Vsftpd: secure virtual user settings

Source: Internet
Author: User

When configuring virtual users, a database file has to be generated, but the db_load command was unavailable.
Cause: the CentOS system had no db_load command. I had not followed the installation process below completely, so one library was missing; the reason was that db4-utils was not installed. Depressing.
Run the following command to solve the problem:
yum -y install db4-utils
The entire installation and configuration process is as follows.
After working with vsftpd on CentOS for a while, you may run into problems with virtual users; here we introduce how to solve them. FTP needed to be configured on several servers at the school, but it had never been completed successfully. This time it was finally done: the vsftpd virtual user configuration on CentOS.
I. Installation
yum -y install vsftpd*
yum -y install pam*
yum -y install db4*
II. System accounts
1. Host user of the vsftpd service
useradd vsftpd -s /sbin/nologin
By default the vsftpd service runs as root, which does not meet security requirements. Here a user named vsftpd is created and used as the service host user that vsftpd runs as. Because this user exists only to support the vsftpd service, it does not need to log on to the system, so it is created as a user who cannot log on.
2. Virtual host user for vsftpd virtual users
useradd ftp -s /sbin/nologin (the ftp user is usually created already when the server package is installed)
This article is mainly about vsftpd virtual users. Virtual users are not system users; that is, these FTP users do not exist in the system, and all of their permissions are actually pinned on one real user in the system. The so-called vsftpd virtual host user is that system user supporting all virtual users. Because it backs all virtual FTP users, its own permissions affect every virtual user, so for security reasons its permissions must also be controlled carefully. This user never needs to log on to the system, so it too is created as a user who cannot log on.
Neither of these users is allowed to log on to the system.
III. vsftpd.conf settings
1. Backup
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak (on the CentOS package the file is usually /etc/vsftpd/vsftpd.conf)
anonymous_enable=NO
Disable anonymous access.
local_enable=YES
Allow local user access. Note: this mainly concerns the virtual users' host user; if this item is set to NO, no virtual user will be able to log in.
write_enable=YES
Allow write operations.
local_umask=022
Set the permission mask (umask) for uploaded files.
anon_upload_enable=NO
Prohibit uploads by anonymous users.
anon_mkdir_write_enable=NO
Prohibit anonymous users from creating directories.
dirmessage_enable=YES
Enable directory messages shown when entering a directory.
xferlog_enable=YES
Enable transfer logging.
connect_from_port_20=YES
Use port 20 for data connections.
chown_uploads=NO
Do not change the owner of uploaded files.
xferlog_file=/var/log/vsftpd.log
Set the path of the vsftpd service log. Note: this file does not exist by default and must be created manually with touch, and because the service host user has been changed to the manually created vsftpd user, that user must be given write permission on the log file, otherwise the service will fail to start.
xferlog_std_format=YES
Use the standard log format.
nopriv_user=vsftpd
Set the host user that the vsftpd service runs as to the manually created vsftpd user. Note: once the service user is changed, pay attention to the read/write permissions of every file the service touches; for example, the log file must be writable by this user.
async_abor_enable=YES
Enable handling of asynchronous ABOR (abort) requests.
ascii_upload_enable=YES
ascii_download_enable=YES
Allow uploads and downloads in ASCII mode (vsftpd's own documentation warns that ASCII mode permits a denial-of-service risk via SIZE on large files, so enable it only if clients need it).
ftpd_banner=Welcome to Awei FTP servers
Set the vsftpd login banner.
chroot_local_user=YES
Confine local users to their FTP home directories so they cannot leave them.
pam_service_name=vsftpd
Set the name of the PAM service configuration used by vsftpd; PAM authentication therefore refers to the file vsftpd under /etc/pam.d.
The following items are the important configuration for vsftpd virtual user support. By default vsftpd.conf does not contain them, so they must be added manually.
guest_enable=YES
Enable the virtual user function.
guest_username=ftp
Specify the host user that virtual users are mapped to.
virtual_use_local_privs=YES
Give virtual users the same privileges as their host (local) user.
user_config_dir=/etc/vsftpd/vconf
Set the directory holding the per-user vsftpd configuration files of the virtual users; that is, the specified directory stores a separate configuration file for each virtual user.
Specifically, each of these configuration file names must be identical to the virtual user name. (For example, if you copy vsftpd.conf into this directory as a template, you must mv it so that its name is the virtual user's name.)
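A shell script, added here as an example and not part of the original article, that audits a vsftpd.conf for the settings listed above; the sample configuration files it checks are constructed inline, and its parsing rule (exact key=value with no whitespace around '=') follows vsftpd's own config parser.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for the
# settings this page relies on. vsftpd's parser accepts only "key=value" with
# no whitespace around '=', and the last uncommented assignment of a key wins.

# settings the article treats as mandatory for a chrooted virtual-user setup
EXPECTED='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
guest_enable=YES
guest_username=ftp
virtual_use_local_privs=YES
nopriv_user=vsftpd
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vconf'

# audit_vsftpd_conf FILE -> prints one line per problem, returns the problem count
audit_vsftpd_conf() {
    conf="$1"; problems=0
    # a line such as "anonymous_enable = NO" is a fatal config error for vsftpd
    if grep -Eq '^[^#]*([[:space:]]=|=[[:space:]])' "$conf"; then
        echo "MALFORMED: whitespace around '=' in $conf"; problems=$((problems + 1))
    fi
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(grep "^$key=" "$conf" | tail -n 1 | cut -d= -f2-)
        if [ -z "$got" ]; then
            echo "MISSING: $key (expected $want)"; problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG: $key=$got (expected $want)"; problems=$((problems + 1))
        fi
    done
    return $problems
}

# constructed sample files (not real server configs) so the audit runs offline
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf '%s\n' '# hardened main config' "$EXPECTED" 'xferlog_enable=YES' > "$GOOD_CONF"
# anonymous access left on, a malformed chroot line, guest_enable never set
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' \
    'chroot_local_user = YES' 'anon_upload_enable=NO' 'anon_mkdir_write_enable=NO' \
    'guest_username=ftp' 'virtual_use_local_privs=YES' 'nopriv_user=vsftpd' \
    'pam_service_name=vsftpd' 'user_config_dir=/etc/vsftpd/vconf' > "$BAD_CONF"

audit_vsftpd_conf "$BAD_CONF" || echo "$? problem(s) found"
```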
3. Create the vsftpd log file and change its owner to the vsftpd service host user:
[root@KcentOS5 ~]# touch /var/log/vsftpd.log
[root@KcentOS5 ~]# chown vsftpd:vsftpd /var/log/vsftpd.log
4. Create the directory holding the per-user configuration files of the vsftpd virtual users:
[root@KcentOS5 ~]# mkdir /etc/vsftpd/vconf/
IV. Create the vsftpd virtual user database file
1. First create the virtual user list file:
[root@KcentOS5 ~]# touch /etc/vsftpd/virtusers
This creates the virtual user list file, a data file holding the user names and passwords of the vsftpd virtual users. Here it is named virtusers and, to avoid file confusion, placed under /etc/vsftpd.
2. Edit the virtual user list file:
[root@KcentOS5 ~]# vi /etc/vsftpd/virtusers
download
1234
upload
5678
admin
9012
Edit the virtual user list file and add the user names and passwords. The format is simple: one line with the user name, the next line with that user's password.
3. Generate the virtual user database file:
[root@KcentOS5 ~]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
V. Set up the PAM authentication file and point it at the virtual user database
Add the following two lines at the top of /etc/pam.d/vsftpd (the db= path is given without the .db suffix, which pam_userdb appends itself):
auth sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
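For the list-and-database procedure above, an added example that is not part of the original article: a shell script that checks the virtusers list for mis-paired lines, duplicate or odd user names, weak passwords and (given the user_config_dir) users lacking a per-user file, and only then runs the db_load command from step 3; the sample list it checks is constructed inline, and the build function is skipped where db_load is not installed.

```shell
#!/bin/sh
# Added example (not from the original article): validate the virtusers list
# before db_load builds the hash database from it. db_load -T -t hash pairs
# lines as key/value, so a stray blank or odd line silently mis-pairs users.

# check_virtusers LIST [VCONF_DIR] -> prints one line per problem, returns the count
check_virtusers() {
    list="$1"; vconf="${2:-}"; problems=0; n=0; seen=" "; user=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        if [ $((n % 2)) -eq 1 ]; then
            user=$line
            # restrict names to plain characters; a duplicate key overwrites the earlier one
            case "$user" in
                *[!A-Za-z0-9_.-]*) echo "BAD NAME: $user"; problems=$((problems + 1)) ;;
            esac
            case "$seen" in
                *" $user "*) echo "DUPLICATE: $user"; problems=$((problems + 1)) ;;
            esac
            seen="$seen$user "
            # a user with no file in user_config_dir silently gets the main config
            if [ -n "$vconf" ] && [ ! -f "$vconf/$user" ]; then
                echo "NO PER-USER CONFIG: $vconf/$user"; problems=$((problems + 1))
            fi
        elif [ ${#line} -lt 8 ]; then
            # four-digit passwords like the article's samples are trivially guessable
            echo "WEAK PASSWORD: $user"; problems=$((problems + 1))
        fi
    done <<EOF
$(grep -Ev '^[[:space:]]*#' "$list" || true)
EOF
    # an odd number of entries leaves the last user without a password
    [ $((n % 2)) -eq 0 ] || { echo "ODD LINE COUNT: $list"; problems=$((problems + 1)); }
    return $problems
}

# build_virtusers_db LIST DB -> runs the article's db_load only when the list is clean
build_virtusers_db() {
    check_virtusers "$1" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load missing: yum -y install db4-utils"; return 1; }
    db_load -T -t hash -f "$1" "$2" || return 1
    chmod 600 "$1" "$2"   # both files hold clear-text passwords; root only
}

# constructed sample list (not a real server file), same users as the article
SAMPLE=$(mktemp)
printf '%s\n' download 1234 upload 5678 admin 9012 > "$SAMPLE"
check_virtusers "$SAMPLE" || echo "$? problem(s) in $SAMPLE"
```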
VI. vsftpd virtual user configuration
local_root=/var/www/html
Specifies the root (home) directory of the virtual user.
anonymous_enable=NO
Anonymous users are not allowed to access.
write_enable=YES
Allow write operations.
local_umask=022
Set the permission mask (umask) for uploaded files.
anon_upload_enable=NO
Anonymous users are not allowed to upload files.
anon_mkdir_write_enable=NO
Anonymous users are not allowed to create directories.
idle_session_timeout=600
Set the idle session timeout, in seconds.
data_connection_timeout=120
Set the data connection timeout, in seconds: a transfer that makes no progress for this long is aborted.
max_clients=10
Set the maximum number of concurrent clients.
max_per_ip=5
Set the maximum number of connections from a single client IP. This mainly accommodates multi-threaded download tools such as FlashGet and Thunder.
local_max_rate=50000
Set the user's maximum transfer rate, in bytes per second.
Here the original vsftpd.conf is cut down and saved as a template for the virtual user configuration files. There is no need to specify much here: the main framework and restrictions are left to the main configuration file vsftpd.conf, that is, any item not mentioned in a virtual user's file falls back to the setting in the main configuration. As a template, the virtual user configuration file only needs to keep the traffic control and access control items. The key item is local_root, which specifies the FTP root directory of the vsftpd virtual user. The main pitfall here is that the owner of that directory is not the virtual users' host user: after setting the directory, users can only download from it but cannot upload to it. If you want to allow uploads, you must change the owner with the chown command (chown -R ftp:ftp /opt/vsftpd).
Finally, deploy it on the production server. Congratulations!
Vsftpd is finished.
