More and more enterprises build their own file-sharing services on the open-source vsftpd software, because it is quick to deploy and cheap. User behavior inside an enterprise is not predictable, however, and a carelessly configured service becomes a liability: bandwidth is consumed by abuse and users' FTP passwords leak. This article walks through the security settings of vsftpd with worked examples.
1. Introduction to vsftpd
vsftpd (the "very secure FTP daemon") is a GPL-licensed FTP server for UNIX-like operating systems. It runs on Linux, BSD, Solaris, HP-UX and IRIX, and is the default FTP server shipped by many current Linux distributions. It supports a number of functions that traditional FTP servers lack. Its notable features are: 1) a security-oriented design; 2) bandwidth limiting; 3) good scalability; 4) virtual users; 5) IPv6; 6) virtual IP addresses; 7) high throughput and stability. Overall, vsftpd has succeeded Wu-ftpd as the widely used FTP server on Linux.
2. Quick installation of vsftpd
On mainstream Linux distributions such as Red Hat Enterprise Linux (RHEL), Fedora and CentOS, installing vsftpd is simple. CentOS is used for the demonstration here.
First, download the vsftpd package from an open-source mirror (the RHEL package is the same), for example:
# wget http://ftp.cica.es/CentOS/5/updates/i386/RPMS/vsftpd-2.0.5-16.el5_4.1.i386.rpm
The package shown is the CentOS 5 build of vsftpd 2.0.5; on a current system, the distribution's package manager (yum install vsftpd) fetches the maintained version directly and is the preferable route.
Then install the package with rpm:
# rpm -ivh vsftpd-2.0.5-16.el5_4.1.i386.rpm
Before starting vsftpd, make sure SELinux permits the FTP access you intend. On CentOS/RHEL this means enabling the relevant SELinux booleans (for example setsebool -P ftp_home_dir on, so that local users can reach their home directories) rather than disabling SELinux outright; otherwise logins or directory access fail even though the file permissions look right. Disabling SELinux entirely removes a layer of protection from the server and is the less secure option.
3. Fast configuration of vsftpd
Configuration begins with vsftpd's main configuration file, /etc/vsftpd.conf (the CentOS/RHEL package installs it as /etc/vsftpd/vsftpd.conf). The anonymous user's root directory defaults to /var/ftp/. Figure 1 shows vsftpd.conf as installed: anonymous access is allowed by default, which appears in the figure as anonymous_enable=YES.
Figure 1
Appending anon_upload_enable=YES and anon_mkdir_write_enable=YES to the end of the configuration file lets anonymous users upload files and create directories (both also require write_enable=YES, which governs all write commands), as shown in Figure 2. Note that vsftpd accepts only option=value with no whitespace around the equals sign; a line such as anon_upload_enable = YES is a syntax error that keeps the daemon from starting.
Figure 2
Next, change to /var/ftp and create a new directory named xiaowang to receive the anonymous uploads:
# cd /var/ftp
# mkdir /var/ftp/xiaowang
For the uploads to work, the new directory must be writable by the ftp system user that vsftpd uses for anonymous sessions (hand it to that user with chown), while /var/ftp itself must stay non-writable by that user: vsftpd refuses to run with a writable anonymous root.
Start the vsftpd service:
# service vsftpd start
The package also creates /var/ftp/pub at installation time.
To have vsftpd start at boot, run ntsysv in the console, mark vsftpd with an asterisk and confirm; chkconfig vsftpd on does the same from the command line.
4. Security settings worked through by example
(1) User access permission management
As shown above, getting vsftpd running is very simple, and so far it has essentially no security configuration. The following walks through the routine security management of vsftpd using concrete configuration examples.
A secure vsftpd server does not allow anonymous login at all, let alone anonymous upload or anonymous deletion of files on the server. Managing users securely takes the following steps.
1) Modify the default configuration file
Set anonymous_enable=NO in /etc/vsftpd.conf, as shown in Figure 3:
Figure 3
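The permissive configuration from section 3 beside the hardened one from this step, checked by a small audit script. This is an added shell example, not code from the article or from the vsftpd project; the configuration contents, the temporary file names and the function names (vsftpd_get, vsftpd_audit, vsftpd_harden) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit a vsftpd.conf for the
# anonymous-access settings discussed above, then produce the hardened
# version. All file contents below are constructed samples.

# Effective value of an option; the last assignment in the file is taken.
# Usage: vsftpd_get <conf> <option>
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Print one finding per line; return 1 if anything risky was found.
vsftpd_audit() {
    conf="$1"
    bad=0
    # vsftpd treats whitespace around '=' as a syntax error and refuses
    # to start, so catch it before restarting the service.
    if grep -v '^[[:space:]]*#' "$conf" | grep -qE '[[:space:]]=|=[[:space:]]'; then
        echo "malformed: whitespace around '=' in $conf"
        bad=1
    fi
    # The compiled-in default is anonymous_enable=YES, so an absent
    # option still means anonymous logins are accepted.
    anon=$(vsftpd_get "$conf" anonymous_enable)
    if [ "${anon:-YES}" = "YES" ]; then
        echo "risk: anonymous login accepted (anonymous_enable=${anon:-unset})"
        bad=1
        for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$conf" "$opt")" = "YES" ]; then
                echo "risk: anonymous write allowed via $opt=YES"
                bad=1
            fi
        done
    fi
    return $bad
}

# Write a copy of <in> to <out> with anonymous access disabled. The anon_*
# write options are inert once anonymous_enable=NO; they are dropped so
# nobody re-enables uploads later by flipping a single line.
vsftpd_harden() {
    grep -vE '^[[:space:]]*(anonymous_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=' "$1" > "$2" || :
    echo 'anonymous_enable=NO' >> "$2"
}

# Constructed sample: the permissive configuration from section 3.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
EOF

# Constructed sample: the same file after this step's change.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
EOF

echo "== weak config =="
vsftpd_audit "$WEAK_CONF" || echo "(audit failed, as expected)"
echo "== hardened config =="
vsftpd_audit "$HARD_CONF" && echo "no findings"
```

Run it against a copy of the real file (vsftpd_audit /etc/vsftpd/vsftpd.conf) before restarting the service; the malformed-line check matters because a typo with spaces around the equals sign stops vsftpd from starting at all, and the default-handling matters because deleting the anonymous_enable line does not turn anonymous access off.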
2) Use nologin so FTP accounts cannot log on to the Linux server
Most enterprise users of vsftpd know the default: vsftpd authenticates local system accounts. If this Linux system has an ordinary user named xiaowang, the xiaowang account can log on to vsftpd. That looks harmless at first, but consider what happens if the FTP credentials of xiaowang are stolen: the thief can also log on to the Linux server remotely over ssh with the same password and run commands there, which is a much larger risk than access to a file share. The system administrator should therefore give FTP users the nologin shell when creating them.
To add an account xiaowang that cannot log on locally, run:
# useradd -s /sbin/nologin xiaowang
Then set its password with passwd. The account can now only transfer files and cannot open a login session, locally or over ssh. Even if the credentials are lost, an attacker gains only the FTP service, not a shell on the Linux server. Two checks are worth making: /sbin/nologin must be listed in /etc/shells, because the PAM configuration that CentOS/RHEL ships for vsftpd includes pam_shells and refuses users whose shell is not listed there; and the account must not appear in /etc/vsftpd/ftpusers, the deny list that keeps root and the other system accounts off FTP. Bear in mind that plain FTP sends the password in cleartext on the network, so a nologin shell limits the damage of a leaked password but does not prevent the leak.
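An audit of the point made in this step: which local accounts would hand an attacker an ssh session if their FTP password leaked, and whether the nologin shell is acceptable to pam_shells. This is an added shell example, not code from the article or the vsftpd project; the passwd and shells contents, the temporary file names and the function names (is_nologin_shell, interactive_users, shells_allow_nologin) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: list local accounts whose FTP
# password would also open an ssh session, i.e. regular users that still
# have an interactive login shell, and check the pam_shells precondition.
# The passwd and shells files below are constructed samples.

# Shells that end a session immediately; constructed list, extend as needed.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false'

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Usage: interactive_users <passwd-file> [min-uid]
# Prints "name shell" for every account at or above min-uid (500 is the
# first regular UID on CentOS 5) whose shell is not a nologin shell.
interactive_users() {
    min_uid="${2:-500}"
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ "$uid" -ge "$min_uid" ] || continue
        if ! is_nologin_shell "$shell"; then
            echo "$name $shell"
        fi
    done < "$1"
}

# vsftpd's PAM stack on CentOS/RHEL includes pam_shells, which rejects any
# user whose shell is missing from /etc/shells. /sbin/nologin therefore
# has to be listed there, or FTP-only accounts cannot log in at all.
# Usage: shells_allow_nologin <shells-file>
shells_allow_nologin() {
    grep -qx '/sbin/nologin' "$1"
}

# Constructed sample passwd: xiaowang was created with -s /sbin/nologin,
# lisi was not.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
xiaowang:x:500:500::/home/xiaowang:/sbin/nologin
lisi:x:501:501::/home/lisi:/bin/bash
EOF

# Constructed sample /etc/shells.
SHELLS=$(mktemp)
printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$SHELLS"

echo "accounts whose FTP password would also work for ssh:"
interactive_users "$PASSWD"
shells_allow_nologin "$SHELLS" && echo "/sbin/nologin is listed in shells file"
```

On a real server run interactive_users /etc/passwd and shells_allow_nologin /etc/shells; every account the first call prints that only needs FTP is a candidate for usermod -s /sbin/nologin.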
Part (ii) of this series, "Instance profiling of vsftpd security settings in open-source systems (ii)", covers using chroot to confine users to their own directories and restricting users who hog bandwidth.