This article is sponsored by ilanniweb.
To get more articles, follow my ilanniweb.
I had previously built vsftpd on CentOS, and assumed that on Ubuntu I could simply follow the same steps. Reality proved me wrong. After some struggle I finally got vsftpd virtual users working on Ubuntu; the configuration steps are posted below for reference.
I. Business requirements
We need to create an FTP account, ailanni, that can only log into the /www directory and cannot change to the parent directory. For security, files uploaded by this account must get permission 644: the uploaded file is readable and writable but not executable.
In addition, the account must not be a system user; it must be a vsftpd virtual user.
The requirements look simple, so let's start the configuration.
PS: All of the following was done on Ubuntu Server 14.04 x64. For CentOS, see the article "Slime: vsftpd using virtual users to access FTP".
II. vsftpd installation
Before configuring vsftpd we need to install it, which is straightforward. As before, we install it directly with apt-get:
sudo apt-get -y install vsftpd
Installing vsftpd is simple; now let's look at the files the package put on the system:
dpkg -L vsftpd | tac
The listing shows that the installation generated many files; the important ones are /etc/init/vsftpd.conf and /etc/vsftpd.conf.
/etc/init/vsftpd.conf is the vsftpd init (Upstart) job, and /etc/vsftpd.conf is the vsftpd configuration file.
Now let's look at the /etc/init/vsftpd.conf file:
cat /etc/init/vsftpd.conf
It shows clearly that vsftpd is started with /etc/vsftpd.conf as its configuration file.
Why point this out? Because I had assumed vsftpd on Ubuntu worked the same as on CentOS, where the vsftpd configuration files can be placed in the /etc/vsftpd/ directory. Ubuntu differs from CentOS here.
Another difference is the script used to start, stop and restart vsftpd.
To start, stop and restart vsftpd on Ubuntu, we must use the following commands:
sudo service vsftpd stop
sudo service vsftpd start
sudo service vsftpd restart
On CentOS, we can use either of the following commands:
service vsftpd stop
/etc/init.d/vsftpd stop
Finally, let's look at the vsftpd service script:
cat /lib/systemd/system/vsftpd.service
III. vsftpd configuration
With vsftpd installed we can now configure it, but a few preparatory steps come before the configuration proper.
3.1 User-related configuration
Because we are using vsftpd virtual users, we first need to create a system user that has read, write and execute permission on the /www directory.
Create the user as follows:
sudo useradd -m -s /bin/bash ftpilanni
cat /etc/passwd | grep ftpilanni
Note: the newly created ftpilanni user cannot log into the system because no password has been set. We do not need ftpilanni to log into the system, and leaving it without a password is safer.
After the user is created, we create the corresponding directory and change its owner to that user:
sudo mkdir /www
sudo chown -R ftpilanni:ftpilanni /www/
With the user-related configuration done, we now create login.txt, the user and password file for logging into vsftpd:
sudo mkdir /etc/vsftpd/
sudo vim /etc/vsftpd/login.txt
ailanni
ailannipassword
login.txt holds the vsftpd user names and passwords on alternating lines: a user name, then that user's password.
Once login.txt is written, we convert it into a Berkeley DB file with db_load. db_load is provided by the db-util package, so we install that first:
sudo apt-get -y install db-util
With db-util installed, convert login.txt into login.db with db_load:
sudo db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db
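An added example (not code from the original post) that checks login.txt before db_load runs on it: db_load -T reads alternating user and password lines, so an odd line count or a stray blank line silently pairs a password with the wrong user. It assumes the paths used above and that db-util is installed.

```shell
#!/bin/sh
# Added example, not from the original post: validate login.txt, then build
# login.db with db_load and lock both files down (they hold plaintext or
# trivially recoverable passwords). Paths are the ones used in the post.

# check_login_file FILE -> 0 if FILE is a well-formed user/password list
check_login_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # count lines even when the last one lacks a trailing newline
    n=$(awk 'END { print NR }' "$file")
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$file has $n lines; expected an even, non-zero count" >&2
        return 1
    fi
    # a blank line or whitespace would become part of a user name or password
    if grep -Eq '^$|[[:space:]]' "$file"; then
        echo "$file contains a blank line or whitespace" >&2
        return 1
    fi
    return 0
}

# build_login_db TXT DB -> validate TXT, then create the Berkeley DB file DB
build_login_db() {
    txt=$1; db=$2
    check_login_file "$txt" || return 1
    chmod 600 "$txt"          # plaintext passwords: owner read/write only
    db_load -T -t hash -f "$txt" "$db" || return 1
    chmod 600 "$db"           # the hash file is just as sensitive
}

# usage (as root): build_login_db /etc/vsftpd/login.txt /etc/vsftpd/login.db
```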
With login.db created, we now configure PAM authentication for vsftpd.
3.2 PAM authentication configuration
For vsftpd PAM authentication I did not use the /etc/pam.d/vsftpd file generated when vsftpd was installed.
After many tests I found that authentication never passed when I used that file. I don't know why; my guess is that it is a bug in vsftpd.
Create the authentication file as follows:
sudo vim /etc/pam.d/vsftpd.virtual
auth required pam_userdb.so db=/etc/vsftpd/login
account required pam_userdb.so db=/etc/vsftpd/login
The contents of vsftpd.virtual can also be adjusted to the OS architecture. I am using Ubuntu x64, so the module can also be given with its full path:
auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
Here /etc/vsftpd/login refers to the /etc/vsftpd/login.db file; pam_userdb adds the .db suffix itself.
3.3 vsftpd permission configuration
Now we configure vsftpd itself. Almost all vsftpd configuration items live in the /etc/vsftpd.conf file.
According to the business requirements, vsftpd.conf is configured as follows:
grep -vE "^#|^$" /etc/vsftpd.conf
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
Several points in this configuration file need to be highlighted.
local_enable=YES
write_enable=YES
local_umask=022
These enable the system user and its write access. write_enable=YES in particular must be set; otherwise vsftpd virtual users will not be able to log in to vsftpd.
Why is that? Because the virtual user is mapped onto, and therefore depends on, the system user.
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
These three items jail vsftpd users in their login directory so they cannot change to the parent directory.
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
These three items enable vsftpd virtual users, select the PAM service created above, and set the directory holding the per-virtual-user configuration. pam_service_name appears twice in the file; vsftpd applies the last value it reads, so vsftpd.virtual is the one in effect.
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
These three items enable vsftpd passive mode and set the passive data port range.
3.4 Virtual user-related configuration
With the vsftpd configuration file modified, we now configure the virtual user's permissions:
sudo mkdir /etc/vsftpd/vu
sudo vim /etc/vsftpd/vu/ailanni
guest_username=ftpilanni
local_root=/www/
virtual_use_local_privs=YES
anon_umask=133
Of these parameters, guest_username=ftpilanni sets the system user that this FTP account is mapped to.
local_root=/www/ sets the directory the user lands in after logging in to FTP.
virtual_use_local_privs=YES gives the virtual user the same permissions as a local user.
anon_umask is the default mask for uploaded files. The permission of an uploaded file is 777 minus anon_umask; here we set 133, so uploaded files get permission 644, meaning the owning user can read and write the file, everyone else can only read it, and nobody can execute it. (Strictly, a umask clears permission bits rather than subtracting, and a new file starts from 666, but for these values the result is the same: 644.)
After all of the above configuration is complete, restart vsftpd:
sudo service vsftpd restart
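As an added example (not the post's own code), a small shell checker that reads the effective settings back from /etc/vsftpd.conf and the per-user file and tests them against the requirements above. It assumes the post's paths and values, and that vsftpd applies local_umask to virtual users that have local privileges and anon_umask otherwise, so it checks that both umasks yield 644.

```shell
#!/bin/sh
# Added example, not from the original post. Two details matter here: when a
# key appears twice (pam_service_name does above) vsftpd keeps the LAST value,
# and a umask clears bits rather than subtracting, so the mode of an uploaded
# file is computed as 666 AND NOT umask. Paths default to the post's.

# conf_get FILE KEY -> last value assigned to KEY in FILE, empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# upload_mode UMASK -> octal mode of a freshly created file (666) after UMASK
upload_mode() {
    printf '%03o\n' $(( 0666 & ~0${1:-0} ))
}

# want FILE KEY VALUE MESSAGE -> prints MESSAGE and sets rc=1 on mismatch
# (comparison is case-insensitive, as vsftpd treats YES/yes alike)
want() {
    v=$(conf_get "$1" "$2" | tr 'a-z' 'A-Z')
    [ "$v" = "$(printf '%s' "$3" | tr 'a-z' 'A-Z')" ] || { echo "$2=$v: $4"; rc=1; }
}

# check_vsftpd MAINCONF USERCONF -> 0 if all checks pass, 1 otherwise
check_vsftpd() {
    main=$1; user=$2; rc=0
    want "$main" anonymous_enable NO "anonymous logins must stay off"
    want "$main" chroot_local_user YES "users must be jailed in local_root"
    want "$main" guest_enable YES "virtual users are not enabled"
    want "$main" pam_service_name vsftpd.virtual "effective PAM service is wrong"
    want "$user" guest_username ftpilanni "virtual user maps to wrong system user"
    for m in "$(upload_mode "$(conf_get "$main" local_umask)")" \
             "$(upload_mode "$(conf_get "$user" anon_umask)")"; do
        [ "$m" = 644 ] || { echo "uploads would get mode $m, expected 644"; rc=1; }
    done
    return $rc
}

# usage: check_vsftpd /etc/vsftpd.conf /etc/vsftpd/vu/ailanni && echo OK
```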
IV. Testing
Now let's test logging into vsftpd as the ailanni user.
The two screenshots above show clearly that the vsftpd configuration meets the business requirements.
V. iptables configuration
In a production environment we usually turn on the firewall for safety.
On Ubuntu we can also use iptables for protection.
The iptables configuration is as follows:
sudo iptables-save > /home/ilanni/iptables.rule
sudo iptables-restore
sudo iptables -nL
sudo vim /etc/network/interfaces
pre-up iptables-restore
post-down iptables-save
Slime: vsftpd virtual user configuration on Ubuntu
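An added example, not part of the original post: a generator for the rule file saved above that admits only what this vsftpd setup needs on INPUT, the control port 21 and the passive range read from vsftpd.conf (30000-31000 here). It assumes the host is administered over SSH (22/tcp is kept open so the rules cannot lock you out) and the rule file path used above.

```shell
#!/bin/sh
# Added example, not from the original post. Passive mode with an explicit
# port range means data connections arrive as NEW connections to that range,
# so the range is opened directly and no FTP conntrack helper is needed.
# Assumption: SSH (22/tcp) is how the box is administered.

# ftp_ruleset MIN MAX -> prints a complete filter table in iptables-save format
ftp_ruleset() {
    min=$1; max=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $min:$max -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ftp_ruleset_from_conf VSFTPD_CONF -> same, with the passive range taken
# from vsftpd's own configuration so the firewall cannot drift from it
ftp_ruleset_from_conf() {
    min=$(sed -n 's/^pasv_min_port=//p' "$1" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=//p' "$1" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || { echo "no passive range in $1" >&2; return 1; }
    ftp_ruleset "$min" "$max"
}

# usage (as root):
#   ftp_ruleset_from_conf /etc/vsftpd.conf > /home/ilanni/iptables.rule
#   iptables-restore < /home/ilanni/iptables.rule
```

Because iptables-restore reads its rules from standard input, the pre-up line in /etc/network/interfaces then needs the file redirected in: pre-up iptables-restore < /home/ilanni/iptables.rule.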