The following steps were all performed on Ubuntu Server 14.04 x64.
Business requirements:
We need an FTP account user1 that can only log in to the /www directory and cannot change to its parent directory. For security reasons, files uploaded by this account must end up with permissions 644, that is, readable and writable by the owner but not executable.
One: Install vsftpd
sudo apt-get -y install vsftpd
List the files installed by the vsftpd package:
dpkg -L vsftpd | tac
Two: vsftpd configuration
1. Create the system user as follows:
sudo useradd -m -s /bin/bash ftpuser
Note: the ftpuser account cannot log in to the system yet, because no password has been set for it. We do not need ftpuser to be able to log in, which is safer.
After the user is created, we create the corresponding directory and make ftpuser its owner, as follows:
sudo mkdir /www
sudo chown -R ftpuser:ftpuser /www/
Once the system user is set up, we create login.txt, the file holding the user names and passwords used to log in to vsftpd. The file consists of pairs of lines: a user name on one line and its password on the next:
sudo mkdir /etc/vsftpd/
sudo vim /etc/vsftpd/login.txt
user1
password1
After login.txt is written, we convert it into a Berkeley DB hash database with db_load. This is not encryption: the database stores the user names and passwords exactly as given, so keep both files readable only by root. db_load is provided by the db-util package, so install it first:
sudo apt-get -y install db-util
Once db-util is installed, build login.db from login.txt with db_load, as follows:
sudo db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db
With login.db created, we now configure PAM authentication for vsftpd.
2. PAM authentication configuration
For vsftpd's PAM authentication I did not use the /etc/pam.d/vsftpd file that was generated when vsftpd was installed.
Create the authentication file as follows (pam_userdb appends the .db suffix itself, so the db= path is given without it):
sudo vim /etc/pam.d/vsftpd.virtual
auth required pam_userdb.so db=/etc/vsftpd/login
account required pam_userdb.so db=/etc/vsftpd/login
The contents of vsftpd.virtual can also be adjusted to the OS version. I am using Ubuntu x64, so the module can also be given with its full path:
auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
3. vsftpd permissions configuration
According to the business requirements, vsftpd.conf contains the following (comments and blank lines filtered out). Note that pam_service_name appears twice; vsftpd uses the last value, vsftpd.virtual:
grep -vE "^#|^$" /etc/vsftpd.conf
listen=yes
listen_ipv6=no
anonymous_enable=no
local_enable=yes
write_enable=yes
local_umask=022
dirmessage_enable=yes
use_localtime=yes
xferlog_enable=yes
connect_from_port_20=yes
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=yes
chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=no
guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000
Relative to the default vsftpd.conf, the settings to add or merge are as follows:
#listen=yes
listen_ipv6=no
#anonymous_enable=no
#local_enable=yes
write_enable=yes
local_umask=022
#dirmessage_enable=yes
#use_localtime=yes
#xferlog_enable=yes
#connect_from_port_20=yes
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=yes
chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes
#secure_chroot_dir=/var/run/vsftpd/empty
#pam_service_name=vsftpd
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=no
guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000
Several points in the above configuration file deserve attention.
local_enable=yes
write_enable=yes
local_umask=022
These enable write access for system (local) users. In particular, write_enable=yes must be set, otherwise vsftpd virtual users will not be able to log in to vsftpd.
Why is that? Because the virtual user depends on the system user.
chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes
These three items chroot vsftpd users so that they cannot change to the parent directory.
guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
These three items enable vsftpd virtual users and set the directory holding the per-user configuration files.
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000
These three items enable vsftpd passive mode and set its port range.
3.4 Virtual user configuration
After vsftpd.conf has been modified, we now configure the permissions of the virtual user. The file name must match the FTP user name exactly:
sudo mkdir /etc/vsftpd/vu
sudo vim /etc/vsftpd/vu/user1
guest_username=ftpuser
local_root=/www/
virtual_use_local_privs=yes
anon_umask=133
Of these parameters, guest_username=ftpuser maps the FTP account to the system user ftpuser.
local_root=/www/ is the directory the user lands in after logging in to FTP.
virtual_use_local_privs=yes gives virtual users the same privileges as local users.
anon_umask is the default mask for uploaded files. The permission of an uploaded file is calculated as 777 minus anon_umask. Here we set it to 133, so uploaded files get permissions 644: the uploaded file is readable and writable by its owner and has no execute permission.
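The following script is an added example, not part of the original article. It checks a vsftpd.conf and a per-user file against the requirements above the way a deployment check would: it resolves each option as vsftpd does (comments skipped, the last occurrence of a key wins, which matters because pam_service_name appears twice), computes the mode an uploaded file will actually receive, and fails on anonymous access, a missing chroot, or executable uploads. The configs it reads are constructed copies written to a temporary directory, not the live /etc/vsftpd.conf or /etc/vsftpd/vu/user1; the upload-mode calculation uses vsftpd's file_open_mode, whose default is 0666.

```shell
#!/bin/sh
# Added example (not from the original article): resolve vsftpd settings the
# way the daemon does, compute the upload mode, and check the requirements.

# vsftpd_get CONF KEY: print the effective value of KEY (lower-cased), or
# nothing if the key is not set. Later lines override earlier ones.
vsftpd_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        {
            k = tolower($1); gsub(/[ \t\r]/, "", k)
            if (k == key) {
                val = tolower(substr($0, index($0, "=") + 1))
                gsub(/[ \t\r]/, "", val)
            }
        }
        END { print val }' "$1"
}

# vsftpd_upload_mode UMASK [FILE_OPEN_MODE]: octal mode of a new upload.
# vsftpd opens uploads with file_open_mode (default 0666) and applies the
# umask to that, so 0666 & ~0133 and 0666 & ~0022 both yield 644; the
# "777 minus umask" shorthand over-predicts execute bits.
vsftpd_upload_mode() {
    printf '%o\n' "$(( 0${2:-666} & ~0$1 ))"
}

# vsftpd_check MAIN_CONF USER_CONF: print every violated requirement and
# return 1 if there was any, 0 if the configuration meets all of them.
vsftpd_check() {
    rc=0
    for want in anonymous_enable=no local_enable=yes write_enable=yes \
                chroot_local_user=yes allow_writeable_chroot=yes \
                guest_enable=yes pam_service_name=vsftpd.virtual; do
        key=${want%%=*}; exp=${want#*=}
        got=$(vsftpd_get "$1" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$exp'"; rc=1
        fi
    done
    # Uploads must not be executable whichever umask vsftpd applies to this
    # user (local_umask or anon_umask; vsftpd's default for both is 077).
    fom=$(vsftpd_get "$1" file_open_mode)
    for u in "$(vsftpd_get "$1" local_umask)" "$(vsftpd_get "$2" anon_umask)"; do
        mode=$(vsftpd_upload_mode "${u:-077}" "${fom:-666}")
        if [ $(( 0$mode & 0111 )) -ne 0 ]; then
            echo "FAIL: uploads would be executable (mode $mode, umask ${u:-077})"; rc=1
        fi
    done
    return $rc
}

# Constructed copies of the article's two files, written to a temp dir.
DEMO=$(mktemp -d)
cat > "$DEMO/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
pam_service_name=vsftpd
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF
cat > "$DEMO/user1" <<'EOF'
guest_username=ftpuser
local_root=/www/
virtual_use_local_privs=YES
anon_umask=133
EOF
# A weakened copy: anonymous login back on and uploads opened with mode 0777.
{ sed 's/^anonymous_enable=NO/anonymous_enable=YES/' "$DEMO/vsftpd.conf"
  echo file_open_mode=0777; } > "$DEMO/weak.conf"

if vsftpd_check "$DEMO/vsftpd.conf" "$DEMO/user1"; then echo "vsftpd.conf: OK"; fi
if ! vsftpd_check "$DEMO/weak.conf" "$DEMO/user1"; then echo "weak.conf: rejected"; fi
```

On a real host, point vsftpd_check at /etc/vsftpd.conf and /etc/vsftpd/vu/user1 after editing them and before restarting the service; the weakened copy shows what a misconfiguration report looks like (anonymous_enable flipped, and file_open_mode=0777 with local_umask=022 giving executable uploads).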
After all of the above configuration is complete, restart vsftpd as follows:
sudo service vsftpd restart
Three: iptables configuration
In a real production environment we usually turn on the firewall for safety.
On Ubuntu we can also use iptables for protection.
The iptables configuration is as follows: save the current rules to a file, restore them from that file, and list them to confirm:
sudo iptables-save > /home/ilanni/iptables.rule
sudo iptables-restore < /home/ilanni/iptables.rule
sudo iptables -nL
Then add these two lines to the interface stanza in /etc/network/interfaces, so the rules are restored when the interface comes up and saved when it goes down:
sudo vim /etc/network/interfaces
pre-up iptables-restore < /home/ilanni/iptables.rule
post-down iptables-save > /home/ilanni/iptables.rule
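The article shows how to save and restore the rule file but not the rules themselves. The script below is an added example, not part of the original article: it reads the passive port range from a vsftpd.conf and emits an iptables-restore file that accepts the control port (21) and that passive range inbound while dropping everything else. The rule for port 22 (SSH) is an assumption so that the host stays manageable; remove it if you administer the machine another way. The config it reads is a constructed copy in a temporary directory, and the output file name is only an example.

```shell
#!/bin/sh
# Added example (not from the original article): build an iptables-restore
# rule set matching the vsftpd passive port range.

# pasv_range CONF: print "min:max" from pasv_min_port/pasv_max_port
# (last occurrence wins, like vsftpd). Returns 1 if either is missing.
pasv_range() {
    min=$(sed -n 's/^pasv_min_port=//p' "$1" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=//p' "$1" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    echo "$min:$max"
}

# ftp_rules RANGE: emit rules in iptables-restore format. Inbound is
# default-deny; only loopback, replies to our own connections, SSH
# (assumed), FTP control and the passive data range are accepted. Active
# mode (connect_from_port_20) is outbound from the server and is covered
# by the OUTPUT ACCEPT policy.
ftp_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport $1 -j ACCEPT
COMMIT
EOF
}

# Constructed copy of the relevant vsftpd.conf lines, in a temp dir.
DEMO=$(mktemp -d)
cat > "$DEMO/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF

RANGE=$(pasv_range "$DEMO/vsftpd.conf")
ftp_rules "$RANGE" > "$DEMO/iptables.rule"
echo "wrote $DEMO/iptables.rule for passive range $RANGE"
# To apply on a real host (not run here): sudo iptables-restore < iptables.rule
```

Generate the file from the live /etc/vsftpd.conf, review it, load it with iptables-restore, and only then save it to the path referenced by the pre-up and post-down lines in /etc/network/interfaces, so a boot never restores an untested rule set.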
Ubuntu vsftpd virtual user configuration