Debian + vsftpd + MySQL for virtual users

This article describes setting up vsftpd on Debian with virtual users whose account information is stored in MySQL. The following is a detailed description.

I. Requirements
1. Virtual User Login
2. Restrict Anonymous logon from IP addresses
3. Different users, directories, and permissions
4. Use FTP to manage Web Sites
5. Extended Functions
II. Selecting FTP server software
1. Selection principle 1
2. Selection principle 2
III. Implementation
1. Required software packages
2. Install
3. Create a necessary local user
4. Configure the MySQL database
5. Configure PAM verification For vsftpd
6. Configure vsftpd
IV. Summary

I. Requirements

1. Virtual User Login
Postfix + MySQL virtual users have already been set up successfully on this machine, and the benefits and flexibility of virtual users have become clear.
This time FTP will use virtual users too, with the account information stored in MySQL. That way a small web GUI written in PHP
can manage both sets of users in one place, which is very convenient.

2. Restrict Anonymous logon from IP addresses
Anonymous logon is enabled, but only from specific IP addresses.

3. Different users, directories and permissions
This sounds like a tongue twister. Suppose there are two users, normal and admin, and two FTP directories, incoming and pub.
The following permissions are required:

          incoming     pub
normal    read/write   read-only
admin     read/write   read/write

4. Use FTP to manage web sites
Apache is also running on the server. The website administrator is not very familiar with Linux, and there is no wish to open a system
account for him: he should not log on to the system at all and risk messing it up. Following the common practice of virtual hosting
providers, the website is instead managed through FTP, so the website administrator needs an FTP account for that purpose.

5. Extended Functions
TBD ..

II. Selecting FTP server software

There is a lot of excellent FTP server software to choose from for setting up an FTP site on Linux, such as Wu-FTPD, Pure-FTPD, ProFTPD
and vsftpd. It took some time to pick the one best suited to these needs;
vsftpd (very secure FTP daemon) was chosen for the following two reasons:

1. Selection principle 1
Some say the best FTPD is the one you know best, but with no previous experience of setting up an FTP site on Linux,
everything was a fresh start. The vsftpd home page mentions that the official Debian FTP site and the official Red Hat FTP site
both run vsftpd, so going with the mainstream seemed respectable enough :D

2. Selection principle 2
The second point rests largely on the name vsftpd (very secure FTP daemon): it is written to be a very secure FTP server,
and since Debian's own FTP site uses it, choosing it should be the right call.

PS: for the choice of FTP server software, see the section on simple vsftpd server setup in Vbird's Linux Private Kitchen (鳥哥的Linux私房菜).

III. Implementation

Based on Debian GNU/Linux 3.1 (Sarge) and vsftpd 2.0.3.

1. Required software packages

1) vsftpd: the very secure FTP daemon.
2) mysql-server and mysql-client: the MySQL database server that stores the virtual user information, and the command-line MySQL client. MySQL was already installed when postfix was configured, so this package does not have to be installed again.
3) libpam-mysql: vsftpd verifies users through PAM; this module lets PAM check credentials against MySQL.

2. Install
Log on to Debian as root and enter the following command:

# apt-get install vsftpd libpam-mysql

3. Create the necessary local user
Even though the FTP accounts are virtual users, vsftpd still needs a real local account: every virtual user is mapped to it
(guest_username below), and all their files are read and written with its uid and gid. Note that this is different from the MySQL
account of the same name created in the next step; the Unix user never talks to the database. On Debian, useradd creates the
account without a password, so it cannot log on to the system itself; it should also not be given a usable login shell.

1) Create the home directory of the local user, which is also the FTP root:

# mkdir /home/ftp

2) Create a local user named ftpguest:

# useradd -d /home/ftp ftpguest

3) Change the owner and group of the FTP root:

# chown ftpguest:nogroup /home/ftp


4. Configure the MySQL database

1) Create a database ftpvuser for the virtual user information:

# mysqladmin -u root -p create ftpvuser

2) Connect to the database:

# mysql -u root -p

3) Create a table named users to hold the virtual user information:

mysql> use ftpvuser;
mysql> create table users (username varchar(20) not null, password varchar(40) not null, primary key (username)) TYPE=MyISAM;

(TYPE=MyISAM is the syntax of the MySQL shipped with Sarge; newer releases spell it ENGINE=MyISAM.)

4) Allow the database account ftpguest to read the users table of ftpvuser. This is the account pam_mysql connects as, and it is
granted SELECT only, which is all PAM needs; it must not be able to change the table.
Note: YourPassword is the password you choose for this database account.

mysql> grant select on ftpvuser.users to ftpguest@localhost identified by 'YourPassword';
mysql> flush privileges;

5) Create the virtual users:

mysql> insert into users (username, password) values ('normal', '123');
mysql> insert into users (username, password) values ('admin', '123');
mysql> insert into users (username, password) values ('webmaster', '123');

6) Finish the MySQL configuration:

mysql> quit;

5. Configure PAM verification For vsftpd

1) Open the PAM configuration file:

# nano /etc/pam.d/vsftpd

2) Comment out the existing content and add the following two lines.
Note: YourPassword is the password just set for the ftpguest database account. Because the file now contains that password in
clear text, make sure it is readable by root only. crypt=0 tells pam_mysql that the password column holds clear-text passwords,
which is what the insert statements above wrote. pam_mysql can also compare against a hashed column: with crypt=1 it runs the
login password through crypt(3) before comparing, with crypt=3 it compares the hex MD5 (what MySQL's MD5() produces); the
values stored in the table then have to be written in the same form.

auth    required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
account required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
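The stored form of the password is decided by the crypt= option of pam_mysql. With crypt=0, as used above, pam_mysql compares the login password byte for byte with the column, so the table holds clear-text passwords and anyone who can SELECT from it (the ftpguest grant, a database dump, the PHP management GUI's own DB account) has every FTP password. The following added example is not part of the original article: it emulates what the auth line does for a login, against a constructed in-memory SQLite stand-in for the ftpvuser.users table, with crypt=0 and crypt=3 (hex MD5) side by side, and serves both the table created in step 4 and the PAM lines of step 5. The names hash_for_pam_mysql, build_db, stored_password and authenticate are this example's own; pam_mysql's crypt=1 (crypt(3)) and crypt=2 (MySQL PASSWORD()) modes are not emulated.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the MySQL database ftpvuser: an in-memory SQLite
# table with the two columns the tutorial creates.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"

# Constructed sample accounts (same names and passwords as the tutorial).
SAMPLE_USERS = [("normal", "123"), ("admin", "123"), ("webmaster", "123")]


def hash_for_pam_mysql(password, crypt):
    """Encode a password the way pam_mysql expects to find it for crypt=N.

    crypt=0: stored as typed (the tutorial's setting, clear text in the DB).
    crypt=3: hex MD5, i.e. what MySQL's MD5() returns.
    crypt=1 (crypt(3)) and crypt=2 (PASSWORD()) are not emulated here.
    """
    if crypt == 0:
        return password
    if crypt == 3:
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    raise ValueError("crypt mode %r not emulated" % crypt)


def build_db(users, crypt):
    """Create the users table and fill it the way the INSERT statements do."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(name, hash_for_pam_mysql(pw, crypt)) for name, pw in users],
    )
    return conn


def stored_password(conn, username):
    """What anyone with SELECT on ftpvuser.users sees for this user."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


def authenticate(conn, username, password, crypt):
    """The check behind 'auth required pam_mysql.so ... crypt=N'.

    pam_mysql looks the user up by usercolumn, encodes the supplied password
    per crypt=N and compares it with passwdcolumn. An unknown user simply
    fails, the same way a wrong password does.
    """
    stored = stored_password(conn, username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_for_pam_mysql(password, crypt))


def pam_auth_line(crypt):
    """The /etc/pam.d/vsftpd auth line for a given crypt mode."""
    return (
        "auth required pam_mysql.so user=ftpguest passwd=YourPassword "
        "host=localhost db=ftpvuser table=users usercolumn=username "
        "passwdcolumn=password crypt=%d" % crypt
    )


if __name__ == "__main__":
    for crypt in (0, 3):
        conn = build_db(SAMPLE_USERS, crypt)
        print(pam_auth_line(crypt))
        print("  stored for admin:", stored_password(conn, "admin"))
        print("  admin/123 ->", authenticate(conn, "admin", "123", crypt))
        print("  admin/124 ->", authenticate(conn, "admin", "124", crypt))
```

With crypt=3 the column no longer reveals the passwords outright, though unsalted MD5 still falls quickly to a dictionary attack on an exported table; pam_mysql's crypt=1 is the better choice on a system whose crypt(3) produces salted hashes. Whichever mode is chosen, the PHP management GUI and the INSERT statements must write the column in that same form, or logins fail.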

6. Configure vsftpd

1) Open the vsftpd configuration file:

# nano /etc/vsftpd.conf

Note: whenever /etc/vsftpd.conf is modified, vsftpd must be restarted for the new settings to take effect:

# /etc/init.d/vsftpd stop
# /etc/init.d/vsftpd start

(Running /etc/init.d/vsftpd restart directly did not seem to work.)

2) Modify vsftpd.conf as follows:

# Disable anonymous access in the base configuration. The compiled-in default
# of anonymous_enable is YES, so merely commenting the line out does not
# disable it; it has to be set to NO explicitly. Anonymous access for the
# permitted addresses is switched back on per connection in step 4) below.
anonymous_enable=NO

# Enable local user access (virtual users log in through this path)
local_enable=YES

# Enable virtual user access; guest_username is the local account the
# virtual users are mapped to
guest_enable=YES
guest_username=ftpguest

# Chroot users into their home directory so that FTP users cannot reach
# other system directories
chroot_local_user=YES


3) 500 OOPS: cap_set_proc
Logging on to FTP fails. The server returns: 500 OOPS: cap_set_proc
This error means vsftpd could not set its Linux capabilities, which it uses to drop privileges; on kernels that build capability
support as a module the fix is to load that module:

# modprobe capability

To have Linux load the module automatically at boot, add it to /etc/modules.

4) Restricting anonymous logon by IP address
To restrict the client addresses that may log on to vsftpd, TCP Wrappers is used. With tcp_wrappers enabled in vsftpd,
each incoming connection is first checked against the TCP Wrappers rules in /etc/hosts.allow and /etc/hosts.deny; if the client
address is permitted the session continues with vsftpd, otherwise the connection is refused outright. A matching rule can also set
environment variables for the session, which is what lets vsftpd load a different configuration file depending on the source address.

A. Modify /etc/vsftpd.conf:

# Enable TCP Wrappers
tcp_wrappers=YES

B. Modify /etc/hosts.deny
First deny all addresses that connect to vsftpd. hosts.allow is consulted first and its first matching line wins; hosts.deny is
only consulted when nothing in hosts.allow matched. The deny-all here is therefore the fallback, and the exceptions are opened
in hosts.allow.

# Deny all addresses connecting to vsftpd
vsftpd: ALL

C. Modify /etc/hosts.allow
The addresses allowed to log on to vsftpd go here. For the VSFTPD_LOAD_CONF environment variable the vsftpd man page says:
"If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd
session will try and load the vsftpd configuration file specified in this variable."
Order matters: the address-specific line must come before the ALL line, otherwise the ALL line matches every client first and
the anonymous configuration is never loaded. Note also that, because the second line admits every client, the vsftpd: ALL entry
in hosts.deny is never reached for vsftpd: the address list only chooses which configuration file a client gets, it does not by
itself block any connection.

# Addresses allowed to log on to vsftpd anonymously
vsftpd: 192.168.0., 210.83.200.200: setenv VSFTPD_LOAD_CONF /etc/vsftpd.anonymous
# Virtual users may connect to FTP from any address
vsftpd: ALL: setenv VSFTPD_LOAD_CONF /etc/vsftpd.virtual

D. Create /etc/vsftpd.anonymous (the mkdir creates the directory that the per-user configuration of step 5) goes into):

# mkdir /etc/vsftpd/
# nano /etc/vsftpd.anonymous

# Allow anonymous logon
anonymous_enable=YES

E. Create /etc/vsftpd.virtual:

# nano /etc/vsftpd.virtual

# Anonymous logon not allowed
anonymous_enable=NO
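What decides which configuration file a client ends up with is tcp_wrappers' matching order: /etc/hosts.allow is scanned first and its first matching line wins, /etc/hosts.deny is consulted only when nothing in hosts.allow matched, and a client matching neither file is allowed. The following added example, not part of the original article, implements that lookup for the subset of syntax used here (a daemon name, ALL, a trailing-dot network prefix such as 192.168.0., exact addresses, and a setenv option) over constructed copies of the two files, so the effect of the line order can be checked before touching the real files. decide, parse_rules and environment_from are this example's own names; hostnames, netmask patterns and the other tcp_wrappers options are not handled.

```python
# Constructed copies of the two files from the tutorial.
HOSTS_ALLOW = """\
# addresses allowed to log on to vsftpd anonymously
vsftpd: 192.168.0., 210.83.200.200: setenv VSFTPD_LOAD_CONF /etc/vsftpd.anonymous
# virtual users may connect from any address
vsftpd: ALL: setenv VSFTPD_LOAD_CONF /etc/vsftpd.virtual
"""

HOSTS_DENY = """\
vsftpd: ALL
"""


def parse_rules(text):
    """Parse 'daemons : clients [: option ...]' lines into (daemons, clients, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed line: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = fields[2:]
        rules.append((daemons, clients, options))
    return rules


def token_matches(pattern, value):
    """The tcp_wrappers patterns used here: ALL, a 'net.' prefix, or an exact match."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):               # e.g. 192.168.0. matches 192.168.0.x only
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule, daemon, client_ip):
    daemons, clients, _ = rule
    return any(token_matches(d, daemon) for d in daemons) and any(
        token_matches(c, client_ip) for c in clients
    )


def environment_from(options):
    """Collect 'setenv NAME VALUE' options into a dict (vsftpd reads VSFTPD_LOAD_CONF)."""
    env = {}
    for opt in options:
        words = opt.split()
        if len(words) == 3 and words[0] == "setenv":
            env[words[1]] = words[2]
    return env


def decide(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, env) in tcp_wrappers order: the first match in
    hosts.allow wins; otherwise a hosts.deny match refuses; otherwise the
    connection is allowed with no extra environment."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True, environment_from(rule[2])
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False, {}
    return True, {}


if __name__ == "__main__":
    for ip in ("192.168.0.10", "210.83.200.200", "203.0.113.7"):
        print(ip, decide("vsftpd", ip))
    # With the two hosts.allow lines swapped, the ALL line shadows the address list.
    swapped = "\n".join(reversed(HOSTS_ALLOW.strip().splitlines()))
    print("swapped:", decide("vsftpd", "192.168.0.10", allow_text=swapped))
```

Two things the run makes visible: a client from 203.0.113.7 is still allowed in (it gets vsftpd.virtual), so the deny-all in hosts.deny never fires for vsftpd in this design, and with the lines swapped even 192.168.0.10 gets vsftpd.virtual, which silently disables anonymous access for the intended networks.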


5) Set different access permissions for different users

A. Enable per-user configuration by adding the following line to the vsftpd configuration file:

# nano /etc/vsftpd.conf

# Directory holding the per-user configuration files
user_config_dir=/etc/vsftpd/vsftpd_user_conf

B. Ordinary user: download/upload
Edit /etc/vsftpd/vsftpd_user_conf/normal
Note: each configuration file is named after its user; the file for the anonymous user is named ftp, not anonymous. Virtual users
are treated like the anonymous user unless virtual_use_local_privs is set, so it is the anon_* options that govern them.

# mkdir -p /etc/vsftpd/vsftpd_user_conf
# nano /etc/vsftpd/vsftpd_user_conf/normal

Add the following content:

# Allow downloading (otherwise only world-readable files could be fetched)
anon_world_readable_only=NO
# Allow writing, uploading and creating directories
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

C. Administrator user: download, upload and delete files.

# cp /etc/vsftpd/vsftpd_user_conf/normal /etc/vsftpd/vsftpd_user_conf/admin

Edit the admin configuration file:

# nano /etc/vsftpd/vsftpd_user_conf/admin

Besides the permissions of an ordinary user, the administrator may also delete and rename files and change file attributes.

Add the following content:

# Allow renaming and deleting files
anon_other_write_enable=YES
# Give the virtual user the same privileges as a local user (chmod is only
# available to local users, so this must be enabled for a virtual user to chmod)
virtual_use_local_privs=YES
# Allow changing file attributes
chmod_enable=YES

D. Website administrator

# cp /etc/vsftpd/vsftpd_user_conf/admin /etc/vsftpd/vsftpd_user_conf/webmaster

Edit the webmaster configuration file:

# nano /etc/vsftpd/vsftpd_user_conf/webmaster

Add the following content:

# Point the FTP home directory at the website's directory (the default Apache directory here)
local_root=/var/www
# Everything uploaded through FTP is owned by ftpguest. With vsftpd's default
# umask other users cannot read it, so Apache (running as www-data) fails with
# "You are not authorized to access this file" for files under /var/www.
# A umask of 022 fixes this: new files become 644 and new directories 755.
# 033 is not enough, because it leaves new directories at 744 without the
# execute bit www-data needs to enter them, and 000 makes uploads world-writable.
local_umask=022

Note for readers on a newer vsftpd: with chroot_local_user=YES and local_root pointing at a directory the user can write to,
vsftpd 3.x refuses the login ("refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set;
vsftpd 2.0.3 on Sarge does not make that check.

E. Different permissions on incoming and pub for the normal and admin users
After reading the relevant settings in the vsftpd man page, it appears that vsftpd cannot set permissions per directory.
The next idea was to use the file permissions of the Linux file system, the way NTFS permissions control different users'
access to directories when setting up a site under IIS.
After trying it, however, the following matrix cannot be realised completely:

          incoming     pub
normal    read/write   read-only
admin     read/write   read/write

For example, pub can be made read-only so that normal has read-only access to it, but then admin is read-only on pub as well :(
The reason is that both virtual users run as the same local account, ftpguest, so the file system cannot tell them apart.
Since admin does have permission to change directory attributes, the workaround is for admin to switch pub to read/write
temporarily when it needs to manage that directory over FTP, and back to read-only afterwards.
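The matrix cannot be expressed by file permissions as long as both virtual users are mapped to the same local account: guest_username=ftpguest makes normal and admin identical to the kernel (same uid, same groups), so whatever mode pub has applies to both. It becomes expressible as soon as admin runs under a different local uid, for instance by mapping it to its own local account (vsftpd's guest_username placed in the admin per-user configuration file is the usual way; treat that as an assumption to verify on your vsftpd version) and then using ordinary owner/group bits. The following added example, not part of the original article, is a small POSIX directory-permission evaluator over the page's two directories: it searches every mode for one that satisfies the matrix under the one-account mapping (none exists) and under a two-account mapping, where ftpadmin is a hypothetical second local account. Account, DirSpec, satisfying_modes and realisable are this example's own names.

```python
from collections import namedtuple
import itertools

# A local Unix account a virtual user is mapped to: uid name and group names.
Account = namedtuple("Account", "uid groups")
# A directory as the kernel sees it: owner, group, mode bits.
DirSpec = namedtuple("DirSpec", "owner group mode")

# What each virtual user may do: "r" = list/read only, "rw" = also upload/delete.
MATRIX = {
    "incoming": {"normal": "rw", "admin": "rw"},
    "pub":      {"normal": "r",  "admin": "rw"},
}

# The tutorial's mapping: guest_username=ftpguest for every virtual user.
ONE_ACCOUNT = {
    "normal": Account("ftpguest", frozenset({"nogroup"})),
    "admin":  Account("ftpguest", frozenset({"nogroup"})),
}

# Hypothetical alternative: admin mapped to its own local account ftpadmin.
TWO_ACCOUNTS = {
    "normal": Account("ftpguest", frozenset({"nogroup"})),
    "admin":  Account("ftpadmin", frozenset({"ftpadmin"})),
}


def class_bits(account, d):
    """Owner bits if the uid matches, else group bits if a member, else other
    bits: POSIX picks exactly one class, in that order."""
    if account.uid == d.owner:
        return (d.mode >> 6) & 0o7
    if d.group in account.groups:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def can_read(account, d):
    """Listing a directory and fetching files from it needs r and x on it."""
    return class_bits(account, d) & 0o5 == 0o5


def can_write(account, d):
    """Creating, renaming or deleting entries needs w and x on the directory."""
    return class_bits(account, d) & 0o3 == 0o3


def meets(account, d, wanted):
    """True when the account gets exactly the wanted access: 'r' means read
    but not write, 'rw' means both."""
    return can_read(account, d) and can_write(account, d) == (wanted == "rw")


def satisfying_modes(mapping, owner, group, wants):
    """All modes 0..0o777 of a directory owner:group that give every virtual
    user in `wants` exactly its required access under this mapping."""
    return [
        mode
        for mode in range(0o1000)
        if all(meets(mapping[u], DirSpec(owner, group, mode), w) for u, w in wants.items())
    ]


def realisable(mapping, candidates):
    """For each directory in MATRIX, whether some (owner, group) in
    `candidates` has a mode that satisfies the matrix under this mapping."""
    return {
        dname: any(satisfying_modes(mapping, owner, group, wants) for owner, group in candidates)
        for dname, wants in MATRIX.items()
    }


if __name__ == "__main__":
    candidates = list(itertools.product(["ftpguest", "ftpadmin"], ["nogroup", "ftpadmin"]))
    print("one local account: ", realisable(ONE_ACCOUNT, candidates))
    print("two local accounts:", realisable(TWO_ACCOUNTS, candidates))
    pub_modes = satisfying_modes(TWO_ACCOUNTS, "ftpadmin", "ftpadmin", MATRIX["pub"])
    print("pub as ftpadmin:ftpadmin, e.g.", [oct(m) for m in pub_modes[:4]])
```

Under the two-account mapping, pub owned by ftpadmin:ftpadmin with mode 755 and incoming owned by ftpguest:ftpadmin with mode 775 give exactly the matrix, without anyone having to toggle directory attributes by hand. The kernel's permission check applies to virtual users whether or not virtual_use_local_privs is set; the anon_* options in the per-user files only add restrictions on top of it.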


IV. Summary

1. vsftpd's goal is a simple and secure FTP daemon, and its feature set is correspondingly a little thin, especially for per-directory permissions.
If you have complex requirements for directory permissions, consider ProFTPD.

2. During testing, besides an FTP client, it is best to have a sniffer as an aid, because the FTP client does not always show
the full FTPD response, and that information is often very helpful when troubleshooting the FTPD. With a sniffer, none of the
client-server exchange is missed. It also shows, incidentally, that plain FTP carries user names and passwords in clear text on the
wire, so the virtual user credentials should be treated accordingly.