FTP is currently the most commonly used to upload and download the file of the Protocol, because its communications content is not encrypted to consider its security and generated the SCP and SFPT agreements. We can also use FTPs (FTP over Ssl/tls) to upload and download files more securely. Here is a description of how to implement FTPS services based on VSFTPD.
1) Configure FTPs
Install OpenSSL
| The code is as follows |
Copy Code |
# yum Install OpenSSL |
Using OpenSSL to generate server certificates
| The code is as follows |
Copy Code |
# OpenSSL Req-x509-nodes-newkey Rsa:2048-keyout/etc/pki/tls/certs/vsftpd.pem-out/etc/pki/tls/certs/vsftpd.pem
|
Install VSFTPD
| The code is as follows |
Copy Code |
# yum Install Vsftpd-y
# vi/etc/vsftpd/vsftpd.conf
|
Vsftpd.conf content is as follows
| The code is as follows |
Copy Code |
| #
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit and make the FTP daemon more usable.
# Please have a vsftpd.conf.5 for all compiled in defaults.
#
# READ This:this Example file is ' not ' an exhaustive list of vsftpd options.
# Please read the VSFTPD.CONF.5 manual page to get a full idea of vsftpd ' s
# capabilities.
#
# Allow anonymous FTP? (beware-allowed by default if your comment this.)
Anonymous_enable=no
#
# Uncomment this to allow the local users to log in.
Local_enable=yes
#
# Uncomment this to enable the any form of the FTP write command.
Write_enable=yes
#
# Default Umask for Local users are 077. You are wish to the change this to 022,
# If your users expect that (022 are used by most other ftpd ' s)
local_umask=002 #
# Uncomment this to allow the anonymous FTP user to upload files. This is only
# has an effect if the above global write-enable is activated. Also, you'll
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable =yes
#
# Uncomment this if your want the anonymous FTP user to is able to create
# New directories.
#anon_mkdir_write_enable =yes
#
# Activate Directory messages-messages given to remote users when they
# go into a certain directory.
Dirmessage_enable=yes
#
# The target log file can be Vsftpd_log_file or xferlog_file.
# This depends on setting Xferlog_std_format parameter
Xferlog_enable=yes
#
# Make sure port transfer connections originate from port (ftp-data).
Connect_from_port_20=yes
#
# If You are want, can arrange for uploaded anonymous files to is owned by
# a different user. note! Using ' root ' for uploaded the files are not
# recommended!
#chown_uploads =yes
#chown_username =whoever
#
# The name of log file when Xferlog_enable=yes and Xferlog_std_format=yes
# warning-changing This filename affects/etc/logrotate.d/vsftpd.log
Xferlog_file=/var/log/xferlog
#
# switches between logging into Vsftpd_log_file and xferlog_file files.
#xferlog_file =/var/log/vsftpd.log
Xferlog_std_format=yes
#
# You'll change the default value for timing out a idle session.
idle_session_timeout=1200
#
# You could change the default value of timing out a data connection.
data_connection_timeout=600
#
# It is recommended ' Define on your system a unique user which the
# FTP server can use as a totally isolated and unprivileged user.
#nopriv_user =ftpsecure
#
# Enable This and the server would recognise asynchronous Abor requests. Not
# Recommended for security (the ' Code is non-trivial '). Not enabling it,
# However, may confuse older FTP clients.
#async_abor_enable =yes
#
# By default the server'll pretend to allow ASCII mode but in fact ignore
# the request. Turn on the "below options to have" server actually do ASCII
# mangling on files as in ASCII mode.
# beware that on some FTP servers, ASCII support allows a denial of service
# Attack (DoS) via the command "Size/big/file" in ASCII mode. Vsftpd
# predicted this attack and has always been safe, reporting the size of the
# RAW file.
# ASCII mangling is a horrible feature of the protocol.
Ascii_upload_enable=yes
Ascii_download_enable=yes
#
# Your may fully customise the login banner string:
Ftpd_banner=welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# Useful for combatting certain DoS attacks.
#deny_email_enable =yes
# (default follows)
#banned_email_file =/etc/vsftpd/banned_emails
#
# You may specify a explicit list of local users to Chroot () to their home
# directory. If Chroot_local_user is YES, then this list becomes a list of
# users to not Chroot ().
#chroot_local_user =yes
#chroot_list_enable =yes
# (default follows)
#chroot_list_file =/etc/vsftpd/chroot_list
#
# You may activate the "-r" option to the builtin LS. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# The presence of the "-r" option, so there are a strong case for enabling it.
Ls_recurse_enable=yes
#
# when ' Listen ' directive is enabled, VSFTPD runs in standalone mode and
# listens on IPV4 sockets. This directive cannot is used in conjunction
# with the Listen_ipv6 directive.
Listen=no
#
# This directive enables listening on IPV6 sockets. To listen on IPV4 and IPV6
# sockets, you must run two copies of Vsftpd whith, two files.
# Make sure, this one of the listen options is commented!!
Listen_ipv6=yes # Enable SSL
Ssl_enable=yes
Rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
Allow_anon_ssl=no
Force_local_data_ssl=no
Force_local_logins_ssl=no
Ssl_sslv2=no
Ssl_sslv3=no
Ssl_tlsv1=yes # Enable Passive mode on NAT
Pasv_promiscuous=yes
pasv_min_port=65000
pasv_max_port=65001
Pasv_addr_resolve=yes Pam_service_name=vsftpd
Userlist_enable=yes
Tcp_wrappers=yes
Use_localtime=yes |
Start vsftpd and set to boot automatically
| The code is as follows |
Copy Code |
# service VSFTPD Start
# Chkconfig VSFTPD on |
