FTP server deployment and maintenance experience

Source: Internet
Author: User
Tags: ftp protocol

I feel a sense of accomplishment every time I meet a user's needs. Not long ago, I built an FTP server. This case was a bit special because the FTP server runs on the Linux operating system, which offers some additional insights.

Tip 1: Assign groups to users

FTP servers are often used to store files. Therefore, when deploying an FTP server, the network administrator must pay attention to permission management. That is, users should only be able to download work files that they have the right to view, and should only be able to upload files to the specified directory. An enterprise has many employees, and setting permissions for each employee separately is a very large workload. It is therefore recommended that you manage permissions in FTP server management through groups, as you would for operating system users: set the permissions on the group, then add users to the group so that they inherit those permissions automatically. For example, if 10 users need similar permissions, you only need to create one group for them and set the permissions for that group once. Managing users through groups reduces the workload and gives you unified management.

This time I used the vsftpd server. Once the server is installed, three groups are already set up for the network administrator. Generally, as long as the requirements for user permission management are not strict, these default groups are all you need. Even if the enterprise is strict about permission management, you can use their permission settings as a template and adjust them. On the vsftpd server, the default groups are the real group, the guest group, and the anonymous group.

Of the three groups, the real group has the highest permissions. Users in this group can access not only their own home directory but also the directories of other users. For example, take a user named Amy. After the account is created on the FTP server, the operating system automatically creates a home directory (/home/Amy) for the user under /home. After the user logs in with this account, the server treats that directory as the user's main directory. However, the user can still access other directories, that is, switch to other users' main directories.

Second, the permissions of the guest group are not small either. This group has more permissions than the Guest account in the operating system. In some cases, the network administrator may require that some users can access only their own home directories and not those of others. Indeed, this is the most basic permission control rule for FTP servers. To implement this control, you only need to add the user to the guest group. By default, users in this group can access only their home directories and cannot access files outside them.

The third group is the anonymous group. By default, this group has the minimum permissions. Its users can only download files from restricted directories and cannot upload files to the FTP server. However, this group is usually disabled for security reasons. That is, without an account you cannot download any files from the FTP server.

Tip 2: Set groups for specific applications

During the deployment of the FTP server, I found that the FTP server is not necessarily used only by ordinary users; system administrators may also need it. For example, the database administrator may need an FTP server for remote backup. The database administrator first backs up the database locally. After the backup succeeds, the backup file is sent to a remote server over the FTP protocol. Of course, these operations are carried out by a script file combined with the task scheduling function of the operating system.

So what does this mean for network administrators deploying FTP servers? On receiving this requirement, my first response was to set up an independent group for it. This is mainly because these backup files often hold the essence of an application. If a user steals the backup files and restores them to their own database, all of the enterprise's information, including customer and price information, will be leaked. In addition, these backup files are the final guarantee for data recovery when the application server fails in the future. If the backup files are maliciously damaged, it will be difficult to use them to restore as much data as possible later.

After learning about the enterprise's needs, I decided to set up an independent group for these users. These accounts are used for file backup and not for other purposes. Therefore, I set this group to allow access only to the account's own home directory and not to other directories (refer to the settings of the guest group). What are the benefits? Suppose an enterprise has database servers, email servers, OA servers, and so on, all of which must be backed up remotely through the FTP server. I can then create three users that all belong to this group, and these three accounts are used to upload local backup files to the FTP server for remote backup. Since each of the three users can access only its own directory, they are independent of each other. No account can see the files uploaded by another account or upload files to another user's home directory. This gives each of them a relatively independent working environment, which reduces interference with their remote backups.

For this reason, I believe you should not only manage the permissions of FTP server users by group, but also set up independent groups based on the purpose the FTP server is used for. For example, when programs use the FTP protocol, it is necessary to set up independent groups for them so that other common user groups cannot interfere with them.

Tip 3: Set disk quotas for different users

When deploying an FTP server, you must decide how much each user can upload to the FTP server. In general, I suggest you set a maximum limit for each user, because an FTP server is used by more than one user. If every user can upload files without restriction and nothing is cleaned up in time, the hard disk of the FTP server will soon be full. For ordinary users, the FTP server is only a file transfer station, not a file backup server. You therefore need to set the maximum capacity limit based on your needs.

On the vsftpd server, you can set the maximum capacity limit for users at the group level. For example, you can set up a group for each department and specify the maximum space available to each user in the group. Users added to this group are then automatically subject to this limit. When the available space is restricted, users are forced to clean up their content on the FTP server in time. Clearing unnecessary files promptly not only saves space but also helps security. In addition, you can set the maximum available space for a department as a whole: set up a group for each department, and then set the maximum space limit for the group. The users added to the group then share the space (it is shared, not divided equally). This gives the department owner more flexibility to manage the space as needed.

Tip 4: restrict some accounts from using FTP servers

In fact, for most network administrators, managing FTP servers is no small subject. In some cases, certain special accounts need to be kept from using the FTP server, because they would endanger its security. If you deploy an FTP server on a Linux operating system, you must restrict the root account from using the FTP server. The root account has the highest management permissions in the operating system. If this user is allowed to access the FTP server, the account is not restricted by group permissions. That is, even if the root account is assigned to the guest group, it can still access files outside the main directory, which undermines the security model you have set up. Therefore, no matter which operating system the FTP server is deployed on, the network administrator needs to know whether the operating system has similarly privileged accounts. If so, you need to deny them access to the FTP server.
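The controls from Tips 1, 2 and 4 (anonymous logins disabled, accounts confined to their home directories, root barred from FTP) can be checked against a vsftpd.conf. The shell script below is an added example, not part of the original article; it relies on vsftpd's documented option names and defaults, while the function names, the sample files and passing the user list as a separate file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the controls the article describes.
# The configuration and user-list contents below are constructed samples.

# Print the effective value of OPTION in FILE (the last assignment is used),
# upper-cased, or DEFAULT (vsftpd's built-in default) when it is not set.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr 'a-z' 'A-Z')
    printf '%s\n' "${val:-$3}"
}

# Succeed when the boolean OPTION is enabled in FILE.
is_on() {
    case $(conf_get "$1" "$2" "$3") in YES|TRUE|1) return 0 ;; esac
    return 1
}

# audit_vsftpd CONF USERLIST: print one finding per line, nothing when clean.
# USERLIST is a copy of the file named by userlist_file. PAM-based blocking
# (pam_listfile with an ftpusers file) is distribution-specific and not checked.
audit_vsftpd() {
    conf=$1 userlist=$2 root_listed=no
    grep -qx 'root' "$userlist" && root_listed=yes
    if is_on "$conf" anonymous_enable YES; then
        echo "anonymous_enable: anonymous logins are allowed"
    fi
    if ! is_on "$conf" chroot_local_user NO; then
        echo "chroot_local_user: local users can leave their home directory"
    elif is_on "$conf" chroot_list_enable NO; then
        echo "chroot_list_enable: users in chroot_list_file are exempt from the chroot"
    fi
    if ! is_on "$conf" userlist_enable NO; then
        echo "userlist_enable: no user list in force, root is not blocked"
    elif is_on "$conf" userlist_deny YES; then      # list is a deny list
        [ "$root_listed" = yes ] || echo "userlist: deny list does not name root"
    else                                            # list is an allow list
        [ "$root_listed" = no ] || echo "userlist: allow list names root"
    fi
}

tmp=$(mktemp -d)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' > "$tmp/weak.conf"
: > "$tmp/weak.list"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' \
    'userlist_enable=YES' 'userlist_deny=YES' > "$tmp/hard.conf"
printf '%s\n' '# accounts denied FTP login' 'root' > "$tmp/hard.list"
echo "weak.conf:"; audit_vsftpd "$tmp/weak.conf" "$tmp/weak.list"
echo "hard.conf:"; audit_vsftpd "$tmp/hard.conf" "$tmp/hard.list"
rm -rf "$tmp"
```

The weak sample produces three findings because vsftpd's defaults allow anonymous logins and enable neither the chroot nor the user list; the hardened sample produces none.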

It can be seen that the FTP server is relatively simple to deploy and has developed into a mature environment. However, the requirements of enterprise users are constantly changing. For this reason, the network administrator also needs to adjust the FTP deployment policy in time to meet users' needs.
