http://10.1.1.35/ule_basic/ule11.txt

Source: Internet
Author: User
Tags: ftp connection, ftp client, file transfer protocol
--

FTP (File Transfer Protocol)

Windows server: Serv-U
Windows clients: CuteFTP, LeapFTP, flashftp


A very old file transfer protocol; everything is transmitted in plaintext, so it is not secure.

Many web page maintenance tools (Dreamweaver, for example) use FTP to update website content.


[root@li yum.repos.d]# yum list | grep vsftp    -- the FTP package built into Red Hat
This system is not registered with RHN.
RHN support will be disabled.
vsftpd.i386    2.0.5-16.el5    installed


vsftpd: very secure FTP daemon

Another open-source FTP server is ProFTPD.


Ports used:
Data transmission: port 20
Command transmission: port 21

There are two connection modes:


Active: by default the FTP service listens on port 21 to receive control commands. For data, the server connects from its own port 20 to a random client port greater than 1024.

Passive: the FTP service still uses port 21 for command control. For data transmission, the client asks the server to open a port greater than 1024, and then the client actively connects to that port.


Service modes:

Standalone
Super daemon (xinetd)

Both FTP ports, 20 and 21, use TCP, so the three-way handshake is required.
Note: the port-20 data connection is established only when data is actually transferred; it is not set up as soon as the FTP control connection is made.


vim /etc/vsftpd.conf    -- configuration file

man vsftpd.conf         -- view the help


/etc/init.d/vsftpd start

[root@li yum.repos.d]# netstat -ntl | grep 21
tcp    0    0 0.0.0.0:21    0.0.0.0:*    LISTEN


Verify active mode:
[root@li yum.repos.d]# ftp 10.1.1.35
Connected to 10.1.1.35.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.1.1.35:root): ftp
331 Please specify the password.
Password:              -- the default password of the ftp user is also ftp
ftp> ?                 -- a question mark shows the command help
Commands may be abbreviated.  Commands are:
ftp> help ls           -- help on a single command
ls          list contents of remote directory
ftp> passive           -- turn passive mode off
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 13 06:03 pub
226 Directory send OK.


Verify the port from a second terminal:
[root@li ~]# netstat -nt | grep 20 | grep TIME
tcp    0    0 10.1.1.35:20    10.1.1.35:60422    TIME_WAIT    -- the local machine is both client and server, so in active mode port 20 of the local machine is seen connected to a random client port



Verify passive mode:
[root@li yum.repos.d]# telnet 10.1.1.35 21
Trying 10.1.1.35...
Connected to li.cluster.com (10.1.1.35).
Escape character is '^]'.
220 (vsFTPd 2.0.5)
USER ftp
331 Please specify the password.
PASS
230 Login successful.
PASV
227 Entering Passive Mode (171,164)    -- the last two numbers give the data port: 171*256 + 164 = 43940, the port shown listening below




netstat -ntl
tcp    0    0 10.1.1.35:43940    0.0.0.0:*    LISTEN
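The arithmetic behind the 227 reply, as an added example that is not part of the original notes: a small shell decoder for the six-number tuple that a server's "227 Entering Passive Mode" reply or a client's "PORT" command carries, plus the sanity check a client should make on the address it is told to connect to. The sample lines are constructed; the address quad missing from the copied 227 reply is assumed to be 10,1,1,35, and the PORT line is the command a client would have sent for the random port seen in the netstat output above.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the endpoint that an FTP
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply or a client
# "PORT h1,h2,h3,h4,p1,p2" command announces. The port is p1*256 + p2, which is
# how the 227 reply in the notes maps to the port netstat shows listening.

# Print "host port" for the six-number tuple in a 227 reply or PORT command.
# Returns 1 when the line carries no such tuple. The tuple must be preceded
# by a non-digit (a space or "("), so "10" is not read as "0".
ftp_decode_endpoint() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*[^0-9]\([0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\}\).*/\1/p')
    [ -n "$tuple" ] || return 1
    printf '%s\n' "$tuple" |
        awk -F, '{ printf "%d.%d.%d.%d %d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# Client-side sanity check: the host in a 227 reply should be the server the
# control connection already talks to; a different address is a reason to
# refuse the data connection. Prints "ok" or "mismatch".
pasv_host_check() {   # pasv_host_check SERVER_IP REPLY_LINE
    ep=$(ftp_decode_endpoint "$2") || { echo unparsed; return 1; }
    case $ep in
        "$1 "*) echo ok ;;
        *)      echo mismatch; return 1 ;;
    esac
}

# Constructed sample lines (assumption: the address quad is 10,1,1,35).
ftp_decode_endpoint "227 Entering Passive Mode (10,1,1,35,171,164)"        # 10.1.1.35 43940
ftp_decode_endpoint "PORT 10,1,1,35,236,6"                                  # 10.1.1.35 60422
pasv_host_check 10.1.1.35 "227 Entering Passive Mode (10,1,1,35,171,164)"  # ok
pasv_host_check 10.1.1.35 "227 Entering Passive Mode (192,0,2,9,171,164)" || true   # mismatch
```

The second PORT line shows the same encoding from the client side in active mode: 236*256 + 6 is 60422, the random client port that appeared in the TIME_WAIT entry, and the server's port 20 connects back to it.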




Configuration file:
[root@li /]# cat /etc/vsftpd.conf | grep -v ^# | grep -v ^$    -- drop lines that start with # and blank lines (^ anchors the start of a line, $ the end)
anonymous_enable=YES        -- allow anonymous users to log on
local_enable=YES            -- allow local users to log on
write_enable=YES            -- allow local users to write after logon
local_umask=022             -- permission mask for files and directories created by local users
dirmessage_enable=YES       -- enable directory description/welcome messages
xferlog_enable=YES          -- enable logging (records file uploads and downloads)
connect_from_port_20=YES    -- active mode by default
xferlog_std_format=YES      -- the log uses the standard format
listen=YES                  -- by default vsftpd runs standalone; change it to NO to run under the super daemon (xinetd)
pam_service_name=vsftpd     -- PAM support
userlist_enable=YES         -- enable the user list function
tcp_wrappers=YES            -- tcp_wrappers support
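A defender's check over this file, as an added example that is not part of the original notes: a shell audit that reads a vsftpd.conf the same way the grep -v pipeline above does, applies vsftpd's documented defaults for absent keys, and reports the settings that widen access: anonymous logon and anonymous upload (Example 2), local users outside the chroot (Example 6), and the userlist_deny semantics of Example 5, where an enabled list without userlist_deny=NO is a deny-list rather than an allow-list. Both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a vsftpd.conf for the
# settings discussed in the notes and report the ones that widen access.
# The sample configs are constructed; defaults for absent keys are vsftpd's.

# Value of KEY in FILE, skipping comments and blank lines like the grep -v
# pipeline; the last occurrence wins. Prints DEFAULT when the key is absent.
vsftpd_get() {   # vsftpd_get FILE KEY DEFAULT
    val=$(grep -v '^#' "$1" | grep -v '^$' |
          awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }')
    printf '%s\n' "${val:-$3}"
}

# Print one finding per line (nothing for a clean file).
vsftpd_audit() {   # vsftpd_audit FILE
    f=$1
    if [ "$(vsftpd_get "$f" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable=YES: anonymous logons allowed (the default when the key is absent)"
        [ "$(vsftpd_get "$f" anon_upload_enable NO)" = YES ] &&
            echo "anon_upload_enable=YES: anonymous users may upload (a public drop zone)"
        [ "$(vsftpd_get "$f" anon_mkdir_write_enable NO)" = YES ] &&
            echo "anon_mkdir_write_enable=YES: anonymous users may create directories"
    fi
    if [ "$(vsftpd_get "$f" local_enable NO)" = YES ]; then
        if [ "$(vsftpd_get "$f" chroot_local_user NO)" != YES ] &&
           [ "$(vsftpd_get "$f" chroot_list_enable NO)" != YES ]; then
            echo "local users are not chrooted: they can browse the whole file system"
        fi
        # userlist_deny defaults to YES, so an enabled list without
        # userlist_deny=NO is a deny-list, not an allow-list.
        if [ "$(vsftpd_get "$f" userlist_enable NO)" != YES ] ||
           [ "$(vsftpd_get "$f" userlist_deny YES)" != NO ]; then
            echo "no allow-list: every local account may try to log on"
        fi
    fi
    return 0
}

# Number of findings, for scripted checks.
vsftpd_risk_count() { vsftpd_audit "$1" | awk 'END { print NR }'; }

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# The defaults shown in the notes plus the Example 2 anonymous upload keys.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
listen=YES
userlist_enable=YES
EOF

# Hardened: no anonymous access, local users jailed, allow-list semantics.
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
listen=YES
EOF

vsftpd_audit "$SAMPLE_DIR/weak.conf"        # five findings
vsftpd_audit "$SAMPLE_DIR/hardened.conf"    # no output
```

The audit only looks at the service layer; as Example 1 points out, the operating system's permissions on /var/ftp and the home directories form the second layer, and an operation succeeds only when both permit it.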



Two anonymous users:
ftp, password ftp
anonymous, password blank

Example 1: anonymous download

By default anonymous users can log on and download (because the /var/ftp directory has 755 permissions).

-- Access control for any service goes through two layers: the service's own permission control and the operating system's permission control. An operation is allowed only when both permit it.

After changing /var/ftp to 750:
Log on as an anonymous user: ls shows no listing and downloads fail.


Example 2: anonymous upload

anonymous_enable=YES
anon_upload_enable=YES          -- allow anonymous users to upload files
anon_mkdir_write_enable=YES     -- allow anonymous users to create directories

ftp> lcd /etc                    -- lcd changes the client's local directory
Local directory now /etc
ftp> put fstab                   -- upload fstab to /var/ftp
local: fstab remote: fstab
227 Entering Passive Mode (...)
553 Could not create file.       -- the upload is refused: /var/ftp is 755, so anonymous users cannot write to it

Then chmod 777 /var/ftp

Log on again:
[root@li ~]# ftp 10.1.1.35
Connected to 10.1.1.35.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.1.1.35:root): ftp
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable anonymous root    -- vsftpd refuses to serve an anonymous home directory that has been made world-writable (777)
Login failed.


Solution:
Create a separate upload directory under /var/ftp and give anonymous users write permission on that directory only, for example:
chmod 777 /var/ftp/pub

ftp> cd pub                      -- cd changes the directory on the server
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab                 -- uploads /etc/inittab from the client to /var/ftp/pub on the server
local: inittab remote: inittab
227 Entering Passive Mode (...,69)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 4.1e-05 seconds (4e+04 Kbytes/s)
ftp> put /etc/rc.local local     -- another form of put: upload /etc/rc.local and store it under the name local, which avoids the lcd step





Example 3: allow anonymous download of the uploaded file
ftp> lcd /root/desktop           -- change the client directory
Local directory now /root/desktop
ftp> get inittab                 -- download the just-uploaded inittab; an error occurs
local: inittab remote: inittab
227 Entering Passive Mode (133,225)
550 Failed to open file.


Solution 1:
vim /etc/vsftp/vsftpd.conf


Add a line: anon_world_readable_only=NO


After restarting the service, the uploaded file can be downloaded.


Solution 2: set local_umask=022
Change it to local_umask=0222


Example 4: logon, upload and download by a normal user (that is, a normal system account from /etc/passwd)

Description of the last column (the login shell) of /etc/passwd:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
a:x:533:534::/home/a:/bin/bash
b:x:534:535::/home/b:/bin/false

/sbin/nologin   -- cannot log on to the system, but can log on to the FTP service
/bin/bash       -- can log on to both the system and FTP
/bin/false      -- cannot log on to the system or to the FTP service



local_enable=YES
write_enable=YES

[root@li ~]# ftp 10.1.1.35
Connected to 10.1.1.35.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.1.1.35:root): a         -- user name
331 Please specify the password.
Password:                        -- the user's system account password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls                          -- this lists the files in user a's home directory
227 Entering Passive Mode (251,100)
150 Here comes the directory listing.
-rw-------    1 533      534            44 Apr 24 nohup.out
-rwxr-xr-x    1 0        0              69 Apr 24 06:57 ntpdate.sh
226 Directory send OK.
ftp> mkdir a                     -- directories can be created
257 "/home/a" created


Example 5: forbid local users from logging on, or forbid only some of them
local_enable=NO                  -- no normal user can log on

Method 1 (not recommended):
Only for some normal users:
vim /etc/passwd and change /bin/bash to /bin/false, or
usermod -s /bin/false username

Method 2: use the user list function of the vsftpd service (recommended)
userlist_enable=YES              -- enable the user list function; without it the next two parameters have no effect

userlist_deny=YES                -- this parameter is not written in the file by default, but when it is absent it is enabled (YES) by default. Note the negative meaning: YES means the listed users are denied, NO means only the listed users are allowed.


vim /etc/vsftpd/user_list        -- write the user names to reject here, one per line. By default it already contains the system accounts with UID < 500, that is, by default vsftpd does not allow them to log on.

Verify after restarting the service.



userlist_enable=YES
userlist_deny=NO
vim /etc/vsftpd/user_list        -- because userlist_deny is NO, only the users in this list are allowed

Verify after restarting the service.




Example 6: chroot (jail environment) -- for security, confine the activity range of logged-on users
By default anonymous users are confined to the jail, but normal users are not.


chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list    -- this file does not exist by default; create it manually


vim /etc/vsftpd/chroot_list                 -- write the user names manually, one per line; a user listed here cannot cd out of the login directory


Example 7: display directory information or a welcome message at logon


1. Message display for a single user:

dirmessage_enable=YES            -- enable the per-directory message function


vim .message in the home directory (-- I am writing it in /home/b/, the home directory of user b)
Write the message to display at logon:
Welcome to my FTP server!!
li


When this user logs on to FTP, the message just written in .message is displayed:

Name (10.1.1.35:root): b
331 Please specify the password.
Password:
230-Welcome to my FTP server!!   -- the content of .message is displayed here
230-li
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.


2. Global message display:
Method 1:
ftpd_banner=Welcome to blah FTP service.    -- enable this option


[root@li ~]# ftp 10.1.1.35
Connected to 10.1.1.35.
220 Welcome to blah FTP service.            -- displayed on connection
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type

Method 2:
Write the message to a file:

banner_file=/var/ftp/welcome     -- the file name is up to you; create it manually and write the message in it



Example 8: FTP logs
xferlog_enable=YES               -- enable the logging function
xferlog_file=/var/log/xferlog    -- specify the log file
xferlog_std_format=YES           -- use the standard log format



cat /var/log/xferlog             -- note that entries are recorded only for uploads and downloads
Sat May 15 03:22:05 2010 1 10.1.1.35 220 /pub/local b _ i a ftp 0 * c
Sat May 15 03:31:19 2010 1 10.1.1.35 69 /home/a/ntpdate.sh b _ o r a ftp 0 * c
Sat May 15 03:36:08 2010 1 10.1.1.35 791 /home/a/fstab b _ i r a ftp 0 * c
Sat May 15 06:12:41 2010 1 10.1.1.35 1666 /home/b/inittab b _ i r b ftp 0 * c
Sat May 15 06:14:20 2010 1 10.1.1.35 791 /home/b/fstab b _ i r b ftp 0 * c
Sat May 15 06:15:29 2010 1 10.1.1.35 791 /home/b/fstab b _ o r b ftp 0 * c
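Reading these entries with a script, as an added example that is not part of the original notes: the standard xferlog layout is date (five fields), transfer time in seconds, remote host, file size, file name, transfer type (a or b), special-action flag, direction (i for an upload into the server, o for a download out of it), access mode (a anonymous, r real user), user name, service name, authentication method, authenticated user id, and completion status (c complete). The sample below is constructed from the entries above; the anonymous line is written with its full field set, since the copy above lost one field from it.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise a standard-format
# xferlog per user and list what anonymous sessions wrote. Field numbers used:
# $8 size, $9 file name, $12 direction (i upload / o download), $13 access
# mode (a anonymous / r real), $14 user name, $18 completion status.
# The sample log is constructed from the notes' entries.

XFERLOG_SAMPLE=$(mktemp)
trap 'rm -f "$XFERLOG_SAMPLE"' EXIT
cat > "$XFERLOG_SAMPLE" <<'EOF'
Sat May 15 03:22:05 2010 1 10.1.1.35 220 /pub/local b _ i a ftp ftp 0 * c
Sat May 15 03:31:19 2010 1 10.1.1.35 69 /home/a/ntpdate.sh b _ o r a ftp 0 * c
Sat May 15 03:36:08 2010 1 10.1.1.35 791 /home/a/fstab b _ i r a ftp 0 * c
Sat May 15 06:12:41 2010 1 10.1.1.35 1666 /home/b/inittab b _ i r b ftp 0 * c
Sat May 15 06:14:20 2010 1 10.1.1.35 791 /home/b/fstab b _ i r b ftp 0 * c
Sat May 15 06:15:29 2010 1 10.1.1.35 791 /home/b/fstab b _ o r b ftp 0 * c
EOF

# Per-user totals of completed transfers:
# "user mode uploads=N downloads=N bytes=N", one line per user, sorted.
xferlog_report() {   # xferlog_report FILE
    awk '$18 == "c" {
             k = $14 " " $13                  # user name and access mode
             seen[k] = 1
             if ($12 == "i") up[k]++
             if ($12 == "o") down[k]++
             bytes[k] += $8
         }
         END { for (k in seen)
                   printf "%s uploads=%d downloads=%d bytes=%d\n", k, up[k], down[k], bytes[k] }' "$1" |
    sort
}

# Files written by anonymous sessions: the entries to review first.
xferlog_anon_uploads() {   # xferlog_anon_uploads FILE
    awk '$13 == "a" && $12 == "i" { print $9 }' "$1"
}

xferlog_report "$XFERLOG_SAMPLE"
# a r uploads=1 downloads=1 bytes=860
# b r uploads=2 downloads=1 bytes=3248
# ftp a uploads=1 downloads=0 bytes=220
xferlog_anon_uploads "$XFERLOG_SAMPLE"       # /pub/local
```

The field positions assume file names without spaces, which is how the entries above look; a name containing a space shifts every later field by one, so a parser for a busy server should count fields from the end of the line instead.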




Example 9: some special restriction parameters
local_max_rate=1000000           -- maximum transfer rate for local users, in bytes per second; not set by default
anon_max_rate                    -- like local_max_rate, but for anonymous users only

max_clients                      -- maximum number of client connections; in standalone mode there is no limit by default

max_login_fails                  -- after the default of three failed logons the session is killed

max_per_ip                       -- maximum number of connections from a single client address; unlimited by default





Example 10: FTP with tcp_wrappers

[root@li b]# ldd /usr/sbin/vsftpd | grep wrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00dbc000)    -- shows that tcp_wrappers is supported


[root@li b]# vim /etc/hosts.deny
vsftpd: 10.1.1.0/255.255.255.0 EXCEPT 10.1.1.104    -- reject connections from the 10.1.1.0 network to the ftp service, except from 10.1.1.104

[root@li b]# ftp 10.1.1.35    -- after tcp_wrappers rejects the request, even the client itself (10.1.1.35) cannot connect to its own server; only 10.1.1.104 can
Connected to 10.1.1.35.
421 Service not available.
ftp> quit


------------------------------------------------------------------


FTP tools

Windows:
Server: Serv-U
Clients: CuteFTP, LeapFTP, flashftp


Linux:
lftp is a powerful client that supports FTP, HTTP, HTTPS and more.
Compared with the text-mode ftp client it has command history, auto-completion, wildcards, directory download and other functions, which is very convenient.




[root@li b]# lftp 10.1.1.35         -- logs on as the anonymous user by default
[root@li b]# lftp -u b 10.1.1.35    -- log on as user b


lftp b@10.1.1.35:~> mget *b         -- batch download of files whose names end in b
2457 bytes transferred
Total 3 files transferred


lftp b@10.1.1.35:~> mirror aaa      -- download directory aaa


Graphical FTP client: gftp


[root@li b]# yum list | grep gftp
This system is not registered with RHN.
RHN support will be disabled.
gftp.i386    0.18-3.2.2    installed


Run the gftp command after installation. Note that port 21 is required when FTP is used.






######################################################################


NTP service

Time synchronization is very important in a cluster environment.

Time zone concepts:
GMT (Greenwich Mean Time, named after the UK city at longitude 0)
UTC (Coordinated Universal Time, the standard time defined by physical (atomic) clocks)

The motherboard BIOS clock keeps UTC time and computes it from the host's own clock hardware, so there may be a slight error. That error is not acceptable in environments that run for a long time or require accurate time.

ssh 10.1.1.218 date; date    -- compare the time difference between the two computers (first configure SSH equivalence, i.e. key-based logon without a password)
15 15:26:36 CST 2010
15 15:26:45 CST 2010          -- the difference is 9 seconds, which is not acceptable in a cluster environment


[root@li b]# file /etc/localtime
/etc/localtime: timezone data    -- this is a time zone file, not ASCII text, so it cannot be read with vi; it corresponds to /usr/share/zoneinfo/Asia/Shanghai (because the Shanghai time zone was selected when the system was installed)

ls /usr/share/zoneinfo/          -- all the time zone files offered during installation are stored here


If the server is moved to another time zone or another country, the system is not reinstalled, and it is used in a cluster environment:
Step 1: copy the corresponding time zone file from /usr/share/zoneinfo/ to /etc/localtime to change the time zone.
Step 2: vim /etc/sysconfig/clock and set the new zone.


Synchronization process (similar to the TCP three-way handshake):
1. The client sends a request to the server.
2. The NTP server sends its time information back to the client.
3. The client adjusts its time based on the returned information.

The stratum concept of the time synchronization service:
The synchronization service can be layered (up to 15 strata).
The network delay between strata is calculated from the time difference.




yum install ntp -y          -- install the package ntp.i386

vim /etc/ntp.conf           -- configuration file




[root@li b]# cat /etc/ntp.conf | grep -v ^# | grep -v ^$


restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 10.1.1.1 prefer      -- specify 10.1.1.1 as the upstream time server; prefer marks it as preferred
server 10.1.1.2
driftfile /var/lib/ntp/drift    -- records the frequency error between the local clock and the upstream time service
keys /etc/ntp/keys
server 127.127.1.0          -- if no upstream server can be reached, the motherboard clock (BIOS, UTC) is used instead
fudge 127.127.1.0 stratum 10    -- the motherboard clock is given stratum 10

restrict flags:
ignore      rejects all NTP packets
nomodify    the server's clock cannot be modified
noquery     no queries are allowed
notrap      no remote event traps
nopeer      no peering is allowed
If no flag is given, no restriction is imposed.


Server configuration 1 (this server is the first stratum):
1. Change "default" in the first restrict line to 127.0.0.1.
2. Comment out the third line, restrict 127.0.0.1, then save and exit.
3. Restart the service.

Client verification:
ntpdate 10.1.1.35           -- synchronization takes about five minutes. Note: the NTP service must not be running on the client



Server configuration 2 (with 10.1.1.1 as the upstream time server):
1. Undo the changes made above.
2. Add the following two lines, then save and exit:
server 10.1.1.1
restrict 10.1.1.0 netmask 255.255.255.0 nomodify notrap
3. Restart the service; it listens on UDP port 123.


[root@li b]# ntpstat             -- check whether this server is synchronised with its upstream stratum
unsynchronised
  time server re-starting
   polling server every 64 s

[root@li b]# ntptrace -n 10.1.1.1    -- view the chain to the upstream server; the "timed out" entry is the relationship between the upstream server and its own upstream (nothing to worry about here)
10.1.1.1: stratum 2, offset 0.001891, synch distance 0.278392
192.43.244.18: timed out, nothing received
***Request timed out

[root@li b]# ntpq -p             -- query the parameters between this stratum and the upstream
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 squid.cluster.c 192.43.244.18    2 u    3   64   77    0.192 4317162 1612852
*LOCAL(0)        .LOCL.          10 l   58   64   37    0.000    0.000   0.001
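Reading that ntpq -p table from a script, as an added example that is not part of the original notes: the tally character in the first column is what matters, since "*" marks the peer the daemon has actually selected. In the output above the selected peer is LOCAL(0), the stratum-10 fallback clock, while the upstream squid.cluster.c shows an offset of 4317162 ms (about 72 minutes) and is not selected, so the host is not really synchronised even though a "*" is present. The samples are constructed; the first reproduces the notes' output, and the threshold of 1000 ms is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from "ntpq -p" output
# whether a host is really synchronised. Samples are constructed; the first
# reproduces the table in the notes.

NTPQ_SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$NTPQ_SAMPLE_DIR"' EXIT

cat > "$NTPQ_SAMPLE_DIR/local.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 squid.cluster.c 192.43.244.18    2 u    3   64   77    0.192 4317162 1612852
*LOCAL(0)        .LOCL.          10 l   58   64   37    0.000    0.000   0.001
EOF
cat > "$NTPQ_SAMPLE_DIR/upstream.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*squid.cluster.c 192.43.244.18    2 u    3   64  377    0.192    0.512   0.031
 LOCAL(0)        .LOCL.          10 l   58   64  377    0.000    0.000   0.001
EOF
cat > "$NTPQ_SAMPLE_DIR/drift.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*squid.cluster.c 192.43.244.18    2 u    3   64  377    0.192 4317162 1612852
EOF
cat > "$NTPQ_SAMPLE_DIR/none.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 squid.cluster.c 192.43.244.18    2 u    3   64    0    0.000    0.000   0.000
EOF

# Print "peer=<remote> stratum=<st> offset=<ms> <verdict>" or "unsynchronised".
# Verdicts: ok, offset-too-large (|offset| > MAX_MS, default 1000), and
# local-clock-only (the selected peer is the undisciplined local clock, which
# means no upstream server is usable).
ntp_sync_status() {   # ntp_sync_status FILE [MAX_MS]
    awk -v max="${2:-1000}" '
        NR <= 2 { next }                         # header and ruler lines
        {
            tally = substr($0, 1, 1)             # selection mark: * + - x # or space
            $0 = substr($0, 2)                   # re-split the fields without the tally
            if (tally == "*") { peer = $1; st = $3; off = $9 }
        }
        END {
            if (peer == "") { print "unsynchronised"; exit }
            verdict = ((off < 0 ? -off : off) <= max) ? "ok" : "offset-too-large"
            if (peer ~ /^LOCAL\(/) verdict = "local-clock-only"
            printf "peer=%s stratum=%s offset=%s %s\n", peer, st, off, verdict
        }' "$1"
}

ntp_sync_status "$NTPQ_SAMPLE_DIR/local.txt"      # peer=LOCAL(0) stratum=10 offset=0.000 local-clock-only
ntp_sync_status "$NTPQ_SAMPLE_DIR/upstream.txt"   # peer=squid.cluster.c stratum=2 offset=0.512 ok
ntp_sync_status "$NTPQ_SAMPLE_DIR/drift.txt"      # peer=squid.cluster.c stratum=2 offset=4317162 offset-too-large
ntp_sync_status "$NTPQ_SAMPLE_DIR/none.txt"       # unsynchronised
```

The reach column is an octal shift register of the last eight polls; 377 means all eight succeeded, and the 77 in the notes' output means the most recent poll of squid.cluster.c failed, which is consistent with the daemon having fallen back to LOCAL(0).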



Time classification: software (system) time and hardware time (BIOS)

hwclock            -- query and set the hardware clock (RTC)

hwclock -r         -- read the BIOS time
hwclock -w         -- write the system time to the BIOS

Therefore, after synchronizing with ntpdate you can use hwclock to write the time to the BIOS, so that the motherboard time matches the system time.

-------------------------
A time synchronization method using a super daemon (xinetd) service:
[root@li test]# vim /etc/xinetd.d/time-dgram
disable = no
[root@li test]# vim /etc/xinetd.d/time-stream
disable = no

/etc/init.d/xinetd restart    -- now port 37 is listened on twice (one TCP, one UDP)

The client synchronizes with rdate -s 10.1.1.35.


Advantage: no long wait as with NTP, and easy to configure; but it lacks NTP's powerful functions.




--------------------------------------------------------------------


Homework:
1. Set up an FTP server that allows local users to log on, but only users a, b, c and d; all normal users land in the /ftp directory (that is, the same jail; the relevant parameter is local_root).
Each user may use 50 MB of space in /ftp. User a can upload and download, user b can only download and not upload, users c and d can only upload and not download.
Add a welcome message and logging, and disable anonymous logon.

mkdir /ftp

vim /etc/vsftpd.conf
userlist_enable=YES
userlist_deny=NO
vim /etc/vsftpd/user_list        -- add a, b, c, d here

local_root=/ftp                  -- all normal users log on into the /ftp jail

banner_file=/var/ftp/welcome     -- create this file manually and write the welcome message you want

xferlog_enable=YES               -- enable the logging function
xferlog_file=/var/log/xferlog    -- specify the log file
xferlog_std_format=YES

anonymous_enable=NO              -- disable anonymous logon

Partition with fdisk and format as ext3
mount /dev/sdaX -o usrquota,grpquota,acl /ftp

quotacheck -cauvg

edquota -u
edquota -u b
edquota -u c
edquota -u d                     -- for each of the four users, change the hard block limit to 5000000

chown a:b /ftp                   -- owner a, group b
chmod 753 /ftp                   -- owner rwx (a: upload and download), group r-x (b: download only), others -wx (c and d: can write into the directory but not list or read it, i.e. upload only)
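A service-layer way to express the same per-user rules, as an added example that is not the notes' own answer: vsftpd's user_config_dir option, which the notes do not use, makes vsftpd read <user_config_dir>/<username> after the main file and apply those settings to that user only; write_enable governs uploads (and every other command that changes the file system) and download_enable governs downloads. The user names and paths are the homework's; the temporary output directory stands in for /etc/vsftpd, and the quota command in the comment is an assumption about how the same limit would be set non-interactively.

```shell
#!/bin/sh
# Added example for homework 1 (not the notes' own answer): generate the main
# vsftpd.conf, the allow-list and per-user override files for a, b, c, d using
# vsftpd's user_config_dir. Output goes to a temporary directory that stands
# in for /etc/vsftpd.

OUT=$(mktemp -d)
trap 'rm -rf "$OUT"' EXIT

# Main configuration: local users only, allow-list semantics, everyone jailed in /ftp.
write_main_conf() {   # write_main_conf FILE
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_root=/ftp
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
user_config_dir=/etc/vsftpd/user_conf
banner_file=/var/ftp/welcome
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
EOF
}

# Per-user override file. Policies: rw, download-only, upload-only.
write_user_policy() {   # write_user_policy DIR USER POLICY
    case $3 in
        rw)            w=YES; d=YES ;;
        download-only) w=NO;  d=YES ;;
        upload-only)   w=YES; d=NO ;;
        *) echo "unknown policy: $3" >&2; return 1 ;;
    esac
    printf 'write_enable=%s\ndownload_enable=%s\n' "$w" "$d" > "$1/$2"
}

# What a user's override file grants: "upload=YES|NO download=YES|NO".
user_rights() {   # user_rights DIR USER
    awk -F= '$1 == "write_enable" { w = $2 } $1 == "download_enable" { d = $2 }
             END { printf "upload=%s download=%s\n", w, d }' "$1/$2"
}

write_main_conf "$OUT/vsftpd.conf"
printf '%s\n' a b c d > "$OUT/user_list"        # the allow-list (userlist_deny=NO)
mkdir -p "$OUT/user_conf"
write_user_policy "$OUT/user_conf" a rw
write_user_policy "$OUT/user_conf" b download-only
write_user_policy "$OUT/user_conf" c upload-only
write_user_policy "$OUT/user_conf" d upload-only

# The 50 MB quota is set on the real server once /ftp is mounted with
# usrquota, e.g. (assumption) "setquota -u a 0 51200 0 0 /ftp": a hard limit
# of 51200 blocks of 1 KiB. The notes use edquota interactively for the same.

for u in a b c d; do
    printf '%s: %s\n' "$u" "$(user_rights "$OUT/user_conf" "$u")"
done
# a: upload=YES download=YES
# b: upload=NO download=YES
# c: upload=YES download=NO
# d: upload=YES download=NO
```

write_enable=YES for the upload-only users also permits delete and rename, because vsftpd has no separate upload-only switch; the chmod 753 in the notes' answer covers that at the file-system layer (others may create files in /ftp but not list or read it), which is the two-layer control described in Example 1.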










2. Build an NTP service that allows clients to synchronize their time.































