VSFTP Configuration Detailed

Source: Internet
Author: User
Tags: crypt ftp client file transfer protocol


FTP: File Transfer Protocol

FTP is a standard protocol for transferring files over a network. It belongs to the application layer of the network protocol stack.

The FTP service normally uses ports 20 and 21:

Port 20 carries the data connection between client and server (active mode).
Port 21 carries the control connection, over which commands are sent to the FTP server.

FTP two modes of use:

    • Active (PORT) mode: the data connection is initiated by the FTP server, which connects from its port 20 to a random port greater than 1023 on the client.

    • Passive (PASV) mode: the data connection is initiated by the FTP client, which connects from a port greater than 1024 to a random port greater than 1023 on the server.
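As an added example (not from the original post), the Python below decodes the h1,h2,h3,h4,p1,p2 address tuple that both the PORT command (active mode) and the 227 PASV reply (passive mode) carry, and applies the checks an endpoint should make before opening the data connection. The sample messages and the 10.1.235.x addresses are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample messages (not from the original page).
PORT_CMD = "PORT 10,1,235,200,4,1"                             # active mode: client names its port
PASV_REPLY = "227 Entering Passive Mode (10,1,235,7,195,80)."  # passive mode: server names its port

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(message):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PORT and PASV.

    Returns (ip, port); the 16-bit port is carried as p1*256 + p2.
    """
    m = _TUPLE.search(message)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % message)
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range in %r" % message)
    ip = "%d.%d.%d.%d" % tuple(vals[:4])
    return ip, vals[4] * 256 + vals[5]


def encode_hostport(ip, port):
    """Inverse: build the tuple a client puts in PORT or a server in a 227 reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def check_data_endpoint(ip, port, control_peer_ip):
    """Checks a server applies to a client's PORT (or a client to a PASV reply)
    before connecting: the data port must be above 1023, as the text notes, and
    the address must be the control connection's peer, so the data connection
    is never opened towards some third host."""
    problems = []
    if port <= 1023:
        problems.append("data port %d is not above 1023" % port)
    if ip_address(ip) != ip_address(control_peer_ip):
        problems.append("data address %s is not the control peer %s" % (ip, control_peer_ip))
    return problems
```

vsftpd performs the same peer-address check itself unless port_promiscuous or pasv_promiscuous is set to YES.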

Data transfer mode:

    • ASCII: Text Format

    • Binary: binary format

vsftpd: Very Secure FTP daemon

Main configuration file: /etc/vsftpd/vsftpd.conf

anonymous_enable=YES    allow anonymous users to log in
local_enable=YES        allow local users to log in
write_enable=YES        allow write operations (uploads)
local_umask=022         umask applied to files uploaded by local users
anon_upload_enable=NO   whether anonymous users may upload

#anon_mkdir_write_enable=YES    allow anonymous users to create directories

dirmessage_enable=YES      display directory messages
xferlog_enable=YES         enable the transfer log
connect_from_port_20=YES   use port 20 for the data channel of active-mode connections

#chown_uploads=YES
#chown_username=whoever

xferlog_std_format=YES     use the same log format as wu-ftpd

#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails

#chroot_local_user=NO      if YES, local users are chrooted into their home directories by default
#chroot_list_enable=NO     if YES, a list file names the users the chroot applies to; when chroot_local_user is also YES, the listed users are instead exempt from the chroot. The default list file is /etc/vsftpd.chroot_list and can be changed with the chroot_list_file parameter
#chroot_list_file=/etc/vsftpd/chroot_list

ls_recurse_enable=NO    whether users may run 'ls -R' to list directories recursively
listen=YES              run in standalone mode (if not YES, vsftpd is started by the super daemon instead)

#listen_ipv6 =yes

pam_service_name=vsftpd    name of the PAM service vsftpd uses for authentication
userlist_enable=YES        use the user_list file to control logins (together with userlist_deny)
#userlist_deny=YES
tcp_wrappers=YES           use TCP wrappers for access control

Anonymous user-related configuration:

anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Local (system) user related:

local_enable=YES
write_enable=YES

Auxiliary authentication configuration file: /etc/vsftpd/ftpusers
PAM authentication configuration file: /etc/pam.d/vsftpd

chroot_local_user=YES
Confine all local users to their own home directories; the users' write permission on their home directories must be removed.

chroot_list_enable=YES

Confine the users named in the specified file to their own home directories; their write permission on their home directories must be removed.

Data transfer log:

xferlog_std_format=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog

Control the list of users who can log in to the VSFTPD service:

userlist_enable=YES
userlist_deny={YES|NO}
If userlist_deny=NO, only the users listed in the user_list file may log in.
If userlist_deny=YES (the default), the users listed in user_list are denied, and the error is returned before the password prompt.
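As an added example (not part of the original page), the Python below parses a vsftpd.conf and flags risky combinations of the directives described above: anonymous write access, local users not chrooted, a permissive local_umask, and transfer logging switched off. Both embedded configs are constructed, and the ruleset is this example's own, not vsftpd's.

```python
# Constructed configs (not from the original page): a permissive vsftpd.conf
# beside the hardened version, using only directives discussed above.
WEAK_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
local_umask=000
#chroot_local_user=YES
xferlog_enable=NO
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
xferlog_enable=YES
"""
TRUE_VALUES = {"YES", "TRUE", "1"}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")


def parse_conf(text):
    """One key=value per line, '#' starts a comment, a repeated key overrides."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf


def is_on(conf, key, default="NO"):
    return conf.get(key, default).upper() in TRUE_VALUES


def audit(text):
    """Findings for the risky combinations of the directives described above."""
    c, findings = parse_conf(text), []
    writable = [k for k in ANON_WRITE if is_on(c, k)]
    if is_on(c, "anonymous_enable") and writable:
        findings.append("anonymous users may write: " + ", ".join(writable))
    if is_on(c, "local_enable") and not is_on(c, "chroot_local_user"):
        findings.append("local users are not confined to their home directories")
    umask = c.get("local_umask", "077")  # vsftpd's built-in default is 077
    if is_on(c, "write_enable") and int(umask, 8) & 0o022 != 0o022:
        findings.append("local_umask %s leaves uploads group- or world-writable" % umask)
    if not is_on(c, "xferlog_enable"):
        findings.append("transfer logging (xferlog_enable) is off")
    return findings
```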

vsftpd configuration example:
CentOS 7

    1. Confine system users to their home directories;

    2. Authenticate users against MySQL;

    3. Give different virtual users different permissions;

Install vsftpd, MySQL (MariaDB) and the pam_mysql module, which lets PAM look up passwords stored in MySQL:

]# yum install vsftpd mariadb-server mariadb-devel pam-devel
]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz

]# tar xvf pam_mysql-0.7RC1.tar.gz
]# cd pam_mysql-0.7RC1
]# ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
]# make
]# make install

Prepare the MariaDB database:

]# mysql_install_db --user=mysql      initialize the database
]# systemctl start mariadb            start mariadb
]# mysql_secure_installation          security settings
]# mysql -p                           enter the password to log in to the database
> CREATE DATABASE vsftpd;             create the vsftpd database

Insert the virtual user information:
> INSERT INTO vsftpd.users (name, password) VALUES ('rick', PASSWORD('222222')), ('morty', PASSWORD('222222'));

Grant privileges:
> GRANT ALL ON vsftpd.* TO 'vuser'@'localhost' IDENTIFIED BY '333333';
> GRANT ALL ON vsftpd.* TO 'vuser'@'127.0.0.1' IDENTIFIED BY '333333';
> FLUSH PRIVILEGES;

Configure vsftpd to authenticate through pam_mysql:

]# vi /etc/vsftpd/vsftpd.conf
#listen_ipv6=YES    comment out this line
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser

PAM configuration file for the module:

]# vi /etc/pam.d/vsftpd.mysql   add the following two lines
auth required /usr/lib64/security/pam_mysql.so user=vuser passwd=333333 host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vuser passwd=333333 host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

Create the mapped system user account:

]# mkdir /vpub
]# useradd -d /vpub vuser
]# mkdir /vpub/{pub,upload}
]# chmod u-w /vpub                    remove the owner's write permission on the chroot root
]# setfacl -m u:vuser:rwx /vpub/upload

Set permissions for individual virtual users:

]# vi /etc/vsftpd/vsftpd.conf   add one line naming the directory of per-user configuration files
user_config_dir=/etc/vsftpd/users_conf

]# mkdir /etc/vsftpd/users_conf
]# vi /etc/vsftpd/users_conf/rick    a virtual user's permissions are all set with the anon_* directives
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

]# vi /etc/vsftpd/users_conf/morty   this user has no upload permission
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

Test:

lftp [email protected]10.1.235.7:/upload> put issue
59 bytes transferred

lftp [email protected]10.1.235.7
550 Permission denied. (centos-release)




This article is from the "mediocre" blog; please keep this source link: http://zzjasper.blog.51cto.com/9781564/1864786
