I. Features implemented:
- Domain user authentication (users from the Windows domain, via PAM and LDAP)
- SSL encryption of the FTP control and data channels
- Isolation of virtual domain users (every domain user is mapped to one unprivileged local account)
- A shared public directory
- Per-user directories for multiple users
II. Implementation steps:
1. Basic system settings: computer name, IP address, gateway, subnet mask and DNS.
2. Install the required software
yum install httpd -y
yum install vsftpd* -y
yum install pam* -y
yum install mod_ssl* -y
(httpd and mod_ssl are the Apache web server and its TLS module; the guide installs them, but vsftpd does not depend on them. Afterwards check that pam_ldap.so, which step 6 relies on, is present under /lib/security or /lib64/security.)
3. Create the host user that the vsftpd service runs as
useradd vsftpd -s /sbin/nologin
4. Create the host user that virtual users are mapped to
useradd virtusers -s /sbin/nologin
5. VSFTPD Configuration
1) Edit the vsftpd.conf configuration file. Back it up first:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
vi /etc/vsftpd/vsftpd.conf
Directive names in vsftpd.conf are lowercase and case-sensitive; an unrecognised name makes the daemon stop with "500 OOPS: unrecognised variable". The settings used, with their purpose:
anonymous_enable=NO          # no anonymous access
local_enable=YES             # allow local users. Required: a virtual user is handled as a local login mapped to guest_username, so with NO no virtual user can log in
write_enable=YES             # allow write commands (upload, delete, rename, mkdir)
local_umask=022              # umask applied to uploaded files
anon_upload_enable=NO        # anonymous users may not upload
anon_mkdir_write_enable=NO   # anonymous users may not create directories
dirmessage_enable=YES        # show the .message file when a user enters a directory
xferlog_enable=YES           # log uploads and downloads
connect_from_port_20=YES     # active-mode data connections originate from port 20
chown_uploads=NO             # do not change the owner of anonymously uploaded files
#chown_username=whoever
#xferlog_file=/var/log/xferlog
xferlog_std_format=YES       # standard (wu-ftpd style) log format
idle_session_timeout=1200    # seconds a session may sit idle; vsftpd's default is 600. A per-user file can override it
data_connection_timeout=7200 # seconds a stalled data transfer is allowed; vsftpd's default is 120. A per-user file can override it
nopriv_user=vsftpd           # unprivileged user the service runs as: the vsftpd account created in step 3. Note: after changing this user, check that every file the service must write (the log file, for example) is writable by it
async_abor_enable=YES        # accept the asynchronous ABOR command; some clients hang when cancelling a transfer without it
ascii_upload_enable=YES      # allow ASCII-mode uploads
ascii_download_enable=YES    # allow ASCII-mode downloads
ftpd_banner=Welcome to airmateftpService.   # login banner
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
ls_recurse_enable=NO         # forbid "ls -R" after login. A recursive listing is expensive for the server; several users running it at once can exhaust it
#ls_recurse_enable=YES
listen=YES                   # standalone daemon on IPv4 (only one of listen and listen_ipv6 may be YES)
#listen_ipv6=YES
pam_service_name=vsftpd      # PAM service name, i.e. the file /etc/pam.d/vsftpd edited in step 6
userlist_enable=YES          # enable the user list
userlist_deny=YES
userlist_file=/etc/vsftpd/allowusers_list   # location of the user list file. Note: with userlist_deny=YES the users listed are denied; despite the file name, set userlist_deny=NO if the file is meant as an allow list
tcp_wrappers=YES             # honour /etc/hosts.allow and /etc/hosts.deny
guest_enable=YES             # enable virtual users
guest_username=virtusers     # host user that virtual users are mapped to
virtual_use_local_privs=YES  # virtual users get the same privileges as local users, so write_enable applies to them
port_enable=YES              # allow active-mode data connections
pasv_enable=YES              # allow passive-mode data connections
pasv_min_port=50000          # lowest passive-mode data port
pasv_max_port=50200          # highest passive-mode data port
pasv_address=8.8.8.8         # address returned in PASV replies; 8.8.8.8 is a placeholder, use the server's public address (needed behind NAT)
ssl_enable=YES               # enable SSL/TLS. With this on, vsftpd by default also forces logins and data transfers of local (and therefore virtual) users to use TLS
rsa_cert_file=/etc/vsftpd/vsftpd.pem   # certificate and key file; must be the file that step 7 generates
ssl_ciphers=HIGH
syslog_enable=YES            # send the FTP log to syslog (/var/log/messages) instead of the xferlog file; this also avoids the mis-encoded log lines
2) Create the directory for the virtual users' per-user configuration files
mkdir /etc/vsftpd/vconf/
Note: vsftpd only reads per-user files from this directory if vsftpd.conf also contains user_config_dir=/etc/vsftpd/vconf; the configuration in step 5 does not set it, so add that line. Each file is named after the virtual user and may override directives such as the timeouts above and local_root (the user's own directory).
3) Create the location where the FTP users' files are stored
mkdir /opt/vsftp/
chown -R virtusers:virtusers /opt/vsftp/
6. Configure the PAM authentication method
1) Modify the PAM authentication parameters of vsftpd. Edit the PAM configuration of the vsftpd service (/etc/pam.d/vsftpd, the name given by pam_service_name) and add the following two lines:
auth    sufficient  pam_ldap.so   # keep this as the first 'auth' entry
account sufficient  pam_ldap.so   # keep this as the first 'account' entry
"sufficient" means that a successful LDAP check ends the stack immediately, so with these entries first a domain account never falls through to the local password checks below them; if LDAP rejects the user, the remaining entries still run.
2) Configure the LDAP authentication parameters of PAM
Set the LDAP configuration used by pam_ldap (typically /etc/ldap.conf) with the following parameters:
host 192.168.1.203
base cn=users,dc=lidongni,dc=com
binddn cn=administrator,cn=users,dc=lidongni,dc=com
bindpw www.lidongni.com
pam_login_attribute sAMAccountName
pam_login_attribute sAMAccountName makes pam_ldap look the user up by the Active Directory logon name instead of uid. Two caveats: bindpw stores the bind password in cleartext, and the bind account here is the domain administrator, so use a dedicated read-only account instead and keep the file readable by root only. Also, unless TLS is configured in this file, both the bind and the users' own password binds travel to 192.168.1.203 over plain LDAP.
3) Disable SELinux to simplify configuration
If SELinux is installed and you are not familiar with configuring it, this guide disables it. Change the following line in /etc/selinux/config (it takes effect after a reboot; setenforce 0 switches to permissive mode immediately):
SELINUX=disabled
Disabling SELinux removes a protection layer from the whole host. The alternative is to keep it enforcing and enable only the FTP-related booleans (getsebool -a | grep ftp lists them).
7. Configure SSL encryption. Change to the /etc/vsftpd/ directory and generate a self-signed certificate with the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/C=CN/ST=GD/L=SZ/O=lidongni/CN=lidongni" -keyout /etc/vsftpd/vsftpd1.pem -out /etc/vsftpd/vsftpd1.pem
(The original command used rsa:1024; 1024-bit RSA keys are below the widely accepted minimum of 2048 bits, so 2048 is used here.) The private key and the certificate are written to the same file and the key is unencrypted (-nodes), so restrict the file with chmod 600. The file name must match rsa_cert_file in vsftpd.conf, which step 5 set to /etc/vsftpd/vsftpd.pem; use the same name in both places. Because the certificate is self-signed, clients will warn about it unless they import or pin it.
8. Open the firewall for vsftpd
Add the following rules to /etc/sysconfig/iptables and restart the iptables service:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 50000:50200 -j ACCEPT
-A OUTPUT -m state --state NEW -m tcp -p tcp --sport 20 -j ACCEPT
The first rule admits the control connection. The second admits passive-mode data connections on the range set by pasv_min_port/pasv_max_port in step 5; this explicit rule is needed because the control channel is encrypted, so the kernel's FTP connection-tracking helper cannot read the PASV reply and open the port dynamically. The third allows active-mode data connections, which the server opens from its own port 20 towards the client (the original rule matched --dport 20, i.e. traffic going to port 20, which is not what the server sends); it is only needed if the OUTPUT chain does not already accept new connections.
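The feature list promises user isolation, but the vsftpd.conf in step 5 never sets chroot_local_user, and several of the other settings (ssl_enable, the passive port range, ls_recurse_enable) are easy to get wrong when the file is edited by hand. As an added check, not part of the original guide, the following POSIX shell script reads a vsftpd.conf and reports the settings a practitioner should verify before exposing the server. The two sample configurations in it are constructed for the example: a deliberately weak one and a hardened version of the step 5 settings. The defaults it assumes (anonymous_enable=YES, pasv_enable=YES, force_local_logins_ssl and force_local_data_ssl=YES once ssl_enable is on) are those documented for vsftpd.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a vsftpd.conf for the
# security-relevant settings the guide depends on. Both sample configurations
# below are constructed for the example.

# conf_get FILE KEY: print the effective value of KEY. vsftpd takes the last
# occurrence of a directive; lines starting with '#' never match the pattern.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: print one line per finding; return the number of
# findings (0 means the file passed every check).
audit_vsftpd_conf() {
    f=$1
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }

    # anonymous_enable defaults to YES, so an unset directive is a finding too
    [ "$(conf_get "$f" anonymous_enable)" = "NO" ] \
        || fail "anonymous_enable must be NO (vsftpd defaults to YES)"

    # TLS: ssl_enable on, a certificate configured, no plaintext fallback,
    # no SSLv2/SSLv3
    [ "$(conf_get "$f" ssl_enable)" = "YES" ] \
        || fail "ssl_enable=YES missing: logins cross the wire in cleartext"
    [ -n "$(conf_get "$f" rsa_cert_file)" ] \
        || fail "rsa_cert_file not set: point it at the generated certificate"
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_get "$f" "$k")" != "NO" ] \
            || fail "$k=NO lets clients fall back to plaintext"
    done
    for k in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$f" "$k")" != "YES" ] \
            || fail "$k=YES enables a broken protocol version"
    done

    # Isolation: without chroot_local_user=YES a (virtual) user can walk the
    # whole filesystem, limited only by Unix permissions.
    [ "$(conf_get "$f" chroot_local_user)" = "YES" ] \
        || fail "chroot_local_user=YES missing: users are not confined to their directory"

    # Resource abuse: recursive listings are expensive
    [ "$(conf_get "$f" ls_recurse_enable)" != "YES" ] \
        || fail "ls_recurse_enable=YES lets any user run 'ls -R' against the server"

    # Passive mode is on by default; the firewall needs a bounded, unprivileged range
    if [ "$(conf_get "$f" pasv_enable)" != "NO" ]; then
        lo=$(conf_get "$f" pasv_min_port)
        hi=$(conf_get "$f" pasv_max_port)
        if [ -z "$lo" ] || [ -z "$hi" ]; then
            fail "passive mode on but pasv_min_port/pasv_max_port not both set"
        elif [ "$lo" -lt 1024 ] || [ "$lo" -gt "$hi" ]; then
            fail "passive port range $lo-$hi is invalid"
        fi
    fi
    return "$n"
}

# Constructed sample 1: a deliberately weak configuration.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
ls_recurse_enable=YES
force_local_data_ssl=NO
pasv_min_port=50000
EOF

# Constructed sample 2: the guide's settings (lowercased, as vsftpd requires)
# plus chroot_local_user=YES.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
ls_recurse_enable=NO
guest_enable=YES
guest_username=virtusers
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50200
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
ssl_ciphers=HIGH
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

for c in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $c"
    audit_vsftpd_conf "$c" || echo "$? finding(s)"
done
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd/vsftpd.conf after the samples. One consequence of the chroot check: vsftpd 3.x refuses a login whose chroot root directory is writable unless allow_writeable_chroot=YES, so keep each user's root directory non-writable and create the writable directories inside it.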