Operating system: Ubuntu (GNU/Linux)
To set up an FTP server on the machine we need to install FTP server software. The representative FTP servers under Linux are wu-ftpd, ProFTPD and vsftpd.
Wu-ftp (Washington University FTP) was developed by the University of Washington, USA. It is powerful, but its configuration is more complicated. Because it was developed very early and is very widely deployed, it has also become a main target for attackers.
ProFTPD was developed to address the weaknesses of wu-ftpd: it improves on security, provides some of wu-ftpd's features, and greatly simplifies the task of setting up and managing an FTP server.
vsftpd performs well in three respects: security, performance and stability. Its main features include virtual IP settings, virtual users, standalone mode (a daemon that can be started on its own), inetd mode (managed by a super daemon), powerful per-user configuration, and bandwidth throttling. Next we focus on how to set up vsftpd on Ubuntu.
Installation of vsftpd:
On Ubuntu vsftpd can be installed directly via apt: sudo apt-get install vsftpd
After installation, check whether the vsftpd process has started, either by looking at the process list or at the listening port:
ps -eaf | grep vsftpd    (shows the running vsftpd process)
netstat -tnl | grep :21    (shows the listening socket on port 21)
Configuration files for vsftpd:
In Ubuntu, vsftpd's main files are distributed as follows:
/etc/vsftpd.conf    configuration file of the vsftpd server
/usr/sbin/vsftpd    program file of the vsftpd server
/etc/pam.d/vsftpd    PAM interface configuration file of the vsftpd server
/var/ftp    working directory of the vsftpd server's anonymous user
To configure the vsftpd server:
The vsftpd server configuration file and the meaning of its parameters (option names are lowercase and case-sensitive; boolean values are YES or NO):
/etc/vsftpd.conf
listen=YES
listen_ipv6=YES # listen=YES and listen_ipv6=YES both mean standalone mode (a daemon started on its own); the first listens on IPv4, the second on IPv6, but both cannot be set to YES in the same configuration file
anonymous_enable=YES # anonymous users are allowed to log on to the FTP server
anon_world_readable_only=NO # as long as the FTP user has read permission in the operating system, the file can be downloaded
anon_root=/var/ftp/anonymous # anonymous users log in to the /var/ftp/anonymous directory and can download the files in it
anon_upload_enable=YES # anonymous users can upload files
anon_mkdir_write_enable=YES # anonymous users can create directories on the server
anon_other_write_enable=YES # anonymous users can rename, delete and otherwise write on the server
local_enable=YES # local user accounts are allowed to log on
local_umask=022 # umask for files a local user creates: 022 gives the creator full permissions and everyone else (group and others) only read and execute; 077 gives the creator full permissions and everyone else none
write_enable=YES # the server accepts the FTP control commands that write to the server
dirmessage_enable=YES # users are shown a message the first time they enter a new directory
use_localtime=YES # the server shows times in the local time zone; by default it shows GMT
xferlog_enable=YES # enable transfer logging
xferlog_std_format=YES # log in the standard xferlog format
xferlog_file=/var/log/vsftpd.log # path of the log file
connect_from_port_20=YES # use port 20 as the source port when the server opens a data connection
pam_service_name=vsftpd # name of the PAM service configuration file in /etc/pam.d
chown_uploads=YES # these two options are a pair: files uploaded by anonymous users have their owner changed to the user named in chown_username (here "whoever"); this is done for security
chown_username=whoever # once the owner of an uploaded file has become another user, anonymous users can no longer delete it or even read it, which is useful when, for example, assignments are handed in over FTP
idle_session_timeout=600 # timeout of the control connection, 600 seconds
data_connection_timeout=120 # timeout of the data connection, 120 seconds
nopriv_user=ftpsecure # the unprivileged identity that the vsftpd process runs as when it does not need privileges is ftpsecure
async_abor_enable=NO # whether vsftpd supports the asynchronous ABOR FTP command; enabling it has security implications, so the default NO is generally kept
ascii_upload_enable=YES
ascii_download_enable=YES # whether ASCII mode is really used when uploading and downloading files. Some FTP servers are prone to DoS attacks in their ASCII transfer mode. To avoid this, vsftpd can pretend to the client that ASCII mode is allowed while actually transferring in binary mode; that is achieved by setting both values to NO
ftpd_banner=welcome to stone FTP service. # the text shown when a user logs in. When this option is absent the name and version of the vsftpd server are shown instead, which is a security issue because it tells an attacker exactly which version is running, so the banner is set to hide that information
deny_email_enable=YES # if an anonymous user enters an e-mail address listed in the banned file as the login password, the login is rejected; the main purpose is to stop some automatic login tools
banned_email_file=/etc/vsftpd.banned_emails # the file listing the banned e-mail passwords
chroot_list_enable=YES # these two options define a list of users, kept in the file /etc/vsftpd/chroot_list
chroot_list_file=/etc/vsftpd/chroot_list # after the listed users log on to the FTP server, the root directory they see is their own home directory: although in the real file system their home directory has parent directories, they cannot change into those parent directories
chroot_local_user=YES # when chroot_local_user is set to YES the meaning of the list is reversed: every local user is confined to their home directory, and the users in the list are the exceptions that are not restricted and can change to other directories
ls_recurse_enable=YES # the client may add the -R parameter to the ls command; -R lists the contents of the whole directory tree, which costs processing time and becomes a real problem when a malicious user does it repeatedly
anon_max_rate=0 # maximum transfer rate for anonymous clients, in bytes/s; 0 means unlimited
local_max_rate=0 # the same limit for local users
max_clients=0 # maximum number of client connections vsftpd accepts; 0 means unlimited
max_per_ip=5 # maximum number of connections per client host; users may open many connections to speed up downloads, which affects other users' normal use
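As an added example (not code from the original page), the shell script below reads a vsftpd.conf and reports the settings the comments above single out as risky: anonymous write access, an unset ftpd_banner, local users that are not chrooted, real ASCII transfers, and an unlimited max_per_ip. It also flags option names that are not lowercase, because vsftpd compares option names case-sensitively. The function names and the sample configuration it writes are constructed for the demonstration; the option names are vsftpd's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf for the risky
# settings discussed above. Only option names that vsftpd actually uses appear here.

# Value of option $1 in file $conf (last occurrence); empty if the option is unset.
conf_get() {
    grep -E "^[[:space:]]*$1=" "$conf" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Print one "WARN ..." line per finding. Always returns 0 so it can be piped.
audit_vsftpd_conf() {
    conf="$1"
    # vsftpd compares option names case-sensitively, so "Anonymous_enable" is not
    # the same option as "anonymous_enable" (a common copy-and-paste mistake).
    grep -E '^[[:space:]]*[A-Za-z0-9_]*[A-Z][A-Za-z0-9_]*=' "$conf" \
        | cut -d= -f1 | sed 's/^[[:space:]]*/WARN option name is not lowercase: /'
    if [ "$(conf_get anonymous_enable)" = "YES" ]; then
        for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_get "$opt")" = "YES" ]; then
                echo "WARN anonymous users may write: $opt=YES"
            fi
        done
        if [ "$(conf_get anon_max_rate)" = "0" ]; then
            echo "WARN anon_max_rate=0: no bandwidth limit for anonymous users"
        fi
    fi
    if [ -z "$(conf_get ftpd_banner)" ]; then
        echo "WARN ftpd_banner unset: server name and version are shown at login"
    fi
    if [ "$(conf_get chroot_local_user)" != "YES" ]; then
        echo "WARN chroot_local_user is not YES: local users can leave their home directory"
    fi
    for opt in ascii_upload_enable ascii_download_enable; do
        if [ "$(conf_get "$opt")" = "YES" ]; then
            echo "WARN $opt=YES: real ASCII-mode transfers are enabled"
        fi
    done
    if [ "$(conf_get max_per_ip)" = "0" ]; then
        echo "WARN max_per_ip=0: a single host may open unlimited connections"
    fi
    return 0
}

# Number of warnings for file $1.
audit_count() {
    audit_vsftpd_conf "$1" | grep -c '^WARN'
}

# Constructed sample config containing several of the mistakes above.
write_sample_conf() {
    cat > "$1" <<'EOF'
listen=YES
Anonymous_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_max_rate=0
local_enable=YES
chroot_local_user=NO
ascii_upload_enable=YES
ascii_download_enable=NO
max_per_ip=5
EOF
}

# Demo: audit the sample file (produces 7 warnings), then remove it.
sample=$(mktemp)
write_sample_conf "$sample"
audit_vsftpd_conf "$sample"
rm -f "$sample"
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd.conf after editing; a silent run means none of the listed problems were found, not that the configuration is otherwise safe.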
Anonymous user configuration:
Configure anonymous users so that:
1 the FTP server supports anonymous login (account: anonymous, password: anything)
2 files can be downloaded as long as the FTP user (the operating system user) has read access to them in the operating system
3 when an anonymous user logs in, they land in the /var/ftp/anonymous directory and can download the files in it
4 files can be uploaded to the /var/ftp/anonymous/upload directory, but files in that directory cannot be downloaded or deleted
Use vim to modify vsftpd.conf:
anonymous_enable=YES
anon_world_readable_only=NO
anon_root=/var/ftp/anonymous
anon_upload_enable=YES
chown_uploads=YES
Create a new directory anonymous under /var/ftp, owned by root, and a new directory upload under /var/ftp/anonymous, owned by ftp.
Restart the vsftpd process:
sudo killall -HUP vsftpd
Testing anonymous users:
Log on to the local FTP server (127.0.0.1) as an anonymous user.
Test complete.
Configuration of a virtual host:
What is a virtual host? A vsftpd virtual host means running multiple vsftpd services on a single host; each vsftpd service can be configured differently, so to the user it feels as if these vsftpd services were running on different hosts. vsftpd virtual hosts are based on IP addresses. Since they are based on IP addresses, you may ask: I have only one network adapter, how do I configure a virtual host?
In that case we can use a Linux logical (alias) network interface to provide the additional IP address.
Example of a virtual host configuration:
1 Add the logical interface. My current IP address is 192.168.1.100; add a logical interface with the IP address 192.168.1.101
sudo ifconfig eth0:1 192.168.1.101 netmask 255.255.255.0 up
2 Stop the vsftpd service
sudo killall vsftpd
3 Modify the vsftpd.conf configuration and add the following line
listen_address=192.168.1.100
4 Restart the vsftpd service; the & runs it in the background
sudo /usr/sbin/vsftpd /etc/vsftpd.conf &
5 For the second vsftpd server, create the local account and home directory that its anonymous user maps to. The -d parameter specifies the home directory, which still has to be created; -s specifies the login shell, and /sbin/nologin is a shell that does not permit logging in
sudo useradd -d /var/ftp/myftp -s /sbin/nologin myftp
6 Create the /var/ftp/myftp directory and make root its owner (the default), so that the myftp user has no write permission to it
sudo mkdir /var/ftp/myftp
sudo chown root /var/ftp/myftp
7 Copy vsftpd.conf to the /etc directory under the name myvsftpd.conf
sudo cp /etc/vsftpd.conf /etc/myvsftpd.conf
8 Modify myvsftpd.conf
ftpd_banner=welcome to my virtual FTP server
ftp_username=myftp
listen=YES
listen_address=192.168.1.101
9 Start the second vsftpd
sudo /usr/sbin/vsftpd /etc/myvsftpd.conf &
To test the virtual host:
Log in to 192.168.1.100 and to 192.168.1.101
Test complete.
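The following added example (not part of the original page) automates steps 3 to 8: it derives the second instance's configuration from the first one and checks that the two instances do not bind the same address, which is the usual reason the second instance fails to start. The function names are constructed here; the addresses, banner and user name are the page's sample values, passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: derive the configuration of the
# second, IP-bound vsftpd instance from the first one and check that the two
# instances listen on different addresses.

# Write $2 from $1 with listen, listen_address, ftpd_banner and ftp_username
# replaced. listen_ipv6 is dropped too, since listen=YES and listen_ipv6=YES
# cannot both be set in one file.
make_vhost_conf() {
    base="$1"; out="$2"; addr="$3"; banner="$4"; user="$5"
    grep -Ev '^(listen|listen_ipv6|listen_address|ftpd_banner|ftp_username)=' "$base" > "$out" || true
    {
        echo "listen=YES"
        echo "listen_address=$addr"
        echo "ftpd_banner=$banner"
        echo "ftp_username=$user"
    } >> "$out"
}

# Address an instance binds to; empty means every address on the host.
listen_address_of() {
    grep '^listen_address=' "$1" | tail -n 1 | cut -d= -f2-
}

# Two standalone instances must listen on different addresses, otherwise the
# second one cannot bind port 21. An instance without listen_address listens
# on all addresses, so that case is treated as a conflict as well.
vhosts_distinct() {
    a=$(listen_address_of "$1"); b=$(listen_address_of "$2")
    if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
        return 1
    fi
    return 0
}

# Demo with a constructed base config in a temporary directory.
work=$(mktemp -d)
printf 'listen=YES\nlisten_address=192.168.1.100\nanonymous_enable=YES\nftpd_banner=welcome to stone FTP service.\n' > "$work/vsftpd.conf"
make_vhost_conf "$work/vsftpd.conf" "$work/myvsftpd.conf" 192.168.1.101 "welcome to my virtual FTP server" myftp
cat "$work/myvsftpd.conf"
vhosts_distinct "$work/vsftpd.conf" "$work/myvsftpd.conf" && echo "instances bind distinct addresses"
rm -rf "$work"
```

On the real server the call is make_vhost_conf /etc/vsftpd.conf /etc/myvsftpd.conf 192.168.1.101 "welcome to my virtual FTP server" myftp, followed by the start command from step 9.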
Configuration of virtual users:
There are three types of user in vsftpd: the anonymous user, local users, and the virtual users introduced next. A virtual user cannot log on to the operating system but can log on to the FTP server. When there are many virtual users you do not need to create a non-login operating system account for each of them; one is enough. There is also a more powerful usage: we can create a configuration file for each virtual account that gives it its own permissions and directory, which makes managing FTP users very convenient.
1 Create a new file user.txt with the following content, which defines two virtual users: xuni1 (password pass1) and xuni2 (password pass2). User names and passwords alternate, one per line:
xuni1
pass1
xuni2
pass2
2 Next we need to build the virtual account database. First install the Berkeley DB utilities
sudo apt-get install db4.8-util
Create the new directory /etc/vsftpd
sudo mkdir /etc/vsftpd
Load the user list into a database file in the directory just created
sudo db4.8_load -T -t hash -f /home/stone/user.txt /etc/vsftpd/vsftpd_login.db
Set the permissions of the database file to 600, since no other user needs to read it
sudo chmod 600 /etc/vsftpd/vsftpd_login.db
3 Create a new file /etc/pam.d/vsftpd_login with the following content (pam_userdb appends .db to the db= path itself, so the extension is omitted)
auth    required /lib/i386-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/i386-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
Every PAM-enabled program has a configuration file that connects it to PAM, stored in the /etc/pam.d directory. The name of vsftpd's PAM configuration file is given by the pam_service_name option in vsftpd.conf, which defaults to pam_service_name=vsftpd, so when a local user is authenticated it is done according to the contents of /etc/pam.d/vsftpd.
4 Create the operating system account that all FTP virtual users will use, then create its working directory and set that directory's permissions and owner (it seems useradd can be made to create the directory automatically)
sudo useradd -d /home/ftpsite -s /sbin/nologin ftp_virt
sudo mkdir /home/ftpsite
sudo chown ftp_virt /home/ftpsite
sudo chgrp ftp_virt /home/ftpsite
sudo chmod 700 /home/ftpsite
5 Add the configuration for virtual accounts to vsftpd.conf
guest_enable=YES
guest_username=ftp_virt
pam_service_name=vsftpd_login
The last item conflicts with the original default value, so comment out the original line. After restarting vsftpd you will find that local users can no longer log in to vsftpd.
6 Set the permissions of the virtual users. By adding the following line we tell vsftpd to look for per-user configuration files in /etc/vsftpd
user_config_dir=/etc/vsftpd
The effect of this is that when we log in to vsftpd as a virtual user, the server looks in the /etc/vsftpd directory for a configuration file with the same name as the virtual user and uses it to determine properties such as that user's permissions. This makes managing FTP virtual users easy.
7 Configuring the virtual user profiles
Under /etc/vsftpd, create a new file xuni1 with the following content
local_root=/home/ftpsite
Create a new file xuni2 with the following content
local_root=/home/ftpsite
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=YES
write_enable=YES
8 Then restart vsftpd
Stop it first
sudo killall vsftpd
Start
sudo /usr/sbin/vsftpd /etc/vsftpd.conf &
Test
The specific permissions and directory configuration of virtual users can be set up in various ways and are not described further here.
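As an added example (not part of the original page), the script below carries out steps 1 to 7 of the virtual-user setup in one go: it validates user.txt, writes the PAM file, builds the database if db_load is available, and writes one per-user configuration file for each virtual user. It assumes the unversioned db_load name that current Berkeley DB packages install (the page uses db4.8_load), references pam_userdb.so by name so that PAM finds it in its own module directory instead of the page's /lib/i386-linux-gnu/security path, and stages everything under a directory of your choice so it can be reviewed before being copied to /etc. The function names and the sample user list are constructed here; the vsftpd options are the ones from steps 5 to 7.

```shell
#!/bin/sh
# Added example, not from the original page: stage the files of the virtual-user
# setup into a directory tree, validating the user list first. Paths under $stage
# mirror /etc/vsftpd and /etc/pam.d; on a real server run as root with stage=/
# or copy the staged files into place.

# user.txt alternates user and password lines. An odd line count or an empty
# line would make db_load pair names and passwords wrongly, so reject both.
check_user_list() {
    list="$1"
    n=$(grep -c '' "$list")
    if [ $((n % 2)) -ne 0 ]; then
        echo "ERROR odd number of lines in $list" >&2; return 1
    fi
    if grep -q '^[[:space:]]*$' "$list"; then
        echo "ERROR empty user or password line in $list" >&2; return 1
    fi
    return 0
}

# PAM stack for the virtual users. pam_userdb appends .db to the db= path.
write_pam_file() {
    cat > "$1" <<EOF
auth    required pam_userdb.so db=$2
account required pam_userdb.so db=$2
EOF
}

# Per-user config file $2 in user_config_dir $1. Mode "ro" allows download only
# (like xuni1 above); "rw" adds upload, mkdir and rename/delete (like xuni2).
write_user_config() {
    {
        echo "local_root=$4"
        if [ "$3" = "rw" ]; then
            echo "anon_world_readable_only=YES"
            echo "write_enable=YES"
            echo "anon_upload_enable=YES"
            echo "anon_mkdir_write_enable=YES"
            echo "anon_other_write_enable=YES"
        fi
    } > "$1/$2"
}

# Stage everything under $1 from user list $2; $3 names the users that get "rw".
# Prints the number of per-user config files written.
stage_virtual_users() {
    stage="$1"; list="$2"; rw_users="$3"
    check_user_list "$list" || return 1
    mkdir -p "$stage/etc/vsftpd" "$stage/etc/pam.d"
    write_pam_file "$stage/etc/pam.d/vsftpd_login" /etc/vsftpd/vsftpd_login
    # db_load comes from the Berkeley DB utilities; the step is skipped when it
    # is not installed so that the rest of the staging still works.
    if command -v db_load >/dev/null 2>&1; then
        if db_load -T -t hash -f "$list" "$stage/etc/vsftpd/vsftpd_login.db"; then
            chmod 600 "$stage/etc/vsftpd/vsftpd_login.db"
        fi
    fi
    count=0
    while read -r name; do
        read -r _password || break
        case " $rw_users " in
            *" $name "*) mode=rw ;;
            *)           mode=ro ;;
        esac
        write_user_config "$stage/etc/vsftpd" "$name" "$mode" /home/ftpsite
        count=$((count + 1))
    done < "$list"
    echo "$count"
}

# Constructed sample list with the page's two users.
write_sample_user_list() {
    printf 'xuni1\npass1\nxuni2\npass2\n' > "$1"
}

# Demo in a temporary directory.
work=$(mktemp -d)
write_sample_user_list "$work/user.txt"
echo "staged $(stage_virtual_users "$work" "$work/user.txt" xuni2) user configs under $work"
cat "$work/etc/vsftpd/xuni2"
rm -rf "$work"
```

Keep user.txt itself out of reach of other users (it holds the passwords in clear) and delete it once the database has been built; the 600 mode on the .db file only protects the copy vsftpd reads.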
Continue editing ...
Ubuntu server vsftpd: anonymous user upload, download and directory settings
1: vsftpd server installation
sudo apt-get install vsftpd    # install
cd /srv/    # change to the default anonymous user ftp directory
Running ls -l we can see that the default ftp directory is the home directory of the ftp user account, and this directory is the root directory for anonymous users.
Whatever you do to the ftp directory itself (change its owner, change its permissions), you cannot upload into the ftp root directory: either anonymous users cannot connect at all, or they cannot upload. After fiddling with it for a few days, I finally understood!
For the ftp directory as the anonymous root, vsftpd has special handling:
vsftpd has two special requirements for this ftp root directory: its owner must be root, and its permissions must not grant write access to others.
This means that for other people, that is anonymous users, the ftp directory as root directory is read-only: no uploads and no changes.
1. The anonymous user is ftp; for anonymous users to write, the folder permissions must make it writable for ftp.
2. The anonymous root directory may not be writable, so its permissions must make it neither writable by ftp nor writable by other users; if the owner of the root is ftp, the owner permissions must not include write.
So the workaround is to create a separate public folder for uploads and make it ftp-writable or "other user writable".
You can also create a download folder for downloads only and give other users no write permission to it.
So if we want anonymous users to upload, download and create new directories,
we create a new directory inside the ftp directory, set its permissions to 777, and add the matching configuration to vsftpd.conf.
Two: Configure anonymous user upload and download
1: First create the directory that anonymous users will publish files into
cd /srv/ftp/    # change to the anonymous root directory
sudo mkdir pub    # create the pub directory as the anonymous user's upload directory
sudo chown ftp:ftp pub    # change the owner and group of the pub directory to ftp
sudo chmod -R 777 pub    # give everyone read, write and execute permission on pub
Once configured, view the result with ls -l
2: Modify the vsftpd.conf configuration file
sudo vim /etc/vsftpd.conf
Open it with vim and change the following
Set these few options
anonymous_enable=YES    # allow anonymous users
write_enable=YES    # allow write commands
anon_upload_enable=YES    # allow anonymous uploads
anon_mkdir_write_enable=YES    # allow anonymous users to create directories
After configuring: save and exit
Restart the vsftpd service
sudo restart vsftpd
3: Test anonymous user access, upload, and creating a directory
# open a terminal and connect to the ftp server
ftp 192.168.8.35    # press Enter
anonymous    # enter the user name; the anonymous user
# a password is required: just press Enter
# "Using binary mode to transfer files" appears, which indicates a successful connection
ls    # view the remote server directory
cd pub    # change to the remote directory pub
ls    # view the remote directory
get hi.txt    # download a remote file to the local machine
put mac0.txt    # upload a local file to the remote server
Testing like this;
To test creating a new directory, use it directly:
mkdir test
You can also enter ftp://192.168.8.35 in a browser to open the FTP server directory and test viewing, downloading and other operations.
Note: issues with permissions
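The two requirements explained above (a root-owned, non-writable anonymous root, and a separate writable upload directory) are the same ones behind the upload directory in the earlier anonymous-user section. As an added example that is not code from the original page, the script below creates that layout and checks it, so the permission problem the author spent days on can be caught with one command. It assumes GNU stat (Linux) and the ftp account name ftp; on a real server the base directory is /srv/ftp (or /var/ftp) and the checks run as root, while the demo uses a temporary directory and the current user.

```shell
#!/bin/sh
# Added example, not from the original page: check the anonymous FTP directory
# layout that vsftpd requires. Assumes GNU stat.

perm_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 755 or 1777
owner_of() { stat -c '%U' "$1"; }   # owner name

# Anonymous root ($1): owned by $2 (root on a real server) and not writable by
# group or others; vsftpd refuses anonymous logins from a writable root.
check_anon_root() {
    p=$(perm_of "$1")
    want="${2:-root}"
    if [ "$(owner_of "$1")" != "$want" ]; then
        echo "FAIL $1 must be owned by $want"; return 1
    fi
    g=$(( (0$p / 8) % 8 )); o=$(( 0$p % 8 ))    # group and other permission digits
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "FAIL $1 is group/world writable ($p)"; return 1
    fi
    echo "OK $1 mode $p owned by $want"
}

# Upload directory ($1): writable for the anonymous account $2, either because
# $2 owns it with write permission or because it is world writable (777 above).
check_upload_dir() {
    p=$(perm_of "$1")
    u=$(( (0$p / 64) % 8 )); o=$(( 0$p % 8 ))
    if [ "$(owner_of "$1")" = "$2" ] && [ $((u & 2)) -ne 0 ]; then
        echo "OK $1 writable by its owner $2"; return 0
    fi
    if [ $((o & 2)) -ne 0 ]; then
        echo "OK $1 world writable ($p)"; return 0
    fi
    echo "FAIL $1 is not writable for $2"; return 1
}

# Create the layout under $1: read-only root plus writable pub directory.
# chown only works as root, so it is skipped otherwise.
make_anon_layout() {
    base="$1"
    mkdir -p "$base/pub"
    chmod 755 "$base"
    chmod 777 "$base/pub"
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$base"
        chown ftp:ftp "$base/pub" 2>/dev/null || true
    fi
}

# Demo on a temporary tree, then clean up.
demo=$(mktemp -d)
make_anon_layout "$demo"
check_anon_root "$demo" "$(id -un)"
check_upload_dir "$demo/pub" "$(id -un)"
rm -rf "$demo"
```

On the server the calls are check_anon_root /srv/ftp and check_upload_dir /srv/ftp/pub ftp. A 777 upload directory lets any anonymous client read, overwrite and delete every other client's uploads; pairing it with chown_uploads and chown_username from the configuration section, or using mode 733 on the directory, keeps uploads from being listed or downloaded again.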