1. Environment planning
System versions of the two test hosts, hereinafter referred to as host A and host B:
A: CentOS 7.6 (172.20.10.4)
B: RedHat 8.2 (172.20.10.6)
Machine A creates the test files that it will upload. For easy distinction they are named "system abbreviation + system version + virtual account abbreviation":
[root@CentOS7-6 test]# ll
-rw-r--r-- 1 root root 1819 May 19 12:34 CT7-6-1
-rw-r--r-- 1 root root 1819 May 19 12:34 CT7-6-2
Machine A creates the test files that will be downloaded from it. They are named "machine A + virtual account abbreviation":
[root@CentOS7-6 test]# ls /home/test/test1/
A1.txt
[root@CentOS7-6 test]# ls /home/test/test2/
A2.txt
Machine B creates the test files that it will upload. They are named "system abbreviation + system version + virtual account abbreviation":
[root@RedHat8-2 test]# ll
-rw-r--r-- 1 root root 2123 May 19 12:34 RH8-2-1
-rw-r--r-- 1 root root 2123 May 19 12:34 RH8-2-2
Machine B creates the test files that will be downloaded from it. They are named "machine B + virtual account abbreviation":
[root@RedHat8-2 test]# ls /home/test/test1
B1.txt
[root@RedHat8-2 test]# ls /home/test/test2
B2.txt
2. Brief description of the test contents and results
1) Create the host account test on machine A and machine B, with shell /sbin/nologin and home directory /home/test
2) Create two virtual accounts: test1 with home directory /home/test/test1 and test2 with home directory /home/test/test2
3) The host account is not allowed to log in, and each virtual account is locked into its own home directory after login
4) Transfer test: machine A and machine B act as server and client for each other; each client uploads its test files from /test and downloads the server's test file into the client's /test
5) The end of the document describes the vsftpd configuration file, the black and white list, and the per-user permission files of the virtual users
3. Install vsftp package and ftp client for testing
yum install -y vsftpd
yum install -y ftp
4. Create ftp host account
I tested two virtual accounts, each confined to its own home directory under the shared directory of the host account
useradd -s /sbin/nologin test
mkdir /home/test/test1
mkdir /home/test/test2
chown test. /home/test/ -R
5. Create ftp log files and change permissions
touch /var/log/vsftpd.log
chown test. /var/log/vsftpd.log
6. Backup vsftpd configuration file
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
7. Change the ftp configuration file
cat > /etc/vsftpd/vsftpd.conf << EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
guest_enable=YES
guest_username=test
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vsftpd_user_conf
vsftpd_log_file=/var/log/vsftpd.log
allow_writeable_chroot=YES
EOF
Alternatively, strip the comment lines from the packaged file (the first sed only previews, the second edits in place) and add the settings by hand:
sed '/\#/d' /etc/vsftpd/vsftpd.conf
sed '/\#/d' /etc/vsftpd/vsftpd.conf -i
vi /etc/vsftpd/vsftpd.conf
8. Create the whitelist file and add the accounts to it. The host account used in the test is test; the virtual accounts are test1 and test2
cat >> /etc/vsftpd/vsftpd.chroot_list << EOF
test1
test2
EOF
9. ftp virtual account password file (odd lines hold the account name, even lines the password)
cat >> /etc/vsftpd/vsftpd_user << EOF
test1
1qaz2wsx
test2
p@ssw0rd
EOF
10. Convert the account password file into a database file (for security reasons, back up the plain-text account password file yourself and delete it once the database file has been generated)
db_load -T -t hash -f /etc/vsftpd/vsftpd_user /etc/vsftpd/vsftpd_user.db
chmod 600 /etc/vsftpd/vsftpd_user.db
11. Add pam authentication
cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd_bak
# Comment out every existing non-comment line so that only pam_userdb is consulted.
# (sed -i writes through a temporary file; piping cat of a file back into the same
# file with awk, as is sometimes done, races the read against the truncating write.)
sed -i 's/^[^#]/#&/' /etc/pam.d/vsftpd
# pam_userdb appends the .db suffix itself, so the path is given without it
cat >> /etc/pam.d/vsftpd << EOF
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_user
account required pam_userdb.so db=/etc/vsftpd/vsftpd_user
EOF
12. Configure virtual account permission file
mkdir /etc/vsftpd/vsftpd_user_conf
cat > /etc/vsftpd/vsftpd_user_conf/test1 << EOF
local_root=/home/test/test1
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
cat > /etc/vsftpd/vsftpd_user_conf/test2 << EOF
local_root=/home/test/test2
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
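As an added check that is not part of the original tutorial, the following Python script cross-checks the files created in steps 7 to 12 against each other: every virtual user in the password file should have a file in user_config_dir, and the script reports whether each user actually ends up in a chroot jail. It follows vsftpd.conf(5), which documents chroot_list_file as the list of users that are NOT chrooted when chroot_local_user=YES (and the list of users that ARE chrooted when chroot_local_user=NO). The inputs are the page's own values, embedded inline as constructed strings so the script runs offline.

```python
# Added cross-check for the vsftpd virtual-user setup; inputs are the page's
# own file contents embedded as strings. On a real host read them from
# /etc/vsftpd/vsftpd.conf, vsftpd.chroot_list, vsftpd_user and user_config_dir.
VSFTPD_CONF = """local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
guest_enable=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
"""
CHROOT_LIST = "test1\ntest2\n"
USER_FILE = "test1\n1qaz2wsx\ntest2\np@ssw0rd\n"  # odd lines user, even lines password
USER_CONF_FILES = {"test1", "test2"}              # file names found in user_config_dir


def parse_conf(text):
    """KEY=VALUE lines; '#' comments and blank lines are ignored (vsftpd syntax)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_user_file(text):
    """Alternating user/password lines, the layout db_load -T -t hash expects."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd number of lines: a user has no password line")
    users = {}
    for user, password in zip(lines[::2], lines[1::2]):
        if not user or not password or user in users:
            raise ValueError(f"empty or duplicate entry for {user!r}")
        users[user] = password
    return users


def audit(conf_text, chroot_list, user_file, user_conf_files):
    """Per virtual user: is it chrooted, and does a user_config_dir file exist?"""
    conf = parse_conf(conf_text)
    listed = set(chroot_list.split())
    jail_all = conf.get("chroot_local_user") == "YES"
    list_on = conf.get("chroot_list_enable") == "YES"
    report = {}
    for user in parse_user_file(user_file):
        # vsftpd.conf(5): with chroot_local_user=YES the list exempts users from
        # the jail; with chroot_local_user=NO it selects the users to jail.
        in_list = list_on and user in listed
        chrooted = (not in_list) if jail_all else in_list
        report[user] = {"chrooted": chrooted, "has_user_conf": user in user_conf_files}
    return report
```

With the page's settings both users are listed and chroot_local_user=YES, so the report shows them as not chrooted; an empty chroot_list (or chroot_list_enable=NO) would jail them under local_root.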
13. Restart vsftpd service
systemctl start vsftpd
systemctl status vsftpd
14. Login test and transmission test
1) Create the test directory and add the test files for upload, download and transfer
host A: CentOS 7.6:
mkdir /test
cat /etc/profile >> /test/CT7-6-1
cat /etc/profile >> /test/CT7-6-2
cat /etc/profile >> /home/test/test1/A1.txt
cat /etc/profile >> /home/test/test2/A2.txt
chown test. /home/test/ -R
host B: RedHat 8.2:
mkdir /test
cat /etc/profile >> /test/RH8-2-1
cat /etc/profile >> /test/RH8-2-2
cat /etc/profile >> /home/test/test1/B1.txt
cat /etc/profile >> /home/test/test2/B2.txt
chown test. /home/test/ -R
#Both hosts change into the transfer test directory
cd /test
2) Login test: machine A and machine B each act as server and client for the other
## B is the client and A is the server; ftp accounts test1 and test2:
[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
## A is the client and B is the server; ftp accounts test1 and test2:
[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
3) Transfer test: A is the client and logs in as ftp user test1 of machine B; test1 of machine A uploads the test file 'CT7-6-1' and downloads the test file B1.txt
##### Upload:
[root@CentOS7-6 test]# ls
CT7-6-1  CT7-6-2
[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,20,10,6,42,68).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
226 Directory send OK.
ftp> put CT7-6-1
local: CT7-6-1 remote: CT7-6-1
227 Entering Passive Mode (172,20,10,6,124,67).
150 Ok to send data.
226 Transfer complete.
1819 bytes sent in 6.3e-05 secs (28873.02 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,6,186,156).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
-rw-r--r--    1 1000     1000         1819 May 19 06:02 CT7-6-1
226 Directory send OK.
##### Download:
ftp> ls
227 Entering Passive Mode (172,20,10,6,53,40).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
-rw-r--r--    1 1000     1000         1819 May 19 06:02 CT7-6-1
226 Directory send OK.
ftp> get B1.txt
local: B1.txt remote: B1.txt
227 Entering Passive Mode (172,20,10,6,204,244).
150 Opening BINARY mode data connection for B1.txt (2123 bytes).
226 Transfer complete.
2123 bytes received in 2.8e-05 secs (75821.42 Kbytes/sec)
ftp>
221 Goodbye.
[root@CentOS7-6 test]# ls
B1.txt  CT7-6-1  CT7-6-2
4) Transfer test: B is the client and logs in as ftp user test1 of machine A; test1 of machine B uploads the test file 'RH8-2-1' and downloads the test file A1.txt
##### Upload:
[root@RedHat8-2 test]# ls
RH8-2-1  RH8-2-2
[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,20,10,4,245,200).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
226 Directory send OK.
ftp> put RH8-2-1
local: RH8-2-1 remote: RH8-2-1
227 Entering Passive Mode (172,20,10,4,45,38).
150 Ok to send data.
226 Transfer complete.
2123 bytes sent in 0.000107 secs (19841.12 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,4,60,224).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.
##### Download:
ftp> ls
227 Entering Passive Mode (172,20,10,4,60,224).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.
ftp> get A1.txt
local: A1.txt remote: A1.txt
227 Entering Passive Mode (172,20,10,4,120,123).
150 Opening BINARY mode data connection for A1.txt (1819 bytes).
226 Transfer complete.
1819 bytes received in 3.5e-05 secs (51971.43 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,4,221,74).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.
ftp>
221 Goodbye.
[root@RedHat8-2 test]# ls
A1.txt  RH8-2-1  RH8-2-2
15. Description of the vsftpd configuration file, the black and white list, and the virtual user permission file
vsftpd configuration file:
anonymous_enable=NO #Disable anonymous users
local_enable=YES #Enable local users
write_enable=YES #Enable write permission
anon_upload_enable=NO #Prohibit anonymous users from uploading
anon_mkdir_write_enable=NO #Prohibit anonymous users from creating directories
anon_other_write_enable=NO #Prohibit anonymous users from deleting
chroot_local_user=YES #All users are locked into their home directory (if set to NO, chroot_list acts as a blacklist)
chroot_list_enable=YES #Users cannot leave the home directory (the user whitelist file must be created)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list #User whitelist
guest_enable=YES #Enable the virtual user function
guest_username=ftpuser1 #Defines the host operating system user that the virtual users map to
pam_service_name=vsftpd #pam settings
user_config_dir=/etc/vsftpd/vsftpd_user_conf #Specifies the directory of virtual user permission files. Each virtual account has a file in this directory with the same name as the account.
vsftpd_log_file=/var/log/vsftpd.log #Path where vsftpd saves its service log; the file does not exist by default
allow_writeable_chroot=YES #If files can be listed but neither uploaded nor downloaded, try adding this option
Black and white list:
The location of the black and white list file can be chosen freely; note the difference between the two settings:
#User whitelist
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list #chroot_list acts as a whitelist
#User blacklist
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list #chroot_list acts as a blacklist
Content of virtual user permission file:
Adjust the files with reference to the following combinations:
When virtual_use_local_privs=YES: virtual users have the same permissions as local users.
When virtual_use_local_privs=NO: virtual users have the same permissions as anonymous users. The default is NO.
When virtual_use_local_privs=YES, write_enable=YES: virtual users have write permission (upload, download, delete, rename).
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES, anon_upload_enable=YES: virtual users cannot browse the directory and can only upload files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_upload_enable=NO: virtual users can only download files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_upload_enable=YES: virtual users can only upload and download files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_mkdir_write_enable=YES: virtual users can only download files and create directories, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_other_write_enable=YES: virtual users can only download, delete and rename files, with no other permissions.
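As an added example that is not part of the original tutorial, the following Python code turns the permission table above into a function: it merges vsftpd.conf with a user's file from user_config_dir (the per-user file is read afterwards, so its keys win) and derives the set of rights the virtual user ends up with. It generalises the table to any combination of the listed options, using vsftpd's documented defaults (virtual_use_local_privs=NO, anon_world_readable_only=YES, all other flags NO). The sample values are the page's own configuration, embedded inline as constructed strings.

```python
# Added example: effective rights of a virtual user from vsftpd.conf plus its
# user_config_dir override, following the permission table on this page.
GLOBAL_CONF = """write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
"""
TEST1_CONF = """local_root=/home/test/test1
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""

def parse_conf(text):
    # KEY=VALUE lines; '#' comments and blank lines are ignored (vsftpd syntax)
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def effective_conf(global_text, user_text):
    # the per-user file is read after vsftpd.conf, so its keys override
    conf = parse_conf(global_text)
    conf.update(parse_conf(user_text))
    return conf

def virtual_rights(conf):
    """Rights per the table above; defaults are vsftpd's documented ones."""
    def on(key, default="NO"):
        return conf.get(key, default) == "YES"
    if on("virtual_use_local_privs"):          # local-user semantics
        rights = {"browse", "download"}
        if on("write_enable"):
            rights |= {"upload", "delete", "rename"}
        return rights
    rights = set()                             # anonymous semantics (default)
    if not on("anon_world_readable_only", "YES"):
        rights |= {"browse", "download"}
    if on("write_enable"):                     # anon_* flags need write_enable
        for key, grant in (("anon_upload_enable", {"upload"}),
                           ("anon_mkdir_write_enable", {"mkdir"}),
                           ("anon_other_write_enable", {"delete", "rename"})):
            if on(key):
                rights |= grant
    return rights
```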