Use vsftp to set up FTP sites in Linux

Using vsftp to set up FTP sites in Linux 1. Statement

• Copyright (c) 2006-2007 belongs to etony c. f..

  Reprinted from http://www.debsir.org /.

 

2. FTP principles

The abbreviation of FTP Transfer Protocol is described in RFC 959.

An FTP session contains two channels: a control channel and a data channel.

Control CHannel: the control channel is used to communicate with the FTP server. The control channel is used to connect to FTP and send FTP commands.

Data Channel: data channel is a channel for file transfer or list with the FTP server.

In the FTP protocol, the control connection is initiated by a client, and the data connection works in two ways: Port and PASV.

 

Port mode (active mode)

The FTP client first establishes a connection with the TCP port 21 of the FTP server and sends commands through this channel. When the client needs to receive data, it sends the PORT command through this channel. The PORT command contains the port used by the client (a port greater than 1024) to receive data. When transmitting data, the server sends data through its TCP port 20. The FTP server must establish a new connection with the client to transmit data.

PASV mode (passive mode)

The port mode is similar when a control channel is set up. When the client sends the PASV command through this channel, the FTP Server opens a random port between port 1024 and port 5000 and notifies the client to send data requests on this port. Then, the FTP Server transfers data through this port, at this time, the FTP server no longer needs to establish a new connection with the client to transfer data.

From the perspective of the C/S model, port is outbound for servers and PASV is inbound for servers. Pay special attention to this, especially in enterprises that use firewalls, this is critical. If an error is set, the customer will not be able to connect.

3. vsftpd

Vsftpd is the name of a server running on a UNIX operating system that can run on Linux, BSD, Solaris, HP-UX, and IRIX. It supports many features that are not supported by other FTP servers. For example:

• Extremely high security requirements
• Bandwidth limit
• Good scalability
• Possibility of creating a virtual user
• IPv6 support
• Performance on the center-to-top
• Possible allocation of virtual IP addresses
• High Speed

The name of vsftpd stands for "very secure FTP daemon". Security is one of the top concerns of Chris Evans, its developer. At the beginning of the FTP server design and development, high security is a goal.

One example is that vsftpd works in chroot mode. In chroot mode, a new directory is specified for the Program (vsftpd is used here, it cannot access programs and files outside the directory-so it is also called "locked ". An FTP server that may be damaged by potential attackers will be isolated from other parts of the system, thus avoiding greater losses.

With so many features, the FTP service security should be the most important, and vsftpd is superior to other FTP servers. WU-FTPD http://www.wu-ftpd.org/can be seen here as a reverse example because it has seen too many security flaws in the past few years.

4. Basic vsftpd configuration 4.1 Installation

 

Source code Installation

See http://www.vsftpdrocks.org/source/

Download source code

 

wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.1.tar.gz

Extract

 

tar zxvf vsftpd-1.2.1.tar.gz

Go to the source code directory

 

cd vsftpd-1.2.1

Compile

 

make

Create user

If no nobody user exists, create

 

useradd nobody

Create directory

Vsftpd requires the/usr/share/empty directory. If the directory does not exist, create:

 

mkdir /usr/share/empty

Install

 

make install

Copy the configuration file to the/etc directory.

 

cp vsftpd.conf /etc

Start the vsftpd service independently

 

/usr/local/sbin/vsftpd &

4.2 Debian Installation

 

        # aptitude update
        # aptitude install vsftpd( 2.0.5)

5. configuration file description

 

/Etc/vsftpd. conf

The main configuration file/etc/ftpusers of vsftpd does not allow access to the FTP server. The administrator can record some sensitive accounts that are threatening system security in this file, to avoid threats to the System

 

        # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

        root
        daemon
        bin
        sys
        sync
        games
        man
        lp
        mail
        news
        uucp
        nobody

/Etc/vsftpd. user_list

This file is related to the userlist_file option. You can also use the userlist_file option to specify other files. The default value is/etc/vsftpd. user_list, which takes effect only when userlist_enable = yes. By default, userlist_deny = Yes specifies the list of users that cannot access the server, for example, userlist_deny = No, the FTP server only allows access from users in this list.

