Linux: Use vsftpd to build a secure FTP service
The security risks of the FTP protocol are not a reason to abandon FTP altogether. This article introduces a method of building a secure FTP service.
File Transfer Protocol (FTP) is one of the most frequently used protocols on the Internet. It is based on the client/server architecture and is mainly used to provide file upload and download for users. However, because the protocol's original design did not fully account for the many security problems that arise on today's networks, it carries significant security risk. This article introduces the principles of FTP and describes how to use vsftpd (very secure FTP daemon) to build a secure FTP service on Linux.
Features of vsftpd
vsftpd is an FTP server (daemon) for Unix-like operating systems, released under the GPL; it runs on Linux, BSD, Solaris, HP-UX and IRIX. It supports features that many other traditional FTP servers lack, including: high security, bandwidth limiting, good scalability, virtual users, IPv6, virtual IP addresses, high speed and stability.
The name vsftpd stands for "very secure FTP daemon". Its developer, Chris Evans, focused on the security of data transmission, so among the features listed above security comes first. vsftpd also compares favourably with other FTP servers such as Wu-ftpd and ProFTPD. In terms of speed, according to statistics, the download speed in ASCII mode is twice that of Wu-ftpd, and on a Linux 2.4 series kernel a download over Gigabit Ethernet can reach 86 MB/s. In terms of stability, according to ftp.redhat.com data it can support 15000 concurrent users, so its overall performance is also very high.
vsftpd Installation Process
Installing the vsftpd daemon is quite simple. You can find an RPM package of vsftpd in every major distribution, and in many cases it is already installed. If not, you can download the source code from http://vsftpd.beasts.org/ and install it manually. The latest version is vsftpd 2.0.3.
After obtaining the source code and extracting the tar archive, change into the new directory and run make. The following is an example of a manual installation:
# tar xzvf vsftpd-2.0.3.tar.gz
# cd vsftpd-2.0.3
# make
Before that, we should check whether the user "nobody" and the directory "/usr/share/empty" exist, and create them if necessary. If anonymous access is to be allowed, the user "ftp" and the directory "/var/ftp" must also exist. Run the following two commands:
# mkdir /var/ftp
# useradd -d /var/ftp ftp
For security reasons, the directory "/var/ftp" must not be owned by the user "ftp" and must not be writable by it. If the user already exists, use the following two commands to change the directory owner to root and remove write permission for group and other users:
# chown root.root /var/ftp
# chmod og-w /var/ftp
Once all prerequisites are met, we can install the vsftpd daemon.
# make install
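The prerequisites above (the "nobody" user, the /usr/share/empty directory, and an anonymous root that is owned by root and not writable by group or other) are easy to get wrong and silently leave the anonymous area writable. The following script, an added example that is not part of the article, checks each of them and prints the command from the article that would fix a failed check. It uses GNU/busybox stat(1) and id(1); /var/ftp and /usr/share/empty are vsftpd's defaults as given above.

```shell
#!/bin/sh
# Added example (not from the article): verify the prerequisites the article
# lists before running "make install". Paths are vsftpd's defaults.

# user_exists NAME: succeed if NAME is a known account (id(1) is POSIX).
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# dir_safe DIR OWNER: succeed if DIR exists, is owned by OWNER, and carries
# no write bit for group or other (the state "chown root.root; chmod og-w"
# leaves behind). Diagnostics go to stderr.
dir_safe() {
    dir="$1"; want_owner="$2"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    owner=$(stat -c %U "$dir")
    perms=$(stat -c %A "$dir")            # e.g. drwxr-xr-x
    gw=$(printf '%s' "$perms" | cut -c6)  # group write position
    ow=$(printf '%s' "$perms" | cut -c9)  # other write position
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir is owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "$dir is writable by group or other ($perms)" >&2
        return 1
    fi
    return 0
}

# check_vsftpd_prereqs ANON_ROOT: run every check, print the article's fix
# for each failure, and return the number of failed checks.
check_vsftpd_prereqs() {
    anon_root="${1:-/var/ftp}"
    failed=0
    user_exists nobody || { echo "fix: create user nobody"; failed=$((failed + 1)); }
    [ -d /usr/share/empty ] || { echo "fix: mkdir /usr/share/empty"; failed=$((failed + 1)); }
    user_exists ftp || { echo "fix: useradd -d $anon_root ftp"; failed=$((failed + 1)); }
    dir_safe "$anon_root" root || {
        echo "fix: chown root.root $anon_root && chmod og-w $anon_root"
        failed=$((failed + 1))
    }
    return "$failed"
}

# Stand-alone use: ./check.sh [anonymous-root]
if check_vsftpd_prereqs "${1:-/var/ftp}"; then
    echo "all vsftpd prerequisites are met"
else
    echo "some prerequisites are missing; apply the fixes listed above"
fi
```

Run it as root before "make install" and again after the chown/chmod step; a "fix:" line for /var/ftp that persists means the anonymous root is still writable or not root-owned.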
With this, the installation of vsftpd is complete. Installing from source is somewhat involved, however; most Linux systems in use today install software from RPM packages, which is simpler and faster. The following describes how to install vsftpd from an RPM package.
vsftpd is included in Red Hat Linux 9. The installation steps are as follows:
1. Check whether vsftpd is already installed. If it is, use it directly.
# rpm -qa | grep vsftpd
2. If it is not installed, download the RPM package vsftpd-1.1.3-8.i386.rpm and install it:
# rpm -ivh vsftpd-1.1.3-8.i386.rpm
The installation is completed with these two steps.
Configuration File Introduction
The configuration file is /etc/vsftpd.conf. As with most configuration files in Linux, its entries are described one by one in the following section; a sound configuration is the prerequisite for secure FTP transmission.
View the configuration file:
# vi /etc/vsftpd.conf
Set whether anonymous access is allowed:
# Anonymous FTP access permitted? YES/NO
anonymous_enable=NO
Set whether anonymous users may upload files:
# Permit anonymous upload? YES/NO
anon_upload_enable=NO
Set whether anonymous users may create directories:
# Permission for anonymous users to make new directories? YES/NO
anon_mkdir_write_enable=NO
Set whether anonymous users may delete or rename files:
# Permission for anonymous users to do other write operations, like renaming or deleting? YES/NO
anon_other_write_enable=NO
Set whether local users may log in:
# Log on by local users permitted? YES/NO
local_enable=YES
Set whether local users are locked (chrooted) into their home directory:
# Shall local users be locked into their home directory? YES/NO
chroot_local_user=YES
Set the maximum transfer rate:
# Highest permitted data transfer rate in bytes per second for local logged on users. Default = 0 (unlimited)
local_max_rate=7200
Set whether write operations are allowed at all:
# General write permission? YES/NO
write_enable=YES
Set whether a message is shown when changing directories:
# Enable messages when changing directories? YES/NO
dirmessage_enable=YES
Set the welcome banner the server sends to a client at login:
# Welcome banner at user logon.
ftpd_banner=Welcome to neo5k's FTP service.
Set whether logging is enabled:
# Activate logging? YES/NO
xferlog_enable=YES
Set whether every FTP protocol exchange is logged. If set to YES, this can generate a large amount of data:
# Logging of all FTP activities? YES/NO
# Careful! This can generate large quantities of data.
log_ftp_protocol=NO
Set whether data connections must originate from port 20:
# Confirm connections are established on port 20 (ftp data) only. YES/NO
connect_from_port_20=YES
Set the idle-session timeout:
# Timeout during idle sessions
idle_session_timeout=600
Set the data-connection timeout:
# Data connection timeout
data_connection_timeout=120
Set the PAM service used for authentication:
# Access through Pluggable Authentication Modules (PAM)
pam_service_name=vsftpd
Set whether vsftpd runs in standalone mode:
# Standalone operation? YES/NO, depending on operation mode (inetd, xinetd, standalone)
# The author's FTP service is started with xinetd, therefore the value here is NO.
listen=YES
Set whether tcp_wrappers is used for host access control:
tcp_wrappers=YES
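A configuration that drifts from the values above (anonymous access switched back on, the chroot for local users disabled, logging turned off) is the usual way a vsftpd host becomes exposed. The following script is an added example, not part of the article: it reads a vsftpd.conf in the key=value syntax shown above and prints one WARN line for each option whose value differs from the article's hardened setting, plus a WARN for any anonymous write switch that is on while anonymous access is enabled. Only option names that appear in the article are checked, and the two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf against the
# hardened values used in the article's configuration listing.

# conf_get FILE KEY: print KEY's value (last definition wins; "#" comment
# lines and unrelated keys are ignored). vsftpd syntax is key=value.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_conf FILE: print one WARN line per deviation from the article's
# settings; nothing is printed for a configuration that matches.
audit_conf() {
    conf="$1"
    # key:expected pairs taken from the article's listing
    for rule in anonymous_enable:NO chroot_local_user:YES \
                xferlog_enable:YES write_enable:YES; do
        key=${rule%%:*}
        want=${rule#*:}
        have=$(conf_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "WARN $key=${have:-<unset>} (article uses $want)"
        fi
    done
    # If anonymous access is enabled after all, none of the anonymous
    # write switches may be on.
    if [ "$(conf_get "$conf" anonymous_enable)" = "YES" ]; then
        for key in anon_upload_enable anon_mkdir_write_enable \
                   anon_other_write_enable; do
            if [ "$(conf_get "$conf" "$key")" = "YES" ]; then
                echo "WARN $key=YES while anonymous_enable=YES"
            fi
        done
    fi
}

# audit_count FILE: number of WARN lines for FILE.
audit_count() {
    audit_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the article's hardened settings.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# Anonymous FTP access permitted? YES/NO
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
write_enable=YES
xferlog_enable=YES
listen=YES
EOF

# Constructed sample 2: a permissive configuration a defender should flag
# (anonymous access with write switches on, no chroot, no logging line).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=YES
chroot_local_user=NO
write_enable=YES
EOF

echo "hardened sample: $(audit_count "$HARDENED_CONF") finding(s)"
echo "weak sample:"
audit_conf "$WEAK_CONF"
```

To audit a live server, replace the constructed sample with the path /etc/vsftpd.conf; the weak sample above produces five WARN lines, the hardened one none. Note that vsftpd rejects whitespace around "=" in its real configuration file, which is why the parser only accepts the key=value form.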
Starting the FTP service
vsftpd can be started in three modes: inetd, xinetd, and standalone. xinetd, which extends inetd and is more efficient and practical than it (adding request logging, access control, and binding of services to particular network interfaces), is the usual choice today, so this article describes the xinetd and standalone startup methods.
1. Starting via xinetd
In the configuration file above, change listen=YES to listen=NO and tcp_wrappers=YES to tcp_wrappers=NO, then copy the vsftpd file from the vsftpd documentation directory into the /etc/xinetd.d directory and change disable=yes to disable=no there. The resulting startup configuration file looks like this:
# cat /etc/xinetd.d/vsftpd
# default: on
# description: The vsftpd FTP server serves FTP connections. It uses
#       normal, unencrypted usernames and passwords for authentication.
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        nice            = 10
        disable         = no
        flags           = IPv4
}
Now vsftpd can be started with the following commands.
Stop a standalone vsftpd, if one is running:
# service vsftpd stop
Restart the xinetd daemon:
# service xinetd restart
To start the service automatically at boot, run the setup command and select the vsftpd daemon under the network services configuration item.
2. Starting in standalone mode
vsftpd can also work in standalone mode. To do so, open /etc/vsftpd.conf again and make the following changes: