This chapter covers vsftpd server deployment in practice: installation and default configuration, the FTP transfer modes, anonymous user access, system (local) user access and virtual user access.
1 Vsftpd server in practice
The File Transfer Protocol (FTP) lets an FTP client and an FTP server share files: the client can upload, download and delete files on the server, and one server can serve many users at the same time. FTP runs over TCP and uses two connections: a control connection to server port 21 that carries commands and replies, and a separate data connection, opened for each transfer or directory listing, that carries the file contents. Everything on both connections, including the username and password, is sent in cleartext unless FTP over TLS (FTPS) is enabled.
FTP is a client/server (C/S) protocol. The software that shares files over FTP is the FTP server; the program that connects to it is the FTP client, which uploads files to and downloads files from the server.
1.1 FTP transmission mode
FTP has two data-transfer modes, active and passive. The names refer to the server's role: in active mode the server actively opens the data connection to the client; in passive mode it waits for the client to open it. Figures 1-1 (a) and (b) show the two modes; the detailed differences are as follows:
- FTP active mode: The client connects from an arbitrary port N (N > 1024) to the server's command port 21, starts listening on port N+1, and sends the command PORT (carrying its address and port N+1) to the server. The server then opens the data connection from its data port 20 to the client's port N+1.
- FTP passive mode: The client connects from an arbitrary port N (N > 1024) to the server's command port 21 and sends the PASV command. The server opens an arbitrary port P (P > 1024), listens on it, and returns P to the client in its 227 reply. The client then opens the data connection from its local port N+1 to the server's port P.
In a real enterprise environment the firewalls decide which mode is usable. Active mode only needs ports 20 and 21 opened on the server, but it requires the client's firewall or NAT to accept an inbound connection from the server, which most client networks refuse. Passive mode works through client-side firewalls and NAT because the client opens both connections, but then the server firewall must allow the passive port range in addition to port 21; section 1.2.7 shows how to pin that range in vsftpd. Firewall configuration is covered in a later section.
Figure 1-1 (a) Active FTP mode
Figure 1-1 (b) Passive FTP mode
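The PORT and PASV exchanges described above come down to one address encoding. The following shell functions are an added example, not part of the original page or of vsftpd: they build a PORT argument the way an active-mode client does, parse the 227 reply a passive-mode client receives, and check that the advertised passive port lies inside a configured range. The addresses and ports used are constructed sample values.

```shell
#!/bin/sh
# Added example: the address arithmetic shared by FTP's PORT command and
# the 227 reply to PASV. Both carry an IPv4 address and a 16-bit port as
# six comma-separated decimal bytes, h1,h2,h3,h4,p1,p2, with
# port = p1 * 256 + p2.
#
# Passive mode (client opens both connections; server never calls back):
#   C> PASV
#   S> 227 Entering Passive Mode (192,168,1,181,234,96).
#   C: connects to 192.168.1.181:60000, then sends LIST/RETR/STOR on port 21
# Active mode (server connects back, from port 20 when connect_from_port_20=YES):
#   C: binds a local data port, e.g. 60001, then
#   C> PORT 192,168,1,10,234,97
#   S> 200 PORT command successful.
#   S: connects from 192.168.1.181:20 to 192.168.1.10:60001
# Addresses and ports here are constructed sample values.

# port_argument IP PORT -> "h1,h2,h3,h4,p1,p2", as sent by an active-mode client.
port_argument() {
    ip=$1
    port=$2
    [ "$port" -gt 0 ] && [ "$port" -lt 65536 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '%s,%s,%s\n' "$(printf '%s' "$ip" | tr . ,)" $((port / 256)) $((port % 256))
}

# pasv_endpoint "227 ... (h1,h2,h3,h4,p1,p2)" -> "h1.h2.h3.h4:port"
# Parses the server's reply to PASV; fails on anything that is not a 227 reply.
pasv_endpoint() {
    reply=$1
    case $reply in
        227*\(*\)*) ;;
        *) echo "not a 227 reply: $reply" >&2; return 1 ;;
    esac
    inner=${reply#*\(}        # drop everything up to and including "("
    inner=${inner%%\)*}       # drop ")" and everything after it
    oldifs=$IFS
    IFS=,
    set -- $inner             # split the six fields into $1..$6
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed 227 reply: $reply" >&2; return 1; }
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# pasv_port_in_range PORT MIN MAX: succeeds when PORT lies inside the
# pasv_min_port..pasv_max_port window the server firewall has been opened for.
pasv_port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage (constructed sample values):
#   port_argument 192.168.1.10 60001
#   pasv_endpoint "227 Entering Passive Mode (192,168,1,181,234,96)."
#   pasv_port_in_range 60000 60000 60100 && echo inside
```

A client that validates the 227 reply this way can also refuse a server that advertises an address different from the one it connected to, which is what most modern clients do by default.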
1.2 VSFTPD server installation and configuration
vsftpd can be installed either from the distribution's YUM repository or by compiling from source; the resulting server behaves the same. This section uses YUM.
1.2.1 YUM install VSFTPD
Execute the following command from the command line
\# yum install vsftpd* -y
Figure 1-2 YUM installation of VSFTPD
1.2.2 Check the configuration file path after installation of VSFTPD
\# rpm -ql vsftpd|more
Figure 1-3 Check the configuration file path after VSFTPD is installed
1.2.3 Start VSFTPD service
\# systemctl restart vsftpd.service
Figure 1-4 Start the VSFTPD service
1.2.4 Check whether the process is started
\# ps -ef |grep vsftpd
Figure 1-5 View the vsftpd process
1.2.5 vsftpd.conf default configuration file details
The default /etc/vsftpd/vsftpd.conf shipped with the package sets the following:
- anonymous_enable=YES: allow anonymous logins.
- local_enable=YES: allow local system users to log in.
- write_enable=YES: allow write commands (upload, delete, rename, mkdir); the anon_* and per-user write options only take effect when this is YES.
- local_umask=022: umask applied to files and directories created by local users (files become 644, directories 755).
- dirmessage_enable=YES: show the contents of a .message file when a user enters a directory.
- xferlog_enable=YES: log uploads and downloads.
- connect_from_port_20=YES: in active mode, open data connections from server port 20.
- xferlog_std_format=YES: write the transfer log in the standard xferlog (wu-ftpd) format.
- listen=NO together with listen_ipv6=YES: run as a standalone daemon listening on an IPv6 socket, which on Linux also accepts IPv4 connections. listen and listen_ipv6 are mutually exclusive: if you set listen=YES, set listen_ipv6=NO, otherwise vsftpd refuses to start. listen=NO on its own means vsftpd expects to be started by an inetd-style super-server such as xinetd.
- pam_service_name=vsftpd: authenticate logins through the PAM stack in /etc/pam.d/vsftpd.
- userlist_enable=YES: consult /etc/vsftpd/user_list; with the default userlist_deny=YES, users listed there are refused before a password is even asked for. /etc/vsftpd/ftpusers is a separate deny list enforced by the pam_listfile line in /etc/pam.d/vsftpd; root and other system accounts are in both files by default.
- tcp_wrappers=YES: apply the host access rules in /etc/hosts.allow and /etc/hosts.deny to incoming connections.
1.2.6 Access the vsftpd server from Windows Explorer
Enter the server's address in the Explorer address bar; by default this logs in as the anonymous user and shows /var/ftp:
ftp://192.168.1.181
Figure 1-6. Anonymous user accessing the FTP default directory
1.2.7 Pinning the passive-mode port range
vsftpd accepts both modes by default (port_enable=YES and pasv_enable=YES); the client decides which one to use by sending PORT or PASV. For passive mode, pin the data ports to a known range so the server firewall can be limited to port 21 plus that range:
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
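The defaults in 1.2.5 and the passive range above interact in ways that are easy to get wrong: listen versus listen_ipv6, an unrestricted passive range, anonymous write access, an unconfined chroot. The following POSIX shell audit is an added example, not part of the original page or of vsftpd. It reads a vsftpd.conf, falls back to the compiled-in defaults from vsftpd.conf(5) for missing keys, and prints one finding per line. The two sample configurations it writes are constructed for the example: the first reproduces the virtual-user configuration from section 1.7 of this chapter, the second is a hardened variant of it.

```shell
#!/bin/sh
# Added example (not from the original page): a read-only audit of a
# vsftpd.conf that flags the settings discussed in 1.2.5 and 1.2.7 before
# the service is restarted. Missing keys fall back to vsftpd's compiled-in
# defaults as documented in vsftpd.conf(5).

# conf_get FILE KEY DEFAULT: value of the last uncommented KEY=VALUE line,
# upper-cased, or DEFAULT when the key is absent.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_vsftpd_conf FILE: print one "tag: explanation" line per finding.
audit_vsftpd_conf() {
    f=$1
    listen=$(conf_get "$f" listen NO)
    listen6=$(conf_get "$f" listen_ipv6 NO)
    anon=$(conf_get "$f" anonymous_enable YES)
    write=$(conf_get "$f" write_enable NO)
    anon_up=$(conf_get "$f" anon_upload_enable NO)
    anon_mk=$(conf_get "$f" anon_mkdir_write_enable NO)
    anon_other=$(conf_get "$f" anon_other_write_enable NO)
    local_en=$(conf_get "$f" local_enable NO)
    chroot=$(conf_get "$f" chroot_local_user NO)
    wchroot=$(conf_get "$f" allow_writeable_chroot NO)
    pasv=$(conf_get "$f" pasv_enable YES)
    pmin=$(conf_get "$f" pasv_min_port 0)
    pmax=$(conf_get "$f" pasv_max_port 0)
    ssl=$(conf_get "$f" ssl_enable NO)

    if [ "$listen" = YES ] && [ "$listen6" = YES ]; then
        echo "listen: listen and listen_ipv6 are mutually exclusive; vsftpd will refuse to start"
    fi
    if [ "$anon" = YES ]; then
        echo "anon: anonymous logins are enabled (anonymous_enable=YES)"
        if [ "$write" = YES ] && { [ "$anon_up" = YES ] || [ "$anon_mk" = YES ] || [ "$anon_other" = YES ]; }; then
            echo "anon-write: anonymous users may upload, create or modify files"
        fi
    fi
    if [ "$local_en" = YES ] && [ "$chroot" != YES ]; then
        echo "chroot: local users are not confined to their home directory (chroot_local_user=NO)"
    fi
    if [ "$wchroot" = YES ]; then
        echo "writeable-chroot: allow_writeable_chroot=YES overrides vsftpd's refusal of a writable chroot root"
    fi
    if [ "$pasv" = YES ]; then
        if [ "$pmin" -eq 0 ] || [ "$pmax" -eq 0 ]; then
            echo "pasv: passive data ports are unrestricted; set pasv_min_port/pasv_max_port so the firewall can be limited to that range"
        elif [ "$pmin" -gt "$pmax" ]; then
            echo "pasv: pasv_min_port is greater than pasv_max_port"
        fi
    fi
    if [ "$ssl" != YES ]; then
        echo "tls: ssl_enable is off; passwords and file contents travel in cleartext"
    fi
    return 0
}

# audit_count FILE: number of findings, for scripting.
audit_count() {
    audit_vsftpd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the virtual-user vsftpd.conf from section 1.7.
write_page_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
allow_writeable_chroot=YES
EOF
}

# Constructed sample: the same server with the findings addressed.
write_hardened_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
listen_ipv6=NO
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
ssl_enable=YES
guest_enable=YES
guest_username=ftpuser
EOF
}

# Usage: write_page_conf /tmp/v.conf && audit_vsftpd_conf /tmp/v.conf
```

The hardened sample drops allow_writeable_chroot, which only works if each user's login root is itself not writable (for example a root-owned local_root with writable subdirectories), and ssl_enable=YES needs rsa_cert_file and rsa_private_key_file pointing at a real certificate and key; the audit checks neither of those, it only reads the file.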
1.3 Introduction to the vsftpd server
Mainstream FTP server software includes vsftpd, ProFTPD, Pure-FTPd, wu-ftpd, Serv-U FTP and FileZilla Server. Among them, vsftpd is the most widely used FTP server on UNIX/Linux.
vsftpd (Very Secure FTP Daemon) is the default FTP server in most Linux distributions. It is small, security-focused, easy to configure, stable and efficient, and scales to the cross-department, multi-user (on the order of 1000 users) needs of an enterprise.
vsftpd is released under the GPL and is widely deployed in small and medium-sized enterprises. Its virtual-user mode separates FTP accounts from system accounts, and authentication can also be backed by a MySQL database through PAM, adding further layers of protection.
1.4 Introduction to the FTP client
Both Windows and Linux ship a command-line ftp client that can connect to an FTP server for interactive uploads and downloads. There are also many graphical FTP clients.
Common graphical FTP clients on Windows include CuteFTP, FlashFXP, LeapFTP and FileZilla.
1.5 vsftpd anonymous user configuration
By default vsftpd allows anonymous login (username anonymous or ftp, any password). The anonymous user's root directory is /var/ftp, with /var/ftp/pub as the customary public directory; anonymous users can list and download but cannot create, delete or modify anything. To disable anonymous access entirely, change anonymous_enable=YES to anonymous_enable=NO in /etc/vsftpd/vsftpd.conf.
1. Allow anonymous users to upload, download and delete files
To allow anonymous users to write, add the following to /etc/vsftpd/vsftpd.conf (write_enable=YES must also be set, otherwise these options are ignored):
anon_upload_enable=YES allows anonymous users to upload files; anon_mkdir_write_enable=YES allows them to create directories. Deleting and renaming additionally require anon_other_write_enable=YES, which is not included in the file below; without it anonymous users can upload and create directories but cannot delete.
The complete vsftpd.conf for anonymous write access is as follows:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
2. Modify the directory permissions
Anonymous logins run as the system user named by ftp_username, which defaults to ftp. For anonymous users to write, that account needs write permission on /var/ftp/pub, but not on /var/ftp itself: vsftpd refuses anonymous logins when the anonymous root directory is writable. Use either chown or chmod as follows. Method one is preferable; method two makes the directory writable by every local account on the server, not just the ftp user:
Method one:
\# chown -R ftp /var/ftp/pub
Method two:
\# chmod o+w /var/ftp/pub
Figure 1-6 (a) Change the /var/ftp/pub directory owner
Figure 1-6 (b) Change write permissions to /var/ftp/pub directory
3. With vsftpd.conf configured as above and the permissions set, restart the vsftpd service:
\# systemctl restart vsftpd.service
4. Access through the Windows client now allows uploading files and creating directories (and deleting, if anon_other_write_enable=YES was added), as shown in Figure 1-7:
Figure 1-7. Anonymous user accessing the uploaded file
1.6 vsftpd system user configuration
With anonymous access anyone can read the server's files and, with the settings above, modify and delete them. That is not acceptable for private files. How do you give each file or directory a single owner?
vsftpd authenticates system users through PAM, so you only need to create the users in Linux with useradd and set a password; they can then log in to FTP with that username and password and upload, download and delete files in their home directory. The steps are as follows:
1. Create system users superman1 and superman2 with the password 123456 (a placeholder; use strong passwords in production):
\# useradd superman1
\# useradd superman2
\# echo 123456|passwd --stdin superman1
\# echo 123456|passwd --stdin superman2
Figure 1-8. Create the user and set the password
2. Modify vsftpd.conf as follows (anonymous access is now disabled):
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
3. Restart VSFTPD service
\# systemctl restart vsftpd.service
4. Verified from Windows Explorer: logging in as superman1 or superman2 lets you upload, download and delete files in the user's home directory, /home/superman1 and /home/superman2, as shown in Figures 1-9 (a) and 1-9 (b). Note that this configuration does not chroot local users: after login they can change directory to any part of the filesystem their account can read. Set chroot_local_user=YES (as in the next section) to confine them to their home directory.
Figure 1-9 (a) superman1 logging in to the FTP server
Figure 1-9 (b) superman1 uploading files to the FTP server
1.7 vsftpd virtual user configuration
Note: once virtual users are enabled (guest_enable=YES with pam_userdb authentication, as configured below), local system users can no longer log in. The two modes do not coexist in one vsftpd instance.
Using system users for FTP means every FTP account is also a Linux account, which becomes hard to manage as the number of users grows and widens the system's attack surface. vsftpd's virtual user mode avoids this.
A virtual user is not a real system account. vsftpd authenticates it against a separate database (here a Berkeley DB file via pam_userdb), maps it onto one real system user (guest_username) for filesystem access, and applies per-user settings from user_config_dir. Virtual users cannot log in to the Linux system itself, which makes the server more secure and reliable.
The configuration steps for a typical enterprise deployment are as follows:
1. Install the packages required for virtual users: PAM and the Berkeley DB tools that provide db_load;
\# yum install pam libdb-utils libdb --skip-broken -y
Figure 1-10 Software and authentication modules required to install VSFTPD virtual users
2. Create a temporary file /etc/vsftpd/ftpusers.txt listing virtual users and passwords on alternating lines: superman001 and superman002 are the usernames and 123456 is the password. For more users, continue the username/password pairs in the same order. The file holds cleartext passwords, so restrict its permissions and delete it once the database has been built.
\# echo "superman001
123456
superman002
123456" > /etc/vsftpd/ftpusers.txt
Figure 1-11 Creating a virtual user temporary file
3. Generate the virtual user database from the text file and set its permissions to 700 (it is a file, so 600 would also be sufficient);
\# db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftpd_login.db
\# chmod 700 /etc/vsftpd/vsftpd_login.db
Figure 1-12 Generating the VSFTPD virtual user database authentication file
4. Configure the PAM authentication file /etc/pam.d/vsftpd so logins are checked against the database. The db= path is given without the .db suffix, which pam_userdb appends itself. This overwrites the distribution's PAM file, which is what stops local system users from logging in:
\# echo "auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login" > /etc/pam.d/vsftpd
Figure 1-13 Configure the PAM certification file
5. All virtual users are mapped to one system user. It needs no password and must not be able to log in to a shell; it exists only so vsftpd has a UID to perform file operations as. Create it as follows;
\# useradd -s /sbin/nologin ftpuser
Figure 1-14 creates a system user to which the virtual user needs to be mapped
6. The complete vsftpd.conf is shown below. Note that anonymous_enable=YES is carried over from the default; set it to NO unless anonymous access is actually required, since the point of virtual users is to remove unauthenticated access;
#global config Vsftpd
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
userlist_enable=YES
tcp_wrappers=YES
#config virtual user FTP
pam_service_name=vsftpd
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
allow_writeable_chroot=YES
The virtual-user parameters in the configuration above are:
- pam_service_name=vsftpd: authenticate through /etc/pam.d/vsftpd, which is now backed by pam_userdb;
- guest_enable=YES: treat every non-anonymous login as a guest (virtual user);
- guest_username=ftpuser: the system user that guests are mapped to;
- user_config_dir=/etc/vsftpd/vsftpd_user_conf: directory holding one configuration file per virtual user, named after the user;
- virtual_use_local_privs=YES: give virtual users the privileges of local users, so write_enable and local_umask apply, instead of the more restricted anonymous privileges;
- allow_writeable_chroot=YES: permit the chroot root directory to be writable. vsftpd otherwise refuses to start a session whose chroot root is writable by the user; the safer layout is to keep local_root itself read-only and give users writable subdirectories.
7. At this point all virtual users share /home/ftpuser as their root. To give each its own directory and settings, create the directory that holds the per-user configuration files:
\# mkdir -p /etc/vsftpd/vsftpd_user_conf
Figure 1-15 creates the virtual user profile home directory
8. Create the configuration files for virtual users superman001 and superman002 as follows;
The configuration file for superman001 sets a private root directory:
\# echo "local_root=/home/ftpuser/superman001
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES” > /etc/vsftpd/vsftpd_user_conf/superman001
Figure 1-16 creates a configuration file for the SuperMan001 user, along with a private virtual directory
The configuration file for superman002 does the same:
\# echo "local_root=/home/ftpuser/superman002
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES” > /etc/vsftpd/vsftpd_user_conf/superman002
Figure 1-17 creates a configuration file for the SuperMan002 user, along with a private virtual directory
Per-user configuration parameters:
- local_root=/home/ftpuser/superman002: the directory the virtual user lands in (and is chrooted to) after login;
- write_enable=YES: allow write commands for this user;
- anon_world_readable_only=YES: only allow downloads of world-readable files;
- anon_upload_enable=YES: allow uploads; only effective when write_enable=YES;
- anon_mkdir_write_enable=YES: allow creating directories; only effective when write_enable=YES;
- anon_other_write_enable=YES: allow other write operations such as delete and rename.
The anon_* options govern virtual users only when they run with anonymous privileges (virtual_use_local_privs=NO); with virtual_use_local_privs=YES as set above, write_enable and local_umask take precedence, and files the user uploads are created world-readable under umask 022.
9. Create each virtual user's directory and give the mapped system user ownership of the tree;
\# mkdir -p /home/ftpuser/{superman001,superman002}
\# chown -R ftpuser:ftpuser /home/ftpuser
Figure 1-18 creates a virtual directory for each virtual user
10. Restart VSFTPD service;
\# systemctl restart vsftpd.service
Figure 1-19 Start the VSFTPD service
11. Log in to the vsftpd server from Windows Explorer; the test results are shown in Figures 1-20 (a) and 1-20 (b):
Figure 1-20 (a) superman001 virtual user logging in to the FTP server
Figure 1-20 (b) superman001 virtual user uploading and downloading files
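Steps 2, 3, 8 and 9 above repeat the same actions for every virtual user. The following POSIX shell function is an added example, not part of the original page or of vsftpd, that performs them in one pass from a user:password list: it writes the db_load input file, builds the Berkeley DB when db_load is installed (otherwise it prints the command to run), writes one per-user configuration file with the same settings as step 8, and creates each user's directory. All paths and the mapped system user are arguments so it can be tried against a scratch directory first; the user list is a constructed sample, and the chown only runs when invoked as root.

```shell
#!/bin/sh
# Added example: provision vsftpd virtual users in one pass from a file of
# "user:password" lines. Performs steps 2, 3, 8 and 9 of section 1.7 for
# every user. Paths and the mapped system user are all arguments so it can
# be run against a scratch directory before touching /etc/vsftpd.

# provision_virtual_users USERLIST CONFDIR USERCONFDIR HOMEBASE GUESTUSER
#   USERLIST    file of user:password lines (a constructed sample is below)
#   CONFDIR     where ftpusers.txt and vsftpd_login.db go (/etc/vsftpd on a real host)
#   USERCONFDIR vsftpd's user_config_dir (/etc/vsftpd/vsftpd_user_conf)
#   HOMEBASE    parent of the per-user directories (/home/ftpuser)
#   GUESTUSER   the system user from guest_username (ftpuser)
# Prints the number of users provisioned.
provision_virtual_users() {
    userlist=$1 confdir=$2 userconfdir=$3 homebase=$4 guest=$5
    mkdir -p "$confdir" "$userconfdir" "$homebase"
    dbtext=$confdir/ftpusers.txt
    : > "$dbtext"
    chmod 600 "$dbtext"          # holds cleartext passwords until db_load has run
    count=0
    while IFS=: read -r user pass; do
        [ -n "$user" ] || continue
        # the username becomes a file name in USERCONFDIR and a directory name,
        # so reject anything outside a conservative character set
        case $user in
            *[!a-zA-Z0-9_-]*) echo "skipping invalid username: $user" >&2; continue ;;
        esac
        # db_load -T expects key and value on alternating lines
        printf '%s\n%s\n' "$user" "$pass" >> "$dbtext"
        # per-user settings, identical to step 8; local_root is the user's private root
        cat > "$userconfdir/$user" <<EOF
local_root=$homebase/$user
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
        mkdir -p "$homebase/$user"
        count=$((count + 1))
    done < "$userlist"
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$dbtext" "$confdir/vsftpd_login.db" &&
            chmod 600 "$confdir/vsftpd_login.db"
    else
        echo "db_load not installed; run: db_load -T -t hash -f $dbtext $confdir/vsftpd_login.db" >&2
    fi
    # the mapped system user must own the tree; chown needs root, so skip it otherwise
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$guest:$guest" "$homebase"
    fi
    echo "$count"
}

# write_sample_userlist FILE: constructed sample with the same user/password
# pairs as section 1.7 (placeholder passwords; use strong ones in production).
write_sample_userlist() {
    printf '%s\n' 'superman001:123456' 'superman002:123456' > "$1"
}

# Usage against a scratch tree (no root needed):
#   d=$(mktemp -d); write_sample_userlist "$d/users.txt"
#   provision_virtual_users "$d/users.txt" "$d/etc" "$d/etc/user_conf" "$d/home" ftpuser
```

After running it against the real paths, delete ftpusers.txt and restart vsftpd; the per-user files are read on each login, so adding a user later only needs the database rebuilt, not a restart.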