I. Set up FTP
vsftpd
FTP
Ports: 20 (data), 21 (control)
Protocol: TCP
Two FTP working modes: active mode and passive mode
FTP transmits two kinds of content: control commands and file data
Active mode:
The FTP server listens on port 21 and receives control commands from the client.
When the client reads a file, it sends the READ command to port 21 on the server. The command also tells the server that the client has opened a data port above 1024 and is waiting for the server. On receiving it, the server initiates a new data-transfer connection; the source port of these data packets is 20.
Characteristic: the client cannot be on a private network.
Passive mode:
The FTP server listens on port 21 and receives control commands from the client.
When the client reads a file, it sends the READ command to port 21 on the server. The command tells the server to open a port above 1024 on the server side and wait for the client to actively connect to it for the data transfer.
Characteristic: the client can be on a private network.
Software: vsftpd
Passive mode (data connection initiated by the client):
src port: > 1024
dst port: > 1024
src ip: 10.1.1.20 <--- rewritten to the public IP 61.1.1.1 when routed out
dst ip: 210.38.224.86
Active mode (data connection initiated by the server):
src port: 20
dst port: > 1024
src ip: 210.38.224.86
dst ip: 61.1.1.1
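An added illustration (not part of the original notes) of why the active-mode client cannot sit on a private network: the client's PORT command and the server's PASV reply both carry the data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and the address advertised there is the one the peer will try to reach, not the NAT-rewritten source IP of the control connection. The sample lines are constructed; the peer addresses are the ones from the packet summary above.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not from a real capture).
PORT_CMD = "PORT 10,1,1,20,19,137"                            # client behind NAT, active mode
PASV_REPLY = "227 Entering Passive Mode (210,38,224,86,4,1)"  # server reply, passive mode

_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_data_endpoint(line):
    """Return (ip, port) from a PORT command or PASV reply.
    Both encode the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    m = _TUPLE_RE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def check_data_endpoint(line, peer_ip):
    """Compare the advertised data endpoint with the address the control
    connection really comes from (peer_ip, i.e. the post-NAT address).
    Returns (ip, port, findings); an empty findings list means reachable."""
    ip, port = parse_data_endpoint(line)
    findings = []
    if port <= 1024:
        findings.append("data port %d is not above 1024" % port)
    if ipaddress.ip_address(ip).is_private:
        findings.append("advertised %s is a private address, unreachable across NAT" % ip)
    if ip != peer_ip:
        findings.append("advertised %s differs from control peer %s" % (ip, peer_ip))
    return ip, port, findings

if __name__ == "__main__":
    # Active mode: the server sees the control connection from 61.1.1.1 but is
    # told to connect back to 10.1.1.20, which it cannot reach.
    print(check_data_endpoint(PORT_CMD, "61.1.1.1"))
    # Passive mode: the client connects to the server's public address itself.
    print(check_data_endpoint(PASV_REPLY, "210.38.224.86"))
```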
======================================
Configuration file: /etc/vsftpd.conf
Example 1: allow anonymous accounts to access resources
After installing the package, start the service.
After an anonymous logon, the resource path is /var/ftp on the server (the home directory of the ftp account).
Permission: read-only
anonymous_enable=YES
Example 2: allow anonymous upload
anon_upload_enable=YES
mkdir /var/ftp/pub
chmod 777 /var/ftp/pub
Example 3: two ways to change the resource path after an anonymous logon to /ftp
man vsftpd.conf
Method 1: modify the configuration file
anon_root=/ftp
Method 2: change the home directory of the anonymous (ftp) account to /ftp
Example 4: allow anonymous accounts to download the files they uploaded themselves
Why, by default, can an anonymous user not download a file it has just uploaded?
After the upload the file is created with mode 600, and the ftp account is not allowed to download a file with mode 600.
-rw------- 1 14 50  845 Jul 19 fstab    <--- not allowed
-rw-r--r-- 1  0  0 1666 Jul 19 inittab  <--- allowed
Method 1: make anonymously uploaded files get mode 644 automatically
man vsftpd.conf
anon_umask=022
If the files should get mode 444, how should the umask be set?
anon_umask=0222
Method 2: allow anonymous accounts to download files that are not world-readable
anon_world_readable_only=NO <--- the default is YES: only files readable by everyone can be downloaded
Exercise: allow anonymous users to create and delete directories.
Example 5: allow normal (local) accounts to access resources
Resource path: the account's home directory
After logging on as that account, the user can change to any path and download any file the account can read (for example /etc/passwd).
local_enable=YES <--- allow local accounts to log on
write_enable=YES <--- give local accounts write permission
local_umask=022
Example 6: lock a normal account into its home directory after logon
chroot_local_user=YES
Example 7: prevent a user from logging on to FTP
Method 1: change the user's default shell
/bin/false <--- only works for normal accounts, not for the anonymous account
Method 2: modify the configuration file
userlist_enable=YES
Add the user name tom to /etc/vsftpd/user_list, the file named by userlist_file.
In this case user_list is a blacklist: every user in it is refused FTP logon.
How can user_list be turned into a whitelist, so that only the users listed in it can log on?
userlist_deny=NO
Example 8: lock only some accounts into their resource path; other accounts are not locked
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list <--- the list of users whose home directories are NOT locked
To use /etc/vsftpd/chroot_list as a blacklist instead (only the users in it are locked):
chroot_local_user=NO
All the FTP usage above for normal accounts can be limited by disk quotas, provided these accounts are real local accounts on the server.
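An added example (not from the original notes) that works through the rules of Examples 4, 7 and 8 in code: how anon_umask determines the mode of an anonymous upload, whether user_list acts as a blacklist or a whitelist, and which accounts chroot_list exempts from or subjects to the chroot. The config text, user list and chroot list are constructed; the defaults used are the ones given in vsftpd.conf(5).

```python
# Constructed sample vsftpd.conf in the form of the examples above (not a real server's file);
# the user list and chroot list below are constructed too.
VSFTPD_CONF = """
anonymous_enable=YES
anon_upload_enable=YES
anon_umask=022
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
"""
USER_LIST = ["tom", "alice"]   # contents of /etc/vsftpd/user_list
CHROOT_LIST = ["alice"]        # contents of /etc/vsftpd/chroot_list

def parse_conf(text):
    """vsftpd.conf holds one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def flag(conf, key, default):
    """vsftpd booleans are YES/NO; 'default' is the value given in vsftpd.conf(5)."""
    return conf.get(key, default).upper() == "YES"

def anon_upload_mode(conf):
    """Mode of an anonymous upload: 0666 with the anon_umask bits (default 077) cleared."""
    return 0o666 & ~int(conf.get("anon_umask", "077"), 8)

def login_allowed(conf, user, user_list):
    """userlist_deny=YES (the default) makes user_list a blacklist, NO a whitelist."""
    if not flag(conf, "userlist_enable", "NO"):
        return True
    listed = user in user_list
    return (not listed) if flag(conf, "userlist_deny", "YES") else listed

def is_chrooted(conf, user, chroot_list):
    """Members of chroot_list are the exceptions to the chroot_local_user setting."""
    listed = flag(conf, "chroot_list_enable", "NO") and user in chroot_list
    return flag(conf, "chroot_local_user", "NO") != listed

if __name__ == "__main__":
    conf = parse_conf(VSFTPD_CONF)
    print("anonymous upload mode: %o" % anon_upload_mode(conf))
    for user in ("tom", "alice", "bob"):
        print(user, login_allowed(conf, user, USER_LIST), is_chrooted(conf, user, CHROOT_LIST))
```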
Example 9: use virtual accounts
1. Create one real account that all virtual accounts map to
useradd -s /sbin/nologin vuser
2. Create the virtual account file
# yum install db4-utils -y
# vim /etc/vsftpd/vusers
vuser1 <--- user name
123    <--- password
vuser2
321
vuser3
456
# db_load -T -t hash -f /etc/vsftpd/vusers /etc/vsftpd/vusers.db
# chmod 640 /etc/vsftpd/vusers*
3. Modify the configuration file
guest_enable=YES
guest_username=vuser
pam_service_name=vuser
# pam_service_name=vsftpd <--- the original line, commented out
4. Create the PAM service file used to verify the accounts
# vim /etc/pam.d/vuser
#%PAM-1.0
auth    sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/vusers
account sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/vusers
All the virtual accounts above share one home directory. To give each virtual account an independent home directory and independent permission control:
1. Add extra parameters
user_sub_token=$user
user_config_dir=/etc/vsftpd/vuser_config <--- directory holding the per-virtual-account configuration files
2. Change the home directory of the real account the virtual accounts map to
# usermod -d '/home/vuser/$user' vuser
# finger vuser
Login: vuser                            Name: (null)
Directory: /home/vuser/$user            Shell: /sbin/nologin
Never logged in.
No mail.
No plan.
3. Create an independent home directory for each virtual account under /home/vuser
# mkdir -p /home/vuser/vuser{1,2,3}
# chown vuser:vuser /home/vuser/vuser1
# chown vuser:vuser /home/vuser/vuser2
# chown vuser:vuser /home/vuser/vuser3
4. Create the independent configuration files
# vim /etc/vsftpd/vuser_config/vuser1
write_enable=NO
Disadvantage of this solution: disk quotas cannot be applied.
II. Set up a yum server
1. vim /etc/yum.repos.d/rhel-debuginfo.repo
[Server]
name=Server
baseurl=ftp://10.1.1.101/rhel_source/Server
enabled=1
gpgcheck=0
[vt]
name=vt
baseurl=ftp://10.1.1.101/rhel_source/vt
enabled=1
gpgcheck=0
[Cluster]
name=Cluster
baseurl=ftp://10.1.1.101/rhel_source/Cluster
enabled=1
gpgcheck=0
[clusterstorage]
name=clusterstorage
baseurl=ftp://10.1.1.101/rhel_source/clusterstorage
enabled=1
gpgcheck=0
[wych]
name=wych
baseurl=ftp://10.1.1.101/rhel_source/wych
enabled=1
gpgcheck=0
2. createrepo /share/rhel_source/
3. yum clean all
4. yum list
5. On the client machines:
vim /etc/yum.repos.d/rhel-debuginfo.repo
[rhel-debuginfo]
name=Red Hat Enterprise Linux $releasever - $basearch - Debug
baseurl=ftp://10.1.1.101/rhel_source/Server
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release