In nodea:
[preparation before experiment]
reset the virtual machine nodea first
nm-connection-editor # configure network
hostnamectl set-hostname westoslinux117.westos.org # Modify host name
vim /etc/sysconfig/selinux # Disable SELinux: set the state to disabled
SELINUX=disabled
reboot # restart
systemctl disable --now firewalld # Stop and disable the firewall
Software repository setup (if it was built before, it does not need to be built again)
2.vsftpd installation and startup
1) Install ftp service software
dnf search ftp # Find FTP
dnf install lftp vsftpd -y # Install LFTP and vsftpd services
systemctl enable --now vsftpd # Open vsftpd service
firewall-cmd --permanent --add-service=ftp # Add FTP service to the firewall
firewall-cmd --reload # Restart fire wall
Test that the installation is published: ftp://172.25.254.117
Access with a user name:
lftp 172.25.254.117 -u westos
Access without a user name (anonymous): requires modifying the configuration file
lftp 172.25.254.117 # Cannot log in before the configuration file is modified
lftp 172.25.254.117 # After modifying the main configuration file, anonymous access works
3.vsftpd basic information
Service Name: vsftpd.service
Configuration directory: /etc/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
Default publishing directory: /var/ftp
Error messages:
550 ## refused by the program itself (vsftpd's own access rules)
553 ## file system permission restrictions
500 ## permissions too permissive
530 ## authentication failed
4. Anonymous user access control
1) Home directory control
mkdir /westosdir
vim /etc/vsftpd/vsftpd.conf # around line 12:
anon_root=/westosdir
systemctl restart vsftpd # Restart the service
touch /westosdir/westosfile{1..3}
Test: lftp 172.25.254.117
2) Login control
vim /etc/vsftpd/vsftpd.conf # around line 13:
anonymous_enable=YES # Allow anonymous users to log in
systemctl restart vsftpd # Restart the service
3) Anonymous user upload control
By default anonymous users cannot upload (upload means transferring files from the client host to the server)
vim /etc/vsftpd/vsftpd.conf # around line 29:
anon_upload_enable=YES # Allow anonymous users to upload
systemctl restart vsftpd # Restart the service
chmod 775 /var/ftp/pub # Give the pub directory group write permission
chgrp ftp /var/ftp/pub # Hand pub to the ftp group, the identity anonymous users run as
Test: lftp 172.25.254.117
Note: uploads only succeed inside the pub directory
4) Control of directory creation, download and deletion commands
anon_mkdir_write_enable=YES # Control over creating directories
anon_world_readable_only=NO ## Download control: with NO, anonymous users can also download files that are not world-readable
anon_other_write_enable=YES ## Anonymous users may delete (and perform other write operations besides upload and mkdir)
vim /etc/vsftpd/vsftpd.conf
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
anon_other_write_enable=YES
systemctl restart vsftpd
Test: lftp 172.25.254.117
5) Anonymous user upload file permission settings
anon_umask=022 ## Once chown_upload/chown_username are set, the upload permission is no longer controlled by this parameter
vim /etc/vsftpd/vsftpd.conf
anon_umask=022 # The resulting permission is 644 [777-022-111]
systemctl restart vsftpd
Test: lftp 172.25.254.117
6) User identity setting for anonymous users to upload files
vim /etc/vsftpd/vsftpd.conf
chown_upload=YES
chown_username=westos # Uploaded files are owned by westos [ftp by default]
chown_upload_mode=0644 # Uploaded files get permission 644
systemctl restart vsftpd
Test: lftp 172.25.254.117
7) Login quantity control:
max_clients=2 # Limit the number of simultaneous logins to 2
vim /etc/vsftpd/vsftpd.conf
max_clients=2
systemctl restart vsftpd
Test: lftp 172.25.254.117 --> open several shells and log in at the same time; only two of them can log in
8) Upload rate control
anon_max_rate=102400 # Transfer rate limit for anonymous users, in bytes per second
dd if=/dev/zero of=/mnt/bigfile bs=1M count=500 # Create a 500M file bigfile in the /mnt directory
vim /etc/vsftpd/vsftpd.conf
anon_max_rate=102400
systemctl restart vsftpd
Test: lftp 172.25.254.117
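The settings in section 4 decide how much an anonymous client can do on the server, so before exposing the service it is worth reading them back out of vsftpd.conf rather than trusting memory. The script below is an added example, not part of the original notes or of vsftpd itself: it extracts the anonymous-user keys from a config file, flags the ones that grant write access, and computes the file mode that anon_umask produces (the notes' 777-022-111 arithmetic, generalised to any umask). The sample config it audits is constructed inline to mirror the lab values; point the functions at /etc/vsftpd/vsftpd.conf to audit a real server.

```shell
#!/bin/sh
# Added example (not from the original notes): read the anonymous-user
# settings out of a vsftpd.conf, flag the ones that grant write access, and
# work out the file mode that anon_umask produces. The sample config is
# constructed here; pass /etc/vsftpd/vsftpd.conf to audit a real server.

# vsftpd_get FILE KEY -> value of KEY (last uncommented occurrence wins),
# or nothing if the key is not set.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2=" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]'
}

# mode_from_umask UMASK -> mode of a newly uploaded file: 666 with the
# umask bits cleared, so 022 -> 644 and 077 -> 600.
mode_from_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# audit_anon_config FILE -> prints findings; returns 1 when anonymous users
# end up with some form of write access, 0 otherwise.
audit_anon_config() {
    f=$1; rc=0
    if [ "$(vsftpd_get "$f" anonymous_enable)" != "YES" ]; then
        echo "anonymous login is disabled"; return 0
    fi
    if [ "$(vsftpd_get "$f" write_enable)" != "YES" ]; then
        echo "write_enable is not YES: every write command is refused, anonymous or not"
        return 0
    fi
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(vsftpd_get "$f" $key)" = "YES" ]; then
            echo "WARN: $key=YES (anonymous users can write to the server)"; rc=1
        fi
    done
    if [ "$(vsftpd_get "$f" anon_world_readable_only)" = "NO" ]; then
        echo "WARN: anon_world_readable_only=NO (files that are not world-readable can be downloaded)"
    fi
    um=$(vsftpd_get "$f" anon_umask); [ -n "$um" ] || um=077   # vsftpd's built-in default
    echo "anon_root=$(vsftpd_get "$f" anon_root), uploads get mode $(mode_from_umask "$um")"
    return $rc
}

# make_sample_conf -> path of a constructed config written to a temp file
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, mirroring section 4 of the notes
anonymous_enable=YES
write_enable=YES
anon_root=/westosdir
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
EOF
    echo "$f"
}

# Usage: audit the constructed sample
SAMPLE=$(make_sample_conf)
audit_anon_config "$SAMPLE" || echo "=> anonymous write access is on; confirm it is intended"
rm -f "$SAMPLE"
```

The audit returns non-zero whenever any anonymous write switch is on, so it can sit in a deployment check; the write_enable test comes first because that global switch gates every write command regardless of the anon_* keys.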
5. Access of local users
1) Login control [local_enable=NO|YES]
useradd westos # Create the westos user (skip if it already exists)
useradd lee # Create the lee user
echo westos | passwd --stdin westos # Set the westos user's password to westos
echo westos | passwd --stdin lee # Set the lee user's password to westos
vim /etc/vsftpd/vsftpd.conf
local_enable=YES
systemctl restart vsftpd
Test: lftp 172.25.254.117 -u westos / lftp 172.25.254.117 -u lee
2) Home directory control [local_root=/software]
vim /etc/vsftpd/vsftpd.conf
local_root=/westos
systemctl restart vsftpd
Test: lftp 172.25.254.117 -u westos / lftp 172.25.254.117 -u lee
3) Write permission control [write_enable=NO|YES]
vim /etc/vsftpd/vsftpd.conf
write_enable=YES # YES grants write permission (a global setting; the default is YES)
systemctl restart vsftpd
Test: lftp 172.25.254.117 -u westos / lftp 172.25.254.117 -u lee
Note: to create a directory as the westos user here, check the target directory's permissions, i.e. which users and groups may write to it
When write permission is turned off (write_enable=NO):
vim /etc/vsftpd/vsftpd.conf
write_enable=NO
systemctl restart vsftpd
4) Upload file permission control [local_umask=077]
When local_umask=077:
vim /etc/vsftpd/vsftpd.conf
local_umask=077
systemctl restart vsftpd
When local_umask=022:
vim /etc/vsftpd/vsftpd.conf
local_umask=022
systemctl restart vsftpd
5) Local user login blacklist
/etc/vsftpd/ftpusers ## Permanent blacklist
/etc/vsftpd/user_list ## Blacklist by default
vim /etc/vsftpd/user_list # Add westos to the login blacklist
westos
systemctl restart vsftpd
Test: lftp 172.25.254.117 -u westos cannot log in, but the lee user can
6) Local user login whitelist
userlist_deny=NO # Use /etc/vsftpd/user_list as a whitelist
# Users who are not in the list cannot log in to ftp
vim /etc/vsftpd/vsftpd.conf
userlist_deny=NO
systemctl restart vsftpd
At this point /etc/vsftpd/user_list changes from a blacklist to a whitelist
Test: lftp 172.25.254.117 -u westos can log in, but the lee user is not in the whitelist and cannot
Note: after the experiment, remember to restore the user whitelist (delete the added westos)
7) Lock users to their home directory
chroot_local_user=YES|NO # Default NO: not locked; YES: locked
chmod u-w /home/* # vsftpd refuses to chroot into a directory that its owner can write, so remove the owner's write bit first
When the home directory is locked:
vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
systemctl restart vsftpd
When the home directory is not locked, users can move freely outside it:
vim /etc/vsftpd/vsftpd.conf
chroot_local_user=NO
systemctl restart vsftpd
8) Lock users into their home directory by blacklist: other users are not locked, only the users in the list are locked
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
When chroot_local_user=NO, /etc/vsftpd/chroot_list is a blacklist (the file does not exist by default; create it)
vim /etc/vsftpd/vsftpd.conf
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
systemctl restart vsftpd
vim /etc/vsftpd/chroot_list # Add the lee user to the list; lee is then locked into the home directory
lee
systemctl restart vsftpd
9) Lock users into their home directory by whitelist: other users are locked, only the users in the list are not locked
When chroot_local_user=YES, /etc/vsftpd/chroot_list is a whitelist
vim /etc/vsftpd/chroot_list # Edit the users in the whitelist
vim /etc/vsftpd/vsftpd.conf # Edit the configuration file
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
systemctl restart vsftpd
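Sections 5) to 9) above each flip the meaning of a list file with one key: user_list is a blacklist until userlist_deny=NO turns it into a whitelist, and chroot_list is a blacklist under chroot_local_user=NO but a whitelist under chroot_local_user=YES. The script below is an added example, not part of the original notes or of vsftpd: it evaluates those rules for a named user against a config directory, and also checks the condition behind the chmod u-w /home/* step (a chroot root that its owner can write is refused by vsftpd). The config directory, list files and home directories it works on are all constructed in a temp directory; the real ones live under /etc/vsftpd and /home.

```shell
#!/bin/sh
# Added example (not from the original notes): evaluate the local-user list
# rules from sections 5.5 to 5.9 against a constructed vsftpd config
# directory. Every file used here is created as sample data in a temp dir.

# cfg_get CONFDIR KEY -> value of KEY in CONFDIR/vsftpd.conf (empty if unset)
cfg_get() {
    grep -v '^[[:space:]]*#' "$1/vsftpd.conf" | grep "^[[:space:]]*$2=" \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# in_list FILE USER -> 0 if USER is listed (one name per line), 1 otherwise
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# login_allowed CONFDIR USER -> 0 if USER passes the list checks.
# ftpusers is always a deny list; user_list is a deny list unless
# userlist_deny=NO, which turns it into the set of the only allowed users.
login_allowed() {
    d=$1; u=$2
    in_list "$d/ftpusers" "$u" && return 1
    [ "$(cfg_get "$d" userlist_enable)" = "YES" ] || return 0
    if [ "$(cfg_get "$d" userlist_deny)" = "NO" ]; then
        in_list "$d/user_list" "$u"
    else
        ! in_list "$d/user_list" "$u"
    fi
}

# chrooted CONFDIR USER -> 0 if USER is locked into its home directory.
# chroot_local_user sets the rule for everyone; when chroot_list_enable=YES
# the users in chroot_list get the opposite of that rule.
chrooted() {
    d=$1; u=$2
    all=0; [ "$(cfg_get "$d" chroot_local_user)" = "YES" ] && all=1
    listed=0
    if [ "$(cfg_get "$d" chroot_list_enable)" = "YES" ]; then
        lf=$(cfg_get "$d" chroot_list_file); [ -n "$lf" ] || lf=/etc/vsftpd/chroot_list
        in_list "$lf" "$u" && listed=1
    fi
    [ "$all" != "$listed" ]
}

# chroot_root_safe DIR -> 0 if DIR is not writable by its owner. vsftpd
# refuses a chroot whose root is owner-writable, which is why the notes run
# chmod u-w /home/* before enabling chroot_local_user.
chroot_root_safe() {
    [ "$(ls -ld "$1" | cut -c3)" != "w" ]
}

# make_sample_confdir -> path of a constructed config directory
make_sample_confdir() {
    d=$(mktemp -d)
    cat > "$d/vsftpd.conf" <<EOF
# constructed sample, mirroring the final settings of section 5
local_enable=YES
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$d/chroot_list
EOF
    printf 'root\nbin\n' > "$d/ftpusers"
    printf 'westos\nlee\n' > "$d/user_list"   # a whitelist, because userlist_deny=NO
    printf 'lee\n' > "$d/chroot_list"         # lee is exempt from the chroot
    mkdir "$d/home_westos" "$d/home_lee"
    chmod u-w "$d/home_westos"                # like chmod u-w /home/* in the notes
    echo "$d"
}

# Usage: walk a few users through the rules
D=$(make_sample_confdir)
for u in westos lee root bob; do
    if login_allowed "$D" "$u"; then a=allowed; else a=denied; fi
    if chrooted "$D" "$u"; then c=chrooted; else c="not chrooted"; fi
    echo "$u: login $a, $c"
done
chroot_root_safe "$D/home_westos" && echo "home_westos: usable as a chroot root"
chroot_root_safe "$D/home_lee" || echo "home_lee: owner-writable, vsftpd would refuse a chroot login"
rm -rf "$D"
```

Reading the two list files through one pair of functions makes the inversion explicit: the list file never changes, only the key that decides whether being listed means "in" or "out".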
6. Virtual user access
1) Establish virtual user process
vim authlist # Create the credential template: one line with the user name, the next line with the password
user1
123
user2
123
user3
123
db_load -T -t hash -f authlist authlist.db ## Convert the plain-text authentication file into a hashed .db file (-T: read text input; -t hash: database type; -f: the template file to convert)
vim authpam # PAM looks up service files in /etc/pam.d, so create this as /etc/pam.d/authpam
account required pam_userdb.so db=/etc/vsftpd/authlist
auth required pam_userdb.so db=/etc/vsftpd/authlist
vim /etc/vsftpd/vsftpd.conf
pam_service_name=authpam ## Specify the authentication policy file
userlist_enable=YES
guest_enable=YES ## Enable virtual (guest) users
guest_username=ftp ## The local identity that virtual users take on the ftp server
systemctl restart vsftpd
Note: the paths must match. The authlist file must sit at the path given after db= in the authpam file (if authlist is written in /etc/vsftpd/, then db=/etc/vsftpd/authlist in authpam must point to it, with the same file name; pam_userdb appends .db itself). In the main configuration file /etc/vsftpd/vsftpd.conf, pam_service_name=authpam must equal the name of the authpam authentication policy file.
Test:
2) Independent setting of virtual user home directory
mkdir -p /var/ftphome/user{1..3}/westos
touch /var/ftphome/user1/user1file1
touch /var/ftphome/user2/user2file2
touch /var/ftphome/user3/user3file3
vim /etc/vsftpd/vsftpd.conf
local_root=/var/ftphome/$USER # $USER is replaced by the virtual user's name
user_sub_token=$USER
systemctl restart vsftpd
3) User configuration independent
#### Before this experiment, comment out anon_upload_enable=YES in /etc/vsftpd/vsftpd.conf
mkdir -p /var/ftphome/user{1..3}/westos
chmod 775 /var/ftphome/user{1..3}/westos
chgrp ftp /var/ftphome/user{1..3}/westos
mkdir /etc/vsftpd/confdir
vim /etc/vsftpd/confdir/user1 # Edit user1's per-user configuration file
anon_upload_enable=YES # user1 can upload
systemctl restart vsftpd
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/confdir
systemctl restart vsftpd
Test: user1 has a per-user configuration file (/etc/vsftpd/confdir/user1), so it can upload; user2 and user3 have none and cannot upload
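Two things in section 6 fail silently when done by hand: an authlist template with a stray or missing line makes db_load pair the wrong lines, and a typo in user_sub_token leaves every virtual user in the literal directory /var/ftphome/$USER. The script below is an added example, not part of the original notes or of vsftpd: it checks that a template alternates user and password lines with no blanks or duplicate users before it is fed to db_load, and it resolves local_root for a given virtual user the way user_sub_token substitution does. The template file and the local_root values are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks for the
# virtual-user setup in section 6. Sample data is constructed inline;
# nothing here touches /etc/vsftpd or /etc/pam.d.

# authlist_check FILE -> 0 if FILE alternates "user" / "password" lines with
# no blank lines and no repeated user, which is the layout db_load -T reads.
# Problems are printed one per line and the function returns 1.
authlist_check() {
    awk '
        NF == 0     { print "blank line " NR; bad = 1 }
        NR % 2 == 1 { if (seen[$1]++) { print "duplicate user " $1; bad = 1 } }
        END {
            if (NR % 2) { print "odd line count: a user has no password"; bad = 1 }
            exit bad
        }' "$1"
}

# virtual_user_root LOCAL_ROOT TOKEN USER -> the directory a virtual user
# lands in once every TOKEN in LOCAL_ROOT is replaced by USER, e.g.
# /var/ftphome/$USER with token $USER and user1 -> /var/ftphome/user1.
# Literal matching (awk index), so the $ in the token is not a regex anchor.
virtual_user_root() {
    awk -v r="$1" -v t="$2" -v u="$3" 'BEGIN {
        out = ""
        while ((i = index(r, t)) > 0) {
            out = out substr(r, 1, i - 1) u
            r = substr(r, i + length(t))
        }
        print out r
    }'
}

# Usage: check a constructed template, then resolve the home for each user
TEMPLATE=$(mktemp)
printf 'user1\n123\nuser2\n123\nuser3\n123\n' > "$TEMPLATE"   # constructed, same users as the notes
if authlist_check "$TEMPLATE"; then
    echo "template is well formed, safe to run db_load -T -t hash -f on it"
fi
for u in user1 user2 user3; do
    echo "$u -> $(virtual_user_root '/var/ftphome/$USER' '$USER' "$u")"
done
rm -f "$TEMPLATE"
```

Run authlist_check on the template every time it is edited; db_load accepts the file either way, and the mismatch only shows up later as a 530 for a user whose password line shifted by one.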