Deployment and optimization of vsftpd service
2022-06-28 11:43:00 【redhat-YAN】
FTP service deployment and optimization
- One、 Experimental environment configuration and introduction to FTP
- Two、 The vsftpd service
- Three、 Anonymous FTP access control
- 3.1 Specifying the default publishing directory for anonymous users
- 3.2 Anonymous upload settings
- 3.3 Creating and deleting directories as an anonymous user
- 3.3 Downloading files from a directory as an anonymous user
- 3.4 Permissions of files uploaded by anonymous users
- 3.4 Identity used for anonymous uploads and the maximum number of FTP connections
- 3.5 Maximum upload rate
- Four、 Local user access
- Five、 Authentication deployment for virtual users
- Six、 Configuration optimization for virtual users
One、 Experimental environment configuration and introduction to FTP
Experimental environment:
The two hosts must be able to reach each other, and SELinux must be disabled on the server.
As long as the client's network is fine, any functional error comes from the server side.
Introduction to FTP:
FTP is the oldest file transfer protocol on the Internet.
It is rarely used for website publishing nowadays, but it is still common inside enterprises.
Two、 The vsftpd service
2.1 Basic information about the vsftpd service
Service name: vsftpd.service
Configuration directory: /etc/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
Default publishing directory: /var/ftp
Error codes seen in this article:
550 rejected by the program itself (the vsftpd configuration forbids the operation)
553 rejected by file-system permissions
500 permissions too loose (for example, a world-writable anonymous root directory)
530 authentication failed
2.2 Installing and enabling the vsftpd service
Install vsftpd on the server:
dnf install vsftpd -y
systemctl enable --now vsftpd
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload
Install lftp on the client:
dnf install lftp -y
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
ls reports a 530 error
lftp 172.25.254.100 -u westos logs in as the server's local user westos
Password: enter the password
ls now lists all the files in the westos user's home directory
At this point ftp is running, but only local users can log in; the anonymous client cannot.
By default the ftp service does not allow anonymous users to log in.
Allowing anonymous users to log in:
rpm -qc vsftpd lists the package's configuration files
vim /etc/vsftpd/vsftpd.conf
systemctl restart vsftpd
In the shipped file anonymous login is set to NO (anonymous_enable=NO); change it to YES.
lftp 172.25.254.100
ls shows the files; the default login location for anonymous users is the /var/ftp/ directory (the default publishing directory)
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
When an anonymous client writes, it does so as the system user ftp that ships with the package; this account is created automatically when vsftpd is installed.
On the server, create a file under /var/ftp/ and later delete it again:
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
ls shows the file just created; after the deletion, the file is gone.
Three、 Anonymous FTP access control
man 5 vsftpd.conf describes every parameter and its meaning
3.1 Specifying the default publishing directory for anonymous users
Server side:
mkdir -p /mnt/yan
vim /etc/vsftpd/vsftpd.conf
systemctl restart vsftpd
Write the following on a blank line of the main configuration file:
anon_root=/mnt
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
ls
yan is now visible in the listing
quit logs out
3.2 Anonymous upload settings
The client uploads a file to the FTP server:
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
cd pub
put /mnt/yan
Error 550: no permission
The server enables the upload function, which is off by default (anon_upload_enable=YES):
vim /etc/vsftpd/vsftpd.conf
systemctl restart vsftpd
On the client the upload still fails, because the pub directory grants no write permission to other users:
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
cd pub
put /mnt/yan
Error 553
The server must not change the permissions of the publishing directory /var/ftp itself: if it is opened up to 777, the client gets a 500 error directly on ls after logging in (vsftpd refuses to run with a writable root inside its chroot). So change the subdirectory of the publishing directory instead:
chmod 775 /var/ftp/pub/
chgrp ftp /var/ftp/pub/
Now the client uploads successfully:
lftp 172.25.254.100 (the server IP) logs in as the anonymous user
cd pub
put /mnt/yan
3.3 Creating and deleting directories as an anonymous user
By default anonymous users cannot create their own directories; the attempt reports 550.
vim /etc/vsftpd/vsftpd.conf
systemctl restart vsftpd
Enable this function (anon_mkdir_write_enable=YES).
Likewise, modify the main configuration file of the ftp server to enable deletion:
anon_other_write_enable=YES
rm -r deletes a directory
3.3 Downloading files from a directory as an anonymous user
Modify the main configuration file on the ftp server. By default anonymous users may only download files that are world-readable; to lift that restriction:
anon_world_readable_only=NO
get filename downloads the file; it is saved into the local directory you were in when you started lftp
3.4 Permissions of files uploaded by anonymous users
By default an uploaded file is 600, -rw-------
Modify the main configuration file:
anon_umask=022 the umask only withholds the write bit (2) from group and others
777-022=755
755-111 (files never receive the execute bits) = 644
So a file uploaded afterwards has permissions -rw-r--r--
and a directory created afterwards has 755, drwxr-xr-x
3.4 Identity used for anonymous uploads and the maximum number of FTP connections
Changing the owner of uploaded files
By default uploads are owned by the ftp identity: ls -l shows the owner as uid 14 and gid 50,
and id ftp confirms that 14 and 50 belong to the ftp user.
To change the upload owner, modify lines 52 and 53 of the main configuration file:
replace whoever with your own user (list the users with a login shell: grep bash /etc/passwd)
chown_uploads=YES
chown_username=whoever
Limiting the number of connections to the FTP server
This guards against DDoS and against overload (normally a cluster is used to avoid overload).
Modify the main configuration file and write on a blank line: max_clients=3
At most 3 connections are allowed at the same time
3.5 Maximum upload rate
dd if=/dev/zero of=/mnt/yan bs=1M count=1000
lftp 172.25.254.100
put /mnt/yan shows a transfer speed of a few hundred MB per second
Modify the main configuration file and write on a blank line:
anon_max_rate=102400 limits the rate to 100 KB/s
Four、 Local user access
4.1 Controlling whether local users can log in and upload files
Controlling whether local users can log in
Modify the main configuration file, around line 17:
local_enable=YES change it to NO and local users can no longer log in
lftp 172.25.254.100 -u westos then reports a 530 error at login
Upload permissions of local users
Files uploaded by local users default to 644, -rw-r--r--
Modify line 25 of the main configuration file and change it to:
local_umask=077
Files then become 600 and directories become 700:
-rw------- drwx------
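As an added example (not the article's own code), the following POSIX sh functions reproduce the umask arithmetic of 3.4 and 4.1 for any umask, not only 022 and 077, and print the ls -l form of the result:

```shell
#!/bin/sh
# Added example, not from the original article: vsftpd, like the kernel,
# starts from 666 for an uploaded file and 777 for a new directory and
# clears every permission bit that is set in anon_umask / local_umask.

# mode_after_umask <octal umask> <file|dir>: print the resulting octal mode
mode_after_umask() {
    case "$2" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: mode_after_umask <octal umask> file|dir" >&2; return 1 ;;
    esac
    # a leading 0 makes the shell read the argument as octal ("22" and "022" alike)
    printf '%03o\n' $(( base & ~0$1 ))
}

# triplet <0..7>: one rwx group as ls -l prints it
triplet() {
    if [ $(( $1 & 4 )) -ne 0 ]; then s="r"; else s="-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# symbolic <octal mode> <file|dir>: e.g. symbolic 644 file -> -rw-r--r--
symbolic() {
    m=$(( 0$1 ))
    if [ "$2" = dir ]; then printf 'd'; else printf '%s' "-"; fi
    triplet $(( (m >> 6) & 7 ))
    triplet $(( (m >> 3) & 7 ))
    triplet $(( m & 7 ))
    printf '\n'
}
```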
4.2 Specifying the default publishing directory for local users and controlling write rights
By default local users log in to their home directory.
Modify the main configuration file and write on a blank line:
local_root=the directory you specify
Controlling the write (upload, delete) rights of local users
Modify line 21 of the main configuration file; once this is turned off neither local nor anonymous users can write:
write_enable=YES change it to NO
4.3 Local user login restrictions and browsing restrictions
Local user login restrictions
By default only some local users can log in.
cd /etc/vsftpd
It contains ftpusers and user_list.
Both are blacklists by default (a name appearing in either file is denied access to the ftp server).
The change takes effect immediately: add westos to either ftpusers or user_list and the westos user can no longer log in.
To turn user_list into a whitelist, so that by default nobody can log in and only the users it names can, write on a blank line of the main configuration file: userlist_deny=NO
By default userlist_deny=YES.
Line 134 of the main configuration file, userlist_enable=YES, means the user_list function is enabled.
Local user browsing restrictions
After logging in, a local user can browse not only its own home directory but any directory of the server under /, which is unsafe.
Modify line 108 of the main configuration file and set it to YES; by default it is commented out with # (equivalent to NO) and every user can browse /:
chroot_local_user=YES
FTP security is now improved, but a user who has write permission on its own home directory can no longer log in, so on the server remove the local users' write permission:
chmod u-w /home/*
Allowing some users to browse /
Line 111 of the main configuration file:
chroot_list_file=/etc/vsftpd/chroot_list the users named in the list cannot access /
To turn chroot_list_file into a whitelist of users who may browse /, change line 108 of the main configuration file from NO to YES:
chroot_local_user=YES
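As an added example that is not part of the original article, this POSIX sh function encodes the chroot rules above as man 5 vsftpd.conf states them, including chroot_list_enable (a real option the article does not mention; it must be YES for the list file to be consulted) and the writable-home refusal that motivates chmod u-w /home/*. The user names, list file and home directory are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not the article's own code. Rules (man 5 vsftpd.conf):
#   chroot_local_user=YES  -> every local user is confined; chroot_list names the exceptions
#   chroot_local_user=NO   -> nobody is confined except the users named in chroot_list
#   a confined user whose home is writable by its owner is refused with "500 OOPS"

# in_list <user> <listfile>: true when the user is named in the list file
in_list() { [ -r "$2" ] && grep -qx "$1" "$2"; }

# owner_writable <dir>: true when the owner has the write bit on dir
owner_writable() { [ "$(ls -ld "$1" | cut -c3)" = w ]; }

# chroot_outcome <user> <chroot_local_user> <chroot_list_enable> <listfile> <homedir>
# prints: free     - the user may browse the whole filesystem
#         confined - the user is locked into its home directory
#         refused  - confined, but the home is owner-writable, so login fails (500)
chroot_outcome() {
    user="$1" all="$2" use_list="$3" list="$4" home="$5"
    confined=no
    [ "$all" = YES ] && confined=yes
    if [ "$use_list" = YES ] && in_list "$user" "$list"; then
        # the list inverts the global choice for the users it names
        if [ "$confined" = yes ]; then confined=no; else confined=yes; fi
    fi
    if [ "$confined" = no ]; then
        echo free
    elif owner_writable "$home"; then
        echo refused
    else
        echo confined
    fi
}
```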
Five、 Authentication deployment for virtual users
5.1 Authentication procedure and authentication files
So far every account is a real user on the server. System users usually have broad rights: an account that can log in to ftp can log in to other services as well. So we need users that behave like anonymous ones, exist only for ftp authentication, and do not exist in the system.
5.2 Creating and encrypting the authentication file
Create the authentication list in /etc/vsftpd (a user name on one line, its password on the next):
vim ftpauth
user1
123
user2
123
user3
123
Turn the list into a database file (the -t hash option selects the Berkeley DB hash type; the passwords themselves are stored as given, so keep both files readable by root only):
db_load -T -t hash -f ftpauth ftpauth.db
5.3 Introduction to the authentication procedure
rpm -ql vsftpd lists the files the package installed.
Among them is /etc/pam.d/vsftpd, the authentication policy.
whatis pam
vim /etc/pam.d/vsftpd
The account lines handle the account check; when the account is checked, the password-auth file is read as well.
The auth lines handle authentication; when authenticating, the password-auth file is read as well.
/etc/vsftpd/ftpusers has always been a blacklist because its pam_listfile line has always been in the deny state.
vim /etc/pam.d/password-auth
auth (type: password authentication) required (control: must pass, otherwise refuse) pam_faildelay.so delay=2000000 (the module used, with its argument)
find / -name pam_userdb.so
/usr/lib64/security/pam_userdb.so is the system's database authentication module and can be called directly.
5.3 The basis of the authentication policy (program)
Enter the account name: the pam_userdb.so module compares it against db=/etc/vsftpd/ftpauth; pass on a match, refuse otherwise.
Enter the password: the pam_userdb.so module compares it against db=/etc/vsftpd/ftpauth; pass on a match, refuse otherwise.
vim /etc/pam.d/ftpauth
account required pam_userdb.so db=/etc/vsftpd/ftpauth (this refers to the file created above; the .db suffix is appended automatically)
auth required pam_userdb.so db=/etc/vsftpd/ftpauth
If you write db=/etc/vsftpd/ftpauth.db instead, it becomes db=/etc/vsftpd/ftpauth.db.db, which does not exist
5.4 Adding the authentication program to the ftp service
Modify line 133 of the main configuration file:
change the original parameter
pam_service_name=vsftpd (original)
to
pam_service_name=ftpauth
and add
guest_enable=YES enables the virtual user function
guest_username=ftp the real server account that virtual users are mapped to is ftp
On the server:
id user1 user2 user3 reports that none of them exist
On the client:
lftp 172.25.254.100 -u user1 can log in
Likewise user2 and user3; the password of all three is 123
These three users are recognised only by the ftp service, not by any other service.
Six、 Configuration optimization for virtual users
6.1 Specifying the default publishing directory for virtual users
All three users currently land in pub:
lftp 172.25.254.100 -u user1 can log in
Likewise user2 and user3; the password of all three is 123
Give the three users independent home directories:
mkdir -p /ftphome/user{1..3}/pub
touch /ftphome/user1/user1file
touch /ftphome/user2/user2file
touch /ftphome/user3/user3file
Modify the main configuration file and write on a blank line:
local_root=/ftphome/$USER
user_sub_token=$USER declares the variable used in the parameter above
6.2 Upload function of virtual users
Letting all users upload
On the server: with the parameters already set in the main configuration file, the virtual users can upload once the permissions are changed, but it is not yet possible to let some users upload and others not.
chmod 775 /ftphome/user{1..3}/pub
chgrp ftp /ftphome/user{1..3}/pub
man 5 vsftpd.conf
search for /conf
Add the main configuration file parameter:
user_config_dir=/etc/vsftpd/confdir the file in this directory with the same name as a user is that user's configuration file
mkdir /etc/vsftpd/confdir
Now user1, user2 and user3 cannot upload.
To let user1 upload while user2 and user3 cannot:
vim /etc/vsftpd/confdir/user1
anon_upload_enable=YES allows uploads
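As an added example (not the article's own code), the following POSIX sh script reads a vsftpd.conf and reports the settings tuned in sections Two to Six when they are left in their open state. It assumes that a key absent from the file takes vsftpd's built-in default as documented in man 5 vsftpd.conf; the RHEL-packaged file overrides several of those explicitly, for example anonymous_enable=NO.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# settings this article tunes, reporting those left in a risky state.
# Assumption: a missing key means vsftpd's built-in default (man 5 vsftpd.conf).

# conf_get <file> <key> <default>: value of the last active "key=value" line
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d ' \t\r')
    printf '%s' "${v:-$3}"
}

# audit_vsftpd <file>: prints one finding per line, nothing when all is well
audit_vsftpd() {
    f="$1"
    # built-in default for anonymous_enable is YES; packaged configs set NO
    if [ "$(conf_get "$f" anonymous_enable YES)" = YES ]; then
        [ "$(conf_get "$f" anon_upload_enable NO)" = YES ] &&
            echo "anonymous upload enabled: confine it to pub/ (775, group ftp)"
        [ "$(conf_get "$f" anon_other_write_enable NO)" = YES ] &&
            echo "anonymous users may delete and rename (anon_other_write_enable=YES)"
        [ "$(conf_get "$f" anon_max_rate 0)" = 0 ] &&
            echo "no anonymous rate limit (anon_max_rate=0)"
    fi
    if [ "$(conf_get "$f" local_enable NO)" = YES ] &&
       [ "$(conf_get "$f" chroot_local_user NO)" != YES ]; then
        echo "local users can browse / (chroot_local_user=NO)"
    fi
    [ "$(conf_get "$f" max_clients 0)" = 0 ] &&
        echo "no connection cap (max_clients=0)"
    [ "$(conf_get "$f" userlist_enable NO)" = YES ] &&
    [ "$(conf_get "$f" userlist_deny YES)" = YES ] &&
        echo "user_list is a blacklist; set userlist_deny=NO for a whitelist"
    return 0
}

# finding_count <file>: number of findings, usable as an exit criterion
finding_count() { audit_vsftpd "$1" | wc -l | tr -d ' '; }
```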