Installing and configuring vsftpd (with virtual users) on CentOS 7.3

Keywords: vsftpd firewall ftp iptables


1. Configure the firewall and open the ports required by the FTP service

  1. Stop and disable firewalld (this guide replaces it with iptables-services; between this step and loading the iptables rules below the host has no packet filter, so do it from a console or a trusted network)
#Stop firewall
[root@localhost ~]# systemctl stop firewalld.service

#Disable startup of firewall
[root@localhost ~]# systemctl disable firewalld.service
  2. Install the iptables service and write the rule set
#install
[root@localhost ~]# yum install iptables-services

#Edit the iptables rule file (the rules below accept SSH, the FTP control port and the passive-mode data range, and reject all other inbound traffic)
[root@localhost ~]# vi /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10060:10090 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
:wq! #Save exit

#Finally restart the firewall to make the configuration effective
[root@localhost ~]# systemctl restart iptables.service

#Set firewall startup
[root@localhost ~]# systemctl enable iptables.service

#Note: port 21 is the FTP control port; 10060–10090 is the passive-mode data range and must match pasv_min_port/pasv_max_port in vsftpd.conf (any unprivileged TCP range above 1024 can be used, as long as both places agree). Plain FTP carries credentials and file contents in cleartext, so if the server is reachable from untrusted networks, restrict the port-21 rule to known source addresses (-s) or enable FTPS in vsftpd.conf (see the note on step 4).

2. Turn off SELinux (discouraged)

Disabling SELinux removes a mandatory-access-control layer from a service that accepts logins from the network. Prefer to keep it enforcing and grant vsftpd what it needs through booleans (for example `setsebool -P ftpd_full_access on`; list the relevant ones with `getsebool -a | grep ftp` and look at denials with `ausearch -m avc -ts recent`). If you do follow this step, only the SELINUX= line needs to change; SELINUXTYPE=targeted can stay as it is.

[root@localhost ~]# vi /etc/selinux/config

#SELINUX=enforcing #Comment out
#SELINUXTYPE=targeted #Comment out
SELINUX=disabled #increase
:wq! #Save exit

#Switch the running system to permissive mode (setenforce 0 does not disable SELinux; the config-file change above takes effect at the next boot)
[root@localhost ~]# setenforce 0

3, Install vsftpd

#Install vsftpd
[root@localhost ~]# yum install -y vsftpd

#Install the packages used by the virtual-user setup (db_load, used in step 6, is packaged as libdb-utils on CentOS 7 — install it too if the command is not found)
[root@localhost ~]# yum install -y psmisc net-tools systemd-devel libdb-devel perl-DBI

#start-up
[root@localhost ~]# systemctl start vsftpd.service

#Enable at boot
[root@localhost ~]# systemctl enable vsftpd.service

4. Configure the vsftpd server

#Backup default profile
[root@localhost ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf-bak

#Apply the following settings. anonymous_enable=NO turns anonymous logins off; the anon_* options edited below are therefore not reachable by anonymous clients, and because virtual users are given local-user privileges later (virtual_use_local_privs=YES) their write access is governed by write_enable rather than by anon_*. ASCII transfer mode is enabled here only for client compatibility — leave it off if your clients do not need it.
[root@localhost ~]# sed -i "s/anonymous_enable=YES/anonymous_enable=NO/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#anon_upload_enable=YES/anon_upload_enable=NO/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#chown_uploads=YES/chown_uploads=NO/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#async_abor_enable=YES/async_abor_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#ascii_upload_enable=YES/ascii_upload_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#ascii_download_enable=YES/ascii_download_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

[root@localhost ~]# sed -i "s/#ftpd_banner=Welcome to blah FTP service./ftpd_banner=Welcome to FTP service./g" '/etc/vsftpd/vsftpd.conf'

#Append the virtual-user settings. Two caveats: data_connection_timeout=1 aborts any transfer that stalls for one second (vsftpd's default is 300), and connect_timeout=1 / accept_timeout=5 are similarly aggressive — raise them unless that is intended. Nothing here enables TLS, so passwords and files cross the network in cleartext; for anything beyond a trusted LAN add ssl_enable=YES together with rsa_cert_file/rsa_private_key_file pointing at a certificate and key.
[root@localhost ~]# echo -e "use_localtime=YES\nlisten_port=21\nchroot_local_user=YES\nidle_session_timeout=300\ndata_connection_timeout=1\nguest_enable=YES\nguest_username=vsftpd\nuser_config_dir=/etc/vsftpd/vconf\nvirtual_use_local_privs=YES\npasv_min_port=10060\npasv_max_port=10090\naccept_timeout=5\nconnect_timeout=1" >> /etc/vsftpd/vsftpd.conf

