Linux installation vsftpd and configuration detailed

Source: Internet
Author: User
Tags ftp connection ftp client file permissions ftp protocol iptables

1 Installing the VSFTPD assembly

After installation, there is a/etc/vsftpd/vsftpd.conf file, which is the vsftp configuration file.
[[email protected] ~]# yum -y install vsftpd

2. Port description of FTP Active mode and FTP passive mode

FTP is a TCP-only service and does not support UDP. The difference is that FTP uses 2 ports, a data port and a command port (also called a control port). Typically, the two ports are 21 (command port) and 20 (data port). But the FTP works differently, the data port is not always 20. This is the biggest difference between active and passive FTP.

The FTP protocol works in two ways: Port mode and PASV mode, Chinese meaning active and passive.

(i) FTP active mode

主动方式的FTP是这样的:客户端从一个任意的非特权端口N(N>1024)连接到FTP服务器的命令端口,也就是21端口。然后客户端开始 监听端口N+1,并发送FTP命令“port N+1”到FTP服务器。接着服务器会从它自己的数据端口(20)连接到客户端指定的数据端口(N+1)。针对FTP服务器前面的防火墙来说,必须允许以下通讯才能支持主动方式FTP:1. 任何大于1024的端口到FTP服务器的21端口。(客户端初始化的连接)2. FTP服务器的21端口到大于1024的端口。 (服务器响应客户端的控制端口)3. FTP服务器的20端口到大于1024的端口。(服务器端初始化数据连接到客户端的数据端口)4. 大于1024端口到FTP服务器的20端口(客户端发送ACK响应到服务器的数据端口)简明概括:PORT(主动)方式的连接过程是:客户端向服务器的FTP端口(默认是21)发送连接请求,服务器接受连接,建立一条命令链路。当需要传送数据时,客户端在命令链路上用PORT命令告诉服务器:“我打开了XXXX端口,你过来连接我”。于是服务器从20端口向客户端的XXXX端口发送连接请求,建立一条数据链路来传送数据。开启主动模式:pasv_enable=no若设置为YES,则使用PASV工作模式;若设置为NO,则使用PORT模式。默认值为YES,即使用PASV工作模式。主动模式下:SecureFX工具去连接ftp,客户没有允许开放端口,服务器没法与客户端相连接,关闭客户端防火墙

(ii) FTP passive mode

In order to solve the problem that the server initiates the connection to the customer, people have developed a different way of FTP connection. This is called passive, or PASV, which is enabled when the client notifies the server that it is in passive mode. In passive mode FTP, both the command connection and the data connection are initiated by the client, which resolves the problem that the in-direction connection of the data port from the server to the client is filtered out by the firewall. When an FTP connection is turned on, the client opens two arbitrary non-privileged local ports (N > 1024 and n+1). The first port connects to the server's port 21, but unlike proactive FTP, the client does not submit the Port command and allows the server to back up its data port, but instead submits the PASV command. The result is that the server opens an arbitrary non-privileged port (P > 1024) and sends the Port P command to the client. The client then initiates a connection from the local port n+1 to the server's port p to transmit the data. For a server-side firewall, the following traffic must be allowed to support passive mode of ftp:1. From any port greater than 1024 to the server's 21 port (client-initiated connection) 2. 21 Port of the server to any port greater than 1024 (the server responds to a connection to the client's control port) 3. From any port greater than 1024 to the server (client-initiated data connection to any ports specified by the server) 4. The server is larger than 1024 ports to a remote port greater than 1024 (the server sends an ACK response and data to the client's data port) Concise summary: The PASV (passive) mode of the connection process is: the client to the server's FTP port (the default is 21) Send connection request, the server accepts the connection, Create a command link. When the data needs to be transferred, the server tells the client on the command link with the PASV command: "I opened the XXXX port and you came over to connect me." The client then sends a connection request to the server's XXXX port and establishes a data link to transmit the data. Turn on Passive mode is on by default, but to specify a port range, open the vsftpd.conf file, followed by Pasv_enable=yes if set to Yes, use PASV mode of operation, or if set to No, use port mode. The default value is Yes, which is to use the PASV operating mode. pasv_min_port=30000 in PASV operating mode, the maximum port range that the data connection can use, and 0 for any port. The default value is 0. pasv_max_port=30999 in PASV operating mode, the minimum port range for the data connection can be used, and 0 represents any port. The default value is 0. Indicates that the port range is 30000~30999, this can be changed arbitrarily. Restart the vsft after the change.Due to the designation of this port range, the Iptables also opens the range accordingly, so open the Iptables file as above. Also in 21 up and down on the other side of the line, the more similar, just 21 to 30,000:30,999, then: Wq save, restart the next iptables. So it's done.

