FTP server construction and Security Configuration

Source: Internet
Author: User
Tags: ftp, access

FTP is a widely used communication protocol on the Internet. It works at layer 7 of the OSI model and is an application protocol of the TCP/IP suite. FTP uses a reliable TCP connection: the server listens on port 21 for control connections, and after the control connection is established, port 20 is used to set up the data transfer channel.

Some typical messages used in FTP:

125 data connection is enabled and transmission starts

200 command OK

331 user name OK. Enter the password

425 data connection cannot be enabled

452 file writing error

500 the command cannot be identified

vsftpd is open-source FTP server software for Linux. It has a simple structure and excellent performance, and it is a lightweight, stable and secure FTP server.

1. Install vsftpd (test environment: CentOS 6.5)

Check whether vsftpd is already available on the local machine:

~# rpm -qa | grep vsftpd

If it is present, the vsftpd package version is displayed and you can install it directly with yum:

~#  yum install vsftpd

My machine did not have it, so I had to download the source code and compile it. The vsftpd home page, http://vsftpd.beasts.org, seemed unreachable; after searching online, it can be downloaded from webmaster home. The version used is vsftpd 2.3.2 for Linux. Decompress it and enter the source directory:

~# tar xvf vsftpd-2.3.2.tar.gz
~# cd ./vsftpd-2.3.2

The builddefs.h file in the vsftpd-2.3.2 directory sets the security-related build options of the FTP server: tcp_wrappers, PAM and SSL. Enable or disable each as needed.

~# vim ./builddefs.h
#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H

#undef VSF_BUILD_TCPWRAPPERS  /* tcp_wrappers: host-based access control that restricts which hosts may use a service, to protect the system */
#define VSF_BUILD_PAM         /* PAM: an efficient and convenient user-level authentication method that strengthens server security */
#undef VSF_BUILD_SSL          /* SSL: encrypts the session so that data cannot be eavesdropped in transit */

#endif /* VSF_BUILDDEFS_H */

2. Configure the vsftpd.conf file

vsftpd.conf, in the /etc/vsftpd/ directory, is the main configuration file. vsftpd accepts only blank lines, full-line # comments and option=value lines, so the explanatory notes below are written as separate comment lines rather than after the option.

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# (note) whether anonymous access is allowed
anonymous_enable=YES
# Uncomment this to allow local users to log in.
# (note) whether local users may log in
local_enable=YES
# Uncomment this to enable any form of FTP write command.
# (note) whether write operations are allowed
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# (note) permissions applied to files created by local users
local_umask=022
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# (note) whether anonymous uploads are allowed
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# (note) whether anonymous users may create directories
#anon_mkdir_write_enable=YES
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# (note) whether a message is shown when the directory is changed
dirmessage_enable=YES
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
# (note) whether logging is enabled
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# (note) whether port 20 is used for data transfers (PORT/active mode)
connect_from_port_20=YES
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# (note) changes the owner of files uploaded by anonymous users
#chown_uploads=YES
#chown_username=whoever
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
# (note) where the log file is stored
#xferlog_file=/var/log/xferlog
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
# (note) whether the standard xferlog format is used
xferlog_std_format=YES
# You may change the default value for timing out an idle session.
# (note) session timeout
#idle_session_timeout=600
# You may change the default value for timing out a data connection.
# (note) data transfer timeout
#data_connection_timeout=120
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# (note) the unprivileged user account
#nopriv_user=ftpsecure
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# (note) whether clients may use asynchronous ABOR
#async_abor_enable=YES
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# (note) whether files are transferred in ASCII mode
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# You may fully customise the login banner string:
# (note) the welcome message shown after login
#ftpd_banner=Welcome to blah FTP service.
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# (note) whether anonymous logins with the listed e-mail passwords are refused
#deny_email_enable=YES
# (default follows)
# (note) the list of refused addresses, used if the option above is YES
#banned_email_file=/etc/vsftpd/banned_emails
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (note) works together with the two options below
#chroot_local_user=YES
# (note) whether a list decides which local users may leave their home directory
#chroot_list_enable=YES
# (default follows)
# (note) when this list is used with chroot_local_user=NO, the users who must
# not leave their home directory are written to the file, one user name per line
#chroot_list_file=/etc/vsftpd/chroot_list
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# (note) whether to listen on IPv4
listen=YES
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
# (note) whether to listen on IPv6
#listen_ipv6=YES
# (note) the PAM service used for authentication
pam_service_name=vsftpd
# (note) when enabled, users listed in the user_list file are refused login
userlist_enable=YES
# (note) whether tcp_wrappers is used for host-based access control
tcp_wrappers=YES
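The comments above describe each option in isolation; what matters for security is the combination (anonymous access plus write_enable plus anon_upload_enable, local users without chroot, no host or transport controls). As an added example that is not part of the article or of the vsftpd project, the Python below parses vsftpd.conf text the way vsftpd does (only option=value lines, no trailing comments) and reports the risky combinations discussed on this page. The directive names are real vsftpd options; the checklist and the two sample configurations are constructed for this example.

```python
"""Audit a vsftpd.conf for the risky settings the article discusses.

Added example; it is not part of the article or of the vsftpd project.
The directive names are real vsftpd.conf options; the findings are a
checklist built from the article's comments, and the two sample
configurations are constructed.
"""


def parse_vsftpd_conf(text):
    """Return ({option: value}, [parse problems]) for vsftpd.conf text.

    vsftpd accepts only blank lines, full-line '#' comments and
    option=value lines. It does not strip a trailing '# ...' from an
    option line, so such a line makes the value invalid; that is reported
    here instead of being silently accepted.
    """
    conf, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {n}: not of the form option=value: {raw!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if "#" in value:
            problems.append(f"line {n}: trailing comment is part of the value of {key}")
        conf[key] = value
    return conf, problems


def bool_opt(conf, key, default):
    """Read a vsftpd boolean (YES/NO, case-insensitive) with its default."""
    value = conf.get(key)
    if value is None:
        return default
    return value.lower() in ("yes", "true", "1")


def audit(text):
    """Return a list of findings; empty when nothing looks risky."""
    conf, findings = parse_vsftpd_conf(text)
    anon = bool_opt(conf, "anonymous_enable", True)   # vsftpd default: YES
    local = bool_opt(conf, "local_enable", False)
    write = bool_opt(conf, "write_enable", False)
    if anon and write and bool_opt(conf, "anon_upload_enable", False):
        findings.append("anonymous users can upload files")
    if anon and write and bool_opt(conf, "anon_mkdir_write_enable", False):
        findings.append("anonymous users can create directories")
    if conf.get("chown_username", "").lower() == "root":
        findings.append("uploaded files would be chowned to root")
    if (local and not bool_opt(conf, "chroot_local_user", False)
            and not bool_opt(conf, "chroot_list_enable", False)):
        findings.append("local users are not confined to their home directory (no chroot)")
    if not bool_opt(conf, "tcp_wrappers", False):
        findings.append("tcp_wrappers is off: no host-based access control")
    if not bool_opt(conf, "ssl_enable", False):
        findings.append("ssl_enable is off: credentials and data travel in cleartext")
    return findings


# Constructed sample: the anonymous-upload setup from section 5 of the
# article, plus a trailing-comment mistake on the last line.
WEAK_CONF = """\
# constructed sample, not a real server's file
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=NO
listen=YES  # standalone mode
"""

# Constructed sample: anonymous access off, local users chrooted,
# host-based and transport controls on.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
listen=YES
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Run it against a copy of /etc/vsftpd/vsftpd.conf after every change; the parse-problem check alone catches the most common editing mistake with this file, a comment appended to an option line.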

3. Configure the ftpusers file

The ftpusers file restricts which system users may use the FTP service. Add or remove entries according to your situation.

# Users that are not allowed to login via ftp
root
.........

4. Configure the user_list File

Whether the users named in the user_list file can access the FTP server depends on the userlist_deny option. Its default value is YES, meaning that users listed in user_list are refused access to the FTP server, much like the ftpusers file. If it is set to NO, the opposite holds: only the users in the list can access the FTP server.

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and do not even prompt for a password.
# ...
# ...
root
...

To refuse the specified local users (those in the user_list file) access to the FTP server, set the following in vsftpd.conf:

userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list

Conversely, to allow only the specified local users (those in the user_list file) to access the FTP server, with all other local users refused, set the following in vsftpd.conf:

userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list

5. Configure to allow anonymous users to use the FTP server

Create the user ftp-anon and the directory /var/ftp-pub:

~# mkdir /var/ftp-pub
~# useradd -d /var/ftp-pub ftp-anon

The -d option sets the user's home directory; by default, vsftpd places a user in that home directory after a successful login.

For anonymous access, /var/ftp-pub must not be owned by ftp-anon and must not be writable by that user. Adjust the ownership and permissions as follows:

~# chown root.root /var/ftp-pub
~# chmod og-w /var/ftp-pub

Modify the vsftpd.conf file:

# allow anonymous access (enabled by default)
anonymous_enable=YES
# allow anonymous upload and directory creation (optional, use with caution!)
anon_upload_enable=YES
anon_mkdir_write_enable=YES

6. Virtual users on the vsftpd server

The FTP access described so far (including ordinary local-user access) relies on system accounts, which is insecure: if permissions are misconfigured, the server is exposed. Using virtual FTP accounts, which are separate from system accounts, improves security considerably. A virtual FTP account can only be used for file transfer; it is also called a guest user. The user names and passwords are stored in a file and checked against it at login. vsftpd therefore needs one system user, the guest user, under whose identity it reads that user name/password file and to which all virtual users are mapped.

The specific configuration is as follows:

(1) Generate the virtual-user password list file. For example:

~# vim login.txt
zhangsan
hehe
lisi
mimanicai
......

Odd lines hold the user names (zhangsan, lisi) and the following even lines hold their passwords (hehe, mimanicai).

(2) Generate the authentication file for vsftpd

Save and exit, then run db_load to generate the password database file:

~#  db_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db

Modify the permissions of the password library file:

chmod 600 /etc/vsftpd/vsftpd_login.db

Edit the PAM configuration file required by the virtual users:

~# vim /etc/pam.d/vsftpd
# add the following two lines (pam_userdb appends the .db suffix itself, so the path is given without it):
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

(3) Create the directory that virtual users access and set its permissions:

~# useradd -d /home/ftp virtual
~# chmod 700 /home/ftp

(4) Create the configuration file

~# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
~# vim /etc/vsftpd/vsftpd.conf
# set the following:
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
listen=YES
guest_enable=YES
guest_username=virtual

(5) Restart the vsftpd server

~# service vsftpd restart

The vsftpd server configuration is now complete. You can log on to the FTP server with the accounts from login.txt.
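Two details in the procedure above are easy to get wrong: db_load takes every line of login.txt literally (a stray space or a comment line becomes part of a user name or password), and pam_userdb wants the database path without the .db suffix. As an added example that is not part of the article or of vsftpd, the Python below checks a login.txt before it is fed to db_load and builds the matching pam_userdb lines. The sample list reuses the article's two accounts and adds two constructed mistakes; the minimum password length is an assumption of this example.

```python
"""Sanity-check a vsftpd virtual-user list before running db_load, and
derive the matching pam_userdb lines for /etc/pam.d/vsftpd.

Added example; not from the article or from the vsftpd project. The sample
list is constructed; the minimum password length is an assumption.
"""
import os


def check_login_list(text, min_password_len=8):
    """Return ({user: password}, [problems]).

    The file format is the one `db_load -T -t hash` consumes: a user name
    on one line and its password on the next. db_load keeps every line
    literally, so comments, blank lines and stray whitespace end up inside
    keys or passwords; those are reported as problems.
    """
    lines = text.splitlines()
    users, problems = {}, []
    if len(lines) % 2:
        problems.append("odd number of lines: the last user name has no password")
    for i in range(0, len(lines) - 1, 2):
        user, password = lines[i], lines[i + 1]
        n = i + 1
        for ln, field, what in ((n, user, "user name"), (n + 1, password, "password")):
            if field != field.strip():
                problems.append(f"line {ln}: surrounding whitespace becomes part of the {what}")
            if not field.strip():
                problems.append(f"line {ln}: empty {what}")
            if field.startswith("#"):
                problems.append(f"line {ln}: '#' lines are not comments here; stored literally")
        if user in users:
            problems.append(f"line {n}: duplicate user name {user!r}")
        if len(password) < min_password_len:
            problems.append(f"line {n + 1}: password for {user!r} shorter than {min_password_len}")
        users[user] = password
    return users, problems


def pam_userdb_lines(db_file, module="/lib/security/pam_userdb.so"):
    """Build the auth/account lines for /etc/pam.d/vsftpd.

    pam_userdb appends ".db" to the db= path itself, so the suffix that
    db_load wrote is stripped here; passing the path with ".db" makes PAM
    look for vsftpd_login.db.db and every login fails.
    """
    base, ext = os.path.splitext(db_file)
    if ext == ".db":
        db_file = base
    return [f"auth    required {module} db={db_file}",
            f"account required {module} db={db_file}"]


# Constructed sample: the article's two accounts plus two common mistakes
# (a trailing space after a user name, and a duplicated user name).
SAMPLE = "zhangsan\nhehe\nlisi\nmimanicai\nwangwu \nCorrectHorse9\nzhangsan\nagain1234\n"

if __name__ == "__main__":
    users, problems = check_login_list(SAMPLE)
    print(users)
    for p in problems:
        print("problem:", p)
    print("\n".join(pam_userdb_lines("/etc/vsftpd/vsftpd_login.db")))
```

Only run db_load once the problem list is empty; after that, `chmod 600` on the database as the article says, since the passwords in it are stored in clear.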

7. Change the vsftpd port number

Add the following line to vsftpd.conf and restart vsftpd:

listen_port=2121

8. Configure chroot on the vsftpd server

chroot confines a logged-in user to a fixed directory, usually the user's home directory. Like a virtual directory on a web server, this protects the rest of the system from the user.

To chroot only the specified users:

chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
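The ftpusers, user_list/userlist_deny and chroot_local_user/chroot_list settings from sections 3, 4 and 8 interact, and the chroot list in particular flips meaning depending on chroot_local_user. As an added example that is not part of the article or of vsftpd, the Python below takes a user name and the relevant settings and answers two questions a defender asks when reviewing a server: can this user log in at all, and if so, are they confined to their home directory? It treats ftpusers as a hard deny, which is how the article describes it. The list files and configurations are constructed samples.

```python
"""For one user name, work out whether vsftpd would allow the login and
whether the session would be chrooted, from the settings the article
describes (ftpusers, user_list/userlist_deny, chroot_local_user and
chroot_list). Added example, not from the article or the vsftpd project;
the list files and configurations below are constructed samples.
"""


def read_list(text):
    """Names from a one-per-line list file; blank lines and '#' comments ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def yes(conf, key, default):
    """vsftpd boolean with its default when the option is absent."""
    value = conf.get(key)
    return default if value is None else value.lower() == "yes"


def login_allowed(user, conf, ftpusers, user_list):
    """Return (allowed, reason).

    ftpusers: users refused outright (the article's ftpusers file).
    user_list: its meaning depends on userlist_deny once userlist_enable=YES:
      userlist_deny=YES (default) -> listed users are refused before the
                                     password prompt;
      userlist_deny=NO            -> only listed users may log in.
    """
    if user in ftpusers:
        return False, "listed in ftpusers"
    if yes(conf, "userlist_enable", False):
        listed = user in user_list
        deny_mode = yes(conf, "userlist_deny", True)
        if deny_mode and listed:
            return False, "listed in user_list (userlist_deny=YES)"
        if not deny_mode and not listed:
            return False, "not listed in user_list (userlist_deny=NO)"
    return True, "ok"


def is_chrooted(user, conf, chroot_list):
    """Return True when the user is confined to their home directory.

    chroot_local_user=YES: everyone is chrooted except users in chroot_list
    (when chroot_list_enable=YES). chroot_local_user=NO: nobody is, except
    users in chroot_list. The list always flips the global default.
    """
    all_chrooted = yes(conf, "chroot_local_user", False)
    listed = yes(conf, "chroot_list_enable", False) and user in chroot_list
    return all_chrooted != listed


# Constructed sample list files.
FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\n"
USER_LIST = "# vsftpd userlist\nroot\nbin\nlisi\n"
CHROOT_LIST = "lisi\n"

# Section 4 first variant + section 8: deny the listed users, chroot only the listed ones.
DENY_CONF = {"userlist_enable": "YES", "userlist_deny": "YES",
             "chroot_local_user": "NO", "chroot_list_enable": "YES"}
# Section 4 second variant: allow only the listed users, chroot everyone except the listed ones.
ALLOW_ONLY_CONF = {"userlist_enable": "YES", "userlist_deny": "NO",
                   "chroot_local_user": "YES", "chroot_list_enable": "YES"}


def report(user, conf):
    """(allowed, reason, chrooted) for a user under a configuration."""
    allowed, why = login_allowed(user, conf, read_list(FTPUSERS), read_list(USER_LIST))
    return allowed, why, is_chrooted(user, conf, read_list(CHROOT_LIST))


if __name__ == "__main__":
    for u in ("root", "lisi", "alice"):
        print(u, "deny-mode:", report(u, DENY_CONF), "allow-only:", report(u, ALLOW_ONLY_CONF))
```

The `all_chrooted != listed` line is the whole point: the same chroot_list entry means "confine this user" under chroot_local_user=NO and "let this user roam" under chroot_local_user=YES, so a list copied between servers with different defaults silently inverts the policy.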

Related references: http://wiki.ubuntu.org.cn/Vsftpd
