FTP Service-Implementing VSFTPD virtual users

Source: Internet
Author: User
Tags: auth chmod crypt mkdir

The previous articles covered the fundamentals; this one works through several concrete cases.

Implementation: file-based authentication of vsftpd virtual users, with a separate folder for each user

1. Create the user database file

vim /etc/vsftpd/vusers.txt
qq
centos
momo
centos

Note: the file format is one username on each odd line and that user's password on the even line that follows it

2. Set permissions on this file and convert it into a DB file

Note: the permissions are tightened for security, because the file holds the passwords in plaintext
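As an added example (not part of the original article), the following shell functions carry out steps 1 and 2: they check that vusers.txt keeps the username/password line pairing, build the hash DB that pam_userdb reads, and restrict both files to root. db_load is assumed to be installed (CentOS package libdb-utils or db4-utils); the file paths are parameters whose suggested values mirror the article.

```shell
#!/bin/sh
# Added example, not from the original article: build the pam_userdb
# database from the odd-line-username / even-line-password file.
# Assumes db_load (CentOS package libdb-utils / db4-utils) is installed.

# check_vusers FILE: verify the layout (every username has a password line,
# no blank lines) and print the usernames. Returns 1 on a malformed file.
check_vusers() {
    file="$1"
    [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 1; }
    n=$(grep -c '' "$file" || true)      # line count; last line may lack \n
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "error: $file must hold username/password line pairs" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$file"; then
        echo "error: $file contains a blank line" >&2
        return 1
    fi
    awk 'NR % 2 == 1' "$file"
}

# build_vusers_db FILE DB: generate the hash DB that pam_userdb reads, then
# restrict both files to root (they contain plaintext passwords).
# The db= path in the PAM file is DB without its .db suffix.
build_vusers_db() {
    file="$1"; db="$2"
    check_vusers "$file" > /dev/null || return 1
    db_load -T -t hash -f "$file" "$db" || return 1
    chmod 600 "$file" "$db"
}

# usage (run as root):
#   build_vusers_db /etc/vsftpd/vusers.txt /etc/vsftpd/vusers.db
```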

3. Create a Linux user and the FTP directory (the virtual accounts will later be mapped onto this account)

useradd -s /sbin/nologin vftpuser
chmod 555 /home/vftpuser/    # remove the write permission from the user's home directory

Note: the mapped account has no write permission on the FTP root (its home directory)

mkdir upload    # create the folder used for uploads
chown vftpuser upload/

Note: change the owner of this folder to vftpuser. /home/vftpuser/ is also the FTP root for the second user, who has no write permission on the root itself, but the upload directory under the root is writable.

Enable the anonymous write permissions (anon_upload_enable and anon_mkdir_write_enable in the vsftpd configuration)

4. Create the PAM configuration file

vim /etc/pam.d/vusers.db    # the file can have any name

auth    required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers

Note: the name vusers must match the name of the xxxx.db file generated in step 2; the db= path is written without the .db suffix, which pam_userdb appends itself.
5. Tell the main configuration file which PAM service file (the one created in step 4) it should use

Note: the users listed in vusers.txt are now legitimate users and can log in

6. Map all logins onto the vftpuser account we created and turn off login with real Linux system accounts

vim /etc/vsftpd/vsftpd.conf

guest_enable=YES
guest_username=vftpuser

7. Give each virtual user its own configuration file

vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/vftpuser.d/

Create the folder named above if it does not already exist:
mkdir /etc/vsftpd/vftpuser.d/

Create a configuration for the virtual user inside this directory:
[root@centos7_77 vftpuser.d]# cat > qq
anon_upload_enable=YES
anon_mkdir_write_enable=YES

Note: this gives the virtual user qq anonymous-style write permission

8. Let the two virtual users see different folders when they log in

vim /etc/vsftpd/vftpuser.d/qq

local_root=/data/qq

Note: if this folder does not exist, create it

mkdir /data/qq

Note: create a file in the qq directory for testing

touch /data/qq/qq.txt

Restart vsftpd and test

Note: to add users, append them to vusers.txt and then regenerate the DB file

Implementation: VSFTPD virtual user based on MySQL authentication

Description: this experiment uses two CentOS hosts, one as the FTP server and one as the database server.

Install the required packages on the database server:

CentOS 7: install on the database server

yum -y install mariadb-server
systemctl start mariadb.service
systemctl enable mariadb

CentOS 6: install on the database server

yum -y install mysql-server

Install the vsftpd and pam_mysql packages on the FTP server

CentOS 6: pam_mysql is provided by the EPEL 6 repository

yum install vsftpd pam_mysql

CentOS 7: there is no corresponding RPM package, so it has to be compiled and installed manually

yum -y groupinstall "Development Tools"

yum -y install mariadb-devel pam-devel vsftpd

Download pam_mysql-0.7rc1.tar.gz from

sourceforge.net/projects/pam-mysql/

1. Unpack the PAM module

[root@centos7_77 ~]# tar xvf pam_mysql-0.7rc1.tar.gz

cd pam_mysql-0.7rc1/

2. Compile
[root@centos7_77 pam_mysql-0.7rc1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr

Note: pay attention to the locations specified here for the MySQL (MariaDB) and PAM installations

pam_mysql.so does not exist yet; it is produced by make

[root@centos7_77 pam_mysql-0.7rc1]# make && make install

3. Create the database and table

1) Create the ftpdb database

MariaDB [(none)]> CREATE DATABASE ftpdb;

2) Grant a user the right to connect to this database (SELECT permission is enough)

MariaDB [(none)]> GRANT SELECT ON ftpdb.* TO vsftpd@'localhost' IDENTIFIED BY 'centos';

3) Create the table

MariaDB [ftpdb]> CREATE TABLE users (id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(N) BINARY NOT NULL, password CHAR(N) BINARY NOT NULL);

Note: the CHAR widths (N) are unreadable in the source text; the password column must be wide enough for the 41-character hash that PASSWORD() returns.

4) Add virtual users to the table

MariaDB [ftpdb]> INSERT INTO users (name,password) VALUES ('gg', PASSWORD('centos'));

MariaDB [ftpdb]> INSERT INTO users (name,password) VALUES ('mm', PASSWORD('centos'));

3. Prepare the PAM profile (the file needed for PAM authentication on the FTP server)

cd /etc/pam.d/
vim vsftpd.mysql

auth    required pam_mysql.so user=vsftpd passwd=centos host=localhost db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=localhost db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2

Note:

Description of the configuration fields

auth: authentication
account: checks that the account is valid and may be used
required: this module must succeed for authentication to pass
pam_mysql.so: given as a relative path, resolved against /lib64/security/; an absolute path may be written instead. Everything after the module name is passed to the module as parameters
user=vsftpd: the user that logs in to MySQL
passwd=magedu: the password used to log in to MySQL
host=mysqlserver: the hostname or IP address of the MySQL server
db=vsftpd: the name of the MySQL database to connect to
table=users: the name of the table within that database
usercolumn=name: the column used as the user name
passwdcolumn=password: the column holding the user's password
crypt=2: the password encryption method; 2 means MySQL's PASSWORD() function

4. Tell the FTP server the name of the PAM configuration file we prepared
vim /etc/vsftpd/vsftpd.conf

5. Map to the system account vftpuser

vim /etc/vsftpd/vsftpd.conf

guest_enable=YES
guest_username=vftpuser

Note: enabling guest mode maps the logins to the guest user, and the guest user is vftpuser;

don't forget to remove the write permission on this user's home directory

6. Give the login accounts different permissions (each user has its own configuration file)

Specify the folder that holds the per-user configurations

vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vftpuser.d
cd /etc/vsftpd/vftpuser.d
[root@centos7_77 vftpuser.d]# cat > mm
local_root=/data/mm
[root@centos7_77 vftpuser.d]# cat > gg
local_root=/data/gg

Note: the directories that serve as the roots of the virtual users gg and mm must not be writable

[root@centos7_77 data]# chmod a=rx mm
[root@centos7_77 data]# chmod a=rx gg
Then create a file in each of the gg and mm directories so the test is easy to check:
[root@centos7_77 gg]# touch gg.txt
[root@centos7_77 mm]# touch mm.txt

Restart

Test

Note: to give the user gg write permission, add the following to the /etc/vsftpd/vftpuser.d/gg file

anon_upload_enable=YES

anon_mkdir_write_enable=YES

and the mapped user must also have write access to the /data/gg directory:

setfacl -m u:vftpuser:rwx /data/gg
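Both sections rely on the same layout: in the file-based section (step 3, chmod 555 on the home directory plus an upload folder owned by vftpuser) and in this section (chmod a=rx on the virtual roots), the mapped account must not be able to write to a virtual user's root while it owns a writable upload folder inside it. The shell functions below, added here and not part of the original article, audit that layout; root, user and directory names are parameters, GNU stat (as on CentOS) is assumed, and only classic mode bits are inspected, not POSIX ACLs such as the setfacl rule above.

```shell
#!/bin/sh
# Added example, not from the original article: audit the directory layout
# for one virtual user. The mapped system account (vftpuser) must not be
# able to write to the user's root, but must own a writable upload folder
# inside it. Checks classic mode bits only (no POSIX ACLs); needs GNU stat.

# owner_of DIR / mode_of DIR: owner name and octal permission bits (e.g. 555)
owner_of() { stat -c '%U' "$1"; }
mode_of()  { stat -c '%a' "$1"; }

# root_ok DIR USER: true if USER cannot write to DIR.
# Group/other write bits must be clear; the owner write bit only matters
# when USER is the owner (group membership is not resolved here).
root_ok() {
    dir="$1"; user="$2"
    m=$(mode_of "$dir") || return 1
    o=$(( m / 100 % 10 )); g=$(( m / 10 % 10 )); w=$(( m % 10 ))
    [ $(( g & 2 )) -eq 0 ] && [ $(( w & 2 )) -eq 0 ] || return 1
    if [ "$(owner_of "$dir")" = "$user" ]; then
        [ $(( o & 2 )) -eq 0 ] || return 1
    fi
    return 0
}

# upload_ok DIR USER: true if USER owns DIR and the owner write bit is set
upload_ok() {
    dir="$1"; user="$2"
    [ "$(owner_of "$dir")" = "$user" ] || return 1
    m=$(mode_of "$dir") || return 1
    [ $(( m / 100 % 10 & 2 )) -ne 0 ]
}

# audit_vuser ROOT USER: run both checks; reports each problem on stderr
# and returns 1 if any check fails (0 when the layout is as intended).
audit_vuser() {
    root="$1"; user="$2"; rc=0
    root_ok "$root" "$user" || { echo "$root: writable by $user" >&2; rc=1; }
    if [ -d "$root/upload" ]; then
        upload_ok "$root/upload" "$user" ||
            { echo "$root/upload: not owned/writable by $user" >&2; rc=1; }
    fi
    return $rc
}

# usage: audit_vuser /home/vftpuser vftpuser ; audit_vuser /data/gg vftpuser
```

vsftpd 3.x (the version shipped with CentOS 7) also refuses to run with a writable chroot root unless allow_writeable_chroot=YES is set, so a root that fails root_ok is rejected by the daemon as well.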
