Creating and using FTP virtual account

Posted by mouli on Sat, 12 Feb 2022 07:18:42 +0100

1. Environment planning

Environment and system versions (referred to below as host A and host B):
A: CentOS 7.6 (172.20.10.4)
B: RedHat 8.2 (172.20.10.6)
Host A creates the files it will upload; to tell them apart they are named "system abbreviation + system version + virtual account number":

[root@CentOS7-6 test]# ll
-rw-r--r-- 1 root root 1819 May 19 12:34 CT7-6-1
-rw-r--r-- 1 root root 1819 May 19 12:34 CT7-6-2


Host A creates the files that will be downloaded from it; they are named "host letter + virtual account number":

[root@CentOS7-6 test]# ls /home/test/test1/
A1.txt
[root@CentOS7-6 test]# ls /home/test/test2/
A2.txt


Host B creates the files it will upload; they are named "system abbreviation + system version + virtual account number":

[root@RedHat8-2 test]# ll
-rw-r--r-- 1 root root 2123 May 19 12:34 RH8-2-1
-rw-r--r-- 1 root root 2123 May 19 12:34 RH8-2-2


Host B creates the files that will be downloaded from it; they are named "host letter + virtual account number":

[root@RedHat8-2 test]# ls /home/test/test1
B1.txt
[root@RedHat8-2 test]# ls /home/test/test2
B2.txt

2. Brief description of the test contents and results

1) A host account test is created on both machine A and machine B, with shell /sbin/nologin and home directory /home/test.
2) Two virtual accounts are created: test1 with home directory /home/test/test1 and test2 with home directory /home/test/test2.
3) The host account cannot log in; each virtual account is locked into its own home directory.
4) Transfer test: A and B act as server and client for each other; each client uploads its files from /test and downloads the server's test file into the client's /test.
5) The end of the post explains the vsftpd configuration file, the chroot black/white list and the per-user permission files.

 

3. Install vsftp package and ftp client for testing

yum install -y vsftpd
yum install -y ftp


4. Create the ftp host account
Two virtual accounts were tested; each is confined to its own home directory under the shared directory /home/test.

useradd -s /sbin/nologin test
mkdir /home/test/test1
mkdir /home/test/test2
chown test. /home/test/ -R

5. Create ftp log files and change permissions

touch /var/log/vsftpd.log
chown test. /var/log/vsftpd.log

6. Backup vsftpd configuration file

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak

7. Edit the vsftpd configuration file

cat > /etc/vsftpd/vsftpd.conf << EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
guest_enable=YES
guest_username=test
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vsftpd_user_conf
vsftpd_log_file=/var/log/vsftpd.log
allow_writeable_chroot=YES
EOF

Alternatively, strip the comment lines from the stock file and edit what remains by hand:
sed '/\#/d' /etc/vsftpd/vsftpd.conf      # preview: print the file without comment lines
sed '/\#/d' /etc/vsftpd/vsftpd.conf -i   # apply the same in place
vi /etc/vsftpd/vsftpd.conf

8. Create the whitelist file (chroot_list_file) and add the accounts. The real (host) account is test; the virtual accounts are test1 and test2.

cat >> /etc/vsftpd/vsftpd.chroot_list << EOF
test1
test2
EOF

9. Create the virtual account password file (odd lines hold the account name, even lines the password)

cat >> /etc/vsftpd/vsftpd_user << EOF
test1
1qaz2wsx
test2
p@ssw0rd
EOF

10. Convert the account/password file into a database file (for security, keep your own backup of the plaintext file elsewhere and delete it from /etc/vsftpd after the .db file has been generated)

# db_load is provided by the libdb-utils package on CentOS 7 / RHEL 8
db_load -T -t hash -f /etc/vsftpd/vsftpd_user /etc/vsftpd/vsftpd_user.db
chmod 600 /etc/vsftpd/vsftpd_user.db

11. Add PAM authentication

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd_bak
# Comment out every active line of the stock PAM stack so that only the
# pam_userdb entries appended below are consulted
sed -i 's/^[^#]/#&/' /etc/pam.d/vsftpd

cat >> /etc/pam.d/vsftpd << EOF
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_user
account required pam_userdb.so db=/etc/vsftpd/vsftpd_user
EOF

12. Configure the per-user permission files (one file per virtual account, named after the account)

mkdir /etc/vsftpd/vsftpd_user_conf

cat > /etc/vsftpd/vsftpd_user_conf/test1 << EOF
local_root=/home/test/test1
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF

cat > /etc/vsftpd/vsftpd_user_conf/test2 << EOF
local_root=/home/test/test2
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
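
A pre-flight check for steps 9 to 12, as an added example that is not part of the original post: it verifies that the account/password file alternates account and password lines with no blank lines, duplicates or odd characters, that every account has a per-user file under user_config_dir whose local_root lies under the guest user's home, and that no stale per-user file is left behind for an account that no longer exists. The paths are passed as arguments (the stand-alone run uses the ones from this tutorial); the 8-character minimum password length is an assumed local policy, not a vsftpd requirement.

```shell
#!/bin/sh
# Added example: sanity checks for the vsftpd virtual-user credential file
# (odd lines = account, even lines = password) and the per-user config
# directory. Paths are arguments; the 8-character minimum is an assumed policy.

# check_user_file FILE: returns 0 if well-formed, 1 otherwise (problems are printed)
check_user_file() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    awk '
        NR % 2 == 1 {                                 # account line
            acct = $0
            if (acct == "")                       { print "line " NR ": empty account name"; bad = 1 }
            else if (acct !~ /^[A-Za-z0-9._-]+$/) { print "line " NR ": unsafe characters in account " acct; bad = 1 }
            else if (acct in seen)                { print "line " NR ": duplicate account " acct; bad = 1 }
            seen[acct] = NR
        }
        NR % 2 == 0 {                                 # password line
            if ($0 == "")            { print "line " NR ": empty password for " acct; bad = 1 }
            else if (length($0) < 8) { print "line " NR ": password for " acct " shorter than 8 characters"; bad = 1 }
        }
        END {
            if (NR == 0)     { print "file is empty"; bad = 1 }
            if (NR % 2 == 1) { print "line " NR ": account " acct " has no password line"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# list_accounts FILE: print the account names (the odd lines)
list_accounts() { awk 'NR % 2 == 1' "$1"; }

# check_user_confs FILE CONF_DIR GUEST_HOME
# Every account needs CONF_DIR/<account> with a local_root under GUEST_HOME,
# and every file in CONF_DIR must belong to a current account (a stale
# per-user file is a common leftover after a virtual user is removed).
check_user_confs() {
    file="$1"; confdir="$2"; home="$3"; rc=0
    for acct in $(list_accounts "$file"); do
        conf="$confdir/$acct"
        if [ ! -f "$conf" ]; then
            echo "no per-user config for $acct ($conf)"; rc=1; continue
        fi
        root=$(sed -n 's/^local_root=//p' "$conf" | tail -n 1)
        case "$root" in
            "$home"/*) ;;
            *) echo "$acct: local_root '$root' is not under $home"; rc=1 ;;
        esac
    done
    for conf in "$confdir"/*; do
        [ -f "$conf" ] || continue
        acct=${conf##*/}
        list_accounts "$file" | grep -qx "$acct" || { echo "stale per-user config: $conf"; rc=1; }
    done
    return $rc
}

# Stand-alone run against this tutorial's paths: sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_user_file /etc/vsftpd/vsftpd_user &&
    check_user_confs /etc/vsftpd/vsftpd_user /etc/vsftpd/vsftpd_user_conf /home/test
fi
```

Run it before db_load so that a malformed file is caught while it is still plaintext; a missing password line would otherwise silently shift every following account/password pair.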

13. Start the vsftpd service and check its status

systemctl start vsftpd
systemctl status vsftpd

14. Login and transfer tests
1) Create the test directory and the files used for the upload and download tests

host A: CentOS 7.6:
mkdir /test
cat /etc/profile >> /test/CT7-6-1
cat /etc/profile >> /test/CT7-6-2
cat /etc/profile >> /home/test/test1/A1.txt
cat /etc/profile >> /home/test/test2/A2.txt
chown test. /home/test/ -R
host B: RedHat 8.2:
mkdir /test
cat /etc/profile >> /test/RH8-2-1
cat /etc/profile >> /test/RH8-2-2
cat /etc/profile >> /home/test/test1/B1.txt
cat /etc/profile >> /home/test/test2/B2.txt
chown test. /home/test/ -R

#Both hosts enter the test transmission directory
cd /test

2) Login tests with machine A and machine B as server and client for each other

##B is the client and A is the server; log in with the ftp accounts test1 and test2:
[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

##A is the client and B is the server; log in with the ftp accounts test1 and test2:
[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

3) Transfer test: A is the client and logs in to machine B's ftp user test1; machine A's test1 uploads the test file 'CT7-6-1' and downloads the test file B1.txt

#####Upload:
[root@CentOS7-6 test]# ls
CT7-6-1  CT7-6-2
[root@CentOS7-6 test]# ftp 172.20.10.6
Connected to 172.20.10.6 (172.20.10.6).
220 (vsFTPd 3.0.3)
Name (172.20.10.6:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,20,10,6,42,68).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
226 Directory send OK.
ftp> put CT7-6-1 
local: CT7-6-1 remote: CT7-6-1
227 Entering Passive Mode (172,20,10,6,124,67).
150 Ok to send data.
226 Transfer complete.
1819 bytes sent in 6.3e-05 secs (28873.02 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,6,186,156).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
-rw-r--r--    1 1000     1000         1819 May 19 06:02 CT7-6-1
226 Directory send OK.

#####Download:
ftp> ls
227 Entering Passive Mode (172,20,10,6,53,40).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         2123 May 19 04:34 B1.txt
-rw-r--r--    1 1000     1000         1819 May 19 06:02 CT7-6-1
226 Directory send OK.
ftp> get B1.txt
local: B1.txt remote: B1.txt
227 Entering Passive Mode (172,20,10,6,204,244).
150 Opening BINARY mode data connection for B1.txt (2123 bytes).
226 Transfer complete.
2123 bytes received in 2.8e-05 secs (75821.42 Kbytes/sec)
ftp> 221 Goodbye.
[root@CentOS7-6 test]# ls
B1.txt  CT7-6-1  CT7-6-2

4) Transfer test: B is the client and logs in to machine A's ftp user test1; machine B's test1 uploads the test file 'RH8-2-1' and downloads the test file A1.txt

#####Upload:
[root@RedHat8-2 test]# ls
RH8-2-1  RH8-2-2
[root@RedHat8-2 test]# ftp 172.20.10.4
Connected to 172.20.10.4 (172.20.10.4).
220 (vsFTPd 3.0.2)
Name (172.20.10.4:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,20,10,4,245,200).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
226 Directory send OK.
ftp> put RH8-2-1
local: RH8-2-1 remote: RH8-2-1
227 Entering Passive Mode (172,20,10,4,45,38).
150 Ok to send data.
226 Transfer complete.
2123 bytes sent in 0.000107 secs (19841.12 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,4,60,224).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.

#####Download:
ftp> ls
227 Entering Passive Mode (172,20,10,4,60,224).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.
ftp> get A1.txt
local: A1.txt remote: A1.txt
227 Entering Passive Mode (172,20,10,4,120,123).
150 Opening BINARY mode data connection for A1.txt (1819 bytes).
226 Transfer complete.
1819 bytes received in 3.5e-05 secs (51971.43 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,10,4,221,74).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1819 May 19 04:34 A1.txt
-rw-r--r--    1 1000     1000         2123 May 19 06:07 RH8-2-1
226 Directory send OK.
ftp> 221 Goodbye.
[root@RedHat8-2 test]# ls
A1.txt  RH8-2-1  RH8-2-2
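
Once vsftpd_log_file is set (step 7), each of the logins and transfers above leaves a line in /var/log/vsftpd.log, which is the first place to look when a virtual account misbehaves. The awk-based functions below are an added example, not part of the original post: they summarise such a log by failed logins per client address, uploads and downloads per virtual user, and clients exceeding a failure threshold. The lines produced by sample_log are constructed in the shape vsftpd writes with its default (non-xferlog) format; the pids, times and the 172.20.10.9 address are made up.

```shell
#!/bin/sh
# Added example: summarise vsftpd's own log (vsftpd_log_file). Every function
# reads the file names given as arguments, or stdin when none are given.

# sample_log: constructed lines in the shape vsftpd writes to vsftpd_log_file
sample_log() {
cat <<'EOF'
Thu May 19 06:02:10 2022 [pid 2461] CONNECT: Client "172.20.10.6"
Thu May 19 06:02:13 2022 [pid 2460] [test1] OK LOGIN: Client "172.20.10.6"
Thu May 19 06:02:20 2022 [pid 2462] [test1] OK UPLOAD: Client "172.20.10.6", "/CT7-6-1", 1819 bytes, 28873.02Kbyte/sec
Thu May 19 06:03:01 2022 [pid 2462] [test1] OK DOWNLOAD: Client "172.20.10.6", "/B1.txt", 2123 bytes, 75821.42Kbyte/sec
Thu May 19 06:04:40 2022 [pid 2470] [test2] FAIL LOGIN: Client "172.20.10.9"
Thu May 19 06:04:43 2022 [pid 2470] [test2] FAIL LOGIN: Client "172.20.10.9"
Thu May 19 06:04:47 2022 [pid 2470] [admin] FAIL LOGIN: Client "172.20.10.9"
Thu May 19 06:05:02 2022 [pid 2471] [test2] FAIL LOGIN: Client "172.20.10.6"
Thu May 19 06:05:10 2022 [pid 2471] [test2] OK LOGIN: Client "172.20.10.6"
Thu May 19 06:05:30 2022 [pid 2472] [test2] OK UPLOAD: Client "172.20.10.6", "/RH8-2-2", 2123 bytes, 19841.12Kbyte/sec
EOF
}

# failed_logins_by_client [FILE...]: "<count> <client ip>", most failures first
failed_logins_by_client() {
    awk '/FAIL LOGIN: Client "/ {
        split($0, a, "\"")          # a[2] is the quoted client address
        fails[a[2]]++
    }
    END { for (ip in fails) print fails[ip], ip }' "$@" | sort -rn
}

# transfers_by_user [FILE...]: per virtual user, upload/download counts and total bytes
transfers_by_user() {
    awk '$9 == "OK" && ($10 == "UPLOAD:" || $10 == "DOWNLOAD:") {
        user = $8; gsub(/[][]/, "", user)      # strip the brackets around the user name
        if ($10 == "UPLOAD:") up[user]++; else down[user]++
        if (match($0, /, [0-9]+ bytes,/))       # ", 1819 bytes," -> 1819
            bytes[user] += substr($0, RSTART + 2, RLENGTH - 9)
        users[user] = 1
    }
    END {
        for (u in users)
            printf "%s uploads=%d downloads=%d bytes=%d\n", u, up[u], down[u], bytes[u]
    }' "$@" | sort
}

# clients_over_threshold THRESHOLD [FILE...]: clients with at least THRESHOLD failed logins
clients_over_threshold() {
    t="$1"; shift
    failed_logins_by_client "$@" | awk -v t="$t" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample: sh vsftpd-log-summary.sh
if [ "${1:-}" = "" ]; then
    echo "failed logins per client:"; sample_log | failed_logins_by_client
    echo "transfers per user:";       sample_log | transfers_by_user
    echo "clients with 3+ failures:"; sample_log | clients_over_threshold 3
fi
```

On a real host replace sample_log with the log path, e.g. failed_logins_by_client /var/log/vsftpd.log. A client that accumulates FAIL LOGIN lines across several account names, as 172.20.10.9 does in the sample, is the pattern worth alerting on; the same grouping over the OK UPLOAD lines shows whether a virtual account is being used beyond its expected volume.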

15. Description of the vsftpd configuration file, the chroot black/white list and the per-user permission files

vsftpd configuration file:

anonymous_enable=NO         #Disable anonymous logins
local_enable=YES            #Allow local users (and, with guest_enable, virtual users) to log in
write_enable=YES            #Allow FTP write commands (upload, delete, rename, mkdir); without it every user is read-only
anon_upload_enable=NO       #Anonymous users may not upload (the anon_* options also govern virtual users, which vsftpd treats like anonymous ones unless virtual_use_local_privs=YES; the per-user files re-enable them)
anon_mkdir_write_enable=NO  #Anonymous users may not create directories
anon_other_write_enable=NO  #Anonymous users may not delete or rename
chroot_local_user=YES       #Lock every local user into their home directory (with NO, only the users named in chroot_list_file are locked in, so the list acts as a blacklist)
chroot_list_enable=YES      #Consult chroot_list_file; with chroot_local_user=YES the listed users are the exceptions that are NOT locked in (the list acts as a whitelist of exceptions)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list       #The list file. Virtual users mapped through guest_enable are locked into their local_root regardless of this list unless virtual_use_local_privs=YES
guest_enable=YES            #Enable virtual users: every non-anonymous login is mapped to guest_username
guest_username=ftpuser1     #The host operating system user that virtual users are mapped to (test in this tutorial)
pam_service_name=vsftpd     #Name of the PAM service file under /etc/pam.d used for authentication
user_config_dir=/etc/vsftpd/vsftpd_user_conf  #Directory of per-user settings; each virtual account has a file there named after the account
vsftpd_log_file=/var/log/vsftpd.log           #vsftpd's own log file; it is not created by default (see step 5)
allow_writeable_chroot=YES                    #vsftpd 2.3.5 and later refuse a session whose chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); this option overrides that check. The safer alternative is to keep local_root non-writable for the user and upload into a writable subdirectory

Black and white list:

The list file can be stored wherever you like; note how the meaning of the same file flips with chroot_local_user.
#Whitelist: all users are locked in, except the ones listed
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list  #chroot_list is the list of users NOT locked into their home directory

#Blacklist: nobody is locked in, except the ones listed
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list  #chroot_list is the list of users locked into their home directory
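
The following shell functions are an added example, not from the original post, that turn the rule above into something you can check before deploying a configuration: conf_get reads a key from vsftpd.conf, chroot_status reports whether a named user ends up inside a chroot, and audit_vsftpd_conf flags the weak settings discussed in this section. The configuration files used in the test are constructed. The code assumes vsftpd's documented defaults where a key is absent (chroot_list_file defaults to /etc/vsftpd.chroot_list, guest_username to ftp, anonymous_enable to YES) and the rule that guest logins without virtual_use_local_privs=YES are treated like anonymous logins, chroot included.

```shell
#!/bin/sh
# Added example: reason about vsftpd's chroot decision and a few weak settings
# from a configuration file. Documented defaults are assumed for absent keys.

# conf_get CONF KEY: value of KEY (last occurrence wins, as in vsftpd), or empty
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# chroot_status CONF USER: prints "chrooted" or "not-chrooted" for USER.
# Rule from vsftpd.conf(5): chroot_local_user sets the default for local users;
# when chroot_list_enable=YES, a name in chroot_list_file flips that default.
# Guest (virtual) logins without virtual_use_local_privs=YES are handled like
# anonymous logins and are always chrooted into local_root.
chroot_status() {
    conf="$1"; user="$2"
    if [ "$(conf_get "$conf" guest_enable)" = "YES" ] &&
       [ "$(conf_get "$conf" virtual_use_local_privs)" != "YES" ]; then
        echo chrooted
        return 0
    fi
    chrooted=0
    if [ "$(conf_get "$conf" chroot_local_user)" = "YES" ]; then chrooted=1; fi
    if [ "$(conf_get "$conf" chroot_list_enable)" = "YES" ]; then
        list=$(conf_get "$conf" chroot_list_file)
        [ -n "$list" ] || list=/etc/vsftpd.chroot_list     # documented default
        if [ -r "$list" ] && grep -qx "$user" "$list"; then
            chrooted=$((1 - chrooted))                      # the list toggles the default
        fi
    fi
    if [ "$chrooted" -eq 1 ]; then echo chrooted; else echo not-chrooted; fi
}

warn_msg() { echo "WARN: $1"; warn=$((warn + 1)); }

# audit_vsftpd_conf CONF: one WARN line per weak setting; returns 0 only when clean
audit_vsftpd_conf() {
    conf="$1"; warn=0
    if [ "$(conf_get "$conf" anonymous_enable)" != "NO" ]; then
        warn_msg "anonymous_enable is not NO (vsftpd's built-in default is YES)"
    fi
    if [ "$(conf_get "$conf" chroot_local_user)" != "YES" ]; then
        warn_msg "chroot_local_user is not YES: local users can browse outside their home"
    fi
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        warn_msg "allow_writeable_chroot=YES: the chroot root itself is writable"
    fi
    if [ "$(conf_get "$conf" guest_enable)" = "YES" ]; then
        if [ -z "$(conf_get "$conf" guest_username)" ]; then
            warn_msg "guest_enable=YES without guest_username (virtual users map to ftp)"
        fi
        if [ -z "$(conf_get "$conf" user_config_dir)" ]; then
            warn_msg "guest_enable=YES without user_config_dir: all virtual users share one local_root"
        fi
    fi
    if [ "$(conf_get "$conf" listen)" = "YES" ] && [ "$(conf_get "$conf" listen_ipv6)" = "YES" ]; then
        warn_msg "listen and listen_ipv6 are both YES: vsftpd refuses to start"
    fi
    [ "$warn" -eq 0 ]
}

# Stand-alone run against this tutorial's file: sh vsftpd-audit.sh run [user]
if [ "${1:-}" = "run" ]; then
    audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
    [ -n "${2:-}" ] && chroot_status /etc/vsftpd/vsftpd.conf "$2"
fi
```

With this tutorial's configuration, chroot_status reports test1 as chrooted whether or not it appears in vsftpd.chroot_list, because the guest mapping decides; the list only matters for real local logins, where placing a name in it while chroot_local_user=YES releases that user from the chroot.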

Content of the virtual user permission file:

Adjust the per-user files with reference to the following combinations:
When virtual_use_local_privs=YES, virtual users have the same permissions as local users.
When virtual_use_local_privs=NO, virtual users have the same permissions as anonymous users. The default is NO.
When virtual_use_local_privs=YES and write_enable=YES, the virtual user has write permission (upload, download, delete, rename).
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES and anon_upload_enable=YES, the virtual user cannot list the directory and can only upload files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=NO, the virtual user can only download files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_upload_enable=YES, the virtual user can only upload and download files, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_mkdir_write_enable=YES, the virtual user can only download files and create directories, with no other permissions.
When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO and anon_other_write_enable=YES, the virtual user can only download, delete and rename files, with no other permissions.

 

Topics: Linux