Red Hat Enterprise Linux 7.4 Configuring VSFTP Server

vsftpd (Very Secure FTP Daemon) is an FTP service program that runs on the Linux operating system. It is fully open source and free, and it offers strong security, high transfer speed, and features such as virtual user authentication that other FTP service programs do not have.

After configuring the Yum software repository, you can install the vsftpd service program.

[root@localhost ~]# yum install vsftpd


The main configuration file of the vsftpd service program, /etc/vsftpd/vsftpd.conf, is 123 lines long, but most of those lines begin with a pound sign (#) and are therefore comments, so there is no need to spend much time on them. Adding the -v parameter to the grep command filters out every line that contains a pound sign (#), that is, all of the comment information; the remaining parameter lines are then written back to the main configuration file through the output redirector:

[root@localhost ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
[root@localhost ~]# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
[root@localhost ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


As a more secure file transfer service program, vsftpd allows users to log in to the FTP server in three authentication modes.

Anonymous open mode : the least secure authentication mode; anyone can log in to the FTP server directly without password authentication.

Local user mode : a mode in which the local account and password information of the Linux system is used for authentication. Compared with anonymous open mode it is more secure and easy to configure. However, if hackers crack the account information, they can log in to the FTP server unimpeded and thereby fully control the entire server.

Virtual user mode : the most secure of the three authentication modes. It requires a separate user database file to be created for the FTP service, and the accounts used for password verification are virtual: they do not exist in the server's system and are used only by the FTP service program for authentication. In this way, even if hackers crack the account information, they cannot log in to the server itself, which effectively reduces the scope and impact of any damage.


Here is a typical configuration of virtual user mode.

Step 1 : Create a user database file for FTP authentication, in which odd-numbered lines hold account names and even-numbered lines hold the corresponding passwords. For example, here we create the single user lightnear with the password redhat:

[root@localhost ~]# cd /etc/vsftpd
[root@localhost vsftpd]# vim vuser.list
lightnear
redhat

However, this plaintext file is neither safe nor in a format that the vsftpd service program can load directly. It is therefore necessary to use the db_load command to convert the plaintext file into a hash-format database file, restrict the permissions of the database file (so that others cannot read its contents), and then delete the original plaintext file.

[root@localhost vsftpd]# db_load -T -t hash -f vuser.list vuser.db
[root@localhost vsftpd]# file vuser.db
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
[root@localhost vsftpd]# chmod 600 vuser.db
[root@localhost vsftpd]# rm -f vuser.list

Step 2 : Create a root directory in which the vsftpd service program stores files, and a local system user onto which the virtual users are mapped. The root directory used by the FTP service to store files is the default location a virtual user lands in after logging in.

Every file in a Linux system has owner and group attributes. If a new file were created by the virtual account "Zhang San", but no account "Zhang San" could be found in the system, the ownership of that file would be in error. For this reason, a local system user is created to which the virtual users can be mapped. Simply put, a virtual user logs in by default to the home directory of the local user it is mapped to, and the files it creates are owned by that local user, so the Linux system is never left unable to handle the ownership attributes of files created by virtual users.

To make the data on the FTP server easier to manage, the home directory of this local user can be placed under the /var directory (the directory used to store frequently changing data). For security, we set this local user so that it is not allowed to log in to the FTP server; this does not affect virtual-user logins and also prevents hackers from logging in through this local user.

[root@localhost ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
[root@localhost ~]# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
[root@localhost ~]# chmod -Rf 755 /var/ftproot/

Step 3 : Create a PAM file to support virtual users.

PAM (Pluggable Authentication Modules) is an authentication mechanism that separates the services provided by the system from the authentication methods by means of dynamic link libraries and a unified API, so that the system administrator can flexibly adjust the authentication method of each service program as needed. Explaining the features and inner workings of PAM fully would take at least a chapter (readers interested in this topic should look at the advanced chapter of this book, which explains PAM in detail).

In layman's terms, PAM is a set of security mechanism modules that system administrators can use to adjust the authentication method of a service program easily, without modifying the application itself. PAM follows a layered design (application layer, application interface layer, and authentication module layer).

Create a new PAM file, vsftpd.vu, for virtual user authentication. The db= parameter in the PAM file is the path of the account and password database file generated by the db_load command, written without the database file's suffix:

[root@localhost ~]# vim /etc/pam.d/vsftpd.vu
auth       required     pam_userdb.so db=/etc/vsftpd/vuser
account    required     pam_userdb.so db=/etc/vsftpd/vuser

Step 4 : Point the pam_service_name parameter in the main configuration file of the vsftpd service program at the new PAM authentication file, vsftpd.vu. As the link between the application layer and the authentication module layer, PAM lets an application flexibly plug in the authentication modules it needs. When an application requires PAM authentication, a PAM configuration file responsible for that authentication has to be defined for the application in order to implement the required authentication function.

For example, the main configuration file of the vsftpd service program contains the parameter pam_service_name=vsftpd by default, which means that security authentication when logging in to the FTP server follows the /etc/pam.d/vsftpd file. What needs to be done now is to change the PAM authentication file named in the vsftpd main configuration file from the original vsftpd to the new vsftpd.vu file.

[root@localhost vsftpd]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir
anon_umask=022
pasv_max_port=21010
pasv_min_port=21000

Step 5 : Set different permissions for each virtual user. vsftpd reads a per-user configuration file, named after the virtual user, from the directory given by user_config_dir, so create that directory and a file for lightnear:

[root@localhost ~]# mkdir /etc/vsftpd/vusers_dir/
[root@localhost ~]# cd /etc/vsftpd/vusers_dir/
[root@localhost vusers_dir]# touch lightnear
[root@localhost vusers_dir]# vim lightnear
guest_enable=YES
guest_username=virtual
local_root=/var/ftproot
write_enable=YES
pam_service_name=vsftpd.vu
anon_umask=022
anon_world_readable_only=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Step 6 : Set the SELinux domain allow policy, then log in to the FTP server in virtual user mode. As you can probably guess, SELinux will get in the way again, so first follow the steps of the previous experiment to enable the permission policy for the SELinux FTP domain, so that the operation does not fail again:

[root@localhost ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setsebool -P ftpd_full_access=on
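Steps 1 to 5 wire several files together by name (pam_service_name, the db= path in the PAM file, guest_username, user_config_dir), and a mismatch in any one of them produces a silent failure rather than an error. The following check script is an added example, not part of the original page or of vsftpd itself; it takes the vsftpd.conf path and the pam.d directory as parameters so it can also be run against a staging copy, and it assumes GNU stat for the mode check.

```shell
#!/bin/sh
# check_vuser_setup CONF PAMDIR
# Verifies that the pieces configured in steps 1-5 agree with each other.
# Prints one line per problem and returns 0 only when every check passes.

conf_get() {   # conf_get FILE KEY -> value of the last uncommented KEY=value line
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

check_vuser_setup() {
    conf=$1; pamdir=$2; rc=0

    # 1. pam_service_name must name a real PAM stack (the page renames it to vsftpd.vu)
    svc=$(conf_get "$conf" pam_service_name)
    pamfile="$pamdir/$svc"
    if [ ! -f "$pamfile" ]; then
        echo "pam_service_name=$svc but $pamfile does not exist"; rc=1
    else
        # 2. db= is written without .db (pam_userdb appends it); the database
        #    must exist and be readable by root only (chmod 600 in step 1)
        db=$(sed -n 's/.*pam_userdb\.so.*db=\([^[:space:]]*\).*/\1/p' "$pamfile" | head -n 1)
        if [ -z "$db" ]; then
            echo "$pamfile has no pam_userdb.so db= entry"; rc=1
        elif [ ! -f "$db.db" ]; then
            echo "PAM db=$db but $db.db does not exist"; rc=1
        elif [ "$(stat -c %a "$db.db")" != "600" ]; then
            echo "$db.db is mode $(stat -c %a "$db.db"), expected 600"; rc=1
        fi
    fi

    # 3. guest_enable/guest_username: virtual users must map onto a local account
    if [ "$(conf_get "$conf" guest_enable | tr a-z A-Z)" != "YES" ]; then
        echo "guest_enable is not YES; virtual users will not be mapped"; rc=1
    fi
    [ -n "$(conf_get "$conf" guest_username)" ] || { echo "guest_username is unset"; rc=1; }

    # 4. user_config_dir: a per-user file in a directory that does not exist is
    #    simply never applied (e.g. vuser_dir vs vusers_dir)
    ucd=$(conf_get "$conf" user_config_dir)
    if [ -n "$ucd" ] && [ ! -d "$ucd" ]; then
        echo "user_config_dir=$ucd does not exist; per-user settings are ignored"; rc=1
    fi

    # 5. anonymous logins have no place in a virtual-user deployment
    if [ "$(conf_get "$conf" anonymous_enable | tr a-z A-Z)" = "YES" ]; then
        echo "anonymous_enable=YES leaves anonymous logins open"; rc=1
    fi
    return $rc
}
```

Run it as `check_vuser_setup /etc/vsftpd/vsftpd.conf /etc/pam.d` after step 5; an empty output and a zero exit status mean the names line up, and it does not replace checking the SELinux booleans from step 6.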
