Debian + vsftpd + MySQL: implementing virtual users. This article introduces the implementation process step by step.
I. Requirements
1. Virtual User Login
Because the postfix + MySQL virtual user logon has already been configured successfully, and the benefits and flexibility of virtual users have become clear, this time we again use virtual users, and the FTP virtual user information is also stored in MySQL. In this way it is convenient to manage users in a unified way with PHP or other web GUI management programs.
2. Restrict Anonymous logon from IP addresses
Anonymous logon is enabled, but only specific IP addresses are allowed to log on anonymously.
3. Different users, directories, and permissions
It sounds like a tongue twister. For example, there are two users, normal and admin, and the FTP site has two directories, incoming and pub, and we want the following permission settings:
Code:
         incoming     pub
normal   read/write   read-only
admin    read/write   read/write
4. Manage Web sites through FTP
Apache is also set up on the server. The website administrator is not very familiar with Linux, and I do not want to give the website administrator a system account to log on with, since that tends to make the system messy. The common practice of virtual host providers on the Internet is to manage websites through FTP, so we need to provide the website administrator with an FTP account for website management.
II. Select FTP server software
There is a lot of excellent FTP server software available for setting up an FTP site in Linux, such as Wu-FTPD, Pure-FTPD, ProFTPD, and vsftpd, and choosing one that suits your needs takes some thought. For me, the choice of vsftpd (very secure FTP daemon) came down to the following two reasons:
1. Selection Principle 1
Some people say the best FTPD is the one you are most familiar with, but since I have no experience in setting up an FTP site in Linux, everything is a new starting point for me. On the official vsftpd homepage, we can see that the official Debian FTP site and the official Red Hat FTP site both use vsftpd.
2. Selection Principle 2
The second point depends largely on the name vsftpd (very secure FTP daemon): it is meant to be a very secure FTP server. Haha, and since the official Debian FTP site uses vsftpd, it should be a sound choice.
PS: for more on choosing FTP server software, refer to the article "Simple vsftpd server setup" in laruence's Linux private dish.
III. Implementation Method
Based on Debian GNU/Linux 3.1 Sarge and vsftpd-2.0.3
1. Required software packages
1). vsftpd: very secure FTP daemon
2). mysql-server, mysql-client
The former is the MySQL database server used to store virtual user information, and the latter provides the command-line MySQL client. I had already installed MySQL when configuring postfix, so I did not have to install these packages. ^_^
3). libpam-mysql: vsftpd verifies user information through PAM. This package allows PAM to read MySQL for verification.
2. Installation
Log on to Debian as the root user and run the following command: # apt-get install vsftpd libpam-mysql
3. Create a necessary local user
Even though logons are by virtual users, a local system user is still required: vsftpd maps every virtual user onto it, and it is the account used to read the virtual user information from the MySQL database.
1) Create the home directory of the local user, which is also the FTP home directory: Code: # mkdir /home/ftp
2) Create a local user named ftpguest: Code: # useradd ftpguest -d /home/ftp
3) Change the owner and group of the FTP home directory: Code: # chown ftpguest.nogroup /home/ftp
4. Configure the MySQL database
1) Create a database ftpvuser for storing virtual user information: Code: # mysqladmin -u root -p create ftpvuser
2) Connect to the database: Code: # mysql -u root -p
3) Create a table users for storing virtual user information: Code: mysql> use ftpvuser;
mysql> create table users (username varchar(20) not null, password varchar(40) not null, primary key (username)) TYPE=MyISAM;
4) Allow the local user ftpguest to read the users table of the ftpvuser database. Note: YourPassword is the password ftpguest will use to access the database.
Code:
- mysql>grant select on ftpvuser.users to ftpguest@localhost identified by 'YourPassword';
- mysql>flush privileges;
5) create a virtual user
Code:
- mysql>insert into users (username,password) values ('normal','555555');
- mysql>insert into users (username,password) values ('admin','666666');
- mysql>insert into users (username,password) values ('webmaster','777777');
6) Complete MySQL configuration: Code: mysql> quit;
5. Configure PAM authentication for vsftpd
1) Open the PAM configuration file: Code: # nano /etc/pam.d/vsftpd
2) Comment out the existing content, then add the following two lines (each is a single line in the file).
Note: YourPassword is the database password just set for ftpguest, and crypt=0 tells pam_mysql that the password column holds the cleartext password to compare against.
Code:
- auth required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
- account required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
6. Configure vsftpd
1) Open the vsftpd configuration file
Code: # nano /etc/vsftpd.conf
Note: once /etc/vsftpd.conf has been modified, you must restart vsftpd for the new settings to take effect. The method is: Code: # /etc/init.d/vsftpd stop
# /etc/init.d/vsftpd start
Running # /etc/init.d/vsftpd restart directly did not seem to work for me.
2) Modify the vsftpd.conf file as follows:
Code: # disable anonymous user access
# anonymous_enable=YES
# enable local user access
local_enable=YES
# enable virtual user access
guest_enable=YES
guest_username=ftpguest
# restrict local users to their home directories, which prevents FTP users from accessing other system directories
chroot_local_user=YES
3) 500 OOPS: cap_set_proc
Log on to FTP. Why can't I log on? The server returns the error: 500 OOPS: cap_set_proc
According to Google, this error seems to be related to SELinux. The solution is to load the capability module:
Code: # modprobe capability
To have Linux load this module automatically at startup, add it to /etc/modules.
4) Restrict Anonymous logon from IP addresses
To restrict the IP addresses of the clients that log on to vsftpd, we use a component called TCP Wrappers. My understanding of TCP Wrappers is this: if TCP Wrappers is enabled in vsftpd, then each time a client initiates a connection to vsftpd, vsftpd first hands the connection request to TCP Wrappers for processing. If the client's IP address is allowed by TCP Wrappers, the session continues with vsftpd; otherwise the connection is rejected outright. I'm not sure whether that is exactly right.
A. Modify /etc/vsftpd.conf
Code: # enable TCP Wrappers
tcp_wrappers=YES
B. Modify /etc/hosts.deny
Deny all IP addresses that initiate connection requests to vsftpd. If hosts.deny and hosts.allow conflict, hosts.allow takes priority, so the idea is to deny everything first and then open up access in hosts.allow, huh huh.
Code: # deny all IP addresses connecting to vsftpd first
vsftpd: ALL
C. Modify /etc/hosts.allow
The IP addresses allowed to log on to vsftpd are opened up here. About the VSFTPD_LOAD_CONF environment variable, the vsftpd man page says:
"If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable."
Code: # restrict the IP addresses that can log on to vsftpd anonymously
vsftpd: 192.168.0., 210.83.200.200: setenv VSFTPD_LOAD_CONF /etc/vsftpd.anonymous
# allow vsftpd virtual users to connect to FTP from any IP address
vsftpd: ALL: setenv VSFTPD_LOAD_CONF /etc/vsftpd.virtual
D. Create /etc/vsftpd.anonymous
Code: # mkdir /etc/vsftpd/
# nano /etc/vsftpd.anonymous
# allow anonymous logon
anonymous_enable=YES
E. Create /etc/vsftpd.virtual
Code: # nano /etc/vsftpd.virtual
# anonymous logon not allowed
anonymous_enable=NO
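To check that the two hosts.allow lines really produce the intended split (anonymous logon only from the listed addresses, virtual users from anywhere), here is an added Python model of the TCP Wrappers lookup. It is not part of the article; the rule lists are constructed copies of the hosts.allow and hosts.deny entries above, and the lookup follows the standard hosts_access(5) order (first match in hosts.allow wins, then hosts.deny, otherwise access is granted).

```python
"""Model of how TCP Wrappers chooses VSFTPD_LOAD_CONF for a client.
Constructed example: the rule lists copy this article's hosts.allow and
hosts.deny entries; the lookup order is the standard hosts_access(5) one."""
import ipaddress

# (daemon, client patterns, option) per line, in file order.
HOSTS_ALLOW = [
    ("vsftpd", ["192.168.0.", "210.83.200.200"],
     "setenv VSFTPD_LOAD_CONF /etc/vsftpd.anonymous"),
    ("vsftpd", ["ALL"], "setenv VSFTPD_LOAD_CONF /etc/vsftpd.virtual"),
]
HOSTS_DENY = [("vsftpd", ["ALL"], "")]


def pattern_matches(pattern, client_ip):
    """The client patterns this page uses: ALL, an exact address, or a
    dotted prefix ending in '.' that matches a whole network."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def decide(client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, daemon="vsftpd"):
    """Return (allowed, config_file) for one connection attempt."""
    ipaddress.ip_address(client_ip)  # malformed input raises ValueError
    for name, patterns, option in allow:
        if name == daemon and any(pattern_matches(p, client_ip) for p in patterns):
            words = option.split()
            conf = words[2] if words[:2] == ["setenv", "VSFTPD_LOAD_CONF"] else None
            return True, conf      # first hosts.allow match wins
    for name, patterns, _ in deny:
        if name == daemon and any(pattern_matches(p, client_ip) for p in patterns):
            return False, None     # then hosts.deny
    return True, None              # no match at all: access granted


if __name__ == "__main__":
    for ip in ("192.168.0.17", "210.83.200.200", "8.8.8.8"):
        print(ip, decide(ip))
```

Line order matters: with the ALL line first, every client, including 192.168.0.x, would be handed /etc/vsftpd.virtual and nobody would get anonymous access; and because hosts.allow matches ALL, the hosts.deny entry is never consulted.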
5) Set different access permissions for different users
A. Enable per-user configuration by adding the following line to the vsftpd configuration file:
Code: # nano /etc/vsftpd.conf
# specify the directory holding the per-user configuration files
user_config_dir=/etc/vsftpd/vsftpd_user_conf
B. Normal users: download and upload
Edit /etc/vsftpd/vsftpd_user_conf/normal
Note: the per-user configuration file has the same name as the user, except that the anonymous user's configuration file is named ftp, not anonymous.
Code: # mkdir /etc/vsftpd/vsftpd_user_conf
# nano /etc/vsftpd/vsftpd_user_conf/normal
Add the following content:
Code: # allow downloads
anon_world_readable_only=NO
# allow writing, uploading, and creating directories
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
C. Administrator users: download, upload, and delete files
Code: # cp /etc/vsftpd/vsftpd_user_conf/normal /etc/vsftpd/vsftpd_user_conf/admin
Edit the admin configuration file: Code: # nano /etc/vsftpd/vsftpd_user_conf/admin
In addition to the normal user's permissions, the administrator can delete, rename, and change file attributes. Add the following content:
Code: # allow renaming and deleting files
anon_other_write_enable=YES
# give the virtual user the same permissions as the local user (chmod is only valid for local users, so this must be enabled if the virtual user is to have chmod permission)
virtual_use_local_privs=YES
# allow modifying file attributes
chmod_enable=YES
D. Website administrator
Code: # cp /etc/vsftpd/vsftpd_user_conf/admin /etc/vsftpd/vsftpd_user_conf/webmaster
Edit the webmaster configuration file: Code: # nano /etc/vsftpd/vsftpd_user_conf/webmaster
Add the following content:
Code: # point the FTP home directory at the website's root directory (my www directory is Apache's default)
local_root=/var/www
# By default, all files uploaded to the FTP site are owned by ftpguest and other users have no access to them,
# so when you visit the website you may get the error "You are not authorized to access this file", because the Apache user
# www-data cannot read the files under /var/www. Setting the umask to 033 or even 000 solves this problem.
local_umask=033
E. Set different permissions on the incoming and pub directories for the normal and admin users
I read the related settings in the vsftpd man page, and it seems there is no way to set permissions per directory. Then I wondered whether the Linux file system's own permissions could be used for this; when I set up sites with IIS on Windows, I used NTFS permissions to control different users' access to directories. After trying it, however, the following permissions could not be implemented perfectly:
Code:
         incoming     pub
normal   read/write   read-only
For example, you can make pub read-only so that the normal user has read-only access to pub, but then admin is also read-only on pub. That is acceptable, though, because admin has permission to change directory attributes: if the admin user wants to manage the pub directory over FTP, the pub directory can temporarily be changed to read/write.
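To see what the per-user files above actually grant, here is an added Python check (not from the article) that layers /etc/vsftpd.conf and each user_config_dir file on top of vsftpd's documented defaults and derives the resulting capability matrix. The config texts are constructed copies of the article's files; the 0666/0777 base modes used for the umask arithmetic are the usual umask semantics, and /home/ftp as the default root is ftpguest's home directory from section 3.

```python
"""Effective vsftpd settings per virtual user: defaults < /etc/vsftpd.conf
< user_config_dir/<user>, then the capabilities that follow from them.
Constructed example: the config texts copy this article's files."""
MAIN_CONF = """\
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=ftpguest
chroot_local_user=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
"""
# Constructed copies of the article's vsftpd_user_conf/<user> files.
NORMAL = ("anon_world_readable_only=NO\nwrite_enable=YES\n"
          "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n")
ADMIN = NORMAL + "anon_other_write_enable=YES\nvirtual_use_local_privs=YES\nchmod_enable=YES\n"
WEBMASTER = ADMIN + "local_root=/var/www\nlocal_umask=033\n"
USER_CONFS = {"normal": NORMAL, "admin": ADMIN, "webmaster": WEBMASTER}
# vsftpd's documented defaults for the keys the article relies on.
DEFAULTS = {"write_enable": "NO", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
            "anon_world_readable_only": "YES", "chmod_enable": "YES",
            "virtual_use_local_privs": "NO", "local_umask": "077",
            "anon_umask": "077", "local_root": ""}


def parse(text):
    """option=value per line; vsftpd allows no whitespace around '='."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            raise ValueError(f"vsftpd would reject this line: {raw!r}")
        conf[key] = value
    return conf


def capabilities(user):
    """Merge the three layers and translate them into what the user can do."""
    c = {**DEFAULTS, **parse(MAIN_CONF), **parse(USER_CONFS[user])}
    yes = lambda k: c[k] == "YES"
    local_privs, write = yes("virtual_use_local_privs"), yes("write_enable")
    umask = int(c["local_umask" if local_privs else "anon_umask"], 8)
    return {
        "download_any_readable": local_privs or not yes("anon_world_readable_only"),
        "upload": write and (local_privs or yes("anon_upload_enable")),
        "mkdir": write and (local_privs or yes("anon_mkdir_write_enable")),
        "delete_rename": write and (local_privs or yes("anon_other_write_enable")),
        "chmod": write and local_privs and yes("chmod_enable"),
        "root": c["local_root"] or "/home/ftp",  # guest_username's home (section 3)
        "new_file_mode": 0o666 & ~umask, "new_dir_mode": 0o777 & ~umask,
    }
```

Note what it reports for webmaster: local_umask=033 gives uploaded files mode 0644 but newly created directories mode 0744, which www-data cannot traverse, so a umask of 022 is what actually lets Apache serve files in subdirectories the webmaster creates.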
IV. Summary
1. vsftpd aims to be a simple, secure FTPD, but it still seems a bit lacking in places. In particular, if you have complicated requirements on directory permissions, consider ProFTPD.
2. During testing, besides an FTP client, it is best to use a packet sniffer as an aid, because sometimes the FTP client does not show you everything the FTPD returned, and that information is often very helpful for troubleshooting FTPD problems. With a sniffer, none of the client-server interaction is missed.
This article introduced how to implement virtual users with Debian + vsftpd + MySQL. I hope it is of some help to you!