VSFTPD--Verification method

The VSFTPD program provides an optional authentication method for FTP services, namely anonymous access, Local users, and virtual users:

Anonymous access: Anyone can log in to the FTP server without verifying the password.

Local User: Use user, password information from the FTP server.

Virtual User: Create a separate FTP account profile.

1. Anonymous access mode

FTP Anonymous access mode is a less secure mode of service, especially in the real working environment do not store sensitive data, so as not to leak.

The VSFTPD program allows anonymous access mode by default, as long as the upload and write permissions for anonymous users are turned on.

Vi/etc/vsftpd/vsftpd.conf

Anonymous_enable=yes
#允许匿名访问模式.

anon_umask=022
#匿名用户上传文件的umask值.

Anon_upload_enable=yes
#允许匿名用户上传文件

Anon_mkdir_write_enable=yes
#允许匿名用户创建目录

Anon_other_write_enable=yes
#允许匿名用户修改目录名或删除目录

Save the exit vsftpd.conf file, restart the VSFTPD service program, and set it to boot automatically.

Note the owner/group of the FTP root directory for anonymous access.

2. Local User mode

The VSFTPD service program has allowed local user mode by default, as long as you add parameters that set local user mode permissions.

Vi/etc/vsftpd/vsftpd.conf

Anonymous_enable=no
#禁止匿名访问模式.

Local_enable=yes
#允许本地用户模式.

Write_enable=yes
#设置可写入权限.

local_umask=022
#本地用户模式创建文件的umask值.

Userlist_deny=yes
#参数值为YES即禁止名单中的用户, the value of no indicates that only the users in the list are allowed.

Userlist_enable=yes
#允许 "No landing list", the list of documents for Ftpusers and User_list.

Ftpusers or user_list prohibit login user list List file

3. Virtual User mode

Because the account password for the virtual user mode is not present in the real system, it is more secure to configure the virtual user mode than the local user mode, but the VSFTPD service configuration virtual user mode is relatively complex in the following process:

1th Step: Establish the Virtual FTP user database file.

2nd step: Create the FTP root directory and the virtual user mapping of the system users.

3rd Step: Establish a PAM authentication file that supports virtual users.

4th Step: Add the support configuration in the vsftpd.conf file.

5th step: Set different permissions for the virtual user.

6th step: Restart the VSFTPD service to verify the experimental results.

1th Step: Establish the Virtual FTP user database file.

Switch to the VSFTPD program directory:

cd/etc/vsftpd/

Create the original account and password files used to generate the FTP user database:

VI vuser.list//singular behavior account number, dual-action password. Probepa33w0rdblack

Pa22w1rd

Use the Db_load command to generate the FTP user database file vuser.db with the hash algorithm:

Db_load-t-T hash-f vuser.list vuser.db

To view the type of database file:

File Vuser.dbvuser.db:Berkeley db (Hash, version 9, native Byte-order)

FTP User database content is sensitive, so the permissions to the smaller:

chmod vuser.db

Delete the original account and password files:

Rm-f vuser.list

2nd step: Create the FTP root directory and the virtual user mapping of the system users.

Create a user virtual and set it to not allow logging on to the system and define the user's home directory:

useradd-d/var/ftproot-s/sbin/nologin Virtual

To view the user's home directory permissions:

LS-LD/VAR/FTPROOT/DRWX------. 3 Virtual, Jul 17:50/var/ftproot/

To ensure that other users can access, give Rwxr-xr-x permissions:

CHMOD-RF 755/var/ftproot/

3rd Step: Establish a PAM authentication file that supports virtual users:

The vi/etc/pam.d/vsftpd.vu//parameter db is used to point to the vuser.db file that was just generated, but do not write the suffix. Auth required pam_userdb.so Db=/etc/vsftpd/vuseraccount required pam_userdb.so Db=/etc/vsftpd/vuser

4th Step: Add the support configuration in the vsftpd.conf file.

Vi/etc/vsftpd/vsftpd.cong

Anonymous_enable=no
#禁止匿名开放模式.

Local_enable=yes
#允许本地用户模式.

Guest_enable=yes
#开启虚拟用户模式.

Guest_username=virtual
#指定虚拟用户帐号.

Pam_service_name=vsftpd.vu
#指定pam文件.

Allow_writeable_chroot=yes
#允许禁锢的FTP根目录可写而不拒绝用户登入请求.

5th step: Set different permissions for the virtual user

Specify the directory where the user independent permission profile resides:

Vi/etc/vsftpd/vsftpd.confuser_config_dir=/etc/vsftpd/vusers_dir

Create a directory where the user-independent permission profile resides:

mkdir/etc/vsftpd/vusers_dir/

Switch to enter the directory:

cd/etc/vsftpd/vusers_dir/

To create a blank probe configuration file:

Specify specific permissions for black users:

VI Black

Anon_upload_enable=yesanon_mkdir_write_enable=yesanon_other_write_enable=yes

6th step: Restart the VSFTPD service to verify the experimental results.
After confirming the correct completion, save and exit the vsftpd.conf file, restart the VSFTPD program and set it to auto-enable after booting.

Pluggable Authentication Module Pam:

Pluggable authentication Module PAM (pluggable authentication Modules) is an authentication mechanism that separates system-provided services from authentication by means of a number of dynamic link libraries and unified APIs. So that the system administrator can flexibly adjust the service program according to the requirements of different authentication methods.

In general, Pam is a set of security mechanisms of the module (plug-in), so that the system administrator can easily adjust the service program authentication, at this time can not do any changes to the application, the ease of use is very strong, Pam took the idea of layered design-application layer, application interface layer, identification module layer.

Pam API as the application layer and the Identification module layer of connection, so that the application can flexibly insert the required authentication function module, when the application requires PAM certification, generally in the application to define the Pam profile responsible for its certification, really flexible implementation of the authentication function, The reader does not have to be proficient in the PAM module, and does not need to elaborate on the parameters, just know the important directory of the PAM module:

/lib/security:pam authentication module.

/ETC/PAM.D: A PAM configuration file that is defined for different services.

For example, the VSFTPD program writes the following parameters in its main configuration file ("/etc/vsftpd/vsftpd.conf"):

Pam_service_name=vsftpd

Indicates that the FTP server is authenticated according to the contents of the/etc/pam.d/vsftpd file.

VSFTPD--Verification method