Building an enterprise-level FTP server virtual user --- rhel6.x
Preface:
As the saying goes, reviewing old material teaches something new. While sorting out my old study notes today I came across the words "vsftp virtual users". Perhaps because the FTP servers I normally run rely on setfacl for controlled sharing, I had overlooked the security problems that come with system users, and my memory of how vsftpd virtual users are set up had gone blurry. So today let's go through setting up vsftpd virtual users.
Building virtual users with db4-utils + vsftpd:
I personally think virtual users are essential for an enterprise-level vsftpd deployment. With local (system) accounts, anyone who wants to attack the server learns your system usernames and can go on to brute-force their passwords, which is a serious threat to the whole server. With virtual users, the accounts you hand out for FTP do not exist on the server at all, so even if someone learns a username and password they still hold no system account.
1. Install db4-utils and vsftpd
    # yum -y install vsftpd db4-utils
vsftpd's virtual-user database is a Berkeley DB file. Creating it requires the db_load command, which ships in the db4-utils package, so db4-utils must be installed as well.
2. Create the FTP login username/password list file
    # cat /etc/vsftpd/virtual_user.list
    user1
    123
    user2
    456
Odd lines hold usernames, even lines hold the password of the username on the line just above (user1's password is 123, user2's is 456).
Note: a blank line in this file still counts as a line and would shift the username/password pairing, so do not add any extra lines.
3. Use db_load to convert the username/password list into a Berkeley DB database file.
    # db_load -T -t hash -f /etc/vsftpd/virtual_user.list /etc/vsftpd/virtual_user.db
    # file /etc/vsftpd/virtual_user.db
    /etc/vsftpd/virtual_user.db: Berkeley DB (Hash, version 9, native byte-order)
Options: -T reads plain-text input (rather than db_dump format); -t hash selects the hash access method; -f /etc/vsftpd/virtual_user.list is the username/password list; the last argument, /etc/vsftpd/virtual_user.db, is the Berkeley DB file to create. Both the list and the .db file contain the passwords in cleartext, so restrict them to root (chmod 600).
4. Create the FTP root directory and the system user that the virtual users are mapped to
    # useradd -d /var/ftproot -s /sbin/nologin virtual
    # chown virtual:virtual /var/ftproot/
    # chmod 755 /var/ftproot/
-d sets this user's home directory; -s /sbin/nologin means the account cannot log on to the system.
5. Create the PAM authentication file. You have just converted the password list into a database file with db_load; now create /etc/pam.d/vsftpd.vu to tell PAM where that authentication database is.
    # cat /etc/pam.d/vsftpd.vu
    #%PAM-1.0
    auth    required pam_userdb.so db=/etc/vsftpd/virtual_user
    account required pam_userdb.so db=/etc/vsftpd/virtual_user
Note that pam_userdb appends the .db suffix itself, so the db= path is given without it.
6. Modify the configuration file so that vsftpd supports virtual users.
    # cat /etc/vsftpd/vsftpd.conf | grep -vE '^#|^$'
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    anon_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=YES
    userlist_enable=YES
    tcp_wrappers=YES
    guest_enable=YES
    guest_username=virtual
    pam_service_name=vsftpd.vu
    local_root=/var/ftproot
    user_config_dir=/etc/vsftpd/chroot_list
The virtual-user settings are: guest_enable=YES enables the user-mapping (guest) function; guest_username=virtual maps every virtual user to the non-login system account created earlier; pam_service_name=vsftpd.vu names the PAM file used for authentication; local_root=/var/ftproot is the FTP root directory; user_config_dir=/etc/vsftpd/chroot_list is the directory holding the per-user permission files. vsftpd does not accept trailing comments on option lines, so keep each line as a bare key=value.
7. Create the directory that holds the per-user permission files, and one file per virtual user. Each file must be named exactly after the virtual username.
    # mkdir /etc/vsftpd/chroot_list
    # touch /etc/vsftpd/chroot_list/user1
    # touch /etc/vsftpd/chroot_list/user2
    # cd /etc/vsftpd/chroot_list/
    # ls
    user1  user2
    # echo "anon_upload_enable=YES" > /etc/vsftpd/chroot_list/user1
    # cat /etc/vsftpd/chroot_list/user2
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
The directory name must match the user_config_dir path set in vsftpd.conf, and each file name must be a username that exists in the username/password list file. user1 is allowed to upload files; user2 is allowed to upload files and also to create directories. Because virtual users are treated as guests, their write permissions are controlled by the anon_* options.
8. Success! Restart vsftpd so the new configuration takes effect, then verify by logging in as user1 and user2.
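The whole procedure above, wrapped in a script as an added example that is not part of the original post: it validates the list file from step 2, runs the db_load conversion from step 3 (only when VU_APPLY=1 is set, so sourcing the file is harmless), writes the per-user files from step 7, and then checks that the virtual usernames are not also system accounts and that the mapped account cannot log in. The default paths are the ones the post uses; the VU_* variables and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks the vsftpd
# virtual-user pieces described in steps 2, 3 and 7, plus two sanity checks.
# Defaults are the paths the post uses; the VU_* variables are my own names
# for overriding them (e.g. to dry-run in a temporary directory).
LIST="${VU_LIST:-/etc/vsftpd/virtual_user.list}"
DB="${VU_DB:-/etc/vsftpd/virtual_user.db}"
CONF_DIR="${VU_CONF_DIR:-/etc/vsftpd/chroot_list}"
GUEST="${VU_GUEST:-virtual}"

# Step 2 check: usernames on odd lines, passwords on even lines, no blank
# lines, no whitespace and no duplicate usernames. Any of these would
# silently produce a wrong or unusable entry in the DB.
validate_user_list() {
    f="$1"
    [ -f "$f" ] || { echo "missing list file: $f" >&2; return 1; }
    n=$(awk 'END { print NR }' "$f")
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd line count ($n): a username has no password line" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "blank line in list file" >&2
        return 1
    fi
    if grep -q '[[:space:]]' "$f"; then
        echo "whitespace inside a username or password" >&2
        return 1
    fi
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate username(s): $dups" >&2
        return 1
    fi
    return 0
}

# The usernames are the odd lines of the list.
list_users() {
    awk 'NR % 2 == 1' "$1"
}

# Step 3: convert the list into the Berkeley DB hash file pam_userdb reads,
# then lock down both files, since each holds cleartext passwords.
build_db() {
    validate_user_list "$LIST" || return 1
    db_load -T -t hash -f "$LIST" "$DB" || return 1
    chmod 600 "$LIST" "$DB"
}

# Step 7: one file per virtual user, named after the user, holding only the
# anon_* options passed in (each written as NAME=YES, without spaces).
write_user_config() {
    dir="$1"; user="$2"; shift 2
    mkdir -p "$dir"
    : > "$dir/$user"
    for opt in "$@"; do
        echo "${opt}=YES" >> "$dir/$user"
    done
}

# Post-setup checks: no virtual username may also be a system account, and
# the mapped guest account must have a non-login shell.
check_accounts() {
    passwd_file="$1"; list="$2"; guest="$3"
    rc=0
    for u in $(list_users "$list"); do
        if grep -q "^$u:" "$passwd_file"; then
            echo "virtual user '$u' is also a system account" >&2
            rc=1
        fi
    done
    shell=$(awk -F: -v g="$guest" '$1 == g { print $7 }' "$passwd_file")
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "guest account '$guest' has shell '${shell:-<missing>}'" >&2; rc=1 ;;
    esac
    return $rc
}

# Apply everything only when explicitly asked, so sourcing the file is safe.
if [ "${VU_APPLY:-0}" = 1 ]; then
    build_db
    for u in $(list_users "$LIST"); do
        write_user_config "$CONF_DIR" "$u" anon_upload_enable
    done
    check_accounts /etc/passwd "$LIST" "$GUEST"
fi
```

Run it with VU_APPLY=1 as root on the server to apply the steps, or point VU_LIST, VU_DB and VU_CONF_DIR at a scratch directory to rehearse first; the account check reads the real /etc/passwd only in the apply branch, so you can pass a constructed passwd file to check_accounts when testing.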
This article is from the "hello_world" blog; please keep this source: http://gooder.blog.51cto.com/9178822/1440512