Linux Miscellaneous (14): ftp enterprise application-level configuration (1)

Source: Internet
Author: User
Tags ftp connection ftp site ftp client ftp protocol

1. ftp Overview

(1) ftp in life

In the Internet, we need to transmit data, especially large data. One Service focuses on ftp. In fact, we used to contact it very early. But we may not be very concerned about it. The basic model of thunder is ftp, but it is much more advanced.
In fact, ftp should be a transmission protocol, which used plain text transmission before. It is very dangerous to use it in a complex network environment. To use this Protocol more securely, we now need to adopt a safer software, vsftpd, to provide services.

(2) ftp Functions

1. It has different levels of user identities: local server users; visitors; anonymous users;
2. Command record and log record;
3. restrict users' home directories;

The above three points will be reflected in our subsequent experiments. In short, they are a single purpose: to ensure server security while providing features to customers.

(3) ftp Workflow

First, we need to know that the ftp protocol is TCP, because the transmission of large data requires a stable link. The ftp server uses two links, namely the command pipeline and data pipeline. This is very correct, because even in the computer operating system, the code segment and data segment are separated, this is very efficient.

Command pipeline port: 21
Data transmission port: 20

2. Build an ftp server

(1) first, let's look at the ftp Server installation package:


After installation, we need to know two things:

1. ftp server configuration file directory:/etc/vsftpd
2. Default ftp Server Release Directory:/var/ftp/pub (this can be modified)

(2) This time we need to reflect the security awareness of ftp server configuration, so we should open selinux and modify the configuration file/etc/sysconfig/selinux:


(3) We can directly turn on the service to see what functions can be provided:


Another client accesses the server:


Access is not allowed. Is the firewall of our server not flushed:


Try again:


You can log on this time. The fire wall is not flushed. For more information about the functions available on the server, see the vsftpd configuration file vsftpd. conf. However, you should note that we just used anonymous user logon, which is actually not very good. If everyone can download your data, the bandwidth is easily exhausted. The most important thing is that it is too insecure. Therefore, we generally do not allow anonymous users to log on. This is an experiment.


This is part of the configuration file. to configure certain services, we need to set the values of these keywords. For example, 12 rows of anonymous_enable = YES indicates that all users can access ftp.

Ftp configuration files are complex (this is summarized by some netizens ):

1. logon and anonymous user settings

Write_enable = YES // whether to enable write permission for the logon user. Global settings. NO by default
Local_enable = YES // whether to allow local users to log on to the FTP server. The default value is NO.
Anonymous_enable = YES // sets whether anonymous users are allowed to log on to the FTP server. YES by default
Ftp_username = ftp // defines the account name of an anonymous user. The default value is ftp.
No_anon_password = YES // whether to ask for the password when an anonymous user logs on. If this parameter is set to YES, no query is required. NO by default
Anon_world_readable_only = YES // whether anonymous users are allowed to download readable documents. The default value is YES.
Anon_upload_enable = YES // whether anonymous users are allowed to upload files. This configuration item is valid only when write_enable is set to YES. Moreover, anonymous users must have write restrictions on the corresponding directories.
Anon_mkdir_write_enable = YES // whether anonymous users are allowed to create directories. Valid only when write_enable is set to YES. The anonymous user has the write permission on the upper-level directory.
Anon_other_write_enable = NO // If set to YES, Anonymous Users are allowed to have more permissions than upload and create directories, and delete and rename directories. The default value is NO.

