vsftpd is an FTP service program that runs on the Linux operating system. It is fully open source and free, and it also offers high security, fast transfers, and features such as virtual user authentication that other FTP service programs do not have.
As a more secure file transfer service program, vsftpd lets users log in to the FTP server in three authentication modes.
- Anonymous open mode: the least secure authentication mode. Anyone can log in to the FTP server directly without password verification.
- Local user mode: authentication uses the local account and password information of the Linux system, which is more secure than the anonymous open mode. But if an attacker cracks the account information, they can log in to the FTP server unimpeded and take full control of the entire server.
- Virtual user mode: the safest of the three modes. It requires a separate user database file for the FTP service, holding virtual account information that is used for password verification. These accounts do not actually exist in the server's system and are used only for authentication by the FTP service program.
Experimental environment
After configuring the yum repository on the FTP server, install the vsftpd service program.
Anonymous open mode
By default, the vsftpd service program enables the anonymous open mode. For this test, anonymous users need upload and download permissions, as well as permission to create, delete and rename files. This configuration is not recommended for real environments. The system user corresponding to the FTP server's anonymous user is ftp.
The relevant settings in vsftpd.conf (vsftpd.conf has no inline comments: anything after "=" is taken as the value, so the annotations are placed on their own "#" lines):
```
# allow anonymous access
anonymous_enable=YES
# allow anonymous users to upload files
anon_upload_enable=YES
# allow anonymous users to create directories
anon_mkdir_write_enable=YES
# allow anonymous users to modify or delete files and directories
anon_other_write_enable=YES
# permission mask for data uploaded by anonymous users
anon_umask=022
```
Lab setup only: stop the firewall and switch SELinux to permissive mode so they do not interfere with the test.
```
service iptables stop
setenforce 0
```
Run the ftp command on the client to connect to the FTP server; the FTP root directory /var/ftp is accessed by default. For security reasons, the permissions of the FTP root directory must not give the anonymous user (or other users) write permission; otherwise a 500 error is reported on access.
By default a subdirectory pub is created under /var/ftp, which can be used for uploading files during anonymous access. Make sure the anonymous user ftp has write permission on this directory.
```
[root@RedHat6 ~]# ...        (command elided in source; the listing shows the directory mode)
drwxr-xr-x.
```
Client test:
```
yum install ftp -y
```
```
Connected to ...
220 ...
Name (...:root): ...          // anonymous login, name elided in source
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (...).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               7 Mar 26 02:42 ftp.txt
drwxr-xr-x    2 14       0            4096 Feb 12  2013 pub
226 Directory send OK.
ftp> get ftp.txt
local: ftp.txt remote: ftp.txt
227 Entering Passive Mode (...).
150 Opening BINARY mode data connection for ftp.txt (7 bytes).
226 Transfer complete.
7 bytes received in ...
ftp> cd pub
250 Directory successfully changed.
ftp> put 123.txt
local: 123.txt remote: 123.txt
227 Entering Passive Mode (...).
150 Ok to send data.
226 Transfer complete.
7 bytes sent in ...
ftp> ls
227 Entering Passive Mode (...).
150 Here comes the directory listing.
-rw-------    1 14       50              7 Mar 26 02:44 123.txt
226 Directory send OK.
ftp> mkdir data
257 "/pub/data" created
ftp> quit
221 Goodbye.
```
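The two checks a practitioner wants before opening anonymous access are exactly the ones the section describes: which anonymous write options are switched on, and whether /var/ftp itself is read-only for the ftp account while /var/ftp/pub is writable. The script below is an added example, not code from the original article; it takes the configuration file, the FTP root and the anonymous system user as arguments, and it also flags inline "//" or "#" comments, which vsftpd reads as part of the value and rejects. Only owner and world write bits are examined, not group bits or ACLs.

```shell
#!/bin/sh
# Added example (not from the original article): audit anonymous-mode settings
# in a vsftpd.conf and verify the FTP root layout described in the text.
# Assumptions: GNU/Linux userland (ls, sed, grep, awk); paths are passed in.

# Last value set for <key> in <file> (later lines override earlier ones).
conf_get() {                       # conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print one "RISK:" line per anonymous write permission that is enabled, and a
# "BAD:" line for options carrying an inline comment: vsftpd.conf has no
# trailing comments, so "anon_umask=022 // mask" is read as the value
# "022 // mask" and the daemon refuses to start.
audit_anon_conf() {                # audit_anon_conf <file>
    f=$1
    if [ "$(conf_get "$f" anonymous_enable)" = "YES" ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            [ "$(conf_get "$f" "$k")" = "YES" ] && echo "RISK: anonymous_enable=YES with $k=YES"
        done
    fi
    grep -nE '^[[:space:]]*[a-z_]+=.*(//|#)' "$f" | sed 's/^/BAD: inline comment on line /' || true
    return 0
}

# Number of RISK findings (0 means anonymous users cannot write anything).
anon_risk_count() {                # anon_risk_count <file>
    audit_anon_conf "$1" | grep -c '^RISK:' || true
}

# 0 if <dir> is writable by <user> through the owner or world write bit.
writable_by() {                    # writable_by <dir> <user>
    line=$(ls -ld "$1")
    mode=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ] && return 0
    [ "$owner" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c3)" = "w" ] && return 0
    return 1
}

# Layout check from the text: the FTP root must NOT be writable by the
# anonymous account (the client sees a 500 error otherwise), while the upload
# subdirectory must be writable by it.
check_ftp_root() {                 # check_ftp_root <root> <upload_subdir> <anon_user>
    if writable_by "$1" "$3"; then
        echo "FAIL: $1 is writable by $3 (expect a 500 error at login)"; return 1
    fi
    if ! writable_by "$1/$2" "$3"; then
        echo "FAIL: $1/$2 is not writable by $3 (anonymous uploads will fail)"; return 1
    fi
    echo "OK: $1 is read-only for $3 and $1/$2 is writable"
}

# Usage on the tutorial's server (constructed invocation):
#   audit_anon_conf /etc/vsftpd/vsftpd.conf
#   check_ftp_root /var/ftp pub ftp
```

Running `audit_anon_conf` against the configuration above reports three RISK lines; after the anonymous section is finished and anonymous_enable is set to NO, the count drops to zero even if the anon_* options are left in place.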
Local user mode
The anonymous open mode was used above; now turn it off and enable the local user mode. Create a local user zhangsan for testing.
```
# anonymous access is prohibited
anonymous_enable=NO
# allow local user mode
local_enable=YES
# grant write permission
write_enable=YES
# umask for files created in local user mode
local_umask=022
```
Run the ftp command on the client to connect to the FTP server. By default the user's home directory is accessed, and the owner and group of that directory are the user themselves.
Client test:
```
[root@RedHat6-1 ~]# ftp 192.168.10.50
Connected to 192.168.10.50 (192.168.10.50).
220 (vsFTPd 2.2.2)
Name (192.168.10.50:root): zhangsan        // log in as user zhangsan
331 Please specify the password.
Password:                                   // enter the user's password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/files" created
ftp> ls
227 Entering Passive Mode (192,168,10,50,117,63).
150 Here comes the directory listing.
drwxr-xr-x    2 500      500          4096 Mar 26 03:03 files
226 Directory send OK.
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> ls
227 Entering Passive Mode (192,168,10,50,147,228).
150 Here comes the directory listing.
drwxr-xr-x    2 500      500          4096 Mar 26 03:03 database
226 Directory send OK.
ftp> rmdir database
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (192,168,10,50,123,117).
150 Here comes the directory listing.
226 Directory send OK.
ftp> quit
221 Goodbye.
```
Note that on version 7 of the system (RHEL/CentOS 7), the parameter allow_writeable_chroot=YES must be added to the configuration file for local users to log in: it permits writing to the chroot-jailed FTP root directory instead of refusing the user's login request.
1. Chroot jail the home directory
If you also want to jail all local users inside their home directories, add the chroot_local_user configuration item; otherwise a user can switch to any directory outside the home directory, such as the server's /var/, /etc/ and /boot/, which poses a security risk.
```
# jail local users in their home directory
chroot_local_user=YES
```
Client test:
```
ftp> cd ...                  (target directory elided in source)
550 Failed to change directory.
ftp> cd ...
550 Failed to change directory.
ftp> quit
221 Goodbye.
```
2. Blacklist and whitelist
However, logging in with the root administrator account produces the following error message:
```
Connected to ...
220 ...
Name (...:root): root        // log in as root
530 Permission denied.
Login failed.
```
This is because vsftpd ships a file named user_list in the directory where the service program's configuration lives. With the default userlist_deny=YES, the names in this list are not allowed to log in to the FTP server, so the file acts as a blacklist.
```
[root@RedHat6-2 ~]# cd /etc/vsftpd/
[root@RedHat6-2 vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@RedHat6-2 vsftpd]# vim user_list      // view the user_list file
# ...
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
```
These users are not allowed to log in to the FTP server by default.
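Whether a local account gets past the login depends on two lists, and it is easy to edit the wrong one. vsftpd checks user_list itself when the USER command arrives, which is why the root login above is refused before any password prompt; the ftpusers file sitting beside it is a second deny list that the distribution's PAM stack (/etc/pam.d/vsftpd, pam_listfile.so with sense=deny) applies after the password. The function below is an added example, not code from the original article; it predicts the outcome for a given user from those files and the userlist_enable / userlist_deny settings. It assumes userlist_enable=YES, as in the vsftpd.conf shipped on RHEL/CentOS (the upstream default is NO, in which case user_list is ignored), and defaults the list path to user_list in the configuration directory.

```shell
#!/bin/sh
# Added example (not from the original article): predict whether a local user
# can log in, given vsftpd's user_list handling and the PAM-enforced ftpusers
# deny list. Assumptions: userlist_enable=YES as on RHEL/CentOS; the list file
# defaults to <confdir>/user_list when userlist_file is not set.

conf_get() {                        # conf_get <conf> <key>; last value wins
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# 0 if <user> is named in the list file (blank lines and '#' comments skipped).
in_list() {                         # in_list <file> <user>
    [ -f "$1" ] && grep -vE '^[[:space:]]*(#|$)' "$1" | grep -qxF "$2"
}

# Print the reason and return 0 = allowed, 1 = denied.
can_login() {                       # can_login <conf> <confdir> <user>
    conf=$1; dir=$2; u=$3
    if [ "$(conf_get "$conf" userlist_enable)" = "YES" ]; then
        listfile=$(conf_get "$conf" userlist_file)
        [ -n "$listfile" ] || listfile=$dir/user_list
        deny=$(conf_get "$conf" userlist_deny)
        [ -n "$deny" ] || deny=YES                 # vsftpd default
        if [ "$deny" = "YES" ] && in_list "$listfile" "$u"; then
            echo "DENY: $u is in $listfile and userlist_deny=YES (blacklist; refused at USER, before the password)"
            return 1
        fi
        if [ "$deny" = "NO" ] && ! in_list "$listfile" "$u"; then
            echo "DENY: $u is not in $listfile and userlist_deny=NO (whitelist; refused at USER)"
            return 1
        fi
    fi
    if in_list "$dir/ftpusers" "$u"; then
        echo "DENY: $u is in $dir/ftpusers (pam_listfile; refused after the password)"
        return 1
    fi
    echo "ALLOW: $u passes the user_list and ftpusers checks"
}

# Usage on the tutorial's server (constructed invocation):
#   can_login /etc/vsftpd/vsftpd.conf /etc/vsftpd root
#   can_login /etc/vsftpd/vsftpd.conf /etc/vsftpd zhangsan
```

Switching userlist_deny to NO turns user_list into a whitelist: only the accounts named in it may log in. Either way, removing root from user_list is not enough on its own while root is still listed in ftpusers; the function reports which of the two lists blocked the login.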
Virtual user mode
Step 1:
Create a user database file for FTP authentication, with account names on odd lines and passwords on even lines.
```
[root@RedHat6 ~]# cat ...              (list file name elided in source)
rose
abc123
jack
abc123
[root@RedHat6 ~]# db_load -T -t hash -f ... vuser.db
[root@RedHat6 ~]# file vuser.db
vuser.db: Berkeley DB (Hash, version ..., native byte-order)
```
Step 2:
Create the root directory in which the vsftpd service program stores files, and the local system user that virtual users are mapped to. The file storage root of the FTP service is the default location that virtual users land in after logging in.
Step 3:
Create a PAM file vsftpd.vu to support virtual users, where the db= parameter gives the path of the account/password database file generated by the db_load command (pam_userdb appends the .db suffix itself).
```
auth    required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
```
Step 4:
In the main configuration file of the vsftpd service program, use the pam_service_name parameter to change the name of the PAM authentication file to vsftpd.vu, and add the guest_enable and guest_username parameters.
```
# anonymous access is prohibited
anonymous_enable=NO
# enable virtual user mode
guest_enable=YES
# system account that virtual users are mapped to
guest_username=virtual
# PAM service file to use
pam_service_name=vsftpd.vu
```
Step 5:
Set different permissions for the virtual users. First create the directory that stores the per-user configuration files for virtual users with different permissions, then create files named rose and jack under that directory.
Step 6:
Modify the vsftpd main configuration file again, adding the user_config_dir parameter that defines the path where the configuration files of the two virtual users with different permissions are stored, and restart the vsftpd service.
```
# directory holding the per-user configuration files
user_config_dir=/etc/vsftpd/vu_dir
```
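Steps 1 to 6 above fit naturally into one script, and writing them down together makes the two easily missed details visible: the password list is plaintext and should not stay world-readable, and a virtual user is handled by vsftpd as a guest (anonymous-style) login, so its write rights are set with the anon_* options in its per-user file. The script below is an added example, not code from the original article. The file names it uses are assumptions rather than values from the article: list file /etc/vsftpd/vuser.list, database /etc/vsftpd/vuser.db, mapped system account virtual with home /var/ftproot, and per-user files under /etc/vsftpd/vu_dir, with rose given upload rights and jack read-only (an assumed policy). The helper functions run anywhere; the root-only part only runs when VSFTPD_APPLY=1 is set in the environment.

```shell
#!/bin/sh
# Added example (not from the original article): the virtual-user setup from
# Steps 1-6 as one script. Paths, the account name "virtual" and the rose/jack
# permission split are assumptions, not values taken from the article.

# Step 1 check: the list alternates "account" / "password" lines, so it needs
# an even, non-zero number of non-empty lines. Returns 0 if the file is valid.
check_vuser_list() {                # check_vuser_list <listfile>
    n=$(grep -c . "$1" || true)
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# Step 3: the PAM service file. Both lines point at the db_load output, given
# without the .db suffix because pam_userdb appends it itself.
render_pam_file() {                 # render_pam_file <db path without .db>
    printf 'auth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' "$1" "$1"
}

# Step 5: the per-user file. Virtual users are guest logins, so their write
# rights are the anon_* options: "rw" may upload, mkdir and delete, "ro" may not.
render_vu_conf() {                  # render_vu_conf <rw|ro>
    if [ "$1" = "rw" ]; then
        printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n'
    else
        printf 'anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n'
    fi
}

# Steps 1-6 for real: needs root and the package providing db_load.
apply_setup() {
    list=/etc/vsftpd/vuser.list; db=/etc/vsftpd/vuser
    check_vuser_list "$list" || { echo "invalid account/password list: $list"; return 1; }
    db_load -T -t hash -f "$list" "$db.db"            # Step 1: build the Berkeley DB
    chmod 600 "$db.db" "$list"                        # both hold plaintext passwords
    mkdir -p /var/ftproot                             # Step 2: storage root + mapped user
    id virtual >/dev/null 2>&1 || useradd -d /var/ftproot -s /sbin/nologin virtual
    chown virtual:virtual /var/ftproot
    render_pam_file "$db" > /etc/pam.d/vsftpd.vu      # Step 3
    mkdir -p /etc/vsftpd/vu_dir                       # Step 5
    render_vu_conf rw > /etc/vsftpd/vu_dir/rose
    render_vu_conf ro > /etc/vsftpd/vu_dir/jack
    cat >> /etc/vsftpd/vsftpd.conf <<'EOF'
anonymous_enable=NO
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vu_dir
# On vsftpd 3.x (RHEL/CentOS 7) a writable chroot root is refused unless:
# allow_writeable_chroot=YES
EOF
    service vsftpd restart                            # Steps 4 and 6
}

if [ "${VSFTPD_APPLY:-0}" = 1 ]; then
    apply_setup
fi
```

Run it as `VSFTPD_APPLY=1 sh setup-vuser.sh` on the server; without that variable only the functions are defined, which is how the list check and the two renderers can be exercised on any machine first.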
Client test:
```
Connected to ...
220 ...
Name (...:root): ...          // virtual user name elided in source
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (...).
150 Ok to send data.
226 Transfer complete.
1498 bytes sent in ...
ftp> quit
221 Goodbye.
```
```
[root@RedHat6 ~]# ls -l ...                 (path elided in source)
total ...
-rw-r--r--. ... anaconda-ks.cfg
```
How to install VsFTPD server with TLS on Ubuntu 18.04 LTS https://www.linuxidc.com/Linux/2018-10/154930.htm