Abstract:
This walkthrough shows, step by step, how to build a vsftpd server that authenticates virtual users against a Berkeley db file and against a MySQL database. It also covers the troubleshooting done along the way, haha.
I also tested the build on CentOS 7.x; the steps are the same, a few individual commands differ, and the result is unaffected.
Server deployment requirements (what we want to achieve):
1. Encrypt the whole login and transfer process.
2. Log every file users upload and download.
3. Give each user a public folder (everyone can see and download its files) and a private folder (only the owner can upload to and download from it).
1. Installation of vsftpd service:
1. Search for the installation package of vsftpd in the yum source:
    [root@dba ~]# cat /etc/centos-release
    CentOS release 6.5 (Final)
    [root@dba ~]# yum list | grep -i "vsftpd"
    vsftpd.x86_64        2.2.2-24.el6        base
2. Install vsftpd service program:
    [root@dba ~]# yum list | grep -i "vsftpd" && yum -y install vsftpd
    [root@dba ~]# whereis vsftpd
    vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz
3. Start the vsftpd service program:
    [root@dba ~]# /etc/init.d/vsftpd start
    Starting vsftpd for vsftpd:    [  OK  ]
    [root@dba ~]# netstat -lntp | grep "21"
    tcp   0   0 0.0.0.0:21   0.0.0.0:*   LISTEN   1677/vsftpd
4. Access the vsftpd service:
Browser access: ftp://192.168.0.110/ shows the /var/ftp/pub directory by default.
Client access (FileZilla recommended): https://www.filezilla.cn/download/client
2. Detailed description of vsftpd service configuration:
1. Back up the configuration file and configure the user blacklist/whitelist:
    [root@dba ~]# cd /etc/vsftpd/
    [root@dba vsftpd]# ll
    total 20
    -rw------- 1 root root  125 Mar 22 20:14 ftpusers
    -rw------- 1 root root  361 Mar 22 20:14 user_list
    -rw------- 1 root root 4599 Mar 22 20:14 vsftpd.conf
    -rwxr--r-- 1 root root  338 Mar 22 20:14 vsftpd_conf_migrate.sh
    [root@dba vsftpd]# cp vsftpd.conf vsftpd.conf_bak
    [root@dba vsftpd]# ll
    total 28
    -rw------- 1 root root  125 Mar 22 20:14 ftpusers
    -rw------- 1 root root  361 Mar 22 20:14 user_list
    -rw------- 1 root root 4599 Mar 22 20:14 vsftpd.conf
    -rw------- 1 root root 4599 Aug 18 23:21 vsftpd.conf_bak
    -rwxr--r-- 1 root root  338 Mar 22 20:14 vsftpd_conf_migrate.sh
ftpusers: blacklist of FTP logins. A user listed here is still prompted for a username and password but can never log in successfully.
user_list: a list that acts as either a whitelist or a blacklist; which one it is depends on the userlist_* parameters in vsftpd.conf.
Whitelist:
    userlist_enable=YES                     # enable the user list feature
    userlist_deny=NO                        # users in user_list are not denied; only the listed users may log in
    userlist_file=/etc/vsftpd/user_list     # path and name of the user list file
    userlist_log=YES                        # log users blocked by the user_list check
Blacklist:
    userlist_enable=YES                     # enable the user list feature
    userlist_deny=YES                       # users in user_list are denied; a listed login name is rejected before any password is entered, which is safer than ftpusers
    userlist_file=/etc/vsftpd/user_list     # path and name of the user list file
    userlist_log=YES
2. Other important configuration items:
Configuration item syntax: directive=value

Anonymous users: anonymous logins are mapped to the local user ftp, so they can only write in directories that user owns and has write permission on.
    anonymous_enable=YES          # whether anonymous logins are allowed
    anon_upload_enable=NO         # uploads by anonymous users; only effective when write_enable=YES
    write_enable=YES              # global switch for write commands; the owner must also have write permission
    anon_mkdir_write_enable=NO    # whether anonymous users may create directories
    anon_other_write_enable=NO    # whether anonymous users may delete and rename

Local users:
    local_enable: every non-anonymous login depends on this directive taking effect.
    local_umask: permission mask applied to files uploaded by local users.

Directory messages:
    dirmessage_enable: the first time a user enters a directory, vsftpd looks for a .message file there and shows its contents to the user.
    message_file: use this file name instead of the default .message.

Transfer logging:
    xferlog_enable: log file uploads and downloads.
    xferlog_std_format: write the transfer log in the standard (wu-ftpd style) xferlog format.
    xferlog_file=/var/log/vsftpd.log: where the transfer log is written.
    vsftpd_log_file: vsftpd's own log file.

Data transfer mode:
    connect_from_port_20: whether active (PORT) mode data connections originate from port 20; default NO.

Changing the owner of files uploaded by anonymous users:
    chown_uploads: whether to change the owner at all.
    chown_username: when chown_uploads is enabled, uploaded files are handed to this user; default root.
    chown_upload_mode: permission mode given to files uploaded by anonymous users; default 600.

Session timeouts:
    idle_session_timeout: timeout for an idle session.
    connect_timeout: in PORT mode, how long the server waits when connecting back to the client.
    data_connection_timeout: timeout for a stalled data transfer.

Command-connection listening port: listen_port=21 (the default, which is what the netstat output above shows; port 20 is the active-mode data source port).

Connection and rate limits:
    local_max_rate: transfer rate limit for local users, in bytes per second; default 0 means unlimited.
    anon_max_rate: maximum transfer rate for anonymous users.
    max_clients: maximum number of concurrent client connections on the server side.
    max_per_ip: maximum number of simultaneous connections from one client IP.

Login banner: ftp_banner="Welcome"

Confining local users (chroot):
    chroot_local_user=YES                       # confine every local user to its home directory. Note: the user must not have write permission on the home directory itself
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list    # confine the users listed in this file (with chroot_local_user=YES the list instead names the exceptions)

Virtual users:
    Based on a db file: /etc/vsftpd/vusers.txt, where odd lines hold the username and even lines the password.
    Based on a MySQL database: usernames and passwords are added with SQL statements, and vsftpd authenticates through the PAM interface, which links to the MySQL database.
    Note: when a virtual or anonymous user logs on, it is mapped to a user from the local user list. The default is ftp, but another user can be specified:
    [root@dba vsftpd]# cat /etc/passwd | grep ftp
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
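Requirement 2 above is met by the xferlog_* directives. As an added example (mine, not code from the original post), the following Python parses a few constructed lines in the standard xferlog format that xferlog_std_format produces, builds the per-user upload/download audit a reviewer would want, and flags aborted transfers and uploads that land outside the user's private upload directory; the sample lines, user names and the /upload path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in vsftpd's xferlog_std_format (wu-ftpd layout); made up for
# this example. Paths are as the chrooted virtual user sees them (local_root = /).
SAMPLE_XFERLOG = """\
Mon Aug 19 00:40:11 2019 1 192.168.0.10 2048 /upload/report.txt b _ i r user01 ftp 0 * c
Mon Aug 19 00:41:02 2019 3 192.168.0.10 1048576 /upload/backup.tar b _ i r user01 ftp 0 * i
Mon Aug 19 00:42:30 2019 1 192.168.0.11 512 /upload/readme.txt a _ o r user02 ftp 0 * c
Mon Aug 19 00:43:05 2019 1 192.168.0.11 4096 /secret.txt b _ i r user02 ftp 0 * c
"""
# Fields after the 5-field timestamp: seconds, remote host, bytes, path, type (a/b),
# special flag, direction (i upload / o download / d delete), access mode (a/g/r),
# user, service, auth method, auth user id, completion status (c complete / i aborted).
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<ttype>[ab]) (?P<flag>\S) (?P<dir>[iod]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)

def parse_xferlog(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records

def summarize(records):
    """Completed uploads, downloads and bytes moved, per user."""
    stats = defaultdict(lambda: {"uploads": 0, "downloads": 0, "bytes": 0})
    for r in records:
        if r["status"] != "c":
            continue  # aborted transfers are reported by find_anomalies instead
        s = stats[r["user"]]
        if r["dir"] == "i":
            s["uploads"] += 1
        elif r["dir"] == "o":
            s["downloads"] += 1
        s["bytes"] += r["size"]
    return dict(stats)

def find_anomalies(records, upload_dir="/upload"):
    """Flag aborted transfers and uploads that land outside the private upload dir."""
    issues = []
    for r in records:
        if r["status"] == "i":
            issues.append((r["user"], "incomplete transfer " + r["path"]))
        if r["dir"] == "i" and not r["path"].startswith(upload_dir + "/"):
            issues.append((r["user"], "upload outside " + upload_dir + ": " + r["path"]))
    return issues
```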
3. Typical configuration cases of vsftpd:
1. Virtual user authentication based on db_load:
1.1 Modify the relevant items in vsftpd.conf:
    anonymous_enable=NO
    chroot_local_user=YES
    pam_service_name=vsftpd       # enable PAM authentication; the matching PAM configuration file is /etc/pam.d/vsftpd
    guest_enable=YES
    guest_username=ftp
    user_config_dir=/etc/vsftpd/user_conf

1.2 Create the per-user configuration directory:
    [root@dba vsftpd]# install -d /etc/vsftpd/user_conf
    [root@dba vsftpd]# ll
    total 28
    -rw------- 1 root root  125 Mar 22 20:14 ftpusers
    drwxr-xr-x 2 root root 4096 Aug 19 00:08 user_conf
    -rw------- 1 root root  361 Mar 22 20:14 user_list
    -rw------- 1 root root  894 Aug 19 00:08 vsftpd.conf
    -rw------- 1 root root 4599 Aug 18 23:21 vsftpd.conf_bak
    -rwxr--r-- 1 root root  338 Mar 22 20:14 vsftpd_conf

1.3 Create the username/password source file and build the database file from it:
    [root@dba vsftpd]# touch vusers
    [root@dba vsftpd]# echo -e "user01\nuser01" > vusers
    [root@dba vsftpd]# echo -e "user02\nuser02" >> vusers
    [root@dba vsftpd]# more vusers
    user01
    user01
    user02
    user02
    [root@dba vsftpd]# db_load -T -t hash -f /etc/vsftpd/vusers /etc/vsftpd/login.db
    [root@dba vsftpd]# ll
    total 44
    -rw-r--r-- 1 root root 12288 Aug 19 00:20 login.db
    -rw-r--r-- 1 root root    28 Aug 19 00:17 vusers
    Both files hold the passwords in clear text and are world-readable here; restrict them to root (chmod 600 vusers login.db) before continuing.

1.4 Create a configuration file for each user:
    [root@dba vsftpd]# cd user_conf/
    [root@dba user_conf]# more user02
    # local_root sets the virtual user's home directory (where it lands after a successful login). It can be given here in the user's own configuration file; alternatively, create a real account with useradd and give it a home directory with the -d option.
    local_root=/ftp/user02
    write_enable=YES
    anon_umask=022
    anon_world_readable_only=NO
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

1.5 Configure the PAM file that ties the users in the db file to the vsftpd service:
    [root@dba pam.d]# ll vsftpd*
    -rw-r--r-- 1 root root 101 Aug 19 00:28 vsftpd
    -rw-r--r-- 1 root root 335 Aug 19 00:27 vsftpd.bak
    [root@dba pam.d]# more vsftpd
    auth    required pam_userdb.so db=/etc/vsftpd/login
    account required pam_userdb.so db=/etc/vsftpd/login
    (pam_userdb appends the .db suffix itself, so the path is given without it.)

1.6 Create the FTP home directory for each user:
    [root@dba user_conf]# mkdir -p /ftp/user01/upload
    [root@dba user_conf]# mkdir -p /ftp/user02/upload
    [root@dba user_conf]# ls -ld /ftp/*
    drwxr-xr-x 3 root root 4096 Aug 19 00:31 /ftp/user01
    drwxr-xr-x 3 root root 4096 Aug 19 00:31 /ftp/user02
    Because user01 and user02 are mapped to the local user ftp when they log in, and it is ftp that creates files and directories on their behalf, each user's home directory must be owned by ftp:
    [root@dba ftp]# chown ftp:root user01
    [root@dba ftp]# chown ftp:root user02
    [root@dba ftp]# ls -ld *
    drwxr-xr-x 3 ftp root 4096 Aug 19 00:31 user01
    drwxr-xr-x 3 ftp root 4096 Aug 19 00:31 user02
    Note: when granting permissions on a home directory, be aware that a writable home directory sometimes causes errors at login or on upload (vsftpd 3.x refuses to chroot into a writable root unless allow_writeable_chroot=YES is set).

1.7 Troubleshooting:
    After the steps above the client logs in to the FTP server normally, but uploading into the user's upload directory fails:
    Response: 553 Could not create file.
    Error: Serious file transfer error
    Checking the write permission on the upload directory shows that it still has the wrong owner; after changing the ownership, uploads work normally:
    [root@dba ftp]# ls -ld user01/upload
    drwxr-xr-x 2 root root 4096 Aug 19 00:31 user01/upload
    [root@dba ftp]# ls -ld user02/upload
    drwxr-xr-x 2 root root 4096 Aug 19 00:31 user02/upload
    [root@dba ftp]# chown -R ftp:root user01/upload
    [root@dba ftp]# chown -R ftp:root user02/upload
    [root@dba ftp]# ls -ld user01/upload
    drwxr-xr-x 2 ftp root 4096 Aug 19 00:31 user01/upload
    [root@dba ftp]# ls -ld user02/upload
    drwxr-xr-x 2 ftp root 4096 Aug 19 00:31 user02/upload

1.8 For historical reasons, FTP authenticates and transfers data without encryption by default. There are two options for encrypting the authentication and transfer process:
    Scheme 1: an openssl-based encrypted transport; see the configuration example at http://blog.csdn.net/xinxinxin19881112/article/details/46831311
    Scheme 2: configure vsftpd itself to encrypt authentication and transfer. The configuration is as follows.
    First, generate the PEM file (certificate plus private key) used for encryption:
    [root@dba ftp]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
    Generating a 1024 bit RSA private key
    .++++++
    ........++++++
    writing new private key to '/etc/vsftpd/vsftpd.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BJ
    Organization Name (eg, company) [Default Company Ltd]:360
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, your name or your server's hostname) []:anonymous.org
    Email Address []:
    The generated PEM file:
    [root@dba ~]# ll /etc/vsftpd/vsftpd.pem
    -rw-r--r-- 1 root root 1876 Aug 19 00:52 /etc/vsftpd/vsftpd.pem
    This file contains the private key, so it should be readable by root only (chmod 600 /etc/vsftpd/vsftpd.pem); a 1024-bit RSA key is also below current minimums, so use rsa:2048 or larger outside a lab.
    Then modify vsftpd.conf to turn encryption on:
    # Enabling TLS/SSL
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    rsa_private_key_file=/etc/vsftpd/vsftpd.pem
    # Define port range for connections in passive mode
    pasv_max_port=65535
    pasv_min_port=64000
    Restart the vsftpd service:
    ### CentOS 6.x
    [root@dba vsftpd]# /etc/init.d/vsftpd restart
    Shutting down vsftpd:          [  OK  ]
    Starting vsftpd for vsftpd:    [  OK  ]
    ### CentOS 7.x
    [root@dba vsftpd]# systemctl start vsftpd
    [root@dba vsftpd]# netstat -lntp | grep 21
    tcp   0   0 0.0.0.0:21   0.0.0.0:*   LISTEN   2951/vsftpd
    After the restart, connect to the vsFTPd server with the FileZilla client; files upload and download normally.
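Steps 1.3 and 1.4 above are easy to get subtly wrong (a missing password line shifts every later pair, a duplicate name silently collides in the hash db). As an added example (mine, not code from the original post), this Python validates a vusers file in the odd/even layout before it goes to db_load and renders the per-user configuration files the way step 1.4 does; the sample file and the /ftp base directory are constructed assumptions.

```python
import os

# Constructed sample in the layout db_load -T -t hash reads from vusers: odd lines
# are usernames, even lines the matching passwords. Made up for this example.
SAMPLE_VUSERS = "user01\nuser01\nuser02\nS3cret!pass\nuser01\nother\nuser03\n"

# The per-user directives the page puts in /etc/vsftpd/user_conf/<user>.
USER_CONF_TEMPLATE = """\
local_root={root}
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""

def load_vusers(text):
    """Pair username/password lines; return (pairs, problems).

    pairs maps each username to its password; problems lists what should be
    fixed before the file is fed to db_load."""
    lines = text.splitlines()
    problems = []
    if len(lines) % 2:
        problems.append("odd number of lines: last username has no password")
    pairs = {}
    for i in range(0, len(lines) - 1, 2):
        name, pw = lines[i], lines[i + 1]
        if not name or any(c.isspace() for c in name):
            problems.append("bad username on line %d: %r" % (i + 1, name))
            continue
        if name in pairs:
            problems.append("duplicate username %s on line %d" % (name, i + 1))
            continue
        if pw == name:
            problems.append("password for %s equals the username" % name)
        pairs[name] = pw
    return pairs, problems

def user_conf(name, base="/ftp"):
    """Render the per-user config; the user's home is <base>/<name>."""
    return USER_CONF_TEMPLATE.format(root=os.path.join(base, name))

def write_user_confs(pairs, conf_dir, base="/ftp"):
    """Write one file per user into user_config_dir, mode 600; returns the paths."""
    os.makedirs(conf_dir, exist_ok=True)
    written = []
    for name in pairs:
        path = os.path.join(conf_dir, name)
        with open(path, "w") as fh:
            fh.write(user_conf(name, base))
        os.chmod(path, 0o600)
        written.append(path)
    return written
```

Run load_vusers on the real /etc/vsftpd/vusers and only call db_load when problems is empty.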
2. Virtual user authentication based on pam_mysql:
    [root@dba pam.d]# uname -a
    Linux dba.com 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

2.1 Install the MySQL server and create the virtual username and password that vsftpd logins will use:
    [root@dba pam.d]# yum -y install mysql-server
    [root@dba pam.d]# yum grouplist | grep -i "develop"
       Additional Development
       Desktop Platform Development
       Development tools
       Server Platform Development
    [root@dba ~]# mysql -u root -p123456
    mysql> create database vsftpd;
    mysql> use vsftpd;
    mysql> create table users (
        -> id int AUTO_INCREMENT NOT NULL,
        -> name char(16) binary NOT NULL,
        -> passwd char(48) binary NOT NULL,
        -> primary key(id)
        -> );
    mysql> create table logs (msg varchar(255),
        -> user char(16),
        -> pid int,
        -> host char(32),
        -> rhost char(32),
        -> logtime timestamp
        -> );
    mysql> desc users;
    +--------+----------+------+-----+---------+----------------+
    | Field  | Type     | Null | Key | Default | Extra          |
    +--------+----------+------+-----+---------+----------------+
    | id     | int(11)  | NO   | PRI | NULL    | auto_increment |
    | name   | char(16) | NO   |     | NULL    |                |
    | passwd | char(48) | NO   |     | NULL    |                |
    +--------+----------+------+-----+---------+----------------+
    3 rows in set (0.03 sec)
    mysql> insert into users(name, passwd) values ('test', password('test'));
    Query OK, 1 row affected (0.08 sec)
    mysql> select * from users;
    +----+------+-------------------------------------------+
    | id | name | passwd                                    |
    +----+------+-------------------------------------------+
    |  1 | test | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 |
    +----+------+-------------------------------------------+
    1 row in set (0.00 sec)

2.2 Download and build the pam_mysql plug-in:
    [root@dba ~]# yum install openssl-devel
    [root@dba ~]# yum install mysql-devel
    [root@dba ~]# wget
    [root@dba ~]# tar -zxf pam_mysql-0.7RC1.tar.gz
    [root@dba ~]# cd pam_mysql-0.7RC1
    [root@dba ~]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam-mods-dir=/lib64/security
    [root@dba ~]# make && make install
    [root@dba ~]# ll /lib64/security/pam_mysql.*
    -rwxr-xr-x 1 root root    873 Aug 19 12:27 /lib64/security/pam_mysql.la
    -rwxr-xr-x 1 root root 133356 Aug 19 12:27 /lib64/security/pam_mysql.so

2.3 Modify vsftpd.conf and create /etc/pam.d/vsftpd.mysql:
    #pam_service_name=vsftpd
    pam_service_name=vsftpd.mysql
    [root@dba pam.d]# more vsftpd.mysql
    auth    required /lib64/security/pam_mysql.so db=vsftpd user=root passwd=123456 host=localhost table=users usercolumn=name passwdcolumn=passwd crypt=2
    account required /lib64/security/pam_mysql.so db=vsftpd user=root passwd=123456 host=localhost table=users usercolumn=name passwdcolumn=passwd crypt=2
    This file carries the database credentials in clear text: keep it readable by root only (mode 600) and use a dedicated MySQL account limited to SELECT on vsftpd.users rather than root.
    ### The crypt parameter, from the pam_mysql README:
    [root@dba pam_mysql-0.7RC1]# less README
    crypt (plain)
      The method to encrypt the user's password:
      0 (or "plain") = No encryption. Passwords stored in plaintext. HIGHLY DISCOURAGED.
      1 (or "Y")     = Use crypt(3) function.
      2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query.
      3 (or "md5")   = Use plain hex MD5.
      4 (or "sha1")  = Use plain hex SHA1.
    [root@dba pam.d]# /etc/init.d/vsftpd restart
    Shutting down vsftpd:          [  OK  ]
    Starting vsftpd for vsftpd:    [  OK  ]
    With that, the MySQL-backed virtual user authentication for vsftpd is in place, and the next step is testing... GG, uploading a file errors out again...
    Response: 550 Permission denied.
    Error: Serious file transfer error
    The error matches the earlier one, so it is probably a permission assignment problem again, huh-huh. When the test account logs in it is mapped to the ftp user for file and directory operations, so go into /var/ftp/ and check the configuration and the ftp user's identity:
    guest_enable=YES
    guest_username=ftp
    user_config_dir=/etc/vsftpd/user_conf
    [root@dba vsftpd]# cat /etc/passwd | grep ftp
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    [root@dba vsftpd]# cd /var/ftp/
    [root@dba ftp]# ls -ld ../* | grep ftp
    drwxr-xr-x 3 root root 4096 Aug 18 22:53 ../ftp
    [root@dba ftp]# ls -ld *
    drwxr-xr-x 2 root root 4096 Mar 22 20:14 pub
    As the listing shows, neither the ftp directory nor the pub upload directory is writable by the ftp user. The fix is to change the owner of the upload directory and restart vsftpd, after which uploads should work. OK, let's go:
    [root@dba ftp]# chown ftp pub
    [root@dba ftp]# ll
    total 4
    drwxr-xr-x 2 ftp root 4096 Mar 22 20:14 pub
    That should have done it, ha ha ha, but the test still fails (GG). So troubleshoot step by step:
    1. The directory permission settings are definitely fine now.
    2. That leaves the vsftpd per-user read/write configuration: per-user settings come from a file in the separate user_config_dir that has the same name as the login user, so create a new file named test with this content:
    [root@dba user_conf]# pwd
    /etc/vsftpd/user_conf
    [root@dba user_conf]# more test
    local_root=/var/ftp
    write_enable=YES
    anon_umask=022
    anon_world_readable_only=NO
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    OK, restart vsftpd and test again: the upload finally works. Done...
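To make concrete what crypt=2 in the PAM line above actually compares, here is an added example (mine, not code from the original post or from pam_mysql): it reproduces the stored forms for the README's crypt values 0, 2, 3 and 4, checks the page's PASSWORD('test') value, and mimics the lookup-and-compare step against a constructed stand-in for the users table; the USERS_TABLE rows and the authenticate() helper are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the page's `users` table: pam_mysql effectively runs
# SELECT passwd FROM users WHERE name = <login> and compares according to `crypt`.
USERS_TABLE = [
    {"id": 1, "name": "test", "passwd": "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"},
]

def pam_mysql_hash(plain, crypt):
    """Reproduce the stored form pam_mysql expects for the README's crypt values."""
    data = plain.encode("utf-8")
    if crypt in (0, "plain"):
        return plain                                   # plaintext, discouraged
    if crypt in (2, "mysql"):
        # MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plain)); unsalted,
        # so two users with the same password get the same stored value.
        return "*" + hashlib.sha1(hashlib.sha1(data).digest()).hexdigest().upper()
    if crypt in (3, "md5"):
        return hashlib.md5(data).hexdigest()          # plain hex MD5
    if crypt in (4, "sha1"):
        return hashlib.sha1(data).hexdigest()         # plain hex SHA1
    raise ValueError("crypt=1 (crypt(3)) needs the salt from the stored value; not handled here")

def authenticate(name, plain, crypt=2, table=USERS_TABLE):
    """Mimic the auth step: look the user up, hash the offered password, compare."""
    rows = [r for r in table if r["name"] == name]
    if len(rows) != 1:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(pam_mysql_hash(plain, crypt), rows[0]["passwd"])
```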
4. Summary of vsftpd deployment issues:
Waiting for updates...