The vsftpd of Linux

Source: Internet
Author: User
Tags: anonymous


#############################################################

I. VSFTPD INTRODUCTION

vsftpd (Very Secure FTP Daemon) is file-sharing software. It supports IPv6 and SSL encryption.

vsftpd's security rests mainly on three points:

Process separation: the processes that handle different tasks run independently of each other;

While running, each process holds only the minimum privileges it needs;

Most processes are jailed with chroot, so that clients cannot reach directories outside the share.

Install vsftpd:

yum install vsftpd -y

vsftpd core files and directories:

/etc/logrotate.d/vsftpd        # log rotation and backup configuration
/etc/pam.d/vsftpd              # PAM-based vsftpd authentication configuration
/etc/rc.d/init.d/vsftpd        # vsftpd start-up script
/etc/vsftpd                    # main software directory
/etc/vsftpd/ftpusers           # default vsftpd blacklist
/etc/vsftpd/user_list          # temporary blacklist; can be turned into a whitelist via the main configuration file
/etc/vsftpd/vsftpd.conf        # vsftpd main configuration file
/usr/sbin/vsftpd               # vsftpd main program
/var/ftp                       # default vsftpd share directory


#############################################################

II. Anonymous account login

vsftpd shares anonymously by default; the default share path is /var/ftp.

anonymous_enable=YES

local_enable=YES


#############################################################

III. Local account login

vim /etc/vsftpd/vsftpd.conf

Modify:

anonymous_enable=NO             # the share path is then the account's home directory

! Note: when a local account logs in, the user can leave the home directory and enter other directories on the system, which is very dangerous, so set in the file:

chroot_local_user=YES           # users are jailed in their own home directory

Test:

useradd -s /sbin/nologin tom
useradd -s /sbin/nologin jerry
useradd -s /sbin/nologin smith
touch /home/{tom,jerry,smith}/test.txt
setenforce 0
systemctl stop firewalld
service vsftpd start

#############################################################

IV. Virtual account login

1. Create the virtual users

vim /etc/vsftpd/userfile        # virtual user names and passwords, alternating one per line

Add:

westos1                         # user name 1
123                             # password of user 1
westos2                         # user name 2
123                             # password of user 2
westos3                         # user name 3
123                             # password of user 3

db_load -T -t hash -f /etc/vsftpd/userfile /etc/vsftpd/userfile.db

# db_load: builds the virtual user database
# -T: the input is a plain text file rather than db_dump output
# -t: the access method of the database to create
# hash: create a hash-type Berkeley DB database
# /etc/vsftpd/userfile: text file holding the user names and passwords
# /etc/vsftpd/userfile.db: the resulting hash database read by pam_userdb

rm -fr /etc/vsftpd/userfile     # delete the plaintext virtual user file


2. Modify the vsftpd configuration file and set the related parameters

vim /etc/vsftpd/vsftpd.conf

Add:

pam_service_name=vuser                   # PAM service used for authentication
userlist_enable=YES                      # enable the user_list file
tcp_wrappers=YES                         # enable tcp_wrappers
guest_enable=YES                         # all non-anonymous logins are mapped to the account named by guest_username
guest_username=ftp                       # the guest account
local_root=/ftpdir/$USER                 # root path when a local account accesses FTP
#local_root=/var/ftp/pub/                # alternative root path for local accounts
user_sub_token=$USER                     # $USER in local_root is replaced with the login name
allow_writeable_chroot=YES               # allow the chroot root directory itself to be writable
user_config_dir=/etc/vsftpd/vuser-conf   # directory holding the per-user configuration files

3. Authentication mechanism (account name and password)

vim /etc/pam.d/vuser

Add (pam_userdb appends the .db suffix itself, so db= names the file without it):

account required pam_userdb.so db=/etc/vsftpd/userfile
auth    required pam_userdb.so db=/etc/vsftpd/userfile

4. Create the root directory of each account

mkdir /ftpdir/westos1
mkdir /ftpdir/westos2
mkdir /ftpdir/westos3

5. Change permissions and group

chmod 775 /ftpdir/westos*
chgrp ftp /ftpdir/westos*
systemctl restart vsftpd

6. Per-user permissions

vim /etc/vsftpd/vuser-conf/westos1       # per-user configuration file; one file per virtual user, named after the user (guest users are treated as anonymous, so anon_* options apply)

Add: (whatever permissions you want to grant; an example follows)

anon_upload_enable=YES
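The following is an added check script, not code from the original page: it lints the virtual-user setup from steps 1 to 6 (userfile layout, per-user directories under /ftpdir, and the guest-mapping directives in vsftpd.conf). Paths are passed as arguments so it can be run against a scratch tree; the chgrp ftp check is left out because it needs the real ftp group to exist.

```shell
#!/bin/sh
# Added example (not from the original page): lint the virtual-user setup.
# It reads the alternating name/password userfile, checks that every virtual
# user has a mode-775 local_root directory under the FTP root, and checks the
# vsftpd.conf directives the guest mapping depends on.

# Names are the odd lines of the userfile (the even lines are passwords).
vuser_names() {
    awk 'NR % 2 == 1 && NF { print $1 }' "$1"
}

# Value of a directive in a vsftpd.conf-style file; empty if unset or commented out.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print "ok NAME", "missing NAME" or "mode NAME" per virtual user; return 1 on any problem.
check_vuser_dirs() {
    root=$1 userfile=$2 rc=0
    for u in $(vuser_names "$userfile"); do
        if [ ! -d "$root/$u" ]; then
            echo "missing $u"; rc=1
        elif [ -z "$(find "$root/$u" -maxdepth 0 -perm 775)" ]; then
            echo "mode $u"; rc=1
        else
            echo "ok $u"
        fi
    done
    return $rc
}

# Check the directives that make the guest mapping work and flag the one that
# weakens the chroot. Prints one line per finding; returns 1 on any FAIL.
check_guest_conf() {
    conf=$1 rc=0
    [ "$(conf_value "$conf" guest_enable)" = YES ] ||
        { echo "FAIL guest_enable must be YES"; rc=1; }
    [ "$(conf_value "$conf" user_sub_token)" = '$USER' ] ||
        { echo "FAIL user_sub_token must be \$USER"; rc=1; }
    case "$(conf_value "$conf" local_root)" in
        *'$USER'*) ;;
        *) echo "FAIL local_root must contain \$USER"; rc=1 ;;
    esac
    [ "$(conf_value "$conf" allow_writeable_chroot)" = YES ] &&
        echo "WARN allow_writeable_chroot=YES: the chroot root itself is writable"
    return $rc
}
```

Run it as `check_vuser_dirs /ftpdir /etc/vsftpd/userfile` before the userfile is deleted, and `check_guest_conf /etc/vsftpd/vsftpd.conf` after step 2.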

#############################################################

V. SELinux labelling of the shared directory

vim /etc/selinux/config                    # SELinux state; the labelling below only matters when it is not disabled

chcon -t public_content_t -R /ftpdir       # change the directory's type (temporary; lost when the file system is relabelled)

vim /etc/vsftpd/vsftpd.conf

Add:

anon_root=/ftpdir                          # share /ftpdir with anonymous and guest users

vim /etc/selinux/config                    # set SELINUX=enforcing

reboot

semanage fcontext -a -t public_content_t '/ftpdir(/.*)?'   # permanent labelling rule
semanage fcontext -l | grep ftpdir         # check that the rule was recorded
ls -Zd /ftpdir                             # show the directory's current context
restorecon -RvvF /ftpdir/                  # apply the rule to the existing files

#############################################################

SELinux (Security-Enhanced Linux)

I. Introduction to SELinux

A mandatory access control mechanism built into the Linux kernel, designed to strengthen the security of the traditional Linux operating system.

vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The SELinux master switch has three states: enforcing, permissive and disabled.

enforcing: enforcing mode (illegal access is blocked and recorded in the SELinux log)

permissive: warning mode (violations are recorded in the SELinux log but not blocked)

disabled: disabled (after setting disabled, the machine must be rebooted)

SELINUXTYPE=targeted sets the SELinux policy type; there are two types, targeted and mls

targeted: access control mainly for service processes

mls: control of all processes

#############################################################

II. Viewing and simple settings

Temporary setting (lost after reboot)

setenforce 0          # set SELinux to permissive mode
setenforce 1          # set SELinux to enforcing mode

Permanent setting (modify the configuration file)

vim /etc/sysconfig/selinux

#############################################################

III. Security context

SELinux attaches security labels to processes and files (SELinux user, role, type, level).

(1) SELinux security context

ls -Z                 # view the context of a file or directory

# ls -Z anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

ps auxZ               # view the context of processes

semanage login -l     # view the mapping between system accounts and SELinux users

# semanage login -l

Login name           SELinux user         MLS/MCS range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

(2) A SELinux user is granted specific roles, and a role is granted access to specific domains

(3) The type defines the domain of a process and the type of a file

(4) The level: MLS / MCS

#############################################################

IV. Modifying the security context

chcon -t admin_home_t /root/passwd              # change the type in a file's security context
chcon -R -t admin_home_t /root/                 # recursively change the context of a directory
chcon --reference=/etc/passwd /root/passwd      # copy the context of a reference file onto the target
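As an added example (not from the original page), the script below splits a context into the four fields listed in (1) to (4) and audits a share for entries whose type does not match the public_content_t rule set with semanage in section V. It works on ls -Z lines in the RHEL 7 format shown above (mode owner group context name), so it needs no SELinux tools; the sample listing is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the original page): parse SELinux contexts and find
# entries in a share that still carry the wrong type after a relabel.

# Print "user role type level" for a context such as system_u:object_r:admin_home_t:s0.
# The level can itself contain colons (s0-s0:c0.c1023), so only the first three are split.
split_context() {
    printf '%s\n' "$1" |
        awk -F: '{ lvl = $4; for (i = 5; i <= NF; i++) lvl = lvl ":" $i
                   print $1, $2, $3, lvl }'
}

# Read "ls -Z" lines on stdin and print the names whose type field is not the
# expected one; returns 1 if any were found, 0 if the whole share is labelled.
find_mislabelled() {
    awk -v want="$1" '
        NF >= 5 { split($4, f, ":"); if (f[3] != want) { print $5; bad = 1 } }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of "ls -Z /ftpdir" output after a partial relabel.
SAMPLE_LS='drwxrwxr-x. root ftp  unconfined_u:object_r:public_content_t:s0 westos1
drwxrwxr-x. root ftp  unconfined_u:object_r:default_t:s0 westos2
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 notes.txt'

# Entries that still need restorecon; exit status 1 means the rule was not fully applied.
audit_sample() {
    printf '%s\n' "$SAMPLE_LS" | find_mislabelled public_content_t
}
```

On a real system pipe `ls -Z /ftpdir` into `find_mislabelled public_content_t` instead of the sample.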
