Install the FTP server and centosftp server on CentOS 7

Source: Internet
Author: User


In Linux the FTP server is usually vsftpd, so here I record how I installed vsftpd on a CentOS 7 host that did not yet have it.

1. Install the vsftpd package

sudo yum install vsftpd

2. Configure an FTP account

In Linux an FTP account is just a special kind of system user, but its permissions must be set up differently from a normal login user. So first add the FTP account:

sudo useradd -d /home/www www

Here useradd is the command for adding users; only the superuser can run it, hence sudo. The "-d" option takes the user's home directory as its argument, and the last argument is the FTP user name.

Then set the password for the www user:

sudo passwd www

Enter the password twice as prompted.

3. Set the www user's permissions:

sudo usermod -s /sbin/nologin www

Here usermod is the command for modifying user information; it also requires superuser rights. The "-s" option takes the user's login shell as its argument. The shells available on the system are listed in /etc/shells:

cat /etc/shells

On my CentOS 7, the following items are displayed:

/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/tcsh
/bin/csh

Two of these shells are named nologin. They are actually the same file: on CentOS 7 the /sbin directory is a symbolic link to /usr/sbin, the Linux equivalent of a folder shortcut. Setting a user's login shell to nologin means that user cannot log in to the system over SSH, but the account still exists and keeps its other permissions. For security, the FTP account we just created must not be able to log in over SSH, so its login shell is set to nologin.

After this setting the www user can no longer log in to the system. Now think about it: when an FTP user logs in through FTP, can it leave its own home directory and browse directories that belong to others? Yes, it can, unless something restricts it. So we also need to confine the www user to its own home directory. And, by the way, do not forget that anonymous users must be disabled as well.

These settings live in the vsftpd configuration file:

sudo vi /etc/vsftpd/vsftpd.conf

There are many options in the configuration file, so which ones should we set? The vsftpd official website would answer that, but unfortunately I could not open it. No matter: wikipedia.org works too. The vsftpd entry on Wikipedia does not describe the configuration itself, but under "External links" there is a "List of config directives" link, and that turned out to be the configuration reference I was looking for.

Reading from the top down, I found the settings for anonymous accounts; their names start with "anon". Most of them default to NO, but "anon_world_readable_only" and "anonymous_enable" default to YES. When "anon_world_readable_only" is YES, anonymous users are allowed to download files from the server. Obviously I cannot allow that, so it should be set to NO. "anonymous_enable" controls whether anonymous users may log in to the FTP server at all, and obviously it should also be NO. So we need the following two lines in the configuration file (vsftpd requires the exact form key=value, all lowercase and with no spaces around the "=", otherwise it refuses to start with a "bad config option" error):

anon_world_readable_only=NO
anonymous_enable=NO

Further down I found two options, "chroot_local_user" and "chroot_list_enable", which change a user's root directory. chroot is actually a C function, chroot(const char *path), which changes the root directory of the calling process to the given path. If "chroot_local_user" is YES, a local user is placed into its own home directory as its root after logging in over FTP and cannot change to any directory outside that directory and its subdirectories. If "chroot_list_enable" is YES, vsftpd lets us use the "chroot_list_file" option to name a file containing a list of local users, which controls which users are chrooted after login.

It is worth noting that the meaning of the chroot list flips depending on "chroot_local_user": with one setting the listed users are the only ones chrooted, with the other they are the only ones exempted. What does that mean in practice? Here is a table:

chroot_local_user   chroot_list_enable   Actual meaning
YES                 YES                  Only the users listed in "chroot_list_file" are NOT put into their own root directories; everyone else is.
YES                 NO                   All local users are put into their own root directories.
NO                  YES                  Only the users listed in "chroot_list_file" are put into their own root directories.
NO                  NO                   No local user is put into its own root directory.

Therefore "chroot_local_user" and "chroot_list_enable" should not normally be enabled at the same time unless you specifically need an exception list.
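To make the four-row table above concrete, here is an added example (not part of the original post) that reads a vsftpd configuration file and says whether a given local user would be chrooted, using the table's rules. The helper names (vsftpd_user_chrooted, home_owner_writable) are mine, the configuration files and chroot list are constructed in a scratch directory, and the fallback defaults for unset options (NO, NO, /etc/vsftpd.chroot_list) are the ones documented in vsftpd.conf(5). It also includes a pre-flight check that CentOS 7 users hit in practice: vsftpd 3.x, which CentOS 7 ships, refuses to log a chrooted user into a home directory that the user can write to unless allow_writeable_chroot=YES is set.

```shell
#!/bin/sh
# Added example: evaluate the chroot_local_user / chroot_list_enable table
# against a vsftpd config for a named user, plus the writable-home pre-flight
# check for vsftpd 3.x. Helper names and sample files are constructed here.

# Last uncommented "KEY=value" line in FILE; prints nothing if the key is unset.
conf_value() { grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# Is USER listed (one name per line) in the chroot list FILE?
user_in_list() { [ -f "$1" ] && grep -qx "$2" "$1"; }

# vsftpd_user_chrooted CONF USER: prints "chrooted" or "not chrooted".
# Unset options fall back to the documented vsftpd defaults.
vsftpd_user_chrooted() {
    conf=$1; user=$2
    local_user=$(conf_value "$conf" chroot_local_user)
    list_enable=$(conf_value "$conf" chroot_list_enable)
    list_file=$(conf_value "$conf" chroot_list_file)
    : "${local_user:=NO}" "${list_enable:=NO}" "${list_file:=/etc/vsftpd.chroot_list}"
    listed=no
    if [ "$list_enable" = YES ] && user_in_list "$list_file" "$user"; then
        listed=yes
    fi
    # The table from the text: a listed user gets the opposite of the global rule.
    if [ "$local_user" = YES ]; then
        if [ "$listed" = yes ]; then echo "not chrooted"; else echo "chrooted"; fi
    else
        if [ "$listed" = yes ]; then echo "chrooted"; else echo "not chrooted"; fi
    fi
}

# home_owner_writable DIR: exit 0 if the owner write bit is set on DIR.
# vsftpd 3.x (CentOS 7 ships 3.0.2) refuses to chroot a user into a directory
# that user can write to unless allow_writeable_chroot=YES, so check the home
# directory before the first login instead of after a "500 OOPS" message.
home_owner_writable() {
    case $(stat -c %A "$1") in
        ??w*) return 0 ;;   # e.g. drwxr-xr-x: third character is the owner write bit
        *)    return 1 ;;
    esac
}

# --- Demo on constructed files in a scratch directory (not the live /etc files) ---
work=$(mktemp -d)
printf 'admin\n' > "$work/chroot_list"
cat > "$work/everyone.conf" <<EOF
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$work/chroot_list
EOF
cat > "$work/listed_only.conf" <<EOF
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=$work/chroot_list
EOF
for u in www admin; do
    echo "everyone.conf    $u: $(vsftpd_user_chrooted "$work/everyone.conf" "$u")"
    echo "listed_only.conf $u: $(vsftpd_user_chrooted "$work/listed_only.conf" "$u")"
done
mkdir "$work/home_www"; chmod 755 "$work/home_www"
home_owner_writable "$work/home_www" && echo "home_www is owner-writable: a chrooted login would be refused on vsftpd 3.x"
```

With everyone.conf the www user is chrooted and the listed admin user is not; with listed_only.conf it is the other way round, which is exactly rows 1 and 3 of the table. The usual fix for the writable-home refusal is to make the home directory itself read-only for the user and give them a writable subdirectory for uploads.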

Here I only need to set the "chroot_local_user" option:

chroot_local_user=YES

Next I found an option named "connect_from_port_20", which controls the FTP data-transfer mode. If it is set to YES, data is transferred in port (active) mode, with the server connecting out from port 20. For details of the FTP transfer modes, refer to the Baidu Library. For passive (PASV) mode you would also set the following options:

pasv_enable=YES
pasv_max_port=<highest port of the PASV range>
pasv_min_port=<lowest port of the PASV range>

However, PASV mode is usually only needed when serving many clients, and I am the only user, so I do not need it. Setting "connect_from_port_20=YES" is enough for me.
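The settings collected above (the two anon options, chroot_local_user and connect_from_port_20) are easy to get wrong by hand, because vsftpd rejects a key with the wrong case or with spaces around the "=". As an added example, not from the original post, here is a small shell helper that sets a key=value line idempotently (rewriting a commented-out or existing line instead of appending a duplicate) and then checks that the hardening values from this article are in effect. The function names (vsftpd_set_option, vsftpd_get_option, vsftpd_check_hardening) are mine, and the demo works on a constructed scratch copy rather than the live /etc/vsftpd/vsftpd.conf; point it at the real file only once you are happy with the result.

```shell
#!/bin/sh
# Added example: idempotently set vsftpd options in a config file and verify
# the hardening settings from the text. Function names are constructed here.

# vsftpd_set_option FILE KEY VALUE: rewrite an existing (or commented-out) line
# for KEY, otherwise append "KEY=VALUE". Keys are lowercase vsftpd directives.
vsftpd_set_option() {
    file=$1; key=$2; value=$3
    case "$key$value" in
        *[!A-Za-z0-9_./-]*) echo "refusing unusual characters in '$key=$value'" >&2; return 2 ;;
    esac
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        # Replace both "#key=..." and "key=..." forms so the file ends up with one live line.
        sed "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# vsftpd_get_option FILE KEY: print the value of the last uncommented KEY line
# (vsftpd reads the file top to bottom, so a later line overrides an earlier one).
vsftpd_get_option() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# vsftpd_check_hardening FILE: report each setting from the article that is not
# in effect; exit status 0 only when all of them are.
vsftpd_check_hardening() {
    file=$1; rc=0
    for pair in anonymous_enable=NO anon_world_readable_only=NO chroot_local_user=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_get_option "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want $want" >&2
            rc=1
        fi
    done
    return $rc
}

# --- Demo on a constructed scratch copy, not the live configuration file ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample resembling a stock vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
listen=NO
EOF
vsftpd_check_hardening "$demo_conf" && echo "already hardened" || echo "needs changes"
vsftpd_set_option "$demo_conf" anonymous_enable NO
vsftpd_set_option "$demo_conf" anon_world_readable_only NO
vsftpd_set_option "$demo_conf" chroot_local_user YES
vsftpd_set_option "$demo_conf" connect_from_port_20 YES
vsftpd_check_hardening "$demo_conf" && echo "hardened: $demo_conf"
```

Running it prints the three FAIL lines for the stock sample first and then "hardened: ..." once the options have been rewritten. A check like vsftpd_check_hardening is worth keeping around, since a package update that drops in a new default file can silently re-enable anonymous access.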

4. Restart the vsftpd server. CentOS 7 manages vsftpd as a systemd unit (the older /etc/init.d/vsftpd script is from CentOS 6 and does not exist here):

sudo systemctl restart vsftpd

References
  • http://vsftpd.beasts.org/vsftpd_conf.html
  • http://man7.org/linux/man-pages/man2/chroot.2.html
