FTP is an important service when building a website: it is an easy way to share files where software resources are limited. The representative FTP server packages on Linux are WU-FTPD, ProFTPD and vsftpd. WU-FTPD (Washington University FTP) was developed at Washington University, USA, with efficiency and stability in mind. It is powerful but complex, and because it was developed early it is very widely deployed, which has made it a principal target for attackers. Its early versions produced a steady stream of security vulnerabilities, so system administrators were forced to keep upgrading it for safety reasons. ProFTPD was developed to address the weaknesses of WU-FTPD: besides improving security, it offers a simpler feature set that retains some of WU-FTPD's functions, greatly simplifying the work of setting up and managing an FTP server. vsftpd is used by many large sites and has an excellent security record.

vsftpd introduction

vsftpd performs well in three respects: security, high performance and stability. Its main features include virtual IP settings, virtual users, standalone and inetd operation modes, powerful per-user configuration and bandwidth limits. On the security side it avoids the installation defects of most WU-FTPD, ProFTPD and even BSD ftpd setups, uses secure coding techniques to eliminate buffer overflows, and effectively prevents "globbing"-type denial-of-service attacks. vsftpd is currently used by the official sites of Red Hat, SUSE, Debian, GNU, GNOME, KDE, GIMP and OpenBSD, among others. This article uses vsftpd 1.1.3 as its example (the latest formal release at the time of writing, released November 9, 2002). The download address is ftp://vsftpd.beasts.org/users/cevans/.

Building vsftpd

1. Build. First unpack the package and enter the source directory:

Code:
$ tar xzvf vsftpd-1.1.3.tar.gz
$ cd vsftpd-1.1.3
If you want to enable the tcp_wrappers feature later on, edit the file builddefs.h before compiling and change "#undef VSF_BUILD_TCPWRAPPERS" to "#define VSF_BUILD_TCPWRAPPERS". The tcp_wrappers feature is mainly used for IP-based access control, for example giving a particular IP address its own FTP configuration. Then type "make" to build the executable binary.

2. Preparation. The default configuration of vsftpd requires the user "nobody"; add it as follows:

Code:
$ useradd nobody

The default configuration also requires the directory /usr/share/empty; create it with:

Code:
$ mkdir /usr/share/empty/

Anonymous FTP requires the user "ftp" to exist and to have a valid home directory (the "ftp" user must not own this directory or have write access to it). If the directory does not exist yet, create it and the user as follows:

Code:
$ mkdir /var/ftp/
$ useradd -d /var/ftp ftp

3. Install the binary, the configuration file, the man pages and so on. Run "make install" to copy the binary, the manual pages and the rest to their proper paths.
To copy them manually instead:

Code:
$ cp vsftpd /usr/local/sbin/vsftpd
$ cp vsftpd.conf.5 /usr/local/man/man5
$ cp vsftpd.8 /usr/local/man/man8

"make install" does not copy the sample configuration file; it is recommended to copy it by hand:

Code:
$ cp vsftpd.conf /etc

The whole installation is that simple. Now let us see how to drive the powerful features of vsftpd by configuring the vsftpd.conf file.

The two running modes

Like other daemons, vsftpd offers two modes of operation: standalone and inetd (inetd or xinetd). Put simply, a standalone server is started once and stays resident in memory while it runs. Its advantage is fast response to connection requests; its disadvantage is the permanent consumption of system resources, so it is usually chosen for dedicated FTP servers that need real-time responsiveness. inetd mode is the opposite: the FTP process is invoked only when a request arrives, so it occupies no system resources while idle, but it is not suited to systems with a large number of simultaneous connections. Beyond response speed and resource usage, the two modes differ in the advanced features they offer: inetd mode supports per-IP limits, while standalone mode is better suited to PAM authentication.

1. inetd mode. Running vsftpd from some kind of inetd provides a nice feature, the per-IP connection limit; this is also the newest and recommended mode in vsftpd 1.1.3. Per-IP connection limits rely on the tcp_wrappers support that vsftpd provides. If you use the standard inetd, edit /etc/inetd.conf and add the following line:

Code:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd

Make sure any existing FTP service line is deleted or commented out.
If you do not have tcp_wrappers, or do not need it, drop the "/usr/sbin/tcpd" part. Then make inetd reload its configuration:

Code:
$ kill -SIGHUP `pidof inetd`

Most newer systems use the xinetd super-server instead. Open its service file with "vi /etc/xinetd.d/vsftpd"; its contents are as follows:

Code:
disable = no
socket_type = stream
wait = no
# The service is enabled and uses standard TCP sockets.

Code:
user = root
server = /usr/local/sbin/vsftpd
# The server /usr/local/sbin/vsftpd handles FTP access requests and is run as root (it may need root privileges). Make sure the vsftpd binary has been installed in /usr/local/sbin.

Code:
per_source = 5
instances = 200
# For security reasons, at most 5 connections are allowed from a single IP address; the total number of concurrent connections is capped at 200.

Code:
no_access = 192.168.1.3
# Connections from the address 192.168.1.3 are rejected.

Code:
banner_fail = /etc/vsftpd.busy_banner
# The file displayed to the user when access is refused,
whatever the reason for the refusal (too many users, IP banned). For example:

Code:
$ echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner

Code:
log_on_success = PID HOST DURATION
log_on_failure = HOST
# This logs, in time order, every connection attempt from every IP address, whether it succeeds or not. If the connection starts an FTP session, the process ID and the session duration are also logged. On Red Hat this log information appears in /var/log/secure.

Finally, restart xinetd:

Code:
$ /etc/rc.d/init.d/xinetd restart

Note that only one FTP service may be enabled in the /etc/xinetd.d directory.

2. Standalone mode. Standalone mode makes PAM authentication easy to implement. To enter this mode, first disable vsftpd under xinetd by setting "disable = yes", or comment out the corresponding line in /etc/inetd.conf. Then set the option "listen=YES" in /etc/vsftpd.conf.

Configuring vsftpd.conf

Now let us examine the core configuration file vsftpd.conf. It lives at /etc/vsftpd.conf, and each control statement has the form "statement=value", with no spaces or punctuation between the parts. The man page divides the control statements into three classes: boolean (value YES or NO), numeric (value a number) and string (value a string). For convenient management and clear thinking, we group them here into four categories: access rights, security, features and performance.
Here is a sample configuration file that explains the commonly used control statements:

Code:
# Access rights
anonymous_enable=YES
# Set this to NO if you do not want anonymous access
local_enable=NO
# Disable login for local users, i.e. all non-anonymous users
write_enable=NO
# Disable write access for every user
anon_upload_enable=NO
# Anonymous users may not upload data
anon_mkdir_write_enable=NO
# Anonymous users may not create directories
anon_other_write_enable=NO
# Anonymous users may not perform other write-class operations such as rename and delete

# Security
anon_world_readable_only=YES
# Anonymous users may only retrieve files that are world-readable
connect_from_port_20=YES
# Originate data connections from the standard port 20
hide_ids=YES
# Hide real owner IDs in directory listings, showing "ftp" instead
pasv_min_port=50000
pasv_max_port=60000
# Restrict PASV-mode data connections to the port range 50000-60000

# Features
xferlog_enable=YES
# Enable logging; transfers are recorded in /var/log/vsftpd.log
ls_recurse_enable=NO
# Disable "ls -R", which is often used for DoS attacks because it wastes system resources (the "mirror" tool does use it, however)
ascii_download_enable=NO
# Disable ASCII-mode downloads to prevent DoS; ASCII downloads are very CPU-intensive
async_abor_enable=YES
# Support the "async ABOR" used by early FTP clients

# Performance
one_process_model=YES
# Use one process per connection; only supported on kernels with certain capabilities, such as Linux 2.4
idle_session_timeout=120
# Disconnect users who have been idle for two minutes
data_connection_timeout=300
# Abort a download that has stalled for five minutes
accept_timeout=60
# Drop a passive-mode data connection the client has not established within one minute
connect_timeout=60
# Drop an active-mode (PORT) data connection the client has not responded to within one minute
anon_max_rate=50000
# Limit a single anonymous user's download speed to 50 kBytes per second

At this point an anonymous server with secure settings is up and running. In practice, depending on the needs of the FTP server (allowing local user logins, giving certain users upload ability, showing a friendly welcome message on login, and so on), you can make the corresponding settings in vsftpd.conf (see "man vsftpd.conf" for details). Some options are tied to the running mode or to a plug-in module, and some only take effect when another option is enabled. In short, with careful matching you can tailor a well-balanced FTP server.

Applying tcp_wrappers

To use this feature, vsftpd must be built with tcp_wrappers support before it is installed.
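The following shell script is an added example, not code from the article or from the vsftpd project. It audits a vsftpd.conf against the hardening settings listed in the sample above (anonymous write operations disabled, hide_ids on, "ls -R" and ASCII downloads off, a fixed unprivileged PASV port range) and reports each deviation. The list of expected values and the two sample configuration files it writes are constructed for this example; the policy should be adapted to your own site.

```shell
#!/bin/sh
# Added example, not from the article: audit a vsftpd.conf for the hardening
# settings discussed above. The expected values and the sample files are
# constructed for this example; adjust them to the policy of your own site.

# get_opt FILE KEY: print the value of KEY in FILE (last occurrence wins,
# comment lines ignored); prints an empty line if the key is not set.
get_opt() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        awk -F= -v k="$2" 'tolower($1) == k { v = $2 } END { print v }'
}

# is_num STRING: true if STRING is a non-empty run of digits.
is_num() { case "$1" in '' | *[!0-9]*) return 1 ;; esac; return 0; }

# check_vsftpd_conf FILE: print one line per finding; the return value is the
# number of findings (0 means every expected setting is present and correct).
check_vsftpd_conf() {
    f=$1
    n=0
    # Settings the article's hardened sample sets explicitly (value compared
    # case-insensitively, as vsftpd treats booleans).
    for spec in anonymous_enable=YES anon_upload_enable=NO \
                anon_mkdir_write_enable=NO anon_other_write_enable=NO \
                write_enable=NO anon_world_readable_only=YES hide_ids=YES \
                ls_recurse_enable=NO ascii_download_enable=NO; do
        key=${spec%%=*}
        want=${spec#*=}
        have=$(get_opt "$f" "$key" | tr 'a-z' 'A-Z')
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found ${have:-<unset>}"
            n=$((n + 1))
        fi
    done
    # A fixed, unprivileged PASV port range is what the firewall rules rely on.
    lo=$(get_opt "$f" pasv_min_port)
    hi=$(get_opt "$f" pasv_max_port)
    if ! is_num "$lo" || ! is_num "$hi"; then
        echo "pasv_min_port/pasv_max_port: both must be set to port numbers"
        n=$((n + 1))
    elif [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port: $lo-$hi is not a valid range"
        n=$((n + 1))
    fi
    return $n
}

# write_sample_confs DIR: write two constructed configuration files into DIR,
# a weak one and one matching the article's hardened sample (abbreviated).
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed weak configuration
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
ls_recurse_enable=YES
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed hardened configuration (the article's sample, abbreviated)
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
ls_recurse_enable=NO
ascii_download_enable=NO
EOF
}

# Demonstration when run directly: audit both constructed files.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for c in weak hardened; do
    echo "== $c.conf"
    check_vsftpd_conf "$demo_dir/$c.conf" || echo "$? finding(s)"
done
rm -r "$demo_dir"
```

The audit deliberately treats an unset option as a finding even where vsftpd's built-in default happens to be the safe value, so that the policy is visible in the file rather than inherited silently from whatever version of vsftpd is installed.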
Edit the file builddefs.h, change "#undef VSF_BUILD_TCPWRAPPERS" to "#define VSF_BUILD_TCPWRAPPERS", then rebuild to generate the executable. Second, enable the option "tcp_wrappers=YES" in the configuration file vsftpd.conf. The feature is driven by the file /etc/hosts.allow; here is a sample:

Code:
vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf
vsftpd: 192.168.1.4: deny

The first line says that if a client connects from 192.168.1.3, vsftpd applies the configuration file /etc/vsftpd_tcp_wrap.conf to it. Those settings are layered on top of the default vsftpd.conf. This is very useful: it can grant certain IPs extra capabilities (such as uploading), exempt certain IPs from the connection limit (max_clients=0), or raise or lower the bandwidth limit for certain IPs. The second line rejects 192.168.1.4 outright, which is useful for keeping out unwanted connections.

Applying PAM

On systems with PAM enabled, the "virtual user" feature can be used as well. The following sample shows how to set up the PAM configuration of vsftpd for virtual users. Virtual users are users that, unlike real users, do not exist as accounts on the system. They are therefore safer than real users: an account that could otherwise threaten system security can only use the FTP service. Virtual users are commonly used to serve people you do not trust enough to give system accounts, and they generally do not affect ordinary users.

1. Create the virtual user database. pam_userdb is used to authenticate virtual users; it needs a username/password file in "db" format.
To create the db-format file, first write a plain text file with the usernames and passwords on alternating lines:

Code:
$ vi logins.txt

Edit the file so that it contains:

Code:
tom
foo
fred
bar

"tom" has the password "foo" and "fred" has the password "bar". Then, logged in as root, create the actual database file:

Code:
$ db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

This requires the Berkeley DB tools to be installed; it creates /etc/vsftpd_login.db. To tighten the file's access permissions, use:

Code:
$ chmod 600 /etc/vsftpd_login.db

For more on maintaining the login database, see the Berkeley DB documentation at http://www.sleepycat.com/docs/utility/index.html.

2. Build a PAM file that uses the new database. Create a file vsftpd.pam containing the following two lines:

Code:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

This tells PAM to authenticate users against the new database. Copy the PAM file into the PAM directory (usually /etc/pam.d):

Code:
$ cp vsftpd.pam /etc/pam.d/ftp
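The alternating-line format above is fragile: one stray or blank line shifts every following username onto a password slot, and db_load will load the shifted pairs without complaint. The script below is an added example, not code from the article or from the vsftpd project; it generates logins.txt from a "user:password" list, refuses malformed input, and, when the Berkeley DB tools are present, runs the same db_load and chmod commands as the article against a temporary directory instead of /etc. The user names and passwords are the article's constructed ones.

```shell
#!/bin/sh
# Added example, not from the article: turn a "user:password" list into the
# alternating-line file that "db_load -T" expects, reject malformed input, and,
# when the Berkeley DB tools are installed, build the database and lock it down.
# The usernames and passwords below are constructed for this example.

# to_logins: read "user:password" lines on stdin, write "user" and "password"
# on alternate lines to stdout. Exits non-zero if any line is malformed,
# because a stray line would silently shift every following user/password pair.
to_logins() {
    awk -F: '
        NF != 2 || $1 == "" || $2 == "" {
            print "malformed line " NR ": " $0 > "/dev/stderr"; bad = 1; next
        }
        { print $1; print $2 }
        END { exit bad + 0 }'
}

# check_logins FILE: true if FILE has an even, non-zero number of lines, i.e.
# every username is followed by a password.
check_logins() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# build_login_db LOGINS_TXT OUT_DB: load LOGINS_TXT into a hash-format Berkeley
# DB file and restrict it to its owner, as the article does with chmod 600.
# Returns 2 when db_load is not available so callers can tell "skipped" from "failed".
build_login_db() {
    check_logins "$1" || { echo "$1: odd or empty line count" >&2; return 1; }
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed" >&2; return 2; }
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# Demonstration: the two users from the article, written to a temporary
# directory instead of /etc.
demo_dir=$(mktemp -d)
printf 'tom:foo\nfred:bar\n' | to_logins > "$demo_dir/logins.txt"
cat "$demo_dir/logins.txt"
build_login_db "$demo_dir/logins.txt" "$demo_dir/vsftpd_login.db" \
    && ls -l "$demo_dir/vsftpd_login.db"
rm -r "$demo_dir"
```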
3. Set up the file location for virtual users:

Code:
$ useradd -d /home/ftpsite virtual
$ ls -ld /home/ftpsite

The listing shows:

Code:
drwx------    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite

This has created a user named "virtual" with the home directory /home/ftpsite. Add some content to this download area:

Code:
$ cp /etc/hosts /home/ftpsite/hosts

4. Customize vsftpd.conf. Rewrite the vsftpd.conf file as follows:

Code:
anonymous_enable=NO
local_enable=YES
# For security reasons anonymous FTP is closed and non-anonymous FTP is opened (virtual users need it).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# All write-class operations are disabled, so virtual users can only read from the download area.
guest_enable=YES
guest_username=virtual
# guest_enable is essential: it activates virtual users. guest_username maps every virtual user onto the real user "virtual" created above, which also determines where virtual users end up on the file system: the home directory /home/ftpsite of the user "virtual".
listen=YES
listen_port=10021
# This vsftpd runs in standalone mode, not from inetd, so it only needs to be started with the vsftpd command. It also listens for FTP requests on the non-standard port 10021 (FTP normally uses port 21).
pasv_min_port=30000
pasv_max_port=30999
# These confine passive-mode FTP data connections to a fixed port range, which is useful when configuring a firewall.

5. Start vsftpd. Enter the directory holding the vsftpd source and run "./vsftpd". If the cursor just sits there, it is running; otherwise you will see error messages.

6. Test. Use another shell session (or put vsftpd in the background: press Ctrl-Z and then type "bg").
Here is an example FTP session:

Code:
$ ftp localhost 10021
Connected to localhost (127.0.0.1).
220 ready, dude (vsFTPd 1.1.3: beat me, break me)
Name (localhost:chris): tom
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,117,135)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> size hosts
213 147
ftp>

The password entered here is "foo". Do not be alarmed by "failed to open directory": it appears because the directory /home/ftpsite is not readable. The "hosts" file copied into the virtual FTP area is nonetheless accessible, as the size command shows.

Functional expansion

Now that vsftpd is running, the "virtual users" setup above can be extended, which makes the configuration slightly more complex. Suppose two classes of virtual user are required: one may only browse and download content, the other may also upload new content. This can be accomplished with the powerful per-user configuration capability of vsftpd (version 1.1.0 or later). In the previous virtual user sample we created the users tom and fred; fred will be given write access so that he can upload new files, while tom can only download.

1. Activate per-user configuration. To activate this feature, add the following line to /etc/vsftpd.conf:

Code:
user_config_dir=/etc/vsftpd_user_conf

and create the directory with "mkdir /etc/vsftpd_user_conf".

2. Let tom read all files and directories. At the end of the previous sample we noted that virtual users can only read files and directories that are world-readable. One fix is to make the /home/ftpsite directory and the uploaded files world-readable.

Another way is to give tom the ability to download files that are not world-readable. For the user tom, force the setting "anon_world_readable_only" through a per-user configuration file:

Code:
$ echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom

Then check: log in as tom and type "ls"; the directory listing should now be returned. Logging in as fred should still show nothing. Restart vsftpd to pick up the change to /etc/vsftpd.conf (advanced users can send SIGHUP to the listening vsftpd process).
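The per-user file for tom and the per-IP file loaded through VSFTPD_LOAD_CONF in hosts.allow work the same way: a small file of "option=value" lines whose settings override /etc/vsftpd.conf for that user or address, with everything else inherited. The script below is an added example, not code from the article or from the vsftpd project. It models that layering so the effective value of an option for a given user can be inspected before the server is restarted, and it generates the two user classes the article describes (tom as a reader, fred as an uploader). The per-user options used for the uploader class, write_enable and anon_upload_enable, are an assumption; confirm with "man vsftpd.conf" for the version in use that they may appear in per-user files. The file contents are constructed for this example and the user "alice" is a constructed name with no per-user file.

```shell
#!/bin/sh
# Added example, not from the article: model how vsftpd layers a per-user file
# from user_config_dir (the same idea as the per-IP file loaded through
# VSFTPD_LOAD_CONF in hosts.allow) over /etc/vsftpd.conf, and generate the two
# classes of virtual user described above. The per-user options used for the
# uploader class (write_enable, anon_upload_enable) are an assumption here;
# confirm them with "man vsftpd.conf" for the version in use. All file
# contents are constructed for this example.

# get_opt FILE KEY: value of KEY in FILE (last occurrence wins, comments
# ignored); empty if unset or if FILE does not exist.
get_opt() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        awk -F= -v k="$2" 'tolower($1) == k { v = $2 } END { print v }'
}

# default_opt KEY: vsftpd's built-in default for the few options used here.
default_opt() {
    case "$1" in
        anon_world_readable_only) echo YES ;;
        write_enable | anon_upload_enable) echo NO ;;
        *) echo "" ;;
    esac
}

# effective_opt BASE USERDIR USER KEY: the value vsftpd would apply to USER,
# i.e. the per-user file if it sets KEY, else BASE, else the built-in default.
effective_opt() {
    v=$(get_opt "$2/$3" "$4")
    [ -n "$v" ] || v=$(get_opt "$1" "$4")
    [ -n "$v" ] || v=$(default_opt "$4")
    printf '%s\n' "$v" | tr 'a-z' 'A-Z'
}

# make_user_conf USERDIR USER CLASS: write the per-user file for CLASS, which
# is "reader" (may fetch non-world-readable files, as the article does for tom)
# or "uploader" (reader plus write access, the intent for fred).
make_user_conf() {
    case "$3" in
        reader)
            printf 'anon_world_readable_only=NO\n' > "$1/$2" ;;
        uploader)
            printf 'anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n' > "$1/$2" ;;
        *)
            echo "unknown class: $3" >&2; return 1 ;;
    esac
    chmod 600 "$1/$2"
}

# setup_demo DIR: base configuration from the article (abbreviated; the
# directory passed to effective_opt stands in for user_config_dir) plus the
# per-user directory with tom as reader and fred as uploader.
setup_demo() {
    cat > "$1/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
guest_enable=YES
guest_username=virtual
EOF
    mkdir -p "$1/vsftpd_user_conf"
    make_user_conf "$1/vsftpd_user_conf" tom reader
    make_user_conf "$1/vsftpd_user_conf" fred uploader
}

# Demonstration: effective settings for tom, fred and a user with no per-user file.
demo_dir=$(mktemp -d)
setup_demo "$demo_dir"
for u in tom fred alice; do
    for k in anon_world_readable_only write_enable anon_upload_enable; do
        echo "$u $k=$(effective_opt "$demo_dir/vsftpd.conf" "$demo_dir/vsftpd_user_conf" "$u" "$k")"
    done
done
rm -r "$demo_dir"
```

Because the per-user files are plain "option=value" text, the same get_opt and effective_opt functions can be pointed at /etc/vsftpd_tcp_wrap.conf to see what a client from 192.168.1.3 would get after the hosts.allow rule above has been applied.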