This post just lists the basic commands and shares my own notes.
Purpose
Requirements: configure a vsftpd server that lets virtual users log in. The virtual users are stored on a separate MySQL server. There are two virtual accounts, tom and jerry, with the passwords tom and jerry respectively, and the privileges of the two accounts need to be restricted differently (adjust to your actual needs).
Environment: MySQL server at 172.16.49.1, running CentOS 6.6 with MariaDB 5.5.43. The other machine (192.168.0.22), also CentOS 6.6, has vsftpd installed via yum.
1. Introduction to vsftpd
vsftpd is an FTP server; Windows users can also connect to it. FTP follows the client/server model: the server always listens on port 21, the command (control) connection port, while port 20 is the data transfer port. A data connection is established when a transfer is needed and torn down afterwards, rather than being kept in the listening state, so client and server can connect in two ways:
Active mode: the client connects from a random port to the server's port 21; when a command to download data arrives, the server actively opens port 20 and connects to the client's random port +1. Active mode is generally not used, because the client's firewall blocks the server's incoming connection unless the client manually opens or configures it.
Passive mode: the client again connects from a random port to the server's port 21, and over that connection the two sides negotiate which random port the server will open for data; the client then initiates the data connection to it. The server never connects back to the client, and unlike port 21, the server's data port is not kept listening by vsftpd: it is opened and closed as needed.
FTP chooses the transfer format according to the data: text data is sent in text mode and binary programs in binary mode. This differs from HTTP, which can only transfer a text stream.
FTP also uses reply codes:
1xx: informational.
2xx: success.
3xx: intermediate reply, more input is needed (seen after entering the account name, because the password still has to follow).
4xx: client error.
5xx: server-side error.
Because vsftpd is only implemented on Unix-like servers, authentication mainly goes through the OS's own PAM module. There are three kinds of users: OS system users; anonymous users (no user name or password); and virtual users (accounts and passwords stored in a database or another file).
2. Main files generated after yum install vsftpd
User authentication (PAM) configuration file: /etc/pam.d/vsftpd (note: pam_service_name=vsftpd in the main configuration file refers to this file).
Main program: /usr/sbin/vsftpd
Resources shared with anonymous users: /var/ftp (note: every anonymous user is mapped to an OS user; for security this is best a system user, created together with a home directory, because what is shared is that home directory. Files are still subject to local permissions, so only what the mapped OS user may read is accessible. The permissions of /var/ftp itself must not be changed; to allow writing, create a new directory under it and make that directory writable).
System users: their own home directories.
Configuration directory: /etc/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
3. Explanation of part of the main configuration file
anonymous_enable=YES          // whether anonymous users are enabled
anon_upload_enable=YES        // whether anonymous users may upload
anon_mkdir_write_enable=YES   // whether anonymous users may create directories
anon_other_write_enable=YES   // whether anonymous users may delete files
local_enable=YES              // whether local system users are enabled
write_enable=YES              // whether local system users may delete and create
local_umask=022               // umask restricting the permissions of files they create
Confine all local FTP users to their home directories:
chroot_local_user=YES
Confine only the local FTP users listed in a file to their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Logging:
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
Change the owner of uploaded files:
chown_uploads=YES
chown_username=whoever
Whether to enable the list file /etc/vsftpd/user_list that controls user logins (userlist_deny decides whether it is a deny list or an allow list):
userlist_enable=YES
userlist_deny=YES|NO
Connection limits:
max_clients=N     // maximum number of concurrent connections
max_per_ip=N      // maximum number of concurrent connections from one IP
Transfer rates:
anon_max_rate=N   // maximum transfer rate for anonymous users, in bytes per second
local_max_rate=N  // maximum transfer rate for local users, in bytes per second
Force transfers in ASCII (text) mode; files may then appear garbled when opened on the client:
ascii_upload_enable=YES
ascii_download_enable=YES
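As an added example (not part of the original post and not part of vsftpd), the POSIX shell script below reads a vsftpd.conf and reports the settings from this section that widen access: anonymous or virtual-user write rights, a disabled chroot, forced ASCII uploads and a loose local_umask. The two configuration files it inspects are constructed samples, one weak and one hardened, and the helper names conf_get, conf_yes and audit_conf are my own.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the access-widening settings discussed above.
# Both files below are constructed samples, not any real server's configuration.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=002
chroot_local_user=NO
guest_enable=YES
guest_username=vuser
ascii_upload_enable=YES
EOF
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
pam_service_name=vsftpd.mysql
EOF

# conf_get FILE KEY -> value of the last "KEY=value" line, empty if unset
conf_get() { sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1; }

# conf_yes FILE KEY -> succeeds if KEY is switched on (vsftpd accepts YES, TRUE or 1, any case)
conf_yes() {
    case "$(conf_get "$1" "$2" | tr 'a-z' 'A-Z')" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# audit_conf FILE -> prints one finding per line; prints nothing for a clean file
audit_conf() {
    f="$1"
    # With guest_enable=YES the anon_* directives also govern virtual users (section 4.E),
    # so anonymous write rights matter whenever anonymous or virtual logins are on.
    if conf_yes "$f" anonymous_enable || conf_yes "$f" guest_enable; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            conf_yes "$f" "$k" && echo "finding: $k=YES gives anonymous/virtual users write access"
        done
    fi
    # chroot_local_user=YES confines local users to their home directories.
    conf_yes "$f" chroot_local_user || echo "finding: chroot_local_user is not YES (local users are not confined to their home directories)"
    # Forced ASCII mode rewrites line endings, so binary uploads arrive corrupted.
    conf_yes "$f" ascii_upload_enable && echo "finding: ascii_upload_enable=YES (forced text mode mangles binary files)"
    # A umask of 022 or stricter keeps new files from being group/world writable.
    u=$(conf_get "$f" local_umask)
    case "$u" in 022|027|077) ;; *) echo "finding: local_umask=${u:-unset} (expected 022, 027 or 077)" ;; esac
    return 0
}

# Stand-alone run: list the findings for the weak sample and their count.
audit_conf "$WEAK_CONF"
echo "findings: $(audit_conf "$WEAK_CONF" | grep -c .)"
```

Point audit_conf at a real /etc/vsftpd/vsftpd.conf (or at one of the per-user files from section 4.E, which use the same anon_* keys) to get the same report for a live server.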
4. Configuration
A. Install the necessary programs
1. Install vsftpd, pam_mysql and the MySQL server
Note: pam_mysql is provided by the EPEL repository.
B. Create the virtual user accounts
1. Prepare the database and the related table
mysql> create database vsftpd;
// the database account can be used on this machine
mysql> grant select on vsftpd.* to vsftp@localhost identified by 'mima';
mysql> grant select on vsftpd.* to vsftp@'172.16.%.%' identified by 'mima';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (id int unsigned auto_increment not null primary key, name char(20) binary not null, password char(48) binary not null);
// the length of the password column was lost in the original; 48 is assumed here, wide enough for the 41-character hash that PASSWORD() returns
2. Add test virtual accounts
For security the password is stored encrypted with MySQL's built-in PASSWORD() function, which is why the password column is several dozen characters wide rather than the length of the plaintext.
// the user names must match the per-user configuration file names used later (tom, jerry)
mysql> insert into users (name, password) values ('tom', password('tom')), ('jerry', password('jerry'));
C. Configure vsftpd
1. Create the file required for PAM authentication
vim /etc/pam.d/vsftpd.mysql    // given a new name so that it does not conflict with the original vsftpd PAM file
Add the following two lines (the module may be written as just pam_mysql.so; it is looked up automatically under /lib64/security). host= is the IP of the MySQL machine (172.16.49.1 in this setup). The first line authenticates the account; for why crypt=2 is used, see the README listed by rpm -ql pam_mysql:
auth    required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
The second line checks whether the account is valid:
account required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
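Added example, not from the original post: a shell check for the PAM file just created. It confirms that both an auth and an account line load pam_mysql.so, that each uses crypt=2 (the mode matching the PASSWORD() hashes inserted in section B), and that the file is not readable by other users, since it carries the MySQL password in clear text. The two files it inspects are constructed samples using the placeholder values from this post; pam_line and pam_mysql_check are my own helper names.

```shell
#!/bin/sh
# Added example: sanity-check a /etc/pam.d/vsftpd.mysql file like the one created above.
# Both files below are constructed samples (user/password/host are the post's placeholder
# values), not copies of a real server's configuration.
PAM_WEAK=$(mktemp); PAM_OK=$(mktemp)
trap 'rm -f "$PAM_WEAK" "$PAM_OK"' EXIT
# Weak sample: no account line, plaintext hashing mode, world-readable file.
cat > "$PAM_WEAK" <<'EOF'
auth required pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
EOF
chmod 644 "$PAM_WEAK"
# Sound sample: both lines, crypt=2, readable by root only.
cat > "$PAM_OK" <<'EOF'
auth    required pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
EOF
chmod 600 "$PAM_OK"

# pam_line FILE TYPE -> the first pam_mysql line of the given type (auth or account), if any
pam_line() { grep -E "^[[:space:]]*$2[[:space:]]+.*pam_mysql\.so" "$1" | head -n 1; }

# pam_mysql_check FILE -> prints one finding per line; prints nothing for a sound file
pam_mysql_check() {
    f="$1"
    for t in auth account; do
        line=$(pam_line "$f" "$t" || true)
        if [ -z "$line" ]; then
            echo "finding: no '$t' line for pam_mysql.so (auth checks the password, account checks validity; both are needed)"
            continue
        fi
        # crypt=2 tells pam_mysql the column holds MySQL PASSWORD() hashes, as inserted in
        # section B; any other mode (crypt=0 expects plaintext) will not match those rows.
        case " $line " in
            *" crypt=2 "*) ;;
            *) echo "finding: '$t' line lacks crypt=2 (password column was filled with PASSWORD())" ;;
        esac
    done
    # The file holds the database password in clear text; group/others must not read it.
    case "$(ls -ld "$f" | cut -c5-10)" in
        *r*) echo "finding: $f is readable by group/others but contains the MySQL password (chmod 600)" ;;
    esac
    return 0
}

# Stand-alone run: report on the weak sample.
pam_mysql_check "$PAM_WEAK"
```

Run pam_mysql_check against the real /etc/pam.d/vsftpd.mysql after editing it; a silent run means the three conditions hold.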
2. Modify the vsftpd configuration file so that it works with MySQL authentication
Create the system user that the virtual users are mapped to, together with its home directory:
useradd -s /sbin/nologin -d /var/ftproot vuser
chmod go+rx /var/ftproot
Make sure the main configuration file /etc/vsftpd/vsftpd.conf contains the following (adjust as needed):
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
Then add the following options:
guest_enable=YES
guest_username=vuser
Make sure pam_service_name has this value:
pam_service_name=vsftpd.mysql    // log in only via MySQL authentication
D. Start the vsftpd service
/etc/init.d/vsftpd start
chkconfig vsftpd on
Log in as a virtual user to verify the configuration; from Windows you can use IE, cmd and so on.
E. Configure virtual users with different access rights
vsftpd can give each virtual user a separate configuration file, in a profile directory, that defines that user's access to the FTP service; the file is named after the virtual user. The profile directory can be any unused directory; just specify its path in vsftpd.conf.
1. Configure vsftpd to use a profile directory for virtual users
vim /etc/vsftpd/vsftpd.conf
Add the following:
user_config_dir=/etc/vsftpd/vusers_config
2. Create the directory and provide a configuration file for each virtual user
mkdir /etc/vsftpd/vusers_config
touch /etc/vsftpd/vusers_config/{tom,jerry}
3. Configure access rights for the virtual users
A virtual user's access to the vsftpd service is controlled through the anonymous-user directives. For example, to let tom upload and download, edit /etc/vsftpd/vusers_config/tom and add:
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
5. Results
[Figure 1: creation of the database (image: http://s3.51cto.com/wyfs02/M00/6C/D7/wKiom1VTPVPicnRkAALL_GjMNY0011.jpg)]
[Figure 2: virtual user tom logging in from the Windows command line (image: http://s3.51cto.com/wyfs02/M01/6C/D2/wKioL1VTPwHiH84FAANNQKbCny4686.jpg)]
[Figure 3: tom uploads a file and creates a directory (image: http://s3.51cto.com/wyfs02/M02/6C/D2/wKioL1VTP5qw1ArsAAHCS30FI9c371.jpg)]
Note: the reply 227 Entering Passive Mode (192,168,0,22,28,236) in Figure 3 shows that the data is transferred in passive mode; the server's data port is 28*256+236 = 7404.
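Added example, not part of the original post: the shell functions below decode a 227 reply like the one in Figure 3 into the server's address and data port (p1*256 + p2) and check that the announced address is the server the control connection went to (192.168.0.22 here), which is the check an FTP client should make before opening the data connection. The sample reply is constructed from the one in the figure; pasv_endpoint and pasv_check are my own names.

```shell
#!/bin/sh
# Added example: decode an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# Constructed sample reply, matching the one shown in Figure 3.
SAMPLE_227='227 Entering Passive Mode (192,168,0,22,28,236)'

# pasv_endpoint REPLY -> prints "IP PORT" with PORT = p1*256 + p2; returns 1 if malformed
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    # split the six comma-separated numbers into the positional parameters
    set -- $(printf '%s' "$nums" | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    for n in "$@"; do [ "$n" -ge 0 ] && [ "$n" -le 255 ] || return 1; done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_check REPLY CONTROL_IP -> prints the data port and returns 0 only if the reply is
# well formed (else 1) and announces the host the control connection was made to (else 2)
pasv_check() {
    ep=$(pasv_endpoint "$1") || return 1
    ip=${ep% *}
    port=${ep#* }
    [ "$ip" = "$2" ] || return 2
    printf '%s\n' "$port"
}

# Stand-alone run: the Figure 3 reply against the server it came from.
pasv_check "$SAMPLE_227" 192.168.0.22
```

The address check matters because the client, not the server, opens the data connection in passive mode: a reply naming a different host would send the client's data elsewhere, so a mismatch should be refused.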
Like-minded "comrades" are welcome to add my QQ: 865765761 (note: Linux).
This article comes from the blog "Write-only feeling!"; please keep this source: http://damihua.blog.51cto.com/6537272/1651073
Building a vsftpd server with MySQL-based virtual user authentication