Linux: using vsftpd to build secure FTP services


The security risks of the FTP protocol are not, by themselves, a reason to reject FTP. This article introduces a method for building a secure FTP service.

File Transfer Protocol (FTP) is one of the protocols Internet users rely on most often. It is based on the client/server architecture and is mainly used to give users file transfer, upload and download functions. However, because the protocol was designed before many of today's network security problems were understood, it carries considerable security risk. This document introduces the principles of the file transfer protocol and describes how to use vsftpd (very secure FTP daemon) to build a secure FTP service on Linux.

Features of vsftpd

vsftpd is a GPL-licensed FTP server (a daemon) for Unix-like operating systems; it runs on Linux, BSD, Solaris, HP-UX and IRIX. It supports features that many traditional FTP servers do not: high security, bandwidth limits, good scalability, virtual users, IPv6, virtual IP addresses, high speed, and stability.

The name vsftpd stands for "very secure FTP daemon"; its developer, Chris Evans, was primarily concerned with the security of data transmission, so among the features listed above security comes first. vsftpd also compares well with other FTP servers such as wu-ftpd and ProFTPD. In terms of speed, according to published figures, its download speed in ASCII mode is twice that of wu-ftpd, and on a Linux 2.4 series kernel it can reach 86 MB/s over Gigabit Ethernet. In terms of stability, according to data from ftp.redhat.com it can support 15000 concurrent users, so its overall performance is also very high.

Vsftpd installation process

Installing the vsftpd daemon is quite simple. Every major distribution ships an RPM package of vsftpd, and in many cases it is already installed. If not, you can download the source code from http://vsftpd.beasts.org/ and install it manually. The latest version is vsftpd 2.0.3.

After obtaining the source code and unpacking the tar archive, change into the new directory and run make. The following is an example of a manual installation:

# tar xzvf vsftpd-2.0.3.tar.gz

# cd vsftpd-2.0.3

# make

Before that, check whether the user "nobody" and the directory "/usr/share/empty" exist, and create them if necessary. If anonymous access is to be allowed, you also need to create the "ftp" user and the "/var/ftp" directory. Run the following two commands:

# mkdir /var/ftp

# useradd -d /var/ftp ftp

For security reasons, the directory "/var/ftp" should not be owned by the user "ftp" and should not be writable by that user. If the user already exists, use the following two commands to change the directory owner and remove write permission for group and other users:

# chown root.root /var/ftp

# chmod og-w /var/ftp

After all the prerequisites are met, we can install the vsftpd daemon:

# make install

This completes the installation of vsftpd. Of course, this manual procedure is somewhat involved; many of the Linux systems in use today install software from RPM packages, which is simple and fast. The following describes how to install vsftpd from an RPM package.

vsftpd is included in Red Hat Linux 9. The installation steps are as follows:

1. Check whether vsftpd is installed. If it is already installed, it can be used directly.

# rpm -qa | grep vsftpd

2. If it is not installed, download the RPM package vsftpd-1.1.3-8.i386.rpm and install it:

# rpm -ivh vsftpd-1.1.3-8.i386.rpm

The installation process can be completed smoothly through the above two steps.

Configuration file introduction

The configuration file is /etc/vsftpd.conf. Like most configuration files in Linux it is a plain text file; its main directives are described below. Using the configuration file sensibly is a prerequisite for secure FTP transmission.

View the configuration file:

# vi /etc/vsftpd.conf

Set whether anonymous access is allowed:

# Anonymous FTP access permitted? YES/NO

anonymous_enable=NO

Set whether anonymous users may upload files:

# Permit anonymous upload? YES/NO

anon_upload_enable=NO

Set whether anonymous users may create directories:

# Permission for anonymous users to make new directories? YES/NO

anon_mkdir_write_enable=NO

Set whether anonymous users may delete or rename files:

# Permission for anonymous users to do other write operations, like renaming or deleting? YES/NO

anon_other_write_enable=NO

Set whether local users may log on:

# Logon by local users permitted? YES/NO

local_enable=YES

Set whether local users are locked (chrooted) into their home directory:

# Shall local users be locked into their home directory? YES/NO

chroot_local_user=YES

Set the maximum transfer rate for local users:

# Highest permitted data transfer rate in bytes per second for local logged-on users. Default = 0 (unlimited)

local_max_rate=7200

Set whether write operations are allowed at all:

# General write permission? YES/NO

write_enable=YES

Set whether a message is shown when a user changes directory:

# Enable messages when changing directories? YES/NO

dirmessage_enable=YES

Set the welcome banner the server sends to a client at logon:

# Welcome banner at user logon.

ftpd_banner=Welcome to neo5ks FTP service.

Set whether transfer logging is enabled:

# Activate logging? YES/NO

xferlog_enable=YES

Set whether every FTP command and response is logged. If set to YES, this can generate a very large amount of data:

# Logging of all FTP activities? YES/NO

# Careful! This can generate large quantities of data.

log_ftp_protocol=NO

Set whether data connections originate from port 20 (ftp-data):

# Confirm connections are established on port 20 (ftp-data) only. YES/NO

connect_from_port_20=YES

Set the idle session timeout in seconds:

# Timeout during idle sessions

idle_session_timeout=600

Set the data connection timeout in seconds:

# Data connection timeout

data_connection_timeout=120

Set the PAM service name used for authentication:

# Access through Pluggable Authentication Modules (PAM)

pam_service_name=vsftpd

Set whether vsftpd runs in standalone mode:

# Standalone operation? YES/NO, depending on the operation mode (inetd, xinetd, standalone)

# The author's FTP service is started with xinetd, therefore the value here is NO.

listen=YES

Set whether tcp_wrappers is used for host access control:

tcp_wrappers=YES
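As an added check (not code from the article or from the vsftpd project), the following Python script parses a vsftpd.conf in the strict option=value form that vsftpd requires and reports any of the article's lock-down options that are missing or set the other way; the sample file is constructed here.

```python
# Constructed sample (not a real server's file): the article's values, with
# xferlog_enable left out and one line written with spaces around '='.
SAMPLE_CONF = """\
# Anonymous FTP access permitted? YES/NO
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
write_enable=YES
dirmessage_enable = YES
"""

# Options the article sets, with the value that keeps the service locked down.
HARDENING = {
    "anonymous_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "YES",
    "xferlog_enable": "YES",
}

def parse_vsftpd_conf(text):
    """Return (settings, errors); vsftpd rejects 'option = value' with spaces."""
    settings, errors = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            errors.append(f"line {no}: not option=value: {line}")
        elif key != key.rstrip() or value != value.lstrip():
            errors.append(f"line {no}: spaces around '=' in {key.strip()}")
        else:
            settings[key] = value
    return settings, errors

def audit(settings):
    """List options that differ from HARDENING; an empty list means all are safe."""
    findings = []
    for opt, safe in HARDENING.items():
        actual = settings.get(opt)
        if actual is None:
            findings.append(f"{opt} not set explicitly")
        elif actual.upper() != safe:
            findings.append(f"{opt}={actual} (expected {safe})")
    return findings
```

Run it against a real file with parse_vsftpd_conf(open("/etc/vsftpd.conf").read()) and review both lists before restarting the service.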

Start FTP service

vsftpd can be started in three ways: from inetd, from xinetd, or standalone. Because xinetd, which most current systems use, extends inetd with request logging, access control and binding of services to particular network interfaces, it is more efficient and practical than inetd and is usually preferred. This article describes the xinetd and standalone startup methods.

1. xinetd startup

In the configuration file above, change listen=YES to listen=NO and tcp_wrappers=YES to tcp_wrappers=NO, then copy the sample xinetd file from the vsftpd documentation directory to /etc/xinetd.d and edit it:

# cp /usr/share/doc/vsftpd-1.1.3/vsftpd.xinetd /etc/xinetd.d/vsftpd

# vi /etc/xinetd.d/vsftpd

Change disable = yes to disable = no. The resulting xinetd startup configuration file looks like this:

# cat /etc/xinetd.d/vsftpd

# default: on
# description: The vsftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        nice            = 10
        disable         = no
        flags           = IPv4
}

Now start vsftpd under xinetd with the following commands.

Stop a standalone vsftpd:

# service vsftpd stop

Restart the xinetd daemon:

# service xinetd restart

To start the service automatically at boot, run the setup command and select the vsftpd daemon in the system services configuration.

2. Start in standalone mode

vsftpd can also run in standalone mode. To do so, open /etc/vsftpd.conf again and make the following changes:

# Shall the vsftp daemon run in standalone ope
