RHEL5.5 install vsftpd and configure virtual users and enable firewall and SELinux

1, download and install 1, to rpm.pbone.net or rpmfind.net search and download: vsftpd-2.2.2-2.el5.i386.rpm2, install # rpm-ivhvsftpd-2.2.2-2.el5.i386.rpm3, backup configuration file: # cp/etc/vsftpd. conf/etc/vsftpd. conf. bak4, vsftpd file description/et

1. Download and install

1, search for and download from rpm.pbone.net or rpmfind.net: vsftpd-2.2.2-2.el5.i386.rpm
2. Install
# Rpm-ivh vsftpd-2.2.2-2.el5.i386.rpm
3. Backup configuration file:
# Cp/etc/vsftpd. conf/etc/vsftpd. conf. bak
4. vsftpd file description

/Etc/vsftpd. conf main configuration file
Main Program of/usr/sbin/vsftpd Vsftpd
/Etc/rc. d/init. d/vsftpd Startup Script
/Etc/pam. d/vsftpd PAM Authentication file (the file =/etc/vsftpd/ftpusers field in this file indicates that the user blocking access is from the user in the/etc/vsftpd/ftpusers file)
/Etc/vsftpd/ftpusers disable vsftpd user list files. Record the user name list that is not allowed to access the FTP server. The administrator can record some user accounts that are threatening system security in this file, this prevents the user from getting the right to upload or download more after logging on from FTP, which may cause damage to the system. (Note: This file is in the/etc/directory in the linux-4)
/Etc/vsftpd/user_list prohibit or allow vsftpd user list files. The Default User information specified in this file (in/etc/vsftpd. if userlist_deny = YES is set in conf, the FTP server cannot be accessed. When userlist_deny = NO is set, only the user specified in user_list can access the FTP server. (Note: This file is in the/etc/directory in the linux-4)
/Var/ftp Anonymous user home directory; local user home directory:/home/user home directory, that is, log on to your home directory
/Var/ftp/pub anonymous user's download Directory, which must be authorized to the root chmod 1777 pub (1 is a special permission, so that it cannot be deleted after upload)
/Etc/logrotate. d/vsftpd. log file

2. Install the db4 package to enable db_load

# Yum install db4.i386
# Yum install db4-utils.i386

3. Disable the Firewall

# Service iptables stop

4. Disable SELinux

There are multiple methods

1. temporarily disable
# Setenforce 0 (disabled)
# Setenforce 1 (Enabled)
# Getenforce (view status)

2. Edit the configuration file
# Vi/etc/selinux/config
Change SELINUX = enforcing to SELINUX = disabled.

5. Configure anonymous user access

1. After vsftpd is installed, the Directory of the configuration file is/etc/vsftpd/. The main directory of anonymous users is/var/ftp.

2. Configure the main configuration file vsftpd. conf (server configuration supports uploading)

# Vi/etc/vsftpd. conf

Anonymous_enable = YES (Anonymous Users are allowed to access)
Anon_upload_enable = YES (allows anonymous users to upload files)
Anon_mkdir_write_enable = YES (allows anonymous users to create directories)

3. Create upload directory and configure directory permissions (note: the root directory/var/ftp permission of anonymous users is 755, which cannot be changed at will; otherwise, the client cannot connect)

# Mkdir/var/ftp/homework/
# Chown ftp/var/ftp/homework/
# Ls-Zd/var/ftp/homework/(view context)
Drwxrwxr-x ftp user_u: object_r: public_content_t/var/ftp/homework/
# Chcon-t public_content_rw_t/var/ftp/homework/(modify the context to make it writable)
# Ls-Zd/var/ftp/homework/(view the confirmation context)
Drwxrwxr-x ftp user_u: object_r: public_content_rw_t/var/ftp/homework/

(If SELinux is not disabled, perform the following steps)
# Getsebool-a | grep ftp (search for SELinux bool values related to ftp)
# Setsebool-P allow_ftpd_anon_write 1 (set The SELinux bool value to allow ftpd writing, and the-P option indicates writing the configuration file and taking effect permanently)

4. Restart the service.

# Service vsftpd restart

5. Client connection test

(1) anonymous client users can download files from pub
(2) An anonymous client user uploads a file to homework. The default permission attribute of the file to be uploaded is 600 (anon_umask = 077 in the configuration file), which cannot be downloaded, deleted, or overwritten.

