Analysis of Red Hat file sharing service

Tags: ftp, connection, file transfer protocol, filezilla

Part 1: Basic knowledge of FTP:



FTP (File Transfer Protocol) makes it possible to share files between hosts. It is an application-layer protocol and works across different operating systems; it is based on the client/server (C/S) model.

FTP uses two kinds of connections:

1. The command connection works on TCP port 21; it is always initiated by the client toward the server.

[root@station144 ~]# lftp 172.16.0.1
lftp 172.16.0.1:~> cd pub/
lftp 172.16.0.1:/pub> ls
2. Data connection, in one of two modes:

   Active mode:

   [Figure: active mode.png]

   Analysis: in active mode the server's data connection uses a fixed port, TCP 20, while the client's listening port is not fixed: it is a randomly chosen port above 1023, and the port used for the transfer is that listening port plus one. Disadvantage: because the client's listening port is above 1023, the connection the server initiates toward the client is often blocked by the client-side firewall.

   Passive mode:

   [Figure: passive connection.png]

   Analysis: in passive mode the server still listens on port 20, but the data connection uses a randomly chosen port above 1023 (6666 in the figure). The server does not connect to the client; it waits for the client's request and then sends the data in reply. When another client requests data, the server opens another random port for it. These random ports are communicated to the client over the command connection on port 21. Disadvantage: this makes the server-side firewall configuration more troublesome.



   Summary: the command connection and the data connection are related: there can be a command connection without a data connection, but never a data connection without a command connection. Which of the two data-connection modes is used depends on how the client makes its request.
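The port numbers for both modes are carried in the same h1,h2,h3,h4,p1,p2 form: the client's PORT command in active mode, the server's 227 reply in passive mode. The following is an added example (not code from the original article) that decodes that tuple and reports which side's firewall has to admit the inbound data connection, which is exactly the trade-off described above. The PORT line is constructed; the 227 line is the one that appears in this article's later session transcript.

```python
"""Decode the data-connection endpoint that FTP negotiates over the command
connection (TCP 21).  Added example, not code from the original article.

Active mode : the client sends  PORT h1,h2,h3,h4,p1,p2  and the SERVER then
              connects from port 20 to the client's h1.h2.h3.h4 : p1*256+p2.
Passive mode: the server replies  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
              and the CLIENT connects to that server port.
The firewall problem described in the article follows from which side must
accept an inbound connection on a port above 1023.
"""
import re

_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_endpoint(line):
    """Return (host, port, mode) for a PORT command or a 227 reply.

    Raises ValueError for anything else, including fields above 255, so a
    malformed or hostile line is never turned into a connection target."""
    m = _HOST_PORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]          # high byte, low byte
    upper = line.upper()
    if upper.startswith("PORT "):
        mode = "active"
    elif upper.startswith("227"):
        mode = "passive"
    else:
        raise ValueError("neither a PORT command nor a 227 reply: %r" % line)
    return host, port, mode


def accepting_side(mode):
    """The side whose firewall must admit the inbound data connection."""
    return {"active": "client", "passive": "server"}[mode]


def firewall_rule(line):
    """Summarise, as a dict, what a firewall in front of the accepting side
    would have to allow for this negotiated data connection."""
    host, port, mode = decode_endpoint(line)
    return {
        "mode": mode,
        "accepting_side": accepting_side(mode),
        "inbound_to": "%s:%d" % (host, port),
        "source_port": 20 if mode == "active" else "ephemeral (>1023)",
        "port_above_1023": port > 1023,
    }


if __name__ == "__main__":
    samples = ("PORT 172,16,0,144,4,1",                           # constructed
               "227 Entering Passive Mode (172,16,18,1,214,167).")  # from the article
    for sample in samples:
        print(firewall_rule(sample))
```

Running it shows the passive reply from the article resolving to 172.16.18.1 port 54951 (214*256+167), a server-side port above 1023 that a stateless firewall has to permit; the constructed PORT command resolves to client port 1025, which the server would connect to from port 20.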



   Data transfer modes: binary and text (ASCII).



Part 2: Simple FTP implementation and configuration analysis



Server software type:

   Unix: wuftpd (now uncommon)

   Linux: proftpd, pureftp, vsftpd (shipped with Red Hat systems and designed with an emphasis on security), filezilla (has both Linux and Windows versions)

   Windows: Serv-U, IIS



Client software type:

   Linux: built-in browser access, ftp, lftp (very powerful; Linux only), gftp (Linux only), filezilla (client).

   Windows: built-in browser access, ftp, flashxp, cuteftp, leapftp, etc.



Install and configure FTP:

    System version: CentOS 6.4 x86_64

    Server-side installation: yum install vsftpd -y

    Start the service: service vsftpd start

    Client installation: yum install ftp

    Client installation: yum install lftp



Test connection:

  Connection test: ftp 172.16.18.1


[root@station144 ~]# ftp 172.16.18.1             # connection test
Connected to 172.16.18.1 (172.16.18.1).
220 (vsFTPd 2.2.2)                               # 220 is a protocol reply code
Name (172.16.18.1:root): ftp                     # a username is required; root is offered by default, which will not work, so log in as ftp for anonymous access
331 Please specify the password.                 # 331 is a protocol reply code
Password:                                        # the password is left empty because the login is anonymous
230 Login successful.                            # 230 is a protocol reply code
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Analysis: 220 (vsFTPd 2.2.2), 331 Please specify the password, and so on are protocol reply codes:

   1xx: server information, mainly describing the server's attributes;

   2xx: positive response;

   3xx: positive response, but the operation is not yet complete and needs further input;

   4xx: client error;

   5xx: server-side error;

Note: when the client asks for something that does not exist on the server, a client error is returned, because the fault lies in the client's request; when the request cannot be completed because of a problem on the server itself, a server-side error is returned. A non-existent user is reported as a server-side error!
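Reply codes are also what a log parser or an intrusion-detection rule keys on, so it helps to see them parsed rather than read by eye. The following is an added example (not code from the original article) that parses command-connection reply lines into (code, text) pairs, joins multi-line replies of the "250-" form that the directory-message example later on this page produces, and classifies each code by its first digit using the categories listed above (the RFC 959 names are given alongside). The sample session is constructed from reply lines shown in this article's transcripts.

```python
"""Parse FTP command-connection replies and classify them by first digit.
Added example, not code from the original article; SESSION is constructed
from the reply lines shown in the article's transcripts."""

CATEGORY = {
    "1": "server information (RFC 959: positive preliminary)",
    "2": "correct response (RFC 959: positive completion)",
    "3": "incomplete, further input needed (RFC 959: positive intermediate)",
    "4": "client error (RFC 959: transient negative completion)",
    "5": "server-side error (RFC 959: permanent negative completion)",
}

SESSION = [                                    # constructed sample transcript
    "220 (vsFTPd 2.2.2)",
    "331 Please specify the password.",
    "230 Login successful.",
    "250---welcome to Upload--",               # multi-line reply: 'ddd-' opens it
    "250-",
    "250 Directory successfully changed.",    # 'ddd ' with the same code closes it
    "530 Login incorrect.",
    "550 Failed to change directory.",
]


def parse_replies(lines):
    """Return a list of (code, text) tuples, joining multi-line replies."""
    replies, open_code, texts = [], None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if open_code is not None:               # inside a multi-line reply
            if line.startswith(open_code + " "):
                texts.append(line[4:])
                replies.append((int(open_code), "\n".join(texts)))
                open_code, texts = None, []
            else:
                texts.append(line[4:] if line.startswith(open_code + "-") else line)
            continue
        if len(line) < 3 or not line[:3].isdigit():
            continue                            # prompt, command echo, client text
        code = line[:3]
        if line[3:4] == "-":
            open_code, texts = code, [line[4:]]
        else:
            replies.append((int(code), line[4:]))
    if open_code is not None:
        raise ValueError("reply %s was never terminated" % open_code)
    return replies


def classify(code):
    """Map a 3-digit reply code to its category; unknown first digits are rejected."""
    first = str(code)[0]
    if first not in CATEGORY:
        raise ValueError("not a valid FTP reply code: %r" % code)
    return CATEGORY[first]


def failed_logins(replies):
    """Count 530 replies, the code vsftpd returns for a wrong user or password;
    a burst of these from one source is the usual brute-force indicator."""
    return sum(1 for code, _ in replies if code == 530)


def summarize(lines):
    """(code, category, first line of text) for every reply in a transcript."""
    return [(code, classify(code), text.split("\n")[0])
            for code, text in parse_replies(lines)]


if __name__ == "__main__":
    for row in summarize(SESSION):
        print("%d  %-62s  %s" % row)
    print("failed logins:", failed_logins(parse_replies(SESSION)))
```

The three "250" lines of the directory message collapse into one reply whose text spans three lines; the 530 from the non-existent user and the 550 from the chroot test both land in the 5xx category, matching the article's description of them as server-side errors.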

User does not exist:
[root@station144 ~]# ftp 172.16.18.1
Connected to 172.16.18.1 (172.16.18.1).
220 (vsFTPd 2.2.2)
Name (172.16.18.1:root): an                      # /etc/passwd has no such user
331 Please specify the password.
Password:
530 Login incorrect.                             # server-side error
Login failed.
ftp>
Note in particular that the directory an FTP user lands in is that user's home directory; finger <username> shows the home directory.

[root@localhost ~]# finger ftp
Login: ftp                              Name: FTP User
Directory: /var/ftp                     Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
# "Directory: /var/ftp" is the user's home directory


Using vsftpd, the FTP server recommended on Red Hat systems:

1. Type of vsftpd user:

   Anonymous user: in fact a system user onto which the server automatically maps anonymous logins;

   Local users: users in /etc/passwd. By default root and users with IDs below 500 are denied FTP access; keep in mind that this type of user is very insecure, since the same account can also log in via ssh.

   Virtual users: in fact also mapped by the server onto a system user; many virtual users are mapped to the same system user at once, but different virtual users can have different access rights;



2. Important vsftpd files:

[root@localhost ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd             # controls rotation of vsftpd's log file
/etc/pam.d/vsftpd                   # defines how vsftpd authenticates users; must be changed to use virtual users
/etc/rc.d/init.d/vsftpd             # service script
/etc/vsftpd                         # configuration directory
/etc/vsftpd/ftpusers                # configuration file
/etc/vsftpd/user_list               # configuration file
/etc/vsftpd/vsftpd.conf             # main configuration file
/etc/vsftpd/vsftpd_conf_migrate.sh  # configuration file
/usr/sbin/vsftpd                    # server-side executable
3. Walking through the main configuration file of vsftpd (the annotations after each setting are this article's notes, not part of the file):

[root@localhost vsftpd]# vim vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf   (lines beginning with # are comments)
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES            # whether anonymous users may log in; NO disables them
#
# Uncomment this to allow local users to log in.
local_enable=YES                # whether local users may log in
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES                # whether write commands (uploads) are allowed at all
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022                 # umask applied to files uploaded by local users
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES         # whether anonymous users may upload files
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES    # whether anonymous users may create directories
anon_other_write_enable=YES     # other write permissions for anonymous users (changing a file's owner, deleting files, etc.); not in the default file, must be added manually
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES           # show a directory's message when a user changes into it
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES              # whether to enable the transfer log, which records all uploads and downloads
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES        # whether the server may work in active mode (data connections from port 20)
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES              # whether to change the owner of uploaded files to another user
#chown_username=whoever         # the new owner; replace whoever with the user name
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog  # defines the log file; while this stays commented out nothing is recorded, even though logging was enabled above
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES          # whether the log uses the standard format
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600       # timeout for an idle command connection
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120    # timeout for a data connection
#
# It is recommended that you define on your system a unique user which the
... (unimportant lines omitted) ...
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES        # whether to force ASCII mode for uploads
#ascii_download_enable=YES      # whether to force ASCII mode for downloads; forcing it can corrupt files
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.   # the welcome banner shown at login
#
... (unimportant lines omitted) ...
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().            # chroot: confine users to their home directory so they cannot wander into other files
#chroot_local_user=YES          # YES confines all local users to their home directories
#chroot_list_enable=YES         # YES applies the restriction only to the listed users
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list   # file listing the users to confine (one user per line)
#
... (unimportant lines omitted) ...
pam_service_name=vsftpd
userlist_enable=YES             # whether the user list is used; users listed in ftpusers are never allowed to log in (enforced through /etc/pam.d/vsftpd)
userlist_deny=NO                # (must be added manually) user_list becomes a whitelist of users allowed to log in; to let anonymous users in, add ftp or anonymous to it
userlist_deny=YES               # (the default; need not be added) user_list is a blacklist of users denied login
tcp_wrappers=YES
Note:

   1) This configuration file is checked strictly: whitespace must not appear where it is not expected. For example, there must be no whitespace before write_enable=YES and none on either side of the equal sign.

   2) When changing permissions through this file, make sure SELinux is turned off, otherwise the change will be blocked.
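Because the file is parsed so strictly, and because the settings walked through above interact (anonymous_enable with anon_upload_enable, chroot_local_user with chroot_list_enable, userlist_enable with userlist_deny), it is worth checking a vsftpd.conf mechanically before reloading the service. The following is an added example, not code from the original article or from the vsftpd project: a parser that rejects exactly the whitespace mistakes the note warns about (and the inline annotations used on this page, which are not valid in a real file) and an audit that reports the effective, security-relevant settings. The sample configurations are constructed; the defaults table is an assumption following vsftpd.conf(5) for the 2.x series shown here, with anonymous_enable defaulting to YES as the file's own comment warns.

```python
"""Strict parser and security audit for a vsftpd.conf.  Added example, not
code from the original article or the vsftpd project; sample configs are
constructed and DEFAULTS is assumed from vsftpd.conf(5) for the 2.x series."""
import re

_SETTING = re.compile(r"^([A-Za-z_]+)=(.*)$")

DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "chroot_list_enable": "NO", "chown_uploads": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
}


def parse_vsftpd_conf(text):
    """Return (options, errors).  Options start from DEFAULTS and are
    overridden by the file.  vsftpd accepts only 'key=value' at column 0
    with nothing around '=', and only YES/NO for boolean keys, so anything
    else is reported as an error rather than silently interpreted."""
    options, errors = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        m = _SETTING.match(line)
        if m is None or m.group(2) != m.group(2).strip():
            errors.append("line %d: expected key=value with no surrounding "
                          "whitespace: %r" % (n, line))
            continue
        key, value = m.groups()
        if key in DEFAULTS and value.upper() not in ("YES", "NO"):
            errors.append("line %d: %s needs YES or NO, got %r" % (n, key, value))
            continue
        options[key] = value
    return options, errors


def _yes(options, key):
    return options.get(key, "NO").upper() == "YES"


def audit(options):
    """Return plain-language findings about the effective settings."""
    findings = []
    if _yes(options, "anonymous_enable"):
        findings.append("anonymous login is allowed")
        if _yes(options, "write_enable") and _yes(options, "anon_upload_enable"):
            findings.append("anonymous users may upload files")
        if _yes(options, "anon_other_write_enable"):
            findings.append("anonymous users may rename or delete files")
    if _yes(options, "local_enable"):
        if _yes(options, "chroot_local_user"):
            if _yes(options, "chroot_list_enable"):
                findings.append("all local users are chrooted EXCEPT those in "
                                "chroot_list_file (the list is a whitelist)")
        elif _yes(options, "chroot_list_enable"):
            findings.append("only the users in chroot_list_file are chrooted; "
                            "every other local user can browse the whole filesystem")
        else:
            findings.append("local users are not chrooted and can browse the "
                            "whole filesystem (e.g. /etc) after login")
    if _yes(options, "chown_uploads") and options.get("chown_username") == "root":
        findings.append("uploaded files would be owned by root (not recommended)")
    if _yes(options, "userlist_enable"):
        findings.append("user_list is a %s" %
                        ("blacklist" if _yes(options, "userlist_deny") else "whitelist"))
    return findings


CONFIG_WEAK = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
userlist_enable=YES
"""                                               # constructed sample

# constructed: the three mistakes the article's note warns about
CONFIG_REJECTED = "write_enable = YES\n anonymous_enable=NO\nlocal_enable=YES # note\n"


if __name__ == "__main__":
    opts, errs = parse_vsftpd_conf(CONFIG_WEAK)
    print("errors:", errs)
    for finding in audit(opts):
        print(" -", finding)
    print("rejected:", parse_vsftpd_conf(CONFIG_REJECTED)[1])
```

The audit deliberately works on the effective options (defaults plus file), so leaving anonymous_enable out of the file is still reported as anonymous access, and the chroot finding changes wording depending on whether chroot_list_file is acting as a whitelist or a blacklist.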



Part 3: Putting the basics into practice




Exercise one: how can anonymous users upload files?

Server side:

[root@localhost vsftpd]# vim vsftpd.conf
Make sure anon_upload_enable=YES is enabled (uncommented) in the main configuration file.
Reload the server program: service vsftpd reload
Switch to the client:

[root@station144 ~]# lftp 172.16.18.1
lftp 172.16.18.1:~> put /etc/fstab                # upload a file with: put <file name>
put: Access failed: 553 Could not create file. (fstab)   # the upload fails: vsftpd allows uploading, but the ftp user has no permission to write into this directory on the server

Solution:

Server side:

[root@localhost vsftpd]# cd /var/ftp/             # switch to the ftp user's home directory
[root@localhost ftp]# ls
pub
[root@localhost ftp]# ls -l
total 4
drwxr-xr-x 2 root root 4096 Jul 29 13:25 pub
[root@localhost ftp]# mkdir upload                # create a new directory
[root@localhost ftp]# setfacl -m u:ftp:rwx upload/   # give the ftp user read, write and execute permission on it
[root@localhost ftp]#
Switch to the client:

[root@station144 ~]# lftp 172.16.18.1             # reconnect
lftp 172.16.18.1:~> ls
drwxr-xr-x 2 0 0 4096 Jul 29 05:25 pub
drwxrwxr-x 2 0 0 4096 Jul 29 06:36 upload
lftp 172.16.18.1:/> cd upload/
lftp 172.16.18.1:/upload> put /etc/fstab          # upload
921 bytes transferred
lftp 172.16.18.1:/upload> ls
-rw------- 1 14 50 921 Jul 29 06:40 fstab          # uploaded successfully


Exercise two: how to define a welcome message shown when changing into a directory?

Server side:

[root@localhost vsftpd]# vim vsftpd.conf
Make sure dirmessage_enable=YES is enabled.
[root@localhost ftp]# cd upload/
[root@localhost upload]# vim .message             # edit a hidden file named .message in the directory
--welcome to Upload--                             # add the welcome message
Client:

[root@station144 ~]# ftp 172.16.18.1              # lftp does not display the message, so ftp is used here
Connected to 172.16.18.1 (172.16.18.1).
220 (vsFTPd 2.2.2)
Name (172.16.18.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload                                    # change into the directory that holds the message
250---welcome to Upload--                         # the message from .message is displayed
250-
250 Directory successfully changed.




Exercise three: how to specify a whitelist of users who are not confined to their home directories?

   Idea: set chroot_local_user=YES, chroot_list_enable=YES and chroot_list_file=/etc/vsftpd/chroot_list together; the list then becomes the whitelist.



// 1. Modify the configuration file
[root@localhost vsftpd]# vim vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
// 2. Create the file that specifies the whitelist
[root@localhost vsftpd]# vim chroot_list
zhao
centos
// 3. Switch to the client and test
[root@station144 ~]# ftp 172.16.18.1
Connected to 172.16.18.1 (172.16.18.1).
220 (vsFTPd 2.2.2)
Name (172.16.18.1:root): centos                   # centos is in the whitelist
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/centos"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls                                           # all files under /etc can be listed
227 Entering Passive Mode (172,16,18,1,214,167).
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Jul 12 10:27 ConsoleKit
-rw-r--r-- 1 0 0 4439 Apr 17 2012 DIR_COLORS
-rw-r--r-- 1 0 0 5139 Apr 17 2012 DIR_COLORS.256color
-rw-r--r-- 1 0 0 4113 Apr 17 2012 DIR_COLORS.lightbgcolor
drwxr-xr-x 5 0 0 4096 Jul 12 10:33 NetworkManager
[root@station144 ~]# ftp 172.16.18.1
Connected to 172.16.18.1 (172.16.18.1).
220 (vsFTPd 2.2.2)
Name (172.16.18.1:root): tom                      # tom is not in the whitelist, so he cannot see other files
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
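The two sessions above show the effect of the chroot: pwd reports "/" for the confined user because his home directory has become his root, and "cd /etc" fails because the path is resolved inside that jail. The inverted meaning of chroot_list_file (a whitelist of exempt users when chroot_local_user=YES, a list of users to confine when it is NO) is easy to get backwards, so the following added example (not code from the original article or from vsftpd) models that decision and the resulting view of the filesystem. The user list, home directories and directory tree are constructed to match the sessions above.

```python
"""Model of vsftpd's chroot decision for local users and of the view of the
filesystem each user gets.  Added example, not code from the original
article; DIRS, CHROOT_LIST and HOMES are constructed to match the sessions."""
import posixpath


def is_chrooted(user, chroot_local_user, chroot_list_enable, chroot_list):
    """chroot_local_user=YES confines everyone EXCEPT the listed users;
    chroot_local_user=NO confines NOBODY except the listed users."""
    listed = chroot_list_enable and user in chroot_list
    return (not listed) if chroot_local_user else listed


class FtpView:
    """What a logged-in local user sees.  A chrooted user's '/' is the real
    home directory, so an absolute path such as /etc is looked up as
    <home>/etc, which normally does not exist: hence '550 Failed to change
    directory'.  A non-chrooted user's paths are the real ones."""

    def __init__(self, home, chrooted, existing_dirs):
        self.root = home if chrooted else "/"
        self.cwd = "/" if chrooted else home      # what PWD (257) reports
        self.dirs = set(existing_dirs)

    def real_path(self, virtual):
        # strip the leading '/' and re-root it; normpath also swallows any
        # '..' that tries to climb above the jail
        return posixpath.normpath(posixpath.join(self.root, virtual.lstrip("/")))

    def pwd(self):
        return self.cwd

    def cd(self, target):
        """Return the reply code: 250 on success, 550 on failure."""
        if not target.startswith("/"):
            target = posixpath.join(self.cwd, target)
        target = posixpath.normpath(target)
        if self.real_path(target) not in self.dirs:
            return 550
        self.cwd = target
        return 250


# constructed to match the article's sessions
DIRS = {"/", "/etc", "/home", "/home/centos", "/home/tom"}
CHROOT_LIST = ["zhao", "centos"]           # contents of /etc/vsftpd/chroot_list
HOMES = {"centos": "/home/centos", "tom": "/home/tom"}


def login(user, chroot_local_user=True, chroot_list_enable=True):
    """Build the filesystem view a user gets under the given chroot settings."""
    jailed = is_chrooted(user, chroot_local_user, chroot_list_enable, CHROOT_LIST)
    return FtpView(HOMES[user], jailed, DIRS)


if __name__ == "__main__":
    for name in ("centos", "tom"):
        view = login(name)
        print(name, "pwd:", view.pwd(), "cd /etc ->", view.cd("/etc"))
```

With the article's settings, centos (listed) lands in /home/centos and can change to /etc, while tom (not listed) lands in "/" and gets 550 for /etc, for "../../etc", and for any other attempt to leave the jail; flipping chroot_local_user to NO makes the same list confine exactly the users it names.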


Exercise four: how to define transfer rates; limit anonymous users' download speed to 10K while leaving ordinary users unlimited?

   Maximum transfer rate for anonymous users: anon_max_rate=value; the value is in bytes

   Maximum transfer rate for ordinary (local) users: local_max_rate=value

   Extension: to set the rate per user, use user_config_dir=/etc/vsftpd/userconfs/, then create a file named after each user in that directory and write local_max_rate=value into it.

[root@localhost vsftpd]# vim vsftpd.conf          # edit the configuration file
anon_max_rate=10240                               # add this line
[root@localhost vsftpd]# service vsftpd restart   # restart the service
[Figure: 12k.png]



Exercise five: how to limit the number of FTP logins?

max_clients=value                                 # maximum number of concurrent connections
max_per_ip=value                                  # maximum number of connections from one IP address
// Because of address limitations, no example is given here


How to use SSL to encrypt and authenticate FTP transfers?

   This requires SSL authentication and encryption. Since my knowledge of SSL is limited, I will not go into it here; see the follow-up blog post on OpenSSL encryption and authentication for further instructions!







This article is from the "Starting Point Dream" blog; please keep this source: http://pangge.blog.51cto.com/6013757/1275876