(iii) pros and cons of active and passive ftp:

Active FTP is advantageous to the management of FTP server, but it is disadvantageous to the management of the client. Because the FTP server attempts to establish a connection to the client's high-level random port, the port is likely to be blocked by the client's firewall. Passive FTP is advantageous to the management of FTP client, but it is disadvantageous to server side management. Because the client is going to establish two connections to the server, one of them is connected to a high-level random port, and the port is likely to be blocked by the server-side firewall. Fortunately, there is a compromise. Since the FTP server administrator needs their servers to have the most client connections, passive FTP must be supported. We can reduce the exposure of the server high port by specifying a limited port range for the FTP server. Thus, any port that is not in this range will be blocked by the server's firewall. While this does not eliminate all threats against the server, it greatly reduces the risk. In short: Active mode (PORT) and passive mode (PASV). The active mode is to initiate a connection from the server side to the client, and the passive mode is the client initiates the connection to the server side. The common denominator is that they use 21 ports for user authentication and management, the difference is that the way data is transferred, port mode FTP server data port is fixed at 20, while PASV mode is random between 1025-65535. Most FTP clients use PASV mode by default for the PASV method of the common FTP client software. IE uses port mode by default. In most of the FTP client settings, often see the words are "PASV" or "passive mode", very rare to "PORT" or "active mode" and other words. Because there are only two types of FTP logins: port and PASV, and canceling the PASV mode means using the Port method. (1) IE: "Use Passive FTP" (more than IE6.0), advanced Internet Options, tools, and more. (2) "PASV Mode" or "file---site Manager", Firewall, Connection, Setting, Cuteftp:edit T, "Use PASV mode". (3) FlashGet: "PASV mode", editor, direct connection, proxy Server, options, tools. (4) FlashFXP: option, parameter selection, agent/Firewall/identity, using passive mode or site management--or quick Connect, toggle, use passive mode. 
3, Login mode (three ways to log in) 3.1 Firewall on 21 ports

Because the FTP default port is 21, and the CentOS default is not enabled, so to modify the Iptables file

[[email protected] ~]# vim /etc/sysconfig/iptables-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT在行上面有22 -j ACCEPT 下面另起一行输入跟那行差不多的,只是把22换成21,然后:wq保存。还要运行下,重启iptables[[email protected] ~]# service iptables restart
3.2 FTP Anonymous Login

There are generally three anonymous logins for ftp:

1. User name: Anonymous password: email or empty

2. User name: FTP password: FTP or empty

3. Username: User password: Pass

3.2.1 Anonymous access in IE browser or file Manager

FTP default open anonymous user login and active mode, with IE access need to "use Passive FTP" option to remove the front tick, so that FTP is connected up

Enter the ftp://domain name or IP in the File Manager input box if the port is not 21 behind plus port.

