This document describes how to set up a passive-mode FTP service with vsftpd on a CentOS Linux server.
Two modes of FTP
FTP has two data-connection modes: PORT (active) mode and PASV (passive) mode. The control connection to port 21 is the same in both; they differ in who opens the data connection.
Active mode
The FTP server actively connects to the client's data port to transfer data. The client first connects from an arbitrary unprivileged port N (N > 1023) to port 21 on the server for the control connection, then starts listening on port N+1 and sends a PORT command naming its own address and port N+1 (encoded as h1,h2,h3,h4,p1,p2, where the port is p1*256+p2). The server then opens the data connection from its own data port (TCP 20) to the client's port N+1.
Passive mode
The FTP server waits passively for the client to connect to its data port. The client again opens two arbitrary unprivileged local ports (N > 1023 and N+1). The first connects to port 21 on the server, but instead of sending PORT and letting the server connect back, the client sends the PASV command. The server opens an arbitrary unprivileged port P (P > 1023) and answers with a 227 reply that carries its address and P in the same h1,h2,h3,h4,p1,p2 form. The client then connects from local port N+1 to port P on the server to transfer data. TCP 20 is not used on the server in this mode.
Compare the two modes
(1) In PORT (active) mode, only ports 21 and 20 need to be open on the server. In PASV (passive) mode, port 21 plus every port the server might choose for a data connection must be reachable, which by default means all TCP ports above 1023. vsftpd's pasv_min_port and pasv_max_port narrow this to a fixed range, so the firewall only needs to open that range.
(2) At first glance PORT mode therefore looks safer for the server and PASV looks less safe. The reason the RFC added PASV is not data confidentiality but reachability: in active mode the server must open a connection to the client, which fails whenever the client sits behind NAT or a firewall that blocks inbound connections, the normal situation for desktops and office networks. Passive mode lets the client initiate both connections, so it works through those firewalls. Neither mode protects the data from sniffing: plain FTP sends credentials and file contents in cleartext on both the control and data connections, whether the data port is 20 or a random port above 1023. If confidentiality matters, enable TLS in vsftpd (ssl_enable=YES) rather than relying on the mode. With a restricted passive port range and a firewall that opens only that range, passive mode is the practical and commonly recommended setup.
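The PASV reply and PORT command arithmetic described above, as an added example that is not code from the original article: shell functions that parse a 227 reply into an address and port, build the PORT command a client would send in active mode, and check whether an advertised passive port falls inside the range the firewall was opened for. The function names and the sample reply line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: the PASV/PORT arithmetic
# as shell functions. Function names and the sample reply line are constructed.

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# Prints "<ip> <port>" with port = p1*256 + p2; returns 1 if the line is malformed.
pasv_endpoint() {
    local nums h1 h2 h3 h4 p1 p2 f oldifs pat
    pat='[0-9][0-9]*'
    nums=$(printf '%s\n' "$1" |
        sed -n "s/^227 .*(\($pat,$pat,$pat,$pat,$pat,$pat\)).*\$/\1/p")
    [ -n "$nums" ] || return 1
    oldifs=$IFS; IFS=,
    set -- $nums              # split the six comma-separated fields
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    h1=$1; h2=$2; h3=$3; h4=$4; p1=$5; p2=$6
    for f in "$h1" "$h2" "$h3" "$h4" "$p1" "$p2"; do
        [ "$f" -le 255 ] || return 1   # every field is a single byte
    done
    printf '%s.%s.%s.%s %s\n' "$h1" "$h2" "$h3" "$h4" $(( p1 * 256 + p2 ))
}

# Build the PORT command an active-mode client sends for its own IP ($1) and
# listening port ($2). Output form: "PORT h1,h2,h3,h4,p1,p2".
port_command() {
    local ip=$1 port=$2
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'PORT %s,%s,%s\n' "$(printf '%s' "$ip" | tr . ,)" $(( port / 256 )) $(( port % 256 ))
}

# Is the port the server advertised ($1) inside the pasv_min_port ($2) ..
# pasv_max_port ($3) range that the firewall was opened for?
pasv_port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample reply (not a real capture) from a server configured with
# pasv_min_port=40000 and pasv_max_port=45000.
REPLY='227 Entering Passive Mode (192,168,1,10,156,80).'
endpoint=$(pasv_endpoint "$REPLY") || { echo "unparsable reply: $REPLY"; exit 1; }
ip=${endpoint% *}
port=${endpoint#* }
echo "server wants the data connection on $ip:$port"      # 192.168.1.10:40016
if pasv_port_in_range "$port" 40000 45000; then
    echo "port $port is inside the configured passive range"
else
    echo "port $port is OUTSIDE the passive range: the firewall will drop the data connection"
fi
# Behind NAT with pasv_address unset, the 227 reply carries the private address
# and the client connects to the wrong host. 203.0.113.7 is an assumed public address.
[ "$ip" = "203.0.113.7" ] || echo "advertised $ip differs from the public address the client dialed"
port_command 10.0.0.5 51002                                # PORT 10,0,0,5,199,58
```

Run it against a real server by pasting the 227 line from a client's verbose output (for example the reply printed by `ftp -v` or `curl -v ftp://...`) into REPLY; an advertised port outside the range or a private address in the reply points directly at a missing pasv_address or a firewall that was not opened for the passive range.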
Install Vsftpd
1. Install
yum install vsftpd
2. Enable the service at boot
systemctl enable vsftpd
3. Start vsftpd
systemctl start vsftpd
4. Confirm that vsftpd is running
systemctl status vsftpd
Configure Vsftpd
1. Create a user for the FTP service
useradd ftpuser
2. Set a password for the user
passwd ftpuser
3. Create the directory for the FTP service and change its ownership
mkdir /var/ftp/ftpupload
chown -R ftpuser:ftpuser /var/ftp/ftpupload
4. Edit the /etc/vsftpd/vsftpd.conf file
- Back up the configuration file before modifying it
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.back
- Set the following parameters. listen and listen_ipv6 are mutually exclusive: enable exactly one of them, or vsftpd will refuse to start.
# Anonymous login permission
anonymous_enable=NO
# Local user login permission
local_enable=YES
# Confine all local users to their home directory (local_root below)
chroot_local_user=YES
# Enable the exception list: users named in it are NOT chrooted
chroot_list_enable=YES
# Path to the exception user list file
chroot_list_file=/etc/vsftpd/chroot_list
# Listen on an IPv4 socket
listen=YES
# Do not also listen on IPv6
listen_ipv6=NO
- Add the following parameters to enable passive mode
# Directory a local user lands in after login (must match the directory created above)
local_root=/var/ftp/ftpupload
# vsftpd refuses to chroot into a directory the user can write to unless this is set; needed here because ftpuser owns local_root
allow_writeable_chroot=YES
# Enable passive mode
pasv_enable=YES
# Address advertised to clients in the 227 reply; must be the address clients can reach (the public address if the server is behind NAT)
pasv_address=xxx.xx.xxx.xx
# Port range used for passive data connections; open this same range in the firewall
pasv_min_port=40000
pasv_max_port=45000
- Create the exception list file named by chroot_list_file (it can stay empty; any user listed in it is not chrooted)
touch /etc/vsftpd/chroot_list
- Restart the FTP service
systemctl restart vsftpd
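As an added example that is not part of the original article, the following shell script lints a vsftpd.conf built by the steps above for the settings that most often break passive mode or weaken the chroot (anonymous login left at its default, an empty chroot_local_user, both listen options enabled, an inverted or non-numeric passive port range, a placeholder pasv_address, a writable chroot root), and prints the firewalld commands that match the passive range. The function names and both sample configuration files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article. Function names and the two
# sample configs are constructed; 203.0.113.7 is an assumed public address.

# Effective value of key $2 in config $1: the last uncommented assignment wins,
# since vsftpd reads the file top to bottom. Prints nothing if the key is unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# One line per finding in config $1 (prints nothing when the file is clean).
vsftpd_findings() {
    local conf=$1 v min max
    v=$(conf_get "$conf" anonymous_enable)
    [ "$v" = NO ] || echo "anonymous_enable='$v': vsftpd's built-in default is YES, set it to NO"
    v=$(conf_get "$conf" local_enable)
    [ "$v" = YES ] || echo "local_enable='$v': local users cannot log in"
    v=$(conf_get "$conf" chroot_local_user)
    [ "$v" = YES ] || echo "chroot_local_user='$v': users are not confined to local_root"
    if [ "$(conf_get "$conf" listen)" = YES ] && [ "$(conf_get "$conf" listen_ipv6)" = YES ]; then
        echo "listen and listen_ipv6 are both YES: they are mutually exclusive, vsftpd will not start"
    fi
    [ "$(conf_get "$conf" pasv_enable)" != NO ] || echo "pasv_enable=NO: clients behind NAT cannot open data connections"
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    case "$min:$max" in
        *[!0-9:]*|:*|*:) echo "pasv_min_port/pasv_max_port must both be numbers (got '$min'/'$max')" ;;
        *) if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
               echo "passive port range $min-$max is invalid (need 1024 <= min <= max <= 65535)"
           fi ;;
    esac
    v=$(conf_get "$conf" pasv_address)
    case "$v" in
        "") echo "pasv_address unset: behind NAT the 227 reply advertises the private address" ;;
        *[!0-9.]*) echo "pasv_address='$v' is not a dotted IPv4 address (placeholder left in? a hostname needs pasv_addr_resolve=YES)" ;;
    esac
    [ "$(conf_get "$conf" allow_writeable_chroot)" != YES ] ||
        echo "allow_writeable_chroot=YES: chroot root is writable; safer to keep local_root root-owned (mode 755) and upload into a subdirectory"
}

# Print the findings and return 1 if there were any, 0 if the config is clean.
vsftpd_lint() {
    local out
    out=$(vsftpd_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# firewalld commands matching the passive range in config $1.
firewall_cmds() {
    printf 'firewall-cmd --permanent --add-port=21/tcp\n'
    printf 'firewall-cmd --permanent --add-port=%s-%s/tcp\n' \
        "$(conf_get "$1" pasv_min_port)" "$(conf_get "$1" pasv_max_port)"
    printf 'firewall-cmd --reload\n'
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD_CONF=$WORK/good.conf; BAD_CONF=$WORK/bad.conf
cat > "$GOOD_CONF" <<'EOF'
# constructed sample: the article's configuration with the placeholder address filled in
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_ipv6=NO
local_root=/var/ftp/ftpupload
pasv_enable=YES
pasv_address=203.0.113.7
pasv_min_port=40000
pasv_max_port=45000
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed sample: several common mistakes in one file
anonymous_enable=YES
local_enable=YES
chroot_local_user=
listen=YES
listen_ipv6=YES
pasv_address=xxx.xx.xxx.xx
pasv_min_port=45000
pasv_max_port=40000
EOF

vsftpd_lint "$GOOD_CONF" && echo "$GOOD_CONF: no findings"
vsftpd_lint "$BAD_CONF" || echo "$BAD_CONF: fix the findings above before restarting vsftpd"
firewall_cmds "$GOOD_CONF"
```

Point vsftpd_lint at /etc/vsftpd/vsftpd.conf before restarting the service; the firewalld commands it prints are the ones a CentOS host needs so that port 21 and the whole pasv_min_port to pasv_max_port range are reachable, since with a fixed range no FTP connection-tracking helper is required. The allow_writeable_chroot warning is deliberate: the article's layout works, but a root-owned local_root with a user-writable subdirectory avoids the setting entirely.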