2. Set welcome information

After the user successfully logs on to the FTP server, the server can output pre-set welcome information to the login user.
Ftpd_banner = Welcome to my FTP server.
// This configuration item is used to set brief welcome information. If you have more welcome information, you can use the banner_file configuration item.
Banner_file =/etc/vsftpd/banner
// Set the output file to be displayed when the user logs on. This setting will overwrite the ftpd_banner setting.
Dirmessage_enable = YES
// Set whether to display the directory message. If it is set to YES, when you enter a specific directory (such as/var/ftp/linux), the contents of the file (. message) specified by message_file in this directory are displayed.
Message_file =. message // sets the directory message file. You can save the displayed information to this file. This file needs to be placed in the corresponding directory (such as/var/ftp/linux)

3. Set the directory where the user logs on.

Local_root =/var/ftp
// Set the directory where the local user logs on. This item is not set in the default configuration file. After the user logs on to the FTP server, the directory where the user is located is the main directory of the user. For the root user, the directory is the/root directory.
Anon_root =/var/ftp
// Set the directory where the anonymous user logs on. If not specified, the default value is the/var/ftp directory.

4. control whether the user can switch to the parent directory

By default, you can use the "cd .." name to switch to the parent directory. For example, if the directory where the user logs on is/var/ftp, execute "cd .. "command, the user will switch to its parent directory/var. If you continue to execute this command, you can enter the root directory of the Linux system to operate the entire Linux File System.

If write_enable = YES is set, you can rewrite the files in the root directory, which brings great security risks to the system, you must prevent users from switching to the Linux root directory. The configuration items are as follows:
Chroot_list_enable = YES
// Set whether to enable the user list file specified by the chroot_list_file configuration item. If it is set to YES, all logged-on users can access a directory other than the ftp root directory, except the account listed in the j/etc/vsftpd/chroot_list file. NO by default
Chroot_list_file =/etc/vsftpd/chroot_list
// Specifies the user list file, which is used to control which users can switch to the upper-level directory of the FTP site root directory.
Chroot_local_user = YES
// Specifies whether the user in the user list file can be switched to the upper-level directory. NO by default
Note: To view the effect of local users, you must first set local_root =/var/ftp

The specific situations include:
1) When chroot_list_enable = YES and chroot_local_user = YES, users listed in the/etc/vsftpd/chroot_list file can switch to the parent directory; users not listed in the file, you cannot switch to the upper-level directory of the site root directory.
2) When chroot_list_enable = YES and chroot_local_user = NO, users listed in the/etc/vsftpd/chroot_list file cannot switch to the parent directory of the site root directory; users not listed in the file can switch to the parent directory.
3) When chroot_list_enable = NO, chroot_local_user = YES, all users cannot switch to the parent directory.
4) When chroot_list_enable = NO and chroot_local_user = NO, all users can switch to the parent directory.
5) when the user is not allowed to switch to the parent directory, the root directory "/" of the FTP site after logon is the main directory of the FTP account, that is, the/var/ftp directory of the file system.

5. Set access control

(1) set hosts that are allowed or not allowed to access (see TBP14)
Tcp_wrappers = YES is used to set whether the vsftpd server is combined with tcp wrapper for host access control. The default value is YES. The vsftpd server checks the settings in/etc/hosts. allow and/etc/hosts. deny to determine whether the host requesting connection allows access to the FTP server. These two files can provide simple firewall functions.
For example, to allow only 192.168.168.1 ~ 192.168.168.254 users can access the vsftpd server. You can add the following content to the/etc/hosts. allow file:
Vsftpd: 192.168.168.0/255.255.255.0: allow
All: deny

(2) Set users that are allowed or not allowed to access
User access control is implemented by the/etc/vsftpd/user_list and/etc/vsftpd/ftpusers Files. Related configuration commands are as follows:
Userlist_enable = YES
// Determine whether the/etc/vsftpd/user_list file is enabled and effective. YES, NO.
Userlist_deny = YES
// Determine whether the user in the/etc/vsftpd/user_list file is allowed or not. If it is set to YES, users in the/etc/vsftpd/user_list file will not be allowed to access the FTP server. If it is set to NO, only vsftpd is allowed. users in the user_list file can access the FTP server.

6. Set the access speed

Anon_max_rate = 0
// Sets the maximum transmission speed that anonymous users can use. The unit is B/s. If it is set to 0, the speed is not limited. This is the default value.
Local_max_rate = 0
// Set the maximum transmission speed that local users can use. The default value is 0, which is unrestricted.

7. Define the user configuration file

Different users can use different configurations on the vsftpd server, which must be implemented through the user configuration file.
User_config_dir =/etc/vsftpd/userconf // used to set the directory where the user configuration file is located.
After this configuration item is set, When you log on to the FTP server, the system reads the file with the same user name in the/etc/vsftpd/userconf directory, and further configure the current user according to the configuration commands in the file. For example, the user configuration file can be used to control the access speed of different users. In each user configuration file, the local_max_rate configuration is defined to determine the access speed allowed by the user.

8. Connection-related settings

Listen = YES
// Set whether the vsftpd server runs in standalone mode. Running in standalone mode is a good method. At this time, the listen must be set to YES, which is the default value. Do not change it. Many configuration commands related to server running must be effective in this running mode. If it is set to NO, vsftpd does not run independently. It must be managed and controlled by the xinetd server, and its functions will be limited.

Max_clients = 0
// Set the maximum number of connections allowed by vsftpd. The default value is 0, indicating no restriction. If it is set to 150, 150 connections are allowed at the same time. If it is exceeded, connection establishment is denied. It is valid only when running in standalone mode.

Max_per_ip = 0
// Set the number of connections allowed between each IP address and the FTP server. The default value is 0, which is unrestricted. You can set this configuration to prevent the same user from establishing too many connections. It is valid only when running in standalone mode.

Listen_address = IP Address
// Set the IP address to listen for the user's FTP request. If this parameter is not set, all IP addresses bound to the server are listened. It is valid only when running in standalone mode. This configuration item is not required for a server bound with only one IP address. By default, this configuration item is not found in the configuration file. If the server is bound with multiple IP addresses at the same time, you should use this configuration item to specify the IP address on which the FTP service is provided, that is, the IP address used by the FTP server.
Note: Before and After setting this value, you can use netstat-tnl to compare the port listening status.

Accept_timeout = 60
// Set the timeout time for establishing a passive (PASV) data connection. The unit is seconds and the default value is 60.
Connect_timeout = 60
// The timeout time for establishing a data connection in the PORT mode, in seconds.
Data _ connection_timeout = 300
// Set the timeout time for establishing an FTP data connection. The default value is 300 seconds.

Idle_session_timeout = 600
// If you do not perform any operation on the FTP server for a specified period of time, the FTP connection is disconnected. The unit is seconds. The default value is 600 seconds. That is to say, set the timeout time for a daze. If there is no data transmission or command input within this time period, the connection will be forcibly disconnected.
Pam_service_name = vsftpd
// Set the name used by PAM. The default value is vsftpd.

Setproctitle_enable = NO | YES
// Set whether each connection to the FTP server is expressed by a different process. The default value is NO. At this time, there is only one process named vsftpd. If YES, each connection will have a vsftpd process. You can view the detailed ftp connection information by running the "ps-ef | grep FTP" command. For security reasons, we recommend that you disable it.

9. FTP work mode and port settings

(1) Introduction to FTP
FTP can work in two ways: port ftp and pasv ftp. The following describes how it works.
The difference between the two is that the port ftp data transmission PORT is specified by the FTP server, while pasv ftp is specified by the FTP client, and each data connection uses a different PORT number. Because of this, in FTP client software such as CuteFTP, there are PORT and PASV options in the connection type settings.

When the FTP server is set to PASV working mode, the client must also be set to PASV connection type. If the client connection type is set to PORT, an FTP connection can be established. However, when you execute commands such as ls or get that require data requests, there will be no response and the final report will be unable to establish a data connection.

