Servers section


Shulou(Shulou.com)06/03 Report--

The FTP file sharing service runs over TCP and uses two ports: TCP 21 for the control connection (established with a three-way handshake) and TCP 20 for data transfer.

FTP works at the application layer.

Seen from the client's side, there are two working modes:

[Active Mode]

The client opens a dynamic port above 1024, for example 2000,

--> and connects to port 21 of the server with a three-way handshake. The handshake takes some time; during that delay:

the client opens a second port, one higher than the first (2001), and listens on it;

the client sends the command PORT 2001 to the server, telling the server that the client's data port is 2001.

--> The server then connects from its port 20 to client port 2001, and data is exchanged on that connection.

[Passive Mode]

The client opens a dynamic port (2000)

--> and connects to port 21 of the server with a three-way handshake. The handshake takes some time; during that delay:

the client opens a second port, one higher than the first (2001), and listens on it;

--> the client sends the PASV command to the server, telling the server that the client is in passive mode and is waiting for the server to announce a port for the client to connect to.

The server replies with port 3000, telling the client that the server's data port is 3000.

--> The client connects from port 2001 to server port 3000, and data is exchanged on that connection.
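On the wire, the "PORT 2001" and "port 3000" messages above are not bare numbers: both the PORT command and the server's 227 reply to PASV carry the address and port as six comma-separated bytes, with the port split into high and low byte (port = p1*256 + p2). The shell functions below, an added example and not code from the article, encode and decode that form; the addresses and ports are constructed for the demo.

```shell
#!/bin/sh
# Added example: encode/decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply.

# port_arg HOST PORT: the argument a client would send in "PORT h1,h2,h3,h4,p1,p2".
port_arg() {
  host=$1 port=$2
  printf '%s,%d,%d\n' "$(printf '%s' "$host" | tr . ,)" $((port / 256)) $((port % 256))
}

# parse_pasv REPLY: turn "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "HOST PORT".
# Returns 1 when the reply does not contain exactly six numbers, so a caller never
# connects to a half-parsed address.
parse_pasv() {
  nums=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
  [ -n "$nums" ] || return 1
  set -- $(printf '%s' "$nums" | tr , ' ')
  [ $# -eq 6 ] || return 1
  printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# Demo with the constructed addresses/ports from the walkthrough above.
demo() {
  echo "client sends: PORT $(port_arg 192.168.1.10 2001)"
  echo "server says:  227 Entering Passive Mode (192,168,1,10,11,184)"
  echo "client connects to: $(parse_pasv '227 Entering Passive Mode (192,168,1,10,11,184)')"
}
demo
```

The split matters for the firewall step later in the article: in active mode the client must accept an inbound connection from server port 20, and in passive mode the server chooses the data port, so a firewall in front of vsftpd can only stay mostly closed if the server is pinned to a range with the pasv_min_port and pasv_max_port options and only that range plus port 21 is opened.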

Experiment preparation

Two Linux servers running CentOS 7.1

Turn off the firewall:

systemctl stop firewalld (temporary)

systemctl disable firewalld (permanent, from next boot)

Turn off SELinux:

setenforce 0 (temporary)

sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config (permanent, from next boot)

yum -y install ftp (client: installs the FTP client)

yum -y install vsftpd (server: installs the vsftpd service)

Start the service:

systemctl enable vsftpd (enable autostart)

systemctl restart vsftpd (restart the service)

systemctl stop vsftpd (stop the service)

Main configuration file: /etc/vsftpd/vsftpd.conf

Line 12: enable anonymous access

Line 16: allow local (entity) accounts to log in

Line 19: allow entity accounts write permission

Line 23: umask for files created by entity users (files get mode 644)

Line 29: allow anonymous uploads (files only, not directories)

Line 33: allow anonymous users to create directories

Line 37: turn on directory access messages

Line 40: turn on logging

Line 43: use port 20 for data transmission

Lines 48, 49: change the owner of uploaded files

Line 53: log path and file name

Line 57: write the log in standard format

Line 60: session idle timeout, 600 s

Line 63: data transfer timeout, 120 s

Line 82: upload data transfer mode

Line 90: refuse certain e-mail addresses as anonymous passwords

Line 92: the file listing those e-mail addresses

Line 100: entity accounts are confined to their default login location

Line 101: enable the list of users exempt from that restriction

Line 103: location and file name of that list

Line 114: IPv4 listening (disabled here)

Line 123: IPv6 listening, which also serves IPv4

Line 125: PAM service name used for user authentication

Line 126: enable the user list; users in the list are refused login
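Several of the lines above (anonymous access, anonymous writes, the chroot setting, logging) decide how much a vsftpd host exposes. The script below is an added example, not part of the article: it reads a vsftpd.conf the way vsftpd does (uncommented key=value lines only, last occurrence wins) and prints one finding per risky setting. The option names are the real vsftpd names behind those line numbers (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, anon_other_write_enable, local_enable, chroot_local_user, allow_writeable_chroot, xferlog_enable); the configuration it checks in the demo is constructed to match experiment two below.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf for settings that widen exposure.
# Exit status of audit_vsftpd_conf = number of findings, 0 when clean.

# opt FILE KEY: effective value of KEY, upper-cased (vsftpd accepts yes/YES), empty if unset.
opt() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]'; }

audit_vsftpd_conf() {
  f=$1 n=0
  anon=$(opt "$f" anonymous_enable)
  if [ "$anon" = YES ]; then
    echo "anonymous_enable=YES: logins without credentials are accepted"; n=$((n + 1))
    # Anonymous write options only matter when anonymous login is on.
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
      if [ "$(opt "$f" $k)" = YES ]; then echo "$k=YES: anonymous users can write"; n=$((n + 1)); fi
    done
  fi
  if [ "$(opt "$f" local_enable)" = YES ] && [ "$(opt "$f" chroot_local_user)" != YES ]; then
    echo "chroot_local_user is not YES: entity users can browse outside their home directory"; n=$((n + 1))
  fi
  if [ "$(opt "$f" allow_writeable_chroot)" = YES ]; then
    echo "allow_writeable_chroot=YES: the chroot root itself is writable"; n=$((n + 1))
  fi
  if [ "$(opt "$f" xferlog_enable)" != YES ]; then
    echo "xferlog_enable is not YES: transfers are not logged"; n=$((n + 1))
  fi
  return $n
}

# Demo on a constructed file mirroring experiment two; nothing under /etc is read.
demo() {
  t=$(mktemp)
  printf '%s\n' anonymous_enable=YES local_enable=YES write_enable=YES anon_upload_enable=YES \
    anon_mkdir_write_enable=YES anon_other_write_enable=YES xferlog_enable=YES '#chroot_local_user=YES' > "$t"
  n=0; audit_vsftpd_conf "$t" || n=$?
  echo "findings: $n"
  rm -f "$t"
}
demo
```

Run it against the real file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after each experiment to see which of the settings just changed are visible from the outside.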

Experiment one

Special settings in the configuration file (restrict entity users from switching directories)

[Entity users may not change path; they can only work in their default login location]

vim /etc/vsftpd/vsftpd.conf

Line 100: uncomment (remove the #) to confine entity users to their home directory

chroot_local_user=YES

Add manually:

allow_writeable_chroot=YES Allows login when the home directory is writable (vsftpd 3.x otherwise refuses with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()")

Line 101: uncomment

chroot_list_enable=YES Enable the user list; users in this list may still switch paths

Line 103: uncomment

chroot_list_file=/etc/vsftpd/chroot_list

Path and file name of the user list; create the file manually

vim /etc/vsftpd/chroot_list

Users added to the list can switch paths; users not in the list cannot.

Restart the service and verify.

Experiment two

vim /etc/vsftpd/vsftpd.conf

Special permission settings in the configuration file (permissions for anonymous users)

[Allow anonymous users to upload, create directories, delete, etc.]

Line 29: uncomment

anon_upload_enable=YES Enable anonymous uploads (files only)

Line 33: uncomment

anon_mkdir_write_enable=YES Allow anonymous users to create directories

Line 34: add manually

anon_other_write_enable=YES Enable the other write permissions (delete, rename) for anonymous users

Restart the service and verify.

Client-side verification:

Username: ftp

Password: any

Change the owner and group of the anonymous users' default login location:

chown -R ftp:ftp /var/ftp/pub

Restart the service and verify.

Client: upload, create a directory, delete, etc.

Experiment three

User restriction files in /etc/vsftpd

[Restrict login by physical (system) users]

User list files: ftpusers, user_list

ftpusers:

Users in this list are always denied access.

user_list:

Controlled by a setting in the main configuration file:

userlist_enable=YES/NO

If the value is YES, the user list function is enabled and users in user_list are refused login.

If the value is NO, user_list is ignored.

With userlist_enable=YES:

userlist_deny=YES means users in the list are not allowed to log in, and users not in the list can.

userlist_deny=NO means only users in the list can log in.
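Experiments one and three both come down to editing vsftpd.conf, where two details bite in practice: vsftpd rejects spaces around "=" ("500 OOPS: unrecognised variable in config file"), and editing by hand tends to leave a key both commented out and set further down. The script below is an added example, not the article's code: set_opt replaces an existing (possibly commented-out) line for a key or appends one, so re-running it is safe, and the two configure functions apply the chroot settings of experiment one and the deny-list setting of experiment three. The demo works on a constructed copy of the relevant default lines in a temporary directory; point the functions at /etc/vsftpd/vsftpd.conf to apply them for real.

```shell
#!/bin/sh
# Added example: idempotent edits of a vsftpd.conf-style file (key=value, no spaces, '#' comments).

# set_opt FILE KEY VALUE: replace the line for KEY (commented out or not) or append it.
set_opt() {
  f=$1 k=$2 v=$3
  if grep -q "^#\{0,1\}$k=" "$f"; then
    sed "s|^#\{0,1\}$k=.*|$k=$v|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf '%s=%s\n' "$k" "$v" >> "$f"
  fi
}
# get_opt FILE KEY: effective value (last uncommented occurrence), empty if unset.
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Experiment one: confine entity users to their home directory; names in LIST stay exempt.
configure_chroot() {
  conf=$1 list=$2
  set_opt "$conf" chroot_local_user YES
  set_opt "$conf" chroot_list_enable YES
  set_opt "$conf" chroot_list_file "$list"
  set_opt "$conf" allow_writeable_chroot YES   # vsftpd 3.x refuses a writable chroot root without this
  [ -e "$list" ] || : > "$list"                 # the list file must exist or logins fail
}

# Experiment three: refuse every account named in user_list.
configure_userlist() {
  set_opt "$1" userlist_enable YES
  set_opt "$1" userlist_deny YES
}

# Demo on constructed default lines in a temp dir; nothing under /etc is touched.
demo() {
  d=$(mktemp -d); conf=$d/vsftpd.conf
  printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' '#chroot_local_user=YES' \
    '#chroot_list_enable=YES' '#chroot_list_file=/etc/vsftpd/chroot_list' 'userlist_enable=YES' > "$conf"
  configure_chroot "$conf" "$d/chroot_list"
  configure_userlist "$conf"
  cat "$conf"
  rm -rf "$d"
}
demo
```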

Experiment 4

Virtual users

Idea: the client logs in with an account and password, but the account is not an entity account on the system; it is a virtual account.

Create one entity account on the server and map it to several virtual accounts.

1. Create a text file of virtual accounts in /etc/vsftpd

vim vftpuser (odd lines hold the username, even lines the password)

snow

123

lisa

321

No extra blank lines.

Save and exit.

2. Build a database file from the text file

Command: db_load -T -t hash -f /etc/vsftpd/vftpuser /etc/vsftpd/vftpuser.db

-T: import the contents of a text file into a database file

-t: database type, here hash

-f: the text file to read; the last argument is the path and file name of the generated database file

3. Authentication file /etc/pam.d/vsftpd

Back up the original authentication file.

cp /usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/vsftpd.pam /etc/pam.d/vsftpd Copy the template authentication file

vim /etc/pam.d/vsftpd

auth required pam_userdb.so db=/etc/vsftpd/vftpuser

account required pam_userdb.so db=/etc/vsftpd/vftpuser

db= gives the location and file name of the database file; note that the .db suffix is not added.

4. Create the physical account and map the virtual accounts to it

useradd -d /var/ftp/vftp test Create the account test and specify its home directory

chmod 777 /var/ftp/vftp

Modify the main configuration file: vim /etc/vsftpd/vsftpd.conf

Add at the bottom:

guest_enable=YES Enable virtual users

guest_username=test The entity account they are mapped to

5. Restart the service and verify.

[Note] Once the virtual user function is enabled, physical accounts can no longer log in.

To log in with an entity account, add that entity user to ~/vftpuser.

systemctl status vsftpd -l Show detailed status

Experiment 5:

Restrict permissions for virtual users

vim /etc/vsftpd/vsftpd.conf

Turn off all the anonymous-user options.

Add at the bottom:

user_config_dir=/etc/vsftpd/vftp

[Set the directory of per-user permission files for all virtual users]

cd /etc/vsftpd/vftp

vim snow

anon_world_readable_only=YES Read permission

write_enable=YES Enable writing

anon_upload_enable=YES Upload

anon_mkdir_write_enable=YES Create directories

anon_other_write_enable=YES Other write permissions

Save and exit, restart the service and verify.
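Experiments 4 and 5 fail quietly when the vftpuser file is malformed: db_load simply pairs consecutive lines as key and value, so a blank line or a missing password shifts every later username into the password position and logins stop working. The script below is an added example, not the article's code: it checks the file's shape before db_load runs, lists the usernames, and writes the per-user file of experiment 5 for each of them. It assumes db_load is installed (on CentOS 7 it comes from the libdb-utils package); the user file in the demo is constructed with the same two entries as the article and is written to a temporary directory.

```shell
#!/bin/sh
# Added example: validate the virtual-user text file and generate per-user config files.

# check_vuser_file FILE: alternate username/password lines, no blank lines. Returns 0 if OK.
check_vuser_file() {
  f=$1
  [ -s "$f" ] || { echo "$f: empty" >&2; return 1; }
  if grep -q '^[[:space:]]*$' "$f"; then
    echo "$f: blank line at line $(grep -n '^[[:space:]]*$' "$f" | head -n 1 | cut -d: -f1)" >&2
    return 1
  fi
  lines=$(awk 'END { print NR }' "$f")   # counts a last line even without a trailing newline
  [ $((lines % 2)) -eq 0 ] || { echo "$f: odd number of lines ($lines), a user has no password" >&2; return 1; }
  return 0
}

# vuser_names FILE: print the usernames (the odd lines).
vuser_names() { sed -n 'p;n' "$1"; }

# build_vuser_db FILE: the page's db_load step; PAM is pointed at FILE without the .db suffix.
build_vuser_db() {
  check_vuser_file "$1" || return 1
  command -v db_load >/dev/null || { echo "db_load not installed (libdb-utils)" >&2; return 1; }
  db_load -T -t hash -f "$1" "$1.db" && chmod 600 "$1" "$1.db"   # passwords are stored in clear text
}

# write_user_conf DIR USER: per-user file read via user_config_dir, with experiment 5's settings.
write_user_conf() {
  dir=$1 user=$2
  mkdir -p "$dir"
  printf '%s\n' anon_world_readable_only=YES write_enable=YES anon_upload_enable=YES \
    anon_mkdir_write_enable=YES anon_other_write_enable=YES > "$dir/$user"
}

# Demo: constructed vftpuser (same entries as the article) in a temp dir; nothing under /etc is touched.
demo() {
  d=$(mktemp -d)
  printf '%s\n' snow 123 lisa 321 > "$d/vftpuser"
  if check_vuser_file "$d/vftpuser"; then
    for u in $(vuser_names "$d/vftpuser"); do write_user_conf "$d/vftp" "$u"; done
    echo "per-user files:"; ls "$d/vftp"
  fi
  rm -rf "$d"
}
demo
```

For the real host, run `build_vuser_db /etc/vsftpd/vftpuser` and then `write_user_conf /etc/vsftpd/vftp snow` for each user; user_config_dir must name an existing directory, otherwise vsftpd refuses the login of any user whose file it cannot open.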
