I. How FTP works
In an FTP session there are two independent network connections: the control connection and the data connection. Normally the FTP server listens on port 21 and waits for a request to establish a control connection. Once the control connection is established, files can be transferred; the connection used for that is the FTP data connection, over which the actual data transmission takes place. There are three data transmission modes: active mode (PORT), passive mode (PASV), and single-port mode.
Active transmission mode: once the control connection is established and the client requests a directory listing or a file transfer, the client issues the PORT command to negotiate with the server, and the FTP server uses port 20 as its data connection port to establish the data connection to the client. Port 20 serves only as the source port of the server's side of the connection; no process listens on it. In active mode the FTP server connects from port 20 to a temporary port on the client and transmits the data; the client only accepts the connection.
Passive transmission mode: once the control connection is established and the client requests a directory listing or a file transfer, the client sends the PASV command to put the server into passive mode, and the FTP server waits for the client to contact it. The server listens for the client's request on a data port other than port 20. When an FTP client accesses an FTP server from behind a firewall, it must use passive mode. That is, the FTP server opens a temporary port and waits for the client to connect to it and transmit data; the server does not initiate the data connection but receives it passively.
Single-port mode: in this mode the client uses the same port for the control connection and the data connection. This mode is rarely used, because commands and data cannot be transmitted continuously over one connection within a short time.
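To make the two common modes concrete, here is an added Python example (not code from the article): it decodes the server's PASV reply into the host and temporary port the client must connect to, and builds the PORT command that tells the server which client port to connect to from port 20. The 227 reply text and the addresses are constructed; the check that the PASV host matches the control connection's peer is a client-side precaution that the text above does not mention.

```python
import re

# A 227 reply carries the server's temporary listening socket as
# h1,h2,h3,h4,p1,p2, with the port split as p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str, control_peer: str) -> tuple[str, int]:
    """Decode a PASV reply into (host, port) for the client to connect to.

    Precaution (added here): the advertised host must be the address the
    control connection is talking to; a reply pointing the client at an
    unrelated host is rejected instead of followed.
    """
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in PASV reply")
    host = f"{h1}.{h2}.{h3}.{h4}"
    if host != control_peer:
        raise ValueError(f"PASV host {host} != control peer {control_peer}")
    return host, p1 * 256 + p2


def build_port_command(host: str, port: int) -> str:
    """Encode the client's temporary socket for active mode.

    The server connects to it from its port 20; the client only accepts.
    """
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {host!r}")
    if not 1024 <= port <= 65535:
        raise ValueError("client data port must be an ephemeral port")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"
```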
II. Main FTP software on Linux servers: Wu-ftpd, Vsftpd, ProFTPD
I will not go into details about the software here.
III. Configure the vsftpd server
vsftpd configuration files
/usr/sbin/vsftpd              main program of vsftpd
/etc/rc.d/init.d/vsftpd       startup script
/etc/vsftpd.conf              main configuration file
/etc/pam.d/vsftpd             PAM authentication file
/etc/vsftpd.ftpusers          list of users denied vsftpd login
/etc/vsftpd.user_list         list of users denied or allowed vsftpd login
/var/ftp                      anonymous user home directory
/var/ftp/pub                  anonymous user download directory
/etc/logrotate.d/vsftpd.log   log rotation file for the vsftpd log
1. Quickly build a vsftpd server
1.1: Install the software package
1.2: Start the vsftpd server
1.3: Create the file test1 in the /var/ftp/pub directory
# touch /var/ftp/pub/test1
1.4: Test from the client with the LeapFTP software
At this point a simple vsftpd server is running. It is an anonymous FTP server that only serves downloads, because Red Hat ships a preconfigured default FTP server; that default, however, does not meet most requirements in practice.
2. Disable anonymous FTP login
2.1: Modify the main configuration file /etc/vsftpd.conf
Change the YES on line 12 to NO, save and exit, then restart the service.
3. Lock users into their login directory
3.1: By default a user who logs on to FTP can browse other directories besides his own home directory. Here the user is locked into his home directory.
3.2: Modify the main configuration file
Enable lines 117 and 118: the first turns on the user directory locking function, the second names the list file of users to lock.
3.3: Restart the service and add user us1 to the list file.
# service vsftpd restart
# echo us1 > /etc/vsftpd/chroot_list
3.4: Verify the effect
We can see that us1 can now only access his home directory.
4. Change the user's default logon directory
4.1: Change the user's access directory to /tmp
By default, every user who logs on to FTP lands in his own home directory.
4.2: Create the file test2 under /tmp
# touch /tmp/test2
4.3: Modify the main configuration file by adding the following as its last line:
local_root=/tmp
4.4: Restart the service and verify the effect
The logon directory of us1 has changed to /tmp.
5. Configure a user's personal configuration file
In the main configuration file every parameter applies to all users. For example, local_max_rate=value limits a user's maximum data transfer rate; defined in the main configuration file, it limits every user to the same speed. If you want to raise the maximum transfer rate for particular users, you need per-user personal configuration files.
5.1: First define the directory for personal configuration files by adding a line to the main configuration file:
user_config_dir=/etc/vsftpd/userconf
5.2: Create this directory
# mkdir /etc/vsftpd/userconf
5.3: In this directory, create a file with the same name as the user, for example the personal configuration file for us1:
# touch /etc/vsftpd/userconf/us1
5.4: Edit the newly created file us1 to define personal configuration parameters for us1 (valid only for us1). For example, to set the maximum data transfer rate of us1, add the line:
local_max_rate=100000
The unit is bytes per second.
6. Only specific users may log on to FTP
6.1: Modify the main configuration file and add the following three lines:
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
The third line names the user list file. The second line, set to YES, activates the option: a user in the list is refused before being asked for a password, so that user cannot log on. The first line set to NO, however, means that the users in the list file are allowed to log on; its default value is YES, which forbids the users in the file to log on. Therefore, when the second and third lines are enabled, you must set the first line to NO, otherwise the users in the list are forbidden to log on.
6.2: Add the users allowed to log on to the list file.
# echo us2 > /etc/vsftpd.user_list
6.3: Restart the service. The FTP server now allows only us2 to log on.
7. Set user operation permissions
write_enable=YES/NO
Whether users have write permission.
anon_umask=
Sets the umask applied to files newly created by anonymous users. The default value is 077.
local_umask=
Sets the umask applied to files created by local users. The default value is 077.
file_open_mode=
Sets the permission mode for uploaded files. The default value is 0666. If uploaded files need execute permission, change it to 0777.
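As an added example (not code from the article or from vsftpd itself), the following Python evaluates the settings of sections 5, 6 and 7 against a constructed configuration: it layers a per-user file over the main file, applies the userlist_enable/userlist_deny rule from section 6, and computes the mode an uploaded file ends up with from file_open_mode and the umask. The option names are vsftpd's own; the values, the user names us1/us2 and the list contents are constructed.

```python
# Constructed main configuration file in vsftpd's option=value format
# (example values; the option names are vsftpd's own).
MAIN_CONF = """\
local_umask=077
anon_umask=077
file_open_mode=0666
local_max_rate=50000
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
"""
# Constructed per-user file, like /etc/vsftpd/userconf/us1 in section 5.
USER_CONF = {"us1": "local_max_rate=100000\n"}
# Constructed contents of the list file from section 6.
USER_LIST = {"us2"}


def parse_conf(text: str) -> dict[str, str]:
    """Parse option=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key] = value
    return conf


def effective_conf(user: str) -> dict[str, str]:
    """Main configuration with the user's personal file layered on top."""
    conf = parse_conf(MAIN_CONF)
    conf.update(parse_conf(USER_CONF.get(user, "")))
    return conf


def userlist_decision(conf: dict[str, str], listed: set[str], user: str) -> str:
    """Section 6: with userlist_enable=YES a listed user is judged before the
    password prompt; userlist_deny=YES (default) refuses listed users,
    userlist_deny=NO admits only listed users."""
    if conf.get("userlist_enable", "NO") != "YES":
        return "password prompt"
    listed_are_denied = conf.get("userlist_deny", "YES") == "YES"
    if (user in listed) == listed_are_denied:
        return "denied before password"
    return "password prompt"


def upload_mode(conf: dict[str, str], anonymous: bool = False) -> int:
    """Section 7: an upload gets file_open_mode with the umask bits cleared."""
    open_mode = int(conf.get("file_open_mode", "0666"), 8)
    umask_key = "anon_umask" if anonymous else "local_umask"
    return open_mode & ~int(conf.get(umask_key, "077"), 8)
```

With the defaults of 0666 and 077 an uploaded file comes out as 0600, readable only by its owner; 0777 with a umask of 022 yields 0755.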
This article is from: http://lonay.blog.51cto.com/872125/194923