Article Title: Relationship between the vsFTPd server, the firewall and SELinux (Linux channel, IT Lab China)
1. Relationship between the vsFTPd server, the firewall and SELinux
On the forum I have seen people report that vsftpd starts normally but clients cannot connect, or users cannot upload files. In my experience this is usually a firewall or SELinux problem: the FTP daemon is being restricted by the packet filter or by SELinux policy. So FTP traffic must be allowed through the firewall, and vsftpd must be allowed to do what it needs under SELinux. A quick way to tell the two apart: if the client cannot even connect to port 21, suspect the firewall; if it connects and logs in but listing, downloading or uploading fails, suspect SELinux (or, for anonymous FTP, directory permissions, see section 2). Running setenforce 0 puts SELinux into permissive mode until the next reboot; if the problem disappears, SELinux was the cause, and ausearch -m avc -c vsftpd shows the exact denial;
On Fedora/Red Hat/CentOS the firewall must be configured: you can turn it off entirely, or (better) use the Customize screen of the firewall tool to allow FTP as an incoming service;
[root@localhost ~]# system-config-securitylevel-tui
Or flush all firewall rules, which is common practice but removes every rule, leaving the host unfiltered until the iptables service is restarted and reloads /etc/sysconfig/iptables;
[root@localhost beinan]# iptables -F
Note that allowing port 21 is not enough on its own: the data connection must also get through. Either load the FTP connection-tracking helper (ip_conntrack_ftp on older 2.6 kernels, nf_conntrack_ftp on newer ones) so data connections are accepted as RELATED, or fix the passive port range with pasv_min_port and pasv_max_port in vsftpd.conf and open that range explicitly;
SELinux is hard to explain to veterans and novices alike, so the usual advice is to disable it or to exempt vsftpd from it, and that does make vsftpd work on Fedora/Red Hat/CentOS. The better option is to keep SELinux enforcing and switch on the FTP-related booleans instead. List them with getsebool -a | grep ftp (names differ between releases: ftp_home_dir lets local users reach their home directories, and allow_ftpd_anon_write, later renamed ftpd_anon_write, lets anonymous users upload into directories labelled public_content_rw_t), and set one persistently with setsebool -P, for example setsebool -P ftp_home_dir on;
Of course, you can also disable SELinux outright in /etc/selinux/config, shown below. A less drastic setting is permissive, which logs what would have been denied without blocking it, and is the right setting while you diagnose;
/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled        # this turns SELinux off; it takes effect after a reboot
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
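As an added example (not code from the original article), the following script shows the alternative to switching the firewall and SELinux off: it generates the iptables rules that open port 21 and a passive data range, the matching vsftpd.conf passive settings, and the setsebool/semanage commands that let vsftpd accept anonymous uploads while SELinux stays enforcing. The passive range 30000-30100, the upload directory /var/ftp/incoming and the boolean names are assumptions; check them against your own vsftpd.conf and the output of getsebool -a.

```sh
#!/bin/sh
# Added example, not part of the original article: admit FTP through iptables
# and SELinux without turning either off. Assumptions, not facts from the page:
# a passive port range of 30000-30100, the targeted policy on a Fedora/RHEL-style
# host, and an upload directory /var/ftp/incoming.

# vsftpd_pasv_conf MIN MAX
# Prints the vsftpd.conf lines that pin passive data connections to MIN-MAX,
# so the firewall can open a known range instead of every high port.
vsftpd_pasv_conf() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# iptables_ftp_rules MIN MAX
# Prints iptables commands that open the control port and the passive range.
# The conntrack helper marks data connections RELATED to the control session,
# so the generic ESTABLISHED,RELATED rule admits active-mode data as well; the
# explicit range rule still matters when the helper cannot read the control
# channel (e.g. FTP over TLS). This replaces "iptables -F", which flushes
# every rule instead of adding the two that are needed.
iptables_ftp_rules() {
    min=$1 max=$2
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $min:$max -m state --state NEW -j ACCEPT
EOF
}

# selinux_ftp_setup UPLOADDIR
# Prints the commands that keep SELinux enforcing while allowing local users
# into their home directories and anonymous uploads into UPLOADDIR.
# Boolean names differ between releases (ftpd_anon_write on newer ones);
# run "getsebool -a | grep ftp" to see what the installed policy offers.
selinux_ftp_setup() {
    upload=$1
    cat <<EOF
setsebool -P ftp_home_dir on
setsebool -P allow_ftpd_anon_write on
semanage fcontext -a -t public_content_rw_t "$upload(/.*)?"
restorecon -R -v $upload
EOF
}

# With --print the commands are only shown; with --apply they are piped to
# "sh -e", which needs root and a host with iptables and policycoreutils.
main() {
    cmds=$(iptables_ftp_rules 30000 30100; selinux_ftp_setup /var/ftp/incoming)
    case ${1:---print} in
        --apply) printf '%s\n' "$cmds" | sh -e ;;
        *)       vsftpd_pasv_conf 30000 30100; printf '%s\n' "$cmds" ;;
    esac
}

# Runs only when invoked with an argument, e.g. "sh ftp-allow.sh --print".
if [ $# -gt 0 ]; then
    main "$1"
fi
```

The generated rules are appended with -A, so they only help if they come before a final DROP/REJECT rule; on a stock Fedora/RHEL firewall insert them into the RH-Firewall-1-INPUT chain or write them into /etc/sysconfig/iptables ahead of the reject line.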
2. 500 OOPS: vsftpd: refusing to run with writable anonymous root
If the vsFTPd server has started but a login test shows a message like the following;
500 OOPS: vsftpd: refusing to run with writable anonymous root
it means the permissions on the ftp user's home directory are wrong and must be changed;
[root@localhost ~]# grep ftp /etc/passwd
ftp:x:1000:1000:FTP User:/var/ftp:/sbin/nologin
So the ftp user's home directory is /var/ftp, and the error comes from wrong permissions on /var/ftp: this directory must not be fully open, which is exactly what a careless chmod 777 /var/ftp makes it. (If the ftp user has no home directory at all, create it yourself.) vsftpd performs this check after dropping privileges and chrooting into the anonymous root: if the account it runs as can write to that root, it refuses the session, because a writable chroot root is a known hole (the vsftpd FAQ explains why). The home directory of the ftp user therefore must not be writable by everyone, and must not be owned by the ftp user either;
[root@localhost ~]# ls -ld /var/ftp
drwxrwxrwx 3 root 4096 2005-03-23 /var/ftp
Correct it like this (owned by root, writable only by root);
[root@localhost ~]# chown root:root /var/ftp
[root@localhost ~]# chmod 755 /var/ftp
Some may ask: what if anonymous users should be able to read, download and upload? That is also simple. Create a subdirectory under /var/ftp for uploads and enable uploads in vsftpd.conf (anonymous_enable=YES, write_enable=YES, anon_upload_enable=YES). Do not make that directory 777: make it owned by the ftp user with mode 730 (write and search, no read), so anonymous clients can drop files but cannot list or fetch what others uploaded, and keep /var/ftp itself and the download directory (conventionally /var/ftp/pub) root-owned and 755. With SELinux enforcing, the upload directory also needs the public_content_rw_t label and the anonymous-write boolean turned on. There is no difficulty;
For security reasons vsFTPd refuses a fully open home directory on purpose; read the vsFTPd documentation to understand why. Otherwise it could hardly call itself the most secure FTP server, could it? Note that since vsftpd 2.3.5 the same check is applied to local users chrooted into a writable home directory (the message is then "refusing to run with writable root inside chroot()"); vsftpd 3.0.0 added allow_writeable_chroot=YES to override it, which is convenient but reintroduces the hole.
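As an added example (not code from the original article), the script below approximates the check behind the "refusing to run with writable anonymous root" message and builds the directory layout described above: a root-owned 755 anonymous root, a readable pub directory, and a 730 drop box for uploads instead of a 777 directory. vsftpd's real test is access("/", W_OK) as the ftp user after chroot(); this script reads mode bits and ownership instead, and the ftp account name and GNU stat -c are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): approximate the check behind
# "refusing to run with writable anonymous root" and build a layout that passes
# it. vsftpd's real test is access("/", W_OK) as the ftp user after chroot();
# this script reads mode bits and ownership instead. Assumes GNU coreutils
# (stat -c) and that the anonymous account is named ftp (an assumption).

# anon_root_ok DIR [FTPUSER]
# Returns 0 if DIR is acceptable as the anonymous root, 1 with a reason on
# stdout if vsftpd would refuse it, 2 if DIR cannot be examined.
anon_root_ok() {
    dir=$1
    ftpuser=${2:-ftp}
    set -- $(stat -c '%a %U %G' "$dir" 2>/dev/null)   # e.g. "777 root root"
    [ $# -eq 3 ] || { echo "$dir: cannot stat"; return 2; }
    mode=$1 owner=$2 group=$3
    other=$((mode % 10))       # last octal digit: permissions for "other"
    grp=$((mode / 10 % 10))    # middle digit: permissions for the group
    if [ $((other & 2)) -ne 0 ]; then
        echo "$dir: world-writable (mode $mode), vsftpd will refuse it"
        return 1
    fi
    if [ "$owner" = "$ftpuser" ]; then
        echo "$dir: owned by $ftpuser, so $ftpuser can write to it"
        return 1
    fi
    ftpgroup=$(id -gn "$ftpuser" 2>/dev/null || true)
    if [ -n "$ftpgroup" ] && [ "$group" = "$ftpgroup" ] && [ $((grp & 2)) -ne 0 ]; then
        echo "$dir: group-writable by $ftpgroup"
        return 1
    fi
    return 0
}

# make_anon_tree ROOT [FTPUSER]
# Creates the layout the article recommends: ROOT root-owned and 755 (vsftpd
# chroots here), ROOT/pub for downloads, ROOT/incoming as a write-only drop box
# owned by the ftp user with mode 730 rather than a world-writable 777.
# chown needs root and an existing ftp account; otherwise it is skipped.
make_anon_tree() {
    root=$1
    ftpuser=${2:-ftp}
    mkdir -p "$root/pub" "$root/incoming"
    chmod 755 "$root" "$root/pub"
    chmod 730 "$root/incoming"
    if [ "$(id -u)" -eq 0 ] && id "$ftpuser" >/dev/null 2>&1; then
        chown root:root "$root" "$root/pub"
        chown "$ftpuser:$(id -gn "$ftpuser")" "$root/incoming"
    fi
    anon_root_ok "$root"
}

# anon_upload_conf: vsftpd.conf settings that go with that layout (option
# names as documented in vsftpd.conf(5)). Uploads are allowed, but creating
# directories, deleting and renaming stay off.
anon_upload_conf() {
    cat <<'EOF'
anonymous_enable=YES
anon_root=/var/ftp
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
EOF
}

# Usage when run directly: "sh anon-root.sh /var/ftp" only checks the
# directory; "sh anon-root.sh /var/ftp create" builds the tree first.
if [ $# -gt 0 ]; then
    if [ "$2" = "create" ]; then make_anon_tree "$1"; else anon_root_ok "$1"; fi
fi
```

Running the check against a directory that was chmod 777 reports it as world-writable, which is the situation the OOPS message complains about; after chown root:root and chmod 755 the same directory passes.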