The FTP protocol

File Transfer Protocol (FTP) is an application-layer protocol in the TCP/IP suite. An FTP deployment consists of an FTP server and an FTP client.

By default FTP uses TCP ports 21 and 20: port 21 carries the control connection (commands and replies), and port 20 is the server-side source port for data connections. Whether port 20 is actually used depends on the transfer mode. In active mode the client tells the server, with a PORT command, which address and port it is listening on, and the server connects out to it from port 20. In passive mode the client sends PASV, the server opens a listening port of its own choosing and announces it in the 227 reply, and the client connects to that port. Passive mode is what most clients behind NAT or a firewall need, which is why the server's passive port range has to be pinned and opened in the firewall (see below).
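The PORT/PASV exchange described above is easy to get wrong when reading captures or firewall logs, so here is an added example (not from the original article) that decodes the six-number tuples FTP uses for addresses and checks a PASV reply against the server's configured passive range. The command and reply lines are constructed samples, not captured traffic, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article. FTP carries addresses
# as "h1,h2,h3,h4,p1,p2" (port = p1*256 + p2) in the client's PORT
# command (active mode) and in the server's 227 reply to PASV (passive
# mode). The lines decoded at the bottom are constructed samples.

# Turn "h1,h2,h3,h4,p1,p2" into "h1.h2.h3.h4 port"; fail on malformed input.
ftp_decode_hostport() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for b in "$@"; do
        case "$b" in ''|*[!0-9]*) return 1 ;; esac
        [ "$b" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Active mode: the client says where it listens; the server connects
# to that address from TCP port 20.
ftp_decode_port_cmd() {
    tuple=$(printf '%s' "$1" | sed -n 's/^PORT[[:space:]]*\([0-9,]*\).*/\1/p')
    [ -n "$tuple" ] && ftp_decode_hostport "$tuple"
}

# Passive mode: the server says where it listens; the client connects.
ftp_decode_pasv_reply() {
    tuple=$(printf '%s' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] && ftp_decode_hostport "$tuple"
}

# True if the port in a 227 reply lies within [$2, $3], i.e. inside the
# pasv_min_port..pasv_max_port range that the firewall opens.
pasv_port_in_range() {
    port=$(ftp_decode_pasv_reply "$1" | cut -d ' ' -f 2)
    [ -n "$port" ] && [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Constructed samples (not captured traffic):
ftp_decode_port_cmd 'PORT 192,168,1,10,200,10'                        # 192.168.1.10 51210
ftp_decode_pasv_reply '227 Entering Passive Mode (10,0,0,5,117,48).'  # 10.0.0.5 30000
pasv_port_in_range '227 Entering Passive Mode (10,0,0,5,117,48).' 30000 31000 \
    && echo "passive port inside the configured 30000-31000 range"
```

The range check is the one to keep at hand: if a client reports a 227 reply whose port falls outside what the firewall opens, the data connection will hang even though the login on port 21 worked.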

Server-side settings

Install vsftpd

sudo yum install vsftpd

Back up the configuration file

sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak

Edit the configuration file /etc/vsftpd/vsftpd.conf

Allow only local users to access the FTP server

# forbid anonymous access, allow local (system) accounts
anonymous_enable=NO
local_enable=YES

Allow file-system changes (uploads, renames, deletes)

write_enable=YES

Lock each local user into its home directory

chroot_local_user=YES

Allowing uploads inside the chroot

vsftpd refuses the login ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") when the directory it chroots into is writable by the user. The workaround is to chroot into a directory the user cannot write to and give the user a writable subdirectory below it (the permissions are set in the permissions step below). user_sub_token makes $USER usable in local_root:

user_sub_token=$USER
local_root=/home/$USER/ftp

Passive FTP connections

Unless told otherwise vsftpd picks any free port for passive data connections, which cannot be firewalled sensibly. Pin the range and open exactly that range in the firewall. pasv_enable defaults to YES, so only the range needs setting:

pasv_min_port=30000
pasv_max_port=31000

Restricting which users may log in

Allow only users listed in /etc/vsftpd/user_list to log in. userlist_deny=NO turns the file from a deny list into an allow list, and users not on it are rejected before a password is even requested. userlist_enable=YES must also be set (the stock CentOS vsftpd.conf already sets it):

userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
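The settings from the sections above, checked mechanically. This is an added example, not part of the original article: a small audit function that reads a vsftpd.conf, compares the keys discussed here against the values the article requires (falling back to the vsftpd.conf(5) defaults for keys that are absent), and flags a stock-style configuration next to the hardened one. The two config files are constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article. Audit a vsftpd.conf
# against the hardening settings described above. The two configs at the
# bottom are constructed for the demo; defaults are from vsftpd.conf(5).

# Effective value of key $2 in file $1 (last assignment wins, comment
# lines ignored), or the default $3 when the key is absent.
vsftpd_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one FAIL line per weak setting; return the number of failures.
audit_vsftpd_conf() {
    conf=$1
    fails=0
    # key, vsftpd default, value the article requires
    for spec in \
        'anonymous_enable YES NO' \
        'local_enable NO YES' \
        'chroot_local_user NO YES' \
        'userlist_enable NO YES' \
        'userlist_deny YES NO' \
        'ssl_enable NO YES'
    do
        set -- $spec
        got=$(vsftpd_get "$conf" "$1" "$2" | tr '[:lower:]' '[:upper:]')
        if [ "$got" != "$3" ]; then
            printf 'FAIL %s=%s (want %s)\n' "$1" "$got" "$3"
            fails=$((fails + 1))
        fi
    done
    # The passive range must be pinned, or the firewall cannot be opened
    # for exactly those ports.
    pmin=$(vsftpd_get "$conf" pasv_min_port 0)
    pmax=$(vsftpd_get "$conf" pasv_max_port 0)
    if [ "$pmin" -eq 0 ] || [ "$pmax" -lt "$pmin" ]; then
        printf 'FAIL pasv_min_port/pasv_max_port=%s/%s (want a fixed range)\n' "$pmin" "$pmax"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK $conf"
    return "$fails"
}

tmp=$(mktemp -d)
# Constructed "before": close to the stock CentOS file (anonymous logins
# on, no chroot, no TLS, passive ports unpinned).
cat > "$tmp/weak.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
userlist_enable=YES
EOF
# Constructed "after": the settings from this article.
cat > "$tmp/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
EOF
audit_vsftpd_conf "$tmp/weak.conf" || echo "$tmp/weak.conf: $? weak setting(s)"
audit_vsftpd_conf "$tmp/hardened.conf"
```

Run it against the real file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after editing; a non-zero exit code is the number of settings still at their weak value.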

Secure the transport with SSL/TLS

The following command creates a 2048-bit RSA private key and a self-signed certificate valid for ten years, writing both into the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Press Enter at each prompt to accept the defaults. Because -nodes leaves the key unencrypted, the file should be readable by root only.

Then edit the configuration file:

sudo vi /etc/vsftpd/vsftpd.conf

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

With ssl_enable=YES vsftpd by default also requires TLS for local users' logins and data transfers (force_local_logins_ssl and force_local_data_ssl default to YES), so a client that attempts a plaintext login is refused rather than silently downgraded.

Capturing an unencrypted session with Wireshark shows the USER and PASS commands, and therefore the account name and password, in plain text. With TLS enabled the capture shows only the AUTH TLS negotiation followed by encrypted records; no plaintext credentials or file contents are visible.

For more information, see the official vsftpd documentation (vsftpd.conf(5)).
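The combined vsftpd.pem above holds both the private key and the certificate, and the client section later copies that file off the server. As an added example (not from the original article), here is a small script that splits the file so only the certificate part is handed to clients while the key stays on the server with restrictive permissions. The PEM content is a constructed placeholder, not a real key or certificate, and the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the original article. The openssl command
# above writes key and certificate into one file; clients only need the
# certificate. Split the file so the key never leaves the server.
# Equivalent for the certificate part: openssl x509 -in vsftpd.pem -out vsftpd.crt

# split_pem COMBINED CERT_OUT KEY_OUT
split_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    # subshell so the restrictive umask applies only to the key file
    ( umask 077
      sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1" > "$3" )
    grep -q '^-----BEGIN CERTIFICATE-----$' "$2" || { echo "no certificate in $1"; return 1; }
    grep -q 'PRIVATE KEY-----$' "$3"              || { echo "no private key in $1"; return 1; }
    # the file handed to clients must carry no key material
    if grep -q 'PRIVATE KEY' "$2"; then echo "key material leaked into $2"; return 1; fi
}

tmp=$(mktemp -d)
# Constructed stand-in for /etc/vsftpd/vsftpd.pem (placeholders, not real
# key or certificate data; real files have many base64 lines per block).
cat > "$tmp/vsftpd.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDERPRIVATEKEYDATA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEDATA
-----END CERTIFICATE-----
EOF
split_pem "$tmp/vsftpd.pem" "$tmp/vsftpd.crt" "$tmp/vsftpd.key" \
    && echo "give clients $tmp/vsftpd.crt; keep $tmp/vsftpd.key on the server"
```

On the real server, run it as root against /etc/vsftpd/vsftpd.pem and copy only the .crt file to the WinSCP client; the .key file is created with mode 600 and stays put.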

Firewall settings

Check the firewall status

firewall-cmd --state

Start the firewall

systemctl start firewalld.service

Open the FTP ports (control, active-mode data, and the passive range configured above)

sudo firewall-cmd --permanent --add-port=20-21/tcp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp

Reload the firewall configuration

firewall-cmd --reload

* Hosting provider firewall settings

If the hosting provider also applies a firewall or security group in front of the server, the same ports must be opened there as well. The original article illustrates this with the Aliyun firewall settings.

Setting up an FTP user

Create an FTP user

sudo adduser ftpuser

Set the user's password

sudo passwd ftpuser

Add the user to the FTP allow list

echo "ftpuser" | sudo tee -a /etc/vsftpd/user_list

Configuring permissions

The chroot root /home/ftpuser/ftp must not be writable by the user (mode 550), while the upload subdirectory below it is (mode 750):

sudo mkdir -p /home/ftpuser/ftp/upload
sudo chmod 550 /home/ftpuser/ftp
sudo chmod 750 /home/ftpuser/ftp/upload
sudo chown -R ftpuser: /home/ftpuser/ftp

Disabling shell access

A newly created user gets a normal login shell, so it could also log in over SSH if password authentication is enabled there. Replace the shell with a script that only prints a message. The script has to be listed in /etc/shells, otherwise PAM (pam_shells) rejects the FTP login as well:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee /bin/ftponly
sudo chmod a+x /bin/ftponly
echo "/bin/ftponly" | sudo tee -a /etc/shells
sudo usermod -s /bin/ftponly ftpuser
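The chroot layout from the permissions step is the part people most often get wrong: a writable chroot root makes vsftpd refuse the login, and an unwritable upload directory makes uploads fail. As an added example, not from the original article, here is a check that verifies the layout from the permission bits alone, so it can be run on any directory tree without root. It assumes GNU stat (Linux) and that the FTP user owns both directories, as the chown above ensures; the directories it examines are created in a temporary directory for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article. Verify the layout that
# lets chroot_local_user=YES coexist with uploads: the chroot root must not
# be writable by the user (vsftpd refuses the login otherwise) and the
# upload subdirectory must be. Needs GNU stat (Linux). Only the owner bits
# are examined, which assumes the FTP user owns both directories (the
# chown in the article). The demo dirs below mirror /home/ftpuser/ftp (550)
# and /home/ftpuser/ftp/upload (750) inside a temp directory.

# Owner permission digit of a path, e.g. mode "550" -> 5, "2750" -> 7
owner_digit() { printf '%s' "$(stat -c '%a' "$1")" | tail -c 3 | cut -c 1; }

owner_can_write() {
    case "$(owner_digit "$1")" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# check_chroot_layout ROOT UPLOAD: 0 if ROOT is owner-read-only and UPLOAD is
# an owner-writable directory inside it; otherwise print why and return 1.
check_chroot_layout() {
    root=$1; upload=$2
    [ -d "$root" ]   || { echo "missing chroot root $root"; return 1; }
    [ -d "$upload" ] || { echo "missing upload dir $upload"; return 1; }
    case "$upload" in
        "$root"/*) ;;
        *) echo "$upload is not inside $root"; return 1 ;;
    esac
    if owner_can_write "$root"; then
        echo "$root is owner-writable (mode $(stat -c '%a' "$root")): vsftpd will refuse the chroot login"
        return 1
    fi
    if ! owner_can_write "$upload"; then
        echo "$upload is not owner-writable (mode $(stat -c '%a' "$upload")): uploads will fail"
        return 1
    fi
    echo "layout OK: $root read-only, $upload writable"
}

tmp=$(mktemp -d)
mkdir -p "$tmp/ftp/upload"
chmod 550 "$tmp/ftp"           # what the article sets on /home/ftpuser/ftp
chmod 750 "$tmp/ftp/upload"    # and on /home/ftpuser/ftp/upload
check_chroot_layout "$tmp/ftp" "$tmp/ftp/upload"
chmod 750 "$tmp/ftp"           # the common mistake: a writable chroot root
check_chroot_layout "$tmp/ftp" "$tmp/ftp/upload" || true
```

On the server, `check_chroot_layout /home/ftpuser/ftp /home/ftpuser/ftp/upload` should print the OK line before the first login is attempted; a "refusing to run with writable root" error in the FTP client almost always traces back to the first failure message.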

Client configuration

The Windows command-line ftp client supports neither passive mode nor TLS, so use WinSCP.

Obtaining the server certificate

Open a new session, connect to the server as root (for example over SFTP), and drag /etc/vsftpd/vsftpd.pem to the local PC. Note that this file also contains the server's private key, so copying it as-is moves the key off the server. Prefer extracting only the certificate on the server with openssl x509 and copying that file to the client.

Connecting to the FTP server

Open a new session with the FTP protocol and TLS/SSL encryption, enter the ftpuser credentials, and under the authentication parameters select the certificate file downloaded above.

Connect. WinSCP prompts to confirm the server's self-signed certificate; click "Yes".

The connection succeeds. Because of the permissions set above, ftpuser sees only its /home/ftpuser/ftp directory and can upload only into the upload folder.
