FTP (File Transfer Protocol) is a protocol for transferring files between hosts. An FTP server can operate in active mode or in passive mode:
Active mode: The FTP client connects from a randomly chosen TCP port to the server's port 21; this is the control connection. When a transfer is needed, the server opens the data connection itself, from its own port 20 to the random TCP port the client announced.
Passive mode: The client again connects from a random TCP port to the server's port 21. For the data connection the server chooses a random TCP port and announces it over the control connection (the "227 Entering Passive Mode" reply), and the client opens the data connection to that port from another random port of its own.
vsftpd (Very Secure FTP Daemon) is a GPL-licensed FTP server for Unix-like systems.
Installing vsftpd:
# yum install vsftpd
Start the vsftpd service and have it start automatically at boot:
# service vsftpd start
# chkconfig vsftpd on
Before starting vsftpd, the walkthrough below turns SELinux off and flushes the iptables rules. That is a lab shortcut: on a production host keep SELinux enforcing and allow what vsftpd needs through its booleans (for example setsebool -P ftp_home_dir on, so local users can reach their home directories), and open only the FTP ports in iptables instead of flushing the rules.
User authentication:
Virtual user: an account that exists only to access this particular service; vsftpd can keep virtual users and their passwords in a local data file, in a database, or in LDAP.
nsswitch: Name Service Switch, the name resolution framework
Configuration file: /etc/nsswitch.conf
Modules: /lib64/libnss*, /usr/lib64/libnss*
PAM: Pluggable Authentication Modules, the user authentication framework
Modules: /lib64/security/
Configuration files: /etc/pam.conf, /etc/pam.d/*
System user: an account in the host's /etc/passwd; vsftpd uses that user name and password as its authentication source
Anonymous user: vsftpd also allows anonymous logins
vsftpd on CentOS 6.5:
User authentication profile: /etc/pam.d/vsftpd
Service script: /etc/rc.d/init.d/vsftpd
Configuration directory: /etc/vsftpd
Main configuration file: vsftpd.conf
Shared resource location for anonymous users (mapped to the ftp system user): /var/ftp
Resources a system user reaches via FTP: the user's own home directory
Resources a virtual user reaches via FTP: the home directory of the system user the virtual user is mapped to
Anonymous user options:
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
System user options:
local_enable=YES
write_enable=YES
local_umask=022
Confine (chroot) all FTP local users to their home directory:
chroot_local_user=YES
Confine only the local users named in a list file to their home directory (with chroot_local_user=NO the list names the users to confine; with chroot_local_user=YES it names the exceptions):
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Transfer logging:
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
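With xferlog_std_format=YES the transfer log is the one place that records who uploaded what, so it is worth being able to read it from a script. The following is an added example, not code from the page or from the vsftpd project: it parses constructed sample lines in the standard (wu-ftpd style) xferlog layout and lists anonymous uploads, the event a defender most wants to notice when anonymous write is enabled. Field positions are counted from the end of the line, so file names containing spaces do not break the parse; the sample log lines and host addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of vsftpd's xferlog_std_format output. Counted from the end
# of each line (so file names with spaces do not shift anything), the fields are:
#   $NF     completion status      c = complete, i = incomplete
#   $(NF-1) authenticated user id  always *
#   $(NF-2) authentication method  0
#   $(NF-3) service name           ftp
#   $(NF-4) login name (for anonymous sessions vsftpd logs the password sent)
#   $(NF-5) access mode            a = anonymous, r = real (local) user
#   $(NF-6) direction              i = incoming (upload), o = outgoing (download)
#   $(NF-7) special action flag    _ = none
#   $(NF-8) transfer type          a = ascii, b = binary
# Fields 1-5 are the timestamp, 6 the transfer time, 7 the remote host,
# 8 the size in bytes and 9 onward the file name.
SAMPLE_XFERLOG='Thu Nov 12 21:30:01 2015 1 192.168.2.100 4439 /pub/dir_colors b _ o a ftp ftp 0 * c
Thu Nov 12 21:31:15 2015 3 192.168.2.100 524288 /pub/upload/tool.exe b _ i a mozilla@example.com ftp 0 * c
Thu Nov 12 21:32:40 2015 1 192.168.2.114 1512 /home/ftpuser/aliases b _ i r ftpuser ftp 0 * c
Thu Nov 12 21:33:02 2015 0 192.168.2.100 12 /pub/upload/notes.txt a _ i a ftp ftp 0 * i'

# anon_uploads: reads xferlog lines on stdin and prints one line per anonymous
# upload (access mode "a", direction "i") as "<host> <bytes> <file> <status>".
anon_uploads() {
    awk 'NF >= 18 && $(NF-5) == "a" && $(NF-6) == "i" {
        # rebuild the file name: fields 9 .. NF-9 (the 9 trailing fields are fixed)
        name = $9
        for (i = 10; i <= NF-9; i++) name = name " " $i
        print $7, $8, name, $NF
    }'
}

# count_anon_uploads: number of anonymous uploads in the log read on stdin.
count_anon_uploads() { anon_uploads | wc -l | tr -d ' '; }

# anon_upload_bytes_by_host: bytes uploaded anonymously per remote host,
# largest first, a quick way to spot a host filling the anonymous upload area.
anon_upload_bytes_by_host() {
    anon_uploads | awk '{ b[$1] += $2 } END { for (h in b) print h, b[h] }' | sort -k2,2nr
}

# Usage: printf '%s\n' "$SAMPLE_XFERLOG" | anon_uploads
#        anon_upload_bytes_by_host < /var/log/xferlog
```

Run against the real file with `anon_uploads < /var/log/xferlog`; incomplete transfers (status i) are listed too, since an aborted upload still wrote data.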
Change the owner of uploaded files:
chown_uploads=YES
chown_username=whoever
vsftpd authenticates users through PAM; this option names the PAM configuration file (under /etc/pam.d) that it uses:
pam_service_name=vsftpd
Whether to use a list file that controls which users may log in:
userlist_enable=YES
userlist_deny=YES|NO
The default list file is /etc/vsftpd/user_list
Connection limits:
max_clients: maximum number of concurrent client connections;
max_per_ip: maximum number of concurrent connections from a single IP address;
Transfer rates:
anon_max_rate: maximum transfer rate for anonymous users, in bytes per second;
local_max_rate: the same limit for local (system) users
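The options above are easy to set inconsistently: anonymous_enable=YES together with any of the anon_*_write options turns the server into an anonymous drop box, and local_enable=YES without chroot_local_user=YES lets every system user browse the whole host (as the /etc listing later on this page shows). As an added example, not the page's own code and not part of vsftpd, the script below reads a vsftpd.conf and reports those combinations, plus missing transfer logging, and carries two constructed sample configurations, one permissive and one hardened, so it can be run as-is.

```shell
#!/bin/sh
# conf_get FILE KEY -> value of KEY in a vsftpd.conf (comments and blank lines
# ignored, last definition wins, keys compared exactly as vsftpd does).
conf_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == k { v = substr($0, index($0, "=") + 1) }
        END { print v }' "$1"
}

# is_yes FILE KEY: true when KEY is set to YES (value compared case-insensitively).
is_yes() { [ "$(conf_get "$1" "$2" | tr 'a-z' 'A-Z')" = "YES" ]; }

# audit_vsftpd_conf FILE: print one finding per line (nothing when clean).
audit_vsftpd_conf() {
    f=$1
    if is_yes "$f" anonymous_enable; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            is_yes "$f" "$k" && echo "anonymous users may write: $k=YES"
        done
    fi
    if is_yes "$f" local_enable && ! is_yes "$f" chroot_local_user; then
        echo "local users are not confined to their home directory (chroot_local_user is not YES)"
    fi
    is_yes "$f" xferlog_enable || echo "transfer logging is off (xferlog_enable is not YES)"
}

# audit_count FILE -> number of findings.
audit_count() { audit_vsftpd_conf "$1" | wc -l | tr -d ' '; }

# write_sample_configs DIR: constructed samples, weak.conf with the permissive
# settings listed in the text and hardened.conf with the safer combination.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: anonymous write on, no chroot, no logging
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=yes
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: anonymous read-only, local users confined and logged
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
EOF
}

# Usage: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
```

The audit treats the value of each option case-insensitively but the option names exactly, because vsftpd rejects a configuration file containing an option name it does not recognise; the capitalised names on this page are an artefact of the page, not valid vsftpd syntax.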
Virtual users: all virtual users are mapped to one designated system account, and the shared location they see is that account's home directory. Each virtual user can still be given different access rights, specified with the same permission parameters that control anonymous users.
Where virtual user accounts can be stored:
In a file: edit a text file in which
odd-numbered lines hold a user name, and
even-numbered lines hold the password of the user named on the line above;
the file then has to be converted into a hash-format database file.
In a table in a database:
each login is authenticated by querying the database directly;
for a MySQL database, PAM needs the pam_mysql module:
# yum -y install pam_mysql
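For the file-based store, the text file in the odd-line/even-line layout is converted with db_load into the Berkeley DB hash file that pam_userdb reads. The following is an added example, not the page's own code: it validates a constructed user file (even line count, no blank lines, no duplicate user names), keeps both the text file and the database readable by root only because the text file holds clear-text passwords, and runs the conversion when db_load is installed. The sample user names and passwords are constructed.

```shell
#!/bin/sh
# Constructed sample in the layout described above: user name on odd lines,
# that user's password on the following even line.
SAMPLE_VUSERS='tom
magedu
jerry
magedu'

# check_vuser_file FILE: validate the odd/even layout. Prints the reason and
# returns 1 on the first problem found, returns 0 when the file is usable.
check_vuser_file() {
    f=$1
    total=$(awk 'END { print NR }' "$f")
    if [ $((total % 2)) -ne 0 ]; then
        echo "$f: $total lines, but every user name needs a password line"; return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line found; empty user names or passwords are not allowed"; return 1
    fi
    dup=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d | head -n 1)
    if [ -n "$dup" ]; then
        echo "$f: user name '$dup' appears more than once"; return 1
    fi
    return 0
}

# vuser_names FILE: the user names (odd lines), one per line.
vuser_names() { awk 'NR % 2 == 1' "$1"; }

# build_vuser_db FILE: convert FILE into FILE.db (Berkeley DB hash format, the
# form pam_userdb reads). Returns 1 when validation fails and 2 when db_load
# (package db4-utils on CentOS 6) is not installed.
build_vuser_db() {
    f=$1
    check_vuser_file "$f" || return 1
    chmod 600 "$f"                      # clear-text passwords: root only
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$f" "$f.db" && chmod 600 "$f.db"
    else
        echo "db_load not installed; $f validated only" >&2
        return 2
    fi
}

# Usage: printf '%s\n' "$SAMPLE_VUSERS" > /etc/vsftpd/vusers.txt
#        build_vuser_db /etc/vsftpd/vusers.txt
```

Whenever the text file changes, rerun build_vuser_db so the .db file does not fall out of step with it; the validation is what stops a missing password line from silently shifting every later user onto the wrong password.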
Once vsftpd is installed, you can look at the files it created; the main configuration file is /etc/vsftpd/vsftpd.conf.
Start the vsftpd service and check the listening ports.
Flush the iptables rules and turn off SELinux:
# iptables -F
# getenforce
Enforcing
# setenforce 0            (turns SELinux off until the next boot)
# vi /etc/selinux/config  (turns SELinux off permanently; set the line below)
SELINUX=disabled
On a Windows client, open a command prompt and use the ftp command to test whether anonymous login to the FTP server works.
Anonymous login is allowed by default. The same test can be made from a Linux host.
Next, create a new system user, ftpuser, and log in as that system user.
Once logged in, the system user can change directory freely outside its home directory; the listing below is of /etc, because chroot_local_user is not enabled by default:
ftp> ls
227 Entering Passive Mode (192,168,2,114,176,227).
Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 21:10 ConsoleKit
-rw-r--r-- 1 0 0 4439 Jul dir_colors
-rw-r--r-- 1 0 0 5139 Jul dir_colors.256color
-rw-r--r-- 1 0 0 4113 Jul dir_colors.lightbgcolor
drwxr-xr-x 3 0 0 4096 Jul 07:50 NetworkManager
-rw-r--r-- 1 0 0 trolltech.conf
drwxr-xr-x 4 0 0 4096 21:13 X11
drwxr-xr-x 3 0 0 4096 21:11 abrt
drwxr-xr-x 4 0 0 4096 Nov 21:16 acpi
-rw-r--r-- 1 0 0 22:12 adjtime
-rw-r--r-- 1 0 0 1512 Jan aliases
-rw-r--r-- 1 0 0 12288 21:21 aliases.db
drwxr-xr-x 2 0 0 4096 21:17 alsa
drwxr-xr-x 2 0 0 4096 21:17 alternatives
-rw------- 1 0 0 541 Mar anacrontab
-rw-r--r-- 1 0 0 148 May asound.conf
-rw-r--r-- 1 0 0 1 Feb at.deny
drwxr-x--- 3 0 0 4096 21:17 audisp
vsftpd + PAM + MySQL implementation (MySQL and vsftpd on the same Linux host)
I. Install MySQL and pam_mysql; pam_mysql is provided by EPEL.
II. Create the virtual user accounts
1. Create a database and a table to hold the user names and passwords
mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY '123';
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY '123';
mysql> FLUSH PRIVILEGES;
mysql> USE vsftpd;
mysql> CREATE TABLE users (
    ->   id INT AUTO_INCREMENT NOT NULL,
    ->   name CHAR(30) BINARY NOT NULL,
    ->   password CHAR(48) BINARY NOT NULL,
    ->   PRIMARY KEY (id)
    -> );
Note: the account names in the two GRANT statements did not survive extraction of this page; vsftpd@localhost is the user= and host= pair used in the PAM configuration below, and the 127.0.0.1 entry is the TCP-connection variant recommended in the note after it. The column widths were lost as well; 30 and 48 are assumed here (MySQL's PASSWORD() hash is 41 characters). SELECT is the only privilege pam_mysql needs, so nothing more is granted.
2. Add test virtual users
Add the users you need; note that the passwords must be stored hashed with MySQL's PASSWORD() function, which is the form the crypt=2 setting of pam_mysql expects.
mysql> INSERT INTO users (name, password) VALUES ('tom', PASSWORD('magedu'));
mysql> INSERT INTO users (name, password) VALUES ('jerry', PASSWORD('magedu'));
III. Configure vsftpd
1. Create the PAM configuration file used for authentication
# vi /etc/pam.d/vsftpd.mysql
Add the following two lines:
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
The passwd= value must be the password given in the GRANT statements above (the page shows '123' there and www.magedu.com here; use one value in both places), and because the file holds that password in clear text it should be readable by root only.
Note: depending on how MySQL was installed, pam_mysql may fail to reach the server over the Unix socket: the MySQL client library it uses looks for the socket at its compiled-in default path, which need not be where the running server actually created it. It is therefore recommended to also grant a MySQL user that connects over TCP (127.0.0.1) access to the vsftpd database.
2. Modify the vsftpd configuration so that it authenticates against MySQL
Create the system user the virtual users are mapped to, and the directory they will see:
# useradd -s /sbin/nologin -d /var/ftproot vuser
# chmod go+rx /var/ftproot
Make sure the following options are enabled in /etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
Then add the following options:
guest_enable=YES
guest_username=vuser
And make sure the pam_service_name option reads as follows:
pam_service_name=vsftpd.mysql    (with this PAM service, system users can no longer log in; only the virtual users from the database can)
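The three pieces just configured have to agree with each other: pam_service_name must name a file that really exists under /etc/pam.d, that file embeds the database password and therefore must not be readable by other users, its auth and account lines must use the same connection parameters, and guest_enable, guest_username and chroot_local_user must all be set or the virtual users either cannot log in or are not confined. As an added example, not code from the page or from vsftpd, the script below checks exactly those points against a vsftpd.conf and a PAM directory, and ships two constructed sample setups (a correct one and one with the stock pam_service_name=vsftpd left in place) so it runs as-is; the file layout and the EXAMPLE_DB_PASSWORD placeholder are assumptions of the example.

```shell
#!/bin/sh
# file_mode FILE -> permission bits in octal (GNU stat, with BSD stat fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# conf_get FILE KEY -> value of KEY in a vsftpd.conf (last definition wins)
conf_get() {
    awk -F= -v k="$2" '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == k { v = substr($0, index($0, "=") + 1) } END { print v }' "$1"
}

# pam_mysql_params FILE TYPE -> the key=value parameters of the line
# "TYPE required .../pam_mysql.so ...", sorted, with the password value masked
pam_mysql_params() {
    awk -v t="$2" '$1 == t && /pam_mysql\.so/ {
        for (i = 4; i <= NF; i++) print ($i ~ /^passwd=/ ? "passwd=***" : $i) }' "$1" | sort
}

# check_virtual_user_setup VSFTPD_CONF PAM_DIR: prints one finding per line.
check_virtual_user_setup() {
    conf=$1; pamdir=$2
    svc=$(conf_get "$conf" pam_service_name)
    pamfile="$pamdir/$svc"
    [ -n "$svc" ] || echo "pam_service_name is not set"
    if [ ! -f "$pamfile" ]; then
        echo "PAM service file $pamfile does not exist"
    else
        m=$(file_mode "$pamfile")
        case $m in
            600|400) ;;
            *) echo "$pamfile is mode $m; it embeds passwd= in clear text, make it 600" ;;
        esac
        for t in auth account; do
            [ -n "$(pam_mysql_params "$pamfile" "$t")" ] \
                || echo "$pamfile has no '$t required ... pam_mysql.so' line"
        done
        [ "$(pam_mysql_params "$pamfile" auth)" = "$(pam_mysql_params "$pamfile" account)" ] \
            || echo "$pamfile: auth and account lines use different pam_mysql parameters"
    fi
    [ "$(conf_get "$conf" guest_enable | tr 'a-z' 'A-Z')" = "YES" ] \
        || echo "guest_enable is not YES; virtual users will not be mapped"
    [ -n "$(conf_get "$conf" guest_username)" ] || echo "guest_username is not set"
    [ "$(conf_get "$conf" chroot_local_user | tr 'a-z' 'A-Z')" = "YES" ] \
        || echo "chroot_local_user is not YES; the mapped user is not confined to its home"
}

# finding_count VSFTPD_CONF PAM_DIR -> number of findings
finding_count() { check_virtual_user_setup "$1" "$2" | wc -l | tr -d ' '; }

# write_sample_setup DIR: constructed sample files mirroring the text, in the two
# variants the check distinguishes (DIR/good and DIR/bad).
write_sample_setup() {
    for v in good bad; do mkdir -p "$1/$v/pam.d"; done
    cat > "$1/good/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
EOF
    cat > "$1/good/pam.d/vsftpd.mysql" <<'EOF'
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=EXAMPLE_DB_PASSWORD host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=EXAMPLE_DB_PASSWORD host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
EOF
    chmod 600 "$1/good/pam.d/vsftpd.mysql"
    # bad: pam_service_name still points at a "vsftpd" service that was never
    # created in this directory, guest mapping is off, and there is no chroot
    cat > "$1/bad/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
guest_enable=NO
pam_service_name=vsftpd
EOF
}

# Usage: check_virtual_user_setup /etc/vsftpd/vsftpd.conf /etc/pam.d
```

The auth/account comparison masks the password before comparing, so the two lines are checked for pointing at the same database and table without the password ever being printed by the check itself.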
IV. Start the vsftpd service
# service vsftpd start
# chkconfig vsftpd on
Check that the port is listening:
# netstat -tnlp | grep :21
tcp        0      0 0.0.0.0:21    0.0.0.0:*    LISTEN    23286/vsftpd
Log in as a virtual user to verify the configuration. Below is a command-line test; a Windows box with IE or an FTP client tool can also be used. After restarting the vsftpd service, the login failed with a user name or password error; the error log was as follows:
I thought about it for a long time without knowing what to do; later I checked /var/lib/mysql/mysql.sock, and that path did not exist. Since it concerned MySQL, I went to look at the MySQL configuration file.
I found mysql.sock in the /tmp/ directory, so I linked /tmp/mysql.sock to /var/lib/mysql/mysql.sock:
# ln -sv /tmp/mysql.sock /var/lib/mysql/mysql.sock
`/var/lib/mysql/mysql.sock' -> `/tmp/mysql.sock'
After restarting the service, logging in works normally. (Why does it not read /tmp/mysql.sock directly, but /var/lib/mysql/mysql.sock??? Is there a guru who knows why?)