VSFTP+SSL Login Settings under centos6.5

Source: Internet
Author: User
Tags: directory, create, hosting, ssl, certificate

Recently a client needed an FTP service protected by an SSL certificate. The steps are organized below.



1. Install the required software

    yum install httpd -y
    yum install vsftpd* -y
    yum install pam* -y
    yum install mod_ssl* -y


3. Create the vsftpd service host user

    useradd vsftpd -s /sbin/nologin


4. Create the host user for the vsftpd virtual users

    useradd virtusers -s /sbin/nologin


5. vsftpd configuration

1) Edit the vsftpd.conf configuration file

    cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak    # back up the configuration file
    vi /etc/vsftpd/vsftpd.conf                                # open the vsftpd configuration file

    # Do not allow anonymous access.
    anonymous_enable=no
    # Local users may log in. Note: this mainly serves the virtual users; if it is set to no, none of the virtual users can log in.
    local_enable=yes
    # Allow writes (uploads).
    write_enable=yes
    # Permission mask applied to uploaded files.
    local_umask=022
    # Anonymous users may not upload.
    anon_upload_enable=no
    # Anonymous users may not create directories.
    anon_mkdir_write_enable=no
    # Enable per-directory messages.
    dirmessage_enable=yes
    # Enable transfer logging.
    xferlog_enable=yes
    # Use port 20 for data connections.
    connect_from_port_20=yes
    # Do not change the owner of uploaded files.
    chown_uploads=no
    #chown_username=whoever
    #xferlog_file=/var/log/xferlog
    # Log in the standard xferlog format.
    xferlog_std_format=yes
    # Idle connection timeout in seconds. A per-user value can be given in each user's config file; if none is given, the value here applies (the default is 600 seconds).
    idle_session_timeout=1200
    # Maximum duration of a single data transfer in seconds. A per-user value can be given in each user's config file; if none is given, the value here applies (the default is 120 seconds).
    data_connection_timeout=7200
    # The unprivileged host user of the vsftpd service, i.e. the vsftpd user created above. Note that once you change this user you must check the read and write permissions of every file the service touches; the log file, for example, must be writable by that user.
    nopriv_user=vsftpd
    # Support asynchronous ABOR.
    async_abor_enable=yes
    # Support ASCII-mode uploads.
    ascii_upload_enable=yes
    # Support ASCII-mode downloads.
    ascii_download_enable=yes
    # The login banner shown by vsftpd.
    ftpd_banner=welcome to airmate ftp service.
    #deny_email_enable=yes
    #banned_email_file=/etc/vsftpd/banned_emails
    # Forbid "ls -R" after login. The command is expensive for the server; if it is allowed, several users running it at the same time can threaten the server.
    ls_recurse_enable=no
    #ls_recurse_enable=yes
    chroot_local_user=yes
    chroot_list_enable=no
    listen=yes
    #listen_ipv6=yes
    # Name of the PAM service file vsftpd uses for authentication.
    pam_service_name=vsftpd
    userlist_enable=yes
    tcp_wrappers=yes
    userlist_deny=yes
    #userlist_file=/etc/vsftpd/chroot_list
    guest_enable=yes
    # The host user that virtual users are mapped to.
    guest_username=virtusers
    virtual_use_local_privs=yes
    # Directory holding the per-virtual-user config files.
    user_config_dir=/etc/vsftpd/virtualuser_conf
    local_root=/
    # Enable SSL.
    ssl_enable=yes
    # File holding the SSL certificate.
    rsa_cert_file=/etc/vsftpd/vsftpd1.pem
    # Enable all three protocol versions.
    ssl_sslv2=yes
    ssl_sslv3=yes
    ssl_tlsv1=yes
    syslog_enable=yes
    # Enable PASV mode.
    pasv_enable=yes
    # Highest port used for PASV data connections.
    pasv_max_port=30010
    # Lowest port used for PASV data connections.
    pasv_min_port=30000
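An added configuration check, not part of the original post: this POSIX sh script reads a vsftpd.conf and flags the settings above that a defender would revisit, in particular ssl_sslv2 and ssl_sslv3, which are obsolete protocols and should be set to no while ssl_tlsv1 stays on. It assumes awk and tr are available; the sample config is constructed inline.

```shell
# Added example: audit the SSL, access and PASV settings of a vsftpd.conf.
# Effective, lower-cased value of KEY in FILE (last non-comment assignment wins).
vsftpd_opt() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        END { print v }' "$1" | tr 'A-Z' 'a-z'
}

# Print one line per finding; the return value is the number of findings.
vsftpd_audit() {
    f="$1"; n=0
    if [ "$(vsftpd_opt "$f" ssl_enable)" != yes ]; then
        echo "ssl_enable is not yes: passwords and data travel in clear text"; n=$((n+1))
    fi
    # SSLv2 and SSLv3 are obsolete and broken; only ssl_tlsv1 should stay enabled.
    for p in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_opt "$f" "$p")" = yes ]; then
            echo "$p=yes: obsolete protocol, set it to no"; n=$((n+1))
        fi
    done
    if [ "$(vsftpd_opt "$f" anonymous_enable)" != no ]; then
        echo "anonymous_enable is not no"; n=$((n+1))
    fi
    if [ "$(vsftpd_opt "$f" chroot_local_user)" != yes ]; then
        echo "chroot_local_user is not yes: users can browse outside local_root"; n=$((n+1))
    fi
    # A fixed PASV range is what the firewall step has to open; without one it cannot be opened precisely.
    lo=$(vsftpd_opt "$f" pasv_min_port); hi=$(vsftpd_opt "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port do not form a usable range"; n=$((n+1))
    fi
    return $n
}

# Constructed sample: the post's SSL block with SSLv2 and SSLv3 left enabled.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
pasv_min_port=30000
pasv_max_port=30010
EOF
vsftpd_audit "$SAMPLE_CONF" || echo "findings: $?"   # prints 2 findings: ssl_sslv2 and ssl_sslv3
```

Run it against /etc/vsftpd/vsftpd.conf instead of the sample file to check the real configuration.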



2) Create the directory that holds the per-virtual-user config files

    mkdir /etc/vsftpd/virtualuser_conf


Configure virtual users

For example, to add a user named Tang, which the FTP client will use (once its password is set) for uploading and downloading, create a new file called Tang in /etc/vsftpd/virtualuser_conf (touch Tang) with the following contents:

    local_root=/home/ftpfile
    write_enable=yes
    anon_umask=022
    anon_world_readable_only=no
    anon_upload_enable=yes
    anon_mkdir_write_enable=yes
    anon_other_write_enable=yes
    pam_service_name=vsftpd
    chroot_local_user=yes


Parameter description:

    local_root=/home/ftpuser   # root directory for this virtual user's uploads and downloads
    write_enable=yes           # writable (uploads allowed)
    anon_umask=022             # permission mask

Next, in the /etc/vsftpd/ directory, create a text file that records the user name and password of every client (virtual) user:

    touch virtualuser_passwd.txt


The contents are as follows:

    Tang
    Passwd1
    Tony
    Passwd2

User names and passwords alternate: one line holds the user name, the next line its password.

Next, generate the DB file used for virtual user authentication:

    db_load -T -t hash -f /etc/vsftpd/virtualuser_passwd.txt /etc/vsftpd/virtualuser_passwd.db




Then edit the PAM authentication file /etc/pam.d/vsftpd: comment out all of the original lines and add the following two:

    auth    required /lib64/security/pam_userdb.so db=/etc/vsftpd/virtualuser_passwd
    account required /lib64/security/pam_userdb.so db=/etc/vsftpd/virtualuser_passwd
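An added provisioning script, not part of the original post, that ties the two steps above together: it validates the alternating user/password list, writes a per-user config file like the Tang file for every user, and builds the DB that pam_userdb reads. It assumes POSIX sh and awk; db_load is only used when present, and the list and DB are restricted to root because the text file holds clear-text passwords. The sample list is constructed inline.

```shell
# Added example: provision vsftpd virtual users from the user/password list.
# Succeed only if LIST has an even, non-zero number of lines, each a single word.
vuser_check_list() {
    awk 'NF != 1 { bad = 1 } END { exit (bad || NR == 0 || NR % 2) ? 1 : 0 }' "$1"
}

# Print the user names, i.e. the odd-numbered lines of LIST.
vuser_names() {
    awk 'NR % 2 == 1' "$1"
}

# Write one file per user into CONF_DIR (the user_config_dir of vsftpd.conf) with
# the settings the post gives for Tang, using ROOT as local_root.
vuser_write_confs() {
    list="$1"; dir="$2"; root="$3"
    mkdir -p "$dir"
    for u in $(vuser_names "$list"); do
        cat > "$dir/$u" <<EOF
local_root=$root
write_enable=yes
anon_umask=022
anon_world_readable_only=no
anon_upload_enable=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
EOF
    done
}

# Build the Berkeley DB that pam_userdb reads. The text list holds clear-text
# passwords, so both files are restricted to their owner (root) first.
vuser_build_db() {
    list="$1"; db="${list%.txt}.db"
    chmod 600 "$list"
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not found; install the Berkeley DB utilities (db4-utils on CentOS 6)" >&2; return 2
    fi
    db_load -T -t hash -f "$list" "$db" && chmod 600 "$db"
}

# Constructed sample list in a scratch directory.
TMP=$(mktemp -d)
printf 'Tang\nPasswd1\nTony\nPasswd2\n' > "$TMP/virtualuser_passwd.txt"
vuser_check_list "$TMP/virtualuser_passwd.txt" &&
    vuser_write_confs "$TMP/virtualuser_passwd.txt" "$TMP/virtualuser_conf" /home/ftpfile
```

On the real host call vuser_build_db /etc/vsftpd/virtualuser_passwd.txt as root after the check passes, which produces /etc/vsftpd/virtualuser_passwd.db as in the db_load step above.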


3) Set up the FTP user file storage location

    1. mkdir /home/ftpfile/
    2. chown -R virtusers.virtusers /home/ftpfile
    3. chmod u=rwx /home/ftpfile

3) Turn off SELinux to simplify configuration

If SELinux is installed but not configured, it is recommended to turn it off. To do so, set the following in /etc/selinux/config:

    SELINUX=disabled    # takes effect after a reboot

7. Configure SSL encryption: change into the /etc/vsftpd/ directory and run the following command to generate the certificate

    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -subj "/C=cn/ST=gd/L=sz/O=lvzunhai/CN=lvzunhai" -keyout /etc/vsftpd/vsftpd1.pem -out /etc/vsftpd/vsftpd1.pem

8. Open the ports used by vsftpd on the firewall


