Security Settings of vsftpd servers in CentOS
When building a vsftpd server, service security is critical: check the logs for signs of intrusion, and harden the configuration so that the next attack fails. Below is the ftp security management I use; I hope it helps. Note that vsftpd reads its configuration as plain option=value lines, with no spaces around the = and no trailing comments, so the explanations below are written as # comment lines that can safely stay in vsftpd.conf.
1. Enable the log function of vsftpd, which is disabled by default.
xferlog_enable=YES
xferlog_file=/var/log/xferlog
2. Anonymous user permissions (anonymous uploads)
# enable anonymous users
anonymous_enable=YES
# allow anonymous users to upload files
anon_upload_enable=YES
# allow anonymous users to create directories
anon_mkdir_write_enable=YES
# allow anonymous users to rename and delete
anon_other_write_enable=YES
# anonymous uploads get mode 707 (777-070=707)
anon_umask=070
3. Local User Permissions
# allow local users to log on
local_enable=YES
# give local users write, delete and rename permission
write_enable=YES
# files uploaded by local users get mode 755 (777-022=755)
local_umask=022
4. Specify the owner of the uploaded file
# change the owner of uploaded files (this applies to anonymous uploads)
chown_uploads=YES
# uploaded files become owned by tong
chown_username=tong
5. Do not allow local users to switch to another directory (lock users in their ftp root directory)
# enable the chroot for local users, confining them to their home directory
chroot_local_user=YES
# file listing users, one per line (see item 6 for how the list is used)
chroot_list_file=/etc/vsftpd/chroot_list
6. Allow listed local users to switch directories freely
chroot_local_user=YES
chroot_list_enable=YES
# users listed in this file are exempt from the chroot and may switch directories freely
chroot_list_file=/etc/vsftpd/chroot_list
7. Prohibit local users from logging on to the ftp service
[root@centos2 ~]# ll /etc/vsftpd/
total 24
-rw-r--r--. 1 root    5 Jan  9 chroot_list
-rw-------. 1 root  125 Jan  9 ftpusers      -- a user written to this file cannot log on; the server still prompts for a password before refusing
-rw-------. 1 root  361 Jan  9 user_list     -- a user written to this file cannot log on; there is no password prompt, the login is rejected directly
-rw-------. 1 root 4649 Jan 12 18:00 vsftpd.conf
-rwxr--r--. 1 root  338 Feb 19  2013 vsftpd_conf_migrate.sh
[root@centos2 ~]#
8. Allow only listed local users to log on to the ftp service
[root@centos2 ~]# vim /etc/vsftpd/vsftpd.conf
userlist_deny=NO
-- add this line; it only takes effect together with userlist_enable=YES, which the CentOS default vsftpd.conf already sets
[root@centos2 ~]# ll /etc/vsftpd/
total 24
-rw-r--r--. 1 root    5 Jan  9 chroot_list
-rw-------. 1 root  125 Jan  9 ftpusers
-rw-------. 1 root  361 Jan  9 user_list     -- now only the users in this file can log on to the ftp service
-rw-------. 1 root 4666 Jan 12 18:13 vsftpd.conf
-rwxr--r--. 1 root  338 Feb 19  2013 vsftpd_conf_migrate.sh
[root@centos2 ~]#
9. Deny specific IP addresses from logging on to the ftp service
[root@centos2 ~]# vim /etc/hosts.deny
vsftpd: 119.97.184.208: deny
-- block this IP address from ftp; vsftpd consults hosts.deny only when tcp_wrappers=YES is set in vsftpd.conf
10. Use the firewall to enable packet filtering
[root@centos ~]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
-- this accepts the control connection on port 21; passive-mode data connections also need the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) loaded, or the pasv_min_port/pasv_max_port range opened as well
11. Use SELinux (booleans) to control ftp directory permissions
[root@centos ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
[root@centos ~]# setsebool ftp_home_dir on
-- set the booleans that match your actual setup (ftp_home_dir lets local users reach their home directories); add -P to make the change persist across reboots
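As an added example (not from the original post), the Python script below reads a vsftpd.conf the way vsftpd does, applying the man-page defaults for missing directives and rejecting lines with whitespace around the = or a trailing comment, and then reports which of items 1 to 9 above are not satisfied. The two sample configurations are constructed for the demonstration.

```python
# Added example, not from the post: audit a vsftpd.conf against items 1 to 9.
# Compiled-in defaults from vsftpd.conf(5), used when a directive is absent.
DEFAULTS = {
    "xferlog_enable": "NO", "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
    "local_enable": "NO", "write_enable": "NO", "chroot_local_user": "NO",
    "chroot_list_enable": "NO", "userlist_enable": "NO", "userlist_deny": "YES",
    "tcp_wrappers": "NO",
}

def parse_vsftpd_conf(text):
    """Return (settings, errors). vsftpd accepts only option=value with no
    whitespace around '=' and no trailing comment; such lines are reported
    because vsftpd refuses to start on them."""
    conf, errors = dict(DEFAULTS), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep or key != key.strip() or val != val.strip() or " " in val:
            errors.append(f"line {n}: vsftpd would reject {line!r}")
            continue
        conf[key] = val
    return conf, errors

def audit(conf):
    """List weak or inconsistent settings, keyed to the numbered items above."""
    yes = lambda k: conf.get(k, "NO") == "YES"
    findings = []
    if not yes("xferlog_enable"):
        findings.append("item 1: xferlog_enable=NO, transfers are not logged")
    if yes("anonymous_enable") and any(yes(k) for k in (
            "anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")):
        findings.append("item 2: anonymous users have write access")
    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("item 5: local users are not chrooted")
    if yes("chroot_local_user") and yes("chroot_list_enable"):
        findings.append("item 6: users in chroot_list_file are exempt from the chroot")
    if conf["userlist_deny"] == "NO" and not yes("userlist_enable"):
        findings.append("item 8: userlist_deny=NO needs userlist_enable=YES to take effect")
    if not yes("tcp_wrappers"):
        findings.append("item 9: tcp_wrappers=NO, /etc/hosts.deny is ignored")
    return findings

# Constructed sample: anonymous writes allowed and none of the hardening applied.
WEAK_CONF = "anonymous_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
# Constructed sample: the settings recommended above, plus one line vsftpd would reject.
HARD_CONF = ("xferlog_enable=YES\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
             "chroot_local_user=YES\nuserlist_enable=YES\nuserlist_deny=NO\ntcp_wrappers=YES\n"
             "local_umask = 022\n")
```

To check a live server, pass the contents of /etc/vsftpd/vsftpd.conf to parse_vsftpd_conf and feed the settings to audit; a non-empty errors list means vsftpd itself would refuse that file.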