[Vsftp Services]--ftp virtual users, permission settings, and other experiments

Source: Internet
Author: User
Tags: ftp login, ftp access

Set up an FTP server that meets the following requirements:

1. Anonymous users may log in and download files, with the download rate capped at 2 MB/s.

2. Local (system) users may not log in to the FTP server.

3. Add the virtual users vuser01, vuser02 and vuser03 to the server, with passwords of your choice, where:

(1) vuser01 may download at up to 3 MB/s, vuser02 at up to 4 MB/s and vuser03 at up to 5 MB/s;

(2) vuser01 may upload files but perform no other write operation;

(3) vuser02 may upload files and create directories;

(4) vuser03 may upload, create and delete files;

(5) all virtual users are confined to the directory /myserver/ftproot.

4. The server allows at most 10 concurrent clients, at most 3 password attempts per session, and at most 5 connections from any one IP address.

5. The firewall allows only FTP access and ping; no other service is reachable.

Experimental environment

Server a:10.0.10.158

Server b:10.0.100.191

Client c:10.0.100.198

Server: install vsftpd and the db_load utility (db_load comes from the db4-utils package; it builds the Berkeley DB file that pam_userdb reads, it does not encrypt anything)

# yum install vsftpd
# yum install db4-utils

Requirement 1: allow anonymous users to log in and download files, with the download rate capped at 2 MB/s

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES         <-- allow anonymous logins
anon_max_rate=2000000        <-- cap anonymous transfers at 2,000,000 bytes per second (the value is bytes/s, so about 2 MB/s)

Result validation (run from the client):

# ftp 10.0.10.158
Connected to 10.0.10.158 (10.0.10.158).
220 (vsFTPd 2.2.2)
Name (10.0.10.158:root): ftp           <-- log in with the built-in anonymous account "ftp"
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls                                <-- the anonymous home directory defaults to /var/ftp
227 Entering Passive Mode (10,0,10,158,118,127).
150 Here comes the directory listing.
-rw-r--r--    1 0        0        104857600 Nov 30 06:42 100m_file   <-- a 100 MB file placed on the server beforehand
drwxr-xr-x    2 0        0             4096 Mar          pub
226 Directory send OK.
ftp> get 100m_file
local: 100m_file remote: 100m_file
227 Entering Passive Mode (10,0,10,158,189,24).
150 Opening BINARY mode data connection for 100m_file (104857600 bytes).
226 Transfer complete.
104857600 bytes received in 61.3 secs (1711.39 kB/s)   <-- elapsed time and rate: below the 2 MB/s cap
ftp> put /etc/passwd                   <-- attempt an upload: denied
local: /etc/passwd remote: /etc/passwd
227 Entering Passive Mode (10,0,10,158,126,52).
550 Permission denied.
ftp> mkdir aa                          <-- attempt to create a directory: denied
550 Permission denied.

Requirement 2: add the virtual users vuser01, vuser02 and vuser03, confine them to /myserver/ftproot, and give each a different set of permissions

1. Enable virtual-user support in the configuration file

# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES                     <-- every non-anonymous login is treated as a "guest"
guest_username=virtftp               <-- guests are remapped to the local account virtftp
pam_service_name=vsftpd              <-- the PAM service name to use (the default is already vsftpd), i.e. /etc/pam.d/vsftpd
user_config_dir=/etc/vsftpd/virt_dir <-- each virtual user's own settings live in a file of that user's name under this directory

2. Create the text file of user names and passwords (odd lines are user names, even lines are passwords)

# vim /etc/vsftpd/virt_user.txt
vuser01      <-- user name
123123       <-- password
vuser02
123123
vuser03
123123

This file and the database built from it hold the passwords in plaintext, so make both readable by root only (mode 600).

3. Build the database file from the text file

# db_load -T -t hash -f /etc/vsftpd/virt_user.txt /etc/vsftpd/virt_user.db

(-T reads a plain-text input file, -t hash selects the hash access method, -f names the input file; the output is the .db file that PAM will read.)

4. Create the PAM service file

# vim /etc/pam.d/vsftpd
#%PAM-1.0
auth    sufficient  /lib/security/pam_userdb.so db=/etc/vsftpd/virt_user
account sufficient  /lib/security/pam_userdb.so db=/etc/vsftpd/virt_user

The db= argument is given without the .db suffix. /lib/security is the module path on my 32-bit machine; on a 64-bit machine write /lib64/security (or give just pam_userdb.so and let PAM find it in its default module directory). The file must contain only these two lines: if the stock entries that include system-auth are left in place, a login that fails pam_userdb falls through to them and local system accounts can still authenticate.

5. Create the local user virtftp (the configuration maps the virtual users to this account and puts them in /myserver/ftproot, so that directory should be virtftp's home)

# useradd -d /myserver/ftproot/ -s /sbin/nologin virtftp   <-- home directory /myserver/ftproot, no login shell
# ll -d /myserver/ftproot/
drwx------. 3 virtftp virtftp 4096 Nov 20:17 /myserver/ftproot/
# chmod 755 /myserver/ftproot/                                <-- change the home directory to mode 755
# ll -d /myserver/ftproot/
drwxr-xr-x. 3 virtftp virtftp 4096 Nov 20:17 /myserver/ftproot/

The owner, group and mode of the home directory must be right: virtftp must own it so that uploads succeed, and 755 is enough (do not use 777). Note that this layout, a writable chroot root, is accepted by the vsftpd 2.2.2 used here; vsftpd 2.3.5 and later refuse to start a session in a writable chroot root unless allow_writeable_chroot=YES is set (3.0.0+) or the root is made non-writable with a writable subdirectory for uploads.

6. Create /etc/vsftpd/virt_dir and write one file per user with that user's settings (the directory name is the one given to user_config_dir in the configuration file)

# mkdir /etc/vsftpd/virt_dir
# cd /etc/vsftpd/virt_dir
# vim vuser01                        <-- settings for vuser01
local_root=/myserver/ftproot         <-- the user's root directory
anon_upload_enable=YES               <-- may upload
anon_max_rate=3000000                <-- at most 3 MB/s
# vim vuser02
local_root=/myserver/ftproot
anon_upload_enable=YES               <-- may upload
anon_mkdir_write_enable=YES          <-- may create directories
anon_max_rate=4000000
# vim vuser03
local_root=/myserver/ftproot
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES          <-- may perform the other write operations (delete, rename)
anon_max_rate=5000000

Guests are handled like anonymous users inside vsftpd, which is why their permissions are set with the anon_* options rather than with write_enable and local_umask. Option names must be spelled exactly: a per-user file containing an unknown option (for example anon_other_write_ebale) makes vsftpd abort that session with "500 OOPS: unrecognised variable in config file".

7. Mind the firewall and SELinux on the server (on the server or the client, if the configuration looks right but logins keep failing, check both)

# iptables -F             <-- flushes every rule; this is only to rule the firewall out in the lab, and is the opposite of requirement 5
# setenforce 0            <-- SELinux permissive, again only while debugging
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# setsebool ftp_home_dir on
# setsebool tftp_anon_write on
# setsebool allow_ftpd_anon_write on
# setsebool allow_ftpd_full_access on
# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> on

Without -P the setsebool changes are lost at reboot; use setsebool -P to make them persistent. With ftp_home_dir and allow_ftpd_anon_write on, SELinux can stay enforcing for this setup; tftp_anon_write belongs to tftpd and has no effect on vsftpd.

8. The remaining requirement is "do not allow local users to log in". It cannot be done with local_enable=NO, because virtual users log in through the local-user path (they are remapped to the local account virtftp), so local_enable must stay YES. Use the user_list file instead:

# vim /etc/vsftpd/vsftpd.conf
local_enable=YES
userlist_enable=YES      <-- consult the user_list file
userlist_deny=NO         <-- turns user_list into a whitelist: only the names in it may log in
# vim /etc/vsftpd/user_list   <-- list the accounts allowed to log in, i.e. the virtual users (not virtftp)
vuser01
vuser02
vuser03

The name matched against user_list is the one typed at login, which is why virtftp itself does not belong there. With userlist_deny=NO the check happens before the password prompt, so a local user is refused with "530 Permission denied" without ever being asked for a password (see check (4) below). The stock user_list ships with root, bin and other system accounts in it; with userlist_deny=NO those names become permitted, so replace its contents rather than appending to it.
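Steps 2, 3, 6 and 8 all derive from the same list of users, and hand-editing four places is how the odd/even line layout, the per-user option sets and the user_list whitelist drift apart. The script below is an added example (not code from the original page or from vsftpd) that generates all of them from one spec. The spec format, the permission levels upload/mkdir/full and the environment-variable overrides are this example's own assumptions; the paths default to the ones used in the experiment.

```shell
#!/bin/sh
# Added example, not from the original page: provision the vsftpd virtual
# users of steps 2, 3, 6 and 8 from one spec, so the odd/even line layout,
# the per-user option sets and the user_list whitelist cannot drift apart.
# Paths default to the ones used in the experiment; override via environment.
VIRT_TXT="${VIRT_TXT:-/etc/vsftpd/virt_user.txt}"
VIRT_DB="${VIRT_DB:-/etc/vsftpd/virt_user.db}"
USER_CONF_DIR="${USER_CONF_DIR:-/etc/vsftpd/virt_dir}"
USER_LIST="${USER_LIST:-/etc/vsftpd/user_list}"
FTP_ROOT="${FTP_ROOT:-/myserver/ftproot}"

# Constructed spec: user:password:max_rate_bytes_per_sec:level, one per line.
# Levels mirror the page: upload (vuser01), mkdir (vuser02), full (vuser03).
# Passwords must not contain ':' with this simple format.
SPEC='vuser01:123123:3000000:upload
vuser02:123123:4000000:mkdir
vuser03:123123:5000000:full'

# Print the text file db_load -T -t hash expects: user on odd lines, password on even.
spec_to_userdb_text() {   # $1=spec
    printf '%s\n' "$1" | while IFS=: read -r user pass _rate _level; do
        [ -n "$user" ] || continue
        printf '%s\n%s\n' "$user" "$pass"
    done
}

# Print the per-user vsftpd options for one rate and permission level.
user_conf() {   # $1=rate $2=level
    printf 'local_root=%s\n' "$FTP_ROOT"
    printf 'anon_max_rate=%s\n' "$1"
    printf 'anon_upload_enable=YES\n'
    case "$2" in
        upload) ;;
        mkdir)  printf 'anon_mkdir_write_enable=YES\n' ;;
        full)   printf 'anon_mkdir_write_enable=YES\n'
                printf 'anon_other_write_enable=YES\n' ;;
        *)      echo "unknown level: $2" >&2; return 1 ;;
    esac
}

# Print the user_list whitelist (userlist_deny=NO): login names only, never virtftp.
spec_to_user_list() {   # $1=spec
    printf '%s\n' "$1" | cut -d: -f1 | grep -v '^$'
}

provision() {
    umask 077                                   # txt and db hold plaintext passwords
    mkdir -p "$USER_CONF_DIR" "$(dirname "$VIRT_TXT")" "$(dirname "$USER_LIST")"
    chmod 755 "$USER_CONF_DIR"
    spec_to_userdb_text "$SPEC" > "$VIRT_TXT"
    spec_to_user_list "$SPEC" > "$USER_LIST"
    chmod 644 "$USER_LIST"
    printf '%s\n' "$SPEC" | while IFS=: read -r user _pass rate level; do
        [ -n "$user" ] || continue
        user_conf "$rate" "$level" > "$USER_CONF_DIR/$user"
        chmod 644 "$USER_CONF_DIR/$user"        # no secrets here; vsftpd reads these as root
    done
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$VIRT_TXT" "$VIRT_DB"   # created under umask 077, so mode 600
    else
        echo "db_load not found; install db4-utils, then run:" >&2
        echo "  db_load -T -t hash -f $VIRT_TXT $VIRT_DB" >&2
    fi
}
```

Run it as root with `provision` after sourcing the script, then restart vsftpd. Adding a user means adding one spec line and re-running it; the db file is rebuilt from scratch each time, which is also the right way to remove a user, since pam_userdb keeps authenticating stale entries until the .db is regenerated.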

Requirement 3: at most 10 concurrent clients, at most 3 password attempts, at most 5 connections per IP address

# vim /etc/vsftpd/vsftpd.conf
max_clients=10           <-- maximum number of concurrent client connections
max_per_ip=5             <-- maximum number of connections from one IP address
max_login_fails=3        <-- the control connection is dropped after 3 failed login attempts (this is also vsftpd's default)

Verification

(1) vuser02

# ftp 10.0.10.158
Connected to 10.0.10.158 (10.0.10.158).
220 (vsFTPd 2.2.2)
Name (10.0.10.158:root): vuser02       <-- log in as vuser02
331 Please specify the password.
Password:
230 Login successful.                  <-- login accepted
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir aa                          <-- may create directories
257 "/aa" created
ftp> ls
227 Entering Passive Mode (10,0,10,158,131,117).
150 Here comes the directory listing.
-rw-r--r--    1 0        0        104857600 Nov 30 06:48 100m_file
drwx------    2 503      503           4096 Nov 30 08:19 aa
drwxr-xr-x    2 0        0             4096 Nov 30 04:56 test
226 Directory send OK.
ftp> put /test.txt                     <-- may upload files
local: /test.txt remote: /test.txt
227 Entering Passive Mode (10,0,10,158,106,249).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (10,0,10,158,188,10).
150 Here comes the directory listing.
-rw-r--r--    1 0        0        104857600 Nov 30 06:48 100m_file
drwx------    2 503      503           4096 Nov 30 08:19 aa
drwxr-xr-x    2 503      503           4096 Nov 30 09:52 test
-rw-------    1 503      503              0 Nov 30 09:55 test.txt
226 Directory send OK.

Everything a virtual user creates is owned by uid 503 (virtftp): all three virtual users share that one local account, so the filesystem cannot tell them apart. The 700/600 modes come from anon_umask, whose default is 077; the local_umask=022 in the main configuration does not apply to guests.

(2) vuser01

# ftp 10.0.10.158
Connected to 10.0.10.158 (10.0.10.158).
220 (vsFTPd 2.2.2)
Name (10.0.10.158:root): vuser01       <-- log in as vuser01
331 Please specify the password.
Password:
230 Login successful.                  <-- login accepted
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put /test2.txt                    <-- may upload
local: /test2.txt remote: /test2.txt
227 Entering Passive Mode (10,0,10,158,94,158).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (10,0,10,158,208,4).
150 Here comes the directory listing.
-rw-r--r--    1 0        0        104857600 Nov 30 06:48 100m_file
drwx------    2 503      503           4096 Nov 30 08:19 aa
drwxr-xr-x    2 503      503           4096 Nov 30 09:52 test
-rw-------    1 503      503              0 Nov 30 09:55 test.txt
-rw-------    1 503      503              0 Nov 30 09:57 test2.txt
226 Directory send OK.
ftp> mkdir aa                          <-- may not create directories
550 Permission denied.

(3) vuser03

# ftp 10.0.10.158
Connected to 10.0.10.158 (10.0.10.158).
220 (vsFTPd 2.2.2)
Name (10.0.10.158:root): vuser03       <-- log in as vuser03
331 Please specify the password.
Password:
230 Login successful.                  <-- login accepted
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put test3.txt                     <-- may upload
local: test3.txt remote: test3.txt
227 Entering Passive Mode (10,0,10,158,89,248).
150 Ok to send data.
226 Transfer complete.
ftp> mkdir bb                          <-- may create directories
257 "/bb" created
ftp> rm bb                             <-- may remove directories (the ftp client expands the prefix "rm" to rmdir); but it seems to be able to delete only directories it created itself??
250 Remove directory operation successful.
ftp> delete test2.txt                  <-- may delete files
250 Delete operation successful.
ftp> delete test.txt
250 Delete operation successful.
ftp> get 100m_file
local: 100m_file remote: 100m_file
227 Entering Passive Mode (10,0,10,158,19,173).
150 Opening BINARY mode data connection for 100m_file (104857600 bytes).
226 Transfer complete.
104857600 bytes received in 21.6 secs (4856.31 kB/s)   <-- the download rate also matches the 5 MB/s setting

(4) An ordinary local user

# ftp 10.0.10.158
Connected to 10.0.10.158 (10.0.10.158).
220 (vsFTPd 2.2.2)
Name (10.0.10.158:root): user_00       <-- the local user user_00 is refused, before any password is requested
530 Permission denied.
Login failed.

Additional notes

1. All effective options of the configuration file used in the experiment

# cat /etc/vsftpd/vsftpd.conf | grep -v "^#" | grep -v "^$"
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_max_rate=2000000
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
guest_enable=YES
guest_username=virtftp
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/virt_dir
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
max_clients=10
max_per_ip=5
max_login_fails=3

Two things to notice in this list. write_enable=YES is required for any upload at all, including the virtual users', so it cannot be turned off; the virtual users' limits come entirely from the anon_* options in their per-user files, which override the global values for that login. anon_upload_enable=YES, however, is set globally here, and it applies to real anonymous sessions too: with this final configuration vsftpd no longer refuses an anonymous upload with "550 Permission denied" as it did in the requirement 1 test; the upload fails only because /var/ftp is owned by root and not writable by the ftp user (the response becomes "553 Could not create file"), and it would succeed in any directory the ftp user can write to. Setting anon_upload_enable=NO in the main file and YES only in the files under virt_dir makes the intended policy explicit instead of relying on directory permissions.
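Working out what a given login can actually do means merging vsftpd.conf with the file of that name under user_config_dir. The script below is an added example, not code from the original page or from vsftpd: it resolves the effective value of an option the way vsftpd's parser does (a per-user file overrides the main file, a later line in a file overrides an earlier one), and then checks the anonymous-upload pitfall described above. The sample configuration it constructs reproduces the page's final settings in a temporary directory; the login name used for anonymous sessions ("anonymous" below) and the small table of documented defaults are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or vsftpd: resolve the effective
# vsftpd setting for a login (per-user file under user_config_dir overrides
# vsftpd.conf; last assignment in a file wins) and flag the case where
# anon_upload_enable=YES set globally also applies to real anonymous sessions.

# vsftpd's documented defaults for the options this page uses (assumed table).
default_value() {   # $1=option
    case "$1" in
        anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable|write_enable) echo NO ;;
        anonymous_enable) echo YES ;;
        anon_max_rate) echo 0 ;;            # 0 means unlimited
        *) echo "" ;;
    esac
}

# Last non-comment "option=value" line wins, as in vsftpd's parser.
raw_value() {   # $1=file $2=option
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Normalise the boolean spellings vsftpd accepts (yes/true/1, no/false/0).
norm_bool() {   # $1=value
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) printf '%s\n' "$1" ;;
    esac
}

effective_value() {   # $1=vsftpd.conf $2=login name $3=option
    val=$(raw_value "$1" "$3")
    dir=$(raw_value "$1" user_config_dir)
    if [ -n "$dir" ] && [ -f "$dir/$2" ]; then   # per-user file named after the login
        uval=$(raw_value "$dir/$2" "$3")
        [ -n "$uval" ] && val=$uval
    fi
    [ -n "$val" ] || val=$(default_value "$3")
    norm_bool "$val"
}

# Exit 0 when vsftpd itself would allow an anonymous upload, i.e. only the
# directory permissions of the anonymous root stand in the way.
anon_upload_exposed() {   # $1=vsftpd.conf $2=anonymous login name (ftp|anonymous)
    [ "$(effective_value "$1" "$2" anonymous_enable)" = YES ] &&
    [ "$(effective_value "$1" "$2" write_enable)" = YES ] &&
    [ "$(effective_value "$1" "$2" anon_upload_enable)" = YES ]
}

# Constructed sample reproducing the page's final configuration; prints its directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/virt_dir"
    cat > "$d/vsftpd.conf" <<EOF
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_max_rate=2000000
guest_enable=YES
guest_username=virtftp
user_config_dir=$d/virt_dir
userlist_enable=YES
userlist_deny=NO
max_clients=10
max_per_ip=5
max_login_fails=3
EOF
    printf 'local_root=/myserver/ftproot\nanon_upload_enable=YES\nanon_max_rate=3000000\n' > "$d/virt_dir/vuser01"
    printf 'local_root=/myserver/ftproot\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_max_rate=4000000\n' > "$d/virt_dir/vuser02"
    printf 'local_root=/myserver/ftproot\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\nanon_max_rate=5000000\n' > "$d/virt_dir/vuser03"
    echo "$d"
}

# Usage: print what each login may do, then flag the anonymous pitfall.
report() {
    d=$(make_sample)
    for u in anonymous vuser01 vuser02 vuser03; do
        printf '%-10s rate=%-8s upload=%s mkdir=%s other_write=%s\n' "$u" \
            "$(effective_value "$d/vsftpd.conf" "$u" anon_max_rate)" \
            "$(effective_value "$d/vsftpd.conf" "$u" anon_upload_enable)" \
            "$(effective_value "$d/vsftpd.conf" "$u" anon_mkdir_write_enable)" \
            "$(effective_value "$d/vsftpd.conf" "$u" anon_other_write_enable)"
    done
    if anon_upload_exposed "$d/vsftpd.conf" anonymous; then
        echo "WARNING: anon_upload_enable=YES is global; anonymous upload is blocked only by /var/ftp permissions"
    fi
}
```

Point the functions at the real files (`effective_value /etc/vsftpd/vsftpd.conf vuser02 anon_other_write_enable`) to audit a live server; `report` runs them against the constructed sample. The resolver deliberately does not model vsftpd's 500 OOPS on unknown option names, so a misspelled option shows up as "absent, default applies" here while vsftpd would refuse the session.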

2. The errors encountered during the experiment are recorded separately, see:

[Vsftp Services]--ftp virtual users, permission settings, and other experiments
