FTP has a relatively long history, and because it appeared so early, security was not a design consideration: to this day the FTP protocol still transmits everything in clear text. It has survived because it is convenient to set up and use. Today we share how to build an FTP server that meets the needs of a real production environment. For convenience of demonstration we shut down the firewall and SELinux beforehand; if you forget to do so, some confusing error messages will appear later in the process.
Step 1: Install the FTP server vsftpd with yum
yum install -y vsftpd
Step 2: Configure vsftpd
vim /etc/vsftpd/vsftpd.conf
xferlog_enable=YES
xferlog_file=/var/log/xferlog
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vsftpd
Step 3: Compile and install pam_mysql (a build environment must be present)
[root@centos730g ~]# yum install -y mariadb-devel pam-devel openssl-devel
[root@centos730g ~]# ls
anaconda-ks.cfg pam_mysql-0.7rc1.tar.gz
[root@centos730g ~]# tar xf pam_mysql-0.7rc1.tar.gz
[root@centos730g ~]# cd pam_mysql-0.7rc1/
[root@centos730g pam_mysql-0.7rc1]# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
[root@centos730g pam_mysql-0.7rc1]# make
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3192:4: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [enabled by default]
    conv->appdata_ptr))) {
    ^
pam_mysql.c:3192:4: note: expected 'const struct pam_message **' but argument is of type 'struct pam_message *'
(This warning does not affect the final result and can be ignored.)
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -o pam_mysql.la -rpath /usr/lib64/security -module -avoid-version pam_mysql.lo -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -lssl -lcrypto -ldl -lcrypt -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
[root@centos730g pam_mysql-0.7rc1]#
[root@centos730g pam_mysql-0.7rc1]# make install
Step 4: Install and configure mariadb-server and start it
[root@centos730g ~]# yum install -y mariadb-server
[root@centos730g ~]# systemctl start mariadb
[root@centos730g ~]# mysql_secure_installation    // run the security configuration script (set the root password, remove the anonymous accounts, disallow remote root login, remove the test database)
Step 5: Enter the database and create the database for the FTP user accounts
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> CREATE TABLE vsftpd.users (id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, name CHAR(30) NOT NULL UNIQUE KEY, password CHAR(48));  -- the CHAR length of name is garbled in the source; 30 is an assumed value
MariaDB [(none)]> INSERT INTO vsftpd.users (name, password) VALUES ('admin', PASSWORD('AdminPass')), ('guest', PASSWORD('Guestpass'));
MariaDB [(none)]> GRANT ALL ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpdpass';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit
Step 6: Write the PAM configuration file that connects FTP logins to MySQL by hand
[root@centos730g ~]# vim /etc/pam.d/vsftpd.mysql
auth    required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpdpass host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
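The crypt=2 option in the PAM file tells pam_mysql that the password column holds hashes in MySQL/MariaDB PASSWORD() format, which is why step 5 inserts PASSWORD('AdminPass') rather than the clear-text value. The shell script below is an added example and not part of the original post: it computes that same hash locally (an asterisk followed by the upper-case hex of SHA1 applied twice, the inner digest taken as raw bytes) and emits the INSERT statement, so the clear-text FTP password is never part of a SQL statement that could end up in ~/.mysql_history or the server's general log. The script name add_ftp_user.sh is assumed, and the script relies on the openssl command-line tool being installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the INSERT for a new
# virtual FTP user with the password already hashed in MySQL/MariaDB PASSWORD()
# format (what pam_mysql expects with crypt=2), so the clear-text password never
# appears in SQL text. Assumes the openssl command-line tool is installed.

mysql_password_hash() {
    # $1: clear-text password -> 41-character PASSWORD()-style hash on stdout.
    # PASSWORD() = '*' + upper-case hex of SHA1(SHA1(pw)), inner SHA1 as raw bytes.
    inner=$(printf '%s' "$1" | openssl dgst -sha1 -binary | openssl dgst -sha1 | sed 's/^.*= *//')
    printf '*%s\n' "$inner" | tr 'abcdef' 'ABCDEF'
}

valid_ftp_name() {
    # Accept only a conservative character set so the generated SQL cannot be
    # broken out of by a crafted user name (quotes, semicolons, whitespace).
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

vsftpd_user_sql() {
    # $1: FTP user name, $2: clear-text password -> INSERT statement on stdout.
    # Table and column names are the ones created in step 5 of the post.
    valid_ftp_name "$1" || { echo "rejected user name: $1" >&2; return 1; }
    printf "INSERT INTO vsftpd.users (name, password) VALUES ('%s', '%s');\n" \
        "$1" "$(mysql_password_hash "$2")"
}

# Usage: sh add_ftp_user.sh NAME PASSWORD | mysql -u root -p
if [ "$#" -eq 2 ]; then
    vsftpd_user_sql "$1" "$2"
fi
```

Two narrower settings than the ones in the post are worth noting here: pam_mysql only reads the table, so GRANT SELECT ON vsftpd.users TO 'vsftpd'@'127.0.0.1' is sufficient in place of GRANT ALL ON vsftpd.*, and because /etc/pam.d/vsftpd.mysql contains that database password in clear text it should be readable only by root (vsftpd performs PAM authentication from its privileged parent process, so chmod 600 on the file does not break logins).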
Step 7: Create the FTP root directory, create the local account that the FTP accounts in the database map to, with the FTP root as its home directory, and set suitable permissions on the FTP root
mkdir -pv /ftproot/{pub,upload}    // two directories to verify the result later: pub for downloads, upload for user uploads
chmod -w /ftproot                  // the FTP root directory itself must not be writable
useradd -r -d /ftproot vsftpd
Step 8: Start the vsftpd service, install the FTP client lftp, and verify that logins work
[root@centos730g ~]# yum install -y lftp
[root@centos730g ~]# lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> ls
ls: Login failed: 530 Login incorrect.
lftp admin@192.168.1.71:~>
This error appears, even though the password was entered correctly, because SELinux has not been turned off. The security log records a matching error:
[root@centos730g ~]# cat /var/log/secure
Oct 20:00:50 centos730g vsftpd[13492]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
Oct 20:02:30 centos730g vsftpd[13514]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
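The (13) in those two lines is errno EACCES: the vsftpd process was not allowed to open the connection to 127.0.0.1, which on CentOS 7 is the SELinux targeted policy refusing vsftpd a database socket. The narrower fix is setsebool -P ftpd_connect_db on, which permits exactly that connection without making the whole system permissive. The script below is an added example, not part of the original post: it classifies pam_mysql lines from /var/log/secure so the EACCES case can be told apart from a stopped MariaDB (errno 111, connection refused) or wrong credentials in /etc/pam.d/vsftpd.mysql. The sample log lines embedded in it are constructed (dates, PIDs and the sshd noise line are invented; the host name is the one from the post).

```shell
#!/bin/sh
# Added example, not part of the original post: triage pam_mysql failures found
# in /var/log/secure. The "(13)" form is the one shown in the post; the sample
# lines below are constructed (days, PIDs and the sshd line are invented).

sample_log() {
    cat <<'EOF'
Oct 22 20:00:50 centos730g vsftpd[13492]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
Oct 22 20:02:30 centos730g vsftpd[13514]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (13))
Oct 22 20:05:01 centos730g sshd[13600]: Accepted publickey for ops from 192.168.1.10 port 50000 ssh2
Oct 22 20:07:12 centos730g vsftpd[13620]: pam_mysql - MySQL error (Can't connect to MySQL server on '127.0.0.1' (111))
Oct 22 20:09:40 centos730g vsftpd[13655]: pam_mysql - MySQL error (Access denied for user 'vsftpd'@'localhost' (using password: YES))
EOF
}

# Classify one log line. Prints nothing for lines that are not pam_mysql errors;
# otherwise the first word is a stable token and the rest is a hint for the operator.
classify_pam_mysql_line() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *"pam_mysql"*"can't connect to mysql server"*"(13))"*)
            echo "eacces  connect denied to vsftpd: SELinux (ftpd_connect_db off) or socket permissions" ;;
        *"pam_mysql"*"can't connect to mysql server"*"(111))"*)
            echo "econnrefused  nothing listening: is mariadb started and bound to that address?" ;;
        *"pam_mysql"*"access denied for user"*)
            echo "dbcreds  user=/passwd= in /etc/pam.d/vsftpd.mysql do not match the GRANT" ;;
        *"pam_mysql"*"mysql error"*)
            echo "other  $1" ;;
    esac
}

# Summarise a whole log file: one "token count" line per category, sorted by token.
summarize_pam_mysql() {
    while IFS= read -r line; do
        classify_pam_mysql_line "$line"
    done < "$1" | awk '{print $1}' | sort | uniq -c | awk '{print $2, $1}'
}

# Usage: sh triage_pam_mysql.sh /var/log/secure   (no argument: run on the sample)
if [ "$#" -eq 1 ]; then
    summarize_pam_mysql "$1"
else
    tmp=$(mktemp); sample_log > "$tmp"; summarize_pam_mysql "$tmp"; rm -f "$tmp"
fi
```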
Disable SELinux and try to log in again; everything is fine.
[root@centos730g ~]# getenforce
Enforcing
[root@centos730g ~]# setenforce 0
[root@centos730g ~]# getenforce
Permissive
[root@centos730g ~]# !lftp
lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> ls
drwxr-xr-x 2 0 0 4096 Oct 12:05 pub
drwxr-xr-x 2 0 0 4096 Oct 12:05 upload
lftp admin@192.168.1.71:/>
lftp admin@192.168.1.71:/> cd upload/
lftp admin@192.168.1.71:/upload> put /etc/fstab
put: Access failed: 550 Permission denied. (fstab)
lftp admin@192.168.1.71:/upload>
lftp admin@192.168.1.71:/upload> exit
[root@centos730g ~]# lftp -u guest 192.168.1.71
Password:
lftp guest@192.168.1.71:~> ls
drwxr-xr-x 2 0 0 4096 Oct 12:05 pub
drwxr-xr-x 2 0 0 4096 Oct 12:05 upload
lftp guest@192.168.1.71:/> cd upload/
lftp guest@192.168.1.71:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp guest@192.168.1.71:/upload>
At this point the two virtual users admin and guest can log in to the FTP server after MySQL authentication and download files, but to get upload permission each virtual account must be authorized individually.
Step 9: Configure upload and modify permissions for the admin account
Edit the vsftpd configuration file and add one line:
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/users_conf
Create the directory that holds the per-user permission profiles:
mkdir /etc/vsftpd/users_conf
Write the permission profile by hand:
vim /etc/vsftpd/users_conf/admin
anon_upload_enable=YES        // allow uploads
anon_other_write_enable=YES   // allow deletion
anon_mkdir_write_enable=YES   // allow directory creation
Grant the local mapped account vsftpd write permission on the /ftproot/upload directory:
[root@centos730g ~]# setfacl -m u:vsftpd:rwx /ftproot/upload/
[root@centos730g ~]# getfacl /ftproot/upload/
getfacl: Removing leading '/' from absolute path names
# file: ftproot/upload/
# owner: root
# group: root
user::rwx
user:vsftpd:rwx
group::r-x
mask::rwx
other::r-x
[root@centos730g ~]#
Note that although the vsftpd account now has write permission on the directory, a virtual user only gets write access if the corresponding options are enabled in its own per-user profile.
After the configuration is complete, restart the vsftpd service so that the changes take effect:
[root@centos730g ~]# systemctl restart vsftpd
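Because guest_enable=YES makes vsftpd treat every virtual user as an anonymous login, the anon_*_enable options decide what a virtual user may write, and a per-user file in user_config_dir overrides the main vsftpd.conf for the keys it sets; vsftpd also ignores all of them unless write_enable=YES globally (the stock CentOS vsftpd.conf ships with it on). The script below is an added example, not part of the original post: it reads the main configuration and every profile in user_config_dir and reports the effective write rights of each virtual user, which is a quicker check than logging in as each one. The script name audit_ftp_rights.sh is assumed; the file paths follow the post.

```shell
#!/bin/sh
# Added example, not part of the original post: report which write operations
# each virtual user actually gets, combining vsftpd.conf with the per-user files
# in user_config_dir (a per-user file overrides the main file for the keys it sets).
# Assumes the layout from the post: /etc/vsftpd/vsftpd.conf and
# user_config_dir=/etc/vsftpd/users_conf.

# Value of key $1 in vsftpd-style file $2: KEY=VALUE lines, '#' comments,
# case-insensitive key, last occurrence wins, empty output when unset.
conf_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/[[:space:]]/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$2"
}

is_yes() { [ "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" = "YES" ]; }

# Effective write rights of virtual user $2: $1 = main config, $3 = user_config_dir.
user_write_rights() {
    main=$1; user=$2; dir=$3; rights=""
    # vsftpd honours the anon_*_enable options only when write_enable=YES globally
    is_yes "$(conf_get write_enable "$main")" || { echo "none (write_enable is not YES)"; return 0; }
    for key in anon_upload_enable anon_other_write_enable anon_mkdir_write_enable; do
        v=""
        [ -f "$dir/$user" ] && v=$(conf_get "$key" "$dir/$user")
        [ -n "$v" ] || v=$(conf_get "$key" "$main")
        if is_yes "$v"; then
            case $key in
                anon_upload_enable)      rights="$rights upload" ;;
                anon_other_write_enable) rights="$rights delete/rename" ;;
                anon_mkdir_write_enable) rights="$rights mkdir" ;;
            esac
        fi
    done
    rights=${rights# }
    printf '%s\n' "${rights:-read-only}"
}

# One line per profile in user_config_dir; a database user without a profile
# (guest in the post) falls back to the main file, i.e. read-only here.
audit_virtual_users() {
    main=$1
    dir=$(conf_get user_config_dir "$main")
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "user_config_dir missing or not a directory: every virtual user gets the global settings" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(user_write_rights "$main" "${f##*/}" "$dir")"
    done
}

# Usage: sh audit_ftp_rights.sh /etc/vsftpd/vsftpd.conf
if [ "$#" -eq 1 ]; then
    audit_virtual_users "$1"
fi
```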
Log in again with the admin account to verify the upload and modify permissions:
[root@centos730g ~]# lftp -u admin 192.168.1.71
Password:
lftp admin@192.168.1.71:~> cd upload/
lftp admin@192.168.1.71:/upload> put /etc/fstab
574 bytes transferred
lftp admin@192.168.1.71:/upload> ls
-rw------- 1 996 994 574 Oct 12:47 fstab
lftp admin@192.168.1.71:/upload> mkdir admin
mkdir ok, 'admin' created
lftp admin@192.168.1.71:/upload> ls
drwx------ 2 996 994 4096 Oct 12:47 admin
-rw------- 1 996 994 574 Oct 12:47 fstab
lftp admin@192.168.1.71:/upload> rm fstab
rm ok, 'fstab' removed
lftp admin@192.168.1.71:/upload> ls
drwx------ 2 996 994 4096 Oct 12:47 admin
lftp admin@192.168.1.71:/upload> rm -rf admin
rm ok, 'admin' removed
lftp admin@192.168.1.71:/upload> ls
lftp admin@192.168.1.71:/upload>
lftp admin@192.168.1.71:/upload> exit
[root@centos730g ~]# lftp -u guest 192.168.1.71
Password:
lftp guest@192.168.1.71:~> cd upload/
lftp guest@192.168.1.71:/upload> put /etc/issue
put: Access failed: 550 Permission denied. (issue)
lftp guest@192.168.1.71:/upload>
Because admin has its own profile authorizing upload and modify operations, the write permission on the upload directory is effective for it; guest has no separate authorization, so the write permission does not apply to it.
At this point the requirements of an FTP service in a real production environment are basically met. Of course, an FTP service usually does not have so many user accounts that a database is needed to store them, so choose how to store FTP user accounts according to actual need. One reminder: the FTP service is very strict about directory permissions, and a moment's carelessness produces all kinds of error messages, so take great care during configuration.
This article is from the "Love Firewall" blog; please keep this source: http://183530300.blog.51cto.com/894387/1863191
How to store the FTP user account in the MARIADB database