1. FTP Service Introduction
FTP is the abbreviation of File Transfer Protocol. It is used for two-way transfer of files over the Internet. At the same time it is also an application: there are different FTP applications for different operating systems, and all of them follow the same protocol to transfer files.
When using FTP, users often encounter two concepts: download and upload. Downloading a file copies it from a remote host to your own computer; uploading a file copies it from your computer to a remote host. In Internet terms, users upload (download) files to (from) the remote host through a client program. Because FTP transfers files in cleartext there is a certain danger, so a more secure FTP server, vsftpd, is commonly used; the following mainly introduces the characteristics and configuration of vsftpd.
2. vsftpd is more secure than a plain FTP server and has the following features:
(1) vsftpd generally runs as an ordinary user, reducing the privileges of the process and improving security
(2) Any operation that requires higher privilege must be granted by the parent (privileged) process
(3) The FTP commands are built into vsftpd, so no additional system commands are required
(4) A chroot function can change the user's root directory, restricting the user to their own home directory
(5) vsftpd is FTP server software released under the GPL. "vs" is the abbreviation of "Very Secure", which shows that the server was designed with the security of the service as its original goal
(6) vsftpd is the FTP server software used by Red Hat Linux by default
(7) vsftpd no longer relies on the xinetd service
(8) vsftpd allows anonymous access as well as local users, and supports virtual users
3. vsftpd Connection Types
Command connection: TCP 21, used for sending FTP command information
Data connection: TCP 20, used for uploading and downloading data
4. vsftpd Operating Modes
Active mode (the server actively connects to the client from port 20 for data transfer):
1. Command connection: client (1025) -----> server (21)
The client connects to port 21 on the server from a random port (greater than 1023)
2. Data connection: server (20/TCP) -----> client (1025+1)
The server connects from its own port 20 to the client port numbered one higher than the random port the client used for the command connection
Passive mode (the server opens a random port and waits for the client to connect to it for data transfer):
1. Command connection: client (1110) ----> server (21)
The client connects to port 21 on the server from a random port
2. Data connection: client (1110+1) ----> server (random port)
5. vsftpd Configuration
/etc/pam.d/vsftpd          // vsftpd user authentication (PAM) profile
/etc/vsftpd/               // configuration file directory
/etc/vsftpd/vsftpd.conf    // main configuration file
Common vsftpd configuration parameters:
Parameter | Function
--- | ---
anonymous_enable=YES | Enable anonymous user login
anon_upload_enable=YES | Allow anonymous users to upload
anon_mkdir_write_enable=YES | Allow anonymous users to create directories, but not delete them
anon_other_write_enable=YES | Allow anonymous users to create and delete directories
local_enable=YES | Enable local user login
write_enable=YES | Allow local users to have write permission
local_umask=022 | Default umask for files uploaded via FTP
chroot_local_user=YES | Jail (chroot) all local FTP users into their home directory
chroot_list_enable=YES | Enable the chroot list; must be used together with the chroot_list_file parameter
chroot_list_file=/etc/vsftpd/chroot_list | Specify the path of the chroot list file; the users in this file are jailed in their home directory
allow_writeable_chroot=YES | Allow a jailed user's home directory to be writable
xferlog_enable=YES | Whether to enable the transfer log, which records the FTP transfer process
xferlog_std_format=YES | Whether the transfer log uses the standard format
xferlog_file=/var/log/xferlog | Specify where the transfer log is stored
chown_uploads=YES | Whether to enable changing the owner of uploaded files
chown_username=whoever | Change the owner of uploaded files to this user, who must exist on the system
pam_service_name=vsftpd | Specify which PAM profile under /etc/pam.d vsftpd uses for user authentication
userlist_enable=YES | Whether to enable a list file that controls user logins; the default is /etc/vsftpd/user_list
userlist_deny=YES | Whether users listed in the userlist file are denied FTP login
max_clients=# | Maximum number of concurrent connections
max_per_ip=# | Maximum number of concurrent connections from a single IP
anon_max_rate | Maximum transfer rate for anonymous users, in bytes per second
local_max_rate | Maximum transfer rate for local users, in bytes per second
dirmessage_enable=YES | Enable the .message directory description. For example, if a file named .message is created under the directory /upload and some descriptive text is written into it, the contents of .message are displayed automatically when the user changes into /upload
message_file | Set the name of the directory information file read when entering a directory; the default is .message
idle_session_timeout=600 | Time in seconds after which an inactive session is disconnected
data_connection_timeout=120 | Timeout in seconds for a data transfer
ftpd_banner="Welcome to chenlf FTP service." | Custom welcome message displayed automatically on FTP login
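The parameters above are the ones that decide how much a vsftpd host exposes, so a quick audit of a vsftpd.conf against them is worth having. The following POSIX shell script is an added example, not code from the original post; it parses key=value lines the way vsftpd does (option names lowercase, values case-insensitive, last occurrence wins), applies vsftpd's built-in default of anonymous_enable=YES when the line is absent, and returns the number of findings as its exit status. The two sample configs it checks are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf against the
# parameters in the table above. Exit status is the number of findings.

# Print KEY's value from FILE, upper-cased (vsftpd compares values
# case-insensitively, but option names must be lowercase). Last match wins.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

audit_vsftpd_conf() {
    conf=$1; findings=0
    anon=$(vsftpd_get "$conf" anonymous_enable)
    [ -z "$anon" ] && anon=YES   # vsftpd's built-in default when the line is absent
    if [ "$anon" = YES ]; then
        echo "WARN anonymous_enable=YES: anonymous logins are accepted"
        findings=$((findings + 1))
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            [ "$(vsftpd_get "$conf" "$k")" = YES ] &&
                echo "WARN $k=YES: anonymous users can write to the server" &&
                findings=$((findings + 1))
        done
    fi
    if [ "$(vsftpd_get "$conf" local_enable)" = YES ] &&
       [ "$(vsftpd_get "$conf" chroot_local_user)" != YES ]; then
        echo "WARN chroot_local_user is not YES: local users can leave their home directory"
        findings=$((findings + 1))
    fi
    [ "$(vsftpd_get "$conf" allow_writeable_chroot)" = YES ] &&
        echo "WARN allow_writeable_chroot=YES: the chroot root directory is writable" &&
        findings=$((findings + 1))
    [ "$(vsftpd_get "$conf" xferlog_enable)" = YES ] ||
        { echo "WARN xferlog_enable is not YES: transfers are not logged"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample configs (not from the post): one weak, one hardened.
write_sample_confs() {
    printf '%s\n' anonymous_enable=YES anon_upload_enable=yes local_enable=YES \
        write_enable=YES allow_writeable_chroot=YES > "$1/weak.conf"
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        chroot_local_user=YES xferlog_enable=YES > "$1/hardened.conf"
}

dir=$(mktemp -d)
write_sample_confs "$dir"
for f in weak hardened; do
    audit_vsftpd_conf "$dir/$f.conf"; echo "$f.conf: $? finding(s)"
done
```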
6. User Authentication
There are three main types of FTP users:
Virtual user: used only to access the resources of a particular service
System user: a real user who can log in to the system
Anonymous user
7. vsftpd Virtual User Configuration Steps (demo)
// Turn off the firewall and install the dependent programs
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# yum install -y wget
[root@localhost yum.repos.d]# wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
[root@localhost ~]# yum clean all
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum install -y vsftpd db4*
// Create the user name / password list in text format (user name on one line, password on the next)
[root@localhost ~]# cat >> /etc/vsftpd/vu.list << EOF
lan
123
zhi
123
EOF
// Convert the text user name / password file just created into a database file with the db4 tool
[root@localhost ~]# db_load -T -t hash -f /etc/vsftpd/vu.list /etc/vsftpd/vu.db
// Set the permissions of the virtual user files to 600 to avoid credential leakage
[root@localhost ~]# chmod 600 /etc/vsftpd/vu.*
[root@localhost ~]# ll /etc/vsftpd/vu.*
-rw-------. 1 root root 12288 2 15:53 /etc/vsftpd/vu.db
-rw-------. 1 root root 2 15:50 /etc/vsftpd/vu.list
// Create the mapping account for the virtual users; the mapping account is named vftp
[root@localhost ~]# useradd -d /var/ftproot -s /sbin/nologin vftp
[root@localhost ~]# chmod 755 /var/ftproot/
[root@localhost ~]# ll -d /var/ftproot/
drwxr-xr-x. 2 vftp vftp 2 15:56 /var/ftproot/
// Establish PAM authentication for the virtual users
[root@localhost ~]# mv /etc/pam.d/vsftpd{,.bak}
[root@localhost ~]# vim /etc/pam.d/vsftpd
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vu
account required pam_userdb.so db=/etc/vsftpd/vu
// Modify the vsftpd configuration file to add virtual user support, and establish a separate configuration file for each virtual user
[root@localhost ~]# cp /etc/vsftpd/vsftpd.conf .
[root@localhost ~]# cat >> /etc/vsftpd/vsftpd.conf << EOF
guest_enable=YES
guest_username=vftp
user_config_dir=/etc/vsftpd/vusers_dir
allow_writeable_chroot=YES
EOF
// With the above configuration, each virtual user can be set up separately in the /etc/vsftpd/vusers_dir directory
[root@localhost ~]# mkdir /etc/vsftpd/vusers_dir
[root@localhost ~]# ll /etc/vsftpd/
total 36
-rw-------. 1 root root ftpusers
-rw-------. 1 root root 361 Mar user_list
-rw-------. 1 root root 5106 2 16:01 vsftpd.conf
-rwxr--r--. 1 root root 338 Mar vsftpd_conf_migrate.sh
-rw-------. 1 root root 12288 2 15:53 vu.db
-rw-------. 1 root root 2 15:50 vu.list
drwxr-xr-x. 2 root root 6 2 16:03 vusers_dir
// Allow user lan to upload files, create directories and delete
[root@localhost ~]# cat >> /etc/vsftpd/vusers_dir/lan << EOF
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
// User zhi only needs the default download permission, so it is enough to create a blank file named zhi
[root@localhost ~]# touch /etc/vsftpd/vusers_dir/zhi
// Start the vsftpd service
[root@localhost ~]# systemctl start vsftpd
8. Using a Script to Implement the Virtual User Configuration and File Sharing Function
[root@localhost ~]# vim ftp.sh
#!/bin/bash
# Turn off the firewall and SELinux
systemctl disable firewalld
systemctl stop firewalld
sed -ri 's#^(SELINUX=).*#\1disabled#g' /etc/selinux/config
setenforce 0
# Install the dependent programs
cd /etc/yum.repos.d/
mv * /tmp/
curl -o 163.repo http://mirrors.163.com/.help/CentOS7-Base-163.repo &>/dev/null
sed -i 's/\$releasever/7/g' /etc/yum.repos.d/163.repo
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/163.repo
yum clean all && yum install -y epel-release && yum install -y vsftpd db4* &>/dev/null
# Add two users, lan and zhi, with passwords 123 and 123
cat > /etc/vsftpd/vu.list << EOF
lan
123
zhi
123
EOF
# Convert the list into a database file with the db4 tool
db_load -T -t hash -f /etc/vsftpd/vu.list /etc/vsftpd/vu.db
# Set the permissions of the virtual user files to 600
chmod 600 /etc/vsftpd/vu.*
# Create the mapping account for the virtual users; the FTP root directory mapping account is named vftp
id vftp &>/dev/null
if [ $? -ne 0 ]; then
    useradd -d /var/fenxiang -s /sbin/nologin vftp
else
    userdel -r vftp
    useradd -d /var/fenxiang -s /sbin/nologin vftp
fi
chmod 755 /var/fenxiang/
# Establish PAM authentication for the virtual users
mv /etc/pam.d/vsftpd{,.bak}
cat > /etc/pam.d/vsftpd << EOF
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vu
account required pam_userdb.so db=/etc/vsftpd/vu
EOF
# Modify the vsftpd main configuration file (keep a backup copy under /root)
cp /etc/vsftpd/vsftpd.conf /root/
cat >> /etc/vsftpd/vsftpd.conf << EOF
guest_enable=YES
guest_username=vftp
user_config_dir=/etc/vsftpd/yonghu
allow_writeable_chroot=YES
EOF
# Configure permissions for virtual user lan: upload, download, delete
if [ ! -d /etc/vsftpd/yonghu ]; then
    mkdir /etc/vsftpd/yonghu
fi
cat > /etc/vsftpd/yonghu/lan << EOF
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
# User zhi keeps the default download-only permission: an empty per-user file is enough
touch /etc/vsftpd/yonghu/zhi
systemctl restart vsftpd
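The setup in sections 7 and 8 fails quietly in a few ways: an odd line in vu.list pairs a user with the wrong password, a readable vu.db leaks every virtual user's password, a missing per-user file in user_config_dir locks that user out, and an upper-case option name in a per-user file makes vsftpd reject it because option names are case-sensitive. The following POSIX shell script is an added example, not code from the original post; it checks those four points before the service is restarted, and the fixture it runs against is constructed here with one deliberate mistake of each kind. It assumes GNU/busybox stat (stat -c %a).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the virtual-user setup
# from sections 7 and 8 before (re)starting vsftpd. Arguments: path to vu.list
# and the user_config_dir. Prints each problem; exit status = number found.
check_vusers() {
    list=$1; cfgdir=$2; problems=0
    # vu.list alternates user name / password lines, so the count must be even.
    if [ $(($(grep -c . "$list") % 2)) -ne 0 ]; then
        echo "ERR $list: odd number of lines, a user is missing its password line"
        problems=$((problems + 1))
    fi
    # vu.list and the db_load output vu.db hold credentials: mode must be 600.
    for f in "$list" "${list%.list}.db"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        [ "$mode" = 600 ] || { echo "ERR $f: mode $mode, expected 600"; problems=$((problems + 1)); }
    done
    # Each user (odd lines) needs a file in user_config_dir whose name matches the
    # login name exactly; an empty file means download-only, as for user zhi.
    for user in $(awk 'NR % 2 == 1' "$list"); do
        if [ ! -f "$cfgdir/$user" ]; then
            echo "ERR $user: missing per-user file $cfgdir/$user"
            problems=$((problems + 1))
        # vsftpd option names are case-sensitive and lowercase; an upper-case
        # name makes vsftpd reject the file and fail that user's login.
        elif grep -q '^[^#=]*[A-Z][^=]*=' "$cfgdir/$user"; then
            echo "ERR $cfgdir/$user: option names must be lowercase"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed fixture (not from the post): the two users from the demo, with
# one deliberate mistake of each kind so the checks above fire.
make_fixture() {
    printf '%s\n' lan 123 zhi 123 > "$1/vu.list"; chmod 600 "$1/vu.list"
    : > "$1/vu.db"; chmod 644 "$1/vu.db"                                      # wrong mode
    mkdir -p "$1/vusers_dir"
    printf '%s\n' anon_umask=022 Anon_upload_enable=YES > "$1/vusers_dir/lan"  # bad case
    # deliberately no file for zhi
}

dir=$(mktemp -d); make_fixture "$dir"
check_vusers "$dir/vu.list" "$dir/vusers_dir"; echo "$? problem(s)"
```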