VSFTPD is a secure and fast FTP server for UNIX/Linux and is used by many large sites. VSFTPD can store user names and passwords in database files or on a database server; it calls users of this kind virtual users. Unlike local (system) users, virtual users exist only for the FTP server: they can access only the resources the FTP server provides, which considerably improves the security of the host. Unlike anonymous users, a virtual user needs a user name and password to fetch files from the server, which makes users and downloads easier to manage. For an FTP site that must offer downloads but should not let everyone download anonymously, that needs to manage its download users, and that has to balance host security against convenient administration, virtual users are an excellent solution. This article describes how to store the virtual user names and passwords of VSFTPD on a MySQL database server under RedHat Linux 9.
I. VSFTPD installation
At the time of writing the latest version of VSFTPD is 1.2.0, available from ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.0.tar.gz. Before installing it, make the following preparations.
The default VSFTPD configuration requires a "nobody" user. Add this user to the system; if it already exists, useradd says so:
[root@hpe45 root]# useradd nobody
useradd: user nobody exists
The default VSFTPD configuration also requires the directory /usr/share/empty. Create it; if it already exists, mkdir says so:
[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory '/usr/share/empty': File exists
When VSFTPD provides anonymous FTP service, it needs an "ftp" user and a valid anonymous directory:
[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp
Run the next two commands even if the ftp user already exists:
[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp
With the preparations done, we can compile the source. Assuming the downloaded vsftpd-1.2.0.tar.gz is in /root, run the following commands:
[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make
[root@hpe45 vsftpd-1.2.0]# make install
The "make install" step copies the compiled binary and the manual pages to their directories. On RedHat Linux 9 you may have to perform these copies by hand:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8
Next, we will copy a simple configuration file for later modification.
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc
Copy the PAM authentication file so that local users can log on to VSFTPD:
[root@hpe45 vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp
II. Create a guest user
VSFTPD authenticates virtual users through PAM. Because the user names and passwords of virtual users are stored separately, VSFTPD must, during authentication, read the database file or database server under the identity of some system user; that user is the VSFTPD guest user, just as anonymous access needs the system user ftp. You can think of the guest user as the representative of all virtual users on the system. Add the user vsftpdguest to the system as the VSFTPD guest:
[root@hpe45 vsftpd-1.2.0]# useradd vsftpdguest
After a virtual user logs on, it is placed in /home/vsftpdguest, the home directory of vsftpdguest. To have virtual users land in another directory such as /var/ftp, change the home directory of vsftpdguest.
III. Set the VSFTPD configuration file
Add the following options to /etc/vsftpd.conf:
guest_enable=YES
guest_username=vsftpdguest
Start VSFTPD in the background with:
[root@hpe45 vsftpd-1.2.0]# /usr/local/sbin/vsftpd &
IV. Save the virtual users in the MySQL database server
We create the database vsftpdvu with a table users whose fields name and passwd hold the virtual user names and passwords, and add two virtual users, xiaotong and xiaowang:
[root@hpe45 vsftpd-1.2.0]# mysql -p
mysql> create database vsftpdvu;
mysql> use vsftpdvu;
mysql> create table users (name char(16) binary, passwd char(16) binary);
mysql> insert into users (name, passwd) values ('xiaotong', password('qqmywife'));
mysql> insert into users (name, passwd) values ('xiaowang', password('ttmywife'));
mysql> quit
Then grant vsftpdguest read access to the users table of the vsftpdvu database:
[root@hpe45 vsftpd-1.2.0]# mysql -u root mysql -p
mysql> grant select on vsftpdvu.users to vsftpdguest@localhost identified by 'i52serial0';
mysql> quit
To verify that this worked, run:
[root@hpe45 vsftpd]# mysql -u vsftpdguest -pi52serial0 vsftpdvu
mysql> select * from users;
If it succeeded, xiaotong and xiaowang are listed together with their encrypted passwords.
V. Set up PAM authentication against MySQL
Here we use the open source project pam_mysql (http://sourceforge.net/projects/pam-mysql/), which lets PAM authenticate against MySQL. First download pam_mysql-0.5.tar.gz from that site into /root. Before compiling, make sure the mysql-devel RPM package is installed; if it is not, install it from the Red Hat Linux installation disc. Then run:
[root@hpe45 root]# tar xvzf pam_mysql-0.5.tar.gz
[root@hpe45 root]# cd pam_mysql
[root@hpe45 pam_mysql]# make
[root@hpe45 pam_mysql]# make install
The make install step may fail; if it does, copy the pam_mysql.o generated in this directory to /lib/security by hand.
Next, set up the PAM authentication file for vsftpd. Open /etc/pam.d/ftp and add the following lines:
auth required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
The parameters are self-explanatory as long as they match the database settings made earlier; only crypt needs explanation. crypt specifies how the password column is encrypted: crypt=0 means the passwords are stored in plaintext (not encrypted); crypt=1 means they are encrypted with the UNIX DES crypt() function; crypt=2 means they are encrypted with MySQL's PASSWORD() function, which is what we used above.
VI. Further virtual user settings
After the steps above, virtual users work normally. This section covers further settings, starting with virtual user permissions.
VSFTPD 1.2.0 adds the parameter virtual_use_local_privs. When it is enabled (YES), virtual users get the same permissions as local users. When it is disabled (NO), virtual users get the same permissions as anonymous users, which is how versions before 1.2.0 handled virtual user permissions. Of the two, the latter is stricter, especially for write access. The default is NO.
When virtual_use_local_privs=YES, setting write_enable=YES is enough to give virtual users write permission. When virtual_use_local_privs=NO, permissions are controlled more finely, as follows.
Control whether virtual users can list a directory: to stop users from listing the directory while still allowing them to operate on the files in it, do two things: 1. set anon_world_readable_only=YES in the configuration file; 2. make the virtual user directory owned by and accessible only to vsftpdguest:
[root@hpe45 root]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 root]# chmod 700 /home/vsftpdguest
Allow virtual users to upload files:
write_enable=YES
anon_upload_enable=YES
Allow virtual users to rename and delete files:
anon_other_write_enable=YES
These settings apply to anonymous users as well. If you do not want anonymous users to have the same permissions, it is best to disable anonymous logins altogether.
Second, because virtual users are vsftpdguest on the system, they can access other directories of the system. For better security we can confine virtual users to their own directory. There are two ways. 1. Add the following options to the configuration file:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then add the virtual user names xiaotong and xiaowang to /etc/vsftpd.chroot_list.
2. Alternatively, set chroot_local_user=YES in the configuration file.
After either change, a virtual user's root directory is restricted to /home/vsftpdguest after login and other directories cannot be accessed.
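As an added example that is not part of the original article, the following Python script parses a vsftpd.conf and the pam_mysql lines of /etc/pam.d/ftp and reports the pitfalls described in sections III, V and VI: guest_enable without guest_username, a missing auth or account line, crypt=0 (plaintext passwords in the table), anon_* write settings left reachable by anonymous users, and virtual users that are not chrooted. The function names and the sample configuration are constructed here, not taken from vsftpd or pam_mysql.

```python
# Added example: lints vsftpd.conf and /etc/pam.d/ftp for the article's virtual-user pitfalls (constructed names/data).
def parse_vsftpd_conf(text):
    """Parse key=value lines of vsftpd.conf; blanks and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def parse_pam_mysql(text):
    """Return one dict per pam_mysql line: the PAM type plus its key=value options."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and "pam_mysql" in fields[2]:
            entry = {"type": fields[0].lower()}
            for opt in fields[3:]:
                key, _, value = opt.partition("=")
                entry[key.lower()] = value
            entries.append(entry)
    return entries

def audit(conf, pam):
    """Report weaknesses as strings; an empty list means every check passed."""
    def yes(key, default="NO"):
        return conf.get(key, default).upper() == "YES"
    findings = []
    if yes("guest_enable") and not conf.get("guest_username"):
        findings.append("guest_enable=YES but guest_username is not set")
    if {e["type"] for e in pam} != {"auth", "account"}:
        findings.append("pam_mysql needs both an auth and an account line")
    for e in pam:
        if e.get("crypt", "0") == "0":  # crypt=0: the passwd column holds plaintext
            findings.append("pam_mysql %s line: crypt=0 stores passwords in plaintext" % e["type"])
    # anon_* settings also apply to anonymous users; vsftpd's anonymous_enable defaults to YES
    if yes("anonymous_enable", "YES") and (yes("anon_upload_enable") or yes("anon_other_write_enable")):
        findings.append("anon_* write settings are reachable by anonymous users; set anonymous_enable=NO")
    if not (yes("chroot_local_user") or yes("chroot_list_enable")):
        findings.append("virtual users are not chrooted and can browse other directories as the guest user")
    return findings

# Constructed sample input: the article's settings with anonymous login left at its default.
SAMPLE_CONF = "guest_enable=YES\nguest_username=vsftpdguest\nwrite_enable=YES\nanon_upload_enable=YES\n"
SAMPLE_PAM = (
    "auth    required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2\n"
    "account required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2\n"
)
```

Running audit(parse_vsftpd_conf(SAMPLE_CONF), parse_pam_mysql(SAMPLE_PAM)) on the sample reports two findings, the anonymous-login and the missing-chroot one; adding anonymous_enable=NO and chroot_local_user=YES clears both.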
VII. Personal directories for virtual users
You will have noticed that every virtual user logs on into the same directory, /home/vsftpdguest, the home directory of guest_username. Here is how to give each virtual user a directory of its own. First add the following option to the main configuration file:
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Then create the directory /etc/vsftpd/vsftpd_user_conf and, inside it, a file named after each virtual user:
[root@hpe45 root]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@hpe45 root]# cd /etc/vsftpd/vsftpd_user_conf