Linux Miscellaneous (16): enterprise application-level ftp configuration (3)

Source: Internet
Author: User
Tags: ftp access

This time, we will explain the blacklist, the whitelist, and how to give different ftp access to the Intranet and the Internet.

1. Blacklist
Sometimes we do not want certain local users to log on. In that case we need to set a blacklist. The relevant files are under /etc/vsftpd:


How to add a user to the blacklist:

(1) First, add a user (westos) to ftpusers:

Restart the service (and clear the firewall rules) and check whether the user can log on:


When logging on as westos you are prompted for a password, but the login is refused. This is the blacklist.

(2) Now let's also add westos to user_list and see what happens:



Do you see the comment at the top of the file? When userlist_deny = NO, only the users written in user_list are allowed to log on to ftp, that is, the file is a whitelist. When its value is YES, the users written in the file are the ones denied ftp access, that is, a blacklist. The default value is YES. We will modify it later.

Restart the service and check again whether the user can log on:

Still unable to log on, so westos has indeed been blacklisted.

Next we will try the whitelist. As mentioned above, we modify the configuration file vsftpd.conf:


Now you can log on successfully.
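The blacklist and whitelist behaviour above, as an added shell example that is not from the original post: it models how vsftpd decides whether a local user may log on, given ftpusers (rejected by PAM only after the password is entered), user_list and userlist_deny. The function name ftp_decision and the sample files in a temporary directory are my own construction.

```shell
#!/bin/sh
# Added example: models vsftpd's local-user login decision from
# /etc/vsftpd/ftpusers, /etc/vsftpd/user_list and userlist_deny.
# File paths are passed as arguments so it runs on constructed sample files.

# in_list FILE USER -> exit 0 if USER is listed (blank lines and '#' comments ignored)
in_list() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -Fqx "$2"
}

# ftp_decision FTPUSERS_FILE USER_LIST_FILE USERLIST_DENY USER
# Prints one of: deny-before-password, deny-after-password, allow
ftp_decision() {
    ftpusers=$1; user_list=$2; deny=$3; user=$4
    # With userlist_enable=YES, user_list is consulted before the password prompt:
    # userlist_deny=YES -> listed users are refused (blacklist)
    # userlist_deny=NO  -> only listed users may continue (whitelist)
    if [ "$deny" = "YES" ]; then
        if in_list "$user_list" "$user"; then echo deny-before-password; return 0; fi
    else
        if ! in_list "$user_list" "$user"; then echo deny-before-password; return 0; fi
    fi
    # ftpusers is enforced by pam_listfile (sense=deny) in /etc/pam.d/vsftpd,
    # so a listed user is asked for a password and then rejected. A whitelist
    # entry in user_list does not override this.
    if in_list "$ftpusers" "$user"; then
        echo deny-after-password; return 0
    fi
    echo allow
}

# Constructed sample files standing in for /etc/vsftpd/ftpusers and user_list
demo=$(mktemp -d)
printf '# users denied by PAM\nroot\nwestos\n' > "$demo/ftpusers"
printf 'root\nbin\nwestos\n' > "$demo/user_list"

ftp_decision "$demo/ftpusers" "$demo/user_list" YES westos   # deny-before-password
ftp_decision "$demo/ftpusers" "$demo/user_list" YES student  # allow
ftp_decision "$demo/ftpusers" "$demo/user_list" NO  westos   # deny-after-password
ftp_decision "$demo/ftpusers" "$demo/user_list" NO  student  # deny-before-password
rm -rf "$demo"
```

The third case is the one to remember when switching to a whitelist: a user kept in ftpusers stays locked out even though user_list now allows it.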


2. Intranet access and Internet access:

Sometimes we want the ftp service to be open to both internal and external users, but with different permissions for each, so that it better matches the real application. To achieve this we need to consider the following:

(1) First, the Intranet and the Internet must be served by different NICs:

Add another NIC:



Create one configuration file for each of the two NICs; the network on eth1 is the Internet:

vsftpd.conf:

vsftpd1.conf:


For security reasons, we must not allow users to change out of their directories. This is good practice: since we provide an ftp service, users should only be able to reach the directories that ftp provides, and letting them jump to other directories on the system is very dangerous. We need to set this in the configuration file:




3. Virtual users

What is a virtual user? An Internet user certainly does not know which local users exist on our server, so with the previous configuration alone, Internet users clearly could not access the ftp service. So we set up virtual users for them.

Add a virtual user to the vsftpd directory:




The virtual users are user1 and user2 respectively, and the passwords are both 123.


Generate the hashed password database file:

Generate the password check file ftpps in the /etc/pam.d directory:



The above is the password check; the following is the username check:


External user login check:


Allow anonymous users to log on:



After the preceding permissions, virtual users, and passwords are set, let's check whether the service starts:


Create a virtual user access directory:



SELinux is enabled on our system, so check whether the security context is correct and fix it:


Then we modify the configuration file:



Create the per-user permission directory /etc/vsftpd/config and create the file user1 inside it.

Permissions for user1:


Modify the security context of user1's default directory:


Restart the service:



Now you can log on as the virtual user user1. After login, the server runs the session as the local user westos, but with the permissions configured for user1. Similarly, you can log on as user2. This greatly extends what the ftp service can do.

Summary:

This is a bit complicated. I hope you can practice more. I have to study it again.
