FTP is the File Transfer Protocol. It is sometimes described as "centralized file communication". The main purpose of an FTP file server is to provide storage space where users can upload or download the files they need. Enterprises often give users a dedicated FTP space for exchanging large files, such as design drawings that run to hundreds of megabytes. An FTP server can also serve as a backup server for enterprise files, for example as the remote backup target for key applications such as databases.
It can be seen that FTP servers are widely used in enterprises. Because they are so capable, many attackers and viruses have begun to "follow" them. They attempt to use the FTP server as a stepping stone and as a source for spreading Trojans and viruses. At the same time, the FTP server stores a lot of valuable enterprise content, so under the temptation of economic gain it becomes a target of attack.
Therefore, the security of FTP servers is becoming more and more important. The FTP server used by the author is based on the Vsftpd software on the Linux operating system platform. I will take this software as an example to discuss how to design FTP server security.
1. Who can access the FTP server?
When considering the security of the FTP server, the first step is to decide who can access it. The Vsftpd server software provides three types of users by default. Each type has different permissions and ways of operating.
The first type is Real accounts. A user of this type has an account on the FTP server. When such users log on to the FTP server, their default home directory is the directory named after their account. However, it can also be changed to other directories, for example the main directory of the system.
The second type is Guest accounts. On the FTP server, we usually set up an account for each department or for specific users, and this account can only access its own home directory. In this way, the server protects the other files on the FTP server. Such accounts are called Guest users in Vsftpd. They can only access the directories under their home directory, not files outside it.
The third type is Anonymous, which is what we usually call anonymous access. A user of this type has no account of their own on the FTP server but can still access some public resources anonymously.
When building an FTP server, we need to classify users by type. By default, the Vsftpd server assigns all created accounts to the Real type. However, this often does not meet enterprise security needs, because such users can access not only their own home directories but also the directories of other users. This puts other users' space at risk. Therefore, enterprises must modify the user category based on the actual situation.
Modification method:
Step 1: Modify the /etc/vsftpd/vsftpd.conf file.
By default, only Real and Anonymous users are enabled. To enable Guest users, you need to turn on this option: edit the /etc/vsftpd/vsftpd.conf file and remove the comment symbol before "chroot_list_enable=YES". After removal, the system automatically enables Real-type accounts.
Step 2: Modify the /etc/vsftpd.conf file.
To assign an FTP server account to the Guest type, you must add the user to this file. Normally, this file does not exist on the FTP server and needs to be created manually. After creating the file with the vi command, add the created FTP account to it. In this case, an account belongs to a Real user. After these users log on to the FTP server, they can only access their home directories and cannot change out of them.
Step 3: Restart the FTP server.
After completing the configuration, you need to restart the FTP server for the configuration to take effect. You can restart the server itself or use the restart command to restart the FTP service.
Here are a few reminders on classifying users carefully.
First, use Guest-type users as much as possible and reduce the number of Real-type users. Generally, an FTP account only needs to access the files in its own home directory. When a user is given excessive permissions, the security of other users' files is threatened.
Second, try not to use anonymous accounts, because they can access the FTP server without authorization. Although their access to resources is limited, it is still dangerous. Therefore, unless there is a special requirement, it is best to disable anonymous accounts.
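To check the result of the three steps and the two reminders above, the following script (an added example, not code from the article or from the vsftpd project) reads vsftpd.conf text and reports which local accounts are confined to their home directory and whether anonymous login is still on. The function names, sample configuration and account names are constructed for illustration; `chroot_local_user` and `anonymous_enable` are standard vsftpd options that the article does not name.

```python
"""Added example: audit the vsftpd settings discussed above (constructed input)."""

def parse_conf(text):
    """Return {option: value} from vsftpd.conf text; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def is_yes(opts, key, default):
    return opts.get(key, default).upper() == "YES"

def audit(conf_text, chroot_list, accounts):
    """Classify local accounts as confined to their home directory or not."""
    opts = parse_conf(conf_text)
    chroot_all = is_yes(opts, "chroot_local_user", "NO")
    use_list = is_yes(opts, "chroot_list_enable", "NO")
    listed = {u.strip() for u in chroot_list if u.strip()}
    report = {"confined": [], "unconfined": [], "findings": []}
    for user in accounts:
        in_list = use_list and user in listed
        # With chroot_local_user=YES the list holds the exceptions instead.
        confined = (not in_list) if chroot_all else in_list
        report["confined" if confined else "unconfined"].append(user)
    if is_yes(opts, "anonymous_enable", "YES"):  # vsftpd default is YES
        report["findings"].append("anonymous login is enabled")
    if report["unconfined"]:
        report["findings"].append(
            "not confined to home: " + ", ".join(report["unconfined"]))
    return report

# Constructed sample input: option still commented out, anonymous left on.
BEFORE = """\
anonymous_enable=YES
local_enable=YES
#chroot_list_enable=YES
"""
# Same file after Step 1 and with anonymous access disabled.
AFTER = BEFORE.replace("#chroot", "chroot").replace(
    "anonymous_enable=YES", "anonymous_enable=NO")
CHROOT_LIST = ["design", "backup"]          # hypothetical list-file entries
ACCOUNTS = ["design", "backup", "alice"]    # hypothetical local accounts

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf, CHROOT_LIST, ACCOUNTS))
```

An account that is missing from the list file still shows up as unconfined after the change, which is the case the first reminder warns about.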