FTP
User classification
- System user
- The native accounts of the operating system. Linux generally does not restrict these users, so they can reach the entire file system. It is usually undesirable for them to access the system remotely through FTP.
- Virtual user
- Users who can use the system only through FTP and cannot log in to a shell directly; these are virtual users. They must authenticate when accessing the server. Most FTP users are of this type.
- Anonymous user
- Public servers can offer anonymous access with the user name anonymous. Anonymous users should be restricted to as few privileges as possible: limit the number of simultaneous connections, limit the files they can access, disallow uploads, allow only a small set of commands, set a maximum number of concurrently logged-in users, and so on.
Install vsftpd service program
vsftpd is the most popular FTP server program in Linux distributions. It is small, lightweight, secure and easy to use.
yum install vsftpd ftp # Install the vsftpd package (and the ftp client) from the default yum repository
systemctl start vsftpd.service # Start the service
systemctl enable vsftpd.service # Start the service automatically at boot
firewall-cmd --permanent --zone=public --add-service=ftp # Open the ftp service in the firewall
firewall-cmd --reload
systemctl stop firewalld # Blunt alternative to the firewall-cmd rule above: stop the firewall entirely
setenforce 0 # Put SELinux into permissive mode
ftp 192.168.10.1 # Access from Linux
ftp://192.168.10.1 # Access from Windows (enter in the address bar)
Configure anonymous access
By default, anonymous users and system users are both allowed to access FTP. The default directory is /var/ftp.
Configuration file:
vi /etc/vsftpd/vsftpd.conf
anonymous_enable=YES # Allow anonymous users to access FTP
no_anon_password=YES # Anonymous users need not supply a password
ftpd_banner=welcome to our home! # Banner text shown at login (visible only in command-line clients)
anon_upload_enable=YES # Anonymous users may upload files
anon_mkdir_write_enable=YES # Anonymous users may create directories
anon_other_write_enable=YES # Anonymous users may delete and rename files
anon_umask=022 # umask applied to files that anonymous users upload or create
local_enable=NO # Do not allow system users to log in
anon_root=/var/ftp # Default directory for anonymous users
Configure local access
# System users land in their home directory by default, may upload, download, create and delete, and may also change into other directories of the system.
###############################
anonymous_enable=NO # Turn off anonymous access
local_enable=YES # Allow system users to log in
local_umask=022 # umask for files created by system users
###############################
# System users may access only their own home directory, with full permissions there, and cannot change into other directories of the system.
###############################
chroot_local_user=YES # Confine users to their home directory; they cannot switch to other directories
allow_writeable_chroot=YES # Allow the chroot directory itself to be writable (without this, vsftpd refuses the session with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()")
ftpd_banner=welcome to our home!
max_clients=30 # Maximum number of simultaneous connections
idle_session_timeout=600 # Idle timeout in seconds
###############################
# System users are directed to a specified directory, cannot switch to other directories of the system, and may upload, download, create and delete there.
###############################
local_root=/mnt/public/ # Directory that system users land in after logging in
write_enable=YES # Allow write operations
chroot_local_user=YES # Confine users to local_root; they cannot switch to other directories
allow_writeable_chroot=YES # Allow writing and modifying files in the /mnt/public/ directory
###############################
Set file permissions:
chmod 777 pub # Not recommended: makes the directory writable by everyone
setfacl -m u:ftp:rwx pub # Recommended: grant write access only to the ftp user
Set the permissions of files that anonymous users upload or create:
- umask value: determines the default permissions of newly created files and directories
- A umask is written in octal, for example 0022
- If you use vsftpd as a local (system) user, modify the value of local_umask in the configuration file;
- If you use vsftpd as a virtual user, modify the value of anon_umask in the configuration file.
- When umask = 022, new directories get permission 755 and new files 644;
- When umask = 077, new directories get permission 700 and new files 600.
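As an added example (not part of this tutorial and not vsftpd's own code), the following Python script parses a vsftpd.conf fragment the way vsftpd does (last setting wins, case-insensitive booleans), computes the directory and file modes that a umask yields, and flags the permissive settings from the anonymous and local sections above. The sample configuration text is constructed; the option names are vsftpd's real ones, but the severity labels are this example's own.

```python
"""Audit a vsftpd.conf fragment for the permissive settings discussed above.

Added example; not part of the original tutorial or of vsftpd itself.
"""

# Constructed sample mirroring the anonymous-access section of the tutorial.
SAMPLE_CONF = """\
# anonymous access with full write rights
anonymous_enable=YES
no_anon_password=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=yes
anon_umask=022
local_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_vsftpd_conf(text):
    """Return {option: value}; a later line overrides an earlier one, as in vsftpd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def is_on(opts, key, default=False):
    """vsftpd accepts YES/yes/true/1 for a boolean option."""
    value = opts.get(key)
    if value is None:
        return default
    return value.lower() in TRUE_WORDS


def effective_perms(umask_str):
    """Directory and file modes a umask yields: 0777 and 0666 with the umask bits cleared."""
    umask = int(umask_str, 8)
    return f"{0o777 & ~umask:03o}", f"{0o666 & ~umask:03o}"


def audit(opts):
    """Return a list of (severity, message) findings for the parsed options."""
    findings = []
    # The tutorial states anonymous access is on by default, so treat a missing option as YES.
    if is_on(opts, "anonymous_enable", default=True):
        if is_on(opts, "anon_upload_enable"):
            findings.append(("high", "anonymous users may upload files"))
        if is_on(opts, "anon_other_write_enable"):
            findings.append(("high", "anonymous users may delete and rename files"))
        if is_on(opts, "anon_mkdir_write_enable"):
            findings.append(("medium", "anonymous users may create directories"))
    if is_on(opts, "chroot_local_user") and is_on(opts, "allow_writeable_chroot"):
        findings.append(("medium", "the chroot root directory is writable"))
    for key in ("anon_umask", "local_umask"):
        if key in opts:
            dirs, files = effective_perms(opts[key])
            if int(files, 8) & 0o002:
                findings.append(("high", f"{key}={opts[key]} makes new files world-writable ({files})"))
            findings.append(("info", f"{key}={opts[key]}: new directories {dirs}, new files {files}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```

Run it against the real file with `audit(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))`; the umask check is the same arithmetic the list above describes, so 022 reports 755/644 and 077 reports 700/600.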
Configure virtual user access to FTP
yum install pam* libdb-utils libdb* --skip-broken -y # Install the required PAM and Berkeley DB packages
vim /etc/vsftpd/ftpusers.txt # Create the virtual user list file
The file holds a user name on one line followed by that user's password on the next line:
techftp
123456
netftp
123456
Generate the vsftpd virtual user database (authentication file):
db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftp_login.db # Convert the text list into a Berkeley DB hash database
chmod 600 /etc/vsftpd/vsftp_login.db # Only root may read the password database (the plain-text ftpusers.txt deserves the same protection)
Configure the PAM authentication file:
vim /etc/pam.d/vsftpd.vu
###################
auth required pam_userdb.so db=/etc/vsftpd/vsftp_login # Path is given without the .db suffix
account required pam_userdb.so db=/etc/vsftpd/vsftp_login
###################
useradd -s /sbin/nologin ftpuser # Create the mapping (guest) system user; it cannot log in to a shell
vim /etc/vsftpd/vsftpd.conf # Modify the main configuration file
###############################
pam_service_name=vsftpd.vu # Was vsftpd; use the PAM file created above
guest_enable=YES # Enable virtual (guest) user access
guest_username=ftpuser # System user that virtual users are mapped to
user_config_dir=/etc/vsftpd/vsftpd_user_conf # Directory holding a per-user configuration file for each virtual user
virtual_use_local_privs=YES # Whether virtual users get the same privileges as local users (default NO)
###############################
Create a private directory and an independent configuration file for each virtual user:
- Configuration file for the techftp user
mkdir /etc/vsftpd/vsftpd_user_conf # Create the directory for the per-user configuration files
mkdir /home/ftpuser/techftp # Private directory for techftp
vim /etc/vsftpd/vsftpd_user_conf/techftp # The file must be named after the user
local_root=/home/ftpuser/techftp # Directory this user lands in
write_enable=YES # Allow write operations
anon_world_readable_only=YES # Only world-readable files may be downloaded
anon_upload_enable=YES # Allow uploads
- Configuration file for the netftp user
mkdir /home/ftpuser/netftp
vim /etc/vsftpd/vsftpd_user_conf/netftp
local_root=/home/ftpuser/netftp
write_enable=YES
virtual_use_local_privs=NO # The main configuration sets YES; setting NO here makes the anon_* options below govern this user
anon_world_readable_only=YES # Only world-readable files may be downloaded
anon_upload_enable=YES # Allow uploads
anon_mkdir_write_enable=NO # No directory creation
anon_other_write_enable=NO # No deleting or renaming
Access control based on local users
vi /etc/vsftpd/ftpusers # List of FTP users who are prohibited from logging in (blacklist).
# Users in this file are denied access to the vsftpd server, regardless of whether they also appear in /etc/vsftpd/user_list.
vi /etc/vsftpd/user_list # List of FTP users that are either allowed or denied (whitelist or blacklist).
# Whether the users in this file are denied or allowed is decided by the main configuration file vsftpd.conf:
# When userlist_enable=YES, the user_list file takes effect.
# When userlist_deny=YES, only the accounts in the list are prohibited from logging in.
# When userlist_deny=NO, only the users in the list are allowed to log in.
# ftpusers has higher priority than user_list: a user present in both files is denied access to FTP.
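The precedence rules just described, worked through in Python as an added example (not vsftpd's own logic; on RHEL-family systems the ftpusers check is actually enforced by the pam_listfile line in /etc/pam.d/vsftpd, while user_list is read by vsftpd itself). The two list files below are constructed; the password check that follows a permitted login is outside the scope of this example.

```python
"""Decide whether a local user may log in under the ftpusers / user_list rules.

Added example for this page; not vsftpd code. The list contents are constructed.
"""

# Constructed /etc/vsftpd/ftpusers: always denied.
FTPUSERS_TEXT = """\
root  # never allow root over FTP
bin
daemon
"""

# Constructed /etc/vsftpd/user_list: meaning depends on userlist_deny.
USER_LIST_TEXT = """\
root
alice
"""


def load_list(text):
    """Parse a ftpusers/user_list file: one user per line, '#' starts a comment."""
    users = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            users.add(line)
    return users


def may_login(user, ftpusers, user_list, userlist_enable=True, userlist_deny=True):
    """Return (allowed, reason) for a login attempt by `user`.

    1. ftpusers wins: a listed user is denied whatever user_list says.
    2. If userlist_enable=YES, user_list is consulted:
       userlist_deny=YES -> listed users are denied, everyone else passes;
       userlist_deny=NO  -> only listed users pass.
    3. Otherwise the user proceeds to password authentication.
    """
    if user in ftpusers:
        return False, "listed in ftpusers"
    if userlist_enable:
        listed = user in user_list
        if userlist_deny and listed:
            return False, "listed in user_list with userlist_deny=YES"
        if not userlist_deny and not listed:
            return False, "not in user_list with userlist_deny=NO"
    return True, "passes list checks"


FTPUSERS = load_list(FTPUSERS_TEXT)
USER_LIST = load_list(USER_LIST_TEXT)

if __name__ == "__main__":
    for name in ("root", "alice", "bob"):
        for deny in (True, False):
            allowed, why = may_login(name, FTPUSERS, USER_LIST, userlist_deny=deny)
            print(f"{name:6} userlist_deny={'YES' if deny else 'NO ':3} -> {allowed} ({why})")
```

Swapping `userlist_deny` flips the meaning of user_list from blacklist to whitelist, which is why the same file name appears under both headings in the comments above; ftpusers is the one list whose meaning never changes.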
Log management
Configuration:
vi /etc/vsftpd/vsftpd.conf
xferlog_enable=YES # Have the FTP server log uploads and downloads
xferlog_std_format=YES # Use the standard xferlog format
xferlog_file=<path> # Log file to write to; the default is /var/log/xferlog
Log file format (fields in order):
- Current time (local time), format: DDD MMM dd hh:mm:ss YYYY
- Transfer time: the time taken to transfer the file, in seconds
- Remote host name / IP
- File size: the size of the transferred file, in bytes
- File name: name of the transferred file, including its path
- Transfer type:
    - a: ASCII transfer;
    - b: binary transfer
- Special handling flag:
    - _: no special handling
    - c: the file is in compressed format
    - u: the file is in uncompressed format
    - t: the file is in tar format
- Transfer direction:
    - o: outgoing, from FTP server to client;
    - i: incoming, from client to FTP server
- Access mode:
    - a: anonymous user;
    - g: guest (virtual) user;
    - r: real user of the system
- User name
- Service name: generally ftp
- Authentication method:
    - 0: none;
    - 1: RFC 931 authentication
- Authenticated user id: * means the id could not be obtained
- Completion status:
    - i: the transfer was not completed;
    - c: the transfer completed.
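A parser for the field layout listed above, as an added example (not vsftpd code). It splits a line into the fixed-width timestamp, the numeric fields and the nine single-token trailing fields, re-joining whatever lies between as the file name, and then picks out the two kinds of entries an operator reviewing the log would want to see first: uploads by anonymous users and transfers that did not complete. The log lines are constructed for this example.

```python
"""Parse xferlog lines and flag entries worth a second look.

Added example for this page, not part of vsftpd. SAMPLE_LOG is constructed.
"""
import datetime

# Constructed sample lines in the standard xferlog format described above.
SAMPLE_LOG = """\
Mon Jan 10 12:34:56 2022 1 192.168.10.20 1024 /pub/readme.txt a _ o a anonymous ftp 0 * c
Mon Jan 10 12:35:10 2022 8 192.168.10.20 5242880 /pub/upload.bin b _ i a anonymous ftp 0 * c
Mon Jan 10 12:40:02 2022 30 192.168.10.30 73400320 /home/ftpuser/techftp/dump.tgz b _ i g techftp ftp 0 * i
"""

# The last nine fields of every line are single tokens, in this order.
TRAILING_FIELDS = ("transfer_type", "special_flag", "direction", "access_mode",
                   "username", "service", "auth_method", "auth_uid", "completion")
MIN_TOKENS = 5 + 3 + 1 + len(TRAILING_FIELDS)  # timestamp, time/host/size, filename, trailing


def parse_xferlog_line(line):
    """Return a dict for one xferlog line, or None if the line is malformed.

    Tokens 0-4 form the timestamp, 5-7 are transfer time, host and size, the
    last nine are TRAILING_FIELDS, and everything in between is the file name.
    """
    tokens = line.split()
    if len(tokens) < MIN_TOKENS:
        return None
    try:
        timestamp = datetime.datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        transfer_time = int(tokens[5])
        file_size = int(tokens[7])
    except ValueError:
        return None
    record = {
        "timestamp": timestamp,
        "transfer_time": transfer_time,
        "remote_host": tokens[6],
        "file_size": file_size,
        "filename": " ".join(tokens[8:-len(TRAILING_FIELDS)]),
    }
    record.update(zip(TRAILING_FIELDS, tokens[-len(TRAILING_FIELDS):]))
    return record


def parse_xferlog(text):
    """Parse every non-empty line, silently skipping malformed ones."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_xferlog_line(line)
            if rec is not None:
                records.append(rec)
    return records


def review(records):
    """Return (username, filename, reason) for anonymous uploads and incomplete transfers."""
    hits = []
    for r in records:
        if r["access_mode"] == "a" and r["direction"] == "i":
            hits.append((r["username"], r["filename"], "anonymous upload"))
        if r["completion"] == "i":
            hits.append((r["username"], r["filename"], "incomplete transfer"))
    return hits


if __name__ == "__main__":
    for hit in review(parse_xferlog(SAMPLE_LOG)):
        print(*hit)
```

Pointing `parse_xferlog` at the contents of /var/log/xferlog gives one dict per transfer; the `review` rules are deliberately simple and can be extended with size thresholds or per-host counts from the same records.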