
What is the CentOS FTP server system suite?

2025-03-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this issue, the editor looks at what the CentOS FTP server system suite is like. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of reading it.

1. vsFTPd, the currently common CentOS FTP server suite

vsFTPd is one of the most respected FTP server programs in Linux distributions. It is compact, light, secure and easy to use. Making full use of its features takes some mastery, but the most important thing is being able to use it. At present, the main FTPD packages commonly used in open source operating systems are ProFTPD, PureFTPd, wuftpd and so on. As for which FTP server suite is better: whichever one you are most familiar with, that one is *

2. Notes on FTP user management

By default the FTP server manages users according to /etc/passwd and /etc/group, so we must understand how users and user groups are managed in a Linux system. The management of users and user groups is the basis of all applications. Some brothers do not want to understand the basics and want to set up all kinds of servers in one step. Facts have proved that this way of learning is the most unwise. Although you may start the FTP server in a few minutes, you may not know what went wrong when you run into a problem, so the basics are extremely important. Recommended article: "Overview of Linux user (user) and user Group (group) Management"

2.1. Understanding the anonymous ftp user and user group

When we visit the major FTP sites, we may not think about which identity we log in with if the FTP allows anonymous login. For example, we type into the browser:

ftp://mirrors.kernel.org

or

ftp://ftp:ftp@mirrors.kernel.org

Both lines are accessible, the results shown are exactly the same, and both end up at the ftp://mirrors.kernel.org address. Is there a user and password when we access the FTP? Yes, and it is required; it is just that anonymous access is allowed on the server side, and the user name and password for anonymous access are both ftp. Because the access is anonymous, we do not notice that there is a user name and password. The second address accesses ftp://mirrors.kernel.org with the user ftp and the password ftp.

If we use the ftp command to connect to mirrors.kernel.org, we will find that we have to enter the user ftp and then the password ftp before we get access. In the FTP server, the anonymous user's user name and password are ftp. This user can be found in /etc/passwd on your operating system; there may be a line similar to the following:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Note: /etc/passwd is the configuration file for system users; /etc/group is the configuration file for the system's user groups. You can learn the basics of user management from the "Linux user (user) and user Group (group) Management Overview" and related documents. In the ftp user line we see seven fields, separated from each other by the : sign.

ftp is the user name;

x is the password field, which is hidden;

14 is the user's UID field, which cannot be the same as another user's UID, otherwise it will cause system security problems;

50 is the GID of the user's group, which you can set yourself; do not share the ftp GID with other user groups, otherwise it will cause system-wide problems;

FTP User is the user description field;

/var/ftp is the home directory of the ftp user, which you can define yourself;

/sbin/nologin is the user's login SHELL, which can also be defined. /sbin/nologin means that the user cannot log in to the system; system virtual accounts (also known as pseudo users) are generally set up this way. For example, if we change /sbin/nologin to /bin/bash for the ftp user, the ftp user can log in to the system as a real user, locally or through remote tools such as ssh or telnet.

This is not safe for the system. If you do not think a user needs to log in to the system, give him only the permission to log in to his FTP account, that is, FTP permission only, and do not set his SHELL to /bin/bash or similar.

Understanding the ftp user group: when we look at /etc/group, we will find something like this:

ftp:x:50:

/etc/group is the management configuration file for user groups. The line above shows the user group ftp; x is the password field and 50 is the GID. Comparing it with the ftp line in /etc/passwd, we know that the ftp user belongs to the ftp user group, because the GID in the ftp user line and the GID of the ftp user group are the same.

2.2. Can the anonymous ftp user and the ftp user group be deleted?

In general, the lines for the ftp user and the ftp user group cannot be deleted from /etc/passwd and /etc/group, because by default the FTP server needs them to manage FTP users.

Although they cannot be deleted, some of the settings for the ftp user and the ftp user group in /etc/passwd and /etc/group can be modified; for example, we can change the home directory of the ftp user or the UID of the ftp user. The premise is that you know something about user management, and system user management is one of the foundations of all applications. Brothers who are beginners in Linux may not understand the importance of user management, but you will come to see this truth slowly.
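The seven-field layout and the two rules from section 2.1 (no shared UID, no login shell for FTP-only accounts) can be checked mechanically. The script below is an added example, not part of the original article; the function names, finding labels and sample entries are constructed, and treating every account whose primary GID is 50 as FTP-only is an assumption based on the ftp:x:14:50 line shown earlier.

```sh
#!/bin/sh
# Added example, not from the article: audit passwd-format data for the
# rules in section 2.1. Names and sample entries are constructed.

# audit_passwd FILE [FTP_GID]
# FILE is in /etc/passwd format ("-" reads stdin). FTP_GID defaults to 50,
# the ftp group GID in the article; an account whose primary group is
# FTP_GID is treated as FTP-only (assumption).
audit_passwd() {
    awk -F: -v ftp_gid="${2:-50}" '
        # Skip empty lines and comments.
        $0 == "" || /^#/ { next }
        # A valid entry has exactly seven colon-separated fields.
        NF != 7 { printf "MALFORMED line %d: %d fields\n", NR, NF; next }
        {
            name = $1; uid = $3; gid = $4; shell = $7
            # Accounts that share a UID are one identity to the system.
            if (uid in seen)
                printf "DUP_UID %s: %s and %s\n", uid, seen[uid], name
            else
                seen[uid] = name
            # FTP-only accounts must not have a login shell.
            if ((name == "ftp" || gid == ftp_gid) && shell !~ /(nologin|false)$/)
                printf "LOGIN_SHELL %s: %s\n", name, shell
        }
    ' "$1"
}

# Constructed sample: ftp was given /bin/bash, two accounts share UID 1001,
# and the last line is truncated.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
beinan:x:1001:50::/opt/beinan:/sbin/nologin
nanbei:x:1001:50::/opt/nanbei:/sbin/nologin
broken:x:1002
EOF
}

# Audit the file named on the command line, or the constructed sample.
if [ "$#" -gt 0 ]; then audit_passwd "$1"; else sample_passwd | audit_passwd -; fi
```

Run it as `sh audit.sh /etc/passwd` on the FTP host; no output means none of the three findings applies.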

3. Installation of vsFTPd

The installation disks of all major distributions contain vsFTPd packages, which can be installed with the package management tools the distribution provides. You can also find vsftpd packages on the FTP mirrors of the major distributions, or install online with the package management tools.

The vsftpd package is small, so installation won't take long; two minutes will be enough. Because this article is a beginner's tutorial, I highly recommend installing the package provided by the distribution rather than compiling the source package yourself. If you are using a Fedora or Redhat system, you can install it online with the following command:

[root@localhost ~]# yum install vsftpd

If it is a debian system, you can use apt to install it online:

[root@localhost ~]# apt-get install vsftpd

If you have an RPM system, you can also find the vsftpd-xxxx.rpm package and install it with the rpm command:

[root@localhost ~]# rpm -ivh vsftpd*.rpm

You can also download the source package and install it; for example, we downloaded vsftpd-2.0.3.tar.gz:

[root@localhost ~]# tar zxvf vsftpd-2.0.3.tar.gz

[root@localhost ~]# cd vsftpd-2.0.3

[root@localhost ~]# make; make install

[root@localhost ~]# cp vsftpd.conf /etc

Then modify /etc/vsftpd.conf, adding the following line at the * line of the configuration file:

listen=yes

For the source package installation method: if your system is managed with RPM packages, you can delete the file /etc/xinetd.d/vsftpd and then restart the xinetd server.

[root@localhost ~]# /etc/init.d/xinetd restart

Stop xinetd: [OK]

Start xinetd: [OK]

There are two modes of vsFTPd operation. Among systems with RPM package management, most derive from Fedora/Redhat, and such systems have an xinetd server; systems without RPM package management generally have no xinetd. To keep this document uniform, we do not use xinetd mode; we use the initd operation mode to start and manage the server, that is, the independent (standalone) operation mode. As for what the xinetd and initd modes are, you can refer to "Setting up a Linux network installation server with vsFTPd".

4. vsFTPd server startup and shutdown

Starting and shutting down the vsFTPd server is extremely easy. We can put the server directly into the background; this is how almost all servers are managed.

4.1. General method for starting and shutting down the vsFTPd server

To run the vsftpd command you need root permission. If your current user is not root, you can switch to root permission; there are two ways to do so, one is su, the other is sudo. Please refer to "Super Permission Control in the Linux System".

Running the vsFTPd server:

[root@localhost ~]# /usr/sbin/vsftpd &

[root@localhost ~]# /usr/local/sbin/vsftpd &

Is the vsFTPd server running? We can check with pgrep vsftpd:

[root@localhost ~]# pgrep vsftpd
4248

This shows that the vsFTPd server is running, and you can test the connection with the ftp command, the lftp tool, gftp or other FTP clients.

Shutting down the vsFTPd server: we use pkill vsftpd to kill the vsftpd process, which closes vsFTPd, and then use pgrep vsftpd to look for the process. If there is no process, vsFTPd has been shut down. Of course, root permission is needed here as well.

[root@localhost ~]# pkill vsftpd

[root@localhost ~]# pgrep vsftpd

4.2. Startup and shutdown of the vsFTPd server in Fedora/Redhat/CentOS

In Fedora/Redhat/CentOS, you can also use the following methods to start vsFTPd, again with root permission:

[root@localhost beinan]# /etc/init.d/vsftpd start
Start vsftpd for vsftpd: [OK]

Restart vsFTPd with the following command:

[root@localhost beinan]# /etc/init.d/vsftpd restart

Close vsftpd: [OK]

Start vsftpd for vsftpd: [OK]

To turn off the vsFTPd server, use the following command:

[root@localhost beinan]# /etc/init.d/vsftpd stop
Close vsftpd: [OK]

5. The relationship between the vsFTPd server and the firewall and SELINUX (important)

I saw some brothers on the forum saying that the vsFTPd server started normally, but users could not access it or could not upload files. I think it should be the firewall or SELINUX; maybe the FTPD server was blocked by the firewall or by the SELINUX security mechanism. So you have to let ftp through the firewall, and of course you have to let the ftp server through SELINUX.

In Fedora/Redhat/CentOS, to configure the firewall you can turn the firewall off, or let ftp "pass" the firewall in the customization screen:

[root@localhost ~]# system-config-securitylevel-tui

Or run the following command to clear the firewall rules (generic):

[root@localhost beinan]# iptables -F

Notes on SELINUX: maybe both veterans and novices have some trouble with SELINUX. It is recommended that you SELINUX. Or let the vsFTPd server skip SELINUX at startup; that is, use the method in 4.1, the general method for starting and shutting down the vsFTPd server, which also works for starting the vsFTPd server in Fedora/Redhat/CentOS. Of course, you can also turn off SELINUX, as shown in the /etc/selinux/config configuration file:

/etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
# The next line turns SELINUX off; please restart the system afterwards.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

6. 500 OOPS: vsftpd: refusing to run with writable anonymous root

If we have started the vsFTPd server but a login test shows a prompt similar to the following:

500 OOPS: vsftpd: refusing to run with writable anonymous root

this means that the permissions of the ftp user's home directory are incorrect and should be corrected.

[root@localhost ~]# more /etc/passwd | grep ftp

ftp:x:1000:1000:FTP User:/var/ftp:/sbin/nologin

We find that the ftp user's home directory is /var/ftp. The error appears because the permissions of /var/ftp are incorrect: the permissions of this directory cannot be fully open. It happens because you have run chmod 777 /var/ftp. If the ftp user has no home directory, of course you have to create one. The ftp user's home directory below must not be completely open to the user, the user group and others.

[root@localhost ~]# ls -ld /var/ftp

drwxrwxrwx 3 root root 4096 2005-03-23 /var/ftp

To correct this mistake, use the following commands.

[root@localhost ~]# chown root:root /var/ftp

[root@localhost ~]# chmod 755 /var/ftp

Some brothers may ask: what about reading, downloading and uploading for anonymous users? This is also simple: create another directory under /var/ftp, give it permission 777, and then change vsftpd.conf accordingly; nothing difficult.

For security reasons, vsFTPd does not allow the permissions of the ftp user's home directory to be completely unrestricted. You can read the vsFTPd documentation to understand why; otherwise, it could not be called the most secure FTP server, right?
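The condition behind the 500 OOPS message can be checked before starting the server. The script below is an added example, not part of the original article or of vsFTPd; the function name and finding labels are constructed, the default ftp UID of 14 is taken from the passwd line in section 2.1, and reporting any group or other write bit is a conservative approximation of the 755 root:root rule given above.

```sh
#!/bin/sh
# Added example, not from the article: permission check for the anonymous
# FTP root described in section 6. Finding labels are constructed.

# check_anon_root DIR [FTP_UID]
# FTP_UID is the numeric UID of the ftp user (14 in the article passwd line).
# Approximation: any group or other write bit is reported, whether or not
# the ftp user is a member of the owning group.
check_anon_root() {
    dir=$1
    ftp_uid=${2:-14}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 0
    fi
    # ls -ldn prints: mode links uid gid size date name
    mode=$(ls -ldn "$dir" | awk '{ print substr($1, 1, 10) }')
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    # Character 6 of the mode string is group write, character 9 other write.
    case "$mode" in ?????w????) echo "ROOT_GROUP_WRITABLE $dir" ;; esac
    case "$mode" in ????????w?) echo "ROOT_WORLD_WRITABLE $dir" ;; esac
    # A root owned by the ftp user with the owner write bit is also writable.
    if [ "$owner" = "$ftp_uid" ]; then
        case "$mode" in ??w???????) echo "ROOT_OWNED_BY_FTP $dir" ;; esac
    fi
    # World-writable subdirectories are where anonymous uploads can land.
    find "$dir" -type d -perm -0002 ! -path "$dir" | sort | sed 's/^/UPLOAD_DIR /'
}

# Check the directory named on the command line, e.g. /var/ftp.
if [ "$#" -gt 0 ]; then check_anon_root "$@"; fi
```

A ROOT_* line means the login test will fail with the message above; UPLOAD_DIR lines list the directories that anonymous clients can fill once uploads are enabled.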

7. Description of the vsFTPd configuration file

vsftpd.conf is the configuration file of the vsFTPd server. This file is usually /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf, depending on the system. The vsftpd.conf configuration file is the global control file of the vsFTPd server. In this configuration file, each line counts as one rule; lines with the # sign in front are not interpreted by the server, which is similar to the apache configuration file. The content after # is generally explanatory, or an option that turns off some feature.

The vsftpd.conf configuration file does not cover every function you may want to achieve; some functions we have to work out ourselves. We should learn to check the vsFTPd documents, FAQ and so on; although they are in English, they are relatively simple. We should get used to reading foreign language documents. Why? Because Linux originally came from abroad, and the heavyweight software is all made by foreigners. Oh, brother, don't complain, who made us fall behind?

Note: after modifying the configuration file, the vsFTPd server must be restarted for the change to take effect. Remember ~ ~

8. The realization of some common functions of vsFTPd server

8.1. Implementing anonymous upload and download

Anonymous upload is actually relatively simple. First of all, we need to modify vsftpd.conf, which is located under the /etc/ directory; it may be /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf, depending on your system environment.

First: we change vsftpd.conf to make sure it contains the following lines

anonymous_enable=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_umask=022

Second: create a folder under the ftp user's home directory and change its permissions to fully open

Where is the home directory of the ftp user? As we said earlier, check it in /etc/passwd; you can also check it with finger ftp.

[root@localhost beinan]# finger ftp

Login: ftp Name: FTP User

Directory: /var/ftp Shell: /sbin/nologin

This means that the ftp user's home directory is /var/ftp. We need to create a directory under this directory and then set its permissions so that any user can read, write and execute. In general, distributions ship a /var/ftp/pub directory. If not, you can create one yourself. After changing the configuration file, you can upload and download anonymously as long as you open the permissions of some directory under /var/ftp.

For example, if you want anonymous users to be able to both upload and download in /var/ftp/pub, open the permissions of /var/ftp/pub. If you do not have this directory, you need to create it yourself.

[root@localhost ~]# mkdir /var/ftp/pub

[root@localhost ~]# chmod 777 /var/ftp/pub

Now uploading to the pub directory is OK, is that right?

8.2. Example of adding a local user and opening read and write permissions

FTP users are generally not allowed to log in to the system, which is also for security. In the system, a user who has no right to log in to the system is generally called a virtual user, and a virtual user is also written into /etc/passwd. This is only one way of making a virtual user, and it is not a true virtual user: it just takes away the right to log in to a SHELL, so the user cannot log in to the system.

If we want the user beinan to have the home directory /opt/beinan and not be able to log in to the system, we should do the following

[root@localhost ~]# adduser -d /opt/beinan -g ftp -s /sbin/nologin beinan

[root@localhost ~]# passwd beinan

Changing password for user beinan.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@localhost ~]#

In fact, this is not enough. We also need to change the configuration file vsftpd.conf to ensure that the local virtual user has read and write access.

local_enable=YES

write_enable=YES

local_umask=022

8.4. How to implement a virtual path? For example:

/home/a maps to ftp://localhost/a

/home/b/c maps to ftp://localhost/c

Strictly speaking, this is not part of vsFTPd. We have in fact met it before, perhaps without paying attention; we can achieve it with the following method.

[root@localhost ~]# mount --bind [original directory] [new directory]

For example, the default directory of my ftp is /var/ftp, and I want to map the /mnt/LinG/WinSoft folder into the /var/ftp directory. I do the following. We first create a directory in the /var/ftp directory:

[root@localhost ~]# mkdir /var/ftp/WinSoft

and then execute the mount command:

[root@localhost ~]# mount --bind /mnt/LinG/WinSoft /var/ftp/WinSoft

So that's OK.

8.5. Turning on the logging function of the vsFTP server

Remove the # in front of the xferlog_file line below to turn on the logging function of vsftp, so that we can view vsftpd.log in the /var/log directory. This is the logging function of vsFTP, which is extremely important to us.

xferlog_file=/var/log/vsftpd.log

8.6. How to customize the welcome message

How do we customize the welcome message, that is, the text shown after we log in to some FTP sites, something like: welcome to LinuxSir FTP, where you will get the most sincere help, if you have any questions and suggestions, please write to us, thank you.

This is not difficult to implement. We can check the vsftpd.conf file to see whether it contains these lines.

dirmessage_enable=YES

message_file=.message

If not, add them. If there is a # in front of dirmessage_enable=YES, remove the #. In fact, the default message file is .message, so it works without adding message_file=; you can also specify another name yourself, it doesn't matter. Then we create a .message file and write what we want into it; for example, the content of .message is as follows:

Welcome to LinuxSir FTP!

Here, you will get the most sincere help.

If you have any questions or suggestions, please write to us. Thank you.

We can use an editor to write this .message; I think this process needs no explanation.

Then we copy the .message file to each user's home directory. For example, one user of my FTP is beinan, and the home directory of this user is /opt/beinan

We put .message in the /opt/beinan directory. For the system user ftp, the directory is /var/ftp, which is the default, and when anonymous users log in, they access the /var/ftp directory. If we want anonymous users to see the welcome message, we put .message in the /var/ftp directory. For other users the operation is the same.

8.7. The hard disk space is limited; how do I change the default home directory of the ftp account to somewhere else?

My hard disk space is limited; how can I change the default path /var/ftp of the ftp account to somewhere else? Or, all my linux directories are in the root (/) partition and space is tight; can I move the default path of the ftp user to another partition? To manage the ftp user, we look at /etc/passwd and modify the ftp user line

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

For example, if we want to change the ftp user's home directory to /opt/ftp, we change the line above to

ftp:x:14:50:FTP User:/opt/ftp:/sbin/nologin

and then we need to create the new home directory for the ftp user.

[root@localhost ~]# mkdir /opt/ftp

[root@localhost ~]# chmod 755 /opt/ftp

[root@localhost ~]# chown root:root /opt/ftp

If the default ftp disk space is tight, we can also solve it with the virtual path mapping method, that is, the mount --bind method; depending on the situation, whichever is suitable is the * method.

8.8. How do I get the vsFTP server to limit the number of connections and the number of connections per IP***?

Change the configuration file vsftpd.conf of the vsFTPd server and add the following two lines:

max_clients=number

max_per_ip=number

For example: I want my vsFTP*** to support a maximum of 5 connections per IP, so I should add the following two lines to my vsftpd.conf:

max_clients=100

max_per_ip=5

After changing the configuration file, don't forget to restart the vsftp server.

8.9. How to limit the transmission speed?

anon_max_rate=number

Note: this is the speed for anonymous users.

local_max_rate=number

Note: this is the speed for local users on the vsFTP server.

Note: the unit of this number is bytes, so we have to calculate it. For example, I want anonymous users and local users on vsFTP to download at 80KB, so this number should be 1024 x 80 = 81920.

So we need to add the following two lines to vsftpd.conf

anon_max_rate=81920

local_max_rate=81920

8.10. How to selectively restrict users to their home directory?

We need to create a file ourselves in the /etc directory or the /etc/vsftpd directory (if your vsftpd configuration files are all in that directory):

[root@localhost ~]# touch /etc/vsftpd.chroot_list

To limit the two users beinan and nanbei to their home directories, while other FTP users are not limited, just add beinan and nanbei to the vsftpd.chroot_list file; note that each user goes on a line of its own.

beinan

nanbei

Then edit the /etc/vsftpd/vsftpd.conf file and find the following two lines

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd.chroot_list

If these two lines are not there, add them yourself; the effect is the same.

Once this is set up, restart the vsFTPd server.

Supplement 1: how to limit all FTP users in the system to their home directories? After being prompted by brother juliaugong, I looked up the foreign language description of vsFTPd and proved that this option is a one-size-fits-all solution: all users can be limited to the home directory. We change the vsftpd.conf file by adding the following line:

chroot_local_user=YES

After changing the configuration file, don't forget to restart the vsFTPd server.

8.11. How to bind an IP to vsFTPd?

How do I bind an IP to vsFTPd? In other words, how do I make users access the FTP only through a certain IP? Actually, this function is very interesting. If the intranet IP is bound, there is no way to access it from outside. If the IP of the external service is bound, the intranet can only access the FTP through the IP of the external service. Add a line to vsftpd.conf. Take my local area network as an example (please see the operating environment in the * post); with this line the external network cannot access my FTP, and the intranet can access the FTP through 192.168.0.2:

listen_address=192.168.0.2
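The options set in sections 8.1 to 8.11 interact, so it helps to read the effective values back from the finished file. The script below is an added example, not code from the article or the vsFTPd project; the function names, finding labels and sample file are constructed, the defaults used for absent options are the ones documented in vsftpd.conf(5), and it assumes that the last uncommented assignment of an option is the one in effect.

```sh
#!/bin/sh
# Added example, not from the article: report how a vsftpd.conf sets the
# options from section 8. Labels and the sample file are constructed.

# conf_get FILE OPTION DEFAULT
# Prints the effective value: the last uncommented "option=value" line
# (assumed to win), or DEFAULT when the option never appears.
conf_get() {
    awk -v key="$2" -v def="$3" '
        /^#/ { next }
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            sub(/[ \t\r]+$/, "", val)
            found = 1
        }
        END { print (found ? val : def) }
    ' "$1"
}

# is_on FILE OPTION DEFAULT: exit status 0 when the option is switched on.
is_on() {
    case "$(conf_get "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vsftpd_conf FILE: one finding per line on stdout.
audit_vsftpd_conf() {
    f=$1
    # Anonymous write options only take effect when write_enable is on too.
    if is_on "$f" anonymous_enable YES && is_on "$f" write_enable NO; then
        if is_on "$f" anon_upload_enable NO; then
            echo "ANON_UPLOAD anonymous clients can upload files"
        fi
        if is_on "$f" anon_mkdir_write_enable NO; then
            echo "ANON_MKDIR anonymous clients can create directories"
        fi
    fi
    # Local users see the whole filesystem unless a chroot option is set.
    if is_on "$f" local_enable NO && ! is_on "$f" chroot_local_user NO \
        && ! is_on "$f" chroot_list_enable NO; then
        echo "NO_CHROOT local users are not confined to their home directory"
    fi
    # 0 means unlimited for both connection limits.
    if [ "$(conf_get "$f" max_clients 0)" = "0" ]; then
        echo "NO_MAX_CLIENTS total connections are unlimited"
    fi
    if [ "$(conf_get "$f" max_per_ip 0)" = "0" ]; then
        echo "NO_MAX_PER_IP connections per IP are unlimited"
    fi
    return 0
}

# Constructed sample that combines settings shown in sections 8.1 to 8.11.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a recommended configuration
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
#chroot_local_user=YES
max_per_ip=5
listen_address=192.168.0.2
EOF
}

# Audit the file named on the command line, e.g. /etc/vsftpd/vsftpd.conf.
if [ "$#" -gt 0 ]; then audit_vsftpd_conf "$1"; fi
```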

That is what the CentOS FTP server system suite shared by the editor is like. If you happen to have similar questions, you can refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
