VSFTP + MYSQL + PAM Configuration Manual

Source: Internet
Author: User
1. Install the required packages
# apt-get install vsftpd mysql-server mysql-client libpam-mysql
The libpam-mysql package lets PAM look up user records in a MySQL table for authentication; the other packages are self-explanatory.

2. Set FTP user permissions and home directories
Installing vsftpd in step 1 creates the system user ftp, which is vsftpd's default anonymous user and has no other rights. On the author's system its home directory is /home/ftp; on Red Hat systems it is /var/ftp. Either is fine, and you may also use a custom anonymous user; if you do, substitute your user name for ftp throughout the rest of this manual.
By default /home/ftp is not owned by ftp, so create a subdirectory for uploads and fix the ownership:
# mkdir /home/ftp/temp
# chown -R ftp.nogroup /home/ftp
A caveat for current vsftpd versions (2.3.5 and later): vsftpd refuses to chroot a user into a directory that user can write to and aborts the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". On such versions keep the chroot root itself (here /home/ftp) owned by root and mode 755, give ftp write access only to subdirectories such as /home/ftp/temp, or, on vsftpd 3.0 and later, set allow_writeable_chroot=YES if you accept the risk.

3. Configure the MySQL database
The author admits to knowing little about databases and thinks of MySQL as a large information warehouse; that is exactly why its contents have to be protected like any other information. MySQL is insecure by default; only the root password is set here. For MySQL tuning, read the MySQL manual.
# mysqladmin -u root -p password 'NEW_PASSWORD'
Sets the MySQL root password. The first time, -p can be omitted because the root password is still empty. Choose a strong password; the original used 123456, which is not acceptable on anything reachable from a network.
Connect to the database:
# mysql -u root -p
Connects to the local MySQL server as root. At "Enter password:" type the MySQL root password, which is not the system root user's password.
mysql> means the connection succeeded. If this prompt does not appear, one of the two preceding steps went wrong.
mysql> create database vsftpd;
Creates the database. Every statement in the mysql client ends with ";". If you forget it, nothing is lost: the client treats the line break as a continuation (a statement may span several lines), so simply type ";" on its own.
mysql> show databases;
Checks that the database exists; if not, repeat the previous step.
mysql> use vsftpd;
Selects the vsftpd database; everything that follows operates on it.
mysql> create table users (name varchar(20) not null, password varchar(64) not null, primary key (name)) engine=myisam;
Creates the users table with two columns, name and password. varchar(n) not null means a string of at most n characters that may not be empty. primary key (name) makes name the primary key, which cannot repeat, just as two FTP users cannot share a name. engine=myisam selects the storage engine (the original wrote "type=myisam", a spelling current MySQL versions no longer accept); it is the default on old servers and can be omitted. The original declared password as varchar(20), which only fits plaintext passwords: a MySQL PASSWORD() hash is 41 characters and an MD5 hex digest is 32, so with a 20-character column a non-strict server silently truncates the stored hash and no hashed login can ever succeed. varchar(64) leaves room for the crypt= modes described in step 4.
mysql> show tables;
Checks that the table was created; if not, repeat the previous step.
mysql> insert into users values ('admin', 'admin');
Creates the virtual user admin with password admin, stored in plaintext to match crypt=0 in step 4 (see that step for storing hashes instead).
mysql> insert into users values ('Download', 'Download');
mysql> insert into users values ('upload', 'upload');
mysql> insert into users values ('web', 'web');
mysql> select * from users;
Verifies the result; if the virtual users are missing, repeat the previous steps.
The data is in place, but PAM must not connect as root. Create a dedicated, read-only account for it:
mysql> grant select on vsftpd.users to vsftpd@localhost identified by 'vsftpd';
# grant: the GRANT command
# select on vsftpd.users: only the SELECT privilege, and only on the users table of the vsftpd database
# to vsftpd@localhost: the user vsftpd connecting from the local machine (MySQL distinguishes accounts by user name and host, so root@localhost and root@'%' are different accounts)
# identified by 'vsftpd': sets that account's password to vsftpd; use something stronger, since it will be written into /etc/pam.d/vsftpd
On MySQL 8 and later, "identified by" is no longer accepted inside GRANT: run create user 'vsftpd'@'localhost' identified by '...'; first and then the GRANT without the identified-by clause.
mysql> quit;
Leaves the mysql client. The MySQL configuration is complete.
4. Configure PAM authentication for vsftpd
# vim /etc/pam.d/vsftpd
Comment out everything already in the file and add the following two lines (exactly two lines; be careful with line wrapping):
auth required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
Explanation:
user= the MySQL account created in step 3 (vsftpd)
passwd= that account's password
host= the MySQL server; localhost because the database runs on the same machine
db= the database created with "create database vsftpd", the one that stores the user names
table= the table inside that database that holds the users
usercolumn= the column holding the user name (name)
passwdcolumn= the column holding the password (password)
crypt= how the password column is stored: 0 plaintext, 1 crypt(3), 2 MySQL PASSWORD(), 3 MD5 hex digest (pam_mysql 0.7 also accepts 4 for a SHA1 hex digest). The author only got plaintext (0) to work and found 1, 2 and 3 failing. With a password column declared as varchar(20), as in the original step 3, that is expected: a PASSWORD() value (41 characters) or an MD5 digest (32 characters) does not fit, a non-strict server truncates it on insert, and the comparison can never succeed. Widen the column to at least varchar(41), for example varchar(64), store the hash that matches the chosen crypt= mode, and plaintext storage becomes unnecessary.
Two caveats. /etc/pam.d/vsftpd is world-readable on most systems, so the MySQL password in it is visible to every local user; either accept that for a SELECT-only account or move the options into a root-only file and point pam_mysql at it with its config_file= option. And because these two lines replace the distribution's pam_unix stack, system users from /etc/passwd can no longer log in to vsftpd through this service; that is intended here, since only the MySQL virtual users should have access.
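The following script is an added example and is not part of the original manual or of pam_mysql. It serves both step 3 and step 4: it computes the value the password column must hold for crypt=2, 3 and 4, mirrors pam_mysql's comparison so stored values can be checked offline before touching PAM, and demonstrates the varchar(20) truncation described above. The table and column names are the manual's; the generated INSERT statements, the user-name character restriction and the refusal to emit plaintext are the example's own choices, and crypt=1 is omitted because its crypt(3) format depends on the system libc.

```python
"""pam_mysql password formats for the crypt= option (added example)."""
import hashlib
import hmac
import re

# Width of the password column in the manual's original CREATE TABLE.
TUTORIAL_PASSWORD_WIDTH = 20


def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper(hex(sha1(sha1(plain)))). Used by crypt=2.
    (pam_mysql also accepts the pre-4.1 16-character form; not modelled here.)"""
    inner = hashlib.sha1(plain.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hex(plain: str) -> str:
    """Lowercase hex MD5, identical to MySQL's MD5(). Used by crypt=3."""
    return hashlib.md5(plain.encode()).hexdigest()


def sha1_hex(plain: str) -> str:
    """Lowercase hex SHA-1, identical to MySQL's SHA1(). Used by crypt=4."""
    return hashlib.sha1(plain.encode()).hexdigest()


# What pam_mysql derives from the password typed at the FTP client before
# comparing it with the stored column value, per crypt= mode.
ENCODERS = {
    0: lambda p: p,  # plaintext
    2: mysql_password,
    3: md5_hex,
    4: sha1_hex,
}


def required_width(crypt_mode: int) -> int:
    """Smallest varchar width that can hold a value for the given mode."""
    return {0: 20, 2: 41, 3: 32, 4: 40}[crypt_mode]


def stored_value(plain: str, crypt_mode: int, column_width: int) -> str:
    """Emulate a non-strict MySQL server truncating an over-long value on INSERT."""
    return ENCODERS[crypt_mode](plain)[:column_width]


def pam_mysql_matches(stored: str, supplied: str, crypt_mode: int) -> bool:
    """True if pam_mysql would accept `supplied` against the stored column value."""
    derived = ENCODERS[crypt_mode](supplied)
    # Constant-time comparison so the check does not leak the match position.
    return hmac.compare_digest(derived.encode(), stored.encode())


_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,20}$")


def insert_statement(name: str, plain: str, crypt_mode: int) -> str:
    """INSERT for vsftpd.users with a hashed password. Names are restricted to
    a safe character set because they are spliced into SQL text here; real
    tooling should use a parameterised client instead."""
    if crypt_mode == 0:
        raise ValueError("refusing to emit plaintext credentials (crypt=0)")
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe ftp user name: {name!r}")
    value = ENCODERS[crypt_mode](plain)
    return f"INSERT INTO users (name, password) VALUES ('{name}', '{value}');"


if __name__ == "__main__":
    # The manual's four virtual users, with constructed passwords equal to
    # the names as in the original; replace them in any real deployment.
    for user in ("admin", "download", "upload", "web"):
        print(insert_statement(user, user, 3))
    truncated = stored_value("admin", 2, TUTORIAL_PASSWORD_WIDTH)
    print("varchar(20) keeps", truncated,
          "-> login", "works" if pam_mysql_matches(truncated, "admin", 2) else "fails")
```

Run it once with the chosen crypt= mode, paste the printed INSERT statements into the mysql client from step 3, and set the same crypt= value in both PAM lines.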
 
5. Configure vsftpd. This is the important part; consult vsftpd.conf(5) for every option, only the settings used here are explained. vsftpd is strict about syntax: each line is option=value with no spaces around the "=", option names are lower case, and comments must be on their own line, so the listing below uses that form.
# vim /etc/vsftpd.conf
# Accept anonymous users
anonymous_enable=YES
# Do not ask anonymous users for a password
no_anon_password=YES
# Anonymous root directory. "(none)" in the manual page means "not set"; it is not a literal value, so leave the option commented out until a real path is set (see the directory section below)
#anon_root=(none)
# Accept local users
local_enable=YES
# Local user root directory (same remark as anon_root; set below)
#local_root=(none)
# If anonymous users are asked for a password, addresses listed in banned_email_file cannot log in
deny_email_enable=YES
# Only applies to builds without PAM: check that the user has a valid login shell
check_shell=YES
# Enables the userlist_file/userlist_deny mechanism
userlist_enable=YES
# YES: users in userlist_file are denied; NO: only users in userlist_file may log in. With NO, the virtual users from step 3 must be listed in userlist_file, otherwise they are rejected before PAM is consulted
userlist_deny=NO
# Together with chroot_local_user, take each user's chroot location from the home directory string in /etc/passwd; a "/./" in that string marks where the jail begins
passwd_chroot_enable=NO
# User name used for anonymous logins; default ftp
ftp_username=ftp
################# User permission control ###############
# Allow write commands at all (global switch)
write_enable=YES
# umask for files uploaded by local users
local_umask=022
# Permissions of uploaded files before the umask is applied
#file_open_mode=0666
# Anonymous uploads
anon_upload_enable=NO
# Anonymous directory creation
anon_mkdir_write_enable=NO
# Other anonymous write operations (delete, rename, and so on)
anon_other_write_enable=NO
# If YES, anonymous users may only download world-readable files. Default YES
anon_world_readable_only=YES
# If enabled, every non-anonymous login is mapped to the local user named by guest_username. This must be YES for the MySQL/PAM virtual users from step 4: otherwise vsftpd still looks the name up in /etc/passwd after PAM accepts it, and "admin" is not a system user
#guest_enable=NO
# Files uploaded anonymously are chowned to chown_username
chown_uploads=YES
# Owner of anonymously uploaded files (never root)
chown_username=lightwiter
# If enabled, users listed in chroot_list_file are chrooted to their home directory (with chroot_local_user=YES the list instead names the users who are NOT chrooted)
chroot_list_enable=YES
# Accept asynchronous ABOR. Rarely needed; the vsftpd authors do not recommend enabling it (see the appendix)
async_abor_enable=YES
# Whether ASCII-mode upload is honoured. Default NO
ascii_upload_enable=YES
# Whether ASCII-mode download is honoured. Default NO
ascii_download_enable=YES
# Must be an empty directory that no login user can write to; vsftpd chroots into it whenever it does not need filesystem access. Default /usr/share/empty
secure_chroot_dir=/usr/share/empty
################### Timeout settings ##################
# Idle session timeout (seconds)
idle_session_timeout=600
# Data connection timeout (seconds)
data_connection_timeout=120
# Timeout for a PASV data connection to arrive from the client
accept_timeout=60
# Timeout for a PORT-mode data connection to the client
connect_timeout=60
############### Server function options ###############
# Enable transfer logging
xferlog_enable=YES
# Use the standard xferlog format
xferlog_std_format=YES
# When xferlog_std_format is off and this is on, every FTP command and reply is logged; useful for debugging
#log_ftp_protocol=NO
# PASV mode
pasv_enable=YES
# Disables the check that the PASV data connection comes from the same address as the control connection. Leave NO
#pasv_promiscuous=NO
# Allow PORT mode
#port_enable=YES
# Disables the equivalent check for PORT connections. Leave NO
#port_promiscuous=NO
# Enable tcp_wrappers support
tcp_wrappers=YES
# PAM service name; default vsftpd (matches /etc/pam.d/vsftpd from step 4)
pam_service_name=vsftpd
# Unprivileged user the server runs as whenever it does not need privileges
nopriv_user=nobody
# Address advertised in PASV replies (needed behind NAT). "(none)" is not a literal value; leave unset unless required
#pasv_address=(none)
################# Server performance options ##############
# Allow "ls -R", which can consume a lot of server resources
#ls_recurse_enable=YES
# Single-process model
#one_process_model=NO
# Run as a standalone daemon listening on listen_port (rather than from inetd)
listen=YES
# In "ls -al" output the owner is shown as a UID by default; set YES to show names instead
text_userdb_names=NO
# Show directory listing times in local time instead of GMT (the MDTM command is affected the same way)
use_localtime=NO
# Performance tuning
#use_sendfile=YES
################ Information Class settings ################
# Login banner; ignored if banner_file is set
ftpd_banner=welcome to ** FTP website.
# Display the contents of message_file when entering a directory
dirmessage_enable=YES
# Show session status in the process title; leave off
#setproctitle_enable=YES
############# File definition ##################
# List of users affected by chroot_list_enable
chroot_list_file=/etc/vsftpd.chroot_list
# List of users allowed (userlist_deny=NO) or denied (userlist_deny=YES) login
userlist_file=/etc/vsftpd.user_list
# Banner file shown at login
banner_file=/etc/vsftpd/banner
# E-mail addresses that anonymous users may not use as a password
banned_email_file=/etc/vsftpd.banned_emails
# Log file location
xferlog_file=/var/log/vsftpd.log
# Name of the per-directory message file
message_file=.message
############# Directory definition #################
# Directory holding per-user configuration files
user_config_dir=/etc/vsftpd/userconf
# Root directory after a local login. May be absolute or relative; a relative path is taken from the user's home directory.
# Here every user lands in /home/username/webdisk after login
local_root=webdisk
# Root directory after an anonymous login
anon_root=/var/ftp
############ User connection options #################
# Maximum number of simultaneous clients
max_clients=100
# Maximum simultaneous connections per source IP address
max_per_ip=5
# Originate PORT data connections from port 20 (ftp-data)
connect_from_port_20=YES
# Bind to one address; other addresses on the host do not serve FTP
listen_address=192.168.0.2
# Listening port
#listen_port=2121
# Data port
#ftp_data_port=2020
# Upper bound of the PASV port range; 0 means any port. Default 0
pasv_max_port=0
# Lower bound of the PASV port range; 0 means any port. Default 0
pasv_min_port=0
############# Data transmission options #################
# Anonymous transfer rate limit (bytes/s)
anon_max_rate=51200
# Local user transfer rate limit (bytes/s)
local_max_rate=5120000
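As an added example (not from this manual or the vsftpd project), the script below lints a vsftpd.conf the way a reviewer would before restarting the daemon: it rejects the syntax vsftpd itself rejects (spaces around "=", upper-case option names, trailing comments) and flags settings that widen exposure, using the compiled-in defaults from vsftpd.conf(5). It assumes the virtual-user setup of this manual, so it also reports guest_enable not being YES. The two embedded configurations are constructed for the example; SAMPLE_WEAK deliberately reproduces the spaced, capitalised style of the listing above.

```python
"""vsftpd.conf linter: syntax vsftpd rejects plus exposure-widening settings
(added example, not part of the manual or of vsftpd)."""
import re
from typing import Dict, List, Tuple

# Compiled-in defaults from vsftpd.conf(5) for the options examined here.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chown_uploads": "NO",
    "chown_username": "root", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "ssl_enable": "NO", "chroot_local_user": "NO",
    "chroot_list_enable": "NO", "guest_enable": "NO", "local_umask": "077",
}

ANON_WRITE_OPTIONS = ("anon_upload_enable", "anon_mkdir_write_enable",
                      "anon_other_write_enable")


def parse(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, syntax_errors) following vsftpd's own rules: a line
    whose first character is '#' is a comment, blank lines are ignored, every
    other line must be exactly option=value with a lower-case name, no
    whitespace around '=' and no trailing comment (vsftpd reports an
    unrecognised variable or a bad boolean and refuses to start)."""
    settings: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: not option=value: {line!r}")
            continue
        name, value = line.split("=", 1)
        if name != name.strip().lower() or value != value.strip():
            errors.append(f"line {lineno}: whitespace or upper case around '=': {line!r}")
            continue
        if "#" in value:
            errors.append(f"line {lineno}: trailing comment is part of the value: {line!r}")
            continue
        settings[name] = value
    return settings, errors


def is_yes(settings: Dict[str, str], option: str) -> bool:
    """Boolean lookup with the compiled-in default; vsftpd accepts YES/true/1."""
    return settings.get(option, DEFAULTS.get(option, "NO")).upper() in ("YES", "TRUE", "1")


def findings(settings: Dict[str, str]) -> List[str]:
    """Security-relevant observations about a parsed configuration."""
    out: List[str] = []
    if "anonymous_enable" not in settings:
        out.append("anonymous_enable absent: the compiled-in default is YES")
    if (is_yes(settings, "anonymous_enable") and is_yes(settings, "write_enable")
            and any(is_yes(settings, o) for o in ANON_WRITE_OPTIONS)):
        out.append("anonymous users can write (write_enable plus an anon_*_enable option)")
    if (is_yes(settings, "chown_uploads")
            and settings.get("chown_username", DEFAULTS["chown_username"]) == "root"):
        out.append("chown_uploads=YES with chown_username=root: uploads become root-owned")
    for opt in ("pasv_promiscuous", "port_promiscuous"):
        if is_yes(settings, opt):
            out.append(f"{opt}=YES disables the data-connection address check")
    if not is_yes(settings, "ssl_enable"):
        out.append("ssl_enable is not YES: passwords and data cross the network in clear")
    if (is_yes(settings, "local_enable") and not is_yes(settings, "chroot_local_user")
            and not is_yes(settings, "chroot_list_enable")):
        out.append("local users are not chrooted")
    if not is_yes(settings, "guest_enable"):
        out.append("guest_enable is not YES: names accepted by PAM are still looked up "
                   "in /etc/passwd, so MySQL-only virtual users cannot log in")
    try:
        umask = int(settings.get("local_umask", DEFAULTS["local_umask"]), 8)
    except ValueError:
        out.append("local_umask is not an octal number")
    else:
        if umask & 0o022 != 0o022:
            out.append(f"local_umask={umask:03o} leaves uploads group- or world-writable")
    return out


def lint(text: str) -> Tuple[List[str], List[str]]:
    """Convenience wrapper: (syntax_errors, security_findings) for a config text."""
    settings, errors = parse(text)
    return errors, findings(settings)


# Constructed sample in the damaged style of the listing above: vsftpd would
# not even start on it, and what it does parse is wide open.
SAMPLE_WEAK = """\
Listen = YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
pasv_promiscuous=YES
local_enable=YES
local_umask=011
guest_enable=YES # allow virtual users
"""

# Constructed hardened counterpart for the virtual-user setup of this manual.
SAMPLE_HARDENED = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
guest_enable=YES
guest_username=ftp
pam_service_name=vsftpd
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        errors, notes = lint(sample)
        print(f"== {label}: {len(errors)} syntax errors, {len(notes)} findings")
        for item in errors + notes:
            print("  -", item)
```

ssl_enable=YES also needs a certificate (rsa_cert_file) and, on Debian, a vsftpd build with SSL support; the linter only checks that the option is set.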
Appendix: the Debian example vsftpd.conf with the author's changes, including the guest_enable lines that the virtual users from step 4 require.
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=011
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
# Allow virtual users (required for the MySQL/PAM users from step 4; vsftpd does not accept comments after a value, so they are on their own lines here)
guest_enable=YES
# Map virtual users to this local user
guest_username=ftp
# Directory of per-virtual-user configuration files
user_config_dir=/etc/vsftpd/vsftpd_user_conf

An example per-user file follows. It lives in the directory named by user_config_dir (the two listings on this page use different paths; pick one) and its file name is the virtual user's name, for example /etc/vsftpd/vsftpd_user_conf/web. As in the main file, comments must be on their own line: vsftpd would otherwise treat "# website directory" as part of the value.

# website directory
local_root=/var/www
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# With this set to YES the virtual user gets local-user privileges (write_enable, local_umask, chmod_enable); the anon_*_enable lines above only matter when it is NO
virtual_use_local_privs=YES
chmod_enable=YES
# umask 011 leaves uploaded files group- and world-writable; 022 is the usual choice
local_umask=011


6. Start the service
$ sudo /etc/init.d/vsftpd restart
Then test a virtual user from the server itself (ftp localhost, user admin). If the login is refused, check /var/log/auth.log for pam_mysql messages and /var/log/vsftpd.log for the transfer log; a "530 Login incorrect" right after a PAM success usually means guest_enable is not YES.