1. Vsftpd service program

vsftpd (very secure FTP daemon) is an FTP service program that runs on the Linux operating system; it is fully open source and free. The "secure" in its name refers to its security-focused design (small code base, privilege separation between a root helper and an unprivileged worker), not to encryption: plain FTP sends user names, passwords and file contents across the network in cleartext. vsftpd can wrap sessions in TLS (ssl_enable=YES together with a certificate), but the experiments below use plain FTP and therefore belong on a trusted lab network.
Directory of the vsftpd service program after login

Login mode        Default directory
Anonymous open    /var/ftp
Local user        The user's home directory
Virtual user      The home directory of the mapped system user
vsftpd allows users to log in to the FTP server in three authentication modes.

Anonymous open mode: the least secure mode. Anyone can log in to the FTP server without password authentication (any password, or none, is accepted for the anonymous account).

Local user mode: authentication against the local account and password information of the Linux system, through PAM. Compared with the anonymous open mode it is more secure and easy to configure. However, an attacker who obtains or guesses an account's password logs in as that system user; since the same credentials usually also work for SSH, and the user is not confined to the FTP directory unless chroot_local_user=YES, this can lead to control of the whole server. Over plain FTP the password itself also crosses the network in cleartext.

Virtual user mode: the more secure authentication mode. A separate user database file is created for the FTP service, holding account information that exists only for FTP authentication and not as system accounts. Even if an attacker cracks one of these credentials, it cannot be used to log in to the server itself, only to FTP as the mapped low-privilege system user, which effectively reduces the scope and impact of a compromise.
Common parameters of the vsftpd service program and their functions

parameter                          effect
listen=[YES|NO]                    Run as a standalone daemon listening on IPv4
listen_address=IP address          IP address to listen on
listen_port=21                     Listening port of the FTP service
download_enable=[YES|NO]           Allow file download
userlist_enable=[YES|NO]           Enable the user_list file
userlist_deny=[YES|NO]             Whether user_list is a deny list (YES) or an allow list (NO)
max_clients=0                      Maximum number of client connections; 0 is unlimited
max_per_ip=0                       Maximum number of connections from one IP address; 0 is unlimited
anonymous_enable=[YES|NO]          Allow anonymous user access
anon_upload_enable=[YES|NO]        Allow anonymous users to upload files
anon_umask=022                     umask applied to files uploaded by anonymous users
anon_root=/var/ftp                 FTP root directory for anonymous users
anon_mkdir_write_enable=[YES|NO]   Allow anonymous users to create directories
anon_other_write_enable=[YES|NO]   Grant anonymous users other write permissions (rename, delete and similar operations)
anon_max_rate=0                    Maximum transfer rate for anonymous users (bytes/second); 0 is unlimited
local_enable=[YES|NO]              Allow local users to log in to FTP
local_umask=022                    umask applied to files uploaded by local users
local_root=/var/ftp                FTP root directory for local users
chroot_local_user=[YES|NO]         Confine (chroot) local users to their FTP directory for security
local_max_rate=0                   Maximum transfer rate for local users (bytes/second); 0 is unlimited
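To make the parameter table actionable, here is an added example (not from the original page) that audits a vsftpd.conf against the settings discussed above and reports the ones that weaken the three login modes: anonymous access and anonymous writes, local users left outside a chroot, password logins without ssl_enable, a writable chroot root, and a user_list that acts only as a deny list. Directive names and their defaults are vsftpd's own as documented in vsftpd.conf(5); the three sample configurations the script writes are constructed for the demo ("anon" and "weak" mirror the page's anonymous and local-user configurations, "hardened" is the corrected form).

```shell
#!/bin/sh
# Added example, not part of the original page: audit a vsftpd.conf for the
# risky settings discussed in the parameter table and the three login modes.
# Directive names and defaults are vsftpd's own (man 5 vsftpd.conf); the
# sample configs written by write_sample_conf are constructed for this demo.

# Effective value of a directive: the last uncommented assignment in the file
# wins; if the directive is absent, vsftpd's compiled-in default ($3) applies.
# Values are upper-cased because vsftpd accepts YES/yes interchangeably.
vsftpd_opt() {
    val=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- \
          | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one line per finding and finish with "findings: N" (N = WARN count).
vsftpd_audit() {
    f=$1; n=0
    if [ "$(vsftpd_opt "$f" anonymous_enable YES)" = YES ]; then
        echo "WARN anonymous_enable=YES: logins accepted without a password"
        n=$((n + 1))
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_opt "$f" "$k" NO)" = YES ]; then
                echo "WARN $k=YES: anonymous clients can write to the share"
                n=$((n + 1))
                break
            fi
        done
    fi
    auth=no
    if [ "$(vsftpd_opt "$f" local_enable NO)" = YES ]; then auth=yes; fi
    if [ "$(vsftpd_opt "$f" guest_enable NO)" = YES ]; then auth=yes; fi
    if [ "$auth" = yes ] && [ "$(vsftpd_opt "$f" ssl_enable NO)" != YES ]; then
        echo "WARN ssl_enable=NO: passwords cross the network in cleartext"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_opt "$f" local_enable NO)" = YES ] && \
       [ "$(vsftpd_opt "$f" chroot_local_user NO)" != YES ]; then
        echo "WARN chroot_local_user=NO: local users can browse the whole filesystem"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_opt "$f" allow_writeable_chroot NO)" = YES ]; then
        echo "WARN allow_writeable_chroot=YES: the chroot root is writable by the user"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_opt "$f" userlist_enable NO)" = YES ] && \
       [ "$(vsftpd_opt "$f" userlist_deny YES)" = YES ]; then
        echo "INFO userlist_deny=YES: user_list is a deny list, not an allow list"
    fi
    echo "findings: $n"
}

# WARN count only, for use in scripts.
vsftpd_audit_count() {
    vsftpd_audit "$1" | sed -n 's/^findings: //p'
}

# Constructed sample configs: "anon" is the page's anonymous setup on top of the
# stock local_enable=YES, "weak" the page's local-user setup, "hardened" the fix.
write_sample_conf() {
    case $1 in
    anon)
        printf '%s\n' 'anonymous_enable=YES' 'anon_umask=022' 'anon_upload_enable=YES' \
            'anon_mkdir_write_enable=YES' 'anon_other_write_enable=YES' \
            'local_enable=YES' > "$2" ;;
    weak)
        printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
            'local_umask=022' 'userlist_enable=YES' 'userlist_deny=YES' > "$2" ;;
    hardened)
        printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
            'chroot_local_user=YES' 'ssl_enable=YES' 'userlist_enable=YES' \
            'userlist_deny=NO' '# anonymous_enable=YES' > "$2" ;;
    esac
}

# Demo run over the three constructed configs.
sample=$(mktemp)
for profile in anon weak hardened; do
    write_sample_conf "$profile" "$sample"
    echo "== $profile =="
    vsftpd_audit "$sample"
done
rm -f "$sample"
```

Against a live server, run vsftpd_audit /etc/vsftpd/vsftpd.conf; the "weak" profile produces two warnings (no chroot, no TLS), the "anon" profile four, and the "hardened" profile none. The commented-out directive in the hardened sample shows that only uncommented assignments count.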
1. Install the vsftpd service on the server

dnf install -y vsftpd

2. Add the FTP service to the allow list of the firewalld service (the ftp service definition also loads the FTP connection-tracking helper, which passive-mode data connections need)

firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload

3. Install the FTP client on the client machine

dnf install -y ftp
Experiment 2: anonymous open mode
Open permission parameters for anonymous users and their functions

parameter                      effect
anonymous_enable=YES           Allow anonymous access mode
anon_umask=022                 umask applied to files uploaded by anonymous users
anon_upload_enable=YES         Allow anonymous users to upload files
anon_mkdir_write_enable=YES    Allow anonymous users to create directories
anon_other_write_enable=YES    Allow anonymous users to rename or delete directories
1. Modify the configuration file

vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

2. Restart the service

systemctl restart vsftpd
systemctl enable vsftpd
3. Set the SELinux boolean

getsebool -a | grep ftp
setsebool -P ftpd_full_access=on

ftpd_full_access is the broadest switch: it lets vsftpd read and write anywhere the logged-in user can. For anonymous uploads alone the narrower ftpd_anon_write boolean is sufficient. If mkdir still fails with "550 Create directory operation failed", the target directory must be writable by the ftp system user (for example chown ftp /var/ftp/pub); make that subdirectory writable, not /var/ftp itself.
4. Test creating, renaming and deleting directories

ftp 192.168.0.10
Connected to 192.168.0.10 (192.168.0.10).
220 (vsFTPd 3.0.3)
Name (192.168.0.10:root): anonymous
331 Please specify the password.
Password:                      (press Enter)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
257 "/pub/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.
Experiment 4: local user mode
Permission parameters used by local user mode and their functions

parameter              effect
anonymous_enable=NO    Disable anonymous access mode
local_enable=YES       Allow local user mode
write_enable=YES       Allow write operations (upload, mkdir, rename, delete)
local_umask=022        umask applied to files created by local users
userlist_enable=YES    Enable the user_list file
userlist_deny=YES      Treat user_list as a deny list. (The separate ftpusers file is enforced by the pam_listfile line in /etc/pam.d/vsftpd, not by this parameter, and always denies the users it names.)
1. Modify the configuration file

vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

2. Restart the service

systemctl restart vsftpd
systemctl enable vsftpd
3. Modify the user lists

vim /etc/vsftpd/user_list
vim /etc/vsftpd/ftpusers

Delete the root entry from both files. (Lab only: root then logs in over cleartext FTP, which exposes the root password to anyone on the network path. On a production server keep root in both files.)

Note: user_list is a deny list only because userlist_deny=YES. If userlist_deny is set to NO in the main configuration file, user_list becomes a mandatory allow list: only the users named in it may log in. ftpusers is enforced separately by PAM and remains a deny list regardless.
4. Set the SELinux boolean

getsebool -a | grep ftp
setsebool -P ftpd_full_access=on
5. Test creating, renaming and deleting directories

ftp 192.168.0.10
Connected to 192.168.0.10 (192.168.0.10).
220 (vsFTPd 3.0.3)
Name (192.168.0.10:root): root
331 Please specify the password.
Password:                      (enter the user's password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/root/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.

The directory is created under /root because, without chroot_local_user=YES, a local user lands in its home directory and can move anywhere its Unix permissions allow.
Experiment 5: virtual user mode
Parameters used for authentication through a PAM file and their functions

parameter                     effect
anonymous_enable=NO           Disable anonymous open mode
local_enable=YES              Allow local user mode (required: virtual users are non-anonymous logins mapped to guest_username)
guest_enable=YES              Enable virtual user mode
guest_username=virtual        System account that virtual users are mapped to
pam_service_name=vsftpd.vu    Name of the PAM service file under /etc/pam.d to authenticate against
allow_writeable_chroot=YES    Allow the chroot root directory to be writable; without it vsftpd rejects the login when the root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()")
1. Create the user database file for FTP authentication. Odd lines are account names, even lines are the passwords. For example, create two users, zhangsan and lisi, both with the password redhat:

cd /etc/vsftpd/
vim vuser.list
zhangsan
redhat
lisi
redhat

Use db_load to convert the plaintext list into a Berkeley DB file, tighten the permissions of the database file so nobody else can read it, then delete the plaintext list. Note that "hash" here is the database access method (-t hash), not a password hash: vuser.db stores the passwords in cleartext, which is why it must be readable by root only. (pam_userdb can verify crypt(3) hashes instead if its PAM line is given crypt=crypt and the database is populated with hashed values.) Creating vuser.list under umask 077 avoids the short window in which it is world-readable.

db_load -T -t hash -f vuser.list vuser.db
chmod 600 vuser.db
rm -f vuser.list
2. Create the system local user that virtual users are mapped to, and the root directory where the vsftpd service stores their files

useradd -d /var/ftproot -s /sbin/nologin virtual
chmod -Rf 755 /var/ftproot/
3. Create the PAM (pluggable authentication module) file that supports virtual users

vim /etc/pam.d/vsftpd.vu
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
4. In the main configuration file of the vsftpd service program, point the pam_service_name parameter at the new PAM file vsftpd.vu

vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
pam_service_name=vsftpd.vu
5. Set different permissions for the virtual users

mkdir /etc/vsftpd/vusers_dir/
cd /etc/vsftpd/vusers_dir/
touch lisi
vim zhangsan
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Each file is named after the login user. lisi gets an empty file and therefore only the read-only behaviour of the main configuration; zhangsan is granted the anon_* write switches, which vsftpd applies to virtual (guest) logins as well.

Modify the vsftpd main configuration file again, adding the user_config_dir parameter to define the directory that holds the configuration files of the two virtual users with different permissions:

vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_dir
Restart the vsftpd service

systemctl restart vsftpd
systemctl enable vsftpd

6. Set the SELinux boolean

getsebool -a | grep ftp
setsebool -P ftpd_full_access=on
7. Log in to FTP as zhangsan and lisi respectively to test

ftp 192.168.0.10
Connected to 192.168.0.10 (192.168.0.10).
220 (vsFTPd 3.0.3)
Name (192.168.0.10:root): lisi
331 Please specify the password.
Password:                      (enter the virtual user's password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
550 Permission denied.
ftp> exit
221 Goodbye.

ftp 192.168.0.10
Connected to 192.168.0.10 (192.168.0.10).
220 (vsFTPd 3.0.3)
Name (192.168.0.10:root): zhangsan
331 Please specify the password.
Password:                      (enter the virtual user's password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
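Step 1 of this experiment creates vuser.list by hand and only tightens permissions after db_load has run; step 5 creates the per-user files one by one. The following added example (not the page's own commands) scripts that provisioning: it converts "name:password:rw|ro" lines into the alternating name/password layout that db_load -T expects, creates the plaintext intermediate under umask 077 so it is never world-readable, writes the matching per-user files for user_config_dir (empty for read-only accounts, the three anon_* write switches for writers), and calls db_load only if the Berkeley DB utilities are installed. The input file and account names are constructed for the demo; the passwords remain cleartext inside vuser.db exactly as in the walkthrough, so the chmod 600 still matters.

```shell
#!/bin/sh
# Added example, not from the original page: provision vsftpd virtual users from
# "name:password:mode" lines (mode is rw or ro). Assumes the Berkeley DB
# utilities (db_load) for the final step; everything else is POSIX sh.
# Passwords must not contain ':'; they are stored in cleartext in vuser.db.

# Convert "name:password" lines on stdin into the alternating name/password
# lines that db_load -T reads. Blank lines and '#' comments are skipped.
vuser_pairs_to_list() {
    while IFS=: read -r name pass; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s\n%s\n' "$name" "$pass"
    done
}

# Per-user override file for user_config_dir: a writer (rw) gets the anon_*
# write switches, anything else gets an empty file, i.e. read-only.
vuser_write_profile() {
    case "$3" in
    rw) printf '%s\n' 'anon_upload_enable=YES' 'anon_mkdir_write_enable=YES' \
            'anon_other_write_enable=YES' > "$1/$2" ;;
    *)  : > "$1/$2" ;;
    esac
}

# Build <outdir>/vuser.db and <outdir>/vusers_dir/<name> from a pairs file.
vuser_provision() {
    pairs=$1; outdir=$2
    mkdir -p "$outdir/vusers_dir"
    (
        umask 077                       # plaintext list is private from the start
        list=$(mktemp)
        cut -d: -f1,2 "$pairs" | vuser_pairs_to_list > "$list"
        if command -v db_load >/dev/null 2>&1; then
            db_load -T -t hash -f "$list" "$outdir/vuser.db" && chmod 600 "$outdir/vuser.db"
        else
            echo "db_load not found; install the Berkeley DB utilities to build vuser.db" >&2
        fi
        rm -f "$list"                   # never leave the cleartext list behind
    )
    while IFS=: read -r name pw mode; do
        case "$name" in ''|'#'*) continue ;; esac
        vuser_write_profile "$outdir/vusers_dir" "$name" "$mode"
    done < "$pairs"
}

# Demo on a constructed account list: zhangsan may write, lisi is read-only.
demo=$(mktemp -d)
printf '%s\n' '# name:password:mode' 'zhangsan:redhat:rw' 'lisi:redhat:ro' > "$demo/vusers.txt"
vuser_provision "$demo/vusers.txt" "$demo"
ls -l "$demo/vusers_dir"
cat "$demo/vusers_dir/zhangsan"
rm -rf "$demo"
```

On the server, run vuser_provision with /etc/vsftpd as the output directory so that vuser.db and vusers_dir land where the PAM file and user_config_dir above expect them; the account list itself should be kept outside the web of world-readable files or deleted afterwards, since it holds the cleartext passwords.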