Preface

You are advised to use SFTP rather than FTP, which avoids installing a separate service. This article is only a memo; the experimental environment is a Tencent Cloud server.

Because the payment system needs third-party certificates and signing keys, and the files commonly used by the reconciliation system have to be uploaded, we need to build our own FTP file service to store these files. This article therefore mainly describes how to set up an FTP file service on a cloud server.

FTP concept

Active versus passive modes

When using FTP, if all ports between the client machine and the FTP server are open, the connection works without problems. If a firewall sits between the client and the server, and the firewall policy is not configured and the proper connection mode is not adopted, the login succeeds but LIST fails. In that case the client has to tell the server which mode to use, active or passive. To avoid this problem, you must first understand how FTP works. The following are the similarities and differences between the two modes.

Active mode

In active mode, the server connects to a port on the client when transmitting data, so no additional insecure ports need to be opened on our server firewall, and the server side is secure. But active mode requires that the client opens a port for the server. Many clients sit behind a firewall, and it is difficult to open ports there for the FTP server to reach.

Passive mode

Passive mode only requires the server to open ports to the client, so this FTP method is less secure, because a random non-privileged port is opened on the server for each transfer.
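As an added example (not code from the original post), the following Python decodes the endpoints that the two modes exchange, the client's PORT command in active mode and the server's 227 reply in passive mode, and checks a passive reply against the port range and the pasv_address setting that the configuration section later asks for. The sample messages are constructed, and the 203.0.113.x addresses are documentation-range placeholders.

```python
import re

# Constructed sample messages, not captured from a real session. The server is
# imagined behind cloud NAT with pasv_address unset, so it advertises 10.0.0.5;
# 203.0.113.x addresses are documentation-range placeholders.
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)."
PORT_CMD = "PORT 203,0,113,20,200,10"

_SIX = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _endpoint(text):
    """Decode FTP's h1,h2,h3,h4,p1,p2 encoding into (ip, port); port = p1*256 + p2."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv(reply):
    """Passive mode: the 227 reply names the data endpoint the client connects to."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    return _endpoint(reply)

def parse_port(cmd):
    """Active mode: the PORT command names the client endpoint the server connects back to."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _endpoint(cmd)

def is_rfc1918(ip):
    """True for 10/8, 172.16/12, 192.168/16: the ranges a cloud VPC hands a NATed server."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def check_pasv(reply, pasv_min=50000, pasv_max=60000):
    """Check a PASV reply against the firewall range the page opens and the pasv_address pitfall."""
    ip, port = parse_pasv(reply)
    problems = []
    if not pasv_min <= port <= pasv_max:
        problems.append("data port %d outside firewall range %d-%d" % (port, pasv_min, pasv_max))
    if is_rfc1918(ip):
        problems.append("advertised %s is private: set pasv_address to the public IP" % ip)
    return ip, port, problems
```

A passive reply that advertises a VPC-internal address is exactly what a cloud server produces when pasv_address is left unset: the login works, but the client cannot reach the data port.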

FTP Installation Process

The installation process

Installation

yum install -y vsftpd

Enable start on boot

systemctl enable vsftpd.service

Start the FTP service

systemctl start vsftpd.service

Check the port the FTP service is listening on

netstat -antup | grep ftp

The output shows that the service has started normally and is listening on port 21.

The configuration process

After the installation is complete, we need to configure the user access mode. As we all know, a secure file service must require password access. However, some public resources can also provide anonymous access (no password required). Note: only one of the two modes can be configured. Because common usage scenarios require passwords, it is recommended that you choose user mode. If you need to provide guest access, provide a public test account and password.

The following describes the configuration of the two modes.

Anonymous mode

Modify the configuration file:

vim /etc/vsftpd/vsftpd.conf

Press / to enter search mode, type anonymous_enable=YES and press Enter, then press i to enter insert mode and uncomment the line. Press Ctrl+C to leave insert mode, then type :wq! to save and exit.

Grant write permission on the public FTP directory:

chmod o+w /var/ftp/pub/

Restart the service

systemctl restart vsftpd.service

After the configuration is complete, you can use a GUI client for testing.

Click Login, and you will see the following interface.

So the server can be accessed normally. Next, try uploading a file.

So here I go to the graphical interface and drag the file in. Note: upload to the pub directory only.

This completes the configuration. Of course, some readers may run into connection problems. On a cloud server, make sure ports 20 and 21 are allowed in the security group. For details, see the cloud server configuration guide.

User mode

First, create a user

adduser ftptest

Then set a password

passwd ftptest

Create a directory for the user to use

mkdir /var/ftp/test

Change the owner of the directory

chown -R ftptest:ftptest /var/ftp/test

There are two configurations, one for active mode and one for passive mode:

Active mode
sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf        # Disable anonymous login to the FTP server
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf                             # Listen on IPv4 sockets
sed -i 's/listen_ipv6=YES/#listen_ipv6=YES/' /etc/vsftpd/vsftpd.conf                 # Stop listening on IPv6 sockets
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf     # Restrict all local users to their home directory
sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd/vsftpd.conf   # Enable the exception user list
sed -i 's/#chroot_list_file=/chroot_list_file=/' /etc/vsftpd/vsftpd.conf             # Specify the exception list file; users in it are not locked into the home directory
echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf                         # Allow the chroot root directory to be writable
echo "local_root=/var/ftp/test" >> /etc/vsftpd/vsftpd.conf                           # Directory that local users land in after login

Some readers may not be familiar with the syntax: sed -i 's/old string/new string/' filename is a string replacement operation, and echo "content" >> filename appends to the file. Note that the comments must start with #, otherwise the shell passes the words to sed as extra file names.

Passive mode
sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf        # Disable anonymous login to the FTP server
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf                             # Listen on IPv4 sockets
sed -i 's/listen_ipv6=YES/#listen_ipv6=YES/' /etc/vsftpd/vsftpd.conf                 # Stop listening on IPv6 sockets
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf     # Restrict all local users to their home directory
sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd/vsftpd.conf   # Enable the exception user list
sed -i 's/#chroot_list_file=/chroot_list_file=/' /etc/vsftpd/vsftpd.conf             # Specify the exception list file; users in it are not locked into the home directory
echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf                         # Allow the chroot root directory to be writable
echo "local_root=/var/ftp/test" >> /etc/vsftpd/vsftpd.conf                           # Directory that local users land in after login

echo "pasv_enable=YES" >> /etc/vsftpd/vsftpd.conf                                    # Enable passive mode
echo "pasv_address=<replace with the public IP address>" >> /etc/vsftpd/vsftpd.conf  # Public IP advertised to clients
echo "pasv_min_port=50000" >> /etc/vsftpd/vsftpd.conf                                # Lowest port used for passive-mode data transfers
echo "pasv_max_port=60000" >> /etc/vsftpd/vsftpd.conf                                # Highest port used for passive-mode data transfers

You need to open the port range 50000 to 60000 on the firewall.

Create a chroot_list file in /etc/vsftpd and write the list of exception users to it.

vim /etc/vsftpd/chroot_list

Restart the service

systemctl restart vsftpd.service

Afterword

You are advised to use SFTP rather than FTP, which avoids installing a separate service. This article is only a memo; the experimental environment is a Tencent Cloud server.