First, add a user: useradd
Example:
# useradd -m -s /bin/tcsh -c "a user" myname
# useradd -c "ftp administrator" -d /var/ftp/ -g ftpadmin -s /sbin/nologin -r ftpadmin
-m automatically creates the user's home directory and copies the skeleton directory (/etc/skel) files into it.
-g sets the primary group; the user will belong to this group.
-G adds the user to each of the comma-separated supplementary groups.
-s specifies the login shell.
-c description (comment) text for the account.
-d sets the home directory of the account.
-r creates a system account; no home directory is created under /home.
The last argument is the username.
Second, set the password: passwd
Example: # passwd username
Then enter the password at the prompt.
Third, delete a user: userdel
Example: # userdel username
# userdel -r username
-r also deletes the user's home directory (/home/...).
Fourth, file system commands
4.1 The fdisk command
(1) fdisk -l: displays all partitions on the hard disk together with their partition type (FAT32, ext3).
(2) df -h: displays the mounted file systems and their usage.
(3) fdisk /dev/hdb1: partition the second IDE disk (fdisk edits the partition table; it does not create a file system).
4.2 The mount command: mount a file system
(1) mount (no arguments): shows what is currently mounted on the system.
(2) mount /mnt/cdrom: mounts the CD-ROM; afterwards use cd /mnt/cdrom and ls to view the contents of the disc.
(3) mount /mnt/floppy: mounts the floppy disk; afterwards use cd /mnt/floppy and ls.
In (2) and (3), /dev/cdrom and /dev/fd0 can be given instead of the mount points, with the same effect (this short form works because the mount point is listed in /etc/fstab).
(4) mount -t msdos /dev/fd0 /mnt/floppy: mounts a DOS floppy disk at /mnt/floppy.
(5) Mounting a Windows partition
# fdisk -l: lists the hard disk partitions.
# mkdir /mnt/win: creates a directory to mount on.
# mount -t vfat /dev/hda1 /mnt/win: assumes Windows is on the first partition of the first IDE hard disk. Note: with the -t auto option the system detects the file system type automatically.
-r mounts read-only.
-w mounts read-write.
4.3 The umount command: unmount a file system
(1) umount /mnt/floppy detaches the device (such as /dev/fd0) from the mount point /mnt/floppy. The same can be done with: umount /dev/fd0
To make the partition permanently available to Linux, add the following line to /etc/fstab:
/dev/hda1 /mnt/win vfat defaults 0 0
Five, file related commands
5.1 File permissions: chmod
Example:
chmod 777 file -> rwxrwxrwx
chmod 755 file -> rwxr-xr-x
chmod 644 file -> rw-r--r--
chmod 000 file -> ---------
chmod u+x,g+w,o+r file (the owner may execute, the group may write, others may read)
$ chmod -R 777 /tmp/test: changes the permissions of every file and directory under the directory (all permissions granted).
$ chmod -R 664 /tmp/test: removes the execute permission (note that directories lose their search bit too, so they can no longer be entered).
5.2 File ownership
chown user1 file (assigns the file to user1)
5.3 Moving files: mv
Example: mv abc def moves (renames) the file abc to def.
Six, iptables command overview
External network: eth0 123.45.67.89
Internal network: eth1 10.0.0.1; the computers on the LAN have addresses between 10.0.0.2 and 10.0.0.254.
(1) An example rc.local: add the following commands to rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward    # enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_dynaddr    # enable dynamic IP address support
# Policies (default): set the default policy of every built-in chain to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# User-defined chain for accepted TCP packets; chain name "okay"
iptables -N okay
iptables -A okay -p tcp --syn -j ACCEPT                                  # new connections (SYN)
iptables -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p tcp -j DROP
# INPUT chain rules
# Rules for incoming packets from the LAN
iptables -A INPUT -p all -i eth1 -s 10.0.0.0/8 -j ACCEPT        # accept the LAN's addresses
iptables -A INPUT -p all -i lo -s 127.0.0.1 -j ACCEPT           # accept our own packets on loopback
iptables -A INPUT -p all -i lo -s 10.0.0.1 -j ACCEPT
iptables -A INPUT -p all -i lo -s 123.45.67.89 -j ACCEPT
iptables -A INPUT -p all -i eth1 -d 10.0.0.255 -j ACCEPT        # allow broadcasts within the LAN
# Rules for incoming packets from the Internet
# Packets belonging to established connections
iptables -A INPUT -p all -d 123.45.67.89 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP rules, processed by the okay chain
iptables -A INPUT -p tcp -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p tcp -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p tcp -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p tcp -i eth0 -s 0/0 --destination-port 113 -j okay
# UDP rules: define the open UDP ports
iptables -A INPUT -p udp -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
# ICMP rules (ICMP has no ports; the message type is matched with --icmp-type)
iptables -A INPUT -p icmp -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT    # echo request
iptables -A INPUT -p icmp -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT   # time exceeded
# FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT chain rules
# Only output packets with local source addresses (no spoofing)
iptables -A OUTPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p all -s 10.0.0.1 -j ACCEPT
iptables -A OUTPUT -p all -s 123.45.67.89 -j ACCEPT
# POSTROUTING chain rules: gateway IP masquerading
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 123.45.67.89
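As an added example (not part of the original notes), a small POSIX shell audit of a rule set like the one above, read in the format that iptables-save prints: it confirms that all three built-in chains default to DROP and lists which ports are reachable from a given interface and which target handles them. The sample rule set is constructed here to mirror the rules just listed; on a real gateway the functions would be fed the output of iptables-save.

```shell
# Constructed iptables-save output mirroring the rule set above (hypothetical
# sample, not captured from a real gateway). In practice pass "$(iptables-save)".
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -i eth1 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -d 123.45.67.89/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT'

# Succeed (exit 0) only if all three built-in filter chains default to DROP.
policies_all_drop() {
    printf '%s\n' "$1" | awk '
        /^:(INPUT|FORWARD|OUTPUT) / { n++; if ($2 != "DROP") bad++ }
        END { if (n == 3 && bad == 0) exit 0; exit 1 }'
}

# Print "proto/port -> target" for every INPUT rule that admits traffic to a
# port on interface $2: the surface reachable from that network. Rules that
# jump to a user chain (such as okay) are shown with that chain as target.
exposed_ports() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        $1 == "-A" && $2 == "INPUT" {
            iface = ""; proto = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (iface == ext && port != "") print proto "/" port " -> " target
        }'
}

# Example run against the constructed sample:
policies_all_drop "$SAMPLE_RULES" && echo "default policies: DROP"
exposed_ports "$SAMPLE_RULES" eth0
```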
(2) IP masquerading on the gateway: a static address uses SNAT, a dynamic (dial-up) address uses MASQUERADE.
Example:
MASQUERADE only needs the interface name (eth0, ppp0, etc.) to identify the outgoing path, so a static address can also use MASQUERADE: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SNAT must also be told the actual IP, as follows:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 12.12.12.12
(3) Port forwarding
Example: the firewall computer (-d 15.15.15.15) redirects all web traffic to a computer on the LAN (10.0.0.25)
iptables -t nat -A PREROUTING -p tcp -d 15.15.15.15 --dport 80 -j DNAT --to-destination 10.0.0.25
Seven, IP address classes (by the range of the first octet)
Class A address: 0 ~ 127; can accommodate 256 * 256 * 256 computers. Subnet mask 255.0.0.0.
Class B address: 128 ~ 191; can accommodate 256 * 256 computers. Subnet mask 255.255.0.0.
Class C address: 192 ~ 233; can accommodate 250 computers; 0 and 255 cannot be assigned as host addresses. Subnet mask 255.255.255.0.
Class C private address range: 192.168.0.0 ~ 192.168.255.255
Eight, ifconfig
ifconfig: check the state of the network interfaces.
ifconfig eth0 up: brings up the eth0 interface.
Nine, configuring the network card
The configuration file /etc/sysconfig/network-scripts/ifcfg-eth0 can be edited with vi. An example follows:
DEVICE=eth0                 # device name, matching the suffix of the file name
ONBOOT=yes                  # bring up the device when the system starts
BOOTPROTO=static
IPADDR=202.118.75.91        # IP address of this network card
NETMASK=255.255.255.0       # subnet mask
GATEWAY=202.118.75.1        # gateway IP
MACADDR=00:02:2D:2E:8C:A8   # MAC address
Ten, FTP service
10.1 Use the setup command to enable the vsftpd service.
10.2 Modify the file /etc/xinetd.d/vsftpd. (This applies only when vsftpd runs under xinetd; then steps 2 and 3 are in effect.)
(1) Change disable = yes to disable = no.
(2) Configure the maximum number of connections per client:
add the following statement inside the {} of the configuration file /etc/xinetd.d/vsftpd:
per_source = value. For example, per_source = 5 means each client may open at most 5 connections.
(3) Configure the total number of connections to the server:
add the following statement inside the {} of the configuration file /etc/xinetd.d/vsftpd:
instances = value. For example, instances = 200 means the FTP server supports at most 200 connections.
(4) When vsftpd runs standalone: to configure standalone vsftpd, simply add the following to the main configuration file described below.
Set listen=YES: vsftpd starts in standalone mode.
Set max_clients=200: the number of concurrent connections the server accepts.
Set max_per_ip=4: the maximum number of connections per client.
10.3 Configure the /etc/vsftpd.conf file (/etc/vsftpd/vsftpd.conf on Red Hat 9).
# Allow real users (users with accounts on the system) to log in
local_enable=YES
# Allow real users to write
write_enable=YES
# The umask for files uploaded by real users is 022, so an uploaded file gets permissions 755 (rwxr-xr-x), i.e. the owner can read and write,
# members of the same group can read, and other users on the system can read and execute.
local_umask=022
# Allow anonymous users; the corresponding system account is ftp
anonymous_enable=YES
# The umask for files uploaded by anonymous users is 000, so an uploaded file gets permissions 777 (rwxrwxrwx), i.e. everyone can read and write it.
anon_umask=000
# Anonymous users may upload and create directories. These three lines only take effect when write_enable=YES is set.
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
# To give anonymous users delete permission as well, add the following line.
# anon_other_write_enable=YES
# Show a specific message when entering each directory; the messages are kept in a .message file in each directory.
dirmessage_enable=YES
# Shown to the user when logging in to the FTP server, whether or not the login succeeds.
ftpd_banner=Welcome to Nihao FTP Service.
# Log uploads and downloads.
xferlog_enable=YES
# Log file
# xferlog_file=/var/log/vsftpd.log
# Use the standard ftpd log format
xferlog_std_format=YES
# The FTP data connection uses port 20
connect_from_port_20=YES
# When users access the server over FTP, their login directory is presented as the root directory they see in FTP; this is called chroot.
# Such a user cannot access anything outside the login directory, which greatly enhances security. The login directory of anonymous users is /var/ftp/
chroot_list_enable=YES
# The file /etc/vsftpd.chroot_list lists the users that are not chrooted.
chroot_list_file=/etc/vsftpd.chroot_list
# At most 5 users may be logged in at the same time.
max_clients=5 # some versions do not support this option; comment it out if so.
# PAM service name used for FTP password verification.
pam_service_name=vsftpd
# listen=YES # add this when running standalone (Red Hat 9).
# tcp_wrappers=YES # add this when running standalone (Red Hat 9).
10.4 Restart the xinetd service; the FTP server can now be accessed anonymously.
Next, let's build an FTP administrator account.
In the Linux FTP service, user permissions are restricted twice. First by the permissions of the Linux file system itself: access to each file is described by rwxrwxrwx, and each user can only perform the operations the system allows. Second by the FTP configuration: if something the system allows is not allowed in the FTP configuration file, the user still cannot do it. For example, if a file's permissions are rwxrwxrwx, the system considers that anyone may read and write it, but if vsftpd.conf does not allow anonymous users to write, an anonymous user still cannot modify the file. Read permission on a directory means the file information in that directory can be read; write permission on a directory means files can be created, deleted and renamed in it.
Add an FTP administrator group with the command groupadd -r ftpadmin, where -r indicates that this is a system group.
Add an administrator user ftpadmin with the command useradd -c "ftp administrator" -d /var/ftp/ -g ftpadmin -s /sbin/nologin -r ftpadmin. Here:
-c "ftp administrator" is the description of this user
-d /var/ftp/ is the login directory of this user
-g ftpadmin is the group this user belongs to
-s /sbin/nologin is the shell used when this user logs in. This shell can do practically nothing, so the account cannot log in with telnet; that is, this administrator can only be used for cleanup work. (Oh, a fine position)
-r means this is a system account, so no login directory has to be created for it.
Now give the administrator management of the incoming directory.
chown ftpadmin /var/ftp/incoming: sets the owner of this directory to ftpadmin.
chmod 755 /var/ftp/incoming: sets the directory permissions so the owner can read, write and execute, the group can read and execute, and everyone else can read and execute.
In this way, our administrator can start managing.
10.5 Configuring vsftpd to allow anonymous uploads
// Modify the main vsftpd configuration file /etc/vsftpd.conf
# vi /etc/vsftpd.conf
// Remove the leading # from the following two lines
// 1 # anon_upload_enable=YES    allows anonymous users to upload
// 2 # anon_mkdir_write_enable=YES    allows anonymous users to write and to create directories
// For these to take effect, the following are also required:
// (1) write_enable=YES
// (2) the anonymous user has write permission on the upload directory in the file system
// Add the following configuration statement
// anon_world_readable_only=NO
// This statement relaxes the anonymous user's browsing permission
// After modifying, save and exit vi
//
// Create the anonymous upload directory
# mkdir /var/ftp/incoming
# Change the permissions of the upload directory
# chmod o+w /var/ftp/incoming/
#
// Restart xinetd
# service xinetd restart
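As an added example covering the configuration in 10.3 and the anonymous-upload changes in 10.5 (not part of the original notes), a POSIX shell audit that reads a vsftpd.conf and reports what the anonymous-access options add up to, including whether the anon_umask leaves uploaded files world-writable. The configuration is a constructed sample with the values used in the notes; the option names and their meanings are vsftpd's, while the fallback defaults are passed explicitly because built-in defaults differ between vsftpd versions.

```shell
# Constructed vsftpd.conf with the values from sections 10.3 and 10.5
# (hypothetical sample, not a live server's file); in practice pass "$(cat /etc/vsftpd.conf)".
SAMPLE_VSFTPD_CONF='anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=000
anon_world_readable_only=NO
# anon_other_write_enable=YES
chroot_list_enable=YES
xferlog_enable=YES'

# Value of option $2 in configuration $1, or $3 when it is absent or commented out.
vsf_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = $2 }
        END { if (v == "") print def; else print v }'
}

# True when the "others" digit of an octal umask keeps the write bit, i.e. files
# created under that umask are world-writable (the leading 0 forces octal parsing).
umask_leaves_world_writable() {
    [ $(( (0$1 % 8) & 2 )) -eq 0 ]
}

# One finding per line for the anonymous-access settings the notes switch on.
audit_vsftpd() {
    cfg=$1
    [ "$(vsf_get "$cfg" anonymous_enable NO)" = YES ] || return 0
    if [ "$(vsf_get "$cfg" write_enable NO)" = YES ] &&
       [ "$(vsf_get "$cfg" anon_upload_enable NO)" = YES ]; then
        echo "anonymous upload enabled"
        um=$(vsf_get "$cfg" anon_umask 077)
        if umask_leaves_world_writable "$um"; then
            echo "anon_umask $um leaves uploaded files world-writable"
        fi
    fi
    if [ "$(vsf_get "$cfg" anon_other_write_enable NO)" = YES ]; then
        echo "anonymous users may delete and rename files"
    fi
    if [ "$(vsf_get "$cfg" anon_world_readable_only YES)" = NO ]; then
        echo "anonymous users may download files that are not world-readable"
    fi
}

audit_vsftpd "$SAMPLE_VSFTPD_CONF"
```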
XI, Web service (httpd)
The httpd service is also selected in setup. The WWW service does not need xinetd as its proxy process; the httpd processes run directly on the system. The default directory of the WWW service is /var/www/html; just place the home page in this directory.
We can create a WWW administrator wwwadmin in the same way as the FTP administrator, only with its login directory set to /var/www/html.
/etc/init.d/httpd start    # start the service
/etc/init.d/httpd restart  # restart the service; its configuration file is /etc/httpd/conf/httpd.conf