CentOS 6.5: rapid deployment of an HTTP web server and an FTP server

Source: Internet
Author: User

[Preface] This article uses CentOS 6.5 minimal to quickly build an HTTP server and an FTP server that only authorized users can log in to. The goal is for authorized FTP users to log on to a specified server folder and upload, download, modify, update, and delete website files in the /var/www/html directory. At the same time, SELinux and the iptables firewall stay enabled so that the server runs securely and effectively.

Step 1 start CentOS 6.5
This assumes you have already installed CentOS, on either a virtual machine or a physical server.

Step 2 log on to the system
# yum install httpd vsftpd mysql mysql-server php-mysql
So that you know what is being installed, this uses the default installation method, which asks you to confirm by entering y.

Step 3 confirm the Installation List
y
Enter y at the yum prompt and press Enter to confirm.

Step 4 set startup
# chkconfig httpd on
Start the HTTP service at boot.
# chkconfig vsftpd on
Start the FTP service at boot.
# chkconfig mysqld on
Start the MySQL service at boot.

Step 5 check the service configuration status
# chkconfig
Check that httpd, vsftpd and mysqld are shown as on for runlevels 2, 3, 4, and 5.

Step 6 start the service
# service httpd start
Start the HTTP service.
# service vsftpd start
Start the FTP service.
# service mysqld start
Start the MySQL service.

Step 7 configure FTP users, user groups, and permissions
# groupadd webftp
Add a webftp user group to hold our authorized FTP users.
# useradd -g webftp -M -d /var/www -s /sbin/nologin wwwer
The -g parameter puts the user in the webftp group. The -M parameter skips creating a home directory (without -M, a wwwer folder is created under /home, which is of little practical use, so do not create it). The -d parameter sets the initial login directory to /var/www, and the -s parameter sets the shell to /sbin/nologin, because the account does not need to log on to the system. The user is named wwwer (the name is based on the initial login directory, as is the one below; one advantage of logging on to the www directory is that pages such as the 404 page can be modified directly over FTP, without going through some other process).
# useradd -g webftp -M -d /var/www/html -s /sbin/nologin htmler
In the same way, add the user htmler to the webftp group. It gets no home directory and does not need to log on to the system; its initial login directory is /var/www/html.
# passwd wwwer
Set a password for wwwer; enter it twice.
# passwd htmler
Set a password for htmler; enter it twice.
# chown -R wwwer:webftp /var/www
Change the owner of the /var/www directory and all files and folders under it (-R) to the wwwer user and the webftp group.
# chown -R htmler:webftp /var/www/html
Similarly, chown the /var/www/html directory and all files and folders under it to htmler.

Step 8 disable anonymous users
# vi /etc/vsftpd/vsftpd.conf
Press i to enter insert mode, find anonymous_enable=YES, and change YES to NO. Then press ESC to leave insert mode and type ":wq" to save and exit.

Step 9 configure basic security policies
# getsebool -a | grep ftp
List all SELinux FTP policies.
# setsebool allow_ftpd_full_access on
Allow full FTP access.
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Insert a firewall rule. Adding a rule with -A on CentOS puts it at the end of the chain, where it does not seem to take effect: the default CentOS ruleset ends with a REJECT rule, and an appended rule lands after it. So insert the rule at the head of the chain with -I. The rule applies to all INPUT packets arriving at the server: if the protocol (-p) is tcp and the destination port (--dport) is 80, the action (-j) is ACCEPT.
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
In the same way, accept all tcp packets destined for port 21 on the server.
# modprobe ip_conntrack_ftp
Load the connection tracking module for FTP.

Remember that the basic security policy configured in this last step (Step 9) is lost after a restart, and you need to configure it again. Of course, these policies can be made persistent by modifying the SELinux and iptables configuration files or by running service iptables save. But you should be clear about one thing: a server should always be turned on. If the server restarts, there are only two possibilities: either the restart was under your control or it was not. If the restart was not under your control, you should realize that this is a very dangerous situation, and in that case those "allow" policies should lapse entirely rather than be retained. I think this may be one of the reasons CentOS behaves this way. If you want to add more rules, you can first save them to a txt file and then copy them back in (cp) when needed.
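
The checks below are an added example, not part of the original article: they verify offline the two points Steps 8 and 9 depend on, that the ACCEPT rules for ports 21 and 80 sit ahead of the chain's catch-all REJECT, and that anonymous_enable is really NO. The function names and the sample rule listings are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the article): offline checks for Steps 8 and 9.
# On a live host: port_reachable "$(iptables -S INPUT)" 21
#                 anon_disabled "$(cat /etc/vsftpd/vsftpd.conf)"

# Succeeds if an ACCEPT rule for tcp port $2 comes before the first
# catch-all REJECT/DROP in the INPUT chain ($1 = `iptables -S INPUT` text).
port_reachable() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 != "-A" || $2 != "INPUT" { next }
        # A rule that is only "-j REJECT/DROP" matches every packet: stop here.
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        index($0, " -p tcp ") && index($0 " ", " --dport " port " ") &&
            index($0, " -j ACCEPT") { found = 1; exit }
        END { exit !found }'
}

# Succeeds if the last uncommented anonymous_enable line in vsftpd.conf text
# $1 is exactly "anonymous_enable=NO". A missing line fails (vsftpd defaults
# to YES) and so does "anonymous_enable = NO" (spaces around = are an error).
anon_disabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*anonymous_enable/ { val = $0 }
        END { exit (val != "anonymous_enable=NO") }'
}

# Constructed sample: CentOS 6 style default chain with port 80 appended (-A).
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed sample: the same chain after the two -I commands from Step 9.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

for p in 21 80; do
    port_reachable "$RULES_INSERTED" "$p" && echo "inserted: port $p accepted"
done
port_reachable "$RULES_APPENDED" 80 || echo "appended: port 80 still rejected"
anon_disabled 'anonymous_enable=NO' && echo "anonymous FTP disabled"
```

Run anon_disabled against the file after editing it; vsftpd only reads vsftpd.conf at startup, so the service started in Step 6 keeps the old setting until it is restarted.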

Testing the result
Both the HTTP and FTP tests succeed, and the wwwer and htmler users we added have valid permissions on these files. If your website program requires 777 permissions on some files, you can change the permissions directly over FTP.

Good luck!
