Rotten mud: vsftpd virtual user configuration in Ubuntu


This article is sponsored by ilanniweb and was first published on the author's blog.

For more articles, follow me on ilanniweb.

I had previously set up vsftpd under CentOS and assumed that the same steps would work on Ubuntu. Reality told me otherwise: I had taken too much for granted. After some effort I finally got vsftpd virtual users working on Ubuntu, and my configuration steps are posted below for reference.

I. Business Requirements

We need to create an FTP account, ailanni, that can log on only to the /www directory and cannot change to its parent directory. For security reasons, files uploaded by this account must receive permission 644, that is, the uploaded file is readable and writable but not executable.

In addition, this user must not be a system user; it must be a vsftpd virtual user.

The requirement looks simple. Next we will start to configure it.

PS: All of the following experiments were performed on Ubuntu Server 14.04 x64. For CentOS, refer to the article "Rotten mud: vsftpd uses virtual users to access FTP".

II. vsftpd Installation

Before configuring vsftpd, we first have to install it. Once again we use apt-get directly, as shown below:

sudo apt-get -y install vsftpd

Installing vsftpd is very simple. Now let's check which files the vsftpd package installed:

dpkg -L vsftpd | tac

We can see that the vsftpd package installs many files. Among them, /etc/init/vsftpd.conf and /etc/vsftpd.conf are the important ones.

/etc/init/vsftpd.conf is the vsftpd init (upstart) job, and /etc/vsftpd.conf is the configuration file of vsftpd.

Now let's look at the /etc/init/vsftpd.conf file:

cat /etc/init/vsftpd.conf

We can see that the configuration file the vsftpd init job uses is /etc/vsftpd.conf.

Why point this out? I had assumed that vsftpd on Ubuntu is the same as on CentOS, where the vsftpd configuration file lives in the /etc/vsftpd/ directory. Ubuntu differs from CentOS here.

The commands for starting, stopping and restarting vsftpd are another difference.

To start, stop, and restart vsftpd in ubuntu, run the following command:

sudo service vsftpd stop

sudo service vsftpd start

sudo service vsftpd restart

In CentOS, we can use the following commands:

service vsftpd stop

/etc/init.d/vsftpd stop

Finally, let's look at the vsftpd service script:

cat /lib/systemd/system/vsftpd.service

III. vsftpd Configuration

After vsftpd is installed, we start to configure vsftpd. However, we still have a few steps to do before the configuration.

3.1 User Configuration

Because we are using vsftpd virtual users, we first need to create a system user for the virtual user to map to; this user needs read and execute permission on the /www directory.

Create the user as follows:

sudo useradd -m -s /bin/bash ftpilanni

grep ftpilanni /etc/passwd

Note: the newly created user ftpilanni cannot log on to the system because no password has been set for it. We never need to log on to the system as ftpilanni, so this is relatively safe.

After the user is created, create the corresponding directory and change its owner, as shown below:

sudo mkdir /www

sudo chown -R ftpilanni:ftpilanni /www/

With the system user in place, we create the user and password file login.txt for vsftpd:

sudo mkdir /etc/vsftpd/

sudo vim /etc/vsftpd/login.txt

ailanni

ailannipassword

login.txt holds the user names and passwords used to log on to vsftpd in plain text: one line with the user name, followed by one line with that user's password.

After writing login.txt, we run it through db_load to produce the login.db database file. db_load is provided by the db-util package, so we install that first:

sudo apt-get -y install db-util

After db-util is installed, use db_load to convert login.txt, as follows:

sudo db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db

With login.db created, we now configure PAM authentication for vsftpd.

3.2 PAM Authentication Configuration

For vsftpd PAM authentication I did not use the /etc/pam.d/vsftpd file generated when vsftpd was installed.

After many tests, I found that authentication fails if this file is used. I don't know why; I guess it is probably a bug in vsftpd.

Create a new PAM service file as follows:

sudo vim /etc/pam.d/vsftpd.virtual

auth required pam_userdb.so db=/etc/vsftpd/login

account required pam_userdb.so db=/etc/vsftpd/login

The content of vsftpd.virtual can also be adjusted to the OS architecture. I am using Ubuntu x64, so the module can also be given by its full path:

auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login

account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login

/etc/vsftpd/login here refers to the /etc/vsftpd/login.db file; pam_userdb expects the path without the .db suffix.

3.3 vsftpd Permission Configuration

Now we configure vsftpd itself. Almost all vsftpd configuration items live in the /etc/vsftpd.conf file.

The vsftpd.conf configuration is as follows:

grep -vE "^#|^$" /etc/vsftpd.conf

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000

Several points in the above configuration file need to be highlighted.

local_enable=YES
write_enable=YES
local_umask=022

These items enable login and write permission for local (system) users. In particular, write_enable=YES must be set; otherwise the vsftpd virtual user cannot log on to vsftpd.

Why? Because the virtual user depends on a system user.

chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES

These three settings confine vsftpd users to their home directory so they cannot switch to the parent directory.

guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu

These three items enable vsftpd virtual users, select the PAM service created above, and set the directory holding the per-user virtual account configuration.

pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000

These enable vsftpd passive mode and its port range.

3.4 Virtual User Configuration

After modifying the vsftpd configuration file, we can configure the permissions of the virtual user, as follows:

sudo mkdir /etc/vsftpd/vu

sudo vim /etc/vsftpd/vu/ailanni

guest_username=ftpilanni
local_root=/www/
virtual_use_local_privs=YES
anon_umask=133

In the preceding parameters, guest_username=ftpilanni indicates that the system user the FTP account maps to is ftpilanni.

local_root=/www/ is the directory the user lands in after logging on to FTP.

virtual_use_local_privs=YES gives the virtual user the same permissions as a local user.

anon_umask sets the default umask for uploaded files. The calculation used here is 777 minus anon_umask; with 133 the uploaded files get permission 644, that is, they are readable and writable but not executable.

After all the preceding configurations are complete, restart vsftpd as follows:

sudo service vsftpd restart
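As an added example that is not part of the original post, the following POSIX shell audit reads a vsftpd.conf and a per-user file from user_config_dir like the ones in sections 3.3 and 3.4 and reports the settings they rely on: which pam_service_name is actually in effect (vsftpd applies the last assignment, and the listing above sets the key twice), whether anonymous access, chroot and TLS are configured, and the permission uploads will receive from anon_umask. The sample files are constructed inline with the post's values; vsftpd creates uploads with file_open_mode (default 0666) and applies the umask on top, so the general rule is 0666 & ~umask, which agrees with the 777-minus-umask shorthand for 133.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. It reads a vsftpd.conf plus
# a per-user file from user_config_dir and reports the settings the post relies on.
set -eu

# vsftpd applies settings in file order, so the last assignment of a key wins;
# report that final value (the post's vsftpd.conf sets pam_service_name twice).
conf_get() {  # conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Uploads are created with file_open_mode (default 0666) and the umask is
# applied on top: mode = 0666 & ~umask. For 133 this is 644, matching the post.
upload_mode() {  # upload_mode <octal umask>  -> prints e.g. 644
    printf '%03o' $(( 0666 & ~0$1 ))
}

audit_vsftpd() {  # audit_vsftpd <vsftpd.conf> <user_config_dir/user>
    [ "$(conf_get "$1" anonymous_enable)" = NO ] || echo "WARN: anonymous_enable is not NO"
    [ "$(conf_get "$1" chroot_local_user)" = YES ] || echo "WARN: users are not chrooted"
    [ "$(conf_get "$1" allow_writeable_chroot)" != YES ] ||
        echo "NOTE: allow_writeable_chroot=YES (vsftpd refuses a writable chroot root by default)"
    [ "$(conf_get "$1" ssl_enable)" = YES ] || echo "WARN: ssl_enable=NO, credentials cross the network in clear text"
    echo "pam_service_name in effect: $(conf_get "$1" pam_service_name)"
    echo "uploads by $(conf_get "$2" guest_username) under $(conf_get "$2" local_root) get mode $(upload_mode "$(conf_get "$2" anon_umask)")"
}

# Constructed sample files mirroring sections 3.3 and 3.4 of the post.
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pam_service_name=vsftpd
ssl_enable=NO
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
EOF
cat > "$tmp/ailanni" <<'EOF'
guest_username=ftpilanni
local_root=/www/
virtual_use_local_privs=YES
anon_umask=133
EOF
audit_vsftpd "$tmp/vsftpd.conf" "$tmp/ailanni"
```

Point audit_vsftpd at /etc/vsftpd.conf and /etc/vsftpd/vu/ailanni to check a live installation; a missing key is reported as empty, which the checks treat as not set.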

IV. Test

Now we log on to vsftpd as the ailanni user to test the setup.

From the above two figures, we can see that the vsftpd configuration meets the business requirements.

V. iptables Configuration

In a production environment, a firewall is usually enabled for security reasons.

On Ubuntu, we can also use iptables for protection.

The iptables configuration is as follows:

sudo iptables-save > /home/ilanni/iptables.rule

sudo iptables-restore < /home/ilanni/iptables.rule

sudo iptables -nL

sudo vim /etc/network/interfaces

pre-up iptables-restore < /home/ilanni/iptables.rule

post-down iptables-save > /home/ilanni/iptables.rule
