Installation and configuration of FTP (vsftpd) under CentOS
1. FTP download and installation
1.1 FTP download
yum install -y vsftpd
1.2 FTP startup
systemctl enable vsftpd.service   # enable start at boot
systemctl start vsftpd.service    # start
systemctl stop vsftpd.service     # stop
systemctl status vsftpd.service   # status
3. Configure FTP
3.1 open configuration file
vim /etc/vsftpd/vsftpd.conf
3.2 modify the following contents (line numbers refer to the stock vsftpd.conf; show them in vim with :set number)
# line 12
anonymous_enable=NO
# line 33
anon_mkdir_write_enable=YES
# line 48
chown_uploads=YES
# line 72
async_abor_enable=YES
# line 83
ascii_upload_enable=YES
# line 84
ascii_download_enable=YES
# line 87
ftpd_banner=Welcome to blah FTP service.
# line 101
chroot_local_user=YES
3.3 add the following to the end of vsftpd.conf
use_localtime=YES
listen_port=21
idle_session_timeout=300
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd/vconf
data_connection_timeout=1
virtual_use_local_privs=YES
pasv_min_port=40000
pasv_max_port=40010
accept_timeout=5
connect_timeout=1
allow_writeable_chroot=YES
4. Create virtual user files
4.1 creating and editing user files
vim /etc/vsftpd/ftpuser_list
# The first line is the user name and the second line is the password.
# root cannot be used as the user name.
southgis
southgis@123
4.2 generate virtual user data file
db_load -T -t hash -f /etc/vsftpd/ftpuser_list /etc/vsftpd/ftpuser_list.db
# Restrict the database file to root; the PAM configuration in the next step reads it
chmod 600 /etc/vsftpd/ftpuser_list.db
4.3 modify / etc/pam.d/vsftpd file
# Back up before modification
cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak
vi /etc/pam.d/vsftpd
# First comment out all of the original auth and account lines in the file,
# then write the following (the db= path is given without the .db suffix):
auth    sufficient  /lib64/security/pam_userdb.so db=/etc/vsftpd/ftpuser_list
account sufficient  /lib64/security/pam_userdb.so db=/etc/vsftpd/ftpuser_list
# On a 32-bit system, change lib64 above to lib
5. Create a new system user vsftpd, and the user directory is / data/ftp
5.1 create a new system user vsftpd, and the user directory is / data/ftp
# Set the user's login shell to /bin/false (so it cannot log in to the system)
useradd vsftpd -d /home/southgisdata/imap-service-publish -s /bin/false
chown -R vsftpd:vsftpd /home/southgisdata/imap-service-publish
5.2 create personal profile of virtual user
mkdir /etc/vsftpd/ftpuser_conf
cd /etc/vsftpd/ftpuser_conf
# This directory must be the one named by user_config_dir in vsftpd.conf,
# and each file in it is named after the virtual user it applies to.
# Edit the profile for user southgis as follows; other users are similar
vi southgis
local_root=/home/southgisdata/imap-service-publish
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
6. Firewall settings
6.1 iptables setting method:
vi /etc/sysconfig/iptables
# Edit the iptables file and add the following to open port 21 and the passive data port range
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 40000:40010 -j ACCEPT
6.2 firewalld setting method:
firewall-cmd --zone=public --add-service=ftp --permanent
firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=40000-40010/tcp --permanent
# --permanent rules only take effect after firewalld is reloaded
7. Use ftp tool for connection test
At this point an FTP client can connect, but file uploads and downloads fail with 500, 503, 200 and similar responses. One of the following approaches resolves this:
Mode 1: disable SELinux
# Open the SELinux configuration file
vim /etc/selinux/config
# Change the parameter
SELINUX=enforcing
# to
SELINUX=disabled
# A reboot is required after the change
Mode 2: adjust the SELinux booleans
setenforce 0        # Temporarily put SELinux into permissive mode
# List the ftp-related SELinux booleans
getsebool -a | grep ftp
# The booleans shown below are from my machine (off = denied, on = allowed).
# Different machines may display a different list; what I see differs from
# other online tutorials.
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
# Set ftp_home_dir and the ftpd_full_access related booleans to 1
setsebool -P ftp_home_dir 1
setsebool -P allow_ftpd_anon_write 1
setsebool -P ftpd_full_access 1
setenforce 1        # Back to enforcing mode
Mode 3: let SELinux impose no restrictions on vsftp
setsebool -P ftpd_connect_all_unreserved 1
At this point the client tool can connect and upload and download files normally. If there is still a problem, try granting our user operating permissions on the ftp directory:
chmod -R 775 /home/vsftpd/leo
8. Principle of virtual user
Under Linux, once users are created for vsftp, an FTP login lands in the user's own home directory by default. If several users should access the same directory with different permissions (for example, some may only view and not modify, others may only download and not upload), this can only be done with vsftp virtual users; ordinary system users cannot achieve it.
The effect is therefore achieved by creating one ordinary system user with a home directory, mapping all virtual users onto that system user's home directory, and then controlling each virtual user's permissions individually.
New user
Create user marility, confined to the /var/www/ruibiaofangxuan directory:
mkdir /var/www/ruibiaofangxuan
useradd -d /var/www/ruibiaofangxuan marility
chown marility.marility /var/www/ruibiaofangxuan
chmod u-w /var/www/ruibiaofangxuan
Generate a random password for the virtual user:
[root@marility ~]# tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW
9. vsftp related configuration file settings
[root@marility vsftpd]# grep ^[^#] /etc/vsftpd/vsftpd.conf
anonymous_enable=NO            ## prohibit anonymous users
local_enable=YES               ## enable local accounts; virtual accounts are mapped onto a local account
write_enable=YES
local_umask=022                ## umask for local users
anon_umask=022                 ## umask for virtual users
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog  ## log path
xferlog_std_format=YES
ascii_upload_enable=YES        ## allow uploading files in ASCII mode
ascii_download_enable=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES          ## confine users to their home directory
chroot_list_enable=NO          ## no chroot exception list; with virtual users no local account list filtering is needed
listen=YES                     ## listen on IPv4
listen_ipv6=NO
allow_writeable_chroot=YES     ## allow writing even though the chroot requires removing the user's write permission on the home directory
tcp_wrappers=YES
guest_enable=YES               ## enable the virtual account function
guest_username=marility        ## local user the virtual accounts are mapped to
pam_service_name=ftp           ## which file under /etc/pam.d is loaded
user_config_dir=/etc/vsftpd/config   ## per-user settings for virtual users
(The ## annotations above are explanatory and are not part of the file: vsftpd does not accept trailing comments on a directive line.)
[root@marility vsftpd]# cat /etc/vsftpd/vuser_list
ruibiaofangxuan                     ## account
eFEBgVTfWJ66OhQ3rTuGB4kt5k5r0aMW    ## password of ruibiaofangxuan
admini                              ## account
adminipw                            ## password of admini
10. Convert the password file into db format
[root@marility vsftpd]# db_load -T -t hash -f vuser_list /etc/vsftpd/vuser_list.db
If db_load is not available, first run yum -y install db4-utils. Then change the permissions:
chmod 600 /etc/vsftpd/vuser_list.db
User password setting and db parsing settings:
[root@marility vsftpd]# cat /etc/pam.d/ftp
auth    required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_list
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_list
"auth" verifies the user's name and password; "account" verifies the permissions and restrictions on the user's account. The /lib64/security/pam_userdb.so that follows means this check calls the pam_userdb.so library; its location differs between 32-bit and 64-bit systems, and you can find it with rpm -ql pam. The db= value actually points to vuser_list.db, but the .db suffix is implied by default, so it must not be written as vuser_list.db.
11. Set the permissions of the virtual user
# Annotated
[root@marility vsftpd]# cat /etc/vsftpd/config/admini
# not read-only
anon_world_readable_only=NO
# allow upload
anon_upload_enable=YES
# allow creating directories
anon_mkdir_write_enable=YES
# allow renaming and deleting directories/files
anon_other_write_enable=YES
# home directory mapping
local_root=/var/www/ruibiaofangxuan/home
# Example
[root@marility vsftpd]# cat /etc/vsftpd/config/ruibiaofangxuan
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_root=/var/www/ruibiaofangxuan/home
For security, the user needs to be confined to the home directory, so chroot_local_user=YES is turned on in vsftpd.conf, and the user's write permission on his own home directory has to be removed.
After this setting, the virtual users cannot write data to the mapped user's home directory.
Therefore, create a new directory /var/www/ruibiaofangxuan/home under the home directory of marility.
At the same time, change the primary group of this directory to marility and adjust its permissions with chmod.
In the per-user files under /etc/vsftpd/config, set local_root for both users to the directory just created.
systemctl restart vsftpd
systemctl enable vsftpd
Then just restart the service.
The result is that the ordinary user can only download and upload material, while the admini user has all permissions, and both are locked inside the directory /var/www/ruibiaofangxuan.
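The guide touches several files whose mistakes only show up at login time: the virtual user list (section 4.1), vsftpd.conf (sections 3 and 9) and the firewall's passive port range (section 6). As an added example that is not part of the guide or of vsftpd, the checker below parses such files the way vsftpd does (whole-line comments only) and reports the settings a reviewer would flag; the sample inputs are constructed.

```python
"""Audit files from this guide: the virtual user list (section 4.1) and vsftpd.conf
(sections 3, 6, 9); editor's example, not vsftpd's own, with constructed samples."""

def parse_conf(text):
    """Parse vsftpd key=value lines. Only whole-line '#' comments are skipped:
    vsftpd has no trailing comments, so the guide's '##' notes must not be copied."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    return conf

def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"

def check_user_list(text):
    """Problems in a db_load -T input where lines alternate user, password."""
    lines = text.splitlines()
    problems = []
    if len(lines) % 2:
        problems.append("odd line count: a user is missing its password")
    if "root" in lines[0::2]:
        problems.append("root must not be a virtual user name")
    if any(not pw for pw in lines[1::2]):
        problems.append("empty password")
    return problems

def audit_main_conf(conf, opened_ports):
    """Findings for vsftpd.conf; opened_ports = inbound TCP ports the firewall allows."""
    findings = []
    if is_yes(conf, "anonymous_enable", default="YES"):  # compiled-in default is YES
        findings.append("anonymous_enable: anonymous logins allowed")
    if not is_yes(conf, "chroot_local_user"):
        findings.append("chroot_local_user=NO: users can leave their home directory")
    if is_yes(conf, "allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: prefer a non-writable chroot "
                        "root with a writable subdirectory, as in section 11")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo and hi and not set(range(lo, hi + 1)) <= set(opened_ports):
        findings.append(f"passive range {lo}-{hi} is not fully opened in the firewall")
    return findings

# Constructed samples modelled on the guide's listings
USER_LIST = "southgis\nsouthgis@123\nadmini\nadminipw\n"
MAIN_CONF = ("anonymous_enable=NO\nchroot_local_user=YES\nallow_writeable_chroot=YES\n"
             "pasv_min_port=40000\npasv_max_port=40010\n")
OPENED = {21} | set(range(40000, 40011))
```

Run audit_main_conf(parse_conf(open("/etc/vsftpd/vsftpd.conf").read()), ports) with the ports your iptables or firewalld rules actually open to compare against the section 6 rules.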
2. Detailed description of the configuration file (annotated sample /etc/vsftpd/vsftpd.conf)
# Sample configuration file /etc/vsftpd/vsftpd.conf
#
# The default compiled-in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# See vsftpd.conf.5 for all compiled-in defaults.
#
# READ THIS: this sample file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware: if you comment this out, it is allowed by default.)
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing, check the SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing, check the SE bools allow_ftpd_anon_write and
# allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure that one of the listen options is commented out!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES