In-depth study of FTP on Linux

Posted by amithn12 on Sun, 26 Dec 2021 19:03:45 +0100

Introduction to the FTP protocol:

FTP is an application-layer file transfer protocol. It moves files between a server and a client (C/S architecture) over TCP connections, a command channel and a data channel, and everything on both channels is sent in plaintext. An FTP session therefore needs two TCP connections, each set up with its own handshake.

Command channel: the client takes a random port above 1024 and connects to port 21 on the FTP server, going through the TCP three-way handshake. Once the connection is up, the client sends commands to the server over it: listing file names, downloading and uploading are all requested through this channel.

FTP has two data transfer modes:

  • Active (PORT) mode: the server opens the data connection
  • Passive (PASV) mode: the client opens the data connection

How FTP works:

  • PORT mode:

The client tells the FTP server to use an active connection, and which port to connect to

Port 21 of the FTP server carries the command channel. When the client needs data, it tells the server how the data connection is to be made. For an active connection the client opens a random port of its own, sends the server both pieces of information (active mode and the port number) over the command channel, and waits for the server to connect.

The FTP server actively connects to the client

Once the server has learned the client's requirements over the command channel, it connects from its own port 20 to the client's data port; this connection also goes through the three-way handshake. Client and server now have two connections, one used as the command channel and one as the data channel. The default port from which the server makes the active connection is 20.

The data channel is established only when there is data to transfer, not immediately after the client connects to the FTP server.

Port 21 receives the command connection from the client; port 20 is the port from which the server actively connects to the client.

  • PASV mode:

The client chooses passive mode

The client sends a passive connection request over the command channel and waits for the server's reply.

The FTP server opens a data port and tells the client to connect to it

If the server supports passive connections, it first opens a listening port. The port number can be random, or you can restrict it to a configured range. The server then tells the client the chosen port (port_pasv) over the command channel (port 21) and waits for the client to connect.

The client connects from a random port above 1024

The client then takes a random port above 1024 and connects to the server's port_pasv. If all goes well, FTP data flows between the client's random port and the server's port_pasv.
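To make the two exchanges above concrete, here is an added Python example (not code from the original article) that encodes a PORT argument, builds and parses a 227 PASV reply, and walks through the passive-mode setup from both sides. The addresses are constructed to match the lab network used later in the article. The check that the announced PASV address equals the command connection's peer is a client-side safeguard I added, not something the article describes: a client that follows whatever address a 227 reply names can be pointed at a third host.

```python
import ipaddress
import re

# 227 reply body as defined by RFC 959: (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def build_port_argument(client_ip, client_port):
    """Active (PORT) mode: encode the port the client is listening on.

    The client sends 'PORT h1,h2,h3,h4,p1,p2' over the command channel and
    the server then connects from its port 20 to that endpoint.
    """
    if not 1024 <= client_port <= 65535:
        raise ValueError("client data port must be above 1023")
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(client_ip).packed)
    return f"{octets},{client_port >> 8},{client_port & 0xFF}"


def build_pasv_reply(server_ip, pasv_port):
    """Passive (PASV) mode: the server announces the listening port it opened."""
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(server_ip).packed)
    return f"227 Entering Passive Mode ({octets},{pasv_port >> 8},{pasv_port & 0xFF})."


def parse_pasv_reply(reply, control_peer_ip):
    """Decode a 227 reply into the (host, port) the client should connect to.

    Defensive check: a well-behaved server only announces its own address,
    so a reply naming a host other than the command connection's peer is
    rejected instead of followed.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed 227 reply, expected (h1,h2,h3,h4,p1,p2)")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in 227 reply")
    host = f"{h1}.{h2}.{h3}.{h4}"
    if host != control_peer_ip:
        raise ValueError(f"PASV address {host} differs from command-channel peer {control_peer_ip}")
    return host, p1 * 256 + p2


def passive_exchange(server_ip, pasv_port, client_ip, client_port):
    """Both sides of a passive-mode data-connection setup, as a message list.

    Returns the transcript and the (host, port) pair the client connects to.
    """
    transcript = [("client", "PASV")]
    reply = build_pasv_reply(server_ip, pasv_port)
    transcript.append(("server", reply))
    host, port = parse_pasv_reply(reply, server_ip)
    transcript.append(("client", f"TCP connect {client_ip}:{client_port} -> {host}:{port}"))
    return transcript, (host, port)


if __name__ == "__main__":
    # Constructed addresses matching the article's lab network.
    print("PORT", build_port_argument("192.168.220.1", 1025))
    for side, msg in passive_exchange("192.168.220.134", 30001, "192.168.220.1", 49152)[0]:
        print(f"{side:>6}: {msg}")
```

The port is split into two bytes because the reply format predates the idea of sending a number in decimal; p1 * 256 + p2 recovers it, and the regular expression's three-digit groups are why the explicit 255 check is needed.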

FTP configuration on Linux:

To install the FTP components on Linux:

//vsftpd offers fewer features than some other FTP servers, but it is designed with security in mind
[root@localhost ~]# yum install  vsftpd -y

//Configuration file: /etc/vsftpd/vsftpd.conf

//Files installed by the package
[root@lxb ~]# rpm  -qc vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf


//Several configuration files are installed:
[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh

//vsftpd.conf is the main configuration file

//user_list works together with the userlist_enable and userlist_deny settings in vsftpd.conf

//userlist_enable=YES turns on vsftpd's mechanism for blocking the accounts named in user_list

Main settings in the vsftpd configuration file:

  • ① Anonymous login:

//FTP supports three login methods: anonymous users, local (real) users and virtual users
[root@localhost vsftpd]# vim vsftpd.conf 

//Anonymous user configuration

//Anonymous login configuration
anonymous_enable=YES/NO             Allow anonymous users to log in to the vsftpd host
no_anon_password=YES/NO             Whether anonymous login skips the password prompt
ftp_username=ftp                    System user name used for anonymous login

//Anonymous user action configuration
anon_upload_enable=YES/NO           Allow anonymous users to upload files
anon_world_readable_only=YES/NO     Only allow anonymous users to download world-readable files
anon_mkdir_write_enable=YES/NO      Allow anonymous users to create directories

//Anonymous user permission configuration
anon_other_write_enable=YES/NO      Allow anonymous users to delete or rename
chown_uploads=YES/NO                Whether to change the ownership of files (not directories) uploaded by anonymous users
chown_username=username             Owner assigned to files (not directories) uploaded by anonymous users
anon_umask=077                      umask applied to files created or uploaded by anonymous users
write_enable=YES/NO                 Whether logged-in users may write at all. This is a global setting; the default value is YES

//Login directory permissions
anon_root=/var/ftp                  !!!Login directory for anonymous users. The default value is /var/ftp
//Note: this directory must not have 777 permissions, i.e. the home directory of anonymous users must not be world-writable.

//Anonymous login requirements:

deny_email_enable=YES/NO            
//If enabled, the e-mail address entered as the anonymous password is checked against banned_email_file; addresses listed there are refused
banned_email_file=/etc/vsftpd/banned_emails
//File holding the banned e-mail addresses; only used when deny_email_enable=YES
  • ② Local user login

//Local user settings

local_enable=YES/NO          Allow local users to log in
local_root=/home/username    Directory local users land in after login
write_enable=YES/NO          Allow logged-in users to write
local_umask=022              umask applied to files created by local users
file_open_mode=0755          Permissions of files uploaded by local users, expressed like chmod values
  • ③ Virtual user login

  • Virtual user configuration

Virtual user settings in /etc/vsftpd/vsftpd.conf
guest_enable=YES
guest_username=lxb
virtual_use_local_privs=YES
pam_service_name=ftppam

//virtual_use_local_privs=YES
//Virtual users get the same privileges as local users. With NO, virtual users get the same privileges as anonymous users

//pam_service_name=ftppam
//Name of the PAM service (file under /etc/pam.d) used for authentication, here ftppam
  • Create the virtual user list file

//Create a file under /etc/vsftpd holding the virtual users: a user name on one line, that user's password on the next
[root@localhost vsftpd]# vim vitualuserlist

vuser1
vuser1
vuser2
vuser2
  • Convert the virtual user file to a database

//Convert the vitualuserlist file into the Berkeley DB file vitualuserlist.db (-T reads text input, -t hash selects the hash format)
db_load -T -t hash -f /etc/vsftpd/vitualuserlist vitualuserlist.db

//Check that the file vitualuserlist.db now exists
[root@localhost vsftpd]# ls
1                 ftpusers  user_list    vsftpd_conf_migrate.sh  vitualuserlist.db
chroot_list_file  message   vsftpd.conf  vitualuserlist
  • Configure the PAM service for virtual users

//Go to /etc/pam.d and check whether the ftppam file exists (the name configured in pam_service_name above)
//Configure ftppam:

[root@localhost pam.d]# vim ftppam 

auth  required  pam_userdb.so db=/etc/vsftpd/vitualuserlist
account required pam_userdb.so db=/etc/vsftpd/vitualuserlist

//auth: authenticates the user
//account: checks the properties of the account
//required: one failure vetoes the login; it succeeds only if verification succeeds
//pam_userdb.so: the module used
//db: path of the database file, given without the .db suffix
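An added Python example (not the article's code) that checks the two pieces of the virtual user setup for the mistakes that most often break it: a user/password list whose lines have fallen out of step, and a PAM db= argument written with the .db suffix. pam_userdb appends the suffix itself, which is why the PAM lines above name /etc/vsftpd/vitualuserlist while the file on disk is vitualuserlist.db. The list text and the set of files that exist are passed in by the caller, so the check runs offline; the sample values are constructed from the article's own list.

```python
import re

# 'db=' argument of a pam_userdb.so line, e.g. db=/etc/vsftpd/vuserlist
_PAM_DB_RE = re.compile(r"\bdb=(\S+)")


def parse_vuserlist(text):
    """Parse the alternating user/password list used as db_load input.

    Blank lines are skipped. An odd number of entries means a user line
    and a password line are out of step, so it is rejected rather than
    silently paired up wrongly.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError(f"{len(lines)} non-empty lines: each user name needs exactly one password line")
    users = {}
    for user, password in zip(lines[0::2], lines[1::2]):
        if user in users:
            raise ValueError(f"duplicate virtual user {user!r}")
        users[user] = password
    return users


def password_equals_username(users):
    """Return the virtual users whose password is their own user name."""
    return sorted(u for u, p in users.items() if p == u)


def pam_userdb_file(pam_line):
    """Return the file pam_userdb will actually open for a 'db=' argument.

    pam_userdb appends '.db' itself, so the argument must be the path
    without the suffix; db_load is the one told to write the '.db' file.
    """
    m = _PAM_DB_RE.search(pam_line)
    if m is None:
        raise ValueError("no db= argument on PAM line")
    path = m.group(1)
    if path.endswith(".db"):
        raise ValueError("db= must be given without .db; pam_userdb would look for " + path + ".db")
    return path + ".db"


def check_pam_service(pam_text, existing_files):
    """Check every pam_userdb line of a PAM service file.

    existing_files is a set of paths standing in for the file system so
    the check can run offline. Returns a list of problems (empty = fine).
    """
    problems = []
    for ln in pam_text.splitlines():
        if "pam_userdb.so" not in ln:
            continue
        try:
            db_file = pam_userdb_file(ln)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if db_file not in existing_files:
            problems.append(f"{db_file} does not exist (run db_load first)")
    return problems


if __name__ == "__main__":
    # Constructed input mirroring the article's vuserlist and ftppam files.
    users = parse_vuserlist("vuser1\nvuser1\nvuser2\nvuser2\n")
    print("users:", users)
    print("password == user name:", password_equals_username(users))
    pam = "auth  required  pam_userdb.so db=/etc/vsftpd/vuserlist\naccount required pam_userdb.so db=/etc/vsftpd/vuserlist\n"
    print("problems:", check_pam_service(pam, {"/etc/vsftpd/vuserlist.db"}))
```

password_equals_username is there because the article's own list sets every password equal to the user name, which is convenient in a lab and a weak credential anywhere else.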
  • ④ Other settings

  • Welcome message settings

dirmessage_enable=YES/NO         Show a message when a user enters a directory
message_file=.message            Name of the per-directory file whose content is shown (default .message)
banner_file=/etc/vsftpd/banner   The content of this file is shown when the user logs in
ftpd_banner=XXX                  Welcome string shown at login
//banner_file takes a file, ftpd_banner takes a string
  • Controlling whether users may switch to the parent directory (chroot)

When configuring this, also set allow_writeable_chroot=YES; otherwise the users who end up confined (with the settings below, those not listed in the file) cannot log in when their home directory is writable.

  1. chroot_list_enable=YES and chroot_local_user=YES: users listed in /etc/vsftpd/chroot_list can switch to other directories; users not listed cannot.
  2. chroot_list_enable=YES and chroot_local_user=NO: users listed in /etc/vsftpd/chroot_list cannot switch to other directories; users not listed can.
  3. chroot_list_enable=NO and chroot_local_user=YES: no user can switch to other directories.
  4. chroot_list_enable=NO and chroot_local_user=NO: all users can switch to other directories.
//In the default configuration, local users can cd to other directories after logging in to FTP

allow_writeable_chroot=YES
//Must be enabled, otherwise a confined (chrooted) user whose home directory is writable cannot log in

chroot_list_file=/etc/vsftpd.chroot_list
//Path of the user list file that controls which users may switch to the parent directory of their home directory

chroot_local_user=YES/NO
//Whether local users are confined to their home directory by default; together with the list file this decides who may switch to the parent directory (see the four cases above)

chroot_list_enable=YES/NO
//Whether the user list file named by chroot_list_file is used
  • Data transmission mode settings

FTP can transfer data in binary mode or ASCII mode, for both uploads and downloads.

Whether uploads in ASCII mode are allowed. The default value is NO
    ascii_upload_enable=YES/NO
Whether downloads in ASCII mode are allowed. The default value is NO
    ascii_download_enable=YES/NO
  • Access control settings

Two kinds of control: one restricts which hosts may connect, the other which users.

Host access control

Sets whether vsftpd uses tcp_wrappers for host access control. The default value is YES. When enabled, the vsftpd server consults /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server. These two files act as a simple firewall.

For example, to allow only hosts 192.168.220.1 to 192.168.220.255 to connect to the FTP server, add the following to /etc/hosts.allow:

vsftpd: 192.168.220. : allow
ALL: ALL : deny

User access control

For user access control you can use the vsftpd.user_list and ftpusers files under /etc (on this host they are /etc/vsftpd/user_list and /etc/vsftpd/ftpusers, as the rpm -qc output above shows).

The file that controls user access to FTP; it contains user names, one per line

userlist_file=/etc/vsftpd.user_list

Whether the vsftpd.user_list file is used

userlist_enable=YES/NO   --- Default NO

Decides whether the users in vsftpd.user_list may access the FTP server. If YES, the users listed in vsftpd.user_list are denied access; if NO, only the users listed in vsftpd.user_list may access FTP.

userlist_deny=YES/NO   --- Default YES

//The /etc/vsftpd/ftpusers file defines the users who are never allowed to access the FTP server (note: with userlist_enable=YES and userlist_deny=NO, a user that appears in both vsftpd.user_list and ftpusers is still denied, i.e. ftpusers has the higher priority). By default, vsftpd.user_list and ftpusers already list a number of internal system accounts that must not use the FTP server. If your system does not have these two files, create them and add the users.
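The user-list rules in this section and the four chroot cases described earlier are easy to get backwards, so here is an added Python model (mine, not part of vsftpd or the article) of both decisions, plus the allow_writeable_chroot refusal the article warns about. Option defaults follow what the article states (userlist_enable=NO, userlist_deny=YES); the user names and the sets standing in for the user_list, ftpusers and chroot_list files are constructed.

```python
def vsftpd_bool(value, default):
    """vsftpd boolean semantics: YES/TRUE/1 and NO/FALSE/0, case-insensitive."""
    if value is None:
        return default
    v = value.strip().upper()
    if v in ("YES", "TRUE", "1"):
        return True
    if v in ("NO", "FALSE", "0"):
        return False
    raise ValueError(f"bad bool value: {value!r}")


def login_allowed(user, conf, user_list, ftpusers):
    """Apply the ftpusers / user_list rules to a login name.

    conf is a dict of vsftpd.conf options; user_list and ftpusers are sets
    of names read from the two files. Returns (allowed, reason).
    """
    if user in ftpusers:
        return False, "listed in ftpusers (always denied)"
    if vsftpd_bool(conf.get("userlist_enable"), False):
        deny = vsftpd_bool(conf.get("userlist_deny"), True)
        listed = user in user_list
        if deny and listed:
            return False, "listed in user_list and userlist_deny=YES"
        if not deny and not listed:
            return False, "not listed in user_list and userlist_deny=NO"
    return True, "allowed"


def is_chrooted(user, conf, chroot_list):
    """Decide whether a local user is confined to its home directory.

    chroot_local_user sets the default; when chroot_list_enable=YES the
    users named in chroot_list_file get the opposite treatment.
    """
    default = vsftpd_bool(conf.get("chroot_local_user"), False)
    if vsftpd_bool(conf.get("chroot_list_enable"), False) and user in chroot_list:
        return not default
    return default


def chroot_login_ok(user, conf, chroot_list, home_writable):
    """vsftpd refuses a chrooted login whose root directory is writable
    unless allow_writeable_chroot=YES. Returns (ok, reason)."""
    if not is_chrooted(user, conf, chroot_list):
        return True, "not chrooted"
    if home_writable and not vsftpd_bool(conf.get("allow_writeable_chroot"), False):
        return False, "chroot root is writable and allow_writeable_chroot is not YES"
    return True, "chrooted"


def explain(user, conf, user_list, ftpusers, chroot_list, home_writable=True):
    """One-line summary for a user, handy when reviewing a host's config."""
    allowed, why = login_allowed(user, conf, user_list, ftpusers)
    if not allowed:
        return f"{user}: login denied ({why})"
    ok, why2 = chroot_login_ok(user, conf, chroot_list, home_writable)
    if not ok:
        return f"{user}: login refused ({why2})"
    return f"{user}: login ok, {why2}"


if __name__ == "__main__":
    # Constructed to match the article's lab: lxb is in chroot_list, nihao is not.
    conf = {"chroot_local_user": "yes", "chroot_list_enable": "yes",
            "allow_writeable_chroot": "yes", "userlist_enable": "YES", "userlist_deny": "YES"}
    for name in ("root", "lxb", "nihao"):
        print(explain(name, conf, {"root"}, {"root"}, {"lxb"}))
```

The sets are passed in rather than read from disk so the same functions can be fed a proposed configuration before it is deployed; reading the real files is a one-line change with open().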

  • Transfer rate settings

Maximum transfer speed for anonymous users, in bytes/s; 0 means no limit. The default value is 0
    anon_max_rate=0
Maximum transfer speed for local users, in bytes/s; 0 means no limit. The default value is 0
    local_max_rate=0
  • Timeout settings

Timeout for establishing an FTP connection, in seconds. The default value is 60
    accept_timeout=60
Timeout for establishing the data connection in PORT mode, in seconds. The default value is 60
    connect_timeout=60
Timeout for an FTP data connection, in seconds. The default value is 120
    data_connection_timeout=120
If the client does nothing for this many seconds, the FTP connection is closed. The default value is 300
    idle_session_timeout=300
  • Log file settings

//The master switch is xferlog_enable

Enable upload/download logging. If enabled, every upload and download is recorded in the file named by xferlog_file. Enabled by default
    xferlog_enable=YES/NO
Log file name and path. The default value is /var/log/vsftpd.log
    xferlog_file=/var/log/vsftpd.log
If enabled, the log is written in the standard xferlog format, as wu-ftpd does. The default value is NO
    xferlog_std_format=YES/NO
If enabled, every FTP request and response is written to the log. The default log file is /var/log/vsftpd.log. When this is on, xferlog_std_format cannot be active. Useful for debugging. The default value is NO
    log_ftp_protocol=YES/NO
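As an added example of what these logs are for (my code, not the article's), the following Python parses lines in the standard xferlog format (xferlog_std_format=YES) and flags the events a defender cares about: anonymous uploads, incomplete transfers and unusually large downloads. The sample lines are constructed to resemble the transfers shown later in the article, and the access-mode letters (a anonymous, g guest, r real) and direction letters (i upload, o download, d delete) follow the xferlog format's definitions.

```python
from collections import Counter

# Constructed sample lines in the standard xferlog format. Fields after the
# 5-token timestamp: transfer-time remote-host file-size filename
# transfer-type special-action direction access-mode username service
# authentication-method authenticated-user-id completion-status
SAMPLE_XFERLOG = """\
Fri Dec 24 22:40:31 2021 1 192.168.220.1 12 /ftp_client/hello b _ i a ftp ftp 0 * c
Fri Dec 24 22:41:10 2021 1 192.168.220.1 155 /home/lxb/index.html a _ o r lxb ftp 0 * c
Fri Dec 24 22:45:02 2021 40 192.168.220.50 52428800 /home/lxb/mima a _ o r lxb ftp 0 * i
Fri Dec 24 22:46:15 2021 2 192.168.220.1 300 /home/lxb/hehe.key b _ o g vuser1 ftp 0 * c
"""

ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}


def parse_xferlog_line(line):
    """Split one xferlog line into a dict.

    The timestamp is five whitespace-separated tokens and the nine fields
    after the filename are fixed, so the filename is taken from the middle;
    that keeps file names containing spaces intact.
    """
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + 9:
        raise ValueError(f"too few fields: {line!r}")
    tail = tokens[-9:]
    return {
        "time": " ".join(tokens[0:5]),
        "seconds": int(tokens[5]),
        "remote_host": tokens[6],
        "size": int(tokens[7]),
        "filename": " ".join(tokens[8:-9]),
        "transfer_type": tail[0],
        "direction": tail[2],
        "access_mode": tail[3],
        "username": tail[4],
        "status": tail[8],
    }


def review_xferlog(text, download_limit=10 * 1024 * 1024):
    """Flag anonymous uploads, incomplete transfers and downloads larger
    than download_limit bytes. Returns (findings, transfers per host)."""
    findings = []
    per_host = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_xferlog_line(raw)
        per_host[rec["remote_host"]] += 1
        who = f"{ACCESS_MODE.get(rec['access_mode'], '?')} user {rec['username']}"
        what = DIRECTION.get(rec["direction"], "?")
        if rec["access_mode"] == "a" and rec["direction"] == "i":
            findings.append(f"{rec['time']}: anonymous upload of {rec['filename']} from {rec['remote_host']}")
        if rec["status"] == "i":
            findings.append(f"{rec['time']}: incomplete {what} of {rec['filename']} by {who}")
        if rec["direction"] == "o" and rec["size"] > download_limit:
            findings.append(f"{rec['time']}: large download ({rec['size']} bytes) of {rec['filename']} by {who}")
    return findings, per_host


if __name__ == "__main__":
    found, hosts = review_xferlog(SAMPLE_XFERLOG)
    for line in found:
        print(line)
    print("transfers per host:", dict(hosts))
```

The per-host counter is the cheap starting point for spotting a single address hammering the server; in practice you would feed the real /var/log/vsftpd.log (or xferlog) to review_xferlog and tune download_limit to the site.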
  • Per-user configuration files

In vsftpd you can define per-user configuration files so that different users get different settings.
    user_config_dir=/etc/vsftpd/userconf
Directory holding the per-user configuration files. Once this is set, when a user logs in the server looks in /etc/vsftpd/userconf for a file with the same name as the user and applies the settings in that file to the current session.

    For example: with user_config_dir=/etc/vsftpd/userconf and users test1 and test2 on the host, create two files named test1 and test2 in that directory. When test1 logs in, the settings in user_config_dir/test1 are read. The default is unset. Per-user files can, for instance, give users different transfer speeds: just define local_max_rate=XX in each user's file.
Example:
Configuration item: user_config_dir=/etc/vsftpd/config

cat /etc/vsftpd/config/admini 
anon_world_readable_only=NO                     //Turn off read-only
anon_upload_enable=YES                          //Allow uploads
anon_mkdir_write_enable=YES                     //Allow creating directories
anon_other_write_enable=YES                     //Allow renaming and deleting files and directories
local_root=/var/www/ruibiaofangxuan/home        //Home directory mapping

cat /etc/vsftpd/config/ruibiaofangxuan 
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_root=/var/www/ruibiaofangxuan/home
  • FTP working mode and port settings

FTP has two working modes: PORT FTP (active mode) and PASV FTP (passive mode)

    Port on which the FTP server listens for connections. The default value is 21
        listen_port=21
    Whether port 20 is used as the source port for data transfers. The default value is YES
        connect_from_port_20=YES/NO
    Port used for data connections in PORT mode. The default value is 20
        ftp_data_port=20

If set to YES, PASV mode is used; if set to NO, PORT mode. The default value is YES, i.e. PASV mode
    pasv_enable=YES/NO(YES)

In PASV mode, the highest port of the range used for data connections; 0 means any port. The default value is 0
    pasv_max_port=0
In PASV mode, the lowest port of the range used for data connections; 0 means any port. The default value is 0
    pasv_min_port=0
  • Connection settings

Sets whether vsftpd runs in standalone mode. Standalone is the better way to run it;
listen must then be YES, which is the default.
It is recommended not to change this: many server-related settings are only effective in this mode.
If set to NO, vsftpd does not run as a standalone service but under the control of xinetd, and its functionality is limited.
    listen=YES/NO(YES)

Maximum number of connections vsftpd allows. The default value is 0, which means unlimited. If set to 100, 100 simultaneous connections are allowed and further ones are refused. Only effective in standalone mode.
    max_clients=0
Number of simultaneous connections each IP address may have to the FTP server. The default value is 0, which means unlimited. Only effective in standalone mode.
    max_per_ip=0
Makes the FTP server listen for FTP requests on the given IP address only. If not set, it listens on all addresses bound to the server. Only effective in standalone mode.
    listen_address=IP address
Whether each connection to the FTP server is shown as a separate process. The default value is NO, in which case ps aux | grep ftp shows only one vsftpd process. If set to YES, there is one vsftpd process per connection.
    setproctitle_enable=YES/NO(NO)
  • Other settings

Whether commands such as ls -la show numeric UID/GID or user and group names.
The default value is NO, i.e. numeric UID and GID. Set to YES to show user and group names
    text_userdb_names=YES/NO
    Allows logged-in users to use ls -R (recursive listing of the subdirectories of the current directory). The default value is NO
    ls_recurse_enable=YES/NO
    When enabled, all files are shown as owned by user and group ftp, i.e. ls -al after login shows ftp as the owner and group of every file. The default value is NO
    hide_ids=YES/NO
If set to NO, no files can be downloaded; directories are not affected. The default value is YES
    download_enable=YES/NO
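The option reference above is long, so here is an added Python example (mine, not code from the article or from vsftpd) that parses a vsftpd.conf, merges a per-user file from user_config_dir over it, and reports the risky combinations this article discusses: anonymous write access, local users not chrooted, a writable chroot, an open passive port range and disabled logging. Parsing is strict, mirroring vsftpd's parser as I understand it: no whitespace around '=' and only YES/TRUE/1 or NO/FALSE/0 for boolean options, so a stray trailing space after a value is reported as an error. Defaults the article does not state (anonymous_enable=YES upstream, chroot_local_user=NO, allow_writeable_chroot=NO) are my assumptions from the vsftpd defaults; the sample configurations are constructed from the article's own snippets.

```python
import re

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_TRUE, _FALSE = ("YES", "TRUE", "1"), ("NO", "FALSE", "0")

# Options the audit treats as booleans; their values are validated the way
# vsftpd does (no whitespace trimming, case-insensitive YES/NO).
BOOL_OPTIONS = {
    "anonymous_enable", "anon_upload_enable", "anon_mkdir_write_enable",
    "anon_other_write_enable", "local_enable", "write_enable",
    "chroot_local_user", "chroot_list_enable", "allow_writeable_chroot",
    "pasv_enable", "xferlog_enable", "userlist_enable", "userlist_deny",
    "guest_enable", "virtual_use_local_privs",
}


def parse_vsftpd_conf(text):
    """Parse option=value lines; '#' comments and blank lines are skipped.
    Raises ValueError on lines vsftpd itself would reject."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not _KEY_RE.match(key):
            raise ValueError(f"line {lineno}: expected option=value, got {line!r}")
        if key in BOOL_OPTIONS and value.upper() not in _TRUE + _FALSE:
            raise ValueError(f"line {lineno}: bad bool value for {key}: {value!r}")
        conf[key] = value
    return conf


def yes(conf, key, default=False):
    """True if the boolean option is set to YES/TRUE/1, else the given default."""
    return conf[key].upper() in _TRUE if key in conf else default


def effective_conf(global_conf, user, user_confs):
    """Merge the per-user file (user_config_dir/<user>) over the global config.
    user_confs maps user name -> file text, standing in for the directory."""
    merged = dict(global_conf)
    if "user_config_dir" in global_conf and user in user_confs:
        merged.update(parse_vsftpd_conf(user_confs[user]))
    return merged


def audit(conf):
    """Return human-readable findings for risky combinations (empty = clean)."""
    findings = []
    anon = yes(conf, "anonymous_enable", True)  # assumed upstream default: YES
    anon_write = any(yes(conf, k) for k in
                     ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"))
    if anon and anon_write and yes(conf, "write_enable", True):
        findings.append("anonymous users can write to the server")
    if anon and yes(conf, "anon_other_write_enable"):
        findings.append("anonymous users may delete or rename files")
    if yes(conf, "local_enable") and not yes(conf, "chroot_local_user"):
        findings.append("local users are not confined to their home directory")
    if yes(conf, "allow_writeable_chroot"):
        findings.append("chroot root directories may be writable (allow_writeable_chroot=YES)")
    if yes(conf, "pasv_enable", True) and (conf.get("pasv_min_port", "0") == "0"
                                           or conf.get("pasv_max_port", "0") == "0"):
        findings.append("passive port range is unrestricted; firewall rules cannot be scoped")
    if not yes(conf, "xferlog_enable", True):
        findings.append("transfer logging is disabled")
    return findings


if __name__ == "__main__":
    # Constructed from the article's anonymous-login and local-login snippets.
    lab = parse_vsftpd_conf("anonymous_enable=YES\nanon_upload_enable=YES\n"
                            "local_enable=YES\nwrite_enable=yes\nallow_writeable_chroot=no\n")
    for finding in audit(lab):
        print("-", finding)
```

Because effective_conf reuses the same parser, a per-user file that re-enables anonymous writes (as the admini example above does) shows up in the audit of that user's merged configuration even when the global file looks clean.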

Configure anonymous user login:

[root@lxb vsftpd]# vim vsftpd.conf 
anonymous_enable=yes
no_anon_password=no
ftp_username=ftp

//This allows anonymous login without a password; the login name is ftp
//From the Windows command-prompt ftp client, entering ftp as the user name now logs in without a password
//At this point the anonymous user has no permission to delete or create anything

To give anonymous users write permission, modify /etc/vsftpd/vsftpd.conf
[root@lxb vsftpd]# vim vsftpd.conf 

anon_upload_enable=YES
//Allow anonymous users to upload files

anon_mkdir_write_enable=YES
//Allow anonymous users to create directories

anon_other_write_enable=YES
//Allow anonymous users to delete or rename

//Optionally change the ownership of uploaded files
chown_uploads=YES/NO                Whether to change the ownership of files (not directories) uploaded by anonymous users
chown_username=ftp                  Owner assigned to files (not directories) uploaded by anonymous users


!!!For file creation to work, the target directory on the server must be writable by the ftp user ('other' write permission in this setup); the first mkdir below fails until that is granted
ftp> mkdir ftp_client
550 Create directory operation failed.
ftp> mkdir ftp_client
257 "/ftp_client" created
ftp> delete hello
250 Delete operation successful.
ftp> quit
221 Goodbye.


//On the server
[root@lxb ftp]# ll
total 0
drwx------. 2 ftp  ftp  6 Dec 24 22:40 ftp_client
drwxr-xr-x. 2 root root 6 May 22  2021 pub

//The new directory is owned by user and group ftp

Configure local (real) user login:

//Configure local user login (anonymous login should be turned off at this point)
[root@lxb ~]# vim /etc/vsftpd/vsftpd.conf 
# Local login
local_enable=YES
write_enable=yes
allow_writeable_chroot=no

//Restart the service and log in as a local user of the machine: you will find you can move up and down the directory tree
//Unlike an anonymous user, a local user can switch directories at this point
C:\Users\14202>ftp 192.168.220.234
 Connect to 192.168.220.234. 
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
user(192.168.220.234:(none)): lxb
331 Please specify the password.
password:
230 Login successful.
ftp> cd ..
250 Directory successfully changed.
ftp> cd ..
250 Directory successfully changed.
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/" is the current directory
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
bin
boot
dev
etc
haha.crt
hehe.key
home
index.html
lib
lib64
media
mima
mnt
nfs
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
www
226 Directory send OK.
ftp: 155 bytes received, time 0.04 Seconds 3.60 Kilobyte/Seconds.
ftp>

To restrict directory switching, set chroot_list_enable and chroot_local_user.

Note: when restricting directory switching, also set allow_writeable_chroot=YES. If that line is missing while the three chroot settings are uncommented, the users not listed in chroot_list_file cannot log in!!!

//Configure chroot permissions
[root@localhost vsftpd]# vim vsftpd.conf 
allow_writeable_chroot=yes 
chroot_local_user=yes
chroot_list_enable=yes
chroot_list_file=/etc/vsftpd/chroot_list_file

//Then list the users in chroot_list_file
[root@localhost vsftpd]# cat chroot_list_file 
lxb

//Create a new user
[root@localhost home]# useradd nihao
[root@localhost home]# echo "123" | passwd --stdin nihao
Changing password for user nihao.
passwd: all authentication tokens updated successfully.

//With chroot enabled, the anonymous user (ftp) cannot access other directories
C:\Users\14202>ftp 192.168.220.134
 Connect to 192.168.220.134. 
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
user(192.168.220.134:(none)): ftp
331 Please specify the password.
password:
230 Login successful.
ftp> pwd
257 "/" is the current directory
ftp> cd /home
550 Failed to change directory.
ftp> quit
221 Goodbye.



//Log in again as lxb and as nihao
C:\Users\14202>ftp 192.168.220.134
 Connect to 192.168.220.134. 
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
user(192.168.220.134:(none)): lxb
331 Please specify the password.
password:
230 Login successful.
ftp> pwd
257 "/home/lxb" is the current directory
ftp> cd /
250 Directory successfully changed.
ftp> pwd
257 "/" is the current directory
ftp> quit
221 Goodbye.

C:\Users\14202>ftp 192.168.220.134
 Connect to 192.168.220.134. 
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
user(192.168.220.134:(none)): nihao
331 Please specify the password.
password:
230 Login successful.
ftp> pwd
257 "/" is the current directory
ftp> cd home
550 Failed to change directory.
ftp>

//lxb, who is listed in chroot_list_file, can switch directories freely; nihao, who is not, cannot

Configure virtual user login:

//Configure virtual user login (the guest user lxb must be an existing local user)
[root@localhost vsftpd]# vim vsftpd.conf 
# Virtual user login
guest_enable=yes
guest_username=lxb
virtual_use_local_privs=yes
pam_service_name=ftppam

//The PAM service used for the virtual users is named ftppam

//Now create the virtual user list (user name and password on alternating lines)
[root@localhost vsftpd]# cat vuserlist
vuser1   //User 1
vuser1   //Password 1
vuser2   //User 2
vuser2   //Password 2

//Then convert vuserlist to a database file
[root@localhost vsftpd]# db_load -T -t hash -f /etc/vsftpd/vuserlist vuserlist.db

//Then configure the PAM service
[root@localhost ~]# cd /etc/pam.d/
[root@localhost pam.d]# cat ftppam 
auth  required  pam_userdb.so db=/etc/vsftpd/vuserlist
account required pam_userdb.so db=/etc/vsftpd/vuserlist

//Restart the service and log in as a virtual user

C:\Users\14202>ftp 192.168.220.134
 Connect to 192.168.220.134. 
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
user(192.168.220.134:(none)): vuser1
331 Please specify the password.
password:
230 Login successful.
ftp> quit

Topics: Linux server Deep Learning