FTP service: network sharing, ftp service network sharing

Source: Internet
Author: User
Tags: crypt, sha1, encryption, ftp, protocol

Preface

This article covers some of the FTP services that are commonly used in daily work: how to set up an FTP service and how to manage it.

FTP

FTP: the File Transfer Protocol is a standard protocol for transferring files over a network. It belongs to the application layer, runs on top of TCP, and uses a client/server (C/S) architecture. Server applications that implement the FTP protocol include wu-ftpd, proftpd, and vsftpd.

File Sharing

Network file systems (NFS, CIFS), the application-layer protocol FTP, and file-system-based data synchronization tools (rsync, sersync) all enable file sharing between different hosts.

FTP protocol

FTP communication has two sessions:

Command connection: carries the commands sent by the client. It persists for the whole session and is closed when the client decides to disconnect.

Data connection: the connection over which the data itself is transferred.

FTP communication mode:

Active mode: the client picks an unprivileged port N and connects to port 21 of the FTP server to open the command connection. The client then listens on port N+1 and tells the server that port N+1 can be connected to; the server connects from its port 20 to the port announced by the client to establish the data connection. The defect of this mode is that the client usually sits behind strict firewall rules and may reject the inbound connection initiated by the server, so the data transfer fails.

Passive mode: as in active mode, the client first establishes the command connection with the server and then negotiates passive mode. The server opens a random port for the data connection and returns it to the client; when the client receives the port announced by the server, it connects from a random port of its own to that server port to establish the data connection. This mode has its own problem: opening random ports on the server is itself a security weakness for the server. Linux also offers a connection-tracking mechanism (the nf_conntrack_ftp helper) that reads the port negotiated on the command connection and lets the firewall open that random port dynamically.
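As an added example (not part of the original article), the following Python code decodes the host/port tuple that both modes exchange on the command connection: the PORT command a client sends in active mode and the 227 reply a server sends in passive mode. This is what the Linux FTP connection-tracking helper parses to open only the negotiated data port, and the check against the control-connection address is the caveat a client or firewall should apply before trusting an advertised address. The sample messages are constructed.

```python
import re
import ipaddress

# Constructed sample messages (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (172,16,200,200,195,149)."  # server -> client
PORT_CMD = "PORT 172,16,200,201,156,35"                              # client -> server

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def passive_data_endpoint(reply, control_server_ip):
    """Passive mode: where the client must connect after a 227 reply.

    The advertised host must equal the server we hold the command connection
    with; otherwise a client, or a firewall helper that opens ports based on
    this reply, would be steered towards a third host."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    ip, port = decode_hostport(reply)
    if ip != control_server_ip:
        raise ValueError("advertised host %s differs from control host %s" % (ip, control_server_ip))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return ip, port


def encode_port_command(client_ip, control_port):
    """Active mode: the client listens on N+1 and announces it with PORT."""
    data_port = control_port + 1
    if data_port > 65535:
        raise ValueError("data port out of range")
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), data_port // 256, data_port % 256)


if __name__ == "__main__":
    print(passive_data_endpoint(PASV_REPLY, "172.16.200.200"))  # ('172.16.200.200', 50069)
    print(decode_hostport(PORT_CMD))                             # ('172.16.200.201', 39971)
    print(encode_port_command("172.16.200.201", 39970))          # PORT 172,16,200,201,156,35
```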

vsftpd installation and configuration

Install

yum install vsftpd

File Layout

/etc/logrotate.d/vsftpd                  # log rotation script
/etc/pam.d/vsftpd                        # PAM configuration file
/usr/lib/systemd/system/vsftpd.service   # service unit file
/etc/vsftpd                              # configuration file directory
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf                  # main configuration file
/var/ftp                                 # data file directory
/var/ftp/pub                             # download directory for anonymous users

Configuration

Basic Configuration

Note that vsftpd requires every option to be written as option=value, with no spaces around the equals sign.

# Enable anonymous users
anonymous_enable=YES
# Allow local users to log on
local_enable=YES
# Chroot local users into their home directories
chroot_local_user=YES
# Enable the chroot user list (the exceptions to chroot_local_user)
chroot_list_enable=YES
# Path of the chroot user list file.
# If chroot_local_user=NO, the users in chroot_list are the ones that are chrooted;
# if chroot_local_user=YES, the users in chroot_list are the ones that are not chrooted.
chroot_list_file=/etc/vsftpd/chroot_list
# Whether local users are allowed to upload (write)
write_enable=YES

Anonymous user configuration

# Allow anonymous users to log on
anonymous_enable=YES
# Allow anonymous uploads (the local file system must also grant write permission)
anon_upload_enable=YES
# Allow anonymous users to delete and rename files
anon_other_write_enable=YES
# Allow anonymous users to create directories
anon_mkdir_write_enable=YES

NOTE: In newer versions of vsftpd, a chrooted user cannot log on if the user's home directory is writable by that user. Solution: chmod a-w /home/user_dir_name. For upload permission, both the file system permission and the server configuration must allow it: create a subdirectory under the user's home directory and grant the corresponding user write permission on that subdirectory.

Logon restriction configuration

# Enable the user list; whether the listed users are denied or allowed depends on userlist_deny
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
# userlist_deny=YES (the default): the users listed in user_list are denied logon.
# userlist_deny=NO: only the users listed in user_list are allowed to log on.
userlist_deny=YES

Xinetd startup mode configuration

# Copy the xinetd configuration file shipped with the vsftpd documentation
cp /usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd /etc/xinetd.d/vsftpd
# Edit /etc/xinetd.d/vsftpd so that it reads:
# vsftpd is the secure FTP server.
service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/vsftpd
    port            = 21
    protocol        = tcp
    log_on_success  += pid host duration
    log_on_failure  += HOST
    instances       = 20
}
# Then, because xinetd now owns the listening socket, set in /etc/vsftpd/vsftpd.conf:
listen=NO
listen_ipv6=NO

FTP configuration for SSL encrypted transmission

# Enable SSL/TLS encrypted transmission
ssl_enable=YES
# Do not allow anonymous users to use SSL
allow_anon_ssl=NO
# Require non-anonymous users to use SSL for data transfers
force_local_data_ssl=YES
# Require non-anonymous users to use SSL when sending their passwords
force_local_logins_ssl=YES
# Protocol versions: allow TLSv1, disable SSLv2 and SSLv3
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Certificate path
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
# Private key path
rsa_private_key_file=/etc/vsftpd/ssl/private/vsftpd.key
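As an added example (not from the original article), the following Python snippet parses a vsftpd.conf in the strict option=value form vsftpd requires and flags the settings from the sections above that weaken the service: anonymous write access, unchrooted local users, cleartext logins and obsolete SSL versions. The configuration text is constructed for the demonstration.

```python
# Constructed sample configuration (not a real server's file).
SAMPLE_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
force_local_logins_ssl=NO
"""


def parse_vsftpd_conf(text):
    """Parse option=value lines; vsftpd itself rejects whitespace around '='."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            raise ValueError("line %d: expected option=value without spaces: %r" % (lineno, raw))
        conf[key] = value
    return conf


def audit_vsftpd_conf(conf):
    """Return a list of findings; an empty list means none of the checks fired.

    A missing option is treated as NO here. vsftpd's compiled-in default for
    anonymous_enable is YES, so always set it explicitly in the real file."""
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    if on("anonymous_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
        findings.append("anonymous users may upload or create directories")
    if on("anonymous_enable") and on("anon_other_write_enable"):
        findings.append("anonymous users may delete or rename files")
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("local users are not chrooted to their home directories")
    if not on("ssl_enable"):
        findings.append("ssl_enable is off: passwords and data travel in cleartext")
    else:
        if on("ssl_sslv2") or on("ssl_sslv3"):
            findings.append("obsolete SSLv2/SSLv3 enabled")
        if on("local_enable") and not on("force_local_logins_ssl"):
            findings.append("local users may log on without TLS, exposing passwords")
    return findings
```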

MySQL-based vsftpd virtual users

Note: This experiment uses two CentOS hosts: one as the FTP server and the other as the database server.

1. Install the required packages

On the database server (CentOS 7):

yum -y install mariadb-server
systemctl start mariadb.service
systemctl enable mariadb

On the database server (CentOS 6):

yum -y install mysql-server

Install the vsftpd and pam_mysql packages on the FTP server.
CentOS 6: pam_mysql is provided by the EPEL repository:

yum install vsftpd pam_mysql

Implement vsftpd virtual users based on MySQL authentication
CentOS 7: there is no rpm package for pam_mysql, so it must be compiled and installed manually:

yum -y groupinstall "Development Tools"
yum -y install mariadb-devel pam-devel vsftpd

Download pam_mysql-0.7RC1.tar.gz, then build and install it:

tar xvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
./configure --with-mysql=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
make
make install

2. Create the virtual user accounts on the database server
1. Create the database that stores the virtual users, and the database user that connects to it

mysql> CREATE DATABASE vsftpd;
mysql> SHOW DATABASES;

If the FTP service and MySQL are not on the same host:

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@'172.16.%.%' IDENTIFIED BY 'magedu';

If the FTP service and MySQL are on the same host:

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'magedu';
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'magedu';
mysql> FLUSH PRIVILEGES;

2. Prepare related tables

mysql> USE vsftpd;
mysql> SHOW TABLES;
mysql> CREATE TABLE users (
    id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    name CHAR(50) BINARY NOT NULL,
    password CHAR(48) BINARY NOT NULL
);
mysql> DESC users;

Test the connection from the FTP server

mysql -uvsftpd -h 172.16.200.200 -pmagedu
mysql> SHOW DATABASES;

3. Add virtual users

Add users as needed. For security, store the passwords hashed with MySQL's PASSWORD() function rather than in cleartext.

mysql> DESC users;
mysql> INSERT INTO users(name,password) VALUES('wang',PASSWORD('magedu'));
mysql> INSERT INTO users(name,password) VALUES('mage',PASSWORD('magedu'));
mysql> SELECT * FROM users;

3. Configure the vsftpd service on the FTP server
1. Create the file required for PAM authentication on the FTP server

Edit /etc/pam.d/vsftpd.mysql (vi /etc/pam.d/vsftpd.mysql) and add the following two lines:

auth required pam_mysql.so user=vsftpd passwd=magedu host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=magedu host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

NOTE: Refer to the pam_mysql README to select the correct password hashing method.
crypt selects how the stored password is hashed: 0 means no hashing (cleartext), 1 means crypt(3), 2 means MySQL's PASSWORD() function, 3 means MD5, and 4 means SHA1.

Description of the configuration fields:
auth: the authentication management group; it verifies the account's password.
account: the account management group; it checks that the account is valid.
required: the module must succeed for authentication to succeed.
pam_mysql.so: the module, given as a path relative to /lib64/security/; an absolute path also works.
user=vsftpd: the MySQL user used to log on to MySQL.
passwd=magedu: the password of that MySQL user.
host=mysqlserver: host name or IP address of the MySQL server.
db=vsftpd: the database to connect to.
table=users: the table in that database.
usercolumn=name: the column used as the user name field.
passwdcolumn=password: the column used as the password field.
crypt=2: the stored password is hashed with MySQL's PASSWORD() function.
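As an added example (not from the original article or from pam_mysql itself), the Python code below reproduces the hash formats behind the crypt values listed above for modes 2, 3 and 4, so an administrator can check what a row in the users table should look like and compare a candidate password against it the way pam_mysql does. Mode 2 is MySQL's PASSWORD(): '*' followed by the uppercase hex of SHA1(SHA1(password)); modes 3 and 4 are the lowercase hex digests that MySQL's MD5() and SHA1() return. None of these schemes uses a salt, which the constructed rows for wang and mage (both 'magedu', as inserted above) make visible.

```python
import hashlib
import hmac


def mysql_password(password):
    """crypt=2: MySQL PASSWORD() = '*' + upper-hex SHA1 of the raw SHA1 digest."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def pam_mysql_hash(password, crypt):
    """Transform a cleartext password as pam_mysql does for the given crypt value.

    0 = cleartext, 2 = PASSWORD(), 3 = MD5 hex, 4 = SHA1 hex.
    crypt=1 (crypt(3)) depends on the stored salt and is not modelled here."""
    data = password.encode("utf-8")
    if crypt == 0:
        return password
    if crypt == 2:
        return mysql_password(password)
    if crypt == 3:
        return hashlib.md5(data).hexdigest()
    if crypt == 4:
        return hashlib.sha1(data).hexdigest()
    raise ValueError("unsupported crypt value %r" % crypt)


def verify_password(stored, candidate, crypt):
    """Constant-time comparison of a stored column value with a candidate password."""
    return hmac.compare_digest(stored, pam_mysql_hash(candidate, crypt))


# Constructed rows mirroring the INSERT statements above (crypt=2 column values).
USERS_TABLE = {
    "wang": mysql_password("magedu"),
    "mage": mysql_password("magedu"),
}


def same_password_same_hash(table):
    """True when two rows share a hash: unsalted schemes expose shared passwords."""
    hashes = list(table.values())
    return len(hashes) != len(set(hashes))


if __name__ == "__main__":
    for name, stored in USERS_TABLE.items():
        print(name, stored, verify_password(stored, "magedu", 2))
    print("identical hashes for identical passwords:", same_password_same_hash(USERS_TABLE))
```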

2. Create the mapped system user and modify the vsftpd configuration file for MySQL authentication.
Create the system user and directory that the virtual users are mapped to:

useradd -s /sbin/nologin -d /var/ftproot vuser
chmod 555 /var/ftproot        # on CentOS 7, remove the write permission from the home directory
mkdir /var/ftproot/{upload,pub}
setfacl -m u:vuser:rwx /var/ftproot/upload

Make sure the following option is enabled in /etc/vsftpd/vsftpd.conf:

anonymous_enable=YES 

Add the following two items

guest_enable=YES
guest_username=vuser

Modify the following item; after this change, the original system users can no longer log on:

pam_service_name=vsftpd.mysql

4. Start the vsftpd service

service vsftpd start; chkconfig vsftpd on          # CentOS 6
systemctl start vsftpd; systemctl enable vsftpd     # CentOS 7

Check that the port is listening:

netstat -tnlp |grep :21 

5. SELinux settings (run on the FTP server)

restorecon -R /lib64/security
setsebool -P ftpd_connect_db 1
setsebool -P ftp_home_dir 1
chcon -R -t public_content_rw_t /var/ftproot/

6. Test: log on with an FTP client as a virtual user and verify the result; the authentication log is in /var/log/secure:

tail /var/log/secure

7. Give virtual users on the FTP server different access permissions
vsftpd can provide a separate configuration file for each user in a configuration directory to define that user's access permissions to the FTP service. Each virtual user's configuration file has the same name as the virtual user. The configuration directory can be any unused directory; you only need to specify its path in vsftpd.conf.

1. Configure the directory that holds the virtual users' configuration files

Add the following option to /etc/vsftpd/vsftpd.conf:

user_config_dir=/etc/vsftpd/vusers_config

2. Create the desired directory and provide the configuration file for the virtual user

mkdir /etc/vsftpd/vusers_config/
cd /etc/vsftpd/vusers_config/
touch wang mage

3. Configure the virtual users' access permissions
A virtual user's access permissions to the vsftpd service are controlled by the anonymous-user directives. For example, to allow user wang to upload files, edit /etc/vsftpd/vusers_config/wang and add the following options set to YES; set them to NO for read-only access.
Note: the mapped system user must also have write permission on the file system.

anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
local_root=/ftproot
