FTP is one of the first services Internet users get to know. It makes file sharing easy (including across platforms), but because FTP transmits everything, credentials included, in plain text, its security has become a serious problem. This article looks at vsftpd security from four angles: basic hardening, TCP Wrapper, FTPS, and virtual users.
1. Basic Security
A. Deny anonymous users who give a listed e-mail address as their password:
# vim /etc/vsftpd.conf
deny_email_enable=YES
# (the default file is used)
banned_email_file=/etc/vsftpd/banned_emails
# vim /etc/vsftpd/banned_emails
a@qq.com
B. Confine listed local users to their home directory after logon, so they cannot change into other directories:
# vim /etc/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# vim /etc/vsftpd/chroot_list: edit the file and add user1 to it
user1
C. Disable logon for certain local users:
# vim /etc/vsftpd.conf
userlist_enable=YES (the default)
Then add the user names to /etc/vsftpd/ftpusers or /etc/vsftpd/user_list. With the default userlist_deny=YES, a name in user_list is rejected before a password is even requested, so the password never crosses the wire.
2. tcp-wrapper
A. First, what TCP Wrapper is:
A firewall is usually installed on the operating system to handle network connections. Although firewalls are widely used, they are not all-powerful: a packet filter cannot, for example, send a text message back to whoever opened the connection.
TCP Wrappers extends inetd so that the service programs it launches can be access-controlled. It can log connections, return a message to the connecting client, restrict a service to internal connections only, and so on.
The extra security functions TCP Wrappers provides should not, however, be treated as a substitute for a good firewall. TCP Wrappers should be used together with a firewall or other hardening measures, adding one more layer of protection to the system.
B. Overview of TCP Wrapper System
The diagram shows where TCP Wrapper sits in the system's layered structure relative to the applications.
Note: Netfilter (iptables) works at the network layer, while TCP Wrapper works at the application layer.
It also shows the order in which /etc/hosts.allow and /etc/hosts.deny are consulted: hosts.allow first, then hosts.deny, and a client matched by neither file is allowed.
# yum install vsftpd
The default configuration file already contains tcp_wrappers=YES.
Check whether vsftpd was built with TCP Wrapper support:
# ldd $(which vsftpd)
linux-gate.so.1 => (0x009e8000)
libssl.so.6 => /lib/libssl.so.6 (0x00b44000)
libwrap.so.0 => /lib/libwrap.so.0 (0x00ce2000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00c98000)
libpam.so.0 => /lib/libpam.so.0 (0x00110000)
libcap.so.1 => /lib/libcap.so.1 (0x007c6000)
...
libwrap.so.0 is linked in, so tcp_wrappers is supported.
# vim /etc/hosts.allow
vsftpd: 192.168.2.0/255.255.255.0: allow (access from the 192.168.2.0 network segment is allowed)
# vim /etc/hosts.deny
vsftpd: ALL: deny (access from every other network segment is refused)
[root@mail ~]# ftp 192.168.2.1
Connected to 192.168.2.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.2.1:root):
[root@mail ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
421 Service not available.
ftp>
The connection from the 192.168.2.0/24 client reaches the login prompt, while the connection from 127.0.0.1, which matches only the hosts.deny rule, is refused with 421.
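To see why the two sessions above end differently, the following script (an added example, not code from the original post) evaluates a client address against a hosts.allow / hosts.deny pair in the order tcpd uses: hosts.allow first, then hosts.deny, otherwise allow. It handles the patterns used here (ALL, an exact address, a dotted prefix such as 192.168.2., and net/mask) plus an explicit allow/deny option; host names, EXCEPT and spawn are not covered. The two files and the function names are constructed for this example, and every path is a parameter, so a rule set can be checked before it is deployed.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the TCP Wrapper
# decision order to a client address so a hosts.allow / hosts.deny pair can be
# tested before deployment. The two files below are constructed sample input
# carrying the article's rules; all paths are parameters.

WORK=$(mktemp -d)
cat > "$WORK/hosts.allow" <<'EOF'
# constructed sample: only the 192.168.2.0/24 segment may reach vsftpd
vsftpd: 192.168.2.0/255.255.255.0: allow
EOF
cat > "$WORK/hosts.deny" <<'EOF'
# constructed sample: everybody else is refused, but only for vsftpd
vsftpd: ALL: deny
EOF

# ip2int A.B.C.D -> the address as one integer, for mask arithmetic
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_client PATTERN ADDRESS -> success when the pattern covers the address
match_client() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        */*)                                   # net/mask form
            net=${pat%/*}; mask=${pat#*/}
            [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
              $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # prefix form
        *)   [ "$pat" = "$ip" ] ;;             # exact address
    esac
}

# scan_file FILE DAEMON ADDRESS DEFAULT -> prints the verdict of the first
# matching line (an explicit "allow"/"deny" option wins over DEFAULT), or
# nothing when no line matches. Comments and blank lines are skipped.
scan_file() {
    file=$1; daemon=$2; ip=$3; default=$4
    sed -e 's/#.*//' "$file" | grep -v '^[[:space:]]*$' | while IFS=: read -r dlist clist opt; do
        dlist=$(printf '%s' "$dlist" | tr -d ' \t')
        opt=$(printf '%s' "$opt" | tr -d ' \t')
        case ",$dlist," in *,ALL,*|*",$daemon,"*) ;; *) continue ;; esac
        for pat in $(printf '%s' "$clist" | tr ',' ' '); do
            if match_client "$pat" "$ip"; then
                case "$opt" in allow|deny) echo "$opt" ;; *) echo "$default" ;; esac
                break 2
            fi
        done
    done
}

# wrap_decision DAEMON ADDRESS ALLOWFILE DENYFILE -> prints "allow" or "deny"
wrap_decision() {
    v=$(scan_file "$3" "$1" "$2" allow); [ -n "$v" ] && { echo "$v"; return 0; }
    v=$(scan_file "$4" "$1" "$2" deny);  [ -n "$v" ] && { echo "$v"; return 0; }
    echo allow   # matched by neither file: tcpd lets the connection through
}

for client in 192.168.2.50 127.0.0.1 192.168.3.7; do
    echo "vsftpd from $client: $(wrap_decision vsftpd "$client" "$WORK/hosts.allow" "$WORK/hosts.deny")"
done
echo "sshd from 127.0.0.1: $(wrap_decision sshd 127.0.0.1 "$WORK/hosts.allow" "$WORK/hosts.deny")"
```

The last call is the point most often missed: the hosts.deny line names only vsftpd, so every other wrapped service (sshd in the example) stays reachable from everywhere until it gets a rule of its own, or until the deny file uses ALL: ALL.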
3. FTPS Configuration
FTP server: 192.168.2.1
FTP client: 192.168.2.100
CA Server Configuration
# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # custom CA path
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
Create the directories and files the configuration expects; the private key is private/cakey.pem and the root certificate is cacert.pem:
# cd /etc/pki/CA
# mkdir crl certs newcerts
# touch index.txt serial
# echo "01" > serial
# openssl genrsa 1024 > private/cakey.pem
# chmod 600 private/*
# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
The ftp-server generates its own private key and certificate:
# mkdir -pv /etc/vsftpd/certs
# openssl genrsa 1024 > vsftpd.key
# openssl req -new -key vsftpd.key -out vsftpd.csr
# openssl ca -in vsftpd.csr -out vsftpd.cert
Edit the vsftpd configuration file:
# vim /etc/vsftpd.conf
force_local_data_ssl=YES # force non-anonymous users to encrypt data transfers
force_local_logins_ssl=YES # force non-anonymous users to log on over an encrypted connection
ssl_enable=YES # enable SSL/TLS support in vsftpd
ssl_sslv2=YES # accept Secure Sockets Layer v2
ssl_sslv3=YES # accept Secure Sockets Layer v3
ssl_tlsv1=YES # accept TLS v1
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert # path of the ftp-server certificate
rsa_private_key_file=/etc/vsftpd/.sslkey/vsftpd.key # path of the ftp-server private key
# service vsftpd restart # restart the vsftpd service
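A read-only audit of the settings from section 1 and from the FTPS block above is a useful habit before restarting the service; the script below is an added example, not code from the original post or from the vsftpd project. It checks the user list, chroot and SSL/TLS directives and the protection of the key file, and it flags ssl_sslv2=YES and ssl_sslv3=YES, since both protocols are broken and vsftpd's own documentation defaults them to NO. The two configuration files are constructed samples (one copies the SSL lines of the article and adds a world-readable key, the other is hardened); the file path and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audits a vsftpd.conf against
# the hardening points of this article. The configs below are constructed
# samples; the path given to vsftpd_audit is a parameter.

WORK=$(mktemp -d)
: > "$WORK/open.key";   chmod 644 "$WORK/open.key"    # deliberately too open
: > "$WORK/closed.key"; chmod 600 "$WORK/closed.key"
cat > "$WORK/weak.conf" <<EOF
anonymous_enable=YES
userlist_enable=YES
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=$WORK/vsftpd.cert
rsa_private_key_file=$WORK/open.key
EOF
cat > "$WORK/hardened.conf" <<EOF
anonymous_enable=NO
userlist_enable=YES
chroot_local_user=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=$WORK/vsftpd.cert
rsa_private_key_file=$WORK/closed.key
EOF

# conf_get FILE KEY DEFAULT -> value of the last uncommented "key=value" line,
# or DEFAULT when the key is absent
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# is_yes VALUE -> success for the spellings vsftpd accepts as true
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# is_private FILE -> success when the mode has no group/other bits set
is_private() {
    case $(ls -ld "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

# vsftpd_audit FILE -> prints one finding per line (nothing when clean)
vsftpd_audit() {
    f=$1
    anon=$(conf_get "$f" anonymous_enable "")
    if [ -z "$anon" ]; then
        echo "anonymous_enable not set: vsftpd 2.x defaults to YES, 3.x to NO; set it explicitly"
    elif is_yes "$anon"; then
        echo "anonymous_enable=YES: anonymous logins are allowed; set NO unless intended"
    fi
    if ! is_yes "$(conf_get "$f" userlist_enable NO)"; then
        echo "userlist_enable=NO: /etc/vsftpd/user_list is not consulted"
    fi
    if ! is_yes "$(conf_get "$f" chroot_local_user NO)" && ! is_yes "$(conf_get "$f" chroot_list_enable NO)"; then
        echo "no chroot configured: local users can browse the whole filesystem"
    fi
    if ! is_yes "$(conf_get "$f" ssl_enable NO)"; then
        echo "ssl_enable=NO: passwords and data travel in plain text"
        return 0
    fi
    for k in ssl_sslv2 ssl_sslv3; do
        if is_yes "$(conf_get "$f" $k NO)"; then
            echo "$k=YES: SSLv2/SSLv3 are broken protocols; set NO"
        fi
    done
    for k in force_local_logins_ssl force_local_data_ssl; do
        if ! is_yes "$(conf_get "$f" $k YES)"; then
            echo "$k=NO: local users may fall back to clear-text logins or transfers"
        fi
    done
    # when rsa_private_key_file is empty, vsftpd reads the key from rsa_cert_file
    key=$(conf_get "$f" rsa_private_key_file "$(conf_get "$f" rsa_cert_file "")")
    if [ -z "$key" ]; then
        echo "no rsa_private_key_file or rsa_cert_file configured"
    elif [ ! -f "$key" ]; then
        echo "private key $key not found"
    elif ! is_private "$key"; then
        echo "private key $key is readable by group/others; chmod 600"
    fi
}

for c in weak hardened; do
    echo "== $c.conf"
    vsftpd_audit "$WORK/$c.conf"
done
```

Run it against the real file with vsftpd_audit /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on systems that keep it there). The key-file check matters because the article's rsa_private_key_file lives outside the certs directory: a key that is readable by other local users lets them impersonate the server to every FTPS client.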
This FTPS setup is for local users; a browser or the plain ftp command-line client cannot connect to it, so an FTPS-capable client such as FlashFXP is required.
A packet capture of the session shows only ciphertext on the wire.
4. Virtual Users
Virtual users authenticated against a local data file: first create a file holding all the users and their passwords. This method suits a small number of users whose details change infrequently.
1) Install the package that provides the database generation tool, db4-utils:
# yum install db4-utils
2) Create the virtual user file, with each user name on one line and its password on the next. In this chapter it is /etc/vsftpd/ftpuser.txt:
test1
123
test2
456
(test1/123 and test2/456 are the two user/password pairs; the file holds nothing else, because db_load takes every line literally)
3) Generate the virtual user database file, then tighten its permissions for security:
# db_load -T -t hash -f /etc/vsftpd/ftpuser.txt /etc/vsftpd/ftpuser.db
# chmod 600 /etc/vsftpd/ftpuser.db
4) Edit the PAM configuration file /etc/pam.d/vsftpd: comment out the original content and add the two lines below. They switch the data source for user authentication and the other account checks to the local data file /etc/vsftpd/ftpuser.db, using the module /lib/security/pam_userdb.so.
The module's manual, with a usage example, is at /usr/share/doc/pam-0.99.6.2/txts/README.pam_userdb.
# vim /etc/pam.d/vsftpd
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/ftpuser
account required /lib/security/pam_userdb.so db=/etc/vsftpd/ftpuser
(the db= value is given without the .db suffix; pam_userdb appends it itself)
5) Create the local user that the virtual users will be mapped to:
# useradd -d <home-directory> -s /sbin/nologin redhat
6) Edit /etc/vsftpd/vsftpd.conf as follows (see the manual: man 5 vsftpd.conf):
# vim /etc/vsftpd.conf
guest_enable=YES # enable virtual users
guest_username=redhat # map virtual users to the local user redhat
pam_service_name=vsftpd # PAM service file (vsftpd by default)
7) Restart vsftpd and test the logon.
8) Make the redhat home directory readable by others, then enable uploads for virtual users in vsftpd.conf:
# chmod o+r redhat
# vim /etc/vsftpd.conf
anon_upload_enable=YES (enable uploads; vsftpd gives virtual users the privileges of anonymous users, so the anon_* options apply to them)
anon_umask=073 (uploaded files get mode 704, so other users can download them)
anon_other_write_enable=YES (allow rename, delete, and so on)
9) After the test succeeds, every virtual user logs on into the same directory on the FTP server, namely the home directory of the local user they are mapped to.
The experiment is complete.
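Two things go wrong silently in the virtual-user procedure above: a user file that does not alternate user name and password lines (a missing final newline or a stray blank line shifts every pair, so "123" becomes a user name), and a pam_userdb db= value that names the wrong file (the suffix must be omitted, and the .db file must exist and stay mode 600, since it holds the passwords). The script below is an added example, not code from the original post; it checks both before db_load and PAM are trusted with the files. The sample files and function names are constructed for this example, and every path is a parameter.

```shell
#!/bin/sh
# Added example, not code from the original post: validates the virtual-user
# text file and the pam_userdb "db=" targets. All files below are constructed
# samples; the paths given to the check functions are parameters.

WORK=$(mktemp -d)
printf 'test1\n123\ntest2\n456\n' > "$WORK/good.txt"; chmod 600 "$WORK/good.txt"
# odd line count, a repeated user name, and a world-readable mode
printf 'test1\n123\ntest1\n789\nlonely\n' > "$WORK/bad.txt"; chmod 644 "$WORK/bad.txt"
: > "$WORK/ftpuser.db"; chmod 600 "$WORK/ftpuser.db"
cat > "$WORK/vsftpd.pam" <<EOF
auth    required /lib/security/pam_userdb.so db=$WORK/ftpuser
account required /lib/security/pam_userdb.so db=$WORK/ftpuser
EOF
cat > "$WORK/vsftpd-bad.pam" <<EOF
auth    required /lib/security/pam_userdb.so db=$WORK/ftpuser.db
account required /lib/security/pam_userdb.so db=$WORK/missing
EOF

# is_private FILE -> success when no group/other permission bit is set
is_private() {
    case $(ls -ld "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

# check_vuser_file FILE -> prints each problem, fails if there is any
check_vuser_file() {
    f=$1; rc=0
    n=$(wc -l < "$f" | tr -d ' ')
    if [ $((n % 2)) -ne 0 ]; then
        echo "$f: $n lines; user names and passwords must alternate (is the last newline missing?)"; rc=1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line; db_load would store an empty user name or password"; rc=1
    fi
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)        # odd lines are the user names
    if [ -n "$dups" ]; then
        echo "$f: duplicate user name(s): $(printf '%s' "$dups" | tr '\n' ' ')"; rc=1
    fi
    if ! is_private "$f"; then
        echo "$f: readable by group/others but holds clear-text passwords; chmod 600"; rc=1
    fi
    return $rc
}

# check_pam_db PAMFILE -> verifies every pam_userdb "db=" target, fails on any problem
check_pam_db() {
    pam=$1; rc=0
    for db in $(sed -n 's/.*pam_userdb\.so.*db=\([^[:space:]]*\).*/\1/p' "$pam" | sort -u); do
        case "$db" in
            *.db) echo "$pam: db=$db must omit the .db suffix (pam_userdb appends it)"; rc=1; continue ;;
        esac
        if [ ! -f "$db.db" ]; then
            echo "$pam: $db.db does not exist; run db_load first"; rc=1
        elif ! is_private "$db.db"; then
            echo "$pam: $db.db is readable by group/others; chmod 600"; rc=1
        fi
    done
    return $rc
}

for f in good.txt bad.txt; do
    if check_vuser_file "$WORK/$f"; then echo "$f: ok"; fi
done
for p in vsftpd.pam vsftpd-bad.pam; do
    if check_pam_db "$WORK/$p"; then echo "$p: ok"; fi
done
```

The text file deserves the same chmod 600 as the generated .db, a step the procedure applies only to the database; the check reports the omission.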
This article is from "Liu Yuan's blog"; please keep the source when reproducing it: http://liuyuan51.blog.51cto.com/5971950/1092639