CentOS uses virtual users to increase FTP security

Source: Internet
Author: User

Tutorial background: due to business needs, Dreamfire needs to set up an FTP server. For the sake of system stability and security, it decided to use RHEL 4 as the server platform and set up a vsftpd server. Second, to maximize the security of the users under "/home" on the company's internal RHEL 4 server, it decided to use virtual users to access the FTP server. In order to better manage each user's access permissions on the server, the administrator developed a feasible solution based on the company's needs and current network conditions:

1. All users log on to the FTP server with the user name ftpall and the password 123; the public directory ftpall is used by employees to download materials.
2. Nobody can delete, modify, or rename files or directories in ftpall.
3. All users can log on to their own home directory on the FTP server with their own user name and password. They can only view their own files and folders, and they can add, delete, modify, and rename their own files or folders.
4. Anonymous users are enabled only when actual conditions require it. By default, anonymous users are not enabled.
5. All employees can access the public directory ftpall at a maximum download speed of (value missing) KB/s; the maximum download speed for accessing their own home directories is (value missing) KB/s.
6. Considering the capacity of the FTP server, at most 100 users can be connected to the server at a time.
7. Some employees may use BT download tools such as Thunder and Express to download files, so the maximum number of connections between FTP clients with the same IP address and the FTP server cannot exceed 3.

Note: a virtual user account is a non-system user account provided by the vsftpd server to improve the security of the FTP server. After a virtual user logs on to FTP, the specified directory is used as the FTP root directory. A virtual user has functions similar to those of a local user.
Because the virtual user is relatively secure, it is gradually replacing the local user account.

Tutorial steps: for a more convenient test environment, ftpall is used as the public user shared by all employees, and xiaonuo is used as the representative of an individual user.

1. Attach the first RHEL 4 installation disc and install the vsftpd package.

2. Create the virtual user password library file. In the file, put each virtual user's name on an odd line and the corresponding password on the following even line. To make it easier to remember, you can give the file a .txt name; Linux does not interpret file extensions, so the extension only serves as a label.

3. Generate the authentication database with db_load. The command parameter is set to the name of the authentication file to generate, vsftpd_login.db, and the file must be placed in /etc/vsftpd. Note: db_load is a command from the db4-utils package, which is installed by default in RHEL 4 but not in RHEL 5, so db4-utils must be installed there to provide the db_load command. Because the vsftpd authentication file vsftpd_login.db stores the user names and passwords of all virtual users, set its permissions so that only the root user can read it.

4. Create the PAM configuration file required by the virtual users. Modify the /etc/pam.d/vsftpd file and add:

    auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
    account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

Note: you can also create a separate file, but then you must change the value of pam_service_name=vsftpd in /etc/vsftpd/vsftpd.conf to the name of the new file.

5. Create the virtual users and the directories they access, and set the corresponding permissions. Create the system public user account required by the vsftpd virtual directory: the account name is ftpall and its home directory is /var/ftp/ftpall. Create the system account for a single user: the account name is xiaonuo and its home directory is /var/ftp/xiaonuo. The -d parameter of the user creation command points the user's home directory to the specified location. Note: it is best to keep the user name and the home directory name the same and easy to remember. These users are stored in the system's /etc/passwd, while their passwords are stored in the vsftpd authentication file, so the virtual users cannot log on to the system itself, which naturally improves security. A newly created user's home directory has permissions 700 by default. Because ftpall is a public directory that common users must not modify, add to, delete from, or rename, change it to 500 (read + execute). The -R parameter applies the change to the home directory and all files below it.

6. Configure the vsftpd.conf master configuration file. Before modifying vsftpd.conf, back up the original file so that it can be restored in case of configuration errors. Add the following virtual user configuration items to vsftpd.conf:

    anonymous_enable=NO                        disable anonymous user logon
    local_enable=YES                           enable local user logon (in practice, to allow virtual user logon)
    chroot_local_user=YES                      restrict all local users to their own directories
    pam_service_name=vsftpd                    set the PAM service used by vsftpd to vsftpd
    user_config_dir=/etc/vsftpd/users_config   directory of the per-virtual-user configuration files (created in the next step)
    max_clients=100                            maximum number of clients connected to the FTP server
    max_per_ip=3                               maximum number of connections per IP address
    local_max_rate=300000                      maximum transfer rate for local users
    anon_max_rate=                             maximum transfer rate for anonymous users (value not given)

7. Set up the per-user configuration files. First create the users_config folder that holds the virtual user configuration files, then create the ftpall and xiaonuo files in that folder. Add the following to /etc/vsftpd/users_config/ftpall:

    guest_enable=YES               enable virtual account logon
    guest_username=ftpall          map the ftpall virtual user to the system account ftpall
    anon_world_readable_only=NO    allow the user to browse the FTP directory and download files
    anon_max_rate=100000           limit the transfer rate to 100 KB/s

Add the following to the single user's file /etc/vsftpd/users_config/xiaonuo:

    guest_enable=YES               enable virtual account logon
    guest_username=xiaonuo         map the xiaonuo virtual user to the system account xiaonuo
    anon_world_readable_only=NO    allow the user to browse the FTP directory and download files
    anon_other_write_enable=YES    allow the user to rename and delete files
    anon_mkdir_write_enable=YES    allow the user to create and delete directories
    anon_upload_enable=YES         allow the user to upload files
    anon_max_rate=300000           limit the transfer rate

By combining the preceding configuration items, vsftpd can give each virtual user different FTP permissions. Any item not set in a user's configuration file falls back to the value in the vsftpd.conf master configuration file.
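As an added example (not part of the original tutorial), this Python script generates the per-user files of steps 2 and 7 from the odd/even login file layout and checks which of them grant write access; the sample login file and the password for xiaonuo are constructed.

```python
# Added example, not from the tutorial: build the per-user vsftpd files
# of steps 2 and 7 from the odd/even login.txt layout and audit them.
from __future__ import annotations

# Constructed sample of the virtual-user password file: odd lines hold
# user names, even lines the matching passwords (layout from step 2).
LOGIN_TXT = "ftpall\n123\nxiaonuo\nSecret#xn\n"

# Options shared by every virtual user (step 7).
BASE = {"guest_enable": "YES", "anon_world_readable_only": "NO"}
# Write permissions granted only inside an employee's own home directory.
PRIVATE_WRITE = {
    "anon_other_write_enable": "YES",   # rename and delete files
    "anon_mkdir_write_enable": "YES",   # create and delete directories
    "anon_upload_enable": "YES",        # upload files
}

def parse_login_file(text: str) -> dict[str, str]:
    """Turn the odd/even layout into {user: password}; reject malformed input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("a user name has no matching password line")
    creds = dict(zip(lines[0::2], lines[1::2]))
    if len(creds) != len(lines) // 2:
        raise ValueError("duplicate user name in login file")
    return creds

def render_user_config(user: str, public: bool, max_rate: int) -> str:
    """Text of the user_config_dir file: read-only for the shared ftpall
    account, read/write for an employee's private home directory."""
    opts = dict(BASE, guest_username=user)  # virtual user -> its system account
    if not public:
        opts.update(PRIVATE_WRITE)
    opts["anon_max_rate"] = str(max_rate)   # vsftpd rates are bytes per second
    return "".join(f"{k}={v}\n" for k, v in opts.items())

def can_write(config: str) -> bool:
    """True if a rendered user file switches on any write-enabling option."""
    on = {ln.split("=", 1)[0] for ln in config.splitlines() if ln.endswith("=YES")}
    return bool(on & set(PRIVATE_WRITE))

def build_all(text: str) -> dict[str, str]:
    """One config per virtual user; ftpall is the shared read-only account
    at 100000, everyone else gets a private writable home at 300000."""
    return {u: render_user_config(u, public=(u == "ftpall"),
                                  max_rate=100000 if u == "ftpall" else 300000)
            for u in parse_login_file(text)}
```

Write each value of build_all() to /etc/vsftpd/users_config/<user> and the file for the public account contains no write-enabling option, which is what the ftpall test in step 10 verifies.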

9. Restart the vsftpd service so that the settings in all configuration files take effect: run /etc/rc.d/init.d/vsftpd restart or service vsftpd restart.

10. Test the permissions of the public user ftpall. Before testing, create some files and folders in /var/ftp/ftpall and /var/ftp/xiaonuo. The public user ftpall accesses the FTP server with the commonly used IE browser to test its permissions: copying files from the client to the FTP server fails, so the test is successful; renaming a file on the FTP server fails, so the test is successful; deleting a file on the FTP server fails, so the test is successful.


Renaming a folder on the FTP server fails, so the test is successful. Dragging files from the FTP server to a local folder succeeds, so the test is successful. Throughout the test, logging on to the FTP server as ftpall only allows downloading files; files and folders cannot be added, deleted, modified, or renamed.

11. Test the xiaonuo user's permissions from a Command Prompt window. First, log on as the anonymous user: the logon fails because the master configuration file vsftpd.conf has anonymous_enable=NO. If anonymous logon were enabled, the logon would succeed and the home directory names of all users would be displayed; a malicious user could then use those user names to guess passwords, which may cause some harm. Next, log on as the virtual user xiaonuo. The dir or ls -l command shows the content of xiaonuo's home directory, while the content of ftpall is invisible, which achieves directory isolation between users. The get command downloads a file to the local machine and the put command uploads a file to the FTP server; the test is successful. The rename command renames files and folders on the FTP server, delete deletes files on the FTP server, and rmdir deletes an empty directory on the FTP server; each test is successful. To test the download or upload speed limit, lower the rate to see the effect. The experiment shows that by logging on with the public virtual user ftpall, all employees can only view and download the files shared on the FTP server, while each employee can log on with the virtual user name assigned to them to add, delete, modify, and query files or folders in their own home directory. This meets Dreamfire's business needs and also enhances the security of the FTP server.

This article is from "the Linux open source technology blog"; please keep this source: http://dreamfire.blog.51cto.com/418026/160521

