Preface
FTP (File Transfer Protocol) is a standard protocol for transferring files over a network. It works in client/server mode and sits at the application layer. The FTP service uses TCP ports 21 and 20: port 21 carries the control connection (commands and replies), and port 20 is the server-side source port of the data connection in active mode.
FTP has two working modes, active and passive. The control connection is the same in both; they differ in which side opens the data connection:
- Active mode: the data connection is opened by the server. The process is:
Client initiates the control connection:
Client:50000 (an ephemeral port above 1023) -> Server:21
Client announces a data port with the PORT command, and the server connects to it from its data port:
Server:20/tcp -> Client:50001 (classically the client's control port + 1; in practice any free port the client chose and sent in PORT)
- Passive mode: the data connection is opened by the client. The process is:
Client initiates the control connection:
Client:50000 (an ephemeral port above 1023) -> Server:21
Client sends PASV, the server replies with a random high port, and the client connects to it:
Client:50001 (again a port chosen by the client) -> Server:random port
Active mode requires the client to accept an inbound connection from the server, which client-side firewalls and NAT usually block; passive mode moves that requirement to the server, which must allow inbound connections on its passive port range (pasv_min_port and pasv_max_port in vsftpd).
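The port negotiation described above, as an added example that is not part of the original article: a small Python parser for the server's PASV (227) and EPSV (229) replies, the PORT command a client sends in active mode, and the check a careful client makes before connecting in passive mode. The sample replies are constructed for the example, not captured from the lab, and the function names are the example's own.

```python
import re

# Constructed sample replies (not captured from the page's lab), shaped like what a
# vsftpd server sends in reply to PASV and EPSV.
PASV_REPLY = "227 Entering Passive Mode (192,168,4,119,195,149)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50021|)"


def parse_pasv(reply):
    """Turn a 227 reply into (host, port); the data port is p1 * 256 + p2."""
    m = re.fullmatch(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\).*", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def parse_epsv(reply):
    """Turn a 229 reply into the data port; EPSV carries only a port, never an address."""
    m = re.fullmatch(r"229 .*?\(\|\|\|(\d+)\|\).*", reply)
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def passive_target(reply, control_peer, trust_server_address=False):
    """Address the client should connect its data socket to in passive mode.

    A malicious server (or a misconfigured NAT) can put any address into the 227
    reply. A careful client ignores that address and reuses the peer address of
    the control connection, which is what lftp and curl do by default; only the
    port is taken from the reply.
    """
    host, port = parse_pasv(reply)
    if not trust_server_address and host != control_peer:
        host = control_peer
    return host, port


def build_port_command(client_host, data_port):
    """Active mode: the PORT command the client sends so that the server can connect
    back (from its port 20) to client_host:data_port. The client chooses data_port
    itself; the 'control port + 1' seen in textbooks is only a convention."""
    if not 1024 <= data_port <= 65535:
        raise ValueError("data port must be an unprivileged port")
    octets = client_host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("client_host must be a dotted-quad IPv4 address")
    return "PORT %s,%d,%d" % (",".join(octets), data_port // 256, data_port % 256)


if __name__ == "__main__":
    print("PASV ->", parse_pasv(PASV_REPLY))
    print("EPSV ->", parse_epsv(EPSV_REPLY))
    print("safe passive target ->", passive_target(PASV_REPLY, "10.0.0.5"))
    print("active mode ->", build_port_command("192.168.4.118", 50001))
```

The passive_target check matters on untrusted networks: the 227 reply is the one place in the protocol where the server can redirect the client's next TCP connection to a third host.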
Implement FTP Service
- Based on CentOS 7, the FTP service is implemented with the open source software vsftpd (Very Secure FTP Daemon). The versions used in this experiment are:
[root@server ~]# lsb_release -r
Release:    7.2.1511
[root@server ~]# rpm -qi vsftpd
Name        : vsftpd
Version     : 3.0.2
Release     : 22.el7
Architecture: x86_64
- The main program and configuration files of vsftpd are:
Main program: /usr/sbin/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
Data root directory (anonymous FTP root): /var/ftp
Systemd unit file: /usr/lib/systemd/system/vsftpd.service
List of users denied login (checked by PAM): /etc/vsftpd/ftpusers
User list (allow list or deny list depending on userlist_deny): /etc/vsftpd/user_list
- The default (uncommented) settings in the main configuration file /etc/vsftpd/vsftpd.conf. The text after # on each line is an annotation for this article; vsftpd does not accept trailing comments on a setting line (everything after = becomes the value), so do not copy them into the file:
anonymous_enable=YES        # allow anonymous user access
local_enable=YES            # allow local users to log in to FTP
write_enable=YES            # allow write commands (needed for any upload, mkdir, delete or rename)
local_umask=022             # umask for files uploaded by local users
dirmessage_enable=YES       # show the directory's message file when a user enters it
xferlog_enable=YES          # log uploads and downloads
connect_from_port_20=YES    # use port 20 as the source port of active-mode data connections
xferlog_std_format=YES      # write the transfer log in standard xferlog format to the file named by xferlog_file
listen=NO                   # do not open a separate IPv4 listener in standalone mode
listen_ipv6=YES             # listen on an IPv6 socket, which on Linux also accepts IPv4 connections
pam_service_name=vsftpd     # PAM service name used for authentication (/etc/pam.d/vsftpd)
userlist_enable=YES         # consult /etc/vsftpd/user_list before asking for a password
tcp_wrappers=YES            # honour /etc/hosts.allow and /etc/hosts.deny
In addition to the defaults above, the main configuration file accepts the following parameters (same convention: the # text is explanation, not file content):
Anonymous user share permissions:
anon_world_readable_only=YES    # anonymous users may only download files that are world-readable
anon_upload_enable=NO           # allow anonymous file upload
anon_mkdir_write_enable=NO      # allow anonymous directory creation
anon_other_write_enable=NO      # allow anonymous delete and rename of files and directories
anon_umask=077                  # umask for files uploaded by anonymous users
System (local) user permissions:
local_enable=YES                # allow local users (accounts in /etc/passwd) to log in
write_enable=YES                # allow write commands, including modify and delete
local_umask=022                 # umask for files uploaded by local users
chroot_local_user=YES           # confine all local users to their home directories
chroot_list_enable=YES          # enable the exception list named by chroot_list_file
chroot_list_file=/etc/vsftpd/chroot_list   # list of users treated as exceptions to chroot_local_user
Note: with chroot_local_user=YES and chroot_list_enable=YES, the users in chroot_list are NOT confined (they are the exceptions); with chroot_local_user=NO and chroot_list_enable=YES, only the users in chroot_list ARE confined.
Controlling which users may log in to vsftpd:
userlist_enable=YES             # consult /etc/vsftpd/user_list
userlist_deny=NO                # NO: user_list is an allow list; YES (the default): user_list is a deny list
Upload and download rate limits:
anon_max_rate=0                 # maximum transfer rate in bytes per second for anonymous users, 0 = unlimited
local_max_rate=0                # maximum transfer rate in bytes per second for local users, 0 = unlimited
Concurrent connection limits:
max_clients=2000                # maximum number of concurrent clients in standalone mode
max_per_ip=50                   # maximum number of connections from a single IP address
Note: More parameter information can be obtained from man vsftpd.conf.
- The three authentication methods of vsftpd:
The vsftpd service provides three ways to authenticate FTP users: anonymous, local user and virtual user. Anonymous authentication means anyone can access the server without credentials; local user authentication uses the accounts in /etc/passwd on the Linux system; virtual user authentication uses FTP accounts and passwords maintained separately by the vsftpd service and mapped to a single unprivileged system account. Virtual users are the safest option: even if an FTP account password is compromised, no system account password is exposed, and the captured credential is only valid for FTP, not for a shell or SSH login.
1. Anonymous users
vsftpd enables anonymous login by default. Edit /etc/vsftpd/vsftpd.conf as follows (back up the original first):
# Back up the configuration file
[root@server ~]# cp /etc/vsftpd/vsftpd.conf{,.bak}
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_umask=022
[root@server ~]# setenforce 0
[root@server ~]# systemctl stop vsftpd.service
[root@server ~]# systemctl start vsftpd
[root@server ~]# ss -tan
LISTEN     0      32          :::21                      :::*
LISTEN     0      128         :::22                      :::*
Note: setenforce 0 switches SELinux to permissive mode for the whole host, which is acceptable only in this lab. On a real server keep SELinux enforcing and enable the specific boolean instead, for example setsebool -P ftpd_anon_write on for anonymous uploads (getsebool -a | grep ftpd lists the vsftpd-related booleans).
The client tests:
[root@client ~]# lftp 192.168.4.119
lftp 192.168.4.119:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2017 pub
lftp 192.168.4.119:/> cd pub/
lftp 192.168.4.119:/pub> mkdir test
mkdir: Access failed: 550 Create directory operation failed. (test)
lftp 192.168.4.119:/pub> exit
Creating the test directory failed. Anonymous users land in the home directory of the ftp system user, /var/ftp. Even though anon_mkdir_write_enable=YES is configured, the permissions an FTP user actually gets are the intersection of the share permissions defined in vsftpd.conf and the filesystem permissions of the directory being accessed, and /var/ftp/pub is owned by root and not writable by ftp. So the ownership of /var/ftp/pub has to be changed:
[root@server ~]# ll -d /var/ftp/pub
drwxr-xr-x. 2 root root 6 Aug  3  2017 /var/ftp/pub
[root@server ~]# chown ftp:ftp /var/ftp/pub/
[root@server ~]# ll -d /var/ftp/pub
drwxr-xr-x. 2 ftp ftp 6 Aug  3  2017 /var/ftp/pub
Note: change only the pub subdirectory, not /var/ftp itself. The anonymous root must stay non-writable by the ftp user; if it is writable, vsftpd rejects the session with "500 OOPS: vsftpd: refusing to run with writable anonymous root".
Re-login test:
[root@client ~]# lftp 192.168.4.119
lftp 192.168.4.119:~> cd pub/
lftp 192.168.4.119:/pub> mkdir test
mkdir ok, `test' created
lftp 192.168.4.119:/pub> lcd /etc          # switch the client's local directory
lcd ok, local cwd=/etc
lftp 192.168.4.119:/pub> put passwd
2538 bytes transferred
lftp 192.168.4.119:/pub> ls
-rw-------    1 14       50           2538 Jun 27 05:44 passwd
drwx------    2 14       50              6 Jun 27 05:43 test
lftp 192.168.4.119:/pub> rm passwd
rm ok, `passwd' removed
lftp 192.168.4.119:/pub> rmdir test
rmdir ok, `test' removed
lftp 192.168.4.119:/pub> exit
The uploaded file and directory belong to uid 14 / gid 50 (the ftp user) and were created with modes 600 and 700 because anon_umask defaults to 077; the local_umask=022 set above applies only to local users. Anonymous write access of this kind turns the server into an open drop box for anyone who can reach port 21, so keep it confined to a lab, or to a dedicated upload directory combined with anon_world_readable_only=YES so that uploaded files cannot be downloaded back anonymously.
2. Local Users
Edit the main configuration file /etc/vsftpd/vsftpd.conf:
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=NO
Note: with userlist_enable=YES and userlist_deny=NO, /etc/vsftpd/user_list is an allow list (only the listed users may log in); with userlist_enable=YES and userlist_deny=YES, it is a deny list. The packaged user_list is written as a deny list of system accounts (root, bin, daemon and so on), so when switching to userlist_deny=NO replace its contents rather than appending to them.
Edit/etc/vsftpd/user_list:
[root@server ~]# vim /etc/vsftpd/user_list
testftp
[root@server ~]# useradd testftp
[root@server ~]# echo 123456 | passwd --stdin testftp
[root@server ~]# systemctl restart vsftpd
Client test:
[root@client ~]# lftp 192.168.4.119 -u testftp
Password:
lftp testftp@192.168.4.119:~> lcd /etc
lcd ok, local cwd=/etc
lftp testftp@192.168.4.119:~> put passwd
2538 bytes transferred
lftp testftp@192.168.4.119:~> mkdir test
mkdir ok, `test' created
lftp testftp@192.168.4.119:~> ls
-rw-r--r--    1 1001     1001         2538 Jun 27 07:04 passwd
drwxr-xr-x    2 1001     1001            6 Jun 27 07:04 test
lftp testftp@192.168.4.119:~> rm passwd
rm ok, `passwd' removed
lftp testftp@192.168.4.119:~> rmdir test
rmdir ok, `test' removed
lftp testftp@192.168.4.119:~> lcd /
lcd ok, local cwd=/
lftp testftp@192.168.4.119:~> cd /etc          # switch to the server's /etc directory
cd ok, cwd=/etc
lftp testftp@192.168.4.119:/etc> get passwd    # download the server's /etc/passwd
2583 bytes transferred
lftp testftp@192.168.4.119:/etc> exit
An unconfined local user can change to /etc and download the server's passwd file, and more generally read anything the account's filesystem permissions allow, which is a serious exposure. Local users therefore need to be restricted to their own home directories:
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd/chroot_list    # optional: file listing the users exempted from the chroot
Note: since version 2.3.5, vsftpd performs a stricter check: when a user is confined to the home directory, that directory must not be writable by the user. If it is, the client is refused on login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
allow_writeable_chroot=YES disables that check and is the quick fix used here. The check exists because a chroot whose root directory is writable by the confined user weakens the confinement, so on a production server the better option is to leave the home directory owned by root with mode 755 and give the user a writable subdirectory (optionally made the landing point with local_root), leaving allow_writeable_chroot at its default of NO.
Client test:
[root@\client ~]# lftp 192.168.4.119 -u testftp
Password:
lftp testftp@192.168.4.119:~> cd /etc
cd: Access failed: 550 Failed to change directory. (/etc)
lftp testftp@192.168.4.119:/> lcd /etc
lcd ok, local cwd=/etc
lftp testftp@192.168.4.119:/> put passwd
2538 bytes transferred
lftp testftp@192.168.4.119:/> mkdir test
mkdir ok, `test' created
lftp testftp@192.168.4.119:/> rm passwd
rm ok, `passwd' removed
lftp testftp@192.168.4.119:/> rmdir test
rmdir ok, `test' removed
lftp testftp@192.168.4.119:/> exit
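The parameter reference above and the chroot discussion in this section describe several option combinations that are dangerous on their own or in combination. As an added example (not code from the original article or from the vsftpd project), the following Python audit parses a vsftpd.conf the way vsftpd does, fills in vsftpd's compiled-in defaults from man vsftpd.conf for anything not set, and reports those combinations. The finding codes, function names and the two sample configurations (built from the settings shown in this article) are the example's own.

```python
import re

# vsftpd's compiled-in defaults (man vsftpd.conf) for the options the audit looks at;
# an option missing from the file takes this value.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "allow_writeable_chroot": "NO",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
}

# Constructed sample configurations assembled from the settings shown in this article.
ANON_LAB_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""
LOCAL_CHROOT_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
allow_writeable_chroot=YES
"""


def parse_vsftpd_conf(text):
    """Read option=value lines as vsftpd does: blank lines and lines starting with '#'
    are skipped, everything after the first '=' is the value, nothing is trimmed.
    Lines vsftpd would reject (leading/trailing whitespace, a non-option name, a
    trailing '# comment' that would become part of the value) are returned separately."""
    settings, bad = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        malformed = (
            not sep
            or raw != raw.strip()
            or not re.fullmatch(r"[a-z0-9_]+", key)
            or re.search(r"\s#", value)
        )
        if malformed:
            bad.append(raw)
        if sep:
            settings[key.strip()] = value.strip()
    return settings, bad


def effective_settings(settings):
    """Apply the defaults for every audited option that the file does not set."""
    eff = dict(DEFAULTS)
    eff.update(settings)
    return eff


def audit_vsftpd_conf(text):
    """Return finding codes, in a fixed order, for the risky combinations discussed in the text."""
    settings, bad = parse_vsftpd_conf(text)
    e = effective_settings(settings)
    yes = lambda k: e[k].upper() == "YES"
    findings = []
    if bad:
        findings.append("BAD_LINE")  # vsftpd refuses to start on such a line
    if yes("anonymous_enable") and yes("write_enable") and (
        yes("anon_upload_enable") or yes("anon_mkdir_write_enable") or yes("anon_other_write_enable")
    ):
        findings.append("ANON_WRITE")  # anyone can upload, create or delete without credentials
    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("LOCAL_NOT_CHROOTED")  # local users can cd /etc and fetch passwd
    if yes("chroot_local_user") and yes("chroot_list_enable"):
        findings.append("CHROOT_EXCEPTIONS")  # users in chroot_list_file are exempt from the chroot
    if yes("allow_writeable_chroot"):
        findings.append("WRITABLE_CHROOT")  # the 2.3.5+ writable-root check is disabled
    if yes("userlist_enable") and yes("userlist_deny"):
        findings.append("USERLIST_IS_DENYLIST")  # an allow list (userlist_deny=NO) is stricter
    return findings


if __name__ == "__main__":
    print("anonymous lab config:", audit_vsftpd_conf(ANON_LAB_CONF))
    print("chrooted local users:", audit_vsftpd_conf(LOCAL_CHROOT_CONF))
```

Run it against /etc/vsftpd/vsftpd.conf with audit_vsftpd_conf(open(path).read()) after every change; the BAD_LINE check catches the common mistake of pasting annotated lines like those in the reference above straight into the file.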
3. Virtual Users
The accounts and passwords used for virtual user authentication do not exist as system accounts on the server, which makes them safer than local users: even if an FTP account password is captured, it cannot be used to log in to the server itself. All virtual users are mapped to one unprivileged system account, so a compromised FTP password yields at most that account's filesystem rights over FTP. The configuration steps are:
1) Create virtual user database files
2) Create system users for root directory and virtual user mapping
3) Establish PAM authentication files to support virtual users
4) Add support configuration in vsftpd.conf
5) Set different permissions for virtual users
1) Create virtual user database files
The file contains one line with the account name followed by one line with its password, and nothing else (db_load would load a comment line as a key):
[root@ftp ~]# vim /etc/vsftpd/vuser
test1
123456
test2
12345678
[root@ftp ~]# db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db    # build the Berkeley DB file (db_load is in the libdb-utils package)
[root@ftp ~]# chmod 600 /etc/vsftpd/vuser.db
[root@ftp ~]# rm /etc/vsftpd/vuser    # the plaintext list is no longer needed; remove it
2) Create system users for root directory and virtual user mapping
[root@server ~]# useradd -d /var/vftp -s /sbin/nologin vftp
[root@server ~]# chmod -R 755 /var/vftp
3) Establish PAM authentication files to support virtual users
[root@server ~]# vim /etc/pam.d/vsftpd.virtual
# check account and password; give the database path without the .db suffix
auth    required pam_userdb.so db=/etc/vsftpd/vuser
# check that the account is valid
account required pam_userdb.so db=/etc/vsftpd/vuser
4) Add support configuration in vsftpd.conf
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO                         # no anonymous login
local_enable=YES                            # must stay on: the mapped system account vftp is a local user
guest_enable=YES                            # enable virtual user mode
guest_username=vftp                         # local account that every virtual user is mapped to
pam_service_name=vsftpd.virtual             # PAM service (file under /etc/pam.d) used for authentication
chroot_local_user=YES                       # confine users to their root directory
allow_writeable_chroot=YES                  # allow the chroot root to be writable
user_config_dir=/etc/vsftpd/vuser_profile   # directory holding one configuration file per virtual user
userlist_enable=YES
userlist_deny=YES
(As before, the # text is explanation only and must not be written into the file.)
5) Set different permissions for virtual users
[root@server ~]# mkdir /etc/vsftpd/vuser_profile
[root@server ~]# vim /etc/vsftpd/vuser_profile/test1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
[root@server ~]# vim /etc/vsftpd/vuser_profile/test2
local_root=/vftp/test2
anon_umask=022
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
[root@ftp ~]# mkdir -pv /vftp/test2
[root@ftp ~]# chown vftp:vftp /vftp/test2
[root@ftp ~]# systemctl restart vsftpd
Virtual users are treated like anonymous users for permission purposes (unless virtual_use_local_privs=YES is set), so their write rights come from the anon_* options, and write_enable=YES must still be in effect for any write command. A virtual user without a file in user_config_dir is read-only, and the per-user file name must match the FTP login name exactly.
Client test:
# User test1
[root@client ~]# lftp 192.168.4.119 -u test1
Password:
lftp test1@192.168.4.119:~> lcd /etc
lcd ok, local cwd=/etc
lftp test1@192.168.4.119:~> put passwd
2538 bytes transferred
lftp test1@192.168.4.119:/> mkdir test
mkdir ok, `test' created
lftp test1@192.168.4.119:/> ls
-rw-r--r--    1 1002     1002         2538 Jun 27 09:40 passwd
drwxr-xr-x    2 1002     1002            6 Jun 27 09:40 test
lftp test1@192.168.4.119:/> rm passwd
rm ok, `passwd' removed
lftp test1@192.168.4.119:/> rmdir test/
rmdir ok, `test/' removed
lftp test1@192.168.4.119:/> cd /etc
cd: Access failed: 550 Failed to change directory. (/etc)
lftp test1@192.168.4.119:/> exit
Note: test1 lands in /var/vftp, the home directory of the system user vftp created on the server, and is confined to it.
# User test2
[root@client ~]# lftp 192.168.4.119 -u test2
Password:
lftp test2@192.168.4.119:~> lcd /etc
lcd ok, local cwd=/etc
lftp test2@192.168.4.119:~> put passwd
2538 bytes transferred
lftp test2@192.168.4.119:/> mkdir test
mkdir ok, `test' created
lftp test2@192.168.4.119:/> ls
-rw-r--r--    1 1002     1002         2538 Jun 27 09:46 passwd
drwxr-xr-x    2 1002     1002            6 Jun 27 09:46 test
lftp test2@192.168.4.119:/> rm passwd
rm ok, `passwd' removed
lftp test2@192.168.4.119:/> rmdir test/
rmdir ok, `test/' removed
lftp test2@192.168.4.119:/> put fstab
477 bytes transferred
lftp test2@192.168.4.119:/> lcd /
lcd ok, local cwd=/
lftp test2@192.168.4.119:/> get fstab
477 bytes transferred
lftp test2@192.168.4.119:/> cd /etc
cd: Access failed: 550 Failed to change directory. (/etc)
lftp test2@192.168.4.119:/> exit
Note: test2 lands in /vftp/test2 because its per-user file sets local_root. Uploads from both users are owned by uid 1002 (vftp), so virtual users that share a directory can read and delete each other's files; give each virtual user its own local_root when that is not acceptable.
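How the settings in this section combine for one virtual user, as an added example that is not code from the original article or from vsftpd: the main configuration is merged with the user's file from user_config_dir, the landing directory is local_root if set and otherwise the home of guest_username, and write rights come from the anon_* options gated by write_enable. The sample inputs mirror the configuration above and assume write_enable=YES is still present from the local-user section (vsftpd defaults it to NO); the guest home path is passed in because it comes from useradd -d, not from vsftpd.conf. The function and key names are the example's own.

```python
# Constructed inputs mirroring the virtual-user configuration in this section.
MAIN_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
guest_enable=YES
guest_username=vftp
pam_service_name=vsftpd.virtual
chroot_local_user=YES
allow_writeable_chroot=YES
user_config_dir=/etc/vsftpd/vuser_profile
userlist_enable=YES
userlist_deny=YES
"""

# Contents of /etc/vsftpd/vuser_profile/<login name>, keyed by login name.
PER_USER_CONFS = {
    "test1": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\nanon_umask=022\n",
    "test2": "local_root=/vftp/test2\nanon_umask=022\nanon_mkdir_write_enable=YES\nanon_upload_enable=YES\nanon_other_write_enable=YES\n",
}

GUEST_HOME = "/var/vftp"  # home directory of guest_username, created with useradd -d above


def parse_options(text):
    """Minimal option=value reader: blank and '#' lines skipped, no trimming, as vsftpd does."""
    opts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def resolve_virtual_user(main_conf, per_user_confs, guest_home, username):
    """Effective landing directory, umask and write rights for one virtual user."""
    main = parse_options(main_conf)
    if main.get("guest_enable") != "YES":
        raise ValueError("guest_enable=YES is required for virtual users")
    eff = dict(main)
    eff.update(parse_options(per_user_confs.get(username, "")))  # per-user file overrides
    yes = lambda key: eff.get(key, "NO") == "YES"
    writable = yes("write_enable")  # global switch; without it no anon_* option grants writes
    return {
        "mapped_to": main["guest_username"],
        "root": eff.get("local_root", guest_home),
        "chrooted": yes("chroot_local_user"),
        "umask": eff.get("anon_umask", "077"),  # vsftpd's default anon_umask
        "upload": writable and yes("anon_upload_enable"),
        "mkdir": writable and yes("anon_mkdir_write_enable"),
        "delete_rename": writable and yes("anon_other_write_enable"),
    }


if __name__ == "__main__":
    for user in ("test1", "test2", "test3"):
        print(user, resolve_virtual_user(MAIN_CONF, PER_USER_CONFS, GUEST_HOME, user))
```

The third user, test3, has no per-user file and therefore resolves to a read-only login in /var/vftp with the default 077 umask, which is the safe failure mode: forgetting a profile costs a user write access rather than granting it.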