(2) port-related configuration
Listen_port = 21
// Set the port on which the FTP server establishes the connection. The default value is 21.
Example of non-standard port connection: ftp www.sunflower.org 7000
Connect_from_port_20 = YES
// The default value is YES, and Port 20 is used for the FTP data transmission connection. If it is set to NO, the port used for data connection is specified by ftp_data_port.

Ftp_data_port = 20
// Set the PORT used for FTP data connection in PORT mode. The default value is 20.
Pasv_enable = YES | NO
// If it is set to YES, PASV working mode is used; if it is set to NO, PORT mode is used. The default value is YES, that is, PASV mode.
Pasv_max_port = 0
// Set the upper limit of the port range that can be used for data connections in PASV mode. The default value is 0, indicating any port.
Pasv_mim_port = 0
// Set the lower bound of the port range that can be used by data connections in PASV mode. The default value is 0, indicating any port.

10. Set Transmission Mode

When FTP transfers data, it can use the Binary or ASCII mode to upload or download data.
Ascii_download_enable = YES // sets whether to enable ASCII mode to download data. The default value is NO.
Ascii_upload_enable = YES // you can specify whether to enable the ASCII mode for data uploading. The default value is NO.

11. Set the ownership and permissions of the document to be uploaded.

(1) set the owner for anonymously uploading documents
Chown_uploads = YES
// Set whether to change the owner of the document uploaded by anonymous users. The default value is NO. If YES, the owner of the document uploaded by the anonymous user is set to the user name set for the chown_username configuration item.
Chown_username = whoever
// Set the owner name of the document uploaded by an anonymous user. Valid only when chown_uploads = YES. We recommend that you do not set it as the root user. But the system does not root

(2) Permission settings for new documents
Local_umask = 022
// Set the umask for the newly added document for the local user. The default value is 022 and the corresponding permission is 755. Umask is 022, and the corresponding binary number is 000 010, Which is reversed to 111 101 101 and converted to a decimal number, that is, the permission value is 755, representing the document owner (owner) you have the read/write execution right, the group you belong to has the read and execution right, and other users have the read and execution right. 022 is suitable for most situations and does not need to be changed. If it is set to 077, the corresponding permission is 700.
Anon_umask = 022 // set umask for the newly added document for anonymous users. The default value is 077.
File_open_mode = 0755 // you can specify the Document Upload permission. The permission is in numeric format. The default value is 0666.

12. Log Files

Xferlog_enable = YES // whether to enable upload/download logging. The default value is NO.
Xferlog_file = var/log/vsftpd. log // set the log file name and path. The xferlog_enable option must be enabled.
Xferlog_std_format = YES // whether the log file uses the standard xferlog file format (the same format as wu-ftpd ). The default value is NO.

13. Other settings

Text_userdb_names = NO
// Set whether the UID, GID, or specific user name or group name is displayed when the ls command is executed. The default value is NO, which is displayed as UID and GID. If you want to display the user name and group name, set it to YES.
Ls_recurse_enable = YES
// If it is set to YES, the "ls-R" command can be executed. The default value is NO. This configuration item has been commented out in the configuration file. similar to this, there are some other configurations. To enable it, remove the annotator and set YES or NO.

4. Modify the directory of Anonymous Users

Sometimes we do not want anonymous users to access the default release directory. Instead, we want anonymous users to access another directory we have set. We need to make the following changes:
(1) first, we need to create a new default release directory and create five files:


(2) modify the configuration file:


(3) but we find that the security context is not ftp, so even anonymous users of the open service cannot see it, so we need to modify their security context:


We can see that this is not the end, because we have enabled selinux. We also need to check the Boolean value of the ftp option, which can be used only when anonymous logon is allowed:


Restart the service to see the effect:


The display is exactly the five files we have uploaded, indicating that the anonymous ftp Publishing directory has been changed to/ftp/pub.

Notification:

The ftp configuration examples are complex and can be explained in several posts. However, I try my best to clarify the examples. If all examples are used freely, they can meet the work requirements of enterprises.
The remaining examples in the afternoon.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.