Use of vsftpd and Analysis of vsftpd

Source: Internet
Author: User
Tags: ftp commands, ftp client, ftp transfer


vsftpd is an excellent FTP server; the name is short for "very secure ftp daemon", and as the name suggests it focuses on security. Its developer is Chris Evans.

Note that vsftpd works in chroot mode. A chroot assigns a program a new root directory: the program cannot access programs or files outside that directory, so it acts as a kind of lock-down. This isolates an FTP server compromised by an attacker from the rest of the system.

FTP stands for File Transfer Protocol; see RFC 959 for details. An FTP session consists of two channels: the control channel and the data channel. The client connects to the FTP server over the control channel and sends FTP commands through it. The data channel is used for file transfers and directory listings with the FTP server.

By default, the FTP server manages users based on /etc/passwd and /etc/group. The anonymous account's username and password are both ftp, and this user can be found in the operating system's /etc/passwd. In general, the ftp user and group entries in /etc/passwd and /etc/group must not be deleted, because the FTP server needs them to manage FTP users. Although the username and group cannot be removed, the user's home directory can be removed, its UID changed, and so on.

vsftpd is usually installed with yum install vsftpd or apt-get install vsftpd. Installation is quick and simple. The service is started with service vsftpd start, stopped with service vsftpd stop, and its status is shown with service vsftpd status.

The following are the important configuration-related files:

(1) /etc/vsftpd.conf: the main configuration file

(2) /usr/sbin/vsftpd: the main program

(3) /etc/rc.d/init.d/vsftpd: the startup script

(4) /etc/pam.d/vsftpd: the PAM authentication file. Its file=/etc/vsftpd/ftpusers field blocks the users listed in /etc/vsftpd/ftpusers.

(5) /etc/vsftpd/ftpusers: the list of users forbidden to use vsftpd; it records the usernames that are not allowed to access the FTP server.

(6) /etc/vsftpd/user_list: a list of users that are either denied or allowed to use vsftpd. If userlist_deny=YES is set in /etc/vsftpd.conf, the users in this list are denied access to the FTP server; if it is set to NO, only the users in this list are allowed access.

(7) /var/ftp: the home directory of anonymous users.

(8) /var/ftp/pub: the download directory of anonymous users. This directory must be given the permissions chmod 1777 pub; the leading 1 is the sticky bit, so a file uploaded by one user cannot be deleted by another.

(9) /etc/logrotate.d/vsftpd.conf: the log rotation configuration for the vsftpd log file.



The following describes the /etc/vsftpd.conf file (vsftpd requires one option per line with no spaces around the = sign; lines starting with # are comments):

# Whether anonymous logon to the FTP server is allowed. The default value is YES.
# Anonymous users log on with the username ftp or anonymous; the password is their e-mail address.
# To disallow anonymous access, set this to NO.
anonymous_enable=YES
# Whether local users (user accounts on the Linux system) may log on to the FTP server. The default value is YES.
# After a local user logs on, the user's home directory is shown; after an anonymous user logs on, the download directory /var/ftp/pub is shown.
# If only anonymous users should have access, comment this line out to block local users.
local_enable=YES
# Whether local users have write permission on files on the FTP server. The default value is YES (allowed).
write_enable=YES
# File creation mask for local users. The default local-user umask is 077.
# You can set it to the usual 022, or to another value of your choosing.
#local_umask=022
# Whether anonymous users may upload files. The global write_enable=YES must be set. The default value is YES.
#anon_upload_enable=YES
# Whether anonymous users may create new directories.
#anon_mkdir_write_enable=YES
# Whether directory welcome messages are enabled.
# When a user first enters a directory on the server in command-line mode, the FTP server shows a welcome message.
# By default the message is read from the .message file in that directory, which the administrator creates with custom text.
#dirmessage_enable=YES
# Whether the server keeps a log of uploads and downloads.
# By default this log file is /var/log/vsftpd.log; it can also be set with the xferlog_file option below. Default value: NO.
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Whether the FTP server opens active-mode data connections from port 20; port 21 is the control connection.
connect_from_port_20=YES
# Whether the owner of uploaded files is changed; used together with the following option.
# Note: it is not recommended to make root the owner of uploaded files.
#chown_uploads=YES
# The owner that uploaded files are changed to. Enter a system username if needed;
# "whoever" here is only a placeholder, not a real account.
#chown_username=whoever
# Log file in which the FTP server records uploads and downloads.
# /var/log/vsftpd.log is the default; another path can be set.
#xferlog_file=/var/log/vsftpd.log
# Whether to write the transfer log in the standard xferlog format.
# The default path is /var/log/xferlog; it can also be set with the xferlog_file option. The default value is NO.
#xferlog_std_format=YES
# The following are additional settings; add the corresponding option to enable it.
# Whether to write two separate log files.
# By default they are /var/log/xferlog and /var/log/vsftpd.log.
# The former is a wu-ftpd style transfer log that standard log tools can analyse; the latter is vsftpd's own log.
#dual_log_enable=YES
# Whether vsftpd's log output goes to the system log instead of /var/log/vsftpd.log.
#syslog_enable=YES
# Idle session timeout. This setting disconnects an idle user session after 600 seconds,
# i.e. once a transfer ends, the user's connection to the FTP server is dropped if it stays idle for more than 600 seconds. Adjust as needed.
#idle_session_timeout=600
# Data connection timeout. This setting times out a stalled data connection after 120 seconds. Adjust as needed.
#data_connection_timeout=120
# The unprivileged system user that vsftpd runs as. The default value is nobody.
#nopriv_user=ft1_cure
# Whether asynchronous ABOR requests are recognised.
# If an FTP client issues an "async ABOR" command, this setting must be enabled.
# It is generally considered insecure, so it is usually left disabled.
#async_abor_enable=YES
# Whether data is transferred in ASCII mode. By default the server ignores ASCII-mode requests.
# Enabling these options lets the server transfer data in ASCII mode,
# but this can be abused for denial of service with "SIZE /big/file".
#ascii_upload_enable=YES
#ascii_download_enable=YES
# Welcome banner shown when logging on to the FTP server.
# If needed, you can also create a .message file in a directory containing the welcome text.
#ftpd_banner=Welcome to blah FTP service.
# Blacklist settings. If you want to refuse certain e-mail addresses, this setting revokes their logon permission.
# You can block particular e-mail addresses (the passwords anonymous users give).
#deny_email_enable=YES
# When deny_email_enable=YES, this option names the file listing the e-mail addresses that may not log on to the vsftpd server.
# The file must be created by the administrator, one e-mail address per line.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether users may access files outside their own directory after logging on to the FTP server.
# When set to YES, the user is locked in the home directory; vsftpd looks for the chroot list at the path given by the chroot_list_file option below.
# Must be used together with the following setting.
#chroot_list_enable=YES
# Users listed in this file cannot change to any directory outside their own after logging on,
# which helps with security management and privacy protection on the FTP server.
# The file must be created by the administrator.
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether recursive listings are allowed. Disabled by default to prevent remote users from causing excessive I/O.
#ls_recurse_enable=YES
# Whether vsftpd listens on its own.
# If YES, vsftpd runs in standalone mode, listening for and handling IPv4 connection requests.
listen=YES
# Whether IPv6 is supported. To listen on IPv4 and IPv6 at the same time,
# you must run two vsftpd instances with two configuration files.
# Make sure only one of the two listen options is enabled.
#listen_ipv6=YES
# Name of the PAM service configuration used for authentication, i.e. the /etc/pam.d/vsftpd file.
# The file=/etc/vsftpd/ftpusers field in that file means that the accounts PAM refuses come from /etc/vsftpd/ftpusers.
#pam_service_name=vsftpd
# Whether the user_list file is consulted at logon. The default value is NO.
# If set to YES, the users in the user_list file are allowed to log on to the FTP server;
# if userlist_deny=YES is also set, the users in the user_list file are refused before they are even prompted for a password.
#userlist_enable=YES/NO
# Whether the users in the user_list file are blocked from logging on to the FTP server. The default value is YES.
#userlist_deny=YES/NO
# Whether tcp_wrappers is used for host-based access control.
# tcp_wrappers implements host-address-based access control for network services on Linux.
# The files /etc/hosts.allow and /etc/hosts.deny hold the tcp_wrappers rules:
# the former lists allowed hosts, the latter denied hosts.
# For example, to stop some hosts from anonymously accessing the FTP server 192.168.57.2,
# add the following two lines to /etc/hosts.allow:
#   vsftpd: 192.168.57.1: DENY
#   vsftpd: 192.168.57.9: DENY
# This means that hosts 192.168.57.1 and 192.168.57.9 can still ping the FTP server 192.168.57.2 but cannot connect to it.
tcp_wrappers=YES
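As an added example (not part of the original article or of vsftpd itself), the script below parses a vsftpd.conf in the format shown above and flags the risky combinations the comments warn about: anonymous uploads, ASCII mode, async ABOR, unconfined local users, and both listen options enabled. The configuration it reads is a constructed sample; the option names are vsftpd's real ones, and anonymous_enable is treated as defaulting to YES as the article states, while every other option counts as NO unless set.

```python
# Added example: a small auditor for the vsftpd.conf options explained above.
# The configuration below is a constructed sample, not a real server's file.
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
ascii_upload_enable=YES
async_abor_enable=YES
listen=YES
#listen_ipv6=YES
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf: one key=value per line, '#' starts a comment, no spaces around '='."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def is_yes(opts, key, default="NO"):
    """vsftpd booleans accept YES/NO (also TRUE/FALSE, 1/0), case-insensitively."""
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")


def audit(opts):
    """Return findings for the risky combinations discussed in the article."""
    findings = []
    anon = is_yes(opts, "anonymous_enable", "YES")  # the article gives YES as the default
    # write_enable is the global switch; anon_upload_enable adds anonymous uploads on top of it
    if anon and is_yes(opts, "write_enable") and is_yes(opts, "anon_upload_enable"):
        findings.append("anonymous users can upload files")
    if anon and is_yes(opts, "anon_mkdir_write_enable"):
        findings.append("anonymous users can create directories")
    # ASCII mode can be abused for denial of service with "SIZE /big/file"
    if is_yes(opts, "ascii_upload_enable") or is_yes(opts, "ascii_download_enable"):
        findings.append("ASCII transfer mode enabled (SIZE-based DoS risk)")
    if is_yes(opts, "async_abor_enable"):
        findings.append("async ABOR enabled (generally considered insecure)")
    # local users stay unconfined unless chroot_local_user=YES or a chroot list is enabled
    if is_yes(opts, "local_enable") and not (is_yes(opts, "chroot_local_user") or is_yes(opts, "chroot_list_enable")):
        findings.append("local users are not chrooted to their home directory")
    # only one of the two listen options may be enabled at a time
    if is_yes(opts, "listen") and is_yes(opts, "listen_ipv6"):
        findings.append("listen and listen_ipv6 are both enabled")
    return findings
```

Running audit(parse_vsftpd_conf(open("/etc/vsftpd.conf").read())) against a live file gives the same list for a real configuration.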


