Self-study notes on Brother Bird's (Vbird's) Linux services: vsftpd

Source: Internet
Author: User

Lab environment: a virtual machine running CentOS 6.5

Server IP: 192.168.1.224

Installing vsftpd

yum -y install vsftpd


Configuration file:

vim /etc/vsftpd/vsftpd.conf


Check which ports are listening:

# netstat -anp | grep vsftpd

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1409/vsftpd

Only the control port, TCP 21, is listening. Data connections are opened separately for each transfer; how that works is explained under "How it works" below.

Configuration file note: port 20 is the data transfer port.

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

So open TCP ports 20 and 21 in the firewall:

iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT

service iptables save

Strictly speaking, in active mode the server initiates the data connection outbound from port 20, so the inbound rule matters for port 21; it is the FTP connection-tracking helper loaded in the next step that lets the related data connection through a stateful rule set.


Load the firewall's FTP helper modules (without them, FTP transfers cannot pass through the stateful rules):

vim /etc/sysconfig/iptables-config

Put both module names in one space-separated IPTABLES_MODULES value (a second assignment of the variable would overwrite the first), and keep the connection-tracking helper first, since the NAT helper depends on it:

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

On the 2.6.32 kernel shipped with CentOS 6 these names are aliases of nf_conntrack_ftp and nf_nat_ftp, so either spelling loads the same modules.

Restart the firewall:

/etc/init.d/iptables restart



How it works:

vsftpd supports two data-connection modes, active and passive. Which one is used for a transfer is chosen by the client; the Windows command-line ftp client used in the tests below only does active mode.

Active mode:

The client connects to port 21 of the FTP server to set up the control channel. For each transfer the client opens a random port and announces it with a PORT command; the server then actively connects from its port 20 to that client port. If the client sits behind a NAT router or firewall, that random inbound port is hard to open, so the data often cannot get through to the client on the intranet.

Passive mode:

The client again connects to port 21 to set up the control channel. For each transfer the server opens a random port XXXX and tells the client in its PASV reply; the client then connects to port XXXX on the server for the data transfer. Leaving the whole high-port range reachable is unsafe and hard to firewall, so the range of passive ports should be pinned down in the configuration (pasv_min_port/pasv_max_port, covered in the passive-mode section below).


################# Configuring active mode #################################################

vim /etc/vsftpd/vsftpd.conf

anonymous_enable=YES          # allow anonymous access
local_enable=YES              # allow local (system) users to log in
write_enable=YES              # allow write commands
anon_upload_enable=YES        # allow anonymous uploads
anon_mkdir_write_enable=YES   # allow anonymous users to create directories
dirmessage_enable=YES         # show a directory welcome message (.message) on entering a directory
xferlog_enable=YES            # enable the transfer log
ftpd_banner=##### #This is my FTP service.######   # global welcome banner
chroot_local_user=YES         # chroot local users to their home directory so they cannot browse other directories

The comments after each option are explanatory only: vsftpd takes everything after the "=" as the value, so in the real file put comments on their own lines.

Two cautions: anonymous_enable together with write_enable and the anon_* write switches gives anyone on the network a writable drop box, which is fine for this lab but not for a real server; and vsftpd 2.3.5 and later (for example the 3.0.x in CentOS 7, but not the 2.2.2 in CentOS 6.5) refuse to run a chrooted user whose chroot root is writable unless allow_writeable_chroot=YES is set.


Save, then restart the service:

/etc/init.d/vsftpd restart

Check the SELinux booleans for FTP (the boolean names are lower-case, so grep for "ftp"):

# getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off


Set the SELinux booleans (-P makes the change persistent across reboots):

setsebool -P allow_ftpd_anon_write on

setsebool -P allow_ftpd_full_access on

setsebool -P ftp_home_dir on

allow_ftpd_full_access removes most of the SELinux confinement of the daemon, letting it read and write anything the Unix permissions allow; for a server that only serves local users' home directories, ftp_home_dir on its own is usually enough. allow_ftpd_anon_write only affects directories labelled public_content_rw_t, which is the label an anonymous upload directory should carry.

Check again:

# getsebool -a | grep ftp

allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off


Create a user

# Create user bob, who cannot log in to a shell, with his home directory under /var/ftpusers/

useradd -s /sbin/nologin -d /var/ftpusers/bob bob

passwd bob

The nologin shell works for FTP only because /sbin/nologin is listed in /etc/shells: vsftpd's PAM configuration includes pam_shells, which rejects accounts whose shell is not in that file. If FTP login for bob fails, check with grep nologin /etc/shells.


Create the directory welcome message file

Because dirmessage_enable=YES was turned on above, vsftpd shows the contents of a .message file when a client enters a directory. Create one in the pub directory (the anonymous root is /var/ftp, so pub is /var/ftp/pub):

echo "####### #There is pub#######" > /var/ftp/pub/.message


############## Testing ###############################

Open cmd on Windows:

ftp 192.168.1.224

The welcome banner is shown:

##### #This is my FTP service.######

Enter the user name ftp (anonymous login), then:

> dir

The pub directory is listed.

> pwd

"/"   # shown as the root, because anonymous users are confined to /var/ftp

> cd pub

250-"####### #There is pub#######"   # the directory welcome message appears on entering pub


Open ftp://192.168.1.224 in Windows Explorer.

The pub directory is visible.

Uploading a file fails with a "no permission" error.


Check the permissions on the server

At this point the anonymous root directory is actually /var/ftp/:

# ll -d /var/ftp/

drwxr-xr-x. 3 root root 4096 Apr 3 14:04 /var/ftp/

# ll /var/ftp/

drwxr-xr-x. 3 ftp ftp 4096 Apr 3 14:30 pub

/var/ftp is owned by root and writable by nobody else, so the anonymous session (which runs as the ftp account) has no permission to write there.

It can only write inside pub, which the ftp account owns.

Open ftp://192.168.1.224 in Windows Explorer again.

The anonymous login shows pub.

Right-click, choose "Login As", and enter the user name bob with the password set above (123456 in this lab; a weak password like that is only acceptable for testing).

Login succeeds.

Both upload and download work.


########### Some other commonly used configuration options ##############

(1) Traffic control for the FTP server

max_clients=100       # maximum number of concurrent connections; 100 here, the default 0 means no limit

max_per_ip=5          # connections allowed per client IP; 0 means no limit; only works in standalone mode (listen=YES)

anon_max_rate=50000   # maximum transfer rate for anonymous users, in bytes per second (not bits)

local_max_rate=200000 # maximum transfer rate for local system users, in bytes per second


How do I limit the transfer rate for one particular user?

Add a line to /etc/vsftpd/vsftpd.conf:

user_config_dir=/etc/vsftpd/userconf

Create the /etc/vsftpd/userconf directory if it does not exist, then create inside it a file named exactly after the login name (here the user netseek_com):

touch /etc/vsftpd/userconf/netseek_com

Edit /etc/vsftpd/userconf/netseek_com and add:

local_max_rate=100000

Settings in a per-user file override the global ones for that login only.


(2) Change the owner of uploaded files

chown_uploads=YES       # change the owner of anonymously uploaded files

chown_username=ltiaw    # the new owner is ltiaw

Restricting chroot to a list of users:

chroot_list_enable=YES                     # enable the chroot user list

chroot_list_file=/etc/vsftpd/chroot_list   # the list file

When enabling these, comment out the chroot_local_user=YES line set earlier. With chroot_local_user=NO the list names exactly the users who are chrooted, and users not in the file are not chrooted.

Note the inversion: if chroot_local_user=YES is kept together with chroot_list_enable=YES, the file becomes the list of users who are NOT chrooted.


(3) User access control

userlist_enable=YES   # enable the user list check

Look at the list file:

vim /etc/vsftpd/user_list

Its contents are as follows:

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

What this means: by default the user names in this file are denied, and the users in /etc/vsftpd/ftpusers are rejected as well.

So root cannot log in.

You can also add userlist_deny=NO to the configuration file:

1. With userlist_deny=NO, only the user names in user_list are allowed, but the users in /etc/vsftpd/ftpusers are still forbidden.

2. The /etc/vsftpd/ftpusers file is enforced by the PAM configuration, vim /etc/pam.d/vsftpd, through a pam_listfile.so line with sense=deny on that file. Look there to see exactly how it is applied. A practical difference between the two lists: user_list is checked by vsftpd itself before it asks for a password, while ftpusers is checked by PAM only after the password has been sent.
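To see how the two lists combine, here is an added example (my own shell script, not from the original post or from vsftpd) that reproduces the login gating described above from a vsftpd.conf, a user_list and a ftpusers file. It models PAM's pam_listfile check on ftpusers as a plain deny-if-listed test, and the sample files it writes to a temporary directory are constructed for the demonstration: the deny-list mode used in the lab, and the userlist_deny=NO allow-list variant.

```shell
#!/bin/sh
# Added example: reproduce vsftpd's login gating from user_list, ftpusers and
# the userlist_enable / userlist_deny settings. Not vsftpd code; the PAM
# ftpusers check is modelled as "deny if the name is listed".

# Print the last value of KEY in a vsftpd.conf-style file, upper-cased,
# or DEFAULT when the key is absent or only present in a comment.
conf_get() {
    _conf=$1 _key=$2 _default=$3
    _val=$(sed -n "s/^[[:space:]]*${_key}=\([^#]*\).*/\1/p" "$_conf" \
           | tail -n 1 | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# Exact-match membership test: one name per line, comments and blanks ignored.
listed_in() {
    grep -v '^[[:space:]]*#' "$2" | grep -qx "$1"
}

# Decide whether USER may log in. Prints the verdict and reason; exit 0 = allow.
# The order mirrors the daemon: vsftpd consults user_list before prompting for
# a password, and PAM applies ftpusers afterwards.
ftp_login_decision() {
    _user=$1 _conf=$2 _user_list=$3 _ftpusers=$4
    if [ "$(conf_get "$_conf" userlist_enable NO)" = YES ]; then
        _deny=$(conf_get "$_conf" userlist_deny YES)   # YES is vsftpd's default
        if [ "$_deny" = YES ] && listed_in "$_user" "$_user_list"; then
            echo "deny: $_user is in user_list and userlist_deny=YES"; return 1
        fi
        if [ "$_deny" = NO ] && ! listed_in "$_user" "$_user_list"; then
            echo "deny: $_user is not in user_list and userlist_deny=NO"; return 1
        fi
    fi
    if listed_in "$_user" "$_ftpusers"; then
        echo "deny: $_user is in ftpusers (PAM pam_listfile)"; return 1
    fi
    echo "allow: $_user"
}

# Constructed sample files (not real system files) in a scratch directory.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CONF=$DEMO_DIR/vsftpd.conf                   # lab setting: deny-list mode
DEMO_CONF_ALLOWLIST=$DEMO_DIR/vsftpd-allow.conf   # userlist_deny=NO variant
DEMO_USER_LIST=$DEMO_DIR/user_list
DEMO_USER_LIST2=$DEMO_DIR/user_list-allow
DEMO_FTPUSERS=$DEMO_DIR/ftpusers
printf 'userlist_enable=YES\n' > "$DEMO_CONF"
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$DEMO_CONF_ALLOWLIST"
printf '# vsftpd userlist\nroot\nbin\nnobody\n' > "$DEMO_USER_LIST"
printf 'root\nbob\n' > "$DEMO_USER_LIST2"
printf 'root\nbin\n' > "$DEMO_FTPUSERS"

# Walk through the cases discussed in the text.
for _u in root bob; do
    ftp_login_decision "$_u" "$DEMO_CONF" "$DEMO_USER_LIST" "$DEMO_FTPUSERS" || :
done
for _u in root bob alice; do
    ftp_login_decision "$_u" "$DEMO_CONF_ALLOWLIST" "$DEMO_USER_LIST2" "$DEMO_FTPUSERS" || :
done
```

The last case is the one worth remembering: even when root is put into user_list under userlist_deny=NO, the ftpusers entry still wins, because PAM's deny list is consulted independently of vsftpd's own list.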



Packet capture

tcpdump -i eth0 host 192.168.1.5 and host 192.168.1.224 | grep -v ssh

(Without -n, tcpdump prints service names for known ports, so grep -v ssh filters out the administrator's own SSH session.)

Transfer a file twice. The capture shows that it is the server's port 20 connecting to a port on the client, that the client port differs between the first and the second transfer, and that it is above 1024. That is active mode.








######################### Passive mode ###########################################

vim /etc/vsftpd/vsftpd.conf

Comment out the port 20 line: #connect_from_port_20=YES

Add the following three lines:

pasv_enable=YES      # enable passive mode

pasv_min_port=4500   # first passive-mode port: 4500

pasv_max_port=5000   # last passive-mode port: 5000

Note that commenting out connect_from_port_20 does not switch active mode off; it only makes active-mode data connections originate from an unprivileged port instead of 20. To refuse PORT transfers altogether, set port_enable=NO. pasv_enable=YES is also vsftpd's default; the lines that matter are the two that pin the port range.

Save and restart the service:

/etc/init.d/vsftpd restart

Open the ports:

iptables -I INPUT -p tcp --dport 4500:5000 -j ACCEPT

/etc/init.d/iptables save
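With both the active-mode and passive-mode settings in view, here is an added example (my own shell script, not part of the original post or of vsftpd) that audits a vsftpd.conf for the settings this page has touched: anonymous write access, chroot of local users, the passive port range and the user list. The two configuration files it writes to a temporary directory are constructed: one mirrors the lab's active-mode settings, the other is a hardened variant of the same service.

```shell
#!/bin/sh
# Added example: static audit of the vsftpd.conf settings used in this walkthrough.
# Not vsftpd code; the two sample configs below are constructed.

# Print the (last) value of KEY in CONF, upper-cased and stripped of blanks;
# prints nothing when the key is absent or only present in a comment.
cfg() {
    awk -F= -v k="$2" '$1 == k { v = $2 }
        END { gsub(/[ \t\r]/, "", v); print toupper(v) }' "$1"
}

# Report risky combinations. Prints one WARN line per finding plus a summary;
# the exit status is the number of findings (0 = clean).
audit_vsftpd_conf() {
    _c=$1 _n=0
    # 1. Anonymous users can create files: needs write_enable plus one of the
    #    anon_* write switches. Fine for a lab, an open drop box on a real network.
    if [ "$(cfg "$_c" anonymous_enable)" = YES ] && [ "$(cfg "$_c" write_enable)" = YES ] \
       && { [ "$(cfg "$_c" anon_upload_enable)" = YES ] || [ "$(cfg "$_c" anon_mkdir_write_enable)" = YES ]; }; then
        echo "WARN anonymous users can write (anonymous_enable + write_enable + anon_upload/anon_mkdir_write)"
        _n=$((_n + 1))
    fi
    # 2. Local users can browse the whole filesystem unless chrooted.
    if [ "$(cfg "$_c" local_enable)" = YES ] && [ "$(cfg "$_c" chroot_local_user)" != YES ] \
       && [ "$(cfg "$_c" chroot_list_enable)" != YES ]; then
        echo "WARN local users are not chrooted (set chroot_local_user=YES or a chroot_list)"
        _n=$((_n + 1))
    fi
    # 3. Passive mode is on unless pasv_enable=NO, and vsftpd's default range
    #    (pasv_min_port=0, pasv_max_port=0) means any free high port.
    if [ "$(cfg "$_c" pasv_enable)" != NO ]; then
        _min=$(cfg "$_c" pasv_min_port) _max=$(cfg "$_c" pasv_max_port)
        if [ "${_min:-0}" -eq 0 ] || [ "${_max:-0}" -eq 0 ]; then
            echo "WARN passive data ports unbounded (set pasv_min_port/pasv_max_port and open only that range)"
            _n=$((_n + 1))
        fi
    fi
    # 4. Without userlist_enable, system accounts are blocked only by PAM's ftpusers.
    if [ "$(cfg "$_c" userlist_enable)" != YES ]; then
        echo "WARN userlist_enable is off (system accounts are blocked only by /etc/vsftpd/ftpusers)"
        _n=$((_n + 1))
    fi
    echo "$_n issue(s)"
    return $_n
}

# Constructed sample configs in a scratch directory.
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
LAB_CONF=$AUDIT_DIR/lab.conf            # the active-mode settings from this page
HARDENED_CONF=$AUDIT_DIR/hardened.conf  # same service without anonymous write
cat > "$LAB_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chroot_local_user=YES
EOF
cat > "$HARDENED_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=4500
pasv_max_port=5000
userlist_enable=YES
EOF

for _f in "$LAB_CONF" "$HARDENED_CONF"; do
    echo "== $_f"
    audit_vsftpd_conf "$_f" || :
done
```

Run it against a real file with audit_vsftpd_conf /etc/vsftpd/vsftpd.conf; the lab configuration trips three of the four checks (anonymous write, unbounded passive range, no user list), the hardened one none.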


Packet capture:

tcpdump -i eth0 host 192.168.1.224 and host 192.168.1.5 | grep -v ssh

The client transfers a file:

15:55:32.341781 IP 192.168.1.5.ssowatch > 192.168.1.224.4693: Flags [.], seq 1:1461, ack 1, win 65535, length 1460

15:55:32.341795 IP 192.168.1.5.ssowatch > 192.168.1.224.4693: Flags [P.], seq 1461:1847, ack 1, win 65535, length 386

15:55:37.358912 IP 192.168.1.5.vxcrnbuport > 192.168.1.224.4776: Flags [.], ack 447, win 65090, length 0

15:55:37.358921 IP 192.168.1.5.vxcrnbuport > 192.168.1.224.4776: Flags [F.], seq 1, ack 447, win 65090, length 0

(ssowatch and vxcrnbuport are just the /etc/services names tcpdump prints for the client's ephemeral ports; add -n to see the numbers.)

The data connections now go from the client to server ports 4693 and 4776, which lie exactly in the 4500-5000 range just opened.


Passive mode works.
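For checking a capture like the one above by hand, here is an added example (my own shell functions, not from the original post or from vsftpd). It decodes the 227 reply the server sends to a PASV command, whose format RFC 959 fixes as (h1,h2,h3,h4,p1,p2) with the port equal to p1*256+p2, pulls the destination port out of a tcpdump -n line, and checks both against the 4500-5000 range. The reply strings and the capture line are constructed; their port numbers were chosen to give the 4693 and 4776 seen in the capture.

```shell
#!/bin/sh
# Added example: decode the PASV (227) reply and check the advertised data
# port against the configured passive range. Sample inputs are constructed.

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "h1.h2.h3.h4 PORT",
# PORT = p1*256 + p2 (RFC 959). Exit 1 when the reply does not parse.
pasv_reply_decode() {
    _nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$_nums" ] || return 1
    set -- $(printf '%s\n' "$_nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# A client should only connect to the address it already talks to on port 21;
# exit 1 when the reply points somewhere else (the classic PASV redirection trick).
pasv_reply_host_ok() {
    [ "${1%% *}" = "$2" ]
}

# Destination port from a "tcpdump -n" line: "... > 192.168.1.224.4693: Flags ...".
tcpdump_dst_port() {
    printf '%s\n' "$1" | sed -n 's/.*> [0-9.]*\.\([0-9][0-9]*\):.*/\1/p'
}

# Exit 0 when PORT lies inside [MIN, MAX].
in_pasv_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Decode a reply, verify host and range, print a one-line verdict (exit 0 = ok).
pasv_reply_check() {
    _reply=$1 _server=$2 _min=$3 _max=$4
    _decoded=$(pasv_reply_decode "$_reply") || { echo "bad: unparseable reply"; return 1; }
    _port=${_decoded##* }
    pasv_reply_host_ok "$_decoded" "$_server" || { echo "bad: reply points at ${_decoded%% *}, not $_server"; return 1; }
    in_pasv_range "$_port" "$_min" "$_max" || { echo "bad: port $_port outside $_min-$_max"; return 1; }
    echo "ok: $_decoded within $_min-$_max"
}

PASV_MIN=4500 PASV_MAX=5000      # pasv_min_port / pasv_max_port from the config
SERVER=192.168.1.224
# Constructed inputs: 18*256+85 = 4693 and 18*256+168 = 4776, as in the capture.
REPLY_1='227 Entering Passive Mode (192,168,1,224,18,85).'
REPLY_2='227 Entering Passive Mode (192,168,1,224,18,168).'
REPLY_REDIRECT='227 Entering Passive Mode (10,0,0,9,18,85).'
SAMPLE_LINE='15:55:32.341781 IP 192.168.1.5.3644 > 192.168.1.224.4693: Flags [.], seq 1:1461, ack 1, win 65535, length 1460'

for _r in "$REPLY_1" "$REPLY_2" "$REPLY_REDIRECT"; do
    pasv_reply_check "$_r" "$SERVER" "$PASV_MIN" "$PASV_MAX" || :
done
_p=$(tcpdump_dst_port "$SAMPLE_LINE")
in_pasv_range "$_p" "$PASV_MIN" "$PASV_MAX" && echo "capture: dst port $_p within $PASV_MIN-$PASV_MAX"
```

The host check matters on the client side: a server (or something in the path) that answers PASV with a foreign address would otherwise make the client open a data connection to a third party, which is why well-behaved clients ignore the address in the 227 reply and reuse the control-connection peer.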




