Linux notes, linux

Source: Internet
Author: User

Why use virtual users:
Anonymous accounts can keep the FTP server itself secure, but permission management for anonymous users is not flexible enough. If you want to give an FTP account more permissions you can use a local account, but by default a local account can also log on to the Linux system itself, which is a risk for the whole system. How, then, can you keep both the FTP server and the whole Linux system secure while still giving FTP users flexible permissions? Virtual users are one solution.
Next, let's look at how to configure virtual users for the FTP server on Linux.
Before starting the configuration, let's look at how FTP virtual users work:
A virtual user, as the name implies, is not a real Linux account, but it can be used to log on to the FTP server running on the system.
After you connect to the FTP server you are asked for a user name and password. Once it has them, the FTP server calls the corresponding PAM authentication module to compare them against the FTP authentication file on the system. If the user name and password match a record in that file, the account passes authentication and is mapped to a local Linux account, and FTP resources are then accessed with the permissions of that local account; otherwise the connection is dropped.
Now that we know how FTP virtual users work, we can start configuring them.
1. Prepare a password library file for the virtual users. The user names and passwords stored in this file are the ones you enter when connecting to the FTP server. You can create the file yourself, and its location does not matter. The file format is: odd lines hold user names, even lines hold the corresponding passwords.
For example:
touch login.txt   # create a virtual-user password library file named login.txt
vi login.txt      # edit the password library file
mike
123
john
321
Line 1 is the virtual user mike and line 2 is mike's password; line 3 is the virtual user john and line 4 is john's password. Save and exit.
2. Use the password library file you just created to generate the FTP server's authentication file. The authentication file is stored in encrypted form rather than as plain text. After PAM calls the corresponding authentication module, it encrypts the user name and password it received from the FTP server and compares them with the file; users with a matching entry are allowed to log on.
db_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db
# Before running this command, remember to install the db4-utils package, which provides db_load among other tools; the full usage of the command is not covered here. The -f parameter is followed by the password library file you created, and the final path is where the generated FTP authentication file is stored.
To further improve security, set the permissions of the FTP authentication file to 600.
3. Create the PAM configuration file that the virtual users need. Because the FTP server calls PAM to authenticate after receiving the user name and password, we need a PAM configuration file for the virtual users.
We save the file as vsftpd in the /etc/pam.d directory. Note that the file name must be the same as the value of the pam_service_name option in the FTP master configuration file (/etc/vsftpd.conf); here that option is pam_service_name=vsftpd.
After the file is created, add the following content to it:
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
After editing, save and exit. (Note: /etc/pam.d/vsftpd must contain only the two lines above; comment out everything else.) Also note the three occurrences of the authentication file name: the vsftpd_login.db written by db_load and the db=/etc/vsftpd/vsftpd_login value in the two PAM lines refer to the same file, but it is written with the .db suffix in one place and without it in the other.
4. Since a virtual user is mapped to a local user after PAM authentication, we need to create a local user for the virtual users to use.
You only need to give this local user the appropriate access permissions on the FTP home directory. Even if the FTP server is attacked, the local user has no access to other directories, which is relatively safer.
useradd -d /home/ftpsite virtual   # the user name is virtual and its home directory is the FTP root
chmod 700 /home/ftpsite            # set the permission to 700; adjust it to your own situation
** Correction (when the FTP directory is owned by the virtual user used for FTP) **
000 (---------): can only log on
500 (r-x------): can see the file list and download; cannot upload, delete, rename or create files
700 (rwx------): can upload and download files, rename files, delete files, create folders and move files (all operations), provided the vsftpd configuration permits them
5. Enable FTP virtual users in the FTP master configuration file by adding the following options:
guest_enable=YES
guest_username=virtual    # the local user that virtual users are mapped to; here it is the user virtual created above
pam_service_name=vsftpd   # must match the file name created under /etc/pam.d; remember to set this value
6. The configuration is now complete. Don't forget to restart the FTP service before testing.
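Before restarting the service it is worth checking that the names from steps 1, 2, 3 and 5 actually line up, because a mismatch (a pam_service_name that is a path instead of a file name, a db= value that points at a file db_load never wrote, or a .db file readable by everyone) only shows up as a failed login. The script below is an added example, not part of the original notes: it validates the odd/even layout of the password library and follows the chain pam_service_name -> /etc/pam.d/<name> -> db=<path> -> <path>.db. Paths are passed as arguments so the checks can run on the constructed files that make_demo_tree writes; the user names and contents there are made up, and db_load itself is not run (the .db file is an empty placeholder).

```shell
#!/bin/sh
# Added example, not part of the original notes: consistency checks to run
# before restarting vsftpd. Validates the password library layout
# (odd lines = user names, even lines = passwords) and follows the chain of
# names the notes warn about: pam_service_name in vsftpd.conf ->
# /etc/pam.d/<name> -> the db= path in the pam_userdb lines -> <path>.db
# written by db_load. The demo data in make_demo_tree is constructed.

# validate_login_file FILE: non-empty, even line count, no blank lines,
# no whitespace inside a user name (odd lines).
validate_login_file() {
    file=$1 n=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || { echo "$file: line $n is empty" >&2; return 1; }
        if [ $((n % 2)) -eq 1 ]; then
            case $line in
                *[[:space:]]*) echo "$file: user name on line $n has whitespace" >&2; return 1 ;;
            esac
        fi
    done < "$file"
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] ||
        { echo "$file: need an even, non-zero line count, got $n" >&2; return 1; }
}

# check_pam_chain VSFTPD_CONF PAM_DIR: pam_service_name must be a bare name
# with a file of that name in PAM_DIR; every pam_userdb db= path there must
# have a matching <path>.db that only its owner can read (mode 600).
check_pam_chain() {
    conf=$1 pamdir=$2
    service=$(sed -n 's/^pam_service_name=//p' "$conf" | tail -n 1)
    [ -n "$service" ] || { echo "$conf: pam_service_name not set" >&2; return 1; }
    case $service in
        */*) echo "$conf: pam_service_name must be a name, not a path: $service" >&2; return 1 ;;
    esac
    [ -f "$pamdir/$service" ] || { echo "$pamdir/$service: missing" >&2; return 1; }
    dbs=$(sed -n 's/.*pam_userdb\.so.*db=\([^ ]*\).*/\1/p' "$pamdir/$service")
    [ -n "$dbs" ] || { echo "$pamdir/$service: no pam_userdb db= line" >&2; return 1; }
    for db in $dbs; do
        [ -f "$db.db" ] || { echo "$db.db: not found, run db_load first" >&2; return 1; }
        mode=$(stat -c %a "$db.db" 2>/dev/null || stat -f %Lp "$db.db")
        [ "$mode" = 600 ] || { echo "$db.db: mode $mode, expected 600" >&2; return 1; }
    done
}

# make_demo_tree DIR: constructed stand-ins for /etc/vsftpd.conf,
# /etc/pam.d/vsftpd and the db_load output (an empty placeholder here,
# because db_load from db4-utils may not be installed where this runs).
make_demo_tree() {
    mkdir -p "$1/pam.d"
    printf 'mike\n123\njohn\n321\n' > "$1/login.txt"
    printf 'guest_enable=YES\nguest_username=virtual\npam_service_name=vsftpd\n' > "$1/vsftpd.conf"
    printf 'auth required pam_userdb.so db=%s/vsftpd_login\naccount required pam_userdb.so db=%s/vsftpd_login\n' \
        "$1" "$1" > "$1/pam.d/vsftpd"
    : > "$1/vsftpd_login.db"
    chmod 600 "$1/vsftpd_login.db"
}

# Stand-alone demo on the constructed tree. On a real host call
# validate_login_file login.txt and check_pam_chain /etc/vsftpd.conf /etc/pam.d
demo=$(mktemp -d)
make_demo_tree "$demo"
validate_login_file "$demo/login.txt" && check_pam_chain "$demo/vsftpd.conf" "$demo/pam.d" \
    && echo "virtual-user chain is consistent"
rm -rf "$demo"
```

Each check prints the first inconsistency it finds on stderr and returns 1, so the script can gate a service restart (`check_pam_chain /etc/vsftpd.conf /etc/pam.d && service vsftpd restart`).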
7. Assign different permissions to different virtual users
By default all virtual users have the same permissions, namely those of the local user virtual. We can assign permissions to individual virtual users as needed.
First, add an option to the FTP master configuration file:
user_config_dir=/etc/vsftpd_user_conf   # you can choose the file name and path yourself
Then create the directory:
mkdir /etc/vsftpd_user_conf
In this directory you can edit a permission configuration file for each virtual user. For example, to set the permissions for mike:
touch /etc/vsftpd_user_conf/mike   # create a permission file for mike; the file name must be the same as the virtual user name
Add the following options and values to the file as needed:
anon_world_readable_only=NO   # the user can browse the FTP directory and download files
anon_upload_enable=YES        # the user can upload files
anon_mkdir_write_enable=YES   # the user can create and delete directories
anon_other_write_enable=YES   # the user can rename and delete files
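Editing one file per user by hand makes it easy to grant more than intended or to create a file whose name matches no virtual user (vsftpd simply never reads it). The script below is an added example, not part of the original notes: it writes the per-user file from a named profile, refuses names that are not on an odd line of the password library, and lists stale files whose user has been removed. The profile names readonly, upload and full are my own invention; the four option names are the vsftpd options listed above, and the directory and file names follow the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: write per-virtual-user
# permission files under user_config_dir from a named profile. A file is only
# written for a name that appears in the password library, and stale_profiles
# reports files with no matching user. Profile names are my own; the option
# names are vsftpd's. The demo data at the bottom is constructed.

# virtual_user_exists NAME LOGIN_TXT: NAME is on an odd line of LOGIN_TXT
virtual_user_exists() {
    awk -v u="$1" 'NR % 2 == 1 && $0 == u { found = 1 } END { exit !found }' "$2"
}

# write_user_profile NAME PROFILE CONF_DIR LOGIN_TXT
write_user_profile() {
    name=$1 profile=$2 dir=$3 login=$4
    virtual_user_exists "$name" "$login" ||
        { echo "$name: not a virtual user in $login" >&2; return 1; }
    case $profile in
        readonly) up=NO  mkd=NO  oth=NO  ;;  # browse and download only
        upload)   up=YES mkd=NO  oth=NO  ;;  # may add files, not delete or rename
        full)     up=YES mkd=YES oth=YES ;;  # everything the notes grant mike
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    # 700: non-root users have no reason to read who may upload or delete
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077
      printf '%s\n' "anon_world_readable_only=NO" \
                    "anon_upload_enable=$up" \
                    "anon_mkdir_write_enable=$mkd" \
                    "anon_other_write_enable=$oth" > "$dir/$name" )
}

# stale_profiles CONF_DIR LOGIN_TXT: per-user files with no matching virtual user
stale_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        virtual_user_exists "$(basename "$f")" "$2" || basename "$f"
    done
}

# Stand-alone demo on a constructed password library (made-up names).
demo=$(mktemp -d)
printf 'mike\n123\njohn\n321\n' > "$demo/login.txt"
write_user_profile mike full "$demo/conf" "$demo/login.txt"
write_user_profile john readonly "$demo/conf" "$demo/login.txt"
echo "== $demo/conf/john =="; cat "$demo/conf/john"
rm -rf "$demo"
```

On a real host the call would be `write_user_profile mike full /etc/vsftpd_user_conf login.txt`; running `stale_profiles /etc/vsftpd_user_conf login.txt` after removing users from the library and re-running db_load catches the leftover files.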
In addition, edit the config file in the /etc/selinux directory and change SELINUX=enforcing to SELINUX=disabled.
With that, the virtual user configuration is complete.
There is one problem, however: after configuring virtual users it seems that the settings in the FTP master configuration file no longer apply, and anonymous users and local users can no longer log on to the FTP server. How can this be solved?
If files cannot be uploaded even though everything else is configured as above and the permission of the FTP home directory is set to 777, it may be a firewall problem.

1. User creation:

adduser phpq   # create the user phpq
passwd phpq    # set a password for the user phpq

2. Create a group
groupadd test   # create the group test

3. Create a user and add it to a group
useradd -g test phpq   # create the user phpq with test as its primary group

Note: -g sets the group, -d the home directory and -s the login shell.

4. Add an existing user to a group

usermod -aG groupname username   # -a appends; without it, -G replaces the user's existing supplementary groups

Or: gpasswd -a user group

5. Temporarily disable a user: in /etc/shadow, put a * at the start of the second field (the password hash) on the user's line. To restore the user, remove it again.

You can also use the following command to lock the account:

passwd -l peter

Unlock it again:

passwd -u peter

6. Permanently delete a user account

userdel peter

groupdel peter

userdel -r peter   # also removes the user's home directory and all files and subdirectories in it

7. Remove a user from a group

Edit /etc/group, find the line for the group (for example group1) and delete the user name (for example a) from it, or use the command: gpasswd -d a group1

8. Display user information

id user
cat /etc/passwd

Supplement: ways to view users and groups

User list file: /etc/passwd
Group list file: /etc/group

List the users on the system: cut -d: -f1 /etc/passwd
List users who can log on: grep -v /sbin/nologin /etc/passwd | cut -d: -f1
See what users are doing: w (root permission required)
See one user: w username
See who is logged on: who
See user logon history: last
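The grep -v /sbin/nologin one-liner above undercounts accounts that cannot log on: on Debian-style systems the shell is /usr/sbin/nologin, and service accounts are often given /bin/false, and none of it tells you whether the password is locked (the passwd -l and "*" edits from point 5). The script below is an added example, not part of the original notes: it reads a passwd-format and a shadow-format file given as arguments, so it runs here on the constructed samples that write_demo_files creates (names and hashes are made up; on a real host use /etc/passwd and /etc/shadow, which needs root).

```shell
#!/bin/sh
# Added example, not part of the original notes: audit which accounts can
# really log in. Excludes /sbin/nologin, /usr/sbin/nologin and /bin/false
# shells, and reads the shadow file for hashes locked with passwd -l ("!")
# or the manual "*" edit. The files in write_demo_files are constructed.

# login_shell_users PASSWD: users whose shell (field 7) is not a nologin shell
login_shell_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# locked_accounts SHADOW: password field (field 2) starts with "!" or "*"
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# usable_accounts PASSWD SHADOW: a login shell AND an unlocked password field.
# An empty password field is treated as unlocked on purpose: that account
# logs in without a password and deserves to show up in this list.
usable_accounts() {
    awk -F: 'NR == FNR { if ($2 !~ /^[!*]/) ok[$1] = 1; next }
             $7 !~ /(nologin|false)$/ && ($1 in ok) { print $1 }' "$2" "$1"
}

# write_demo_files DIR: constructed passwd/shadow samples (names and hashes
# are made up; the user names match the ones used in the notes above).
write_demo_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
virtual:x:1001:1001::/home/ftpsite:/bin/false
phpq:x:1002:1002::/home/phpq:/bin/bash
peter:x:1003:1003::/home/peter:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$madeup$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
virtual:!:19000:0:99999:7:::
phpq:$6$madeup$hash:19000:0:99999:7:::
peter:!$6$madeup$hash:19000:0:99999:7:::
EOF
}

# Stand-alone demo on the constructed samples
demo=$(mktemp -d)
write_demo_files "$demo"
echo "login shells : $(login_shell_users "$demo/passwd" | tr '\n' ' ')"
echo "locked       : $(locked_accounts "$demo/shadow" | tr '\n' ' ')"
echo "usable       : $(usable_accounts "$demo/passwd" "$demo/shadow" | tr '\n' ' ')"
rm -rf "$demo"
```

In the sample, virtual (the FTP mapping user from the first part of these notes) has both /bin/false and a locked hash, so it never appears as usable even though it exists in passwd, which is exactly the state you want for that account; peter has a real shell but a locked hash, so he drops out of the usable list after passwd -l.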
