How to store the FTP user account in the MARIADB database

Source: Internet
Author: User
Tags: crypt, ftp connection, ftp client, account, security, administrator, password

FTP has a long history, and because it dates from a time when security was not a design concern, the protocol still transmits credentials and data in clear text. It has survived because it is easy to set up and use. This article shows how to build a vsftpd server whose user accounts are stored in MariaDB, which is closer to what a real production environment needs. For the demonstration, the firewall and SELinux are switched off up front; if you forget, you will run into confusing error messages later (one of them is shown in step 8). On a production host, open port 21 and vsftpd's passive port range in the firewall and adjust the SELinux booleans instead of disabling either.


Step 1: Install the FTP server vsftpd with yum

yum install -y vsftpd


Step 2: Configure vsftpd

vim /etc/vsftpd/vsftpd.conf


Set (or add) the following directives. The other defaults of the CentOS 7 package are kept, in particular local_enable=YES and write_enable=YES, which virtual users need; the package default anonymous_enable=YES should be changed to NO unless you really want anonymous logins.

# log every transfer
xferlog_enable=YES
xferlog_file=/var/log/xferlog
# PAM stack that vsftpd uses for login; the file /etc/pam.d/vsftpd.mysql is written in step 6
pam_service_name=vsftpd.mysql
# every non-anonymous login is treated as a "guest", i.e. a virtual user ...
guest_enable=YES
# ... and is mapped to this local account (created in step 7)
guest_username=vsftpd


Step 3: Compile and install pam_mysql (gcc and make must already be installed)

[[email protected] ~]# yum install -y mariadb-devel pam-devel openssl-devel
[[email protected] ~]# ls
anaconda-ks.cfg  pam_mysql-0.7rc1.tar.gz
[[email protected] ~]# tar xf pam_mysql-0.7rc1.tar.gz
[[email protected] ~]# cd pam_mysql-0.7rc1/
[[email protected] pam_mysql-0.7rc1]# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security

[[email protected] pam_mysql-0.7rc1]# make
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3192:4: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [enabled by default]
    conv->appdata_ptr))) {
    ^
pam_mysql.c:3192:4: note: expected 'const struct pam_message **' but argument is of type 'struct pam_message **'
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -o pam_mysql.la -rpath /usr/lib64/security -module -avoid-version pam_mysql.lo -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
[[email protected] pam_mysql-0.7rc1]#

The compiler warning about the pam_message pointer type is a known quirk of pam_mysql 0.7rc1; it is a warning, not an error, and does not affect the resulting module.

[[email protected] pam_mysql-0.7rc1]# make install

make install places pam_mysql.so in /usr/lib64/security, which is the path referenced by the PAM file in step 6.


Step 4: Install mariadb-server, start it and run the hardening script

[[email protected] ~]# yum install -y mariadb-server
[[email protected] ~]# systemctl start mariadb
[[email protected] ~]# mysql_secure_installation

mysql_secure_installation sets the root password, removes the anonymous accounts, disallows remote root login and drops the test database; answer yes to all of them. Also enable both services (systemctl enable mariadb vsftpd) so they come back after a reboot: while MariaDB is down, every FTP login fails.


Step 5: Create the database and the table that hold the FTP accounts

MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> CREATE TABLE vsftpd.users (id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, name CHAR(30) NOT NULL UNIQUE KEY, password CHAR(48));
MariaDB [(none)]> INSERT INTO vsftpd.users (name, password) VALUES ('admin', PASSWORD('AdminPass')), ('guest', PASSWORD('Guestpass'));
MariaDB [(none)]> GRANT ALL ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpdpass';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit

Notes on this step: the width of the name column was lost in the source; 30 is an assumed value and any width that fits your user names works. PASSWORD() stores '*' followed by the upper-case hex of SHA1(SHA1(password)), 41 characters, which fits CHAR(48) and is exactly what pam_mysql's crypt=2 setting (step 6) expects. That hash is unsalted and fast, so treat it as a convenience for pam_mysql, not as strong password storage, and keep in mind that the clear-text passwords in the INSERT end up in ~/.mysql_history. The GRANT is wider than necessary: pam_mysql only reads the table, so GRANT SELECT ON vsftpd.users is enough and is what you should use. The account password 'vsftpdpass' must match the passwd= value in the PAM file of step 6.
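The hash that crypt=2 compares against can be reproduced outside the database. The Python script below is an added example, not part of the original post: it implements MariaDB's PASSWORD() scheme, verifies a candidate password against a stored value with a constant-time comparison, and builds the INSERT with hashes computed client-side so the clear-text passwords never reach the server or its history file. The function names, the insert_statement helper and the use of the MySQL manual's reference vector for 'mypass' are the example's own; the user names and passwords are the tutorial's.

```python
"""MySQL/MariaDB PASSWORD()-compatible hashing, as pam_mysql crypt=2 expects.

PASSWORD(pw) == '*' + uppercase_hex(SHA1(SHA1(pw)))

Computing it here lets the row be inserted with a pre-hashed value, and makes
the weakness visible: no salt and one fast hash, so equal passwords produce
equal hashes and offline guessing is cheap.
"""
import hashlib
import hmac
import secrets
import string


def mysql_password_hash(password: str) -> str:
    """Return the 41-character string MariaDB's PASSWORD() would return."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored crypt=2 hash.

    compare_digest avoids leaking the position of the first mismatch through
    timing; pam_mysql itself does a plain string compare.
    """
    if len(stored) != 41 or stored[0] != "*":
        return False
    return hmac.compare_digest(stored, mysql_password_hash(candidate))


def insert_statement(users: dict) -> str:
    """Hypothetical helper: build the vsftpd.users INSERT with client-side hashes.

    Single quotes in names are doubled; for anything beyond a demo use a
    parameterised query through a real driver instead of string building.
    """
    rows = []
    for name, pw in users.items():
        safe_name = name.replace("'", "''")
        rows.append(f"('{safe_name}', '{mysql_password_hash(pw)}')")
    return "INSERT INTO vsftpd.users (name, password) VALUES " + ", ".join(rows) + ";"


def random_password(length: int = 20) -> str:
    """Generate a password for a virtual user from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Reference vector from the MySQL manual: PASSWORD('mypass')
    print(mysql_password_hash("mypass"))
    # No salt: the same password always yields the same stored value.
    print(mysql_password_hash("AdminPass") == mysql_password_hash("AdminPass"))
    print(insert_statement({"admin": "AdminPass", "guest": "Guestpass"}))
    print(verify(mysql_password_hash("AdminPass"), "adminpass"))
```

Run it and paste the printed INSERT into the mysql client instead of the one above; the server never sees the clear-text passwords.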


Step 6: Write the PAM service file that connects vsftpd to MySQL

[[email protected] ~]# vim /etc/pam.d/vsftpd.mysql

auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

The file name must equal the pam_service_name set in step 2. user= and passwd= are the MariaDB account from step 5, not an FTP account; host=127.0.0.1 makes pam_mysql connect over TCP, matching the host part of the GRANT. crypt=2 tells pam_mysql that the password column holds PASSWORD() hashes (crypt=0 would mean clear text). Because the database password sits in this file in clear text, keep it root-owned and not world-readable, and keep the database account limited to the one table it needs.


Step 7: Create the FTP root, create the local account the virtual users are mapped to, and set the directory permissions

mkdir -pv /ftproot/{pub,upload}   // two directories for the later tests: pub for downloads, upload for user uploads
chmod -w /ftproot   // the FTP root must not be writable: vsftpd refuses to chroot into a writable root directory
useradd -r -d /ftproot vsftpd   // system account named in guest_username, with /ftproot as its home



Step 8: Start vsftpd, install the FTP client lftp and test the login

[[email protected] ~]# systemctl start vsftpd
[[email protected] ~]# yum install -y lftp
[[email protected] ~]# lftp -u admin 192.168.1.71
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~>

The password was typed correctly; the login fails because SELinux is still enforcing. The FTP reply says nothing more, but the PAM module's log line in /var/log/secure shows the real reason:

[[email protected] ~]# cat /var/log/secure

Oct 20:00:50 centos730g vsftpd[13492]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
Oct 20:02:30 centos730g vsftpd[13514]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))


The number in parentheses is the OS errno: 13 is EACCES, the connect() to MariaDB was denied by the kernel, not by MariaDB. Disable SELinux and log in again; everything works. On a production host, do not disable SELinux for this: the targeted policy has a boolean that allows the FTP daemon to connect to a database, so setsebool -P ftpd_connect_db on fixes this particular denial while enforcing stays on. Note that the rest of this article was run with SELinux permissive, so re-test the uploads of step 9 with enforcing on.

[[email protected] ~]# getenforce
Enforcing
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
[[email protected] ~]# !lftp
lftp -u admin 192.168.1.71
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0            4096 Oct 12:05 pub
drwxr-xr-x    2 0        0            4096 Oct 12:05 upload
lftp [email protected]:/> cd upload/
lftp [email protected]:/upload> put /etc/fstab
put: Access failed: 550 Permission denied. (fstab)
lftp [email protected]:/upload> exit

[[email protected] ~]# lftp -u guest 192.168.1.71
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0            4096 Oct 12:05 pub
drwxr-xr-x    2 0        0            4096 Oct 12:05 upload
lftp [email protected]:/> cd upload/
lftp [email protected]:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp [email protected]:/upload>

At this point both virtual users, admin and guest, are authenticated against MariaDB, can log in and can download files. Uploads are still refused: write access has to be granted per virtual account, which the next step does.
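A 530 reply carries no reason; the reason is in the pam_mysql line in /var/log/secure. The script below is an added example, not part of the original post, of triaging those lines: it parses secure-log entries, extracts the OS errno that the MySQL client appends to "Can't connect" messages, and maps it to a likely cause (13, EACCES, is the SELinux case above; 111 means nothing is listening). The log lines are constructed to match the entries shown above, with a day-of-month added and an "Access denied" line for the wrong-credentials case; the ERRNO_HINTS table and all function names are the example's own, not pam_mysql output.

```python
"""Triage vsftpd + pam_mysql login failures from /var/log/secure lines."""
import re
from collections import Counter

# Constructed sample, shaped like the secure-log entries shown above.
SAMPLE_LOG = [
    "Oct 13 20:00:50 centos730g vsftpd[13492]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))",
    "Oct 13 20:01:10 centos730g sshd[13500]: Accepted publickey for root from 192.168.1.10 port 50122 ssh2",
    "Oct 13 20:02:30 centos730g vsftpd[13514]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))",
    "Oct 13 20:05:12 centos730g vsftpd[13530]: pam_mysql - MySQL error (Access denied for user 'vsftpd'@'localhost' (using password: YES))",
]

# Hypothetical lookup table: the trailing number is the errno of the failed connect().
ERRNO_HINTS = {
    13: "EACCES: connect() denied by the OS. With SELinux enforcing, check "
        "'getsebool ftpd_connect_db' before suspecting the credentials.",
    111: "ECONNREFUSED: nothing listening; is mariadb running and bound to that address?",
    110: "ETIMEDOUT: no answer at all; wrong host or a firewall dropping packets.",
}

# syslog timestamp, host, 'vsftpd[pid]:', then the pam_mysql message
PAM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"vsftpd\[(?P<pid>\d+)\]:\s+pam_mysql\s*-\s*(?P<msg>.+)$"
)
# '... (13))' at the end of a "Can't connect" message
TRAILING_ERRNO = re.compile(r"\((?P<errno>\d+)\)\)\s*$")


def parse_line(line):
    """Return a dict for a pam_mysql line from vsftpd, or None for anything else."""
    m = PAM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    e = TRAILING_ERRNO.search(rec["msg"])
    rec["errno"] = int(e.group("errno")) if e else None
    return rec


def diagnose(rec):
    """Map one parsed record to the most likely cause."""
    if rec["errno"] in ERRNO_HINTS:
        return ERRNO_HINTS[rec["errno"]]
    if "Access denied for user" in rec["msg"]:
        return "MariaDB rejected the user=/passwd= pair in /etc/pam.d/vsftpd.mysql."
    return "Unclassified pam_mysql error: " + rec["msg"]


def triage(lines):
    """Return (Counter of diagnosis -> occurrences, list of parsed records)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return Counter(diagnose(r) for r in records), records


if __name__ == "__main__":
    counts, records = triage(SAMPLE_LOG)
    for diagnosis, n in counts.most_common():
        print(f"{n}x {diagnosis}")
    print(f"{len(records)} pam_mysql records out of {len(SAMPLE_LOG)} lines")
```

To run it against the real file, replace SAMPLE_LOG with the lines of /var/log/secure (grep for vsftpd first to keep it small).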


Step 9: Give the admin account upload, delete and mkdir permissions

Edit the vsftpd configuration file and add one line:

vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/users_conf

With this directive vsftpd looks, after a successful login, for a file named after the login user in that directory and lets its settings override the global ones. Create the directory:

mkdir /etc/vsftpd/users_conf

Write the per-user permission file for admin (the file name is the FTP user name):

vim /etc/vsftpd/users_conf/admin

anon_upload_enable=YES   // allow uploads
anon_other_write_enable=YES   // allow delete and rename
anon_mkdir_write_enable=YES   // allow directory creation

Virtual (guest) users are governed by the anon_* switches, and all of them still require the global write_enable=YES master switch.


Grant the local mapping account vsftpd write permission on /ftproot/upload, via an ACL so the directory's owner and mode stay unchanged:

[[email protected] ~]# setfacl -m u:vsftpd:rwx /ftproot/upload/
[[email protected] ~]# getfacl /ftproot/upload/
getfacl: Removing leading '/' from absolute path names
# file: ftproot/upload/
# owner: root
# group: root
user::rwx
user:vsftpd:rwx
group::r-x
mask::rwx
other::r-x

[[email protected] ~]#

Note that although the vsftpd account now has write permission on the filesystem, a virtual user can only write if its own file in user_config_dir enables it: vsftpd checks its configuration before the kernel checks the ACL, and both must allow the operation.


Restart vsftpd so the new configuration takes effect:

[[email protected] ~]# systemctl restart vsftpd


Log in as admin again and verify upload, mkdir and delete:

[[email protected] ~]# lftp -u admin 192.168.1.71
Password:
lftp [email protected]:~> cd upload/
lftp [email protected]:/upload> put /etc/fstab
574 bytes transferred
lftp [email protected]:/upload> ls
-rw-------    1 996      994           574 Oct 12:47 fstab
lftp [email protected]:/upload> mkdir admin
mkdir ok, 'admin' created
lftp [email protected]:/upload> ls
drwx------    2 996      994          4096 Oct 12:47 admin
-rw-------    1 996      994           574 Oct 12:47 fstab
lftp [email protected]:/upload> rm fstab
rm ok, 'fstab' removed
lftp [email protected]:/upload> ls
drwx------    2 996      994          4096 Oct 12:47 admin
lftp [email protected]:/upload> rm -rf admin
rm ok, 'admin' removed
lftp [email protected]:/upload> ls
lftp [email protected]:/upload> exit

[[email protected] ~]# lftp -u guest 192.168.1.71
Password:
lftp [email protected]:~> cd upload/
lftp [email protected]:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp [email protected]:/upload>

admin has its own authorization file, so the write permission on upload is effective for it; guest has none, so the same write permission is useless to it. Two details of the listing are worth noting: the uploaded file and directory belong to uid 996 / gid 994, the vsftpd mapping account, because every virtual user is mapped to that one local account, and they are created with mode 0600/0700 because guest logins use anon_umask, whose default is 077. If other virtual users should be able to read uploads, set anon_umask (for example 022) in the global file or in the uploading user's file.
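Why does guest still get a 550 once the upload directory is writable? vsftpd reads the global file first and then lets the file in user_config_dir override it, and a guest login is checked against the anon_* switches on top of the write_enable master switch. The Python script below is an added example, not vsftpd's own code, that parses both files in vsftpd's key=value syntax and reports the write rights a given virtual user ends up with, so a refused PUT can be explained from the configuration alone. The two configuration texts are constructed to mirror this tutorial; anonymous_enable=NO and write_enable=YES (the CentOS package default) are assumptions, as are the function names.

```python
"""Resolve the effective vsftpd settings for a virtual (guest) user."""


def parse_vsftpd_conf(text):
    """Parse vsftpd's configuration syntax: one 'option=value' per line,
    lines starting with '#' are comments, no inline comments, no quoting."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: not an option=value line: {raw!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


def is_yes(settings, key, default="NO"):
    """vsftpd booleans are YES/NO, compared case-insensitively."""
    return settings.get(key, default).upper() == "YES"


def effective_settings(global_text, per_user_text=None):
    """Global file first; the user's file from user_config_dir overrides it."""
    settings = parse_vsftpd_conf(global_text)
    if per_user_text is not None:
        settings.update(parse_vsftpd_conf(per_user_text))
    return settings


def guest_write_rights(settings):
    """Write operations a guest_enable login may perform: each anon_* switch
    only counts while the global write_enable master switch is on."""
    master = is_yes(settings, "write_enable")
    return {
        "upload": master and is_yes(settings, "anon_upload_enable"),
        "mkdir": master and is_yes(settings, "anon_mkdir_write_enable"),
        "delete_rename": master and is_yes(settings, "anon_other_write_enable"),
    }


# Constructed to mirror the tutorial's vsftpd.conf (anonymous_enable=NO is an
# assumption, write_enable=YES is the CentOS package default).
GLOBAL_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd/users_conf
"""

# Contents of /etc/vsftpd/users_conf/<user>; 'guest' has no file there.
PER_USER_FILES = {
    "admin": "anon_upload_enable=YES\nanon_other_write_enable=YES\nanon_mkdir_write_enable=YES\n",
}


def rights_for(user, per_user_files=PER_USER_FILES, global_text=GLOBAL_CONF):
    """Effective write rights of one virtual user."""
    return guest_write_rights(effective_settings(global_text, per_user_files.get(user)))


if __name__ == "__main__":
    for user in ("admin", "guest"):
        print(user, rights_for(user))
```

Point per_user_files at the real contents of /etc/vsftpd/users_conf and global_text at /etc/vsftpd/vsftpd.conf to check a live host; a user whose rights come out all False will get 550 on every write regardless of the directory ACL.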


At this point the FTP service meets the basic requirements of a production environment. Storing FTP accounts in a database is only worthwhile when there are many of them, so choose the account store according to actual needs. One reminder: vsftpd is very strict about directory permissions (a writable root, a missing ACL, a missing per-user switch), and a small slip produces a range of confusing error messages, so work through the configuration carefully.

This article is from the "Love Firewall" blog, be sure to keep this source http://183530300.blog.51cto.com/894387/1863191