3.3 Anonymous user Rights 3.3.1 VSFTPD configuration file

Default configuration

anonymous_enable=YES#允许匿名用户和本地用户登陆。local_enable=YES#匿名用户使用的登陆名为ftp或anonymous,口令为空;匿名用户不能离开匿名用户家目录/var/ftp,且只能下载不能上传。write_enable=YES#本地用户的登录名为本地用户名,口令为此本地用户的口令;本地用户可以在自己家目录中进行读写操作;本地用户可以离开自家目录切换至有权限访问的其他目录,并在权限允许的情况下进行上传/下载。#写在文件/etc/vsftpd.ftpusers中的本地用户禁止登陆。
3.3.2 Anonymous User (anonymous) settings
Anonymous_enable=yes/no (yes) #控制是否允许匿名用户登入, yes to allow anonymous login, no is not allowed. The default value is yes. Write_enable=yes/no (YES) #是否允许登陆用户有写权限. is the global setting and the default value is yes. No_anon_password=yes/no (NO) #若是启动这项功能, the password is not queried using anonymous login. The default value is No. ftp_username=ftp# defines the name of the user who logged in anonymously. The default value is FTP. anon_root=/var/ftp# Log in directory using anonymous login. The default value is/var/ftp. Note The FTP directory cannot be a 777 permission attribute, which means that the anonymous user's home directory cannot have 777 permissions. Anon_upload_enable=yes/no (NO) #如果设为YES, allows anonymous login to upload files (non-directory) permissions, only in Write_enable=yes, this entry is valid. Of course, anonymous users must have write rights to the upper directory. The default value is No. Anon_world_readable_only=yes/no (YES) #如果设为YES allows an anonymous login to download a readable profile (which can be downloaded to a native reader and not read directly on the FTP server). The default value is yes. Anon_mkdir_write_enable=yes/no (NO) #如果设为YES, allows anonymous login to have the permission to add a new directory, only valid when Write_enable=yes. Of course, anonymous users must have write rights to the upper directory. The default value is No. Anon_other_write_enable=yes/no (NO) #如果设为YES, allow anonymous login to upload or create more permissions than the directory, such as delete or rename. (If Anon_upload_enable=no, the anonymous user cannot upload the file, but can delete or rename the file that already exists; if anon_mkdir_write_enable=no, the anonymous user cannot upload or create a new folder, However, you can delete or rename a folder that already exists. The default value is No. Chown_uploads=yes/no (NO) #设置是否改变匿名用户上传文件 (non-directory) owner. The default value is No. chown_username=username# sets the owner name of an anonymous user to upload a file (not a directory). It is not recommended to set as root. anon_umask=077# set the umask value for anonymous login when adding or uploading files. The default value is 077, the newThe corresponding permission for the built file is 700. Deny_email_enable=yes/no (NO) #若是启动这项功能, you must provide a file/etc/vsftpd/banner_emails, the contents of the email address. If you use anonymous login, you will be asked to enter an email address, if you enter the email address in this file, it is not allowed to enter. The default value is No. banned_email_file=/etc/vsftpd/banner_emails# This file is used to enter an email address that will only be used when deny_email_enable=yes. If you use anonymous login, you will be asked to enter an email address, if you enter the email address in this file, it is not allowed to enter.

Local_umask directory:
777-022=755
Local_umask file:
666-022=644

Case:
Configurations that allow Vsftp anonymous users to upload and download under Linux

configuration to pay attention to three parts, please one by one carefully control :
1. vsftpd.conf configuration file

# vi /etc/vsftpd/vsftpd.conf(vsftpd.conf文件的配置)anonymous_enable=YES#允许匿名用户登录FTPanon_root=/var/ftp/pub#设置匿名用户的登录目录(如需要,需自己添加并修改)anon_upload_enable=YES#打开匿名用户的上传权限anon_mkdir_write_enable=YES#打开匿名用户创建目录的权限anon_other_write_enable=YES#打开匿名用户删除和重命名的权限(如需要,需自己添加)anon_umask=022#匿名用户的掩码(如需要,需自己添加,含义:如umask是022,这时创建一个权限为666的文件,文件的实际权限为666-022=644)

2. FTP Directory permissions settings (anonymous users)
By default, the FTP root directory is/var/ftp, for security, this directory by default does not allow the set to 777 permissions, otherwise FTP will not be accessible. But we want to upload files anonymously, need "other" user's write permission, the correct way:
chmod o+w /var/ftp/pub/

