CentOS vsftpd configuration (detailed)

Source: Internet
Author: User
Tags: ftp, commands, wrappers, ftp protocol

Install and uninstall software
Obtain Software
The latest version of vsftpd is 2.0.5: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.5.tar.gz
Software Installation
Decompress the software and edit the builddefs.h file:
# tar zxvf vsftpd-2.0.5.tar.gz
# cd vsftpd-2.0.5
# vi builddefs.h
Find the following three lines. The meaning of each is shown on the right.
#undef VSF_BUILD_TCPWRAPPERS // whether TCP Wrappers support is built in
#define VSF_BUILD_PAM // whether PAM authentication is built in
#undef VSF_BUILD_SSL // whether SSL support is built in
To enable one of these features, change undef to define. Note that the "#" at the start of each line is not a comment marker and must not be removed (C programmers will recognise it as the start of a preprocessor directive). TCP Wrappers is a mechanism for checking whether a client IP address is allowed to connect, PAM authentication lets vsftpd accept logins from local system users, and SSL can be used to establish encrypted data transfer. Here we enable all three.
Compile and install. If an earlier version of vsftpd is already installed on the system, uninstall it first. By default the executable is installed to /usr/local/sbin, and the man pages are placed in /usr/local/man/man5 and /usr/local/man/man8.
# make
# make install
Copy the default configuration file to /etc/vsftpd/:
# mkdir /etc/vsftpd/
# cp vsftpd.conf /etc/vsftpd/
So that vsftpd can accept local user logins, copy the PAM authentication module file into the system:
# cp RedHat/vsftpd.pam /etc/pam.d/vsftpd
Create the FTP user and its home directory:
# mkdir /var/ftp
# useradd -d /var/ftp ftp

If the ftp user already exists, run only the following two commands:
# chown root:root /var/ftp
# chmod 755 /var/ftp
Create the special empty directory that vsftpd requires:
# mkdir /usr/share/empty/
Uninstall Software
To uninstall the software, run the following commands:
# rm /usr/local/sbin/vsftpd
# rm /usr/local/man/man5/vsftpd.conf.5
# rm /usr/local/man/man8/vsftpd.8
# rm /etc/xinetd.d/vsftpd
# rm -rf /etc/vsftpd
3. Configure the vsftpd service
Service start and stop
Before starting the service, edit the configuration file /etc/vsftpd.conf. When you open it you will see many lines starting with "#". These are comments, mostly help information, and are worth reading carefully. Every item in vsftpd.conf is set as "parameter=value". The format is strict: parameter names are case sensitive, no space is allowed on either side of the equals sign, and there must be no trailing spaces at the end of a line. Each parameter has a default value, which is used when the parameter is not set explicitly in the configuration file. We will ignore the original contents of the file, delete or comment out everything, and add the following four lines. The text to the right of each line is a description; do not enter it in the file:
listen=YES // vsftpd runs in standalone mode
anonymous_enable=YES // allow anonymous users to log on to the server
local_enable=YES // allow local users to log on to the server
pam_service_name=vsftpd // use PAM for authentication
vsftpd has two working modes: standalone mode and xinetd daemon mode. Line 1 makes it run in standalone mode; in this mode the vsftpd service must be restarted after every change to the configuration file for the change to take effect. Both modes are described in detail later. During installation we also copied the vsftpd.pam file from the RedHat directory to /etc/pam.d/vsftpd; this is the PAM configuration file used to authenticate local user logins, and it is described in detail later. For now, note that this file must exist and that pam_service_name=vsftpd must be present in the main configuration file for local users to be able to log on. Run the following command to start the service:
# /usr/local/sbin/vsftpd /etc/vsftpd.conf &
To confirm that the service has started, run:
# netstat -an | grep 21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
We can see that TCP port 21 is open on the server, which means FTP has started. Now log on to the server:
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
At this point we have logged on to the server as the anonymous user (ftp or anonymous, with any password); a local user could log on in the same way. During testing we recommend using the ftp command shown above (Windows, Linux and Unix all ship it, with the same usage) to log on, because it shows more detailed information, which is very helpful when debugging the server. The simplest FTP server is now built. Run the following command to stop the FTP service:
# killall vsftpd
Create a Service Startup Script
In standalone mode it is inconvenient to start and stop the service with the commands above.
Create a new file /etc/rc.d/init.d/vsftpd and copy the following content into it:
#!/bin/bash
#
# vsftpd        This shell script takes care of starting and stopping
#               standalone vsftpd.
#
# chkconfig: - 60 50
# description: vsftpd is a FTP daemon, which is the program \
#              that answers incoming FTP service requests.
# processname: vsftpd
# config: /etc/vsftpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -x /usr/local/sbin/vsftpd ] || exit 0

RETVAL=0
prog="vsftpd"

start() {
        # Start daemons: one vsftpd instance per *.conf file in /etc/vsftpd.
        if [ -d /etc/vsftpd ] ; then
                for i in `ls /etc/vsftpd/*.conf`; do
                        site=`basename $i .conf`
                        echo -n $"Starting $prog for $site: "
                        /usr/local/sbin/vsftpd $i &
                        RETVAL=$?
                        [ $RETVAL -eq 0 ] && {
                                touch /var/lock/subsys/$prog
                                success $"$prog $site"
                        }
                        echo
                done
        else
                RETVAL=1
        fi
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
                stop
                start
                RETVAL=$?
        fi
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL
Save the file and make it executable:
# chmod 755 /etc/rc.d/init.d/vsftpd
Now the service can be managed as follows:
# service vsftpd {start|stop|restart|condrestart|status}
For example, to restart the service:
# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
4. Configuration file details
There is only one vsftpd configuration file, /etc/vsftpd.conf; in the previous section we added a few parameter lines to it. Whenever the configuration file is modified, the service must be restarted for the change to take effect. The parameters are described in detail below.
1. Common parameters for anonymous and local users
write_enable=YES/NO // whether writing is allowed globally
download_enable=YES/NO // whether all users may download
dirlist_enable=YES/NO // whether all users may browse (list files)
Add write_enable=NO and download_enable=YES to the configuration file, then test:
# ftp 127.0.0.1
......
ftp> ls
227 Entering Passive Mode (127,0,0,1,230,192)
150 Here comes the directory listing.
-rw-r--r--    1 0        0               4 May 13 11:43 ioo_file
226 Directory send OK.
ftp> get ioo_file
local: ioo_file remote: ioo_file
227 Entering Passive Mode (...)
150 Opening BINARY mode data connection for ioo_file (4 bytes).
226 File send OK.
4 bytes received in 0.062 seconds (0.063 Kbytes/s)
ftp> put scsrun.log
local: scsrun.log remote: scsrun.log
227 Entering Passive Mode (...)
550 Permission denied.
As shown above, files on the FTP server can be seen and downloaded but not uploaded. If dirlist_enable=NO is added, the files on the server can no longer be seen (the directory listing fails), but a file can still be downloaded if you know its exact name and path. The output of that experiment is not reproduced here.
Now look at the next group:
ftpd_banner=welcome string
banner_file=file
dirmessage_enable=YES/NO
message_file=file
The welcome string set by ftpd_banner is shown at login. For a multi-line welcome message, save the text in a separate file and name that file with the banner_file parameter. Use one or the other of these two parameters. The dirmessage_enable and message_file parameters control the message displayed when a user enters a directory, and are used in the same way as the first two.
2. Local User Management
2.1 General configuration parameters for local users
local_root=/path // directory a local user enters directly after logging on
local_umask=octal number // umask applied to files uploaded by local users
local_max_rate=number // transfer rate limit for local users, in bytes per second
chmod_enable=YES/NO // whether local users may change the permissions of files on the FTP server
Normally a local user who logs on to FTP lands in that user's home directory. The local_root parameter lets the user be placed directly in another directory after logging on, which is very convenient for updating and uploading website content with Apache's userdir module. Every file in Linux has permission bits, and uploaded files are no exception; their default permissions are determined by the local_umask parameter, calculated as follows:
default file creation permission + local_umask = 0666
default directory creation permission + local_umask = 0777
From this we can see that an uploaded file can never have execute permission. This too is part of vsftpd's security design.
The local_max_rate parameter limits the data transfer rate, for both uploads and downloads. The chmod_enable parameter specifies whether the user may change file permissions (with the SITE CHMOD command).
We may want to configure permissions individually for each user, or for a few particular users. To do so, a separate configuration file is needed for each local user. These files must all be in the same directory, which is set with the following parameter:
user_config_dir=/path // directory holding the per-user configuration files
Add the following lines to the configuration file:
local_umask=077
local_max_rate=20000
user_config_dir=/etc/vsftpd/vsftpd_user_dir
Grant users upload permission:
write_enable=YES
Create an ordinary user ioo, create the directory /etc/vsftpd/vsftpd_user_dir, and in it create a file named ioo containing the following lines:
local_root=/var/www/html
local_umask=022
local_max_rate=50000
Change the owner of /var/www/html to ioo:
# chown ioo:ioo /var/www/html
After testing we find that user ioo enters /var/www/html directly after logging on, uploaded files (directories) get permission 644 (755), and the transfer rate is 50 K: the per-user settings override those in the main configuration file.
2.2 Local user logon restriction parameters
There are already many local users on our server, and normally they should all be able to log on to the FTP server. However, FTP transmits in plain text, so allowing the administrator to log on is clearly a bad idea. Or we may want only some local users to log on, or want to keep some of them off our FTP server. How can this be set?
vsftpd provides the userlist function. It uses a file holding a list of usernames, and, depending on the configuration, either the users listed in the file or the users not listed in it are allowed to log on to the FTP server, which restricts local user logons. The configuration parameters are:
userlist_enable=YES/NO // whether to enable the userlist function
userlist_deny=YES/NO // whether users named in the userlist file are refused logon to the FTP service
userlist_file=/path/to/file // the userlist file name

The other two parameters only take effect when the first is YES. Add the following three lines to the configuration file:
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.userlist
Then create the file /etc/vsftpd.userlist and add usernames to it, one per line. For example, if I add the user root and then log on to the service, the following is displayed:
# ftp 127.0.0.1
Connected to 127.0.0.1.
......
Name (127.0.0.1:root): root
530 Permission denied.
Login failed.
The root user is no longer allowed to log on, and is refused before the password is even entered, while other users can still log on. If userlist_deny is changed to NO, only the users listed in the file can log on to the server.
2.3 Local user root directory parameters
Look at the following session:
# ftp 127.0.0.1
......
Name (127.0.0.1:root): ioo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/ioo"
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (127,0,0,1,163,193)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 12 bin
drwxr-xr-x    3 0        0            4096 Apr 30 19:57 boot
drwxr-xr-x   12 0        0            3840 May 13 10:29 dev
......
Surprising, isn't it? We logged on to the FTP server as a local user, yet we can see the directories and files of the entire server and even download /etc/passwd. This is very insecure, so we should disable it and restrict users to browsing their own directories. That requires the chroot function. See the following three parameters:
chroot_list_enable=YES/NO // whether to enable the chroot list file
chroot_local_user=YES/NO // whether to confine local users to their own home directory
chroot_list_file=/path/to/file // the chroot list file name
Create a user woo and another file /etc/vsftpd.chroot_list, and add woo to it. Add the following lines to the configuration file:
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list
Log on to the server to test:
# ftp 127.0.0.1
......
Name (127.0.0.1:root): woo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/woo"
Name (127.0.0.1:root): ioo
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
We can see that woo, who is listed in the file, still has the system root as its root directory, while ioo, who is not listed, now has "/" as its root directory; that is, users not listed in the file cannot browse outside their home directory.
Changing the values of chroot_list_enable and chroot_local_user gives the following combinations:

chroot_list_enable  chroot_local_user  Meaning
YES                 YES                Users listed in the file have the system root as their root directory; all other users are confined to their home directory.
YES                 NO                 Users listed in the file are confined to their home directory; all other users have the system root as their root directory.
NO                  YES                All users are confined to their home directory.
NO                  NO                 All users have the system root as their root directory.

3. Anonymous user parameters
Local users can be assumed to have fairly wide permissions in their home directories, so there are not many statements restricting them. Anonymous users, on the other hand, usually face an open, public Internet environment, so there are many permission statements restricting them, and the restrictions are more fine-grained. Look at this set of parameters:

anon_upload_enable=YES/NO // whether anonymous users may upload files
anon_mkdir_write_enable=YES/NO // whether anonymous users may create directories
anon_other_write_enable=YES/NO // whether anonymous users may use FTP write commands other than uploading files and creating directories, such as delete and rename
anon_world_readable_only=YES/NO // whether anonymous users may only download files that are readable by all users
First, clear the configuration file so that it contains only the following lines:
listen=YES
anonymous_enable=YES
write_enable=YES
download_enable=YES
dirlist_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
We want anonymous users to be able to upload files, but write permission granted in the FTP service is not enough; the file system permissions must allow it too. So we add write permission to /var/ftp:
# chmod a+w /var/ftp
Then log on to the server:
# ftp 127.0.0.1
......
Name (127.0.0.1:root): ftp
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable anonymous root
Login failed.
421 Service not available, remote server has closed connection
Now we cannot even log on to the server! This is because, for security reasons, vsftpd refuses to let the anonymous root directory be writable. So we remove the write permission from /var/ftp, create a directory inside it, and make that directory writable so anonymous users can upload files into it:
# chmod 755 /var/ftp
# mkdir /var/ftp/upload
# chmod 777 /var/ftp/upload
Now anonymous users can upload files, create directories, and delete and rename files in upload, but cannot download the files they uploaded. If a file is uploaded into a newly created directory, it can neither be downloaded nor listed:
ftp> mkdir ASM
257 "/upload/ASM" created
ftp> cd ASM
250 Directory successfully changed.
ftp> put file1
local: file1 remote: file1
227 Entering Passive Mode (...)
150 Ok to send data.
226 File receive OK.
5 bytes sent in 0.063 seconds (0.077 Kbytes/s)
ftp> get file1
local: file1 remote: file1
227 Entering Passive Mode (127,0,0,1,20,101)
550 Failed to open file.
ftp> ls
227 Entering Passive Mode (127,0,0,1,133,186)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp>
This requires looking at the anon_world_readable_only parameter. Its default value is YES, which means anonymous users may only download files that are readable by all users. For example:
# ll
total 40
-rw----r--  1 ftp  34935 05-13 install.log
-rw-------  1 ftp    209 05-13 scsrun.log
Here install.log has the r bit set for others, so it can be downloaded; scsrun.log has no permission bits for others, so anonymous users cannot download it.
There are therefore two solutions. One is to change anon_world_readable_only to NO; the other is to give the other bits of the default upload permission read access, which uses the following parameter:
anon_umask=octal number
The value of this parameter is calculated in the same way as local_umask for local users.
In the experiment above you may have noticed that files uploaded by anonymous users are owned by ftp. The following two parameters can be used to change the owner of uploaded files:
chown_uploads=YES/NO // whether to change the owner of files uploaded anonymously
chown_username=local username // the user who becomes the owner of files uploaded anonymously
Anonymous users can log on with any password, so we can skip the password prompt for anonymous logons by adding the following to the configuration file:
no_anon_password=YES
There are many more parameters for anonymous users; they are not covered one by one here.
The FTP server we can build by now meets the needs of many situations; more demanding situations require further settings.
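As an added example that is not part of the original article: a small POSIX shell audit that applies the "parameter=value" format rules from the configuration section and the chroot table above to a vsftpd.conf, and flags the risky combinations of the parameters discussed so far. The sample configuration and chroot list are constructed here; the parameter defaults assumed are those of vsftpd 2.0.5.

```shell
#!/bin/sh
# Added example, not part of the original article: a small audit of a
# vsftpd.conf that applies the "parameter=value" format rules and flags the
# risky combinations of the parameters discussed above. Only POSIX sh, grep,
# awk and coreutils are used; the sample config and chroot list below are
# constructed for the demonstration. Defaults are those of vsftpd 2.0.5.

# Print the last value set for parameter $2 in file $1, or the default $3.
vsftpd_get() {
    val=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Format check: every non-blank, non-comment line must be exactly
# lowercase_name=value, with no space around "=" and none at line end.
# Offending lines go to stderr; the count of them is printed on stdout.
vsftpd_lint() {
    awk '
        /^[ \t]*$/ || /^#/ { next }
        !/^[a-z0-9_]+=[^ \t]*$/ { bad++; print "bad line " NR ": " $0 > "/dev/stderr" }
        END { print bad + 0 }
    ' "$1"
}

# Apply the chroot table above: prints "yes" if user $2 is confined to its
# home directory under config $1, "no" if it may browse the whole system.
vsftpd_chrooted() {
    local_all=$(vsftpd_get "$1" chroot_local_user NO)
    use_list=$(vsftpd_get "$1" chroot_list_enable NO)
    list=$(vsftpd_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if [ "$use_list" = YES ] && [ -f "$list" ] && grep -qx "$2" "$list"; then
        listed=yes
    fi
    # The list file inverts the global rule for the users it names.
    if [ "$local_all" = YES ]; then
        if [ $listed = yes ]; then echo no; else echo yes; fi
    else
        if [ $listed = yes ]; then echo yes; else echo no; fi
    fi
}

# Print one line per risky combination found in config $1.
vsftpd_audit() {
    f=$1
    if [ "$(vsftpd_get "$f" anonymous_enable YES)" = YES ] &&
       [ "$(vsftpd_get "$f" write_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$f" anon_other_write_enable NO)" = YES ]; then
        echo "anonymous users may delete and rename files"
    fi
    for p in port_promiscuous pasv_promiscuous; do
        if [ "$(vsftpd_get "$f" $p NO)" = YES ]; then
            echo "$p=YES: data connection peer address is not checked"
        fi
    done
    if [ "$(vsftpd_get "$f" local_enable NO)" = YES ]; then
        if [ "$(vsftpd_get "$f" chroot_local_user NO)" = NO ] &&
           [ "$(vsftpd_get "$f" chroot_list_enable NO)" = NO ]; then
            echo "local users can browse the whole filesystem (no chroot)"
        fi
        if [ "$(vsftpd_get "$f" ssl_enable NO)" = NO ]; then
            echo "local user passwords are sent in plain text (ssl_enable=NO)"
        fi
    fi
}

# Constructed sample: the article's settings plus two format mistakes.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CONF=$SAMPLE_DIR/vsftpd.conf
SAMPLE_LIST=$SAMPLE_DIR/vsftpd.chroot_list
printf 'woo\n' > "$SAMPLE_LIST"
cat > "$SAMPLE_CONF" <<EOF
# constructed sample config
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_other_write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$SAMPLE_LIST
Pasv_enable = YES
pasv_min_port =3000
EOF

echo "format errors: $(vsftpd_lint "$SAMPLE_CONF")"
echo "woo chrooted: $(vsftpd_chrooted "$SAMPLE_CONF" woo), ioo chrooted: $(vsftpd_chrooted "$SAMPLE_CONF" ioo)"
vsftpd_audit "$SAMPLE_CONF"
```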

4. IP listening and connection control
There are two start-up parameters for vsftpd in standalone mode:
listen=YES/NO
listen_ipv6=YES/NO
The first has already been discussed. The second is for IPv6 network environments; only one of the two may be set to YES.
In a real network the server usually has several IP addresses, each connected to a different network segment, and we may not want computers in every segment to reach the server. By default vsftpd listens on all IP addresses, so we need the following two lines:
listen_address=IP address to listen on
listen_address6=IPv6 address to listen on
These two lines apply to IPv4 and IPv6 environments respectively.
The next two items control concurrent connections in vsftpd:
max_clients=number
max_per_ip=number
max_clients sets the maximum number of concurrent connections the server accepts, and max_per_ip the maximum number of connections a single client IP may open. Tune these two parameters for server performance, to strike a balance between the number of connections the server accepts and the connection speed. The default value of both is 0, meaning no limit.
accept_timeout=number
connect_timeout=number
data_connection_timeout=number
idle_session_timeout=number
The numbers above are in seconds. accept_timeout is the timeout for establishing a data connection in PASV mode; connect_timeout is the timeout for establishing a data connection in PORT mode (the FTP connection modes are described in detail below). data_connection_timeout is the maximum idle time on an established data connection; when it expires the data connection is closed. idle_session_timeout sets the session idle time: a client that sends no FTP commands to the server for this long is disconnected automatically.
5. Connection port settings
FTP differs from other services in that it uses two TCP connections: the ftp-server (control) connection and the ftp-data connection. The ftp-server connection accepts client connection requests, performs concurrency control and identity and permission checks, and carries the commands sent by the client. The ftp-data connection is responsible for data transfer, so it exists only while data is being transferred. First the ftp-server setting:
listen_port=port number
This sets the ftp-server port number; the default is 21. If another port number is specified, the client must use that port when connecting to the server. Add this line to the main configuration file:
listen_port=2121
# ftp 127.0.0.1
ftp: connect: Connection refused
ftp> open 127.0.0.1 2121
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
......
The result is as expected. Next we discuss the ftp-data connection.
FTP has two data transfer modes: port mode and passive mode.
FTP port mode
In port mode, once the client has established the ftp-server connection, any command that involves data transfer needs an ftp-data connection, which is set up as follows:
(1) The client opens another idle port XX above 1024 and prepares to accept a connection, then sends a PORT command to the server over the ftp-server channel. The command contains the client's IP address and port XX and tells the server that port XX is ready for a connection. The PORT command also supports a third-party mode, in which the client tells the server to open the connection to a different host.
(2) The server actively connects from its ftp-data port (20 by default) to port XX on the client.
(3) After the client responds and the three-way handshake completes, the ftp-data connection is established and data transfer starts. When the transfer is complete, the server's ftp-data port waits to be closed.
So in port mode the ftp-data connection is initiated by the server. Now look at the port mode settings in vsftpd:
port_enable=YES/NO // whether to enable port mode
connect_from_port_20=YES/NO // whether port mode uses the fixed port 20 by default
ftp_data_port=port number // the data port number used in port mode
port_promiscuous=YES/NO // whether the secure port-mode check is used
If port_enable is YES, port mode is available. In port mode, to use the fixed port 20 set connect_from_port_20 to YES, which is the default for many servers. Another port can also be specified, which is what ftp_data_port is for. port_promiscuous defaults to NO, which means that before the ftp-data connection is made, vsftpd checks that the destination IP address of the data connection is the real client IP address; with YES, no check is made. Do not change this parameter to YES unless you are certain that the server only connects back to the real client.
We will add the following two lines to the configuration file:
port_enable=YES
connect_from_port_20=NO
Log on to the server and run the ls (list files) command three times, then run netstat on the server to see the effect:
# ftp 127.0.0.1
Connected to 127.0.0.1.
......
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
......
226 Directory send OK.
ftp> ls
......
ftp> ls
......
ftp> bye
# netstat -an | more
......
tcp        0      0 127.0.0.1:1069          127.0.0.1:1068          TIME_WAIT
tcp        0      0 127.0.0.1:21            127.0.0.1:1065          TIME_WAIT
tcp        0      0 127.0.0.1:1071          127.0.0.1:1070          TIME_WAIT
tcp        0      0 127.0.0.1:1067          127.0.0.1:1066          TIME_WAIT
......
We can see that the server opened three ports above 1024 to connect to the client; these three connections were produced by the three ls commands. If connect_from_port_20 is changed to YES, all three connections on the server side use the fixed port 20. If ftp_data_port=2020 is added and the experiment repeated, the server uses port 2020.
[Figure: a LAN client behind a NAT router connecting to an FTP server in port mode]
Consider this picture. The LAN client uses a private IP address and reaches the Internet through NAT (Network Address Translation) on the egress router, and the FTP server uses port mode. When the client sends a PORT command containing its own IP address and port to the server, the router must inspect the packet as it passes and translate the IP address and port inside it to the client's public address and port. That requires the router to work at the application layer! We cannot expect every customer's router to have this capability, and if the router does not perform this step correctly, FTP data transfer fails.
In addition, because of the third-party mode, an attacker can set the IP address and port in the PORT command to those of another host and have the server connect there (known as an FTP bounce attack). Some firewall devices have addressed this problem, but for most firewalls and routers it remains serious.
FTP passive mode
A passive ftp-data connection is established as follows:
(1) When the user requests a data transfer, the client sends the PASV command to the server to indicate that it wants to enter passive mode;
(2) The server responds; the response contains the server IP address and a temporary port, which is the port the client should connect to for the data transfer;
(3) The client sends a connection request to the server, with a temporary port chosen by the client as the source port and the temporary port given in the PASV response as the destination port;
(4) The server responds to the client's request, the TCP three-way handshake completes, the ftp-data connection is established, and data transfer starts.
Now look at the passive mode settings in vsftpd:
pasv_enable=YES/NO
pasv_min_port=port number
pasv_max_port=port number
pasv_promiscuous=YES/NO
pasv_address=ip_address
The first line sets whether PASV mode is enabled. pasv_min_port and pasv_max_port are the range of ports opened in PASV mode; if we use PASV mode it is best to specify the range, so the firewall can open exactly those ports for client connection requests. Like port_promiscuous, pasv_promiscuous sets whether the secure check is performed under PASV, and it should likewise be left at NO (the default). pasv_address is followed by a valid IP address and specifies the address announced for the port opened by PASV; it is unset by default, because the service then uses the IP address of the control connection. Change the main configuration file to the following and check the effect:
listen=YES
anonymous_enable=YES
pasv_enable=YES
pasv_min_port=3000
pasv_max_port=3003
Log on to the server, run the ls command three times, then run netstat on the server to see the effect:
# netstat -an
......
tcp        0      0 192.168.0.105:3000      192.168.0.122:11066     TIME_WAIT
tcp        0      0 192.168.0.105:3002      192.168.0.122:11065     TIME_WAIT
tcp        0      0 192.168.0.105:3001      192.168.0.122:11063     TIME_WAIT
We can see that each ls command produced one connection, and the server opened ports between 3000 and 3003. Since vsftpd 2.0.3 a PASV port may be reused, which earlier versions did not allow; that is, the same port can carry several connections to clients at the same time. You can test this yourself.
Most people think passive mode causes fewer problems than port mode in a firewalled network, but note that in passive mode the client opens a connection to a temporary destination port on the server, which the firewall or access control lists (ACLs) on some devices may block. The server then replies from that temporary port to the client's temporary port, which the firewall or access list may also block. On many routers and firewalls (including iptables) the second problem can be avoided with the access-list keyword "established", which tells the router to let through packets with the ACK flag set. For the first problem, although pasv_min_port and pasv_max_port limit the range of temporary ports the server opens and those ports can be opened on the firewall, some exposure remains. Fortunately most stateful inspection firewalls, such as Linux Netfilter, support deep inspection of the FTP protocol and can filter PASV dynamic ports precisely.
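As an added example that is not part of the original article: POSIX shell functions that carry out the PORT/PASV address arithmetic from the two sections above (port = p1*256 + p2), the peer check that port_promiscuous=YES and pasv_promiscuous=YES would disable, and the pasv_min_port..pasv_max_port range check that a firewall rule relies on. The sample replies are constructed from the addresses in the netstat output above.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the FTP data
# connection set-up described above. Only POSIX sh, sed and awk are used.

# Print "host port" from the h1,h2,h3,h4,p1,p2 tuple carried by a PORT
# command or a 227 reply (port = p1*256 + p2); print nothing if no valid
# tuple is present, e.g. for a truncated reply or an out-of-range byte.
ftp_endpoint() {
    printf '%s\n' "$1" | sed 's/[^0-9,]/ /g' | awk '
        { for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+$/) {
                split($i, b, ",")
                ok = 1
                for (k = 1; k <= 6; k++) if (b[k] + 0 > 255) ok = 0
                if (ok) { print b[1] "." b[2] "." b[3] "." b[4], b[5] * 256 + b[6]; exit }
            }
        }'
}

# The check that port_promiscuous=NO / pasv_promiscuous=NO keeps enabled:
# the address in the tuple ($1) must be the peer of the control connection
# ($2). A PORT command naming a third host is what an FTP bounce looks like
# on the wire, so a defender wants this to return non-zero for it.
ftp_peer_matches() {
    ep=$(ftp_endpoint "$1")
    [ -n "$ep" ] && [ "${ep% *}" = "$2" ]
}

# Check that a 227 reply announces a port inside the pasv_min_port ($2) ..
# pasv_max_port ($3) range that the firewall was opened for.
ftp_pasv_in_range() {
    ep=$(ftp_endpoint "$1")
    port=${ep#* }
    [ -n "$ep" ] && [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Constructed sample lines, using the addresses from the netstat output above.
PASV_OK='227 Entering Passive Mode (192,168,0,105,11,184)'    # port 3000
PASV_HIGH='227 Entering Passive Mode (192,168,0,105,11,188)'  # port 3004
PORT_OK='PORT 192,168,0,122,43,56'                            # client 192.168.0.122:11064
PORT_THIRD='PORT 10,0,0,9,0,21'                               # names another host

echo "PASV endpoint: $(ftp_endpoint "$PASV_OK")"
ftp_pasv_in_range "$PASV_OK" 3000 3003 && echo "port 3000 is inside 3000-3003"
ftp_pasv_in_range "$PASV_HIGH" 3000 3003 || echo "port 3004 is outside 3000-3003"
ftp_peer_matches "$PORT_OK" 192.168.0.122 && echo "PORT peer matches the control connection"
ftp_peer_matches "$PORT_THIRD" 192.168.0.122 || echo "PORT names a third host: reject"
```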
5. For more advanced operations, see http://galei402.blog.163.com
