Deploying vsftpd on CentOS 6.5
1. Lab requirements:
1) Install the vsftpd service from the RPM package
2) Enable anonymous user access and verify that anonymous users can only browse and download, not upload
3) Give anonymous users full permissions: upload, download, modify and so on (such a requirement is unlikely in a real environment)
4) Confine logged-in local users to their home directories
5) Deny access to specific users
6) Enable virtual user access
7) Give different virtual users different permissions
2. Lab environment:
Linux server: Red Hat Enterprise Linux 6.5, IP 192.168.20.3
Windows client: Windows 7 Ultimate x64, IP 192.168.20.2
vsftpd software version: vsftpd-2.2.2
3. Tutorial steps:
Basic installation
A. Mount the system disc and install vsftpd
We install vsftpd from the rpm package, which is located in the Packages directory of the system disc. First mount the disc on /mnt:
[root@localhost ~]# mount /dev/sr0 /mnt
Then find the vsftpd package in the Packages directory and install it:
[root@localhost ~]# rpm -ivh /mnt/Packages/vsftpd-2.2.2-11.el6_4.1.x86_64.rpm
B. View the vsftpd configuration file
[root@localhost ~]# grep -v "#" /etc/vsftpd/vsftpd.conf    # filter out the commented lines
anonymous_enable=YES    # anonymous user access is enabled
local_enable=YES        # local account access is enabled
write_enable=YES        # write operations are enabled
local_umask=022         # files uploaded by local users get mode 644, directories 755
--------------------- The following options are service defaults; this experiment does not need to change them ----------------------
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Anonymous user access: verify that anonymous users can only browse and download, not upload
With the default vsftpd configuration, once vsftpd is running it already accepts anonymous users and local users without further changes.
A. Effect verification:
[root@localhost ~]# service vsftpd start    # start the service
Starting vsftpd for vsftpd: [  OK  ]
For this lab, the firewall and SELinux are disabled before testing.
[root@localhost ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
[root@localhost ~]# setenforce 0
On the client, open ftp://192.168.20.3 in a Windows Explorer window.
Now test the upload and download permissions of anonymous users.
Note: we log on with the anonymous account ftp (no password) and check that the current working directory is /. This / is not the root directory of the server but the home directory of the anonymous user; ls shows a pub folder in it.
That home directory is /var/ftp on the server:
Verify that anonymous users can download files. First create a file to download in the ftp directory:
[root@localhost ~]# cd /var/ftp    # switch to the ftp directory
[root@localhost ftp]# echo "this is test ftp" > test.txt    # create test.txt with the content "this is test ftp"
Return to the cmd console on the client.
C:\Users\Administrator> f:    # switch to drive F; downloaded files will land on drive F
Log on with the anonymous account ftp and download test.txt; open the drive and the downloaded file is there.
Now verify whether the anonymous user can upload files. Rename test.txt on the client to tes.txt for the upload test (to avoid a duplicate name).
The upload is rejected, so anonymous users can only download files and cannot upload them.
Can a local system account upload?
[root@localhost ftp]# useradd tom    # create the tom account
[root@localhost ftp]# passwd tom     # set tom's password
Go back to the client's console, log on as tom and upload tes.txt. The upload succeeds.
[root@localhost ftp]# ls -l /home/tom    # the uploaded file has mode 644 (because local_umask=022 in the configuration file)
NOTE: if SELinux is not disabled, you cannot log on with a local account. The following error is reported:
Allow anonymous users to upload, download, modify, and perform other operations
To allow anonymous users to create directories, add this line to the configuration file:
anon_mkdir_write_enable=YES
Note: when we do not know which options to add or modify, we can consult the man page:
[root@localhost vsftpd]# man vsftpd.conf
Search the manual for anon-related options. There is an "other write" option, anon_other_write_enable, whose default is NO; if set to YES, anonymous users can perform further write operations such as delete and rename (upload and directory creation are controlled by anon_upload_enable and anon_mkdir_write_enable).
Insert a line in vsftpd.conf: anon_other_write_enable=YES
After the change, the anonymous user has the highest permissions (read/write, delete, and rename).
A. Modified script
B. Effect verification
[root@localhost vsftpd]# service vsftpd reload    # reload the configuration
Shutting down vsftpd: [  OK  ]
Starting vsftpd for vsftpd: [  OK  ]
Return to the client's cmd console, log on with the anonymous ftp account, and try to delete the file. A message says the deletion failed.
Back on the server, check the ftp directory: anonymous users have no write permission on it, so they cannot delete the file.
[root@localhost vsftpd]# chmod 777 /var/ftp    # give the ftp directory full permissions
Return to the client and log on via ftp. Now the login itself fails: because /var/ftp has been made world-writable, anonymous users could do anything to the directory, and vsftpd refuses to run with a writable anonymous root for security.
So what should we do if we want anonymous users to have the maximum permissions? Operate on a subdirectory of the ftp directory instead.
[root@localhost vsftpd]# chmod 755 /var/ftp    # restore the default 755 on the ftp directory
[root@localhost vsftpd]# cd /var/ftp
[root@localhost ftp]# mkdir anon           # create an anon directory under the ftp directory
[root@localhost ftp]# chmod 777 anon       # give the directory full permissions
[root@localhost ftp]# cp test.txt anon     # copy the test file into anon for the deletion test
[root@localhost ftp]# cd anon
[root@localhost anon]# ls -l               # the test file is 644, not writable, so it cannot be deleted yet
[root@localhost anon]# chmod 666 test.txt  # make the file writable
Now test.txt can be deleted by anonymous users.
Go back to the client's console, switch to the anon directory with the ftp account and delete test.txt. Anonymous users can now perform the other write operations too; we do not test them one by one here.
Confine logged-in local users to their home directories
Now log on with the local account tom. The default working directory is tom's home directory, but we can switch to any directory on the server:
This is very insecure, so we want the user to see only his home directory after logging in and not be able to change to other directories at will. Add this line to the configuration file: chroot_local_user=YES
A. Modified script
B. Effect verification
[root@localhost anon]# service vsftpd reload    # reload the configuration
Shutting down vsftpd: [  OK  ]
Starting vsftpd for vsftpd: [  OK  ]
Return to the client's cmd console, log on as tom and change to /: the root is now his own home directory, not the server's root directory, so he has been confined to his home directory.
Restrict access by some users
Looking at the contents of the vsftpd directory, we find a user_list file.
Looking at the user_list file, the users listed in it are refused login. So to block an account we only need to write it into this file. Here we test blocking tom.
A. Modified script
B. Effect verification
Go back to the client's cmd console and log on as tom. Login fails.
Note: tom fails to log on because we wrote tom into the user_list file and because userlist_enable=YES is set in the configuration file. With the default userlist_deny=YES the listed users are denied; if userlist_deny=NO is configured instead, only the users in user_list are allowed to log in.
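The anonymous write options from the previous sections and the user_list rules just described can be checked without logging in. The script below is an added example written for this tutorial, not part of vsftpd or of the original lab: it reads a vsftpd.conf, reports which anonymous write options are active, and decides whether a user passes the user_list check, using vsftpd's compiled-in defaults for absent keys.

```shell
#!/bin/sh
# Hypothetical audit helper for the options this tutorial uses (not vsftpd's
# own tooling). Keys absent from the file fall back to vsftpd's defaults:
# anonymous_enable=YES, write_enable=NO, anon_*_enable=NO,
# userlist_enable=NO, userlist_deny=YES.

# vsftpd_get FILE KEY DEFAULT: last value of KEY in FILE (trailing
# "# ..." annotations stripped), or DEFAULT when the key is absent.
vsftpd_get() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# vsftpd_anon_write FILE: prints the anonymous write options that are on,
# or "none". Anonymous writes need anonymous_enable=YES, write_enable=YES
# and at least one of the three anon_*_enable options.
vsftpd_anon_write() {
    [ "$(vsftpd_get "$1" anonymous_enable YES)" = YES ] || { echo none; return; }
    [ "$(vsftpd_get "$1" write_enable NO)" = YES ] || { echo none; return; }
    out=""
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(vsftpd_get "$1" "$k" NO)" = YES ]; then out="${out:+$out }$k"; fi
    done
    echo "${out:-none}"
}

# vsftpd_user_allowed FILE USERLIST USER: exit 0 if USER passes the
# user_list check. userlist_deny=YES (default): listed users are refused;
# userlist_deny=NO: only listed users may log in.
vsftpd_user_allowed() {
    [ "$(vsftpd_get "$1" userlist_enable NO)" = YES ] || return 0
    if grep -qx "$3" "$2"; then listed=0; else listed=1; fi
    if [ "$(vsftpd_get "$1" userlist_deny YES)" = YES ]; then
        [ "$listed" -ne 0 ]
    else
        [ "$listed" -eq 0 ]
    fi
}

# Usage: sh vsftpd_check.sh /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list tom
if [ "$#" -eq 3 ]; then
    echo "anonymous write options: $(vsftpd_anon_write "$1")"
    if vsftpd_user_allowed "$1" "$2" "$3"; then
        echo "$3: allowed by user_list rules"
    else
        echo "$3: denied by user_list rules"
    fi
fi
```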
Enable virtual user access
If we only want to create a new vsftpd account and do not want it to be a system account, we can use the virtual user function.
[root@localhost vsftpd]# vim vuser    # create a file named vuser
In this file we create two users, lisa and jack (for each user, one line with the user name followed by one line with the password).
[root@localhost vsftpd]# db_load -T -t hash -f vuser vuser.db    # convert vuser to a database file: -T reads plain text input, -t hash selects the hash database type, -f vuser is the input file, vuser.db is the output file
[root@localhost vsftpd]# file vuser.db    # check the file type: vuser has been converted to a hash database file that vsftpd can read
[root@localhost vsftpd]# chmod 600 vuser    # so other users cannot read the passwords, set the permission to 600
[root@localhost vsftpd]# chmod 600 vuser.db
After creating the virtual users, map them to a system account.
[root@localhost vsftpd]# useradd -d /opt/vuser -s /sbin/nologin vuser    # create the mapping account vuser for the virtual users, with home directory /opt/vuser and no system login
[root@localhost vsftpd]# vim /etc/pam.d/vsftpd.vu    # name the virtual users' PAM service file vsftpd.vu
Add the following two lines to the PAM file:
auth    required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
# The path is given without the .db suffix; pam_userdb appends it itself, and writing vuser.db here causes an error.
Insert the following three lines in vsftpd.conf:
guest_enable=YES              # enable virtual user access
guest_username=vuser          # map virtual users to the system account vuser
pam_service_name=vsftpd.vu    # specify the PAM service
Note: vsftpd.conf already has the default pam_service_name=vsftpd line, which must be commented out.
A. Modified script
B. Effect verification
[root@localhost vsftpd]# service vsftpd restart    # restart the service
Shutting down vsftpd: [  OK  ]
Starting vsftpd for vsftpd: [  OK  ]
Return to the client's cmd console, log on as lisa, and upload a file. The upload succeeds.
[root@localhost vsftpd]# ls -l /opt/vuser    # the owner of the uploaded file is vuser, which shows that lisa is mapped to the system account vuser
Rename tes.txt to te.txt, log on as jack, and upload te.txt.
Check that the owner of the file uploaded by jack is also vuser.
NOTE: if the virtual users can log on but uploads are denied, enable this line in vsftpd.conf: anon_upload_enable=YES
Different virtual users with different permissions
In the above experiment lisa and jack have the same permissions. Now we want files uploaded by lisa to get mode 600 and files uploaded by jack to get mode 644, so we enable the per-user configuration file function.
Open vsftpd.conf and add the following line, which tells vsftpd to look for each user's own configuration file in the vu_dir directory:
user_config_dir=/etc/vsftpd/vu_dir
[root@localhost vsftpd]# mkdir vu_dir    # create the vu_dir directory in the vsftpd directory
[root@localhost vsftpd]# cd vu_dir
[root@localhost vu_dir]# vi jack    # create a separate configuration file for jack in vu_dir (save and exit without writing anything)
The man page entry for anon_umask (the umask applied to anonymous uploads, which includes virtual users) shows that the default is 077, so files uploaded by lisa and jack currently get mode 600.
To make jack's uploads 644, set this value to 022.
So add one line to jack's file: anon_umask=022.
A. Modified script
B. Effect verification
[root@localhost vu_dir]# service vsftpd restart    # restart the service
Shutting down vsftpd: [  OK  ]
Starting vsftpd for vsftpd: [  OK  ]
Go back to the client's console, connect as jack and upload t.txt.
On the server the uploaded file has mode 644. The experiment succeeded.
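To see why lisa's uploads stay 600 while jack's become 644, the script below resolves the anon_umask a virtual user ends up with (per-user file under user_config_dir overrides vsftpd.conf, which overrides the built-in default 077) and turns it into the resulting file mode. It is an added example written for this tutorial, not code from vsftpd or from the original lab; the script and function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (added example, not vsftpd's own): resolve the
# effective anon_umask for a virtual user and the mode its uploads get.
# vsftpd's compiled-in default anon_umask is 077.

# conf_value FILE KEY DEFAULT: last value of KEY in FILE, or DEFAULT.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# effective_anon_umask MAIN_CONF USER: a file named after USER inside
# user_config_dir beats the main file, which beats the built-in default.
effective_anon_umask() {
    base=$(conf_value "$1" anon_umask 077)
    dir=$(conf_value "$1" user_config_dir "")
    if [ -n "$dir" ] && [ -f "$dir/$2" ]; then
        conf_value "$dir/$2" anon_umask "$base"
    else
        printf '%s\n' "$base"
    fi
}

# upload_mode UMASK: octal mode of a newly created file, 0666 & ~UMASK
# (077 -> 600, 022 -> 644).
upload_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# set_user_umask CONF_DIR USER UMASK: write the per-user file the tutorial
# creates by hand, e.g. vu_dir/jack containing anon_umask=022.
set_user_umask() {
    mkdir -p "$1" && printf 'anon_umask=%s\n' "$3" > "$1/$2"
}

# Usage: sh anon_umask.sh /etc/vsftpd/vsftpd.conf jack
if [ "$#" -eq 2 ]; then
    u=$(effective_anon_umask "$1" "$2")
    echo "$2: anon_umask=$u, uploaded files get mode $(upload_mode "$u")"
fi
```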
4. Experiment summary:
1) vsftpd is the most popular FTP server program in Linux distributions. Features: small, light, secure, and easy to use.
2) Virtual users in vsftpd are a very practical feature for giving different users different access. Pay attention to the permission settings in the configuration file: by default, virtual users are treated as anonymous users.