web123456

Linux ftp service

Article Catalog

    • ftp data connection mode
    • ftp service installation
    • system user
    • anonymous login
      • Banning users from their home directories
      • Changing the uploaded file owner
    • Specify which pam configuration file under /etc/ vsftpd uses for user authentication
    • Prohibit/allow specified users to log in
    • Enable .message descriptive information in a directory
    • Virtual User Configuration

ftp data connection mode

FTP uses 2 kinds of connection: a command connection and a data connection.

Command connection: carries the file management commands; it is a persistent connection that stays open until the user logs out.
Data connection: carries the actual file transfers; it is created on demand and closed when the transfer finishes.
For data connections there are 2 points to focus on: the data transfer format and the data transfer mode.

There are two data transfer formats:

  • text (ASCII) transfer
  • binary transfer

There are also 2 data transfer modes:

  • Active mode: the data connection is created by the server
  • Passive mode: the data connection is created by the client

How each mode establishes its connections:

  • Active mode
    Command connection: Client(1025) --> Server(21)
    The client connects from a random port (greater than 1023) to the server's port 21.
    Data connection: Server(20/tcp) --> Client(1025+1)
    The server connects from its own port 20 to the client's command-connection port + 1.
  • Passive mode
    Command connection: Client(1110) --> Server(21)
    The client connects from a random port to the server's port 21.
    Data connection: Client(1110+1) --> Server(random port)
    The server opens a random port and tells the client its number over the command connection; the client then connects from its command-connection port + 1 to that port.
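The passive-mode port that the server announces is encoded in the 227 reply seen throughout this page (for example `227 Entering Passive Mode (192,168,220,10,245,93)`). The following is an added Python example, not code from the original post: it decodes such replies into the host and port the client will connect to, builds the equivalent active-mode PORT command, and checks the announced port against the firewall range a defender would pin down with vsftpd's pasv_min_port/pasv_max_port directives (the range values below are assumptions).

```python
import re

# Reply captured from this page's session (the "ls" after the jerry login).
PASV_REPLY = "227 Entering Passive Mode (192,168,220,10,245,93)."

# Assumed firewall/pasv_min_port..pasv_max_port range for the checks below.
PASV_RANGE = (60000, 65000)

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); port = p1 * 256 + p2."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet or port byte out of range in %r" % reply)
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return host, port


def build_port_command(host, port):
    """Encode the PORT command a client sends in active mode (same h1..h4,p1,p2 layout)."""
    if not 1024 <= port <= 65535:
        raise ValueError("client data port must be an unprivileged port")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("invalid IPv4 address %r" % host)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def pasv_port_in_range(reply, port_range=PASV_RANGE):
    """True if the announced passive port lies inside the configured range."""
    _, port = parse_pasv(reply)
    low, high = port_range
    return low <= port <= high
```

With the page's reply, 245*256 + 93 gives data port 62813, which is what a firewall rule for the passive range must admit.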

ftp service installation

[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# ss -antl
State       Recv-Q Send-Q                     Local Address:Port                                    Peer Address:Port              
LISTEN      0      128                                    *:22                                                 *:*                  
LISTEN      0      100                            127.0.0.1:25                                                 *:*                  
LISTEN      0      32                                    :::21                                                :::*                  
LISTEN      0      128                                   :::22                                                :::*                  
LISTEN      0      100                                  ::1:25                                                :::*                  

system user

[root@localhost ~]# useradd jerry
[root@localhost ~]# echo '123456' |passwd --stdin tom
Change the password for the user tom.
passwd: All authentication tokens have been successfully updated.

Login Successful

[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Create directory 123 in jerry's home directory on the server

ftp> ls
227 Entering Passive Mode (192,168,220,10,245,93).
150 Here comes the directory listing.
drwxr-xr-x    2 1002     1002            6 Nov 05 03:45 abc
226 Directory send OK.
ftp> mkdir 123
257 "/home/jerry/123" created

Verify on the server

[root@localhost ~]# cd /home/jerry/
[root@localhost jerry]# ls
123  abc

anonymous login

  • anonymous_enable=YES Enable anonymous user login
  • anon_upload_enable=YES Allow anonymous users to upload files
  • anon_mkdir_write_enable=YES Allow anonymous users to create directories, but not to delete them
  • anon_other_write_enable=YES Allow anonymous users other write operations, such as deleting and renaming

[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,220,10,101,15).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
226 Directory send OK.

Create a directory

[root@localhost ftp]# chown -R pub/
[root@localhost ftp]# ls
pub
[root@localhost ftp]# ll
total 0
drwxr-xr-x. 2 ftp ftp 6 Oct 31 2018 pub
ftp> pwd
257 "/pub"
ftp> mkdir abc
257 "/pub/abc" created

Delete a directory

Banning users from their home directories

Without chroot confinement, the user can leave the home directory and list the whole filesystem:

ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,61,156).
150 Here comes the directory listing.
drwx------    2 1000     1000           62 Oct 30 04:45 tom
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,163,74).
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Oct 10 14:44 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Oct 14 06:39 boot
drwxr-xr-x    3 0        0            1024 Oct 14 07:38 data
drwxr-xr-x   20 0        0            3340 Oct 14 07:39 dev
drwxr-xr-x   77 0        0            8192 Oct 30 04:43 etc
drwxr-xr-x    3 0        0              17 Oct 30 04:42 home
lrwxrwxrwx    1 0        0               7 Oct 10 14:44 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 Oct 10 14:44 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 10  2016 media
drwxr-xr-x    2 0        0               6 Mar 10  2016 mnt
drwxr-xr-x    2 0        0              56 Oct 30 03:46 opt
dr-xr-xr-x  192 0        0               0 Oct 14 06:37 proc
dr-xr-x---    3 0        0             139 Oct 30 14:57 root
drwxr-xr-x   27 0        0             780 Oct 30 03:53 run
lrwxrwxrwx    1 0        0               8 Oct 10 14:44 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 10  2016 srv
dr-xr-xr-x   13 0        0               0 Oct 14 06:37 sys
drwxrwxrwt   14 0        0            4096 Oct 30 14:52 tmp
drwxr-xr-x   13 0        0             155 Oct 10 14:44 usr
drwxr-xr-x   20 0        0             278 Oct 30 03:53 var
226 Directory send OK.

configuration file

local_root=/tmp/tom
chroot_local_user=YES
allow_writeable_chroot=YES

Modify permissions

[root@localhost tmp]# chown  tom/

Create and delete a directory

257 "/123" created
ftp> ls
227 Entering Passive Mode (192,168,220,10,113,138).
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000            6 Oct 30 14:56 123
226 Directory send OK.
ftp> rmdir 123
250 Remove directory operation successful.

Confinement successful: cd .. no longer leaves the local_root directory, and ls still shows only its contents.

ftp> cd ..
250 Directory successfully changed.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,220,10,57,89).
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000            6 Oct 30 14:52 123

Changing the uploaded file owner

chown_uploads only changes the owner of files uploaded by anonymous users.

configuration file

[root@localhost ~]# grep  '^chown' /etc/vsftpd/ 
chown_uploads=YES
chown_username=tom


[root@localhost pub]# ls
aa command ? ?txt
[root@localhost pub]# ll
total 4
drwx------. 2 ftp ftp 6 Oct 30 14:51 aa
-rw-------. 1 tom ftp 3678 Nov 7 10:29 Command ????? ?txt

To create directories under /var/ftp, change the owner of the directory first:

[root@localhost var]# chown -R  ftp/

Specify which pam configuration file under /etc/ vsftpd uses for user authentication

The name of the PAM service file for vsftpd under /etc/ must match the value of pam_service_name in the vsftpd configuration file under /etc/vsftpd/; otherwise FTP logins fail.

[root@localhost var]# mv /etc//vsftpd{,-bak}
[root@localhost var]# tail -3 /etc/vsftpd/ 
pam_service_name=vsftpd-bak
userlist_enable=YES
tcp_wrappers=YES

Prohibit/allow specified users to log in

By default the root user cannot log in to ftp:

[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): root
530 Permission denied.
Login failed.

Comment out the root user in /etc/vsftpd/ftpusers

[root@localhost var]# head /etc/vsftpd/ftpusers 
# Users that are not allowed to login via ftp
#root
bin
daemon
adm
lp
sync
shutdown
halt
mail

Configure the user list settings in the vsftpd configuration file under /etc/vsftpd/.

[root@localhost var]# grep '^userlist'  /etc/vsftpd/ 
userlist_enable=YES
userlist_deny=NO

Root can now log in

[root@localhost ~]# ftp 192.168.220.10
Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

userlist_deny=NO Only the users listed in user_list are allowed access
userlist_deny=YES The users listed in user_list are denied access (the default)

[root@localhost var]# cat /etc/vsftpd/user_list 
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
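The two deny layers described above (ftpusers, checked by the default PAM configuration, and user_list, governed by userlist_enable/userlist_deny) can be modelled directly. This is an added Python example, not part of the original post; the file contents and configuration values are constructed samples that mirror this page's setup.

```python
# Constructed samples: ftpusers with root commented out (as on this page),
# a user_list that names root, and the two userlist_deny settings discussed.
FTPUSERS_ROOT_COMMENTED = "# Users that are not allowed to login via ftp\n#root\nbin\ndaemon\n"
FTPUSERS_DEFAULT = "# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\n"
USER_LIST = "# vsftpd userlist\nroot\nbin\n"
CONF_ALLOW_LISTED = "userlist_enable=YES\nuserlist_deny=NO\n"
CONF_DENY_LISTED = "userlist_enable=YES\nuserlist_deny=YES\n"


def parse_list(text):
    """Usernames from a vsftpd list file; blank lines and # comments are ignored."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line)
    return users


def parse_conf(text):
    """Minimal key=value parser for vsftpd-style configuration lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def login_allowed(user, conf_text, ftpusers_text, user_list_text):
    """Return (allowed, reason) before the password check.

    ftpusers always denies (pam_listfile in the default PAM config);
    user_list is consulted only when userlist_enable=YES, and its meaning
    flips with userlist_deny (YES = blacklist, NO = whitelist)."""
    conf = parse_conf(conf_text)
    if user in parse_list(ftpusers_text):
        return False, "denied by ftpusers (PAM)"
    if conf.get("userlist_enable", "NO").upper() == "YES":
        listed = user in parse_list(user_list_text)
        deny_mode = conf.get("userlist_deny", "YES").upper() == "YES"
        if deny_mode and listed:
            return False, "denied by user_list (userlist_deny=YES)"
        if not deny_mode and not listed:
            return False, "not in user_list (userlist_deny=NO)"
    return True, "allowed; password is checked next"
```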

Enable .message descriptive information in a directory

Suppose there is a directory /upload. Create a file named .message under it and write some descriptive text in it; when a user changes into /upload, the contents of .message are displayed automatically.

[root@localhost var]# grep 'dirmessage' /etc/vsftpd/ 
dirmessage_enable=YES
[root@localhost var]# cd /var/ftp/
[root@localhost ftp]# vim .message
[root@localhost ftp]# cat .message 
skhgskjgkjgfga

The text from .message is shown when connecting

Connected to 192.168.220.10 (192.168.220.10).
220 (vsFTPd 3.0.2)
Name (192.168.220.10:root): ftp
331 Please specify the password.
Password:
230-skhgskjgkjgfga
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Virtual User Configuration

  • Installing the db command
[root@localhost ftp]# yum -y install db4*
  • Create a text file under /etc/vsftpd (odd lines are usernames, even lines are the matching passwords)
[root@localhost vsftpd]# cat >  << EOF
> VN
> qweqqr
> plunk
> qewqqr
> riven
> qewqqr
> EOF
  • Convert the text-formatted username and password file just created into a database file with the db4 utility
    -T converts from text input; -t hash selects the hash database type
[root@localhost vsftpd]# db_load -T -t hash -f /etc/vsftpd/ /etc/vsftpd/
  • To improve the security of virtual user account files, file permissions should be set to 600 to avoid data leakage
[root@localhost vsftpd]# chmod 600 /etc/vsftpd/vu.*
[root@localhost vsftpd]# ll
total 36
-rw-------. 1 root root 126 Nov 7 10:59 ftpusers
-rw-------. 1 root root 361 Nov 7 10:59 user_list
-rw-------. 1 root 5207 Nov 7 11:06
-rwxr--r--. 1 root root 338 Oct 31 2018 vsftpd_conf_migrate.sh
-rw-------. 1 root 12288 Nov 7 11:48
-rw-------. 1 root root 36 Nov 7 11:46
  • Add mapping accounts for virtual users, create ftp root directory.
    The name of the mapped account is vftp
[root@localhost vsftpd]# useradd -d /opt/hzw -s /sbin/nologin vftp
[root@localhost vsftpd]# ll /opt/
total 1048680
-rw-------. 1 root root 1583 Oct 30 11:46
drwx------. 2 vftp vftp 62 Nov 7 11:54 hzw
-rw-r--r--. 1 root root 1073741824 Oct 14 09:37 swap_file
-rw-r--r--. 1 root root 1048576 Oct 14 15:39 xx
[root@localhost vsftpd]# chmod 755 /opt/hzw/
[root@localhost vsftpd]# ll /opt/
total 1048680
-rw-------. 1 root root 1583 Oct 30 11:46
drwxr-xr-x. 2 vftp vftp 62 Nov 7 11:54 hzw
-rw-r--r--. 1 root root 1073741824 Oct 14 09:37 swap_file
-rw-r--r--. 1 root root 1048576 Oct 14 15:39 xx
  • Establish PAM authentication for virtual users
[root@localhost ]# cp /etc//vsftpd-bak /etc//vsftpd
[root@localhost ]# cat > vsftpd <<EOF
> #%PAM-1.0
> auth required pam_userdb.so db=/etc/vsftpd/vu
> account required pam_userdb.so db=/etc/vsftpd/vu
> EOF
  • Modify vsftpd configuration file to add virtual user support
[root@localhost vsftpd]# tail -2  
guest_enable=YES
guest_username=vftp
[root@localhost vsftpd]# systemctl restart vsftpd
  • Create separate configuration files for different virtual users
    Create a configuration directory and add "user_config_dir=/etc/vsftpd/vu_config" and "allow_writeable_chroot=YES" to the main configuration file.
[root@localhost vsftpd]# mkdir vu_config
[root@localhost vsftpd]# tail -1  
user_config_dir=/etc/vsftpd/vu_config
[root@localhost vsftpd]# grep '^allow' /etc/vsftpd/ 
allow_writeable_chroot=YES
  • Create a separate configuration file for each user (the file name must match the virtual user name)
[root@localhost vu_config]# touch VN plunk riven
[root@localhost vu_config]# ls
plunk  riven  VN
  • Grant individual users read/write access
  • Turn off the anonymous read/write permissions in the main configuration file, leaving only login, and configure read/write permissions per user; virtual users are treated like anonymous users, so the anon_* directives apply to them
[root@localhost vu_config]# cat /etc/vsftpd/vu_config/VN 
anonymous_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
  • Upload/Download
    For the upload/download test, the following settings in the main configuration file need to be adjusted or turned off:
    chown_uploads=YES
    chown_username=tom
    pam_service_name=()
[root@localhost ~]# grep 'anon_umask' /etc/vsftpd/ 
anon_umask=022

upload

ftp> put  
local:  remote: 
227 Entering Passive Mode (192,168,220,10,228,68).
150 Ok to send data.
226 Transfer complete.
635 bytes sent in 0.000189 secs (3359.79 Kbytes/sec)

download
Before downloading, use lcd to switch to a local directory the client can write to, such as /tmp.

ftp> lcd /tmp/
Local directory now /tmp
ftp> get 
local:  remote: 
227 Entering Passive Mode (192,168,220,10,83,36).
150 Opening BINARY mode data connection for  (0 bytes).
226 Transfer complete.
[root@localhost tmp]# ls


(Open question: the file is owned by vftp, so why can it be downloaded with mode 644 but not with mode 600?)