VSFTP PASV mode (passive mode transfer) and port mode and Linux under Vsftp configuration full scheme

What is called PASV mode (passive mode transfer)? How did he work?

FTP connections are generally two connections, one is the client and server transfer commands, and the other is the data transfer connection. FTP Service program generally support two different modes, one is Port mode, one is passive mode (PASV), I first say the two different modes of connection.

Let's assume that the client is C and the server is S.

Port mode:

When the client C is connected to the server, using the port mode, then client C sends a command to tell the server S (client C opens a port on the local n is waiting for you to make a data connection), when the server side s receives this port command, the client opens the port N to connect, This data connection is generated.

PASV mode:

When the client C is connected to the server side s, the server will send a message to client C, this information is (the server has opened a port m, you go to connect me now), when the client C received this information, the server can be connected to the M port, the connection is successful, the data connection was established.

From the above explanation, we can see that the main difference between the two modes is the data connection is established differently, for the port mode, is the client C on the local open a port and other server s to connect to establish a data connection, and the PASV mode is the server s open a port waiting for client C to establish a data connection.

Do I need to set the transfer mode to PASV mode?

If you connect to the Internet in such a way that you need to set it to PASV mode mode transfer

The route has two IP one is the intranet IP (that is, your gateway address) and the other is the external network IP, all of your LAN computers are sharing this 218.63.1.5 access to the Internet (in the middle through the 192.168.1.1 this gateway), Let's look at a detailed procedure for the connection so that you

Learn more about why you need to set up to be PASV mode transfer:

When you download the movie through the download tool or use the browser to start the connection to the FTP server, when the FTP service received your connection request sent a response to the customer and began to wait for the user's authentication information,–> certification after the start of establishing a data connection if you are not set to become PASV mode, then the customer segment ( Download tool) will open a data port on the local computer, and then send a "command" to the FTP service segment, (I have opened the n port you can now connect me), then the FTP server segment will start to connect your IP address n port, (but the connection is failed) because you are through the 192.168.1.1 This gateway (your routing device) accesses the FTP service segment of the Internet he is actually connected to your extranet address 218.63.1.5, which is simply not connected to the port you opened in the Download tool, for example, you are using the 192.168.1.2 client. FTP Service segment At this time can not be with your computer 192.168.1.2) listening port n connection, so at this point you will see the server feedback error message, prompted you 192.168.1.2 open port can not connect, such as, information at this time you need to set the transfer mode into PASV mode, And if you're using PASV mode then when your FTP passes the authentication, the customer segment first sends a PASV command to the server, the service segment accepts the command and opens a port and tells the customer segment "I have opened a port, you can now connect to the customer segment (download tool) after receiving the information, To connect to a port that has already been opened by the service segment to complete the data connection, all FTP-downloaded traffic is routed through this port

And when using Iptables to do NAT, the two modules (ip_nat_ftp, ip_conntrack_ftp) should be loaded in order to connect to the FTP server normally. Otherwise PASV passive mode cannot connect to the FTP server.

FTP Mode and Data port

FTP is divided into two categories, PORT FTP and PASV ftp,port FTP are general forms of FTP. These two FTP operations are the same when establishing a control connection, both the client first and the FTP server control port (the default value is 21) to establish a control link, and through this link to transfer operation instructions. They differ in the way that data transfer ports (Ftp-data) are used. Port FTP Specifies the ports used by the FTP server for data transfer, with a default value of 20. PASV FTP The FTP client determines the port for data transfer. PASV FTP This approach, mainly considering the existence of firewalls in the environment, by the client and the server to communicate (the client sends a data transfer request to the server contains the data transfer port), it is more convenient to determine the data port between the two.

Port_enable=yes|no

Set this option to No if you want to cancel port mode when the data is connected. The default value is yes.

Connetc_from_port_20=yes|no

Controls whether 20 ports (ftp-data) are used for data transfer in port mode. Yes use, no not used. The default value is no, but this parameter is set to Yes in the vsftpd.conf file that comes with RHL.

Ftp_data_port=port number

Sets the FTP data transfer port (ftp-data) value. The default value is 20. This parameter is used for port FTP mode.

Port_promiscuous=yes|no

The default value is No. When yes, the port security check is canceled. This check ensures that outgoing data can only be connected to the client. Be careful to turn this option on.

Pasv_enable=yes|no

YES, PASV mode is used when data transfer is allowed. No, use PASV mode is not allowed. The default value is yes.

Pasv_min_port=port number
Pasv_max_port=port number

Set in PASV mode, the lower and upper bounds of the port range can be used to set up the data transfer, and 0 means arbitrary. The default value is 0. Setting the port range to a relatively high range, such as 50000-60000, will help improve security.

Pasv_promiscuous=yes|no

When this option is activated, security checks for PASV mode are turned off. This check ensures that the data connection and the control connection are from the same IP address. Be careful to turn this option on. The only reasonable use of this option is in an organization that is comprised of a secure tunneling scheme. The default value is No.

pasv_address=

This option is a numeric IP address as a response to the PASV command. The default value is None, which means that the address is fetched from the inbound connection socket (incoming CONNECTD socket).

