After we have installed the vsftpd software on the server and have understood the software's main configuration file /etc/vsftpd/vsftpd.conf, we can build the ftp service we want.
Specify the listening port and connection limits
# listening port
listen_port=21
# allow downloading files
download_enable=YES
# maximum number of concurrent client connections
max_clients=100
# maximum number of concurrent connections from the same IP
max_per_ip=100
Prohibit anonymous and local (entity) user login
First of all, turn off anonymous login so that anonymous users can neither log in nor browse.
anonymous_enable=NO
So why are local (entity) users not allowed to log in? Because local users can already log in with the more secure SFTP, there is no need for them to use the FTP protocol at all. In addition, FTP is a clear-text protocol, so it would be bad if an account password were intercepted on the wire.
How are local users prevented from logging in? This is done in step 3 of the virtual user configuration described below: comment out everything in /etc/pam.d/vsftpd.
Active connection and passive connection settings
We want to build a setup that supports both active and passive connection mode, so the settings are as follows:
Port setting for active connection mode
connect_from_port_20=YES
Set the firewall to allow port 21. There is no need to open port 20: in active mode the server itself initiates the data connection from port 20, so the reply packets belong to a connection the host started and are let in by the ESTABLISHED/RELATED rule.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT   # FTP service
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Enable passive mode and limit the passive data connection port to any one of 10001~11000.
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=11000
Set the firewall to allow ports between 10000~11000 to be opened.
iptables -A INPUT -p tcp --dport 10001:11000 -j ACCEPT   # FTP passive connection ports (iptables ranges use a single colon)
Configuring virtual users
The steps to configure virtual users are as follows:
1. Create a virtual user password file
2. Generate a virtual user password authentication file
3. Edit the PAM authentication file of vsftpd
4. Establish a local mapping directory and set the host directory permissions
5. Modify the configuration file
6. Create a separate configuration file for each virtual user
1. Create a password file for the virtual users. The format of the file is: user name on odd-numbered lines and password on even-numbered lines. Create the file /etc/vsftpd/vusers with the following content:
ftptest1
111111
ftptest2
222222
2. Generate the virtual user password authentication file by executing the following command:
db_load -T -t hash -f /etc/vsftpd/vusers /etc/vsftpd/login.db
After the command has run correctly, the file /etc/vsftpd/login.db will appear. For security reasons, set the permissions of this file to 600 so that only root can read the password database.
chmod 600 /etc/vsftpd/login.db
3. Edit the PAM configuration file required by the virtual user
vim /etc/pam.d/vsftpd
Comment out all of the previous contents and add the following two lines:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/login
Note that on a 32-bit system you remove the 64 from lib64, and that no suffix is added after login, because pam_userdb appends .db itself. After this change, local (entity) users will no longer be able to log in to the FTP service.
4. Create a local mapping directory and set the host directory permissions.
Create the host user that the virtual users will be mapped to (no login shell, so it cannot be used to log in to the system itself)
# useradd -d /home/vsftp -s /sbin/nologin ftpuser
Set the directory permissions to 755
# chmod 755 /home/vsftp/
5. Modify the configuration file.
Write the following configuration lines into the /etc/vsftpd/vsftpd.conf configuration file.
# enable virtual user login
guest_enable=YES
# map the virtual users to the host user
guest_username=ftpuser
# PAM service name (this setting exists by default)
pam_service_name=vsftpd
# vsftpd has tightened its security checks: if a user is confined to its home directory, that directory may no longer be writable, so the following setting is needed
allow_writeable_chroot=YES
6. Create a separate configuration file for each virtual user.
If you want to create a separate configuration file for each virtual user, you need to add
user_config_dir=/etc/vsftpd/config
to the main configuration file to specify the path of the virtual users' configuration files. Next, create a configuration file for each of the two virtual users:
# configuration file for the virtual user ftptest1
# create the virtual user's home directory
# mkdir /home/vsftp/ftptest1
# chown ftpuser:ftpuser /home/vsftp/ftptest1/
# create the configuration file
# mkdir /etc/vsftpd/config
# vim /etc/vsftpd/config/ftptest1   <=== each virtual user's configuration file is named after that user
# specify the home directory
local_root=/home/vsftp/ftptest1
# allow the relevant permissions
download_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
# set the maximum transfer rate, in bytes/s
anon_max_rate=100000
Note: at the moment there is no separate configuration file for the virtual user ftptest2, so that user gets the settings of the main configuration file (/etc/vsftpd/vsftpd.conf).
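The firewall rules above must match the ports in vsftpd.conf, and a mismatch (or a typo such as a doubled colon in the port range) silently breaks passive mode. The following POSIX shell helper is an added example, not part of the original tutorial: it reads a vsftpd.conf, checks the hardening points this article relies on (anonymous login off, virtual users mapped to a host user, a usable passive range) and derives the iptables rules from the configured ports. The function names conf_get, check_conf and firewall_rules and the sample configuration are constructed for this example.

```shell
# Added example (not from the tutorial): validate a vsftpd.conf and derive the matching iptables rules. Helper names are hypothetical.
# conf_get FILE KEY: print KEY's value (last occurrence wins); comment lines are skipped
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# check_conf FILE: return 0 when the hardening points from the tutorial hold, 1 otherwise
check_conf() {
    f=$1
    rc=0
    [ "$(conf_get "$f" anonymous_enable)" = "NO" ] || { echo "anonymous_enable must be NO"; rc=1; }
    [ "$(conf_get "$f" guest_enable)" = "YES" ] || { echo "guest_enable must be YES for virtual users"; rc=1; }
    [ -n "$(conf_get "$f" guest_username)" ] || { echo "guest_username (host user) is missing"; rc=1; }
    if [ "$(conf_get "$f" pasv_enable)" = "YES" ]; then
        lo=$(conf_get "$f" pasv_min_port)
        hi=$(conf_get "$f" pasv_max_port)
        # both must be numbers with lo <= hi, otherwise no firewall rule can be derived
        if ! [ "$lo" -le "$hi" ] 2>/dev/null; then echo "bad passive port range: $lo..$hi"; rc=1; fi
    fi
    return $rc
}

# firewall_rules FILE: print iptables rules for the control port and the passive range
# (an iptables port range uses a single colon, e.g. 10001:11000)
firewall_rules() {
    f=$1
    port=$(conf_get "$f" listen_port)
    echo "iptables -A INPUT -p tcp --dport ${port:-21} -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$(conf_get "$f" pasv_enable)" = "YES" ]; then
        echo "iptables -A INPUT -p tcp --dport $(conf_get "$f" pasv_min_port):$(conf_get "$f" pasv_max_port) -j ACCEPT"
    fi
}

# Constructed sample configuration using the tutorial's settings (written to a temp file)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen_port=21
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=11000
guest_enable=YES
guest_username=ftpuser
EOF
check_conf "$SAMPLE_CONF" && firewall_rules "$SAMPLE_CONF"
```

Run it against the real /etc/vsftpd/vsftpd.conf before reloading the firewall; a non-zero exit from check_conf names the setting that still deviates from the article's recommendations.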
The above is the detailed content of Linux operation and maintenance: build a vsftp service that meets your own requirements, published on the PHP Chinese website.