CentOS file transfer and sharing: installation and configuration of vsftpd and samba

Source: Internet
Author: User
Tags: ftp, access, asymmetric encryption

CentOS is a highly regarded system for building Linux servers. It is derived from Red Hat Enterprise Linux by removing the non-open-source components, as the open-source licences require, so it is a good choice where stability and cost matter.

Although security is crucial for servers, in the learning stage that follows we use ease of use as the main criterion; interspersed notes point out where security should be considered in real operation.

After installing the system, first disable SELinux. It is a security-hardening feature, but it causes unnecessary trouble for beginners while learning, and it can be studied later.

Edit /etc/sysconfig/selinux and change SELINUX=enforcing to SELINUX=disabled.

I. network configuration

NIC configuration file location: /etc/sysconfig/network-scripts

Wired NIC: ifcfg-eth0

Wireless NIC: ifcfg-wlan0

Configuration methods: static IP and dynamic IP

Automatic acquisition (DHCP):

    DEVICE=eth0
    TYPE=Ethernet
    HWADDR=08:00:27:70:2A:32                    # MAC address
    UUID=273e13cd-70cf-4a90-b3b0-f515c79ec09b
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=dhcp

Static IP:

    DEVICE=eth0
    HWADDR=08:00:27:70:2A:32
    ONBOOT=yes
    IPADDR=192.168.1.106        # the static IP address
    BOOTPROTO=static            # the opposite of dhcp; "none" (no protocol used to obtain an address) also works
    NETMASK=255.255.255.0
    TYPE=Ethernet
    GATEWAY=192.168.1.1
    DNS1=x.x.x.x                # set according to your network
    IPV6INIT=no                 # static IPv6 is set according to the actual situation
The DNS configuration file is /etc/resolv.conf.

Network service management command: service network {start|stop|status|restart|reload|force-reload}

Of course, if you think file configuration is not easy to operate, you can also install GUI software:

    sudo yum -y install setuptool ntsysv system-config-firewall-tui system-config-network-tui

Run setup to start graphical configuration.

PS:

1. Disable replies to ping (the ICMP echo protocol): echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all; writing 0 enables them again.

2. Add another IP address to a single NIC: ifconfig eth0:0 192.168.1.106 up (the third address would be eth0:1).

Delete it: ip addr delete 192.168.1.106 dev eth0 (this method adds the address dynamically; restart the NIC and the configuration is lost).

View addresses: ip addr show or ifconfig

The static method is to create /etc/sysconfig/network-scripts/ifcfg-eth0:0 with the same content as ifcfg-eth0, except for the IP address bound to IPADDR (and DEVICE=eth0:0).

3. Dual NIC: the second NIC is eth1, its configuration file is ifcfg-eth1, and the content is the same as for eth0.

If you want load balancing or failover across the two NICs, set it up through ifcfg-bond0:

    # ifcfg-eth0 (the eth1 file is the same with DEVICE=eth1)
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=none              # static also works
    USERCTL=no
    MASTER=bond0                # the address configuration is handed over to bond0
    SLAVE=yes

    # ifcfg-bond0
    DEVICE=bond0
    ONBOOT=yes
    IPADDR=192.168.1.105
    BOOTPROTO=none
    NETMASK=255.255.255.0
    GATEWAY=192.168.1.1
    DNS1=x.x.x.x

    # /etc/modprobe.conf
    alias bond0 bonding
    options bond0 miimon=100 mode=1

miimon=100 checks the link state every 100 ms. mode selects the bonding policy: 0 balance-rr (round-robin load balancing), 1 active-backup (only one NIC is active and the other takes over automatically when the link drops), 2 balance-xor (fault tolerance), 3 broadcast (packets are sent on all NICs).
4. Disable IPv6 (in large deployments, disabling it can improve network efficiency):

Edit /etc/modprobe.d/dist.conf and add:

    alias net-pf-10 off
    alias ipv6 off

Then reboot.

II. FTP

The next topic is file sharing and transfer. The first step is the installation and configuration of vsftpd.

vsftpd (Very Secure FTP Daemon)

Check whether it is installed: rpm -qa | grep vsftpd

Installation: yum install vsftpd -y

PS: the CentOS firewall is iptables, which manages which ports are open.

To check whether a port is listening: netstat -ntlp | grep xxx (xxx can be a port number or a program name)

To disable the firewall: service iptables stop

Adding a rule is also simple. Edit /etc/sysconfig/iptables and add the rule for the FTP control port (place it before the final REJECT rule):

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

Then: service iptables restart

With port 21 open, the next step is to configure vsftpd.

My configuration file (/etc/vsftpd/vsftpd.conf) is as follows:

    # allow anonymous login (no password required); the shared directory is /var/ftp/pub
    anonymous_enable=YES
    # allow login with local user accounts; the shared directory is the user's folder under /home
    local_enable=YES
    # confine users to their home directory; otherwise an account can browse other users' directories
    chroot_local_user=YES
    listen=YES
    pam_service_name=vsftpd
    # blacklist, configured in /etc/vsftpd/user_list
    userlist_enable=YES
    # restrict by IP address; the rules go in /etc/hosts.deny and /etc/hosts.allow
    tcp_wrappers=YES
    # limit upload/download speed to 300 KB/s
    local_max_rate=300000
    # per-user settings: create a file named after the user in this directory, e.g. containing
    # local_max_rate=500000, to treat that user specially
    user_config_dir=/etc/vsftpd/limit
    # disconnect after 30 seconds without any operation
    idle_session_timeout=30

Note: in vsftpd.conf a comment is a line starting with #; text after a value on the same line is not a comment, so the explanations are kept on their own lines above. Do not just copy and paste; it is best to understand each setting.

A few other settings worth knowing:

    pasv_enable=NO

Selects active or passive mode. In passive mode, check how the FTP client connects. FTP access from a browser still seems to require active mode, but most clients use passive mode.

    listen_port=xx

Changes the listening port.

    max_per_ip=3

Allows at most three connections from one IP address.

    chroot_list_enable=YES

Applies the chroot only to the specific users listed in /etc/vsftpd/chroot_list. Combined with chroot_local_user=YES, the list instead names the users who are not confined.
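As an added example (not from the original post), here is a small shell audit that reads a vsftpd.conf and reports the settings discussed above that weaken the server: anonymous access, local users without chroot, no SSL, and passive mode without a fixed data-port range. It uses vsftpd's real directive names; pasv_min_port and pasv_max_port are vsftpd options not shown on this page, and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd.conf for the
# settings discussed above. Directive names are vsftpd's own; the sample
# configuration written by demo() is constructed for this demo.

# vsftpd_get KEY FILE: print the value of KEY, ignoring '#' comment lines.
# vsftpd applies the last occurrence, so the last one wins here too.
vsftpd_get() {
    awk -F= -v key="$1" '
        /^[[:space:]]*#/ { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) { v = $2; sub(/[[:space:]]+$/, "", v); found = v }
        }
        END { if (found != "") print found }
    ' "$2"
}

# setting KEY FILE DEFAULT: the value in upper case, or DEFAULT when unset
# (vsftpd accepts YES/yes/true as booleans, so normalise before comparing).
setting() {
    v=$(vsftpd_get "$1" "$2")
    [ -n "$v" ] || v=$3
    printf '%s\n' "$v" | tr '[:lower:]' '[:upper:]'
}

# audit_vsftpd_conf FILE: print one finding per line and return their count
# (0 means nothing to report). Defaults match vsftpd's built-in defaults.
audit_vsftpd_conf() {
    conf=$1; n=0
    anon=$(setting anonymous_enable "$conf" YES)
    local_users=$(setting local_enable "$conf" NO)
    chroot=$(setting chroot_local_user "$conf" NO)
    ssl=$(setting ssl_enable "$conf" NO)
    pasv=$(setting pasv_enable "$conf" YES)
    pmin=$(vsftpd_get pasv_min_port "$conf")
    pmax=$(vsftpd_get pasv_max_port "$conf")

    if [ "$anon" = YES ]; then
        echo "anonymous_enable=YES: anyone can read /var/ftp/pub without a password"; n=$((n + 1))
    fi
    if [ "$local_users" = YES ] && [ "$chroot" != YES ]; then
        echo "chroot_local_user is not YES: local users can browse outside their home directory"; n=$((n + 1))
    fi
    if [ "$ssl" != YES ]; then
        echo "ssl_enable is not YES: logins and data are sent in plain text"; n=$((n + 1))
    fi
    if [ "$pasv" = YES ] && { [ -z "$pmin" ] || [ -z "$pmax" ]; }; then
        echo "passive mode without pasv_min_port/pasv_max_port: the firewall cannot be limited to a known data-port range"; n=$((n + 1))
    fi
    return "$n"
}

# demo: audit a constructed file that mirrors the configuration shown above.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
local_max_rate=300000
idle_session_timeout=30
EOF
    audit_vsftpd_conf "$tmp" || echo "findings: $?"
    rm -f "$tmp"
}
demo
```

Run against the page's own configuration it reports three findings (anonymous access, no ssl_enable, and passive mode with no port range); the return value is the count, so the function can gate a deployment script.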

SSL/TLS encrypted transmission (the author considers it generally unnecessary; without it, FTP logins and data travel in plain text).

OpenSSL must be installed; the method needs no explanation: check with rpm -qa | grep openssl and, if it is missing, yum install openssl.

A brief introduction to SSL (Secure Sockets Layer), the secure transport layer: it is a protocol layer that sits between HTTP and TCP. Why add this layer? Because HTTP is transmitted in plain text, so if a packet is intercepted the information leaks directly; the encryption layer closes that hole.

Certificate Authority: a CA is the issuing authority for certificates. It issues a digital certificate to each user of a public key. The role of the certificate is to prove that the user named in it legitimately owns the public key listed in it; the CA's digital signature prevents an attacker from forging or tampering with the certificate. The CA generates, distributes and manages the digital certificates needed by everyone involved in online transactions, and is therefore the core of secure electronic transactions. (From Wikipedia)

Public/private key: in asymmetric encryption one key of the pair, the public key, is used to encrypt, and the information can only be decrypted with the other key, the private key.

Generally the public key is carried in a digital certificate issued by a CA, and the certificate's digital signature is verified to confirm that it belongs to the server being contacted.

The main principle is the use of certificates and keys. The process is as follows:

First, the client sends a connection request (https) to the server; the server accepts it and returns its own certificate, which carries its public key.

The client verifies that the certificate was issued by a trusted CA, then encrypts its session key material with the server's public key and sends it back to the server.

The server decrypts it with its own private key to obtain the session key, and from then on both sides encrypt the communication with that negotiated key.

Create a self-signed certificate (not verified by a CA):

    cd /etc/pki/tls/certs
    sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Enter the country, company, host name, email and other information as prompted; vsftpd.pem, containing both the key and the certificate, is generated in the current folder. Restrict it to root:

    sudo chmod 600 vsftpd.pem

Add the following lines to vsftpd.conf:

    rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
    ssl_enable=YES
    force_local_data_ssl=YES
    force_local_logins_ssl=YES

    service vsftpd restart

Service management: service vsftpd {start|stop|restart|reload}

To access it from a browser: ftp://user:password@ip (the password is part of the URL, so it ends up in the browser history).
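As an added example (not part of the original post), the following script carries the certificate steps above through with two changes a practitioner would want: a 2048-bit key instead of 1024, and the key kept in its own root-only file rather than in the same .pem as the certificate. It then verifies that the certificate and key belong together and prints the vsftpd.conf directives that reference them (rsa_private_key_file is a real vsftpd option not shown on this page). The subject string and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: create the vsftpd certificate
# with a 2048-bit key in a separate root-only key file, verify that the
# certificate and key belong together, and print the vsftpd.conf directives
# that reference them. The subject string and paths are assumptions.

# make_vsftpd_cert DIR [DAYS]: write DIR/vsftpd.key (mode 600) and DIR/vsftpd.crt.
# -nodes leaves the key unencrypted so vsftpd can start without a passphrase.
make_vsftpd_cert() {
    dir=$1; days=${2:-365}
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=XX/O=Example/CN=ftp.example.invalid" \
        -keyout "$dir/vsftpd.key" -out "$dir/vsftpd.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/vsftpd.key" && chmod 644 "$dir/vsftpd.crt"
}

# key_is_private FILE: succeed only if the mode is exactly 0600
# (the chmod 600 step above; group/other must not be able to read the key).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ]
}

# cert_matches_key CRT KEY: succeed if the public key inside the certificate is
# the public half of KEY; a mismatch means vsftpd would fail at the TLS handshake.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# vsftpd_tls_lines DIR: the directives to append to vsftpd.conf for these files.
vsftpd_tls_lines() {
    printf '%s\n' \
        "rsa_cert_file=$1/vsftpd.crt" \
        "rsa_private_key_file=$1/vsftpd.key" \
        "ssl_enable=YES" \
        "force_local_data_ssl=YES" \
        "force_local_logins_ssl=YES"
}

# demo: generate into a temporary directory and run both checks.
demo() {
    d=$(mktemp -d)
    if make_vsftpd_cert "$d" 30 && key_is_private "$d/vsftpd.key" \
        && cert_matches_key "$d/vsftpd.crt" "$d/vsftpd.key"; then
        echo "certificate and key verified in $d; add to vsftpd.conf:"
        vsftpd_tls_lines "$d"
    else
        echo "certificate generation or verification failed"
    fi
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

On a real server replace the temporary directory with /etc/pki/tls/certs, and rerun cert_matches_key after any renewal before restarting vsftpd.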

III. samba file server

Samba is used to share files between windows and linux, such as creating network neighbors, uploading documents, movies, and sharing printers.

Install samba (check with rpm -qa | grep samba; install with yum -y install samba samba-client)

Create a shared directory:

    mkdir share
    chown nobody:nobody share    # permissions for anonymous access

Samba configuration file: /etc/samba/smb.conf

    [global]
    # share = anonymous logon, no account or password needed; the default "user" requires an account and password
    security = share
    # required for security = user; for share, comment it out with #
    passdb backend = tdbsam
    # the workgroup, like the workgroup in Windows; change it to match
    workgroup = WORKGROUP
    # the text shown when you connect
    server string = Samba Server Version %v
    # the name shown on Windows; otherwise the IP address is shown
    netbios name = MyServer

    [share]
    comment = share folder
    # path of the shared folder
    path = /home/share
    # readable and writable
    read only = no
    # allow guest access
    guest ok = yes
    # the share can be browsed
    browseable = yes
    # add this line in share mode; comment it out in user mode
    public = yes
    # in user mode, add this line to allow only some users to access the share
    ; valid users = @aa

For [printers] (shared printing) the default settings are fine.

Note: smb.conf only treats lines that begin with # or ; as comments, so the explanations are kept on their own lines.
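As an added example (not part of the original post), the following shell script parses an smb.conf in the layout above and lists the shares where guests can write, which is the combination of guest ok (or its synonym public) = yes with read only = no. It follows Samba's real section and key syntax, case-insensitive names and # / ; comment markers; the sample file in demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: parse an smb.conf and report
# every share that guests can write to, i.e. "guest ok = yes" (or "public")
# together with "read only = no". The file written by demo() is constructed.

# smb_sections FILE: print the section names in order ([global], [share], ...)
smb_sections() {
    awk '/^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s); print s }' "$1"
}

# smb_get SECTION KEY FILE: value of KEY inside SECTION (last one wins; names
# are case-insensitive, and lines starting with # or ; are comments, as in Samba).
smb_get() {
    awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s); cur = tolower(s); next }
        index($0, "=") > 0 && cur == tolower(sec) {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }
    ' "$3"
}

# smb_yes VALUE: true for Samba's boolean spellings yes/true/1
smb_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# smb_guest_writable_shares FILE: print the shares where guests can write.
# A share is writable when "read only = no" or "writable/writeable = yes";
# Samba's default is read only. Share names containing spaces are not handled.
smb_guest_writable_shares() {
    conf=$1
    for s in $(smb_sections "$conf"); do
        case "$(printf '%s' "$s" | tr '[:upper:]' '[:lower:]')" in
            global|printers|print\$|homes) continue ;;
        esac
        guest=$(smb_get "$s" "guest ok" "$conf")
        if [ -z "$guest" ]; then guest=$(smb_get "$s" public "$conf"); fi
        smb_yes "$guest" || continue
        ro=$(smb_get "$s" "read only" "$conf")
        w=$(smb_get "$s" writable "$conf")
        if [ -z "$w" ]; then w=$(smb_get "$s" writeable "$conf"); fi
        writable=no
        if [ -n "$ro" ]; then
            smb_yes "$ro" || writable=yes
        elif smb_yes "$w"; then
            writable=yes
        fi
        [ "$writable" = yes ] && echo "$s"
    done
    return 0
}

# demo: a constructed smb.conf mirroring the configuration above, plus a
# read-only guest share and the printers section, which is skipped.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[global]
security = share
workgroup = WORKGROUP
; valid users = @aa
[share]
path = /home/share
read only = no
guest ok = yes
browseable = yes
[docs]
path = /srv/docs
public = yes
[printers]
path = /var/spool/samba
guest ok = yes
read only = no
EOF
    echo "security mode: $(smb_get global security "$tmp")"
    echo "guest-writable shares:"
    smb_guest_writable_shares "$tmp"
    rm -f "$tmp"
}
demo
```

For the configuration shown above the only result is "share", which is exactly the directory that anyone on the network can fill; pair this check with testparm before starting smb.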

    service smb start    # start the daemon and core services
    service nmb start    # NetBIOS name resolution

Open the firewall ports 139 and 445 (nmb also uses UDP 137 and 138), as done for port 21 above.

Test the configuration: testparm

On Windows, enter \\IP in the address bar, or the server appears under Network in Explorer.

For access from Linux, use smbclient:

    smbclient -L //IP                           # list the shares offered by the host
    smbclient //IP/share                        # in share mode, just press Enter at the password prompt
    smbclient //IP/share -U username%passwd     # in user mode, log on with the user's password

For other options: smbclient --help

User mode (Samba v3):

In user mode, Samba v3 stores users and passwords in the tdbsam database instead of a flat file.

    pdbedit -L                 # list users (-Lw or -Lv for more detail)
    pdbedit -a xx              # add user xx; first create the system user with useradd so it has a home directory
    pdbedit -x xx              # delete user xx
    pdbedit -c "[D]" -u xx     # temporarily disable user xx
    pdbedit -c "[]" -u xx      # re-enable user xx

To mount a shared network folder on a directory in Linux:

    sudo mount -t cifs //IP/share /mnt/

For graphical management, try SWAT, the Samba Web Administration Tool.

PS: part of the content is taken from the "CentOS 6.x system management practices"
