FTP active and passive working modes (Linux enterprise application / Linux server application information). The following is a detailed description. Article from: http://linux.net527.cn/fuwuqiyingyong/Ftpfuwuqi/38774.html
What is PASV mode (passive mode transfer)? How does it work?
An FTP session generally uses two connections: one carries the commands exchanged between client and server (the control connection), the other carries the data (the data connection). FTP server programs generally support two different modes for setting up the data connection, Port mode (active) and Pasv mode (passive). Let me first describe the two connection modes.
Assume that the client is C and the server is S.
In Port mode, after client C connects to server S, client C sends a PORT command to inform server S ("I, client C, have opened local port N; connect to it for the data connection"). When server S receives the PORT command, it connects to port N opened by the client, and the data connection is established.
In Pasv mode, after client C connects to server S and sends a PASV command, server S replies with a message to client C ("I, server S, have opened local port M; connect to me now"). After receiving this message, client C connects to port M of server S. Once the connection succeeds, the data connection is established.
From the above explanation, we can see that the main difference between the two modes is how the data connection is established. In Port mode, client C opens a port locally and waits for server S to connect; in Pasv mode, server S opens a port locally and waits for client C to establish the data connection.
Do I need to set the transfer mode to PASV mode?
If you reach the Internet through a router (NAT), for example, you need to set the transfer mode to PASV.
The router has two IP addresses: an intranet address (your gateway address, 192.168.1.1) and an Internet address. All the computers in your LAN share the address 220.127.116.11 to access the Internet (through the 192.168.1.1 gateway in the middle). Let's look at the detailed connection process so that you can understand why PASV mode is required:
When you download a file using a download tool or a browser, the client first connects to the FTP server. When the FTP service receives the connection request, it sends a response message to the client and waits for the user's authentication information. After authentication passes, the data connection is established.
If you have not set PASV mode, the client (the download tool) opens a data port on the local computer and sends a command to the FTP server ("I have opened port N, you can connect to me now"). The FTP server then tries to connect to port N of your IP address, and the connection fails: because you reach the Internet through the gateway 192.168.1.1 (your routing device), what the FTP server actually connects to is the routing device, whose Internet address is 18.104.22.168, and the port opened by the download tool cannot be reached through it at all. For example, if you are using the client 192.168.1.2, the FTP server cannot connect to your computer 192.168.1.2. You therefore see an error message from the server; if it reports that the port opened at 192.168.1.2 cannot be connected to, you need to set the transfer mode to PASV.
In PASV mode, after FTP authentication the client first sends a PASV command to the server. After receiving the command, the server opens a port and tells the client "I have opened a port, you can connect now". The client (download tool) receives this information and connects to the port opened on the server side, completing the data connection; all the data downloaded via FTP is transmitted through this port.
In addition, when iptables is used for NAT, the two modules ip_nat_ftp and ip_conntrack_ftp should be loaded so that connections to the FTP server work normally. Otherwise, clients cannot connect to the FTP server in passive mode.
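The PORT command and the 227 PASV reply both carry the data endpoint as six decimal numbers (four address octets, then the high and low bytes of the port), and the NAT failure described above comes down to one side advertising an address the other side cannot reach. The following added example (not code from the original article) decodes and encodes that format and applies the address comparison that vsftpd performs by default; the sample messages and addresses are constructed for the example, reusing the addresses given above.

```python
import ipaddress
import re

# Constructed sample messages for this example (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (192,168,0,21,39,26)."
PORT_COMMAND = "PORT 192,168,1,2,19,136"


def _decode(fields, source):
    """Turn the six h1,h2,h3,h4,p1,p2 numbers into (ip, port); port = p1*256 + p2."""
    values = [int(x) for x in fields]
    if any(v > 255 for v in values):
        raise ValueError("field out of range in %r" % source)
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply):
    """Decode the server's 227 reply (passive mode) into (ip, port)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m is None:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    return _decode(m.groups(), reply)


def parse_port_command(command):
    """Decode the client's PORT command (active mode) into (ip, port)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", command.strip())
    if m is None:
        raise ValueError("malformed PORT command: %r" % command)
    return _decode(m.groups(), command)


def build_port_command(ip, port):
    """Encode the address and port the client listens on into a PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def check_data_endpoint(control_peer_ip, advertised_ip):
    """Classify the data endpoint one side advertised to the other.

    "ok"       - equals the control connection peer (the check vsftpd performs
                 unless port_promiscuous / pasv_promiscuous is set to YES)
    "private"  - a private LAN address advertised to a public peer: the NAT
                 case described above, the peer cannot connect to it
    "mismatch" - some other address than the control peer
    """
    peer = ipaddress.ip_address(control_peer_ip)
    adv = ipaddress.ip_address(advertised_ip)
    if adv == peer:
        return "ok"
    if adv.is_private and not peer.is_private:
        return "private"
    return "mismatch"


if __name__ == "__main__":
    # Client 192.168.1.2 behind the router sends PORT; the server sees the
    # control connection coming from 220.127.116.11.
    ip, port = parse_port_command(PORT_COMMAND)
    print("client advertised", ip, port, "->", check_data_endpoint("220.127.116.11", ip))
    ip, port = parse_pasv_reply(PASV_REPLY)
    print("server advertised", ip, port)
```

Running the script shows the PORT case classified as "private": the server would try to connect to 192.168.1.2, which is exactly the failure the text describes, while the 227 reply decodes to port 39*256+26 = 10010.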
FTP modes and data ports
There are two types of FTP: port FTP and pasv FTP; port FTP is the common form. Both types establish the control connection in the same way: the client first connects to the control port of the FTP server (default 21) and uses this link to transmit operation commands. The difference lies in the data transmission port (ftp-data). In port FTP the data port is specified by the FTP server, and its default value is 20. In pasv FTP the data transmission port is determined by the FTP client. Pasv FTP is mainly used to communicate with a server in a firewall environment (the data transmission port is included in the data transmission request sent from the client to the server), which makes it more convenient to determine the data transmission port between the two sides.
port_enable = YES | NO
If you want to disable PORT mode for data connections, set this option to NO. The default value is YES.
connect_from_port_20 = YES | NO
Controls whether port 20 (ftp-data) is used for data transmission in PORT mode. Values: YES or NO. The default value is NO, but this parameter is set to YES in the vsftpd.conf file that comes with RHL.
ftp_data_port = port number
Sets the ftp-data port. The default value is 20. This parameter is used in port FTP mode.
port_promiscuous = YES | NO
The default value is NO. If YES, the PORT security check is disabled. This check ensures that outgoing data connections can only go to the client. Enable this option with caution.
pasv_enable = YES | NO
YES: PASV mode is allowed for data transmission. NO: PASV mode is not allowed. The default value is YES.
pasv_min_port = port number
pasv_max_port = port number
In PASV mode, the lower and upper bounds of the port range that can be used for data transmission. 0 means any port. The default value is 0. Setting the range relatively high, for example 50000-60000, helps improve security.
pasv_promiscuous = YES | NO
When this option is activated, the security check in PASV mode is disabled. This check ensures that the data connection and the control connection come from the same IP address. Enable this option with caution. The only reasonable use of this option is in an organization that uses a secure tunnelling solution. The default value is NO.
pasv_address = IP address
This option is a numeric IP address that is sent as the response to the PASV command. The default value is none, i.e. the address is obtained from the incoming connected socket.
Therefore, if the firewall is enabled in Linux, the corresponding port range must be opened, for example:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 30000:31000 --syn -j ACCEPT
4. Firewall Configuration
# In XP, the ftp command connects in active mode; graphical client software can be used instead, and its default mode is passive.
# netstat -an | grep 172
VsFTP configuration solution in Linux
I. VsFTPd Overview
II. Enterprise Linux vsFTPD Solution
III. VsFTPD configuration files
I. Brief Introduction to VsFTPd:
VSFTPD (Very Secure FTP Daemon, a very secure FTP server). As the name suggests, the starting point of the VSFTPD design is security. At the same time, with continuous version upgrades, VSFTPD has made great progress in performance and stability. In addition to excellent security and performance, it also has good usability. Red Hat uses vsFTPd on its FTP server (ftp.redhat.com).
II. Practical vsFTPD solution in Enterprise Linux
1. User: netseek_com; FTP server: ftp.netseek.com (192.168.0.21; I have configured the relevant DNS)
2. Prohibit anonymous login and prevent users from leaving their user directory.
3. Use 5021 as the command channel port and 5020 as the data channel port (you can change these to the ports you want, for example).
4. The range of ports allowed in passive mode is 10010 ~ 10020.
5. The user bandwidth is set to 300 KPS, the user space is limited to M, and a buffer of 10 MB is allowed within the grace period.
The procedure is as follows:
To fully describe the entire installation process, I configured it on my other host (netseek), bound 192.168.0.21 to the server whose IP address is 192.168.0.20, and configured the relevant DNS resolution; for more information, see "Linux all-around web Server Setup".
1. Configure Related Services
Start the service:
[root@netseek root]# rpm -qa | grep vsftpd    ; check whether the vsftpd service is installed
# /etc/init.d/vsftpd start    ; start the service
# chkconfig vsftpd on    ; enable the service when the system starts
# vi /etc/vsftpd.conf
Prohibit anonymous user access:
anonymous_enable=YES, change YES to NO
Add the following settings at the end of the file:
Note that -s /sbin/nologin makes the account unable to log on to the system shell; -d specifies the user directory as /var/www/netseek.com.
# passwd netseek_com    (Do not Hack me 3ks) DnHm3ks is the password I set
# chown -R netseek_com:netseek_com /var/www/netseek.com
Note: this sets the owner and group of the user directory and all its subdirectories to netseek_com.
3. Configure the disk quota
During installation I split the disk into multiple partitions, including /home, /var, /, /www, tmp, swap and /boot. We recommend that you split the disk into multiple independent partitions to reduce the risk of data loss caused by disk partition corruption.
[root@netseek root]# rpm -qa | grep quota
quota-3.06-9    ; my system has the disk quota tool installed
LABEL=/var    /var    ext3    defaults    1 2
After defaults, add usrquota as follows:
LABEL=/var    /var    ext3    defaults,usrquota    1 2
Reload the/var partition:
# mount -o remount /var
# cd /var    ; enter this directory
# touch quota.user
# chmod 600 quota.user
# quotacheck -mf /var    ; forcibly checks disk partition space usage
[root@localhost var]# quotacheck -mf /var
quotacheck: WARNING - Quotafile /var/quota.user was probably truncated. Can't save quota settings...
Restart the system
This warning appears on the first run, but it does not appear again afterwards.
Specify the user quota:
# edquota netseek_com    ; set the disk quota for the user netseek_com
Disk quotas for user netseek_com (uid 501):
  Filesystem    blocks    soft    hard    inodes    soft    hard
  /dev/sda5     6616      307200  0       15        0       0
The columns mean the following:
Filesystem - the file system being set. Do not modify or delete it.
blocks - currently used disk space, in KB
soft (first) - soft limit on disk space. The default value is 0, which means no limit. Here I set it to 300 MB.
hard (first) - hard limit on disk space. 0 means no limit.
inodes - current number of files
soft (second) - soft limit on the number of files. 0 means no limit.
hard (second) - hard limit on the number of files. 0 means no limit.
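The two mechanical parts of the quota procedure above, adding usrquota to the /var entry in /etc/fstab and reading the edquota table back, are easy to get wrong by hand (a duplicated option, or misreading which of the two soft columns is space and which is file count). The following added example, not code from the original article, performs both steps on constructed input that mirrors the lines shown above, and classifies the usage against the soft and hard limits with the same 0-means-unlimited convention.

```python
# Constructed fstab line in the form shown above (not copied from a real host).
FSTAB_VAR = "LABEL=/var\t/var\text3\tdefaults\t1 2"

# Constructed edquota output matching the table above.
EDQUOTA_OUTPUT = """\
Disk quotas for user netseek_com (uid 501):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/sda5                      6616     307200          0         15        0        0
"""


def mb_to_quota_blocks(megabytes):
    """edquota limits are in 1 KB blocks: 300 MB -> 307200."""
    return megabytes * 1024


def enable_usrquota(fstab_line):
    """Append usrquota to the options field of one fstab line (idempotent)."""
    if fstab_line.lstrip().startswith("#"):
        return fstab_line                      # comment: leave untouched
    fields = fstab_line.split()
    if len(fields) < 4:
        raise ValueError("not an fstab entry: %r" % fstab_line)
    opts = fields[3].split(",")
    if "usrquota" not in opts:
        opts.append("usrquota")
    fields[3] = ",".join(opts)
    return "\t".join(fields)


def parse_edquota(text):
    """Parse the per-filesystem rows of edquota/repquota-style output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # data rows start with a device path and have exactly seven columns
        if len(parts) == 7 and parts[0].startswith("/"):
            fs, blocks, bsoft, bhard, inodes, isoft, ihard = parts
            rows.append({
                "filesystem": fs,
                "blocks": int(blocks), "block_soft": int(bsoft), "block_hard": int(bhard),
                "inodes": int(inodes), "inode_soft": int(isoft), "inode_hard": int(ihard),
            })
    return rows


def block_status(row):
    """Classify block usage against the soft/hard limits (0 = no limit)."""
    used, soft, hard = row["blocks"], row["block_soft"], row["block_hard"]
    if hard and used >= hard:
        return "hard limit reached"
    if soft and used > soft:
        return "over soft limit (grace period running)"
    if soft:
        return "within limit (%.1f%% of soft)" % (100.0 * used / soft)
    return "unlimited"


if __name__ == "__main__":
    print(enable_usrquota(FSTAB_VAR))
    for row in parse_edquota(EDQUOTA_OUTPUT):
        print(row["filesystem"], block_status(row))
```

For the table above the user has 6616 KB in use against a 307200 KB (300 MB) soft limit, so the status reads "within limit (2.2% of soft)"; a row whose blocks exceed the soft value is reported as being in the grace period, which is the "buffer within the grace period" the requirements list refers to.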
anon_world_readable_only=YES: anonymous users are allowed to download. This parameter is disabled by default; you can add it yourself.
anon_other_write_enable=YES: if set to YES, anonymous users can also rename and delete files, in addition to uploading and creating directories. The default value is NO.
no_anon_password=YES (change the default NO to YES): anonymous users are not asked for a password and log on directly.
ftp_username=ftp: the system account used for anonymous logins is ftp by default. Do not change this option; otherwise an improper configuration will threaten system security.
2. Specify the FTP service port
listen_port=8021: specifies the command channel port as 8021. The default value is 21.
listen_data_port=8020: sets the data channel port to 8020. The default value is 20.
3. Set the upload Mode
pasv_enable=YES: whether passive mode is allowed. It is allowed by default.
pasv_min_port=10000: the minimum port number opened when passive mode is used.
pasv_max_port=10004: the maximum port number opened when passive mode is used.
4. Vsftp Server IP Address
listen_address=192.168.0.21: specifies the IP address the FTP service listens on.
Note: an IP address can be specified only when vsftpd runs in standalone mode. If a vsftpd file exists under the xinetd.d directory, you must set disable in that file to yes.
5. Lock the user and prevent the user from leaving the user's home directory.
chroot_local_user=YES: when set to YES, users are locked in their home directory; when set to NO, they can change out of it.
To lock only specified users in their home directory:
# chroot_list_enable=YES
# chroot_list_file=/etc/vsftpd.chroot_list
Change these lines to the following:
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd.chroot_list
Save the file and perform the following operations:
# touch /etc/vsftpd.chroot_list
# vi /etc/vsftpd.chroot_list    ; add a list of user names to the file, for example:
6. FTP server traffic control
max_clients=100 ; maximum number of connections allowed, here defined as 100. The default value 0 means no limit.
max_per_ip=5 ; number of connections allowed per IP address. 0 means no limit. Effective only in standalone mode.
anon_max_rate=50000 ; maximum bandwidth for anonymous users, in bps
local_max_rate=200000 ; maximum bandwidth for system users
How can I limit the traffic of a specified user?
# vi /etc/vsftpd.conf    ; add one line:
# touch /etc/vsftpd/userconf/netseek_com    ; create a file named netseek_com for the user netseek_com
# vi /etc/vsftpd/userconf/netseek_com    ; add the following content:
local_max_rate=100000
Save and restart the service.
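The option reference earlier on this page (port_promiscuous, pasv_promiscuous, the pasv_min_port/pasv_max_port range, the firewall rule that must match it) and the anonymous and chroot settings used in this solution are all plain key=value lines, so the weak and hardened states can be checked mechanically before the service is restarted. The following added example (not code from the original article or from the vsftpd project) parses vsftpd.conf text, reports the settings this page warns about using the defaults the page quotes, and verifies that an iptables ACCEPT rule in the form shown earlier actually covers the configured passive port range. Both configuration fragments and both rules are constructed for the example.

```python
import re

# Constructed vsftpd.conf fragments for this example (not the page's file).
WEAK_CONF = """\
# every line below is a setting this page warns about
anonymous_enable=YES
anon_other_write_enable=YES
port_promiscuous=YES
pasv_promiscuous=YES
pasv_min_port=0
pasv_max_port=0
chroot_local_user=NO
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=10010
pasv_max_port=10020
listen=YES
listen_address=192.168.0.21
"""

# Constructed iptables rules in the form shown earlier (RH-Firewall-1-INPUT chain).
RULE_30000 = ("-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp "
              "--dport 30000:31000 --syn -j ACCEPT")
RULE_10010 = RULE_30000.replace("30000:31000", "10010:10020")


def parse_vsftpd_conf(text):
    """Return {option: value} from vsftpd.conf text; '#' lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf, option, default):
    return conf.get(option, default).upper() == "YES"


def pasv_range(conf):
    """(pasv_min_port, pasv_max_port); 0 is the vsftpd default meaning any port."""
    return int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))


def audit(conf):
    """Return (option, reason) pairs for settings that weaken the server.

    The defaults used here are the vsftpd defaults quoted on this page.
    """
    findings = []
    if _yes(conf, "anonymous_enable", "YES"):
        findings.append(("anonymous_enable", "anonymous logins allowed"))
    if _yes(conf, "anon_other_write_enable", "NO"):
        findings.append(("anon_other_write_enable", "anonymous users may rename and delete"))
    if _yes(conf, "port_promiscuous", "NO"):
        findings.append(("port_promiscuous", "PORT may name an address other than the client"))
    if _yes(conf, "pasv_promiscuous", "NO"):
        findings.append(("pasv_promiscuous", "data connection need not come from the control IP"))
    if not _yes(conf, "chroot_local_user", "NO"):
        findings.append(("chroot_local_user", "local users can leave their home directory"))
    lo, hi = pasv_range(conf)
    if lo == 0 or hi == 0:
        findings.append(("pasv_min_port/pasv_max_port", "passive ports unrestricted (0 = any)"))
    elif lo > hi:
        findings.append(("pasv_min_port/pasv_max_port", "minimum is greater than maximum"))
    return findings


def dport_range(rule):
    """Extract the --dport range (lo, hi) from an iptables rule; a single port gives lo == hi."""
    m = re.search(r"--dport\s+(\d+)(?::(\d+))?", rule)
    if m is None:
        raise ValueError("rule has no --dport")
    lo = int(m.group(1))
    return lo, int(m.group(2) or lo)


def firewall_covers_pasv(conf, rule):
    """True when the ACCEPT rule's port range contains the whole configured PASV range."""
    pmin, pmax = pasv_range(conf)
    if pmin == 0 or pmax == 0:
        return False           # an open-ended PASV range cannot be covered by a fixed rule
    lo, hi = dport_range(rule)
    return lo <= pmin and pmax <= hi


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_vsftpd_conf(text)
        print(name, audit(conf), "firewall ok:", firewall_covers_pasv(conf, RULE_10010))
```

The hardened fragment produces no findings, but paired with the 30000:31000 rule shown earlier it still fails the firewall check, because that rule does not open 10010-10020; the check is what catches a passive range and a firewall rule that were edited at different times.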
7. Customize welcome information
Directory description settings
# vi /etc/vsftpd.conf
# dirmessage_enable=YES    ; remove the leading #
Then create a .message file, write whatever you want in it, and copy the file to the home directory of each user.
System Welcome Message settings
ftpd_banner=Welcome to ftp.netseek.com, Yeah!!!
System Welcome Message File Settings
banner_file=/etc/vsftpd/welcome is similar to ftpd_banner; the difference is that banner_file specifies a file containing the welcome message.
This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/tianqixin/archive/2011/05/08/6403492.aspx