Secure FTP Server VSFTPD Introduction

Source: Internet
Author: User
Tags: ftp client, ftp access, ftp protocol, ftp transfer, what is ftp

VSFTPD is an FTP server for UNIX-like operating systems; it runs on Linux, BSD, Solaris, HP-UX, and IRIX. It supports features that many other FTP servers do not, such as:

Very high security requirements
Bandwidth limiting
Good scalability
Support for virtual users
IPv6 support
Above-average performance
Support for assigning virtual IP addresses
High speed

VSFTPD stands for "Very Secure FTP Daemon", and security is one of the top priorities of its developer, Chris Evans. High security was a goal from the very beginning of this FTP server's design and development.

One example is that VSFTPD works in chroot mode. In chroot mode the program (here VSFTPD) is given a new root directory and cannot access programs or files outside that directory, which is why this is also described as being "locked in". An FTP server that a potential attacker manages to compromise is therefore isolated from the rest of the system, which limits the damage.

With so many features, security is still the most important one for an FTP service, and here VSFTPD is superior to other FTP servers. WU-FTPD (http://www.wu-ftpd.org/) can be seen as a negative example, because it has had too many security flaws in the past few years.

Appendix 1: What Is FTP
FTP stands for File Transfer Protocol; the protocol is specified in RFC 959.

An FTP session uses two channels: the control channel and the data channel.

Control channel: the channel over which the client talks to the FTP server. Connecting to the server and sending FTP commands are both done through the control channel.

Data channel: the channel over which files and directory listings are transferred between the client and the FTP server.

In FTP the control connection is always initiated by the client, but the data connection can be set up in two ways: PORT mode and PASV mode.

Port mode (active mode)

The FTP client first establishes a connection to the FTP server's TCP port 21 (the control channel). When the client needs to receive data, it sends a PORT command over this channel; the PORT command tells the server which port (a port greater than 1024) the client will use to receive data. When transmitting the data, the server connects from its own TCP port 20 to that client port, so in this mode the FTP server must establish a new connection to the client for each data transfer.

PASV mode (passive mode)

The control channel is established just as in PORT mode. When the client sends the PASV command over this channel, the FTP server opens a random port between 1024 and 5000 and tells the client to request the data transfer on that port; the data is then transmitted through this port, and the FTP server no longer has to establish a new connection to the client for the data transfer.

Seen from the client/server model, the data connection in PORT mode is outbound for the server, while in PASV mode it is inbound to the server. Pay special attention to this, especially in enterprises that use a firewall: it is critical, and if the firewall is configured for the wrong direction, clients will not be able to connect.
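The following is an added example, not code from the original article: it shows the client side of the two data-connection modes described above (building the PORT argument, parsing the server's 227 reply to PASV) and states, for each mode, which direction a firewall in front of the server has to allow. All addresses and ports are constructed sample values.

```python
# Added example (not from the original article): the client side of the two FTP
# data-connection modes, and the firewall direction each implies for the server.
# Addresses and ports below are constructed sample values.
import re

# Server reply to PASV looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def port_argument(host, port):
    """Build the argument of a PORT command: h1,h2,h3,h4,p1,p2, where the
    client's listening port is split into a high byte (p1) and a low byte (p2)."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("PORT needs an IPv4 address, got %r" % host)
    if not 1024 < port < 65536:
        # the article notes that the client receives data on a port above 1024
        raise ValueError("client data port must be above 1024")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_pasv_reply(line):
    """Parse a 227 reply to PASV into (host, port); port = p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection_plan(mode, client_ip, client_port=None, pasv_reply=None):
    """Describe who opens the data connection and what a firewall in front of
    the server must allow, for PORT (active) or PASV (passive) mode."""
    mode = mode.upper()
    if mode == "PORT":
        # active mode: the server connects out from TCP 20 to the client's port
        return {
            "client_sends": "PORT " + port_argument(client_ip, client_port),
            "data_connection": "server:20 -> %s:%d" % (client_ip, client_port),
            "server_firewall": "outbound from TCP 20",
        }
    if mode == "PASV":
        # passive mode: the client connects in to the port the server announced
        host, port = parse_pasv_reply(pasv_reply)
        return {
            "client_sends": "PASV",
            "data_connection": "%s -> %s:%d" % (client_ip, host, port),
            "server_firewall": "inbound to TCP %d" % port,
        }
    raise ValueError("mode must be PORT or PASV")


if __name__ == "__main__":
    # constructed exchange: client 10.0.0.7 talking to server 192.168.1.10
    print(data_connection_plan("PORT", "10.0.0.7", client_port=50000))
    print(data_connection_plan("PASV", "10.0.0.7",
                               pasv_reply="227 Entering Passive Mode (192,168,1,10,19,137)."))
```

The two dictionaries returned for the constructed exchange make the firewall point concrete: in PORT mode the rule must permit the server's outbound connection from port 20, while in PASV mode it must permit an inbound connection to whatever port the 227 reply announces.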

Appendix 2: FTP User Management Commentary

By default, an FTP server's user management is based on /etc/passwd and /etc/group, so we must understand Linux user and user group management. User and group management is the basis of all applications. Some of you may not want to learn the basics and just want to jump straight into setting up all kinds of servers, but that turns out to be the least wise way to learn: although you may get an FTP server started in a few minutes, you will not necessarily know what went wrong when you run into a problem. The basics are therefore extremely important.

Recommended reading: Linux User and Group Management Overview

Understanding the anonymous FTP user

When we visit the major FTP sites we may not think about which identity we are logged in as. If the site allows anonymous login, we can, for example, type the following into a browser:

ftp://mirrors.kernel.org

Or

ftp://ftp:ftp@mirrors.kernel.org

We will find that both lines are accessible and give exactly the same result, and both end up at the address ftp://mirrors.kernel.org. So when we visit this FTP site, is there a username and password? Yes, one is still required. It is only because the server allows anonymous access, and because the anonymous username and password are both ftp, that we do not notice we are using a username and password at all. The second address explicitly accesses ftp://mirrors.kernel.org with the username ftp and the password ftp.

If we use the ftp command to connect to mirrors.kernel.org, we will find that we need to enter the username ftp and the password ftp to gain access.

On an FTP server the username and password of the anonymous user are both ftp. This user can be found in the /etc/passwd file of your operating system, where there may be a line similar to the following:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Description

/etc/passwd is the system user configuration file and /etc/group is the system user group configuration file; you can learn the basics of user management from the Linux User and Group Management Overview and its related documents.

In the ftp user line we see seven fields, separated by colons:

ftp is the username;
x is the password field; the actual password is hidden here;
14 is the user's UID field; you can set it yourself, but do not give it the same UID as another user, otherwise it will cause system security problems;
50 is the GID of the user's group; you can set it yourself, but do not let another user group share the ftp GID, otherwise it will cause system-wide problems;
FTP User is a description field;
/var/ftp is the home directory of the ftp user and can be defined as you wish;
/sbin/nologin is the user's login shell, which can also be defined. /sbin/nologin means the user cannot log on to the system; system virtual accounts (also known as pseudo users) are generally set up this way. If, for example, we change the ftp user's /sbin/nologin to /bin/bash, the ftp user can log on to the system as a real user, either locally or through remote tools such as ssh or telnet. This is not safe for the system: if you think a user has no real need to log on to the system, give him only FTP account permissions, that is, only the rights of FTP, and do not set his shell to /bin/bash or the like.

Understanding the ftp user group

When we look at /etc/group, we find something like this:

ftp:x:50:

/etc/group is the user group configuration file. This line says that the group is named ftp, x is the password field, and 50 is the GID. Comparing it with the ftp line in /etc/passwd, we know that the ftp user belongs to the ftp user group: the GID in the ftp user's line is the same as the GID of the ftp user group.
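The following is an added example, not code from the original article, that checks the points made in the two sections above: it parses /etc/passwd and /etc/group style text, reports users sharing a UID or groups sharing a GID, confirms that the ftp pseudo-user keeps a non-login shell, and confirms that the ftp user's GID matches the ftp group's GID. The sample lines, the field names, and the set of non-login shells are my own assumptions, constructed for illustration.

```python
# Added example (not from the original article): audit /etc/passwd and /etc/group
# style text for the issues the text warns about. Sample lines are constructed.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "description", "home", "shell")
# shells commonly used for accounts that must not log on (assumed set)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# constructed sample files
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
ftp:x:50:
alice:x:1000:
"""


def parse_passwd(text):
    """Return one dict per line, holding the seven colon-separated fields."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        users.append(rec)
    return users


def parse_group(text):
    """Return {group name: gid} from group-file lines (name:password:gid:members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError("malformed group line: %r" % line)
        groups[parts[0]] = int(parts[2])
    return groups


def audit_ftp_account(passwd_text, group_text, ftp_user="ftp"):
    """Return a list of findings; an empty list means every check passed."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []

    # two users with the same UID are the same identity to the kernel
    owners = {}
    for u in users:
        if u["uid"] in owners:
            findings.append("users %s and %s share UID %d"
                            % (owners[u["uid"]], u["name"], u["uid"]))
        owners.setdefault(u["uid"], u["name"])

    # the same applies to two groups sharing a GID
    gid_owner = {}
    for name, gid in groups.items():
        if gid in gid_owner:
            findings.append("groups %s and %s share GID %d" % (gid_owner[gid], name, gid))
        gid_owner.setdefault(gid, name)

    ftp = next((u for u in users if u["name"] == ftp_user), None)
    if ftp is None:
        findings.append("no %r user in passwd" % ftp_user)
        return findings
    # the pseudo-user must not be able to log on as a real user
    if ftp["shell"] not in NOLOGIN_SHELLS:
        findings.append("%s user has a login shell: %s" % (ftp_user, ftp["shell"]))
    # the GID in the passwd line must be the ftp group's GID
    if ftp_user not in groups:
        findings.append("no %r group in group file" % ftp_user)
    elif groups[ftp_user] != ftp["gid"]:
        findings.append("%s user GID %d differs from %s group GID %d"
                        % (ftp_user, ftp["gid"], ftp_user, groups[ftp_user]))
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_account(SAMPLE_PASSWD, SAMPLE_GROUP) or ["no findings"]:
        print(finding)
```

To run the checks against a real system, pass the contents of /etc/passwd and /etc/group instead of the constructed samples; the function only reads the text it is given.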

Whether the anonymous ftp user and the ftp user group can be deleted

Under normal circumstances the ftp user line in /etc/passwd and the ftp group line in /etc/group cannot be removed, because by default the FTP server needs them to implement FTP user management.

Although they cannot be deleted, some things related to the ftp user and the ftp user group in /etc/passwd and /etc/group can be modified: for example, we can change the ftp user's home directory, or we can change the ftp user's UID ... The premise is that you know user management. System user management is the foundation of all applications; perhaps Linux newcomers do not yet understand its importance, but slowly you will discover this truth.
