Build an FTP service in Linux

Source: Internet
Author: User

vsftpd (very secure FTP daemon) is the usual choice for running an FTP service on Linux. The FTP protocol itself sends everything, including credentials, in clear text and offers no protection of its own; vsftpd is an FTP server written with security in mind. The following describes how to set up vsftpd on CentOS 6.3.

1. Check whether the package is installed
[root@localhost ~]# rpm -qa | grep vsftpd
[root@localhost ~]#

If nothing is printed, the package is not installed. Otherwise, the installed version is shown.

2. If vsftpd is not installed, take the RPM from the Packages folder of the installation disk or install it with yum. The RPM method is used below.
[root@localhost tmp]# rpm -ivh vsftpd-2.2.2-11.el6.i686.rpm
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@localhost tmp]#

vsftpd is installed successfully.

3. Check the firewall
[root@localhost tmp]# chkconfig iptables --list
iptables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@localhost tmp]#

The output shows that the firewall is enabled at run levels 2 to 5. To disable the firewall, run the following commands:

[root@localhost tmp]# chkconfig iptables off
[root@localhost tmp]# chkconfig iptables --list
iptables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@localhost tmp]#

The firewall is now off. To enable it again, run the following commands:

[root@localhost tmp]# chkconfig iptables on
[root@localhost tmp]# chkconfig iptables --list
iptables       0:off   1:off   2:on    3:on    4:on    5:on    6:off

If you prefer to keep the firewall running, open the FTP port instead:

[root@localhost tmp]# /sbin/iptables -I INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost tmp]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost tmp]#

The status shows that port 21, the default FTP command port, is now accepted (the -I option inserted the rule at position 1, ahead of the final REJECT rule). Save the rules so they survive a restart:

[root@localhost tmp]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost tmp]#

If you only open port 21, the command channel works but the data channel does not: the server's data connection reaches the firewall, which does not recognise it as part of the client's FTP session, so the transfer fails. To fix this, load the ip_nat_ftp and ip_conntrack_ftp helper modules so the firewall can track the data connections that belong to an FTP session:

[root@localhost ~]# vi /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
#IPTABLES_MODULES=""
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"

Open the iptables-config file and set the IPTABLES_MODULES parameter, separating the two module names with a space. Save, exit, and restart the iptables service.
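The two firewall requirements above (an ACCEPT rule for the command port and the FTP connection-tracking helpers) are easy to forget after a rule rewrite. The following script is an added example, not part of the original article: it checks a saved rules file in iptables-save format and an iptables-config file for both. The function names and the sample files are constructed for the demonstration; the sample rules mirror the status output shown above.

```shell
#!/bin/sh
# Added example (not from the original article). Checks that a saved iptables
# rules file accepts the FTP command port and that iptables-config lists the
# FTP conntrack helpers. Function names and sample files are constructed here.

# Returns 0 if the rules file (iptables-save format) accepts TCP to port $2
# (default 21) on the INPUT chain, 1 otherwise.
ftp_port_open() {
    rules_file=$1
    port=${2:-21}
    # A saved rule looks like: -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    grep -E -- "^-A INPUT .*-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$rules_file" >/dev/null 2>&1
}

# Returns 0 if the last uncommented IPTABLES_MODULES= line in the given
# iptables-config file names both ip_nat_ftp and ip_conntrack_ftp.
ftp_helpers_loaded() {
    config_file=$1
    mods=$(grep -E '^IPTABLES_MODULES=' "$config_file" 2>/dev/null | tail -n 1 | sed 's/^IPTABLES_MODULES=//; s/"//g')
    case " $mods " in
        *" ip_nat_ftp "*) ;;
        *) return 1 ;;
    esac
    case " $mods " in
        *" ip_conntrack_ftp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per check and returns 0 only when both checks pass.
ftp_firewall_audit() {
    rules_file=$1
    config_file=$2
    status=0
    if ftp_port_open "$rules_file" 21; then
        echo "OK: 21/tcp is accepted on INPUT"
    else
        echo "MISSING: no ACCEPT rule for 21/tcp on INPUT"
        status=1
    fi
    if ftp_helpers_loaded "$config_file"; then
        echo "OK: ip_nat_ftp and ip_conntrack_ftp are listed in IPTABLES_MODULES"
    else
        echo "MISSING: FTP conntrack helpers are not listed in IPTABLES_MODULES"
        status=1
    fi
    return $status
}

# Constructed sample files reflecting the state after step 3 of the article.
demo_dir=$(mktemp -d)
cat > "$demo_dir/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$demo_dir/iptables-config" <<'EOF'
#IPTABLES_MODULES=""
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
EOF
ftp_firewall_audit "$demo_dir/iptables" "$demo_dir/iptables-config"
rm -rf "$demo_dir"
```

On a real CentOS 6 host the two inputs would be /etc/sysconfig/iptables (written by the save command above) and /etc/sysconfig/iptables-config; the script only reads files, so it can run as an unprivileged user.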

4. Check SELinux
[root@localhost tmp]# sestatus
SELinux status:                 enabled      <= whether SELinux is enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing    <= current mode
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@localhost tmp]#
4.1 Disable SELinux
[root@localhost ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

If the mode is enforcing, change it to disabled. (I found that if SELinux is not disabled, the client cannot connect during the configuration process.)

Do not forget to reboot after changing the SELinux setting.

4.2 Keep SELinux enabled

If you do not want to disable SELinux, adjust the FTP-related SELinux booleans instead:

[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@localhost ~]#

These are the default FTP booleans. To allow FTP logins, turn on allow_ftpd_full_access and ftp_home_dir (note that allow_ftpd_full_access lets vsftpd read and write any file the Unix permissions allow, whereas ftp_home_dir only permits access to users' home directories):

[root@localhost ~]# setsebool -P allow_ftpd_full_access=1
[root@localhost ~]# setsebool -P ftp_home_dir=1
[root@localhost ~]# service vsftpd restart

After running these commands, clients can connect to FTP with SELinux still in enforcing mode.

5. vsftpd configuration files

After installation, the vsftpd configuration files live in the /etc/vsftpd/ directory.

[root@localhost ~]# cd /etc/vsftpd/
[root@localhost vsftpd]# ll -a
total 36
drwxr-xr-x.   2 root root  4096 Oct 29 .
drwxr-xr-x. 117 root root 12288 Oct 29 ..
-rw-------.   1 root root   125 Jun 22 15:54 ftpusers
-rw-------.   1 root root   361 Jun 22 15:54 user_list
-rw-------.   1 root root  4599 Jun 22 15:54 vsftpd.conf             <= main configuration file
-rwxr--r--.   1 root root   338 Jun 22 15:54 vsftpd_conf_migrate.sh
[root@localhost vsftpd]#

5.1 ftpusers file

Used to stop local (real) accounts from logging on to FTP.

[root@localhost vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@localhost vsftpd]#

As shown above, these users on my system cannot log on to FTP. If you do not want a real user to log on to FTP, just add the user name to this file.

5.2 user_list file

This file plays the same role as ftpusers: it restricts which users can log on to FTP. The difference is that user_list only takes effect together with the userlist_enable and userlist_deny parameters in vsftpd.conf.
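Because ftpusers and user_list are evaluated differently, it is easy to misjudge who can actually log in. The following function is an added example, not part of the original article: it applies the semantics described in this section (ftpusers always denies; user_list denies when userlist_deny=YES and acts as an allow list when userlist_deny=NO, and is ignored when userlist_enable=NO) to a given account. The function names and the sample list files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Decides whether a local
# account would pass vsftpd's two user lists:
#   ftpusers  - always a deny list (enforced through PAM)
#   user_list - consulted only when userlist_enable=YES; a deny list when
#               userlist_deny=YES, an allow list when userlist_deny=NO
# Function names and the sample files below are constructed for this demo.

# Returns 0 if $1 appears as a whole line in file $2; comment lines are ignored.
user_in_list() {
    grep -v '^#' "$2" 2>/dev/null | grep -Fx -- "$1" >/dev/null
}

# Usage: ftp_login_allowed USER FTPUSERS_FILE USER_LIST_FILE USERLIST_ENABLE USERLIST_DENY
# Prints the verdict with its reason; returns 0 (allowed) or 1 (denied).
ftp_login_allowed() {
    user=$1
    ftpusers=$2
    user_list=$3
    enable=$4
    deny=$5
    if user_in_list "$user" "$ftpusers"; then
        echo "$user: denied (listed in ftpusers)"
        return 1
    fi
    if [ "$enable" = "YES" ]; then
        if [ "$deny" = "YES" ]; then
            if user_in_list "$user" "$user_list"; then
                echo "$user: denied (userlist_deny=YES and listed in user_list)"
                return 1
            fi
        else
            if ! user_in_list "$user" "$user_list"; then
                echo "$user: denied (userlist_deny=NO and not listed in user_list)"
                return 1
            fi
        fi
    fi
    echo "$user: allowed"
    return 0
}

# Constructed sample lists modelled on the article's defaults.
d=$(mktemp -d)
printf '%s\n' '# Users that are not allowed to login via ftp' root bin daemon nobody > "$d/ftpusers"
printf '%s\n' root bin daemon backup > "$d/user_list"
# The demo ignores the exit codes; the printed verdict is what matters here.
ftp_login_allowed root   "$d/ftpusers" "$d/user_list" YES YES || true   # denied by ftpusers
ftp_login_allowed backup "$d/ftpusers" "$d/user_list" YES YES || true   # denied by user_list
ftp_login_allowed alice  "$d/ftpusers" "$d/user_list" YES YES || true   # allowed
ftp_login_allowed alice  "$d/ftpusers" "$d/user_list" YES NO  || true   # denied: allow-list mode
rm -rf "$d"
```

The last call shows the trap that catches many administrators: flipping userlist_deny to NO turns user_list into the complete set of permitted accounts, so every user not named in it is locked out.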

5.3 chroot_list file

This file does not exist by default. It is used to confine selected accounts to their home directory (a chroot), which improves security. It only takes effect together with the chroot_list_enable and chroot_list_file parameters in vsftpd.conf.

5.4 Main configuration file vsftpd.conf
[root@localhost vsftpd]# cat vsftpd.conf | grep -v '^#'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@localhost vsftpd]#

These are the active settings right after installation. The most common parameters are described below.

connect_from_port_20=YES <= in active mode, the server opens data connections from port 20.

listen_port=21 <= port of the FTP command channel (default 21); applies in standalone mode.

dirmessage_enable=YES <= show a notice when a user enters a directory; see message_file.

message_file=.message <= name of the file whose contents are shown when dirmessage_enable=YES.

listen=YES <= run vsftpd in standalone mode.

pasv_enable=YES <= allow passive-mode data connections.

use_localtime=YES <= show local time in directory listings.

write_enable=YES <= allow users to upload data.

connect_timeout=60 <= active mode: disconnect if the client does not accept the data connection within 60 seconds.

accept_timeout=60 <= passive mode: disconnect if the client does not connect to the data port within 60 seconds.

data_connection_timeout=180 <= disconnect if a data transfer stalls for 180 seconds.

idle_session_timeout=180 <= disconnect a session that performs no operation for 180 seconds.

max_clients=10 <= at most 10 clients may be connected at the same time (standalone mode only).

max_per_ip=1 <= at most one connection per source IP address.

ftpd_banner=welcome <= greeting shown when a client connects to vsftpd.

banner_file=/file <= show the contents of the given file as the greeting instead.

guest_enable=YES <= treat every login by a real account as a guest login.

guest_username=ftp <= when guest_enable=YES, guests get the permissions of this local account (here, ftp).

local_enable=YES <= allow system users to log on to FTP with their real accounts.

local_max_rate=0 <= maximum transfer rate for real users in bytes per second; 0 means unlimited.

local_umask=022 <= umask applied to files uploaded by real users.

chroot_local_user=YES <= confine real users to their home directory.

chroot_list_enable=YES <= only the users named in the file given by chroot_list_file are chrooted.

chroot_list_file=/etc/vsftpd/chroot_list <= the chroot applies only to users listed in this file. If the login name is not in chroot_list, the user cannot log on.

userlist_enable=YES <= whether the user_list file is consulted; its effect also depends on userlist_deny.

userlist_deny=YES <= with userlist_enable=YES, accounts named in user_list are refused (with NO, only the named accounts may log in).

userlist_file=/etc/vsftpd/user_list <= location of the user list file.

anonymous_enable=YES <= whether anonymous logins are allowed.

xferlog_enable=YES <= log every upload and download.

xferlog_std_format=YES <= write the transfer log in the wu-ftpd format.

tcp_wrappers=YES <= honour TCP Wrappers (hosts.allow and hosts.deny).

pam_service_name=vsftpd <= name of the PAM service used for authentication.
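Several of the settings above (anonymous_enable, chroot_local_user, local_umask, max_clients) decide how exposed the server is, and the post-install file leaves most of them at their permissive defaults. The following script is an added example, not part of the original article: it reads a vsftpd.conf, fills in vsftpd 2.2's built-in default for any key that is absent, and reports the settings a reviewer would want changed. The function names, the "weak" thresholds and the sample configuration are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Reports weak settings in a
# vsftpd.conf. Built-in defaults (anonymous_enable=YES, chroot_local_user=NO,
# local_umask=077, max_clients=0) are those of vsftpd 2.2; the function names
# and what counts as "weak" are assumptions made for this demo.

# Prints the effective value of key $1 in file $2, or default $3 if unset.
# The last occurrence wins, as in vsftpd itself.
vsftpd_get() {
    v=$(grep -E "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 \
        | sed -e "s/^[[:space:]]*$1=//" -e 's/[[:space:]]*$//')
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Prints one FINDING line per weak setting; the exit status is the number
# of findings, so 0 means the file passed every check.
vsftpd_audit() {
    conf=$1
    n=0
    anon=$(vsftpd_get anonymous_enable "$conf" YES)
    chroot=$(vsftpd_get chroot_local_user "$conf" NO)
    umask=$(vsftpd_get local_umask "$conf" 077)
    maxc=$(vsftpd_get max_clients "$conf" 0)
    if [ "$anon" = "YES" ]; then
        echo "FINDING: anonymous_enable=YES allows logins without an account"
        n=$((n + 1))
    fi
    if [ "$chroot" != "YES" ]; then
        echo "FINDING: chroot_local_user=$chroot lets real users browse outside their home directory"
        n=$((n + 1))
    fi
    # Digits 2, 3, 6 and 7 clear the write bit; anything else in the group or
    # other position leaves uploaded files group- or world-writable.
    case "$umask" in
        *[2367][2367]) ;;
        *) echo "FINDING: local_umask=$umask leaves uploads group- or world-writable"
           n=$((n + 1)) ;;
    esac
    if [ "$maxc" = "0" ]; then
        echo "FINDING: max_clients=0 puts no limit on simultaneous connections"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample: the post-install file shown in the article.
d=$(mktemp -d)
cat > "$d/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF
if vsftpd_audit "$d/vsftpd.conf"; then
    echo "no findings"
else
    echo "findings: $?"
fi
rm -rf "$d"
```

Run against the article's default file the script reports three findings (anonymous logins, no chroot, unlimited clients); setting anonymous_enable=NO, chroot_local_user=YES and max_clients=10 brings it to zero.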

6. Start the vsftpd service

vsftpd can run in standalone mode or from a super-server (xinetd). Standalone mode is normally used.

[root@localhost ~]# chkconfig iptables on
[root@localhost ~]# service iptables start
[root@localhost ~]# chkconfig iptables --list
iptables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@localhost ~]# ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): yao
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[root@localhost ~]#

If running ftp localhost reports that the command is not found, install the ftp client package.

After these commands, the FTP service is up and accepting logins.
