[Repost] Setting up a secure FTP server with vsftpd under Linux

xiaoxiao2021-03-05  24

Setting up a secure FTP server with vsftpd. Author: Gao Kai. Published: 2003.07.08

When building a website, FTP is an important service that makes it easy to share limited software resources. The representative FTP server packages under Linux are WU-FTPD, ProFTPD and vsftpd. WU-FTPD (Washington University FTP) was developed by the University of Washington in the USA and is efficient and stable. It is powerful but complex, and because it was developed early it is very widely deployed, which has made it a primary target of attackers. Early versions of WU-FTPD produced a continuous stream of security vulnerabilities, so system administrators had to keep upgrading it for safety reasons. ProFTPD was developed to address WU-FTPD's weaknesses: besides improving security, it offers a simpler design while still providing some of WU-FTPD's functions, which greatly simplifies setting up and managing an FTP server. vsftpd is widely used by many large sites and has an excellent record on security.

vsftpd introduction

vsftpd performs well in three respects: security, high performance and stability. Its main features include virtual IP configuration, virtual users, standalone and inetd operation modes, powerful per-user configuration and bandwidth limiting. On the security side it avoids the design flaws found in most of WU-FTPD and ProFTPD, and even BSD ftpd, uses secure coding techniques to eliminate buffer overflows, and effectively resists "globbing"-style denial-of-service attacks. vsftpd is currently in use on the official sites of Red Hat, SUSE, Debian, GNU, GNOME, KDE, GIMP and OpenBSD, among others. This article uses vsftpd 1.1.3 as its example (the latest formal release at the time of writing, issued on November 9, 2002). The download address is ftp://vsftpd.beasts.org/users/cevans/.

1. Build vsftpd

First unpack the source package:

$ tar xzvf vsftpd-1.1.3.tar.gz

Enter the source directory with "cd vsftpd-1.1.3". If you want to enable the tcp_wrappers feature later, edit the "builddefs.h" file before compiling and change "#undef VSF_BUILD_TCPWRAPPERS" to "#define VSF_BUILD_TCPWRAPPERS". The tcp_wrappers feature is mainly used for per-IP access control, for example applying a special FTP configuration to a particular IP address. Then type "make" to build the executable binary.

2. Preparation

The user "nobody" is required by the default configuration of vsftpd. Add this user with:

$ useradd nobody

The directory "/usr/share/empty" is also required by the default configuration of vsftpd. Create it with:

$ mkdir /usr/share/empty/

Anonymous FTP requires the user "ftp" to exist with a valid home directory (the "ftp" user must not own the directory or have write permission on it). If this directory does not exist yet, create it and the user with:

$ mkdir /var/ftp/

$ useradd -d /var/ftp ftp

3. Install the configuration files, executable, manual pages, etc.

Run "make install" to copy the binary, manual pages, etc. to their paths. To copy them by hand instead, the commands are:

$ cp vsftpd /usr/local/sbin/vsftpd

$ cp vsftpd.conf.5 /usr/local/man/man5

$ cp vsftpd.8 /usr/local/man/man8

Note that "make install" does not copy the sample configuration file; it is recommended to copy it yourself:

$ cp vsftpd.conf /etc

The whole installation process is very simple. Next let's look at how to use vsftpd's powerful features by configuring the vsftpd.conf file.

Two operation modes

Like other daemons, vsftpd offers two operation modes: standalone and inetd (inetd or xinetd). Put simply, in standalone mode the server is started once and stays resident in memory while running. The advantage is fast response; the disadvantage is that it consumes system resources, so this mode is usually used for dedicated FTP servers that must react in real time. inetd mode is the opposite: the FTP process is only spawned when a request arrives, so it is unsuitable for systems with a large number of simultaneous connections, but while idle it consumes no system resources. Beyond response speed and resource usage, vsftpd provides some additional advanced features per mode: inetd mode supports per-IP limits, whereas standalone mode is better suited to PAM authentication.

1. inetd operation mode

Running vsftpd from some kind of inetd provides a nice feature: per-IP connection limits. This is also the newest and recommended running mode in vsftpd 1.1.3. The per-IP connection limit relies on the tcp_wrappers support provided by vsftpd. If you use a standard "inetd", edit the /etc/inetd.conf file and add the following line:

ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd

Make sure to delete or comment out any existing ftp service line. If you don't have tcp_wrappers, or don't want to use it, remove the "/usr/sbin/tcpd" part. Then reload the configuration file:

$ kill -SIGHUP $(pidof inetd)

Most newer systems use the xinetd super-server instead. Create the service file with "vi /etc/xinetd.d/vsftpd"; its content looks like this:

service ftp
{
    disable = no
    socket_type = stream
    wait = no
    # The service is enabled and uses standard TCP sockets.
    user = root
    server = /usr/local/sbin/vsftpd
    # The server /usr/local/sbin/vsftpd handles incoming FTP requests and runs as root (privileged).
    # Confirm that the vsftpd binary has been installed in /usr/local/sbin.
    per_source = 5
    instances = 200
    # For security, at most 5 connections are allowed from a single IP address, and 200 in total.
    no_access = 192.168.1.3
    # Connections from 192.168.1.3 are refused.
    banner_fail = /etc/vsftpd.busy_banner
    # This file is shown to the user whenever a connection is refused, for any reason (too many users, IP denied).
    log_on_success = PID HOST DURATION
    log_on_failure = HOST
    # Log the IP address of every connection attempt, successful or not. If the connection starts an FTP session,
    # the process ID and the session duration are logged as well. On Red Hat this log information appears in /var/log/secure.
}

The banner file can be generated, for example, with:

$ echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner

Finally, restart xinetd:

$ /etc/rc.d/init.d/xinetd restart

Note that only one FTP service may be enabled in the "/etc/xinetd.d" directory.
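As an added example (not part of the original article), the script below summarizes, per source host, the xinetd log lines that the log_on_success/log_on_failure settings above produce, and flags hosts that keep running into the per_source limit. The log line shapes and the sample lines are constructed for this example and are assumed, not taken from the article.

```python
import re
from collections import defaultdict

# Assumed xinetd log-line shapes (constructed, not from the article):
#   "xinetd[812]: START: ftp pid=901 from=192.168.1.7"
#   "xinetd[812]: EXIT: ftp status=0 pid=901 duration=11(sec)"
#   "xinetd[812]: FAIL: ftp per_source_limit from=192.168.1.9"
EVENT_RE = re.compile(r"xinetd\[\d+\]: (START|EXIT|FAIL): ftp(?: ([a-z_]+)(?= from=))?")
KV_RE = re.compile(r"(\w+)=([^\s()]+)")

# Constructed sample of /var/log/secure lines.
SAMPLE_LOG = """\
Jul 30 00:39:01 ftphost xinetd[812]: START: ftp pid=901 from=192.168.1.7
Jul 30 00:39:12 ftphost xinetd[812]: EXIT: ftp status=0 pid=901 duration=11(sec)
Jul 30 00:40:02 ftphost xinetd[812]: FAIL: ftp address from=192.168.1.3
Jul 30 00:40:05 ftphost xinetd[812]: FAIL: ftp per_source_limit from=192.168.1.9
Jul 30 00:40:06 ftphost xinetd[812]: FAIL: ftp per_source_limit from=192.168.1.9
Jul 30 00:40:08 ftphost xinetd[812]: FAIL: ftp per_source_limit from=192.168.1.9
Jul 30 00:41:00 ftphost xinetd[812]: START: ftp pid=915 from=192.168.1.7
Jul 30 00:41:45 ftphost xinetd[812]: EXIT: ftp status=0 pid=915 duration=45(sec)
"""

def summarize(lines):
    """Per-host counts of accepted sessions, refusals by reason, and seconds spent."""
    hosts = defaultdict(lambda: {"sessions": 0, "seconds": 0, "fails": defaultdict(int)})
    pid_host = {}  # EXIT lines carry no address, so map pid -> host from START lines
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an xinetd ftp event
        event, reason = m.group(1), m.group(2)
        kv = dict(KV_RE.findall(line))
        if event == "START":
            pid_host[kv["pid"]] = kv["from"]
            hosts[kv["from"]]["sessions"] += 1
        elif event == "EXIT" and kv.get("pid") in pid_host:
            hosts[pid_host[kv["pid"]]]["seconds"] += int(kv["duration"])
        elif event == "FAIL":
            hosts[kv["from"]]["fails"][reason] += 1
    return hosts

def flag_hosts(hosts, max_fails=3):
    """Hosts refused repeatedly (e.g. hammering the per_source=5 limit) deserve a look."""
    return sorted(h for h, s in hosts.items() if sum(s["fails"].values()) >= max_fails)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for host, stats in sorted(summary.items()):
        print(host, stats["sessions"], stats["seconds"], dict(stats["fails"]))
    print("review:", flag_hosts(summary))
```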

2. Standalone mode

Standalone mode makes it easy to use PAM authentication. To enter this mode, first disable vsftpd under xinetd by setting "disable = yes", or comment out the corresponding line in "/etc/inetd.conf". Then set the option "listen=YES" in "/etc/vsftpd.conf".

Configuring vsftpd.conf

Now let's look at the core configuration file vsftpd.conf. Its path is "/etc/vsftpd.conf", and each control statement has the form "option=value", with no spaces or punctuation around the equals sign. The manual page divides the options into three types: boolean (value YES or NO), numeric (a number) and string (a string). For ease of management and clear thinking, this article groups them into four categories: access rights, security, features and performance. Below is a sample configuration that explains the commonly used options:

# Access rights
anonymous_enable=YES
# Set this to NO if you don't want to allow anonymous access.
local_enable=NO
# Disable local user login, i.e. all non-anonymous users.
write_enable=NO
# Disable write permission for every user.
anon_upload_enable=NO
# Disable uploads by anonymous users.
anon_mkdir_write_enable=NO
# Disable directory creation by anonymous users.
anon_other_write_enable=NO
# Disable the remaining write-class commands for anonymous users beyond creating
# directories and uploading, such as rename and delete.

# Security
anon_world_readable_only=YES
# Anonymous users may only download resources that are world-readable.
connect_from_port_20=YES
# Active-mode data connections originate from the standard port 20.
hide_ids=YES
# Hide the real user IDs in directory listings and show "ftp" instead.
pasv_min_port=50000
pasv_max_port=60000
# Restrict the port range used for PASV-mode transfers to 50000-60000.

# Features
xferlog_enable=YES
# Enable the transfer log, recording transfers to /var/log/vsftpd.log.
ls_recurse_enable=NO
# Disable the "ls -R" command. It is often used for DoS attacks because it wastes
# system resources, although the "mirror" mirroring tool relies on it.
ascii_download_enable=NO
# Disable ASCII-mode downloads to prevent DoS attacks; ASCII downloads consume a lot of CPU.
async_abor_enable=YES
# Support the "async ABOR" command used by early FTP clients.

# Performance
one_process_model=YES
# Use one process per connection. This is only supported on kernels with certain
# capabilities, for example Linux kernel 2.4.
idle_session_timeout=120
# Disconnect a user who has been idle for two minutes.
data_connection_timeout=300
# Abort a download that has stalled for five minutes.
accept_timeout=60
# Drop a passive-mode data connection that is not established within one minute.
connect_timeout=60
# Drop an active-mode data connection the client does not accept within one minute.
anon_max_rate=50000
# Limit a single anonymous user's download speed to at most 50 kbytes per second.

At this point an anonymous server is already running normally with a secure configuration. In practice, depending on the FTP server's needs (for example allowing local user login, giving some users upload capability, or showing a friendly welcome message at login), you can make the corresponding settings in vsftpd.conf (see "man vsftpd.conf" for details).

Some options are tied to the running mode or to plug-in modules, and some options depend on another option being enabled. In short, with careful matching you can customize an FTP server that suits your needs.

Using tcp_wrappers

To use this feature, vsftpd must be built with tcp_wrappers support before installation: edit the "builddefs.h" file, change "#undef VSF_BUILD_TCPWRAPPERS" to "#define VSF_BUILD_TCPWRAPPERS", then rebuild to generate the executable. Second, enable the option "tcp_wrappers=YES" in the configuration file vsftpd.conf. The feature relies on the configuration in the file "/etc/hosts.allow". Here is a sample:

vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf

vsftpd: 192.168.1.4: DENY

The first line says that if a client connects from 192.168.1.3, vsftpd applies the vsftpd configuration file "/etc/vsftpd_tcp_wrap.conf" to that connection. These settings are applied on top of the default vsftpd.conf. This is very useful: it can grant certain IP addresses extra capabilities (such as uploading), exempt certain IP addresses from the connection limit (max_clients=0), or raise or lower the bandwidth limit for certain IP addresses. The second line refuses connections from 192.168.1.4, which is useful against abusive clients.

Using PAM

On systems with PAM enabled, the "virtual user" feature can also be applied. The following example shows how to set up vsftpd's PAM configuration for virtual users. Virtual users are users that, unlike real users, do not actually exist on the system. They are therefore safer than real users, because an account that could threaten system security can only use the FTP service. Virtual users are commonly used to serve clients you do not want to trust, and they generally do not affect normal system users.

1. Create a virtual user database

pam_userdb is used to authenticate virtual users. This requires a username/password file in "db" format. To create it, first write a plain text file with usernames and passwords on alternating lines:

$ vi logins.txt

The content of the file is as follows:

tom
foo
fred
bar

Here "tom" has the password "foo" and "fred" has the password "bar". Next, as root, create the actual database file:

$ db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

# Requires the Berkeley DB utilities to be installed

This creates "/etc/vsftpd_login.db". To restrict its access permissions, use:

$ chmod 600 /etc/vsftpd_login.db

For more on maintaining the login database, see the "Berkeley DB" documentation at http://www.sleepycat.com/docs/utility/index.html.

2. Create a PAM file using the new database

Create a file vsftpd.pam containing the following two lines:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login

account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

This tells PAM to authenticate users against the new database. Copy the PAM file into the PAM directory (usually "/etc/pam.d"): cp vsftpd.pam /etc/pam.d/ftp

3. Set up the file location for virtual users

Next, use the following commands to set up the file location for the virtual users:

$ useradd -d /home/ftpsite virtual

$ ls -ld /home/ftpsite

This displays:

drwx------    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite

A user named "virtual" has been created with the home directory "/home/ftpsite". Add some content to this download area:

$ cp /etc/hosts /home/ftpsite

$ chown virtual.virtual /home/ftpsite/hosts

4. Customize the vsftpd.conf configuration file

Rewrite the vsftpd.conf file as follows:

anonymous_enable=NO
local_enable=YES
# For security reasons anonymous FTP is turned off and non-anonymous FTP is turned on (virtual users need it).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# For security reasons, no write commands may be executed.
chroot_local_user=YES
# Confine the virtual users to the virtual FTP area /home/ftpsite set up above.
guest_enable=YES
guest_username=virtual
# guest_enable is important: it activates virtual users. guest_username means all virtual users
# are mapped to the real user "virtual" created above. This also determines where virtual users
# end up on the file system: the home directory of "virtual", i.e. "/home/ftpsite".
listen=YES
listen_port=10021
# This runs vsftpd in "standalone" mode rather than from inetd, which means vsftpd only needs
# to be started once from the command line. It also makes vsftpd listen on the non-standard
# port 10021 (FTP usually uses port 21).
pasv_min_port=30000
pasv_max_port=30999
# These options restrict the ports used for passive-mode FTP data connections. Useful when configuring a firewall.

5. Start vsftpd

Enter the directory containing the vsftpd binary (the source directory) and run "./vsftpd". If the cursor just sits there, it is running; if something is wrong, error messages will appear.

6. Test

Open another shell session (or put vsftpd in the background by pressing Ctrl+Z and then typing "bg"). The following is an example FTP session:

$ ftp localhost 10021
Connected to localhost (127.0.0.1).
220 ready, dude (vsftpd 1.1.3: beat me, break me)
Name (localhost:chris): tom
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,117,135)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> size hosts
213 147
ftp>

The password given here is "foo". Don't worry about "failed to open directory": it appears because the directory "/home/ftpsite" is not world-readable. As the size command shows, the "hosts" file copied into the virtual FTP area is nevertheless accessible.

Extending the setup

Although the first vsftpd server is already running, the "virtual users" setup can be extended with a slightly more complex configuration. Suppose two kinds of virtual users are required: one kind may only browse and download content, while the other may also upload new content in addition to downloading what exists. This can be achieved with vsftpd's powerful per-user configuration capability (version 1.1.0 or later). In the previous virtual user example we created the two users tom and fred; here fred is given write permission to upload new files, while tom may only download.

1. Activate the per-user configuration capability

To activate this powerful vsftpd feature, add the following line to "/etc/vsftpd.conf":

user_config_dir=/etc/vsftpd_user_conf

and create the directory with "mkdir /etc/vsftpd_user_conf".

2. Let tom read all files and directories

At the end of the previous example we noticed that virtual users can only read world-readable files and directories. One solution is to make "/home/ftpsite" world-readable and upload files with world-readable permissions. Another way is to give tom the ability to download non-world-readable files.

For the user tom, force a per-user setting of "anon_world_readable_only":

$ echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom

Then check it: log in as tom and type "ls"; the directory listing is now returned. Logging in as fred should still not show it.

Changes to the "/etc/vsftpd.conf" file take effect after restarting vsftpd (advanced users can send SIGHUP to the vsftpd listening process).

3. Let fred read all files and directories and create new files and directories, but without the ability to interfere with existing files:

$ echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/fred

$ echo "write_enable=YES" >> /etc/vsftpd_user_conf/fred

$ echo "anon_upload_enable=YES" >> /etc/vsftpd_user_conf/fred

Finally, verify: uploading as tom should fail, while uploading as fred should succeed. Also try deleting a file as tom and as fred; neither should be able to.
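As an added example (not code from the article or from vsftpd itself), the script below parses vsftpd's "option=value" format, layers each user's file from user_config_dir over the base vsftpd.conf the way the sections above describe, and reports what tom and fred can do plus a few hardening findings. The embedded configuration text is a constructed copy of the article's settings; the permission logic assumes guest users are governed by the anon_* write switches, as the text states.

```python
import re
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

def parse_conf(text):
    """Parse vsftpd 'option=value' lines (spaces around '=' are rejected)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed vsftpd.conf line: %r" % raw)
        conf[m.group(1).lower()] = m.group(2)
    return conf

def is_yes(conf, key):
    """Boolean options accept YES/NO case-insensitively; unset counts as NO."""
    return conf.get(key, "NO").strip().upper() == "YES"

def can_upload(conf):
    """Guest users obey the anon_* switches: both must be YES to upload."""
    return is_yes(conf, "write_enable") and is_yes(conf, "anon_upload_enable")

def can_delete(conf):
    return is_yes(conf, "write_enable") and is_yes(conf, "anon_other_write_enable")

def audit(conf):
    """Hardening findings for the article's virtual-user profile."""
    findings = []
    if is_yes(conf, "anonymous_enable"):
        findings.append("anonymous_enable=YES on a virtual-user server")
    if not is_yes(conf, "chroot_local_user"):
        findings.append("chroot_local_user!=YES: users not confined to /home/ftpsite")
    if can_delete(conf):
        findings.append("anon_other_write_enable=YES: existing files can be altered")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if not 0 < lo <= hi:
        findings.append("no usable pasv_min_port/pasv_max_port range for the firewall")
    return findings

# Constructed copies of the article's files (embedded, not read from disk).
BASE_CONF = """anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
pasv_min_port=30000
pasv_max_port=30999
"""
USER_CONFS = {"tom": "anon_world_readable_only=NO\n",
              "fred": "anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n"}

def user_profile(user):
    # A file under user_config_dir overrides the base settings for that login.
    conf = {**parse_conf(BASE_CONF), **parse_conf(USER_CONFS.get(user, ""))}
    return {"upload": can_upload(conf), "delete": can_delete(conf), "findings": audit(conf)}
```

Calling user_profile("tom") and user_profile("fred") reproduces the expected outcome of the manual test above: only fred can upload, and neither can delete.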

Summary

The above examples were tested on Red Hat 8.0. If you run into problems, check every detail carefully for correctness. The content of the examples can be extended or modified for your specific environment. I believe that with a few small changes you can build a satisfactory, secure FTP server.

Please cite the original URL when reposting: https://www.9cbs.com/read-37615.html
