Configure and use FTP and SFTP in Linux
1. SFTP configuration
1. Create a dedicated FTP user group
Create the FTP user group:
```
groupadd sftp
```
2. Create a directory
The owner of this directory and of its parent directory must be root, and its mode must be no more permissive than 755. The best group for this directory is sftp.
```
mkdir -p /home/01-FTP/testftp
chmod -R 755 /home/01-FTP/testftp/
```
3. Modify sshd_config configuration
Back up the original sshd configuration file, then edit it:
```
mkdir /etc/ssh/bak
cp /etc/ssh/sshd_config /etc/ssh/bak/sshd_config_bak
vim /etc/ssh/sshd_config
```
Comment out the following line in sshd_config by prefixing it with #:
```
#Subsystem sftp /usr/libexec/openssh/sftp-server
```
Add the following to the end of sshd_config, then save and exit:
```
Subsystem sftp internal-sftp
# Restrict by group (recommended)
Match Group sftp
    # To restrict a single user instead:
    #Match User clftp
    # Method 1: automatically restrict each user to their own directory
    #ChrootDirectory /home/01-FTP/%u
    # Method 2: restrict to a specified directory (recommended)
    ChrootDirectory /home/01-FTP/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
The following configuration is recommended (edit /etc/ssh/sshd_config):
```
Port 35021
Subsystem sftp internal-sftp
Match Group sftpadmins,sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
# Note 1: ChrootDirectory %h means that after logging in via SFTP the user's root directory becomes their own home directory
# Note 2: the above is the modified configuration; because the port was changed, connect with:
# sftp -oPort=35021 [email protected]
```
Enter the password to log in.
www.cnblogs.com/regit/p/848…
4. Create a dedicated directory
(Create the conlinsftp home directory: the 01-FTP directory owner must be root and its permissions no higher than 755.)
Create a dedicated directory for uploads and downloads:
```
mkdir -p /home/01-FTP/testftp/
# change owner
chown root:sftp /home/01-FTP/testftp
# change permission
# 755: the owner can read, write and execute, group and other users can only read; use this when users only need to download
chmod 755 /home/01-FTP/testftp
# 775: the owner and group users can read and write, other users can only read; use this when group users need to upload and download
chmod 775 /home/01-FTP/testftp
```
Create the user, assign it to the sftp group and set its home directory:
```
useradd -g sftp -d /home/01-FTP/testftp -s /sbin/nologin clftp
```
5. Configure per account (optional)
-s /sbin/nologin disables command-line logins for the user. (This goes with method 1 above, which automatically restricts each user to their own directory: #ChrootDirectory /home/01-FTP/%u.)
```
mkdir /home/01-FTP/clftp
chown root:sftp /home/01-FTP/clftp
# 0755: only the directory owner can write
chmod 0755 /home/01-FTP/clftp
# 0775: the directory owner and the owning group can write
# (if this directory is itself the ChrootDirectory, sshd rejects a group-writable mode;
#  keep 0755 here and grant write access on a subdirectory such as upload/ instead)
chmod 0775 /home/01-FTP/clftp
# create user
useradd -g sftp -d /home/01-FTP/clftp -s /sbin/nologin clftp01
```
You can also create a separate upload and download directory:
```
mkdir /home/01-FTP/clftp/upload
chown -R clftp:sftp /home/01-FTP/clftp/upload
```
6. Restart the service for the configuration to take effect
On systems that use the service command:
```
service sshd restart
```
On newer systems (systemd):
```
systemctl restart sshd.service
```
2. VSFTPD (FTP configuration)
After this configuration, FTP logins are restricted, but SFTP logins are not.
1. Install vsftpd
It is usually installed by default. If a minimal installation does not include it, install it with yum and start the service:
```
# installation
yum install vsftpd
# start
systemctl start vsftpd
```
2. Configuration details
The vsftpd configuration file is vsftpd.conf in the /etc/vsftpd/ directory.
Attribute | Values | Meaning |
---|---|---|
anonymous_enable | YES/NO | Whether anonymous users may log in to FTP. If this setting is commented out, it is allowed by default |
local_enable | YES/NO | Whether local system users may log in |
write_enable | YES/NO | Whether any form of FTP write command (uploading files) is enabled |
local_umask | xxx | The umask for local users; defaults to 077 if commented out, generally set to 022 |
anon_upload_enable | YES/NO | Whether anonymous users may upload files. write_enable must be enabled first, and the user must also have write permission on the target directory |
anon_mkdir_write_enable | YES/NO | Whether anonymous users may create new directories |
dirmessage_enable | YES/NO | Send a message to the remote user when entering a directory |
xferlog_enable | YES/NO | Whether to enable upload/download logging |
connect_from_port_20 | YES/NO | Whether to use port 20 for the FTP data connection |
chown_uploads | YES/NO | Whether files uploaded anonymously are chowned to the user specified by chown_username |
chown_username | valid username | Files uploaded anonymously are owned by this user |
xferlog_file | valid path | Location of the log file; the default is /var/log/xferlog |
xferlog_std_format | YES/NO | Whether to use the standard ftpd xferlog log format, saved in /var/log/xferlog by default |
idle_session_timeout | number | Timeout for an idle connection, in seconds |
data_connection_timeout | number | Maximum time to wait for a data transfer, in seconds (data_connection_timeout and idle_session_timeout are both in effect at the same time) |
nopriv_user | valid username | The unprivileged user that vsftpd runs as |
async_abor_enable | YES/NO | Whether asynchronous ABOR requests are supported |
ascii_upload_enable | YES/NO | Whether ASCII mode is enabled for uploads |
ascii_download_enable | YES/NO | Whether ASCII mode is enabled for downloads |
ftpd_banner | … | Custom login banner |
deny_email_enable | YES/NO | Anonymous logins require an email address as the password. To deny certain email addresses, turn this on and list them in the file specified by banned_email_file |
banned_email_file | valid file | When deny_email_enable is on, the file listing the denied email addresses |
chroot_local_user | YES/NO | Whether all users are restricted to their home directory. When NO, FTP users can change to other directories |
chroot_list_enable | YES/NO | Whether the restricted-user list is enabled |
chroot_list_file | valid file | The user list; its effect depends on the combination of chroot_local_user and chroot_list_enable, see the following table |
allow_writeable_chroot | YES/NO | Whether the user may have write permission on the FTP root directory. If this is not allowed and the directory is actually writable, login fails with an error |
ls_recurse_enable | YES/NO | Whether the ls -R command may list recursively; recursive listing is expensive |
listen | YES/NO | If YES, vsftpd runs in standalone mode and listens on an IPv4 socket for connection requests (cannot be used together with listen_ipv6) |
listen_ipv6 | YES/NO | Whether to listen on an IPv6 socket |
pam_service_name | … | Name of the PAM service configuration, i.e. the file /etc/pam.d/vsftpd. That file references file=/etc/vsftpd/ftpusers, so PAM can block the accounts listed in /etc/vsftpd/ftpusers |
userlist_enable | YES/NO | Whether the user_list file is used to control logins |
userlist_deny | YES/NO | Whether users in user_list are denied login. Only valid when userlist_enable=YES |
tcp_wrappers | YES/NO | Whether to use tcp_wrappers for host access control |
max_clients | number | Maximum number of simultaneous connections |
max_per_ip | number | Maximum number of connections from one client IP |
local_root | valid directory | Root directory of system users after login |
anon_root | valid directory | Root directory of anonymous users after login |
user_config_dir | valid directory | Directory of per-user configuration files; each file is named after the corresponding user |
The combined effect of chroot_local_user and chroot_list_enable is as follows:
 | chroot_local_user=YES | chroot_local_user=NO |
---|---|---|
chroot_list_enable=YES | 1. All users are restricted to their home directories. 2. The users listed in chroot_list_file (/etc/vsftpd/chroot_list) are "exceptions" and are not restricted | 1. No users are restricted to their home directories. 2. The users listed in chroot_list_file (/etc/vsftpd/chroot_list) are "exceptions" and are restricted |
chroot_list_enable=NO | 1. All users are restricted to their home directories. 2. chroot_list_file (/etc/vsftpd/chroot_list) is not consulted; there are no "exception" users | 1. No users are restricted to their home directories. 2. chroot_list_file (/etc/vsftpd/chroot_list) is not consulted; there are no "exception" users |
3. Configure an FTP root directory for each system user
Add the following to the end of /etc/vsftpd/vsftpd.conf:
```
# Root directory of system users after login
local_root=/home/01-FTP/conlinftp/
# Root directory of anonymous users after login
anon_root=/home/01-FTP/conlinftp/
# Directory holding each user's own configuration file
user_config_dir=/etc/vsftpd/userconfig/
```
In addition, set chroot_local_user to YES so that FTP users are locked into their root directory as soon as they log in. With the settings above, both system users and anonymous users will treat /var/test/ as their root directory and be locked into it after login. However, these settings apply to all system users and anonymous users. To give each FTP user its own root directory, create a configuration file per user, as follows:
- Following the user_config_dir setting, first create a directory named userconfig under /etc/vsftpd/.
- Suppose the user clftp should get the separate FTP root directory /home/01-FTP/conlinftp/. In the userconfig directory, create a file named clftp and put the following in it:
```
local_root=/home/01-FTP/conlinftp/
```
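The chroot_local_user / chroot_list_enable table above is easy to misread, so here is an added shell helper (not from the article and not part of vsftpd) that reads a vsftpd.conf and reports whether a given local user will be locked into its root directory, using the defaults the table states for absent keys (chroot_local_user=NO, chroot_list_enable=NO, chroot_list_file=/etc/vsftpd/chroot_list, anonymous_enable allowed). It also lists the anonymous-access settings from the table that are enabled, which is what you want to review on a server meant for authenticated users only.

```sh
#!/bin/sh
# Added example, not part of the article or of vsftpd. Reads a vsftpd.conf,
# answers "is USER chrooted?" following the chroot_local_user/chroot_list_enable
# table above, and lists enabled anonymous-access settings.

# Print the last uncommented value of KEY in CONF, or DEFAULT when absent.
vsftpd_opt() {   # vsftpd_opt CONF KEY DEFAULT
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d ' \t')
    [ -n "$v" ] || v=$3
    printf '%s\n' "$v"
}

# Return 0 when USER is locked into its root directory, 1 otherwise.
vsftpd_user_chrooted() {   # vsftpd_user_chrooted CONF USER
    conf=$1; user=$2
    local_user=$(vsftpd_opt "$conf" chroot_local_user NO | tr '[:lower:]' '[:upper:]')
    list_enable=$(vsftpd_opt "$conf" chroot_list_enable NO | tr '[:lower:]' '[:upper:]')
    list_file=$(vsftpd_opt "$conf" chroot_list_file /etc/vsftpd/chroot_list)
    listed=1
    if [ "$list_enable" = YES ] && [ -r "$list_file" ] && grep -qxF "$user" "$list_file"; then
        listed=0
    fi
    # Listed users are the "exceptions": they invert the global chroot_local_user rule.
    if [ "$local_user" = YES ]; then
        [ "$listed" -ne 0 ]     # chrooted unless listed
    else
        [ "$listed" -eq 0 ]     # chrooted only when listed
    fi
}

# Print each anonymous-access setting that is enabled; the return code is the count.
vsftpd_anon_findings() {   # vsftpd_anon_findings CONF
    n=0
    for key in anonymous_enable anon_upload_enable anon_mkdir_write_enable allow_writeable_chroot; do
        # anonymous_enable is allowed by default when commented out (see the table)
        def=NO; [ "$key" = anonymous_enable ] && def=YES
        if [ "$(vsftpd_opt "$1" "$key" "$def" | tr '[:lower:]' '[:upper:]')" = YES ]; then
            echo "$key is enabled"; n=$((n + 1))
        fi
    done
    return "$n"
}
```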
4. After logging in to vsftpd on CentOS, files are not visible and folders cannot be created
On CentOS, vsftpd cannot display files or create files and folders because of SELinux. Check the relevant booleans with:
```
getsebool -a | grep ftp
```
Output:
```
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on    # create files and folders
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> on
```
Turn allow_ftpd_full_access on with the following command:
```
setsebool allow_ftpd_full_access=1
# permanent
setsebool -P allow_ftpd_full_access on
```
5. Login failed
```
530 Login incorrect.
Login failed.
```
1. First check the account, password and other settings. If they are correct, continue.
2. Search Baidu to see whether the first three common problems apply. The fourth one is described here, because I did not find my problem on Baidu.
3. Run cat /etc/passwd to check the home directory and login shell of the login account (the fields are user name:password:user ID:group ID:comment:home directory:login shell).
4. Run cat /etc/shells to check whether the login shell is listed there.
5. Edit /etc/shells (vim /etc/shells), add /sbin/nologin, save and exit. cat /etc/shells should then show:
```
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/bin/tcsh
/bin/csh
/bin/ksh
/bin/rksh
/sbin/nologin
```
6. The easiest way to do this is to run:
```
echo -e "\n/sbin/nologin" >> /etc/shells
```
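As an added example (not from the article), the following shell functions check the causes of 530 Login incorrect that the steps above walk through: the account's login shell must be listed in /etc/shells (vsftpd's PAM stack uses pam_shells, which is why /sbin/nologin has to be added), the home directory must exist, and the account must not be blocked by the ftpusers file or, depending on userlist_deny, by user_list. File locations are parameters so the checks can be run against constructed copies; the defaults /etc/vsftpd/ftpusers and /etc/vsftpd/user_list are assumed CentOS paths, and user_list is assumed to be in use (userlist_enable=YES).

```sh
#!/bin/sh
# Added example, not from the original article. Pre-checks the common causes
# of "530 Login incorrect" for a local vsftpd user.

# Return 0 when SHELL is listed in SHELLS_FILE (what pam_shells checks).
shell_allowed() {   # shell_allowed SHELL SHELLS_FILE
    grep -qxF "$1" "$2"
}

# Return 0 when USER is blocked: listed in FTPUSERS (always denied by PAM), or,
# with userlist_deny=YES, listed in USER_LIST; with userlist_deny=NO, absent from it.
user_blocked() {   # user_blocked USER FTPUSERS USER_LIST USERLIST_DENY(YES|NO)
    grep -qxF "$1" "$2" 2>/dev/null && return 0
    if [ "$4" = NO ]; then
        ! grep -qxF "$1" "$3" 2>/dev/null   # allow-list: blocked when absent
    else
        grep -qxF "$1" "$3" 2>/dev/null     # deny-list: blocked when present
    fi
}

# Run all checks for USER against the real account database; print each failure.
vsftpd_login_check() {   # vsftpd_login_check USER [SHELLS] [FTPUSERS] [USER_LIST] [USERLIST_DENY]
    user=$1; shells=${2:-/etc/shells}; ftpusers=${3:-/etc/vsftpd/ftpusers}
    ulist=${4:-/etc/vsftpd/user_list}; deny=${5:-YES}; rc=0
    entry=$(getent passwd "$user") || { echo "no such user: $user"; return 1; }
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    [ -d "$home" ] || { echo "home directory missing: $home"; rc=1; }
    shell_allowed "$shell" "$shells" || { echo "$shell is not listed in $shells"; rc=1; }
    if user_blocked "$user" "$ftpusers" "$ulist" "$deny"; then
        echo "$user is blocked by $ftpusers or $ulist"; rc=1
    fi
    return "$rc"
}
```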
6. User/user group operations
Removing a user from a group: for example, user abc belongs to the groups bcd and check and needs to be removed from bcd:
```
usermod -G check abc
```
To add a user to a group, do not use:
```
usermod -G groupA user
```
Doing so removes the user from all other supplementary groups, leaving it a member of groupA only. Instead, add the -a option:
```
usermod -a -G groupA user
```
Delete a user (together with its home directory):
```
userdel -r clftp02
```
3. Virtual user configuration
This configuration lets multiple users operate on the same directory; for example, the admiftp user has full permissions on the 01-FTP directory while clftp can only download (read).
4. Connection and use
1. Command line
Use the cmd/bash command line.
- Common SFTP commands
```
ls                      # list the files in the current directory
help                    # show which commands SFTP supports
cd                      # change to the specified directory
pwd                     # show the current directory
get xxx.txt             # download the file xxx.txt
put xxx.txt             # upload the file xxx.txt
quit / bye / exit       # exit SFTP
sftp xxx.xxx.xxx.xxx    # log in as the root user
sftp [email protected]  # log in as the zygf user
```
- SFTP CLI login process
(1) sftp xxx.xxx.xxx.xxx logs in (the default user is root); if you specify a user, as in sftp [email protected], zygf is the user name.
(2) After the connection succeeds, you are prompted for the password.
(3) Then you can enter directories and view their contents.
(4) cd switches directories, get downloads files and put uploads files.
(5) quit/bye/exit exits SFTP.
2. Tool connection
To create a connection, select SFTP as the connection type and enter the account and password.
5. Condensed configuration
```
groupadd testftp
mkdir -p /home/01-FTP/testftp/files
useradd -g testftp -d /home/01-FTP/testftp -s /sbin/nologin test360
chown test360:testftp /home/01-FTP/testftp/files
chmod 766 /home/01-FTP/testftp/files
passwd test360   # you can also set your own password for the login
setsebool allow_ftpd_full_access=1
echo -e "\n/sbin/nologin" >> /etc/shells
systemctl restart vsftpd
```
You can now log in and verify.