FTP related knowledge
1. FTP port numbers
Command (control) connection port: TCP 21
2. Data connection port (the port used for the data connection can be set separately on the server):
Active mode: the client tells the server over the command connection that it wants to use active mode (PORT command) for the data transfer, and tells the server which non-privileged port it is listening on (typically the command connection's port number plus 1, and greater than 1024). The server then connects from its own default data connection port, TCP 20, to the client's data port to establish the data connection and begin transferring data.
Passive mode: the client tells the server over the command connection that it wants to use passive mode (PASV command). After receiving the command, the server tells the client which non-privileged port (greater than 1024) it is listening on, and the client connects to that port itself and transfers the data.
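To make the two data-connection modes concrete, here is an added example in POSIX sh (it is not from the original article): it decodes the address and port a server announces in its 227 reply to PASV, checks that announced address against the address the control connection went to, and builds the argument a client would send in a PORT command for active mode. The reply strings and addresses are constructed sample values, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: decode the endpoint a server
# announces in a "227 Entering Passive Mode" reply, and build the argument a
# client sends in a PORT command for active mode. Both directions use the same
# h1,h2,h3,h4,p1,p2 encoding, with port = p1*256 + p2.

# is_octet N: true when N is a decimal integer in 0..255
is_octet() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -le 255 ]
}

# pasv_endpoint REPLY: print "host:port" taken from a 227 reply, or fail on a
# malformed or out-of-range reply (a client should treat that as an error
# rather than guess an endpoint).
pasv_endpoint() {
    reply=$1
    case $reply in 227*) ;; *) return 1;; esac
    inner=${reply#*\(}          # drop everything up to the opening parenthesis
    inner=${inner%%\)*}         # drop the closing parenthesis and what follows
    old_ifs=$IFS; IFS=,
    set -- $inner               # split the six comma-separated fields
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do is_octet "$n" || return 1; done
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_host_matches REPLY CONTROL_HOST: true when the announced address is the
# one the control connection went to. A server behind NAT may announce its
# internal address; a client should notice that instead of connecting blindly.
pasv_host_matches() {
    ep=$(pasv_endpoint "$1") || return 1
    [ "${ep%:*}" = "$2" ]
}

# port_args HOST PORT: build the PORT command argument for active mode. The
# client must listen on a non-privileged port (1024 or above).
port_args() {
    host=$1 port=$2
    case $port in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $host                # split the dotted address into four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for n in "$@"; do is_octet "$n" || return 1; done
    printf '%s,%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" $(( port / 256 )) $(( port % 256 ))
}

# Sample run on a constructed reply: prints 192.168.1.10:50009
pasv_endpoint '227 Entering Passive Mode (192,168,1,10,195,89).'
```

The port arithmetic is the part people get wrong: 195,89 is not port 19589 but 195*256+89 = 50009, and the same encoding is what a client must produce for PORT.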
3. Common FTP servers
Linux: wu-ftpd, vsftpd, proftpd, pure-ftpd
Windows: Serv-U, FileZilla
4. Common FTP clients
Linux: ftp, lftp, gFTP (graphical)
Windows: FlashFXP, FileZilla, CuteFTP
Installing vsftpd on CentOS 6
One. Installation
1. Install vsftpd:
# yum install vsftpd -y
2. Confirm that the PAM packages (including the development package) are installed. Strictly speaking they are not required; the point is just to confirm that PAM is present:
# yum install pam pam-devel
3. Install the db4 packages to support the file-based user database. The db4 packages already on the system:
db4-utils-4.7.25-17.el6.x86_64
db4-4.7.25-17.el6.x86_64
# yum install db4*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.cqu.edu.cn
 * extras: mirrors.163.com
 * updates: mirrors.yun-idc.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package db4.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4.x86_64 0:4.7.25-20.el6_7 will be an update
---> Package db4-cxx.x86_64 0:4.7.25-20.el6_7 will be installed
---> Package db4-devel.x86_64 0:4.7.25-20.el6_7 will be installed
---> Package db4-devel-static.x86_64 0:4.7.25-20.el6_7 will be installed
---> Package db4-java.x86_64 0:4.7.25-20.el6_7 will be installed
---> Package db4-tcl.x86_64 0:4.7.25-20.el6_7 will be installed
---> Package db4-utils.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4-utils.x86_64 0:4.7.25-20.el6_7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch      Version               Repository     Size
================================================================================
Installing:
 db4-cxx             x86_64    4.7.25-20.el6_7       updates        588 k
 db4-devel           x86_64    4.7.25-20.el6_7       updates        6.6 M
 db4-devel-static    x86_64    4.7.25-20.el6_7       updates        2.5 M
 db4-java            x86_64    4.7.25-20.el6_7       updates        1.7 M
 db4-tcl             x86_64    4.7.25-20.el6_7       updates        620 k
Updating:
 db4                 x86_64    4.7.25-20.el6_7       updates        563 k
 db4-utils           x86_64    4.7.25-20.el6_7       updates        to K

Transaction Summary
================================================================================
Install       5 Package(s)
Upgrade       2 Package(s)
Two. System accounts
1. Create the host user for the vsftpd service:
# useradd vsftpd -s /sbin/nologin
By default the vsftpd service host user is root, which does not meet security requirements. Here we create a user named vsftpd and use it as the service host user that backs vsftpd. Because this user exists only to support the vsftpd service, it has no need to log in to the system, so it is created as a user that cannot log in.
2. Create the vsftpd virtual hosting user:
# useradd virtuser -s /sbin/nologin
This article is mainly about vsftpd virtual users. Virtual users are not system users; these FTP users do not exist in the system at all. All of their permissions are in fact concentrated in one system user, the so-called virtual hosting user of vsftpd, which is the host user that backs all the virtual users. Because it backs every FTP virtual user, its own privileges affect all of them, so its rights must be controlled with great care. This user also has absolutely no need to log in to the system, so it too is created as a user that cannot log in.
Three. Adjust the vsftpd configuration file
1. Back up the configuration file before editing it:
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
2. Edit the master configuration file vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf
Here I have kept the original configuration file in full: wherever I changed something, I kept the original setting as a comment, and I added my own understanding of each configuration item, with my own view on the more important ones. I did not delete the original English explanations, so they remain for reference and comparison.
#anonymous_enable=YES
anonymous_enable=NO
Disables anonymous access.
xferlog_file=/var/log/xferlog
nopriv_user=vsftpd
# You may fully customise the login banner string:
ftpd_banner=Welcome to my FTP service.
ls_recurse_enable=NO
#KC: The following entries are added for supporting virtual FTP users.
The following are the important configuration items for vsftpd virtual user support. They are not included in the default vsftpd.conf; you need to add them by hand.
guest_enable=YES
Enables the virtual user feature.
guest_username=virtuser
Specifies the host user that virtual users are mapped onto.
virtual_use_local_privs=YES
Gives virtual users the same permissions as their host (local) user.
user_config_dir=/etc/vsftpd/vconf
Sets the directory that holds each virtual user's individual vsftpd configuration file. Note that each file in this directory must have exactly the same name as the virtual user it applies to.
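As an added check that is not part of the article, the following POSIX sh function audits the virtual-user settings in a vsftpd.conf: anonymous access off, guest_enable on, guest_username pointing at an existing account that cannot log in, and user_config_dir present. The passwd-file parameter exists only so the check can be run against a constructed file; the function names and the sample files are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audit the virtual-user
# settings of a vsftpd.conf. Usage: audit_vuser_conf CONF [PASSWD_FILE]
# (PASSWD_FILE defaults to /etc/passwd; it is a parameter so the function can
# be exercised against a constructed file).

# vconf_get CONF KEY: value of the last uncommented "KEY=value" line; vsftpd
# applies settings in order, so the last one wins. Commented lines such as
# "#anonymous_enable=YES" are ignored because they do not start with KEY.
vconf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

audit_vuser_conf() {
    conf=$1 passwd=${2:-/etc/passwd}
    rc=0
    [ "$(vconf_get "$conf" anonymous_enable | tr a-z A-Z)" = NO ] ||
        { echo "anonymous access is still enabled"; rc=1; }
    [ "$(vconf_get "$conf" guest_enable | tr a-z A-Z)" = YES ] ||
        { echo "guest_enable is not YES; virtual users will not work"; rc=1; }
    # the host account must exist and must not be able to log in
    guest=$(vconf_get "$conf" guest_username)
    shell=$(awk -F: -v u="$guest" '$1 == u { print $7 }' "$passwd")
    case $shell in
        '') echo "guest_username '$guest' is not a system account"; rc=1 ;;
        */nologin|/bin/false) ;;
        *)  echo "guest_username '$guest' can log in (shell $shell)"; rc=1 ;;
    esac
    # per-user files live here and must be named exactly like the user
    dir=$(vconf_get "$conf" user_config_dir)
    [ -n "$dir" ] && [ -d "$dir" ] ||
        { echo "user_config_dir '$dir' does not exist"; rc=1; }
    return $rc
}

# Sample run against the real files (prints findings, exit status 0 when clean)
[ -r /etc/vsftpd/vsftpd.conf ] && audit_vuser_conf /etc/vsftpd/vsftpd.conf
```

Run it after editing vsftpd.conf and again after any change to the guest account; a guest_username with a real shell is the kind of drift that silently widens what every virtual user can do.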
3. Create the vsftpd log file and hand it to the vsftpd service host user:
# touch /var/log/vsftpd.log
# chown vsftpd.vsftpd /var/log/vsftpd.log
4. Create the directory for the virtual users' configuration files:
# mkdir /etc/vsftpd/vconf/
Four. Create the virtual user database file
1. First create the virtual user list file:
# touch /etc/vsftpd/virtusers
This list file records the user names and passwords of the vsftpd virtual users; I named it virtusers. To avoid scattering files around, I put it under /etc/vsftpd/.
2. Edit the virtual user list file:
# vi /etc/vsftpd/virtusers
tom
123456
jack
123456
3. Generate the virtual user database file:
# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
4. Look at the generated virtual user database file:
# ll /etc/vsftpd/virtusers.db
-rw-r--r-- 1 root root 12288 Sep 03:51 /etc/vsftpd/virtusers.db
Note that to add a virtual user later, you only need to append the new user name and password to the virtual user list file in the "one line user name, one line password" format. That alone is not enough, though! You must run the "db_load -T -t hash -f <virtual user list file> <virtual user database file>.db" command again for the change to take effect.
Five. Set up the PAM authentication file and point it at the virtual user database
1. Look at vsftpd's original PAM configuration file:
# cat /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
----------------------------------------------------------------
2. Back it up before editing:
# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup
3. Edit vsftpd's PAM configuration file:
# vi /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
auth       sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account    sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
The two lines above are added by hand to authenticate virtual users and check their account permissions.
auth here means verifying the user's name and password.
account refers to checking the restrictions that apply to the user's account.
sufficient that follows means a sufficient condition: once validation passes at this module, the remaining validation steps are skipped. Conversely, if it fails, the user is not immediately rejected, because the failure of a sufficient module does not by itself fail the whole validation; the user must still go through the remaining checks.
/lib64/security/pam_userdb.so indicates that the check calls the pam_userdb.so module.
Finally, db=/etc/vsftpd/virtusers tells that module which database to use for the validation (the path is given without the .db suffix, which the module appends itself).
#KC: The entries for vsftpd-pam are added above.
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
----------------------------------------------------------------
Six. Configuration of the virtual users
1. Plan the master path for the virtual users:
# mkdir /opt/vsftp/
2. Create the FTP directories for the test users:
# mkdir /opt/vsftp/tom/ /opt/vsftp/jack/
3. Create a virtual user configuration template:
# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp
4. Customize the virtual user template configuration file:
# vi /etc/vsftpd/vconf/vconf.tmp
--------------------------------
local_root=/opt/vsftp/virtuser
Specifies the virtual user's home path.
anonymous_enable=NO
Disallows anonymous user access.
write_enable=YES
Allows write operations.
local_umask=022
Sets the permission mask for uploaded files.
anon_upload_enable=NO
Disallows uploads by anonymous users.
anon_mkdir_write_enable=NO
Disallows directory creation by anonymous users.
idle_session_timeout=600
Sets the idle session timeout, in seconds.
data_connection_timeout=120
Sets how long a data transfer may stall before the connection is closed, in seconds.
max_clients=10
Sets the maximum number of concurrent clients.
max_per_ip=5
Sets the maximum number of connections from a single client IP; this setting mainly accommodates FlashGet, Thunder and other multi-threaded download tools.
local_max_rate=50000
Sets the user's maximum transfer rate, in bytes per second.
--------------------------------
The original vsftpd.conf is simplified and saved as the template for the virtual user configuration files. These files do not need to specify much: the main framework and limits are set in vsftpd's master configuration file vsftpd.conf, and any item not mentioned in a virtual user's file falls back to the setting in the master file. So the template for the virtual user configuration files only needs to keep the items that control the user's traffic and access mode. The key item here is local_root, which specifies this virtual user's FTP home path.
5. Change the owner of the virtual users' home directories to the virtual hosting user:
# chown -R virtuser.virtuser /opt/vsftp/
6. Check the permissions:
# ll /opt/vsftp/
total 24
drwxr-xr-x 2 virtuser virtuser 4096 Sep 05:14 tom
drwxr-xr-x 2 virtuser virtuser 4096 Sep 05:00 jack
Seven. Customize for the test users
1. Copy the virtual user template configuration file:
# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/tom
2. Customize it for the specific user:
# vi /etc/vsftpd/vconf/tom
---------------------------------
local_root=/opt/vsftp/tom
anonymous_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=300
data_connection_timeout=90
max_clients=1
max_per_ip=1
local_max_rate=25000
---------------------------------
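The steps for adding a virtual user described above (append the name and password to the list file, rebuild the database with db_load, create the per-user configuration file named exactly after the user, create the home directory and hand it to the hosting user) repeat for every user, so here they are collected into one added POSIX sh script. It is not from the article: the environment-variable overrides and function names are my own, the paths default to the article's, and it assumes db_load from db4-utils and the virtuser account exist on the real host.

```shell
#!/bin/sh
# Added example, not from the original article: provision one vsftpd virtual
# user end to end, following the article's layout. Paths can be overridden
# through environment variables so the functions can be exercised in a
# scratch directory; the variable names are my own.
VUSER_LIST=${VUSER_LIST:-/etc/vsftpd/virtusers}
VUSER_DB=${VUSER_DB:-/etc/vsftpd/virtusers.db}
VCONF_DIR=${VCONF_DIR:-/etc/vsftpd/vconf}
VCONF_TEMPLATE=${VCONF_TEMPLATE:-/etc/vsftpd/vconf/vconf.tmp}
VHOME_BASE=${VHOME_BASE:-/opt/vsftp}
VHOST_USER=${VHOST_USER:-virtuser}

# check_vuser_list FILE: the list must hold alternating "user" / "password"
# lines. An odd number of non-empty lines means a password was dropped and
# db_load would pair later names with the wrong secrets. True when sane.
check_vuser_list() {
    count=$(grep -c . "$1" || true)
    [ $((count % 2)) -eq 0 ]
}

# add_vuser_entry USER PASSWORD: append a pair to the list, refusing odd
# names, empty passwords and names that are already listed.
add_vuser_entry() {
    user=$1 pass=$2
    case $user in ''|*[!a-z0-9_-]*) echo "bad user name: '$user'" >&2; return 1;; esac
    [ -n "$pass" ] || { echo "empty password for $user" >&2; return 1; }
    # user names sit on the odd lines of the list
    if awk 'NR % 2 == 1' "$VUSER_LIST" | grep -qx -- "$user"; then
        echo "user $user is already listed" >&2
        return 1
    fi
    printf '%s\n%s\n' "$user" "$pass" >> "$VUSER_LIST"
    check_vuser_list "$VUSER_LIST"
}

# rebuild_vuser_db: regenerate the Berkeley DB that pam_userdb reads. This is
# mandatory after every edit; pam_userdb never reads the text list. Both files
# hold clear-text passwords, so keep them readable by root only.
rebuild_vuser_db() {
    chmod 600 "$VUSER_LIST"
    command -v db_load >/dev/null 2>&1 ||
        { echo "db_load not found (install db4-utils)" >&2; return 1; }
    db_load -T -t hash -f "$VUSER_LIST" "$VUSER_DB" && chmod 600 "$VUSER_DB"
}

# make_vuser_conf USER: vsftpd only honours a file in user_config_dir whose
# name is exactly the login name, so the file is named after the user and
# local_root is rewritten to that user's directory under the common base.
make_vuser_conf() {
    user=$1
    home=$VHOME_BASE/$user
    conf=$VCONF_DIR/$user
    mkdir -p "$home" "$VCONF_DIR"
    grep -v '^local_root=' "$VCONF_TEMPLATE" > "$conf"   # keep every other setting
    printf 'local_root=%s\n' "$home" >> "$conf"
    # hand the directory to the hosting account; tolerate its absence in a sandbox
    chown "$VHOST_USER:$VHOST_USER" "$home" 2>/dev/null ||
        echo "note: could not chown $home to $VHOST_USER" >&2
    printf '%s\n' "$conf"
}

# provision_vuser USER PASSWORD: the whole sequence from the article
provision_vuser() {
    add_vuser_entry "$1" "$2" && rebuild_vuser_db && make_vuser_conf "$1"
}

# Usage on the real host: sh this_script.sh add tom 123456
case ${1:-} in
    add) provision_vuser "$2" "$3" ;;
esac
```

The list check matters more than it looks: db_load takes the text file as key/value pairs in order, so a single missing password line shifts every later user onto the wrong password without any error.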
Eight. Client tool connectivity test
This article comes from the "I believe: technology makes dreams come true" blog; please keep this source: http://blacktoo.blog.51cto.com/623428/1769392