5, Create virtual user list file

[root@localhost ~]# touch /etc/vsftpd/virtusers

#Edit the virtual-user list: odd lines are user names, each even line is the password for the user on the line above. Do not use root or the name of any existing system account. Passwords sit in this file in cleartext, so replace the 123456 examples with strong ones, restrict the file (chmod 600 /etc/vsftpd/virtusers), and remove it once the database has been generated in step 6.
[root@localhost ~]# vi /etc/vsftpd/virtusers

web1
123456
web2
123456
web3
123456
:wq! #Save exit

6, Generate virtual user data file

[root@localhost ~]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db

#Restrict the generated database — it holds the passwords exactly as written in the list file (pam_userdb compares them in cleartext unless its crypt= option is used). Give the cleartext source file /etc/vsftpd/virtusers the same permissions, or delete it now that the database exists.
[root@localhost ~]# chmod 600 /etc/vsftpd/virtusers.db

7. Add the following two lines at the top of /etc/pam.d/vsftpd and comment out the existing lines beneath them. If the stock lines are left active, a failed virtual-user lookup would fall through to the system-account stack (pam_unix via password-auth), so ordinary system users could also log in over FTP.

#Backup before modification
[root@localhost ~]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpdbak
[root@localhost ~]# vi /etc/pam.d/vsftpd

auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers

#Note: on 32-bit systems the module lives in /lib/security/ instead of /lib64/security/, otherwise the configuration fails. The db= path is given without the .db suffix; pam_userdb appends it itself.

8. Create a system user vsftpd with home directory /home/wwwroot and login shell /bin/false so it cannot log in interactively. This is the account named by guest_username in step 4, to which every virtual user is mapped.

[root@localhost ~]# useradd vsftpd -d /home/wwwroot -s /bin/false
[root@localhost ~]# chown vsftpd:vsftpd /home/wwwroot -R

#Only if guest_username is set to www instead of vsftpd (see the remarks at the end): then the tree must be owned by www and this chown replaces the one above. Do not run both.
[root@localhost ~]# chown www:www /home/wwwroot -R

9. Per-user configuration files for the virtual users (user_config_dir=/etc/vsftpd/vconf from step 4; each file is named after the user it applies to)

[root@localhost ~]# mkdir /etc/vsftpd/vconf
[root@localhost ~]# cd /etc/vsftpd/vconf

#Three virtual user profiles are created here
[root@localhost ~]# touch web1 web2 web3
[root@localhost ~]# mkdir -p /home/wwwroot/web1/http/

#Edit the configuration file for user web1; web2 and web3 follow the same pattern (create their directories under /home/wwwroot as well). local_root becomes this user's chroot (chroot_local_user=YES). vsftpd 3.x, as shipped with CentOS 7, refuses the session with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when that directory is writable by the logged-in user — which the recursive chown in step 8 makes it. Either keep local_root itself root-owned and non-writable and let users upload into a writable subdirectory, or add allow_writeable_chroot=YES to vsftpd.conf (weaker isolation). Because virtual_use_local_privs=YES is set, write_enable=YES is what grants write access; the anon_* lines below only matter if that option is turned off.
[root@localhost ~]# vi web1

local_root=/home/wwwroot/web1/http/
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

10. Finally, restart vsftpd so the new configuration is loaded

[root@localhost ~]# systemctl restart vsftpd.service

//remarks:
guest_username=vsftpd #The system account every virtual user is mapped to (the one created in step 8)
guest_username=www #If the FTP tree is the web root and is used to upload site files, mapping virtual users to the account nginx runs as (www) avoids many permission problems. Be aware this lets every FTP user write files the web server serves (and, with a PHP or similar handler, may execute) as itself — keep write access limited to the intended directories.

This article is reproduced from an unknown author; I only adjusted the formatting for readability.
