0. What is vsftpd?
Installing something without knowing what it is is no fun, so first: what is vsftpd? VSFTPD stands for "very secure FTP daemon", and of course having "very secure" in the name does not by itself make it the safest thing around.
So where exactly does its security come from? Mainly from the following two points:
- Permission control. vsftpd runs as an ordinary user, so its rights on the system are small, which is safer for the system. The system-level operations a user needs are built into vsftpd, so a user does not need to ask for higher privileges to complete the vast majority of FTP commands. In addition, vsftpd's own read and write behaviour can be controlled from its configuration file.
- Directory restriction. Through chroot, vsftpd controls the range of directories an FTP login can see: the "root directory" the FTP user sees is limited to one directory on the system, so apart from its own FTP root the user cannot see anything else, such as configuration files or system directories, which protects the system.
1. Installing VSFTPD
sudo apt-get install vsftpd
If the package you get is not new enough, run sudo apt-get update first and check your package sources.
2. Configure VSFTPD
On Ubuntu the vsftpd configuration file is /etc/vsftpd.conf
The options of the configuration file are listed in detail below (there are many, but in practice most of us only configure a few items as needed):
- listen=<YES/NO>: when YES, vsftpd runs as a stand-alone daemon; set it to NO when it is started from xinetd (xinetd is a management daemon that centralises services and can reduce the resource use of many small services).
- listen_port=<port>: the listening port of the control connection; the default is the standard FTP command port, 21.
- listen_address=<ip address>: listen on the given IP address only, useful on hosts with several network interfaces.
- connect_from_port_20=<YES/NO>: if YES, ftp-data transfers are forced to originate from port 20; default YES.
- pasv_enable=<YES/NO>: whether to use passive-mode data connections; if the client sits behind a firewall, turn this on.
- pasv_min_port=<n>, pasv_max_port=<m>: the port range N to M used for data connections in passive mode; ports 50000-60000 are recommended.
- message_file=<filename>: the file whose contents are shown when a user enters a directory; default .message.
- dirmessage_enable=<YES/NO>: whether the message_file contents are shown when a user enters a directory.
- ftpd_banner=<message>: the welcome message shown after a user connects to the server.
- banner_file=<filename>: the welcome message shown after connecting is read from the named file instead.
- connect_timeout=<n>: if a client takes more than n seconds to connect to the server, the connection is forcibly closed.
- accept_timeout=<n>: in passive mode, if the server has sent the passive port instruction and waited more than n seconds, the connection is forcibly closed.
- data_connection_timeout=<n>: an idle data connection is closed after n seconds.
- idle_session_timeout=<n>: an idle user session is closed after n seconds.
- max_clients=<n>: limit on simultaneous connections to the server in stand-alone mode; 0 means unlimited.
- max_per_ip=<n>: limit on client connections per IP address in stand-alone mode; 0 means unlimited (I do not know whether this has anything to do with multi-threaded downloads).
- local_enable=<YES/NO>: whether local user accounts may log in.
- guest_enable=<YES/NO>: whether virtual user accounts may log in.
- write_enable=<YES/NO>: whether local users get write permission.
- local_umask=<nnn>: the umask applied to files uploaded by local users; default 077.
- local_max_rate=<n>: maximum transfer rate for local users in bytes/s; 0 means unrestricted.
- local_root=<directory>: the directory a local user lands in after logging on; defaults to the user's home directory.
- chroot_local_user=<YES/NO>: when YES, all local users are chrooted.
- chroot_list_enable=<YES/NO>, chroot_list_file=<filename>: when chroot_local_user=NO and chroot_list_enable=YES, only the users named in the file are chrooted.
- anonymous_enable=<YES/NO>: whether anonymous access is supported.
- anon_max_rate=<n>: maximum transfer rate for anonymous users in B/s; 0 means unrestricted.
- anon_world_readable_only=<YES/NO>: whether anonymous users' browse (read) permission is opened up.
- anon_upload_enable=<YES/NO>: whether anonymous users may upload.
- anon_mkdir_write_enable=<YES/NO>: whether anonymous users may create directories.
- anon_other_write_enable=<YES/NO>: whether anonymous users get other write permissions (note that this one matters more for security and is generally not recommended, but with it off, transfers cannot be resumed).
- anon_umask=<nnn>: the umask applied to files uploaded by anonymous users; default 077.
Let's set a goal. The goal is to forbid anonymous access, restrict users to their FTP directory, allow users to upload, and use FTP passive mode.
Open the configuration file with sudo vim /etc/vsftpd.conf
and modify it as follows:
# Forbid anonymous access
anonymous_enable=NO
# Accept local users
local_enable=YES
# Allow uploads
write_enable=YES
# Users may only access their restricted directory
chroot_local_user=YES
# Fixed directory, added at the end of the file. Without this line each user gets its own directory (the user's home directory). You create this folder yourself.
local_root=/home/ftp
# If you use active mode, the following lines need not be configured
# Use passive mode
pasv_enable=YES
# Port range
pasv_min_port=1024
pasv_max_port=1048
# Your access IP (the server's public IP)
pasv_address=your access IP (the server's public IP)
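As an added example (not code from the original post), a small shell helper that applies the goal settings above to a vsftpd.conf-style file idempotently: any existing active or commented line for the same key is replaced, so re-running it never leaves duplicate keys. The address 203.0.113.10 used as the default pasv_address is a constructed placeholder for your server's public IP.

```shell
#!/bin/sh
# Added example: write KEY=VALUE into a vsftpd.conf-style file.
# Any existing line for KEY, active or commented out with '#', is dropped
# first, so running this twice leaves exactly one line for the key.
vsftpd_set() {
    key=$1; value=$2; conf=$3
    tmp=$(mktemp) || return 1
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"   # keeps the file's owner and mode
}

# Read the value of KEY's last active (uncommented) line; empty if absent.
vsftpd_get() {
    grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 | cut -d= -f2-
}

# Apply the goal from the text: no anonymous access, local users chrooted
# into a fixed root, uploads allowed, passive mode on ports 1024-1048.
# The second argument is the server's public IP; 203.0.113.10 is only a
# constructed placeholder taken from the documentation address range.
vsftpd_apply_goal() {
    conf=$1; pasv_addr=${2:-203.0.113.10}
    vsftpd_set anonymous_enable NO "$conf"
    vsftpd_set local_enable YES "$conf"
    vsftpd_set write_enable YES "$conf"
    vsftpd_set chroot_local_user YES "$conf"
    vsftpd_set local_root /home/ftp "$conf"
    vsftpd_set pasv_enable YES "$conf"
    vsftpd_set pasv_min_port 1024 "$conf"
    vsftpd_set pasv_max_port 1048 "$conf"
    vsftpd_set pasv_address "$pasv_addr" "$conf"
}

# Usage: sh thisfile.sh /etc/vsftpd.conf <public-ip>  (as root, then restart
# vsftpd). With no arguments nothing is touched.
if [ $# -ge 1 ]; then
    vsftpd_apply_goal "$1" "$2"
    vsftpd_get pasv_address "$1"
fi
```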
A knowledge point about active mode and passive mode: FTP is a TCP-based service that uses two ports, a data port and a command port (also called the control port). Typically these are port 21 (command) and port 20 (data). But depending on how the FTP session works, the data port is not always 20, and that is the biggest difference between active and passive FTP.
Active mode: for the data connection, the server connects from port 20 to a port greater than 1024 on the client.
Command connection: client (port >1024) -> server port 21
Data connection: client (port >1024) <- server port 20
Pros and cons: active FTP is convenient for managing the FTP server but inconvenient for managing the client, because the FTP server tries to open a connection to a high random port on the client, and that port is likely to be blocked by the client's firewall.
Passive mode: for the data connection, the client connects from a port greater than 1024 to a port greater than 1024 on the server.
Command connection: client (port >1024) -> server port 21
Data connection: client (port >1024) -> server (port >1024)
Pros and cons: passive FTP is convenient for managing the FTP client but inconvenient for managing the server, because the client opens two connections to the server, one of them to a high random port, and that port is likely to be blocked by the server's firewall.
3. Create a new FTP user and a new FTP root directory
Create a new user dedicated to logging in to the FTP server, and create the FTP root directory specified in the configuration file; there are many pitfalls here.
Create the FTP root directory:
sudo mkdir /home/ftp
Create the new user and set its password:
sudo useradd -d /home/ftp -M ftptest
sudo passwd ftptest
Test confidently with a command-line connection, and the result is a ==530 Login incorrect== error. The fix is as follows:
sudo vim /etc/pam.d/vsftpd
Comment out this line:
#auth required pam_shells.so
Then restart the service with sudo service vsftpd restart
for the change to take effect.
Reason:
With this module enabled, only users who have a shell can log in. What counts as having a shell? Look at the /etc/shells
file, which lists the available shells, then run cat /etc/passwd
; on the last line you can see the newly added user, and by comparison you can see that the new user has no shell specified. So it has no shell, and the module, which is in effect, turns it away.
So connect by FTP again and, WTF, the result is ==500 OOPS: vsftpd: refusing to run with writable root inside chroot()==. Solution:
sudo chmod a-w /home/ftp
sudo mkdir /home/ftp/data
Cause: vsftpd's chroot does not allow the root directory itself to be writable, but directories under the FTP root may have write permission, so this is the way to resolve it.
The connection succeeds and you see the data directory; you can only see the contents below /home/ftp
and find that your root directory is exactly that. It is impossible to jump to other directories, which is the safety.
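As an added example (not from the original post), a shell helper that lays out the FTP root the way the fix above describes, a read-only root with a writable data subdirectory, and checks the root's mode bits the way vsftpd's chroot check will. The directory and user names are whatever you pass in; chown only runs when a user is given, since it needs root.

```shell
#!/bin/sh
# Added example: lay out the FTP root the way vsftpd's chroot check wants it.
# The root itself must carry no write bit; uploads go to a subdirectory.

# Return 0 when DIR has no write bit for user, group or other, i.e. the
# state `chmod a-w` leaves it in. Read from the mode string rather than
# `test -w`, because as root `test -w` is always true.
chroot_root_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        ??w*|?????w*|????????w*) return 1 ;;   # u+w, g+w or o+w is set
    esac
    return 0
}

# Create ROOT and ROOT/data, strip every write bit from ROOT, and hand the
# data directory to USER (optional; chown needs root). The exit status is
# chroot_root_ok on ROOT, so the caller learns whether vsftpd will accept it.
prepare_ftp_root() {
    root=$1; user=$2
    mkdir -p "$root/data" || return 1
    chmod a-w "$root" || return 1          # the fix from the text
    chmod u+rwx "$root/data" || return 1   # upload target stays writable
    [ -z "$user" ] || chown "$user" "$root/data" || return 1
    chroot_root_ok "$root"
}

# Usage (as root): prepare_ftp_root /home/ftp ftptest && echo "root is OK"
```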
4. Using vsftpd's chroot list
But in fact we want some users (for example at administrator level) to be able to access all directories, while restricting the others (for example ordinary users) to the FTP root directory. For that we need vsftpd's chroot list function.
Run sudo vim /etc/vsftpd.conf
and you can see the following 3 commented lines:
#chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
In these 3 commented lines we see a user list named vsftpd.chroot_list, but this file does not exist initially; we need to create it ourselves.
If both are YES (as above), it means "restrict everyone, exempt the specific ones": all users are restricted, and only the users in /etc/vsftpd.chroot_list
are let out, that is, only users in this list can access all files, while users not in the list can only access the specified directory.
If it is NO and YES, it means "open to everyone, restrict the specific ones": you name a set of users to restrict, that is, the users in the list are the restricted ones.
sudo vim /etc/vsftpd.chroot_list
Add one user name per line, then save and exit; for example add our ftptest user, and set both options to YES.
When you now connect by FTP, you will find that you can access all directories. To verify that this works, disconnect, then set chroot_local_user
to NO, and you will find that you can only access the FTP directory.
This is the role of chroot.
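As an added example (not from the original post), a shell function that encodes the two rules above so you can predict whether a given user will be jailed before logging in: with chroot_local_user=YES the list names the exceptions, with chroot_local_user=NO the list names the users who are jailed, and with chroot_list_enable=NO the list is ignored. The user and list file names are whatever you pass in.

```shell
#!/bin/sh
# Added example: decide whether USER ends up chrooted to its FTP root.
#   chroot_local_user=YES : everyone jailed, listed users are the exceptions
#   chroot_local_user=NO  : nobody jailed, listed users are the ones jailed
#   chroot_list_enable=NO : the list is not consulted at all
# Usage: user_is_chrooted USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LISTFILE
# Exit status 0 = jailed to the FTP root, 1 = may roam the whole filesystem.
user_is_chrooted() {
    user=$1; local_all=$2; list_enable=$3; listfile=$4
    in_list=1
    if [ "$list_enable" = "YES" ] && [ -r "$listfile" ]; then
        # One user name per line, whole-line match (like vsftpd.chroot_list).
        if grep -qx -- "$user" "$listfile"; then in_list=0; fi
    fi
    if [ "$local_all" = "YES" ]; then
        [ $in_list -ne 0 ]     # jailed unless listed
    else
        [ $in_list -eq 0 ]     # jailed only if listed
    fi
}

# Example call (as in the text, ftptest is in the list and both options are
# YES, so ftptest is NOT jailed):
#   user_is_chrooted ftptest YES YES /etc/vsftpd.chroot_list || echo "ftptest roams"
```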