FTP basics
File Transfer Protocol
FTP is an application-layer file transfer protocol in the Internet protocol suite, built on the client/server model. By default it uses TCP ports 20 and 21: port 21 (the command port) accepts the FTP commands and parameters sent by the client, and port 20 (the data port) is the source port of the server's data connection in active mode. FTP servers are widely deployed on intranets because they are easy to set up and manage, and many FTP clients support multi-connection downloads and resumed transfers, so the service remains popular with users. Plain FTP sends credentials and file contents in cleartext, so anything that carries real data across an untrusted network should use FTPS or SFTP instead. Figure 11-1 shows the FTP transfer topology.
An FTP server is a host that stores files and serves them over the FTP protocol; an FTP client is a host that sends a connection request to the server to set up a transfer session.
Two modes
FTP opens a separate data connection for every directory listing or file transfer, and the two modes differ in who opens it.
Active mode: the client tells the server (with the PORT command) which address and port it is listening on, and the server opens the data connection from its port 20 to the client.
Passive mode: the server opens a high-numbered port and announces it to the client (in the PASV reply), and the client opens the data connection to it. This is the default mode of most clients and of vsftpd.
Firewalls generally filter traffic coming into a network from outside. A firewall in front of the server that only allows port 21 blocks the passive data connection, so either the server's passive port range has to be pinned (pasv_min_port and pasv_max_port in vsftpd.conf) and opened on the firewall, or the transfer has to use active mode. Active mode in turn requires the client to accept an inbound connection, which clients behind NAT or a host firewall usually cannot, which is why passive mode is the default.
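The address arithmetic in those two exchanges is where most FTP firewall problems show up, so here is an added example in POSIX shell (not part of the original page; the function names are my own) that decodes a PASV reply into host and port, encodes a PORT command the same way, and checks whether a passive port lies inside a configured pasv_min_port/pasv_max_port window. The sample reply is constructed; the address 192.168.213.131 is the one used later on this page.

```sh
#!/bin/sh
# Added example, not part of the original page: the address encoding FTP
# uses on the control channel to set up the data connection (RFC 959).
# PASV replies and PORT commands both carry h1,h2,h3,h4,p1,p2 where
# port = p1*256 + p2.

# pasv_to_hostport "227 Entering Passive Mode (192,168,213,131,195,80)."
#   -> "192.168.213.131 50000"; returns 1 if the reply carries no address.
pasv_to_hostport() {
    # keep only the comma-separated numbers inside the parentheses
    nums=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# port_command HOST PORT -> the PORT line an active-mode client sends,
# e.g. port_command 192.168.213.131 50000 -> "PORT 192,168,213,131,195,80"
port_command() {
    [ "$2" -ge 0 ] && [ "$2" -le 65535 ] || return 1
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$1" | tr '.' ',')" \
        $(( $2 / 256 )) $(( $2 % 256 ))
}

# pasv_port_in_range PORT MIN MAX: succeed if a passive data port lies in
# the pasv_min_port..pasv_max_port window the firewall has been told to open.
pasv_port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

reply='227 Entering Passive Mode (192,168,213,131,195,80).'   # constructed sample
pasv_to_hostport "$reply"                  # 192.168.213.131 50000
port_command 192.168.213.131 50000         # PORT 192,168,213,131,195,80
# With pasv_min_port=40000 and pasv_max_port=50000 in vsftpd.conf, 50000 is
# the highest port the server-side firewall has to let through:
pasv_port_in_range 50000 40000 50000 && echo "50000 is inside the passive range"
```

A firewall that permits only 21/tcp will silently break the listing that follows this PASV reply, because the client's connection to port 50000 never arrives. Either pin the range and open it, or rely on the kernel's FTP connection-tracking helper (nf_conntrack_ftp), which parses exactly these PASV and PORT lines to open the data port on the fly; that helper cannot read the control channel once it is wrapped in TLS, which is why FTPS behind a stateful firewall needs the pinned range.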
What is vsftpd
vsftpd (Very Secure FTP Daemon) is an FTP server for Linux and other Unix-like systems. It is fully open source and free, it was designed with security as a primary goal (privilege separation and chroot support), it performs well, and, unlike many other FTP daemons, it supports virtual-user authentication.
Installing vsftpd
1 Install the package:
# yum install vsftpd
The iptables firewall on this system blocks the FTP ports by default, so before configuring vsftpd the default policy is flushed so that it cannot interfere, and the cleared state is saved so that it survives a reboot. Flushing every rule is a lab shortcut: on a real server, open only 21/tcp (plus 20/tcp for active mode, or the passive port range) instead.
# iptables -F
# service iptables save
2 Back up the original file, strip the comment lines, and view what is left:
# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Parameter names in vsftpd.conf are written in lowercase and boolean values as YES or NO. The shipped defaults above already allow anonymous logins and local-user writes, which is why the file is reviewed before the service is started. Note that grep -v "#" drops every line containing a "#", not only comment lines, so check the result before relying on it.
Common parameters and functions of the vsftpd service program
vsftpd service program
vsftpd is a comparatively secure file transfer service that lets users log on to the FTP server in three authentication modes.
Anonymous open mode: the least secure mode; anyone can log on to the FTP server with no password verification.
Local user mode: authenticates against the local account and password information of the Linux system. It is more secure than anonymous open mode and easy to configure, but if an account's credentials are stolen the attacker can log on to the FTP server with them, and because they are real system credentials the attacker may go on to take control of the entire server.
Virtual user mode: the most secure of the three. It needs a separate user database for the FTP service; the account names and passwords in it exist only for vsftpd authentication and do not exist as system accounts. Even if an attacker cracks one of these accounts, it cannot be used to log on to the server itself, which effectively limits the scope and impact of a compromise.
ftp is the command-line client for the FTP service on a Linux system, so the next step is to install the ftp client package:
# yum install ftp
Anonymous access mode
In vsftpd, anonymous open mode is the least secure authentication mode: anyone can log on to the FTP server with no password verification. It is typically used to publish unimportant public files (do not store important files there in a production environment). If the access controls described in chapter 8 (such as the tcp_wrappers service) are used to restrict the hosts that may reach vsftpd to the enterprise intranet, it still provides some basic protection.
vsftpd enables anonymous open mode by default, so all that remains is to grant anonymous users permission to upload and download files and to create, delete and rename files and directories. Granting these permissions to anonymous users is potentially dangerous: they are opened here only to practise configuring vsftpd on a Linux system, and doing so is not recommended in a production environment. Table 11-2 lists the permission parameters that can be opened to anonymous users and what each does.
Table 11-2: permission parameters that can be opened to anonymous users (the descriptions follow the vsftpd.conf(5) manual page)
anonymous_enable=YES          allow anonymous access
anon_umask=022                umask applied to files uploaded by anonymous users
anon_upload_enable=YES        allow anonymous users to upload files
anon_mkdir_write_enable=YES   allow anonymous users to create directories
anon_other_write_enable=YES   allow anonymous users to delete and rename files (all other write operations)
vim /etc/vsftpd/vsftpd.conf    edit the configuration file
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Fill in the parameters correctly in the main configuration file of vsftpd, then save and exit. The service has to be restarted for the new parameters to take effect. In a production environment, and in the RHCSA, RHCE and RHCA certification exams, the service must also be enabled at boot so that the server keeps providing it after a reboot:
# systemctl restart vsftpd
# systemctl enable vsftpd
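As an added check that is not part of the original page: a POSIX shell audit (function names are my own) that reads a vsftpd.conf and lists which anonymous write permissions it actually grants. It accounts for two things the parameter list alone does not show: write_enable gates every write command, anonymous or local, and anonymous_enable defaults to YES when the key is absent. The two configurations embedded in it are constructed; the first is the lab file above, the second a hardened variant.

```sh
#!/bin/sh
# Added example, not part of the original page: audit a vsftpd.conf for
# anonymous write access. Configurations are passed as strings so the
# script runs without touching /etc/vsftpd.

# conf_bool CONF KEY DEFAULT: succeed if KEY is set to YES in CONF (the text
# of a vsftpd.conf); DEFAULT applies when the key is absent. The last
# occurrence wins, values are case-insensitive, "#" lines are ignored.
conf_bool() {
    val=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
          | grep -i "^[[:space:]]*$2[[:space:]]*=" | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'a-z' 'A-Z')
    [ -n "$val" ] || val=$3
    [ "$val" = "YES" ]
}

# anon_write_findings CONF: print one line per anonymous write permission
# that is effectively granted. Nothing is printed when anonymous logins are
# off or write_enable is NO, because vsftpd refuses every write command then.
anon_write_findings() {
    conf_bool "$1" anonymous_enable YES || return 0   # vsftpd default: YES
    conf_bool "$1" write_enable NO      || return 0   # vsftpd default: NO
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if conf_bool "$1" "$key" NO; then             # all three default to NO
            echo "anonymous write granted: $key=YES"
        fi
    done
}

# anon_write_count CONF: number of granted anonymous write permissions (0..3).
anon_write_count() {
    anon_write_findings "$1" | grep -c . || :
}

# Constructed sample: the lab configuration from the text above.
LAB_CONF=$(cat <<'EOF'
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
EOF
)

# Constructed hardened variant: anonymous logins off, and even if someone
# turned them back on, write_enable=NO would still block every upload.
SAFE_CONF=$(cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=YES
EOF
)

echo "lab config:";  anon_write_findings "$LAB_CONF"    # three findings
echo "safe config:"; anon_write_findings "$SAFE_CONF"   # none
```

Run it against /etc/vsftpd/vsftpd.conf with anon_write_findings "$(cat /etc/vsftpd/vsftpd.conf)" before exposing a server; the point of the two defaults in the comments is that a file which never mentions anonymous_enable still accepts anonymous logins, while a file that never mentions write_enable cannot grant anonymous writes no matter what the anon_* keys say.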
You can now connect to the remote FTP server by running the ftp command on the client. In vsftpd's anonymous open mode the account name is always anonymous and the password is empty (just press Enter). After connecting, the session starts in /var/ftp on the server; switch into its pub subdirectory and try to create a directory there to verify whether write permission is available:
# ftp 192.168.213.131    (the server's address; the VM is bridged onto the LAN here)
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir file
550 Create directory operation failed.
The directory could not be created, so apparently there is no write permission. Look at the permissions on the pub directory:
# ll -ld /var/ftp/pub/
drwxr-xr-x. 3 root root 21 March 09:38 /var/ftp/pub/
The mode is rwx for the owner (root), r-x for the group and r-x for others, so only root can write here. The anonymous session runs as the local ftp account (vsftpd's ftp_username, default ftp, a system account that already exists on a RHEL/CentOS install), which falls under "others" and can only list and enter the directory, not create anything in it. To grant write access, change the owner of pub to the ftp user, since that is the identity anonymous logins are mapped to:
# chown -Rf ftp /var/ftp/pub
# ll -ld /var/ftp/pub/
drwxr-xr-x. 3 ftp root 21 March 09:38 /var/ftp/pub
Change the owner of pub only, not /var/ftp itself: vsftpd refuses a session whose chroot root directory is writable (500 OOPS: vsftpd: refusing to run with writable root inside chroot()) unless allow_writeable_chroot=YES is set.
Log in again and the directory can now be created:
# ftp 192.168.213.131
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir file
257 "/pub/file" created
The path in the reply is relative to the anonymous root: the session starts in /var/ftp, so "/pub/file" is /var/ftp/pub/file on the server.
Local user mode
Local user mode is more secure than anonymous open mode and easy to configure. If anonymous open mode was enabled earlier, turn it off now (anonymous_enable=NO) and enable local user mode (local_enable=YES). The parameters that govern local user mode are local_enable, write_enable, local_umask, userlist_enable and userlist_deny; the experiments below exercise the last two together with the PAM check of /etc/vsftpd/ftpusers.
The behaviour of /etc/vsftpd/user_list is controlled by userlist_enable and userlist_deny in vsftpd.conf. /etc/vsftpd/ftpusers is enforced separately by PAM: /etc/pam.d/vsftpd contains a pam_listfile.so line with sense=deny file=/etc/vsftpd/ftpusers, so every user named in that file fails authentication. Trying the combinations with root, which ships in both files:
1 userlist_enable=YES, userlist_deny=YES (the default): user_list is a blacklist. Every user in it is refused before the password prompt, whether or not the pam_listfile line in /etc/pam.d/vsftpd is commented out. A listed user can log in only after its line in user_list is commented out (and, for root, its line in ftpusers as well).
2 userlist_enable=YES, userlist_deny=NO: user_list is a whitelist. Only listed users get past vsftpd, and they still have to pass PAM, so root (which is in user_list) logs in only once the pam_listfile line is commented out or root is removed from ftpusers.
3 userlist_enable=NO: user_list is not consulted at all, so userlist_deny has no effect. Only the PAM check of ftpusers remains, and root logs in only once the pam_listfile line is commented out or root is removed from ftpusers.
In short, the two files are two independent gates and a login has to pass both: vsftpd's own user_list check (when enabled), and PAM's ftpusers check. Commenting out the pam_listfile line removes the second gate but never the first.
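To make the two gates concrete, here is an added example in POSIX shell (not part of the original page; the function names are my own) that decides whether a login attempt gets past vsftpd's user_list check and PAM's ftpusers check, given the two vsftpd.conf switches and whether the pam_listfile line in /etc/pam.d/vsftpd is still active. The user_list and ftpusers contents are constructed (the real files ship root plus a dozen system accounts), and the ordinary account named alice is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original page: model the two independent
# gates a local-user login has to pass in vsftpd.

# in_list USER LIST: succeed if USER is a whole line of LIST (the text of
# user_list or ftpusers). vsftpd and pam_listfile both skip "#" lines.
in_list() {
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -qxF "$1"
}

# login_allowed USER USERLIST_ENABLE USERLIST_DENY PAM_LISTFILE USER_LIST FTPUSERS
#   USERLIST_ENABLE / USERLIST_DENY: the vsftpd.conf values (YES or NO)
#   PAM_LISTFILE: YES if the pam_listfile.so line in /etc/pam.d/vsftpd is
#                 active, NO if it has been commented out
# Prints the decision and returns 0 (allowed) or 1 (denied).
login_allowed() {
    user=$1 ul_enable=$2 ul_deny=$3 pam_listfile=$4 user_list=$5 ftpusers=$6

    # Gate 1: vsftpd's own user_list, checked before the password prompt
    # and only when userlist_enable=YES.
    if [ "$ul_enable" = YES ]; then
        if [ "$ul_deny" = YES ]; then
            # blacklist: names in the file are refused
            if in_list "$user" "$user_list"; then
                echo "denied: $user is in user_list (blacklist)"; return 1
            fi
        elif ! in_list "$user" "$user_list"; then
            # whitelist: only names in the file get through
            echo "denied: $user is not in user_list (whitelist)"; return 1
        fi
    fi

    # Gate 2: PAM. /etc/pam.d/vsftpd ships with
    #   auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    # so any name in ftpusers fails authentication, whatever user_list says.
    if [ "$pam_listfile" = YES ] && in_list "$user" "$ftpusers"; then
        echo "denied: $user is in ftpusers (pam_listfile)"; return 1
    fi
    echo "allowed: $user"
}

# Constructed sample lists (the real files hold root plus system accounts).
USER_LIST='# vsftpd userlist
root
bin
daemon'
FTPUSERS='# Users that are not allowed to login via ftp
root
bin
daemon'

# The three experiments from the text, run for root:
login_allowed root YES YES YES "$USER_LIST" "$FTPUSERS" || :  # denied by user_list
login_allowed root YES NO  NO  "$USER_LIST" "$FTPUSERS" || :  # allowed: whitelist, PAM line commented
login_allowed root NO  YES NO  "$USER_LIST" "$FTPUSERS" || :  # allowed: user_list ignored, PAM line commented
login_allowed root NO  YES YES "$USER_LIST" "$FTPUSERS" || :  # denied by ftpusers
# A hypothetical ordinary account (assumed name alice) in neither file:
login_allowed alice YES YES YES "$USER_LIST" "$FTPUSERS" || :  # allowed
login_allowed alice YES NO  YES "$USER_LIST" "$FTPUSERS" || :  # denied: not whitelisted
```

The last two calls are the practical lesson: with the shipped defaults an ordinary account logs in without touching either file, while flipping userlist_deny to NO locks out every account that was not added to user_list.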
To keep the server secure, vsftpd by default refuses logins from the root administrator and most system accounts, which prevents attackers from brute-forcing the root password through the FTP service. If you are certain that logging in as root will not endanger the system in your environment, remove root from the lists as described above. Alternatively, pick an ordinary user that appears in neither ftpusers nor user_list and use it to log on to the FTP server.
Deleting (or commenting out) the root line lets root log in; any user not on these deny lists can log in already.
Edit the two list files and comment out root in both: vim /etc/vsftpd/user_list and vim /etc/vsftpd/ftpusers
# ftp 192.168.213.131
Connected to 192.168.213.131 (192.168.213.131).
220 (vsFTPd 3.0.2)
Name (192.168.213.131:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
With root removed from both deny lists the login succeeds, and root's home directory is visible in the session.
With the list files left as shipped, there are two ways to let root log in: comment out or delete root's line in both /etc/vsftpd/user_list and /etc/vsftpd/ftpusers, or comment out the pam_listfile line in /etc/pam.d/vsftpd and set userlist_deny=NO, which turns user_list (with root still in it) into a whitelist that admits root. Both remove protection that vsftpd ships with, and neither is advisable outside a lab: FTP sends the root password in cleartext.