Build an intranet vsftp Server

Source: Internet
Author: User

I. Background

One of the company's products needs an upload function. HTTP could not meet the required upload speed, so FTP is used for uploads.

II. Installation and configuration

1. Installation:

    yum install vsftpd

After installation, start vsftp with:

    service vsftpd restart

2. Configuration:

1). vsftp Configuration

/etc/vsftpd.conf is vsftp's main configuration file. I will not post the whole file here, since every parameter is documented in detail elsewhere; I only cover the parameters that need to be changed:

    anonymous_enable=NO                      # whether anonymous login is allowed; access is controlled by account, so anonymous login is not allowed
    chroot_local_user=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list
    userlist_deny=NO
    userlist_file=/etc/vsftpd/user_list

The three chroot_* settings are what stop users from browsing directories above their own; note that with chroot_local_user=YES, vsftpd treats the names in chroot_list_file as the users exempted from the chroot, so check which names end up in that file. userlist_deny=NO together with userlist_file means that only the users listed in /etc/vsftpd/user_list may log in.

We know that FTP's default control port is 21 and its data port is 20, but people on the Internet are scanning these common ports all the time. I once set up FTP on Windows to test a feature and did not change much in the configuration file; within an hour of starting it I had been hit by a scanner. A JSP file had been put in the root directory of my website, and opening it myself gave me a cold sweat, because it displayed pretty much all of the server's directory information. To keep such "hacker" tools from finding the service by scanning, I set my own ports:

    listen_port=8021                # control (command) port
    ftp_data_port=8020              # data port
    pasv_enable=YES                 # enable passive mode
    pasv_addr_resolve=YES           # whether passive mode returns the configured address to the client; if NO, the address is taken from the socket of the connection; if YES, pasv_address is used
    pasv_address=222.185.xxx.xxx    # address returned in passive mode; the last two octets are hidden here for security
    pasv_min_port=10001             # lower bound of the passive-mode port range
    pasv_max_port=10010             # upper bound of the passive-mode port range
    local_max_rate=200000           # per-user transfer speed limit in bytes/second; 0 means no limit

(In vsftpd's own documentation, pasv_addr_resolve=YES only means that pasv_address may be given as a hostname to be resolved; the address advertised to the client is whatever pasv_address is set to.)

Run service vsftpd restart for the changes to take effect.

2). Firewall Configuration

Add the ports used by vsftp to /etc/sysconfig/iptables:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8021 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8020 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 10000:10010 -j ACCEPT

Run service iptables restart for the rules to take effect.
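As an added check (my own script, not part of the original post), the following Python snippet parses the vsftpd parameters and the iptables rules quoted above, embedded here as constructed samples, and reports any port vsftpd may use that the firewall does not accept, as well as any accepted port that vsftpd never uses.

```python
import re

# Constructed from the vsftpd.conf parameters and iptables rules quoted in this post.
VSFTPD_CONF = """
listen_port=8021
ftp_data_port=8020
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10010
"""
IPTABLES_RULES = """
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8021 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8020 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000:10010 -j ACCEPT
"""
DPORT_RE = re.compile(r"-p tcp .*?--dport (\d+)(?::(\d+))?.*?-j ACCEPT")

def parse_conf(text):
    """Read key=value lines of a vsftpd.conf fragment, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def accepted_tcp_ports(rules):
    """Set of TCP destination ports accepted by ACCEPT rules of the form used above."""
    ports = set()
    for m in DPORT_RE.finditer(rules):
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        ports.update(range(low, high + 1))  # a single port or a low:high range
    return ports

def check(conf, rules):
    """Compare the ports vsftpd can use with the ports the firewall accepts."""
    needed = {int(conf["listen_port"]), int(conf["ftp_data_port"])}
    if conf.get("pasv_enable", "YES").upper() == "YES":
        needed.update(range(int(conf["pasv_min_port"]), int(conf["pasv_max_port"]) + 1))
    opened = accepted_tcp_ports(rules)
    findings = []
    missing = sorted(needed - opened)
    if missing:
        findings.append("ports vsftpd uses but the firewall blocks: %s" % missing)
    unused = sorted(opened - needed)
    if unused:
        findings.append("ports the firewall accepts but vsftpd never uses: %s" % unused)
    return findings
```

Calling check(parse_conf(VSFTPD_CONF), IPTABLES_RULES) on this post's values reports a single finding: the 10000:10010 rule also accepts port 10000, which pasv_min_port=10001 never uses, so the rule can be tightened to 10001:10010.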

3) Add a vsftp user and disable SSH login.

    # adduser -d /home/ftp/bruce -g ftp -s /sbin/nologin bruce
    # passwd bruce
    # chmod 755 /home/ftp/bruce

adduser creates the vsftp user: -d /home/ftp/bruce sets the user's home directory (set it as needed), -g ftp makes the user a member of the ftp group, -s /sbin/nologin prevents the user from logging in to a shell, and bruce is the user name (set it as needed). passwd sets bruce's password, and finally chmod grants permissions on the user's home directory.

At this point our vsftp server is half built. What follows is the port mapping and the client program.

III. Port mapping and the client program

1. Port mapping

This issue is crucial and was the biggest problem that plagued me during the whole setup. After finishing the configuration in part II and writing the client, I tried to connect and list the files in the directory. The client always returned a connection timeout. I checked everything several times, from the vsftp configuration to the program, and finally found the problem with a packet capture tool. Here is the capture from the failing run:

    1. [Saturday 16:04:13:129] 220 (vsFTPd 2.2.2)
    2. [Saturday 16:04:13:130] USER bruce
    3. [Saturday 16:04:13:133] 331 Please specify the password.
    4. [Saturday 16:04:13:133] PASS Bruce, 2013
    5. [Saturday 16:04:28:208] 230 Login successful.
    6. [2013/4/27 Saturday 16:04:28:209] TYPE I
    7. [Saturday 16:04:28:211] 200 Switching to Binary mode.
    8. [Saturday 16:04:28:247] PASV
    9. [Saturday 16:04:28:249] 227 Entering Passive Mode (192,168,1,122,39,16).
    500 OOPS: vsf_sysutil_recv_peek: no data
    500 OOPS: child died

When the run reached step 9 it hung for a moment, then the client reported java.net.ConnectException: Connection timed out: connect, and the server side produced the two 500 OOPS errors in the last two lines. My first thought was that the returned IP address was wrong: because I had mapped a public port to the intranet, the client was being handed an intranet address. So I added the following parameters:

    pasv_addr_resolve=YES           # whether passive mode returns the configured address to the client; if NO, the address is taken from the socket of the connection; if YES, pasv_address is used
    pasv_address=222.185.xxx.xxx    # address returned in passive mode; the last two octets are hidden here for security

When I ran it again, the response was correct:

    227 Entering Passive Mode (222,185,xxx,xxx,39,24).

Note: the last two numbers in the brackets give the data connection port: 39*256 + 24 = 10008. That port falls between the lower and upper bounds set in vsftpd.conf, so the port setting has taken effect. But the problem persisted, so it was not as simple as the IP address; only the port number was left. I went back and re-learned the two FTP modes:

    Active FTP
      Command connection: client port >1024 -> server port 21 (8021 here, mapped to 15321 on the public network)
      Data connection:    client port >1024 <- server port 20 (8020 here, mapped to 15320 on the public network)

    Passive FTP (avoids the server actively connecting to a client port behind a firewall and failing)
      Command connection: client port >1024 -> server port 21 (8021 here, mapped to 15321 on the public network)
      Data connection:    client port >1024 -> server port >1024 (limited here to 10001-10010)

What had actually happened: when the public network was mapped to the intranet, only ports 8021 and 8020 had been mapped; the 10001-10010 range configured in vsftpd.conf was not mapped at all. I requested those ten ports from the IT department, had 10001-10010 mapped strictly one-to-one, and ran the client program again:

    [Saturday 16:04:17:114] 220 (vsFTPd 2.2.2)
    [Saturday 16:04:17:116] USER bruce
    [Saturday 16:04:17:118] 331 Please specify the password.
    [Saturday 16:04:17:119] PASS Bruce, 2013
    [Saturday 16:04:32:203] 230 Login successful.
    [Saturday 16:04:32:203] TYPE I
    [Saturday 16:04:32:206] 200 Switching to Binary mode.
    [Saturday 16:04:32:236] PASV
    [Saturday 16:04:32:238] 227 Entering Passive Mode (222,185,xxx,xxx).
    [Saturday 16:04:32:241] LIST /
    [Saturday 16:04:32:243] 150 Here comes the directory listing.
    226 Directory send OK.

Done!!
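The diagnosis above turned into a reusable check (added here; not code from the original post): it parses a 227 reply, computes the data port as p1*256 + p2, and lists why an Internet client could fail to open the data connection, given the pasv_min_port/pasv_max_port range and the set of ports actually forwarded by the NAT. The replies are constructed from the two captures; the public address 203.0.113.10 is a documentation address standing in for the post's hidden 222.185.xxx.xxx.

```python
import re

PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed replies modelled on the two captures in this post; the public
# address is a documentation address standing in for the hidden 222.185.xxx.xxx.
REPLY_BEFORE_FIX = "227 Entering Passive Mode (192,168,1,122,39,16)."
REPLY_AFTER_FIX = "227 Entering Passive Mode (203,0,113,10,39,24)."

def parse_pasv(reply):
    """Return (address, port) advertised in a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a valid 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16: not reachable from the Internet."""
    a, b = (int(x) for x in addr.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def check_pasv(reply, pasv_min, pasv_max, forwarded_ports):
    """List the reasons an Internet client could fail to open the data connection."""
    addr, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(addr):
        problems.append("server advertised private address %s; set pasv_address" % addr)
    if not pasv_min <= port <= pasv_max:
        problems.append("port %d is outside pasv_min_port..pasv_max_port" % port)
    if port not in forwarded_ports:
        problems.append("port %d is not forwarded to the server" % port)
    return addr, port, problems

if __name__ == "__main__":
    forwarded = set(range(10001, 10011))  # the ten ports mapped one-to-one
    for reply in (REPLY_BEFORE_FIX, REPLY_AFTER_FIX):
        print(reply, check_pasv(reply, 10001, 10010, forwarded))
```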

2. Client Program

    import java.io.IOException;

    import org.apache.commons.net.ftp.FTP;
    import org.apache.commons.net.ftp.FTPClient;
    import org.apache.commons.net.ftp.FTPClientConfig;
    import org.apache.commons.net.ftp.FTPFile;
    import org.apache.commons.net.ftp.FTPReply;

    public class FtpTools {
        private FTPClient ftp = new FTPClient();

        /**
         * FTP connection method
         * @param hostname public IP
         * @param port     public port
         * @param username FTP user name
         * @param password FTP password
         * @return true if the login and the directory listing succeeded
         */
        public boolean connect(String hostname, int port, String username, String password) {
            try {
                FTPClientConfig conf = new FTPClientConfig(FTPClientConfig.SYST_NT);
                conf.setServerLanguageCode("zh");
                ftp.configure(conf);
                ftp.setControlEncoding("GBK"); // avoid garbled Chinese file names
                ftp.setConnectTimeout(150000);
                ftp.enterLocalPassiveMode();
                ftp.connect(hostname, port);
                int code = ftp.getReplyCode();
                if (FTPReply.isPositiveCompletion(code)) {
                    if (ftp.login(username, password)) {
                        ftp.enterLocalPassiveMode(); // switch to PASV (passive) mode
                        ftp.setFileType(FTP.BINARY_FILE_TYPE); // required: transfer in binary mode
                        ftp.setDataTimeout(60000);
                        ftp.setSoTimeout(120000);
                        FTPFile[] files = ftp.listFiles("/");
                        System.out.println(files.length);
                        for (FTPFile file : files) {
                            System.out.println(file.getName());
                        }
                        return true;
                    }
                }
            } catch (IOException e) { // SocketException is an IOException, so one catch covers both
                e.printStackTrace();
            } finally {
                try {
                    if (ftp.isConnected()) {
                        ftp.disconnect(); // always release the control connection
                    }
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            return false;
        }

        public static void main(String[] args) {
            new FtpTools().connect("222.185.xxx.xxx", 15321, "bruce", "Bruce, 2013");
        }
    }

 

That is how the vsftp server was built. The client code above is only a simple connection test; as the project progresses I will share how to upload, download, resume uploads, and solve other problems, in the hope of helping those who are new to vsftp or have run into the same problems.

PS: a later episode. I pointed the FTP directory at a disk array mounted on the server. Files could be downloaded from it but not uploaded, even after granting permissions. Later I learned that running chmod 777 for the FTP user on the machine that mounts the disk is useless; only the super administrator who mounted the disk can grant the permissions.