When building a vsftpd service, security is critical: the logs have to be checked for signs of intrusion, and the configuration has to be tightened so that the next attack does not succeed. The notes below cover ftp security management for vsftpd; I hope they help. One point applies to every setting shown: vsftpd's configuration parser is strict. Directives are written as option=value, in lowercase, with no spaces around the =; a line such as Xferlog_enable = YES makes the daemon refuse to start with a "500 OOPS" error instead of being applied.
1. Enable vsftpd's logging. The compiled-in default is off (the sample vsftpd.conf shipped with CentOS already turns it on).
xferlog_enable=YES             -- log transfers
xferlog_file=/var/log/xferlog  -- where the transfer log is written
The xferlog records transfers only, so it shows nothing about failed logins. To see logins, failed logins and write commands as well, set dual_log_enable=YES, which makes vsftpd also write its own format to vsftpd_log_file (/var/log/vsftpd.log by default) with CONNECT, OK LOGIN, FAIL LOGIN, OK UPLOAD and OK DELETE lines; that second file is the one to read when looking for an intrusion.
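The kind of check section 1 asks for, as an added example (not code from the original article): a Python scan over vsftpd's own log format, the one written to vsftpd_log_file when dual_log_enable=YES or xferlog_std_format=NO, that flags password-guessing bursts, a login that succeeds right after such a burst, and write commands issued by the anonymous account. The log lines in SAMPLE_LOG are constructed; the client 119.97.184.208 is the address the article blocks later and is reused here as the guesser, and the thresholds (5 failures within 300 seconds) are assumptions to tune for your own server.

```python
"""Scan vsftpd's own log format (vsftpd_log_file, written when dual_log_enable=YES
or xferlog_std_format=NO) for what an intrusion review looks for: bursts of FAIL
LOGIN from one client, a successful login following such a burst, and write
operations by the anonymous account. Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# One vsftpd.log event. The [user] field is absent on CONNECT lines, and
# UPLOAD/DELETE/RENAME lines carry the path right after the client address.
EVENT_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]*)")?'
)
WRITE_ACTIONS = {"UPLOAD", "DELETE", "RENAME", "MKDIR", "RMDIR", "CHMOD"}
ANON_USERS = {"ftp", "anonymous"}  # names vsftpd logs for anonymous sessions


def parse_line(line):
    """Return the event fields for an OK/FAIL line, or None for other lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev


def analyze(lines, fail_threshold=5, window_seconds=300):
    """Return (brute_force, compromised, anon_writes).

    brute_force: {ip: peak number of FAIL LOGIN inside any window_seconds span}
                 for clients that reached fail_threshold.
    compromised: [(ip, user)] for an OK LOGIN that came after fail_threshold or
                 more failures from the same client (guessing that worked).
    anon_writes: [(ip, action, path)] for write commands by the anonymous user.
    """
    fail_times = defaultdict(list)
    compromised, anon_writes = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "LOGIN":
            if ev["status"] == "FAIL":
                fail_times[ev["ip"]].append(ev["time"])
            elif len(fail_times[ev["ip"]]) >= fail_threshold:
                compromised.append((ev["ip"], ev["user"]))
        elif (ev["status"] == "OK" and ev["action"] in WRITE_ACTIONS
              and ev["user"] in ANON_USERS):
            anon_writes.append((ev["ip"], ev["action"], ev["path"]))
    brute_force = {}
    for ip, times in fail_times.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= fail_threshold:
            brute_force[ip] = peak
    return brute_force, compromised, anon_writes


# Constructed sample: a guessing burst against "tong" that succeeds on the sixth
# try, then an anonymous client dropping and deleting files, then normal use.
SAMPLE_LOG = """\
Mon Jan 12 18:00:01 2015 [pid 2830] CONNECT: Client "119.97.184.208"
Mon Jan 12 18:00:02 2015 [pid 2829] [tong] FAIL LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:03 2015 [pid 2829] [tong] FAIL LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:04 2015 [pid 2829] [tong] FAIL LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:05 2015 [pid 2829] [tong] FAIL LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:06 2015 [pid 2829] [tong] FAIL LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:08 2015 [pid 2829] [tong] OK LOGIN: Client "119.97.184.208"
Mon Jan 12 18:00:20 2015 [pid 2831] [tong] OK UPLOAD: Client "119.97.184.208", "/home/tong/.bashrc", 1024 bytes, 8.00Kbyte/sec
Mon Jan 12 18:05:00 2015 [pid 2840] [anonymous] OK LOGIN: Client "203.0.113.7", anon password "mozilla@"
Mon Jan 12 18:05:02 2015 [pid 2841] [ftp] OK UPLOAD: Client "203.0.113.7", "/upload/shell.php", 512 bytes, 4.00Kbyte/sec
Mon Jan 12 18:05:03 2015 [pid 2841] [ftp] OK DELETE: Client "203.0.113.7", "/upload/readme.txt"
Mon Jan 12 18:09:00 2015 [pid 2850] [alice] FAIL LOGIN: Client "10.0.0.5"
Mon Jan 12 18:09:30 2015 [pid 2850] [alice] OK LOGIN: Client "10.0.0.5"
"""

if __name__ == "__main__":
    brute, owned, anon = analyze(SAMPLE_LOG.splitlines())
    for ip, n in brute.items():
        print(f"brute force: {ip} ({n} failed logins)")
    for ip, user in owned:
        print(f"login succeeded after repeated failures: {user} from {ip}")
    for ip, action, path in anon:
        print(f"anonymous write: {action} {path} from {ip}")
```

Run it against the real file with `analyze(open("/var/log/vsftpd.log"))`. A single failure before a success, as with alice above, is normal and stays quiet; the interesting signal is the OK LOGIN that follows a burst, because that is the account to reset and the session to inspect.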
2. Anonymous user permissions (anonymous uploads)
anonymous_enable=YES         -- allow anonymous logins
anon_upload_enable=YES       -- anonymous users may upload files (write_enable=YES is also required)
anon_mkdir_write_enable=YES  -- anonymous users may create directories
anon_other_write_enable=YES  -- anonymous users may rename and delete
anon_umask=070               -- umask for anonymous uploads: files are created 606 (666 minus 070) and directories 707 (777 minus 070); the "777-070" shortcut is right for directories only
Be clear about what this combination means: with all four write options on, anyone who can reach the port can upload, overwrite, rename and delete files, and a umask of 070 leaves every upload readable by every other account on the system. If anonymous uploads are genuinely needed, keep anon_other_write_enable=NO and anon_umask=077, give the ftp user write access only to a dedicated upload subdirectory, and never make the anonymous root itself writable (vsftpd refuses the session with "500 OOPS: vsftpd: refusing to run with writable anonymous root").
3. Local user permissions
local_enable=YES    -- allow local system accounts to log in
write_enable=YES    -- accept write commands (upload, delete, rename, mkdir); this master switch applies to anonymous users as well
local_umask=022     -- local users' uploads are created 644 and their directories 755 (777 minus 022); the default umask 077 would give 600 and 700
Local users authenticate with their system password, which crosses the network in clear text unless TLS is enabled (ssl_enable=YES), so restrict which accounts may log in (sections 7 and 8) rather than opening local_enable to every account on the box.
4. Specify the owner of uploaded files
chown_uploads=YES     -- change the owner of anonymously uploaded files
chown_username=tong   -- uploaded files become owned by tong
This applies to anonymous uploads only. Use a dedicated unprivileged account for chown_username: the compiled-in default is root, and handing anonymous uploads to root means anything an attacker drops turns into a root-owned file.
5. Do not allow local users to change to other directories (lock users into their ftp root directory)
chroot_local_user=YES   -- chroot every local user into their home directory after login
Leave chroot_list_enable at its default NO here. With chroot_local_user=YES the file named by chroot_list_file becomes the list of users who are NOT chrooted, so writing users into it at this step would unlock them rather than lock them. Also note that vsftpd 3.x (and the patched 2.3.5 shipped by some distributions) refuses a login whose chroot root directory is writable by the user, failing with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Either make the home directory non-writable and give the user a writable subdirectory, or set allow_writeable_chroot=YES and accept the weaker isolation.
6. Allow selected local users to switch directories freely
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list   -- users listed in this file are exempt from the chroot and may browse the whole filesystem; everyone else stays locked in
The meaning of the list flips with chroot_local_user: with chroot_local_user=NO and chroot_list_enable=YES, only the users in the file are chrooted and all others roam freely. Keep the exemption list short, because an exempt user with write_enable=YES can read, and where file permissions allow, modify files anywhere on the system.
7. Prohibit local users from logging on to the ftp service
[root@centos2 ~]# ll /etc/vsftpd/
total 24
-rw-r--r--. 1 root root    5 Jan  9 chroot_list
-rw-------. 1 root root  125 Jan  9 ftpusers
-rw-------. 1 root root  361 Jan  9 user_list
-rw-------. 1 root root 4649 Jan 12 18:00 vsftpd.conf
-rwxr--r--. 1 root root  338 Feb 19  2013 vsftpd_conf_migrate.sh
ftpusers: a user written into this file cannot log on; the server still prompts for the password and then rejects the login. The check is done by PAM (pam_listfile in /etc/pam.d/vsftpd), so it applies no matter what vsftpd.conf says.
user_list: with the CentOS defaults userlist_enable=YES and userlist_deny=YES, a user written into this file is rejected as soon as the user name is sent, with no password prompt. Both files ship with the system accounts (root, bin, daemon and so on) already listed; keep them there.
8. Allow only specific local users to log on to the ftp service
[root@centos2 ~]# vim /etc/vsftpd/vsftpd.conf
userlist_deny=NO   -- add this line; user_list now becomes a whitelist (userlist_enable=YES is already set in the CentOS sample config)
[root@centos2 ~]# ll /etc/vsftpd/
-rw-------. 1 root root  361 Jan  9 user_list      -- only the users named in this file can now log on to the ftp service
-rw-------. 1 root root 4666 Jan 12 18:13 vsftpd.conf
Because the stock user_list is a deny list of system accounts, replace its contents with the accounts that should have ftp access before flipping userlist_deny; otherwise root, bin and daemon become the only "allowed" users. The ftpusers file keeps denying through PAM regardless of this switch, so an account must be absent from ftpusers and present in user_list to get in.
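To see what sections 2 to 8 grant in combination, here is an added example (not part of the original article) that parses a vsftpd.conf fragment with vsftpd's own rules, computes the real modes behind anon_umask and local_umask, and states the effect of the chroot and user_list switches. PERMISSIVE_CONF holds the article's settings from sections 2 to 4 and HARDENED_CONF a tightened version; both are constructed, the compiled-in defaults come from the vsftpd.conf man page, and the finding tags are names of my own.

```python
"""Work out what a vsftpd.conf actually grants under the settings of sections
2 to 8: anonymous and local writes, the modes produced by anon_umask and
local_umask, chown of anonymous uploads, the chroot list semantics and the
user_list mode. Added example; the two sample configs are constructed."""

# vsftpd's compiled-in defaults for the options examined here; the CentOS
# sample vsftpd.conf overrides some of them (it sets userlist_enable=YES).
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
    "anon_umask": "077", "local_enable": "NO", "write_enable": "NO",
    "local_umask": "077", "chown_uploads": "NO", "chown_username": "root",
    "chroot_local_user": "NO", "chroot_list_enable": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
}


def yes(value):
    """vsftpd boolean syntax: YES/NO, TRUE/FALSE or 1/0, case-insensitive."""
    return value.upper() in ("YES", "TRUE", "1")


def modes_from_umask(umask_str):
    """(file mode, directory mode) created under this umask: files start from
    666 and directories from 777, so '777 - umask' is right for dirs only."""
    umask = int(umask_str, 8)
    return 0o666 & ~umask, 0o777 & ~umask


def parse_conf(text):
    """Return (settings, errors). vsftpd aborts with '500 OOPS' on a line with
    spaces around '=' or an unrecognised (e.g. capitalised) option, so such
    lines are reported instead of silently applied."""
    settings, errors = dict(DEFAULTS), []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            errors.append(f"line {num}: vsftpd rejects {line!r}; write option=value, no spaces")
        elif key != key.lower() and key.lower() in DEFAULTS:
            errors.append(f"line {num}: unrecognised option {key!r}; options are lowercase")
        else:
            settings[key] = value
    return settings, errors


def evaluate(s):
    """Return [(tag, explanation)] describing what the settings grant."""
    out = []
    if yes(s["anonymous_enable"]):
        wants = [k for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                             "anon_other_write_enable") if yes(s[k])]
        fmode, dmode = modes_from_umask(s["anon_umask"])
        if wants and not yes(s["write_enable"]):
            out.append(("ANON_WRITE_BLOCKED", "anon write options set but write_enable=NO: no write is accepted"))
        elif wants:
            out.append(("ANON_WRITE", f"anonymous may {', '.join(wants)}; files {fmode:o}, dirs {dmode:o}"))
            if yes(s["anon_other_write_enable"]):
                out.append(("ANON_DELETE", "anonymous clients can delete and rename: an open drop site"))
            if fmode & 0o004:
                out.append(("ANON_WORLD_READABLE", f"anon_umask={s['anon_umask']} leaves uploads readable by every account"))
        if yes(s["chown_uploads"]):
            tag = "CHOWN_ROOT" if s["chown_username"] == "root" else "CHOWN_USER"
            out.append((tag, f"anonymous uploads become owned by {s['chown_username']}"))
    if yes(s["local_enable"]) and yes(s["write_enable"]):
        fmode, dmode = modes_from_umask(s["local_umask"])
        out.append(("LOCAL_WRITE", f"local users may upload, delete, rename; files {fmode:o}, dirs {dmode:o}"))
    chroot = {  # (chroot_local_user, chroot_list_enable) -> who is locked in
        (True, False): ("CHROOT_ALL", "every local user is locked into their home directory"),
        (True, True): ("CHROOT_EXEMPT_LIST", "all chrooted except users named in chroot_list_file"),
        (False, True): ("CHROOT_ONLY_LIST", "only users named in chroot_list_file are chrooted"),
        (False, False): ("NO_CHROOT", "local users can browse the whole filesystem"),
    }
    out.append(chroot[yes(s["chroot_local_user"]), yes(s["chroot_list_enable"])])
    if not yes(s["userlist_enable"]):
        out.append(("USERLIST_OFF", "user_list ignored; only the PAM ftpusers file denies accounts"))
    elif yes(s["userlist_deny"]):
        out.append(("USERLIST_DENY", "accounts in user_list are rejected before the password prompt"))
    else:
        out.append(("USERLIST_ALLOW", "only accounts in user_list may log in (replace the stock deny list)"))
    return out


# Constructed: the permissive settings of sections 2 to 4, written as vsftpd
# requires them (no spaces around '=').
PERMISSIVE_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=070
local_enable=YES
write_enable=YES
local_umask=022
chown_uploads=YES
chown_username=tong
"""

# Constructed: a tightened equivalent that still accepts anonymous drops.
HARDENED_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_umask=077
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
"""

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE_CONF), ("hardened", HARDENED_CONF)):
        settings, errors = parse_conf(conf)
        print(name, "parse errors:", errors or "none")
        for tag, why in evaluate(settings):
            print(f"  {tag:20} {why}")
```

Point it at the live file with `parse_conf(open("/etc/vsftpd/vsftpd.conf").read())`. The parser starts from vsftpd's compiled-in defaults, so a directive that is missing from the file is evaluated the way the daemon would evaluate it, which is how an unintended NO_CHROOT or USERLIST_OFF shows up.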
9. Which IP addresses cannot log on to the ftp service
[root@centos2 ~]# vim /etc/hosts.deny   -- block the address through TCP wrappers
vsftpd: 119.97.184.208 : deny
This needs tcp_wrappers=YES in vsftpd.conf (the CentOS package is built with wrapper support and its sample config sets it). The daemon name is vsftpd, not vftpd; a misspelled name matches nothing and the entry is silently ignored. Entries in /etc/hosts.allow are evaluated first and win, and the ": deny" suffix is optional in hosts.deny. Verify the block by connecting from the listed address rather than trusting the file, since a wrapper rejection happens before any login attempt reaches the ftp log.
10. Use the firewall for packet filtering
[root@centos ~]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
This opens only the control connection. With a default DROP policy the data connections still fail: in active mode the server connects out from port 20, and in passive mode the client connects to a random high port. Either load the FTP connection-tracking helper (nf_conntrack_ftp, called ip_conntrack_ftp on older kernels) and accept RELATED,ESTABLISHED traffic so data connections are recognised, or pin the passive range in vsftpd.conf with pasv_min_port and pasv_max_port and open exactly that port range. Restrict the source with -s where the client population is known, and save the rules (service iptables save on CentOS) so they survive a reboot; -I without a position inserts the rule at the top, ahead of any earlier DROP rule.
11. Use the SELinux security context to control ftp directory permissions
[root@centos ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
[root@centos ~]# setsebool -P ftp_home_dir on   -- set the booleans your setup actually needs
With SELinux enforcing, local users cannot reach their home directories over ftp until ftp_home_dir is on; the login typically fails with "500 OOPS: cannot change directory". Anonymous uploads additionally need the allow_ftpd_anon_write boolean (named ftpd_anon_write in newer policies) and the upload directory labelled public_content_rw_t. The -P flag writes the change into the policy store so it survives a reboot; without it the boolean reverts at the next boot. Before loosening anything, read the AVC denials in /var/log/audit/audit.log and turn on only the boolean the denial names, rather than ftpd_disable_trans, which removes the confinement entirely.