When building a Linux FTP server you may run into various problems. Here we describe how to solve the access permission problem of a Linux FTP server.
After we build an FTP server, the next step is to manage and set the permissions of the server. This work is directly related to the file security on the FTP server and the stability of the FTP server. Therefore, as a network administrator of an enterprise, the importance of this work cannot be ignored.
In Linux, FTP server management is more complex than in Windows. In Linux, permissions are managed and configured from the command line, whereas in a Windows environment you can configure them through a graphical interface, so the latter is relatively simple. In terms of flexibility, however, the former has a clear advantage. WU-FTP, for example, is the most widely used FTP software on Linux. Its permission management is much more flexible than that of Microsoft's built-in FTP server, and combined with the security of the Linux operating system itself, it raises the security of the WU-FTP server to a higher level.
Next we will talk about how to manage FTP server permissions in Linux. In a word, the WU-FTP software manages its access permissions through groups (classes). The following aspects give a full picture of server permission management.
1. how to define a group?
Defining an access group for the FTP server, also called a class, is the most basic action in access permission management on a Linux FTP server; all subsequent permission management is defined in terms of these groups. The /etc/ftpaccess configuration file is the main parameter file for configuring WU-FTP access permissions, and most FTP server permissions are configured in this file.
To define an FTP group, add the following statement to the parameter file:
class QA real,guest,anonymous 192.168.1.*
This statement defines a group named QA. The group covers three types of users: real (a user actually defined on the system), guest (a guest account) and anonymous (the anonymous access account). If a user of any of these three types accesses the FTP server from the 192.168.1.* subnet, it belongs to the QA group. If the same types of accounts connect from other IP addresses, they do not belong to the QA group and do not get this group's access permissions. In other words, you manage Linux FTP server access permissions by combining IP addresses with accounts, which is more secure than managing by account alone.
This configuration method also has some variants, and combining them appropriately greatly improves access security and flexibility.
The first variant: the address can be given as a domain name, which is widely used in large networks such as group enterprises. Suppose a group enterprise has three subsidiaries, A, B and C. To make file exchange between employees convenient, the group has set up an FTP server on the Internet, but the group's network administrator wants each subsidiary to access only its own company's folders on the FTP server and not the folders of the other subsidiaries. In this case you can create three groups corresponding to the three companies' domain names, for example:
class enterprise real,guest,anonymous <network domain name of company A>
This statement indicates that all accounts accessing the FTP server from company A's network belong to the group "enterprise". You then configure the permissions of this group so that company A users can only access their own files.
The second variant: use "!" to exclude specific IP addresses. For example, some IP addresses may be allocated to external users: when a customer visits, we assign the customer a specific IP address, mainly to keep such users from accessing our company's network resources at will. To exclude these addresses we use the "!" symbol: simply place an exclamation mark in front of the IP address in the preceding example and that address is excluded.
2. set specific permissions for the group.
After the above groups are set, the next step is to set specific permissions for these groups. Next I will discuss some common permission settings.
1. users in a group can only view or download files on the FTP server, but cannot upload files.
This is a frequently used function in group permission control. For example, an enterprise may want to show customers large design drawings. Because the drawings are large, they cannot be sent by email or similar means, so some enterprises set up a dedicated FTP server from which customers can download the drawings directly, improving transfer efficiency. For security, however, the customer should only be able to download files and must not be able to upload anything to the FTP server. To achieve this we use the file-limit parameter, which limits the number of files a user in a group may upload. If we put the customer accounts into a group and define the number of uploaded files for that group as 0, the customer can log on and access the FTP server but cannot upload any files.
2. set the maximum number of connections.
For the stability of the FTP server we generally need to limit the number of visitors. Since WU-FTP controls the maximum number of connections per group (class), two issues deserve attention here. First, set a reasonable maximum number of connections for each class. For example, an enterprise may define a class per department, so the maximum number of connections of the class should be set in line with the size of that department. Second, set the total number of connections of the FTP server reasonably according to the server's performance and hardware resources; the total is the sum of the connection limits of all groups. If too many people connect to the server at the same time, the FTP server is likely to hang due to resource exhaustion. Therefore, when an enterprise's FTP server is open not only to the internal network but also to the external network, make sure the maximum number of connections of this FTP server is limited. To achieve this we configure the limit parameter, which specifies the maximum number of connections for a class. At the same time you can create a text file whose content, such as an apology, is displayed to visitors when the maximum number of users is reached.
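To tie the directives from sections 1 and 2 together, the following /etc/ftpaccess fragment is an added illustration written for this article; it is not from the original article or from the wu-ftpd distribution. The class names, addresses, domain name, mailbox and file paths are assumed values, and the directive names and argument order follow the wu-ftpd ftpaccess(5) format.

```conf
# /etc/ftpaccess fragment (added example; all names, addresses and paths are assumed)

# --- Section 1: classes ---
# A connecting user is placed in the FIRST class whose type list contains the
# user's type and whose address pattern matches, so list narrow classes before
# broad ones. "visitors" catches the address handed out to visiting customers
# before the QA subnet pattern can claim it; the article's "!" prefix on an
# address pattern is the other way to keep such an address out of a class.
class visitors    real,guest,anonymous  192.168.1.250
class QA          real,guest,anonymous  192.168.1.*
# Variant 1: match by domain name (company A's network) instead of by address.
class enterpriseA real,guest,anonymous  *.a.example.com

# A host that must never reach the server at all, with the message file
# that is displayed to it (deny <addrglob> <message_file>).
deny 192.168.1.99 /etc/ftpd/msgs/msg.deny

# --- Section 2.1: download-only class ---
# The article uses "file-limit in 0 QA" for this; check how your wu-ftpd
# version treats a count of 0 before relying on it (in some versions 0 means
# "no limit"). The upload directive below is an explicit deny for everything
# under the (assumed) anonymous root /var/ftp and does not depend on that.
upload class=QA /var/ftp * no

# --- Section 2.2: per-class connection caps ---
# Administrator mailbox, expanded as %E in message files.
email ftpadmin@example.com
# limit <class> <n> <times> <message_file>: "Any" means at all times;
# the message file is displayed when the class is already full.
limit QA          20  Any  /etc/ftpd/msgs/msg.toomany
limit enterpriseA 50  Any  /etc/ftpd/msgs/msg.toomany
limit visitors     5  Any  /etc/ftpd/msgs/msg.toomany

# --- Section 2.3: message files ---
# message <path> [<when> [<class> ...]]: shown at login or on entering a
# directory; a per-directory .message file can use %C (current directory).
message /etc/ftpd/msgs/welcome.msg  login
message .message                    cwd=*
```

The sum of the three limit values (75) is the most simultaneous connections this fragment allows, which is the figure to compare against the server's resources as described above.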
3. configure the access denied file information.
It is also possible to show the user nothing when access is rejected, but that is not user-friendly. When a user accesses the FTP server without sufficient permission, the server should explain to the user why the access did not succeed. This is not only friendlier to users but also helps us troubleshoot when a fault occurs.
Next I will talk about how to configure this prompt file. The prompt file contains two kinds of content: constants and variables. Constants are fixed descriptive text, such as "Sorry, you cannot access this server." Obviously, constants cannot convey the specific details of why access was denied. To fully display the cause, the WU-FTP server provides some variables that directly reflect the reason the user was denied access.
◆ %N: the number of users currently connected in a group (class). For example, when limiting the number of FTP connections, you can use this variable in the error prompt file: "Sorry, the %N connections of this class have reached the maximum number of connections. Please try again later." In this case the variable shows the actual number of connected users.
◆ %E: the administrator's email address. The ftpaccess parameter file also lets you configure the network administrator's email address, so that users can mail this address when the FTP server fails. If you want that address shown in the error message, so that users can ask the network administrator for help when access fails, define the error file as follows: "Sorry, the server cannot be accessed at the moment. If you have any questions, please send an email to %E." The administrator email defined in the parameter file is then displayed in the error file.
◆ %T: the current local time. Sometimes the current time is displayed on the welcome page along with other friendly information; the %T parameter displays the current local time. In addition, some enterprises may need to limit the hours during which the FTP server may be accessed, for example only allowing access during a fixed window of hours. In this case add this time parameter to the error file, so that the prompt tells the user that the FTP server cannot be accessed at the current time.
◆ %C: the current working directory. Sometimes you need to restrict users' working directories, for example so that certain users can only access specific directories. In this case it is also useful to show users their current directory, to indicate that they have crossed the boundary. Add the %C parameter to the error file to display the current directory.
In short, the error information file should clearly show the user the reason the access was denied. On the one hand this saves the network administrator a lot of work and spares users unnecessary trouble; on the other hand it provides clues for resolving faults. As long as the user reports the error prompt, we can tell what the cause of the problem is and gain time to solve it.
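The two message files below are an added example of the variable-based prompts described in section 2.3; they are not from the original article. The paths, the class limits they mention and the text are assumed, and the "===" lines only label which file each block belongs to (they are not part of the file contents). msg.toomany is the file a limit directive displays when a class is full; the .message file is displayed on entering a directory when ftpaccess contains "message .message cwd=*".

```conf
=== /etc/ftpd/msgs/msg.toomany (added example; displayed by "limit" when the class is full) ===
Sorry, this class allows %M concurrent connections and %N users are
already connected (local time: %T).
Please try again later. If you need access right away, send an email
to the administrator at %E.

=== /var/ftp/pub/.message (added example; displayed by "message .message cwd=*") ===
You are now in %C.
Please stay within the directory assigned to your company. If this
directory is outside your area, contact %E.
```

%M (the maximum allowed in the class) is shown alongside %N so that the user sees both the cap and the current count, which is exactly the information the administrator needs when the user reports the message back.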
The preceding section describes the access permissions of the linux FTP server.