So if Linux opens the fire farm, the corresponding ports must be opened such as:

-A rh-firewall-1-input-m state–state new-p tcp-m tcp–dport 30000:31000–syn-j ACCEPT

Four, firewall configuration

#!/bin/bash

#ip. Sh

echo "1″>/proc/sys/net/ipv4/ip_forward

Modprobe ip_conntrack_ftp

Modprobe ip_nat_ftp

Iptables-f

Iptables-x

Iptables-z

Iptables-t nat-f

Iptables-t Nat-x

Iptables-t nat-z

Iptables-p INPUT ACCEPT

Iptables-p OUTPUT ACCEPT

Iptables-p FORWARD DROP

Iptables-t filter-a forward-p tcp-s 172.16.0.0/16-d 192.168.0.10–dport 21-j ACCEPT

Iptables-t filter-a forward-p tcp-s 192.168.0.10–sport 21-j ACCEPT

Iptables-t filter-a forward-p tcp-s 172.16.0.0/16-d 192.168.0.10–dport 30000:310000-j ACCEPT

Iptables-t filter-a forward-p tcp-s 192.168.0.10–sport 3000:4000-j ACCEPT

Iptables-t filter-a forward-p tcp-m state–state related,established-j ACCEPT

Iptables-t filter-a forward-p icmp–icmp-type 8-j ACCEPT

Iptables-t filter-a forward-p icmp–icmp-type 0-j ACCEPT

Five, verify:

# in XP under the FTP command connection, are active mode connection, you can use a graphical interface software, the default is generally passive mode.

# Netstat-an|grep 172

Linux under Vsftp configuration full scheme

Outline:

A brief introduction to the VSFTPD

Second, Enterprise Linux under the VSFTPD solution

Three, VSFTPD related configuration file detailed

One, VSFTPD's brief:

VSFTP (Very Secure FTP Daemon, very secure FTP server). As the name implies, VSFTPD design is the starting point is security. At the same time, with the continuous upgrade of the version, VSFTPD has made great progress in performance and stability. In addition to excellent security and performance, there is also a good ease of use. Red hat is using VSFTPD on its own FTP server (ftp.redhat.com)

Second, Enterprise Linux under the VSFTPD combat solution

Requirements:

1. User: Netseek_com;ftp:ftp.netseek.com (192.168.0.21, I have configured the relevant DNS)

2. Prohibit anonymous login, prohibit users from leaving the user directory

3. Command Channel port using 5021, data channel port using 5020 (you can change to the port you want to set, such as 1021,1020)

4. Allow the use of the passive mode port range of 10010~10020.

5. User bandwidth is set to 200KPS, user space is limited to 300M, allow 10MB buffer in grace period

The following are the steps:

In order to more fully describe the installation process, I am on my other host (Netseek) configuration, on the machine ip:192.168.0.20 bound 192.168.0.21, also configured the relevant DNS resolution, here I will not say more please refer to the " Linux Almighty Web Server Setup. "

1. Configure related services

Start the service:

[Email protected] root]# #rpm –qa | grep vsftpd; see if the VSFTPD service is installed

#/etc/init.d/vsftpd start; Launch service

#chkconfig vsftpd on; Let system services start as the system starts

To configure related documents:

#vi/etc/vsftpd/vsftpd.conf

Prohibit anonymous user access:

Anonymous_enable=yes, change YES to No

At the end of the file, add the following settings:

# new added by Netseek

listen_port=5021; command Channel port, default = 21

listen_data_port=5020; Data channel port, default is 20

Pasv_enable=yes; Allow passive mode

pasv_min_port=10000; Using the port range in passive mode

pasv_max_port=10010

local_max_rate=200000; user Broadband restrictions

Chroot_local_user=yes the user from the home directory

listen_address=192.168.0.21, let him monitor the ip:192.168.0.21.

Note: do not add ";" during the addition process. And these Chinese notes, here I am in order to facilitate everyone to understand before adding.

2. Add a virtual host user

Add user netseek_com, the user directory is specified as/var/www/netseek.com, and this user cannot log on to the system.

#mkdir/var/www/netseek.com

#useradd –s/sbin/nologin–d/var/www/netseek.com netseek_com

Note-s/sbin/nologin is not allowed to log on to the system,-D is the specified user directory for/var/www/netseek.com

#passwd netseek_com (Do not Hack me 3ks) dnhm3ks This is the password I set

#chown –R netseek_com:netseek_com/var/www/netseek.com

Note: Set all and belonging groups of the user directory and its subdirectories to netseek_com

3. Configure disk quotas

I have more than one partition on my disk during the installation process,/home,/var,/,/www,tmp,swap,/boot multiple partitions separately. It is recommended that you divide the disk into separate partitions, which reduces the risk of data loss due to disk partition corruption.

