2025-02-24 Update From: SLTechnology News&Howtos (shulou)
Shulou (Shulou.com) 06/01 Report
CentOS 6.4 x86_64: installing and configuring vsftpd 2.2.2
I. Environment:
CentOS 6.4 x86_64
vsftpd-2.2.2-11.el6_3.1
II. Install the software and its dependencies
1. pam and db4 are normally installed by default. Check, and install them if they are missing:
# rpm -qa pam
# rpm -qa db4        // check whether they are installed
# yum install vsftpd pam* db4* -y        // install the required packages
2. Register vsftpd as a system service
# chkconfig --level 35 vsftpd on
3. The following configuration files exist after installation:
[root@localhost vsftpd]# ll /etc/vsftpd/
-rw-------. 1 root root  125 Feb 19  2013 ftpusers
-rw-------. 1 root root  361 Feb 19  2013 user_list
-rw-r--r--. 1 root root 4691 Sep 17 16:54 vsftpd.conf
-rwxr--r--. 1 root root  338 Feb 19  2013 vsftpd_conf_migrate.sh
III. Create the host account for FTP
1. Create the system account that the virtual FTP users map to
# useradd vsftpd -s /sbin/nologin
// vsftpd is the real system user that the virtual accounts are mapped to; it never needs a shell login
IV. The vsftpd configuration file
Configure vsftpd.conf        // the file lives in /etc/vsftpd/
1. Back up the existing configuration file:
# cd /etc/vsftpd/
# cp vsftpd.conf vsftpd.conf.bak
2. Change the configuration file as follows (directive names are case-sensitive and must be written in lowercase):
[root@localhost vsftpd]# vi vsftpd.conf
anonymous_enable=NO        // anonymous users are not allowed to access.
local_enable=YES           // allow local users to log in. This is mainly for the host user of the virtual users: if it is set to NO, none of the virtual users can log in.
write_enable=YES           // allow write operations.
local_umask=022            // permission mask for uploaded files.
idle_session_timeout=600
data_connection_timeout=1200        // session and data-connection timeouts (seconds)
anon_upload_enable=NO      // anonymous users may not upload.
anon_mkdir_write_enable=NO // anonymous users may not create directories.
dirmessage_enable=YES      // enable the directory message (.message file) function.
xferlog_enable=YES         // enable transfer logging.
connect_from_port_20=YES   // use port 20 as the source port of active-mode data connections.
chown_uploads=NO           // do not change the owner of uploaded files.
xferlog_file=/var/log/vsftpd.log        // path of the vsftpd service log. The file must be created manually,
and the vsftpd user must be given read and write access to vsftpd.log; otherwise the service will fail to start.
xferlog_std_format=YES     // write the log in the standard xferlog format.
nopriv_user=vsftpd         // unprivileged user the vsftpd service runs as; here the manually created vsftpd user.
Note that once the host user is changed, the read and write permissions of every file the service touches must be checked. For example, the log file must be writable by that user.
async_abor_enable=YES      // support asynchronous ABOR.
ascii_upload_enable=YES
ascii_download_enable=YES  // allow ASCII-mode uploads and downloads.
ftpd_banner=Welcome to blah FTP service.        // login banner of vsftpd
chroot_local_user=YES      // confine logged-in users to their FTP home directory.
chroot_list_enable=YES     // consult chroot_list_file for exceptions.
chroot_list_file=/etc/vsftpd/chroot_list        // because chroot_local_user=YES is set, the users listed in this file are the ones that are NOT confined to their home directory; an empty file confines everyone.
Note: create the chroot_list file with
touch /etc/vsftpd/chroot_list, then enter one account per line and save. If no user needs to be exempted, just create an empty file, or set chroot_list_enable=NO.
ls_recurse_enable=NO       // forbid the "ls -R" command after logging in. This command can put significant load on the server; if it is allowed, several users running it at the same time can degrade the service.
listen=YES                 // run vsftpd in standalone mode. In standalone mode the service has its own daemon, and vsftpd shows up in the output of "ps -A". The alternative is superdaemon mode, where vsftpd has no daemon of its own and is started by the super daemon xinetd; several vsftpd features are unavailable in that mode.
pam_service_name=vsftpd    // name of the PAM service configuration for vsftpd, i.e. PAM will use /etc/pam.d/vsftpd.
userlist_enable=YES        // users listed in userlist_file are denied FTP access.
tcp_wrappers=YES           // support TCP Wrappers.
To use virtual users, the following directives must be added by hand; they are not present by default:
guest_enable=YES           // enable the virtual user function.
guest_username=vsftpd      // host user for the virtual users.
virtual_use_local_privs=YES // virtual users get the same privileges as local users.
user_config_dir=/etc/vsftpd/vconf        // directory holding the per-user vsftpd configuration of each virtual user.
Each virtual user's personal configuration file is stored in this directory. Note: the file name must be identical to the virtual user name.
pasv_min_port=61001
pasv_max_port=62000        // lowest and highest port opened for passive-mode data connections
anon_max_rate=1000000      // maximum transfer rate for anonymous users (bytes/s)
local_max_rate=2000000     // maximum transfer rate for local users (bytes/s)
max_clients=30             // at most 30 concurrent connections to the server
max_per_ip=1               // at most 1 concurrent connection per client IP address
V. Create the log file
[root@localhost vsftpd]# touch /var/log/vsftpd.log        // log file
[root@localhost vsftpd]# chown vsftpd:vsftpd /var/log/vsftpd.log
VI. Create the virtual user list file
The virtual user list file records the user names and passwords of the vsftpd virtual users; it is named v_user. To keep the directory layout clear, the list file is placed under /etc/vsftpd/vconf/.
[root@localhost vsftpd]# mkdir /etc/vsftpd/vconf/
[root@localhost vsftpd]# touch /etc/vsftpd/vconf/v_user
VII. Create virtual users
Edit the virtual user list file v_user created above and add the user name and password information to it.
Format: odd lines are user names, even lines are the corresponding passwords, and so on.
[root@localhost vsftpd]# vi /etc/vsftpd/vconf/v_user
test        // user name
123123      // password
VIII. Generate the virtual user database file
[root@localhost vsftpd]# db_load -T -t hash -f /etc/vsftpd/vconf/v_user /etc/vsftpd/vconf/v_user.db
Note that when you add a virtual user later, you only need to append the new user name and password to the virtual user list file in the format above ("odd lines are user names, even lines are passwords"). That alone does not take effect: the command "db_load -T -t hash -f <virtual user list file> <virtual user database file>.db" must be run again to rebuild the database.
db_load -T -t hash -f /etc/vsftpd/vconf/v_user /etc/vsftpd/vconf/v_user.db
-T lets the application load a text file into the database. Since the virtual users' information is kept in a text file, this option is required so that vsftpd's user data can be loaded from it.
-t when -T is specified, -t must follow it to specify the type of database to create. -t accepts the database types btree, hash, queue and recno. Here the hash type is required.
IX. Set permissions on the database files
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vconf/v_user.db
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vconf/v_user
X. Modify /etc/pam.d/vsftpd by adding the two pam_userdb lines shown below (highlighted in red in the original)
#%PAM-1.0
auth       sufficient   pam_userdb.so db=/etc/vsftpd/vconf/v_user
account    sufficient   pam_userdb.so db=/etc/vsftpd/vconf/v_user
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
The two lines above are added manually to authenticate the virtual user and to check the account's permissions.
auth refers to authenticating the user's name and password.
account refers to validating the permissions and restrictions on the user's account.
sufficient means a sufficient condition: once this module succeeds, the remaining modules in the stack do not have to be consulted. Conversely, if it fails the user is not rejected immediately, because the failure of a sufficient module does not decide the failure of the whole stack; the user simply goes on to the remaining checks.
pam_userdb.so means that the check is performed by calling the pam_userdb.so module.
The trailing db=/etc/vsftpd/vconf/v_user tells the module which database to validate against (pam_userdb adds the .db suffix itself, so the path is given without it).
Special note: be sure to use "sufficient". As with the older version, if you use required here, user authentication fails and the following error is logged:
[root@localhost vsftpd]# tail /var/log/secure
Sep 17 17:28:20 localhost vsftpd[1387]: pam_unix(vsftpd:auth): check pass; user unknown
Sep 17 17:28:20 localhost vsftpd[1387]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=localhost
Sep 17 17:28:20 localhost vsftpd[1387]: pam_succeed_if(vsftpd:auth): error retrieving information about user test
XI. Create the virtual user's profile
1. Full control profile
The profile's file name must match the name of the "virtual user" created above.
# touch /etc/vsftpd/vconf/test
# vim /etc/vsftpd/vconf/test
local_root=/data/ftp/        // home directory of the virtual user
anon_world_readable_only=NO
// if set to YES, anonymous (and therefore virtual) users may only download world-readable files; NO lets the virtual user read files that only its host user can read
anon_upload_enable=YES       // anonymous/virtual users can upload
anon_mkdir_write_enable=YES  // anonymous/virtual users can create directories
anon_other_write_enable=YES  // other write operations (delete, rename) for anonymous/virtual users
local_max_rate=1048576       // maximum transfer speed for this user (bytes/s)
2. Download only, no other permissions
# vim /etc/vsftpd/vconf/test
local_root=/data/ftp/        // home directory of the virtual user
write_enable=NO              // the user has no write permission
anon_world_readable_only=NO
anon_upload_enable=NO        // anonymous/virtual users cannot upload
anon_mkdir_write_enable=NO   // anonymous/virtual users cannot create directories
anon_other_write_enable=NO   // no other write operations for anonymous/virtual users
local_max_rate=1048576       // maximum transfer speed for this user (bytes/s)
XII. Create the virtual users' directory
If no personal directory is created for each virtual user, all virtual users log in to the same directory.
# mkdir /data/ftp/
# chown vsftpd:vsftpd /data/ftp/
# chmod 700 /data/ftp/        // if the permission is not set to 700, the following error occurs:
500 OOPS: cannot change directory:/data/ftp
This completes the configuration. To add new users, just repeat the steps above for regenerating the database file and creating the user's profile.
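The steps above for the user list file, db_load, file permissions, the per-user profile and the user directory are one procedure; as an added example (not part of the original post), this script performs all of them for one new user. It assumes the article's paths (/etc/vsftpd/vconf, /data/ftp) and host user vsftpd; the profile names upload and readonly are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): add one vsftpd virtual user in a
# single step. Paths and the host user follow the article above; the profile
# names "upload"/"readonly" are this script's own.
set -eu
VCONF=${VCONF:-/etc/vsftpd/vconf}      # user_config_dir from vsftpd.conf
FTPROOT=${FTPROOT:-/data/ftp}          # parent of each user's local_root
HOSTUSER=vsftpd                        # guest_username / nopriv_user

# Append "name" and "password" lines: odd lines are names, even lines passwords.
vuser_add_entry() {                    # $1=list file $2=name $3=password
    case $2 in ""|*[!A-Za-z0-9_.-]*) echo "bad user name: $2" >&2; return 1;; esac
    if [ -f "$1" ] && awk -v u="$2" 'NR%2==1 && $0==u {f=1} END {exit !f}' "$1"; then
        echo "user already exists: $2" >&2; return 1
    fi
    printf '%s\n%s\n' "$2" "$3" >> "$1"
    chmod 600 "$1"                     # the list holds plaintext passwords
}

# Print the per-user profile with the same directives as the article's two profiles.
vuser_render_conf() {                  # $1=name $2=upload|readonly
    echo "local_root=$FTPROOT/$1"
    echo "anon_world_readable_only=NO"
    echo "local_max_rate=1048576"
    if [ "$2" = upload ]; then
        printf 'write_enable=YES\nanon_upload_enable=YES\n'
        printf 'anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n'
    else
        printf 'write_enable=NO\nanon_upload_enable=NO\n'
        printf 'anon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n'
    fi
}

# Rebuild the Berkeley DB that pam_userdb reads (its db= path omits the .db suffix).
vuser_rebuild_db() {                   # $1=list file
    db_load -T -t hash -f "$1" "$1.db"
    chmod 600 "$1.db"
}

# Usage: vuser_add alice 's3cret' readonly
vuser_add() {                          # $1=name $2=password $3=upload|readonly
    vuser_add_entry "$VCONF/v_user" "$1" "$2"
    vuser_render_conf "$1" "$3" > "$VCONF/$1"
    mkdir -p "$FTPROOT/$1"             # a private local_root, not the shared /data/ftp
    chown "$HOSTUSER:$HOSTUSER" "$FTPROOT/$1"
    chmod 700 "$FTPROOT/$1"
    vuser_rebuild_db "$VCONF/v_user"
}
```

pam_userdb also accepts crypt=crypt, so the database can hold crypt(3) hashes instead of the plaintext passwords the article stores.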
XIII. All directories and files after configuration
[root@localhost vsftpd]# ll /etc/vsftpd/
-rw-r--r--. 1 root root    0 Sep 17 16:47 chroot_list
-rw-------. 1 root root  125 Feb 19  2013 ftpusers
-rw-------. 1 root root  361 Feb 19  2013 user_list
drwxr-xr-x. 2 root root 4096 Sep 17 18:22 vconf
-rw-r--r--  1 root root 4689 Sep 18 10:32 vsftpd.conf
-rwxr--r--. 1 root root  338 Feb 19  2013 vsftpd_conf_migrate.sh
[root@localhost vsftpd]# ll /etc/vsftpd/vconf
-rw-r--r--  1 root root   125 Sep 17 18:22 test
-rw-------. 1 root root    12 Sep 17 16:55 vir_user
-rw-------. 1 root root 12288 Sep 17 16:55 vir_user.db
XIV. Firewall rules
1. Turning off the firewall
# service iptables stop        // stops iptables immediately; it starts again after a reboot
# chkconfig iptables on        // start iptables on boot
# chkconfig iptables off       // do not start iptables on boot
2. SELinux status and shutdown
# getenforce        // query the SELinux status
Three modes: enforcing        // enforcing mode: SELinux is on and blocks violations
permissive        // permissive mode: violations are only logged, not blocked
disabled          // SELinux is off and does nothing
# setenforce 0 | 1        // set the mode
0: switch to permissive mode
1: switch to enforcing mode
# vim /etc/selinux/config        // set SELINUX=disabled in the file; this does not take effect immediately, only after a reboot.
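Rather than stopping iptables, a firewall can admit only what vsftpd needs: the control port and the passive-mode range that pasv_min_port/pasv_max_port declare. This added example (not from the original post) reads that range from vsftpd.conf and prints the matching rules; it assumes the stock CentOS 6 iptables service, whose INPUT chain already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example (not from the original post): admit only the FTP control port
# and the passive data range declared in vsftpd.conf instead of stopping
# iptables. Assumes the CentOS 6 iptables service with its default
# ESTABLISHED,RELATED rule in place.
set -eu

# Read a numeric directive from vsftpd.conf (names are lowercase, case-sensitive).
conf_get() {                         # $1=directive $2=config file
    sed -n "s/^$1=\([0-9][0-9]*\)[[:space:]]*$/\1/p" "$2" | tail -n 1
}

# Print the iptables commands; pipe the output into sh to apply them.
vsftpd_fw_rules() {                  # $1=config file
    pmin=$(conf_get pasv_min_port "$1")
    pmax=$(conf_get pasv_max_port "$1")
    if [ -z "$pmin" ] || [ -z "$pmax" ]; then
        echo "pasv_min_port/pasv_max_port not set in $1" >&2
        return 1
    fi
    if [ "$pmin" -gt "$pmax" ]; then
        echo "pasv_min_port $pmin is greater than pasv_max_port $pmax" >&2
        return 1
    fi
    # control connection (-I puts the rule before the stock REJECT rule)
    echo "iptables -I INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    # passive data connections: the client connects to a port in this range
    echo "iptables -I INPUT -p tcp --dport $pmin:$pmax -m state --state NEW -j ACCEPT"
    # active mode (connect_from_port_20=YES) is outbound from port 20 and needs no INPUT rule
    echo "service iptables save"
}

# Stand-alone use: print the rules for the live configuration.
CONF=${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}
if [ -f "$CONF" ]; then
    vsftpd_fw_rules "$CONF"
fi
```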