VSFTPD
Shi Wenjian
0 About this document
1 vsftpd
2 vsftpd installation
2.1 RHL9 vsftpd-1.1.3-8.i386.rpm package installation
2.2 vsftpd-1.2.0.tar.gz installation
3 VSFTPD file structure
4 VSFTPD startup and stop
5 VSFTPD setting options
5.1 connection options
5.1.1 Listening Address and Control Port
5.1.2 FTP mode and data port
5.1.3 ASCII mode
5.2 Performance and Load Control
5.2.1 Timeout Options
5.2.2 Load Control
5.3 User Options
5.3.1 Anonymous User
5.3.2 Local users
5.3.3 Virtual User
5.4 Security Measures
5.4.1 User Login Control
5.4.2 Directory Access Control
5.4.3 File operation control
5.4.4 Added file permission setting
5.5 Tip Information
5.6 log settings
5.7 Other settings
6 vsftpd application
6.1 Allow anonymous users to upload files
6.2 Restrict users in their own directory
6.3 Configuring a high security level anonymous FTP server
6.4 Virtual FTP Server Based on IP Address
6.5 Configuration of Virtual User
6.5.1 Introduction to vsftpd virtual users
6.5.2 User Creation and Directory Settings
6.5.3 Settings of profile
6.5.3.1 Basic settings
6.5.3.2 Permissions Settings
6.5.3.3 Other configurations of virtual users
6.5.3.4 Virtual User Personal Directory Settings
6.5.4 Saving virtual users in MySQL
-------------------------------------------
0. About this document
This document is a personal study note. Everyone is welcome to read, excerpt and reference it, and corrections are welcome. Its content comes mainly from vsftpd's own documentation, personal experience and material from the internet. If it resembles other material, that is normal :).
This document is based on Red Hat Linux 9 and vsftpd-1.1.3-8. Where a different version is involved, the text says so explicitly.
1. Brief description of vsftpd
If you ask which FTP server is the safest, then on UNIX and Linux the first to be recommended is vsftpd (Very Secure FTP Daemon). As the name suggests, security was the starting point of vsftpd's design. At the same time, with successive versions vsftpd has also made great progress in performance and stability. Large sites such as Red Hat, SUSE, Debian, GNU, GNOME and KDE use vsftpd as their FTP server. Visit http://vsftpd.beasts.org/ for its latest status.
2. vsftpd installation
2.1. RHL9 vsftpd-1.1.3-8.i386.rpm package installation
Installing vsftpd is simple. In RHL9, choose "Main Menu" - "System Settings" - "Add/Remove Applications" and select FTP Server, or run the following command at the character interface:
rpm -ivh vsftpd-1.1.3-8.i386.rpm
2.2. vsftpd-1.2.0.tar.gz installation
(1) Preparation
The vsftpd default configuration requires a "nobody" user. Add this user to the system; if it already exists, useradd says so:
[root@hpe45 root]# useradd nobody
useradd: user nobody exists
The vsftpd default configuration also requires the /usr/share/empty directory. Create it; if it already exists, mkdir says so:
[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory `/usr/share/empty': File exists
When vsftpd provides anonymous FTP service, it needs an "ftp" user and a valid anonymous directory:
[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp
The next two commands are also useful when the ftp user already exists:
[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp
(2) Compiling vsftpd
Download the source from the official site to the /root directory and run:
[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make
(3) Installing the compiled vsftpd
Running "make install" copies the compiled binary, the manual pages and so on to the corresponding directories. On RHL9 you may need to do the following copies manually:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8
In addition, "make install" does not copy the simple sample configuration file, so it is recommended to run:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc
(4) Setting up PAM for local users
If local users are to be allowed to log in to vsftpd, run:
[root@hpe45 vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp
3. vsftpd file structure
The file structure of vsftpd is very simple, consisting mainly of:
/usr/sbin/vsftpd ---- the vsftpd main program
/etc/rc.d/init.d/vsftpd ---- startup script
/etc/vsftpd/vsftpd.conf ---- main configuration file
/etc/pam.d/vsftpd ---- PAM authentication file
/etc/vsftpd.ftpusers --- list of users not allowed to use vsftpd
/etc/vsftpd.user_list --- list of users denied or allowed to use vsftpd
/var/ftp ---- anonymous user home directory
/var/ftp/pub ---- anonymous user download directory
In addition there are some documentation and manual files.
The logrotate entry for the vsftpd log is /etc/logrotate.d/vsftpd.log (the log itself is /var/log/vsftpd.log, see section 5.6).
4. Starting and stopping vsftpd
vsftpd can run standalone, like httpd or named; this is the default in RHL9. It can also run under xinetd, which is the default in RHL7.x and RHL8. The mode is determined by the listen parameter. From the vsftpd shipped with successive RHL releases one can also see vsftpd's progressive development.
When listen=YES (the RHL9 default), vsftpd runs standalone and we can use the script /etc/rc.d/init.d/vsftpd to start, stop and restart it:
/etc/rc.d/init.d/vsftpd start|stop|restart
If you want to run vsftpd from xinetd on RHL9, first change the listen parameter in vsftpd.conf to NO, then create /etc/xinetd.d/vsftpd with the following content:
service vsftpd
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/vsftpd
    port = 21
    log_on_success = PID HOST DURATION
    log_on_failure = HOST
}
Start or stop vsftpd by setting disable to no or yes and restarting xinetd.
Since standalone mode is capable enough, the applications discussed in section 6 all run in standalone mode rather than under xinetd.
Note: you can also start the FTP service by running the vsftpd binary directly, and stop it with the "kill" command:
[root@hpe45 root]# /usr/local/sbin/vsftpd &
5. vsftpd configuration options
The vsftpd configuration file /etc/vsftpd/vsftpd.conf is a text file. Lines beginning with the "#" character are comments. Each option occupies one line in the format "option=value"; note that there must be no blank characters on either side of the "=" sign. Besides this main configuration file, a personal configuration file can be set up for a particular user; the details are described below.
The vsftpd.conf shipped in the vsftpd package is fairly simple and, as its own comments claim, very paranoid :-). We can adjust the settings to the actual situation to make vsftpd more usable.
5.1. Connection options
This section covers the options related to establishing an FTP connection.
5.1.1. Listening address and control port
listen_address=IP address
This parameter is valid in vsftpd's standalone mode. It defines on which of the host's IP addresses the FTP service is provided. It is not needed on a host with only one IP address. On a multi-homed host, if it is not set, vsftpd listens on all IP addresses. Default: none.
listen_port=port number
Specifies the port (control port) on which the FTP server listens; default 21. This option takes effect in standalone mode.
5.1.2. FTP modes and data ports
FTP has two modes, PORT FTP and PASV FTP; PORT FTP is the usual form. The two are identical when establishing the control connection: the client first connects to the FTP server's control port (default 21) and sends the transfer commands over this connection. They differ in how the data-transfer port (ftp-data) is used. In PORT FTP the server specifies the port it uses for data, default 20. In PASV FTP the data-transfer port is negotiated at the client's request and the client initiates the data connection; this mode mainly exists for clients that cannot accept an incoming data connection from the server, so the two sides agree on a data port in a way that is convenient for the client.
port_enable=YES|NO
Set this option to NO if you want to disable PORT mode for data connections. Default YES.
connect_from_port_20=YES|NO
Controls whether port 20 (ftp-data) is used as the source port for data transfers in PORT mode: YES uses it, NO does not. Default NO, but the vsftpd.conf shipped with RHL sets it to YES.
ftp_data_port=port number
Sets the FTP data-transfer port (ftp-data). Default 20. This parameter is used in PORT FTP mode.
port_promiscuous=YES|NO
Default NO. When YES, the PORT security check is disabled. This check ensures that outgoing data connections go only to the client. Enable this option with care.
pasv_enable=YES|NO
YES allows PASV mode for data transfers; NO disallows it. Default YES.
pasv_min_port=port number
pasv_max_port=port number
The lower and upper bounds of the port range that may be used for data connections in PASV mode; 0 means any port. Default 0. Setting the range to relatively high ports, such as 50000-60000, helps improve security.
pasv_promiscuous=YES|NO
When this option is enabled, the PASV security check is turned off. This check ensures that the data connection comes from the same IP address as the control connection. Enable this option with care; its only reasonable use is in an organisation that uses a secure tunnelling scheme. Default NO.
pasv_address=
The numeric IP address to send in response to the PASV command. Default none, i.e. the address is taken from the incoming connection socket.
5.1.3. ASCII mode
By default vsftpd does not allow ASCII transfer mode. Even if the FTP client issues the ASCII command, vsftpd only pretends to accept it and actually transfers files in binary mode. The following options control whether vsftpd uses ASCII transfer mode.
ascii_upload_enable=YES|NO
Controls whether uploads in ASCII mode are allowed: YES allows, NO disallows. Default NO.
ascii_download_enable=YES|NO
Controls whether downloads in ASCII mode are allowed: YES allows, NO disallows. Default NO.
5.2. Performance and load control
5.2.1. Timeout options
idle_session_timeout=
The timeout of an idle user session: if no data transfer or command arrives within this time, the connection is forcibly closed. Unit seconds, default 300.
data_connection_timeout=
The timeout of an idle data connection. Default 300 seconds.
accept_timeout=numeric value
The timeout for a client to establish a PASV-mode data connection, in seconds. Default 60.
connect_timeout=numeric value
The timeout for a client to respond to a PORT-mode data connection, in seconds. Default 60. With the above two options, a data connection that is not established within 1 minute is automatically aborted.
5.2.2. Load control
max_clients=numeric value
This parameter is valid in vsftpd's standalone mode. It defines the maximum number of concurrent connections to the FTP server; beyond this number the server refuses client connections. Default 0, meaning the number of connections is not limited.
max_per_ip=numeric value
This parameter is valid in vsftpd's standalone mode. It defines the maximum number of concurrent connections per IP address; beyond this number connections are refused. This setting affects multi-connection download software such as Internet Express. Default 0, meaning no limit.
anon_max_rate=value
Sets the maximum data transfer rate for anonymous users, in bytes/s. Default: unlimited.
local_max_rate=value
Sets the maximum data transfer rate for local users, in bytes/s. Default: unlimited. This option applies to all local users. It can also be used in a user's personal configuration file to specify the maximum transfer rate for a particular user. Proceed as follows:
1. Specify the directory for users' personal configuration files in vsftpd.conf, for example:
user_config_dir=/etc/vsftpd/userconf
2. Create the /etc/vsftpd/userconf directory.
3. A user's personal configuration file is the file in this directory with the same name as the user, for example:
/etc/vsftpd/userconf/xiaowang
4. Set the local_max_rate parameter in the user's personal configuration file, for example:
local_max_rate=80000
The above steps set the maximum data transfer rate of FTP user xiaowang to 80 kBytes/s.
vsftpd's rate control is accurate to roughly 80% to 120%. For example, if we limit the maximum rate to 100 kBytes/s, the actual rate may lie between 80 kBytes/s and 120 kBytes/s. Of course, if the line bandwidth is insufficient, the rate will naturally be lower than this limit.
5.3. User options
vsftpd users fall into three categories: anonymous users, local users and virtual users (guests).
5.3.1. Anonymous users
anonymous_enable=YES|NO
Controls whether anonymous users may log in: YES allows, NO disallows. Default YES.
ftp_username=
The system user name used for anonymous users. By default this parameter does not appear in the configuration file and its value is ftp.
no_anon_password=YES|NO
Whether a password is required for anonymous login: YES means not required, NO means required. Default NO.
deny_email_enable=YES|NO
Default NO. When YES, anonymous users who log in with an e-mail address (given as the password) listed in the file named by banned_email_file are rejected. Obviously this is useful against some DoS attacks. When this parameter is enabled, the banned_email_file parameter must also be set:
banned_email_file=/etc/vsftpd.banned_emails
Specifies the file containing the rejected e-mail addresses. Default /etc/vsftpd.banned_emails.
anon_root=
Sets the root directory of anonymous users, i.e. the directory they are placed in after logging in. Not present in the main configuration file; default /var/ftp/.
anon_world_readable_only=YES|NO
Controls whether anonymous users may only download world-readable files. YES allows anonymous users to download only world-readable files; NO lets anonymous users browse the server's entire file system. Default YES.
anon_upload_enable=YES|NO
Controls whether anonymous users may upload files: YES allows, NO disallows. Not set by default, i.e. NO. Besides this parameter, anonymous uploads require two further conditions: 1. the write_enable parameter is YES; 2. on the file system, the ftp anonymous user has write permission on some directory.
anon_mkdir_write_enable=YES|NO
Controls whether anonymous users may create new directories: YES allows, NO disallows. Not set by default, i.e. NO. Of course, on the file system the ftp anonymous user must have write permission on the parent of the new directory.
anon_other_write_enable=YES|NO
Controls whether anonymous users have write privileges other than uploading and creating directories, such as deleting and renaming. YES grants them, NO does not. Default NO.
chown_uploads=YES|NO
Whether to change the ownership of files uploaded by anonymous users. With YES, the ownership of anonymously uploaded files is changed to a different user, specified by the chown_username parameter. Default NO.
chown_username=whoever
Specifies the user who will own files uploaded by anonymous users. This parameter is used together with chown_uploads. Using root is not recommended.
5.3.2. Local users
Among the users of the FTP service, besides anonymous users there are users who have an account on the host running the FTP server. These are local users, equivalent to "real" users in other FTP servers.
local_enable=YES|NO
Controls whether users of the system on which vsftpd runs may log in to vsftpd. Default YES.
local_root=
Defines the root directory for all local users. When a local user logs in, they are placed in this directory. Default none.
user_config_dir=
Defines the directory holding users' personal configuration files. A user's personal configuration file is the file in this directory with the same name as the user, and it has the same format as vsftpd.conf. For example, if user_config_dir=/etc/vsftpd/userconf is defined and the host has users xiaowang and lisi, we can add two files named xiaowang and lisi under user_config_dir. When user lisi logs in, vsftpd reads the values set in the file lisi under user_config_dir and applies them to user lisi. Default none.
5.3.3. Virtual users
guest_enable=YES|NO
If this function is enabled, all non-anonymous logins are treated as guest users. Default off.
guest_username=
Defines the system user name of the guest user. Default ftp.
5.4. Security measures
5.4.1. User login control
pam_service_name=vsftpd
Specifies the PAM configuration file name that vsftpd uses for PAM authentication. Default vsftpd, so the default PAM configuration file is /etc/pam.d/vsftpd.
/etc/vsftpd.ftpusers
vsftpd forbids the users listed in this file from logging in to the FTP server. This mechanism is set up by default in /etc/pam.d/vsftpd.
userlist_enable=YES|NO
When this option is enabled, vsftpd reads the user list in the file specified by the userlist_file parameter. When a user in the list tries to log in, the user is refused before the password prompt. That is, after the user name is entered, vsftpd looks it up and, if found, refuses the user directly without going on to ask for the password. Default NO.
userlist_file=/etc/vsftpd.user_list
The file containing the user list, read when userlist_enable is on. Default /etc/vsftpd.user_list.
userlist_deny=YES|NO
Decides whether the users in the file specified by userlist_file are denied, or are the only ones allowed, to log in to the FTP server. This option takes effect when userlist_enable is on. YES (the default): users in the file are denied login, without being prompted for a password. NO: only users in the file may log in to the FTP server.
tcp_wrappers=YES|NO
Use the tcp_wrappers remote access control mechanism in vsftpd. Default YES.
5.4.2. Directory access control
chroot_list_enable=YES|NO
Locks certain users into their own home directories. That is, after these users log in, they cannot go to other directories of the system and can only stay in their own home directory (and its subdirectories). The users concerned are listed in the file specified by the chroot_list_file parameter. Default NO.
chroot_list_file=/etc/vsftpd/chroot_list
Specifies the list of users locked into their own home directories, one user per line. Usually the file is /etc/vsftpd/chroot_list. This option is not set by default.
chroot_local_user=YES|NO
Locks local users into their own home directories. When this is enabled, the meaning of chroot_list_enable and chroot_list_file changes: the users in the file specified by chroot_list_file are then the ones NOT locked into their home directories. Enabling this parameter can create security problems, especially when users have upload rights, shell access and so on, so it should only be enabled when the consequences are understood. Default NO.
passwd_chroot_enable=YES|NO
When this option is enabled together with chroot_local_user, the chroot() jail location can be specified per user: each user's jail is derived from the home directory field of that user in /etc/passwd. Default NO.
5.4.3. File operation control
hide_ids=YES|NO
Whether to hide the owner and group information of files. With YES, when a user issues a command such as "ls -al", the owner and group of every file in the directory listing are shown as ftp. Default NO.
ls_recurse_enable=YES|NO
YES allows the "ls -R" command. This option carries a small security risk, because "ls -R" consumes a lot of system resources on a large FTP site. Default NO.
write_enable=YES|NO
Controls whether any FTP command that modifies the file system is allowed: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. Default NO, but this option is enabled in the shipped simple configuration file.
secure_chroot_dir=
This option points to an empty directory on which FTP users have no write permission. vsftpd confines itself to this directory whenever it does not need file system access. Default /usr/share/empty.
5.4.4. Permissions of newly created files
anon_umask=
The umask value for files created by anonymous users. Default 077.
file_open_mode=
The permissions with which uploaded files are created, using the same values as chmod. If uploaded files should be executable, set this to 0777. Default 0666.
local_umask=
The umask value for files created by local users. Default 077. Most other FTP servers use 022, however, so if your users want it you can change it to 022. The shipped configuration file sets this to 022.
5.5. Prompt messages
ftpd_banner=login banner string
Defines the login banner string (login welcome message), which you can change yourself. Default none. When ftpd_banner is set, it replaces the original welcome message.
banner_file=/directory/vsftpd_banner_file
Specifies a text file whose contents are displayed when a user logs in, usually a welcome message or a description. Default none. Compared with ftpd_banner, banner_file takes a text file while ftpd_banner takes a string. The banner_file option overrides the ftpd_banner option.
dirmessage_enable=YES|NO
Controls whether directory messages are enabled: YES enables, NO disables. Default YES. With this feature enabled, when a user enters a directory vsftpd checks whether the file specified by message_file exists in that directory; if so, its contents are displayed. Usually this file holds a welcome message or a description of the directory.
message_file=
This option only takes effect when dirmessage_enable is on. Default .message.
5.6. Log settings
xferlog_enable=YES|NO
Controls whether a log file recording uploads and downloads in detail is enabled. The log file is specified by the xferlog_file option. Default NO, but this option is enabled in the shipped simple configuration file.
xferlog_file=
Sets the file name of the transfer log. Default /var/log/vsftpd.log.
xferlog_std_format=YES|NO
Controls whether the log file uses the standard xferlog format, as wu-ftpd does. With the xferlog format you can reuse existing transfer statistics generators; the default log format, however, is more readable. Default NO, but this option is enabled in the shipped configuration file.
log_ftp_protocol=YES|NO
When this option is enabled, all FTP requests and responses are recorded in the log. When it is on, xferlog_std_format cannot be enabled. This option helps debugging. Default NO.
5.7. Other settings
setproctitle_enable=YES|NO
With YES, vsftpd shows the status of each session in the system process list, i.e. the process listing (for example "ps -ef | grep ftp") shows what each vsftpd session is doing (idle, downloading and so on). For security reasons you may consider turning this option off. With NO, the process listing shows only that a vsftpd process is running. Default NO.
text_userdb_names=YES|NO
By default the user and group fields of directory listings show numeric IDs rather than the owner's name. Turn this option on if you want the owner's name displayed. Default NO.
use_localtime=YES|NO
Default NO. With YES, vsftpd shows local time in directory listings; by default it shows GMT. The time value returned by the FTP command "MDTM" is likewise affected by this option.
check_shell=YES|NO
This option only takes effect in vsftpd builds that do not use PAM. When it is turned off, vsftpd does not check the /etc/shells file for a valid user shell at login. Default YES.
nopriv_user=
Specifies the user identity vsftpd adopts when it wants no privileges at all. This should preferably be a dedicated user rather than nobody, because on most machines the nobody user is used for many important things. Default nobody.
pam_service_name=
Specifies the PAM service name vsftpd uses when authenticating with PAM. Default ftp.
6. vsftpd applications
This section describes specific ways of applying vsftpd.
6.1. Allowing anonymous users to upload files
Modify or add the following options in vsftpd.conf:
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Then create a directory for anonymous uploads and set its permissions:
# mkdir /var/ftp/incoming
# chmod o+w /var/ftp/incoming
Because the anonymous user (ftp) must write to the incoming directory to upload files, and incoming is owned by root, the anonymous user (ftp) counts as "other" for incoming, so write permission for others (o) is added.
6.2. Restricting users to their own directories
In the default configuration, local users can change to directories other than their own and browse, upload and download within their permissions, which is undoubtedly a security weakness.
We can set up chroot so that local users can access only their own directory after logging in and not other directories. Three options are involved: chroot_local_user, chroot_list_enable and chroot_list_file. There are two ways to restrict users to their own directories:
1. Restrict all local users to their own directories
chroot_local_user=YES
This approach may cause some security problems; see the description of the chroot_local_user option above.
2. Restrict some local users to their own directories
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Add the local user names to be restricted to the /etc/vsftpd.chroot_list file, one user name per line.
6.3. Configuring a high-security anonymous FTP server
The simple configuration file shipped with vsftpd already claims to be paranoid. Here we see whether it can be made more paranoid :). Some options already have secure settings by default and are not written here.
# Allow anonymous access only; local users may not log in
anonymous_enable=YES
local_enable=NO
# Use ftpd_banner to replace vsftpd's default welcome message, which leaks information about the server
ftpd_banner=Welcome to this FTP server
# Only let anonymous users browse world-readable files, not the whole system
anon_world_readable_only=YES
# Hide owner and group information: anonymous users see every file as owned by ftp
hide_ids=YES
# Remove write permissions
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Run in standalone mode and specify the listening IP address
listen_address=IP address
# Connection control; timeouts and so on can be set according to the situation
connect_from_port_20=YES
pasv_min_port=50000
pasv_max_port=60000
# Load control, limiting concurrent connections per IP address; values depend on the number of users
max_clients=numeric value
max_per_ip=numeric value
# Limit the download rate; the exact value depends on the users, 80 kB/s is already quite fast
anon_max_rate=80000
# Enable detailed transfer logging
xferlog_enable=YES
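Sections 5.4 and 6.3 say which settings are risky and which ones a hardened anonymous server should have. As an added example (not code from vsftpd or from this document), the following Python script parses a vsftpd.conf in the option=value format of section 5, fills in the defaults listed there, and reports those risky settings; it compares a constructed weak configuration with one modelled on the hardened server above, with placeholder values for listen_address and max_clients.

```python
"""Audit a vsftpd.conf for the settings that sections 5.4 and 6.3 warn about.
Added example, not part of vsftpd or of this document; option names and defaults
follow section 5, and both sample configurations below are constructed."""
import re
# Defaults (section 5) for the options the audit consults.  vsftpd's own option
# names are lowercase; boolean values are compared case-insensitively.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "YES", "write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
    "chown_uploads": "NO", "chown_username": "", "port_promiscuous": "NO",
    "pasv_enable": "YES", "pasv_promiscuous": "NO", "pasv_min_port": "0",
    "pasv_max_port": "0", "chroot_local_user": "NO", "chroot_list_enable": "NO",
    "hide_ids": "NO", "ls_recurse_enable": "NO", "setproctitle_enable": "NO",
    "xferlog_enable": "NO", "max_clients": "0",
}
OPTION_LINE = re.compile(r"^([A-Za-z0-9_]+)=(\S.*)?$")  # no blanks around '='

def parse_vsftpd_conf(text):
    """Parse 'option=value' lines on top of DEFAULTS; '#' lines are comments.
    Blanks next to '=' raise ValueError, as section 5 notes (vsftpd rejects them)."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = OPTION_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not 'option=value': {raw!r}")
        conf[match.group(1).lower()] = match.group(2) or ""
    return conf

def enabled(conf, option):
    """YES/NO option test; vsftpd also accepts TRUE/FALSE and 1/0."""
    return conf[option].strip().upper() in ("YES", "TRUE", "1")

def audit(conf):
    """Return [(option, reason)] for every setting this document warns about."""
    found = []
    anon = enabled(conf, "anonymous_enable")
    if enabled(conf, "port_promiscuous"):
        found.append(("port_promiscuous", "PORT check off: data can go to hosts other than the client"))
    if enabled(conf, "pasv_promiscuous"):
        found.append(("pasv_promiscuous", "PASV check off: data connection may come from another IP"))
    if enabled(conf, "pasv_enable"):
        low, high = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if low == 0 or high == 0:
            found.append(("pasv_min_port", "PASV data ports unrestricted (0 means any port)"))
        elif low > high:
            found.append(("pasv_min_port", f"invalid PASV port range {low}-{high}"))
    if anon and not enabled(conf, "anon_world_readable_only"):
        found.append(("anon_world_readable_only", "anonymous users may browse the whole file system"))
    if anon and enabled(conf, "write_enable") and enabled(conf, "anon_other_write_enable"):
        found.append(("anon_other_write_enable", "anonymous users may delete and rename files"))
    if anon and enabled(conf, "chown_uploads") and conf["chown_username"].strip().lower() == "root":
        found.append(("chown_username", "anonymous uploads become root-owned"))
    if anon and not enabled(conf, "hide_ids"):
        found.append(("hide_ids", "listings reveal real owner and group names"))
    if enabled(conf, "local_enable") and not (enabled(conf, "chroot_local_user")
                                             or enabled(conf, "chroot_list_enable")):
        found.append(("chroot_local_user", "local users can leave their home directories"))
    if enabled(conf, "ls_recurse_enable"):
        found.append(("ls_recurse_enable", "'ls -R' can exhaust resources on a large site"))
    if enabled(conf, "setproctitle_enable"):
        found.append(("setproctitle_enable", "session activity is exposed in the process list"))
    if not enabled(conf, "xferlog_enable"):
        found.append(("xferlog_enable", "uploads and downloads are not logged"))
    if int(conf["max_clients"]) == 0:
        found.append(("max_clients", "no limit on concurrent connections"))
    return found

def flagged_options(text):
    """Sorted option names that audit() flags for a configuration text."""
    return sorted(option for option, _ in audit(parse_vsftpd_conf(text)))

# Constructed sample: an anonymous server opened up far beyond the 6.1 recipe.
WEAK_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
pasv_promiscuous=YES
chown_uploads=YES
chown_username=root
setproctitle_enable=YES
"""

# Constructed sample modelled on the hardened anonymous server of section 6.3.
HARDENED_CONF = """\
anonymous_enable=YES
local_enable=NO
anon_world_readable_only=YES
hide_ids=YES
write_enable=NO
listen_address=192.0.2.10
pasv_min_port=50000
pasv_max_port=60000
max_clients=50
xferlog_enable=YES
"""
```

Running flagged_options(WEAK_CONF) lists ten problems, while the hardened sample yields no findings; a real /etc/vsftpd/vsftpd.conf can be checked the same way by reading the file into a string.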
6.4. IP-address-based virtual FTP server
Assume the server has two IP addresses, 192.168.0.1 and 192.168.0.2, and vsftpd is already set up on 192.168.0.1; now we want to provide a virtual FTP server on 192.168.0.2. For how to use multiple IP addresses on one server, refer to the relevant documentation.
1. Create the root directory of the virtual FTP server:
mkdir -p /var/ftp2/pub
Make sure the owner and group of /var/ftp2 and /var/ftp2/pub are root and the mode is 755.
2. Add an anonymous user account for the virtual FTP server. The original FTP server uses the system user ftp as its anonymous account; for the virtual FTP server we add ftp2:
useradd -d /var/ftp2 -m ftp2
3. Create a configuration file for the virtual FTP server. Copy the original vsftpd.conf as the virtual server's configuration file and modify the relevant parameters:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd2.conf
Add or modify the following parameters:
listen=YES
listen_address=192.168.0.2
ftp_username=ftp2
Note: because vsftpd listens on all IP addresses by default, when setting up an IP-based virtual FTP server the original FTP server must also specify its listening IP address, so that the original and virtual servers do not conflict. Here listen_address=192.168.0.1 is set in the original configuration file.
4. Start the virtual FTP server.
At startup, the /etc/rc.d/init.d/vsftpd script scans all *.conf files in /etc/vsftpd/ and starts one vsftpd process per *.conf file in turn, so each vsftpd process corresponds to one .conf file. That is, the order of the "ls /etc/vsftpd/" listing matches the order in "ps -aux | grep vsftpd". Of course, "ps -aux | grep vsftpd" also shows the configuration file used by each vsftpd process, from which you can see which FTP server each process belongs to. If no configuration file is listed, the default vsftpd.conf is used and the process is the original FTP server.
Since the virtual FTP server's configuration file was named vsftpd2.conf in step 3, the /etc/rc.d/init.d/vsftpd script starts or stops the original FTP server and the new virtual FTP server together.
The following command starts the virtual FTP server alone:
/usr/sbin/vsftpd /etc/vsftpd/vsftpd2.conf &
To stop the virtual FTP server alone, find its process ID with "ps -aux | grep vsftpd" and kill the virtual FTP process with the kill command.
6.5, Configuration of virtual users
6.5.1, Introduction to vsftpd virtual users
A local user of vsftpd is a system user: besides logging in to the FTP server, such a user can also log in to the system and use other system resources. A vsftpd virtual user, by contrast, is a user dedicated to the FTP service and can only access FTP server resources. Virtual users are well suited to users or situations that only need to read from the system through FTP and require no other system resources.
vsftpd virtual users use a separate username/password store, kept apart from the system accounts (passwd/shadow), which greatly improves system security. vsftpd can store the usernames/passwords in a database file, such as a hash database file, or in a database server such as MySQL. vsftpd authenticates virtual users through PAM. Since the virtual users' usernames/passwords are stored separately, vsftpd needs a system user of its own to read the database file or database server and complete the verification; this is the guest user, which plays the same role for virtual users as the system user ftp does for anonymous users. In other words, the guest user is the system account to which virtual users are mapped.
Configuring virtual users involves several steps: creating the guest user, storing the usernames/passwords, configuring PAM authentication, and setting up vsftpd.conf. The specific configuration method is described in the following sections. Note: the following examples assume two virtual users, xiaotong and xiaowang.
6.5.2, User creation and directory settings
Add a vsftpdguest user to the system as the representative of the virtual users:
useradd vsftpdguest
When a virtual user logs in, the login directory is vsftpdguest's home directory, /home/vsftpdguest. If you want virtual users to log in to another directory such as /var/ftp, change vsftpdguest's home directory.
6.5.3, Configuration file settings
6.5.3.1, Basic settings
In the vsftpd.conf configuration file, add the following parameters:
guest_enable=YES
guest_username=vsftpdguest
6.5.3.2, Virtual user permission settings
vsftpd-1.2.0 adds a virtual_use_local_privs parameter. When this parameter is enabled (YES), virtual users get the same permissions as local users. When it is disabled (NO), virtual users get the same permissions as anonymous users, which was the only way virtual user privileges were handled before vsftpd-1.2.0. Of the two, the latter is stricter, especially with respect to write access. By default, this parameter is disabled (NO).
When virtual_use_local_privs=NO, and in versions before vsftpd-1.2.0, virtual user permissions are configured as follows:
1. Control whether virtual users can browse the directory
If you want users to be unable to list the directory but still able to operate on files, two steps are needed: first, set anon_world_readable_only=YES in the configuration file; second, set the permissions of the virtual user directory so that only vsftpdguest can operate on it:
[root@hpe45 vsftpd]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 vsftpd]# chmod 700 /home/vsftpdguest
2. Allow virtual users to upload files
write_enable=YES
anon_upload_enable=YES
3. Allow virtual users to rename and delete files
anon_other_write_enable=YES
Since the options above also take effect for anonymous users, if you do not want anonymous users to have the same permissions, it is best to disable anonymous login.
In vsftpd-1.2.0 with virtual_use_local_privs=YES, only write_enable=YES is needed for virtual users to have write permissions.
6.5.3.3, Other configurations of virtual users
1. Restrict virtual users to their own directory
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Add xiaotong and xiaowang to the /etc/vsftpd.chroot_list file.
Or, simply: chroot_local_user=YES
2. Per-user configuration of virtual users
If you want individual virtual users to have their own special configuration, you can create per-user configuration files for them. Add to the main configuration file:
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Create the /etc/vsftpd/vsftpd_user_conf directory, and in it create a file named after each virtual user that needs its own settings:
[root@hpe45 vsftpd]# mkdir vsftpd_user_conf
[root@hpe45 vsftpd]# cd vsftpd_user_conf
[root@hpe45 vsftpd_user_conf]# touch xiaowang
You can then add options that take effect only for xiaowang to the xiaowang file.
Note: chroot_local_user=YES has no effect if added to a per-user configuration file.
6.5.3.4, Virtual user personal directory settings
You may have noticed that no matter which virtual user logs in, the login directory is /home/vsftpdguest, i.e. the home directory of the guest_username user. Below is how to give each virtual user a directory of their own.
One method is to specify the virtual user's own directory with the local_root option in that user's per-user configuration file. Taking xiaowang as an example, building on the previous step, first add to the /etc/vsftpd/vsftpd_user_conf/xiaowang file:
local_root=/home/xiaowang
Then create the xiaowang directory and set its owner to vsftpdguest:
[root@hpe45 home]# mkdir xiaowang
[root@hpe45 home]# chown vsftpdguest.vsftpdguest ./xiaowang
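The settings of 6.5.3 put together as a script, an added example that is not from the original article: it stages the main configuration and xiaowang's per-user file under a directory of your choice, and checks for the pitfall noted above, that the anon_* write options also apply to anonymous users. It assumes the guest user vsftpdguest, virtual_use_local_privs=NO, and a staging root given as the first argument (default ./stage); the chown/chmod of the directories still has to be done as root.

```shell
# Added example, not from the original article: stage the 6.5.3 virtual-user
# configuration under $STAGE (defaults to ./stage) and check for the pitfall
# the article warns about, anon_* write options also applying to anonymous
# users. Assumes guest user vsftpdguest and virtual_use_local_privs=NO.
STAGE="${1:-./stage}"

# Main config: guest login, chroot, per-user config dir, and the anon_*
# options that give virtual users write access (pre-1.2.0 style).
write_vsftpd_conf() {
  mkdir -p "$STAGE/etc/vsftpd/vsftpd_user_conf"
  cat > "$STAGE/etc/vsftpd/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=vsftpdguest
virtual_use_local_privs=NO
anon_world_readable_only=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
chroot_local_user=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
EOF
}

# Per-user file named after the virtual user, carrying its local_root.
# (chown vsftpdguest and chmod 700 of the directory still need root.)
write_user_conf() {  # $1=virtual user  $2=its local_root
  printf 'local_root=%s\n' "$2" > "$STAGE/etc/vsftpd/vsftpd_user_conf/$1"
}

# Return 1 if anonymous login is on while the shared anon_* write options
# are on: the article's advice is to disable anonymous login in that case.
check_anon_write() {  # $1=path to a vsftpd.conf
  if grep -qi '^anonymous_enable=YES' "$1" &&
     grep -qiE '^anon_(upload|other_write)_enable=YES' "$1"; then
    echo "$1: anonymous users would get the same write rights" >&2
    return 1
  fi
  return 0
}

write_vsftpd_conf
write_user_conf xiaowang /home/xiaowang
check_anon_write "$STAGE/etc/vsftpd/vsftpd.conf" && echo "$STAGE: ok"
```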
6.5.4, Storing virtual users in MySQL
This section describes how to store the virtual users' usernames and passwords in a MySQL database. This is divided into two parts: storing the users and passwords in the database, and setting up the corresponding PAM authentication. For the discussion, assume the following: the database is vsftpdvu, the table is users, and the fields name and passwd hold the virtual users' usernames and passwords; for security, only vsftpdguest may read the users table of the vsftpdvu database.
1. Store the virtual users' usernames/passwords. This part is done in the MySQL database. First, create the database vsftpdvu and the table users, then insert the virtual users xiaotong and xiaowang. Run the following commands:
[root@hpe45 vsftpd]# mysql -p
mysql> CREATE DATABASE vsftpdvu;
mysql> USE vsftpdvu;
mysql> CREATE TABLE users (name CHAR(16) BINARY, passwd CHAR(16) BINARY);
mysql> INSERT INTO users (name, passwd) VALUES ('xiaotong', PASSWORD('QQmywife'));
mysql> INSERT INTO users (name, passwd) VALUES ('xiaowang', PASSWORD('TTMYWife'));
mysql> quit
Then, grant vsftpdguest read-only access to the users table of the vsftpdvu database. Run the following commands:
[root@hpe45 vsftpd]# mysql -u root mysql -p
mysql> GRANT SELECT ON vsftpdvu.users TO vsftpdguest@localhost IDENTIFIED BY 'i52serial0';
mysql> quit
To verify that the above succeeded, run the following commands:
[root@hpe45 vsftpd]# mysql -u vsftpdguest -pi52serial0 vsftpdvu
mysql> SELECT * FROM users;
If successful, xiaotong, xiaowang, and their encrypted passwords will be listed.
2. Set up PAM authentication. Here we use an open source project (http://sourceforge.net/projects/pam-mysql/) that lets PAM authenticate against MySQL. First download its package pam_mysql-0.5.tar.gz from the website and copy it to the /root directory. Before compiling and installing, make sure the mysql-devel RPM package is already installed on your machine; if not, install it from the RHL installation CD. Then run the following commands:
[root@hpe45 root]# tar xvzf pam_mysql-0.5.tar.gz
[root@hpe45 root]# cd pam_mysql
[root@hpe45 pam_mysql]# make
[root@hpe45 pam_mysql]# make install
make install may report an error; in that case, manually copy the pam_mysql.o generated in this directory to the /lib/security directory.
Next, set up the PAM authentication file for vsftpd. Open the /etc/pam.d/vsftpd file and add the following:
auth required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
The parameters above can be understood from the earlier database setup. The crypt parameter deserves a note: crypt=0 means the password is stored in the database in clear text; crypt=1 means the password is stored encrypted with the UNIX system's DES crypt() method; crypt=2 means the password is stored after being hashed with MySQL's PASSWORD() function.
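A small lint for the two pam_mysql lines, an added example that is not from the original article or the pam_mysql project: it checks that both the auth and account lines are present, that they use crypt=2 to match the PASSWORD() hashes inserted earlier, that they query the same database, and that the file is not world-readable, since the module options embed the MySQL password. It assumes the key=value option format shown above; the sample file is constructed with a placeholder database password.

```shell
# Added example, not from the original article: a lint for the pam_mysql
# lines in an /etc/pam.d/vsftpd-style file. Assumes the key=value option
# format shown above; the sample file is constructed with a placeholder
# database password.
check_pam_mysql() {  # $1=pam file; reports problems and returns 1 if any
  bad=0
  for type in auth account; do
    line=$(grep -E "^$type[[:space:]]+required[[:space:]]+pam_mysql" "$1" | head -n 1)
    if [ -z "$line" ]; then
      echo "$1: missing '$type required pam_mysql' line"; bad=1; continue
    fi
    # crypt=2 matches the PASSWORD() hashes inserted earlier; crypt=0 would
    # mean the users table holds clear-text passwords.
    case " $line " in
      *" crypt=2 "*) ;;
      *) echo "$1: $type line should use crypt=2 for PASSWORD() hashes"; bad=1 ;;
    esac
  done
  # auth and account must query the same database, or they disagree.
  auth_db=$(sed -n 's/^auth .* db=\([^ ]*\) .*/\1/p' "$1")
  acct_db=$(sed -n 's/^account .* db=\([^ ]*\) .*/\1/p' "$1")
  if [ "$auth_db" != "$acct_db" ]; then
    echo "$1: auth and account lines use different databases"; bad=1
  fi
  # The module options embed the MySQL password, so the file is a secret.
  if [ -n "$(find "$1" -perm -004)" ]; then
    echo "$1: world-readable but contains passwd=..."; bad=1
  fi
  return $bad
}

# Constructed sample mirroring the two lines above (placeholder password).
PAMFILE=$(mktemp)
cat > "$PAMFILE" <<'EOF'
auth required pam_mysql.o user=vsftpdguest passwd=DB_PASSWORD host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.o user=vsftpdguest passwd=DB_PASSWORD host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
EOF
chmod 600 "$PAMFILE"
check_pam_mysql "$PAMFILE" && echo "$PAMFILE: ok"
```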
Full article:
LinuxForum
Author Blog:
http://blog.9cbs.net/zcatlinux/