/Etc/init. d/vsftpd

Vsftpd Startup Script

/Var/log/vsftpd. Log

-----------------------------------------------------------

 

5.1 for configuration-related content, see:

 

        man vsftpd.conf

Or see: My translation of vsftpd. conf online manual http://etony.9966.org/doc/other/vsftpd-man-zh.html

5.2 start and stop the system

 

Start the service

 

        /etc/init.d/vsftpd start

Restart service

 

        /etc/init.d/vsftpd restart

Stop Service

 

        /etc/init.d/vsftpd stop

You can also use the rcconf tool to set whether the vsftpd service is started during system boot.

6. Configuration example

A sample file

 

# Start in standalone Mode
Listen = Yes


# Allow 200 clients to be connected at the same time. Each IP address allows up to four processes
Max_clients = 200
Max_per_ip = 4

Anonymous access is allowed, and only download permission is allowed. Disable local (system) User Logon
# Access rights
Anonymous_enable = Yes
Local_enable = No
Write_enable = No
Anon_upload_enable = No
Anon_mkdir_write_enable = No
Anon_other_write_enable = No


# Prohibit anonymous users from downloading files with global read permission. the user and group information columns in the directory are displayed as "ftp ".
# In passive mode, the server port range is limited to 50000 ~ 60000

Anon_world_readable_only = Yes
Connect_from_port_20 = Yes
Hide_ids = Yes
Pasv_min_port = 50000
Pasvanderbilt max_port = 60000

# Generate detailed upload and download logs. Do not use the "ls-R" command,

Xferlog_enable = Yes
Ls_recurse_enable = No
Ascii_download_enable = No
Async_abor_enable = Yes


# Run in Resource-saving mode (for Linux 2.4 kernel ),
# The maximum FTP command interval of a remote client exceeds 120 seconds, or the idle data connection exceeds 300 seconds.
# Maximum data transmission rate B/S allowed by anonymous clients
One_process_model = Yes
Idle_session_timeout = 120
Data _ connection_timeout = 300
Anon_max_rate = 50000

7. Configure virtual users (text mode) 7.1 For vsftpd to create virtual and user Databases

1. Create loguser.txt in the following format:

                userid
                pass

For example, if I create two users: Tony's password is tonypass and etony's password is etonypass, the content of loguser.txt is as follows:

 

                tony
                tonypass
                etony
                etonypass

2. Install the database generation tool:

 

                # aptitude install  libdb3-util

3. Generate a database:

 

                # db_load -T -t hash -f loguser.txt /etc/vsftpd_login.db

4. Set database file access permissions:

 

                # chmod 600 /etc/vsftpd_login.db

7.2 configure the PAM File

Modify/etc/PAM. d/vsftpd as follows:

 

        auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
        account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

7.3 create a local system user for a virtual user

 

        useradd -d /home/ftpsite virtual
        mkdir /home/ftpsite
        chown virtual.virtual /home/ftpsite
        ls -ld /home/ftpsite
        drwxr-sr-x 2 virtual virtual 48 2006-08-18 05:48 /home/ftpsite

Create some content in the directory

 

        echo "etony's vsftpd server" > /home/ftpsite/msg

        chown virtual.virtual /home/ftpsite/msg

7.4 create/etc/vsftpd. conf

Create/etc/vsftpd. conf as needed, but make sure that the following settings are included:

 

        anonymous_enable=NO
        local_enable=YES
        write_enable=NO
        anon_upload_enable=NO
        anon_mkdir_write_enable=NO
        anon_other_write_enable=NO
        chroot_local_user=YES
        guest_enable=YES
        guest_username=virtual
        listen=YES
        listen_port=21
        pasv_min_port=30000
        pasv_max_port=30999

7.5 Start vsftpd

-----------------------------------------------------------

 

7.6 Test

 

        $ lftp localhost -u tony,tonypass
        lftp tony@localhost:~> ls
        -rw-r--r--    1 1001     1001           22 Aug 17 21:49 msg
        lftp tony@localhost:/> exit
        $ lftp localhost -u tony,tonyp
        lftp tony@localhost:~> ls
        ls: Login failed: 530 Login incorrect.