Uploaded file permissions are 600, the owner and the group are FTP by default

3, in order to safely modify the main permissions for anonymous FTP permissions, without the default root permissions

chown ftp /var/ftp/pub/ -R

*net use/d Clear FTP connection cache * *

3.4 Local User Login
anonymous_enable=no#不允许匿名用户登入local_enable=YES/NO(YES)#控制是否允许本地用户登入,YES 为允许本地用户登入,NO为不允许。默认值为YES。local_root=/home/username#当本地用户登入时,将被更换到定义的目录下。默认值为各用户的家目录。write_enable=YES/NO(YES)#是否允许登陆用户有写权限。属于全局设置,默认值为YES。local_umask=022#本地用户新增档案时的umask 值。默认值为077。file_open_mode=0755#本地用户上传档案后的档案权限,与chmod所使用的数值相同。默认值为0666。chroot_local_user=YES#用于指定用户列表文件中的用户不允许切换到上级目录。默认值为NO。
3.4.1 Adding an FTP user

This user is used to log on to the FTP server.
[[email protected] ~]# useradd ftpuser -s /sbin/nologin
Such a user built up, can not use this login, remember to use ordinary login do not use Anonymous. The default path after logging in is/home/ftpuser.

3.4.2 Adding a password to an FTP user

[[email protected] ~]# passwd ftpuser
Enter the password two times and then change the password.

3.4.3 Turn off anonymous access, set the appropriate permissions

To modify the/etc/vsftpd/vsftpd.conf file:

anonymous_enable=nolocal_enable=YESlocal_root=/home/ftpuserwrite_enable=YESlocal_umask=022file_open_mode=0755chroot_local_user=YES
3.4.4 Restart the FTP service:

[[email protected] ~]# service vsftpd restart

3.4.5 Access

Connect FTP://IP in Windows Explorer
Local User Login (home directory/home/ftpuser), can create or delete directories, files, directory permissions is 755, file permissions are 644

Modify the path to/opt/test (Local_root=/opt/test), in order to secure, in the/opt/test directory to build the TT directory, and to the TT directory owner and the group modified to Ftpuser, so as to create or delete directories, upload, delete files

3.5 Virtual User Login
pam_service_name=vsftpd#虚拟用户使用PAM认证方式。guest_enable= YES/NO(NO)#设置PAM使用的名称,默认值为/etc/pam.d/vsftpd。guest_username=ftp#启用虚拟用户。默认值为NO。virtual_use_local_privs=YES/NO(NO)#这里用来映射虚拟用户。默认值为ftp。#当该参数激活(YES)时,虚拟用户使用与本地用户相同的权限。当此参数关闭(NO)时,虚拟用户使用与匿名用户相同的权限。默认情况下此参数是关闭的(NO)。
3.5.1 Create a text-formatted user name, password list

First you need to create a text format username/password list file, odd behavior user name, even behavior on the line of the user name corresponding password.

For example: Add two Users Jene, John, password for abc123, abc456 to do the following:

[[email protected] ~]# vi /etc/vsftpd/juser.txtjeneabc123johnabc456
3.5.2 Build Database:

Db_load: Installing Db4,db4-devel,db4-utils

# cd //etc/vsftpd      #切换到/etc/vsftpd的目录下# yum -y install db4*# db_load -T -t hash -f juser.txt juser.db     #将刚创建的juser.list列表转换为juser.list.dbfile juser.db  #查看转换后的文件类型
3.5.3 Modifying data file access rights:

