The principle and construction of FTP under Linux

Source: Internet
Author: User
Tags: file transfer protocol, filezilla

Brief introduction

FTP (File Transfer Protocol) transfers files between hosts. It is a client-server protocol working at the application layer; the server accepts control connections on TCP port 21.

FTP uses two connections

Command (control) connection: 21/tcp. The client opens a TCP connection to port 21 on the server and sends commands over it; the server answers with three-digit reply codes.

Data connection: a separate TCP connection over which directory listings and file contents are transferred. How it is set up depends on the mode, described below.

The data connection can be opened in two ways

Active (PORT) mode: the client connects from a random unprivileged port N (N > 1023) to the server's command port 21. The client then listens on a second port of its own (by convention N+1) and sends a PORT command naming its IP address and that port. The server connects from its data port 20 to the client's port. In short, during the data connection the server actively connects back to the client, which means the client's firewall or NAT has to accept an inbound connection; on most networks it does not.

Passive (PASV) mode: passive mode exists because the inbound connection of active mode is blocked, or considered unsafe, on the client side. The client connects from a random port N to the server's command port 21 and sends PASV; the server replies (code 227) with an IP address and a random unprivileged port it has opened for data, and the client connects from another of its own ports (by convention N+1) to that server port. Here the server is the passive side. Because the data port is random, the server's firewall must either allow the whole passive port range (pasv_min_port and pasv_max_port in vsftpd) or use the FTP connection-tracking helper (nf_conntrack_ftp), which reads the control channel and admits the related data connection. The "greater than 5000" figure often quoted is not a rule; the port comes from whatever range the server is configured to use.
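The exchange above, as an added example that is not part of the original page: a small Python client-side helper that parses the 227 (PASV) and 229 (EPSV) replies, builds the PORT command a client sends in active mode, and checks an advertised port against the passive range a firewall was opened for. The reply strings are constructed samples, not captures, and the address is the page's lab host. The `passive_data_endpoint` helper also shows a precaution a cautious client takes: a 227 reply may name any address, so unless you deliberately trust it the data connection should go to the host the control connection already talks to, not to whatever the reply advertises.

```python
"""Parse FTP passive-mode replies and build active-mode PORT commands.

Added example, not code from the original page. The reply strings below
are constructed samples, not captures from a real server.
"""
import re

# Constructed samples (the address is the page's lab host).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,222,117,48)."
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||30000|)"

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: " + reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed 227 reply: " + reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in 227 reply: " + reply)
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 reply (EPSV, RFC 2428); the host is the control peer."""
    if not reply.startswith("229"):
        raise ValueError("not a 229 reply: " + reply)
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError("malformed 229 reply: " + reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in 229 reply: " + reply)
    return port


def passive_data_endpoint(reply, control_peer_host, trust_advertised=False):
    """Where the client should open the data connection.

    A 227 reply can name any address, so a hostile or misconfigured server
    can redirect the data connection to a third party (the classic FTP
    bounce). Unless trust_advertised is set, ignore the advertised address
    and connect to the host the control connection is already talking to.
    """
    host, port = parse_pasv(reply)
    if not trust_advertised and host != control_peer_host:
        host = control_peer_host
    return host, port


def build_port_command(client_host, client_port):
    """PORT h1,h2,h3,h4,p1,p2 exactly as a client sends it in active mode."""
    octets = client_host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("PORT needs a dotted IPv4 address")
    if not 1024 <= client_port <= 65535:
        raise ValueError("active-mode data port must be an unprivileged port")
    return "PORT " + ",".join(octets + [str(client_port // 256), str(client_port % 256)])


def port_in_passive_range(port, pasv_min_port, pasv_max_port):
    """True if the advertised port lies inside the range the firewall was opened for."""
    return pasv_min_port <= port <= pasv_max_port


if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_PASV_REPLY)
    print(f"PASV -> connect to {host}:{port}")
    print(f"EPSV -> port {parse_epsv(SAMPLE_EPSV_REPLY)}")
    print(build_port_command("192.168.1.10", 40001))
```

The port arithmetic is the whole trick of the 227 reply: (117,48) means 117*256 + 48 = 30000, which is exactly the kind of value you would put in pasv_min_port/pasv_max_port and open in the server's firewall.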

FTP has two data transfer types

ASCII: for plain text files (for example text-format database dumps); line endings are converted between the client's and the server's conventions.

Binary (image): the bytes are transferred unchanged. Use it for everything that is not plain text (mp3, jpeg, archives, executables), otherwise the file arrives corrupted. Modern clients default to binary.

There are many FTP server and client programs, for example:

Server-side programs:

wu-ftpd: Washington University FTP daemon

vsftpd: Very Secure FTP Daemon

ProFTPD

Pure-FTPd

FileZilla Server

Serv-U: for Windows

Client programs:

CLI:

ftp

lftp

GUI:

gFTP

FlashFXP

CuteFTP

FileZilla

vsftpd is used here because security is its primary design goal, it is fully open source and free, it is fast, and it supports IPv6 and virtual users among other features. The rest of this page builds the FTP service with vsftpd.

vsftpd installation and configuration (CentOS 7)

In this walkthrough the server and the client are the same host, 192.168.1.222.

Installation: vsftpd can be installed directly with yum:

# yum install vsftpd -y

For this lab the firewall rules are cleared (or the firewall stopped) and SELinux is turned off so that neither interferes with the experiments. Do not do that on a real server: keep firewalld running and allow the ftp service plus the passive port range you configure (the firewalld ftp service also loads the nf_conntrack_ftp helper), and instead of disabling SELinux enable the booleans the setup needs (ftpd_full_access for writable local-user directories, ftpd_anon_write for anonymous uploads).

After installation the following files exist under /etc/vsftpd.

Lists of users who are refused login

/etc/vsftpd/ftpusers (applied by pam_listfile in /etc/pam.d/vsftpd; users listed here are always denied)

/etc/vsftpd/user_list (applied by vsftpd itself according to userlist_enable and userlist_deny)

Main configuration file

/etc/vsftpd/vsftpd.conf

    1. First verify anonymous mode. In vsftpd.conf, find the following parameters and uncomment them (option names are case-sensitive and must be lower-case; the value is written YES or NO):

anonymous_enable=YES

Allow anonymous access. This is the default.

anon_umask=022

umask applied to files uploaded by anonymous users (022 yields rw-r--r--).

anon_upload_enable=YES

Allow anonymous users to upload files.

anon_mkdir_write_enable=YES

Allow anonymous users to create directories.

anon_other_write_enable=YES

Allow anonymous users to rename and delete files and directories (this line is not in the default file and has to be added by hand). With all four of these enabled anyone on the network has full write access to the anonymous tree, so keep them to a test setup or to a dedicated drop directory.

You can check the result with a client such as Xftp or the ftp command-line tool. The ftp command takes the form "ftp [options] [FTP host]"; install it with yum install ftp -y.

After installation, log in with ftp 192.168.1.222 as user anonymous (any string is accepted as the password) and try the operations above.

Here I created the anon directory before logging in to FTP and found that the anonymous user could not create directories in it. The directory is owned by root and the anonymous session runs as the ftp system account, which has no write permission there; setfacl can be used to grant the ftp user write access to the directory.

Log in again: creating a directory now succeeds, and renaming, deleting and uploading files work as well (not shown here). Type help at the ftp> prompt to list the commands available.

2. Authentication for local users

First undo the anonymous-user settings from the previous step, then set the following parameters (add the ones that are missing by hand) and restart the service (systemctl restart vsftpd).

anonymous_enable=NO

Disable anonymous access.

local_enable=YES

Allow local system users to log in.

write_enable=YES

Allow write operations (upload, mkdir, rename, delete).

local_umask=022

umask applied to files created by local users.

userlist_deny=YES

With YES (the default; add the line by hand if you want it explicit), users named in user_list are refused before a password is even requested. With NO, only the users named in user_list may log in.

userlist_enable=YES

Load /etc/vsftpd/user_list and apply it to logins. /etc/vsftpd/ftpusers is enforced separately by PAM regardless of this setting.

Because local users can otherwise browse any directory their Unix permissions allow, one more parameter is needed to confine them. First create a test user:

New user hot

Run useradd hot and set its password with passwd.

Then log in as hot and verify that creating directories, renaming and deleting work.

chroot_local_user=YES jails local users in their home directories, so that each user can only see their own home directory.

After adding this parameter the login fails with

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The cause is that the user's home directory, which is now the root of the chroot jail, is writable by the user, and vsftpd 2.3.5 and later refuse that combination. One way to clear the error is to remove the write permission from the user's root directory with chmod a-w /home/hot.

But then there is another problem: with the root read-only, the local user can no longer upload, create or delete files there (SELinux and the firewall are off, so they are not the cause). The tutorial's remedy is the following parameter:

allow_writeable_chroot=YES

Allow the jailed FTP root to be writable instead of refusing the login.

This is the less safe option, because vsftpd added the check precisely so that a jailed user cannot create files and directories at the top of their own jail. The better layout keeps the root read-only and gives the user a writable subdirectory, for example /home/hot/upload owned by hot, leaving allow_writeable_chroot at its default of NO.

To summarise userlist_enable and userlist_deny: with userlist_enable=YES vsftpd reads /etc/vsftpd/user_list; userlist_deny=YES (the default) makes it a deny list, userlist_deny=NO makes it an allow list. In either case users in /etc/vsftpd/ftpusers are still refused by PAM.
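As an added example that is not part of the original page (nor part of vsftpd), the following Python script audits a vsftpd.conf for the anonymous, local-user and chroot options discussed in sections 1 and 2. The two configurations inside it are constructed: one is the tutorial's local-user setup with the allow_writeable_chroot shortcut and an option name in the wrong case, the other is the same service with a read-only chroot root and TLS. The defaults table is taken from vsftpd.conf(5) for the options the checker looks at; the findings are this example's own wording.

```python
"""Audit a vsftpd.conf for the anonymous, local-user and chroot settings.

Added example, not from the original page or from vsftpd. The two
configurations below are constructed; DEFAULTS follows the vsftpd.conf(5)
defaults for the options this checker inspects.
"""

# vsftpd built-in defaults for the options this checker looks at.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
    "ssl_enable": "NO",
}

# Constructed: the tutorial's local-user setup with the writable-chroot shortcut,
# plus an option name in the wrong case (vsftpd option names are case-sensitive).
TUTORIAL_CONF = """\
Anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pam_service_name=vsftpd
"""

# Constructed: the same service with a read-only chroot root and TLS.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=YES
chroot_local_user=YES
allow_writeable_chroot=NO
ssl_enable=YES
pam_service_name=vsftpd
"""


def parse_vsftpd_conf(text):
    """Return (settings, bad_lines). Keys must be lower-case; values are case-insensitive."""
    settings, bad = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key != key.lower() or " " in key:
            bad.append(line)  # vsftpd would exit with "unrecognised variable"
            continue
        settings[key] = value.strip()
    return settings, bad


def is_yes(value):
    return value.upper() in ("YES", "TRUE", "1")


def audit(text):
    """List the findings a reviewer would raise for this configuration."""
    settings, bad = parse_vsftpd_conf(text)

    def on(option):
        return is_yes(settings.get(option, DEFAULTS[option]))

    findings = [f"unparseable line (vsftpd will refuse to start): {line}" for line in bad]
    if on("anonymous_enable"):
        findings.append("anonymous_enable=YES: anonymous logins are allowed")
        if any(on(o) for o in ("anon_upload_enable", "anon_mkdir_write_enable",
                               "anon_other_write_enable")):
            findings.append("anonymous write access: anyone on the network can upload, create or delete")
    if on("local_enable"):
        if not on("chroot_local_user"):
            findings.append("chroot_local_user=NO: local users can browse the whole filesystem")
        if not on("userlist_enable"):
            findings.append("userlist_enable=NO: /etc/vsftpd/user_list is ignored")
    if on("allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: chroot root is writable; "
                        "use a read-only root with a writable subdirectory")
    if not on("ssl_enable"):
        findings.append("ssl_enable=NO: passwords and data cross the network in clear text")
    return findings


if __name__ == "__main__":
    for name, conf in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

Two things worth noticing when you run it: the mis-cased Anonymous_enable line is reported as an error rather than silently ignored, because vsftpd really does abort on an unknown option name, and the tutorial configuration is flagged for allow_writeable_chroot and for clear-text transport even though every option in it is spelled correctly.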

3. Authentication for virtual users

    1. The accounts and passwords used in virtual-user mode do not exist in the real system, so virtual-user mode is more secure than local-user mode: a stolen FTP password does not give the attacker a system account. Configuring it in vsftpd takes several steps, however:

      Step 1: create the virtual-user database file.

      Step 2: create the FTP root directory and the system user the virtual users are mapped to.

      Step 3: create a PAM configuration file that supports virtual users.

      Step 4: add the supporting settings to vsftpd.conf.

      Step 5: set per-user permissions for the virtual users.

      Step 6: restart the vsftpd service and verify the result.

PAM (Pluggable Authentication Modules) is an authentication framework that separates the services the system provides from the authentication they use, by means of dynamically loaded modules behind a uniform API. The authentication method of a service can then be changed to suit requirements without modifying the application. PAM is layered: the application calls the PAM interface layer, which in turn loads and calls the authentication modules.

Its configuration lives under /etc/pam.d, with one file per service.

For example, vsftpd carries the following parameter in its main configuration file (/etc/vsftpd/vsftpd.conf):

pam_service_name=vsftpd

meaning that the FTP server authenticates according to the contents of /etc/pam.d/vsftpd.


Step 1: create the virtual FTP user database file.

# cd /etc/vsftpd/

Create the plain-text account and password file from which the database is generated. Odd lines are account names, even lines are the matching passwords; the accounts are not real system users (they are mapped to a host account in step 2):

# vim vuser.list

Use the db_load command to generate the FTP user database file vuser.db in hash format (-T reads text input, -t selects the database type, -f names the input file):

# db_load -T -t hash -f vuser.list vuser.db

Check the type of the database file:

# file vuser.db

The database holds the passwords exactly as typed (pam_userdb compares plaintext unless its crypt= option is set), so restrict its permissions as far as possible, e.g. readable and writable by root only:

# chmod 600 vuser.db

Delete the original plain-text account and password file:

# rm -f vuser.list

Step 2: create the FTP root directory and the system user the virtual users are mapped to.

Create a user virtualftp whose home directory will serve as the FTP root, with a nologin shell so that it cannot log in to the system:

# useradd -d /var/ftproot -s /sbin/nologin virtualftp

To let other users read the directory, give it rwxr-xr-x permissions:

# chmod -Rf 755 /var/ftproot/

With 755 the root is writable by its owner virtualftp, and because virtual users run as that account this is why step 4 needs allow_writeable_chroot=YES. A tighter alternative is chmod 555 /var/ftproot with a writable subdirectory owned by virtualftp underneath it.

Step 3: create a PAM configuration file that supports virtual users:

# vim /etc/pam.d/vsftpd.vu

The db parameter points to the vuser.db file just generated, written without the .db suffix:

auth required pam_userdb.so db=/etc/vsftpd/vuser

account required pam_userdb.so db=/etc/vsftpd/vuser

Step 4: add the supporting settings to vsftpd.conf.

Anonymous mode can be turned off. The parameters and their roles:

anonymous_enable=NO

Disable anonymous access.

local_enable=YES

Allow local user mode (required: virtual users are handled as a special case of non-anonymous logins).

guest_enable=YES

Turn on virtual-user mode: every non-anonymous login is remapped to the guest user.

guest_username=virtualftp

The system account the virtual users are mapped to.

pam_service_name=vsftpd.vu

Authenticate according to /etc/pam.d/vsftpd.vu.

allow_writeable_chroot=YES

Allow the writable FTP root to serve as the chroot root instead of refusing the login (see the note under step 2 for the safer layout).

Step 5: set different permissions for the virtual users

By default virtual users cannot upload, create or modify files: they carry anonymous privileges, so the anon_* options govern what they may do. Each virtual user can be given its own permissions in a per-user configuration file.

Specify the directory that holds the per-user configuration files:

# vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/vusers_dir

Create that directory:

# mkdir /etc/vsftpd/vusers_dir/

Under it, create one file per virtual user, named exactly after the account as it appears in vuser.list, containing that user's settings (for example anon_upload_enable, anon_mkdir_write_enable and anon_other_write_enable set to YES for a user who may write). An empty file leaves the main configuration's defaults in force, i.e. read-only access.

Step 6: restart the vsftpd service (systemctl restart vsftpd) and verify the result.

Log in as a virtual user and check that creating and deleting directories, uploading and downloading all behave as configured. You can also open an Explorer window under Windows and enter ftp://192.168.1.222 to drive the same operations.
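As an added example that is not part of the original page (nor part of vsftpd), the Python script below stages the files of steps 1 to 5 from a single spec into a staging directory, so that the names which must agree across files (the db path without its .db suffix in the PAM file, guest_username, the per-user file names matching vuser.list) come from one place. The account names and passwords are placeholders. It deliberately keeps allow_writeable_chroot=NO, which assumes /var/ftproot is made read-only (555) with a writable subdirectory owned by virtualftp for the users that may write; running db_load on the staged vuser.list, copying the files under /etc and restarting vsftpd are left to the administrator.

```python
"""Stage the virtual-user files from steps 1 to 5 from a single spec.

Added example, not from the original page or from vsftpd. It writes the
files the steps create by hand into a staging directory, so the names that
must agree across files (the db path without its suffix, guest_username,
the per-user file names) come from one place. Accounts and passwords are
placeholders; db_load, installation under /etc and the restart are left
to the administrator.
"""
import os
import re
import tempfile

VIRTUAL_USERS = {                      # constructed spec
    "reader":   {"password": "R3ad-only!", "write": False},
    "uploader": {"password": "Upl0ad-me!", "write": True},
}
GUEST_USERNAME = "virtualftp"          # system account created in step 2
PAM_SERVICE = "vsftpd.vu"              # file name under /etc/pam.d
DB_PATH = "/etc/vsftpd/vuser"          # vuser.db, referenced without the suffix
USER_CONFIG_DIR = "/etc/vsftpd/vusers_dir"

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def render_vuser_list(users):
    """Input for db_load -T -t hash: odd lines accounts, even lines passwords."""
    lines = []
    for name, spec in users.items():
        if not NAME_RE.match(name):
            raise ValueError(f"invalid virtual user name: {name!r}")
        password = spec["password"]
        if not password or "\n" in password or "\r" in password:
            raise ValueError(f"invalid password for {name}")
        lines += [name, password]
    return "\n".join(lines) + "\n"


def render_pam_file(db_path):
    """Contents of /etc/pam.d/<PAM_SERVICE>; both lines name the db without .db."""
    if db_path.endswith(".db"):
        raise ValueError("pam_userdb wants the path without the .db suffix")
    return (f"auth    required pam_userdb.so db={db_path}\n"
            f"account required pam_userdb.so db={db_path}\n")


def render_main_conf(guest, pam_service, user_config_dir):
    """Step 4 settings. allow_writeable_chroot stays NO: make /var/ftproot 555
    and give writers a subdirectory owned by the guest user instead."""
    return "\n".join([
        "anonymous_enable=NO",
        "local_enable=YES",
        "guest_enable=YES",
        f"guest_username={guest}",
        f"pam_service_name={pam_service}",
        f"user_config_dir={user_config_dir}",
        "allow_writeable_chroot=NO",
    ]) + "\n"


def render_user_conf(spec):
    """Per-user file: empty keeps the main-config defaults (read-only);
    virtual users carry anonymous privileges, so writers get the anon_* options."""
    if not spec["write"]:
        return ""
    return "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n"


def stage(root, users=VIRTUAL_USERS):
    """Write everything under <root>/etc/...; return {relative path: mode}."""
    etc_vsftpd = os.path.join(root, "etc", "vsftpd")
    pam_d = os.path.join(root, "etc", "pam.d")
    config_dir = os.path.join(root, USER_CONFIG_DIR.lstrip("/"))
    for d in (etc_vsftpd, pam_d, config_dir):
        os.makedirs(d, exist_ok=True)
    written = {}

    def put(path, text, mode):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        written[os.path.relpath(path, root)] = mode

    # step 1: the plaintext input holds passwords, so owner-only from the start
    put(os.path.join(etc_vsftpd, "vuser.list"), render_vuser_list(users), 0o600)
    # step 3
    put(os.path.join(pam_d, PAM_SERVICE), render_pam_file(DB_PATH), 0o644)
    # step 4: fragment to merge into vsftpd.conf
    put(os.path.join(etc_vsftpd, "vsftpd.conf.virtual"),
        render_main_conf(GUEST_USERNAME, PAM_SERVICE, USER_CONFIG_DIR), 0o600)
    # step 5: one file per account, named exactly as in vuser.list
    for name, spec in users.items():
        put(os.path.join(config_dir, name), render_user_conf(spec), 0o600)
    return written


def stage_in_tempdir(users=VIRTUAL_USERS):
    """Stage into a fresh temporary directory; return (root, written)."""
    root = tempfile.mkdtemp(prefix="vsftpd-stage-")
    return root, stage(root, users)


def read_staged(root, relpath):
    """Return (text, permission bits) of one staged file."""
    path = os.path.join(root, relpath)
    with open(path) as fh:
        text = fh.read()
    return text, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    root, written = stage_in_tempdir()
    for rel, mode in sorted(written.items()):
        print(f"{mode:04o} {rel}")
```

After staging, run db_load -T -t hash -f vuser.list vuser.db in the staged etc/vsftpd directory and remove vuser.list, then copy the tree into place; the per-user files and the PAM file carry no secrets, but vuser.list and vuser.db do, which is why the script writes them with mode 600.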

