Configuration of file service and vsftpd in linux

Source: Internet
Author: User

File service:

Ftp: Application layer, C/S, file sharing; file transfer protocol;

Nfs, cifs: file system interface, network file system;

Nfs: network file system

Cifs: common internet file system

Samba


Network Storage:

NAS: Network Attached Storage, file server, nfs or cifs, file level;

SAN: Storage Area Network, block-level sharing service, partitioning-> formatting-> File system creation; IPSAN, FCSAN;


Ftp:

File transfer protocol, 21/tcp

C/S:

Client-> ftp-> Server

Client: Connect

Server: Listen


Connection:

Command connection: command transmission. The connection persists;

Data Connection: data transmission, created on demand;


Data connection establishment mode:

Active mode: the client announces an idle port of its own with the PORT command over the command connection, and the server opens the data connection from its port 20/tcp to that client port;

Passive mode: the client sends PASV over the command connection, the server responds with a random port it has opened, and the client connects to that port to transfer data;


Data transmission mode:

Text Format: ASCII

BINARY Format: BINARY


Protocol Security:

Plaintext: data is transferred in the clear, and the account name and password are sent in plaintext during authentication;


Security Enhancement:

Ftp over ssl/tls: ftps

Ftp over ssh: sftp


Virtual User account;


C/s:

Server:

Windows: Serv-U, IIS ,...

Open-source solutions:

Wuftpd: Washington University ftp daemon

Vsftpd: Very Secure ftp daemon

Proftpd, pureftpd ,...


Client:

GUI: flashfxp, cute, filezilla, gftp ,...

CLI: ftp, lftp ,...


Vsftpd:

Program environment:

Main program:/usr/sbin/vsftpd

Unit file: /usr/lib/systemd/system/vsftpd.service

Configuration file: /etc/vsftpd.conf

Document path mapping:

For the user fedora: /home/fedora/pub/a.txt -> ftp://HOST:PORT/pub/a.txt

User home directory mapping: every access to the vsftpd service is performed as some system user, and that user's home directory becomes the root of the document tree the client sees;

Anonymous user: the user name anonymous is mapped to a system user, by default ftp;


Configuration: vsftpd.conf

directive=VALUE, one per line;

Directive: no extra characters are allowed in a directive line, including whitespace around the equals sign;


Anonymous user:

anonymous_enable=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES


Local User:

local_enable=YES

write_enable=YES


Authentication service:

pam_service_name=vsftpd

/etc/pam.d/vsftpd

PAM: Pluggable Authentication Modules


Display a message when the client changes into a directory:

dirmessage_enable=YES

The message is read from the file .message in that directory


Change the owner of uploaded files:

chown_uploads=YES

chown_username=USERNAME


Confine (chroot) users to their home directories:

chroot introduces risks of its own, so a chrooted user must not have write permission on its home directory;


(1) confine all local users

chroot_local_user=YES

(2) confine only some users

(A) whitelist: users in the list are exempt from the chroot;

chroot_local_user=YES

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/chroot_list

(B) blacklist: users in the list are chrooted

chroot_local_user=NO

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/chroot_list


user_list controls which users may access vsftpd:

(1) whitelist: only users in the list may log in

userlist_enable=YES

userlist_deny=NO


(2) blacklist, the default: users in the list are denied

userlist_enable=YES

userlist_deny=YES
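The following is an added example, not part of vsftpd or of the original notes: it parses the directive=VALUE format described above and applies the chroot_list and user_list rules from the two preceding sections, plus the anon_* write directives, to a constructed sample configuration and constructed list-file contents.

```python
def parse_vsftpd_conf(text):
    """One directive=VALUE per line, '#' comments; no whitespace in the name."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key or any(c.isspace() for c in key):
            raise ValueError(f"line {lineno}: expected directive=VALUE: {raw!r}")
        conf[key.lower()] = value
    return conf

def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"

def is_chrooted(conf, user, chroot_list):
    """chroot_list = names from chroot_list_file; with chroot_local_user=YES it
    is an exemption list, with chroot_local_user=NO a confinement list."""
    if not is_yes(conf, "chroot_list_enable"):
        return is_yes(conf, "chroot_local_user")
    if is_yes(conf, "chroot_local_user"):
        return user not in chroot_list
    return user in chroot_list

def may_log_in(conf, user, user_list):
    """userlist_deny=YES (default) makes user_list a blacklist, NO a whitelist."""
    if not is_yes(conf, "userlist_enable"):
        return True
    if is_yes(conf, "userlist_deny", "YES"):
        return user not in user_list
    return user in user_list

def anonymous_write_directives(conf):
    """anon_* write directives in effect while anonymous login is on (built-in default YES)."""
    if not is_yes(conf, "anonymous_enable", "YES"):
        return []
    return [d for d in ("anon_upload_enable", "anon_mkdir_write_enable",
                        "anon_other_write_enable") if is_yes(conf, d)]

SAMPLE_CONF = """# constructed sample vsftpd.conf (not a real server's file)
anonymous_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
userlist_enable=YES
userlist_deny=NO
"""
CHROOT_LIST = {"admin"}       # constructed /etc/vsftpd/chroot_list: admin is exempt
USER_LIST = {"tom", "admin"}  # constructed /etc/vsftpd/user_list: only these log in
```

With this sample, tom is chrooted and may log in, admin may log in unchrooted, jerry is refused, and anonymous upload is the one anonymous write directive still in effect.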


Virtual user accounts:

vsftpd relies on PAM for authentication, so any account store that a PAM module supports can be used by vsftpd;

Where are the account names and passwords stored?

Files, MySQL, LDAP, Redis, ...


pam_mysql module

CentOS 6: available from EPEL

CentOS 7: compile and install


Compile:

(1) a build environment (compiler and tools);

(2) dependencies: mariadb-devel, pam-devel


# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security/

# make install


MySQL settings:

mysql> create database vsftpd;

mysql> grant all on vsftpd.* to 'vsftpd'@'127.0.0.1' identified by 'mageedu';

mysql> create table vsftpd.users (uid smallint unsigned not null auto_increment unique key, name varchar(100) not null primary key, password char(48) not null);

mysql> insert into vsftpd.users (name, password) values ('Tom', password('mageid')), ('Jerry', password('mageid')), ('Lucy', password('mageid'));


Prepare the system account that the virtual users are mapped to:

# mkdir -pv /ftproot/{pub,upload}

# useradd -d /ftproot vuser

# setfacl -m u:vuser:rwx /ftproot/upload


Prepare the PAM configuration file for MySQL-based authentication: /etc/pam.d/vsftpd.mysql

auth required pam_mysql.so host=127.0.0.1 user=vsftpd passwd=mageedu db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required pam_mysql.so host=127.0.0.1 user=vsftpd passwd=mageedu db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

Configure vsftpd to enable virtual users and use the PAM service just created: vsftpd.conf

pam_service_name=vsftpd.mysql

guest_enable=YES

guest_username=vuser


Giving each virtual user different permissions: vsftpd.conf

user_config_dir=/etc/vsftpd/vusers_conf


# mkdir /etc/vsftpd/vusers_conf

# touch /etc/vsftpd/vusers_conf/USERNAME


Permission directives that may be set in each per-user file:

anon_upload_enable

anon_mkdir_write_enable

anon_other_write_enable
