
Change the vsftpd default /var/ftp/pub directory

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Configure an FTP yum source and change the root directory that anonymous users access at login

The mirror used below is a local file mirror.

I. Install FTP and configure the yum source

1. Install FTP software

# yum install -y vsftpd*    # Install the FTP software

# service vsftpd start    # Start the FTP service

# chkconfig --add vsftpd

# chkconfig vsftpd on

2. Mount the CentOS 6.5 DVD on the server, then copy all the files on the DVD to the FTP directory on the local machine

# mount /dev/cdrom /mnt

# mkdir -p /opt/ftp/centos6.5

# cp -r /mnt/* /opt/ftp/centos6.5

3. Edit the yum configuration file

# vi /etc/yum.repos.d/yum.repo

[Packages]
name=Packages
# The FTP access directory is /opt/ftp, so append the centos6.5 subdirectory
baseurl=ftp://<your yum server IP address>/centos6.5
enabled=1
gpgcheck=0

II. Change the root directory that anonymous users access at login

To change the default access directory to another directory such as /opt/ftp, I created it directly under /opt with mkdir -p /opt/ftp/centos6.5; the default permissions are 755. Note that after every configuration change you must run service vsftpd restart.

The test procedure is as follows:

vi /etc/vsftpd/vsftpd.conf

Add the following directly to the configuration file:

anon_root=/opt/ftp

anon_upload_enable=NO

Restart the service.

Access ftp://ip; it now serves the directory /opt/ftp, which proves that the default directory has been changed.
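A way to check the result on the server side instead of through a client, as an added example that is not part of the original article: it audits the anonymous settings edited above (anon_root, anon_upload_enable) and the permissions of the tree. The function names and the temporary sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: audit the anonymous-access
# settings the article puts in vsftpd.conf (anon_root, anon_upload_enable).

# conf_get FILE KEY: print the value of the last uncommented KEY=value line.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# anon_audit CONF: print one line per finding; return 1 if there is any.
anon_audit() {
    rc=0
    root=$(conf_get "$1" anon_root)
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "anon_root '${root:-<unset>}' is not an existing directory"; rc=1
    else
        # With a root-owned tree (as created by the article's mkdir), the
        # "other" permission bits decide what an anonymous session can do.
        [ -n "$(find "$root" -prune -perm -0005)" ] ||
            { echo "$root is not readable and searchable by others"; rc=1; }
        n=$(find "$root" ! -type l -perm -0002 | wc -l | tr -d ' ')
        [ "$n" -eq 0 ] ||
            { echo "$n world-writable path(s) under $root"; rc=1; }
    fi
    # Each of these options, when YES, enables an anonymous write operation.
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        [ "$(conf_get "$1" "$key")" != "YES" ] ||
            { echo "$key is set to YES"; rc=1; }
    done
    return $rc
}

# Constructed sample: a 755 tree as in the article, then a weakened variant.
d=$(mktemp -d); mkdir -p "$d/ftp/centos6.5"; chmod -R 755 "$d/ftp"
printf '%s\n' "anon_root=$d/ftp" 'anon_upload_enable=NO' > "$d/good.conf"
printf '%s\n' "anon_root=$d/ftp" 'anon_upload_enable=YES' > "$d/bad.conf"
if anon_audit "$d/good.conf"; then echo "good.conf: no findings"; fi
chmod 777 "$d/ftp/centos6.5"
if ! anon_audit "$d/bad.conf"; then echo "bad.conf: findings listed above"; fi
```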

Go to the Packages directory and install the createrepo package

# rpm -ivh python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm

# rpm -ivh createrepo-0.9.9-18.el6.noarch.rpm

createrepo -v creates some files in the directory /opt/ftp/centos6.5/repodata:

createrepo -v /opt/ftp/centos6.5/

III. VSFTP working mode

FTP has two channels:

Control channel: handles user login and similar commands; the usual port is TCP 21, and the client actively establishes the connection to the server.

Data channel: used whenever data is transferred, for example when browsing directories, uploading or downloading. Its port depends on the mode. When FTP works in active mode (the default), the server opens port 20 and actively connects from port 20 to a dynamic port on the client. When FTP works in passive mode, the client connects from its own dynamic port to a dynamic port on the FTP server (the server opens a dynamic port and waits for the client to connect).

1. vsftpd is known for very good security, but opening the firewall for it is annoying: the control port is 21, while the data port in passive mode is dynamic. If the firewall only opens port 21, the client cannot establish a data channel to browse, download, and so on. In that case you can configure it as follows:

vim /etc/vsftpd/vsftpd.conf

# Sets the data port to 20; comment this line out!
#connect_from_port_20=YES
# Enable passive mode
pasv_enable=YES
# Set the passive mode minimum port
pasv_min_port=9000
# Set the passive mode maximum port
pasv_max_port=9010

Then set the firewall rules:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000:9010 -j ACCEPT    # Open ports 9000:9010, matching pasv_min_port/pasv_max_port
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"    # Have the kernel load the FTP modules
modprobe -a ip_nat_ftp ip_conntrack_ftp    # or load the modules by hand

Then restart the vsftpd service!

Benefit: the FTP client does not need to care about firewall settings, as long as the server side opens port 21 and the data ports.
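The passive-mode setup above only works when the firewall range equals the configured range and the rule is reached before any catch-all REJECT. The following check is an added example, not part of the original article; the function names and sample files are assumptions, and it looks only at explicit port rules, not at the conntrack helper.

```shell
#!/bin/sh
# Added example, not from the original article. Checks that the pasv_min_port /
# pasv_max_port range in vsftpd.conf is covered by an explicit tcp ACCEPT rule
# that comes before the catch-all REJECT/DROP in an iptables-save style file.
# Limitation: source (-s) and interface (-i) restrictions are not evaluated.

# conf_get FILE KEY: print the value of the last uncommented KEY=value line.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# pasv_range_open CONF RULES: 0 = covered, 1 = not covered, 2 = range not set.
pasv_range_open() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] || return 2
    awk -v min="$min" -v max="$max" '
        $1 != "-A" || $2 != "INPUT" { next }    # inbound chain only
        # Rules after an unconditional REJECT/DROP are never reached.
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        {
            target = ""; dport = ""; proto = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
            }
            if (target != "ACCEPT" || proto != "tcp" || dport == "") next
            n = split(dport, r, ":")
            lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            if (lo <= min + 0 && hi >= max + 0) { ok = 1; exit }
        }
        END { exit(ok ? 0 : 1) }
    ' "$2"
}

# Constructed sample input: passive range 9000-9010 and two trimmed rule sets.
tmp=$(mktemp -d)
printf '%s\n' '#connect_from_port_20=YES' 'pasv_enable=YES' \
    'pasv_min_port=9000' 'pasv_max_port=9010' > "$tmp/vsftpd.conf"
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 8000:8010 -j ACCEPT' \
    '-A INPUT -j REJECT --reject-with icmp-host-prohibited' > "$tmp/mismatch.rules"
sed 's/8000:8010/9000:9010/' "$tmp/mismatch.rules" > "$tmp/match.rules"
for f in mismatch match; do
    if pasv_range_open "$tmp/vsftpd.conf" "$tmp/$f.rules"
    then echo "$f.rules: passive range open"
    else echo "$f.rules: passive range NOT open"; fi
done
```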

2. When the FTP server works in active mode, the Linux firewall should open port 21 and load the ip_nat_ftp and ip_conntrack_ftp modules.

For example: vim /etc/sysconfig/iptables-config and add the following line at the end (a single assignment listing both modules, since a second IPTABLES_MODULES= line would replace the first):

IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"

Then set the firewall policy again, as follows:

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Another point to note: the client defaults to passive mode, so be sure to switch it to active mode; otherwise, after logging in, the client will report insufficient permissions because of the data port!

Note: the firewall on the FTP client side must allow data port 20!

cat /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Tue May 16 10:56:54 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [43:3768]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 168.1.5.132/32 -p tcp -m tcp --dport 7001 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [1972:167817]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [446:29864]
-A PREROUTING -p tcp -m tcp --dport 7001 -j DNAT --to-destination 168.1.5.132:7001
-A PREROUTING -d 218.90.136.90/32 -p tcp -m tcp --dport 7001 -j DNAT --to-destination 168.1.2.138:7001
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue May 16 10:56:54 2017
