0 Preface
This article records the whole process of installing and configuring an FTP server with vsftpd.
ftp provides three login modes,
1 common commands
# Install vsftpd
yum install -y vsftpd
# Check status | start | stop | restart the vsftpd service
service vsftpd status|start|stop|restart
# Start vsftpd automatically at boot
systemctl enable vsftpd.service
# Open the FTP service (port 21) in the firewall
firewall-cmd --add-service=ftp --permanent
firewall-cmd --reload
# Back up the configuration file
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
2 two access modes
2.1 active mode
The client sends a connection request to the FTP port of the server (21 by default); the server accepts the connection and a command link is established.
When data needs to be transmitted, the client uses the PORT command on the command link to tell the server: "I have opened port xxxx, connect to me".
The server then sends a connection request from its port 20 to port xxxx on the client and establishes a data link over which the data is transmitted.
2.2 passive mode
The client sends a connection request to the FTP port of the server (21 by default); the server accepts the connection and a command link is established.
When data needs to be transmitted, the server uses the PASV command on the command link to tell the client: "I have opened port xxxx, connect to me".
The client then sends a connection request to port xxxx on the server and establishes a data link over which the data is transmitted.
2.3 advantages and disadvantages
Active mode is easily blocked by firewalls: most clients are online behind NAT, so the server cannot initiate a connection to port xxxx on the client.
Passive mode is not blocked by firewalls, because a connection initiated by the client is normal NAT operation and is fully allowed; passive mode is also relatively more secure.
2.4 turn on passive mode
Edit the configuration file:
# vim /etc/vsftpd/vsftpd.conf
# Enable pasv mode
pasv_enable=YES
# pasv port start number
pasv_min_port=60000
# pasv port end number
pasv_max_port=60100
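The edit above is normally done by hand in vim. The following script, added here as an example and not part of the original article, does the same change repeatably: it rewrites an existing (or commented-out) key in a vsftpd.conf-style file, appends it if absent, and refuses a passive port range that is not sane. It assumes the KEY=VALUE syntax vsftpd.conf uses; the helper names set_conf_key, get_conf_key and enable_pasv are this example's own, and the demo works on a constructed temporary copy, never on the live file.

```shell
#!/bin/sh
# Added example (not from the original article): set vsftpd.conf keys in place
# and enable passive mode on a bounded port range. Assumptions: the file uses
# KEY=VALUE lines with '#' comments, as vsftpd.conf does; the helper names
# (set_conf_key, get_conf_key, enable_pasv) are this example's own.

# set_conf_key FILE KEY VALUE
# Rewrites every active "KEY=..." or commented "#KEY=..." line to KEY=VALUE;
# appends the line if the key is absent. Edits via a temp file, then renames.
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        sed "s|^#*[[:space:]]*$key=.*|$key=$value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_conf_key FILE KEY
# Prints the value of the last active KEY line (vsftpd honours the last one), or nothing.
get_conf_key() {
    sed -n "s|^[[:space:]]*$2=||p" "$1" | tail -n 1
}

# enable_pasv FILE MIN MAX
# Turns on passive mode with an explicit port range, so the firewall can be
# scoped to MIN-MAX/tcp instead of leaving the data ports unbounded.
enable_pasv() {
    file=$1; min=$2; max=$3
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "enable_pasv: invalid port range $min-$max" >&2
        return 1
    fi
    set_conf_key "$file" pasv_enable YES
    set_conf_key "$file" pasv_min_port "$min"
    set_conf_key "$file" pasv_max_port "$max"
}

# Demo on a constructed copy of a configuration file, never on the live one.
demo=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' '#pasv_enable=NO' 'listen=YES' > "$demo"
enable_pasv "$demo" 60000 60100
cat "$demo"
rm -f "$demo"
```

After running enable_pasv against /etc/vsftpd/vsftpd.conf, the same range must be opened in the firewall (firewall-cmd --permanent --add-port=60000-60100/tcp followed by firewall-cmd --reload) and vsftpd restarted; opening only the ftp service, as in section 1, covers port 21 but not the passive data ports.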
3 three login modes
The vsftpd server supports three types of user account: anonymous users, local users and virtual users. Their purpose and differences are as follows:
- Anonymous user: a user named anonymous or ftp. After an anonymous FTP user logs in, /var/ftp on the FTP server is used as the FTP root directory.
- Local user: a user account of the Linux system. After logging in to the FTP server with a local user account, the login directory is the home directory of that local user.
- Virtual user: a non-system user account provided by the vsftpd server to protect the FTP server. After a virtual user logs in via FTP, the specified directory is used as the FTP root directory. Virtual users work much like local users; because they are safer, they are gradually replacing local user accounts.
4 relevant documents and directory
# vsftpd configuration file
/etc/vsftpd/vsftpd.conf
# PAM authentication file
/etc/pam.d/vsftpd
# Default directory for anonymous users
/var/ftp
# Download directory for anonymous users
/var/ftp/pub
# List of users forbidden to access the ftp server
/etc/vsftpd/ftpusers
# List of users allowed to access the ftp server
/etc/vsftpd/user_list
# Upload and download log of ftp
/var/log/xferlog
5 notes to configuration file vsftpd.conf
# Whether anonymous login to the FTP server is allowed.
anonymous_enable=NO
# Whether local users (i.e. user accounts of the Linux system) may log in to the FTP server.
# The default is YES; a local user lands in their home directory after logging in,
# while an anonymous user lands in the anonymous download directory /var/ftp.
# To allow only anonymous access, comment this line out with # so that local users cannot log in.
local_enable=YES
# Whether local users may write to files on the FTP server. YES is the default.
write_enable=YES
# The file mask for local users; 022 by default, adjust to taste.
local_umask=022
# To allow anonymous users to upload files, write_enable must also be YES.
#anon_upload_enable=YES
# Whether anonymous users may create new directories.
#anon_mkdir_write_enable=YES
# Whether to enable the directory welcome message:
# when a user first enters a directory on the server in CMD mode, the FTP server shows the message.
# By default the message is read from the .message file in that directory,
# which holds the custom welcome text and is created by the user.
dirmessage_enable=YES
# If enabled, the system keeps a log file recording uploads and downloads;
# by default it is /var/log/vsftpd.log, which can be changed with the xferlog_file option below.
xferlog_enable=YES
# Make the server originate data connections from port 20 (port 21 being the control port).
connect_from_port_20=YES
# Whether to change the owner of uploaded files; used together with the next setting.
# Note: uploading files as the root user is not recommended.
#chown_uploads=YES
# The owner that uploaded files should be changed to. Enter a system user name if needed;
# for example, uploaded files can be changed to be owned by root ("whoever" here is only a placeholder).
#chown_username=whoever
# The log file in which the system records uploads and downloads of the FTP server;
# /var/log/vsftpd.log is the default and other paths can be set.
#xferlog_file=/var/log/vsftpd.log
# If enabled, the transfer log is written in the standard xferlog format;
# the default log file for this format is /var/log/xferlog,
# which can also be changed with the xferlog_file option. The default value is NO.
xferlog_std_format=YES
# If this option is added and enabled, two similar log files are produced,
# by default /var/log/xferlog and /var/log/vsftpd.log;
# the former is a wu-ftpd style transfer log that standard log tools can analyse, the latter is the vsftpd style log.
#dual_log_enable=YES
# If this option is added and enabled, the log that would go to /var/log/vsftpd.log is sent to the system log instead.
#syslog_enable=YES
# The idle session timeout: here an idle user session is dropped after 600 seconds,
# i.e. once a transfer finishes the user must not stay idle on the FTP server for more than 600 seconds; adjust as needed.
idle_session_timeout=600
# The data connection timeout: here 120 seconds; adjust as needed.
data_connection_timeout=120
# The unprivileged system user that vsftpd runs as; nobody by default.
#nopriv_user=ftpsecure
# Enable this if FTP clients will issue the "async ABOR" command;
# it is generally considered unsafe, so it is usually left disabled.
#async_abor_enable=YES
# Most FTP servers transfer data in ASCII mode;
# remove the # to allow uploads in ASCII mode.
#ascii_upload_enable=YES
# Remove the # to allow downloads in ASCII mode.
#ascii_download_enable=YES
# Remove the # to set the welcome banner shown when logging in to the FTP server;
# the text after = can be edited.
# Separately, to change the welcome message of a directory, create a file named .message in that directory;
# once the welcome text is written and saved, it is shown when entering that directory.
#ftpd_banner=Welcome to blah FTP service.
# Certain e-mail addresses can be blocked.
# When logging in as anonymous, the password prompt asks for your e-mail address;
# unwanted e-mail addresses can be denied login with this setting, which must be used together with the setting below.
#deny_email_enable=YES
# When deny_email_enable=YES, this setting names the file of e-mail addresses that may not log in to the vsftpd server.
# The file must be created by the administrator, one e-mail address per line.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether all users are restricted to their home directory. YES enables it, NO disables it.
# With YES, users are locked in their home directory;
# with NO, a user can reach files outside their own directory after logging in to the FTP server.
# vsftpd uses the chroot_list file as the user list; it must be created by the administrator.
chroot_local_user=YES
# When a user is restricted to their home directory, that home directory may no longer be writable.
# The following option lets the home directory keep write permission.
allow_writeable_chroot=YES
# Whether to enable the exception list of restricted users. YES enables it, NO disables it.
chroot_list_enable=NO
# This file must be created by hand, one user per line.
# Users listed in it cannot change to a directory other than their own after logging in;
# the FTP server automatically chroots them into their own home directory.
# A user in the chroot_list file cannot wander into the FTP home directories of other users,
# which helps the security management and privacy protection of the FTP server.
#chroot_list_file=/etc/vsftpd/chroot_list
# Examples:
# All users are restricted to their home directory, except the users in chroot_list:
# [chroot_local_user=YES] & [chroot_list_enable=YES]
# All users are restricted to their home directory, and chroot_list is not enabled:
# [chroot_local_user=YES] & [chroot_list_enable=NO]
# No user is restricted to their home directory, except the users in chroot_list, who are:
# [chroot_local_user=NO] & [chroot_list_enable=YES]
# The FTP home directory a user lands in after logging in.
local_root=/usr/share/nginx/www/
# Whether recursive listing is allowed; enabling it on a large site's FTP server makes remote queries easier.
ls_recurse_enable=YES
# If set to YES, vsftpd runs in standalone mode and listens for and handles IPv4 connection requests itself.
listen=YES
# Whether IPv6 is supported.
#listen_ipv6=YES
# The name of the PAM service configuration used for authentication,
# i.e. the file /etc/pam.d/vsftpd;
# its file=/etc/vsftpd/ftpusers field shows that the accounts the PAM module rejects come from /etc/vsftpd/ftpusers.
pam_service_name=vsftpd
# If set to YES, both the ftpusers and user_list files are consulted when deciding who may log in;
# if set to NO, users in ftpusers may not log in and user_list is ignored, so its users may log in.
userlist_enable=YES
# The userlist_deny setting only takes effect when userlist_enable=YES.
# If it is YES, users in the user_list file are not allowed to log in to the FTP server;
# they are rejected by the FTP server outright, before the password prompt.
#userlist_deny=YES
# Examples:
# Users in ftpusers may not log in, and users in user_list may not log in (rejected outright, before the password prompt):
# [userlist_enable=YES] & [userlist_deny=YES]
# Users in ftpusers may not log in; users in user_list may log in:
# [userlist_enable=YES] & [userlist_deny=NO]
# Use TCP wrappers as the host access control mechanism;
# TCP wrappers provide host address based access control of network services on Linux;
# the hosts.allow and hosts.deny files in /etc hold the TCP wrappers access control entries,
# the former listing allowed records and the latter denied records.
# For example, to restrict anonymous access by some hosts to the FTP server 192.168.57.2,
# edit /etc/hosts.allow and add two entries such as:
# vsftpd:192.168.57.1:DENY and vsftpd:192.168.57.9:DENY,
# which means the hosts with IP 192.168.57.1 / 192.168.57.9 are denied access to the FTP server at 192.168.57.2;
# they can still PING the FTP server but cannot connect to it.
tcp_wrappers=YES
# Enable pasv mode
pasv_enable=YES
# pasv port start number
pasv_min_port=12000
# pasv port end number
pasv_max_port=12199
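The annotated file above mixes settings that widen exposure (anonymous writes, no chroot, a writable chroot root, unbounded passive ports) with ones that reduce it. The script below is an added example, not part of the original article: a read-only audit that reads a vsftpd.conf and prints one WARN line per risky setting, returning the count. It assumes the KEY=VALUE syntax, and the fallback used for an absent key is vsftpd's upstream default (for instance anonymous_enable defaults to YES, so an unset key is treated as YES); the function names conf_get, warn and vsftpd_audit are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit that reads a
# vsftpd.conf and flags the settings discussed above that widen exposure.
# Assumptions: KEY=VALUE syntax, and the fallback values used when a key is
# absent are vsftpd's upstream defaults (e.g. anonymous_enable defaults to YES).
# Function names are this example's own.

# conf_get FILE KEY DEFAULT -> value of the last active KEY line, or DEFAULT
conf_get() {
    v=$(sed -n "s|^[[:space:]]*$2=||p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

AUDIT_N=0
warn() { printf 'WARN: %s\n' "$1"; AUDIT_N=$((AUDIT_N + 1)); }

# vsftpd_audit FILE -> prints one WARN line per finding, returns the finding count
vsftpd_audit() {
    f=$1; AUDIT_N=0
    if [ "$(conf_get "$f" anonymous_enable YES)" = "YES" ]; then
        warn "anonymous_enable=YES: logins without credentials are accepted"
        [ "$(conf_get "$f" anon_upload_enable NO)" = "YES" ] && warn "anon_upload_enable=YES: anonymous users may upload"
        [ "$(conf_get "$f" anon_mkdir_write_enable NO)" = "YES" ] && warn "anon_mkdir_write_enable=YES: anonymous users may create directories"
        [ "$(conf_get "$f" anon_other_write_enable NO)" = "YES" ] && warn "anon_other_write_enable=YES: anonymous users may delete and rename"
    fi
    if [ "$(conf_get "$f" local_enable NO)" = "YES" ]; then
        [ "$(conf_get "$f" chroot_local_user NO)" = "YES" ] || warn "chroot_local_user=NO: local users can browse outside their home directory"
        [ "$(conf_get "$f" allow_writeable_chroot NO)" = "YES" ] && warn "allow_writeable_chroot=YES: the chroot root is writable, which weakens the jail"
    fi
    if [ "$(conf_get "$f" pasv_enable YES)" = "YES" ] && [ -z "$(conf_get "$f" pasv_min_port '')" ]; then
        warn "pasv_enable=YES without pasv_min_port/pasv_max_port: data ports are unbounded, so the firewall cannot be scoped"
    fi
    if [ "$(conf_get "$f" listen NO)" = "YES" ] && [ "$(conf_get "$f" listen_ipv6 NO)" = "YES" ]; then
        warn "listen=YES and listen_ipv6=YES: vsftpd refuses to start with both enabled"
    fi
    [ "$(conf_get "$f" xferlog_enable NO)" = "YES" ] || warn "xferlog_enable=NO: no transfer log for incident investigation"
    [ "$(conf_get "$f" userlist_enable NO)" = "YES" ] || warn "userlist_enable=NO: /etc/vsftpd/user_list is ignored"
    return $AUDIT_N
}

# Demo on a constructed configuration (a cut-down anonymous-upload profile).
demo=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'anon_upload_enable=YES' \
    'listen=NO' 'listen_ipv6=YES' 'xferlog_enable=YES' 'userlist_enable=YES' \
    'pasv_enable=YES' 'pasv_min_port=60000' 'pasv_max_port=60100' > "$demo"
vsftpd_audit "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

Run it as vsftpd_audit /etc/vsftpd/vsftpd.conf after every edit and before the restart; a non-zero return is a prompt to look at the listed lines, not a verdict, since an anonymous download mirror legitimately keeps anonymous_enable=YES.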
Establish ftp account
# Create a new local account named ftper that cannot log in to a shell
useradd -s /sbin/nologin ftper
# Set the password for the new FTP account
passwd ftper
# Because the account has no login shell, the PAM file must be changed:
#   auth required pam_shells.so
# is changed to
#   auth required pam_nologin.so
vim /etc/pam.d/vsftpd
# Restart vsftpd
systemctl restart vsftpd.service
3.1 anonymous login
vsftpd allows anonymous access by default, and the path on the FTP server that anonymous users reach by default is /var/ftp/pub.
Anonymous users have view permission only and cannot create, delete or modify anything. To turn off anonymous FTP access, edit the configuration file /etc/vsftpd/vsftpd.conf, change anonymous_enable=YES to anonymous_enable=NO, and restart the vsftpd service.
If anonymous users are to be allowed to upload, download and delete files, add the following lines to the configuration file /etc/vsftpd/vsftpd.conf:
# Allow anonymous users to upload files
anon_upload_enable=YES
# Allow anonymous users to create directories
anon_mkdir_write_enable=YES
# Allow anonymous users other write permissions
anon_other_write_enable=YES
The complete anonymous-user configuration file is as follows:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=NO
# Enable pasv mode
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
vsftpd has two default anonymous users, anonymous and ftp. For anonymous users to upload, delete and modify files, the ftp user needs write permission on the /var/ftp/pub directory; grant it with chown or chmod, for example with the following command:
chown -R ftp /var/ftp/pub/
Once vsftpd.conf has been configured and the permissions set as described above, restart the vsftpd service; the server can then be accessed from a Windows client to upload files, delete files, create directories and so on.
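The chown above hands only /var/ftp/pub to the ftp user; the anonymous root /var/ftp itself must stay non-writable, because vsftpd refuses to run an anonymous session inside a chroot whose root is writable. The script below, an added example and not part of the original article, checks that layout before the restart. It assumes GNU (or busybox) stat with the -c option, the /var/ftp and /var/ftp/pub layout described above, and that group membership is not resolved (a group-writable root is reported as writable, deliberately); the function names dir_mode, dir_owner, writable_by and check_anon_tree are this example's own, and the demo runs on a constructed temporary tree with the current user standing in for ftp.

```shell
#!/bin/sh
# Added example (not from the original article): check the anonymous directory
# tree before restarting vsftpd. Assumptions: stat -c is available (GNU or
# busybox); the anonymous root is /var/ftp and the upload directory /var/ftp/pub,
# as in the article; function names are this example's own. vsftpd refuses
# anonymous sessions when the chroot root itself is writable by the ftp user,
# so only the upload subdirectory should be handed to that user.

dir_mode()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 755 or 1777
dir_owner() { stat -c '%U' "$1"; }   # owner user name

# writable_by DIR USER -> 0 if USER has a write bit on DIR.
# Uses the owner bit when USER owns DIR, otherwise the group/other bits
# (group membership is not resolved, so group-writable counts as writable).
writable_by() {
    m=$(dir_mode "$1")
    if [ "$(dir_owner "$1")" = "$2" ]; then
        case $m in *[2367][0-7][0-7]) return 0 ;; esac
    fi
    case $m in *[2367][0-7]|*[2367]) return 0 ;; esac
    return 1
}

# check_anon_tree ROOT UPLOAD FTPUSER -> 0 when the layout is sound, 1 otherwise
# (each problem is printed on its own line)
check_anon_tree() {
    root=$1; upload=$2; ftpuser=$3; bad=0
    if [ ! -d "$root" ] || [ ! -d "$upload" ]; then
        echo "missing directory: $root or $upload"; return 1
    fi
    if writable_by "$root" "$ftpuser"; then
        echo "$root is writable by $ftpuser: vsftpd refuses a writable chroot root"; bad=1
    fi
    if [ "$(dir_owner "$upload")" != "$ftpuser" ]; then
        echo "$upload is not owned by $ftpuser: anonymous uploads will fail (chown -R $ftpuser $upload)"; bad=1
    fi
    case $(dir_mode "$upload") in
        *[2367]) echo "$upload is world-writable: owner write permission is enough"; bad=1 ;;
    esac
    return $bad
}

# Demo on a constructed tree in a temp directory (current user stands in for ftp).
demo=$(mktemp -d)
mkdir "$demo/pub"; chmod 555 "$demo"; chmod 755 "$demo/pub"
check_anon_tree "$demo" "$demo/pub" "$(id -un)" && echo "layout OK"
chmod 755 "$demo"; rm -rf "$demo"
```

On the real server the call is check_anon_tree /var/ftp /var/ftp/pub ftp; a clean run means the chown above took effect on pub only and the root still belongs to root without group or world write bits.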
4 system user login
vsftpd can use system users to log in to the FTP server.
To implement system-user authentication in vsftpd, it is enough to create one or more users on the Linux system with useradd and set a password for each; those user names and passwords can then log in to FTP to upload, download and delete files.
Add user
useradd ggftp
Set password
passwd ggftp
Modify the configuration file
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=NO