Shulou (Shulou.com), 06/01 report. Updated 2025-03-01.
1. Introduction to vsftp
FTP is the abbreviation of File Transfer Protocol.
An FTP session uses two connections: a command connection and a data connection. The mode names below are from the server's point of view.
FTP data connections support two modes: active mode (PORT mode) and passive mode (PASV mode).
Active mode: the server actively connects to the client from port 20 (TCP/20). The client listens on the port one above the port it used to establish the command connection with the server.
Passive mode: the client connects from the port one above the port it used for the command connection to a random port on the server. The server sends that port number to the client over the command connection.
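How the data-connection address and port travel over the command connection in each mode, as an added example that is not part of the original article. The function names and the sample lines are constructed for illustration; the six-field h1,h2,h3,h4,p1,p2 encoding is the one defined in RFC 959.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed control-connection lines (not captured traffic).
SAMPLE_LINES = [
    ("PORT 192,168,130,20,156,65", "192.168.130.20"),
    ("227 Entering Passive Mode (192,168,130,61,195,80)", "192.168.130.61"),
    ("PORT 10,0,0,5,0,22", "192.168.130.20"),
]


def decode_hostport(text):
    """Return (ip, port) decoded from the six-field host-port string."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    fields = [int(g) for g in m.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in %r" % text)
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def data_endpoint(line, peer_ip):
    """Decode where the data connection will go.

    peer_ip is the other end of the command connection. Returns
    (mode, ip, port, matches_peer); matches_peer is False when the
    advertised address is not the command-connection peer.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # client listens, server connects from port 20
    elif line.startswith("227 "):
        mode = "passive"   # server listens, client connects
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    ip, port = decode_hostport(line[4:])
    return mode, ip, port, ip == peer_ip


if __name__ == "__main__":
    for text, peer in SAMPLE_LINES:
        print(data_endpoint(text, peer))
```

The third sample line advertises an address other than the command-connection peer, so `matches_peer` comes back False; a server or firewall should refuse such a request.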
vsftpd has three types of users: anonymous users, system users and virtual users.
Common options in the main configuration file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO (whether anonymous login is allowed)
local_enable=YES (whether local users may log in; must be YES when virtual accounts are used)
write_enable=NO (whether FTP commands that change the file system are allowed, including uploading files, deleting files, creating directories and deleting directories)
anon_upload_enable=NO (whether anonymous users may upload files; write_enable=YES is required. Default is YES)
anon_mkdir_write_enable=NO (whether virtual users may create directories)
xferlog_enable=YES (when enabled, the server keeps a log file that records uploads and downloads)
xferlog_file=/var/log/xferlog (location of the log file)
ftpd_banner=Welcome to blah FTP service. (the welcome banner shown to users at login)
chroot_local_user=YES (when set to NO, users can access files outside their own directory after logging in to the FTP server; when set to YES, users are locked into their own home directory)
pam_service_name=vsftpd.mysql (name of the PAM service configuration file used for authentication)
guest_enable=YES (when enabled, every non-anonymous login is treated as a guest login and mapped to the user named in guest_username; this option must be set for virtual users)
guest_username=vuser (the name that guests are mapped to; here it is "vuser", that is, the local user that virtual users are mapped to after logging in to FTP)
user_config_dir=/etc/vsftpd/user_config (directory of per-user configuration files; create a file named after each virtual user in this directory and define that user's permissions in it)
virtual_use_local_privs=YES (virtual users get the same permissions as local users; important for ensuring that virtual users have the same permissions as the mapped local user)
Note: when write access is enabled, FTP users also need the corresponding write permissions on the local file system. The effective permissions are the intersection of the file system permissions and the service permissions.
Connection and rate limits
max_clients: maximum number of concurrent connections
max_per_ip: maximum number of concurrent connections from each IP address
anon_max_rate: transfer rate of anonymous users, in bytes per second
local_max_rate: transfer rate of local users, in bytes per second
2. vsftpd authenticates virtual users through pam_mysql; each user has its own directory and different access rights (test1 may only upload, download and create, and is not allowed to delete, while test2 may upload, download, create and delete)
2.1 Install MySQL and pam_mysql
rpm -ivh https://mirrors.aliyun.com/epel/6Server/x86_64/epel-release-6-8.noarch.rpm
yum -y install vsftpd mysql-server mysql-devel pam_mysql
service mysqld start
chkconfig mysqld on
2.2 Create the virtual accounts
mysql
mysql> create database vsftpd;
mysql> grant all on vsftpd.* to vsftpd@'localhost' identified by 'vsftpd';
mysql> grant all on vsftpd.* to vsftpd@'192.168.%.%' identified by 'vsftpd';
mysql> grant all on vsftpd.* to vsftpd@127.0.0.1 identified by 'vsftpd';
mysql> flush privileges;
mysql> \q
mysql -uvsftpd -p
mysql> use vsftpd;
mysql> CREATE TABLE users (id INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY, name VARCHAR(50) NOT NULL, password CHAR(48) NOT NULL);
mysql> desc users;
mysql> insert into users (name,password) values ('test1',password('test1'));
mysql> insert into users (name,password) values ('test2',password('test2'));
mysql> select * from users;
mysql> \q
2.3 Create the PAM authentication file
vim /etc/pam.d/vsftpd.mysql
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=192.168.130.61 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=192.168.130.61 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
2.4 Create the system user that virtual users are mapped to, with its directory and subdirectories
useradd -s /sbin/nologin -d /var/ftproot vuser
mkdir /var/ftproot/test{1,2}
chown vuser:vuser /var/ftproot/test*
chmod -R go+rx /var/ftproot
2.5 Modify the vsftpd configuration as follows
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_umask=022
xferlog_enable=YES
xferlog_file=/var/log/xferlog
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
# virtual_use_local_privs=YES
2.6 Create the per-account permission files
mkdir /etc/vsftpd/vusers_config
vim /etc/vsftpd/vusers_config/test1
local_root=/var/ftproot/test1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=NO
vim /etc/vsftpd/vusers_config/test2
local_root=/var/ftproot/test2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
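How the main configuration from 2.5 and the per-user files from 2.6 combine into each virtual user's write permissions, as an added example that is not part of the original article and not vsftpd's own code. The function names are hypothetical, the file contents are constructed excerpts of the files above, and only write_enable, virtual_use_local_privs and the three anon_* write options are modelled.

```python
# vsftpd built-in defaults for the options evaluated here.
DEFAULTS = {"write_enable": "NO", "virtual_use_local_privs": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO"}

# Constructed excerpts of the files from sections 2.5 and 2.6.
MAIN_CONF = """\
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
guest_enable=YES
# virtual_use_local_privs=YES
"""
USER_CONF = {
    "test1": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
             "anon_other_write_enable=NO\n",
    "test2": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
             "anon_other_write_enable=YES\n",
}


def parse_conf(text):
    """Parse option=value lines; lines starting with '#' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def effective_rights(main_text, user_text):
    """Return upload/mkdir/delete booleans for one virtual (guest) user."""
    opts = dict(DEFAULTS)
    opts.update(parse_conf(main_text))
    opts.update(parse_conf(user_text))  # per-user file overrides vsftpd.conf
    on = lambda name: opts[name].upper() == "YES"
    write = on("write_enable")
    if on("virtual_use_local_privs"):
        # Local-user privileges: the anon_* switches no longer apply.
        return {"upload": write, "mkdir": write, "delete": write}
    return {"upload": write and on("anon_upload_enable"),
            "mkdir": write and on("anon_mkdir_write_enable"),
            "delete": write and on("anon_other_write_enable")}


if __name__ == "__main__":
    for user, text in USER_CONF.items():
        print(user, effective_rights(MAIN_CONF, text))
```

With virtual_use_local_privs left commented out, test1 cannot delete and test2 can. Enabling it in the main file gives test1 delete rights as well, because the anon_other_write_enable=NO line in its per-user file stops being consulted.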
2.7 Start vsftpd and enable it at boot
service vsftpd start
chkconfig vsftpd on
2.8 Log in to FTP to verify the permissions
lftp -u test1,test1 192.168.130.61
lftp -u test2,test2 192.168.130.61