Aside: there is only one reason people feel lost: at the age when they should be striving, they think too much and do too little.
vsftpd: anonymous access configured, but a username/password prompt appears-------------------------
The directory was read-only at first; it was then made writable by changing the owner and group of /var/ftp to ftp, on the reasoning that anonymous logins run as the ftp account. That is the mistake. By default /var/ftp belongs to root:root, and vsftpd refuses an anonymous login when the anonymous root (the ftp user's home, which becomes the chroot) is writable by the ftp user; the client then reports the failed anonymous login by asking for a username and password.
Solution: chown root:root /var/ftp
chmod 755 /var/ftp
To let anonymous users read, download and also upload, keep the root as above and create a subdirectory under /var/ftp that is writable, e.g. chmod 777 on it. Bear in mind that 777 lets every local account on the host write there as well; chown ftp:ftp on the subdirectory with mode 755 gives the same result for anonymous sessions (which all run as ftp) while keeping other local users out.
vsftpd: how to let anonymous users delete files-----------------------------------
vim /etc/vsftpd/vsftpd.conf and add:
anon_umask=022 (umask for anonymous uploads; not present in the shipped configuration file, built-in default 077)
anon_other_write_enable=YES (allow the "other" write operations, that is delete, rename and overwrite; not in the shipped file, default NO)
anon_world_readable_only=NO (lets anonymous users download files that are not world-readable, e.g. uploads made under a restrictive umask; not in the shipped file, default YES)
Deletion itself is unlocked by anon_other_write_enable, together with the global write_enable=YES, anonymous_enable=YES and a directory the ftp user can write; anon_world_readable_only only affects what anonymous users can retrieve, which is why it is usually changed at the same time. This combination lets any unauthenticated client delete or overwrite any other client's upload, so use it only on a throwaway drop box.
Configure anonymous user logon-----------------------------------------------
1. Install vsftpd
yum install vsftpd
2. Check whether SELinux is enforcing
getenforce
If it prints Enforcing, the class note switches it off for the session with
setenforce 0
If it prints anything else, nothing needs to be done. Note that setenforce 0 disables SELinux for the whole host until reboot; the precise alternative is to leave it enforcing and grant only what the FTP daemon needs: setsebool -P allow_ftpd_anon_write=1 (the boolean is called ftpd_anon_write on newer releases) and label the upload directory with chcon -t public_content_rw_t /var/ftp/pub.
3. Start vsftpd
/etc/init.d/vsftpd start
(on a systemd host: systemctl start vsftpd)
At this point FTP is reachable, but read-only. To make it writable, the configuration file must be changed as well:
vim /etc/vsftpd/vsftpd.conf, remove the leading "#" from the two lines
anon_upload_enable=YES
anon_mkdir_write_enable=YES
(write_enable=YES, which gates every write command, is already uncommented in the shipped file; leave it so), then restart vsftpd:
/etc/init.d/vsftpd restart
In addition, the directory permissions must be changed:
chmod 777 /var/ftp/pub
Now the pub directory is writable, but anonymous users can only upload: they cannot delete, rename or overwrite, because anon_other_write_enable is still at its default NO. Uploads are owned by ftp and created under anon_umask (default 077, i.e. mode 0600).
Virtual accounts authenticated against MySQL-------------------------------------------
1. Install vsftpd: yum install -y vsftpd
# edit /etc/vsftpd/vsftpd.conf
listen=YES
connect_from_port_20=YES
pasv_enable=YES
tcp_wrappers=YES
local_enable=YES
chroot_local_user=YES
anonymous_enable=NO
guest_enable=YES
guest_username=vsftpdguest
user_config_dir=/etc/vsftpd/vsftpd_user_conf
pam_service_name=vsftpd
dirmessage_enable=YES
idle_session_timeout=600
check_shell=NO
(The original note had pam_service_name=/etc/pam.d/vsftpd; the value is the PAM service name, i.e. the file name under /etc/pam.d/, not a path, as the reference configurations in the exercises below have it.)
Create the system user that virtual users are mapped to:
useradd -s /sbin/nologin vsftpdguest
2. Install MySQL
3. Install pam_mysql
wget http://cdnetworks-kr-1.dl.source ... mysql-0.7rc1.tar.gz   (URL truncated in the original)
tar zxvf pam_mysql-0.7rc1.tar.gz
cd pam_mysql-0.7rc1
./configure --with-mysql=/usr/local/mysql --with-pam=/usr --with-pam-mods-dir=/usr/lib
make && make install
--with-pam-mods-dir must match the module path used in /etc/pam.d/vsftpd below (/usr/lib/pam_mysql.so); on x86_64 hosts the PAM module directory is usually /lib64/security or /usr/lib64/security, so adjust both places together.
4. Create the vsftp database, the users table, and a read-only grant
mysql> create database vsftp;
mysql> use vsftp;
mysql> create table users (name char(16) binary, passwd char(48) binary);
mysql> insert into users (name, passwd) values ('test001', password('123456'));
mysql> insert into users (name, passwd) values ('test002', password('234567'));
mysql> grant select on vsftp.users to vsftpdguest@localhost identified by 'vsftpdguest';
(The column lengths were garbled in the original and are reconstructed here; PASSWORD() yields a 41-character string, so passwd must hold at least that. PASSWORD() is an unsalted double SHA-1 and was removed in MySQL 8.0, and test001/test002 are sample credentials from the class: replace both before any real deployment. The grant is SELECT only, which is all pam_mysql needs.)
5. Create the configuration file for each virtual account
mkdir /etc/vsftpd/vsftpd_user_conf
cd /etc/vsftpd/vsftpd_user_conf
vim test001   (the file name must match the login name stored in the users table exactly)
local_root=/ftp/
write_enable=YES
virtual_use_local_privs=YES
chmod_enable=YES
/ftp must exist and be accessible to vsftpdguest, since that is the uid the session runs as. Because chroot_local_user=YES makes local_root the chroot root, a /ftp that vsftpdguest can write is refused by vsftpd 2.3.5 and later ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); keep /ftp itself read-only and give write access in a subdirectory, or set allow_writeable_chroot=YES on builds that have that option.
6. Edit the PAM file
vim /etc/pam.d/vsftpd
#%PAM-1.0
auth    required /usr/lib/pam_mysql.so user=vsftpdguest passwd=vsftpdguest host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=2
account required /usr/lib/pam_mysql.so user=vsftpdguest passwd=vsftpdguest host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=2
crypt=2 tells pam_mysql that the passwd column holds MySQL PASSWORD() hashes, matching step 4. The MySQL password sits in clear text in this file, so restrict its permissions (it is consulted by vsftpd's root-privileged parent process), and do not reuse the database user name as its password the way the class example does.
vsftpd configuration parameters in detail --------------------------------------------------------
Each entry is shown as option=value with the alternative value in parentheses; "default" means vsftpd's built-in value, which the configuration file shipped with CentOS may override.
#### Settings related to the server environment
1. connect_from_port_20=YES (NO): whether active-mode (PORT) data connections originate from the server's port 20 (ftp-data).
2. listen_port=21: the port of the command channel. Set this to use a non-standard port. It only takes effect in standalone mode; it is ignored when vsftpd is started from a super daemon (xinetd).
3. dirmessage_enable=YES (NO): when a user enters a directory, show that directory's message file. The file name defaults to .message and can be changed with the next option.
4. message_file=.message: the file vsftpd looks for in each directory when dirmessage_enable=YES.
5. listen=YES (NO): YES means vsftpd runs standalone and listens on its own. The built-in default is NO; the CentOS configuration sets YES so the init script can start it standalone.
6. pasv_enable=YES (NO): allow passive-mode (PASV) data connections. Leave it at YES; most clients behind NAT need it.
7. use_localtime=YES (NO): vsftpd shows directory-listing times in GMT by default, so in China (UTC+8) they appear 8 hours behind. Set YES to use local time.
8. write_enable=YES (NO): the global switch for every command that changes the filesystem (STOR, DELE, RNFR/RNTO, MKD, RMD, APPE, SITE). None of the anon_* or per-user write settings work while this is NO.
9. connect_timeout=60: in active mode, seconds to wait for the client to accept the data connection the server initiates; after that the connection is dropped.
10. accept_timeout=60: in passive mode, seconds to wait for the client to connect to the passive data port the server opened. Same idea as connect_timeout, one for active and one for passive mode.
11. data_connection_timeout=300: once a data connection is established (either mode), seconds a transfer may stall before vsftpd kills the session.
12. idle_session_timeout=300: seconds without a command before the client is disconnected.
13. max_clients=0: in standalone mode, the maximum number of simultaneous clients; 0 means unlimited.
14. max_per_ip=0: like max_clients, but the maximum number of simultaneous connections from one IP address.
15. pasv_min_port=0, pasv_max_port=0: the port range used for passive data connections. To use only ports 65400 to 65410 (11 ports, easy to open on a firewall), set pasv_min_port=65400 and pasv_max_port=65410. 0 means any free port.
16. ftpd_banner=some text: a one-line greeting shown when a client connects. It holds little; prefer banner_file.
17. banner_file=/path/file: a plain-text file shown as the welcome message at login; a good place to describe the directory layout.
#### Settings for local (system) users
1. guest_enable=YES (NO): when YES, every non-anonymous login is treated as a guest and mapped to the user named by guest_username (default ftp). Default NO.
2. guest_username=ftp: the system user guests are mapped to; only effective with guest_enable=YES.
3. local_enable=YES (NO): allow accounts from /etc/passwd to log in as local users. Must be YES for the settings that follow.
4. local_max_rate=0: transfer-rate limit for local users in bytes/second; 0 means unlimited.
5. chroot_local_user=YES (NO): whether local users are confined (chroot) to their home directory by default. Set YES for security, together with the next two options. Note that vsftpd 2.3.5 and later refuse a login whose chroot root is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); either keep the home directory itself read-only and give write access in a subdirectory, or, on builds that support it, set allow_writeable_chroot=YES.
6. chroot_list_enable=YES (NO): whether to read the list file named by chroot_list_file. Without YES that file is ignored.
7. chroot_list_file=/etc/vsftpd.chroot_list: usable when chroot_list_enable=YES. The list works relative to chroot_local_user: with chroot_local_user=YES the users listed are the ones NOT chrooted; with chroot_local_user=NO the users listed are the only ones chrooted.
8. userlist_enable=YES (NO): whether to use vsftpd's own user list to block (or allow) certain accounts, controlled by the next two options.
9. userlist_deny=YES (NO): only effective with userlist_enable=YES. YES means accounts listed in the file are refused before a password is even asked for; NO turns the file into an allow list, so only listed accounts may log in.
10. userlist_file=/etc/vsftpd/user_list: the list file used by the two options above.
#### Anonymous login settings
1. anonymous_enable=YES (NO): allow anonymous logins. Built-in default YES. All the settings below require anonymous_enable=YES.
2. anon_world_readable_only=YES (NO): when YES, anonymous users can only download files that are world-readable. Default YES; this matters because uploads owned by the ftp user are not world-readable under anon_umask=077.
3. anon_other_write_enable=YES (NO): allow anonymous write operations other than upload and mkdir, i.e. delete, rename and overwrite. Default NO. If YES, the directory opened to anonymous writes must be writable by the user vsftpd runs anonymous sessions as (ftp).
4. anon_mkdir_write_enable=YES (NO): allow anonymous users to create directories. Default NO; requires write_enable=YES and a parent directory writable by the ftp user.
5. anon_upload_enable=YES (NO): allow anonymous uploads. Default NO; requires write_enable=YES and a writable target directory.
6. deny_email_enable=YES (NO): anonymous logins are asked for a "password" that is by convention the user's email address; set YES to refuse the addresses listed in banned_email_file.
7. banned_email_file=/etc/vsftpd/banned_emails: used when deny_email_enable=YES; one email address per line.
8. no_anon_password=YES (NO): YES skips the password (email) prompt for anonymous logins entirely. Default NO, so an email address is asked for at login.
9. anon_max_rate=0: transfer-rate limit for anonymous users in bytes/second; 0 means unlimited (bounded only by bandwidth). For roughly 30 kB/s set anon_max_rate=30000.
10. anon_umask=077: the umask applied to anonymous uploads. With 077 uploaded files are created as -rw------- (0600), which anonymous users cannot download while anon_world_readable_only=YES.
#### Settings that affect system security
1. ascii_download_enable=YES (NO): when YES, clients may download in ASCII mode (line-ending translation).
2. ascii_upload_enable=YES (NO): the same for uploads. Default NO.
3. one_process_model=YES (NO): YES handles each connection in a single process instead of vsftpd's usual pair of a privileged parent and an unprivileged child. It is faster but removes the privilege separation that limits what a compromised session can do, and under load it exhausts resources sooner; leave it NO unless the host is otherwise hardened and well resourced.
4. tcp_wrappers=YES (NO): honour /etc/hosts.allow and /etc/hosts.deny. Set YES.
5. xferlog_enable=YES (NO): log uploads and downloads to the file named by the next option.
6. xferlog_file=/var/log/xferlog: the transfer log used when xferlog_enable=YES.
7. xferlog_std_format=YES (NO): write the transfer log in wu-ftpd format. The default (NO) is vsftpd's own, more readable format; set YES only if your log-analysis tools expect wu-ftpd logs.
8. dual_log_enable=YES, vsftpd_log_file=/var/log/vsftpd.log: in addition to the wu-ftpd style /var/log/xferlog, also write vsftpd's own log. Unless the server is very busy, keeping both (/var/log/{vsftpd.log,xferlog}) is reasonable.
9. nopriv_user=nobody: the unprivileged user vsftpd uses for the parts of the service that need no privilege. Because nobody has almost no rights, a compromise of that process yields only nobody's access.
10. pam_service_name=vsftpd: the PAM service name, i.e. the file /etc/pam.d/vsftpd.
### Main program: /usr/sbin/vsftpd
### Startup script: /etc/rc.d/init.d/vsftpd
### PAM configuration: /etc/pam.d/vsftpd. The file vsftpd consults through the PAM module, mainly for authentication; some account checks are done here as well. The line carrying file=/etc/vsftpd/ftpusers (pam_listfile with sense=deny) is what blocks the users listed in that file.
### Blacklist: /etc/vsftpd/ftpusers. Tied to the PAM file above: accounts written here, one per line, can never log in to vsftpd regardless of vsftpd.conf. Most system accounts are listed by default, and an administrator can add any account that should not get upload or download rights through FTP and thereby threaten the system. (On RHEL/CentOS 4 this file lives directly under /etc/.)
### User list: /etc/vsftpd/user_list. Whether this file is used, and how, depends on userlist_enable and userlist_deny in vsftpd.conf. Where /etc/vsftpd/ftpusers is the PAM mechanism, user_list is vsftpd's own; by default (userlist_deny=YES) it is a second deny list with the same format, but with userlist_deny=NO it becomes a whitelist of the only accounts allowed in. (On RHEL/CentOS 4 this file also lives directly under /etc/.)
### Chroot list: /etc/vsftpd/chroot_list. Not created by default; create it yourself. It takes effect only with chroot_list_enable and chroot_list_file set in vsftpd.conf, and selects which local users are, or are not, confined to their home directory (see chroot_local_user above).
### Anonymous home directory: /var/ftp, the home directory of the ftp system account. Local users land in their own home directory, e.g. /home/user.
### Anonymous upload/download directory: /var/ftp/pub. To accept anonymous uploads it needs write permission for the ftp user, typically chmod 1777 pub as root. The leading 1 is the sticky bit: a file can then be deleted or renamed only by its owner. Be aware that every anonymous upload is owned by the same ftp user, so the sticky bit protects them from other local users, not from other anonymous users; to stop anonymous deletion rely on anon_other_write_enable=NO.
### Log rotation rule: /etc/logrotate.d/vsftpd.log (the log itself is /var/log/vsftpd.log or /var/log/xferlog, depending on the settings above).
===================================== Exercises ========================================
1. Which port does the FTP service listen on by default, and can it be changed?
FTP listens on port 21 by default and the port can be changed. For pure-ftpd, add a line to its configuration file: Bind 0.0.0.0,2100 (2100 being the new port). For vsftpd, add listen_port=2100 to /etc/vsftpd/vsftpd.conf; this only takes effect in standalone mode (listen=YES). Restart the service afterwards and open the new port in the firewall.
2. Which software is commonly used to provide an FTP service, and which one does the system ship with?
pure-ftpd and vsftpd; the system (CentOS) ships the latter.
3. How do I create a user with pure-ftpd, and how do I delete one?
Create: pure-pw useradd test1 -u www -d /data/ftp
Delete: pure-pw userdel test1
After either command run pure-pw mkdb, so that the change is written into the password database pure-ftpd actually reads.
4. How do I change a user's password (pure-ftpd)?
pure-pw passwd test1, followed by pure-pw mkdb. (The class answer, deleting the account and recreating it under the same name, also works but is unnecessary.)
5. How do I list the current users (pure-ftpd)?
pure-pw list
6. Build an FTP server with vsftpd meeting this requirement: three accounts, user1, user2 and user3, all accessing the same directory, where user1 can read and write but user2 and user3 are read-only.
Idea: follow the class document to build vsftpd virtual accounts, create user1, user2 and user3, and when creating their per-user configuration files give all three the same local_root, with write_enable=YES for user1 and write_enable=NO for user2 and user3 (virtual_use_local_privs=YES in each file, so that write_enable is what decides). The shared directory must be readable by the guest_username account and writable by it for user1's sake; since chroot_local_user=YES makes local_root the chroot root, either put the writable area in a subdirectory or, on vsftpd 2.3.5 and later, add allow_writeable_chroot=YES.
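For step 5 of the MySQL virtual-account section and for exercise 6, the following shell script is an added example of my own, not code from the course notes: it generates the per-user files that vsftpd reads from user_config_dir and refuses login names or local_root values that would escape the intended layout. It assumes guest_enable=YES with user_config_dir pointing at the directory passed as CONFDIR, and it adds one constraint the notes do not state, namely that every local_root must lie under a single base directory. The user names user1, user2 and user3 come from the exercise; the directory names in the usage are placeholders.

```shell
#!/bin/sh
# mkvuser.sh -- added example, not part of the original notes.
# Generates the per-user files vsftpd reads from user_config_dir for virtual
# (guest_enable=YES) users, refusing names or paths that would escape the
# intended layout. Assumes user_config_dir points at CONFDIR and that every
# user's local_root must lie under one base directory (a constraint added
# here; the notes do not require it). user1..user3 are from exercise 6.

# vuser_conf CONFDIR NAME BASE ROOT ACCESS   (ACCESS is rw or ro)
# Writes CONFDIR/NAME; returns 1 without writing anything on bad input.
vuser_conf() {
    confdir=$1 name=$2 base=$3 root=$4 access=$5
    # The login name becomes a file name inside user_config_dir, so allow only
    # a conservative character set: no "/", no "..", no leading "-".
    case $name in
        ''|*/*|*..*|-*|*[!A-Za-z0-9_.-]*)
            echo "refusing user name: '$name'" >&2; return 1 ;;
    esac
    # Keep local_root under BASE so a typo cannot point a user at /etc or /home.
    case $root in
        "$base"|"$base"/*) ;;
        *) echo "local_root $root is outside $base" >&2; return 1 ;;
    esac
    case $access in
        rw) we=YES ;;
        ro) we=NO ;;
        *) echo "access must be rw or ro, got '$access'" >&2; return 1 ;;
    esac
    mkdir -p "$confdir" || return 1
    # virtual_use_local_privs=YES makes write_enable (rather than the anon_*
    # keys) decide what this user may do; chmod_enable follows it so that a
    # read-only user cannot SITE CHMOD files either.
    {
        printf 'local_root=%s\n' "$root"
        printf 'virtual_use_local_privs=YES\n'
        printf 'write_enable=%s\n' "$we"
        printf 'chmod_enable=%s\n' "$we"
    } > "$confdir/$name"
}

# vuser_access CONFDIR NAME: print rw, ro or missing, read back from the file.
vuser_access() {
    [ -f "$1/$2" ] || { echo missing; return 1; }
    if grep -q '^write_enable=YES$' "$1/$2"; then echo rw; else echo ro; fi
}

# exercise6 CONFDIR BASE: the exercise 6 layout, one shared directory that
# user1 may write and user2/user3 may only read.
exercise6() {
    vuser_conf "$1" user1 "$2" "$2/shared" rw &&
    vuser_conf "$1" user2 "$2" "$2/shared" ro &&
    vuser_conf "$1" user3 "$2" "$2/shared" ro
}

# Usage: . ./mkvuser.sh; exercise6 /etc/vsftpd/vsftpd_user_conf /ftp
```

The generated local_root must be readable by the guest_username account (vsftpdguest in the section above) and writable by it for the rw user; because chroot_local_user=YES makes local_root the chroot root, a writable shared directory additionally needs allow_writeable_chroot=YES on vsftpd 2.3.5 and later, or the writable part moved into a subdirectory.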
7. Build an FTP server with vsftpd meeting this requirement: three accounts, user1, user2 and user3, all accessing the same directory, where every user can read the other users' files but can only change their own, not anybody else's.
Idea: build the FTP service with vsftpd using system accounts as the FTP accounts, then give the shared directory the sticky bit (t), the same arrangement as /tmp: with local_umask=022 uploads are created 0644, so everyone can read them but only the owner can modify them, and the sticky bit stops users from deleting or renaming files they do not own.
Reference configuration file: cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
local_root=/tmp/123
Create the FTP directory: mkdir /tmp/123
Set permissions: chmod 1777 /tmp/123
Create the accounts: useradd user1; useradd user2; useradd user3
Set passwords: passwd user1; passwd user2; passwd user3
Note that local_root=/tmp/123 is the chroot root for these users and is world-writable, which vsftpd 2.3.5 and later refuse ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); on those versions add allow_writeable_chroot=YES, or use a read-only local_root containing a 1777 subdirectory. Files under /tmp may also be cleaned up by the system, so choose a persistent location for anything real.
8. Build an FTP server with vsftpd that anyone can log in to (anonymous login), with the anonymous account able to read and write.
Reference configuration: cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=022
anon_other_write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Also required: chmod 777 /var/ftp/pub (while /var/ftp itself stays root:root 755, as explained at the top of this page). With anon_other_write_enable=YES any client on the network can delete, rename or overwrite every file in pub and fill the disk, so this answers the exercise but is not a configuration to expose to the internet.
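As an added example that is not part of the course notes, the following shell script ties together the sections "how to let anonymous users delete files" and "Configure anonymous user logon" above and the reference configuration of exercise 8: it reads a vsftpd.conf, reports which write operations anonymous users effectively get (honouring vsftpd's built-in defaults for keys that are absent or commented out, and the global write_enable gate), and checks the /var/ftp versus /var/ftp/pub permission split that the first section of this page explains. It assumes anonymous sessions run as the ftp user, as on CentOS; the user name, the directories and the configuration file are all parameters, and the configurations it is run against below are constructed.

```shell
#!/bin/sh
# vsftpd_anon_check.sh -- added example, not part of the original notes.
# Reports which write operations a vsftpd.conf grants to anonymous users and
# checks the directory layout those operations need. Assumes vsftpd's built-in
# defaults for unset keys (anonymous_enable=YES, write_enable=NO, the three
# anon_*_enable keys NO) and that anonymous sessions run as the "ftp" user, as
# the notes above describe; the user name to check against is a parameter.

# conf_get FILE KEY DEFAULT: print the effective value of KEY in FILE. The last
# uncommented assignment wins (as in vsftpd), boolean values are upper-cased so
# "yes" and "YES" compare equal, other values are returned verbatim, and
# DEFAULT is printed when KEY is absent.
conf_get() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                       # commented-out line
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            lv = tolower(v)
            if (lv == "yes" || lv == "no") v = toupper(v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# anon_caps FILE: print "disabled" when anonymous logins are off, "none" when no
# write command can succeed (write_enable gates STOR, DELE, RNFR/RNTO, MKD, RMD
# and APPE for everyone), otherwise the granted classes, space separated:
# upload (STOR to a new name), mkdir (MKD), other (DELE, RNFR/RNTO, RMD,
# overwrite and APPE).
anon_caps() {
    f=$1
    [ "$(conf_get "$f" anonymous_enable YES)" = YES ] || { echo disabled; return 0; }
    [ "$(conf_get "$f" write_enable NO)" = YES ]      || { echo none; return 0; }
    caps=
    [ "$(conf_get "$f" anon_upload_enable NO)" = YES ]      && caps="$caps upload"
    [ "$(conf_get "$f" anon_mkdir_write_enable NO)" = YES ] && caps="$caps mkdir"
    [ "$(conf_get "$f" anon_other_write_enable NO)" = YES ] && caps="$caps other"
    caps=${caps# }
    echo "${caps:-none}"
}

# dir_writable_by DIR USER: succeed when the mode bits let USER write DIR: the
# owner bit when USER owns it, the group bit when the directory's group has the
# same name as USER (the usual private-group layout), or the "other" bit.
dir_writable_by() {
    info=$(ls -ld "$1" 2>/dev/null) || return 2
    mode=${info%% *}                          # e.g. drwxr-xr-x (SELinux appends ".")
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
    group=$(printf '%s\n' "$info" | awk '{ print $4 }')
    [ "$(printf '%s' "$mode" | cut -c9)" = w ] && return 0
    [ "$owner" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c3)" = w ] && return 0
    [ "$group" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c6)" = w ] && return 0
    return 1
}

# anon_layout_check ROOT PUB USER: succeed when ROOT (the ftp user's home, which
# becomes the chroot) is NOT writable by USER and PUB (the upload directory) IS.
# A writable ROOT makes vsftpd refuse the login with "500 OOPS: vsftpd:
# refusing to run with writable root inside chroot()"; an unwritable PUB makes
# every STOR fail. One line is printed per problem found.
anon_layout_check() {
    rc=0
    if dir_writable_by "$1" "$3"; then
        echo "BAD: $1 is writable by $3; fix: chown root:root $1 && chmod 755 $1"
        rc=1
    fi
    if ! dir_writable_by "$2" "$3"; then
        echo "BAD: $2 is not writable by $3; anonymous uploads will fail"
        rc=1
    fi
    return $rc
}

# Usage: sh vsftpd_anon_check.sh /etc/vsftpd/vsftpd.conf [/var/ftp /var/ftp/pub ftp]
if [ $# -gt 0 ]; then
    echo "anonymous write access: $(anon_caps "$1")"
    anon_layout_check "${2:-/var/ftp}" "${3:-/var/ftp/pub}" "${4:-ftp}"
fi
```

Run it as sh vsftpd_anon_check.sh /etc/vsftpd/vsftpd.conf; the layout arguments default to /var/ftp, /var/ftp/pub and ftp. Group membership is resolved only by name, so a root directory that is writable through some other group the ftp user belongs to would pass the script while vsftpd still refuses it; read the script's verdict as a first check, not as a replacement for trying the login.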
Day 42: FTP-related issues