Using the vsftpd service to transfer files (anonymous, local user and virtual user authentication)

vsftpd (Very Secure FTP Daemon) is an FTP server for Linux. It is fully open source and free, is designed with security as its first goal, performs well, and supports virtual user authentication, a feature that not every FTP server offers.

As a security-oriented file transfer service, vsftpd lets users log in to the FTP server in three authentication modes.

  • Anonymous open mode: the least secure of the three. Anyone can log in to the FTP server without password verification.
  • Local user mode: authenticates against the Linux system's local account passwords, which is safer than anonymous access. But these are real system accounts, and plain FTP sends the user name and password in cleartext; if an attacker captures or cracks the credentials, they can log in over FTP and potentially take full control of the server.
  • Virtual user mode: the safest of the three. A separate user database file is created for the FTP service, and the accounts used for password verification exist only in that database, not in the system's account files; they are used solely by the FTP service program for authentication.

Experimental environment: after configuring the yum repository on the FTP server, install the vsftpd service program (yum install vsftpd -y).

Anonymous open mode

vsftpd's default configuration already enables anonymous mode (anonymous_enable=YES). The lab configuration below additionally gives anonymous users upload and download permission, plus permission to create, delete and rename files. This configuration is not recommended for real environments. The anonymous FTP user corresponds to the system user ftp.

anonymous_enable=YES           # allow anonymous access
anon_upload_enable=YES         # allow anonymous users to upload files
anon_mkdir_write_enable=YES    # allow anonymous users to create directories
anon_other_write_enable=YES    # allow anonymous users to delete or rename files and directories
anon_umask=022                 # umask applied to data uploaded by anonymous users

The lab also stops the firewall and uses setenforce to put SELinux into permissive mode. Do not do this on a real server: open only TCP port 21 and the passive data-port range (pasv_min_port/pasv_max_port) in the firewall, and keep SELinux enforcing with the relevant booleans (for example ftp_home_dir for local users' home directories).

service iptables stop          # lab only: stop the firewall
setenforce                     # lab only: switch SELinux to permissive mode

Run the ftp command on the client to connect to the FTP server; the session lands in the FTP root directory, /var/ftp, by default. For security reasons the FTP root directory must not be writable by the anonymous (ftp) user or by other users; if it is, vsftpd refuses the session with a 500 OOPS error.

By default a subdirectory pub is created under /var/ftp; it is the directory used for uploads during anonymous access. Make sure the ftp user has write permission on it (in the listing below it is owned by uid 14, the ftp user).

[root@RedHat6
drwxr-xr-x. 

Client test:

yum install ftp -y                                  # install the ftp client on the client host
[root@RedHat6-1 ~]# ftp 192.168.10.50
Connected to 192.168.10.50 (192.168.10.50).
220 (vsFTPd 2.2.2)
Name (192.168.10.50:root): anonymous                # anonymous login
331 Please specify the password.
Password:                                           # any value is accepted for the anonymous user
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls                                             # list the FTP root directory (/var/ftp on the server)
227 Entering Passive Mode (...).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               7 Mar 26 02:42 ftp.txt
drwxr-xr-x    2 14       0            4096 Feb 12  2013 pub
226 Directory send OK.
ftp> get ftp.txt                                    # downloading from the root directory works
local: ftp.txt remote: ftp.txt
227 Entering Passive Mode (...).
150 Opening BINARY mode data connection for ftp.txt (7 bytes).
226 Transfer complete.
7 bytes received
ftp> cd pub                                         # uploads go to pub, the only directory writable by the ftp user
250 Directory successfully changed.
ftp> put 123.txt                                    # upload a file
local: 123.txt remote: 123.txt
227 Entering Passive Mode (...).
150 Ok to send data.
226 Transfer complete.
7 bytes sent
ftp> ls
227 Entering Passive Mode (...).
150 Here comes the directory listing.
-rw-------    1 14       50              7 Mar 26 02:44 123.txt
226 Directory send OK.
ftp> mkdir data                                     # create a directory
257 "/pub/data" created
ftp> quit
221 Goodbye.

Note that the uploaded file is owned by uid 14 (ftp) and has mode 600, which is the result of vsftpd's built-in default anon_umask=077, not the anon_umask=022 configured above. vsftpd reads its configuration at start, so restart the service after editing vsftpd.conf for new settings to take effect.

Local user mode

The anonymous open mode used above is now turned off and local user mode is turned on instead. Create a local user zhangsan (useradd zhangsan; passwd zhangsan) to test with.

anonymous_enable=NO            # anonymous access is prohibited
local_enable=YES               # allow local user mode
write_enable=YES               # allow write operations
local_umask=022                # umask for files created by local users

Run the ftp command on the client to connect to the FTP server. A local user lands in their own home directory by default, and the directories they create are owned by that user and their primary group.

Client test:

[root@RedHat6-1 ~]# ftp 192.168.10.50
Connected to 192.168.10.50 (192.168.10.50).
220 (vsFTPd 2.2.2)
Name (192.168.10.50:root): zhangsan                 # log in as the local user zhangsan
331 Please specify the password.
Password:                                           # zhangsan's system password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files                                    # create a directory in the home directory
257 "/files" created
ftp> ls
227 Entering Passive Mode (192,168,10,50,117,63).
150 Here comes the directory listing.
drwxr-xr-x    2 500      500          4096 Mar 26 03:03 files
226 Directory send OK.
ftp> rename files database                          # rename it
350 Ready for RNTO.
250 Rename successful.
ftp> ls
227 Entering Passive Mode (192,168,10,50,147,228).
150 Here comes the directory listing.
drwxr-xr-x    2 500      500          4096 Mar 26 03:03 database
226 Directory send OK.
ftp> rmdir database                                 # delete it
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (192,168,10,50,123,117).
150 Here comes the directory listing.
226 Directory send OK.
ftp> quit
221 Goodbye.

Note that on RHEL/CentOS 7, which ships vsftpd 3.x, a chrooted local user whose home directory is writable is refused at login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Adding allow_writeable_chroot=YES to the configuration file tells vsftpd to accept a writable chroot root and not reject the login. The safer fix is to make the home directory itself non-writable (chmod a-w) and give the user a writable subdirectory for uploads, so that the chroot root cannot be modified from inside the jail.

1. Chroot local users to their home directories

To confine every local user to their home directory (a chroot jail), add the chroot_local_user option. Without it a logged-in user can cd into /var/, /etc/, /boot/ and any other directory the account can read on the server, which is a security risk.

chroot_local_user=YES          # chroot local users to their home directories

Client test (after logging in as zhangsan again, every attempt to change to a directory outside the home directory fails):

550 Failed to change directory.
550 Failed to change directory.
221 Goodbye.
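As an added example, not code from the original post: a small POSIX shell audit that reads a vsftpd.conf and flags the settings discussed in the anonymous and local user sections (anonymous write options turned on, local users not chrooted, allow_writeable_chroot set). The directive names and their defaults are vsftpd's own; the function names and the file path given on the command line are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit a vsftpd.conf for the
# risky settings discussed above. Directive names and defaults are vsftpd's;
# function names are this example's own.

# conf_get FILE KEY DEFAULT: print the effective value of KEY in FILE.
# vsftpd ignores comment lines and uses the last occurrence of a directive.
conf_get() {
    _v=$(grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# audit_vsftpd_conf FILE: print one finding per line; return 1 if any found.
audit_vsftpd_conf() {
    _f=$1; _n=0
    # anonymous_enable defaults to YES when the directive is absent
    if [ "$(conf_get "$_f" anonymous_enable YES)" = YES ]; then
        for _k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_get "$_f" $_k NO)" = YES ]; then
                echo "anonymous write permitted: $_k=YES"; _n=$((_n + 1))
            fi
        done
    fi
    if [ "$(conf_get "$_f" local_enable NO)" = YES ]; then
        if [ "$(conf_get "$_f" chroot_local_user NO)" != YES ]; then
            echo "local users are not chrooted: chroot_local_user=NO"; _n=$((_n + 1))
        fi
        if [ "$(conf_get "$_f" allow_writeable_chroot NO)" = YES ]; then
            echo "writable chroot root permitted: allow_writeable_chroot=YES"; _n=$((_n + 1))
        fi
    fi
    [ "$_n" -eq 0 ]
}

# Usage: sh audit.sh /etc/vsftpd/vsftpd.conf
if [ $# -gt 0 ]; then
    audit_vsftpd_conf "$1"
fi
```

Run against the anonymous lab configuration from this page the audit reports the three anon_*_enable=YES lines and, once local_enable=YES is added, the missing chroot_local_user; against the local-user configuration with chroot_local_user=YES it reports nothing and exits 0.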
2. Blacklist and whitelist

However, an attempt to log in as the root administrator is rejected with the following error:

[root@RedHat6-1 ~]# ftp 192.168.10.50
Connected to 192.168.10.50 (192.168.10.50).
220 (vsFTPd 2.2.2)
Name (192.168.10.50:root): root                     # attempt to log in as root
530 Permission denied.
Login failed.

This is because vsftpd ships a file named user_list in its configuration directory. With the defaults userlist_enable=YES and userlist_deny=YES, any name appearing in that file is refused before a password is even requested, so the file acts as a blacklist. Setting userlist_deny=NO inverts it into a whitelist: only the names in user_list may log in. Independently of this, the file ftpusers in the same directory is consulted by vsftpd's PAM configuration (/etc/pam.d/vsftpd, via pam_listfile) and always denies the users it lists; root appears in both files.

[root@RedHat6-2 ~]# cd /etc/vsftpd/
[root@RedHat6-2 vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@RedHat6-2 vsftpd]# vim user_list               # view the user_list file (comment header omitted)
root
bin
daemon
adm
lp
sync                                                 # none of these users may log in to the FTP server by default
shutdown
halt
mail
news
uucp
operator
games
nobody
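As an added example, not code from the original post: a POSIX shell function that reproduces the user_list / ftpusers decision described above, so you can check who will be able to log in before touching the live configuration. The file semantics (userlist_enable, userlist_deny, and the PAM check of ftpusers) are vsftpd's; the function names and the sample files in the usage are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce vsftpd's user_list and
# ftpusers decision. The semantics are vsftpd's; function names are this
# example's own.

# in_list FILE NAME: succeed if NAME appears as a whole line in FILE
# (comment lines are ignored, as vsftpd does).
in_list() {
    grep -v '^[[:space:]]*#' "$1" | grep -qx "$2"
}

# ftp_login_allowed NAME USER_LIST FTPUSERS USERLIST_ENABLE USERLIST_DENY
# Prints the decision; returns 1 when the login would be rejected.
ftp_login_allowed() {
    _name=$1; _ul=$2; _fu=$3; _en=$4; _deny=$5
    if [ "$_en" = YES ]; then
        # userlist_deny=YES: user_list is a blacklist, checked before the password prompt
        if [ "$_deny" = YES ] && in_list "$_ul" "$_name"; then
            echo "denied: $_name is in user_list (blacklist, before password prompt)"
            return 1
        fi
        # userlist_deny=NO: user_list is a whitelist, also checked before the prompt
        if [ "$_deny" = NO ] && ! in_list "$_ul" "$_name"; then
            echo "denied: $_name is not in user_list (whitelist, before password prompt)"
            return 1
        fi
    fi
    # PAM (pam_listfile in /etc/pam.d/vsftpd) always rejects names in ftpusers
    if in_list "$_fu" "$_name"; then
        echo "denied: $_name is in ftpusers (PAM, after password prompt)"
        return 1
    fi
    echo "allowed: $_name"
}

# Usage: sh check.sh NAME   (assumes the stock RHEL defaults userlist_enable=YES, userlist_deny=YES)
if [ $# -gt 0 ]; then
    ftp_login_allowed "$1" /etc/vsftpd/user_list /etc/vsftpd/ftpusers YES YES
fi
```

The last check matters when switching to whitelist mode: adding root to user_list with userlist_deny=NO does not let root in, because ftpusers still blocks it at the PAM stage.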
Virtual user mode

Step 1:

Create the user database file used for FTP authentication: odd lines hold the account names, even lines the corresponding passwords. Convert it to a Berkeley DB hash database with db_load. Both files contain cleartext passwords, so restrict them to root (chmod 600).

[root@RedHat6-2 ~]# cd /etc/vsftpd/
[root@RedHat6-2 vsftpd]# vim vuser.list              # odd lines: user names, even lines: passwords
rose
abc123
jack
abc123
[root@RedHat6-2 vsftpd]# db_load -T -t hash -f vuser.list vuser.db
[root@RedHat6-2 vsftpd]# file vuser.db
vuser.db: Berkeley DB (Hash, version ..., native byte-order)
[root@RedHat6-2 vsftpd]# chmod 600 vuser.list vuser.db
Step 2:

Create the system account that virtual users are mapped to, and the directory that serves as the FTP root for virtual users, that is, the location they land in after logging in. The mapped account needs no login shell (/sbin/nologin), since it exists only so that vsftpd can drop privileges to it.

Step 3:

Create a PAM file, /etc/pam.d/vsftpd.vu, for virtual users. Its db= parameter is the path of the database produced by db_load, written without the .db suffix.

auth    required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
Step 4:

In the vsftpd main configuration file, point the pam_service_name parameter at the new PAM file vsftpd.vu, and add the guest_enable and guest_username parameters.

anonymous_enable=NO            # anonymous access is prohibited
guest_enable=YES               # enable virtual user mode
guest_username=virtual         # the system account that virtual users are mapped to
pam_service_name=vsftpd.vu     # PAM service file (/etc/pam.d/vsftpd.vu)

Step 5:

Give the virtual users different permissions. First create a directory to hold the per-user configuration files, then create files named rose and jack in it. Directives in a per-user file override the main configuration for that user only. Note that vsftpd treats virtual users like anonymous users unless virtual_use_local_privs=YES is set, so upload rights for a virtual user are granted with the anon_* options (anon_upload_enable, anon_mkdir_write_enable, anon_other_write_enable), not with write_enable alone.

Step 6:

Modify the vsftpd main configuration file once more, adding the user_config_dir parameter that defines where the configuration files of the two virtual users are stored, and restart the vsftpd service.

user_config_dir=/etc/vsftpd/vu_dir   # directory of per-user configuration files
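As an added example, not the page's own commands: the six virtual-user steps collected into one shell script. The directive names, the pam_userdb module and the db_load invocation are real; the paths (/etc/vsftpd/vuser.list, /var/ftproot, /etc/vsftpd/vu_dir), the mapped account name virtual, the user names rose and jack, and the function names are this example's assumptions taken from the page's layout. It goes beyond the page in two ways: it validates the name/password list before db_load (an odd line count silently pairs the wrong lines), and it keeps the virtual users' root directory non-writable with a writable upload subdirectory, the layout that vsftpd 3.x requires for chrooted sessions.

```shell
#!/bin/sh
# Added example (not from the original page): the virtual-user setup as a
# script. Paths, the "virtual" account and user names are assumptions.
# Run as root with --apply on a RHEL-family host that has db_load installed.

# check_vuser_list FILE: validate the odd-line/even-line layout before db_load.
# Returns 1 and prints the problem on failure.
check_vuser_list() {
    _n=$(wc -l < "$1" | tr -d ' ')
    if [ "$_n" -eq 0 ] || [ $((_n % 2)) -ne 0 ]; then
        echo "bad list: $_n lines, need name/password pairs"; return 1
    fi
    if grep -q '^[[:space:]]*$' "$1"; then
        echo "bad list: empty line (blank name or password)"; return 1
    fi
    # odd lines are names; a duplicate name silently overwrites the earlier entry
    if [ "$(awk 'NR % 2 == 1' "$1" | sort | uniq -d | wc -l | tr -d ' ')" -ne 0 ]; then
        echo "bad list: duplicate user name"; return 1
    fi
    return 0
}

# vuser_conf MODE: print the per-user config for MODE "write" or "readonly".
# Virtual users carry anonymous-style privileges, so uploads need anon_* options.
vuser_conf() {
    case $1 in
    write)    printf '%s\n' anon_upload_enable=YES anon_mkdir_write_enable=YES \
                            anon_other_write_enable=YES anon_umask=022 ;;
    readonly) printf '%s\n' anon_upload_enable=NO anon_mkdir_write_enable=NO \
                            anon_other_write_enable=NO ;;
    *)        echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# pam_conf DB: print the PAM stack; DB is the database path without ".db".
pam_conf() {
    printf 'auth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' "$1" "$1"
}

apply() {
    cd /etc/vsftpd || exit 1
    check_vuser_list vuser.list || exit 1                     # step 1
    db_load -T -t hash -f vuser.list vuser.db
    chmod 600 vuser.list vuser.db                             # both hold cleartext passwords
    id virtual >/dev/null 2>&1 || useradd -d /var/ftproot -s /sbin/nologin virtual   # step 2
    chown root:root /var/ftproot && chmod 755 /var/ftproot    # chroot root stays non-writable
    mkdir -p /var/ftproot/upload && chown virtual /var/ftproot/upload
    pam_conf /etc/vsftpd/vuser > /etc/pam.d/vsftpd.vu         # step 3
    mkdir -p vu_dir                                           # step 5
    vuser_conf write    > vu_dir/rose
    vuser_conf readonly > vu_dir/jack
    cat >> vsftpd.conf <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vu_dir
EOF
    service vsftpd restart                                    # steps 4 and 6
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

The fragment is appended to vsftpd.conf; vsftpd applies the last occurrence of a repeated directive, so local_enable=YES and write_enable=YES (already set in the local user step, and required for guest logins and uploads respectively) are simply restated. After the restart, rose can upload into /upload while jack can only list and download.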

Client test (log in as the virtual user whose per-user file allows uploads):

[root@RedHat6-1 ~]# ftp 192.168.10.50
Connected to 192.168.10.50 (192.168.10.50).
220 (vsFTPd 2.2.2)
Name (192.168.10.50:root): <virtual user with upload permission>
331 Please specify the password.
Password:                                           # password from vuser.list
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put anaconda-ks.cfg                            # upload a file
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (...).
150 Ok to send data.
226 Transfer complete.
1498 bytes sent
ftp> quit
221 Goodbye.

On the server the uploaded file appears in the virtual users' root directory, owned by the mapped system account:

[root@RedHat6-2 ~]# ls -l <virtual users' root directory>
total ...
-rw-r--r--. ... anaconda-ks.cfg

See also: How to install VsFTPD server with TLS on Ubuntu 18.04 LTS https://www.linuxidc.com/Linux/2018-10/154930.htm (plain FTP sends credentials and data in cleartext; TLS addresses that for all three modes).

Posted by mblack0508 on Tue, 26 Jul 2022 02:17:46 +0530