I. Preface
vsftpd (Very Secure FTP Daemon) is a secure, fast and stable FTP server for Unix/Linux. It supports three kinds of user:

1. Anonymous users: by default the system only provides anonymous access.
2. Local users: the accounts in /etc/passwd are used for authentication.
3. Virtual users: user names and passwords are kept in a database file or on a database server.

Compared with local users, virtual users exist only for the FTP server: they can reach only the resources the FTP server provides, which considerably improves the security of the system. Compared with anonymous users, a virtual user needs a user name and password to fetch files from the server, which makes users and downloads easier to manage. For sites that offer a download service but do not want everyone to download anonymously, and that need to manage the download users while keeping the host secure and administration simple, virtual users are an excellent solution.
II. Working Principle
The FTP protocol uses two network connections: a control connection (port 21) and a data connection (port 20).

Control connection: the connection between client and server over which the client sends its commands. By default the server waits for client commands on port 21.

Data connection: the link over which files are transferred or directory listings are sent. Its port is negotiated over the control connection.

The control connection is always initiated by the client; the data connection works in one of two ways, PORT mode or PASV mode.

PORT mode (active mode): the client first connects to TCP port 21 of the FTP server and sends commands over this channel. When the client needs to receive data, it sends the PORT command over this channel; the command carries the port (a port above 1024) on which the client will receive the data. When the data is transferred, the server sends it from its TCP port 20, so the server must establish a new connection to the client for the transfer.

PASV mode (passive mode): the control channel is established as in PORT mode. When the client sends the PASV command over this channel, the FTP server opens a random port between 1024 and 5000 and tells the client to send its data request to that port. The server then transfers the data over that port and no longer needs to open a new connection to the client.

From the point of view of the C/S model, PORT is OUTBOUND for the server and PASV is INBOUND for the server. Pay special attention to this, in particular in enterprises that use firewalls: if the firewall rules are written for the wrong direction, clients will not be able to connect.

III. Common FTP commands and functions
FTP command | Function
ls | Display the directory on the server
ls [remote-dir] [local-file] | Display the remote-dir directory and save the listing to local-file
get remote-file [local-file] | Download the specified file from the server to the client
mget remote-files | Download multiple remote files (mget accepts wildcards)
put local-file [remote-file] | Upload the specified file from the client to the server
mput local-files | Upload multiple files to the remote host (mput accepts wildcards)
open | Connect to the FTP server
mdelete [remote-files] | Delete files on the remote host
close | End the ftp session with the remote server (the counterpart of open)
mkdir dir-name | Create a directory on the remote host
open host [port] | Connect to the specified FTP server; the port may be given
newer file-name | If the modification time of file-name on the remote host is more recent than that of the local file with the same name, the file is transferred again
cd directory | Change the working directory on the server
rename [from] [to] | Rename a file on the remote host
lcd directory | Change the working directory on the client (local)
pwd | Display the current working directory on the remote host
bye | Exit ftp
quit | Same as bye: quit the ftp session
ascii | Set the file transfer mode to ASCII
reget remote-file [local-file] | Like get, but if local-file exists the transfer resumes from the point where it was interrupted
binary | Set the file transfer mode to binary
rhelp [cmd-name] | Request help from the remote host
! [cmd [args]] | Run a command in the local shell and return to the ftp environment, for example: ! ls *.zip
rstatus [file-name] | If no file name is given, display the status of the remote host; otherwise display the status of the file
account [password] | Supply the password required to access system resources after logging in to the remote system
hash | Display a hash sign (#) for every 1024 bytes transferred
append local-file [remote-file] | Append a local file to a file on the remote host; if the remote file name is not given, the local file name is used
restart marker | Restart the following get or put from the given marker, for example: restart 130
bye | Exit the ftp session
rmdir dir-name | Delete a directory on the remote host
case | When mget is used, convert uppercase letters in remote file names to lowercase
size file-name | Display the size of file-name on the remote host
cd remote-dir | Enter the given directory on the remote host
status | Display the current ftp status
cdup | Go to the parent directory on the remote host
system | Display the operating system of the remote host
delete remote-file | Delete a file on the remote host
user user-name [password] [account] | Identify yourself to the remote host; enter the password if one is required, for example: user anonymous my@email
dir [remote-dir] [local-file] | Display the remote host directory and save the result to a local file
help [cmd] | Display help for the ftp internal command cmd, for example: help get
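The PORT/PASV negotiation described in section II, worked through as an added Python example that is not part of the original article: it decodes the h1,h2,h3,h4,p1,p2 address tuple carried by the PORT command and by the 227 reply (data port = p1*256 + p2) and applies the checks a firewall administrator would make: connection direction, port range, and whether the advertised address matches the peer of the control connection. The sample messages and the 1024-5000 passive range are constructed from the description above.

```python
import re

# Constructed sample messages (not from the article): a client PORT command
# and a server 227 reply, as they appear on the control connection (port 21).
PORT_CMD = "PORT 192,168,1,20,4,1"
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,19,136)"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply.
    The data port is p1 * 256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport: build the tuple for a PORT command or 227 reply."""
    p1, p2 = divmod(port, 256)
    return "%s,%d,%d" % (host.replace(".", ","), p1, p2)


def data_connection(message, control_peer, pasv_range=(1024, 5000)):
    """Describe the data connection implied by a PORT command (active mode) or a
    227 reply (passive mode) and list what a firewall administrator should check.
    control_peer is the address at the other end of the control connection."""
    host, port = decode_hostport(message)
    issues = []
    if host != control_peer:
        issues.append("advertised address %s differs from control peer %s" % (host, control_peer))
    if message.upper().startswith("PORT"):
        # Active mode: the server connects OUTBOUND from its port 20 to the client.
        mode, direction = "PORT", "server:20 -> %s:%d (OUTBOUND from server)" % (host, port)
        if port <= 1024:
            issues.append("client data port %d is not above 1024" % port)
    elif message.startswith("227"):
        # Passive mode: the client connects INBOUND to the port the server opened.
        mode, direction = "PASV", "client -> %s:%d (INBOUND to server)" % (host, port)
        lo, hi = pasv_range
        if not lo <= port <= hi:
            issues.append("server data port %d outside passive range %d-%d" % (port, lo, hi))
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % message)
    return {"mode": mode, "host": host, "port": port, "direction": direction, "issues": issues}
```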
FTP reply codes and their meaning:

110 Restart marker reply.
120 Service ready in the stated number of minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open the data connection.
200 Command executed successfully.
202 Command not executed.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type.
220 Service ready for a new user.
221 Service closing the control connection.
225 Data connection open; no transfer in progress.
226 Closing the data connection; the requested file operation succeeded.
227 Entering passive mode.
230 User logged in.
250 Requested file operation completed.
257 Current path name displayed.
331 User name okay; password required.
332 Account information required for login.
350 Requested operation pending further information (a further command).
421 Service not available; closing the control connection.
425 Cannot open the data connection.
426 Connection closed; transfer aborted.
450 Requested operation not performed.
451 Command aborted: local error in processing.
452 Command not executed: insufficient disk space.
500 Syntax error; command not recognised.
501 Syntax error in the parameters.
502 Command not executed.
503 Bad sequence of commands.
504 Incorrect parameter for that command.
530 Not logged in.
532 An account login is required to store files.
550 Requested operation not performed.
551 Requested command aborted: type unknown.
552 Requested file operation aborted: storage allocation exceeded.
553 Requested operation not performed: file name not allowed.

IV. Install and configure the vsftpd server
[root@localhost ~]# mkdir /mnt/cdrom
[root@localhost ~]# mount /dev/cdrom /mnt/cdrom
[root@localhost ~]# cd /mnt/cdrom/Server/
[root@localhost Server]# rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
[root@localhost Server]# rpm -ql vsftpd | less      # view the files the package installed
[root@localhost Server]# man 5 vsftpd.conf          # view the parameter documentation for the configuration file
[root@localhost Server]# vim /etc/vsftpd.conf       # edit the configuration file

The configuration file contains the following settings (lines beginning with # are left at their default, disabled):

anonymous_enable=YES                 # allow anonymous accounts
local_enable=YES                     # allow local accounts
write_enable=YES                     # allow FTP commands that write (upload, delete, rename, ...)
local_umask=022                      # umask applied to files uploaded by local users
#anon_upload_enable=YES              # allow anonymous users to upload files
#anon_mkdir_write_enable=YES         # allow anonymous users to create directories
dirmessage_enable=YES                # show the contents of the message_file in each directory when a user enters it
xferlog_enable=YES                   # enable transfer logging
connect_from_port_20=YES             # use the standard port 20 for PORT-mode data connections
#chown_uploads=YES                   # change the owner of all anonymously uploaded files to chown_username
#chown_username=whoever              # the user name used by chown_uploads
#xferlog_file=/var/log/xferlog       # location of the transfer log file
xferlog_std_format=YES               # use the standard log format
#idle_session_timeout=600            # idle connection timeout (seconds)
#data_connection_timeout=120         # data transfer timeout (seconds)
#nopriv_user=ftpsecure               # unprivileged user the server runs as
#async_abor_enable=YES               # recognise the asynchronous ABOR command; generally not required
#ascii_upload_enable=YES             # whether ASCII-mode upload is available; the default is NO
#ascii_download_enable=YES           # whether ASCII-mode download is available; the default is NO
#ftpd_banner=Welcome to blah FTP service   # welcome message shown at login; ignored if banner_file is set
#deny_email_enable=YES               # if anonymous users must give a password (an e-mail address), addresses listed in banned_email_file cannot log in
#banned_email_file=/etc/vsftpd/banned_emails   # e-mail addresses that anonymous users may not use as their password
#chroot_list_enable=YES              # if enabled, the users listed in chroot_list_file cannot change out of their root directory
#chroot_list_file=/etc/vsftpd/chroot_list      # the file that lists those users
#ls_recurse_enable=YES               # whether "ls -R" may be used; kept off to avoid consuming large amounts of server resources
listen=YES                           # bind to the port given by listen_port and run as a standalone daemon (independent vsftpd server)
pam_service_name=vsftpd              # the PAM service name; the default is vsftpd
userlist_enable=YES                  # if enabled, the userlist_deny option takes effect
tcp_wrappers=YES                     # enable tcp_wrappers

V. Case: an FTP server that supports SSL-encrypted transmission
1. Before setting up SSL, install a packet-capture tool:

[root@localhost ~]# yum install wireshark -y
Running Transaction
  Installing: libsmi      1/2
  Installing: wireshark   2/2
Installed: wireshark.i386 0:1.0.8-1.el5_3.1
Dependency Installed: libsmi.i386 0:0.4.5-2.el5
Complete!
[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0

Log in to the FTP server and capture the packets on port 21, for example:
2. Configure the root certificate authority

[root@mail ~]# cd /etc/pki/
[root@mail pki]# vim tls/openssl.cnf

Changes in openssl.cnf:

line 45:      dir = /etc/pki/CA                  # certificate path
lines 88-90:  countryName = optional
              stateOrProvinceName = optional
              organizationName = optional        # "optional" means the field need not match the CA's
line 136:     countryName_default = CN           # change the default values offered for the certificate fields
line 141:     stateOrProvinceName_default = BeiJing
line 144:     localityName_default = BeiJing

In vim, lines 88 to 90 can be changed in one go with :88,90s/match/optional

Generate the CA certificate:

[root@mail pki]# cd CA
[root@mail CA]# mkdir crl certs newcerts
[root@mail CA]# touch index.txt serial                   # create the files and directories the CA needs
[root@mail CA]# echo "01" > serial                       # certificate serial numbers start at 01
[root@mail CA]# openssl genrsa 1024 > private/cakey.pem  # generate the CA private key
Generating RSA private key, 1024 bit long modulus
[root@mail CA]# chmod 600 private/*                      # restrict the permissions on the key
[root@mail CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650   # generate the CA certificate

3. Apply for a certificate for the FTP server

[root@localhost ~]# mkdir /etc/vsftpd/certs    # directory for the private key, certificate and related files
[root@localhost ~]# cd /etc/vsftpd/certs/

Generate the key:

[root@localhost certs]# openssl genrsa 1024 > vsftpd.key
Generating RSA private key, 1024 bit long modulus
.......++
..........................++
e is 65537 (0x10001)

Request a certificate from the root CA:

[root@localhost certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [My Company Ltd]:lee
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ftp.abc.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Issue the certificate:

[root@localhost certs]# openssl ca -in vsftpd.csr -out vsftpd.cert

Restrict the permissions of the directory holding the certificate's private key:

[root@localhost certs]# chmod 600 *

Modify the configuration file (if you are unsure how to write these options, check the manual with man 5 vsftpd.conf):

[root@localhost ~]# vim /etc/vsftpd.conf

The lines added are:

rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key   # the certificate and the key
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=YES
ssl_enable=YES                                      # enable SSL and the accepted SSL/TLS versions
force_local_logins_ssl=YES
force_local_data_ssl=YES                            # require SSL for local users' logins and data transfers

Restart the service:

[root@localhost ~]# service vsftpd restart

VI. Test
Install the FTP client FlashFXP on the client machine and create a new site.
Connect
Accept the certificate. Now look at what the packet-capture tool recorded:

[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
No account or password information is visible
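To complement the packet capture with a check of the configuration itself, here is an added Python example that is not part of the original article: it parses a vsftpd.conf in the option=value form used above and audits the options set in sections IV and V, flagging ssl_sslv2 and ssl_sslv3 (both obsolete; only TLS should be offered), force_local_*_ssl turned off, anonymous write access, and local accounts without ssl_enable. The excerpt it reads is constructed, and the defaults table is taken from man 5 vsftpd.conf.

```python
# Constructed vsftpd.conf excerpt (not from the article) with the options sections IV and V set.
SAMPLE_CONF = """\
# comments and blank lines are ignored by vsftpd
anonymous_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""
# Documented vsftpd defaults (man 5 vsftpd.conf) for the options audited below.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO", "ssl_enable": "NO",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES"}


def parse_vsftpd_conf(text):
    """One option=value per line; '#' lines are comments; a later assignment overrides an earlier one."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected option=value, got %r" % (lineno, raw))
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd_conf(conf):
    """List weaknesses relative to the article's settings; unset options are judged by their default."""
    on = lambda k: conf.get(k, DEFAULTS[k]).upper() == "YES"
    findings = []
    if on("anonymous_enable") and on("write_enable") and (
            on("anon_upload_enable") or on("anon_mkdir_write_enable")):
        findings.append("anonymous users can write to the server")
    if on("ssl_enable"):
        for opt in ("ssl_sslv2", "ssl_sslv3"):
            if on(opt):  # SSLv2 and SSLv3 are obsolete; offer TLS only
                findings.append("%s=YES: obsolete protocol version, set it to NO" % opt)
        for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not on(opt):
                findings.append("%s=NO: local logins or data may travel unencrypted" % opt)
    elif on("local_enable"):
        findings.append("ssl_enable=NO with local accounts: passwords cross the network in the clear")
    return findings
```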