File Transfer Protocol (FTP) is a set of standard protocols used to transfer files over a network. It belongs to the application layer of the network protocol stack. FTP is an 8-bit client-server protocol that can handle any type of file without further processing, just like MIME or Unicode. However, FTP has very high latency: the time between the start of a request and the first receipt of the requested data can be long, and sometimes a lengthy login process has to be performed as well.
FTP is an application-layer protocol that transmits in clear text and uses the client/server (C/S) architecture. Its server listens on 21/tcp and 20/tcp: port 21 is the command (control) port, and port 20 is the data transfer port. FTP has two modes of operation:
Active mode: the data connection is created from the server side.
    command: client:50000 -> server:21
    data:    server:20/tcp -> client:50000+1
Passive mode: the data connection is created from the client side.
    command: client:50000 -> server:21
    the server tells the client which data port to use, e.g. 121,23 = 121*256+23
    data:    client:50000+1 -> server:random port
Passive mode is used most of the time, because in active mode a firewall on the client side causes a lot of trouble. Some readers may ask: doesn't the server have a firewall in passive mode? Modern firewalls have a connection tracking function, which can track the different ports opened by the same service. There are many open-source implementations of the FTP server:
FTP servers:
    wu-ftpd: ftpd from the University of Washington
    proftpd: Professional FTP
    pureftp: Pure FTP
    vsftp: very secure FTP
    Serv-U
Response codes (similar to HTTP):
    1xx: informational
    2xx: success status codes
    3xx: further supplementary information required
    4xx: client error
    5xx: server error
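To make the control-channel conventions above concrete, here is a small parser (an added example, not code from the original post or from vsftpd) that classifies a reply code into the 1xx to 5xx classes, parses single-line and RFC 959 multi-line replies, and decodes the 227 PASV tuple with port = p1*256 + p2 (the 121,23 above gives 30999). The multi-line handling, the encode_pasv() reverse helper and the range checks go beyond what the post shows; the sample replies are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Reply-code classes as in RFC 959; the post compares them to HTTP's 1xx-5xx.
REPLY_CLASSES = {
    "1": "positive preliminary (informational)",
    "2": "positive completion (success)",
    "3": "positive intermediate (more information needed)",
    "4": "transient negative (client error, may retry)",
    "5": "permanent negative (server error or refused)",
}


@dataclass
class FtpReply:
    code: int
    text: str          # text of the final (or only) line
    lines: List[str]   # all raw lines, for logging


def reply_class(code: int) -> str:
    """Map a three-digit reply code to its class description."""
    s = str(code)
    if len(s) != 3 or s[0] not in REPLY_CLASSES:
        raise ValueError(f"invalid FTP reply code: {code}")
    return REPLY_CLASSES[s[0]]


def parse_reply(raw: str) -> FtpReply:
    """Parse one control-channel reply.

    Single-line replies look like 'xyz text'. Multi-line replies start with
    'xyz-text' and end with a line 'xyz text' carrying the same code.
    """
    lines = raw.replace("\r\n", "\n").rstrip("\n").split("\n")
    m = re.match(r"^(\d{3})([ -])(.*)$", lines[0])
    if not m:
        raise ValueError(f"malformed reply line: {lines[0]!r}")
    code, sep, first_text = int(m.group(1)), m.group(2), m.group(3)
    reply_class(code)  # validates the code class
    if sep == " ":
        if len(lines) != 1:
            raise ValueError("single-line reply has trailing lines")
        return FtpReply(code, first_text, lines)
    last = lines[-1]
    if not re.match(rf"^{code} ", last):
        raise ValueError("multi-line reply not terminated by the same code")
    return FtpReply(code, last[4:], lines)


PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: FtpReply) -> Tuple[str, int]:
    """Extract (host, port) from a 227 reply; port = p1*256 + p2."""
    if reply.code != 227:
        raise ValueError(f"expected 227, got {reply.code}")
    m = PASV_RE.search(reply.text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in PASV reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV port 0 is not usable")
    return host, port


def encode_pasv(host: str, port: int) -> str:
    """Reverse direction: build the 227 line a server would send."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or any(not 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})"


if __name__ == "__main__":
    # Constructed sample reply, using the post's 121,23 example port pair.
    r = parse_reply("227 Entering Passive Mode (192,168,1,108,121,23)\r\n")
    print(reply_class(r.code), parse_pasv(r))
```

A client that validates the tuple this way will refuse a PASV reply whose octets or port are out of range instead of blindly connecting to whatever the server announces.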
Their names all sound rather grand, don't they? What we are going to introduce today is vsftpd on CentOS 6.6, known as "very secure FTP". Let's see how it is used.
FTP users have almost nothing to do with system users; these are the so-called virtual users. User authentication here relies on two frameworks, nsswitch and PAM, which we will introduce in detail when time permits:
nsswitch: network service switch, a name resolution framework that calls the various glibc libraries to complete the name resolution functions the system needs, such as user name and user ID
    Configuration file: /etc/nsswitch.conf
    Modules: /lib64/libnss*, /usr/lib64/libnss*
PAM: pluggable authentication modules, the user authentication framework
    Modules: in /lib64/security/
    Configuration files: /etc/pam.conf, /etc/pam.d/*
Installing FTP is simple and straightforward: yum install -y vsftpd. Here are a few of the main files that are available after installation:
[root@localhost ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd              # log rotation script
/etc/pam.d/vsftpd                    # user authentication file
/etc/rc.d/init.d/vsftpd              # service script
/etc/vsftpd                          # configuration directory
/etc/vsftpd/ftpusers                 # user control file
/etc/vsftpd/user_list                # user list
/etc/vsftpd/vsftpd.conf              # main configuration file
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd                     # main program
/var/ftp/                            # shared resource directory
# vim /etc/vsftpd/vsftpd.conf   # entries must start at column 1; no leading whitespace is allowed
anonymous_enable=YES            # whether anonymous users are allowed
#anon_upload_enable=YES         # whether anonymous users may upload; even with this line enabled, anonymous
                                # users still cannot upload because the directory has no write permission; fix with:
                                #   mkdir /var/ftp/upload
                                #   setfacl -m u:ftp:rwx /var/ftp/upload
#anon_mkdir_write_enable=YES    # whether anonymous users may create directories
#anon_other_write_enable=YES    # whether anonymous users may delete files
local_enable=YES                # whether system users may log in; by default they land in their home directory
write_enable=YES                # all write permissions for system users
anon_umask=022                  # permissions of files uploaded by anonymous users; higher priority than local_umask
local_umask=022                 # permissions of files uploaded by system users
#chroot_local_user=YES          # lock system users into their home directory
#chroot_list_enable=YES         # lock only some system users
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list   # names of the locked users
dirmessage_enable=YES           # if a .message file is created in a directory, its contents are displayed when that directory is entered
xferlog_enable=YES              # whether the FTP transfer log is enabled
xferlog_std_format=YES          # whether the standard log format is used
#xferlog_file=/var/log/xferlog  # log file location
#chown_uploads=YES              # whether uploaded files change owner
#chown_username=whoever         # which owner to change to
#idle_session_timeout=600       # idle session timeout
#data_connection_timeout=120    # data connection timeout
#ascii_upload_enable=YES        # force text-mode upload
#ascii_download_enable=YES      # force text-mode download
#ftpd_banner=Welcome to blah FTP service.   # welcome message
pam_service_name=vsftpd         # which PAM service is used for vsftpd user authentication: /etc/pam.d/vsftpd
userlist_enable=YES             # users in /etc/vsftpd/ftpusers are not allowed to log in
userlist_deny=YES|NO            # whether users defined in /etc/vsftpd/user_list are denied login
tcp_wrappers=YES                # TCP wrappers
max_clients                     # maximum number of concurrent connections
max_per_ip                      # number of concurrent connections per IP
anon_max_rate                   # maximum transfer rate for all anonymous users, in bytes/s
local_max_rate                  # maximum transfer rate for local users
With the configuration file settings above, vsftpd can already be used as a simple FTP server; I will not demonstrate that here. We mentioned virtual users above: each virtual user can be given different access rights, specified through the anonymous-user permission control parameters. In fact, the anonymous users we use when accessing an FTP server are mapped to the ftp user on the system. Virtual users can be stored in two ways:
In a file: edit a file where
    odd lines are the user name
    even lines are the password
    This file needs to be encoded in hash format.
In a table in a relational database:
    that is, the database is queried to complete user authentication.
The file approach is obviously insecure, although FTP itself is not secure either ... So let's look at virtual users authenticated against a relational database, which improves both manageability and security somewhat. Combining FTP with MySQL relies on pam_mysql, which needs to be installed from the EPEL repository. After installation, let's look at which files it provides:
[root@localhost ~]# rpm -ql pam_mysql
/lib64/security/pam_mysql.so          # just this one module
/usr/share/doc/pam_mysql-0.7/
/usr/share/doc/pam_mysql-0.7/COPYING
/usr/share/doc/pam_mysql-0.7/CREDITS
/usr/share/doc/pam_mysql-0.7/ChangeLog
/usr/share/doc/pam_mysql-0.7/NEWS
/usr/share/doc/pam_mysql-0.7/README   # this document has a detailed explanation
Let's look at the specific procedure:
1. Set up MariaDB, IP: 192.168.1.107
[Screenshot: http://s3.51cto.com/wyfs02/M01/70/BA/wKioL1W8X2bTeKNfAATcHd-qH0I336.jpg]
To explain: vsftp here is the system user on the FTP server that the virtual users are mapped to; tom and jerry are the virtual users; PASSWORD('tom') is an encryption function on MariaDB, so the string 'tom' is stored encrypted.
2. Configure PAM authentication on the FTP server, IP: 192.168.1.108
[Screenshot: http://s3.51cto.com/wyfs02/M01/70/BC/wKiom1W8XXTwNs9fAAEGh0E6tsU481.jpg]
3. Add the system user on the FTP server
[Screenshot: http://s3.51cto.com/wyfs02/M01/70/BA/wKioL1W8X2fwgW1sAABSqgZb7_I456.jpg]
# A correction here: it should be chmod go+rx /var/ftproot, because the anonymous user needs read and execute permission on the directory to be able to cd into it and ls.
4. Configure the FTP server configuration file
[root@localhost vsftpd]# vim vsftpd.conf
anon_umask=022
local_umask=022
pam_service_name=vsftpd.mysql   # PAM configuration file used for authentication
userlist_enable=YES
tcp_wrappers=YES

guest_enable=YES
guest_username=ftpuser          # system account that virtual users map to
5. Configure different permissions for different users
[root@localhost vsftpd]# vim vsftpd.conf
user_config_dir=/etc/vsftpd/vusers   # directory of per-virtual-user configuration files
[root@localhost vsftpd]# mkdir vusers
[root@localhost vsftpd]# cd vusers/
[root@localhost vusers]# vim tom     # per-user configuration file, named after the user
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@localhost vusers]# vim jerry
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
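An added example (not code from the original post or from vsftpd) that reproduces steps 4 and 5 in code: it parses vsftpd.conf the way the post says it must be written (entries at column 1), merges each virtual user's file from user_config_dir over the main configuration, reports which anon_* write permissions tom and jerry end up with, and flags a few settings from the configuration walkthrough earlier in the post that are worth reviewing. The sample configurations are constructed to mirror the post; the audit rules and the demo() helper are my own additions, and the demo writes its per-user files to a temporary directory in place of /etc/vsftpd/vusers.

```python
import os
import tempfile
from typing import Dict, List


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines. Per the post, entries must start at column 1,
    so a line with leading whitespace is rejected rather than silently ignored."""
    conf: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            raise ValueError(f"line {lineno}: leading whitespace is not allowed")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf: Dict[str, str], key: str, default: str = "NO") -> bool:
    return conf.get(key, default).upper() == "YES"


# Virtual users (guest_enable=YES) are governed by the anonymous write switches.
WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")


def effective_settings(main: Dict[str, str], user_dir: str, user: str) -> Dict[str, str]:
    """Overlay the per-user file (user_config_dir/<user>) on the main config.
    In production user_dir would be main["user_config_dir"]."""
    merged = dict(main)
    path = os.path.join(user_dir, user)
    if os.path.isfile(path):
        with open(path) as f:
            merged.update(parse_vsftpd_conf(f.read()))
    return merged


def virtual_user_rights(main: Dict[str, str], user_dir: str, user: str) -> Dict[str, bool]:
    """Effective write rights: write_enable is the global switch, anon_* the per-kind ones."""
    eff = effective_settings(main, user_dir, user)
    writable = is_yes(eff, "write_enable")
    return {k: writable and is_yes(eff, k) for k in WRITE_KEYS}


def audit(main: Dict[str, str]) -> List[str]:
    """Flag main-config settings a defender would want to review (my own rule set)."""
    findings = []
    # vsftpd's own default for anonymous_enable is YES, so treat absence as enabled.
    if is_yes(main, "anonymous_enable", "YES") and any(is_yes(main, k) for k in WRITE_KEYS):
        findings.append("anonymous users have write access in the main config")
    if is_yes(main, "local_enable") and not is_yes(main, "chroot_local_user"):
        findings.append("local users are not confined to their home directory")
    if not is_yes(main, "xferlog_enable"):
        findings.append("transfer logging is disabled")
    if "local_max_rate" not in main and "anon_max_rate" not in main:
        findings.append("no transfer rate limits configured")
    return findings


# Constructed sample mirroring the post's steps 4 and 5 (not the post's actual files).
MAIN_CONF = """anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_umask=022
local_umask=022
xferlog_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=ftpuser
"""
USER_FILES = {
    "tom": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n",
    "jerry": "anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n",
}


def demo() -> Dict[str, Dict[str, bool]]:
    """Write the per-user files to a temp dir and compute each user's rights."""
    main = parse_vsftpd_conf(MAIN_CONF)
    with tempfile.TemporaryDirectory() as d:
        for name, body in USER_FILES.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        return {u: virtual_user_rights(main, d, u) for u in USER_FILES}


if __name__ == "__main__":
    for user, rights in demo().items():
        print(user, rights)
    print("findings:", audit(parse_vsftpd_conf(MAIN_CONF)))
```

Running it shows tom with all three write rights and jerry with none, matching the verification in step 6; the audit also points out that the sample main config leaves local users unconfined and sets no rate limits, which is exactly the kind of gap a review of a fresh vsftpd.conf should catch.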
6. Verify the results
Tom logs in:
[Screenshot: http://s3.51cto.com/wyfs02/M02/70/BA/wKioL1W8X2fRTxFSAAMUmVoETRc712.jpg]
[Screenshot: http://s3.51cto.com/wyfs02/M02/70/BC/wKiom1W8XXXx3R20AADoVc2eSPc531.jpg]
Jerry logs in:
[Screenshot: http://s3.51cto.com/wyfs02/M01/70/BC/wKiom1W8XXXSFOVEAAM83cr_RFE597.jpg]
We see that Tom can read and write while Jerry can only read, exactly in line with our settings. OK, that is our introduction to FTP; for more advanced uses, consult the documentation yourself. If there are errors, please point them out.
This article is from the "Linuxlove" blog; please keep this source: http://linuxlover.blog.51cto.com/2470728/1680787
FTP uses MariaDB to complete virtual user authentication