vsftpd: Very Secure FTP
vsftpd is the "very secure FTP" server. FTP itself is very old software: it transmits everything in plaintext, with no encryption at all, which is why a hardened implementation like vsftpd exists.
It runs over TCP and listens on port 21.
Program configuration file:
/etc/vsftpd/vsftpd.conf
[root@localhost ftp]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost ftp]# netstat -ntlp
Active Internet connections (only servers)
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN      42268/vsftpd
There are three types of FTP users:
1. Anonymous users: mapped to a fixed system user (ftp on vsftpd).
2. Local users: ordinary system users such as root or daemon.
3. Virtual users: accounts that are authenticated through some backend and then treated like anonymous users, mapped onto a guest account. The authentication backends are nsswitch (Name Service Switch) and PAM (Pluggable Authentication Modules).
Experiment: connect to MySQL through pam_mysql, read the account passwords stored in MySQL, and log in to FTP with them.
1. Install the pam_mysql module
[root@localhost src]# yum -y install pam-devel mysql-devel
[root@localhost src]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@localhost src]# cd pam_mysql-0.7RC1
[root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-pam=/usr
[root@localhost pam_mysql-0.7RC1]# make && make install
[root@localhost pam_mysql-0.7RC1]# cd /lib/security/
[root@localhost security]# ls
pam_mysql.la  pam_mysql.so      // the PAM module that talks to MySQL is now built and installed
2. Authorize an account and create the user table that PAM will read account passwords from
mysql> grant all on pam.* to 'pamuser'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.03 sec)
mysql> create table pamuser (id int not null primary key, name char(30) not null, password char(48) binary not null);   // issued inside the pam database; the column widths are illegible in the source, 30 and 48 are assumed (anything of 41 or more holds a PASSWORD() hash)
Query OK, 0 rows affected (0.01 sec)
mysql> desc pamuser;
+----------+----------+------+-----+---------+-------+
| Field    | Type     | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+-------+
| id       | int(11)  | NO   | PRI | NULL    |       |
| name     | char(30) | NO   |     | NULL    |       |
| password | char(48) | NO   |     | NULL    |       |
+----------+----------+------+-----+---------+-------+
3 rows in set (0.00 sec)
3. Insert test accounts into the table
mysql> insert into pamuser (id,name,password) values (1,'tom',password('magedu'));
Query OK, 1 row affected (0.00 sec)
mysql> insert into pamuser (id,name,password) values (2,'jerry',password('jerry'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from pamuser;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  2 | jerry | *09FB9E6E2AA0750E9D8A8D22B6AA8D86C85BF3D0 |
|  1 | tom   | *6B8CCC83799A26CD19D7AD9AEEADBCD30D8A8664 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
4. Create the mapped (guest) user
[root@localhost security]# useradd -s /sbin/nologin -d /ftproot vuser
[root@localhost security]# id vuser
uid=501(vuser) gid=501(vuser) groups=501(vuser)
5. Edit the configuration file to set the system user that virtual users are mapped to
[root@localhost security]# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES
guest_username=vuser      // add these two lines
6. Write the PAM file used for virtual user authentication
[root@localhost pam.d]# vim /etc/pam.d/vsftpd.conf
auth    required  /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=pamuser usercolumn=name passwdcolumn=password crypt=2
account required  /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=pamuser usercolumn=name passwdcolumn=password crypt=2
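The crypt=2 option tells pam_mysql to compare the submitted password against MySQL's own PASSWORD() format, which is exactly what the PASSWORD() calls in the insert statements above stored. The following shell script is an added example and not part of the original post: it reimplements that hash ('*' followed by the uppercase hex of SHA1 applied twice) and checks a candidate password against a constructed one-row copy of the pamuser table, which is the decision the auth line above delegates to pam_mysql. The user alice, her stored hash (PASSWORD('password')) and the use of openssl for the SHA1 steps are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the MySQL 4.1+ PASSWORD()
# hash that pam_mysql compares against when crypt=2 is set, and check a candidate
# password against a constructed copy of the pamuser table.
# Assumes openssl, awk and tr are available.

# PASSWORD(p) = '*' + uppercase hex of SHA1(SHA1(p)), with the inner digest fed to the
# outer one as raw bytes rather than as hex text.
mysql41_hash() {
  printf '*%s' "$(printf '%s' "$1" \
    | openssl dgst -sha1 -binary \
    | openssl dgst -sha1 \
    | awk '{ print $NF }' \
    | tr 'a-f' 'A-F')"
}

# Constructed stand-in for "select name, password from pamuser"; the single row
# holds PASSWORD('password') for the assumed user alice.
PAMUSER_TABLE='alice *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'

# Stored hash for a user name; prints nothing when no such row exists.
stored_hash() {
  printf '%s\n' "$PAMUSER_TABLE" | awk -v u="$1" '$1 == u { print $2 }'
}

# Exit status 0 when the candidate password hashes to the stored value, 1 otherwise;
# an unknown user is rejected the same way as a wrong password.
check_credential() {
  stored=$(stored_hash "$1")
  [ -n "$stored" ] || return 1
  [ "$(mysql41_hash "$2")" = "$stored" ]
}

check_credential alice password && echo "alice / password: accepted"
check_credential alice wrong    || echo "alice / wrong: rejected"
check_credential carol password || echo "carol: no such row"
```

Because the table stores only the double-SHA1 digest, the module never needs the cleartext column; the cleartext it does need is the MySQL account password (passwd=123456) in the PAM file, which is why that file should stay readable by root only.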
7. Modify the vsftpd configuration file
[root@localhost pam.d]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.conf     // change vsftpd to vsftpd.conf, the PAM file written above
anon_upload_enable=YES           // allow anonymous (here: virtual) users to upload
anon_mkdir_write_enable=YES      // allow them to create directories
anon_other_write_enable=YES      // allow them to delete and rename
8. Restart the vsftpd service and verify that the virtual user can log in to FTP
[root@localhost ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): tom
331 Please specify the password.
Password:
230 Login successful.            // login works
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,18,250,76,115,157).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).   // vuser's home directory cannot be listed yet; its permissions need to be fixed
Fix the permissions of vuser's home directory and of the upload subdirectory under it so that the mapped user can create files and upload into that directory:
[root@localhost /]# chmod go+rx ftproot/
[root@localhost ftproot]# chown vuser upload/
Test the login again:
ftp> ls
227 Entering Passive Mode (172,18,250,76,69,54).
150 Here comes the directory listing.
drwxr-xr-x    2 501      0            4096 Apr 18 05:32 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> mkdir tom.txt                // creating works
257 "/upload/tom.txt" created
ftp> lcd /etc                     // switch the local directory to /etc on the client host
Local directory now /etc
ftp> put fstab                    // uploading works
local: fstab remote: fstab
227 Entering Passive Mode (172,18,250,76,222,184).
150 Ok to send data.
226 Transfer complete.
805 bytes sent in 0.00111 secs (726.53 Kbytes/sec)
[root@localhost ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): jerry  // jerry can log in as well
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,18,250,76,234,145).
150 Here comes the directory listing.
drwxr-xr-x    3 501      0            4096 Apr 18 08:53 upload
226 Directory send OK.
What if Tom should be able to upload but Jerry should not?
Idea: disable uploading for all virtual users globally, then enable it for Tom alone through a per-user configuration file.
[root@localhost /]# vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES
user_config_dir=/etc/vsftpd/vsftpd.conf.d      // have the service read per-user settings from this directory
[root@localhost /]# cd /etc/vsftpd/
[root@localhost vsftpd]# mkdir vsftpd.conf.d
[root@localhost vsftpd]# cd vsftpd.conf.d/
[root@localhost vsftpd.conf.d]# vim tom
anon_upload_enable=YES
Test:
[root@localhost ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,18,250,76,233,150).
150 Here comes the directory listing.
-rw-------    1 501      501           805 Apr 18 08:53 fstab
drwx------    2 501      501          4096 Apr 18 08:53 tom.txt
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put issue                    // tom uploads a file
local: issue remote: issue
227 Entering Passive Mode (172,18,250,76,158,39).
150 Ok to send data.
226 Transfer complete.
47 bytes sent in 0.000309 secs (152.10 Kbytes/sec)   // upload succeeds
[root@localhost ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put issue                    // jerry tries to upload the same file
local: issue remote: issue
227 Entering Passive Mode (172,18,250,76,24,97).
550 Permission denied.           // upload fails: rejected
Besides uploads, permissions such as create, delete and rename can be granted per user in the same way as the upload setting above.
vsftpd virtual user authentication based on pam_mysql
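To see which value actually governs each user once user_config_dir is in play, here is an added shell example that is not code from the original post: it reads a constructed copy of the final vsftpd.conf plus the per-user file for tom and reports the effective value of an option for a given user, the way vsftpd merges the two files (the per-user file wins only for the keys it sets; everything else falls through to the global file). It assumes a POSIX sh with mktemp and awk; the temporary directory and file contents are constructed for the example. It also goes one step beyond the post by showing that the global anon_other_write_enable=YES still applies to jerry, so rename and delete remain allowed for him unless that option is moved into the per-user files as well.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve the vsftpd option that
# actually applies to a given virtual user once user_config_dir overrides are used.
# Assumes a POSIX sh with mktemp and awk; all paths and file contents are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/vsftpd.conf.d"

# Constructed copy of the post's final global configuration.
cat > "$WORK/vsftpd.conf" <<EOF
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.conf
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
user_config_dir=$WORK/vsftpd.conf.d
EOF

# Per-user override, as in the post: only tom gets upload permission.
printf 'anon_upload_enable=YES\n' > "$WORK/vsftpd.conf.d/tom"

# Print the last uncommented value of KEY ($2) in FILE ($1); empty if absent.
setting_in_file() {
  awk -F= -v k="$2" '$0 !~ /^ *#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# Effective value of KEY ($3) for USER ($2) under global config FILE ($1):
# the per-user file in user_config_dir wins for the keys it sets, everything
# else falls through to the global file. The boolean options used in the post
# default to NO when neither file sets them.
effective_setting() {
  conf=$1; user=$2; key=$3
  value=$(setting_in_file "$conf" "$key")
  dir=$(setting_in_file "$conf" user_config_dir)
  if [ -n "$dir" ] && [ -f "$dir/$user" ]; then
    override=$(setting_in_file "$dir/$user" "$key")
    [ -n "$override" ] && value=$override
  fi
  printf '%s' "${value:-NO}"
}

# Report the write-related options per user: tom can upload, jerry cannot,
# but both may still create directories and delete or rename existing entries.
for u in tom jerry; do
  printf '%s: upload=%s mkdir=%s delete/rename=%s\n' "$u" \
    "$(effective_setting "$WORK/vsftpd.conf" "$u" anon_upload_enable)" \
    "$(effective_setting "$WORK/vsftpd.conf" "$u" anon_mkdir_write_enable)" \
    "$(effective_setting "$WORK/vsftpd.conf" "$u" anon_other_write_enable)"
done
```

Run it against a real installation by replacing the constructed config path with /etc/vsftpd/vsftpd.conf; the report makes it easy to spot a write permission that was meant to be per-user but is still enabled globally.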