vsftpd configuration in Linux

Source: Internet
Author: User

vsftpd is currently one of the best FTP server tools on Linux. The "vs" stands for "very secure", so its biggest advantage is security; it is also small, highly customizable and efficient.

If you chose a full installation of Red Hat Linux 9.0, the vsftpd server is installed by default. Verify this by running the following command in a terminal window:

[root@ahpeng root]# rpm -qa | grep vsftpd

If the output is vsftpd-1.1.3-8, the vsftpd server is installed. If the vsftpd server was not selected when Red Hat Linux 9.0 was installed, you can open "Main Menu > System Settings > Add/Remove Applications" in the graphical environment. In the "Package Management" dialog that appears, make sure the "FTP Server" option is checked, then click "Update" and follow the on-screen prompts to insert the third installation disc to start the installation.

Alternatively, insert the third installation disc, locate the vsftpd-1.1.3-8.i386.rpm package under /RedHat/RPMS, and run the following command in a terminal window to start the installation:

[root@ahpeng RPMS]# rpm -ivh vsftpd-1.1.3-8.i386.rpm

-----------------------------------------------------------------------------------------------------------------------------------

2. Start/restart/stop the vsftpd service

On Red Hat Linux 9.0, vsftpd runs in standalone mode by default. Start the vsftpd service by running the following command in a terminal window:

[root@ahpeng root]# /etc/rc.d/init.d/vsftpd start

Restart the vsftpd service:

[root@ahpeng root]# /etc/rc.d/init.d/vsftpd restart

Stop the vsftpd service:

[root@ahpeng root]# /etc/rc.d/init.d/vsftpd stop

-----------------------------------------------------------------------------------------------------------------------------------

vsftpd configuration

On Red Hat Linux 9.0, vsftpd has three configuration files:

vsftpd.ftpusers: located in the /etc directory. It lists the user accounts that are never allowed to log on to the FTP server, such as root. On Red Hat this list is enforced by PAM (pam_listfile in /etc/pam.d/vsftpd), so it is checked independently of vsftpd's own user list.

vsftpd.user_list: located in the /etc directory. By default (userlist_enable=YES and userlist_deny=YES in vsftpd.conf) the accounts in this file are denied access to the FTP server. If userlist_deny=NO is set in vsftpd.conf instead, the file becomes an allow list and only the accounts in it may log on.

vsftpd.conf: located in the /etc/vsftpd directory. It is a plain text file that can be edited with a text editor such as Kate or vi to customize the FTP server: user logon control, user permission control, timeouts, server feature options, server performance options and server response messages. Options are written as option=value with no spaces around the equals sign, and vsftpd refuses to start if it meets an option name it does not recognize.

-----------------------------------------------------------------------------------------------------------------------------------

vsftpd.conf configuration introduction:

1. Anonymous server connections (standalone server)
Add the following options to the /etc/vsftpd/vsftpd.conf configuration file:
anonymous_enable=YES (allow anonymous logons)
dirmessage_enable=YES (show the contents of the .message file when a user enters a directory)
local_umask=022 (umask for files created by local users; the default is 077)
connect_from_port_20=YES (make active-mode data connections originate from port 20) *
xferlog_enable=YES (log uploads and downloads)
xferlog_std_format=YES (use the standard wu-ftpd xferlog format)
ftpd_banner=XXXXX (welcome message; it also replaces the default banner, which reveals the vsftpd version)
pam_service_name=vsftpd (PAM service used for authentication) *
listen=YES (run as a standalone server rather than from xinetd) *
Result: anonymous clients can connect and download world-readable files (see section 3), but cannot upload anything, because write_enable and all anon_* write options default to NO.
Note: the logging and welcome-message options are optional. The options marked with an asterisk are the basic FTP options and should be present in every configuration.

2. Enable upload on the anonymous FTP server
Add the following to the configuration file:
anon_upload_enable=YES (allow anonymous uploads)
anon_mkdir_write_enable=YES (allow anonymous users to create directories and upload into them)
write_enable=YES (global write switch; no write of any kind works without it)
anon_other_write_enable=YES (allow anonymous users to delete and rename; almost never wanted on a public server)
The upload directory must be writable by the account anonymous sessions run as (ftp_username, normally "ftp"), but vsftpd refuses to serve from a writable anonymous root, so grant write permission on a subdirectory such as pub/upload rather than on the top directory.

3. Enable download on the anonymous server
Add the following to the configuration file:
anon_world_readable_only=NO
By default this option is YES, meaning anonymous users may only download files that are world-readable; set it to NO to also let them download files that the "ftp" account can read but other users cannot.
Note: check the directory and file attributes. An anonymous session runs as the local "ftp" account, which for files it did not create falls in the "other" class, so the "other" permission bits decide what it can do:
(r) read: download; (w) write: upload; (x) execute: enter the directory (without it the FTP client cannot change into the directory at all)

4. Local user connections to the FTP server (standalone server)
Add the following to the configuration file:
local_enable=YES (local accounts may log on)
write_enable=NO (local accounts cannot upload, delete or modify files after logging on)
Result: local accounts can log on to the vsftpd server with their system password and download files; set write_enable=YES if they should also be able to upload.
Note: with these settings anonymous users can still log on and download; set anonymous_enable=NO to disable anonymous logons. Because a local logon sends the system password over the network in clear text, restrict the accounts that are allowed in (sections 5 and 6) rather than opening FTP to every system user.

5. Restrict logged-on users to their home directory (chroot)
To chroot all local users:
chroot_local_user=YES (every local account is confined to its own home directory)
To chroot only specific users:
chroot_list_enable=YES (consult the list file)
chroot_list_file=/etc/vsftpd.chroot_list (or any path you choose)
Note: vsftpd.chroot_list does not exist by default; create it yourself and put one account name per line. The meaning of the list flips with chroot_local_user: when chroot_local_user=NO the listed users are the ones that get chrooted, when chroot_local_user=YES the listed users are the exceptions that are not chrooted. Also, vsftpd 2.3.5 and later refuse a logon whose chroot directory is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); vsftpd 3.0.0 added allow_writeable_chroot=YES to override that check, but the safer layout is a non-writable home directory with a writable subdirectory for uploads.

6. Restrict which local users may use FTP
userlist_enable=YES (consult the user list file)
userlist_deny=NO (with NO, only the users in the list may log on; with the default YES, the users in the list are denied)
userlist_file=/etc/vsftpd.user_list (path of the list file, one account per line)
Either way the refusal happens before the password is requested, so a denied account never sends its password over the network.
Note: with userlist_enable=YES and userlist_deny=NO the anonymous account cannot log on either, unless "anonymous" (or the ftp account name) is added to the list.

7. Security options
idle_session_timeout=600 (seconds; disconnect a session that has been idle for 10 minutes)
data_connection_timeout=120 (seconds; abort a data transfer that has stalled for 2 minutes)
accept_timeout=60 (seconds; time allowed for a passive-mode client to connect to the data port)
connect_timeout=60 (seconds; time allowed for an active-mode client to accept the server's data connection)
local_max_rate=50000 (bytes per second; local user transfer rate limit of about 50 KB/s)
anon_max_rate=30000 (bytes per second; anonymous user transfer rate limit of about 30 KB/s)
pasv_min_port=50000 (lowest port used for passive-mode data connections)
pasv_max_port=60000 (highest port used for passive-mode data connections; a fixed range lets the firewall open only those ports)
max_clients=200 (maximum number of simultaneous FTP connections)
max_per_ip=4 (maximum number of connections from one IP address)
listen_port=5555 (port the standalone server listens on for control connections instead of 21; moving the port does not protect the clear-text password, it only hides the service from casual scanning)

8. See who is logged on to FTP and kill a session
ps xf | grep ftp
kill <process number>
In standalone mode vsftpd forks a child process for each session, so killing one child disconnects only that client.
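As an added example (not from the original article), here is a small shell audit that reads a vsftpd.conf and flags the combinations sections 1 to 7 warn about: anonymous upload, anonymous delete or rename, local users outside a chroot, no passive port range, no per-IP limit, transfer logging off, and the default version-revealing banner. vsftpd's built-in defaults are hard-coded so an option that is left unset is judged by what the daemon will actually do. The two sample configurations are constructed for the demonstration; the temporary file paths and sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf for the
# risky settings discussed in sections 1-7. Built-in vsftpd defaults are used
# for anything the file does not set (anonymous_enable=YES, write_enable=NO,
# local_enable=NO, chroot_local_user=NO, pasv ports 0, max_per_ip=0,
# xferlog_enable=NO, empty ftpd_banner).

# get_opt FILE KEY DEFAULT: print the value of KEY. vsftpd takes key=value
# with no spaces, ignores comment lines, and the last occurrence wins.
get_opt() {
  v=$(grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# is_yes FILE KEY DEFAULT: true if the boolean option is on (YES/TRUE/1, any case)
is_yes() {
  case $(get_opt "$1" "$2" "$3" | tr 'a-z' 'A-Z') in
    YES|TRUE|1) return 0 ;;
  esac
  return 1
}

# audit_conf FILE: print one "WARN: ..." line per finding, always returns 0
audit_conf() {
  f=$1
  if is_yes "$f" anonymous_enable YES; then
    if is_yes "$f" write_enable NO && { is_yes "$f" anon_upload_enable NO || is_yes "$f" anon_mkdir_write_enable NO; }; then
      echo "WARN: anonymous users may upload or create directories"
    fi
    if is_yes "$f" write_enable NO && is_yes "$f" anon_other_write_enable NO; then
      echo "WARN: anonymous users may delete and rename files"
    fi
  fi
  if is_yes "$f" local_enable NO && ! is_yes "$f" chroot_local_user NO; then
    echo "WARN: local users are not chrooted to their home directories"
  fi
  if [ "$(get_opt "$f" pasv_min_port 0)" = 0 ] || [ "$(get_opt "$f" pasv_max_port 0)" = 0 ]; then
    echo "WARN: no passive port range, firewall rules cannot be scoped"
  fi
  if [ "$(get_opt "$f" max_per_ip 0)" = 0 ]; then
    echo "WARN: no per-IP connection limit"
  fi
  if ! is_yes "$f" xferlog_enable NO; then
    echo "WARN: transfer logging is off"
  fi
  if [ -z "$(get_opt "$f" ftpd_banner '')" ]; then
    echo "WARN: default banner reveals the vsftpd version"
  fi
  return 0
}

# Two constructed sample configurations (assumed paths via mktemp).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# constructed sample: the "anonymous upload" setup from section 2, nothing else
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
listen=YES
EOF
cat > "$HARD" <<'EOF'
# constructed sample: local users only, chrooted, logged, rate and port limited
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
pasv_min_port=50000
pasv_max_port=60000
max_clients=200
max_per_ip=4
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=Authorised users only
listen=YES
EOF

echo "== weak config"; audit_conf "$WEAK"
echo "== hardened config"; audit_conf "$HARD"
```

Run it against /etc/vsftpd/vsftpd.conf by calling audit_conf with that path; an empty result means none of the seven checks fired, not that the server is safe, since file-system permissions on the served directories are outside what the config file can tell you.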

 

----------------------------------------------------------------------------------------------------------------

 

Now we can implement different permissions for three virtual users:
A. upload: can upload, download and create folders, but cannot delete files or folders and cannot rename existing files or folders;
B. download: download only;
C. admin: the administrator, who can upload, download, create folders, and delete and rename files and folders.
None of these users can log on to the system itself, and during an FTP session they are locked in their home directory and cannot enter system folders.
# cat > logins.txt <<!
upload
*******
download
*******
admin
****************
!
Note: the format of this text file is one user name on each odd line and that user's password on the following even line (the asterisks above stand for the passwords you choose; do not put comments on those lines, they would become part of the password).
# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

######################################## ######################################## #####

If the shell reports that db_load is not found, the db4 utility packages are not installed. Install the following packages:

db4-tcl-*.rpm

db4-utils-*.rpm

or simply: yum -y install db4 db4-tcl db4-utils

The db_load command builds a Berkeley DB database, here a hash database whose keys are the user names and whose values are the clear-text passwords, which is why the file is made readable only by root in the next step.

######################################## ######################################## #####
# chmod 600 /etc/vsftpd_login.db
# useradd -d /home/ftpsite virtual
# chmod 700 /home/ftpsite
# su - virtual -c "echo hello > /home/ftpsite/test.file"
(Create the FTP directory the virtual users will use, make it accessible only by the "virtual" account, and create a file for the download test.)
# vi /etc/vsftpd.conf   and add the following lines to the file:
guest_enable=YES (enable virtual users)
guest_username=virtual (map every virtual user onto the local account "virtual")
pam_service_name=vsftpd (use the PAM configuration file /etc/pam.d/vsftpd, which must be set up to authenticate against /etc/vsftpd_login.db through pam_userdb)
user_config_dir=/etc/vsftpd_user_conf (directory holding one configuration file per virtual user)
Save and exit.
# mkdir /etc/vsftpd_user_conf
Now give each user different permissions. Virtual users are treated like anonymous users, so their permissions are governed by the anon_* options:
# echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/download
# cp /etc/vsftpd_user_conf/download /etc/vsftpd_user_conf/upload
# vi /etc/vsftpd_user_conf/upload   and add the following lines:
write_enable=YES (grant write permission)
anon_upload_enable=YES (grant upload permission)
anon_mkdir_write_enable=YES (grant permission to create directories)
# cp /etc/vsftpd_user_conf/upload /etc/vsftpd_user_conf/admin
Add one more line to /etc/vsftpd_user_conf/admin:
anon_other_write_enable=YES (grant the administrator permission to delete and rename)
Test:
# killall -9 vsftpd; /usr/local/sbin/vsftpd /etc/vsftpd.conf &
Log on as download with the password you set: ls shows the file and a get succeeds. A put is refused with "Permission denied", rename test.file is refused as well, and delete test.file also fails.
Enter quit, then log on as upload: upload and download work and mkdir lsf reports "/lsf" created, but rename lsf lsf1 is refused with permission denied, and the file cannot be deleted.
Enter quit and log on as admin: everything above works, rmdir lsf reports "Remove directory operation successful" and delete test.file reports "Delete operation successful". Done.
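The procedure above, as an added example that is not part of the original article: it builds the whole virtual-user layout in a scratch directory so it can be dry-run without root, validates the odd/even layout of logins.txt, runs db_load only if it is installed, writes the three per-user files, writes the two pam_userdb lines that /etc/pam.d/vsftpd needs for pam_service_name=vsftpd (the article does not show them; they are the standard pam_userdb usage and are assumed here), and then resolves each user's effective permissions the way vsftpd does: a setting in the user's file under user_config_dir overrides the main vsftpd.conf, anything unset falls back to the built-in default, and because virtual users get anonymous-style privileges a write needs both write_enable and the matching anon_* switch. The scratch root, the main vsftpd.conf contents and the passwords are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: dry-run of the virtual-user
# setup in a scratch directory (assumed: $ROOT, default from mktemp).
ROOT=${ROOT:-$(mktemp -d)}
MAIN=$ROOT/vsftpd.conf
USERDIR=$ROOT/vsftpd_user_conf

# check_logins FILE: odd lines are user names, even lines passwords; reject
# blank lines, duplicate users and a trailing user without a password.
check_logins() {
  awk 'BEGIN { bad = 0 }
       NF == 0 { print "blank line " NR; bad = 1 }
       NR % 2 == 1 { if (seen[$1]++) { print "duplicate user " $1; bad = 1 } }
       END { if (NR % 2) { print "user without password"; bad = 1 }; exit bad }' "$1"
}

# make_db LOGINS DBFILE: pam_userdb needs a Berkeley DB hash file (db4-utils).
# The values are clear-text passwords, hence mode 600.
make_db() {
  if command -v db_load >/dev/null 2>&1; then
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
  else
    echo "db_load not installed (yum -y install db4-utils); skipping $2" >&2
  fi
}

# write_confs DIR: the three per-user files exactly as the article builds them
write_confs() {
  d=$1; mkdir -p "$d"
  printf 'anon_world_readable_only=NO\n' > "$d/download"
  { cat "$d/download"
    printf 'write_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\n'; } > "$d/upload"
  { cat "$d/upload"; printf 'anon_other_write_enable=YES\n'; } > "$d/admin"
}

# effective MAINCONF USERDIR USER KEY DEFAULT: per-user file wins, then the
# main config, then DEFAULT. Boolean values are printed upper-cased.
effective() {
  for f in "$2/$3" "$1"; do
    v=''
    if [ -f "$f" ]; then v=$(sed -n "s/^$4=//p" "$f" | tail -n 1); fi
    if [ -n "$v" ]; then printf '%s\n' "$v" | tr 'a-z' 'A-Z'; return 0; fi
  done
  printf '%s\n' "$5"
}

# can_do USER ACTION (upload|mkdir|delete): true if vsftpd would allow it.
can_do() {
  case $2 in
    upload) k=anon_upload_enable ;;
    mkdir)  k=anon_mkdir_write_enable ;;
    delete) k=anon_other_write_enable ;;
    *) echo "unknown action $2" >&2; return 2 ;;
  esac
  [ "$(effective "$MAIN" "$USERDIR" "$1" write_enable NO)" = YES ] &&
  [ "$(effective "$MAIN" "$USERDIR" "$1" "$k" NO)" = YES ]
}

# Constructed main config: the article only shows the lines it adds, the rest is assumed.
cat > "$MAIN" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd
user_config_dir=$USERDIR
listen=YES
EOF
# Constructed logins.txt with placeholder passwords.
printf 'upload\nupload-secret\ndownload\ndownload-secret\nadmin\nadmin-secret\n' > "$ROOT/logins.txt"
check_logins "$ROOT/logins.txt"
make_db "$ROOT/logins.txt" "$ROOT/vsftpd_login.db"
write_confs "$USERDIR"
# What /etc/pam.d/vsftpd needs (assumed standard pam_userdb lines; db= takes the path without .db):
printf 'auth    required pam_userdb.so db=/etc/vsftpd_login\naccount required pam_userdb.so db=/etc/vsftpd_login\n' > "$ROOT/pam.d-vsftpd"

echo "scratch tree in $ROOT (remove it when done)"
for u in download upload admin; do
  for a in upload mkdir delete; do
    if can_do "$u" "$a"; then r=yes; else r=no; fi
    printf '%-9s %-7s %s\n' "$u" "$a" "$r"
  done
done
```

The printed matrix is the same one the article verifies by hand with an FTP client: download gets no to everything, upload gets yes to upload and mkdir but no to delete, and admin gets yes to all three. If your main vsftpd.conf already sets write_enable=YES, the download user stays read-only anyway, because anon_upload_enable and the other anon_* switches still default to NO.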

 

--------------------------------------------------------------------------------------------------------------

In fact I have run into this error several times, because CentOS ships with SELinux restrictions enabled by default, but today I did not think of it for a moment.

Let me make a note of it:

His system is CentOS, which belongs to the Red Hat family. I installed and configured vsftpd and thought it was working, but the client was greeted with:
500 OOPS: cannot change directory:/home/ftp
The reason is that SELinux is enabled on his CentOS system, and the policy does not let the FTP daemon into home directories by default, so access is blocked.
// View the SELinux booleans that affect FTP
# getsebool -a | grep ftp
ftpd_disable_trans --> off
or
ftp_home_dir --> off
// Turn the boolean on with setsebool
# setsebool ftpd_disable_trans 1
or
# setsebool ftp_home_dir 1
// Check that it is now on
# getsebool -a | grep ftp
ftpd_disable_trans --> on
or
ftp_home_dir --> on
// With the -P parameter setsebool makes the change persistent, so it need not be repeated after every boot
# setsebool -P ftpd_disable_trans 1
or
# setsebool -P ftp_home_dir 1
# service vsftpd restart
Of the two, ftp_home_dir is the one to prefer: it only allows the confined daemon to read and write home directories. ftpd_disable_trans switches off the domain transition, so vsftpd runs unconfined and SELinux no longer limits it at all (newer policies have dropped that boolean; labelling the served directory public_content_rw_t or, as a last resort, the ftpd_full_access boolean takes its place). Before changing anything, read the denial in /var/log/audit/audit.log or /var/log/messages to confirm that SELinux really is the cause.

SELinux configuration

The mode, whether disabled, permissive (warnings are logged but nothing is blocked) or enforcing, is set in /etc/sysconfig/selinux; the default is enforcing.

For example SELINUX=disabled.

A change of mode in that file takes effect only after the server is rebooted, and disabling SELinux to fix an FTP directory removes its protection from every other service on the host as well.

 

--------------------------------------------------------------------------------------------------------------

 

vsftpd configuration and log format

FTP servers include vsftpd, ProFTPD, wu-ftpd and others; vsftpd is normally installed by default on Red Hat based Linux distributions. This section introduces the configuration of vsftpd and its log format.

1. Problem description
Yesterday I gave my lab staff a shared "movie" account. What I actually wanted was for everyone to be able to telnet in, or use SSH, freely; I did not expect anyone to use the account to delete files over FTP.
First of all, by default vsftpd's transfer log only records uploads and downloads; it does not record a local user deleting files or creating directories, and an FTP logon leaves no trace in lastlog either. A shared account must therefore never also be a local system account. If the account is a local account, you also have to control which files it may delete and modify, and never give such a user destructive permissions on other people's files. This kind of control accumulates many administrative loopholes, so it is best to use virtual users, or to let FTP be used only through the anonymous account (whose permissions the administrator can, of course, control flexibly).
So when you open a user account you must consider what logging exists for what it can do; an unmonitored gap like this must not occur.
The crux of the problem is that the log does not match the service exactly. For example, FTP may be intended only for uploading and downloading files, yet the permission to manage files is granted as well, while the vsftpd transfer log does not record that file management, which is very bad.
2. Related knowledge
Reading the vsftpd parameter manual shows how little I knew.
Log-related vsftpd options:
vsftpd_log_file
xferlog_enable
xferlog_std_format
xferlog_file
dual_log_enable
syslog_enable
log_ftp_protocol
no_log_lock
Here we need to control the following parameters:
log_ftp_protocol
When enabled, and provided xferlog_std_format is not enabled, all FTP requests and responses are logged. Useful for debugging.
Default: NO
dual_log_enable
When enabled, two log files are written in parallel, by default /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log that standard tools can analyze; the latter is vsftpd's own style log.
Default: NO
xferlog_enable
When enabled, a log file is maintained that records uploads and downloads in detail. By default this file is /var/log/vsftpd.log, but the location can be changed with the vsftpd_log_file option in the configuration file.
Default: NO (but the example configuration shipped with vsftpd enables it)
xferlog_std_format
When enabled, the transfer log is written in the standard xferlog format used by wu-ftpd, so existing transfer statistics generators can be reused. The default format, however, is more readable. The log file in this format is /var/log/xferlog by default, but that too can be changed with the xferlog_file option.
Default: NO

3. Solution
Only the logging parameters are given here.
################## Log settings ###################
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# Log to two files, /var/log/xferlog and /var/log/vsftpd.log
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
# Log timestamps in local time rather than GMT
use_localtime=YES
#
################### End of log settings ##################
4. Results
The xferlog content is as follows:
---------------------------------------------------------------------------------------------------------------------
Wed Apr 18 06:41:29 2007 1 202.116.130.248 0 /pub/upload/kernel.rpm b _ i a root ftp 0 * i
Wed Apr 18 06:43:27 2007 1 202.116.130.248 0 /pub/sun b _ o a root ftp 0 * c
Tue May  1 15:03:37 2007 1 202.116.130.242 45662 /mnt/D/movie/LINUX partition.jpg b _ i r movie ftp 0 * c
(The fields, per xferlog(5), are: date, transfer time in seconds, client host, file size, file name, transfer type (a ascii, b binary), special action flag, direction (i incoming, o outgoing), access mode (a anonymous, r real user), user name, service name, authentication method, authenticated user id, and completion status (c complete, i incomplete).)
The content of vsftpd.log is as follows:
----------------------------------------------------------------------------------------------------------------------
Tue May  1 15:03:21 2007 [pid 23969] CONNECT: Client "202.116.130.242"
Tue May  1 15:03:21 2007 [pid 23968] [movie] OK LOGIN: Client "202.116.130.242"
Tue May  1 15:03:37 2007 [pid 23970] [movie] OK UPLOAD: Client "202.116.130.242", "/mnt/D/movie/LINUX partition.jpg", 45662 bytes, 824.60Kbyte/sec
Tue May  1 15:05:12 2007 [pid 23970] [movie] OK DELETE: Client "202.116.130.242", "/mnt/D/movie/LINUX partition.jpg"
So xferlog records the upload and download traffic, which is the information of real statistical value for FTP. But a system administrator may hand out special accounts to meet the needs of different users, and for monitoring what those accounts do through an FTP logon from the system's point of view, vsftpd.log is the file that provides the detailed evidence: the delete that never appears in xferlog is right there.
Still, I recommend that each service be used for one purpose only, to reduce the management burden.
Log analysis: eagerlinuxer uses AWStats to produce statistics from vsftpd logs; one look at the charts at http://awstats.sourceforge.net/awstats.ftp.html will probably motivate you to do the same.
If there are no special requirements, sed and awk can be combined, for example
sed -n '/[a]\{1\}_\{1\}/p' xferlog
to print only the lines matching a pattern, and the result then filtered again by IP address, and so on. Used skillfully, sed and awk can do a great deal of useful data processing and analysis.
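As an added example that is not part of the original article, the following script does for the two logs what the text above asks for: it pulls the file-management events that xferlog never records (DELETE, RENAME, RMDIR, MKDIR) out of vsftpd.log, counts failed logons per client, and tallies completed transfer bytes per user from xferlog. The log lines are constructed in the formats shown in section 4 and embedded inline; the RENAME, RMDIR and FAIL LOGIN lines follow vsftpd's "[user] STATUS VERB: Client" layout but are assumptions rather than captures, and the temporary file paths are assumed too.

```shell
#!/bin/sh
# Added example, not part of the original article. xferlog only records
# transfers, so the delete shown in section 4 is visible only in vsftpd.log.
# mgmt_events extracts such non-transfer changes, failed_logins spots password
# guessing, xfer_summary tallies completed transfers per user.

VLOG=$(mktemp); XLOG=$(mktemp)
trap 'rm -f "$VLOG" "$XLOG"' EXIT
# Constructed vsftpd.log (first four lines as in section 4, the rest assumed).
cat > "$VLOG" <<'EOF'
Tue May  1 15:03:21 2007 [pid 23969] CONNECT: Client "202.116.130.242"
Tue May  1 15:03:21 2007 [pid 23968] [movie] OK LOGIN: Client "202.116.130.242"
Tue May  1 15:03:37 2007 [pid 23970] [movie] OK UPLOAD: Client "202.116.130.242", "/mnt/D/movie/LINUX partition.jpg", 45662 bytes, 824.60Kbyte/sec
Tue May  1 15:05:12 2007 [pid 23970] [movie] OK DELETE: Client "202.116.130.242", "/mnt/D/movie/LINUX partition.jpg"
Tue May  1 15:06:40 2007 [pid 23970] [movie] OK RENAME: Client "202.116.130.242", "/mnt/D/movie/a.avi" "/mnt/D/movie/b.avi"
Tue May  1 15:07:02 2007 [pid 23975] [movie] OK RMDIR: Client "202.116.130.242", "/mnt/D/movie/old"
Tue May  1 15:09:00 2007 [pid 23980] [admin] FAIL LOGIN: Client "202.116.130.99"
Tue May  1 15:09:05 2007 [pid 23981] [admin] FAIL LOGIN: Client "202.116.130.99"
EOF
# Constructed xferlog in wu-ftpd format (space in the name replaced, last line assumed).
cat > "$XLOG" <<'EOF'
Wed Apr 18 06:41:29 2007 1 202.116.130.248 0 /pub/upload/kernel.rpm b _ i a root ftp 0 * i
Wed Apr 18 06:43:27 2007 1 202.116.130.248 0 /pub/sun b _ o a root ftp 0 * c
Tue May  1 15:03:37 2007 1 202.116.130.242 45662 /mnt/D/movie/LINUX_partition.jpg b _ i r movie ftp 0 * c
Tue May  1 15:04:10 2007 3 202.116.130.242 1048576 /mnt/D/movie/trailer.avi b _ o r movie ftp 0 * c
EOF

# mgmt_events LOG: print "user verb client" for each successful DELETE/RENAME/RMDIR/MKDIR.
# Fields: 1-5 date, 6 "[pid", 7 "NNN]", 8 "[user]", 9 OK/FAIL, 10 "VERB:", 11 Client, 12 "ip",
mgmt_events() {
  awk '$8 ~ /^\[/ {
         user = $8; gsub(/\[|\]/, "", user)
         verb = $10; sub(/:$/, "", verb)
         client = $12; gsub(/"|,/, "", client)
         if ($9 == "OK" && (verb == "DELETE" || verb == "RENAME" || verb == "RMDIR" || verb == "MKDIR"))
           print user, verb, client
       }' "$1"
}

# failed_logins LOG THRESHOLD: clients with at least THRESHOLD failed logons
failed_logins() {
  awk -v t="$2" '$9 == "FAIL" && $10 == "LOGIN:" { c = $12; gsub(/"|,/, "", c); n[c]++ }
                 END { for (c in n) if (n[c] >= t) print c, n[c] }' "$1"
}

# xfer_summary XFERLOG: "user bytes_in bytes_out" over completed transfers.
# Fields are taken from the end of the line because the file name may contain spaces.
xfer_summary() {
  awk '$NF == "c" {
         user = $(NF-4); dir = $(NF-6); size = $8
         if (dir == "i") bin[user] += size; else bout[user] += size
         seen[user] = 1
       }
       END { for (u in seen) print u, bin[u]+0, bout[u]+0 }' "$1" | sort
}

echo "file management events (absent from xferlog):"; mgmt_events "$VLOG"
echo "clients with 2 or more failed logons:"; failed_logins "$VLOG" 2
echo "completed transfers per user (bytes in, bytes out):"; xfer_summary "$XLOG"
```

Point the functions at /var/log/vsftpd.log and /var/log/xferlog on a real server; the per-user tally is the "upstream and downstream" statistic the text mentions, and the management-event list is the evidence that only dual_log_enable=YES makes available.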
References
1. etony, vsftpd.conf online manual: http://fanqiang.chinaunix.net/app/ftp/2005-06-24/3337.shtml
2. wolfg, meaning of the vsftpd log (xferlog format): http://www.chinaunix.net/jh/15/698727.html
3. man vsftpd.conf (recommended)
4. eagerlinuxer, "Using AWStats for vsftpd log statistics": http://www.chinaunix.net/jh/15/388056.html

When several services control the same directory or file at the same time, you must review the permissions across those services: one service must not end up giving an account different access to the same data than another service gives it. Directory and file permissions are the basis of all access control; on top of them, each service can attach its own access rules (usually stricter than what the file-system permissions already allow).

**************************************** **************************
vsftpd.conf manual: http://vsftpd.beasts.org/vsftpd_conf.html
vsftpd log format, xferlog(5): http://bsdftpd-ssl.sc.ru/doc/unix/xferlog.5.txt
