Introduction to VSFTPD - VERY Secure FTP Daemon

xiaoxiao2021-03-06  219

Overview

The File Transfer Protocol (FTP) is a platform-independent protocol for transferring data over the Internet and is based on a client/server architecture. RFC 959 [1] specifies that FTP uses two channels (ports): one for the data (TCP port 20) and one for control information (TCP port 21). On the control channel the two parties (client and server) exchange the commands that initiate data transfers. An FTP connection consists of four steps:

user authentication
establishment of the control channel
establishment of the data channel
closing the connection

FTP uses TCP (Transmission Control Protocol), which guarantees reliable transmission of data. FTP therefore does not have to concern itself with packet loss or error detection during a transfer, because TCP guarantees that every packet arrives in order, without errors and without duplicates.

FTP distinguishes three transmission modes. In stream mode the end of a file is signalled by an end-of-file (EOF) marker; the other two modes transmit end-of-record (EOR) markers instead:

stream
block
compressed

There are also two transfer types:

ASCII
binary

ASCII type is used for transferring text files, binary type for programs and similar data. Users do not have to select a transfer type themselves; all current clients recognise the type of the file being transferred and switch automatically.

User names and passwords used for authentication are transmitted in clear text, which is a very serious security weakness. This was one of the starting points for the security considerations around FTP. In October 1997 RFC 2228 [2] was finally published; it defines the security extensions for FTP.

VSFTPD

VSFTPD is the name of a server for UNIX-like operating systems; it runs on Linux, BSD, Solaris, HP-UX and IRIX. It supports many features that other FTP servers do not offer, for example:

very high security requirements
bandwidth limiting
good scalability
the possibility to create virtual users
IPnG (IPv6) support
medium to high performance
the possibility to assign virtual IP addresses
high speed

The name VSFTPD stands for "Very Secure FTP Daemon". Security was one of the primary concerns of its developer Chris Evans: high security was a goal from the very beginning of this FTP server.

One example of this is that vsftpd runs in chroot mode. In chroot mode the program (here vsftpd) gets a separate directory of its own and cannot access programs or files outside that directory; it is therefore "locked in". An FTP server that is compromised by an attacker is thus separated from the rest of the system, which limits the damage. More information about chroot can be found in article [3]. Anyone interested in the other security mechanisms of vsftpd should read [4].

With so many features available, security should be the most important property of an FTP service, and here VSFTPD is superior to other FTP servers. Wu-ftpd [5] can be cited as a counterexample, because it has had too many security flaws in the past few years.

Installation

Installing the VSFTPD daemon is quite simple: an rpm package of vsftpd can be found in every major distribution, and in many cases it is already installed. If not, the source code can be obtained from [6] and installed manually. After fetching the source and unpacking the tarball, change into the newly created directory and run make. The necessary commands look like this:

neo5k@phobos> tar xzvf vsftpd-x.x.x.tar.gz
neo5k@phobos> cd vsftpd-x.x.x
neo5k@phobos> make

Before going on, we should check whether the user "nobody" and the directory "/usr/share/empty" exist. If not, we create the user and the directory. If anonymous access is to be allowed, the user "ftp" and the directory "/var/ftp" must also exist. They can be created with the following two commands:

neo5k@phobos> mkdir /var/ftp
neo5k@phobos> useradd -d /var/ftp ftp

For security reasons the directory "/var/ftp" should neither belong to the user "ftp" nor be writable by it. If the user already exists, the following two commands change the owner of the directory and remove write permission for group and others:

neo5k@phobos> chown root.root /var/ftp
neo5k@phobos> chmod og-w /var/ftp

Once all prerequisites are met, we can install the vsftpd daemon:

neo5k@phobos> make install

The program and the man pages should now have been copied to the correct locations in the system. If something went wrong, a few manual copies will also do the job:

neo5k@phobos> cp vsftpd /usr/sbin/vsftpd
neo5k@phobos> cp vsftpd.conf.5 /usr/share/man/man5
neo5k@phobos> cp vsftpd.8 /usr/share/man/man8

The configuration file has not been copied yet (this keeps our introduction simpler), so we copy it manually:

neo5k@phobos> cp vsftpd.conf /etc

Configuration

The configuration file can now be found at "/etc/vsftpd.conf". As in most configuration files, comment lines in vsftpd's start with #.

An example configuration looks like this:

# Anonymous FTP access permitted? YES/NO
anonymous_enable=NO
# Permit anonymous upload? YES/NO
anon_upload_enable=NO
# Permission for anonymous users to make new directories? YES/NO
anon_mkdir_write_enable=NO
# Permission for anonymous users to do other write operations, like renaming or deleting? YES/NO
anon_other_write_enable=NO
# Log on by local users permitted? YES/NO
local_enable=YES
# Shall local users be locked into their home directory? YES/NO
chroot_local_user=YES
# Highest permitted data transfer rate in bytes per second for local logged on users. Default = 0 (unlimited)
local_max_rate=7200
# General write permission? YES/NO
write_enable=YES
# Enable messages when changing directories? YES/NO
dirmessage_enable=YES
# Welcome banner at user's logon.
ftpd_banner="Welcome to neo5k's FTP service."
# Activate logging? YES/NO
xferlog_enable=YES
# Logging of all FTP activities? YES/NO
# Careful! This can generate large quantities of data.
log_ftp_protocol=NO
# Confirm connections are established on port 20 (ftp data) only? YES/NO
connect_from_port_20=YES
# Timeout during idle sessions
idle_session_timeout=600
# Data connection timeout
data_connection_timeout=120
# Access through Pluggable Authentication Modules (PAM)
pam_service_name=vsftpd
# Standalone operation? YES/NO - depending on operation mode (inetd, xinetd, standalone)
# The author's FTP service is being started with xinetd, therefore the value here is NO.
listen=NO

Starting the FTP service

VSFTPD can be run in three ways: via inetd, via xinetd, or in standalone mode.

inetd

To start the FTP service via inetd, we have to open the configuration file "/etc/inetd.conf":

neo5k@phobos> vi /etc/inetd.conf

We look for the line concerning the ftp service and remove the comment sign in front of the entry for vsftpd. If there is no such line, we add it. Afterwards inetd must be restarted. The result should look like this:

#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
ftp stream tcp nowait root /usr/sbin/tcpd vsftpd

xinetd

It is recommended to start the VSFTP daemon via xinetd, which is more modern than inetd and includes improvements such as logging of requests, access control, and binding services to network interfaces. [7] is a very good introduction to xinetd. After the modification xinetd has to be restarted. The xinetd configuration should look like this:

# vsftp daemon.
service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/vsftpd
    per_source      = 5
    instances       = 200
    no_access       = 192.168.1.3
    banner_fail     = /etc/vsftpd.busy_banner
    log_on_success  = PID HOST DURATION
    log_on_failure  = HOST
    nice            = 10
}

Standalone operation

VSFTPD can also run in standalone mode. For this we open "/etc/vsftpd.conf" and set the following:

# Standalone operation? YES/NO
listen=YES

After this setting the daemon can be started with:

neo5k@phobos> /usr/sbin/vsftpd &

If the program's directory is in the search path, the following command also starts the server:

neo5k@phobos> vsftpd &

For the latter, we can check whether the path is set correctly:

neo5k@phobos> echo $PATH
/usr/sbin:/bin:/usr/bin:/bin:/usr/X11R6/bin

In standalone mode we must make sure that the VSFTP daemon is not also started by inetd or xinetd.

Operation test

After successful installation and configuration we can access the FTP server for the first time:

neo5k@phobos> ftp phobos

Connected to phobos.
220 "Welcome to neo5k's FTP service."
Name (phobos:neo5k): testuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
229 Entering Extended Passive Mode
150 Here comes the directory listing.
drwxr-xr-x   11 500      100           400 May 07 16:22 docs
drwxr-xr-x    9 500      100           464 Feb 01 23:05 hlds
drwxr-xr-x   39 500      100          4168 May 10 09:15 projects
226 Directory send OK.
ftp>
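The session above confirms a working login. As an added example (not part of the original article), the following Python script parses a file in vsftpd.conf format and flags the settings the article singled out as security-relevant (anonymous access and anonymous writes, chroot for local users, transfer logging), falling back to vsftpd's built-in defaults for options that are not set; the sample configuration inside it is constructed for the demonstration and is deliberately weak.

```python
import sys

# Constructed sample in vsftpd.conf format (option=value, '#' comment lines);
# deliberately weak so the audit has something to report.
SAMPLE_CONF = """\
# Anonymous FTP access permitted? YES/NO
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
chroot_local_user=NO
xferlog_enable=NO
listen=YES
"""

def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text: one 'option=value' per line, '#' starts a comment."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line; vsftpd itself refuses to start on these
        options[key.strip()] = value.strip()
    return options

def is_yes(options, key, default):
    """vsftpd boolean: the article writes YES/NO; the comparison is case-insensitive."""
    return options.get(key, default).upper() == "YES"

def audit_vsftpd_conf(text):
    """Return findings for the security-relevant options the article discusses.
    Defaults are vsftpd's built-in ones: anonymous_enable=YES, the others NO."""
    o = parse_vsftpd_conf(text)
    findings = []
    if is_yes(o, "anonymous_enable", "YES"):
        findings.append("anonymous_enable is YES (vsftpd's default): set NO unless anonymous access is intended")
        for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if is_yes(o, key, "NO"):
                findings.append(f"{key}=YES grants anonymous users write access: set NO")
    if is_yes(o, "local_enable", "NO") and not is_yes(o, "chroot_local_user", "NO"):
        findings.append("local users are not locked into their home directory: set chroot_local_user=YES")
    if not is_yes(o, "xferlog_enable", "NO"):
        findings.append("xferlog_enable is NO: transfers are not logged, set YES")
    return findings

if __name__ == "__main__":
    # Audit the file given on the command line, or the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit_vsftpd_conf(text) or ["no findings"]:
        print(finding)
```

Run it as "python3 audit.py /etc/vsftpd.conf" after editing the file; a configuration like the article's example produces no findings.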

Conclusion

We have seen that the installation and configuration of the VSFTP daemon is simple, while it offers a lot of features and a high level of security. Of course, this introduction is only a glimpse of what VSFTPD provides; it offers a large number of further options. Anyone who wants to study vsftpd in more depth should visit the project's home page [6] and read the further documentation there.

Links

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt [RFC 959 - File Transfer Protocol]
[2] ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt [RFC 2228 - FTP Security Extensions]
[3] LinuxFocus.org: article 225, January 2002 [chroot]
[4] http://vsftpd.beasts.org/design [security of vsftpd]
[5] http://www.wu-ftpd.org/ [wu-ftpd]
[6] http://www.vsftpd.beasts.org/ [home of vsftpd]
[7] LinuxFocus.org: article 175, November 2000 [xinetd]