6. Configure virtual user access

1. Create a virtual user password library file. In the file, set the virtual user name in odd lines, and set the user password in even lines.

# Vi/etc/vsftpd/vuser.txt
Teacher (virtual user name for odd lines)
123456 (set the user password for an even row)
Student
123456

2. Generate the authentication File For vsftpd

# Db_load-T-t hash-f/etc/vsftpd/vuser.txt/etc/vsftpd/vuser. db (generate authentication file)
# File/etc/vsftpd/vuser. db (View file type)
/Etc/vsftpd/vuser. db: Berkeley DB (Hash, version 8, native byte-order)
# Chmod 600/etc/vsftpd/vuser. db (the permission of the generated authentication file should be set to read and write only to the root user)

3. Create the PAM Configuration File required by the virtual user

# Vi/etc/pam. d/vsftpd
Auth required/lib/security/pam_userdb.so db =/etc/vsftpd/vuser (Note: No suffix. db is required)
Account required/lib/security/pam_userdb.so db =/etc/vsftpd/vuser

4. Create the System user account required by the vsftpd virtual user and set the corresponding permissions. After logon, all virtual user accounts will be in the/var/ftp directory.

# Useradd-s/sbin/nologin-d/var/ftp/vuser
# Chmod u-w/var/ftp/

5. Set the main configuration file vsftpd. conf.

# Vi/etc/vsftpd. conf

Local_enable = YES
Guest_enable = YES
Guest_username = vuser
Pam_service_name = vsftpd (vsftpd indicates the vsftpd file in the/etc/pam. d/directory)

(Optional)
Local_umask = 022 (mask of the File Uploaded By the virtual user)
Anon_umask = 077 (mask for files uploaded by anonymous users)
Chown_uploads = YES (the owner of the uploaded file can be changed)
Chown_username = vuser (change the owner of the uploaded file to vuser)

6. Restart the vsftpd service.
# Service vsftpd restart

7. Test the virtual user account teacher in vsftpd.

# Ftp 127.0.0.1
Name (localhost: root): teacher
Password:
Ftp>

8. set different permissions for different virtual users

(1). Set the main configuration file

# Mkdir/etc/vsftpd/vuser_conf (create a directory for saving user configuration files)
# Vi/etc/vsftpd. conf

User_config_dir =/etc/vsftpd/vuser_conf (set the directory for saving the user configuration file)

(2) create a separate configuration file for the virtual user. The name of the configuration file is the same as the user name. Configuration items not found in the user configuration file are set according to the content in the vsftpd. conf configuration file.

# Vi/etc/vsftpd/vuser_conf/teacher

Anon_world_readable_only = NO (indicating that users can browse the FTP directory and download files)
Anon_upload_enable = YES (indicates that you can upload files)
Anon_mkdir_write_enable = YES (indicates that the user has the right to create and delete directories)
Anon_other_write_enable = YES (indicates that the user has the permission to rename and delete files)

(3) restart the service

# Service vsftpd restart

7. Configure and start the Firewall

1. Set the passive mode and the port number used

# Vi/etc/vsftpd. con

Pasv_enable = YES
Pasv_min_port = 65300
Pasvanderbilt max_port = 65360

2. Add allowed ports

# Iptables-I RH-Firewall-1-INPUT-p tcp -- dport 21-j ACCEPT
# Iptables-I RH-Firewall-1-INPUT-p tcp -- dport 65300: 65360-j ACCEPT
# Iptables-save (save configuration)

3. Restart the service.

# Service vsftpd restart
# Service iptables start
 
8. troubleshooting

1, vsftpd: refusing to run with writable root inside chroot ()
-> Cause: vsftpd has upgraded security verification, that is, If chroot is enabled to control the user path, the user cannot have the write permission for the root directory.
-> Solution: # chmod u-w/var/ftp/

2, cannot change directory:/var/ftp
-> Cause: SELinux blocks access
-> Solution:
# Setsebool-P ftpd_disable_trans 1
# Service vsftpd restart

3. garbled Chinese file names of uploaded files
-> Cause: Character Set Problems
-> Solution:
(1) # vi/etc/sysconfig/i18n
LANG = "zh_CN.GB18030"
(2) The client software sets the font to a Chinese font and the connection character set to GBxxx or cp936.

4. Only anonymous users are allowed to log on.
-> Solution: set it in vsftpd. conf.
Local_enable = YES

For more information about RedHat, see RedHat topic page http://www.linuxidc.com/topicnews.aspx? Tid = 10