chmod 600/etc/vsftpd/juser.db

3.5.4 Modifying the PAM configuration:
# vi /etc/pam.d/juser.pam  //为虚拟用户创建PAM认证文件,文件名为juser.pam(见名之义)auth    required        pam_userdb.so   db=/etc/vsftpd/juseraccount    required        pam_userdb.so   db=/etc/vsftpd/juser注意:db=/etc/vsftpd/vsftpd_login 后面的.db必须去掉或# vi /etc/pam.d/vsftpd将里面其他的都注释掉,添加下面这两行:auth    required        pam_userdb.so   db=/etc/vsftpd/vuseraccount    required        pam_userdb.so   db=/etc/vsftpd/vuser
3.5.5 Create a virtual account corresponding to the system User:
# useradd -d /var/ftptom -s /sbin/nologin tom     #添加用户tom,指定到新建的家目录,将虚拟用户对应到这个系统账号上,这个账号无需设置密码及登录Shell# chmod 755 /var/ftptom/      #调整权限以允许浏览目录
3.5.6 Modifying the master configuration file
# vi /etc/vsftpd/vsftpd.confanonymous_enable=no   //禁用匿名用户登录(anon_upload_enable=YESanon_mkdir_write_enable=YESanon_umask=022   //指定上传权限掩码)local_enable=YES        //需映射本地用户,所以启用些项write_enable=YES        //启用上传写入支持chroot_local_user=YES     //(自建配置)将所有本地用户限制在家目录中guest_enable=YES       //启用映射功能guest_username=tom      //指定映射的系统用户名称pam_service_name=juser.pam  //指定新的PAM认证文件user_config_dir=/opt/vsftpd/juser_dir   //(自建配置)设置虚拟帐号的主目录为/juser_dirmax_clients=300     //(自建配置)设置FTP服务器最大接入客户端数为300个 max_per_ip=10     //(自建配置)设置每个IP地址最大连接数为10个 listen=YESport_enable=NO    //(自建配置)取消PORT模式进行数据传输 connect_from_port_20=NO     //(修改配置)PORT模式进行数据传输部使用20端口 ftp_data_port=20pasv_enable=YES          //(自建配置)允许PASV模式进行数据传输 pasv_min_port=65341     //(自建配置)PASV模式下数据传输所使用port范围下界 pasv_max_port=65351     //(自建配置)PASV模式下数据传输所使用port范围上界
3.5.7 setting up a virtual account profile:

such as above in does not give the virtual user uploads, constructs the directory and so on the permission the setting, may use the following method to establish the independent configuration file for the virtual user.

Under User_config_dir specified path, create a configuration file with the same name as the virtual account and add the appropriate configuration fields

# mkdir /opt/vsftpd/juser_dircd /opt/vsftpd/juser_dir         //切换到这个新建的配置文件夹下touch jene      创建jene配置文件touch john      创建john配置文件#vi jene   //为用户jene建立独立的配置文件,允许他可以上传和创建目录anon_upload_enable=YESanon_mkdir_write_enable=YES#touch john    //为其它用户(john)创建空的配置文件,也就是他们没有上传和创建目录的权限[[email protected] juser_dir]# service vsftpd reload //重载vsftpd服务器

Log on to the FTP server

Already logged into Tom's home directory.

Above the virtual user Jene and John share the map of the Tom Home directory

3.5.8 If you use your own catalogue,
vi vsftpd.confanonymous_enable=NO(修改配置)禁用匿名用户登录write_enable=YES (默认开启)允许使用任何可以修改文件系统的FTP的指令local_enable=YES(默认开启)启用本地用户登录设置chroot_local_user=YES (自建配置)将所有本地用户限制在家目录中pam_service_name=juser.pam(默认开启)配置vsftpd使用的PAM模块为vsftpduser_config_dir=/opt/vsftpd/juser_dir (自建配置)设置虚拟帐号的主目录为/vsftpd_login
# mkdir /opt/vsftpd/juser_dir       //建虚拟账号主目录# cd /opt/vsftpd/juser_dir         //切换到这个新建的配置文件夹下# touch jene      创建jene配置文件# touch john      创建john配置文件

Create separate profiles for each virtual user

# vi jeneanon_world_readable_only=YES    只读,不能下载anon_world_readable_only=no       表示用户可以浏览FTP目录和下载文件guest_enable=yes  开启虚拟帐号登录guest_username=ftp_jene    设置虚拟用户jene对应的系统帐号为ftp_jenelocal_root=/opt/jene               用户登入时,所在目录anon_world_readable_only=no  不允许匿名用户浏览器整个服务器的文件系统anon_max_rate=50000    限定传输速率为50KB/s
# vi johnguest_enable=yes 开启虚拟帐号登录 guest_username=ftp_ john    设置虚拟用户john对应的系统帐号为ftp_johnlocal_root=/opt/john               用户登入时,所在目录anon_other_write_enable=YES  允许匿名账号具有删除、改名权限anon_mkdir_write_enable=yes  允许创建文件夹,不能删除目录anon_upload_enable=yes        开启匿名帐号的上传功能anon_world_readable_only=no  不允许匿名用户浏览整个服务器的文件系统anon_max_rate=100000          限定传输速度为100KB/s

