Contents
- ftp data connection mode
- ftp service installation
- system user
- anonymous login
- Confining users to their home directories
- Changing the uploaded file owner
- Specify which pam configuration file under /etc/ vsftpd uses for user authentication
- Prohibit/allow specified users to log in
- Enable .message descriptive information in a directory
- Virtual User Configuration
ftp data connection mode
FTP uses two kinds of connection: a command connection and a data connection.
Command connection: carries the file-management commands; it is a persistent connection that stays open until the user logs out.
Data connection: carries the actual data transfer; it is created on demand and closed when the transfer finishes.
Two aspects of the data connection matter: the data transfer format and the data transfer mode.
There are two data transfer formats:
- text (ASCII) transfer
- binary transfer
There are also two data transfer modes:
- Active mode: the server creates the data connection
- Passive mode: the client creates the data connection
How the data connection is established in each mode:
- Active mode
Command connection: Client(1025) --> Server(21)
The client connects from a random port (greater than 1023) to the server's port 21.
Data connection: Server(20/tcp) --> Client(1025+1)
The server connects from its own port 20 to the client's command-connection port + 1.
- Passive mode
Command connection: Client(1110) --> Server(21)
The client connects from a random port to the server's port 21.
Data connection: Client(1110+1) --> Server(random port)
The client connects from its command-connection port + 1 to a random port on the server; the server announces that port number over the command connection.
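The passive-mode announcement is exactly what the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" lines in the sessions further down carry: four address octets and a port split as p1*256+p2. The following is an added example, not code from the page: it decodes such a 227 reply, encodes the same endpoint as an active-mode PORT argument, and checks that the advertised address is the one the command connection already goes to. The sample reply is constructed after the page's captures.

```python
import re

# Constructed sample reply, in the form of the 227 lines in the sessions on this page.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,220,10,245,93)."

# h1,h2,h3,h4,p1,p2 inside parentheses, as RFC 959 specifies for 227 replies.
_SIX_NUMBERS = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Decode a 227 reply into (host, port), or return None if it is malformed.

    The first four numbers are the IPv4 address the client must connect to
    for the data connection; the port is p1 * 256 + p2.
    """
    if not line.startswith("227"):
        return None
    match = _SIX_NUMBERS.search(line)
    if match is None:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def build_port_argument(host, port):
    """Encode host/port the way a client does in an active-mode PORT command.

    Inverse of parse_pasv_reply: in active mode the client announces where it
    listens and the server connects to it from port 20.
    """
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not a dotted IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def advertised_host_matches(reply, control_host):
    """Client-side sanity check on a 227 reply.

    The address a server advertises should normally be the address the
    command connection already goes to; a mismatch usually means NAT or a
    wrong pasv_address setting and is worth logging or refusing rather than
    following silently.
    """
    parsed = parse_pasv_reply(reply)
    return parsed is not None and parsed[0] == control_host


if __name__ == "__main__":
    host, port = parse_pasv_reply(SAMPLE_PASV)
    print(f"data connection goes to {host}:{port}")
    print("PORT argument for the same endpoint:", build_port_argument(host, port))
```

Run it directly to see the decoded endpoint for the sample reply; parse_pasv_reply returns None for anything that is not a well-formed 227 line, so a caller can treat a bad reply as an error instead of opening a connection to garbage.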
ftp service installation
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 32 :::21 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
system user
[root@localhost ~]# useradd jerry
[root@localhost ~]# echo '123456' |passwd --stdin tom
Change the password for the user tom.
passwd: All authentication tokens have been successfully updated.
Login succeeds:
[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Create directory 123 in jerry's home directory on the server:
ftp> ls
227 Entering Passive Mode (192,168,220,10,245,93).
150 Here comes the directory listing.
drwxr-xr-x 2 1002 1002 6 Nov 05 03:45 abc
226 Directory send OK.
ftp> mkdir 123
257 "/home/jerry/123" created
Verify on the server:
[root@localhost ~]# cd /home/jerry/
[root@localhost jerry]# ls
123 abc
anonymous login
- anonymous_enable=YES Enable anonymous user login
- anon_upload_enable=YES Allow anonymous users to upload
- anon_mkdir_write_enable=YES Allows anonymous users to create directories, but not to delete them
- anon_other_write_enable=YES Allows anonymous users to create and delete directories
[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,220,10,101,15).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Oct 30 2018 pub
226 Directory send OK.
Create a directory:
[root@localhost ftp]# chown -R pub/
[root@localhost ftp]# ls
pub
[root@localhost ftp]# ll
total usage 0
drwxr-xr-x. 2 ftp ftp 6 Oct 31 2018 pub
ftp> pwd
257 "/pub"
ftp> mkdir abc
257 "/pub/abc" created
Delete a directory
Confining users to their home directories
Without confinement, a local user can leave the home directory and browse the whole filesystem:
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,61,156).
150 Here comes the directory listing.
drwx------ 2 1000 1000 62 Oct 30 04:45 tom
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,163,74).
150 Here comes the directory listing.
lrwxrwxrwx 1 0 0 7 Oct 10 14:44 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Oct 14 06:39 boot
drwxr-xr-x 3 0 0 1024 Oct 14 07:38 data
drwxr-xr-x 20 0 0 3340 Oct 14 07:39 dev
drwxr-xr-x 77 0 0 8192 Oct 30 04:43 etc
drwxr-xr-x 3 0 0 17 Oct 30 04:42 home
lrwxrwxrwx 1 0 0 7 Oct 10 14:44 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 Oct 10 14:44 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 10 2016 media
drwxr-xr-x 2 0 0 6 Mar 10 2016 mnt
drwxr-xr-x 2 0 0 56 Oct 30 03:46 opt
dr-xr-xr-x 192 0 0 0 Oct 14 06:37 proc
dr-xr-x--- 3 0 0 139 Oct 30 14:57 root
drwxr-xr-x 27 0 0 780 Oct 30 03:53 run
lrwxrwxrwx 1 0 0 8 Oct 10 14:44 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 10 2016 srv
dr-xr-xr-x 13 0 0 0 Oct 14 06:37 sys
drwxrwxrwt 14 0 0 4096 Oct 30 14:52 tmp
drwxr-xr-x 13 0 0 155 Oct 10 14:44 usr
drwxr-xr-x 20 0 0 278 Oct 30 03:53 var
226 Directory send OK.
Configuration file:
local_root=/tmp/tom
chroot_local_user=YES
allow_writeable_chroot=YES
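A quick way to review the options from the "anonymous login" section and the confinement options above before a server is exposed is to parse the configuration and list what they permit. The following is an added example, not code from the page or from vsftpd: it reads vsftpd.conf-style text (constructed samples built from the options shown on this page), applies the defaults documented in vsftpd.conf(5) for unset keys, and reports the settings a reviewer would want flagged. The main configuration file name is left out on this page; the example works on text so it does not assume one.

```python
# Defaults for the keys this audit inspects, as documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
}

# Constructed sample: the anonymous options from the "anonymous login" section.
OPEN_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""

# Constructed sample: the confinement options from the section above, anonymous off.
CONFINED_CONF = """\
# local users see only their own tree
local_root=/tmp/tom
chroot_local_user=YES
allow_writeable_chroot=YES
anonymous_enable=NO
"""


def parse_vsftpd_conf(text):
    """Return a dict of option -> value from vsftpd.conf-style text.

    Blank lines and '#' comments are skipped; a later line overrides an
    earlier one, which is also how vsftpd itself treats duplicate keys.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key] = value
    return conf


def is_yes(conf, key):
    """Boolean options accept YES/NO (vsftpd also takes true/false and 1/0)."""
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() in ("YES", "TRUE", "1")


def audit(conf):
    """List the settings a reviewer would want to see before exposing the server."""
    findings = []
    if is_yes(conf, "anonymous_enable"):
        findings.append("anonymous login enabled")
        if is_yes(conf, "anon_upload_enable"):
            findings.append("anonymous upload enabled")
        if is_yes(conf, "anon_mkdir_write_enable"):
            findings.append("anonymous mkdir enabled")
        if is_yes(conf, "anon_other_write_enable"):
            findings.append("anonymous delete/rename enabled")
    if not is_yes(conf, "chroot_local_user"):
        findings.append("local users not chrooted: they can list / as shown above")
    elif is_yes(conf, "allow_writeable_chroot"):
        # Without this option vsftpd refuses to log a user into a writable
        # chroot root ("500 OOPS: vsftpd: refusing to run with writable root
        # inside chroot()"), which is why the page sets it.
        findings.append("chroot root is writable (allow_writeable_chroot=YES)")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("confined", CONFINED_CONF)):
        print(name, "->", audit(parse_vsftpd_conf(text)))
```

Note that an empty configuration is not a safe one: with nothing set, anonymous_enable defaults to YES and chroot_local_user to NO, so the audit still reports both.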
Modify permissions:
[root@localhost tmp]# chown tom/
Create and delete a directory:
257 "/123" created
ftp> ls
227 Entering Passive Mode (192,168,220,10,113,138).
150 Here comes the directory listing.
drwxr-xr-x 2 1000 1000 6 Oct 30 14:56 123
226 Directory send OK.
ftp> rmdir 123
250 Remove directory operation successful.
Confinement successful: going up with cd .. no longer leaves the user's tree.
ftp> cd ..
250 Directory successfully changed.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,57,89).
150 Here comes the directory listing.
drwxr-xr-x 2 1000 1000 6 Oct 30 14:52 123
Changing the uploaded file owner
This only applies to files uploaded by anonymous users.
Configuration file:
[root@localhost ~]# grep '^chown' /etc/vsftpd/
chown_uploads=YES
chown_username=tom
[root@localhost pub]# ls
aa command ? ?txt
[root@localhost pub]# ll
Total usage 4
drwx------. 2 ftp ftp 6 October 30 14:51 aa
-rw-------. 1 tom ftp 3678 November 7 10:29 Command ????? ?txt
To be able to create a directory under /var/ftp:
[root@localhost var]# chown -R ftp/
Specify which pam configuration file under /etc/ vsftpd uses for user authentication
The name of the vsftpd PAM configuration file under /etc/ must match the value of pam_service_name in the /etc/vsftpd/ configuration file; otherwise you will not be able to log in to ftp.
[root@localhost var]# mv /etc//vsftpd{,-bak}
[root@localhost var]# tail -3 /etc/vsftpd/
pam_service_name=vsftpd-bak
userlist_enable=YES
tcp_wrappers=YES
Prohibit/allow specified users to log in
The root user cannot log in to ftp:
[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): root
530 Permission denied.
Login failed.
Comment out the root user in /etc/vsftpd/ftpusers:
[root@localhost var]# head /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
#root
bin
daemon
adm
lp
sync
shutdown
halt
mail
Configure it in /etc/vsftpd/.
[root@localhost var]# grep '^userlist' /etc/vsftpd/
userlist_enable=YES
userlist_deny=NO
Root can now log in:
[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
userlist_deny=NO: only the users listed in the file are allowed access
userlist_deny=YES: the users listed in the file are not allowed access
[root@localhost var]# cat /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
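The two lists interact in the order the comments above describe: user_list is consulted first and, with userlist_deny=YES, refuses a listed name before any password is requested (the "530 Permission denied" that root got without a password prompt), while ftpusers is enforced by PAM afterwards. The following is an added example, not code from the page: it encodes that decision so you can check what a given name would get under a given configuration. The list contents are constructed after the files shown on this page; that the PAM service applies ftpusers via pam_listfile after the password is asked for is an assumption about the stock service file, which the page does not show.

```python
# Constructed samples in the format of /etc/vsftpd/user_list and
# /etc/vsftpd/ftpusers: one name per line, '#' comments.
USER_LIST = """\
# vsftpd userlist
root
bin
daemon
"""

FTPUSERS_DEFAULT = """\
# Users that are not allowed to login via ftp
root
bin
daemon
"""

FTPUSERS_ROOT_COMMENTED = """\
# Users that are not allowed to login via ftp
#root
bin
daemon
"""


def parse_list_file(text):
    """One username per line; blank lines and '#' comments are ignored."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def login_decision(username, userlist_enable, userlist_deny, user_list_text, ftpusers_text):
    """Return (allowed, reason) for a username, in the order vsftpd checks.

    1. With userlist_enable=YES, user_list is consulted before any password
       is requested: userlist_deny=YES rejects names in the file,
       userlist_deny=NO rejects names that are not in the file.
    2. Names in ftpusers are rejected by PAM (assumed: pam_listfile in the
       stock vsftpd PAM service), after the password has been asked for.
    """
    user_list = parse_list_file(user_list_text)
    ftpusers = parse_list_file(ftpusers_text)
    if userlist_enable:
        listed = username in user_list
        if userlist_deny and listed:
            return False, "user_list (userlist_deny=YES): refused before password prompt"
        if not userlist_deny and not listed:
            return False, "user_list (userlist_deny=NO): not in the allow list"
    if username in ftpusers:
        return False, "ftpusers: refused by PAM after password"
    return True, "allowed"


if __name__ == "__main__":
    # Reproduces the page: root denied by default, allowed after the two edits.
    print(login_decision("root", True, True, USER_LIST, FTPUSERS_DEFAULT))
    print(login_decision("root", True, False, USER_LIST, FTPUSERS_ROOT_COMMENTED))
```

Both edits on the page are needed for root: with userlist_deny=NO alone, root passes the user_list stage but is still refused by ftpusers; with only ftpusers edited, the default userlist_deny=YES still refuses root before the password.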
Enable .message descriptive information in a directory. Suppose there is a directory /upload: create a file named .message under it and write some descriptive text in it. When a user switches to the /upload directory, the contents of the .message file are displayed automatically.
[root@localhost var]# grep 'dirmessage' /etc/vsftpd/
dirmessage_enable=YES
[root@localhost var]# cd /var/ftp/
[root@localhost ftp]# vim .message
[root@localhost ftp]# cat .message
skhgskjgkjgfga
The contents of .message are shown when connecting:
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): ftp
331 Please specify the password.
Password:
230-skhgskjgkjgfga
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Virtual User Configuration
- Install the db utilities
[root@localhost ftp]# yum -y install db4*
- Create a file under /etc/vsftpd
[root@localhost vsftpd]# cat > << EOF
> VN
> qweqqr
> plunk
> qewqqr
> riven
> qewqqr
> EOF
- Convert the text-format username/password file just created into a database file with the db4 utility
-T converts from a text file; -t hash selects the hash algorithm for the database
[root@localhost vsftpd]# db_load -T -t hash -f /etc/vsftpd/ /etc/vsftpd/
- To improve the security of virtual user account files, file permissions should be set to 600 to avoid data leakage
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vu.*
[root@localhost vsftpd]# ll
total usage 36
-rw-------. 1 root root 126 Nov 7 10:59 ftpusers
-rw-------. 1 root root 361 Nov 7 10:59 user_list
-rw-------. 1 root 5207 Nov 7 11:06
-rwxr--r--. 1 root root 338 Oct 31 2018 vsftpd_conf_migrate.sh
-rw-------. 1 root 12288 Nov 7 11:48
-rw-------. 1 root root 36 Nov 7 11:46
- Add a mapping account for the virtual users and create the ftp root directory.
The mapped account is named vftp.
[root@localhost vsftpd]# useradd -d /opt/hzw -s /sbin/nologin vftp
[root@localhost vsftpd]# ll /opt/
Total usage 1048680
-rw-------. 1 root root 1583 October 30 11:46
drwx------. 2 vftp vftp 62 November 7 11:54 hzw
-rw-r--r--. 1 root root 1073741824 October 14 09:37 swap_file
-rw-r--r--. 1 root root 1048576 October 14 15:39 xx
[root@localhost vsftpd]# chmod 755 /opt/hzw/
[root@localhost vsftpd]# ll /opt/
Total usage 1048680
-rw-------. 1 root root 1583 October 30 11:46
drwxr-xr-x. 2 vftp vftp 62 November 7 11:54 hzw
-rw-r--r--. 1 root root 1073741824 October 14 09:37 swap_file
-rw-r--r--. 1 root root 1048576 October 14 15:39 xx
- Establish PAM authentication for virtual users
[root@localhost ]# cp /etc//vsftpd-bak /etc//vsftpd
[root@localhost ]# cat > vsftpd <<EOF
> #%PAM-1.0
> auth required pam_userdb.so db=/etc/vsftpd/vu
> account required pam_userdb.so db=/etc/vsftpd/vu
> EOF
- Modify vsftpd configuration file to add virtual user support
[root@localhost vsftpd]# tail -2
guest_enable=YES
guest_username=vftp
[root@localhost vsftpd]# systemctl restart vsftpd
- Create separate configuration files for different virtual users
Create a configuration directory and write "user_config_dir=/etc/vsftpd/vu_config", "allow_writeable_chroot=YES" to the configuration file.
[root@localhost vsftpd]# mkdir vu_config
[root@localhost vsftpd]# tail -1
user_config_dir=/etc/vsftpd/vu_config
[root@localhost vsftpd]# grep '^allow' /etc/vsftpd/
allow_writeable_chroot=YES
- Create separate profiles for each user
[root@localhost vu_config]# touch VN plunk riven
[root@localhost vu_config]# ls
plunk riven VN
- Grant users read/write permissions individually
- Turn off the anonymous read/write permissions in the main configuration file, leaving only login permission, and configure read/write permissions for each user separately
[root@localhost vu_config]# cat /etc/vsftpd/vu_config/VN
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
- Upload/Download
chown_uploads=YES
chown_username=tom
pam_service_name=()
These need to be configured or turned off for the experiment.
[root@localhost ~]# grep 'anon_umask' /etc/vsftpd/
anon_umask=022
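The virtual-user steps above come down to four artifacts: the alternating username/password text that db_load reads, the PAM service pointing pam_userdb at the database, one file per user in user_config_dir, and the anon_umask that decides the mode of uploaded files (which is also what the 600-versus-644 question at the end of the page turns on). The following is an added example, not code from the page or from vsftpd: it validates the credential text (an odd number of lines would pair a password with the next username), renders the PAM service and a per-user file, and computes the resulting file mode. The credential sample is constructed after the one above; hypothetical_db_path is a placeholder for whatever path the db_load output gets, which this page leaves out.

```python
# Constructed sample in the alternating layout db_load -T expects:
# a username line followed by its password line, as in the section above.
VU_TEXT = """\
VN
qweqqr
plunk
qewqqr
riven
qewqqr
"""

# Shape of the PAM service shown above; pam_userdb takes the path without ".db".
PAM_TEMPLATE = """\
#%PAM-1.0
auth required pam_userdb.so db={db}
account required pam_userdb.so db={db}
"""


def check_credential_lines(text):
    """Return a list of problems with the alternating file (empty when it is fine)."""
    lines = text.splitlines()
    problems = []
    if len(lines) % 2:
        problems.append("odd number of lines: every username needs a password line")
    seen = set()
    for user, password in zip(lines[0::2], lines[1::2]):
        if not user.strip() or not password.strip():
            problems.append("blank username or password line")
        if user in seen:
            problems.append(f"duplicate virtual user {user!r}")
        seen.add(user)
    return problems


def parse_credential_lines(text):
    """Turn the alternating file into (username, password) pairs, or raise."""
    problems = check_credential_lines(text)
    if problems:
        raise ValueError("; ".join(problems))
    lines = text.splitlines()
    return list(zip(lines[0::2], lines[1::2]))


def pam_service_text(db_path_without_suffix):
    """PAM service content for the given database path (hypothetical_db_path is a placeholder)."""
    return PAM_TEMPLATE.format(db=db_path_without_suffix)


def per_user_config(upload=False, mkdir=False, other_write=False):
    """Content of one file under user_config_dir.

    Virtual users are governed by the anon_* options, which is why the VN
    file above uses them; only the permissions asked for are emitted.
    """
    lines = ["anonymous_enable=YES"]
    if upload:
        lines.append("anon_upload_enable=YES")
    if mkdir:
        lines.append("anon_mkdir_write_enable=YES")
    if other_write:
        lines.append("anon_other_write_enable=YES")
    return "\n".join(lines) + "\n"


def mode_after_umask(umask):
    """Mode of a newly uploaded regular file: 0666 masked by anon_umask."""
    return 0o666 & ~umask


def readable_by_other_uid(mode):
    """True if a uid that is neither the owner nor in the group can read the file."""
    return bool(mode & 0o004)


if __name__ == "__main__":
    for user, _ in parse_credential_lines(VU_TEXT):
        print(user, "->", per_user_config(upload=(user == "VN")).split())
    print(pam_service_text("hypothetical_db_path"))
    for umask in (0o022, 0o077):
        mode = mode_after_umask(umask)
        print(f"anon_umask={umask:03o} gives mode {mode:o}, other uid can read: {readable_by_other_uid(mode)}")
```

With anon_umask=022 a fresh upload is 644 and any uid on the box can read it; with 077 it is 600 and only the owning uid can. Whether a download then works depends on which uid the server process has at that moment relative to the file's owner, which is exactly the thing to check when a 600 file refuses to download.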
Upload:
ftp> put
local: remote:
227 Entering Passive Mode (192,168,220,10,228,68).
150 Ok to send data.
226 Transfer complete.
635 bytes sent in 0.000189 secs (3359.79 Kbytes/sec)
Download:
You must first lcd to a local directory you have write permission in, such as /tmp, before the file can be downloaded.
ftp> lcd /tmp/
Local directory now /tmp
ftp> get
local: remote:
227 Entering Passive Mode (192,168,220,10,83,36).
150 Opening BINARY mode data connection for (0 bytes).
226 Transfer complete.
[root@localhost tmp]# ls
(The owner is vftp, so why can a file with mode 600 not be downloaded while one with mode 644 can?)