File service:
Ftp: application layer, C/S model, file sharing; file transfer protocol;
Nfs, cifs: file system interface, network file system;
Nfs: network file system
Cifs: common internet file system
Samba: open-source implementation of cifs/smb
Network Storage:
NAS: Network Attached Storage, file server, nfs or cifs, file level;
SAN: Storage Area Network, block-level sharing service; the client partitions -> formats -> creates the file system itself; IPSAN, FCSAN;
Ftp:
File transfer protocol, 21/tcp
C/S:
Client -> ftp -> Server
Client: Connect
Server: Listen
Connection:
Command connection: transmits commands; persists for the whole session;
Data connection: transmits data; created on demand for each transfer;
Data connection establishment mode:
Active mode (PORT): the client announces an idle port of its own with the PORT command over the command connection; the server then connects from its 20/tcp to that client port;
Passive mode (PASV): the client sends PASV; the server opens a random port and reports it in the reply; the client then connects to that port;
Data transmission mode:
Text Format: ASCII
BINARY Format: BINARY
Protocol Security:
Plaintext: data is transmitted in plaintext, and the account and password are sent in plaintext during authentication;
Security Enhancement:
Ftp over ssl/tls: ftps
Ftp over ssh: sftp
Virtual User account;
C/s:
Server:
Windows: Serv-U, IIS, ...
Open-source solutions:
Wuftpd: Washington University ftp daemon
Vsftpd: Very Secure ftp daemon
Proftpd, pureftpd, ...
Client:
GUI: flashfxp, cute, filezilla, gftp, ...
CLI: ftp, lftp, ...
Vsftpd:
Program environment:
Main program: /usr/sbin/vsftpd
Unit file: /usr/lib/systemd/system/vsftpd.service
Configuration file: /etc/vsftpd.conf
Document path mapping:
User fedora: /home/fedora/pub/a.txt -> ftp://HOST:PORT/pub/a.txt
User home directory mapping: access to the vsftpd service is always performed as some system user; that user's home directory becomes the root of the document tree exposed to the client;
Anonymous user: anonymous, mapped to a system user, which is ftp;
Configuration: vsftpd.conf
DIRECTIVE=VALUE, one per line
Directive: no whitespace is allowed anywhere in the line, i.e. between the directive, the = sign and the value;
Anonymous user:
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Local user:
local_enable=YES
write_enable=YES
Authentication service:
pam_service_name=vsftpd
/etc/pam.d/vsftpd
Pam: pluggable authentication module
Show a message when the client changes into a directory:
dirmessage_enable=YES
.message (read from the directory being entered)
Change the owner of uploaded files:
chown_uploads=YES
chown_username=USERNAME
Chroot (jail) users into their home directories:
A writable chroot root introduces other security risks, so the chrooted user must not have write permission on their own home directory;
(1) chroot all local users
chroot_local_user=YES
(2) chroot only some users
(A) whitelist: users in the list are the exceptions and are NOT chrooted;
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
(B) blacklist: only users in the list are chrooted
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
user_list controls which users may log in to vsftpd:
(1) whitelist: only users in the list are allowed
userlist_enable=YES
userlist_deny=NO
(2) blacklist (default): users in the list are denied
userlist_enable=YES
userlist_deny=YES
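An added config audit (example code, not from these notes) that enforces the no-whitespace DIRECTIVE=VALUE rule and flags the anonymous-write, chroot_list and user_list settings covered in this section; the sample vsftpd.conf is constructed, and the defaults consulted for unset options are the upstream vsftpd defaults.

```python
# Added example, not from the notes: audit vsftpd.conf syntax and access controls.
import re

LINE_RE = re.compile(r"^([a-z_]+)=(\S.*)?$")  # vsftpd allows NO whitespace around '='
DEFAULTS = {"anonymous_enable": "YES", "userlist_deny": "YES"}  # upstream defaults

def parse_vsftpd_conf(text):
    """Return (settings, errors); malformed lines are reported, not parsed."""
    settings, errors = {}, []
    for num, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)  # matched on the raw line: leading spaces are an error too
        if not m:
            errors.append(f"line {num}: not DIRECTIVE=VALUE (no spaces allowed): {raw!r}")
            continue
        settings[m.group(1)] = m.group(2) or ""
    return settings, errors

def audit(settings):
    """Flag risky or easily misread combinations from the notes."""
    get = lambda k: settings.get(k, DEFAULTS.get(k, "NO")).upper()
    findings = []
    if get("anonymous_enable") == "YES":
        for opt in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if get(opt) == "YES":
                findings.append(f"{opt}=YES: unauthenticated anonymous write")
    if get("local_enable") == "YES" and get("chroot_local_user") != "YES":
        findings.append("local users are not chrooted to their home directories")
    if get("chroot_list_enable") == "YES":
        listed = settings.get("chroot_list_file", "/etc/vsftpd/chroot_list")
        if get("chroot_local_user") == "YES":
            findings.append(f"{listed} lists EXCEPTIONS: these users are NOT chrooted")
        else:
            findings.append(f"{listed} lists the only users that ARE chrooted")
    if get("userlist_enable") == "YES" and get("userlist_deny") == "YES":
        findings.append("userlist_deny=YES: user_list is a blacklist, not a whitelist")
    return findings

SAMPLE_CONF = """\
# constructed sample vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable = YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
"""
```

Running parse_vsftpd_conf(SAMPLE_CONF) rejects the spaced write_enable line, and audit() on the rest reports anonymous upload, the chroot_list exception semantics and the blacklist default.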
Virtual user accounts:
vsftpd relies on pam for authentication, so any account store that a pam module supports can be used by vsftpd;
Where are the account passwords stored?
Files, MySQL, ldap, redis, ...
pam_mysql module
CentOS 6: install from epel
CentOS 7: compile and install from source
Compile:
(1) a compiling environment (development tools);
(2) dependencies: mariadb-devel, pam-devel
# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security/
# make && make install
MySQL settings:
mysql> CREATE DATABASE vsftpd;
mysql> GRANT ALL ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'mageedu';
mysql> CREATE TABLE vsftpd.users (uid SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE KEY, name VARCHAR(100) NOT NULL PRIMARY KEY, password CHAR(48) NOT NULL);
mysql> INSERT INTO vsftpd.users (name, password) VALUES ('tom', PASSWORD('mageedu')), ('jerry', PASSWORD('mageedu')), ('lucy', PASSWORD('mageedu'));
Prepare the system account that virtual users are mapped to:
# mkdir -pv /ftproot/{pub,upload}
# useradd -d /ftproot vuser
# setfacl -m u:vuser:rwx /ftproot/upload
Prepare the pam configuration file for mysql-based authentication: /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so host=127.0.0.1 user=vsftpd passwd=mageedu db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so host=127.0.0.1 user=vsftpd passwd=mageedu db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
Configure vsftpd to enable virtual users and use the specified pam service: vsftpd.conf
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
Give each virtual user different permissions: vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_conf
# mkdir /etc/vsftpd/vusers_conf
# touch /etc/vsftpd/vusers_conf/USERNAME (one file per virtual user, named after the user)
Permission directives usable in a per-user file (virtual users are treated like anonymous users):
anon_upload_enable
anon_mkdir_write_enable
anon_other_write_enable