vsftpd installation and virtual user configuration
Originally published in cu:
Reference:
I. Environment
OS
CentOS6.7 x86_64
Network
Server: 192.168.1.254
Client: 192.168.1.100
II. Installation and configuration
1. Install
Install with yum: yum install -y vsftpd
2. Files installed by the package
/etc/vsftpd/vsftpd.conf: the main vsftpd configuration file; nearly all parameters are set here.
/etc/pam.d/vsftpd: the PAM service file vsftpd uses for authentication; it is also where PAM-level login denials (pam_listfile) are enforced.
/etc/vsftpd/ftpusers: tied to /etc/pam.d/vsftpd; it is the list of accounts that the PAM stack refuses to log in. Its format is trivial: write one account name per line for every account that must not log in over FTP.
/etc/vsftpd/user_list: whether this file has any effect depends on two parameters in vsftpd.conf, userlist_enable and userlist_deny. With userlist_deny=YES (the default) the accounts listed are refused; with userlist_deny=NO only the accounts listed are allowed. In other words, /etc/vsftpd/ftpusers is the PAM module's deny list and /etc/vsftpd/user_list is vsftpd's own list; by default both hold accounts that should not be able to log in.
/etc/vsftpd/chroot_list: does not exist by default and must be created by hand. It lists accounts to be confined (chrooted) to their home directory, or, when chroot_local_user=YES, the accounts exempted from that confinement. Whether it is consulted depends on chroot_list_enable and chroot_list_file in vsftpd.conf.
/usr/sbin/vsftpd: the vsftpd daemon binary.
/var/ftp/: the default root directory for anonymous logins; it is the home directory of the ftp system account.
3. Configuration file overview
The major configuration items are listed below for reference. vsftpd's parser is strict: each directive is written as option=value with no spaces around the =, and comments must be on their own lines starting with #; a trailing comment on a directive line makes vsftpd refuse to start.
Settings related to the server environment
connect_from_port_20=YES|NO: whether active-mode data connections originate from the server's port 20 (ftp-data).
  Active FTP: after the server receives the client's request, the server connects from port 20 to the data port the client announced (PORT command) to establish the data channel.
  Passive FTP: the server picks a port above 1024 and announces it to the client (PASV reply); the client then opens the data connection to that port.
  With a firewall or NAT between client and server, passive mode is usually the only one that works unless the firewall tracks FTP (see the iptables section).
listen_port=21: the command-channel port. Change it here if you want a non-standard port. This only applies when vsftpd runs in standalone mode, not when it is started from a super-server (xinetd).
dirmessage_enable=YES|NO: when a user enters a directory, show that directory's message file. The default file name is .message; change it with the next option.
message_file=.message: with dirmessage_enable=YES, the file name vsftpd looks for in each directory.
listen=YES|NO: YES starts vsftpd in standalone mode; NO means it is run from a super-server.
pasv_enable=YES|NO: allow passive-mode data connections. Set to YES.
use_localtime=YES|NO: show local time in directory listings; vsftpd uses GMT by default. YES is recommended.
write_enable=YES|NO: whether any FTP command that writes to the filesystem (upload, mkdir, delete, rename) is permitted at all.
connect_timeout=60: in seconds. In active mode, if the client has not accepted the server's data connection within 60 seconds, stop waiting and drop the connection.
accept_timeout=60: the passive-mode counterpart: if the server has opened a passive port and the client has not connected to it within 60 seconds, drop the connection.
data_connection_timeout=300: once a data connection is established (active or passive), a transfer that makes no progress for 300 seconds is aborted and the client is disconnected.
idle_session_timeout=300: a client that sends no command for 300 seconds is disconnected.
max_clients=0: in standalone mode, the maximum number of clients connected at the same time; 0 means unlimited.
max_per_ip=0: the same limit per client IP address; 0 means unlimited.
pasv_min_port=0 and pasv_max_port=0: the port range used for passive-mode data connections. To use the 11 ports 65400 to 65410, set pasv_min_port=65400 and pasv_max_port=65410. 0 means any free port, which makes the firewall rules much harder to scope.
ftpd_banner=...: the greeting text shown to the client at login. Setting it also replaces the default banner, which discloses the vsftpd version (the login test below shows "220 (vsFTPd 2.2.2)"). banner_file below is usually preferable.
banner_file=/path/file: a plain-text file shown as the login greeting; it can also describe the server's directory layout for users.
Settings related to local (real) users
guest_enable=YES|NO: when YES, every non-anonymous login is treated as a guest and mapped to one local account (the default is NO). Guests get the privileges of the ftp account by default; change the mapping with guest_username. Set this to YES when logging in with virtual accounts.
guest_username=ftp: effective when guest_enable=YES; the local account whose identity (uid, home directory and file permissions) guest logins run under.
local_enable=YES|NO: when YES, accounts in /etc/passwd may log in to vsftpd as real users.
local_max_rate=0: transfer rate limit for real users in bytes/second; 0 means unlimited.
chroot_local_user=YES|NO: whether local users are confined (chrooted) to their home directory by default. YES confines them; NO lets a logged-in user browse the whole filesystem, limited only by Unix permissions. The two parameters below invert this default for listed users. For security, YES is recommended.
chroot_list_enable=YES|NO: enable the chroot list file named by chroot_list_file. With chroot_local_user=NO the listed users are the ones confined; with chroot_local_user=YES the listed users are the ones left unconfined.
chroot_list_file=/etc/vsftpd.chroot_list: the list file; effective only when chroot_list_enable=YES (the stock CentOS file refers to /etc/vsftpd/chroot_list).
userlist_enable=YES|NO: whether to use vsftpd's own user list to refuse (or admit) certain accounts; works together with the two parameters below. A refused account is rejected before it is even asked for a password.
userlist_deny=YES|NO: effective only when userlist_enable=YES. YES (the default): accounts listed in the file cannot log in. NO: only the accounts listed in the file can log in.
userlist_file=/etc/vsftpd/user_list: the list file used by the two options above.
Caveat: vsftpd 2.3.5 and later refuse to log a user in when the directory used as the chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set (an option added in 3.0.0 and backported by some distributions). The vsftpd 2.2.2 shipped with CentOS 6.7 does not perform this check, which is why the virtual-user setup below works with a writable home directory; on a newer version the upload directory has to be a subdirectory of a non-writable root.
Login settings for anonymous users
anonymous_enable=YES|NO: whether anonymous logins are accepted. The built-in default is YES, so set it to NO explicitly on a server meant for virtual users only. All of the options below apply only when anonymous_enable=YES.
anon_world_readable_only=YES|NO: anonymous users may only download files that are world-readable. Default YES.
anon_other_write_enable=YES|NO: whether anonymous users get write permissions beyond upload and mkdir, i.e. deleting and renaming files on the server. Default NO. If you set it to YES, the directories opened to anonymous users must be writable by the account the anonymous session runs as (the ftp account, or guest_username).
anon_mkdir_write_enable=YES|NO: whether anonymous users may create directories. Default NO; write_enable must also be YES.
anon_upload_enable=YES|NO: whether anonymous users may upload files. Default NO; write_enable must also be YES and the upload directory must be writable by the ftp account.
deny_email_enable=YES|NO: refuse anonymous logins that give certain e-mail addresses as the password. Anonymous users are expected to enter an e-mail address as their password; this option, together with the next one, blocks particular addresses.
banned_email_file=/etc/vsftpd/banned_emails: with deny_email_enable=YES, the file listing the refused addresses.
no_anon_password=YES|NO: when YES, anonymous users skip the password prompt and log in directly.
anon_max_rate=0: transfer rate limit for anonymous users in bytes/second; 0 means unlimited.
anon_umask=077: the umask applied to files created by anonymous users (and, with guest_enable=YES, by virtual users); 077 makes uploads readable only by the owning account.
System security settings
ascii_download_enable=YES|NO: when YES, a client's request for ASCII-mode downloads is honoured. Default NO (the request is ignored and data is sent as-is).
ascii_upload_enable=YES|NO: the same for uploads. Default NO.
one_process_model=YES|NO: a dangerous setting. YES handles each connection in a single process instead of vsftpd's usual privileged parent plus unprivileged child, which improves performance but discards most of its privilege separation; it is only intended for anonymous-only servers on hosts that are otherwise locked down. Leave it at NO.
tcp_wrappers=YES|NO: honour /etc/hosts.allow and /etc/hosts.deny for incoming connections. YES is recommended.
xferlog_enable=YES|NO: when YES, uploads and downloads are logged; the log file is set by the next option.
xferlog_file=/var/log/xferlog: effective when xferlog_enable=YES.
xferlog_std_format=YES|NO: write the transfer log in the wu-ftpd format. The default is NO because vsftpd's own format is easier to read; set YES if you analyse logs with software written for wu-ftpd logs.
dual_log_enable=YES and vsftpd_log_file=/var/log/vsftpd.log: /var/log/xferlog normally records only transfers; with these two options vsftpd additionally keeps its own log of logins and commands in /var/log/vsftpd.log. Keep it on: this is the log you will need when investigating an incident.
nopriv_user=nobody: the unprivileged account vsftpd's helper processes run as (default nobody). Because nobody has almost no rights, an attacker who compromises that process gains very little.
pam_service_name=vsftpd: the PAM service name, i.e. the stack in /etc/pam.d/vsftpd.
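An added example, not from the original article: a POSIX shell audit of a vsftpd.conf for the settings covered in this overview. It reads the file the way vsftpd does (whole-line comments only, last assignment wins) and flags the combinations a reviewer would object to, including the one parsing mistake vsftpd refuses to start on. The two sample configuration files it writes to temporary files are constructed for the demonstration, and the function names vsftpd_get and vsftpd_audit are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf for
# the risky settings discussed above. The two sample configs written to
# temporary files below are constructed for the demonstration.

# Effective value of KEY ($2) in CONF ($1), or DEFAULT ($3) when absent.
# Mirrors vsftpd's parser: only whole-line comments (leading #) are
# skipped, option names are case-sensitive, and the last assignment wins.
vsftpd_get() {
    v=$(grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

_warn() { printf 'WARN: %s\n' "$1"; n=$((n + 1)); }

# Print one WARN line per finding and a final "findings: N" summary.
vsftpd_audit() {
    conf=$1
    n=0

    # vsftpd refuses to start on "key = value" or a trailing "# comment".
    bad=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' \
          | grep -cE '[[:space:]]=|=[[:space:]]|#' || true)
    if [ "$bad" -gt 0 ]; then
        _warn "$bad line(s) with spaces around = or inline comments: vsftpd rejects these"
    fi

    # The built-in default for anonymous_enable is YES.
    if [ "$(vsftpd_get "$conf" anonymous_enable YES)" = YES ]; then
        _warn "anonymous_enable=YES: anonymous logins are allowed"
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$conf" "$k" NO)" = YES ]; then
                _warn "$k=YES: anonymous users can write"
            fi
        done
    fi

    if [ "$(vsftpd_get "$conf" local_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$conf" chroot_local_user NO)" != YES ]; then
        _warn "local users are not chrooted: set chroot_local_user=YES"
    fi

    if [ "$(vsftpd_get "$conf" guest_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$conf" virtual_use_local_privs NO)" = YES ]; then
        _warn "virtual users get local-user privileges: set virtual_use_local_privs=NO"
    fi

    # A passive range of 0 means any free port, which a firewall cannot scope.
    if [ "$(vsftpd_get "$conf" pasv_enable YES)" = YES ]; then
        min=$(vsftpd_get "$conf" pasv_min_port 0)
        max=$(vsftpd_get "$conf" pasv_max_port 0)
        if [ "$min" -eq 0 ] || [ "$max" -eq 0 ]; then
            _warn "passive data ports unrestricted: set pasv_min_port and pasv_max_port"
        fi
    fi

    if [ "$(vsftpd_get "$conf" one_process_model NO)" = YES ]; then
        _warn "one_process_model=YES weakens vsftpd's privilege separation"
    fi
    if [ "$(vsftpd_get "$conf" xferlog_enable NO)" != YES ]; then
        _warn "xferlog_enable is not YES: transfers are not logged"
    fi
    if [ "$(vsftpd_get "$conf" tcp_wrappers NO)" != YES ]; then
        _warn "tcp_wrappers is not YES: hosts.allow/hosts.deny are ignored"
    fi

    printf 'findings: %d\n' "$n"
}

# Constructed sample 1: roughly the stock file with write access switched
# on and one line that vsftpd's parser would reject.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
guest_enable = YES
pasv_enable=YES
EOF

# Constructed sample 2: the virtual-user setup from this article, hardened.
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vftpuser
virtual_use_local_privs=NO
pasv_enable=YES
pasv_min_port=65401
pasv_max_port=65410
xferlog_enable=YES
tcp_wrappers=YES
pam_service_name=vsftpd
EOF

vsftpd_audit "$WEAK_CONF"   # seven WARN lines, then "findings: 7"
vsftpd_audit "$HARD_CONF"   # "findings: 0"
```

Run it against /etc/vsftpd/vsftpd.conf before restarting the service; a deployment script can gate on `vsftpd_audit /etc/vsftpd/vsftpd.conf | grep -q '^WARN'`. Note that the "guest_enable = YES" line in the weak sample is reported twice over: once as a malformed line, and indirectly because the audit, like vsftpd, does not recognise it as setting guest_enable at all.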
4. Required security settings
SELinux
By default, a user who logs in cannot access the data in their home directory (dir works, but no file can be read), and the cause is SELinux. Check the FTP-related booleans:
[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
# Only "allow_ftpd_full_access" and "ftp_home_dir" need to change; -P makes the setting persist across reboots.
[root@localhost ~]# setsebool -P allow_ftpd_full_access 1
[root@localhost ~]# setsebool -P ftp_home_dir 1
[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
Caveat: allow_ftpd_full_access lets vsftpd read and write files regardless of their SELinux label, which throws away most of what the policy buys you. For users confined to home directories, as in the virtual-user setup below, ftp_home_dir on its own is sufficient and is the least-privilege choice; only turn on allow_ftpd_full_access if you really need to serve data outside home directories, and even then consider labelling that data public_content_t or public_content_rw_t instead.
iptables
FTP uses two ports: the command channel on port 21 and a data channel on a port that changes per transfer, which in passive mode is opened on the server. The following rules are needed:
# Load the "ip_conntrack_ftp" and "ip_nat_ftp" helper modules so iptables can track the data connections that FTP negotiates on the command channel (on CentOS 6 kernels these names are aliases for nf_conntrack_ftp and nf_nat_ftp). The line is usually near the bottom of the file; both module names belong on the same IPTABLES_MODULES line, separated by a space, because a second assignment would simply overwrite the first.
[root@localhost ~]# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
# Open port 21 for clients.
# Open the passive data range so clients can connect to it from any unprivileged port; here the server answers on ports 65401 to 65410. This range must match pasv_min_port and pasv_max_port in vsftpd.conf, which still have to be set (the vsftpd.conf changes later in this article do not include them).
[root@localhost ~]# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 65401:65410 --sport 1024:65534 -j ACCEPT
# Restart iptables
[root@localhost ~]# service iptables restart
Two notes. The --sport match is not a security control, since the client chooses its own source port; it only documents intent. And with the conntrack helper loaded, the stock "--state ESTABLISHED,RELATED -j ACCEPT" rule already admits passive data connections as RELATED, so the explicit range rule is what keeps passive mode working when the helper is not loaded.
5. Virtual account configuration
Add virtual users and a password file
# Create the virtual user file: alternating lines, a username followed on the next line by its password, with no blank lines. It holds passwords in clear text, so create it with mode 600.
[root@localhost ~]# vim /etc/vsftpd/vftpuser.txt
test1
123456
test2
123456
Generate the virtual user password database
Convert vftpuser.txt into the Berkeley DB hash database that pam_userdb reads.
# Check that db4-utils, which provides db_load, is installed; if not, install it with rpm or yum.
[root@localhost ~]# rpm -qa | grep db4-utils
# Generate the database with db_load.
[root@localhost ~]# db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db
The database contains the passwords in clear text just like the text file, so restrict both to root (chmod 600). That is sufficient: PAM authentication runs in vsftpd's privileged parent process, not in the unprivileged child. pam_userdb can alternatively be given the crypt=crypt option, in which case the values in the database must be crypt(3) hashes rather than plaintext passwords.
Edit vsftpd's PAM service file
# Comment out the existing lines and add the two pam_userdb lines. The db= argument is the path of the generated database without the .db suffix.
[root@localhost ~]# vi /etc/pam.d/vsftpd
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vftpuser
account required pam_userdb.so db=/etc/vsftpd/vftpuser
#session    optional     pam_keyinit.so    force revoke
#auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth       required     pam_shells.so
#auth       include      password-auth
#account    include      password-auth
#session    required     pam_loginuid.so
#session    include      password-auth
With the stock lines commented out, system accounts can no longer authenticate to FTP through this service, which is what a virtual-user-only server wants. Be aware that the /etc/vsftpd/ftpusers deny list enforced by pam_listfile no longer applies either; vsftpd's own user_list (userlist_enable) still does.
Create the local mapping user and set the home directory permissions
# Every virtual user maps onto one system user. It needs no password and must not be able to log in to the system, hence the nologin shell. useradd creates the home directory.
[root@localhost ~]# useradd -d /home/vftpsite -s /sbin/nologin vftpuser
# Pay attention to the ownership and permissions of the home directory; otherwise virtual users can log in but cannot read or write anything.
[root@localhost ~]# chown -R vftpuser:vftpuser /home/vftpsite
Note that all virtual users run as this one uid, so on the filesystem they are indistinguishable: anything test1 uploads, test2 can read and delete. Per-user directories (a local_root in each user's own configuration file, see section 6) are what separate them.
Configure vsftpd.conf (virtual user items)
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
# enable virtual users
guest_enable=YES
# local account the virtual users are mapped to
guest_username=vftpuser
# PAM service file used for the FTP virtual users
pam_service_name=vsftpd
The stock CentOS file also has anonymous_enable=YES; set it to NO unless anonymous access is actually wanted.
Restart vsftpd
[root@localhost ~]# service vsftpd restart
Test virtual user login
C:\> ftp 192.168.1.254
Connected to 192.168.1.254.
220 (vsFTPd 2.2.2)
User (192.168.1.254:(none)): test1
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Mar 02 21:04 test
226 Directory send OK.
ftp: 62 bytes received in 0.00 seconds, 62.00 KB/s.
ftp>
6. Advanced virtual user settings
The virtual_use_local_privs parameter
# Virtual users get the same permissions as local users (write_enable and the local_* options govern them):
virtual_use_local_privs=YES
# Virtual users get the same permissions as anonymous users, i.e. the anon_* options govern them. This is the default and the safer choice:
virtual_use_local_privs=NO
Independent configuration file for each virtual user (not verified)
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
# Name a directory that holds one configuration file per virtual user, each file named after the user, and add:
user_config_dir=/etc/vsftpd/vftpuser_conf
# Edit the configuration file for test1:
[root@localhost ~]# vim /etc/vsftpd/vftpuser_conf/test1
# Read, write, download and upload permissions can be set per user, for example:
# allow writes at all
write_enable=YES
# allow downloads of files that are not world-readable
anon_world_readable_only=NO
# allow uploads
anon_upload_enable=YES
# allow creating directories
anon_mkdir_write_enable=YES
# allow deleting and renaming
anon_other_write_enable=YES
Options in a per-user file override vsftpd.conf for that user's session; a user without a file gets the global settings. A per-user local_root pointing at a directory of that user's own is what keeps virtual users, who all share the guest_username uid, out of each other's files.
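An added example, not from the original article, serving both the password-file step in section 5 and the per-user configuration files above: it validates vftpuser.txt the way db_load will read it (pairs of lines, nothing blank, no duplicate or unsafe usernames) and writes one least-privilege configuration file per user under user_config_dir. The function names, the temporary sample file and the per-user directory layout under /home/vftpsite are this example's own; the real paths are the ones the article uses, and db_load itself is shown but not run.

```shell
#!/bin/sh
# Added example, not part of the original article: validate the virtual-user
# password file and generate one least-privilege config per user for
# user_config_dir. The sample file below is constructed; the real paths are
# /etc/vsftpd/vftpuser.txt and /etc/vsftpd/vftpuser_conf as in the article.

# db_load pairs line 1 with line 2, line 3 with line 4, and so on, so a
# blank or missing line silently shifts every later password onto the
# wrong user. Usernames also become file names under user_config_dir, so
# they are restricted to a safe character set. Returns 0 if usable.
vftp_check_userfile() {
    f=$1
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "ERROR: blank line in $f" >&2; return 1
    fi
    lines=$(awk 'END { print NR }' "$f")
    if [ $((lines % 2)) -ne 0 ]; then
        echo "ERROR: $f has $lines lines, expected username/password pairs" >&2; return 1
    fi
    users=$(awk 'NR % 2 == 1' "$f")
    if printf '%s\n' "$users" | sort | uniq -d | grep -q .; then
        echo "ERROR: duplicate username in $f" >&2; return 1
    fi
    if printf '%s\n' "$users" | grep -qv '^[a-z_][a-z0-9_-]*$'; then
        echo "ERROR: username with unsafe characters in $f" >&2; return 1
    fi
    return 0
}

# Write the per-user file for user_config_dir. MODE is "ro" (download only)
# or "rw" (upload, mkdir, delete and rename). With virtual_use_local_privs=NO
# virtual users are governed by the anon_* options, so those are what is set.
# ROOT, if given, becomes the user's own local_root so that users sharing the
# guest_username uid cannot read each other's uploads.
vftp_write_user_conf() {
    dir=$1; user=$2; mode=$3; root=$4
    mkdir -p "$dir"
    {
        echo "# generated for virtual user $user"
        echo "anon_world_readable_only=NO"
        if [ -n "$root" ]; then echo "local_root=$root"; fi
        if [ "$mode" = rw ]; then
            echo "write_enable=YES"
            echo "anon_upload_enable=YES"
            echo "anon_mkdir_write_enable=YES"
            echo "anon_other_write_enable=YES"
            echo "anon_umask=077"
        else
            echo "write_enable=NO"
            echo "anon_upload_enable=NO"
            echo "anon_mkdir_write_enable=NO"
            echo "anon_other_write_enable=NO"
        fi
    } >"$dir/$user"
}

# Validate the password file, restrict it to its owner (it holds cleartext
# passwords), generate a read-only config for every user and print the
# number of users. Promote individual users to "rw" afterwards.
vftp_provision() {
    txt=$1; dir=$2
    vftp_check_userfile "$txt" || return 1
    chmod 600 "$txt"
    count=0
    for u in $(awk 'NR % 2 == 1' "$txt"); do
        vftp_write_user_conf "$dir" "$u" ro
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample input with the same two accounts as the article.
TMP=$(mktemp -d)
cat >"$TMP/vftpuser.txt" <<'EOF'
test1
123456
test2
123456
EOF

USERS=$(vftp_provision "$TMP/vftpuser.txt" "$TMP/vftpuser_conf")
echo "provisioned $USERS users"
# test2 gets read-write access in a directory of its own.
vftp_write_user_conf "$TMP/vftpuser_conf" test2 rw /home/vftpsite/test2

# Next step on the server (not run here): build the database pam_userdb reads.
# db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db
# chmod 600 /etc/vsftpd/vftpuser.db
```

Every user starts read-only and is opened up deliberately, one at a time, which is the opposite of the article's example file that grants all write permissions at once. The local_root directory for a read-write user must exist and be owned by the guest_username account (vftpuser) before that user logs in.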