Vsftpd is a relatively stable FTP server. The FTP service it provides can be configured, according to business needs, for anonymous access, local user access or virtual user access. Of these, virtual user access is the most secure. This article builds and configures an FTP server for virtual user access.
Anonymous access lets anyone upload files to the server without authentication, so its security is low. Local user mode is more secure than anonymous mode, but still less secure than virtual user mode, because local users are real system accounts with system passwords. Therefore, if FTP is configured in a production environment, virtual user mode is recommended.
1. Install ftp client
📓 The following operations are performed as the root user. sudo can of course be used instead; on a production server, sudo is recommended.
CentOS 8.5 does not install an ftp client by default. To make later testing easier, install an ftp client first.
yum install -y ftp
2. Install iptables service
CentOS 8.5 also does not install the iptables service by default, which means iptables settings cannot be saved and iptables is reset automatically after the system restarts. We need to clear the iptables rules before configuring the vsftpd server.
yum install -y iptables-services.x86_64
3. Install vsftpd
To configure vsftpd we of course have to install the software first. I use Alibaba's yum mirror, and installation is very simple: just hand the job to our "rhubarb" (yum).
yum install -y vsftpd
After vsftpd is installed successfully, don't forget to enable it to start at boot.
systemctl enable vsftpd
If the following message appears, enabling it at boot succeeded.
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
Take a look at the details of the installed vsftpd package
rpm -qi vsftpd
Start the vsftpd service
systemctl start vsftpd
Check that the service is running normally
systemctl status vsftpd
4. Clear the default firewall rules
iptables -F
Check the result
iptables -L
The default rules have been cleared; now save the empty rule set so it survives a reboot.
service iptables save
5. Create a virtual user to log in to FTP
What is a virtual user? A user that can perform a specific function on a Linux system but cannot log in to a shell like an ordinary user, which improves the security of the system.
Let's look at the users on our freshly installed system.
vim /etc/passwd
See? Besides root and the ordinary user specified during installation, there are a bunch of users you don't know. The reason the system can perform its various functions is, of course, thanks to these virtual users 😄
OK, let's create a virtual user for our FTP service.
I plan to deploy a forum program on this system, and users will of course upload avatars, pictures and so on, so I set the home directory of the virtual user to /var/www/ftp. The FTP home directory a virtual user sees can also be set through configuration files. Here is how it is created.
If the /var/www folder does not exist, create it first.
mkdir -p /var/www
useradd -d /var/www/ftp -s /sbin/nologin ftpuser
The above command creates a user who cannot log in to the system (-s /sbin/nologin) and sets the user's home directory to /var/www/ftp (-d /var/www/ftp). Check it:
ls -ld /var/www/ftp
Set permissions on the ftp folder
chmod -R 755 /var/www/ftp
If the following output appears, the permissions were set successfully
ls -ld /var/www/ftp
drwxr-xr-x. 5 ftpuser ftpuser 103 Dec 18 13:55 /var/www/ftp
If a permission error appears later, first check the owner and group of the folder and whether its mode is 755.
Set a password for ftpuser
passwd ftpuser
The password was set successfully (I used a weak password here; do not do this in a production environment)
[root@localhost www]# passwd ftpuser
Changing password for user ftpuser.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
6. Create a virtual FTP user database file
cd /etc/vsftpd
vim vuser.list
Write the following into the vuser.list file
ftpuser aaaaaa
Odd-numbered lines are usernames and the even-numbered line after each is that user's password.
Use the db_load command to generate the FTP user database file vuser.db with the hash algorithm
db_load -T -t hash -f vuser.list vuser.db
View the contents of vuser.db
db_dump -d a vuser.db
If we need to add a new virtual user to vuser.db:
Re-edit the vuser.list file, add the new username and password to it, and run the command again
db_load -T -t hash -f vuser.list vuser.db
The new username and password are appended to vuser.db.
Give vuser.db mode 600.
chmod 600 vuser.db
📓 After the above steps the database file has been generated, while vuser.list still holds the passwords in plain text.
Delete the vuser.list file (it was written in /etc/vsftpd above).
rm -f /etc/vsftpd/vuser.list
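The steps of this section, checking the list, running db_load, restricting the database and removing the plaintext list, as one script. This is an added example and not code from the original tutorial; the list and database paths are parameters, and only the usage comment assumes the tutorial's /etc/vsftpd/vuser.list and vuser.db.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check a vuser.list
# before handing it to db_load, build vuser.db, lock the database down to
# mode 600 and remove the plaintext list. Paths are parameters; the paths
# in the usage comment match the tutorial (/etc/vsftpd/vuser.list, vuser.db).

# check_vuser_list FILE
# The list format read by db_load -T is one username per odd line and that
# user's password on the following even line. Returns 0 when FILE has an
# even number of non-blank entries and no username appears twice; otherwise
# prints the problem on stderr and returns 1.
check_vuser_list() {
    list="$1"
    [ -f "$list" ] || { echo "check_vuser_list: no such file: $list" >&2; return 1; }
    awk -v f="$list" '
        NF {                                   # ignore blank lines
            n++
            if (n % 2 == 1 && seen[$0]++)      # odd entries are usernames
                dup = dup " " $0
        }
        END {
            if (n % 2 == 1) { print f ": odd number of entries (" n "); a user is missing its password"; exit 1 }
            if (dup != "")  { print f ": duplicate usernames:" dup; exit 1 }
        }' "$list" >&2
}

# db_perms_ok DBFILE
# Returns 0 only when DBFILE is a regular file readable and writable by its
# owner alone (-rw-------), which is what chmod 600 produces. The first ten
# characters of ls -l are used so the check does not need GNU stat.
db_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# build_vuser_db LISTFILE DBFILE
# Validates the list, builds the hash database, restricts it to its owner
# and deletes the plaintext list so the passwords do not linger on disk.
build_vuser_db() {
    list="$1"; db="$2"
    check_vuser_list "$list" || return 1
    command -v db_load >/dev/null 2>&1 \
        || { echo "db_load not found; install the package that provides it (libdb-utils)" >&2; return 1; }
    db_load -T -t hash -f "$list" "$db" || return 1
    chmod 600 "$db"
    db_perms_ok "$db" || return 1
    rm -f "$list"
}

# Usage (as root, after writing /etc/vsftpd/vuser.list):
#   build_vuser_db /etc/vsftpd/vuser.list /etc/vsftpd/vuser.db
```

Because db_load appends to an existing database, the same function also serves the "add a new user" case: re-create the list with the new pair, run build_vuser_db again, and the list is validated and removed each time.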
7. Create the PAM authentication file for virtual users
vim /etc/pam.d/vsftpd.vu
Enter the following
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
8. Configure vsftpd.conf
vim /etc/vsftpd/vsftpd.conf
The configuration is as follows
anonymous_enable=NO
local_enable=YES
guest_enable=YES
pam_service_name=vsftpd.vu
allow_writeable_chroot=YES
user_config_dir=/etc/vsftpd/vusers_dir
Parameter | Effect |
---|---|
anonymous_enable=NO | NO: anonymous mode disabled; YES: anonymous mode enabled |
local_enable=YES | NO: local user mode not allowed; YES: local user mode allowed |
guest_enable=YES | Enable virtual user mode |
guest_username=virtual | The system account that virtual users are mapped to |
pam_service_name=vsftpd.vu | The PAM file to use |
allow_writeable_chroot=YES | Allow the chroot FTP root to be writable instead of rejecting the user's login |
Set the PAM service name and configure the passive-mode port range. (This port range must be opened on the firewall, so keep it as small as the application allows.) The PAM service name must match the file created in step 7; note that when a key appears twice in vsftpd.conf, the later value wins.
pam_service_name=vsftpd.vu
pasv_min_port=30001
pasv_max_port=30010
My final configuration file is as follows
anonymous_enable=NO
local_enable=YES
guest_enable=YES
# must match the PAM file from step 7; set it only once, a later duplicate would override it
pam_service_name=vsftpd.vu
allow_writeable_chroot=YES
user_config_dir=/etc/vsftpd/vusers_dir
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pasv_min_port=30001
pasv_max_port=30010
userlist_deny=YES
userlist_enable=YES
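A small audit script for the configuration above, added here as an example and not part of the original tutorial. vsftpd applies options top to bottom, so a key that appears twice takes its last value; the script reports duplicated keys, checks that the virtual-user settings from this section are the ones in effect, and derives the passive port range that the firewall step has to open. The path is a parameter, the PAM file name vsftpd.vu is taken from step 7, and the set of checks is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a vsftpd.conf the
# way vsftpd itself reads it. Options are applied top to bottom and a key
# that appears twice takes its LAST value, so a stray second
# pam_service_name=vsftpd line silently overrides pam_service_name=vsftpd.vu
# and logins are no longer checked against vuser.db. Assumptions: the file
# path is a parameter and the virtual-user PAM file is named vsftpd.vu as in
# step 7; the security checks below are this example's own choices.

# effective_value CONF KEY
# Prints the value vsftpd will actually use for KEY (its last occurrence).
effective_value() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || !NF { next }          # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            if (key == want) { val = substr($0, eq + 1); sub(/[[:space:]]+$/, "", val) }
        }
        END { if (val != "") print val }' "$1"
}

# duplicate_keys CONF
# Prints every key that is set more than once, one per line, sorted.
duplicate_keys() {
    awk '
        /^[[:space:]]*#/ || !NF { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            count[key]++
        }
        END { for (k in count) if (count[k] > 1) print k }' "$1" | sort
}

# audit_vsftpd_conf CONF
# Warns about duplicated keys, returns 1 if the virtual-user hardening from
# the tutorial is not in effect, and otherwise prints the passive port
# range that must be opened on the firewall.
audit_vsftpd_conf() {
    conf="$1"; rc=0
    for k in $(duplicate_keys "$conf"); do
        echo "WARN: $k is set more than once; effective value: $(effective_value "$conf" "$k")" >&2
    done
    [ "$(effective_value "$conf" anonymous_enable)" = "NO" ] \
        || { echo "FAIL: anonymous_enable must be NO" >&2; rc=1; }
    [ "$(effective_value "$conf" guest_enable)" = "YES" ] \
        || { echo "FAIL: guest_enable must be YES for virtual users" >&2; rc=1; }
    [ "$(effective_value "$conf" pam_service_name)" = "vsftpd.vu" ] \
        || { echo "FAIL: pam_service_name does not point at the virtual-user PAM file" >&2; rc=1; }
    lo=$(effective_value "$conf" pasv_min_port)
    hi=$(effective_value "$conf" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port missing or inverted" >&2; rc=1
    else
        echo "open ${lo}-${hi}/tcp on the firewall for passive data connections"
    fi
    return $rc
}

# Usage: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
```

Run it after every edit of vsftpd.conf; a configuration that still authenticates through the stock /etc/pam.d/vsftpd file instead of vuser.db fails the pam_service_name check even though logins may appear to work.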
9. Set different permissions for virtual users
By default a virtual user cannot upload, create or modify files. Each virtual user is granted rights through the per-user permission configuration below.
Create /etc/vsftpd/vusers_dir and, inside it, a file with the same name as the virtual user to hold that user's permissions
mkdir /etc/vsftpd/vusers_dir
cd /etc/vsftpd/vusers_dir
vim /etc/vsftpd/vusers_dir/ftpuser
Add the following
guest_username=ftpuser
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
write_enable=YES
local_root=/var/www/html/ftp
Make sure /var/www/html/ftp exists, is owned by ftpuser (user and group) and has mode 755; otherwise the user will not be able to create new folders.
Then confirm that the main configuration file specifies the directory in which these per-user configuration files are stored (user_config_dir=/etc/vsftpd/vusers_dir).
vim /etc/vsftpd/vsftpd.conf
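A generator for these per-user files, added as an example that is not part of the original tutorial. It writes a read-only profile or an upload profile with exactly the options shown above, and refuses to write one unless local_root already exists and is owned by the guest account, which is the check the note above asks for. Directory, user and account names are parameters; the paths in the usage comment follow the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate a per-user file in
# user_config_dir that gives each virtual user only the rights it needs.
# "ro" users receive no anon_* write options; "rw" users get exactly the
# upload/mkdir/other-write options the tutorial enables. Before writing, the
# function checks that local_root exists and is owned by the guest system
# user, because a missing or wrongly owned directory only shows up later as
# a failed upload or mkdir. All paths and names are parameters; the values
# in the usage comment follow the tutorial.

# write_vuser_profile CONF_DIR USER LOCAL_ROOT ro|rw [GUEST_USER]
# Returns 0 and writes CONF_DIR/USER on success, 1 on a bad mode or a
# local_root that does not exist or is not owned by GUEST_USER.
write_vuser_profile() {
    dir="$1"; user="$2"; root="$3"; mode="$4"; guest="${5:-ftpuser}"
    case "$mode" in
        ro|rw) ;;
        *) echo "write_vuser_profile: mode must be ro or rw" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "local_root $root does not exist" >&2; return 1; }
    owner=$(ls -ld "$root" | awk '{ print $3 }')
    [ "$owner" = "$guest" ] || { echo "$root is owned by $owner, not $guest" >&2; return 1; }
    mkdir -p "$dir" || return 1
    {
        echo "guest_username=$guest"
        echo "local_root=$root"
        if [ "$mode" = "rw" ]; then
            echo "write_enable=YES"
            echo "anon_upload_enable=YES"
            echo "anon_mkdir_write_enable=YES"
            echo "anon_other_write_enable=YES"
        else
            echo "write_enable=NO"     # read-only: list and download only
        fi
    } > "$dir/$user"
}

# profile_allows_upload CONF_DIR USER
# Returns 0 when the user's profile enables uploads, 1 otherwise.
profile_allows_upload() {
    grep -qx 'anon_upload_enable=YES' "$1/$2"
}

# Usage (as root):
#   write_vuser_profile /etc/vsftpd/vusers_dir ftpuser /var/www/html/ftp rw ftpuser
#   write_vuser_profile /etc/vsftpd/vusers_dir viewer  /var/www/html/ftp ro ftpuser
```

The point of the two tiers is least privilege: a forum that only needs to serve avatars can hand most virtual users a read-only profile and reserve the write options for the account that actually uploads.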
10. Open the related firewall ports
firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=20/tcp --permanent
firewall-cmd --zone=public --add-port=30000-30010/tcp --permanent
firewall-cmd --reload
11. Set SELinux related permissions
setsebool -P allow_ftpd_full_access on
setsebool -P tftp_home_dir on
12. Restart vsftpd and verify
systemctl restart vsftpd
ftp localhost
Or verify with an FTP client program.
See how convenient virtual users are? To add more users you only need to:
- Add a virtual user and set the virtual user's home directory and password
- Add the virtual user's name and password to the user database
- In the vusers_dir directory (configured in the main configuration file through user_config_dir), add a file with the same name as the virtual user and write that user's configuration into it.
Well, that's all for this tutorial. If you have any questions, you can leave a message to me.