Configuration of the file server Vsftp

Source: Internet
Author: User
Tags: crypt, ftp client, file transfer protocol

FTP (File Transfer Protocol) is a protocol used to transfer files from one host to another. The FTP service can operate in either active mode or passive mode.

    • Active mode: the FTP client connects from a randomly selected TCP port to port 21 on the FTP server; this is the control connection. Once the control connection is established, the data connection is opened by the server, from its own port 20 to the random TCP port the client announced.

    • Passive mode: the FTP client connects from a randomly selected TCP port to port 21 on the FTP server, as before. The FTP server then selects a random TCP port of its own and announces it to the client over the control connection; the client opens the data connection from another random TCP port to that server port.
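To make the two modes concrete, here is an added example (not part of the original article) that parses the server's passive-mode reply quoted later in this article and a client's active-mode PORT command, and reports which side opens the data connection; the names parse_pasv_reply, parse_port_command and data_connection, and the PORT sample address, are this example's own.

```python
import re

# Six comma-separated decimal fields: four address octets and two port bytes.
_HOSTPORT = re.compile(r'(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})')


def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256 + p2), rejecting values above 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError('field out of range: %r' % (nums,))
    return '.'.join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply):
    """Parse the server's passive-mode reply, e.g. '227 Entering Passive Mode (192,168,2,114,176,227).'"""
    m = _HOSTPORT.search(reply)
    if not reply.startswith('227') or m is None:
        raise ValueError('not a PASV reply: %r' % reply)
    return _decode(m.groups())


def parse_port_command(command):
    """Parse the client's active-mode command, e.g. 'PORT 192,168,2,50,19,137' (constructed sample)."""
    m = _HOSTPORT.search(command)
    if not command.upper().startswith('PORT ') or m is None:
        raise ValueError('not a PORT command: %r' % command)
    return _decode(m.groups())


def data_connection(mode, host, port):
    """Describe the data connection a firewall must allow for the given mode.

    active:  the server connects from its own port 20 to the port the client announced.
    passive: the client connects from a random high port to the port the server announced.
    """
    if mode == 'active':
        return {'initiator': 'server', 'src_port': 20, 'dst': host, 'dst_port': port}
    if mode == 'passive':
        return {'initiator': 'client', 'src_port': None, 'dst': host, 'dst_port': port}
    raise ValueError('mode must be "active" or "passive"')


if __name__ == '__main__':
    host, port = parse_pasv_reply('227 Entering Passive Mode (192,168,2,114,176,227).')
    print(host, port, data_connection('passive', host, port))
```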

vsftpd (Very Secure FTP Daemon) is a GPL-licensed FTP server used on Unix-like systems.

    1. Install vsftpd

      # yum install vsftpd

    2. Start the vsftpd service and enable it at boot

      # service vsftpd start
      # chkconfig vsftpd on

    3. Before starting vsftpd, turn off SELinux and flush the iptables rules (done below for this lab setup).



User authentication:

Virtual user: used only to access resources in a particular service; vsftpd supports keeping virtual users and their passwords in a local data file, in a database, or in LDAP.

nsswitch (Name Service Switch): the name-resolution framework
    Configuration file: /etc/nsswitch.conf
    Modules: /lib64/libnss*, /usr/lib64/libnss*

PAM (Pluggable Authentication Modules): the user-authentication framework
    Modules: /lib64/security/
    Configuration files: /etc/pam.conf, /etc/pam.d/*

System user: vsftpd uses the accounts and passwords in the host's /etc/passwd as the authentication source.

Anonymous user: vsftpd allows anonymous users to log in.

On CentOS 6.5, vsftpd uses the following files:

User authentication profile: /etc/pam.d/vsftpd

Service script: /etc/rc.d/init.d/vsftpd

Configuration file directory: /etc/vsftpd

Main configuration file: vsftpd.conf

Shared resource location for anonymous users (mapped to the ftp user): /var/ftp

Location of the resources a system user accesses via FTP: the user's own home directory

Location of the resources a virtual user accesses via FTP: the home directory of the system user to which the virtual user is mapped

Configuration of anonymous users:

anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Configuration of system (local) users:

local_enable=YES
write_enable=YES
local_umask=022

Confine all local FTP users to their home directories (chroot):

chroot_local_user=YES

Confine only the local FTP users listed in a file to their home directories (note: when chroot_local_user=YES is also set, the list instead names the users who are exempt from the chroot):

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Transfer logging:

xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog

Change the owner of uploaded files:

chown_uploads=YES
chown_username=whoever

vsftpd authenticates users through PAM; the PAM service file (under /etc/pam.d) it uses is given by:

pam_service_name=vsftpd

Whether to enable a list file that controls which users may log in:

userlist_enable=YES
userlist_deny=YES|NO (YES: users in the file are denied; NO: only users in the file may log in)

The default list file is /etc/vsftpd/user_list.


Connection limits:

max_clients: maximum number of concurrent client connections;

max_per_ip: maximum number of concurrent connections from a single IP address;

Transfer rate:

anon_max_rate: maximum transfer rate for anonymous users, in bytes per second;

local_max_rate: the same limit for local users.
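As an added example (not from the original article), the following Python audits a vsftpd.conf for the option combinations discussed above: anonymous write access, local users that are not confined to their home directories, and disabled transfer logging. The sample configuration is constructed for the example, and parse_vsftpd_conf, is_yes and audit are names chosen here.

```python
import re

# Constructed sample vsftpd.conf (not from any real server): it combines the
# anonymous-user and system-user options listed above in an intentionally loose way.
SAMPLE_CONF = """\
# vsftpd.conf (constructed sample)
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
xferlog_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return {option: value} from option=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^([A-Za-z_]+)=(.*)$', line)
        if line and not line.startswith('#') and m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def is_yes(conf, key, default='NO'):
    """Boolean view of an option; 'default' stands in for vsftpd's own default when unset."""
    return conf.get(key, default).upper() == 'YES'


def audit(conf):
    """Return findings for settings that widen what an FTP client can do."""
    findings = []
    # vsftpd 2.x on CentOS 6 defaults anonymous_enable to YES, as this page observes.
    if is_yes(conf, 'anonymous_enable', 'YES') and is_yes(conf, 'write_enable'):
        for opt in ('anon_upload_enable', 'anon_mkdir_write_enable', 'anon_other_write_enable'):
            if is_yes(conf, opt):
                findings.append('anonymous write enabled: %s=YES' % opt)
    if is_yes(conf, 'local_enable') and not is_yes(conf, 'chroot_local_user'):
        if is_yes(conf, 'chroot_list_enable'):
            findings.append('only users in chroot_list are confined; other local users can browse the whole filesystem')
        else:
            findings.append('local users are not confined to their home directory (chroot_local_user=NO)')
    if not is_yes(conf, 'xferlog_enable'):
        findings.append('transfer logging is off (xferlog_enable=NO)')
    return findings
```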


Virtual users: all virtual users are mapped to one designated system account, and the shared location they access is that account's home directory. Each virtual user can still be given different access rights, specified through the anonymous-user permission parameters.

How virtual user accounts can be stored:

In a file: edit a plain-text file in which odd-numbered lines hold user names and even-numbered lines hold the corresponding passwords; this file must then be converted to a hash-format database file.

In a database table: the database is queried at login time to authenticate the user. For MySQL, PAM depends on pam_mysql:

# yum -y install pam_mysql


After vsftpd is installed, you can look at the files it created; the main configuration file is /etc/vsftpd/vsftpd.conf.


Start the vsftpd service and check the listening ports.


Flush the iptables rules and turn off SELinux:

# iptables -F

# getenforce
Enforcing

# setenforce 0                 (temporarily disables SELinux)

# vi /etc/selinux/config       (permanently disables SELinux)
SELINUX=disabled

On a Windows client, open a command prompt and use the ftp command to test whether an anonymous login to the FTP server works.


By default, anonymous logins are allowed. The same test can be done from a Linux host.


Create a new user, ftpuser, to test logging in as a system user.


We find that the system user can change into other directories freely (the user is not confined to a chroot):

ftp> ls
227 Entering Passive Mode (192,168,2,114,176,227).
Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 21:10 ConsoleKit
-rw-r--r-- 1 0 0 4439 Jul dir_colors
-rw-r--r-- 1 0 0 5139 Jul dir_colors.256color
-rw-r--r-- 1 0 0 4113 Jul dir_colors.lightbgcolor
drwxr-xr-x 3 0 0 4096 Jul 07:50 NetworkManager
-rw-r--r-- 1 0 0 trolltech.conf
drwxr-xr-x 4 0 0 4096 21:13 X11
drwxr-xr-x 3 0 0 4096 21:11 abrt
drwxr-xr-x 4 0 0 4096 Nov 21:16 acpi
-rw-r--r-- 1 0 0 22:12 adjtime
-rw-r--r-- 1 0 0 1512 Jan aliases
-rw-r--r-- 1 0 0 12288 21:21 aliases.db
drwxr-xr-x 2 0 0 4096 21:17 alsa
drwxr-xr-x 2 0 0 4096 21:17 alternatives
-rw------- 1 0 0 541 Mar anacrontab
-rw-r--r-- 1 0 0 148 May asound.conf
-rw-r--r-- 1 0 0 1 Feb at.deny
drwxr-x--- 3 0 0 4096 21:17 audisp


vsftpd + PAM + MySQL implementation (MySQL and vsftpd on the same Linux host)

I. Install MySQL and pam_mysql; pam_mysql is provided by EPEL.

II. Create virtual users

1. Create the database and the table that holds user names and passwords

mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY '123';
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'<host>' IDENTIFIED BY '123';  -- host part mangled in the source
mysql> FLUSH PRIVILEGES;
mysql> USE vsftpd;
mysql> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL,
    -> name CHAR(30) BINARY NOT NULL,       -- column lengths not legible in the source; 30/48 assumed
    -> password CHAR(48) BINARY NOT NULL,   -- PASSWORD() output is 41 characters, so 48 is enough
    -> PRIMARY KEY (id)
    -> );

2. Add test virtual users

Add the users you need; note that their passwords should be stored encrypted with the PASSWORD() function for security.

mysql> INSERT INTO users (name, password) VALUES ('tom', PASSWORD('magedu'));
mysql> INSERT INTO users (name, password) VALUES ('jerry', PASSWORD('magedu'));


III. Configure vsftpd

1. Create the file required for PAM authentication

# vi /etc/pam.d/vsftpd.mysql

Add the following two lines:

auth required /lib64/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

(The passwd= value must be the password given to the vsftpd MySQL user in the GRANT statements above; crypt=2 tells pam_mysql that the stored column holds MySQL PASSWORD() hashes.)

Note: depending on how MySQL was installed, pam_mysql.so may fail to connect to the MySQL server over the Unix socket; it is therefore recommended to also grant a MySQL user that connects remotely (over TCP) access to the vsftpd database.
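The PASSWORD() function used in the INSERT statements above is what pam_mysql's crypt=2 compares against. The following added example (not from the article) reimplements MySQL's 4.1+ PASSWORD() in Python, performs the comparison in constant time, and shows that two users with the same password get the same hash because the function is unsalted; mysql_password, verify_crypt2, authenticate and the constructed USERS table are this example's own.

```python
import hashlib
import hmac


def mysql_password(plaintext):
    """MySQL 4.1+ PASSWORD(): '*' followed by the upper-case hex of SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode('utf-8')).digest()
    return '*' + hashlib.sha1(inner).hexdigest().upper()


def verify_crypt2(candidate, stored):
    """What pam_mysql does for crypt=2: hash the candidate and compare it with the stored column.
    hmac.compare_digest keeps the comparison time independent of where the strings differ."""
    return hmac.compare_digest(mysql_password(candidate), stored)


# Constructed stand-in for the page's vsftpd.users table (not data from a real server).
USERS = {
    'tom': mysql_password('magedu'),
    'jerry': mysql_password('magedu'),
}

# Dummy hash checked for unknown users so that a lookup miss costs the same as a real check.
_DUMMY = mysql_password('dummy-not-a-user')


def authenticate(name, candidate):
    """Return True only when the user exists and the candidate password matches."""
    stored = USERS.get(name)
    if stored is None:
        verify_crypt2(candidate, _DUMMY)   # equalise timing, then refuse
        return False
    return verify_crypt2(candidate, stored)


if __name__ == '__main__':
    print(USERS['tom'])                      # same value as USERS['jerry']: PASSWORD() has no salt
    print(authenticate('tom', 'magedu'), authenticate('tom', 'wrong'))
```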

2. Modify the vsftpd configuration file so that it uses MySQL authentication

Create the system user that the virtual users map to, together with its directory:

# useradd -s /sbin/nologin -d /var/ftproot vuser

# chmod go+rx /var/ftproot

Make sure the following options are set in /etc/vsftpd/vsftpd.conf:

anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES

Then add the following options:

guest_enable=YES
guest_username=vuser

And make sure the pam_service_name option is set as follows (with this PAM service, ordinary system users will no longer be able to log in):

pam_service_name=vsftpd.mysql


IV. Start the vsftpd service

# service vsftpd start

# chkconfig vsftpd on

Check that the port is listening:

# netstat -tnlp | grep :21

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 23286/vsftpd

Log in as a virtual user to verify the configuration. Below is a command-line test; you can also log in from another Windows box with IE or an FTP client tool. After restarting the vsftpd service, entering the user name and password produced an error; the error log was as follows:


I thought about it for a long time without knowing what to do. Later I checked /var/lib/mysql/mysql.sock and the path did not exist; since this concerned MySQL, I went to look at the MySQL configuration file.


I found mysql.sock in the /tmp directory, so I linked /tmp/mysql.sock to /var/lib/mysql/mysql.sock:

# ln -sv /tmp/mysql.sock /var/lib/mysql/mysql.sock

'/var/lib/mysql/mysql.sock' -> '/tmp/mysql.sock'

After restarting the service, logging in works normally. (Why does it not read /tmp/mysql.sock directly, but /var/lib/mysql/mysql.sock instead??? Does any expert know why?)






