I. FTP overview
The common FTP server on Linux is vsftpd (Very Secure FTP Daemon). There is also proftpd (Professional FTP). Below is a brief description of configuring vsftpd.
vsftpd provides three kinds of remote login:
(1) Anonymous login
No user name or password is needed; anyone can log in to the server.
(2) Local user mode
An account name and password are required, and the account is one that already exists on the Linux system.
(3) Virtual user mode
A user name and password are also required, but unlike the mode above, the user does not exist as a Linux system account.
II. Installing and configuring vsftpd
2.1 Installation
The vsftpd package is on the installation media, and installing it with yum is also simple. For details see:
Linux: building a YUM server
http://blog.csdn.net/tianlesoftware/archive/2011/01/03/6113902.aspx
Install command: yum install vsftpd
2.2 Related commands
2.2.1 Start and stop
[[email protected] ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] ~]# service vsftpd stop
Shutting down vsftpd:                                      [  OK  ]
[[email protected] ~]# service vsftpd restart
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [FAILED]
[[email protected] ~]# /etc/init.d/vsftpd stop
Shutting down vsftpd:                                      [  OK  ]
[[email protected] ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] ~]# /etc/init.d/vsftpd status
vsftpd (pid 3931) is running...
[[email protected] ~]#
2.2.2 Other commands
-- View whether vsftpd starts at boot
[[email protected] ~]# chkconfig --list vsftpd
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[[email protected] ~]# chkconfig vsftpd on
[[email protected] ~]# chkconfig --list vsftpd
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
As you can see, runlevels 2 to 5 are set to on by default. Runlevels 2 to 5 are the multi-user levels; they correspond to the different runlevels of Linux.
We can also add the --level option to specify the runlevels explicitly:
[[email protected] ~]# chkconfig --level 0 vsftpd on
[[email protected] ~]# chkconfig --list vsftpd
vsftpd          0:on    1:off   2:on    3:on    4:on    5:on    6:off
We see that level 0 is now set to on.
man chkconfig describes the option:
--level levels
Specifies the run levels an operation should pertain to. It is given as a string of numbers from 0 to 7. For example, --level 35 specifies runlevels 3 and 5.
Traditional init defines 7 runlevels, each representing a specific set of services the system should provide:
(1) Runlevel 0 is a complete shutdown of the system
(2) Runlevel 1 (or S) is single-user mode
(3) Runlevels 2 to 5 are multi-user levels
(4) Runlevel 6 is reboot
For more on Linux runlevels, see my blog:
Linux boot and shutdown process (5.1 init and runlevels)
http://blog.csdn.net/tianlesoftware/archive/2010/10/24/5962460.aspx
(1) Check the firewall
I usually shut down the system's firewall, because it imposes a lot of restrictions when it is on.
[[email protected] ~]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
-- Open port 21:
[[email protected] ~]# /sbin/iptables -I INPUT -p tcp --dport 21 -j ACCEPT
[[email protected] ~]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
-- Save the configuration
[[email protected] ~]# /etc/rc.d/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
-- Restart the firewall:
[[email protected] ~]# service iptables {start|stop|restart}
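As an added example (not from the original post), here is a small POSIX shell script that produces the iptables rules a vsftpd server needs, as an alternative to switching the firewall off: the control port 21 opened above, plus a passive data-port range and the RELATED,ESTABLISHED rule without which data connections are dropped. The range 40000-40100 is a constructed sample and must match pasv_min_port/pasv_max_port in vsftpd.conf; the conntrack helper module name nf_conntrack_ftp is an assumption (older kernels call it ip_conntrack_ftp).

```shell
#!/bin/sh
# Added example, not from the original post. Produces the iptables commands
# that open only what FTP needs, instead of disabling the firewall:
#  - tcp/21 for the control connection (the rule added above),
#  - a passive data-port range (must match pasv_min_port/pasv_max_port),
#  - RELATED,ESTABLISHED so the data connections tracked by the kernel's FTP
#    conntrack helper are accepted (module name nf_conntrack_ftp is an
#    assumption; older kernels name it ip_conntrack_ftp).

# Return 0 if "$1-$2" is a usable passive range: numeric, unprivileged,
# within 65535 and min <= max.
valid_pasv_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Print the rules for the given range; print nothing and fail if the range
# is not usable. -I inserts at the top of INPUT, so an existing REJECT/DROP
# rule further down cannot shadow them.
ftp_firewall_rules() {
    valid_pasv_range "$1" "$2" || return 1
    printf '%s\n' \
        "modprobe nf_conntrack_ftp" \
        "/sbin/iptables -I INPUT -p tcp --dport $1:$2 -j ACCEPT" \
        "/sbin/iptables -I INPUT -p tcp --dport 21 -j ACCEPT" \
        "/sbin/iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Number of commands produced (0 for a rejected range), useful for checks.
ftp_rule_count() {
    ftp_firewall_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample range: review the output, run it as root, then keep it
# across reboots with /etc/rc.d/init.d/iptables save (as shown above).
ftp_firewall_rules 40000 40100
```

Keeping the passive range narrow is what makes this possible; without pasv_min_port/pasv_max_port in vsftpd.conf the server picks any high port and only the conntrack helper can keep the firewall closed.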
(2) Check that SELinux is off
[[email protected] ~]# sestatus
SELinux status:                 disabled
I turned SELinux off when installing the operating system; if it is still on, edit the following file to disable it:
[[email protected] ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
[[email protected] ~]#
Save and exit, then reboot the system for the change to take effect.
III. FTP configuration files
After vsftpd is installed, the following files are in the /etc/vsftpd/ directory:
[[email protected] ~]# cd /etc/vsftpd/
[[email protected] vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[[email protected] vsftpd]#
vsftpd.conf: the main configuration file
ftpusers: lists the users who may not access the FTP server
user_list: whether the users listed here may access the FTP server depends on the value of userlist_deny in vsftpd.conf
[[email protected] vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
After filtering out the # comment lines, vsftpd.conf looks like this:
[[email protected] ftp]# cat /etc/vsftpd/vsftpd.conf | grep -v '^#'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
The comments in the file explain these parameters in detail.
The following parameters can be set in vsftpd.conf:
(1) ftpd_banner=Welcome to FTP service: the welcome message shown after a client connects to the server
(2) idle_session_timeout=60: how long (in seconds) an established control connection may stay idle with no command before it is disconnected
(3) data_connection_timeout=120: how long (in seconds) a data connection may stay idle during a transfer before it is disconnected
(4) accept_timeout=60: how long (in seconds) to wait for a data connection to be established before giving up
(5) connect_timeout=60: the maximum time (in seconds) for a data connection to become active; after that it is disconnected so the slot is free for others
(6) max_clients=200: the server accepts at most 200 concurrent client connections
(7) max_per_ip=3: at most 3 connections per client IP address
(8) local_max_rate=50000 (50 kbytes/sec): maximum transfer rate for local users
(9) anon_max_rate=30000: maximum transfer rate for anonymous users
(10) pasv_min_port=port number
(11) pasv_max_port=port number: together these define the lowest and highest ports used for client data connections in passive mode; 0 means any port
listen_address=IP address: the address the FTP service listens on, i.e. which address clients use to connect
listen_port=port number: the port the FTP service works on; the default is 21
chroot_local_user=YES: all local users are chrooted
chroot_local_user=NO together with chroot_list_enable=YES and chroot_list_file=/etc/vsftpd/chroot_list: only the users listed in /etc/vsftpd/chroot_list are chrooted
local_root=path: the directory every local user lands in after login, regardless of which user logs in; if not set, each user lands in their own home directory
chroot_local_user=YES/NO: whether to lock all local system accounts into their home directories; once locked, a user can only see their own home directory /home/user and cannot cd above it
chroot_list_enable=YES/NO: lock only the users listed in a file into their home directories; the file is given by chroot_list_file=path
userlist_enable=YES/NO: whether the user list file is loaded
userlist_deny=YES: whether the users loaded from that list are denied login
userlist_file=/etc/vsftpd/user_list: the list file
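The default file printed above accepts anonymous logins and does not chroot local users, which is the opposite of what most servers want. As an added example (not code from the post or from vsftpd), the following POSIX shell script reads settings from a vsftpd.conf and reports the weak ones, run here over two constructed configurations: a copy of the defaults shown above and a hardened variant built from the parameters just listed. The port range 40000-40100 in the hardened sample is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for
# settings that weaken the server. Both sample files below are constructed.

# Read one option from a vsftpd.conf: skip comment lines, ignore case so
# YES/yes both match, and let the last occurrence win (as vsftpd does).
vsftpd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -v '^[[:space:]]*#' "$2" | tr 'A-Z' 'a-z' \
        | sed -n "s/^[[:space:]]*$key=[[:space:]]*//p" | tail -n 1
}

# Print one line per finding. Each check maps to a parameter explained above.
vsftpd_audit() {
    f="$1"
    [ "$(vsftpd_get anonymous_enable "$f")" = "no" ] \
        || echo "anonymous_enable is not NO: anonymous logins are accepted"
    if [ "$(vsftpd_get anon_upload_enable "$f")" = "yes" ] \
       || [ "$(vsftpd_get anon_mkdir_write_enable "$f")" = "yes" ]; then
        echo "anonymous users may write to the server"
    fi
    if [ "$(vsftpd_get local_enable "$f")" = "yes" ] \
       && [ "$(vsftpd_get chroot_local_user "$f")" != "yes" ]; then
        echo "local users are not chrooted (chroot_local_user is not YES)"
    fi
    if [ -z "$(vsftpd_get pasv_min_port "$f")" ] \
       || [ -z "$(vsftpd_get pasv_max_port "$f")" ]; then
        echo "no passive port range: the firewall cannot be limited to a few ports"
    fi
    [ "$(vsftpd_get xferlog_enable "$f")" = "yes" ] \
        || echo "transfer logging is off (xferlog_enable)"
    [ -n "$(vsftpd_get idle_session_timeout "$f")" ] \
        || echo "idle_session_timeout not set: idle control connections use vsftpd's default"
}

# Number of findings, so a script can fail a deployment on a non-zero result.
vsftpd_finding_count() {
    vsftpd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the defaults shown above (anonymous on, no chroot).
write_default_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF
}

# Constructed sample 2: a hardened variant using the parameters listed above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# anonymous access off, local users locked into their home directories
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
idle_session_timeout=60
data_connection_timeout=120
max_clients=200
max_per_ip=3
pasv_min_port=40000
pasv_max_port=40100
xferlog_enable=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF
}

# Usage: vsftpd_audit /etc/vsftpd/vsftpd.conf
tmp=$(mktemp); write_default_conf "$tmp"
vsftpd_audit "$tmp"; rm -f "$tmp"
```

Run against the real file with vsftpd_audit /etc/vsftpd/vsftpd.conf; the default sample produces four findings and the hardened sample none.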
To restrict access to FTP by IP address:
# vi /etc/hosts.allow
vsftpd: 192.168.5.128: deny    (this IP address is not allowed to access the FTP service)
To limit the times at which FTP may be accessed:
# cp /usr/share/doc/vsftpd-1.1.3/vsftpd.xinetd /etc/xinetd.d/vsftpd
# vi /etc/xinetd.d/vsftpd
Change disable = no
access_times = hour:min-hour:min (adds a time window for access; note that this goes with listen=NO in vsftpd.conf, since vsftpd is then started by xinetd)
Example: access_times = 8:30-11:30 17:30-21:30 means FTP may be accessed only during these two periods.
That is basically all there is to configuring FTP.
By default, the FTP root directory is /var/ftp. To change this location, edit the ftp entry in /etc/passwd:
[[email protected] ftp]# cat /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
Create a user for FTP access and specify that user's FTP directory:
[[email protected] u02]# useradd -d /u02/qsftp qs
[[email protected] u02]# passwd qs
Changing password for user qs.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Pay attention to the permissions of the directory specified here, /u02/qsftp.
To make the user unable to log in via telnet and only able to use FTP:
usermod -s /sbin/nologin username    // user can only use FTP, cannot telnet
usermod -s /bin/bash username        // user returns to normal
To disable a user's SSH login:
useradd username -s /bin/false
To change the user's home directory:
usermod -d /bbb username             // set the user's home directory to /bbb
After this, the user qs can access FTP.
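As an added example (not code from the post), here is a POSIX shell script that creates an FTP-only account the way the commands above do, with the two checks the warning about directory permissions calls for. It assumes a RHEL-style /etc/pam.d/vsftpd that includes pam_shells.so, so the login shell must be listed in /etc/shells (/sbin/nologin is; /bin/false normally is not, so the useradd -s /bin/false variant above would also refuse FTP logins under that PAM configuration), and vsftpd 2.3.5 or later, which refuses to chroot a user into a directory that user can write. The user name qs and the directory /u02/qsftp are the post's own values; the upload subdirectory name is my assumption.

```shell
#!/bin/sh
# Added example, not from the original post: create an FTP-only account with
# the checks that usually bite after "useradd -d /u02/qsftp qs".
# Assumptions: /etc/pam.d/vsftpd includes pam_shells.so (RHEL default), and
# vsftpd >= 2.3.5, which refuses a chroot root the user can write
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()").

# Return 0 if the shell is listed in /etc/shells (or the file given as $2),
# which pam_shells requires even for an FTP-only login.
ftp_shell_ok() {
    grep -qxF "$1" "${2:-/etc/shells}"
}

# Return 0 if a directory is usable as a chroot root: it exists and is not
# writable by group or others. The mode string from ls -ld is parsed so
# this works without GNU stat; position 6 is group write, 9 is other write.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# create_ftp_user NAME HOME  (must run as root). The home itself stays
# root-owned and 755 so the chroot is accepted; uploads go into a
# user-owned subdirectory, "upload", an assumed name.
create_ftp_user() {
    name="$1"; home="$2"
    ftp_shell_ok /sbin/nologin \
        || { echo "/sbin/nologin is not in /etc/shells; FTP login would fail" >&2; return 1; }
    useradd -d "$home" -s /sbin/nologin "$name" || return 1
    mkdir -p "$home/upload" || return 1
    chown root:root "$home" && chmod 755 "$home" || return 1
    chown "$name" "$home/upload" && chmod 755 "$home/upload" || return 1
    chroot_dir_ok "$home"
}

# Usage (as root), matching the post's user and directory:
#   create_ftp_user qs /u02/qsftp && passwd qs
```

chroot_dir_ok can also be run on its own against an existing FTP home before enabling chroot_local_user=YES; a 775 or 777 directory will be reported, and fixing it with chmod 755 avoids the "refusing to run with writable root" error at login.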
These are just some simple settings. There is much more to study in the area of user rights: specific permissions for specific users, security, and so on. That is left for later study.
Linux FTP server configuration, a brief description (repost)