FTP (File Transfer Protocol) plays an important role in many network applications. Software is one of the most important resources on the Internet, and most software of every kind is hosted on FTP servers. Like most Internet services, FTP is a client/server system: the user connects to the FTP server program on a host through a client program that supports the FTP protocol and issues commands through that client; the server program executes the user's commands and returns the results to the client.
FTP services fall into two categories according to whom they serve: a system FTP server admits only legitimate users of the system, while an anonymous FTP server (Anonymous) lets anyone log on to retrieve files.
The FTP data connection can use one of three transfer modes: active, passive, and single-port.
1. Active transfer mode
Once the FTP control connection is established, when the client requests a directory listing or a file transfer it sends the PORT command to negotiate with the server. The FTP server then uses the standard port 20 as its data-connection port (ftp-data) and establishes the data connection to the client. Port 20 serves only as the source port on the server side; no process listens on port 20 for client requests.
In active transfer mode the data connection runs in the opposite direction to the control connection: the server initiates the connection to the client for data transfer. The client's data port is negotiated between the server and the client.
2. Passive transfer mode
Once the FTP control connection is established, when the client requests a directory listing or a file transfer it sends the PASV command to put the server into passive transfer mode, and the FTP server then waits for the client to connect. The server listens for the client's data connection on a port other than port 20.
In passive transfer mode the data connection runs in the same direction as the control connection: the client initiates the connection to the server for data transfer. The client's port is the port it uses when it initiates the data connection request. When an FTP client accesses an FTP server from outside a firewall, it needs to use passive transfer mode.
3. Single-port mode
Besides the two modes above there is also a single-port mode. In this mode the data connection request is initiated by the FTP server, and the client's control-connection port is the same as its data-connection port. This mode is rarely used because it cannot transfer data and commands continuously within a short period of time.
Many FTP servers are available for Linux; the most popular are wu-ftpd (Washington University FTP) and vsftpd. Red Hat 8.0 ships both wu-ftpd and vsftpd. wu-ftpd is a well-known FTP server, powerful and able to run well on many Unix operating systems, but the newcomer vsftpd has become more and more popular, and the Red Hat 9.0 release ships only vsftpd.
In vsftpd, "vs" stands for "Very Secure". As the name shows, the author of the software paid close attention to its security. Besides being secure by design, vsftpd is also fast and stable. In terms of stability, vsftpd can support more than 4,000 concurrent users on a single stand-alone (non-clustered) machine; according to data from ftp.redhat.com, vsftpd can support up to 15,000 concurrent users.
Quickly building an FTP server
The basic functions of an FTP server are upload and download. The following few steps build a simple FTP server that provides downloads.
1. Install the FTP server
If you did not choose to install the FTP server when installing the system, you can install it with the Add/Remove Applications tool in Red Hat 9.0: select "Main Menu" → "System Settings" → "Add/Remove Applications", select the FTP server in the window that appears, and click "Update".
If you are not sure whether the software is installed, check with the following command:
# rpm -qa | grep vsftpd
vsftpd-1.1.3-8
2. Start the FTP server
Start vsftpd directly with the default configuration that ships with Red Hat 9.0:
# /sbin/service vsftpd start
Starting vsftpd for vsftpd: [ OK ]
3. Create a file named test.txt in the /var/ftp/pub directory with the content "This is a test file".
4. Test
Log on to the local server with an FTP client as the anonymous user:
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
You are now logged on to the FTP server. List the server's directory as follows:
ftp> ls
227 Entering Passive Mode (127,0,0,1,63,15)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 01:35 pub
226 Directory send OK.
Change to the pub directory and list its contents; the file test.txt you just created is there:
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (127,0,0,1,232,34)
150 Here comes the directory listing.
-rw-r--r--    1 0        0                 Dec 01:35 test.txt
226 Directory send OK.
Download the test.txt file:
ftp> mget test.txt
mget test.txt? y
227 Entering Passive Mode (127,0,0,1,186,210)
150 Opening BINARY mode data connection for test.txt (bytes).
226 File send OK.
Bytes received in 0.0108 secs (1.9 kbytes/sec)
List the local directory; test.txt has been downloaded to this machine:
ftp> !ls
a     eio_binders  initrd      mnt      proc      tftpboot  ylg.txt
bin   etc          lib         mymnt    root      tmp
boot  home         lost+found  myshare  sbin      usr
dev   id_dsas.pub  misc        opt      test.txt  var
Attempt to upload a file named ylg.txt; the request is rejected:
ftp> put ylg.txt
local: ylg.txt remote: ylg.txt
227 Entering Passive Mode (127,0,0,1,243,10)
550 Permission denied.
Log out:
ftp> bye
221 Goodbye.
The tests show that files can already be downloaded but not uploaded (nor can directories or files be created on the server). This is, in effect, an anonymous FTP server dedicated to providing downloads.
As the steps above show, a simple FTP server can be set up without any configuration, because Red Hat already ships with a configured default FTP server. In practice, however, such a simple server does not meet the requirements in most cases.
Further configuring the FTP server
The following builds an FTP server that meets common needs. In practice an FTP server generally provides both upload and download; in addition, for security reasons, it needs user authentication, user permission settings, and space management. Such an FTP server is built as follows.
1. Create a welcome message. If you want users to see a welcome message or an introduction to the directory when they enter it, proceed as follows.
Make sure that /etc/vsftpd/vsftpd.conf contains dirmessage_enable=YES; Red Hat 9.0 has this setting by default. Then add a file named .message to the directory. In this example a .message file with the content "Welcome to my FTP site" is created in the /home/ylg directory.
2. Change the FTP server's default port. Change the preset port 21 to 2121, for security reasons. To do so, open /etc/vsftpd/vsftpd.conf with vi:
# vi /etc/vsftpd/vsftpd.conf
At the end of the file, add the following line:
listen_port=2121
3. Disable anonymous login. Locate the following line in vsftpd.conf and change its value to NO:
anonymous_enable=YES
4. Keep users from leaving their directory. This too is for security reasons. In general a user's default directory is /home/username. If you do not want users to be able to change up to the parent directory /home after logging in, use the following settings. Find the following three lines in /etc/vsftpd/vsftpd.conf:
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
Change them to:
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
Create the new file /etc/vsftpd/chroot_list containing two user names:
ylg
user1
5. Set different speed limits for different users. Suppose the maximum speed user ylg may use is 500 KB/s and user user1 may use 250 KB/s; this is set as follows. Add the following line to the end of /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/vsftpd/userconf
Create a directory named /etc/vsftpd/userconf:
# mkdir /etc/vsftpd/userconf
Under /etc/vsftpd/userconf, add a file named ylg with the following content:
local_max_rate=500000
Add a file named user1 in the /etc/vsftpd/userconf directory with the following content:
local_max_rate=250000
vsftpd's speed limit is accurate to between 80% and 120% of the configured value: a limit of 100 KB/s means the actual speed may lie between 80 KB/s and 120 KB/s. If bandwidth is insufficient, the actual speed stays below this limit.
6. Run each online user as a separate process. Normally, after starting vsftpd, you see only one process named vsftpd. If you want each online user to appear as a separate process, add the following line to /etc/vsftpd/vsftpd.conf:
setproctitle_enable=YES
7. Save /etc/vsftpd/vsftpd.conf and restart vsftpd:
# service vsftpd restart
8. Test the FTP server just built.
Logging on in the default way is refused, because the port has been changed to 2121, so the port must be given at logon:
# ftp 127.0.0.1
ftp: connect: Connection refused
Anonymous logon is no longer possible either:
# ftp 127.0.0.1 2121
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Logging on as user ylg (specifying port 2121) succeeds and shows the welcome message:
# ftp 127.0.0.1 2121
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): ylg
331 Please specify the password.
Password:
230-Welcome to my FTP site
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
The following command fails, because the settings do not allow leaving the directory:
ftp> cd /home
550 Failed to change directory.
Next, test uploading and downloading. First download the test.txt file from the server directory:
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (127,0,0,1,243,215)
150 Opening BINARY mode data connection for test.txt (bytes).
226 File send OK.
Bytes received in 0.00308 secs (6.7 kbytes/sec)
The !ls command shows that the file was downloaded to the local directory successfully. Then upload the file ylg.txt from the local directory to the server:
ftp> put ylg.txt
local: ylg.txt remote: ylg.txt
227 Entering Passive Mode (127,0,0,1,133,248)
150 Ok to send data.
226 File receive OK.
Bytes sent in 0.0401 secs (0.46 kbytes/sec)
Listing the server directory with ls shows that the file was uploaded successfully.
To check that different logged-on users run as different processes, use the ps -ef command, which shows the following:
# ps -ef | grep ftp
root     12972  1356  0 13:44 pts/1    00:00:00 ftp 127.0.0.1 2121
nobody   12973 12908  0 13:44 ?        00:00:00 [vsftpd]
ylg      12975 12973  0 13:44 ?        00:00:00 [vsftpd]
user1    13013 13011  0 13:46 ?        00:00:00 [vsftpd]
root     13041 13015  0 13:47 pts/4    00:00:00 grep ftp
At this point, a basic FTP server that meets common usage needs has been set up.
In practice the FTP server is sometimes placed behind a firewall for added security. As described at the beginning of this article, passive transfer mode suits situations with a firewall. The following sets up an FTP server behind a firewall, with FTP control port 2121 and data transfer port 2020.
Execute the following two lines, which open only ports 2121 and 2020 and close all other ports:
# iptables -A INPUT -p tcp -m multiport --dports 2121,2020 -j ACCEPT
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
Modify /etc/vsftpd/vsftpd.conf and add the following two lines at the end of the file:
listen_port=2121
ftp_data_port=2020
Restart vsftpd:
# service vsftpd restart
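The passive-mode discussion at the start of the article and the firewall rules just above both hinge on the data port the server advertises in its 227 reply; the following example, added here rather than taken from the article, parses such replies and checks each advertised port against a firewall-permitted range. It assumes that vsftpd.conf pins passive ports with pasv_min_port=60000 and pasv_max_port=65000 (ftp_data_port only sets the source port of active-mode PORT transfers) and that iptables accepts that range alongside 2121.

```python
import re
from typing import List, Tuple

# RFC 959 passive-mode reply payload: (h1,h2,h3,h4,p1,p2); port = p1 * 256 + p2.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):  # every field is one byte on the wire
        raise ValueError(f"field out of range: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]

def audit_passive_ports(session: str, pasv_min: int, pasv_max: int) -> List[Tuple[int, bool]]:
    """For every 227 reply in a captured session, report (port, inside firewall range?).

    A port outside [pasv_min, pasv_max] means the firewall rule for the passive range
    drops the data connection even though the control connection succeeded.
    """
    results = []
    for line in session.splitlines():
        if line.startswith("227"):
            _, port = parse_pasv_reply(line)
            results.append((port, pasv_min <= port <= pasv_max))
    return results

# Constructed session fragment built from the 227 replies quoted in the article.
SESSION = """\
227 Entering Passive Mode (127,0,0,1,63,15)
150 Here comes the directory listing.
226 Directory send OK.
227 Entering Passive Mode (127,0,0,1,243,10)
550 Permission denied.
"""

# Assumed firewall policy for this example: vsftpd.conf has pasv_min_port=60000 and
# pasv_max_port=65000, and iptables ACCEPTs port 2121 plus that range.
if __name__ == "__main__":
    for port, ok in audit_passive_ports(SESSION, 60000, 65000):
        print(f"passive data port {port}: {'allowed' if ok else 'BLOCKED by firewall'}")
```

With the passive range pinned this way, the firewall needs an ACCEPT rule for 60000:65000 in addition to the control port; the two iptables lines above alone reject every passive data connection.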
Sometimes you want to allow or deny a source address directly in /etc/hosts.allow, which the following configuration achieves. First make sure that /etc/vsftpd/vsftpd.conf has tcp_wrappers=YES (the default in Red Hat 9.0), then restart vsftpd:
# service vsftpd restart
To allow connections from 168.192.2.1 and from 210.31.8.1 through 210.31.8.254, set /etc/hosts.allow as follows:
vsftpd: 168.192.2.1 210.31.8. : ALLOW
ALL: ALL: DENY
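To see how tcp_wrappers evaluates the two hosts.allow lines above (first match wins, a trailing dot means a network prefix), the following added example, not from the original article, reimplements that matching in Python for the rule types the article uses; the ALLOW/DENY option handling and the NOMATCH result follow tcp_wrappers' documented behaviour.

```python
from typing import List, Tuple

Rule = Tuple[List[str], List[str], str]  # (daemon_list, client_list, option)

def parse_hosts_access(text: str) -> List[Rule]:
    """Parse "daemon_list : client_list [: option]" lines as used in /etc/hosts.allow."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        option = parts[2].upper() if len(parts) > 2 else ""
        rules.append((parts[0].split(), parts[1].split(), option))
    return rules

def client_matches(pattern: str, addr: str) -> bool:
    """Client patterns handled here: ALL, an exact IPv4 address, or a trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "210.31.8." matches 210.31.8.0 through 210.31.8.255 only
        return addr.startswith(pattern)
    return addr == pattern

def hosts_allow_decision(rules: List[Rule], daemon: str, addr: str) -> str:
    """First matching rule wins: ALLOW, or DENY when the rule carries the DENY option.

    NOMATCH means /etc/hosts.allow is silent; tcp_wrappers then consults /etc/hosts.deny
    and grants access if that file has no match either, which is why the article ends
    hosts.allow with a catch-all ALL: ALL: DENY line.
    """
    for daemons, clients, option in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, addr) for c in clients):
            return "DENY" if option == "DENY" else "ALLOW"
    return "NOMATCH"

# Constructed copy of the article's /etc/hosts.allow.
HOSTS_ALLOW = """\
vsftpd: 168.192.2.1 210.31.8. : ALLOW
ALL: ALL: DENY
"""
```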
Configuring virtual-user FTP
The FTP server configured above has one characteristic: its FTP users are also system users. This is clearly a security risk, because these users can access not only FTP but also other system resources. How is this solved? The answer is an FTP server with virtual users. A virtual user can access only the FTP service the server provides and none of the system's other resources. So if you want to give users write access to the FTP site but no access to other system resources, virtual users improve the security of the system.
In vsftpd, virtual users are authenticated against a separate password database file (pam_userdb) through Pluggable Authentication Modules (PAM). This approach is more secure and more flexible to configure.
The configuration process is described below.
1. Generate the virtual-user password database. To create the database file, first create a text file in the following format: odd-numbered lines are user names and even-numbered lines are passwords:
# vi account.txt
ylg
1234
zhanghong
4321
gou
5678
2. Generate the password database file and restrict its permissions:
# db_load -T -t hash -f ./account.txt /etc/vsftpd/account.db
# chmod 600 /etc/vsftpd/account.db
3. Create a new PAM file for virtual users containing the following two lines:
# vi /etc/pam.d/vsftp.vu
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/account
account required /lib/security/pam_userdb.so db=/etc/vsftpd/account
4. Create the local account the virtual users map to, set the directory it will access, and set the permissions virtual users have on it:
# useradd -d /ftpsite virtual_user
# chmod 700 /ftpsite
After this step /ftpsite is the home directory of the virtual_user user, who also owns the /ftpsite directory. Apart from root, only this user has read, write, and execute permission on the directory.
5. Generate a test file. First switch to the virtual_user identity, then create a file in the /ftpsite directory:
# su - virtual_user
$ vi /ftpsite/mytest
This is a test file.
$ su - root
6. Edit /etc/vsftpd/vsftpd.conf so that the whole file reads as follows (comments removed):
anonymous_enable=NO
local_enable=YES
local_umask=022
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
one_process_model=NO
chroot_local_user=YES
ftpd_banner=Welcome to my FTP server.
anon_world_readable_only=NO
guest_enable=YES
guest_username=virtual_user
pam_service_name=vsftp.vu
In the configuration above, guest_enable=YES enables virtual users; guest_username=virtual_user maps virtual users to the local user virtual_user, so that a virtual user logs in to that local user's directory /ftpsite; and pam_service_name=vsftp.vu specifies that the PAM configuration file is vsftp.vu.
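As an added check not from the article, the following Python parses a vsftpd.conf in the exact form vsftpd requires (lowercase option names, no spaces around "=") and flags risky combinations; run over the step-6 configuration above it reports that anon_other_write_enable=YES lets every virtual user delete and rename the others' files, because guest logins are governed by the anon_* options. Defaults used for missing keys are vsftpd's built-in defaults.

```python
import re
from typing import Dict, List

# vsftpd accepts only "option=value" lines (no whitespace around "="); "#" starts a
# comment; option names are lowercase; boolean values (YES/NO/TRUE/FALSE/1/0) are case-insensitive.
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf text into {option: value}; reject lines vsftpd would refuse."""
    opts: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        key, value = m.group(1), m.group(2)
        if key != key.lower():  # e.g. "Anonymous_enable": vsftpd stops with "500 OOPS: bad config option"
            raise ValueError(f"line {lineno}: option names are lowercase: {key!r}")
        opts[key] = value
    return opts

def is_yes(opts: Dict[str, str], key: str, default: str = "NO") -> bool:
    """Evaluate a boolean option as vsftpd does; 'default' is vsftpd's built-in default."""
    return opts.get(key, default).strip().upper() in ("YES", "TRUE", "1")

def audit_vsftpd_conf(opts: Dict[str, str]) -> List[str]:
    """Findings for risky combinations; virtual (guest) logins are governed by the anon_* options."""
    findings: List[str] = []
    anon = is_yes(opts, "anonymous_enable", "YES")
    guest = is_yes(opts, "guest_enable")
    chrooted = is_yes(opts, "chroot_local_user") or is_yes(opts, "chroot_list_enable")
    if anon and is_yes(opts, "anon_upload_enable"):
        findings.append("anonymous users may upload files (anon_upload_enable=YES)")
    if (anon or guest) and is_yes(opts, "anon_other_write_enable"):
        findings.append("anonymous/virtual users may delete and rename files (anon_other_write_enable=YES)")
    if is_yes(opts, "local_enable") and is_yes(opts, "write_enable") and not chrooted:
        findings.append("local users can write and are not chrooted (set chroot_local_user=YES)")
    if not is_yes(opts, "xferlog_enable"):
        findings.append("transfer logging is off (xferlog_enable=NO): uploads leave no record")
    return findings

# Constructed copy of the key lines from the article's step-6 configuration.
ARTICLE_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
guest_enable=YES
"""
```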
7. Restart vsftpd:
# service vsftpd restart
8. Test with the virtual user gou (there is no such account on the Linux system):
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Welcome to my FTP server.
Name (127.0.0.1:root): gou
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
Test downloading the file mytest from the server directory:
ftp> get mytest
local: mytest remote: mytest
227 Entering Passive Mode (127,0,0,1,159,19)
150 Opening BINARY mode data connection for mytest (bytes).
226 File send OK.
Bytes received in 0.00038 secs (kbytes/sec)
Test uploading the file vsftpd.conf from the local directory:
ftp> !ls
account.db chroot_list k mytest userconf vsftpd.conf
ftp> put vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
227 Entering Passive Mode (127,0,0,1,117,203)
150 Ok to send data.
226 File receive OK.
4229 bytes sent in 0.00195 secs (2.1e+03 kbytes/sec)
As you can see, a virtual user with no system account can upload and download successfully. However, the virtual-user FTP server allows only virtual users to log on; other system users cannot. For example, the system user user1 is not a virtual user and cannot log on to the virtual-user server:
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Welcome to my FTP server.
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
On a virtual-user FTP server you can also set permissions for individual users. To do so, add the following line to the /etc/vsftpd/vsftpd.conf file:
user_config_dir=<user profile directory>
Then create the user's profile in that directory. For example, to create a profile for the user named gou (assuming the profile directory is /etc/user_config_dir):
# vi /etc/user_config_dir/gou
write_enable=NO
anon_upload_enable=NO
Restart the FTP server, then log in with the account gou: it no longer has permission to upload.