#############################################################
One. VSFTPD introduction
VSFTPD (Very Secure FTP Daemon) is file-sharing software; it supports IPv6 and SSL encryption.
VSFTPD's security is mainly embodied in three aspects:
Process separation: the processes that handle different tasks run independently of each other;
While running, each process operates with the minimum privilege it needs;
Most processes are imprisoned with chroot, to prevent clients from accessing directories that are not meant to be shared;
Install VSFTPD:
yum install vsftpd -y
VSFTPD core files and directories:
/etc/logrotate.d/vsftpd    # log rotation and backup configuration file
/etc/pam.d/vsftpd          # PAM-based vsftpd authentication configuration file
/etc/rc.d/init.d/vsftpd    # vsftpd startup script
/etc/vsftpd                # main software directory
/etc/vsftpd/ftpusers       # default vsftpd blacklist
/etc/vsftpd/user_list      # temporary blacklist; can be turned into a whitelist via the main configuration file
/etc/vsftpd/vsftpd.conf    # main vsftpd configuration file
/usr/sbin/vsftpd           # vsftpd main program
/var/ftp                   # default vsftpd shared directory
#############################################################
Two. Anonymous account login
VSFTPD shares anonymously by default; the default share path is /var/ftp.
anonymous_enable=YES
local_enable=YES
#############################################################
Three. Local account login
vim /etc/vsftpd/vsftpd.conf
Modify:
anonymous_enable=NO    # the default share path is now the account's home directory
! Note: when a local account logs in, the user can leave the home directory and enter other directories on the system, which is very dangerous, so in the file set
chroot_local_user=YES  # users are imprisoned in their own home directory
Test:
useradd -s /sbin/nologin tom
useradd -s /sbin/nologin jerry
useradd -s /sbin/nologin smith
touch /home/{tom,jerry,smith}/test.txt
setenforce 0
systemctl stop firewalld
service vsftpd start
#############################################################
Four. Virtual account login
1. Create the virtual users
vim /etc/vsftpd/userfile    # virtual user name and password file
Add:
westos1    # user name 1
123        # password of user 1
westos2    # user name 2
123        # password of user 2
westos3    # user name 3
123        # password of user 3
db_load -T -t hash -f /etc/vsftpd/userfile /etc/vsftpd/userfile.db
# db_load: builds the virtual-user database
# -T: lets the application load a text file and translate it into the database
# -t: specifies the type of database to load into
# hash: the database access method (a Berkeley DB hash table)
# /etc/vsftpd/userfile: plaintext user names and passwords
# /etc/vsftpd/userfile.db: the generated database file
rm -fr /etc/vsftpd/userfile    # delete the plaintext virtual-user file
2. Modify the VSFTPD configuration file and set the related parameters
vim /etc/vsftpd/vsftpd.conf
Add:
pam_service_name=vuser                  # PAM service used for authentication
userlist_enable=YES                     # enable the userlist file
tcp_wrappers=YES                        # enable tcp_wrappers
guest_enable=YES                        # every non-anonymous login is mapped to the account named by guest_username
guest_username=ftp                      # the guest account
local_root=/ftpdir/$USER                # root path of the FTP tree for local accounts
#local_root=/var/ftp/pub/               # alternative: one shared root path for all local accounts
user_sub_token=$USER                    # token in local_root that is replaced by the login name
allow_writeable_chroot=YES              # allow the chroot root directory itself to be writable
user_config_dir=/etc/vsftpd/vuser-conf  # directory holding the per-user configuration files
3. Authentication mechanism (account and password)
vim /etc/pam.d/vuser
Add:
account required pam_userdb.so db=/etc/vsftpd/userfile
auth    required pam_userdb.so db=/etc/vsftpd/userfile
4. Create the root directories of the local accounts
mkdir /ftpdir/westos1
mkdir /ftpdir/westos2
mkdir /ftpdir/westos3
5. Change the permissions and the group
chmod 775 /ftpdir/westos*
chgrp ftp /ftpdir/westos*
systemctl restart vsftpd
6. Per-user configuration
vim /etc/vsftpd/vuser-conf/westos*    # configuration file of each virtual user
Add: (whatever permissions you want to grant; example below)
anon_upload_enable=YES
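The settings from sections Two to Four interact: anonymous_enable defaults to on, local users are only confined when chroot_local_user is set, and guest_enable maps every virtual login onto one local account. The POSIX shell script below is an added example (not code from the original page or from the vsftpd project) that reads a vsftpd.conf and prints a note for each setting worth reviewing. The function names, the sample configuration and the notes are constructed for this example; the fallback values used when an option is absent are vsftpd's own documented defaults.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a vsftpd.conf for the
# login settings discussed in sections Two to Four (anonymous login, local
# login without chroot, guest mapping of virtual users, writable chroot root).
# Function names and the sample configuration are constructed for this example.

# Print the value of option $1 from config file $2; vsftpd applies the last
# occurrence, so the last one wins. $3 is vsftpd's documented default for the
# option, used when it is absent. Lines commented out with # never match.
vsftpd_get() {
    v=$(sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd treats YES/TRUE/1 as true (case-insensitive); anything else is false here.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one note per notable setting; the return value is the number of notes.
vsftpd_audit() {
    cfg=$1
    n=0
    if is_yes "$(vsftpd_get anonymous_enable "$cfg" YES)"; then
        echo "anonymous login is on; anonymous share root is $(vsftpd_get anon_root "$cfg" /var/ftp)"
        n=$((n + 1))
    fi
    if is_yes "$(vsftpd_get anon_upload_enable "$cfg" NO)"; then
        echo "anonymous upload is on"
        n=$((n + 1))
    fi
    if is_yes "$(vsftpd_get local_enable "$cfg" NO)" && ! is_yes "$(vsftpd_get chroot_local_user "$cfg" NO)"; then
        echo "local users are not chrooted: they can leave their home directory"
        n=$((n + 1))
    fi
    if is_yes "$(vsftpd_get allow_writeable_chroot "$cfg" NO)"; then
        echo "a writable chroot root is allowed"
        n=$((n + 1))
    fi
    if is_yes "$(vsftpd_get guest_enable "$cfg" NO)"; then
        echo "every non-anonymous login runs as local account $(vsftpd_get guest_username "$cfg" ftp)"
        n=$((n + 1))
    fi
    tok=$(vsftpd_get user_sub_token "$cfg" "")
    root=$(vsftpd_get local_root "$cfg" "")
    if [ -n "$tok" ]; then
        case "$root" in
            *"$tok"*) ;;
            *) echo "user_sub_token=$tok is set but local_root='$root' never uses it"
               n=$((n + 1)) ;;
        esac
    fi
    if ! is_yes "$(vsftpd_get ssl_enable "$cfg" NO)"; then
        echo "ssl_enable is off: passwords and files cross the network in cleartext"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample mirroring the virtual-user setup in section Four.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=ftp
local_root=/ftpdir/$USER
user_sub_token=$USER
allow_writeable_chroot=YES
EOF
vsftpd_audit "$SAMPLE_CONF" || echo "-- $? note(s)"
rm -f "$SAMPLE_CONF"
```

Run it against a real server with `vsftpd_audit /etc/vsftpd/vsftpd.conf`; a non-zero return value means at least one note was printed. Note that anonymous_enable is reported as on when the option is missing altogether, because that is vsftpd's built-in default.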
#############################################################
Five. SELinux settings for the shared directory
vim /etc/selinux/config
chcon -R -t public_content_t /ftpdir
vim /etc/vsftpd/vsftpd.conf
+ anon_root=/ftpdir
vim /etc/selinux/config
reboot
vim /etc/selinux/config
reboot
semanage fcontext -a -t public_content_t '/ftpdir(/.*)?'
semanage fcontext -l | grep ftpdir
ls -Zd /ftpdir
restorecon -RvvF /ftpdir/
#############################################################
SELinux (Security-Enhanced Linux)
One. Introduction to SELinux
A mandatory access control mechanism based on the Linux kernel, designed to enhance the security of the traditional Linux operating system.
vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The SELinux master switch has three states: enforcing, permissive, disabled
enforcing: enforcing mode (illegal access is intercepted and recorded in the log)
permissive: warning mode (illegal access is recorded in the SELinux log but not intercepted)
disabled: disabled (after setting disabled, the computer must be restarted)
SELINUXTYPE=targeted sets the SELinux policy type; there are two types, targeted and mls
targeted: access control mainly for service processes
mls: control of all processes
#############################################################
Two. Access and simple settings
Temporary setting (lost after reboot)
setenforce 0    # set SELinux to permissive mode
setenforce 1    # set SELinux to enforcing mode
Permanent setting (modify the configuration file)
vim /etc/sysconfig/selinux
#############################################################
Three. Security context
SELinux adds security information tags to processes and files (SELinux user, role, type, level)
(1) SELinux security context
ls -Z    view the context information of a file or directory
# ls -Z anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
ps auxZ    view the context information of processes
semanage login -l    # view the mapping between system accounts and SELinux users
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
(2) An SELinux user is granted specific roles, and a role is granted permission to operate in specific domains
(3) The type defines the domain of a process and the type of a file
(4) The level is used by MLS and MCS
#############################################################
Four. Modifying the security context
chcon -t admin_home_t /root/passwd          # change the type in a file's security context
chcon -R -t admin_home_t /root/             # recursively change the security context of a directory
chcon --reference=/etc/passwd /root/passwd  # copy the security context of a reference file
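The context string shown in section Three has four colon-separated fields, and the fcontext rule in section Five expects every object under /ftpdir to carry the type public_content_t; a file created or copied in with another type is exactly what chcon or restorecon (section Four and Five) has to repair. The POSIX shell script below is an added example (not code from the original page) that splits a context into its fields and lists the entries of an ls -Z listing whose type differs from the expected one. The function names and the sample listing are constructed for this example; the listing follows the ls -Z layout shown above (mode, owner, group, context, name).

```shell
#!/bin/sh
# Added example, not part of the original page: pull apart SELinux security
# contexts ("user:role:type:level") and flag files under a share whose type is
# not the one the fcontext rule in section Five expects (public_content_t).
# Function names and the sample ls -Z lines are constructed for this example.

# Print one field of a context string. The level may itself contain ':'
# (for example s0-s0:c0.c1023), so it is everything after the third ':'.
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Read ls -Z lines in the layout shown above (mode owner group context name)
# from stdin and print "name type" for every entry whose type is not $1.
# Newer coreutils print only "context name" for ls -Z; use ls -lZ there and
# adjust the read below to the extra columns.
lsz_wrong_type() {
    expected=$1
    while read -r mode owner group ctx name; do
        [ -n "$ctx" ] || continue     # skips blank lines and "total N" headers
        t=$(ctx_field "$ctx" type)
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

# Count the mismatches so a caller can fail a check when the number is non-zero.
count_wrong_type() {
    printf '%s\n' "$2" | lsz_wrong_type "$1" | wc -l | tr -d ' '
}

# Constructed listing of /ftpdir after mkdir + chgrp but before restorecon:
# westos2 still carries default_t, and notes.txt was copied in from /root.
SAMPLE_LSZ='drwxrwxr-x. root ftp  unconfined_u:object_r:public_content_t:s0 westos1
drwxrwxr-x. root ftp  unconfined_u:object_r:default_t:s0 westos2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 notes.txt'

printf '%s\n' "$SAMPLE_LSZ" | lsz_wrong_type public_content_t
```

On a live system the same check is `ls -Z /ftpdir | lsz_wrong_type public_content_t`; whatever it lists is what `restorecon -RvvF /ftpdir/` resets once the semanage fcontext rule from section Five is in place.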