File Sharing Services in CentOS: ftp, nfs, and samba Security Settings
FTP (File Transfer Protocol) is an application-layer protocol. It works across platforms, but it cannot provide other functions such as mounting a file system. NFS (Network File System) works in kernel mode, so it is not cross-platform: it is generally used only between Linux or Unix hosts, but it does support mounting. SMB (Server Message Block) enables file sharing between Windows and Linux hosts and is cross-platform; on Linux it is implemented through the CIFS (Common Internet File System) protocol.
I. FTP protocol
1. FTP principles
FTP is a C/S (client/server) architecture based on socket communication and used to transfer files between two machines. The FTP protocol uses two kinds of TCP connections: the command connection, which carries commands between the client and the server and listens on tcp/21, and the data connection, which carries the file data and uses a random port.
2. FTP passive mode and Active Mode
The principle of active mode is as follows:
In active mode the client usually sits behind a firewall. When the server opens the data connection back to the client, the client's firewall blocks the server's incoming connection and the data transfer fails. Passive mode was created to solve this.
The diagram of the passive mode is as follows:
Passive mode also has a firewall problem: when the client connects to the server's random data port, there is a firewall on the server side as well. However, the server firewall can use connection tracking (it has already seen the command connection, so it can allow the related data connection), which solves the problem. Therefore passive mode is usually used.
3. FTP User Authentication
FTP supports system user authentication, anonymous user authentication, and virtual user authentication.
Anonymous user: the login user name is anonymous and no password is required.
System user: a local user on the FTP server with the corresponding password. By default the user's home directory is accessed.
Virtual user: used only to access specific resources on the server. Common virtual user authentication methods are file-based and database-based. In the end a virtual user is mapped to a system user, and the default directory accessed is that system user's home directory.
4. Common status information codes
1xx: informational
2xx: the command completed successfully
3xx: additional information is needed; for example, after you enter the user name, this code prompts you to enter the password
4xx: client error
5xx: server error
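An added example, not from the original article, in Python: it classifies command-channel reply lines by their first digit, as in the table above, and decodes a 227 passive-mode reply into the host and the data port (p1*256 + p2) that the client must be able to reach through the server-side firewall. The session lines are constructed.

```python
from __future__ import annotations
import re

# Reply classes by first digit, as listed above (1xx .. 5xx).
REPLY_CLASSES = {
    "1": "informational",
    "2": "success",
    "3": "more input needed",
    "4": "client error",
    "5": "server error",
}

# Body of a 227 reply: "Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def classify_reply(line: str) -> tuple[int, str]:
    """Return (code, class) for one reply line such as '331 Please specify the password.'"""
    if len(line) < 3 or not line[:3].isdigit() or line[0] not in REPLY_CLASSES:
        raise ValueError(f"not an FTP reply line: {line!r}")
    return int(line[:3]), REPLY_CLASSES[line[0]]


def parse_pasv(line: str) -> tuple[str, int]:
    """Decode a 227 reply into (host, port).

    The data port is p1*256 + p2: this is the 'random' server-side port the
    client connects to in passive mode, which the server firewall must track
    (connection tracking) or allow explicitly.
    """
    code, _ = classify_reply(line)
    if code != 227:
        raise ValueError(f"expected a 227 reply, got {code}")
    m = _PASV_RE.search(line)
    if m is None:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 in PASV reply")
    return f"{h1}.{h2}.{h3}.{h4}", port


# Constructed sample of a command-channel exchange (not captured from a real server).
SAMPLE_SESSION = [
    "220 Welcome to the sample FTP service.",
    "331 Please specify the password.",
    "230 Login successful.",
    "227 Entering Passive Mode (192,168,1,99,195,80).",
    "550 Failed to open file.",
]

if __name__ == "__main__":
    for reply in SAMPLE_SESSION:
        print(*classify_reply(reply))
    print(parse_pasv(SAMPLE_SESSION[3]))   # ('192.168.1.99', 50000)
```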
5. Common FTP tools
Server:
Linux: wu-ftpd, pureftp, and vsftpd (the default on CentOS 6)
Windows: ServU, FileZilla-Server
Client tool:
Linux: ftp, lftp, lftpget, wget, curl, gftp, etc.
Windows: FileZilla
6. vsftpd
vsftpd (Very Secure FTP daemon) is the default FTP server on CentOS and is known for its security.
User authentication configuration file: /etc/pam.d/vsftpd
Service script: /etc/rc.d/init.d/vsftpd
Configuration file directory: /etc/vsftpd
Main configuration file: vsftpd.conf
Anonymous users (mapped to the ftp user) share resources from: /var/ftp
Location of resources accessed by system users through ftp: the user's home directory
Location of resources accessed by a virtual user through ftp: the home directory of the system user that the virtual user is mapped to
7. Common vsftpd parameter settings
Configuration of anonymous users:
anonymous_enable=YES # allow anonymous users to log in
anon_upload_enable=YES # allow anonymous users to upload files
anon_mkdir_write_enable=YES # allow anonymous users to create directories
anon_other_write_enable=YES # allow other write operations (deleting directories and files)
System user configuration:
local_enable=YES # allow local users to log in
write_enable=YES # allow local users to write
local_umask=022 # umask applied to files created by local users
Confine all local ftp users to their home directories:
chroot_local_user=YES # local users can access only their own home directory, not other directories; this applies to all users
Confine only the local ftp users listed in a file to their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Directory messages:
dirmessage_enable=YES # enable directory messages
Create a .message file in the corresponding directory; its content is displayed when that directory is entered.
Logs:
xferlog_enable=YES # enable the transfer log
xferlog_std_format=YES # whether to use the standard log format
xferlog_file=/var/log/xferlog # log file path
Change the owner of uploaded files:
chown_uploads=YES
chown_username=whoever # files are changed to this owner immediately after upload
vsftpd uses PAM for user authentication. The PAM configuration file it uses is set by:
pam_service_name=vsftpd # the user authentication file, under the /etc/pam.d/ directory
Whether to enable the list file that controls user login:
userlist_enable=YES
userlist_deny=YES|NO # YES means userlist_file is a blacklist; NO means userlist_file is a whitelist
userlist_file=/etc/vsftpd/user_list # the default is /etc/vsftpd/user_list
Connection limits:
max_clients: maximum number of concurrent connections
max_per_ip: maximum number of concurrent connections from one IP address
Transfer rate:
anon_max_rate: maximum transfer rate for anonymous users, in bytes per second
local_max_rate: maximum transfer rate for local users, in bytes per second
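An added example, not from the original article, in Python: it parses a vsftpd.conf body into effective settings (applying built-in defaults for absent keys) and reports risky combinations of the options listed above, such as anonymous write access, local users without chroot, no user list and no transfer log. The default values are an assumption taken from the vsftpd.conf man page, and the two sample configurations are constructed.

```python
from __future__ import annotations

# vsftpd's built-in defaults, applied when a key is absent (assumption taken
# from the vsftpd.conf man page; verify for the version you run).
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
    "local_enable": "NO", "write_enable": "NO", "chroot_local_user": "NO",
    "userlist_enable": "NO", "xferlog_enable": "NO",
}

def parse_vsftpd_conf(text: str) -> tuple[dict[str, str], list[str]]:
    """Return (effective settings, warnings); '#' starts a comment line.
    vsftpd does not trim whitespace around '=', so 'key = value' is rejected
    by the daemon; such lines are reported as warnings.
    """
    conf, warnings = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key != key.rstrip() or value != value.lstrip():
            warnings.append(f"line {n}: whitespace around '=' in {line!r}")
        conf[key.strip()] = value.strip()
    return conf, warnings

def audit_vsftpd(text: str) -> list[str]:
    """Finding ids for risky combinations of the options discussed above."""
    conf, _ = parse_vsftpd_conf(text)

    def yes(key: str) -> bool:
        return conf[key].upper() == "YES"

    findings = []
    if yes("anonymous_enable") and any(yes(k) for k in (
            "anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")):
        findings.append("anonymous-write")   # unauthenticated users can change /var/ftp
    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("local-no-chroot")   # system users can browse outside $HOME
    if yes("local_enable") and not yes("userlist_enable"):
        findings.append("no-userlist")       # no explicit allow/deny list for logins
    if not yes("xferlog_enable"):
        findings.append("no-xferlog")        # no transfer audit trail
    return findings

# Constructed samples: the permissive settings listed above next to a tightened version.
WEAK_CONF = "anonymous_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
HARDENED_CONF = (
    "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nlocal_umask=022\n"
    "chroot_local_user=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
    "userlist_file=/etc/vsftpd/user_list\nxferlog_enable=YES\nxferlog_file=/var/log/xferlog\n"
)
```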
8. Virtual users (implemented with mysql)
(1) Programs required for installation
Install mysql and pam_mysql:
# yum -y install vsftpd mysql-server mysql-devel pam_mysql
Note: pam_mysql is provided by the epel repository.
(2) Create virtual user accounts
1. Prepare the database and related tables. First make sure the mysql service has started properly. Then create a database to store the virtual users as needed; here a database named vsftpd is created.
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@'%' identified by 'vsftpd';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL,
    -> primary key (id)
    -> );
2. Add the virtual users needed for testing. Note that the password must be stored encrypted to keep it secure.
mysql> insert into users (name,password) values ('tom', password('tom'));
mysql> insert into users (name,password) values ('jerry', password('tom'));
(3) Configure vsftpd
1. Create the file required for PAM authentication:
# vi /etc/pam.d/vsftpd.mysql
Add the following lines:
auth required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
Note: because mysql can be installed in different ways, pam_mysql.so may have problems connecting to the mysql server over the unix socket. It is recommended to authorize a user that can connect to mysql remotely and access the vsftpd database.
2. Modify the vsftpd configuration file so that it uses mysql authentication. Create the system user that the virtual users are mapped to, together with its directory:
# useradd -s /sbin/nologin -d /var/ftproot vuser
# chmod go+rx /var/ftproot
Make sure the following options are enabled in /etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
local_enable=YES
write_enable=YES
Then add the following options:
guest_enable=YES
guest_username=vuser
and make sure the pam_service_name option has the following value:
pam_service_name=vsftpd.mysql
(4) Start the vsftpd service
# service vsftpd start
# chkconfig vsftpd on
(5) Configure virtual users with different access permissions
vsftpd can provide a separate configuration file for each user in a configuration file directory, which defines that user's access permissions to the ftp service. The configuration file of each virtual user has the same name as the virtual user. The configuration file directory can be any unused directory; you only need to specify its path in vsftpd.conf.
1. Configure the directory that vsftpd uses for the virtual users' configuration files. In vsftpd.conf, add the following option:
user_config_dir=/etc/vsftpd/vusers_config
2. Create the required directory and provide a configuration file for each virtual user:
# mkdir /etc/vsftpd/vusers_config/
# cd /etc/vsftpd/vusers_config/
# touch tom jerry
3. Configure each virtual user's access permissions to the vsftpd service. The permissions are granted with the anonymous-user options. For example, to give the user tom permission to upload files, edit /etc/vsftpd/vusers_config/tom and add the following options:
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
II. NFS protocol
1. Several NFS concepts
RPC (Remote Procedure Call):
Simply put, part of a function call is completed by the local program and the rest by functions on the remote host. When the NFS server's file system is mounted on the client, the client performs operations on it; but how does the server learn about these operations, given that the protocol is implemented at the kernel level? RPC solves this problem: it sends the function calls for the client's operations to the server, and the server executes them.
idmapd:
Consider this situation: after mounting the file system, a user on the NFS client creates a file locally. Which user and group own that file on the server? In the early days, Network Information Service (NIS) was used to solve this, but accounts and passwords were transmitted in plaintext; now LDAP + clbbler is used for this. NFS itself uses the idmapd service, provided through rpc, which maps all users to nfsnobody. However, during access, the local user corresponding to the local UID is still used.
mountd:
How does NFS control which clients may access it? NFS only supports client control by IP address, which is implemented by the mountd daemon. Its listening port is semi-random: the port is assigned by the rpc service, and rpc itself uses a random port. Its role is like that of a security guard at a residential gate.
2. NFS request process
In CentOS 6.5, the NFS server listens on port 2049 (tcp and udp); the service name is nfs. The rpc service listens on port 111 (tcp and udp); its service name is portmapper.
Request process: when the client tries to mount a file system shared by NFS, it first contacts the portmapper (tcp/111) port. The portmapper has randomly allocated a port to mountd, and the mountd daemon verifies the validity of the client. After verification passes, the request is sent to the nfs service, and the client can mount and use the share. When a file is created, the idmapd daemon maps the owner. idmapd is also provided by the rpc service, but when the nfs service needs the user mapping function it calls this daemon automatically.
3. service configuration
On the server side, you only need to install nfs-utils. The nfs service itself is a kernel module:
# lsmod | grep nfs
The output lists nfsd together with the modules it uses (exportfs, lockd, nfs_acl, auth_rpcgss).
The directories shared by the server are declared in the /etc/exports file, one per line, in this format:
shared_directory client1(option1,option2) client2(option1,option2) ...
Example:
/mydata 172.16.0.0/16(ro,async,no_root_squash) www.example.com(ro)
######## Client representation ########
Host IP address: for example, 192.168.1.10
Network address: for example, 172.16.0.0/24
Domain name: for example, www.example.com (a specific host) or *.example.com (all hosts under that domain)
*: all hosts
######## Common options ########
Several common options customize the NFS export. They include:
secure: the default; requires the NFS client to connect from a TCP/IP port below 1024. It can be turned off with insecure.
rw: allows the NFS client read/write access. The default is read-only.
async: asynchronous storage (client write operations are first cached in memory and written to disk when the CPU is idle). This improves performance, but if the NFS server is restarted without the NFS daemon being shut down cleanly, data may be lost. In contrast, sync writes data to disk synchronously.
no_wdelay: disables write delay. If async is set, NFS ignores this option.
nohide: if one directory is mounted on top of another, the original directory is normally hidden or looks empty. To disable this behaviour, enable the nohide option.
no_subtree_check: disables subtree checking. Subtree checking performs some security checks that you may not want to skip; the default is to enable it.
no_auth_nlm: can also be written insecure_locks; tells the NFS daemon not to authenticate lock requests. Avoid this option if you are concerned about security. The default is auth_nlm (secure_locks).
mp (mountpoint=path): by declaring this option explicitly, NFS requires that the exported directory be mounted.
fsid=num: usually used for NFS failover. If you want to implement NFS failover, refer to the NFS documentation.
######## User mapping options ########
root_squash: does not allow the root user to access mounted NFS volumes as root.
no_root_squash: allows the root user to access mounted NFS volumes as root.
all_squash: very useful for publicly accessed NFS volumes. It squashes all UIDs and GIDs to the anonymous user. The default is no_all_squash.
anonuid and anongid: change the anonymous UID and GID to a specific user and group account.
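An added example, not part of the original article, in Python: it parses /etc/exports lines in the format shown above and flags the risky options just described (exports to all hosts, no_root_squash, insecure, rw to a wildcard). It also models one exportfs quirk: a space between the client and the parenthesised options makes those options apply to every host. The defaults applied to unwritten options are an assumption taken from the exports man page, and the sample file is constructed.

```python
from __future__ import annotations
import re

# One client token: optional client spec, then an optional "(opt1,opt2)" suffix.
_TOKEN_RE = re.compile(r"^(?P<client>[^(]*)(?:\((?P<opts>[^)]*)\))?$")

# Defaults exportfs assumes when the option is not written, keyed by the option
# that overrides each one (assumption taken from the exports man page).
_DEFAULT_UNLESS = {"secure": "insecure", "ro": "rw", "root_squash": "no_root_squash"}


def parse_exports(text: str) -> list[tuple[str, str, set[str]]]:
    """Return (path, client, effective options) for every client token.

    A token with no client part, e.g. "(rw)" produced by writing a space before
    the parenthesis, applies to every host and is recorded with client "*".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = _TOKEN_RE.match(tok)
            if m is None:
                raise ValueError(f"unparseable client token {tok!r} for {path}")
            client = m.group("client") or "*"
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            for default, override in _DEFAULT_UNLESS.items():
                if override not in opts:
                    opts.add(default)
            entries.append((path, client, opts))
    return entries


def audit_exports(text: str) -> list[tuple[str, str, str]]:
    """(path, client, finding) for the risky options discussed above."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "world-export"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no-root-squash"))  # client root is root on the export
        if "insecure" in opts:
            findings.append((path, client, "insecure-ports"))  # unprivileged source ports accepted
        if "rw" in opts and client.startswith("*"):
            findings.append((path, client, "rw-wildcard"))
    return findings


# Constructed /etc/exports: the article's example line plus two common mistakes.
SAMPLE_EXPORTS = """\
/mydata 172.16.0.0/16(ro,async,no_root_squash) www.example.com(ro)
/srv/pub *(rw,insecure)
/home 192.168.1.10 (rw,no_root_squash)   # the space exports rw to everyone, not just this host
"""
```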
4. Common commands
showmount is used to view NFS services.
Usage: showmount [-adehv] [--all] [--directories] [--exports] [--help] [--version] [host]
Short or long options may be used.
-a: generally used on the NFS server; shows the client machines that have mounted local NFS directories.
-e: shows the exported directories on the specified NFS server.
exportfs: controls the export of shared directories after the NFS service has started.
Usage: exportfs [-aruv]
-a: export or unexport everything in /etc/exports
-r: re-export the directories shared in /etc/exports
-u: unexport directories
-v: print detailed information when exporting
Example:
# exportfs -au unexport all shared directories
# exportfs -rv re-export all directories and print details
5. Use of the Client
First, use showmount -e SERVER_NAME to find the directories shared by the server.
Then mount with the mount command. Format:
mount -t nfs SERVER_NAME:/path/to/data /path/to/mountpoint [-o option]
mount -t nfs 192.168.1.99:/mydata /mnt -o rsize=4096
rsize is the number of bytes read from the server per request, and wsize the number of bytes written to the server per request. The default is 1024. A relatively high value such as 8192 can improve transfer speed.
III. Samba service (basic introduction)
1. Protocol
SMB: Server Message Block
CIFS: Common Internet File System, a protocol for sharing between Windows hosts. Samba implements this protocol, so it can provide file sharing between Windows and Linux.
The listening ports include:
tcp/137, udp/137, tcp/139, udp/139
137: implements the NetBIOS protocol to resolve host names between Windows hosts, so the Linux host name appears in Windows Network Neighborhood.
139: implements the CIFS protocol.
2. How to access it?
On Linux:
Interactive access:
smbclient -L HOST -U USERNAME
After obtaining the share information:
smbclient //SERVER/shared_name -U USERNAME
Mount-based access:
mount -t cifs //SERVER/shared_name /mount_point -o username=USERNAME,password=PASSWORD
3. How to configure the samba server (Linux)
# yum -y install samba
Service script:
/etc/rc.d/init.d/nmb # implements the NetBIOS protocol
/etc/rc.d/init.d/smb # implements the CIFS protocol
Main configuration file:
/etc/samba/smb.conf
Samba User:
Account: all samba users are system users (/etc/passwd)
Password: stored in the samba service's own password file
Command for adding a system user as a samba user: smbpasswd
smbpasswd:
-a SYS_USER: add the system user as a samba user
-d: disable a user
-e: enable a user
-x: delete a user
Configuration file:
The /etc/samba/smb.conf configuration file contains global settings, specific share settings, private home directories, printer sharing, and custom shares.
Global Configuration:
workgroup = MYGROUP # workgroup
hosts allow = 127. 192.168.12. 192.168.13. # access control by IP address
interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 # control by interface and IP address
Custom sharing:
[shared_name] # share name
path = /path/to/share_directory # share path
comment = CommentString # comment text
guest ok = {yes|no} | public = {yes|no} # whether the guest account is enabled
writable = {yes|no} | read only = {yes|no} # whether the shared directory can be written to
write list = +GROUP_NAME # list of users allowed to write; + indicates a group
Test the configuration file for syntax errors and display the effective configuration:
testparm
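An added example, not from the original article, in Python: it loads an smb.conf with configparser (keys are case-insensitive, '#' and ';' start comments, '%' macros are left alone) and reports the settings discussed above that widen access: a global section without hosts allow, and shares where guest ok / public is combined with writable = yes or read only = no. The smb.conf body is constructed.

```python
from __future__ import annotations
import configparser

# Constructed smb.conf (not from a real host): one share with the permissive
# options above, one restricted to a write list.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MYGROUP
interfaces = lo eth0 192.168.12.2/24
[pub]
path = /srv/pub
comment = public drop box
guest ok = yes
writable = yes
[docs]
path = /srv/docs
public = no
read only = yes
write list = +staff
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf: keys are case-insensitive, '#' and ';' start comments,
    and '%' macros such as %u must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _is_yes(cp: configparser.ConfigParser, section: str, key: str) -> bool:
    # Samba booleans: yes/true/1 vs no/false/0; an absent key counts as "no" here
    return cp.get(section, key, fallback="no").strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> list[tuple[str, str]]:
    """(section, finding) for the options discussed above."""
    cp = load_smb_conf(text)
    findings = []
    if not cp.has_option("global", "hosts allow"):
        findings.append(("global", "no-hosts-allow"))  # no IP-based access control
    for share in cp.sections():
        if share == "global":
            continue
        guest = _is_yes(cp, share, "guest ok") or _is_yes(cp, share, "public")
        # "writable = yes" and "read only = no" are equivalent; Samba's default is read only
        writable = _is_yes(cp, share, "writable") or (
            cp.has_option(share, "read only") and not _is_yes(cp, share, "read only"))
        if guest and writable:
            findings.append((share, "guest-writable"))  # anonymous users can write here
        elif guest:
            findings.append((share, "guest-readable"))  # anonymous read access
    return findings
```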
So far, the introduction to the three common file services has been completed.