#[[email protected] root]# Rpm-qa | grep quota

quota-3.06-9; My system has the disk quota tool installed

#vi/etc/fstab

Find Similar

Label=/var/var ext3 Defaults 1 2

By adding Usrquota after defaults, replace the following:

Label=/var/var ext3 Defaults,usrquota 1 2

Reload/var this partition:

#mount –o Remount/var

#cd/var Enter this directory

#touch Quota.user

#chmod Quota.user

#quotacheck –mf/var Force detection of disk partition space usage

[Email protected] var]# Quotacheck-mf/var

Quotacheck:warning–quotafile/var/quota.user was probably truncated. Can ' t save Quota Settings ...

Rebooting the system

This warning will appear the first time you run it, and it will not work again.

To specify user quotas:

#edquota netseek_com Set disk quotas for user netseek_com.

Disk quotas for User netseek_com (UID 501):

Filesystem blocks soft hard inodes soft hard

/dev/sda5 6616 307200 0 15 0 0

Note:

Ilesystem blocks soft hard inodes soft hard

filesystem-the file system being set up, do not modify or delete

bolock-current use of the touch disk space, in kilobytes

Soft (first)-Floppy space limit, default 0, means no limit, I am set to 300M here.

Hard (first)-rigid quota limit, 0 means no limit.

inodes-Current number of files

Soft (second)-a soft limit on the number of files, 0 means no Limit

Hard (second)-rigid limit on the number of files, 0 means no Limit

Let the system start is loaded automatically:

#vi/etc/rc.d/rc.local, add the following:

/ETC/INIT.D/VSFTPD start

/sbin/quotacheck

/sbin/quotaon–avu

Now see how netseek_com users are using disk space

[Email protected] ~]# quota-u netseek_com

Disk quotas for User netseek_com (UID 501):

Filesystem blocks Quota limit grace files quota limit Grace

/dev/sda5 6616 307200 0 15 0 0

Note: For more quota commands, please check with the man command, Ugo (Vbird) said, we must learn to find men!

4. Effect Demo, landing demo:

Four, VSFTPD related configuration detailed

1. Anonymous user-related settings

Anonymous_enable=yes, change YES to No, disable anonymous user login

#non_mkdir_write_enable =yes, remove the # comment and allow anonymous users to create a directory

#non_upload_enalbe =yes, remove #, allow anonymous users to upload

Anon_world_readable_only=yes, allow anonymous users to download, is forbidden by default, this can be added by itself.

Anon_other_write_enable=yes, set it to Yes, in addition to uploading and creating directories, you can also rename, delete files, default is no

No_anon_password=no, set it to Yes, anonymous users will not query the user password directly login.

FTP_USERNAME=FTP, anonymous user Login System account default is FTP, this item is best not to change, otherwise improper setting will bring the system security threat.

2.FTP Service Port Designation

listen_port=8021, specifying a command channel of 8021, which defaults to 21

listen_data_port=8020, specifying a data channel of 8020 with a default of 20

3. Settings for upload mode

Pasv_enable=yes, it is allowed to use passive mode, by default.

pasv_min_port=10000, specifying the minimum value to open the port when using passive mode

pasv_max_port=10004, specifies the maximum number of ports to open when using passive mode.

4.VSFTP server Specifies IP address

Listen_address=192.168.0.21, specifying FTP,IP address

Note: The specified IP is only allowed when the VSFTP is running in standalone mode, and if the VSFPD file is already established under the/ETC/XINETD.D directory, the disable in the file must be set to Yes.

5. Lock users and prevent users from leaving the user home directory

Chroot_local_user=yes, set it to YES, locked in the user home directory, set to No, can switch

To set the specified user to lock the user home directory:

#chroot_list_enable =yes

#chroot_list_file =/etc/vsftpd.chroot_list

Change it to read as follows:

Chroot_list_enable=no

Chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

Save the above and do the following:

#touch/etc/vsftpd/vsftpd.chroot_list

#vi/etc/vsftpd/vsftpd.chroot_list, add a list of users to the file, such as:

Netseek_com

Traffic control for 6.FTP servers

max_clients=100; Maximum number of connections allowed, defined as 100, default is 0, table has no limit

Max_per_ip=5; The number of connections allowed per IP, 0 tables without limits, need to be run in standalone mode before

anon_max_rate=50000; Maximum bandwidth for anonymous users in bps

local_max_rate=200000; Maximum system user bandwidth

How do I limit traffic to a given user?

#vi/etc/vsftpd/vsftpd.conf, add a line:

User_config_dir=/etc/vsftpd/userconf

#touch/etc/vsftpd/userconf/netseek_com to create a netseek_com file for the netseek_com user

#vi/etc/vsftpd/userconf/netseek_com Add the following:

local_max_rate=100000

Save the Restart service.

7. Customized Welcome information

Directory Description Settings

#vi/etc/vsftpd/vsftpd.conf

#dirmessage_enable =yes, before the # removed.

Then we customize a. Message, write what you want to write, and then copy the file to the individual user's home directory, OK.

System Welcome Message Settings

Ftpd_banner=welcome to ftp.netseek.com, Yeah!!!

System Welcome message File Settings

Banner_file=/etc/vsftpd/welcome is similar to Ftpd_banner, except that banner_file specifies a welcome file.

VSFTP PASV mode (passive mode transfer) and port mode and Linux under Vsftp configuration full scheme