RH9-VSFTP configuration

xiaoxiao, 2021-03-06

3.2 FTP Server: Secure and Efficient Service with VSFTP

3.2.1 VSFTP Overview

FTP (File Transfer Protocol) is a communication protocol for transferring files and is still the most common way of moving files between hosts. Readers using Red Hat 9 will notice two changes to the FTP server: first, only VSFTP is shipped, and the older WU-FTPD and similar servers are no longer included; second, VSFTP now runs independently of xinetd, and its configuration file has moved from /etc/vsftpd.conf to /etc/vsftpd/vsftpd.conf.

Why the change? VSFTP is capable of running as a standalone daemon and does not need xinetd to control it, and, like sendmail, httpd, ssh, samba and others, its configuration files are kept in their own subdirectory under /etc.

FTP comes in two varieties: Port FTP, which is the usual form, and PASV FTP. They work as follows.

Port FTP

This is the usual form of FTP. A control channel is established first, by default on port 21; the connection is made to port 21 and commands travel over it. The data channel is then established by the FTP server, by default from port 20: the server opens a connection from port 20 and the data is transferred through it.

PASV FTP

As with Port FTP, a control channel is established first, by default on port 21, and commands travel over it. The data connection, however, is requested by the client, and the request includes the port number to be used for the data transfer.

What is the difference? In Port FTP the data transfer port is specified by the FTP server; in PASV FTP it is determined by the FTP client. PASV FTP is what we normally use: in an environment with a firewall, the port used for data transmission is negotiated between client and server over the control connection.
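The port arithmetic behind both modes, as an added example that is not part of the original article: in Port FTP the client sends PORT h1,h2,h3,h4,p1,p2, and in PASV FTP the server answers 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); in both the port is p1*256 + p2. The reply strings and addresses below are constructed sample values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): decode a 227 PASV reply and
# encode a PORT command. Both carry the port as two bytes, port = p1*256 + p2,
# which is why a firewall in front of a PASV server has to open the whole
# pasv_min_port..pasv_max_port range rather than a single port.

# pasv_endpoint REPLY -> prints "host port" parsed from a 227 reply, fails on garbage
pasv_endpoint() {
    reply=$1
    # keep only the comma-separated numbers inside the parentheses
    fields=$(printf '%s' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# port_command HOST PORT -> the PORT command a client would send for that endpoint
port_command() {
    host=$1; port=$2
    [ "$port" -ge 0 ] && [ "$port" -le 65535 ] || return 1
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$host" | tr '.' ',')" \
        $(( port / 256 )) $(( port % 256 ))
}

# pasv_in_range REPLY MIN MAX -> exit 0 when the port announced in REPLY lies in
# pasv_min_port..pasv_max_port, i.e. inside what the firewall rule covers
pasv_in_range() {
    ep=$(pasv_endpoint "$1") || return 1
    p=${ep##* }
    [ "$p" -ge "$2" ] && [ "$p" -le "$3" ]
}

# Constructed sample exchange: the server's 227 reply and the equivalent PORT.
pasv_endpoint '227 Entering Passive Mode (192,168,10,244,38,253)'   # 192.168.10.244 9981
port_command 192.168.10.244 2020                                     # PORT 192,168,10,244,7,228
```

pasv_in_range is the check an administrator wants when a client can log in but ls and get stall: if the port the server announces lies outside the range opened in the firewall, the data connection is what is being rejected.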

3.2.2 Examples

3.2.1. Start the VSFTP service directly

This example uses Red Hat's preset configuration and simply starts VSFTP.

[root@RAY vsftpd]# /sbin/service vsftpd start
Starting vsftpd for vsftpd:   [  OK  ]

3.2.2. Change the service port: replace the preset port 21 with 2121

For security, or to tell several FTP services apart by port, we may want to move the FTP service to a port other than 21. Follow these steps.

Step 1. Modify /etc/vsftpd/vsftpd.conf

Add the line

listen_port=2121

Step 2. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]
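The "modify /etc/vsftpd/vsftpd.conf, then restart" steps of this and the following sections, as an added example that is not the article's own code: a small shell helper that sets a key idempotently, so running it twice never leaves two copies of a key, and that can activate a commented-out line such as the #chroot_list_enable=YES of the next section. The file path is a parameter, so the helper can be tried on a copy before the real configuration is touched; the sample configuration in the demo is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: apply a vsftpd.conf setting
# idempotently, then restart the service as the article's Step 2 does.

# vsftpd_set FILE KEY VALUE
#   an active "KEY=..." line is replaced in place; a commented "#KEY=..." line is
#   uncommented and replaced; otherwise "KEY=VALUE" is appended.
#   vsftpd.conf allows no spaces around "=", so none are written.
vsftpd_set() {
    file=$1; key=$2; value=$3
    if grep -q "^[#[:space:]]*${key}=" "$file"; then
        # write to a temp file first so an interrupted edit never truncates the config
        tmp="${file}.tmp.$$"
        sed "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# vsftpd_get FILE KEY -> the effective value (vsftpd takes the last uncommented
# occurrence), or an empty line when the key is absent
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# The restart step from the article; only defined here, since it needs the real service.
vsftpd_restart() {
    /sbin/service vsftpd restart
}

# Demonstration on a constructed copy covering the three kinds of change in 3.2.2-3.2.4.
demo() {
    f=$(mktemp)
    printf '%s\n' 'anonymous_enable=YES' \
                  '#chroot_list_enable=YES' \
                  '# (default follows)' \
                  '#chroot_list_file=/etc/vsftpd.chroot_list' > "$f"
    vsftpd_set "$f" listen_port 2121                          # 3.2.2: new key, appended
    vsftpd_set "$f" chroot_list_enable YES                    # 3.2.3: commented key, activated
    vsftpd_set "$f" chroot_list_file /etc/vsftpd/chroot_list
    vsftpd_set "$f" anonymous_enable NO                       # 3.2.4: existing key, replaced
    vsftpd_set "$f" listen_port 2121                          # second run: no duplicate line
    cat "$f"
    rm -f "$f"
}

demo
```

Because vsftpd takes the last occurrence of a key, appending blindly (as with echo >>) would work once but leave stale duplicates behind; the helper above keeps a single line per key, which also makes the file easier to audit.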

3.2.3. Particular users (peter, john) may not leave their home directory

A user's preset directory is /home/username. If we do not want the user to be able to go up to the parent directory /home, follow these steps.

Step 1. Modify /etc/vsftpd/vsftpd.conf

Change the three lines

#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list

to

chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

Step 2. Create the file /etc/vsftpd/chroot_list

with these two lines as its content:

peter
john

Step 3. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

If peter then tries to change to a directory outside his home directory, the following warning appears:

ftp> cd /home
Failed to change directory.

3.2.4. Disable anonymous login

If the reader's host should not accept anonymous logins, follow these steps.

Step 1. Modify /etc/vsftpd/vsftpd.conf

Change

anonymous_enable=YES

to

anonymous_enable=NO

Step 2. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

3.2.5. Set up a welcome message

If we want users to see a welcome message, which may contain a description of the host or of a directory, follow these steps.

First make sure that /etc/vsftpd/vsftpd.conf contains the line

dirmessage_enable=YES

This line is present in the Red Hat 9 default configuration.

Next, create a file named .message in each directory concerned. Suppose there is a user test1 whose home directory contains a directory named abc. First, in /home/test1, create .message with the following content:

Hello ~ Welcome to the Home Directory
This is for test only ...

Then, in /home/test1/abc, add a .message with the following content:

Welcome to abc's Directory
This is subdir ...

When user test1 logs in, the following message is shown:

230- Hello ~ Welcome to the Home Directory
230-
230- This is for test only ...
230-

On changing into the abc directory, the following message appears:

250- Welcome to abc's Directory
250-
250- This is subdir ...

3.2.6. Show each connection as a separate process

When VSFTP is started, only a single process named vsftpd is visible, but if the reader wants each connection to show up as an independent process with its state, follow these steps.

Step 1. Modify /etc/vsftpd/vsftpd.conf

Add the line

setproctitle_enable=YES

Step 2. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

With ps -ef you can then see the state of each connected user, as shown below:

[root@Home vsftpd]# ps -ef | grep ftp
root      2090     1  0 16:41 pts/0    00:00:00 vsftpd: LISTENER
nobody    2120  2090  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244: connected
test1     2122  2120  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244/test1: IDLE
nobody    2124  2090  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244: connected
test2     2126  2124  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244/test2: IDLE
root      2129  1343  0 17:20 pts/0    00:00:00 grep ftp
[root@Home vsftpd]#

3.2.7. Limit the transfer speed: local users at most 200 kBytes/s, anonymous logins at most 50 kBytes/s

Step 1. Modify /etc/vsftpd/vsftpd.conf

Add the lines

anon_max_rate=50000
local_max_rate=200000

Step 2. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

The unit of these speeds is bytes/s; anon_max_rate limits anonymous logins and local_max_rate limits the machine's own (local) users. VSFTPD's rate limiting is approximate, with a range of about 80% to 120%: if we set a maximum of 100 kBytes/s, the actual speed may be anywhere between 80 kBytes/s and 120 kBytes/s, and of course when bandwidth is scarce the value will fall below the limit.

3.2.8. Different speeds for different users: suppose test1 may use at most 250 kBytes/s and test2 at most 500 kBytes/s

Step 1. Modify /etc/vsftpd/vsftpd.conf

Add the line

user_config_dir=/etc/vsftpd/userconf

Step 2. Create the directory /etc/vsftpd/userconf

mkdir /etc/vsftpd/userconf

Step 3. Under /etc/vsftpd/userconf, add a file named test1 with the content:

local_max_rate=250000

Step 4. Under /etc/vsftpd/userconf, add a file named test2 with the content:

local_max_rate=500000

Step 5. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

3.2.9-1. FTP server behind a firewall, using Port FTP mode: preset FTP port 21 and FTP data port 20

After starting vsftpd, run the following two commands so that only port 21 and port 20 are open and everything else is closed.

iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

3.2.9-2. FTP server behind a firewall, using Port FTP mode: FTP port 2121 and FTP data port 2020

Step 1. Run the following two commands so that only port 2121 and port 2020 are open and everything else is closed.

iptables -A INPUT -p tcp -m multiport --dports 2121,2020 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Step 2. Modify /etc/vsftpd/vsftpd.conf

Add the lines

listen_port=2121
ftp_data_port=2020

Step 3. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

Be careful: in these two examples the FTP client (CuteFTP, for instance) must not be set to passive mode, otherwise the data connection cannot be established. That is, the reader can connect to the FTP server, but commands such as ls and get will not work.

3.2.10. FTP server behind a firewall, using PASV FTP mode: FTP port 2121 and FTP data ports 9981 to 9986

Step 1. Run the following two commands so that only port 2121 and ports 9981-9990 are open and everything else is closed.

iptables -A INPUT -p tcp -m multiport --dports 2121,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Step 2. Modify /etc/vsftpd/vsftpd.conf

Add the following four lines

listen_port=2121
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986

Step 3. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]
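The firewall rules of 3.2.9 and 3.2.10 generated from the values actually configured, as an added example that is not the article's own commands: the point is that the ports opened in iptables should match vsftpd.conf exactly. In the article the firewall opens 9981 to 9990 while vsftpd is told pasv_max_port=9986, so ports 9987 to 9990 are open for nothing; reading the range from the configuration file avoids that drift. The sample configuration files are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): emit the iptables rules for an
# FTP server behind a firewall from the vsftpd settings, instead of by hand.

# Rules for Port (active) mode: control port plus the fixed data port (ftp_data_port).
port_mode_rules() {
    ctrl=$1; data=$2
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s,%s -j ACCEPT\n' "$ctrl" "$data"
    printf 'iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset\n'
}

# Rules for PASV mode: control port plus the pasv_min_port:pasv_max_port range.
# multiport accepts "low:high" ranges, so the ports need not be listed one by one.
pasv_mode_rules() {
    ctrl=$1; lo=$2; hi=$3
    [ "$lo" -le "$hi" ] || return 1
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s,%s:%s -j ACCEPT\n' "$ctrl" "$lo" "$hi"
    printf 'iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset\n'
}

# pasv_rules_from_conf FILE: read listen_port / pasv_min_port / pasv_max_port from a
# vsftpd.conf and emit the PASV rules. Fails when the range is missing or 0: vsftpd
# then picks any free port, and no fixed firewall rule can cover that.
pasv_rules_from_conf() {
    conf=$1
    ctrl=$(sed -n 's/^listen_port=//p' "$conf" | tail -n 1)
    lo=$(sed -n 's/^pasv_min_port=//p' "$conf" | tail -n 1)
    hi=$(sed -n 's/^pasv_max_port=//p' "$conf" | tail -n 1)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -gt 0 ] && [ "$hi" -gt 0 ] || return 1
    pasv_mode_rules "${ctrl:-21}" "$lo" "$hi"
}

# Demonstration on a constructed copy of the 3.2.10 configuration.
demo() {
    f=$(mktemp)
    printf '%s\n' listen_port=2121 pasv_enable=YES pasv_min_port=9981 pasv_max_port=9986 > "$f"
    echo "# 3.2.9-2 (Port mode, 2121/2020):"
    port_mode_rules 2121 2020
    echo "# 3.2.10 (PASV mode, from vsftpd.conf):"
    pasv_rules_from_conf "$f"
    rm -f "$f"
}

demo
```

The generated rules follow the article's two-line pattern. Note that the trailing REJECT line rejects every other inbound TCP packet, including replies to connections the server itself opens (for example when it acts as a client); on a host that does that, an ESTABLISHED,RELATED accept rule belongs before the REJECT.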

Be careful: in this example the FTP client (CuteFTP, for instance) must be set to passive mode, otherwise the data connection cannot be established. That is, the reader can connect to the FTP server, but commands such as ls and get will not work.

3.2.11. Combine VSFTPD with TCP Wrappers

If the reader wants to define the permitted or rejected source addresses directly in /etc/hosts.allow, follow these steps. This acts as a simple firewall.

Step 1. Make sure that the following is set to YES in /etc/vsftpd/vsftpd.conf:

tcp_wrappers=YES

This is the Red Hat 9 default, so normally nothing needs changing.

Step 2. Restart VSFTPD

[root@Home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:   [  OK  ]
Starting vsftpd for vsftpd:   [  OK  ]

Step 3. Set up /etc/hosts.allow. For example, to allow connections from 111.22.33.4 and from 10.1.1.1 to 10.1.1.254, use the following settings:

vsftpd: 111.22.33.4 10.1.1. : allow
ALL: ALL : deny
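How the two hosts.allow lines above are evaluated for a connecting address, as an added example that is not the article's: a small simulation that lets a rule be checked before the service depends on it. The real matching is done by libwrap inside vsftpd; only the pattern forms used here are modelled: an exact address, a dotted prefix such as 10.1.1. (every host in 10.1.1.0 to 10.1.1.255) and the ALL wildcard. Lines are tried in order and the first match decides. The rule text is a constructed copy of the lines above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): simulate hosts.allow matching
# for the rules of 3.2.11 so their effect on a given address can be checked.

# Constructed copy of the rules from the text.
RULES='vsftpd: 111.22.33.4 10.1.1. : allow
ALL: ALL : deny'

# host_matches PATTERN ADDRESS -> exit 0 on match
host_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # dotted prefix: the trailing dot matters
        *)   [ "$1" = "$2" ] && return 0 ;;          # exact address
    esac
    return 1
}

# wrapper_decision SERVICE ADDRESS -> prints allow or deny
wrapper_decision() {
    svc=$1; addr=$2
    verdict=$(printf '%s\n' "$RULES" | while IFS= read -r line; do
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' ')
        rest=${line#*:}
        hosts=${rest%%:*}
        action=$(printf '%s' "${rest#*:}" | tr -d ' ')
        [ "$daemons" = ALL ] || [ "$daemons" = "$svc" ] || continue
        for h in $hosts; do
            if host_matches "$h" "$addr"; then echo "$action"; exit 0; fi
        done
    done)
    # no line matched: libwrap would then consult hosts.deny and finally allow
    printf '%s\n' "${verdict:-allow}"
}

# Constructed sample addresses: two inside the rule, two that look similar but are not.
for a in 111.22.33.4 10.1.1.7 10.1.10.5 111.22.33.40; do
    printf '%-14s %s\n' "$a" "$(wrapper_decision vsftpd "$a")"
done
```

The two near misses are the ones worth remembering: 10.1.10.5 is denied because the prefix 10.1.1. includes its trailing dot, and 111.22.33.40 is denied because an address without a trailing dot is matched exactly. On a real host the same questions can be put to the tcpdmatch tool shipped with tcp_wrappers.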

3.2.12. Run VSFTPD under xinetd

If the reader wants to bring vsftpd under xinetd, which was the preset arrangement in the 7.x versions, follow these steps.

Step 1. Modify /etc/vsftpd/vsftpd.conf

Change

listen=YES

to

listen=NO

Step 2. Create the file /etc/xinetd.d/vsftpd with the following content:

service vsftpd
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        port            = 21
        log_on_success  = PID HOST DURATION
        log_on_failure  = HOST
}

Step 3. Restart xinetd

[root@Home vsftpd]# /sbin/service xinetd restart
Stopping xinetd:   [  OK  ]
Starting xinetd:   [  OK  ]

3.2.3 Settings Reference

The examples above leave some things out, such as the total number of connections, the number of connections per address, showing the names of file owners, and so on. The reader is encouraged to work out the settings most suitable for their own situation from the reference below.

Format

The content of vsftpd.conf is very simple: each line is one setting. Blank lines and lines beginning with # are ignored. The only format used is

option=value

Note that there must be no spaces on either side of the equal sign, otherwise the setting is invalid.

=== ASCII settings ===

ascii_download_enable

Controls whether downloads in ASCII mode are allowed. The default is NO.

ascii_upload_enable

Controls whether uploads in ASCII mode are allowed. The default is NO.

=== Individual user settings ===

chroot_local_user

If enabled, all local users are confined to their home directory and cannot change to a directory above it, except for the users listed in /etc/vsftpd.chroot_list. The default is NO.

userlist_enable

Usage: YES / NO

If enabled, vsftpd reads user names from /etc/vsftpd.user_list. With this feature a rejected user receives the failure message before being asked for a password, so no password checking takes place. The default is off.

userlist_deny

Usage: YES / NO

This option is only consulted when userlist_enable is on. If it is set to YES, the users in /etc/vsftpd.user_list cannot log in; if it is set to NO, only the users in /etc/vsftpd.user_list can log in. Either way the error message is given before the password is asked for, so no password check is needed.

user_config_dir

Defines the directory holding per-user configuration files. For example, with user_config_dir=/etc/vsftpd/userconf and users test1 and test2 on the host, we can add files named test1 and test2 in that directory; when test1 logs in, the settings in the file test1 under user_config_dir are read. The default is none.

=== Welcome message settings ===

dirmessage_enable

If enabled, the first time a user enters a directory vsftpd checks for a file named .message there and displays it if present. This file usually holds a welcome message or a description of the directory. The default is on.

banner_file

The contents of the file named here are displayed when a user logs in, usually a welcome message or a description. The default is none.

ftpd_banner

Defines the welcome message as a string: where banner_file takes a file, ftpd_banner takes the text directly. The default is none.

=== Special security settings ===

chroot_local_user

If set to YES, all local users of this machine are confined to their home directory and cannot change to a directory above it. The default value is NO.

hide_ids

If enabled, every file appears to be owned by user and group ftp; that is, when a logged-in user runs ls -al, the owner and group of all files show as ftp. The default is off.

ls_recurse_enable

If enabled, logged-in users may use ls -R. The default is NO.

write_enable

Usage: YES / NO

Controls whether the FTP commands that change the file system are allowed, namely STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. The default is off.

setproctitle_enable

Usage: YES / NO

When enabled, vsftpd shows the state of every connection in its process titles; in other words, commands such as ps -ef show what each session is doing. The default is off.

tcp_wrappers

Usage: YES / NO

If enabled, vsftpd works with TCP Wrappers, so the permitted and forbidden source addresses can be defined in /etc/hosts.allow and /etc/hosts.deny.

pam_service_name

Defines the service name used with PAM. The default is vsftpd.

secure_chroot_dir

This option must name an empty directory that no login may write to. When vsftpd does not need access to the file system, it confines itself to this directory. The default is /usr/share/empty.

=== Log file settings ===

xferlog_enable

Usage: YES / NO

If enabled, all upload and download activity is recorded in the file defined by xferlog_file. The default is on.

xferlog_file

Sets the location of the log file. The default is /var/log/vsftpd.log.

xferlog_std_format

If enabled, the log is written in the standard xferlog format, as used by wu-ftpd. The default is off.

=== Timeout settings ===

accept_timeout

Timeout for accepting a connection, in seconds. The default is 60.

connect_timeout

Timeout for the client to respond to a data connection, in seconds. The default is 60.

data_connection_timeout

Timeout for establishing a data connection. The default is 300 seconds.

idle_session_timeout

Idle timeout: if no data or command is transferred for longer than this, the session is forcibly closed. The unit is seconds; the default is 300.

=== Rate limit settings ===

anon_max_rate

The maximum transfer speed for anonymous logins, in bytes per second; 0 means unlimited. The default is 0.

local_max_rate

The maximum transfer speed for local users, in bytes per second; 0 means unlimited. The default is 0.

=== New file permission settings ===

anon_umask

The umask applied to files created by anonymous logins. The default is 077.

file_open_mode

The permissions given to uploaded files, in the same form as used by chmod. The default is 0666.

local_umask

The umask applied to files created by local users. The default is 077.

=== Port settings ===

connect_from_port_20

Usage: YES / NO

If set to YES, ftp-data transfers are forced to originate from port 20. The default is YES.

ftp_data_port

The port used for the FTP data connection. The default is 20.

listen_port

The port the FTP server listens on. The default is 21.

pasv_max_port

The upper bound of the port range that may be used for data connections; 0 means any port. The default is 0.

pasv_min_port

The lower bound of the port range that may be used for data connections; 0 means any port. The default is 0.

=== Other ===

anon_root

The directory an anonymous login is placed in. The default is none.

local_enable

Usage: YES / NO

Enabling this allows local users of the machine to log in. The default is YES.

local_root

When a local user logs in, they are placed in the directory defined here. The default is none.

text_userdb_names

Usage: YES / NO

By default, when a logged-in user runs commands such as ls -al, the listing shows numeric UIDs instead of the names of file owners. Turn this feature on if the owner's name is wanted. The default is NO.

pasv_enable

If set to NO, data connections in PASV mode are not allowed. The default is on.

=== Ownership of uploaded files ===

chown_uploads

Usage: YES / NO

If enabled, the owner of every file uploaded by an anonymous login is changed to the user set in chown_username. This is useful for security and administration. The default is NO.

chown_username

Defines the user name that becomes the owner of files uploaded by anonymous logins. The default is root.

=== Guest settings ===

guest_enable

Usage: YES / NO

If enabled, all non-anonymous logins are treated as guests. The default is off.

guest_username

Defines the user name used for guests. The default is ftp.

=== Anonymous settings ===

anonymous_enable

Usage: YES / NO

Controls whether anonymous login is allowed: YES allows it, NO forbids it. The default is YES.

no_anon_password

If enabled, anonymous logins are not asked for a password. The default is NO.

anon_mkdir_write_enable

Usage: YES / NO

If set to YES, anonymous logins may create directories; of course, the anonymous user must also have write permission on the parent directory. The default is NO.

anon_other_write_enable

Usage: YES / NO

If set to YES, anonymous logins are allowed write operations beyond uploading and creating directories, such as deleting or renaming. The default is NO.

anon_upload_enable

Usage: YES / NO

If set to YES, anonymous logins may upload files; of course, the anonymous user must also have write permission on the target directory. The default is NO.

anon_world_readable_only

Usage: YES / NO

If set to YES, anonymous logins may only download files that are world-readable. The default is YES.

ftp_username

Defines the user name used for anonymous logins. The default is ftp.

deny_email_enable

If enabled, a file /etc/vsftpd.banner_emails listing email addresses must be provided. Anonymous logins are asked for an email address, and if the address entered appears in that file the login is refused. The default is NO.

=== Standalone options ===

listen

Usage: YES / NO

If enabled, vsftpd runs as a standalone daemon. When vsftpd runs standalone, as in the Red Hat 9 default, this must be on; when vsftpd is run from xinetd, as in Red Hat 8, this feature must be turned off. The Red Hat 9 default is YES.

listen_address

When vsftpd runs in standalone mode, this parameter defines which IP address provides the service. If the host has only one IP address there is no need to set it; if there are several, it selects which address the service is offered on. If it is not set, the service is offered on all IP addresses. The default is none.

max_clients

When vsftpd runs in standalone mode, this parameter defines the maximum total number of connections; beyond this number, connections are refused. 0 means unlimited. The default is 0.

max_per_ip

When vsftpd runs in standalone mode, this parameter defines the maximum number of connections per IP address; beyond this number, connections are refused. 0 means unlimited. The default is 0.

==============================
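A read-only audit of a vsftpd.conf against the settings catalogued above, as an added example that is not the article's: it flags the combinations that widen exposure (anonymous write access, local users not chrooted, transfer logging switched off, anonymous reads of files that are not world-readable) and shows the permission an uploaded file actually ends up with, computed from file_open_mode and the umask. The defaults used are the ones stated in the reference above; the sample configuration is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf copy for
# exposure-widening settings drawn from the reference table of 3.2.3.

# conf_value FILE KEY DEFAULT -> last uncommented value of KEY, or DEFAULT
conf_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# upload_mode FILE_OPEN_MODE UMASK -> effective octal permission of an upload,
# e.g. 0666 with umask 077 gives 0600 (the leading 0 forces octal in $(( )))
upload_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# audit_conf FILE: prints one finding per line; exit status = number of findings
audit_conf() {
    f=$1; n=0
    if [ "$(conf_value "$f" anonymous_enable YES)" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_value "$f" "$k" NO)" = YES ]; then
                echo "anonymous write access: $k=YES"; n=$((n + 1))
            fi
        done
        if [ "$(conf_value "$f" anon_world_readable_only YES)" = NO ]; then
            echo "anonymous users may download files that are not world-readable"; n=$((n + 1))
        fi
        echo "note: anonymous uploads get mode $(upload_mode \
            "$(conf_value "$f" file_open_mode 0666)" "$(conf_value "$f" anon_umask 077)")"
    fi
    if [ "$(conf_value "$f" local_enable YES)" = YES ] &&
       [ "$(conf_value "$f" chroot_local_user NO)" = NO ] &&
       [ "$(conf_value "$f" chroot_list_enable NO)" = NO ]; then
        echo "local users are not chrooted: set chroot_local_user=YES or use chroot_list_enable"; n=$((n + 1))
    fi
    if [ "$(conf_value "$f" xferlog_enable YES)" = NO ]; then
        echo "transfer logging is disabled: xferlog_enable=NO"; n=$((n + 1))
    fi
    return $n
}

# Demonstration on a constructed sample configuration (three findings expected).
demo() {
    f=$(mktemp)
    printf '%s\n' anonymous_enable=YES anon_upload_enable=YES anon_umask=022 \
                  file_open_mode=0666 local_enable=YES write_enable=YES xferlog_enable=NO > "$f"
    audit_conf "$f" || echo "findings: $?"
    rm -f "$f"
}

demo
```

Run against a copy of the real file (audit_conf /tmp/vsftpd.conf.copy) the exit status doubles as a pass/fail signal for a deployment check. The upload mode line makes the interaction of two settings visible: the reference gives file_open_mode=0666 and anon_umask=077, which yields 0600, so anonymously uploaded files are not readable by other anonymous users unless the umask is loosened.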

3.2.4 Meaning of FTP reply codes

110 Restart marker reply.

120 Service ready in a while.

125 Data connection already open; transfer starting.

150 File status okay; about to open the data connection.

200 Command executed successfully.

202 Command not executed.

211 System status or system help reply.

212 Directory status.

213 File status.

214 Help message.

215 NAME system type.

220 Service ready for new user.

221 Service closing the control connection; logged out.

225 Data connection open; no transfer in progress.

226 Closing the data connection; the requested file action was successful.

227 Entering Passive Mode.

230 User logged in.

250 Requested file action completed.

257 Shows the current path name.

331 User name okay; password needed.

332 Account information needed for login.

350 Requested file action pending further information; another command is needed.

421 Service not available; closing the control connection.

425 Cannot open the data connection.

426 Connection closed; transfer aborted.

450 Requested file action not taken.

451 Requested action aborted: local error in processing.

452 Requested action not taken: insufficient storage space.

500 Syntax error; command unrecognized.

501 Syntax error in parameters.

502 Command not executed.

503 Bad sequence of commands.

504 Command parameters not accepted.

530 Not logged in.

532 An account is needed for storing files.

550 Requested action not taken.

551 Requested action aborted: page type unknown.

552 Requested file action aborted: storage allocation exceeded.

553 Requested action not taken: file name not allowed.

Please credit the original source when reposting: https://www.9cbs.com/read-93626.html
