Red Hat Linux 5 FTP Server Configuration

Source: Internet
Author: User
Tags: filezilla

FTP
FTP, HTTP and mail are the three classic network applications.
FTP stands for File Transfer Protocol.
It appeared 40 years ago.
Disadvantage: everything is transmitted in plaintext, which is a security problem.
FTP uses a client/server (C/S) model with two TCP connections:
Control connection: TCP port 21
Data connection: TCP port 20

Control connection: carries FTP commands and the responses to them between the FTP client and the FTP server. The control connection stays open for the whole FTP session.

Data connection: carries the actual data, that is uploads, downloads and directory listings. A data connection is closed as soon as the transfer ends.

FTP has two data transmission modes:
Active mode: PORT
Passive mode: PASV
Active and passive are named from the server's perspective.

FTP has two file transfer modes:
ASCII mode: the protocol's default transfer mode. Local files are converted to standard ASCII during transfer; suitable for text files.
Binary mode: the transfer mode for image files. Files are transferred as a raw bit stream; suitable for program files. In practice the default is binary (vsftpd, for instance, uses binary unless ASCII mode is enabled, see below).
Differences between text mode and binary mode:
Text mode transfers ASCII characters separated by carriage return and line feed, while binary mode transfers the file without any conversion or formatting. Binary mode is faster than text mode and can carry all ASCII values, so system administrators generally set FTP to binary mode.

Binary mode is used for executable files, compressed files and image files. If such a file is transferred in ASCII mode it arrives as a pile of garbled characters and must be transferred again in BINARY mode. Files written in HTML or plain text must be uploaded in ASCII mode; if they are uploaded in BINARY mode they may be damaged, causing errors when the file is executed.
Enable ASCII transfer
By default, to improve transfer efficiency, vsftpd disables ASCII transfer. Even if the asc command is used in the FTP client, files are still transferred in binary.
ASCII mode can be enabled separately for upload and download by editing the configuration file /etc/vsftpd.conf and removing the # in front of the following two lines:
#ascii_upload_enable=YES
#ascii_download_enable=YES
Common FTP server programs:
Windows: IIS, Serv-U, FileZilla
Linux: wu-ftpd, proftpd (commonly used), vsftpd (Very Secure FTP Daemon, the default FTP server on Linux)
Common FTP client programs:
the ftp command, IE, Chrome
CuteFTP, FlashFXP (widely used; supports communication encryption), LeapFTP, FileZilla
gftp, kuftp

vsftpd features: high speed, stability and built-in security
Size: 140 kB
Speed: twice that of wu-ftpd
Stability: supports more than 4000 concurrent users on a single machine

Functions: supports IP-based virtual FTP servers
Supports virtual users
Supports PAM or xinetd/tcp_wrappers authentication
Supports two running modes: standalone and xinetd
Supports an independent configuration for each virtual user
Bandwidth limits

FTP user types:
Anonymous user: anonymous or ftp
Local user: the account name, password and other information are stored in the passwd and shadow files
Virtual user: uses an independent account/password data file, for example an entry such as
user_list: zhangsan 123456 /var/pub

vsftpd software package
http://vsftpd.beasts.org/
Main program: /usr/sbin/vsftpd
Service name: vsftpd
User control list files: /etc/vsftpd/ftpusers is the list of users who are denied;
/etc/vsftpd/user_list is a second user list, and whether it denies or allows the listed users is set in the configuration file
Configuration file: /etc/vsftpd.conf

Configure basic performance and security options
1. Set the idle session timeout
For example:
idle_session_timeout=600
The session is closed after it has been idle for 10 minutes.
2. Set the idle data connection timeout
For example:
data_connection_timeout=120
The data connection is closed after it has been idle for 2 minutes.
3. Set the automatic disconnection and activation time for an idle client
For example:
accept_timeout=60
connect_timeout=60
The client is automatically disconnected after being idle for 1 minute, and the connection is automatically activated 1 minute after it was interrupted.

Set the welcome message shown after connecting to the server
To display a message to the user after connecting, vsftpd provides two options:
ftpd_banner
banner_file
For example, set the ftpd_banner option as follows:
ftpd_banner=Welcome to Win32 FTP service.
After the user connects to the server, the message "Welcome to Win32 FTP service." is displayed.
Alternatively, set the banner_file option:
banner_file=/var/vsftpd_banner_file
The contents of the file /var/vsftpd_banner_file are then displayed after the user connects.


4. Set the maximum transfer rate
For example:
local_max_rate=50000
anon_max_rate=30000
The maximum transfer rate for local users is 50 kbytes/sec and for anonymous users 30 kbytes/sec.
5. Set the port range for client data connections
For example:
pasv_min_port=50000
pasv_max_port=60000
Passive-mode data connections then use ports between 50000 and 60000, which improves system security.

Configure access control based on local users
To configure access control based on local users, modify vsftpd's main configuration file /etc/vsftpd.conf. There are two kinds of restriction:
1. Deny the specified local users while all other local users can access
For example:
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
The local users listed in /etc/vsftpd.user_list cannot access the FTP server; all other local users can.

2. Allow only the specified local users while all other local users are denied
For example:
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
The local users listed in /etc/vsftpd.user_list can access the FTP server; all other local users cannot.

In the default configuration a local user can change to directories outside their own home directory and browse, download and upload there within the permitted range. This is not secure for an FTP server.
If users should not be able to leave their own directory after login, set the chroot options:
chroot_local_user
chroot_list_enable
chroot_list_file
There are two ways to set up chroot:
(1) chroot all local users
Set chroot_local_user to YES:
chroot_local_user=YES
(2) chroot only the specified users
The following settings are required:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
The users listed in /etc/vsftpd.chroot_list are then confined (chrooted) to their home directories.
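The directives above are the ones to verify on an existing server. The following script is an added example, not part of the original article and not vsftpd's own tooling: it reads a vsftpd.conf, looks up directives, and reports the settings from this section that are missing or weak (anonymous access, ASCII mode, timeouts, the local rate limit, the passive port range, the user list and chroot). The choice of checks and the file paths are assumptions made for the example. One caveat that applies to the examples above: vsftpd.conf(5) treats whitespace between the option name, the = sign and the value as a syntax error, so the script flags "key = value" lines as well.

```shell
#!/bin/sh
# Added example, not from the article or from vsftpd: audit a vsftpd.conf
# for the options discussed above. Paths and the set of checks are assumptions.

# vsftpd_get KEY FILE
# Prints the value of directive KEY (last assignment wins), skipping comment
# and blank lines; prints nothing when the key is not set.
vsftpd_get() {
    awk -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }            # comment or blank line
        index($0, "=") == 0 { next }             # not a directive
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# Record one finding and keep a running count (audit_vsftpd_conf resets it).
findings=0
note() {
    findings=$((findings + 1))
    printf 'FINDING: %s\n' "$1"
}

# audit_vsftpd_conf FILE
# Prints one FINDING line per weak or missing setting plus a final count.
# Returns 0 when the file is clean, 1 otherwise.
audit_vsftpd_conf() {
    conf=$1
    findings=0

    # vsftpd.conf(5): spaces between option, '=' and value are a syntax error,
    # so a "key = value" line (as often written in tutorials) stops the daemon.
    if grep -Eq '^[^#]*[[:space:]]+=|^[^#]*=[[:space:]]+' "$conf"; then
        note "whitespace around '=' is a syntax error in vsftpd.conf"
    fi
    # anonymous_enable defaults to YES upstream, so require an explicit NO
    [ "$(vsftpd_get anonymous_enable "$conf")" = "NO" ] || note "anonymous_enable is not set to NO"
    [ "$(vsftpd_get ascii_upload_enable "$conf")" != "YES" ] || note "ascii_upload_enable=YES (ASCII mode re-enabled)"
    [ "$(vsftpd_get ascii_download_enable "$conf")" != "YES" ] || note "ascii_download_enable=YES (ASCII mode re-enabled)"
    # either chroot everyone, or chroot the users named in chroot_list_file
    if [ "$(vsftpd_get chroot_local_user "$conf")" != "YES" ] && [ "$(vsftpd_get chroot_list_enable "$conf")" != "YES" ]; then
        note "local users can leave their home directory (no chroot option set)"
    fi
    [ -n "$(vsftpd_get idle_session_timeout "$conf")" ] || note "idle_session_timeout not set"
    [ -n "$(vsftpd_get data_connection_timeout "$conf")" ] || note "data_connection_timeout not set"
    [ -n "$(vsftpd_get local_max_rate "$conf")" ] || note "local_max_rate not set (no bandwidth limit for local users)"
    min=$(vsftpd_get pasv_min_port "$conf")
    max=$(vsftpd_get pasv_max_port "$conf")
    if [ -z "$min" ] || [ -z "$max" ]; then
        note "pasv_min_port/pasv_max_port not set (passive data ports unrestricted)"
    elif [ "$min" -gt "$max" ]; then
        note "pasv_min_port ($min) is greater than pasv_max_port ($max)"
    fi
    if [ "$(vsftpd_get userlist_enable "$conf")" = "YES" ] && [ -z "$(vsftpd_get userlist_file "$conf")" ]; then
        note "userlist_enable=YES without userlist_file (vsftpd's default list file applies)"
    fi

    printf 'findings: %d\n' "$findings"
    [ "$findings" -eq 0 ]
}

# Usage: audit_vsftpd_conf /etc/vsftpd.conf
```

Run it against the configuration file before reloading the service; a non-zero exit status means at least one finding was printed. The check for a missing chroot option is deliberately coarse: with chroot_local_user=NO and chroot_list_enable=YES only the users named in chroot_list_file are confined, so the list file itself still needs to be reviewed.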
Build a vsftpd server based on virtual users
1. Create the account database file for the virtual FTP users
Create a list of virtual user account names and passwords:
odd lines: account name
even lines: password of the account on the previous line
Convert it to a data file in Berkeley DB format with the db_load conversion tool.
The package db4-utils-4.3.29-9.fc6.i386.rpm must be installed.
[root@filesvr ~]# vi /etc/vsftpd/vusers.list
mike
123
john
456
[root@filesvr ~]# cd /etc/vsftpd/
[root@filesvr vsftpd]# db_load -T -t hash -f vusers.list vusers.db
[root@filesvr vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
[root@filesvr vsftpd]# chmod 600 /etc/vsftpd/vusers.*

2. Create the FTP root directory and the system user that the virtual users are mapped to
[root@filesvr ~]# mkdir /var/ftproot
[root@filesvr ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
[root@filesvr ~]# chmod 755 /var/ftproot/

3. Create a PAM authentication file that supports virtual users
[root@filesvr ~]# vi /etc/pam.d/vsftpd.vu
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers

4. Add the supporting configuration to vsftpd.conf
[root@filesvr ~]# vi /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_umask=022
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.vu

5. Create independent configuration files for individual virtual users
Add user configuration directory support to vsftpd.conf:
user_config_dir=/etc/vsftpd/vusers_dir
Create the independent configuration directory and a file for each of the users mike and john.
Each configuration file has the same name as its user.
[root@filesvr ~]# mkdir /etc/vsftpd/vusers_dir/
[root@filesvr ~]# cd /etc/vsftpd/vusers_dir/
[root@filesvr vusers_dir]# touch mike
[root@filesvr vusers_dir]# vi john
anon_upload_enable=YES
anon_mkdir_write_enable=YES
6. Reload the vsftpd configuration
[root@filesvr ~]# service vsftpd reload

7. Test access with the virtual FTP accounts
Log on to the FTP server as mike and as john and test downloading and uploading.
mike can log on, browse and download files, but cannot upload.
john can log on, browse, download and upload files.
Anonymous users and other system users cannot log on.
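To make steps 1 to 5 repeatable, the following script is an added example and not the article's own commands: it validates the odd/even line layout of vusers.list, builds vusers.db with the same db_load command as step 1 when db_load is installed, restricts both files to mode 600, and writes one per-user file under user_config_dir, granting upload and mkdir rights only to the users named in an "uploaders" argument (john in the article). The function names, argument order and the uploaders argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's own commands: prepare vsftpd virtual
# users from a vusers.list in the odd/even-line layout described above.
# Function names and the "uploaders" argument are assumptions for the example.

# validate_vusers_list LIST
# Checks that odd lines are user names and even lines are non-empty
# passwords, prints the user names one per line, and returns 1 (with a
# message on stderr) when the layout is broken.
validate_vusers_list() {
    awk '
        NR % 2 == 1 {
            if ($0 !~ /^[A-Za-z0-9._-]+$/) {
                printf "line %d: invalid user name\n", NR > "/dev/stderr"; bad = 1
            } else {
                names[++n] = $0
            }
        }
        NR % 2 == 0 && $0 == "" {
            printf "line %d: empty password\n", NR > "/dev/stderr"; bad = 1
        }
        END {
            if (NR % 2 == 1) { print "last user has no password line" > "/dev/stderr"; bad = 1 }
            if (bad) exit 1
            for (i = 1; i <= n; i++) print names[i]
        }
    ' "$1"
}

# build_vusers_db LIST DB
# Converts the list with the same db_load command as step 1 (skipped when
# db_load is not installed, so the rest of the setup can still be checked)
# and restricts the plaintext list and the database to their owner (mode 600).
build_vusers_db() {
    list=$1; db=$2
    validate_vusers_list "$list" > /dev/null || return 1
    if command -v db_load > /dev/null 2>&1; then
        db_load -T -t hash -f "$list" "$db" || return 1
        chmod 600 "$db" || return 1
    fi
    chmod 600 "$list"
}

# write_user_configs DIR UPLOADERS LIST
# Creates one file per user in the user_config_dir DIR. Users named in the
# space-separated UPLOADERS string get upload and mkdir rights (as john does
# in step 5); every other user gets an empty file, i.e. read-only access.
write_user_configs() {
    dir=$1; uploaders=$2; list=$3
    names=$(validate_vusers_list "$list") || return 1
    mkdir -p "$dir" || return 1
    for name in $names; do
        : > "$dir/$name"                       # empty file: download only
        for u in $uploaders; do
            if [ "$u" = "$name" ]; then
                printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n' > "$dir/$name"
            fi
        done
    done
    return 0
}

# Usage with the article's paths (run as root, then reload the service):
#   build_vusers_db /etc/vsftpd/vusers.list /etc/vsftpd/vusers.db
#   write_user_configs /etc/vsftpd/vusers_dir "john" /etc/vsftpd/vusers.list
#   service vsftpd reload
```

The validation step matters because db_load itself does not know the list's layout: a missing password line would silently shift every following name into the password column. Keeping vusers.list at mode 600 is as important as protecting vusers.db, since the list holds the same passwords in plaintext.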
