Case 1
Configure the FTP server as follows:
1. Anonymous users can only download files, and the root directory for anonymous users is /var/abc/. Add a 30 GB virtual disk to the virtual machine and partition it; format the first partition (10 GB) of the new disk as an ext3 file system and mount it on /part1. Create the home directory on /part1 and change the default home directory of local accounts on the Linux host to /part1/home; create the user1 and user2 accounts on the system. When user3 and user4 access the server over FTP they can reach their own home directory; each user's space is limited to 8 MB and the transfer rate to 3 MB/s. The FTP server must allow 80 connections at the same time, with a maximum of 3 connections per user. Logon by user5 is prohibited.
Case 2. Use tcp_wrappers to restrict access by IP address, and use a CA for secure (FTPS) access.
1. The configuration is as follows:
Change the default home directory for new users:
[root@root ~]# useradd -D -b /part1/home
I. Disk quota: partition the new disk first
[root@mail ~]# fdisk /dev/sdb
The number of cylinders for this disk is set to 3916.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
Last cylinder or +size or +sizeM or +sizeK (1218-3916, default 3916): +10G
Command (m for help): w
II. Format the partition:
mkfs -t ext3 /dev/sdb1
Create the mount point directory and mount the partition.
3. Edit /etc/fstab so that the partition is mounted with the usrquota option, then mount it:
[root@mail ~]# vim /etc/fstab
[root@mail ~]# mount /dev/sdb1 /part1/home
[root@mail ~]# mount -o remount /dev/sdb1
[root@mail ~]# mount
/dev/sdb1 on /part1/home type ext3 (rw,usrquota)
The disk quota mount option usrquota has been added successfully.
[root@mail ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       13G  2.2G  9.8G  18% /
/dev/sda1              99M   12M   82M  13% /boot
tmpfs                 125M     0  125M   0% /dev/shm
/dev/sdb1             9.2G  150M  8.6G   2% /part1/home
4. Create the disk quota database:
[root@mail ~]# quotacheck -auvg
Switch to the /part1/home directory:
[root@root home]# ll
total 24
-rw------- 1 root root  6144 12-18 00:10 aquota.user
drwx------ 2 root root 16384 12-18 lost+found
5. After the disk quota database is generated, the file aquota.user is created automatically under /part1/home. This file stores all of the user disk quota information.
6. Enable disk quotas:
[root@mail ~]# quotaon /part1/home
7. Edit the disk quota:
# edquota user3
user3 now exists on the system, and we set a disk quota for this user.
8. If disk quotas must be allocated to many users, specifying them one at a time is too tedious. The quota of one user can be copied to other users instead:
[root@mail ~]# edquota -p user1 user2
Run the following command to view the disk quota of user2:
[root@mail ~]# edquota user2
The verification is as follows:
[user3@root ~]$ dd if=/dev/zero of=u3 bs=1M count=8
sdb1: write failed, user block limit reached.
dd: writing `u3': Disk quota exceeded
8+0 records in
7+0 records out
[root@root ~]# edquota -p user3 user4
[root@root ~]# repquota -a
*** Report for user quotas on device /dev/sdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  152688       0       0              4     0     0
user3     --    8000    8000    8000              9     0     0
user4     --      32    8000    8000              8     0     0
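The repquota report above is what an administrator reads by hand; the following is an added example, not code from the tutorial, that parses the same column layout and flags users who have reached their block quota (the state user3 is in after the dd run, where the hard limit makes further writes fail). The report text it works on is constructed to mirror the tutorial's report for /dev/sdb1; block usage is in 1 KiB units, so the tutorial's "8 MB" limit of 8000 blocks is about 7.8 MiB.

```python
"""Parse `repquota` output and flag users who have hit their block quota.

Added example (not code from the tutorial): the parser works on the column
layout that `repquota` prints; the report below is constructed to mirror the
tutorial's own report for /dev/sdb1 (usage in 1 KiB blocks).
"""
import re

SAMPLE_REPORT = """\
*** Report for user quotas on device /dev/sdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  152688       0       0              4     0     0
user3     --    8000    8000    8000              9     0     0
user4     --      32    8000    8000              8     0     0
"""

# name, flags, block used/soft/hard, optional block grace, inode used/soft/hard,
# optional inode grace. A grace token (e.g. "6days", "none") always contains a
# non-digit, which keeps it from being confused with the next numeric column.
_ROW = re.compile(
    r"^(\S+)\s+([-+]{2})\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S*[^\d\s]\S*))?"
    r"\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S*[^\d\s]\S*))?\s*$"
)


def parse_repquota(text):
    """Return {user: {...}} with integer block/inode columns (blocks are KiB)."""
    users = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue              # title, header and separator lines
        name, flags, bu, bs, bh, bg, iu, is_, ih, ig = m.groups()
        users[name] = {
            "flags": flags,
            "blocks_used": int(bu), "blocks_soft": int(bs), "blocks_hard": int(bh),
            "block_grace": bg,
            "inodes_used": int(iu), "inodes_soft": int(is_), "inodes_hard": int(ih),
            "inode_grace": ig,
        }
    return users


def block_status(entry):
    """Classify one user's block usage. A limit of 0 means 'no limit'."""
    used, soft, hard = entry["blocks_used"], entry["blocks_soft"], entry["blocks_hard"]
    if soft == 0 and hard == 0:
        return "unlimited"
    if hard and used >= hard:
        return "at_hard"          # further writes fail, as user3's dd run shows
    if soft and used > soft:
        return "over_soft"        # allowed until the grace period runs out
    return "ok"


def flag_users(text):
    """Return [(user, status, used_mib)] for users who are over or at a limit."""
    flagged = []
    for name, entry in parse_repquota(text).items():
        status = block_status(entry)
        if status in ("over_soft", "at_hard"):
            flagged.append((name, status, round(entry["blocks_used"] / 1024, 1)))
    return flagged


if __name__ == "__main__":
    for user, status, mib in flag_users(SAMPLE_REPORT):
        print(f"{user}: {status} ({mib} MiB used)")
```

Run against a real report (`repquota -a | python3 this_script.py` after swapping SAMPLE_REPORT for sys.stdin.read()), the same functions give a quick list of accounts that are about to be blocked, which is easier to act on than scanning the table.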
9. vsftpd server configuration
[root@mail vsftpd]# vim vsftpd.conf
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
max_clients=80
max_per_ip=3
anon_root=/var/abc
local_max_rate=3000000
(vsftpd options are written as key=value with no spaces around the equals sign; local_max_rate is in bytes per second.)
10. Prevent user3 and user4 from leaving their home directory after logon:
[root@mail vsftpd]# vim chroot_list
user3
user4
Verification:
[root@root ~]# ftp 127.0.0.1
Name (127.0.0.1:user3): user3
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /home
550 Failed to change directory.
The directory cannot be changed, because user3 is confined to the home directory.
Each IP address can open at most three connections at a time (max_per_ip=3).
Download rate: limited by local_max_rate.
Disable logon for the local user5 account:
# vim /etc/vsftpd.conf
userlist_enable=YES
Add user5 to /etc/vsftpd/ftpusers.
Case 2 configuration analysis
1. Check whether the server supports tcp_wrappers:
[root@localhost Server]# ldd $(which vsftpd)
linux-gate.so.1 => (0x00138000)
libssl.so.6 => /lib/libssl.so.6 (0x001ba000)
libwrap.so.0 => /lib/libwrap.so.0 (0x00af5000)
Because vsftpd is linked against libwrap, it supports tcp_wrappers, and access can be restricted to a single IP address or to a network segment:
vim /etc/hosts.allow
vsftpd: 192.168.10.10 : allow    # or: vsftpd: 192.168.10.0/255.255.255.0 : allow
vim /etc/hosts.deny
vsftpd: ALL : deny
Verification (the FTP server's IP address is 192.168.10.10). From a Windows client whose address is not listed in hosts.allow:
C:\Documents and Settings\Administrator> ftp 192.168.10.10
Connected to 192.168.10.10.
421 Service not available.
User (192.168.10.10:(none)): user1
Connection closed by remote host.
Logging on from the address 192.168.10.10 itself:
[root@localhost etc]# ftp 192.168.10.10
Connected to 192.168.10.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.10.10:root): user1
230 Login successful.
The login succeeds, because this address is permitted in /etc/hosts.allow.
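To make the lookup order behind those two results concrete, here is an added example, not from the tutorial or from the tcp_wrappers library, that evaluates hosts.allow / hosts.deny rules the way hosts_access(5) describes: hosts.allow is consulted first and a match grants access, then hosts.deny where a match denies, and a client that matches neither file is admitted. A denied client is what produces the "421 Service not available." reply in the Windows session above. The rule text is constructed from the two files above, and only the pattern forms they use (ALL, a single address, net/mask, the trailing ": allow" / ": deny" option) are implemented; host names, LOCAL and EXCEPT are not.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules for a (daemon, client) pair.

Added example: not code from the tutorial or from the tcp_wrappers library. It
reimplements the lookup order documented in hosts_access(5) for the rule forms
the tutorial uses. The rule texts below are constructed from the tutorial's
/etc/hosts.allow and /etc/hosts.deny (IPv4 only; the ':' separator would
clash with IPv6 literals).
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed from the tutorial: one host, or alternatively one /24, may reach vsftpd
vsftpd: 192.168.10.10 : allow
vsftpd: 192.168.10.0/255.255.255.0 : allow
"""
HOSTS_DENY = """\
vsftpd: ALL : deny
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns, option)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue                     # malformed; tcp_wrappers logs and skips it
        option = parts[2].lower() if len(parts) > 2 else None
        rules.append((parts[0].split(), parts[1].split(), option))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted IPv4 address."""
    addr = ipaddress.IPv4Address(client_ip)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                   # net/mask form, e.g. 192.168.10.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):            # leading-components form, e.g. 192.168.10.
        return client_ip.startswith(pattern)
    try:
        return addr == ipaddress.IPv4Address(pattern)
    except ipaddress.AddressValueError:
        raise ValueError(f"unsupported client pattern {pattern!r} "
                         "(host names, LOCAL and EXCEPT are not implemented)")


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if access is granted.

    hosts.allow is searched first (a match grants), then hosts.deny (a match
    denies); no match in either file grants access. An explicit ': allow' or
    ': deny' option on a rule overrides the file's default verdict.
    """
    for text, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(text):
            if (any(daemon_matches(d, daemon) for d in daemons)
                    and any(client_matches(c, client_ip) for c in clients)):
                if option in ("allow", "deny"):
                    return option == "allow"
                return default
    return True


if __name__ == "__main__":
    for client in ("192.168.10.10", "192.168.10.77", "10.0.0.5"):
        verdict = "granted" if hosts_access("vsftpd", client) else "denied (421)"
        print(f"vsftpd from {client}: {verdict}")
```

Because the deny rule names only vsftpd, other libwrap-aware daemons on the host are unaffected by it, which the sshd case in the test shows; a deny-all for every service would need "ALL: ALL" in hosts.deny.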
FTPS configuration
Note: first clear the tcp_wrappers rules configured above, so they do not interfere with access.
[root@localhost Server]# rpm -ivh libsmi-0.4.5-2.el5.i386.rpm
[root@localhost Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm
[root@localhost Server]# tshark -ni eth0 -R "tcp.dstport eq 21"
With plain FTP, the packet capture shows the user name and password in clear text.
CA
The CA private key is cakey.pem and the root certificate is cacert.pem. In the openssl configuration file (openssl.cnf), the CA directory and the signing policy are set as follows:
dir = /etc/pki/CA
[policy_match]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt serial
(openssl ca will not sign until serial contains an initial serial number, for example 01.)
5. The CA server generates its own key and certificate. First the private key:
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem
(1024-bit RSA keys are considered too weak today; use at least 2048 bits.)
6. Then the CA server's self-signed root certificate:
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
7. The FTP server generates its own private key:
[root@localhost CA]# mkdir /etc/vsftpd/certs
[root@localhost CA]# cd /etc/vsftpd/certs/
[root@localhost certs]# openssl genrsa 1024 > vsftpd.key
8. The FTP server creates a certificate request:
[root@localhost certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
9. The CA server issues the certificate:
[root@localhost certs]# openssl ca -in vsftpd.csr -out vsftpd.cert
10. Restrict the permissions on the CA server's certificate and private key:
[root@localhost vsftpd]# cd /etc/pki/CA
[root@localhost CA]# chmod 600 private/cakey.pem
[root@localhost CA]# chmod 600 cacert.pem
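Steps 5 to 10 carried through end to end, as an added example that is not the tutorial's own commands and not part of OpenSSL: it drives the same openssl tool from Python, but signs the request with openssl x509 -req instead of openssl ca, so the CA directory layout (index.txt, serial, the openssl.cnf policy) is not needed; it uses 2048-bit keys instead of 1024-bit; and it finishes by checking that the issued certificate chains to the CA and that both private keys are mode 600 as step 10 requires. Subject names, the working directory and the 365-day validity are constructed; openssl must be installed (demo() returns None otherwise).

```python
"""Build a private CA, issue a server certificate for vsftpd, and verify it.

Added example, not the tutorial's own commands: it calls the same openssl tool
but signs with `openssl x509 -req` instead of `openssl ca` (no CA directory
layout needed) and uses 2048-bit keys. Subject names and the working directory
are constructed for the demonstration.
"""
import os
import shutil
import stat
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")


def run(*args, cwd):
    """Run one openssl subcommand, raising on failure."""
    subprocess.run([OPENSSL, *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_ca_and_sign(workdir, ca_cn="Example Private CA", server_cn="ftp.example.test"):
    """Create cakey.pem/cacert.pem, then vsftpd.key/vsftpd.csr/vsftpd.cert signed by the CA."""
    # CA: private key, then a self-signed root certificate (tutorial steps 5 and 6)
    run("genrsa", "-out", "cakey.pem", "2048", cwd=workdir)
    run("req", "-new", "-x509", "-key", "cakey.pem", "-out", "cacert.pem",
        "-days", "365", "-subj", f"/CN={ca_cn}", cwd=workdir)
    # FTP server: private key and certificate request (steps 7 and 8)
    run("genrsa", "-out", "vsftpd.key", "2048", cwd=workdir)
    run("req", "-new", "-key", "vsftpd.key", "-out", "vsftpd.csr",
        "-subj", f"/CN={server_cn}", cwd=workdir)
    # The CA signs the request (step 9; `x509 -req` stands in for `openssl ca`)
    run("x509", "-req", "-in", "vsftpd.csr", "-CA", "cacert.pem", "-CAkey", "cakey.pem",
        "-CAcreateserial", "-out", "vsftpd.cert", "-days", "365", cwd=workdir)
    # Step 10: private keys must not be readable by group or others
    for name in ("cakey.pem", "vsftpd.key"):
        os.chmod(os.path.join(workdir, name), 0o600)


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def certificate_verifies(workdir):
    """True when vsftpd.cert chains to cacert.pem, which is what an FTPS client checks."""
    result = subprocess.run([OPENSSL, "verify", "-CAfile", "cacert.pem", "vsftpd.cert"],
                            cwd=workdir, capture_output=True, text=True)
    return result.returncode == 0 and result.stdout.strip().endswith(": OK")


def demo():
    """Build everything in a temporary directory and return a summary, or None without openssl."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        build_ca_and_sign(d)
        return {
            "verify_ok": certificate_verifies(d),
            "ca_key_mode": file_mode(os.path.join(d, "cakey.pem")),
            "server_key_mode": file_mode(os.path.join(d, "vsftpd.key")),
            "files": sorted(os.listdir(d)),
        }


if __name__ == "__main__":
    print(demo())
```

For a production CA the tutorial's openssl ca flow is still the right choice, because index.txt and serial give you the issued-certificate records needed for revocation; the x509 -req shortcut here only shows the cryptographic relationship between the files.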
To access the FTP server over FTPS the FTP server's certificate is needed, so the certificate and private key locations are specified in the vsftpd configuration file:
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
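Two of the settings above deserve a check before they go live: ssl_sslv2=YES and ssl_sslv3=YES enable protocol versions that are obsolete and insecure (set them to NO and keep TLS), and the key named in rsa_private_key_file must not be readable by other users. The following is an added example, not code from the tutorial or from vsftpd, that parses a vsftpd.conf and reports those two problems together with the Case 1 requirements from step 9 (max_clients, max_per_ip, local_max_rate, anon_root, chroot_list_enable, tcp_wrappers) and the anonymous download-only rule. The configuration text and the key file it audits are constructed; option names are real vsftpd options, and because vsftpd reads key=value with no surrounding whitespace, the parser reports such lines instead of accepting them. One caveat on the user5 step earlier: with pam_service_name=vsftpd, /etc/vsftpd/ftpusers is enforced by PAM (pam_listfile), while userlist_enable=YES makes vsftpd itself consult userlist_file (/etc/vsftpd/user_list by default); on the CentOS/RHEL 5 packaging of vsftpd 2.0.5 both files deny the users listed in them, so either list blocks user5.

```python
"""Audit a vsftpd.conf against the tutorial's requirements and weak SSL settings.

Added example, not code from the tutorial or the vsftpd project. The
configuration below is constructed: it carries the tutorial's own settings,
including ssl_sslv2=YES / ssl_sslv3=YES, plus one deliberately malformed line.
"""
import os
import stat
import tempfile

# What Case 1 asks for, as vsftpd options (values taken from the tutorial).
REQUIRED = {
    "max_clients": "80",
    "max_per_ip": "3",
    "local_max_rate": "3000000",
    "anon_root": "/var/abc",
    "chroot_list_enable": "YES",
    "tcp_wrappers": "YES",
}

SAMPLE_CONF = """\
# constructed vsftpd.conf for the audit
anonymous_enable=YES
anon_upload_enable=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
max_clients=80
max_per_ip = 3
anon_root=/var/abc
local_max_rate=3000000
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
"""


def parse_vsftpd_conf(text):
    """Return (settings, errors); malformed lines go to errors, not settings."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        # vsftpd does not trim whitespace, so "max_per_ip = 3" is an unknown option to it
        if not sep or not key or key != key.strip() or value != value.strip():
            errors.append(f"line {lineno}: malformed option {raw!r} (vsftpd rejects it)")
            continue
        settings[key] = value
    return settings, errors


def audit(settings, errors, key_path=None):
    """Return a list of findings; an empty list means the file passed."""
    findings = list(errors)
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    if settings.get("ssl_enable") == "YES":
        for opt in ("ssl_sslv2", "ssl_sslv3"):
            if settings.get(opt) == "YES":
                findings.append(f"{opt}=YES enables an obsolete protocol; set it to NO")
        if settings.get("force_local_logins_ssl") != "YES":
            findings.append("force_local_logins_ssl is not YES: local passwords may cross the wire in clear text")
    if settings.get("anonymous_enable") == "YES" and settings.get("anon_upload_enable") == "YES":
        findings.append("anon_upload_enable=YES: Case 1 allows anonymous download only")
    if key_path is not None and os.path.exists(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:
            findings.append(f"{key_path}: mode {mode:04o} is readable by others; chmod 600")
    return findings


def demo():
    """Audit the constructed conf together with a deliberately world-readable key file."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "vsftpd.key")
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)      # the mistake that step 10's chmod 600 corrects
        settings, errors = parse_vsftpd_conf(SAMPLE_CONF)
        return audit(settings, errors, key_path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, pass the real file contents and the real rsa_private_key_file path to parse_vsftpd_conf and audit; the checks are deliberately narrow so that an empty result means exactly "the Case 1 values are present, no SSLv2/SSLv3, key not readable by others".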
Test:
C:\Documents and Settings\Administrator> ftp 192.168.10.10
Connected to 192.168.10.10.
220 (vsFTPd 2.0.5)
User (192.168.10.10:(none)): user1
530 Non-anonymous sessions must use encryption.
Login failed.
The server now requires encryption, and the Windows command-line ftp client does not support encrypted (FTPS) access, so the plain-text login is refused.
Test with a third-party FTPS client instead:
the user lands in the home directory by default
and can switch directories.
Capturing packets during this session shows that the data is encrypted:
[root@localhost vsftpd]# tshark -ni eth0 -R "tcp.dstport eq 21"