Using vsftpd to set up FTP sites in Linux

1. Statement
  • Copyright (c) 2006-2007 belongs to etony c. f.

    Reprinted from http://www.debsir.org/

2. FTP principles

FTP, the File Transfer Protocol, is specified in RFC 959.

An FTP session uses two TCP connections: a control channel and a data channel.

Control channel: the connection the client opens to the FTP server (port 21 by default). All FTP commands and their replies travel over it.

Data channel: a separate connection used for each file transfer or directory listing.

The control connection is always initiated by the client. The data connection can be set up in two ways: PORT (active mode) and PASV (passive mode).

PORT mode (active mode)

The FTP client first connects to TCP port 21 of the server and sends commands over that channel. When the client needs to receive data, it sends the PORT command, which carries the client address and the port (an unprivileged port above 1023) on which the client is listening for data. The server then opens a new connection from its own TCP port 20 to that client port and sends the data over it. In other words, in active mode the server must establish a new connection back to the client.

PASV mode (passive mode)

The control channel is set up the same way. When the client sends the PASV command, the server opens a listening port of its own (the original text gives 1024 to 5000; in practice the range depends on the server and operating system, and vsftpd lets you pin it down with pasv_min_port and pasv_max_port), announces that address and port in its 227 reply, and the client connects to it to send or receive data. The server no longer needs to open a connection to the client.

From the client/server point of view, PORT means an outbound data connection from the server and PASV means an inbound one. Pay special attention to this wherever firewalls or NAT are involved: in active mode the client's firewall must accept the server's incoming connection from port 20, and in passive mode the server's firewall must accept incoming connections on the passive port range. If the rules do not match the mode, the client can log in but every listing or transfer will hang or fail.
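To make the two modes concrete, here is an added example (not part of the original article) that encodes and decodes the h1,h2,h3,h4,p1,p2 endpoint format shared by the PORT command and the 227 PASV reply, and applies the sanity check a server or a firewall helper should apply to a PORT request: the announced host must be the peer of the control connection and the port must be unprivileged, otherwise a client could make the server connect to a third party (the FTP bounce attack). vsftpd applies equivalent checks by default (they can be disabled with port_promiscuous and pasv_promiscuous). The addresses and ports in the sample messages are constructed.

```python
"""Encode, decode and validate FTP PORT/PASV data endpoints (RFC 959, section 4.1.2)."""
import ipaddress
import re

# Both the PORT argument and the 227 reply carry "h1,h2,h3,h4,p1,p2":
# four address octets followed by the port split into high and low byte.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2), rejecting bad fields."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Client side: decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    The client opens the data connection TO this endpoint, so only the
    server's firewall has to allow the announced passive port range.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    return _decode_hostport(reply)


def parse_port_command(line: str) -> tuple[str, int]:
    """Server side: decode 'PORT h1,h2,h3,h4,p1,p2' sent by an active-mode client."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(arg)


def build_port_command(ip: str, port: int) -> str:
    """Client side: encode the address and port the client is listening on for active mode."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)]) + "\r\n"


def data_endpoint_allowed(control_peer_ip: str, announced_ip: str, port: int) -> bool:
    """Security check for a PORT request: the data endpoint must be the host that
    owns the control connection and must be an unprivileged port. Refusing
    anything else stops the server being used as a relay (FTP bounce)."""
    return announced_ip == control_peer_ip and port > 1023


if __name__ == "__main__":
    # Constructed messages, not captured traffic.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,195,80)"))
    print(build_port_command("10.0.0.5", 40001).strip())
    print(data_endpoint_allowed("10.0.0.5", "10.0.0.9", 40001))
```

The 227 reply above decodes to port 50000, the bottom of the passive range used in the configuration example later on; a server firewall that opens only that range will pass it, and a PORT request naming another host than the control peer is refused before any connection is attempted.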

3. vsftpd

vsftpd is an FTP server for UNIX-like systems; it runs on Linux, BSD, Solaris, HP-UX and IRIX. It supports many features that other FTP servers do not, for example:

  • Very high security needs
  • Bandwidth limiting
  • Good scalability
  • The possibility to create virtual users
  • IPv6 support
  • Medium-to-high performance
  • The possibility to assign virtual IP addresses
  • High speed

The name vsftpd stands for "very secure FTP daemon". Security is the top concern of its developer, Chris Evans: high security was a design goal from the very start of the project.

One example is that vsftpd runs in chroot mode. In chroot mode the program (here vsftpd) is confined to a designated directory and cannot access programs or files outside it, which is why it is also described as "locked in". An FTP server that is compromised by an attacker is thus isolated from the rest of the system, limiting the damage.

Among all these features, the security of the FTP service matters most, and here vsftpd is ahead of other FTP servers. WU-FTPD (http://www.wu-ftpd.org/) serves as the counter-example: it has suffered too many security flaws over the past few years.

4. Basic vsftpd configuration

4.1 Installation

Source code installation

See http://www.vsftpdrocks.org/source/

Download the source code:

        wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.1.tar.gz

Extract it:

        tar zxvf vsftpd-1.2.1.tar.gz

Go to the source directory:

        cd vsftpd-1.2.1

Compile:

        make

Create the unprivileged user. vsftpd drops privileges to the nobody user; if it does not exist, create it:

        useradd nobody

Create the empty directory. vsftpd requires /usr/share/empty, an empty directory it uses as a chroot jail for its unprivileged process. If it does not exist, create it:

        mkdir /usr/share/empty

Install:

        make install

Copy the configuration file to /etc:

        cp vsftpd.conf /etc

Start vsftpd as a standalone daemon (this requires listen=YES in vsftpd.conf, as in the configuration example in section 6):

        /usr/local/sbin/vsftpd &
4.2 Debian installation

        # aptitude update
        # aptitude install vsftpd

(vsftpd 2.0.5 at the time of writing.)
5. Configuration file description

/etc/vsftpd.conf

The main configuration file of vsftpd.

/etc/ftpusers

Users listed in this file are denied FTP access. The administrator records sensitive accounts here (system accounts whose compromise would threaten the system) so that they can never log in over FTP:

        # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

        root
        daemon
        bin
        sys
        sync
        games
        man
        lp
        mail
        news
        uucp
        nobody

/etc/vsftpd.user_list

This file is tied to the userlist_file option, which can also point at another file; the default is /etc/vsftpd.user_list, and it is only consulted when userlist_enable=YES. With the default userlist_deny=YES it is a list of users who are refused access (they are denied before being asked for a password, so no password is sent over the wire); with userlist_deny=NO the server only admits users on the list.

/etc/init.d/vsftpd

The vsftpd startup script.

/var/log/vsftpd.log

The vsftpd log file.


5.1 For the configuration options, see:

        man vsftpd.conf

or my translation of the vsftpd.conf manual page: http://etony.9966.org/doc/other/vsftpd-man-zh.html

5.2 Starting and stopping the service

Start the service:

        /etc/init.d/vsftpd start

Restart the service:

        /etc/init.d/vsftpd restart

Stop the service:

        /etc/init.d/vsftpd stop

You can also use the rcconf tool to choose whether vsftpd is started at boot.

6. Configuration example

A sample file. Note that vsftpd options are written as option=value, lowercase, with no spaces around the "=":

        # Run in standalone mode
        listen=YES

        # Allow 200 simultaneous clients, at most 4 connections per source IP
        max_clients=200
        max_per_ip=4

        # Access rights: anonymous access allowed, download only;
        # local (system) user login disabled
        anonymous_enable=YES
        local_enable=NO
        write_enable=NO
        anon_upload_enable=NO
        anon_mkdir_write_enable=NO
        anon_other_write_enable=NO

        # Anonymous users may only download world-readable files.
        # Active-mode data connections originate from port 20.
        # Show "ftp" instead of the real user and group in directory listings.
        # In passive mode, restrict the server's data ports to 50000-60000
        # (this is the range to open on the firewall).
        anon_world_readable_only=YES
        connect_from_port_20=YES
        hide_ids=YES
        pasv_min_port=50000
        pasv_max_port=60000

        # Keep a detailed upload/download log; refuse recursive "ls -R"
        # (expensive on large trees); refuse ASCII-mode downloads;
        # enable the "async ABOR" command some clients need to cancel transfers
        xferlog_enable=YES
        ls_recurse_enable=NO
        ascii_download_enable=NO
        async_abor_enable=YES

        # One-process model: saves resources (Linux 2.4 kernels only) but is
        # less secure, because it gives up the privilege-separated two-process
        # design. Disconnect a client after 120 s without an FTP command, or
        # 300 s with a stalled data connection. Cap anonymous transfers at
        # 50000 bytes/s.
        one_process_model=YES
        idle_session_timeout=120
        data_connection_timeout=300
        anon_max_rate=50000
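As an added check (example code, not from the article or from vsftpd itself), the following parses a vsftpd.conf in the documented option=value form and flags the combinations that weaken a server of the kind configured above: anonymous write access, local users left outside a chroot, the one-process model, and a missing passive port range. The two embedded configurations are constructed samples (the hardened one is the essential settings of the virtual-user setup in section 7.4); the option names and the defaults assumed for absent options (anonymous_enable and pasv_enable default to YES, the rest to NO) are those of vsftpd.conf(5).

```python
"""Audit a vsftpd.conf for settings that weaken the server (added example)."""

# Constructed sample: the essential settings of the virtual-user setup in section 7.4.
HARDENED_SAMPLE = """\
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
pasv_min_port=30000
pasv_max_port=30999
"""

# Constructed sample of a badly configured server.
WEAK_SAMPLE = """\
# anonymous users may upload, local users roam the whole filesystem
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
one_process_model=YES
"""


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse vsftpd.conf: '#' lines are comments, every other line is option=value,
    and vsftpd permits no whitespace between the option, the '=' and the value."""
    conf: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not option=value: {raw!r}")
        key, _, value = line.partition("=")
        if key != key.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: whitespace around '=': {raw!r}")
        conf[key.lower()] = value
    return conf


def _on(conf: dict[str, str], key: str, default: str = "NO") -> bool:
    """Boolean option lookup; 'default' is the vsftpd.conf(5) default for that option."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd_conf(conf: dict[str, str]) -> list[str]:
    """Return findings for risky combinations; an empty list means none were hit."""
    findings = []
    anon_write = (_on(conf, "anon_upload_enable") or _on(conf, "anon_mkdir_write_enable")
                  or _on(conf, "anon_other_write_enable"))
    if _on(conf, "anonymous_enable", "YES") and _on(conf, "write_enable") and anon_write:
        findings.append("anonymous users can write to the server")
    if (_on(conf, "local_enable") and not _on(conf, "chroot_local_user")
            and not _on(conf, "chroot_list_enable")):
        findings.append("local users are not chrooted and can browse the whole filesystem")
    if _on(conf, "one_process_model"):
        findings.append("one_process_model=YES gives up the privilege-separated two-process model")
    if _on(conf, "pasv_enable", "YES") and not ("pasv_min_port" in conf and "pasv_max_port" in conf):
        findings.append("no pasv_min_port/pasv_max_port: passive data ports cannot be firewalled precisely")
    return findings


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(label, audit_vsftpd_conf(parse_vsftpd_conf(sample)) or ["no findings"])
```

Run against the sample file above it reports only the one_process_model finding, which is the trade-off the comment there already names; the parser deliberately rejects "listen = YES" style lines, since vsftpd would not read them as intended.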
7. Configure virtual users for vsftpd (text mode)

7.1 Create the virtual user database

1. Create loguser.txt with each user name on one line and its password on the next:

                userid
                pass

For example, to create two users, tony with password tonypass and etony with password etonypass, loguser.txt contains:

                tony
                tonypass
                etony
                etonypass

2. Install the database tool:

                # aptitude install libdb3-util

3. Generate the database:

                # db_load -T -t hash -f loguser.txt /etc/vsftpd_login.db

4. Restrict access to the database file, and remove loguser.txt once the database is built, since both hold the passwords in clear text:

                # chmod 600 /etc/vsftpd_login.db

7.2 Configure the PAM file

Edit /etc/pam.d/vsftpd so that it reads:

        auth    required /lib/security/pam_userdb.so db=/etc/vsftpd_login
        account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

(pam_userdb appends the .db suffix itself, so the db= path is given without it.)
7.3 Create a local system user for the virtual users

All virtual users are mapped onto a single local account, here called virtual, whose home directory is the FTP site root:

        useradd -d /home/ftpsite virtual
        mkdir /home/ftpsite
        chown virtual:virtual /home/ftpsite
        ls -ld /home/ftpsite
        drwxr-sr-x 2 virtual virtual 48 2006-08-18 05:48 /home/ftpsite

Create some content in the directory:

        echo "etony's vsftpd server" > /home/ftpsite/msg
        chown virtual:virtual /home/ftpsite/msg
7.4 Create /etc/vsftpd.conf

Create /etc/vsftpd.conf as needed, but make sure it includes the following settings. guest_enable=YES makes every non-anonymous login run as the local user named by guest_username, and chroot_local_user=YES confines that user to its home directory, /home/ftpsite:

        anonymous_enable=NO
        local_enable=YES
        write_enable=NO
        anon_upload_enable=NO
        anon_mkdir_write_enable=NO
        anon_other_write_enable=NO
        chroot_local_user=YES
        guest_enable=YES
        guest_username=virtual
        listen=YES
        listen_port=21
        pasv_min_port=30000
        pasv_max_port=30999

7.5 Start vsftpd

Start (or restart) the service as described in 5.2.


7.6 Test

A login with the right password succeeds and lists the msg file; a login with a wrong password is refused with 530:

        $ lftp localhost -u tony,tonypass
        lftp tony@localhost:~> ls
        -rw-r--r-- 1 1001 1001 22 Aug 17 21:49 msg
        lftp tony@localhost:/> exit
        $ lftp localhost -u tony,tonyp
        lftp tony@localhost:~> ls
        ls: Login failed: 530 Login incorrect.
8. Configure virtual users for vsftpd (database mode)

8.1 Install the MySQL database

        # aptitude install mysql-server libpam-mysql

The versions used here are MySQL server 5.0.24-1 and libpam-mysql 0.6.2-1.

 

Create the database and a table for the FTP users, then grant a dedicated MySQL account the rights it needs:

        tonybox:/var/log# mysql -u root
        Welcome to the MySQL monitor.  Commands end with ; or \g.
        Your MySQL connection id is 7 to server version: 5.0.22-Debian_4-log

        Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

        mysql> create database vsftpd;
        Query OK, 1 row affected (0.04 sec)
        mysql> use vsftpd
        Database changed
        mysql> create table users(name char(20), passwd char(20));
        Query OK, 0 rows affected (0.02 sec)
        mysql> insert into users values('tony',password('passtony'));
        Query OK, 1 row affected (0.02 sec)
        mysql> insert into users values('etony',password('passetony'));
        Query OK, 1 row affected (0.01 sec)
        mysql> grant select, insert on vsftpd.users to
            -> vsftpduser@localhost identified by 'vsftpdpass';
        Query OK, 0 rows affected (0.02 sec)

pam_mysql only ever reads the table, so SELECT is the only privilege it needs; grant INSERT to this account only if you also use it to add users.
8.2 Verify the users

Log in as the new MySQL account and confirm the rows are there:

        tonybox:/var/log# mysql -u vsftpduser -p
        Enter password:
        Welcome to the MySQL monitor.  Commands end with ; or \g.
        Your MySQL connection id is 10 to server version: 5.0.22-Debian_4-log

        Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

        mysql> use vsftpd
        Reading table information for completion of table and column names
        You can turn off this feature to get a quicker startup with -A

        Database changed
        mysql> select * from users;
        +----+-------+------------------+
        | id | name  | passwd           |
        +----+-------+------------------+
        |  1 | tony  | 2351315b1bd1bd58 |
        |  2 | etony | 59c0cde4781fb0be |
        +----+-------+------------------+
        2 rows in set (0.00 sec)
        mysql>
8.3 Configure the PAM file

Edit /etc/pam.d/vsftpd so that it reads (each entry on a single line):

        auth    required /lib/security/pam_mysql.so user=vsftpduser passwd=vsftpdpass host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2
        account required /lib/security/pam_mysql.so user=vsftpduser passwd=vsftpdpass host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2

This file carries the database password in clear text, so keep it readable by root only.

crypt values

0: passwords are stored in the database in plain text
1: passwords are hashed with the crypt() function
2: passwords are hashed with the MySQL PASSWORD() function
8.4 Other configuration

The same as for virtual users in text mode (section 7).

8.5 Test

        tonybox:~# lftp localhost -u etony,passetony
        lftp etony@localhost:~> ls
        -rw-r--r-- 1 1001 1001 22 Aug 17 21:49 msg
        lftp etony@localhost:/>

Note:

The libpam-mysql that accompanies mysql-server-5.0 cannot verify hashed passwords, because the password() function it implements does not match the PASSWORD() function of the 5.0 server, so with that combination FTP user passwords can only be stored in the database in plain text (crypt=0). With mysql-server-4.1 and libpam-mysql 0.5.0-6 the FTP user passwords can be stored hashed. (MySQL 4.1 introduced a new PASSWORD() format, 41 characters beginning with "*", alongside the old 16-character format shown in the listing above; note also that the char(20) column created in 8.1 cannot hold the longer form.)
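To show concretely why the two PASSWORD() implementations disagree, here is an added example (not from the article or from libpam-mysql) implementing both MySQL hash formats in Python: the pre-4.1 algorithm that yields the 16-character hashes seen in the listing above, and the 4.1+ algorithm, "*" followed by SHA1(SHA1(password)) in upper-case hex. verify_password checks a candidate against whichever form the passwd column holds, which is the decision a PAM module has to make. Both formats are unsalted, fast hashes, so a leaked users table is cheap to crack either way; treat the database as you would /etc/shadow. The hash of "test" in the old format is a known value; the other inputs are constructed.

```python
"""MySQL PASSWORD() hashes, pre-4.1 and 4.1+, as pam_mysql crypt=2 has to interpret them."""
import hashlib


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): two 31-bit words rendered as 16 lower-case hex digits.
    The arithmetic emulates 32-bit unsigned C integers."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":  # the original algorithm ignores spaces and tabs
            continue
        tmp = ord(ch)
        nr ^= (((nr & 63) + add) * tmp) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += tmp
        nr &= 0xFFFFFFFF
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_new_password(password: str) -> str:
    """4.1+ MySQL PASSWORD(): '*' + SHA1(SHA1(password)), 41 upper-case characters."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against whichever hash format the users table holds."""
    if len(stored) == 16:
        return stored.lower() == mysql_old_password(password)
    if len(stored) == 41 and stored.startswith("*"):
        return stored.upper() == mysql_new_password(password)
    raise ValueError("unrecognised MySQL password hash format")


if __name__ == "__main__":
    for pw in ("test", "passtony"):
        print(pw, mysql_old_password(pw), mysql_new_password(pw))
```

A module that only knows the old algorithm will compute a 16-character value and compare it with the 41-character string a 5.0 server stored, so every login fails; that is the mismatch the note above describes.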


9. About logs

The libpam-mysql 0.6.2-1 module is not yet fully covered; this section is still to be written.

10. FAQ

http://www.vsftpdrocks.org/faq/ (Chinese version: http://wolfg.iblog.cn/index.phpp?viewarticle=articleid=50969)

  • Q) Why do symlinks stop working after setting chroot_local_user=YES?
  • A) This is a consequence of how the chroot() security mechanism works: a symlink that points outside the jail cannot be resolved from inside it. Use hard links instead, or on a modern Linux use "mount --bind".

  • Q) Help! I get the error message "refusing to run with writable anonymous root".
  • A) vsftpd refuses to run with "dangerous" (insecure) configurations. This message is usually caused by wrong ownership or permissions on the anonymous FTP home directory: it must not be owned by the ftp user, and the ftp user must not have write permission on it. Fix: chown root ftp; chmod a-w ftp (where ftp is the anonymous root directory).

  • Q) Help! Uploads and other "write" commands fail with "500 Unknown command.".
  • A) By default the "write" commands (uploading, creating directories) are disabled; this is the safe default. To allow them, add write_enable=YES to /etc/vsftpd.conf.

