Linux FTP server build tutorial


FTP server setup

Package: vsftpd.i386

Daemon: vsftpd (/usr/sbin/vsftpd)

Init script: /etc/init.d/vsftpd

Ports: 21/tcp (ftp, the control connection) and 20/tcp (ftp-data, the server side of an active-mode data connection). In passive mode the server instead opens a high port chosen from the pasv_min_port/pasv_max_port range, so a firewall in front of the server has to allow that range too.

Configuration:

/etc/vsftpd/vsftpd.conf

/etc/vsftpd/ftpusers

/etc/pam.d/vsftpd


Several packages implement an FTP server on Linux. Here we use vsftpd, the one Red Hat ships, which is designed with security in mind and is lightweight.

Installing the vsftpd package and starting the service is enough for the server to accept FTP connections:

yum -y install vsftpd.i386

service vsftpd start

Once the service is running we can connect to the FTP server directly.

The anonymous FTP root is /var/ftp/; directories created there are what anonymous clients see.

When a local (system) user logs in, the session starts in that user's home directory, for example:

lftp -u zoe 192.168.0.3

After logging in, the listing shows the contents of /home/zoe.


Here we mainly cover three topics:

1 The various vsftpd settings (through the configuration file)

2 SSL/TLS-protected FTP

3 Setting up FTP virtual users


First, the main configuration file, /etc/vsftpd/vsftpd.conf. Each line has the form option=value and a # starts a comment only at the beginning of a line. vsftpd does not trim whitespace: a trailing space after YES or NO makes the daemon refuse to start with a "bad bool value" error.

anonymous_enable=YES    Allow anonymous logins (user "anonymous" or "ftp"). This is also the built-in default when the option is absent, so set it to NO explicitly if you do not want it.

local_enable=YES    Allow local (system account) users to log in.

anon_upload_enable=YES    Allow anonymous users to upload files. Also needs write_enable=YES and a directory the ftp user can write to.

anon_mkdir_write_enable=YES    Allow anonymous users to create directories.

anon_other_write_enable=YES    Allow anonymous users to delete and rename files; almost never wanted.

dirmessage_enable=YES    Show a message when a user enters a directory.

message_file=.message    Name of the file, looked up in each directory, that holds that message.

xferlog_enable=YES    Log uploads and downloads.

xferlog_file=/var/log/vsftpd    Path of the transfer log.

chown_uploads=YES    Give anonymously uploaded files to another owner.

chown_username=    The user that receives ownership of those uploads.

idle_session_timeout=600    Seconds an idle control connection may stay open.

data_connection_timeout=120    Seconds a stalled data transfer may stay open.

ascii_upload_enable=YES    Allow ASCII-mode uploads; normally leave this off.

ftpd_banner=Welcome to blah FTP service    Greeting shown when a client connects.

chroot_local_user=YES    Confine every local user to their home directory.

Without it, a local user can cd out of their home and browse any directory on the host that their account is allowed to read. Note that vsftpd 2.3.5 and later refuse the login if the chroot directory itself is writable by the user ("refusing to run with writable root inside chroot()"); make the home directory read-only for the user and give them a writable subdirectory, or set allow_writeable_chroot=YES at your own risk.

chroot_list_enable=YES    Consult the list in chroot_list_file. With chroot_local_user=NO the listed users are the only ones confined; with chroot_local_user=YES the meaning is inverted and the list names the users who are NOT confined.

chroot_list_file=/etc/vsftpd/chroot_list    Location of that list, one username per line.

ls_recurse_enable=YES    Allow "ls -R". A recursive listing of a large tree is an easy denial of service, so leave it off.

listen=YES    Run as a standalone daemon on its own socket rather than under xinetd.

pam_service_name=vsftpd    PAM service name; the corresponding stack is /etc/pam.d/vsftpd.

userlist_enable=YES    Check the username against /etc/vsftpd/user_list before asking for a password.

userlist_deny=NO    Only users named in user_list may log in.

userlist_deny=YES    Users named in user_list are rejected, before they are asked for a password, so no password is sent for them. This is the default.

tcp_wrappers=YES    Honour /etc/hosts.allow and /etc/hosts.deny.


Users listed in /etc/vsftpd/ftpusers are refused as well; that check is done by the pam_listfile module in /etc/pam.d/vsftpd during password authentication, independently of user_list.
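As an added example (not part of the tutorial), the following script audits a vsftpd.conf for the risky settings discussed above. It reads the file the way vsftpd does (option=value, "#" comments only at the start of a line, last assignment wins), applies vsftpd's built-in defaults for options that are absent, and prints one finding per line. The sample configuration it audits when run without an argument is constructed here and mirrors the values shown in the option list; the names of the checks are mine.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the risky settings discussed above.

# conf_get FILE OPTION -> the effective value of OPTION, empty if never set
conf_get() {
    awk -v key="$2" '
        /^#/ { next }                                  # "#" comments only at line start
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }     # lenient here; vsftpd is not
        { i = index($0, "=")
          if (i > 0 && substr($0, 1, i - 1) == key) val = substr($0, i + 1) }
        END { print val }' "$1"
}

# value_or FILE OPTION DEFAULT -> effective value, else vsftpd's built-in default
value_or() {
    v=$(conf_get "$1" "$2")
    if [ -n "$v" ]; then printf %s "$v"; else printf %s "$3"; fi
}

# is_yes VALUE -> true for the spellings vsftpd accepts as boolean "yes"
is_yes() {
    case "$(printf %s "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

warn() { echo "WARN: $*"; n=$((n + 1)); }

# audit_vsftpd_conf FILE: print findings, return 1 if there were any
audit_vsftpd_conf() {
    f=$1; n=0

    # vsftpd does not trim: "anonymous_enable=YES " is a "bad bool value" and
    # " # note" an "unrecognised variable"; either makes the daemon refuse to start
    ws=$(grep -c -E '^[[:space:]]|[[:space:]]$' "$f" || true)
    [ "$ws" -gt 0 ] && warn "$ws line(s) with leading/trailing whitespace; vsftpd will refuse to start"

    if is_yes "$(value_or "$f" anonymous_enable YES)"; then    # built-in default is YES
        warn "anonymous logins allowed (anonymous_enable is YES, which is also the default when unset)"
        is_yes "$(value_or "$f" anon_upload_enable NO)" && warn "anonymous users may upload (anon_upload_enable=YES)"
        is_yes "$(value_or "$f" anon_mkdir_write_enable NO)" && warn "anonymous users may create directories"
        is_yes "$(value_or "$f" anon_other_write_enable NO)" && warn "anonymous users may delete and rename files"
    fi

    if is_yes "$(value_or "$f" local_enable NO)"; then
        is_yes "$(value_or "$f" chroot_local_user NO)" || warn "local users can leave their home directory (chroot_local_user=YES missing)"
        if is_yes "$(value_or "$f" ssl_enable NO)"; then
            is_yes "$(value_or "$f" ssl_sslv2 NO)" && warn "ssl_sslv2=YES: SSLv2 is broken, set it to NO"
            is_yes "$(value_or "$f" ssl_sslv3 NO)" && warn "ssl_sslv3=YES: SSLv3 is broken (POODLE), set it to NO"
            is_yes "$(value_or "$f" force_local_logins_ssl YES)" || warn "force_local_logins_ssl=NO: local passwords may still cross the wire in clear text"
        else
            warn "ssl_enable=NO: local user passwords cross the wire in clear text"
        fi
    fi

    is_yes "$(value_or "$f" ls_recurse_enable NO)" && warn "ls_recurse_enable=YES: recursive listings of a large tree are an easy denial of service"

    [ "$n" -eq 0 ]
}

# write_sample_conf FILE: constructed sample resembling the tutorial's settings
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
ls_recurse_enable=YES
EOF
    printf 'xferlog_enable=YES \n' >> "$1"   # trailing space: the classic "bad bool value"
}

if [ $# -gt 0 ]; then
    audit_vsftpd_conf "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"
    audit_vsftpd_conf "$tmp" || echo "findings: $n"
    rm -f "$tmp"
fi
```

Run it as `sh audit.sh /etc/vsftpd/vsftpd.conf`; a non-zero exit means there is something to fix, which makes it usable from a configuration-management check.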


With the options above you can adjust the configuration to your needs; we will not walk through every combination here. A few client commands used in the tests that follow:

lftp -u fedora 192.168.0.3    Log in as the given user

ftp> put issue    Upload the file named issue from the current local directory


For anonymous users to upload, the target directory must be owned by the ftp user (the account vsftpd switches to for anonymous sessions), and the configuration needs write_enable=YES together with anon_upload_enable=YES. /var/ftp itself must stay owned by root and not writable by ftp: vsftpd refuses anonymous logins when the anonymous root is writable ("refusing to run with writable anonymous root"), and a writable root would let anyone litter it anyway. So we create a separate upload directory:

mkdir /var/ftp/upload

chown ftp:ftp /var/ftp/upload

and cd into it before uploading:

lftp 192.168.48.3

> cd /upload

> lcd /etc

> put issue

> bye


On a host with SELinux enforcing, the upload still fails even though the Unix permissions are right, and the usual reflex is to switch SELinux off. That is not necessary: the policy has a boolean and a file type for exactly this case.

getsebool -a    List every boolean the loaded policy supports, with its current value

Then:

setsebool allow_ftpd_anon_write=1    Change the running value only; it is lost at reboot

setsebool -P allow_ftpd_anon_write=1    Also store the value in the policy, so it persists

(on newer releases the boolean is called ftpd_anon_write; getsebool -a | grep ftpd shows which name the host has)

cd /var/ftp/

ls -lZ    Show the SELinux context of each entry

chcon -t public_content_rw_t upload/    Label the upload directory so ftpd may write to it

chcon changes the label on disk but not the policy's file-context rules, so a relabel (restorecon, or touch /.autorelabel) reverts it. To make the label permanent, record it with semanage fcontext -a -t public_content_rw_t "/var/ftp/upload(/.*)?" and then apply it with restorecon -Rv /var/ftp/upload.

With that, SELinux permits anonymous uploads without being disabled.
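The following script is an added example, not part of the tutorial: it checks that an anonymous upload tree has the layout the two sections above require (the anonymous root not writable by the ftp account, the upload directory writable by it) and, when run as root with the argument setup, applies the ownership, the SELinux boolean and a persistent file context. The writability check is deliberately stricter than vsftpd's own: any write path for the ftp account on the root counts as a failure. It assumes GNU coreutils (stat -c) and the policycoreutils tools; the directory and user names are the tutorial's.

```shell
#!/bin/sh
# Added example: verify and set up the anonymous upload layout from the text.

ANON_USER=ftp               # account vsftpd switches to for anonymous sessions
ANON_ROOT=/var/ftp          # anonymous root: must NOT be writable by $ANON_USER
UPLOAD_DIR=/var/ftp/upload  # the one directory anonymous sessions may write to

# dir_writable_by USER DIR -> 0 if USER can write DIR judging by mode bits
# (returns 2 if USER or DIR does not exist)
dir_writable_by() {
    user=$1; dir=$2
    uid=$(id -u "$user") || return 2
    info=$(stat -c '%u %g %A' "$dir") || return 2
    set -- $info    # $1 owner uid, $2 group gid, $3 symbolic mode, e.g. drwxr-xr-x
    owner_w=$(printf %s "$3" | cut -c3)
    group_w=$(printf %s "$3" | cut -c6)
    other_w=$(printf %s "$3" | cut -c9)
    [ "$other_w" = w ] && return 0
    [ "$uid" = "$1" ] && [ "$owner_w" = w ] && return 0
    if [ "$group_w" = w ]; then
        for g in $(id -G "$user"); do
            [ "$g" = "$2" ] && return 0
        done
    fi
    return 1
}

# anon_layout_ok [ROOT] [UPLOAD] [USER] -> 0 when ROOT is read-only for USER
# and UPLOAD is writable by USER
anon_layout_ok() {
    root=${1:-$ANON_ROOT}; up=${2:-$UPLOAD_DIR}; user=${3:-$ANON_USER}
    if dir_writable_by "$user" "$root"; then
        echo "FAIL: $root is writable by $user (vsftpd refuses a writable anonymous root)" >&2
        return 1
    fi
    if ! dir_writable_by "$user" "$up"; then
        echo "FAIL: $up is not writable by $user; uploads will fail with 553" >&2
        return 1
    fi
    return 0
}

# setup_anon_upload: apply the layout and the SELinux settings (root only)
setup_anon_upload() {
    [ "$(id -u)" -eq 0 ] || { echo "setup needs root" >&2; return 1; }
    mkdir -p "$UPLOAD_DIR"
    chown root:root "$ANON_ROOT" && chmod 755 "$ANON_ROOT"              # root stays read-only
    chown "$ANON_USER:$ANON_USER" "$UPLOAD_DIR" && chmod 755 "$UPLOAD_DIR"
    # uploads are created with anon_umask (default 077), and anon_world_readable_only
    # (default YES) stops other anonymous sessions from downloading them again
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        # older policies call the boolean allow_ftpd_anon_write, newer ones ftpd_anon_write
        for b in ftpd_anon_write allow_ftpd_anon_write; do
            if getsebool "$b" >/dev/null 2>&1; then setsebool -P "$b" 1; break; fi
        done
        # chcon does not survive a relabel: record the context in policy, then apply it
        semanage fcontext -a -t public_content_rw_t "$UPLOAD_DIR(/.*)?" 2>/dev/null ||
            semanage fcontext -m -t public_content_rw_t "$UPLOAD_DIR(/.*)?"
        restorecon -Rv "$UPLOAD_DIR"
    fi
    anon_layout_ok
}

if [ "${1:-}" = setup ]; then
    setup_anon_upload
elif [ -d "$ANON_ROOT" ]; then
    anon_layout_ok && echo "anonymous upload layout OK"
fi
```

Run `sh anon-upload.sh` on the FTP host to check the current tree, or `sh anon-upload.sh setup` as root to create it.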


--------------------------------------------- SSL


Plain FTP sends the username and password, and everything that is transferred, in clear text on the wire. To fix that we use FTP over SSL/TLS (explicit FTPS: the client sends AUTH TLS on port 21 before logging in).

First create a certificate and private key for the server (a self-signed pair is enough for testing); then add the following to the configuration file:

# SSL

ssl_enable=YES    Enable SSL/TLS support

ssl_tlsv1=YES    Accept TLSv1

ssl_sslv2=NO    SSLv2 is broken; never enable it

ssl_sslv3=NO    SSLv3 is broken as well (POODLE); leave it off

allow_anon_ssl=NO    Anonymous sessions get no TLS; they have no password to protect

force_local_data_ssl=YES    Local users must use TLS on data connections

force_local_logins_ssl=YES    Local users must negotiate TLS before they may send a password

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt    Certificate path

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key    Private key path; keep the file readable by root only


Then test from a Windows client such as FlashFXP, selecting its explicit FTPS (AUTH TLS) mode.

During the login we can capture the packets and compare, before and after enabling TLS, whether the password is still readable.

A simple capture: tcpdump -i eth0 -A 'dst host 192.168.0.3 and tcp port 21'

Run it on the host whose traffic you want to see, and pick the right interface:

tcpdump -D    List the interfaces

tcpdump -i eth0    Capture on the named interface

-A    Print each packet's payload as ASCII (without it the USER and PASS lines are not shown)

dst host IP    Only packets whose destination is IP

src host IP    Only packets whose source is IP

Without TLS the lines USER zoe and PASS ... appear in the capture in clear text; with TLS forced, only the AUTH TLS exchange is readable and everything after it is encrypted.
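The certificate step above is left to the reader; as an added example (not the tutorial's own commands) the script below creates a self-signed key and certificate with the key unreadable to anyone but root, and prints the TLS fragment for vsftpd.conf with SSLv2 and SSLv3 off and the cipher list restricted. The directory, the CN and the validity period are assumptions; ssl_ciphers and require_ssl_reuse are real vsftpd options.

```shell
#!/bin/sh
# Added example: self-signed certificate and hardened TLS fragment for vsftpd.

# make_vsftpd_cert DIR CN [DAYS]: writes DIR/vsftpd.key (mode 600) and DIR/vsftpd.crt
make_vsftpd_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    (
        umask 077   # the key is unreadable to others from the moment it exists
        openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
            -subj "/CN=$cn" \
            -keyout "$dir/vsftpd.key" -out "$dir/vsftpd.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/vsftpd.key"
    chmod 644 "$dir/vsftpd.crt"
}

# cert_subject_cn CRT -> the CN of the certificate (works with old and new openssl output)
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# tls_conf_fragment DIR -> lines to append to /etc/vsftpd/vsftpd.conf
tls_conf_fragment() {
    cat <<EOF
# SSL/TLS (explicit FTPS: AUTH TLS on port 21)
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO
rsa_cert_file=$1/vsftpd.crt
rsa_private_key_file=$1/vsftpd.key
EOF
}

if [ "${1:-}" = make ]; then
    dir=${2:-/etc/vsftpd/ssl}
    make_vsftpd_cert "$dir" "${3:-$(hostname)}" && tls_conf_fragment "$dir"
fi
```

After restarting vsftpd, `openssl s_client -connect 192.168.0.3:21 -starttls ftp` shows the certificate the server presents and the negotiated protocol, and the tcpdump filter from the text shows that USER and PASS no longer appear in the clear. Some clients fail the data connection with the default require_ssl_reuse=YES (vsftpd insists the data connection reuse the control connection's TLS session); set require_ssl_reuse=NO only if a client you need cannot do that.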


------------------------------------------------- Setting up virtual users:

1 Create the account database file for the virtual FTP users

2 Create the system user that owns the FTP root directory and to which the virtual users are mapped

3 Create a PAM configuration file that authenticates against that database

4 Add the virtual-user settings to the vsftpd.conf file
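The four steps above carried through end to end, as an added example rather than the tutorial's own commands. The list file is the format db_load expects: username on one line, password on the next. All paths and names below (vusers.txt, vusers.db, vsftpd.vu, the vuser account and /var/ftproot) are assumptions. pam_userdb compares the password against the database value in clear text unless you add crypt=crypt and store crypted passwords, so the list and the database must be readable by root only.

```shell
#!/bin/sh
# Added example: virtual FTP users for vsftpd, following the four steps above.

VU_LIST=/etc/vsftpd/vusers.txt    # plain list: user, password, user, password ...
VU_DB=/etc/vsftpd/vusers          # pam_userdb appends ".db" itself
VU_PAM=/etc/pam.d/vsftpd.vu
VU_GUEST=vuser                    # system account all virtual users are mapped to
VU_HOME=/var/ftproot              # its home, i.e. the FTP root for virtual users
VU_CONF_DIR=/etc/vsftpd/vusers_conf

# vuser_count LIST -> number of username/password pairs; fails on a malformed list
vuser_count() {
    awk 'NF == 0 { bad = 1 }
         NR % 2 == 1 && /[ \t]/ { bad = 1 }
         END { if (bad || NR % 2 == 1) exit 1; print NR / 2 }' "$1"
}

# build_vuser_db LIST DBBASE: step 1, LIST -> DBBASE.db (hash), root-only readable
build_vuser_db() {
    vuser_count "$1" >/dev/null || return 1
    db_load -T -t hash -f "$1" "$2.db" || return 1
    chmod 600 "$1" "$2.db"
}

# create_guest_account: step 2, nologin shell, home is the virtual users' root;
# the root itself stays read-only so the chroot check does not refuse the login
create_guest_account() {
    id "$VU_GUEST" >/dev/null 2>&1 || useradd -d "$VU_HOME" -s /sbin/nologin "$VU_GUEST"
    mkdir -p "$VU_HOME"
    chown root:root "$VU_HOME" && chmod 755 "$VU_HOME"
}

# write_pam_vuser PAMFILE DBBASE: step 3
write_pam_vuser() {
    cat > "$1" <<EOF
#%PAM-1.0
# virtual FTP users: authenticate against the Berkeley DB, not /etc/passwd
auth    required pam_userdb.so db=$2
account required pam_userdb.so db=$2
EOF
}

# vuser_conf_fragment: step 4, lines to append to /etc/vsftpd/vsftpd.conf
# (virtual users get anonymous-style privileges, so the anon_* options govern them)
vuser_conf_fragment() {
    cat <<EOF
# virtual users
guest_enable=YES
guest_username=$VU_GUEST
pam_service_name=${VU_PAM##*/}
virtual_use_local_privs=NO
write_enable=YES
user_config_dir=$VU_CONF_DIR
EOF
}

# write_vuser_override USER [DIR]: per-user settings, file named after the user
write_vuser_override() {
    dir=${2:-$VU_CONF_DIR}
    mkdir -p "$dir"
    cat > "$dir/$1" <<EOF
local_root=$VU_HOME/$1
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=NO
EOF
}

setup_virtual_users() {
    [ "$(id -u)" -eq 0 ] || { echo "setup needs root" >&2; return 1; }
    build_vuser_db "$VU_LIST" "$VU_DB" || return 1
    create_guest_account
    write_pam_vuser "$VU_PAM" "$VU_DB"
    echo "append the following to /etc/vsftpd/vsftpd.conf, then restart vsftpd:"
    vuser_conf_fragment
}

if [ "${1:-}" = setup ]; then setup_virtual_users; fi
```

Each virtual user needs a writable directory under the guest's home (for example /var/ftproot/tom owned by vuser) matching the local_root in its override file; the root itself stays owned by root. Test with `lftp -u tom 192.168.0.3` after the restart.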

Copyright © Windows knowledge All Rights Reserved