FTP Service Learning note VSFTPD installation and configuration (2)


Deploying the FTP service on Red Hat 5

Experimental environment:

Operating system: Red Hat 5.8 (x86_64)

Platform: VMware Workstation


I. Deploying an FTP service for anonymous users

1. Anonymous FTP

Logging in to an anonymous FTP server requires no password; the login name is "ftp" or "anonymous".

2. Install the vsftpd software

# yum install vsftpd
# rpm -ql vsftpd

3. Start the vsftpd service

# service vsftpd start
# chkconfig vsftpd on

4. Test whether the FTP service can be reached

# ftp 192.168.3.3
Connected to 192.168.3.3.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.3.3:root): ftp      // anonymous login: the user name is ftp or anonymous
331 Please specify the password.
Password:                         // press Enter; the password is empty
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

5. Adjust the permissions of the anonymous upload directory and prepare a test file for download.

# ls -ld /var/ftp/pub/            // view the permissions before the change
drwxr-xr-x 2 root root 4096 Dec  5  2011 /var/ftp/pub/
# chown ftp /var/ftp/pub          // make ftp the owner of the pub directory
You have new mail in /var/spool/mail/root
# ls -ld /var/ftp/pub/            // confirm the new permissions
drwxr-xr-x 2 ftp root 4096 Dec  5  2011 /var/ftp/pub/
# cp /etc/inittab /var/ftp/       // copy a file into /var/ftp/ for the download test

Only the pub subdirectory is handed to the ftp user; the anonymous root /var/ftp/ itself stays owned by root (see the note at the end of this section).


6. Modify vsftpd.conf to enable anonymous access and anonymous uploads

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES          // allow anonymous access
local_enable=NO               // local users are not needed here, so disable them
write_enable=YES              // enable the write commands (required for any upload)
anon_umask=022                // permission mask applied to files uploaded by anonymous users
anon_upload_enable=YES        // allow anonymous users to upload files
anon_mkdir_write_enable=YES   // allow anonymous users to create directories
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO            // with local users disabled, the user list is not needed
tcp_wrappers=YES

Option names are lowercase and case-sensitive, and there must be no spaces around the "="; vsftpd refuses to start on a misspelled or unknown option ("500 OOPS: unrecognised variable in config file: ..."). anon_upload_enable and anon_mkdir_write_enable have no effect unless write_enable=YES is also set.
7. Restart the vsftpd service

# service vsftpd restart


8. From the client, access the FTP server (192.168.3.3) and test download and upload

# ftp 192.168.3.3                 // log in to the vsftpd server
Connected to 192.168.3.3.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.3.3:root): ftp      // anonymous login; the password may be empty or any string
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls                           // list the files and directories in the FTP root
227 Entering Passive Mode (192,168,3,3,20,191)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            1666 Nov 25 07:57 inittab
drwxr-xr-x    2 14       0            4096 Nov 25 07:57 pub
226 Directory send OK.
ftp> get inittab                  // download inittab from the server to the local host
local: inittab remote: inittab
227 Entering Passive Mode (192,168,3,3,145,227)
150 Opening BINARY mode data connection for inittab (1666 bytes).
226 File send OK.
1666 bytes received in 0.016 seconds (99 Kbytes/s)
ftp> cd pub                       // change to the directory that accepts uploads
250 Directory successfully changed.
ftp> put install.log              // upload a local file to the server
local: install.log remote: install.log
227 Entering Passive Mode (192,168,3,3,239,137)
150 Ok to send data.
226 File receive OK.
56895 bytes sent in 0.034 seconds (1.6e+03 Kbytes/s)
ftp> ls                           // check the attributes of the uploaded file
227 Entering Passive Mode (192,168,3,3,149,233)
150 Here comes the directory listing.
-rw-------    1 14       50          56895 Nov 26 13:04 install.log
226 Directory send OK.
ftp> quit                         // close the FTP connection and exit
221 Goodbye.

# ls -lh inittab                  // the copy downloaded to the local host
-rw-r--r-- 1 root root 1.7K Nov 26 21:03 inittab

The uploaded file is listed as -rw------- (mode 600), which is what vsftpd's built-in anon_umask default of 077 produces; with anon_umask=022 in effect as configured above, new uploads would appear as -rw-r--r--. Either way anon_world_readable_only stays at its default of YES, so an anonymous user can drop a file into pub but cannot download it again unless it is world-readable, which is the behaviour wanted for a drop box.

If you only need to download a file, wget can also be used with the server address and file path:

# wget ftp://192.168.3.3/inittab
--2015-11-26 21:22:29--  ftp://192.168.3.3/inittab
           => `inittab'
Connecting to 192.168.3.3:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> SIZE inittab ... 1666
==> PASV ... done.    ==> RETR inittab ... done.
Length: 1666 (1.6K)

100%[===================>] 1,666       --.-K/s   in 0s

2015-11-26 21:22:29 (4.24 MB/s) - `inittab' saved [1666]


Note: the anonymous FTP root /var/ftp/ is created with mode 755 and owned by root. Do not change its owner to ftp: vsftpd refuses to serve an anonymous root that the ftp user can write to, the session fails with "OOPS: vsftpd: refusing to run with writable anonymous root", and anonymous access stops working. Give write access only to a subdirectory such as pub.
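As an added example (mine, not code from the original post or from vsftpd), the POSIX shell functions below check a vsftpd.conf for the option combinations this section and the next depend on, and test whether a directory would be writable by the anonymous (or mapped) user, which is the condition behind the error in the note above. It assumes GNU coreutils (stat -c) and that the caller supplies the config path; the wording of the findings is my own.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf and the anonymous root directory.
# Assumes GNU coreutils (stat -c '%a %U').

# vsftpd_get OPT FILE: print the value of OPT (last occurrence wins, as in vsftpd),
# skipping "#" comment lines; prints nothing when the option is not set.
vsftpd_get() {
  grep -v '^[[:space:]]*#' "$2" | grep "^$1=" | tail -n 1 | cut -d= -f2-
}

# is_yes VALUE: vsftpd upper-cases boolean values, so yes/YES/true/1 all count.
is_yes() {
  case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
    YES|TRUE|1) return 0 ;;
    *)          return 1 ;;
  esac
}

# dir_writable_by DIR USER: true when USER can write DIR through the owner bit
# (if USER owns it) or through the group/other write bits. Group membership is
# not resolved, so any group-write bit is treated as writable (conservative).
dir_writable_by() {
  info=$(stat -c '%a %U' "$1" 2>/dev/null) || return 2
  user=$2
  set -- $info                                    # $1 = octal mode, $2 = owner name
  perm=$(printf '%03d' $(( $1 % 1000 )))          # drop the setuid/setgid/sticky digit
  u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
  [ "$2" = "$user" ] && [ $(( u & 2 )) -ne 0 ] && return 0
  [ $(( g & 2 )) -ne 0 ] && return 0
  [ $(( o & 2 )) -ne 0 ] && return 0
  return 1
}

# audit_vsftpd_conf FILE: print one finding per line; returns 0 when nothing was flagged.
audit_vsftpd_conf() {
  conf=$1; flagged=0
  anon=$(vsftpd_get anonymous_enable "$conf")
  if [ -z "$anon" ]; then
    echo "anonymous_enable is not set explicitly: vsftpd's built-in default is YES"
    flagged=1; anon=YES
  fi
  if is_yes "$anon" && is_yes "$(vsftpd_get anon_upload_enable "$conf")"; then
    if is_yes "$(vsftpd_get write_enable "$conf")"; then
      echo "anonymous upload is on: keep the anonymous root non-writable and open only a subdirectory such as pub"
    else
      echo "anon_upload_enable=YES does nothing while write_enable is not YES"
    fi
    flagged=1
  fi
  if is_yes "$(vsftpd_get local_enable "$conf")" && ! is_yes "$(vsftpd_get chroot_local_user "$conf")"; then
    echo "local users are not confined (chroot_local_user): they can browse the whole filesystem"
    flagged=1
  fi
  if is_yes "$(vsftpd_get userlist_enable "$conf")" && [ -z "$(vsftpd_get userlist_deny "$conf")" ]; then
    echo "userlist_enable=YES with userlist_deny unset: user_list is a deny list (default userlist_deny=YES)"
    flagged=1
  fi
  return $flagged
}

# Stand-alone use: audit the live config and the anonymous root, if this host has them.
if [ -r /etc/vsftpd/vsftpd.conf ]; then
  audit_vsftpd_conf /etc/vsftpd/vsftpd.conf || echo "review the findings above"
  dir_writable_by /var/ftp ftp && echo "/var/ftp is writable by ftp: vsftpd will refuse anonymous logins"
fi
```

Run audit_vsftpd_conf on the file before service vsftpd restart; a non-zero exit means at least one finding was printed. For the layout built in step 5, dir_writable_by /var/ftp ftp must be false and dir_writable_by /var/ftp/pub ftp true.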

II. Deploying an FTP service based on local users

vsftpd can use the local users of the Linux system directly as FTP users, authenticating them by user name and password. A local user who logs in starts in their own home directory, has read and write access there, and may change to other directories. The chroot_local_user option confines local users to their home directory (they can no longer change to a directory outside it), and the local_root option sets one common FTP root for all local users. Two caveats: these are real system accounts and FTP sends the password in cleartext, so on an untrusted network protect the session with FTPS (ssl_enable=YES) or restrict the set of users that may log in, as shown below; and while vsftpd 2.0.5 accepts a writable home directory as the chroot root, vsftpd 2.3.5 and later refuse the session ("refusing to run with writable root inside chroot()") unless the root is made non-writable or allow_writeable_chroot=YES is set (vsftpd 3.0 and distribution backports).

The following example configures an FTP server for local users with limits on bandwidth and on the number of connections:

1. Add an FTP test user (a local system account) and prepare a test file for download.

# useradd test1
# passwd test1
# ls -lh /etc/*.conf > /home/test1/etcconf.list


2. Modify vsftpd.conf to enable local users.

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO           // anonymous access is not needed here, so disable it
local_enable=YES              // allow local users to log in
write_enable=YES              // enable the write commands
local_umask=022               // permission mask applied to files uploaded by local users
chroot_local_user=YES         // for security, confine users to their home directory
max_clients=20                // at most 20 concurrent client connections
max_per_ip=2                  // at most 2 connections from the same IP address
local_max_rate=102400         // limit local users' download and upload rate to 100 KB/s
pasv_enable=YES               // allow passive mode and restrict its port range
pasv_min_port=24500
pasv_max_port=24600
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
:wq                           // save and exit

Note the spelling max_clients: the misspelled max_client in the original would stop vsftpd from starting ("500 OOPS: unrecognised variable in config file: max_client"). max_clients and max_per_ip only take effect in standalone mode (listen=YES), as used here, and the pasv_min_port/pasv_max_port range is what you open on the firewall in front of the server.


To open the vsftpd service only to specific local users, use the userlist_enable and userlist_deny options together with the user list file /etc/vsftpd/user_list.

For example, to allow only the local user test1 to access the vsftpd server:

# vim /etc/vsftpd/user_list
test1                         // add this line and remove everything else
# vim /etc/vsftpd/vsftpd.conf
userlist_enable=YES           // modify or add these two lines
userlist_deny=NO

With userlist_deny=NO the file is an allow list; with the default userlist_deny=YES it is a deny list. In both cases vsftpd checks the name when the USER command arrives, before any password is sent. Independently of this, /etc/vsftpd/ftpusers is a PAM deny list (pam_listfile in /etc/pam.d/vsftpd) that blocks root and the other system accounts listed there.


3. Restart the vsftpd service

# service vsftpd restart

4. From the client, access the FTP server (192.168.3.3) and test download and upload

# ftp 192.168.3.3                 // log in to the vsftpd server
Connected to 192.168.3.3.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.3.3:root): test1    // log in as the local user test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd                          // current directory: the chrooted home directory appears as /
257 "/"
ftp> ls                           // list the files and directories in the FTP root
227 Entering Passive Mode (192,168,3,3,95,218)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2831 Nov 27 12:19 etcconf.list
226 Directory send OK.
ftp> get etcconf.list             // download etcconf.list from the server to the local host
local: etcconf.list remote: etcconf.list
227 Entering Passive Mode (192,168,3,3,95,248)
150 Opening BINARY mode data connection for etcconf.list (2831 bytes).
226 File send OK.
2831 bytes received in 0.00064 seconds (4.3e+03 Kbytes/s)
ftp> put install.log              // upload a local file to the server
local: install.log remote: install.log
227 Entering Passive Mode (192,168,3,3,95,203)
150 Ok to send data.
226 File receive OK.
56895 bytes sent in 0.038 seconds (1.5e+03 Kbytes/s)
ftp> ls                           // check the attributes of the uploaded file
227 Entering Passive Mode (192,168,3,3,95,250)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2831 Nov 27 12:19 etcconf.list
-rw-r--r--    1 502      502         56895 Nov 27 13:23 install.log
226 Directory send OK.
ftp>

The passive-mode replies now carry ports such as 95*256+218 = 24538, inside the configured 24500-24600 range, which confirms that the pasv_* settings took effect; the uploaded file is owned by test1 (uid 502) with the 644 mode that local_umask=022 produces.
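The user_list and ftpusers semantics are easy to get backwards, so here is an added example (mine, not the post's or vsftpd's code) that models both name-based gates for a login name: the userlist_file check vsftpd performs at the USER command, and the pam_listfile deny file that the RHEL /etc/pam.d/vsftpd stack applies at PASS. It assumes that RHEL PAM layout; the file paths are parameters, so it can be run against copies of the files before the service is restarted.

```shell
#!/bin/sh
# Added example: model the name-based login gates of a vsftpd local-user setup.
# Assumes the RHEL PAM stack (pam_listfile sense=deny on /etc/vsftpd/ftpusers).

# vsftpd_login_gate USER LISTFILE USERLIST_DENY FTPUSERS
#   Prints "allowed" and returns 0, or prints the reason and returns 1.
#   LISTFILE is the userlist_file (pass "" to model userlist_enable=NO); it is
#   consulted when the USER command arrives, before any password is sent:
#     userlist_deny=YES (default): names in the file are denied
#     userlist_deny=NO:            only names in the file are allowed
#   FTPUSERS is the pam_listfile deny file (pass "" if PAM is not consulted);
#   it is consulted at PASS, after the password has already crossed the wire.
vsftpd_login_gate() {
  user=$1; listfile=$2; deny=$3; ftpusers=$4
  if [ -n "$listfile" ]; then
    # vsftpd matches whole lines, so "#test1" or "test1 " do not match test1
    if grep -qx "$user" "$listfile" 2>/dev/null; then listed=1; else listed=0; fi
    case $(printf '%s' "$deny" | tr 'a-z' 'A-Z') in
      NO|FALSE|0)
        [ "$listed" -eq 1 ] || { echo "denied at USER: $user is not in $(basename "$listfile") (userlist_deny=NO)"; return 1; } ;;
      *)
        [ "$listed" -eq 0 ] || { echo "denied at USER: $user is in $(basename "$listfile") (userlist_deny=YES)"; return 1; } ;;
    esac
  fi
  if [ -n "$ftpusers" ] && grep -qx "$user" "$ftpusers" 2>/dev/null; then
    echo "denied at PASS: $user is in $(basename "$ftpusers") (pam_listfile sense=deny)"
    return 1
  fi
  echo "allowed"
}

# write_allow_list FILE USER...: rewrite FILE as an allow list for userlist_deny=NO,
# one name per line, with a comment line recording the intended semantics.
write_allow_list() {
  out=$1; shift
  printf '# only these local users may log in (userlist_deny=NO)\n' > "$out"
  for u in "$@"; do printf '%s\n' "$u" >> "$out"; done
  chmod 644 "$out"
}

# Typical check on the server after editing the list (paths from this section):
#   vsftpd_login_gate test1 /etc/vsftpd/user_list NO /etc/vsftpd/ftpusers
```

A name refused at USER never sends a password, which is the cheaper and safer outcome; a name only caught by ftpusers has already sent its password in cleartext. That is why the allow list with userlist_deny=NO is the better primary control for a server that should admit a handful of accounts.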


III. Setting up a vsftpd service based on virtual users

1. Create the virtual users' name/password database

The virtual-user database is a Berkeley DB hash file; the db_load tool, from the db4-utils package, creates it from a plain-text list.

# yum install db4-utils       // this package provides the db_load command


2. Create a plain-text user name/password list: odd lines hold user names, and each even line holds the password of the user on the line above it.

# vim /etc/vsftpd/vusers.list  // any file name will do
mike
123
john
456

3. Use db_load to convert the list file into a DB database file

# cd /etc/vsftpd/
# db_load -T -t hash -f vusers.list vusers.db
# file vusers.db                  // check the file type
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
# chmod 600 /etc/vsftpd/vusers.*  // restrict both files to root to reduce exposure

db_load options:
-f: the user name/password list file to read
-T: the input is plain text rather than a Berkeley DB dump, so a file not produced by Berkeley DB can be loaded
-t hash: the access method (database type) to create
For the full description of db_load see /usr/share/doc/db4-utils-4.3.29/utility/db_load.html.

The list and the database both hold the passwords in cleartext, which is why they are restricted with chmod 600 (the original reads "chown 600", a typo); delete the list once the database is built if you do not need to regenerate it. pam_userdb can instead be pointed at crypt(3) hashes by adding crypt=crypt to its PAM line.


4. Create the FTP root directory and the corresponding system account for the virtual users.

vsftpd's virtual users need a corresponding system account (it needs neither a password nor a login shell); that account's home directory becomes the FTP root shared by all virtual users after login.

# useradd -d /var/ftproot -s /sbin/nologin virtual   // create the mapping account "virtual"
# chmod 755 /var/ftproot/                             // set the FTP root permissions
# ls -lh /boot > /var/ftproot/vutest.file             // create a test file


5. Create the PAM authentication file

A PAM configuration file provides user authentication control for a program. The vsftpd service uses /etc/pam.d/vsftpd by default; a new PAM file for virtual-user authentication can be created following the same format.

# vim /etc/pam.d/vsftpd.vu        // add the following lines
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers

Note: db= points to the database file vusers without its .db extension.

6. Modify vsftpd.conf to add virtual-user support

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES              // virtual users log in through the local-user path, so this must stay YES
write_enable=YES
anon_umask=022                // default permission mask for files uploaded by virtual users
guest_enable=YES              // enable user mapping
guest_username=virtual        // map every virtual user to the system account "virtual"
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd.vu    // use the new PAM file
userlist_enable=YES
tcp_wrappers=YES

7. Create separate configuration files for individual virtual users

After the previous steps vsftpd can already be restarted and a virtual user can log in and download files. This step gives individual virtual users different access rights. Because guest logins are treated like anonymous logins for permission purposes, their upload rights are controlled by the anon_* options rather than by write_enable alone.

1) Modify the main configuration file vsftpd.conf to add per-user configuration directory support.

# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_dir   // add this line: the directory holding per-user configuration files

2) Create the configuration files for mike and john

# mkdir /etc/vsftpd/vusers_dir/          // create the per-user configuration directory
# cd /etc/vsftpd/vusers_dir/
# vim john                               // john gets his own file with upload rights
anon_upload_enable=YES
anon_mkdir_write_enable=YES
# touch mike                             // mike gets an empty file (no additional rights)

Each file name must match the login name exactly (mike, not Mike); a user with no file simply gets the global settings.

8. Restart the vsftpd service

# service vsftpd restart

9. Access the FTP service with the virtual user accounts

From the client, log in to the FTP server as the virtual users mike and john in turn and test downloading and uploading files. The results:

    • mike can log in to the vsftpd server and can browse and download files, but cannot upload files.

    • john can log in to the vsftpd server and can browse, download and upload files.

    • Anonymous users and other system users cannot log in to the vsftpd server.
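As an added example (mine, not from the original post), these shell functions validate the vusers.list format from steps 2 and 3, generate the per-user files of step 7 from it, and run db_load only when it is installed. The database step assumes the db4-utils db_load tool; the paths are those used in this section, and the read-only/upload split is the one given to mike and john above.

```shell
#!/bin/sh
# Added example: prepare and sanity-check the virtual-user files from section III.
# Assumes db_load from db4-utils for the database step.

# vuser_names LISTFILE: print the user names (the odd lines of the list).
vuser_names() { awk 'NR % 2 == 1' "$1"; }

# vusers_list_check LISTFILE: 0 if the list is usable by pam_userdb;
# otherwise print the first problem found and return 1.
vusers_list_check() {
  list=$1
  n=$(grep -c '' "$list")
  [ $(( n % 2 )) -eq 0 ] || { echo "odd number of lines ($n): the last user has no password line"; return 1; }
  ! grep -q '^$' "$list" || { echo "blank line: an empty name or password would be stored"; return 1; }
  ! vuser_names "$list" | grep -q '[[:space:]]' || { echo "whitespace in a user name: names are matched byte-for-byte"; return 1; }
  dup=$(vuser_names "$list" | sort | uniq -d | head -n 1)
  [ -z "$dup" ] || { echo "duplicate user name: $dup"; return 1; }
  return 0
}

# write_vuser_configs LISTFILE DIR RWUSERS: create DIR/<user> for every user in the
# list. Users named in RWUSERS (space separated) get upload and mkdir rights;
# everyone else gets an empty file, i.e. the global (download-only) settings.
# File names must equal the login names exactly, which is why the list is checked first.
write_vuser_configs() {
  list=$1; dir=$2; rw=$3
  vusers_list_check "$list" || return 1
  mkdir -p "$dir"
  for u in $(vuser_names "$list"); do
    case " $rw " in
      *" $u "*) printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n' > "$dir/$u" ;;
      *)        : > "$dir/$u" ;;
    esac
  done
}

# build_vusers_db LISTFILE DBFILE: convert the list with db_load (hash format) and
# restrict both files to root; returns 2 when db_load is not installed.
build_vusers_db() {
  list=$1; db=$2
  vusers_list_check "$list" || return 1
  command -v db_load >/dev/null 2>&1 || { echo "db_load not found: yum install db4-utils"; return 2; }
  db_load -T -t hash -f "$list" "$db" || return 1
  chmod 600 "$db" "$list"
}

# Typical run on the server (paths from this section):
#   build_vusers_db /etc/vsftpd/vusers.list /etc/vsftpd/vusers.db
#   write_vuser_configs /etc/vsftpd/vusers.list /etc/vsftpd/vusers_dir "john"
```

An odd-length or blank-containing list is rejected before anything is written, because pam_userdb would otherwise store a name with an empty password or shift every following name/password pair by one line.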


This article is from the "Xiao Zeng" blog; please keep this source when reproducing it: http://zengxin.blog.51cto.com/6098070/1717694
