CentOS 7 FTP Environment deployment

The FTP protocol has two working modes:

1) Port (active) mode. The connection process is: the client sends a connection request to the server's FTP port (default 21), the server accepts the connection and a command link is established. When data needs to be transferred, the server connects from its port 20 to a free port on the client to establish the data link and transfer the data.

2) Pasv (passive) mode. The connection process is: the client sends a connection request to the server's FTP port (default 21), the server accepts the connection and a command link is established. When data needs to be transferred, the client sends a connection request to a free port on the server to establish the data link and transfer the data.

FTP is a TCP-only service; it does not support UDP. FTP uses two ports: a data port and a command port (also called the control port). Generally these are port 21 (command) and port 20 (data), but depending on how FTP is working the data port is not always 20. This is the biggest difference between active and passive FTP.

1) Active FTP mode

FTP workflow: the client connects from an arbitrary unprivileged port N (N > 1024) to the command port of the FTP server (port 21), then starts listening on port N+1 and sends the FTP command "PORT N+1" to the server. The server then connects from its own data port (20) to the client-specified data port (N+1).

For a firewall in front of the FTP server, the following communication must be allowed to support active FTP:

1) any port greater than 1024 to port 21 of the FTP server (connection initiated by the client)
2) port 21 of the FTP server to ports greater than 1024 (the server responding to the client's control port)
3) port 20 of the FTP server to ports greater than 1024 (the server initiating the data connection to the client's data port)
4) ports greater than 1024 to port 20 of the FTP server (the client sending ACK responses to the server's data port)

2) Passive FTP mode

The passive connection method effectively solves the problem of the server having to initiate a connection to the client. This mode is called PASV and is used when the client informs the server that it is in passive mode. In passive FTP, both the command connection and the data connection are initiated by the client, which solves the problem of the incoming data connection from the server to the client being filtered by the client's firewall. When opening an FTP connection, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21, but unlike active FTP the client does not submit a PORT command to let the server connect back to its data port; instead it submits the PASV command. The result is that the server opens an arbitrary unprivileged port (P > 1024) and sends a PORT P command to the client, and the client then initiates a connection from its local port N+1 to port P on the server to transmit the data.

For the server-side firewall, the following communication must be allowed to support passive FTP:

1) any port greater than 1024 to the server's port 21 (client-initiated connection)
2) the server's port 21 to any port greater than 1024 (the server responding to the client's control port)
3) any port greater than 1024 to the server's ports greater than 1024 (the client initiating the data connection to whichever port the server specified)
4) the server's ports greater than 1024 to remote ports greater than 1024 (the server sending ACK responses and data to the client's data port)

Active FTP:
  command connection: client port > 1023 ------> server port 21
  data connection:    client port > 1023 <------ server port 20

Passive FTP:
  command connection: client port > 1023 ------> server port 21
  data connection:    client port > 1023 ------> server port > 1023

3) Advantages and disadvantages of active and passive FTP

Active FTP is convenient for managing the FTP server but inconvenient for managing the client, because the FTP server attempts to connect to a high random port on the client, and that port is likely to be blocked by the client's firewall. Passive FTP is convenient for managing the FTP client but inconvenient for managing the server, because the client and the server establish two connections, one of them to a high random port, and that port is likely to be blocked by the server-side firewall. With the widespread popularity of the WWW, many people are used to using a web browser as an FTP client, and most browsers only support passive mode when accessing ftp:// URLs. Which mode is better depends on the server and firewall configuration; I usually choose passive mode.

Install vsftpd
[root@localhost ~]# yum -y install vsftpd
# Back up the configuration file
[root@localhost ~]# cp /etc/vsftpd/vsftpd.conf{,.bak}
# Strip comment and blank lines to get a minimal configuration file
[root@localhost ~]# grep -Ev '^#|^$' /etc/vsftpd/vsftpd.conf.bak > /etc/vsftpd/vsftpd.conf
# Modify the configuration file. vsftpd does not accept spaces around '=' or trailing
# comments on option lines, so the explanations after '#' below are notes only;
# write just key=value into the file.
anonymous_enable=NO          # Allow anonymous login (NO disables it)
local_enable=YES             # Allow local system users to log in
write_enable=YES             # Allow write commands (upload, delete, rename)
local_umask=022              # umask applied to files created by local users
xferlog_enable=YES           # Log uploads and downloads
connect_from_port_20=NO      # Use port 20 as the source port for active-mode data connections
xferlog_std_format=YES       # Use the standard xferlog format
xferlog_file=/var/log/xfer.log   # Log file path
chroot_local_user=NO         # Do not confine every local user to its home directory...
chroot_list_enable=YES       # ...but confine the users listed in chroot_list_file
chroot_list_file=/etc/vsftpd/chroot_list   # List of users that cannot leave their home directory
allow_writeable_chroot=YES   # Allow the chroot root directory to be writable (vsftpd refuses to serve a writable chroot otherwise)
listen=YES                   # Listen on IPv4 in standalone mode
listen_ipv6=NO               # Do not listen on IPv6
pam_service_name=vsftpd      # PAM service name; the vsftpd file lives in /etc/pam.d/
userlist_enable=YES          # Check userlist_file; with userlist_deny=NO the list is a whitelist, otherwise a blacklist
userlist_deny=YES            # Deny (YES) or allow only (NO) the users in userlist_file
tcp_wrappers=YES             # Honour /etc/hosts.allow and /etc/hosts.deny
pasv_enable=YES              # Allow passive mode
pasv_min_port=22226          # Lowest port used for passive data connections
pasv_max_port=22228          # Highest port used for passive data connections
download_enable=NO           # Allow downloads (NO disables them)
userlist_file=/etc/vsftpd/user_list   # User list file
user_config_dir=/etc/vsftpd/vsftpd_user_conf   # Directory of per-user configuration files
Create a local user

# Create the local user with its home directory under the FTP root and no login shell
# (/etc/pam.d/vsftpd uses pam_shells, so /sbin/nologin must be listed in /etc/shells; it is by default on CentOS 7)
[root@localhost ~]# useradd -d /var/ftp/pub/user1 -s /sbin/nologin user1
# Set the password
[root@localhost ~]# passwd user1
# Add the user to the list of users confined to their home directory
[root@localhost ~]# echo user1 >> /etc/vsftpd/chroot_list
# Fix ownership
[root@localhost ~]# chown -R user1:user1 /var/ftp/pub/user1/
[root@localhost ~]# ll -d /var/ftp/pub/user1/
drwx------. 2 user1 user1 62 Oct 12 16:52 /var/ftp/pub/user1/
# Add firewall rules for the control port and the passive port range configured above
[root@localhost ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22226:22228 -j ACCEPT
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl start vsftpd
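The passive-mode port negotiation described in the active/passive section above, and the reason the iptables rule opens exactly pasv_min_port through pasv_max_port, worked through as an added POSIX shell example (not code from the original article). The server's passive reply is the 227 "Entering Passive Mode (h1,h2,h3,h4,p1,p2)" response, whose data port is p1*256+p2; the client's active-mode PORT command uses the same encoding. parse_pasv_reply, build_port_cmd, pasv_port_allowed and the sample reply are names and values constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: FTP data-port negotiation in
# POSIX shell. parse_pasv_reply turns the server's passive reply
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port (port = p1*256+p2);
# build_port_cmd builds the client's active-mode PORT command from a host and port;
# pasv_port_allowed checks that a negotiated passive port lies inside the range the
# firewall rule opened. All function names and sample values are constructed.

# Usage: parse_pasv_reply '227 ... (h1,h2,h3,h4,p1,p2)'  ->  prints h1.h2.h3.h4:port
parse_pasv_reply() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1          # not a 227-style reply
    old_ifs=$IFS
    IFS=,
    set -- $nums                        # split the six comma-separated numbers
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# Usage: build_port_cmd 10.0.0.5 40001  ->  prints "PORT 10,0,0,5,156,65"
build_port_cmd() {
    host=$1
    port=$2
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$host" | tr . ,)" "$((port / 256))" "$((port % 256))"
}

# Usage: pasv_port_allowed PORT MIN MAX  ->  exit 0 if MIN <= PORT <= MAX, else 1
pasv_port_allowed() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Walk-through with a constructed server reply. With pasv_min_port=22226 and
# pasv_max_port=22228, the firewall rule "--dport 22226:22228" must cover the port
# the server hands out, otherwise the client's data connection is silently dropped.
reply='227 Entering Passive Mode (192,168,1,10,86,210).'
addr=$(parse_pasv_reply "$reply")
port=${addr##*:}
echo "server offered data endpoint $addr"
if pasv_port_allowed "$port" 22226 22228; then
    echo "port $port is inside the opened passive range"
else
    echo "port $port is outside 22226-22228: the data connection would be dropped by the firewall"
fi
echo "active-mode equivalent sent by a client: $(build_port_cmd 10.0.0.5 40001)"
```

If the second rule is ever tightened or the pasv_min_port/pasv_max_port pair is changed in vsftpd.conf without updating iptables, the control connection still succeeds and only directory listings and transfers hang, which is the classic symptom this check explains.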
Finally, you can reach the FTP server above in a browser via ftp://ip (browsers only support passive-mode FTP). You can also connect with a tool such as FileZilla, but you must manually set passive mode in the client. After logging in, the FTP path is locked to the account's home directory. FTP transmits everything in plain text, so a packet capture of the session shows the account name and password in the clear. To build a more secure FTP service you can use SSL. First check whether the installed vsftpd supports SSL encryption.
# If this prints nothing, this build of vsftpd is not linked against OpenSSL and does not support SSL encryption
[root@localhost user1]# ldd /usr/sbin/vsftpd | grep libssl
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f17c0622000)

# Generate a self-signed certificate and private key in a single PEM file
# (1024-bit RSA is considered too weak today; use rsa:2048 or larger in practice)
[root@localhost ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
    -keyout /etc/vsftpd/vsftpd.pem \
    -out /etc/vsftpd/vsftpd.pem
Generating a 1024 bit RSA private key
............................... ++++++
... ++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: beijing
Locality Name (eg, city) [Default City]: haidian
Organization Name (eg, company) [Default Company Ltd]: ftpssl
Organizational Unit Name (eg, section) []: ftpssl
Common Name (eg, your name or your server's hostname) []: ftp
Email Address []: [email protected]
# Modify the configuration file and add the following (as above, write only key=value; the notes after '#' are not valid in vsftpd.conf)
[root@localhost user1]# vim /etc/vsftpd/vsftpd.conf

ssl_enable=YES               # Enable SSL/TLS support
allow_anon_ssl=NO            # Do not let anonymous users use SSL
force_local_data_ssl=YES     # Force local (non-anonymous) users to encrypt data transfers
force_local_logins_ssl=NO    # Force local users to log in over SSL; NO still accepts plaintext logins, set YES to enforce encrypted logins
ssl_tlsv1=YES                # Enable TLS v1
ssl_sslv2=NO                 # Disable SSLv2
ssl_sslv3=NO                 # Disable SSLv3
rsa_cert_file=/etc/vsftpd/vsftpd.pem   # RSA certificate location (the private key is read from the same file when rsa_private_key_file is unset)
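As an added example (not code from the original article), the following POSIX shell script audits a vsftpd.conf against the settings discussed in the plaintext configuration section and the SSL section above: anonymous access, SSL enablement, whether logins are forced over TLS, legacy SSL versions, a writable chroot, and option lines in the "key = value # note" form that vsftpd rejects. The function names conf_value, bad_syntax_lines, audit_vsftpd_conf and audit_count, and the two sample configurations, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# settings discussed in the configuration sections above. Function names and the
# two sample configurations are constructed for this example.

# Print the value of KEY in FILE (last occurrence wins; '#' lines are ignored).
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Count option lines vsftpd will reject: spaces around '=' or a trailing '#' comment.
bad_syntax_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ec '(^[^=]*[[:space:]]=|=[[:space:]]|=.*#)' || true
}

# Print one "WARN: ..." line per risky or broken setting in FILE.
audit_vsftpd_conf() {
    f=$1
    [ "$(conf_value "$f" anonymous_enable)" = "NO" ] ||
        echo "WARN: anonymous_enable is not NO (anonymous logins are accepted)"
    [ "$(conf_value "$f" ssl_enable)" = "YES" ] ||
        echo "WARN: ssl_enable is not YES (passwords and data travel in clear text)"
    [ "$(conf_value "$f" force_local_logins_ssl)" = "YES" ] ||
        echo "WARN: force_local_logins_ssl is not YES (plaintext logins are still accepted)"
    [ "$(conf_value "$f" ssl_sslv2)" != "YES" ] ||
        echo "WARN: ssl_sslv2=YES enables a broken protocol version"
    [ "$(conf_value "$f" ssl_sslv3)" != "YES" ] ||
        echo "WARN: ssl_sslv3=YES enables a broken protocol version"
    [ "$(conf_value "$f" allow_writeable_chroot)" != "YES" ] ||
        echo "WARN: allow_writeable_chroot=YES lets confined users write to the chroot root"
    bad=$(bad_syntax_lines "$f")
    [ "$bad" -eq 0 ] ||
        echo "WARN: $bad option line(s) with spaces around '=' or trailing comments; vsftpd will refuse to start"
    return 0
}

# Number of WARN lines for FILE.
audit_count() {
    audit_vsftpd_conf "$1" | grep -c '^WARN:' || true
}

# Constructed sample: the plaintext stage of the guide with anonymous access left on
# and one line written in the annotated "key = value # note" form.
write_sample_weak() {
    cat > "$1" <<'EOF'
# weak sample (constructed)
anonymous_enable=YES
local_enable=YES
write_enable=YES
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port = 22226 # lowest passive port
EOF
}

# Constructed sample: the SSL-enabled stage with logins also forced over TLS.
write_sample_hardened() {
    cat > "$1" <<'EOF'
# hardened sample (constructed)
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
}

weak=$(mktemp) && hardened=$(mktemp)
write_sample_weak "$weak"
write_sample_hardened "$hardened"
for cfg in "$weak" "$hardened"; do
    echo "== $cfg: $(audit_count "$cfg") finding(s)"
    audit_vsftpd_conf "$cfg"
done
rm -f "$weak" "$hardened"
```

Run it against /etc/vsftpd/vsftpd.conf after each editing step (audit_vsftpd_conf /etc/vsftpd/vsftpd.conf); the syntax check in particular catches the annotated lines from the listings above before `systemctl restart vsftpd` fails with a "bad config" error.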
Restart the vsftpd service

[root@localhost ~]# systemctl restart vsftpd
Connect with FileZilla and check whether the session is TLS encrypted.


What are SSL, TLS and HTTPS?

SSL stands for Secure Sockets Layer. In short, it is a standard technology for keeping an Internet connection secure and protecting any sensitive data sent between two systems, so that criminals cannot read or modify the information in transit, including potentially personal details. The two systems can be a server and a client (such as a shopping website and a browser) or server-to-server (for example, an application holding personally identifiable information or salary information).

It ensures that any information transmitted between a user and a website, or between two systems, remains unreadable to third parties. The technology uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it travels over the connection. This information may be any sensitive or personal detail, including credit card numbers and other financial information, names and addresses, and so on.

TLS (Transport Layer Security) is a newer and more secure version of SSL. Security certificates are still commonly called SSL certificates because that is the more widely used term.

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is protected by an SSL certificate. The certificate details, including the issuing company and the website owner, can be viewed by clicking the lock icon in the browser's address bar.

