First, this post does not cover how to install vsftpd on the Linux server; it goes straight to the security configuration.
Second, edit the vsftpd.conf file.
Key configuration items are as follows:
# prohibit anonymous logins
anonymous_enable=NO
# allow local users to log in
local_enable=YES
# allow writes after login
write_enable=YES
local_umask=022
# enable transfer logging
xferlog_enable=YES
# log file
xferlog_file=/var/log/xferlog
# accounts listed in the userlist file are denied FTP access; put root and other local accounts that must not log in over FTP in that list
userlist_enable=YES
Explanations of all configuration items can be found at:
http://blog.csdn.net/chenhongqian/article/details/50462382
Third, create the FTP account
# useradd -d /home/myftp myftp
# passwd myftp
# usermod -s /sbin/nologin myftp    # restrict myftp so it cannot log in to a local shell
Fourth, create a folder (scripts) that users can only download from, not upload to
# mkdir /home/myftp/scripts
# chmod 555 /home/myftp/scripts
Fifth, create a folder (results) that users can only upload to, and cannot download from or delete from
This is a bit tricky, because users must not be able to download or delete even the files they uploaded themselves, so a special method is needed.
# mkdir /home/myftp/results
# chmod 755 /home/myftp/results
# chattr +i /home/myftp/results
Sixth, configure SSL encryption
1. Run rpm -qa | grep openssl to check whether OpenSSL is installed; if it is not, install it first.
2. Create a directory to hold the certificate. The certs folder may already exist, but check whether the existing folder is only a symbolic link.
- mkdir -p /etc/ssl/certs
- chmod 700 /etc/ssl/certs
3. Run the command that generates the certificate:
- openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
4. The certificate generation above prompts for information such as country, province and e-mail address; fill it in as prompted.
5. Then go into the /etc/ssl/certs directory and check that the certificate was generated.
6. Then add the following to the end of the vsftpd configuration file:
- # Turn on SSL
- ssl_enable=YES
- # Allow anonymous users to use secured SSL connections
- allow_anon_ssl=YES
- # All non-anonymous logins are forced to use a secure SSL connection in order to
- # send and receive data on data connections.
- force_local_data_ssl=YES
- force_anon_data_ssl=YES
- # All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
- force_local_logins_ssl=YES
- force_anon_logins_ssl=YES
- # Permit TLS v1 protocol connections. TLS v1 connections are preferred
- ssl_tlsv1=YES
- # Permit SSL v2 protocol connections. TLS v1 connections are preferred
- ssl_sslv2=NO
- # Permit SSL v3 protocol connections. TLS v1 connections are preferred
- ssl_sslv3=NO
- # Disable SSL session reuse (required by WinSCP)
- require_ssl_reuse=NO
- # Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
- ssl_ciphers=HIGH
- # This option specifies the location of the RSA certificate to use for SSL
- # encrypted connections.
- rsa_cert_file=/etc/ssl/certs/vsftpd.pem
7. After the configuration changes are complete, restart the vsftpd service.
Note: If the service fails to start, check that the location of the certificate matches rsa_cert_file=/etc/ssl/certs/vsftpd.pem.
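As an added check that is not part of the original post, the following Python audits a vsftpd.conf against the settings described above and verifies that rsa_cert_file names a file that exists, which is the start-up failure the note describes. The EXPECTED table is my reading of the post's settings, and the sample configuration and the set of "generated" certificate paths are constructed here so the script runs offline.

```python
import os

# Settings the post requires, with the value vsftpd should see (my reading of the post).
EXPECTED = {"anonymous_enable": "NO", "userlist_enable": "YES", "ssl_enable": "YES",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO"}

def parse_vsftpd_conf(text):
    """Return {key: value} from key=value lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd_conf(text, file_exists=os.path.isfile):
    """List deviations from the post's hardening; an empty list means the file matches."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key in list(conf):
        if key != key.lower():
            # vsftpd option names are lowercase; a capitalised key matches no option.
            findings.append(f"option name is not lowercase: {key}")
            conf[key.lower()] = conf.pop(key)
    for key, want in EXPECTED.items():
        if (have := conf.get(key)) is None or have.upper() != want:
            findings.append(f"{key}={have} (want {want})")
    if conf.get("ssl_enable", "NO").upper() == "YES":
        # The start-up failure the note describes: rsa_cert_file names a path that is not there.
        if (cert := conf.get("rsa_cert_file")) is None or not file_exists(cert):
            findings.append(f"rsa_cert_file does not point to an existing file: {cert}")
    return findings

# Constructed sample: the post's fragments plus its /etc/ssl/cert vs /etc/ssl/certs slip.
SAMPLE_CONF = """anonymous_enable=NO
Userlist_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/cert/vsftpd.pem
"""
# Stand-in for the filesystem: only the path the openssl command above wrote to exists.
GENERATED_CERTS = {"/etc/ssl/certs/vsftpd.pem"}

if __name__ == "__main__":
    print("\n".join(audit_vsftpd_conf(SAMPLE_CONF, GENERATED_CERTS.__contains__)))
```

Against a real server, call audit_vsftpd_conf with the contents of /etc/vsftpd/vsftpd.conf and leave file_exists at its default so the certificate path is checked on disk.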
8. Log in and check whether the connection is encrypted:
Status: Connecting 172.20.100.xx:21 ...
Status: Connection established, waiting for welcome message ...
Status: Initializing TLS ...
Status: Validating certificate ...
Status: The TLS connection is established.
Status: Logged in
Status: Read Directory list ...
Note: Use a client tool such as FileZilla to connect; you may not be able to log in directly through a browser.
Build a relatively secure FTP server on a Linux server