Restart VSFTPD Service
#service vsftpd restart

Linux file permissions are divided into "master", "genus Group" and "other people" these three kinds, if "other person" does not have the readable permission, that anon_world_readable_only this parameter is effective, for the directory, if "other person" does not have the readable permission, and Anon_world _readable_only=yes, the anonymous user cannot browse all the contents of the directory (looks like an empty directory), and for a file, if "other person" does not have the readable permission and Anon_world_readable_only=yes, The anonymous user cannot download the file.

4. Modifying SELinux

Outside the network can be accessed up, but found unable to return to the directory (using FTP active mode, passive mode is still inaccessible), also cannot upload, because SELinux mischief.
Modify SELinux:
Execute the following command to view the status:

[[email protected] ~]# getsebool -a | grep ftp  

Execute the above command, and then return the result to see that both lines are off, representing, no open extranet access

[[email protected] ~]# setsebool -P allow_ftpd_full_access on[[email protected] ~]# setsebool -P ftp_home_dir on

This should be no problem (if, or not, see if the FTP client tool with the Passive mode access, such as the hint entering Passive mode, is Passive mode, the default is not, because the FTP Passive mode is blocked by iptables, the following will talk about how to open, if you do not bother to open, see if you have the client FTP port mode options, or the passive mode option to remove. If the client is still not working, see if the host computer on the client has a firewall turned on.

FileZilla Active, Passive mode modification:
Menu: Edit → Settings

5. Set Boot VSFTPD FTP service

[[email protected] ~]# chkconfig vsftpd on

6, modify the FTP default port 6.1 login server, open the vsftp.conf file
# vim /etc/vsftpd/vsftpd.conf  在文件末尾增加listen_port=2121pasv_enable=yespasv_min_port=30000pasv_max_port=30999listen_port=2121
6.2 Open/etc/services File
[plain] view plain copy# vim /etc/services  找到ftp选项并将21修改成你设置的端口,本文为2121# 21 is registered to ftp, but also used by fsp  ftp             2121/tcp  ftp             2121/udp          fsp fspd  
6.3 Restart Vsftp Service
# /etc/init.d/vsftpd restart 使用netstat -utlpn | grep vsftp命令查看设置的端口,确认是否成功# netstat -utlpn | grep vsftp  tcp        0      0 0.0.0.0:2121                0.0.0.0:*                   LISTEN      33004/vsftpd        tcp        0      0 192.168.11.6:30954          0.0.0.0:*                   LISTEN      33006/vsftpd
6.4 Firewall plus allow policy:
# vi /etc/sysconfig/iptables-A INPUT -m state --state NEW -m tcp -p tcp --dport 2121 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 2120 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 30000:30999 -j ACCEPT

In the active mode, the FTP two ports is relatively fixed, if the command port is x, then the data port is x-1, that is, by default, the command port is 21, the data port is 20; you change the command port to 2121, then the data port is 2120. So the use of firewalls is very convenient, as long as the two ports can be opened, but if the client is sharing the Internet, then it is not normal use of FTP, this still does not work, must be passive mode.

In the passive mode is a bit of trouble, the command port is modified to 2121, then the data port is 2120, but the data port is random, so you need to set a passive port range in the device 6000 to 7000 (pasv_min_port=6000 pasv_max_port= 7000)

Allowed to modify the port number and the random port number range in the firewall

7. Modify the firewall in RHEL7:
1、防火墙添加端口# firewall-cmd --zone=public --permanent --add-port=80/tcp# firewall-cmd --reload# firewall-cmd --zone=public --permanent --add-port=31000-31999/tcp# firewall-cmd --reload2、防火墙删除端口# firewall-cmd --zone=public --permanent --remove-port=80/tcp # firewall-cmd --reload3、查看防火墙配置# cat /etc/firewalld/zones/public.xml

Linux installation vsftpd and configuration detailed

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.