RHEL6 Server ftp service configuration

Source: Internet
Author: User
FTPfiletransferprotocol: low cost, cross-platform, cross-public network port: Data Transmission Port 20 Command Transmission port 21 active: by default, the ftp service opens port 21 to accept control commands, the server uses Port 20 to send data (the random port connecting the client is greater than 1024) passive: the ftp Server opens port 21 to accept command control for data transmission, the client informs the server to open a port greater than 1024, and then the client actively connects to the service configuration file parameters.

FTP
File transferprotocol
Low Cost, cross-platform, cross-Public Network
Port number used:
Data transmission Port 20
Command Transmission port 21
Active: by default, port 21 is enabled for the ftp service to receive control commands. The server uses Port 20 to send data (connect to a random port greater than 1024 of the client)
Passive: the ftp Server opens port 21 for Command Control. During data transmission, the client notifies the server to open a port greater than 1024, and then the client actively connects to the service.

Configuration File parameters:
[Root @ rootbug ~] # Cat/etc/vsftpd. conf | grep-v ^ # | grep-v ^ $
-- ^ # Indicates the row starting with #, that is, the Comment. ^ $ indicates the empty row.
Anonymous_enable = YES -- allow anonymous users to log on
Local_enable = YES -- allow local users to log on
Write_enable = YES -- allow local users to write after Logon
Local_umask = 022 -- create a permission mask for a file or directory
Dirmessage_enable = YES -- enable directory description or welcome information
Xferlog_enable = YES -- enable the log function (only recording file upload and download information)
Connect_from_port_20 = YES -- the active mode is supported by default (both modes are enabled, and the passive mode is used directly)
Xferlog_std_format = YES -- the log uses xferlog instead of vsftpd. log. If it is changed to NO, the opposite is true.
Listen = YES -- runs under standalone by default.
Pam_service_name = vsftpd -- Support pam (Pluggable module)
Userlist_enable = YES -- enable the user list Function
Tcp_wrappers = YES -- tcp_wrappers is supported

1. Anonymous logon to the ftp server
The anonymous logon accounts of the ftp server are ftp and anonymous. The password is blank.
The configuration file anonymous_enable = yse is used to control whether anonymous logon to the ftp server is allowed.
By default, anonymous users log on to the ftp server and the directory is in/var/ftp/. The file can be downloaded but not uploaded, in addition, the/var/ftp/directory cannot directly use chmod757 to modify the write permission. If it is modified, ftp cannot log on. Therefore, you need to create another directory under the/ftp/directory as the upload directory, you can also modify the configuration file to allow anonymous users to upload files.
[Root @ rootbug ~] # Chmod 777/var/ftp/pub -- change pub to writable for upload
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Anonymous_enable = YES
Anon_upload_enable = YES -- allows anonymous users to upload files.
Anon_mkdir_write_enable = YES -- allows anonymous users to create directories.

2. log on to the ftp server with a common account
By default, normal users are allowed to log on to ftp and log on to their home directory. The logon password is also the password for normal users to log on to the system.
If you want to disable all normal accounts to log on to the ftp server, you can directly modify it in the configuration file.
Local_enable = NO ---- disable all normal accounts to log on to the ftp server
If you want to control some common users to log on to the ftp server, some common accounts cannot log on to the ftp server, you can use the user list to control

Blacklist, which can be used to control accounts and cannot log on to the ftp server
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Userlist_enable = yes -- enable the user list Function
Userlist_deny = YES -- this sentence can be added or not added. This sentence is used by default.
Vim/etc/vsftpd/user_list -- add the user to be banned and one user writes a row.

-------------
Whitelist. If you have too much trouble adding to the blacklist, you can directly use the whitelist to control which accounts can log on to the ftp server.
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Userlist_enable = yes
Userlist_deny = no
Vim/etc/vsftpd/user_list -- add the allowed users and write a row for one user

----------- Note the following:
Userlist_enable specifies whether the user list function is valid
Userlit_deny indicates whether the user list is allowed or denied.

3. Configure the anonymous account logon directory to/var/ftp/, and the normal account's default logon directory to/ftp.
Because the ftp home directory is/var/ftp/by default, it is/var/ftp/after the anonymous account is logged on, and does not need to be configured. However, after logging on to a common account, the account is under the Home Directory of the respective account. How can I configure the default/ftp directory?
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Add a row in it.
Local_root =/ftp

4. chroot security configuration.
In addition to anonymous account logon to the ftp server, all other accounts can log on to the ftp server by cd to the directory of the entire system and download all important files of the system, this leads to a security vulnerability. So how can we configure it to prevent such insecurity? In this case, you need to configure chroot. There are two scenarios for configuring chroot.
(1) control all users in the ftp directory
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Chroot_local_user = YES
After this function is enabled, all users log on to the ftp server and will be controlled under the ftp directory. cd cannot be switched to other directories, ensuring system security.
(2) Some configuration control users are in the ftp directory, but other users are not controlled.
[Root @ rootbug ~] # Vim/etc/vsftpd. conf
Chroot_list_enable = YES
Chroot_list_file =/etc/vsftpd/chroot_list
Vim/etc/vsftpd/chroot_list -- manually create this file. This file does not exist by default. Write the username to add to the cage environment and write one row
[Root @ rootbug ~] #/Etc/init. d/vsftpdreload ---- refresh the service

Related reading:

RHEL5 configure the yum repository http://www.linuxidc.com/Linux/2013-08/88909.htm through FTP

A problem http://www.linuxidc.com/Linux/2013-07/88132.htm in VsFTP configuration in CentOS6 X64

The simplest way to build a tFTP server under Ubuntu http://www.linuxidc.com/Linux/2013-07/87366.htm

Install Pure-FTPd build FTP server http://www.linuxidc.com/Linux/2013-05/84885.htm

RHEL 6.x build enterprise FTP http://www.linuxidc.com/Linux/2013-08/89064.htm

For more details, go on to page 1: http://www.linuxidc.com/Linux/2013-09/89812p2.htm

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.