Using vsftpd to set up FTP sites in Linux
1. Statement
2. FTP principles
FTP (File Transfer Protocol) is described in RFC 959.
An FTP session contains two channels: a control channel and a data channel.
Control channel: the control channel is used to talk to the FTP server; the client connects to it and sends FTP commands over it.
Data channel: the data channel carries file transfers and directory listings between the client and the FTP server.
In the FTP protocol the control connection is always initiated by the client, while the data connection can be set up in one of two ways: PORT or PASV.
- PORT mode (active mode)
  The FTP client first establishes a connection to TCP port 21 of the FTP server and sends commands over this channel. When the client needs to receive data it sends the PORT command over this channel; the PORT command carries the port (a port greater than 1024) on which the client will receive the data. To transfer the data, the server connects from its own TCP port 20 to that client port, so the FTP server must open a new connection to the client for every data transfer.
- PASV mode (passive mode)
  The control channel is set up the same way as in PORT mode. When the client sends the PASV command over this channel, the FTP server opens a random port between 1024 and 5000 and tells the client to send its data request to that port. The FTP server then transfers the data over this port and no longer has to open a new connection to the client.
From the server's point of view in the client/server model, PORT mode means outbound connections from the server and PASV mode means inbound connections to the server. Pay special attention to this, particularly in enterprises that use firewalls, where it is critical: if the firewall rules do not match the mode in use, clients will not be able to connect.
3. vsftpd
vsftpd is an FTP server for UNIX-like operating systems; it runs on Linux, BSD, Solaris, HP-UX and IRIX. It supports many features that other FTP servers lack, for example:
- Very high security
- Bandwidth limiting
- Good scalability
- Virtual users
- IPv6 support
- Above-average performance
- Virtual IP configurations
- High speed
The name vsftpd stands for "very secure FTP daemon". Security has been the top concern of its developer, Chris Evans: high security was a design goal from the very beginning of the server's development.
One example is that vsftpd works in chroot mode. In chroot mode a new root directory is specified for the program (here vsftpd), and it cannot access programs or files outside that directory, which is why the mode is also called "locked". An FTP server compromised by an attacker is thus isolated from the rest of the system, which limits the damage.
With so many features, FTP service security should still be the most important one, and here vsftpd is superior to other FTP servers. WU-FTPD (http://www.wu-ftpd.org/) serves as the counterexample: it has had too many security flaws in the past few years.
4. Basic vsftpd configuration
4.1 Installation
- Source code installation
  See http://www.vsftpdrocks.org/source/
- Download the source code
  wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.1.tar.gz
- Extract
  tar zxvf vsftpd-1.2.1.tar.gz
- Go to the source code directory
  cd vsftpd-1.2.1
- Compile
  make
- Create the user
  If no "nobody" user exists, create it:
  useradd nobody
- Create the directory
  vsftpd requires the /usr/share/empty directory. If it does not exist, create it:
  mkdir /usr/share/empty
- Install
  make install
- Copy the configuration file to /etc
  cp vsftpd.conf /etc
- Start the vsftpd service in standalone mode
  /usr/local/sbin/vsftpd &
4.2 Debian installation
# aptitude update
# aptitude install vsftpd   (version 2.0.5 at the time of writing)
5. Configuration files
- /etc/vsftpd.conf
  The main configuration file of vsftpd.
- /etc/ftpusers
  Users listed in this file are not allowed to access the FTP server. The administrator can record sensitive accounts that would threaten system security here, so that they cannot be used over FTP:
  # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).
  root
  daemon
  bin
  sys
  sync
  games
  man
  lp
  mail
  news
  uucp
  nobody
- /etc/vsftpd.user_list
  This file is tied to the userlist_file option; userlist_file can also point to another file. The default is /etc/vsftpd.user_list, and it takes effect only when userlist_enable=YES. With the default userlist_deny=YES the file lists users who are denied access; with userlist_deny=NO the FTP server only allows the users in this list to log in.
- /etc/init.d/vsftpd
  The vsftpd startup script.
- /var/log/vsftpd.log
  The vsftpd log file.
-----------------------------------------------------------
5.1 For the configuration options, see:
man vsftpd.conf
or my translation of the vsftpd.conf manual page: http://etony.9966.org/doc/other/vsftpd-man-zh.html
5.2 Starting and stopping the service
- Start the service
  /etc/init.d/vsftpd start
- Restart the service
  /etc/init.d/vsftpd restart
- Stop the service
  /etc/init.d/vsftpd stop
You can also use the rcconf tool to set whether the vsftpd service is started during system boot.
6. Configuration example
A sample /etc/vsftpd.conf (option names are lowercase, and there must be no spaces around "="):
# Run in standalone mode
listen=YES
# Allow 200 simultaneous clients, at most four connections per client IP address
max_clients=200
max_per_ip=4
# Access rights: anonymous access allowed, download only; local (system) user logins disabled
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Anonymous users may only download files that are world-readable; data connections
# originate from server port 20; owner and group columns in listings are shown as "ftp"
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
# In passive mode, restrict the server's data ports to 50000-60000
pasv_min_port=50000
pasv_max_port=60000
# Detailed upload/download log; no recursive "ls -R"; no ASCII-mode downloads;
# allow ABOR while a transfer is in progress
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Resource-saving one-process-per-connection model (Linux 2.4 kernel only; a less strict security model in exchange for performance)
# Drop a session after 120 seconds without an FTP command, or a data connection idle for 300 seconds
# Maximum transfer rate for anonymous clients, in bytes per second
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
anon_max_rate=50000
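As an added example (not part of the original article), a small Python checker for a vsftpd.conf: it parses option=value lines the way vsftpd expects (no spaces around "=", lowercase option names, "#" comments) and flags the conditions this article cares about: anonymous write access, local users not confined with chroot_local_user, and a missing passive port range. The embedded configuration is a constructed sample built from the settings above.

```python
SAMPLE_CONF = """\
# constructed sample with the settings from the section above
listen=YES
max_clients=200
max_per_ip=4
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
"""

def parse_vsftpd_conf(text):
    """Parse option=value lines as vsftpd does: '#' comments, no spaces around '='."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # vsftpd option names are lowercase, and whitespace around '=' is an error
        if not sep or not key or key != key.strip().lower() or value != value.strip():
            raise ValueError("line %d: malformed option %r" % (lineno, raw))
        conf[key] = value
    return conf

def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"

def audit(conf):
    """Return findings about the settings this page warns about; an empty list means clean."""
    findings = []
    anon_writes = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")
    # vsftpd's built-in default for anonymous_enable is YES, so an absent key counts as enabled
    if (is_yes(conf, "anonymous_enable", "YES") and is_yes(conf, "write_enable")
            and any(is_yes(conf, k) for k in anon_writes)):
        findings.append("anonymous users may upload, create directories or rename/delete")
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        findings.append("local users are not confined to their home directory (chroot_local_user)")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0 or lo > hi:
        findings.append("passive data ports are not pinned to a range the firewall can allow")
    return findings
```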
7. Configuring virtual users for vsftpd (text mode)
7.1 Create the virtual user database
1. Create loguser.txt in the following format (a user name on one line, its password on the next):
userid
pass
For example, to create two users, tony with password tonypass and etony with password etonypass, loguser.txt contains:
tony
tonypass
etony
etonypass
2. Install the database generation tool:
# aptitude install libdb3-util
3. Generate the database:
# db_load -T -t hash -f loguser.txt /etc/vsftpd_login.db
4. Restrict access to the database file (it holds the passwords):
# chmod 600 /etc/vsftpd_login.db
7.2 Configure the PAM file
Modify /etc/pam.d/vsftpd as follows:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
7.3 Create a local system user for the virtual users
useradd -d /home/ftpsite virtual
mkdir /home/ftpsite
chown virtual:virtual /home/ftpsite
ls -ld /home/ftpsite
drwxr-sr-x 2 virtual virtual 48 2006-08-18 05:48 /home/ftpsite
Create some content in the directory:
echo "etony's vsftpd server" > /home/ftpsite/msg
chown virtual:virtual /home/ftpsite/msg
7.4 Create /etc/vsftpd.conf
Create /etc/vsftpd.conf as needed, but make sure the following settings are included:
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
listen_port=21
pasv_min_port=30000
pasv_max_port=30999
7.5 Start vsftpd
-----------------------------------------------------------
7.6 Test
$ lftp localhost -u tony,tonypass
lftp tony@localhost:~> ls
-rw-r--r-- 1 1001 1001 22 Aug 17 21:49 msg
lftp tony@localhost:/> exit
$ lftp localhost -u tony,tonyp
lftp tony@localhost:~> ls
ls: Login failed: 530 Login incorrect.
8. Configuring virtual users for vsftpd (database mode)
8.1 Install the MySQL database
# aptitude install mysql-server libpam-mysql
The versions used here are mysql-server 5.0.24-1 and libpam-mysql 0.6.2-1.
tonybox:/var/log# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 5.0.22-Debian_4-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
mysql>
mysql> create database vsftpd;
Query OK, 1 row affected (0.04 sec)
mysql> use vsftpd
Database changed
mysql> create table users(name char(20), passwd char(20));
Query OK, 0 rows affected (0.02 sec)
mysql> insert into users values('tony',password('passtony'));
Query OK, 1 row affected (0.02 sec)
mysql> insert into users values('etony',password('passetony'));
Query OK, 1 row affected (0.01 sec)
mysql> grant select, insert on vsftpd.users to
vsftpduser@localhost identified by 'vsftpdpass';
Query OK, 0 rows affected (0.02 sec)
8.2 create a user
tonybox:/var/log# mysql -u vsftpduser -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10 to server version: 5.0.22-Debian_4-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use vsftpd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from users;
+----+-------+------------------+
| id | name | passwd |
+----+-------+------------------+
| 1 | tony | 2351315b1bd1bd58 |
| 2 | etony | 59c0cde4781fb0be |
+----+-------+------------------+
2 rows in set (0.00 sec)
mysql>
8.3 Configure the PAM file
Modify /etc/pam.d/vsftpd as follows (each PAM entry must stay on a single line):
auth required /lib/security/pam_mysql.so user=vsftpduser passwd=vsftpdpass host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2
account required /lib/security/pam_mysql.so user=vsftpduser passwd=vsftpdpass host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2
Values of crypt:
- 0: the password is stored in the database in plaintext
- 1: the password is stored encrypted with the crypt() function
- 2: the password is stored encrypted with the MySQL password() function
8.4 Other configuration
The same as for virtual users in text mode (section 7).
8.5 Test
tonybox:~# lftp localhost -u etony,passetony
lftp etony@localhost:~> ls
-rw-r--r-- 1 1001 1001 22 Aug 17 21:49 msg
lftp etony@localhost:/>
Note:
With mysql-server-5.0, libpam-mysql cannot verify encrypted passwords, because the password() function it implements does not match the password() used by that server version; FTP user passwords can then only be stored in the database in plaintext. With mysql-server-4.1 and libpam-mysql 0.5.0-6, FTP user passwords can be stored in the database encrypted.
9. About logs
The libpam-mysql 0.6.2-1 module is still not complete; to be added later ......
10. FAQ
http://www.vsftpdrocks.org/faq/ (Chinese version: http://wolfg.iblog.cn/index.phpp?viewarticle=articleid=50969)
- Q) Why do symlinks no longer work after setting chroot_local_user=YES?
- A) This is a consequence of how the chroot() security mechanism works. Options: use hard links instead, or use the "mount --bind" command available on modern Linux.
- Q) Help! I get the error message "refusing to run with writable anonymous root".
- A) vsftpd refuses to run with dangerous (insecure) configurations. This message is usually caused by wrong ownership or permissions on the FTP home directory: it should not be owned by the ftp user, and the ftp user must not be able to write to it. Solution: chown root ftp; chmod -w ftp (where ftp is the anonymous FTP home directory).
- Q) Help! Uploads and other "write" commands fail with "500 Unknown command.".
- A) By default the "write" commands (upload, create directory, and so on) are disabled; this is the safe default. To allow write commands, add write_enable=YES to the configuration file /etc/vsftpd.conf.