8. Configure virtual users (database mode) For vsftpd 8.1 install MySQL database

 

        # aptitude install  mysql-server  libpam-mysql

The current MySQL database version is 5.0.24-1 libpam-mysql 0.6.2-1

 

tonybox:/var/log# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or /g.
Your MySQL connection id is 7 to server version: 5.0.22-Debian_4-log
Type 'help;' or '/h' for help. Type '/c' to clear the buffer.
mysql>
mysql>
mysql> create database vsftpd;
Query OK, 1 row affected (0.04 sec)
mysql> use vsftpd
Database changed
mysql> create table users(name char(20), passwd char(20));
Query OK, 0 rows affected (0.02 sec)
mysql> insert into users values('tony',password('passtony'));
Query OK, 1 row affected (0.02 sec)
mysql> insert into users values('etony',password('passetony'));
Query OK, 1 row affected (0.01 sec)
mysql> grant select, insert on vsftpd.users to 
 vsftpduser@localhost identified by 'vsftpdpass';
Query OK, 0 rows affected (0.02 sec)

8.2 create a user

 

tonybox:/var/log# mysql -u vsftpduser -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or /g.
Your MySQL connection id is 10 to server version: 5.0.22-Debian_4-log
Type 'help;' or '/h' for help. Type '/c' to clear the buffer.
mysql> use vsftpd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from users;
+----+-------+------------------+
| id | name  | passwd           |
+----+-------+------------------+
|  1 | tony  | 2351315b1bd1bd58           |
|  2 | etony | 59c0cde4781fb0be |
+----+-------+------------------+
2 rows in set (0.00 sec)
mysql>

8.3 configure the PAM File

Modify/etc/PAM. d/vsftpd as follows:

auth required /lib/security/pam_mysql.so user=vsftpduser 
passwd=vsftpdpass host=localhost db=vsftpd table=users 
usercolumn=name passwdcolumn=passwd crypt=2
account required /lib/security/pam_mysql.so user=vsftpduser 
passwd=vsftpdpass host=localhost db=vsftpd

table=users usercolumn=name passwdcolumn=passwd crypt=2

Crypt Value

0: plaintext storage in the database
1: Encrypted storage using the crypt () function
2: Encrypted storage using the MySQL password () function

8.4 Other configurations

Same as configuring virtual users For vsftpd (text mode)

8.5 Test

 

        tonybox:~# lftp localhost -u etony,passetony
        lftp etony@localhost:~> ls
        -rw-r--r--    1 1001     1001           22 Aug 17 21:49 msg
        lftp etony@localhost:/>

Note:

Libpam-mysql corresponding to the mysql-server-5.0 cannot implement password encryption because the password () function used does not match the password () used by the server, only the FTP user password can be stored in the database in plain text. The mysql-server-4.1 and libpam-MySQL (0.5.0-6) can be used in the database to store FTP user passwords encrypted

9. About logs

Libpam-mysql 0.6.2-1 module is still not perfect waiting to be added ......

10. FAQ

Http://www.vsftpdrocks.org/faq/ Chinese version see: http://wolfg.iblog.cn/index.phpp?viewarticle=articleid=50969

 

• Q) Why does symlink not work after chroot_local_user = yes is set?
• A) This is the result of how the security mechanism chroot () works. (Optional) Check hard links or use the "modern" Linux and powerful "Mount -- bind" command.

 

• Q) Help! I got the error message "refusing to run with writable Anonymous root.
• A) vsftpd does not allow "dangerous (Insecure)" configurations. This error message is usually caused by incorrect owner permissions in the home directory of FTP. The owner of the home directory should not be an FTP user, and the FTP user cannot have the write permission. Solution: chown root FTP; chmod-W FTP

 

• Q) Help! "500 Unknown command." is reported for uploading or other "write" commands .".
• A) by default, the "write" command (upload and create a directory) is disabled. this is a safe method. to allow writing a command, you must add the command in the configuration file/etc/vsftpd. add write_enable = yes to Conf.