Every time the author solves a user's need, there is a sense of achievement. Not long ago I finished building an FTP server. This case is somewhat special, because the FTP server uses Linux as its operating system, so I have more thoughts on it than usual.
Experience One: Assign users to groups
FTP servers are often used to hold working files. For this reason, network administrators must pay attention to permission management when deploying an FTP server. That is, users should only be able to download the working files they have the right to view, upload files only to the specified directory, and so on. An enterprise has many employees, and setting permissions separately for each one is a large workload. For this reason, in FTP server administration it is best to set permissions on groups, as with operating system users, and then add users to a group so that they automatically inherit its permissions. If 10 users have similar permissions, the author only needs to create one group for them and set the permissions on the group once. Managing users through groups therefore reduces the workload and gives unified management.
This time, I used the VSFTPD server. After this server is installed, three groups are already set up for the network administrator. In general, as long as user rights management is not particularly strict, these default groups are all that is needed. Even if the enterprise manages user permissions more strictly, the permission settings of these groups can serve as a template and be used after appropriate adjustment. In the VSFTPD server, the default groups are the real group, the guest group, and the anonymous group.

Of the three, the real group has the highest permissions. Users in this group can access not only their own home directory but also other users' directories. Take a user named Amy. Once the account is created on the FTP server, the operating system automatically creates a home directory for it under /home, that is, /home/amy. When the user logs on with this account, the server uses that directory as the user's home directory. However, the user can still access other directories, that is, switch to another home directory.

Second, the permissions of the Guest group are not small either. This group is different from the guest account in the operating system and has more permissions than that account. In some cases, a network administrator may require that some users have access only to their own home directory and not to other people's directories. Indeed, this is the most basic permission control rule for an FTP server. To implement it, just add the user to the Guest group, because by default users in this group can access only their home directory, not files outside it.

The third group is the anonymous group. By default, this group has minimal permissions: it can only download files from a restricted directory and cannot upload files to the FTP server. In general, however, this group is disabled for security reasons. That is, a user without an account cannot download any files from the FTP server.
Experience Two: Set up a group for a specific application
While deploying the FTP server, the author found that the FTP server is not always used by ordinary users; system administrators may also need it. For example, a database administrator needs to use the FTP server for offsite backups. That is, the database administrator first performs a local backup of the database. Then, after the backup succeeds, the backup files are sent to the offsite server over the FTP protocol. Of course, these operations are carried out by a script file, combined with the operating system's task scheduling function.
So what does this mean for a network administrator deploying an FTP server? When the author received this requirement, the first response was to set up a separate group for it. The main reason is that these backup files are often the essence of an application. If a user steals the backup files and restores them to their own database, all of the enterprise's information, including customers, price information, and so on, is compromised. In addition, these backup files are the final guarantee of data recovery when the application server fails. If they are maliciously corrupted, it is difficult to use them to recover as much data as possible. To meet this need of the enterprise, I decided to set up a separate group for these users, because these accounts are used primarily for uploading backup files rather than for working with them. For this reason, I set this group to allow access only to the account's own home directory, not to other directories (refer to the settings for the Guest group).

What good is that? Suppose the enterprise has a database server, a mail server, an OA server and so on, all of which need offsite backup through the FTP server. The author can then set up three users, each belonging to this group. These three accounts are used to upload local backup files to the FTP server to achieve offsite backups. Since the three users can only access their own directories, they are effectively independent of each other. None of the accounts can see the files uploaded by another account, nor can they upload files to other users' home directories. This gives them a relatively independent working environment, which reduces interference with their offsite backups.
For this reason, the author thinks that FTP server users' permissions should not only be managed by group; sometimes independent groups also need to be set up according to how the FTP server is used. If the FTP protocol is likely to be used from a script, it is necessary to set up a separate group for those accounts to prevent other ordinary user groups from interfering with them.
Experience Three: Set disk quotas for different users
When deploying an FTP server, you must also settle the maximum amount of files each user can upload to the FTP server. In general, the author recommends setting a maximum space limit for each user, because a single FTP server is used by more than one user. If every user could upload files without restriction and did not clean up in time, the FTP server's hard disk would soon fill up. For ordinary users, the FTP server is only a transit point for files, not a backup server. Therefore, it is necessary to set the maximum capacity limit according to each user's needs.
In a VSFTPD server, you can set the maximum capacity limit for users at the group level. You can set up a group for each department and then specify the maximum amount of space that each user in the group can use. Users added to the group are then automatically subject to this limit. When space is limited, users are forced to clean up their content on the FTP server in a timely manner. Cleaning up unused files promptly not only saves space but also helps security. Alternatively, you can set the maximum available space for a department as a whole. That is, set up a group for each department, and then set the maximum space limit for the group. Users added to the group share the space (it is not divided evenly, but shared). This gives the department head greater flexibility to manage the space as needed.
Experience Four: Restrict certain accounts from using the FTP server
In fact, for most network administrators, administering an FTP server takes no small amount of learning. In some cases, it is necessary to restrict certain special accounts from using the FTP server, because they can compromise its security. If you deploy an FTP server on a Linux operating system, you need to restrict the root account from using it, because the root account has the highest administrative privileges on the operating system. If this user is allowed to access the FTP server, the account is not subject to group permissions. That is, even if the root account is assigned to the Guest group, it can still access files outside the home directory, which undermines the original security scheme. Therefore, regardless of the operating system on which the FTP server is deployed, the network administrator needs to know whether the operating system has a similarly privileged account. If so, that account's access to the FTP server must be disabled.
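The home-directory restriction and disabled anonymous group from Experience One, and the root restriction described above, can be checked against a server's vsftpd.conf. The following is an added example, not code from the original article. It assumes these rules are implemented with vsftpd's chroot and userlist options; the account names and sample configurations are constructed.

```python
DEFAULTS = {  # vsftpd's built-in defaults for the options checked here
    "anonymous_enable": "YES", "local_enable": "NO", "chroot_local_user": "NO",
    "chroot_list_enable": "NO", "userlist_enable": "NO", "userlist_deny": "YES",
}

def parse_conf(text):
    """Read 'option=value' lines; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def on(conf, key):
    return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")

def is_jailed(conf, user, chroot_list):
    """True if a local user is confined to the home directory."""
    listed = on(conf, "chroot_list_enable") and user in chroot_list
    # chroot_local_user=YES: the list names the exceptions (not jailed).
    # chroot_local_user=NO: the list names the users who are jailed.
    return (not listed) if on(conf, "chroot_local_user") else listed

def may_log_in(conf, user, user_list):
    """True if local logins are on and the userlist settings admit the user."""
    if not on(conf, "local_enable"):
        return False
    if not on(conf, "userlist_enable"):
        return True
    listed = user in user_list
    # userlist_deny=YES: listed users are refused; NO: only listed users log in.
    return (not listed) if on(conf, "userlist_deny") else listed

def audit(conf_text, chroot_list, user_list, restricted_users):
    conf, findings = parse_conf(conf_text), []
    if on(conf, "anonymous_enable"):
        findings.append("anonymous login is enabled")
    if may_log_in(conf, "root", user_list):
        findings.append("root may log in over FTP")
    for user in restricted_users:
        if may_log_in(conf, user, user_list) and not is_jailed(conf, user, chroot_list):
            findings.append(f"{user} can leave its home directory")
    return findings

# Constructed samples: WEAK turns the jail on, but its exception list frees dbbackup.
WEAK = "local_enable=YES\nchroot_local_user=YES\nchroot_list_enable=YES\n"
HARDENED = "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\nuserlist_enable=YES\n"
```

Call `audit()` with the configuration text, the contents of `chroot_list_file` and `userlist_file` as sets, and the accounts that must stay inside their home directories. Many distributions also refuse root through a PAM deny list such as /etc/ftpusers, which this check does not read.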
As can be seen, although the FTP server is relatively simple to deploy and has by now become fairly mature, the needs of business users keep changing. The network administrator also needs to change, adjusting the FTP deployment strategy in time to meet users' needs.