FTP is a TCP-based service and does not use UDP. It reduces or eliminates file-handling incompatibilities between different operating systems. FTP uses two ports: a data port and a command port (also called the control port). These are normally port 21 (command) and port 20 (data). However, the data port is not always 20 for FTP operations; this is the main difference between active and passive FTP.
1) Active mode
In both active and passive mode the client connects from an arbitrary non-privileged port N (N > 1024) to the server's command port, port 21. In active mode the client then starts listening on port N+1 and sends the FTP command PORT, naming N+1, to the server. The server then connects from its own data port 20 to the data port N+1 specified by the client. The address and port in the PORT command are sent as six decimal numbers, h1,h2,h3,h4,i,j: the first four are the client's IP address and the port is i*256 + j.
2) Passive mode
In passive FTP both the command connection and the data connection are initiated by the client, which avoids the problem of the server's inbound connection to the client's data port being filtered out by a firewall.
When the FTP session is opened, the client opens two arbitrary non-privileged local ports N and N+1 (N > 1024). The first connects to port 21 on the server, but unlike active FTP the client does not send a PORT command asking the server to connect back to its data port. Instead it sends the PASV command. The server then opens an arbitrary non-privileged port P (P > 1024) and tells the client the port P in its reply. The client then opens a connection from its local port N+1 to port P on the server to transfer data.
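The h1,h2,h3,h4,p1,p2 encoding used by PORT and by the PASV reply, as an added example (not code from the original post): it builds a PORT argument, decodes a 227 reply, and flags a reply whose advertised address differs from the server the control connection was opened to, a check that is an addition of this example, not something the text describes.

```python
import re

def encode_port_argument(ip: str, port: int) -> str:
    """Argument of an active-mode PORT command: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 1024 < port <= 65535:          # the client listens on a non-privileged port N+1
        raise ValueError(f"data port must be a non-privileged port: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])

_ADDR_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_address_tuple(text: str) -> tuple:
    """Decode h1,h2,h3,h4,p1,p2 (a PORT argument or a 227 PASV reply) into (ip, port)."""
    m = _ADDR_TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_pasv_reply(reply: str, control_peer: str) -> tuple:
    """Parse the server's '227 Entering Passive Mode (...)' reply.

    Returns (ip, port, redirected). redirected is True when the advertised address is
    not the server we opened the control connection to; a careful client then connects
    to control_peer on the advertised port instead of following the advertised address.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    ip, port = decode_address_tuple(reply)
    return ip, port, ip != control_peer

if __name__ == "__main__":
    # Constructed sample exchange; not captured from a real server.
    print("PORT", encode_port_argument("192.168.0.25", 1026))       # client listens on N+1
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,0,81,195,80).", "192.168.0.81"))
```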
II. RHEL6 FTP configuration (vsftpd)
1. FTP service
Start the service.
Error codes: 553 is a permission error, 550 a service error.
getsebool -a | grep ftp    lists the FTP-related SELinux booleans
allow_ftpd_full_access --> on    turning this boolean on removes SELinux's restrictions on ftp
chcon -t public_content_rw_t /var/ftp/pub/    changes the security context of the directory
anon_umask=022    umask for files created by anonymous users, so that uploaded files can be downloaded
anon_mkdir_write_enable=YES    anonymous users may create directories
anon_world_readable_only=NO    anonymous users may download files even without setting anon_umask=022
anon_other_write_enable=YES    anonymous users may delete files
Local users:
lftp -u test 192.168.0.25    (log on as the local user test)
With SELinux enabled, local users are not allowed to change into their home directory:
[root@server81 pub]# setsebool -P ftp_home_dir on    (turns on access to home directories)
Once logged on they can also browse up to the root of the filesystem.
chroot_local_user=NO    local users may leave their home directory and browse up to the filesystem root
chroot_local_user=YES    local users are confined to their home directory (chroot)
chroot_list_enable=NO    /etc/vsftpd/chroot_list is not read, so the chroot_local_user setting applies to everyone; YES: the list is read and the users in it are treated as exceptions
With chroot_local_user=NO:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
(the users added to chroot_list cannot leave their home directory)
With chroot_local_user=YES:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
(the users in chroot_list are allowed to leave their home directory)
chown_uploads=YES
chown_username=test    the owner of each uploaded file is changed to test, so only someone logged on as test can download the uploaded files
userlist_enable=YES    users recorded in the user_list blacklist cannot log on to FTP; NO: user_list is not read
(whether userlist_enable is YES or NO, the permanent blacklist ftpusers is always read)
userlist_deny=NO    turns user_list into a whitelist
If the same user appears in both ftpusers and user_list, the permanent blacklist is consulted first.
Summary of the lists:
ftpusers    permanent reject list
user_list    temporary reject list, which can be converted into a whitelist
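The chroot and login-list rules above, as an added example (not vsftpd's code and not from the original post): a small evaluator that reads the relevant keys from a vsftpd.conf text and answers whether a given user may log on and whether they are confined to their home directory. The defaults, the sample configuration and the sample lists are constructed for the example; the ftpusers check assumes the usual RHEL PAM setup in which that file is always enforced.

```python
from typing import Dict, Tuple

# vsftpd's own defaults for the keys this evaluator looks at (RHEL's shipped
# vsftpd.conf sets userlist_enable=YES explicitly).
DEFAULTS = {"chroot_local_user": "NO", "chroot_list_enable": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES"}

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """key=value lines; '#' starts a comment; a later key overrides an earlier one."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def _on(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, "NO").upper() == "YES"

def login_allowed(conf, user, ftpusers, user_list) -> Tuple[bool, str]:
    """Apply the two lists in the order the text describes: ftpusers always wins."""
    if user in ftpusers:
        return False, "listed in ftpusers (permanent deny list, always read)"
    if _on(conf, "userlist_enable"):
        listed = user in user_list
        if _on(conf, "userlist_deny") and listed:
            return False, "listed in user_list and userlist_deny=YES (blacklist)"
        if not _on(conf, "userlist_deny") and not listed:
            return False, "missing from user_list and userlist_deny=NO (whitelist)"
    return True, "allowed"

def is_chrooted(conf, user, chroot_list) -> bool:
    """chroot_list inverts whatever chroot_local_user says for the users it names."""
    everyone = _on(conf, "chroot_local_user")
    listed = _on(conf, "chroot_list_enable") and user in chroot_list
    return everyone != listed

# Constructed sample configuration: whitelist mode, global chroot with one exception.
SAMPLE_CONF = """
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""
SAMPLE_FTPUSERS = {"root", "bin"}
SAMPLE_USER_LIST = {"test", "root"}
SAMPLE_CHROOT_LIST = {"test"}
```

With the sample files, test may log on and browse the whole filesystem, root is refused by ftpusers even though user_list would admit it, and every other user is refused by the whitelist.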
Serving intranet and Internet addresses:
[root@server81 vsftpd]# ifconfig eth0:0 192.168.0.141 netmask 255.255.255.0
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd1.conf
listen_address=192.168.0.81    this configuration file only listens on 192.168.0.81, i.e. its settings apply only to that IP address. Different IP addresses can be served from different configuration files.
Speed control:
anon_max_rate=10240    maximum transfer rate for anonymous users (10 KB/s; the unit is bytes per second by default)
local_max_rate=102400    maximum transfer rate for local users
Virtual users:
# cd /etc/vsftpd
# vim users
user1      (user name)
westos     (password)
user2
westos
.....
# yum -y install db4-utils
# db_load -T -t hash -f users login.db
Usage of the db_load command
Published by Lin Xi on the morning of 2010-04-12 at 3:41
[root@localhost RPMS]# rpm -ivh db4-utils-4.2.52-7.1.i386.rpm
warning: db4-utils-4.2.52-7.1.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing...                ########################################### [100%]
   1:db4-utils              ########################################### [100%]
[root@localhost RPMS]# db_<Tab>
db_archive  db_checkpoint  db_deadlock  db_dump  db_dump185  db_load  db_printlog  db_recover  db_stat  db_upgrade  db_verify
[root@localhost RPMS]# db_load
usage: db_load [-nTV] [-c name=value] [-f file]
        [-h home] [-P password] [-t btree | hash | recno | queue] db_file
The db_load command requires the db4-utils package, which is on the third CD of RHEL 4.5.
Several relevant options of the db_load command:
-T
  The -T option allows non-Berkeley DB applications to easily load text files into databases.
  If the database to be created is of type Btree or Hash, or the keyword keys is specified as set, the input must be paired lines of text, where the first line of the pair is the key item, and the second line of the pair is its corresponding data item.
  If the database to be created is of type Queue or Recno and the keyword keys is not set, the input must be lines of text, where each line is a new data item for the database.
Option -T lets applications load text files into databases. Since the virtual user information is stored in a text file, this option must be used so that vsftpd can load the user data from text.
  If the -T option is specified, the underlying access method type must be specified using the -t option.
If option -T is specified, the sub-option -t must follow.
-t
  Specify the underlying access method. If no -t option is specified, the database will be loaded into a database of the same type as was dumped; for example, a Hash database will be created if a Hash database was dumped.
  Btree and Hash databases may be converted from one to the other. Queue and Recno databases may be converted from one to the other.
  If the -k option was specified on the call to db_dump then Queue and Recno databases may be converted to Btree or Hash, with the key being the integer record number.
Sub-option -t, given together with -T, specifies the type of database to load the text into. The types that -t accepts are Btree, Hash, Queue and Recno.
-f
  Followed by the text file containing the user names and passwords. Odd lines hold user names and even lines the passwords, for example:
yonghu1
mima1234
yonghu2
mima1234
Convert the user information file to a database of type hash:
db_load -T -t hash -f /etc/vsftpd/logins.txt /etc/vsftpd/vsftpd_login.db
# cd /etc/pam.d
# vim virtual    (custom file name)
auth    required  pam_userdb.so  db=/etc/vsftpd/login
account required  pam_userdb.so  db=/etc/vsftpd/login
(pam_userdb appends the .db suffix itself, so the path is given without it)
# vim /etc/vsftpd/vsftpd.conf
Change:
pam_service_name=virtual    (must be the same as the file name in /etc/pam.d, otherwise error 530 is reported)
Add:
guest_enable=YES
When a virtual user logs on they land directly in the pub directory, because a virtual user has no home directory.
Adding home directories:
cd /var/ftp/
mkdir virtual    (location and name of the directory are up to you)
cd virtual
mkdir user1
mkdir user2    (one directory per virtual user)
Add to the configuration file:
local_root=/var/ftp/virtual/$USER
guest_username=test    virtual users inherit the permissions of the local user test when they log on
user_sub_token=$USER
lftp -u user1 192.168.0.X
tcp_wrappers settings
tcp_wrappers restricts every service built with tcp_wrappers support, similar to a firewall.
# which vsftpd
/usr/sbin/vsftpd
# ldd /usr/sbin/vsftpd    check whether the service is linked against libwrap, i.e. whether it has tcp_wrappers support
# vim /etc/hosts.deny
ALL: ALL
(deny every client access to every service)
# vim /etc/hosts.allow
ALL: 127.0.0.    (allow the local loopback network to use all services)
vsftpd, sshd: 192.168.0.0/24 EXCEPT 192.168.0.141    (or a domain pattern such as .example.com; hosts in the 192.168.0.0/24 block, except .141, may log on to ftp or sshd)
Monitoring logons on the local machine:
ALL: ALL: spawn echo "$(date) from %c to %s" | mail -s warning root
%c    the client (which host and user the connection came from)
%s    the service (which daemon was contacted)
This monitors all clients and services and mails the information to root.
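The hosts.allow / hosts.deny evaluation order described above, as an added example (not tcp_wrappers' code and not from the original post): it implements the subset of hosts_access(5) syntax the rules use (ALL, a trailing-dot network prefix, a leading-dot domain suffix, CIDR, exact match and EXCEPT) and decides access the way tcp_wrappers does. The rule files are constructed to mirror the text.

```python
import ipaddress

def _match_client(pattern: str, client: str) -> bool:
    """Subset of hosts_access(5) client patterns: ALL, 'net.', '.domain', CIDR, exact."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p.endswith("."):                      # network prefix, e.g. 127.0.0. or 192.168.0.
        return client.startswith(p)
    if p.startswith("."):                    # domain suffix, e.g. .example.com
        return client.endswith(p)
    if "/" in p:                             # CIDR, e.g. 192.168.0.0/24
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(p, strict=False)
        except ValueError:                   # client is a host name, not an address
            return False
    return p == client

def _match_daemon(pattern: str, daemon: str) -> bool:
    return pattern in ("ALL", daemon)

def _match_list(spec: str, item: str, match) -> bool:
    """'a, b EXCEPT c' matches item when a or b matches and c does not."""
    head, _, exc = spec.partition(" EXCEPT ")
    hit = any(match(p, item) for p in head.replace(",", " ").split())
    return hit and not (exc and _match_list(exc, item, match))

def _file_matches(rules: str, daemon: str, client: str) -> bool:
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":", 2)          # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue
        if _match_list(fields[0], daemon, _match_daemon) and \
           _match_list(fields[1], client, _match_client):
            return True
    return False

def access_decision(hosts_allow: str, hosts_deny: str, daemon: str, client: str) -> bool:
    """tcp_wrappers order: hosts.allow first (match = permit), then hosts.deny (match = refuse), else permit."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    return not _file_matches(hosts_deny, daemon, client)

HOSTS_DENY = "ALL: ALL\n"                    # constructed rule files mirroring the text
HOSTS_ALLOW = """
ALL: 127.0.0.
vsftpd, sshd: 192.168.0.0/24 EXCEPT 192.168.0.141
"""
```

Because any match in hosts.allow permits the connection, a logging rule such as ALL: ALL: spawn ... placed in hosts.allow grants access to every client it matches; put it in hosts.deny, or add the deny option from hosts_options(5), when it is meant only to log.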
This article is from "Wang zyin's blog", please be sure to keep this source http://wangziyin.blog.51cto.com/6948950/1302946