vsftpd is the most widely used FTP server program in Linux distributions. Its features: small, lightweight, secure, and easy to use. Before building a vsftpd server, first understand how FTP works.
FTP runs over TCP, a reliable transport, and uses two connections: a command channel and a data channel. In general the FTP service occupies two ports, 20 and 21: port 21 is used to establish the command channel and port 20 the data channel. FTP connections can be established in two modes: active mode and passive mode.
Active mode: the client uses a random port greater than 1024 to initiate a request to port 21 of the server, and the TCP three-way handshake establishes the command channel. If a file is then uploaded or downloaded, the server uses port 20 to initiate a connection to another port greater than 1024 on the client; after the three-way handshake, the data channel is established.
Passive mode: the command channel is created on port 21 in the same way as in active mode. When a data-transfer command is issued, the client sends a request to the server over the command channel; the server then opens a listening port, not port 20 but a random port greater than 1024. In this way the data channel at both ends, server and client, is established between ports greater than 1024.
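Both modes carry the data-channel endpoint as six comma-separated numbers (h1,h2,h3,h4,p1,p2): in the client's PORT command for active mode and in the server's 227 reply for passive mode, with the port equal to p1*256+p2. The decoder below is an added example, not part of the original post; it turns either line into host and port and flags a data port at or below 1024, which the description above says the data channel should not use.

```shell
#!/bin/sh
# Decode the "h1,h2,h3,h4,p1,p2" tuple carried by an active-mode PORT command
# or a passive-mode "227 Entering Passive Mode (...)" reply. Prints "host port".
ftp_decode_hostport() {
    printf '%s\n' "$1" | awk -F'[^0-9]+' '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i != "") v[++n] = $i
        if (n < 6) exit 1                  # malformed: fewer than six numbers
        # the last six numbers are the tuple (a 227 reply also starts with "227")
        for (i = n - 5; i <= n - 2; i++) if (v[i] + 0 > 255) exit 1
        port = v[n-1] * 256 + v[n]
        if (port < 1 || port > 65535) exit 1
        printf "%s.%s.%s.%s %d\n", v[n-5], v[n-4], v[n-3], v[n-2], port
    }'
}

# Return 0 when the decoded data port is an unprivileged port (> 1024),
# which is what both modes described above are expected to use.
ftp_data_port_unprivileged() {
    ep=$(ftp_decode_hostport "$1") || return 1
    set -- $ep
    [ "$2" -gt 1024 ]
}
```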
Next we will build and configure the vsftpd server (environment: CentOS 5.5).
1. Check whether the vsftpd server is installed, then enable and start the vsftpd service.
2. On the Windows client, log on to the FTP server from the command line using the anonymous account anonymous or ftp with a blank password. The login succeeds. The default anonymous FTP root directory is /var/ftp.
3. You can use some simple commands to view directory information. For example, dir lists the folders under the root directory of the server; you will find a folder named pub. !dir lists the folders under the current directory of your local computer, as shown in the figure.
4. pwd shows the path of the current directory on the server. Here the directory seen by an anonymous user is a relative path: the anonymous user can only access /var/ftp and has no permission to access other paths on the server. lcd shows the current path on the local computer.
5. By default, anonymous users have only download permission, not upload permission: the server rejects the upload of the dns.txt file, but the ftptest file can be downloaded successfully. In addition, the bye command exits the FTP session.
Introduction to the vsftpd configuration files:
/etc/vsftpd.conf # main configuration file of vsftpd
/etc/pam.d/vsftpd # the file used when PAM modules perform identity authentication
/etc/vsftpd.ftpusers # equivalent to a blacklist: users listed here cannot log on to FTP
/etc/vsftpd.ftpuser_list # can act as either a blacklist or a whitelist, depending on how the policy is set
/etc/vsftpd.chroot_list # does not exist by default and must be created manually; it locks the listed users into their root directory so they cannot enter other directories on the server
/etc/sbin/vsftpd # start file of vsftpd
/var/ftp # default root directory for anonymous users logging on to vsftpd
Description of the vsftpd.conf settings:
anonymous_enable=YES # allow anonymous users to log on
local_enable=YES # allow local users to log on
write_enable=YES # allow users to upload
local_umask=022 # by default an uploaded folder is created with permission 777 and a file with 666; the umask 022 is subtracted from these defaults, removing the write bit for group and others, so that others can only read a file but cannot modify it
anon_upload_enable=YES # allow anonymous users to upload files; commented out by default
anon_mkdir_write_enable=YES # allow anonymous users to create folders; commented out by default
dirmessage_enable=YES # when a user enters a directory, the message file in that directory is displayed; the default file name is .message
xferlog_enable=YES # enable logging of client uploads and downloads
connect_from_port_20=YES # the FTP data channel is opened from port 20
xferlog_std_enable=YES # use the standard log format
pam_service_name=vsftpd # the PAM service (authentication file) used is vsftpd
userlist_enable=YES # check whether users listed in the userlist_file file may access the server
listen=YES # work in standalone mode
tcp_wrappers=YES # use TCP wrappers, the access-control mechanism provided by Linux
The three vsftpd login methods
1. Anonymous user login
Use the default user name anonymous or ftp, as shown in the section on configuring the vsftpd server in CentOS 5.5 above. The root directory after logon is /var/ftp.
2. Local user login
Log on to the FTP server using a system account and password. The root directory after logon is the account's home directory, and you can change to other system directories. First, create a system account named centos.
useradd centos
passwd centos
Log on to the FTP server with the centos account from the Windows client. The root directory after logon is the home directory of centos, and you can change to another directory, for example /etc/vsftpd, outside /home/centos. In its own root directory the account has read, write, and execute permission, so it can freely upload and download under /home/centos.
Note: .message is used to display welcome information when FTP users enter a directory. Create a .message file with vi in the user's root directory.
Log on with the Windows client and you will find an extra line: Hello, everyone! Welcome to 51cto! In fact this works not only in the root directory but in other directories too.
To lock system accounts into their root directory, add the line chroot_local_user=YES to vsftpd.conf. Remember to restart the vsftpd service for it to take effect.
Go back to the Windows client, log on, and you will find that the centos account can no longer change to another directory.
3. Virtual user login
Because local users carry some security risks, another logon method is available: virtual users, which log on in place of a local user. A virtual user account is not associated with a local account; it is stored in an encrypted file. The following describes how to create and log on as a virtual user.
1) Create the virtual user password database file
Create a file vuser_list.txt in any directory (here, the /etc/vsftpd directory).
[root@300second ~]# cd /etc/vsftpd
[root@300second vsftpd]# vi vuser_list.txt
Odd lines hold the user name and even lines the password. Do not enter any extra characters.
2) Generate the authentication file used by vsftpd in the /etc/vsftpd directory.
[root@300second vsftpd]# db_load -T -t hash -f vuser_list.txt /etc/vsftpd/vuser_list.db
If the system cannot find the db_load command, db4 is not installed; install it with yum.
Then run db_load -T -t hash -f vuser_list.txt /etc/vsftpd/vuser_list.db again; no error is reported.
[root@300second ~]# chmod 600 /etc/vsftpd/vuser_list.db # make the authentication file readable and writable only by its owner
3) Create the PAM configuration file required by the virtual users
In the /etc/pam.d/ directory there is a file named vsftpd, used when PAM modules authenticate local users. Because virtual users are used now, that file cannot be reused; create a new file vsftpd.vuser in this directory with the following content: [root@300second pam.d]# vi /etc/pam.d/vsftpd.vuser
Create a local user (vuser) but do not set a password for it; the root directory of the virtual users created above is then mapped to the home directory of this local user.
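Steps 1) to 3) above are easy to get subtly wrong: a stray blank line in vuser_list.txt shifts every following password onto a user-name line, and pam_userdb wants the database path without its .db suffix. The script below is an added example, not from the original post; it checks the list layout, builds the database with the same db_load command, and writes a PAM file for pam_userdb, assuming the file names used in the post.

```shell
#!/bin/sh
# Build the virtual-user database and matching PAM file from vuser_list.txt.

vuser_list_check() {
    # $1: text list; odd lines = user name, even lines = password
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    n=$(awk 'END { print NR }' "$f")
    # every user name needs a password line, so the line count must be even
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || { echo "line count $n is not even" >&2; return 1; }
    # a blank line would shift users and passwords out of step
    if grep -q '^[[:space:]]*$' "$f"; then echo "blank line in $f" >&2; return 1; fi
    # odd lines must look like account names
    awk 'NR % 2 == 1 && $0 !~ /^[a-z_][a-z0-9_-]*$/ { print "bad user name on line " NR; bad = 1 }
         END { exit bad }' "$f" >&2
}

vuser_db_build() {
    # $1: text list, $2: output path, e.g. /etc/vsftpd/vuser_list.db
    src=$1; out=$2
    vuser_list_check "$src" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load missing: install the db4 utilities" >&2; return 1; }
    # -t hash selects the Berkeley DB hash access method; the passwords inside are
    # stored as typed, which is why the file must be readable by root only
    db_load -T -t hash -f "$src" "$out" || return 1
    chmod 600 "$out"
}

vuser_pam_write() {
    # $1: path of the .db file, $2: PAM file to write, e.g. /etc/pam.d/vsftpd.vuser
    # pam_userdb expects the database path without the .db suffix
    base=${1%.db}
    printf 'auth     required pam_userdb.so db=%s\naccount  required pam_userdb.so db=%s\n' \
        "$base" "$base" > "$2"
}
```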
Next, modify vsftpd.conf as follows:
guest_enable=YES # allow virtual users to log on
guest_username=vuser # the local user that virtual users are mapped to
pam_service_name=vsftpd.vuser # replace the original vsftpd PAM service with the new vsftpd.vuser
[root@300second ~]# service vsftpd restart # restart the vsftpd service
Now you can log on with vuser1 and vuser2 created earlier, but no longer with a local user.
However, at this point the virtual users' permissions are very low: only the most basic access is available. Therefore you also need to set the permissions of the individual virtual users from the main configuration file. If no root directory is specified for the virtual accounts, vuser1 and vuser2 use /home/vuser as their root directory.
[root@300second home]# cd /etc/vsftpd/
[root@300second vsftpd]# mkdir /etc/vsftpd_vuser # create the directory that will hold the virtual users' permission files
[root@300second vsftpd]# vi vsftpd.conf # open vsftpd.conf and add a line pointing to the directory just created
Four permission settings are available for virtual users. If the last three are included, the virtual user has all permissions.
anon_world_readable_only=NO # whether the user may only download world-readable files
anon_upload_enable=YES # allow uploads
anon_mkdir_write_enable=YES # allow creating and deleting directories
anon_other_write_enable=YES # allow other write operations (such as renaming and deleting)
Go to the /etc/vsftpd/vsftpd_vuser directory and create two files, vuser1 and vuser2.
[root@300second vsftpd]# cd vsftpd_vuser
[root@300second vsftpd_vuser]# vi vuser1
[root@300second vsftpd_vuser]# vi vuser2
[root@300second ~]# service vsftpd restart # restart the vsftpd service
vuser1 can now upload, download, create, delete, and perform other operations.
vuser2 has almost no permissions and cannot do anything.
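A per-user file in that directory can override most server directives, not only the four permission keys above, so a stray line could widen a virtual user's rights well beyond what was intended. The script below is an added example, not from the original post: it writes a "full" or "readonly" profile from those four keys and lints a file so that only those keys, with YES/NO values, are accepted. It assumes the directory layout from the post (/etc/vsftpd_vuser/<user>) and that vsftpd.conf references it with the user_config_dir directive.

```shell
#!/bin/sh
# Per-user configuration files for vsftpd virtual users (assumed layout:
# /etc/vsftpd_vuser/<user>, named in vsftpd.conf by user_config_dir).
PERM_KEYS='anon_world_readable_only|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable'

vuser_profile_write() {
    # $1: config directory, $2: virtual user name, $3: profile "full" or "readonly"
    dir=$1; user=$2
    case $3 in
    full)     ro=NO;  w=YES ;;   # upload, mkdir, rename/delete allowed (vuser1 above)
    readonly) ro=YES; w=NO  ;;   # download of world-readable files only
    *)        echo "unknown profile: $3" >&2; return 1 ;;
    esac
    printf 'anon_world_readable_only=%s\nanon_upload_enable=%s\nanon_mkdir_write_enable=%s\nanon_other_write_enable=%s\n' \
        "$ro" "$w" "$w" "$w" > "$dir/$user"
}

vuser_profile_lint() {
    # $1: a per-user file; fail if it sets anything other than the four keys
    awk -F= -v keys="^($PERM_KEYS)\$" '
        /^[[:space:]]*(#|$)/ { next }                       # skip comments and blank lines
        $1 !~ keys         { print FILENAME ": unexpected directive " $1; bad = 1 }
        $2 !~ /^(YES|NO)$/ { print FILENAME ": bad value in " $0; bad = 1 }
        END { exit bad }' "$1"
}
```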