Formal learning linux-13

Keywords: Operation & Maintenance vsftpd vim ftp firewall

1.vsftpd main configuration file

The main configuration file (/etc/vsftpd/vsftpd.conf) consists mostly of comments and contains only a few actual parameters.

[root@linuxprobe ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
[root@linuxprobe ~]# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf

The commands above first rename the original configuration file, then use grep with inverted matching to filter out the comment lines and redirect the result into a new configuration file. The filtered main configuration file looks as follows.

[root@linuxprobe ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES #Allow anonymous users to log in
local_enable=YES #Allow local users to authenticate and log in
write_enable=YES #Whether local users have write permission
local_umask=022 #umask: full permission minus umask gives the actual permission of a file or directory. The full permission of a file is 666 and that of a directory is 777.
dirmessage_enable=YES #Show the directory message file when entering a directory
xferlog_enable=YES #Whether to enable transfer logging
connect_from_port_20=YES #Whether to send data from port 20 (active mode)
xferlog_std_format=YES #Whether to write the log in the standard xferlog format
listen=NO #Whether to run as a standalone daemon listening on IPv4
listen_ipv6=YES #Run as a standalone daemon listening on an IPv6 socket instead
pam_service_name=vsftpd #Name of the PAM service used for authentication
userlist_enable=YES #Check user_list before asking for a password
tcp_wrappers=YES #Whether TCP wrappers (hosts.allow/hosts.deny) control access to the service

The comments after each option are explanations only: vsftpd treats only lines that begin with # as comments, so do not leave them in the real file.

2. Authentication modes of the vsftpd service

The service offers three authentication modes for logging in to the FTP server: anonymous authentication, local user authentication and virtual user authentication.

Anonymous (public) authentication uses /var/ftp as its home directory. Add the following to the server's configuration file /etc/vsftpd/vsftpd.conf:

[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES #Allow anonymous access mode
anon_umask=022 #umask for files uploaded by anonymous users
anon_upload_enable=YES #Allow anonymous users to upload files
anon_mkdir_write_enable=YES #Allow anonymous users to create directories
anon_other_write_enable=YES #Allow anonymous users to rename or delete files and directories
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Restart the service on the server side and enable it at boot. On the client side (after installing the ftp client tool), log in to the FTP service as the anonymous user with an empty password. Note that when uploading from the client, the folder permissions block the write, so the owner of the upload directory has to be changed with the chown command. SELinux also restricts the service; set its Boolean value (ftpd_full_access) to lift the SELinux restriction.

With local user authentication, the directory accessed after login is the local user's home directory.

The configuration file enables local user login by default. Note that the two files user_list and ftpusers list the users whose login is restricted. In local authentication mode, logging in as root fails because root appears in both files. If you delete root from both files, logging in as root is no longer restricted. Unlike the anonymous directory, a local user's default home directory does not suffer from insufficient permissions.

Virtual user authentication maps the virtual accounts to a specified system user and its home directory.

[root@linuxprobe ~]# cd /etc/vsftpd/
[root@linuxprobe vsftpd]# vim vuser.list #Edit the accounts and passwords used for login: odd lines are account names, even lines are passwords
zhangsan #account
redhat #password
lisi #account
redhat #password
[root@linuxprobe vsftpd]# db_load -T -t hash -f vuser.list vuser.db #Convert the list into a Berkeley DB file: -T reads plain text input, -t hash selects the hash database type, -f names the input file
[root@linuxprobe vsftpd]# chmod 600 vuser.db #Restrict permissions on the database file, since it holds the passwords
[root@linuxprobe vsftpd]# rm -f vuser.list #Delete the original plaintext file
[root@linuxprobe ~]# useradd -d /var/ftproot -s /sbin/nologin virtual #Create the system user that virtual users map to, set its home directory and deny it a login shell
[root@linuxprobe ~]# ls -ld /var/ftproot/ #View the permissions of the virtual user's home directory
drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
[root@linuxprobe ~]# chmod -Rf 755 /var/ftproot/ #Open up the directory permissions for virtual users
[root@linuxprobe ~]# vim /etc/pam.d/vsftpd.vu #Create the PAM configuration file for the virtual user module
auth required pam_userdb.so db=/etc/vsftpd/vuser #The .db suffix is omitted from the db= path
account required pam_userdb.so db=/etc/vsftpd/vuser
[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO #Disable anonymous public authentication
local_enable=YES
guest_enable=YES #Turn on virtual user mode
guest_username=virtual #System user that virtual users are mapped to
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu #Use the PAM file created above
userlist_enable=YES
tcp_wrappers=YES
[root@linuxprobe ~]# mkdir /etc/vsftpd/vusers_dir/ #Directory for per-user configuration files, so that different users can get different permissions
[root@linuxprobe ~]# cd /etc/vsftpd/vusers_dir/
[root@linuxprobe vusers_dir]# touch lisi #Empty per-user file: lisi gets no extra permissions
[root@linuxprobe vusers_dir]# vim zhangsan #Per-user file granting zhangsan write permissions through the anonymous policy options
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers_dir #Append this to the main configuration so vsftpd reads per-user settings from that directory
[root@linuxprobe ~]# systemctl restart vsftpd #Restart the service
[root@linuxprobe ~]# systemctl enable vsftpd #Enable the service at boot
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

The ftpd_full_access Boolean must be set again after the virtual machine is restored from a snapshot.
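As an added example (not part of the original post), the following POSIX shell function audits a vsftpd.conf for the settings used in the anonymous and virtual-user configurations above, applying vsftpd's own rule that only whole-line comments are allowed; the sample configuration it reads is constructed here and it assumes only sh and awk.

```shell
# Added example, not from the original post: audit a vsftpd.conf for the
# risky settings discussed above. Assumes only POSIX sh and awk.
vsftpd_audit() {
    awk '
    function yes(k) { return (k in opt) && (opt[k] == "YES" || opt[k] == "TRUE" || opt[k] == "1") }
    # vsftpd treats only lines starting with "#" as comments; anything else is key=value
    /^#/ || /^[ \t]*$/ { next }
    /#/ { printf "ERR line %d: trailing comment becomes part of the value (rejected for YES/NO options): %s\n", NR, $0; next }
    !/^[A-Za-z_]+=/ { printf "ERR line %d: not key=value: %s\n", NR, $0; next }
    {
        i = index($0, "=")
        opt[substr($0, 1, i - 1)] = toupper(substr($0, i + 1))
    }
    END {
        # Compiled-in default (man 5 vsftpd.conf) for an option the file may omit
        if (!("anonymous_enable" in opt)) opt["anonymous_enable"] = "YES"
        if (yes("anonymous_enable") && yes("write_enable") && (yes("anon_upload_enable") || yes("anon_mkdir_write_enable")))
            print "WARN: anonymous users may upload files or create directories"
        if (yes("anonymous_enable") && yes("write_enable") && yes("anon_other_write_enable"))
            print "WARN: anonymous users may rename or delete files"
        if (yes("local_enable") && !yes("guest_enable") && !yes("chroot_local_user"))
            print "WARN: local users are not chrooted, they can browse the whole filesystem"
        if (yes("allow_writeable_chroot"))
            print "WARN: the chroot root directory is writable (allow_writeable_chroot=YES)"
        if (!yes("ssl_enable"))
            print "WARN: ssl_enable is not YES, passwords and data cross the network in cleartext"
    }' "$1"
}

# Number of findings; always exits 0 so it is safe to call under set -e.
vsftpd_audit_count() { vsftpd_audit "$1" | awk 'END { print NR }'; }

# Constructed sample: the anonymous-upload configuration from section 2.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
EOF
vsftpd_audit "$sample"
rm -f "$sample"
```

Run it against the real /etc/vsftpd/vsftpd.conf after editing to catch a trailing comment or an unintended anonymous write permission before restarting the service.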

3. TFTP service

This service runs under xinetd. After installing the TFTP server and client packages, edit /etc/xinetd.d/tftp to enable it:

[root@linuxprobe ~]# vim /etc/xinetd.d/tftp
service tftp
{
    socket_type = dgram
    protocol = udp
    wait = yes
    user = root
    server = /usr/sbin/in.tftpd
    server_args = -s /var/lib/tftpboot
    disable = no #Change this option from yes to no
    per_source = 11
    cps = 100 2
    flags = IPv4
}

After saving and exiting, restart the xinetd service. Once the firewall policies related to TFTP have been cleared on both the server and the client and the port is opened, the service can be used normally.

Posted by Fataqui on Sat, 14 Mar 2020 21:10:22 -0700