[FTP] in [Linux learning notes]

Posted by xjake88x on Wed, 19 Jan 2022 00:49:03 +0100

FTP

User classification

  • System user
    • The system's own native users. Linux generally does not restrict system users, so they can reach the entire file system; for that reason they usually should not be the ones accessing the system remotely through FTP.
  • Virtual user
    • Users who can only use the system through FTP and cannot log in through a shell are virtual users. Authentication is required when they access the server. Most FTP users are of this kind.
  • Anonymous user
    • Anonymous access can be provided for public servers (user name: anonymous). Anonymous users should be restricted as much as possible to low permissions: a limit on simultaneous connections, a limit on the files that can be accessed, no uploading, a reduced set of allowed commands, a maximum number of concurrently logged-in users, and so on.

Install vsftpd service program

vsftpd (Very Secure FTP Daemon) is the most popular FTP server program on Linux distributions. It is small, lightweight, secure and easy to use.

yum install vsftpd ftp
# Install the vsftpd server and the ftp command-line client from the default yum repositories

systemctl start vsftpd.service
# Start the service
systemctl enable vsftpd.service
# Start the service automatically at boot

firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload
# Allow the ftp service (TCP port 21) through the firewall
systemctl stop firewalld
setenforce 0
# Stop the firewall and put SELinux in permissive mode for the test setup.
# setenforce 0 only lasts until reboot; the SELinux boolean ftpd_full_access
# is the targeted way to let vsftpd write to user directories while enforcing stays on.

ftp 192.168.10.1
# Access from a Linux client
ftp://192.168.10.1
# Access from Windows (enter the URL in the file explorer or browser address bar)

Configure anonymous access

Anonymous users and system users are allowed to access ftp by default. The default anonymous directory is /var/ftp.

Configuration file:

vi /etc/vsftpd/vsftpd.conf

anonymous_enable=YES
# Allow anonymous users to access ftp
no_anon_password=YES
# Do not ask anonymous users for a password
ftpd_banner=Welcome to our home!
# Set the greeting banner (only shown in command-line clients)
anon_upload_enable=YES
# Anonymous users may upload files (this also requires write_enable=YES)
anon_mkdir_write_enable=YES
# Anonymous users may create directories
anon_other_write_enable=YES
# Anonymous users may delete and rename files

anon_umask=022
# umask applied to files and directories created by anonymous users
anonymous_enable=YES
# Allow anonymous users to log in
local_enable=NO
# Do not allow system users to log in

anon_root=/var/ftp
# Default directory for anonymous users

Configure local access

# System users access their home directory by default and can upload, download, create and delete. They can also switch to other directories of the system.
###############################
anonymous_enable=NO
# Turn off anonymous access
local_enable=YES
# Allow system users to log in
local_umask=022
# umask for files created by system users
###############################

# Confine system users to their own home directory, with full permissions there; they cannot switch to other directories of the system.
###############################
chroot_local_user=YES
# Lock users into their home directory so they cannot switch to other directories
allow_writeable_chroot=YES
# Allow the chroot directory to be writable (vsftpd 3.x refuses to log a user into a writable chroot root without this)
ftpd_banner=Welcome to our home!
max_clients=30
# Maximum number of simultaneous client connections
idle_session_timeout=600
# Idle session timeout, in seconds
###############################

# Give system users a specified directory with upload, download, create and delete permissions; they cannot switch to other directories of the system.
###############################
local_root=/mnt/public/
# Default directory system users land in when they access ftp
write_enable=YES
# Allow write
chroot_local_user=YES
# Lock users into local_root so they cannot switch to other directories
allow_writeable_chroot=YES
# Allow writing and modifying files in the /mnt/public/ directory
###############################

Set file permissions:

chmod 777 pub
# Not recommended: makes the directory world-writable
setfacl -m u:ftp:rwx pub
# Recommended: grant write access only to the ftp user that vsftpd runs anonymous sessions as

Set permissions for anonymous users to upload or create files:

  • umask value: determines the default permissions of a newly created file or folder
  • The umask value is written as four octal digits, for example 0022
  • If vsftpd is used by local (system) users, change the value of local_umask in the configuration file;
  • If vsftpd is used by virtual users, change the value of anon_umask in the configuration file.
  • With umask 022, a new directory gets permission 755 and a new file gets 644;
  • With umask 077, a new directory gets permission 700 and a new file gets 600.

Configure virtual user access FTP

yum install pam* libdb-utils libdb* --skip-broken -y
# Install the required PAM and Berkeley DB packages

vim /etc/vsftpd/ftpusers.txt
# Create a temporary text file listing the virtual users

The format of user name and password is as follows:

techftp
123456
netftp
123456

Generate the vsftpd virtual user database (authentication file):

db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftp_login.db
# Odd lines are read as user names (keys) and even lines as their passwords (values)
chmod 600 /etc/vsftpd/vsftp_login.db
# The database holds the passwords in clear text, so only root may read it

Configure PAM authentication file

vim /etc/pam.d/vsftpd.vu
###################
auth   required   pam_userdb.so   db=/etc/vsftpd/vsftp_login
account  required  pam_userdb.so  db=/etc/vsftpd/vsftp_login
###################
# pam_userdb appends the .db suffix itself, so the path is given without it
useradd -s /sbin/nologin ftpuser
# Create the mapping user; with /sbin/nologin as its shell it cannot log in to the system

vim /etc/vsftpd/vsftpd.conf
# Modify the configuration file
###############################
pam_service_name=vsftpd.vu
# Changed from the default pam_service_name=vsftpd so that /etc/pam.d/vsftpd.vu is used
guest_enable=YES
# Enable virtual (guest) user access
guest_username=ftpuser
# Map every virtual user onto this system user
user_config_dir=/etc/vsftpd/vsftpd_user_conf
# Directory holding one configuration file per virtual user
virtual_use_local_privs=YES
# Whether virtual users get the same permissions as local users (default NO); with YES the anon_* options do not apply to them
###############################

Create a private directory and an independent configuration file for each virtual user:

  1. Configure the profile for the techftp user
mkdir /etc/vsftpd/vsftpd_user_conf
# Create the virtual user profile directory
mkdir /home/ftpuser/techftp
# Private directory; it must be writable by the mapped user ftpuser for uploads to work
vim /etc/vsftpd/vsftpd_user_conf/techftp
# The file name must match the virtual user name
local_root=/home/ftpuser/techftp
# Default access directory
write_enable=YES
# Allow write
anon_world_readable_only=YES
# Only world-readable files may be downloaded
anon_upload_enable=YES
# Allow upload
  2. Configure the profile for the netftp user
mkdir /home/ftpuser/netftp
vim /etc/vsftpd/vsftpd_user_conf/netftp
local_root=/home/ftpuser/netftp
write_enable=YES
virtual_use_local_privs=NO
# The main configuration sets this to YES; it must be NO here for the anon_* options below to take effect
anon_world_readable_only=YES
# Only world-readable files may be downloaded
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

Local user based access control

vi /etc/vsftpd/ftpusers
# Blacklist: users listed in this file are denied login to the vsftpd server,
# regardless of whether they also appear in /etc/vsftpd/user_list.

vi /etc/vsftpd/user_list
# Second list of ftp users: depending on the configuration it acts as a whitelist
# or as another blacklist, so a user in it may be denied or allowed.

# The final access decision is made by the main configuration file vsftpd.conf:
# when userlist_enable=YES, the user_list file takes effect;
# when userlist_deny=YES, only the accounts in the list are denied login;
# when userlist_deny=NO, only the users in the list are allowed to log in.
# The ftpusers file has higher priority than user_list: a user present in both files is denied access to ftp.
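The decision rules above, written out as a small checker (added example, not code from the notes; the file contents are constructed). It reads the two list files the way vsftpd does, ignoring blank lines and '#' comments, and reports why a login is allowed or denied under a given userlist_enable / userlist_deny setting.

```python
from typing import Set

def load_user_file(text: str) -> Set[str]:
    """Read a vsftpd list file: one user per line; blank lines and '#' comments are ignored."""
    users = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            users.add(line)
    return users

def login_decision(user: str, ftpusers: Set[str], user_list: Set[str],
                   userlist_enable: bool = True, userlist_deny: bool = True) -> str:
    """Apply the ftpusers / user_list rules and explain the result."""
    # ftpusers wins over everything else. It is enforced by pam_listfile in
    # /etc/pam.d/vsftpd, so it covers logins that go through that PAM service;
    # a virtual-user setup using /etc/pam.d/vsftpd.vu does not consult it.
    if user in ftpusers:
        return "deny: listed in ftpusers"
    if userlist_enable:
        if userlist_deny and user in user_list:
            return "deny: listed in user_list (userlist_deny=YES)"
        if not userlist_deny and user not in user_list:
            return "deny: not listed in user_list (userlist_deny=NO)"
    return "allow"

# Constructed sample list files (not copied from any real system)
FTPUSERS_SAMPLE = "# users never allowed to use ftp\nroot\nbin\nalice\n"
USER_LIST_SAMPLE = "root\nalice   # also in ftpusers\nbob\n"

FTPUSERS = load_user_file(FTPUSERS_SAMPLE)
USER_LIST = load_user_file(USER_LIST_SAMPLE)
```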

Log management

Configuration

vi /etc/vsftpd/vsftpd.conf

xferlog_enable=YES
# Record uploads and downloads
xferlog_std_format=YES
# Use the standard (wu-ftpd style) xferlog format
xferlog_file=/var/log/xferlog
# Path of the log file; /var/log/xferlog is the default

Log file format

  1. Current time (local time), format: DDD MMM dd hh:mm:ss YYYY
  2. Transfer time: the time taken to transfer the file, in seconds
  3. Remote host name / IP
  4. File size: the size of the transferred file, in bytes
  5. File name: the transferred file name, including its path
  6. Transfer type:
    1. a: ASCII transfer
    2. b: binary transfer
  7. Special handling flag:
    1. _: no special handling
    2. c: the file is compressed
    3. u: the file is uncompressed
    4. t: the file is a tar archive
  8. Transfer direction:
    1. o: outgoing, from the FTP server to the client
    2. i: incoming, from the client to the FTP server
  9. Access mode:
    1. a: anonymous user
    2. g: guest (virtual) user
    3. r: real (system) user
  10. User name
  11. Service name: generally ftp
  12. Authentication method:
    1. 0: none
    2. 1: RFC931 authentication
  13. Authenticated user id: * means the id could not be obtained
  14. Completion status:
    1. i: the transfer is incomplete
    2. c: the transfer is complete
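A parser for the 14-field format above, plus a small audit that picks out anonymous uploads and unfinished transfers (added example, not code from the notes; the log lines are constructed). The field numbers in the comments refer to the list above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample xferlog lines (not taken from a real server)
SAMPLE_XFERLOG = """\
Wed Jan 19 00:49:03 2022 2 192.168.10.5 1048576 /pub/tools.tar.gz b _ o a anonymous ftp 0 * c
Wed Jan 19 00:50:11 2022 1 192.168.10.7 4096 /pub/upload/readme.txt a _ i a anonymous ftp 0 * c
Wed Jan 19 00:51:30 2022 30 192.168.10.9 52428800 /home/ftpuser/techftp/backup.img b _ i g techftp ftp 0 * i
Wed Jan 19 00:52:02 2022 0 192.168.10.9 512 /home/alice/notes.txt a _ o r alice ftp 1 alice c
"""

@dataclass
class XferRecord:               # field numbers follow the list above
    timestamp: str              # 1  local time, "DDD MMM dd hh:mm:ss YYYY"
    transfer_secs: int          # 2
    remote_host: str            # 3
    size_bytes: int             # 4
    path: str                   # 5
    transfer_type: str          # 6  a = ASCII, b = binary
    special_flag: str           # 7  _ c u t
    direction: str              # 8  o = server to client, i = client to server
    access_mode: str            # 9  a anonymous, g guest (virtual), r system user
    username: str               # 10
    service: str                # 11
    auth_method: str            # 12 0 = none, 1 = RFC931
    auth_user_id: str           # 13 * when not available
    completed: bool             # 14 c = complete, i = incomplete

def parse_xferlog_line(line: str) -> Optional[XferRecord]:
    # The date is 5 tokens and the last 9 tokens are fixed-width fields, so the path is
    # whatever lies between them; this keeps the trailing fields aligned even if a path has spaces.
    tokens = line.split()
    if len(tokens) < 18:
        return None                    # not a standard-format record
    head, tail = tokens[:8], tokens[-9:]
    return XferRecord(
        timestamp=" ".join(head[:5]), transfer_secs=int(head[5]),
        remote_host=head[6], size_bytes=int(head[7]), path=" ".join(tokens[8:-9]),
        transfer_type=tail[0], special_flag=tail[1], direction=tail[2],
        access_mode=tail[3], username=tail[4], service=tail[5],
        auth_method=tail[6], auth_user_id=tail[7], completed=(tail[8] == "c"))

def audit(log_text: str) -> List[str]:
    # Flag anonymous uploads (direction i, access mode a) and transfers that never completed
    findings = []
    for rec in filter(None, map(parse_xferlog_line, log_text.splitlines())):
        if rec.direction == "i" and rec.access_mode == "a":
            findings.append(f"anonymous upload from {rec.remote_host}: {rec.path}")
        if not rec.completed:
            findings.append(f"incomplete transfer by {rec.username} from {rec.remote_host}: {rec.path}")
    return findings
```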

Topics: Linux