Contents
I. FTP protocol
  Introduction to the protocol
  File transfer process
II. Configuring the FTP protocol on a Linux system for file transfer
  Example 1: Anonymous user
  Example 2: Local user access
  Extension: further configuration changes
I. FTP protocol
Introduction to the protocol
Like most Internet services, FTP uses a client/server architecture. A user connects to an FTP server program on a remote host through a client program that speaks the FTP protocol. The user issues commands through the client; the server executes them and returns the results. For example, if the user asks the server to send a copy of a particular file, the server responds by delivering that file to the user's machine, where the client stores it in the user's directory. Note that plain FTP carries commands, replies and file data, including the user name and password, in cleartext, so anyone on the network path can read or alter them.
File transfer process
By default an FTP server uses two TCP ports to talk to clients:
- Port 21 carries the control connection: the client connects to it, sends FTP commands (USER, PASS, LIST, RETR, STOR and so on) and receives numeric replies.
- Port 20 is the server's source port for the data connection in active mode. File contents and directory listings travel over the data connection, never over the control connection. In passive mode the data connection uses a separate, server-chosen port instead of port 20 (see below).
Two modes of FTP file transfer
Active mode
- The client first establishes the TCP control connection to server port 21.
- The client sends the PORT command over the control connection, telling the server which client address and port to connect to.
- The server actively opens the data connection from its port 20 to that client port and sends the data.
Because the server initiates the data connection, active mode fails when the client sits behind NAT or a firewall that blocks inbound connections; this is why most clients default to passive mode.
Passive mode
- The client first establishes the TCP control connection to server port 21.
- The client sends the PASV command over the control connection.
- The server opens a listening port and announces its address and port in the 227 reply; the client connects to that port and the server transfers the data through it.
In passive mode the server side must allow inbound connections to those data ports. vsftpd lets you pin the range with pasv_min_port and pasv_max_port, so the firewall rule can be limited to port 21 plus that range rather than all high ports.
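The exchange in both modes, as an added example that is not part of the original page: the client-side parsing of the 227 reply and the server-side parsing of the PORT command, each with the sanity check that side should make. The client confirms that the PASV address is the server it is already talking to on port 21; the server confirms that the PORT target is the client itself, which is what vsftpd does unless port_promiscuous=YES is set. All addresses, ports and the transcript are constructed for the example.

```python
from __future__ import annotations

import re

# Address tuple as it appears in '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: turn the server's 227 reply into (host, port).
    The port is encoded as two bytes: port = p1 * 256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV (227) reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("address component out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_address_is_trusted(reply: str, control_peer_ip: str) -> bool:
    """Client-side check: the host in the 227 reply should be the server we
    already talk to on port 21. Anything else is a NAT problem at best, or a
    server steering our data connection to a third host."""
    host, _port = parse_pasv_reply(reply)
    return host == control_peer_ip


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client listens on client_port and advertises it with
    PORT; the server then connects out from its port 20 to that address."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {client_ip!r}")
    if not 0 < client_port <= 65535:
        raise ValueError(f"bad port: {client_port}")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def port_target_is_client(port_command: str, control_peer_ip: str) -> bool:
    """Server-side check: refuse PORT targets that are not the control peer,
    otherwise a client can make the server open a data connection to any host
    it names (the classic FTP bounce)."""
    m = PORT_RE.fullmatch(port_command.strip())
    if m is None:
        raise ValueError(f"malformed PORT command: {port_command!r}")
    return ".".join(m.groups()[:4]) == control_peer_ip


def data_connection(mode: str, server_ip: str, client_ip: str,
                    data_port: int = 50000) -> list[tuple[str, str]]:
    """Constructed control-channel transcript showing which side opens the
    data connection. Reply texts are the ones vsftpd sends."""
    if mode == "active":
        return [
            ("client", build_port_command(client_ip, data_port)),
            ("server", "200 PORT command successful. Consider using PASV."),
            ("server", f"opens TCP {server_ip}:20 -> {client_ip}:{data_port}"),
        ]
    if mode == "passive":
        reply = (f"227 Entering Passive Mode ({server_ip.replace('.', ',')},"
                 f"{data_port // 256},{data_port % 256})")
        return [
            ("client", "PASV"),
            ("server", reply),
            ("client", f"opens TCP {client_ip}:<ephemeral> -> {server_ip}:{data_port}"),
        ]
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    for mode in ("active", "passive"):
        for side, msg in data_connection(mode, "192.168.1.10", "10.0.0.5"):
            print(f"{mode:8} {side:7} {msg}")
```

The two checks are independent of each other: a client that validates the 227 address protects itself, while a server that validates PORT protects third parties from being used as the target of its outbound data connections.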
II. Configuring the FTP protocol on a Linux system for file transfer
Example 1: Anonymous user
1. First install the FTP server software (vsftpd) on the Linux system, then locate the configuration file and back it up.
// Install vsftpd
[root@localhost ~]#yum install -y vsftpd

// Back up the configuration file
[root@localhost ~]#cd /etc/vsftpd
[root@localhost vsftpd]#ls
ftpusers user_list vsftpd_conf_migrate.sh
[root@localhost vsftpd]#cp
2. Modify the configuration file so that anonymous users can access the FTP service with the widest possible permissions (a lab setup; see the caveat below).
Key fields explained

Directive | Meaning
---|---
anonymous_enable=YES | Enable anonymous user access (enabled by default)
write_enable=YES | Enable FTP write commands globally (required for any upload; enabled in the shipped configuration file)
anon_umask=022 | umask applied to files uploaded by anonymous users (022 gives mode 644, i.e. readable by everyone)
anon_upload_enable=YES | Allow anonymous users to upload files (commented out by default, needs to be uncommented)
anon_mkdir_write_enable=YES | Allow anonymous users to create directories (commented out by default, needs to be uncommented)
anon_other_write_enable=YES | Allow anonymous users to delete, rename and overwrite files (not present by default, needs to be added)

Caveat: with these settings anyone who can reach port 21 can upload, overwrite and delete files without any credentials. That is fine on an isolated lab network, but on anything reachable from elsewhere an anonymous-writable FTP share quickly becomes a drop point for unwanted content. For a real deployment leave anon_other_write_enable unset and, if anonymous uploads are needed at all, confine them to one dedicated directory.
// Modify the configuration file; only the key fields are shown here, prefixed with their line numbers in the file
[root@localhost vsftpd]#vim /etc/vsftpd/

12 anonymous_enable=YES -- enable anonymous user access (enabled by default)
13 #
14 # Uncomment this to allow local users to log in.
15 # When SELinux is enforcing check for SE bool ftp_home_dir
16 local_enable=YES
17 #
18 # Uncomment this to enable any form of FTP write command.
19 write_enable=YES -- enable FTP write commands (required for uploads; enabled in the shipped file)
20 #
21 # Default umask for local users is 077. You may wish to change this to 022,
22 # if your users expect that (022 is used by most other ftpd's)
23 local_umask=022
24 anon_umask=022 -- umask applied to files uploaded by anonymous users
25 #
26 # Uncomment this to allow the anonymous FTP user to upload files. This only
27 # has an effect if the above global write enable is activated. Also, you will
28 # obviously need to create a directory writable by the FTP user.
29 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
30 anon_upload_enable=YES -- allow anonymous users to upload files (commented out by default; uncomment it)
31 #
32 # Uncomment this if you want the anonymous FTP user to be able to create
33 # new directories.
34 anon_mkdir_write_enable=YES -- allow anonymous users to create directories (commented out by default; uncomment it)
35 anon_other_write_enable=YES -- allow delete, rename and overwrite (not present by default; add it)
3. Grant the anonymous directory wide permissions, turn off the firewall and SELinux, start the service and check that it is listening.
The default directory that anonymous users see on the FTP server is /var/ftp. It ships with a pub subdirectory that can be used for transfers (you can also create your own), and the directory must be writable before uploads will work.
Note that chmod 777 makes pub writable by every account on the host, not only by the ftp user that vsftpd uses for anonymous sessions; chown ftp pub with mode 755 is enough for uploads. Keep /var/ftp itself non-writable, because vsftpd refuses to serve an anonymous root that the ftp user can write to. Likewise, setenforce 0 and stopping firewalld are lab shortcuts: the configuration file's own comments name the SELinux booleans to set instead (ftp_home_dir, allow_ftpd_anon_write and allow_ftpd_full_access; called ftpd_anon_write and ftpd_full_access on newer releases), and firewall-cmd --permanent --add-service=ftp opens only port 21 together with the FTP connection-tracking helper, so the firewall can stay on.
[root@localhost vsftpd]#cd /var/ftp/
[root@localhost ftp]#ls
pub
[root@localhost ftp]#chmod 777 pub
[root@localhost ftp]#systemctl stop firewalld
[root@localhost ftp]#setenforce 0

[root@localhost ftp]#systemctl start vsftpd

[root@localhost ftp]#ss -nltp |grep ftp
LISTEN 0 32 [::]:21 [::]:* users:(("vsftpd",pid=59399,fd=4))
4. Create a test file on the FTP server and on the Windows client.
Linux FTP server: change into the pub directory and create a file named ftptest
[root@localhost ~]#cd /var/ftp/pub/
[root@localhost pub]#touch ftptest
Windows client: create a Test folder on the desktop and a hello file inside it
5. From the Windows client, connect to the FTP server configured above and transfer files in both directions.
After typing get ftptest, the server's ftptest file is downloaded into the client folder.
After typing put hello, the client's hello file is uploaded into the server's pub directory.
Example 2: Local user access
Set local users to authenticate to FTP and forbid them from changing to directories outside their own (the default root directory after a local-user login is that user's home directory).
1. Installation and the other preparatory steps are the same as in Example 1.
2. Modify the configuration file
Key fields explained

Directive | Meaning
---|---
local_enable=YES | Enable logins by local (system) users (enabled in the shipped configuration file)
anonymous_enable=NO | Disable anonymous access (must be changed)
write_enable=YES | Enable FTP write commands globally (required for any upload; enabled in the shipped configuration file)
local_umask=077 | umask for files uploaded by local users; 077 gives mode 600, so only the uploading user can read or write them (change it from the shipped 022)
chroot_local_user=YES | Confine (chroot) each local user to their home directory so they cannot change to other directories (needs to be added)
allow_writeable_chroot=YES | Permit the root of the chroot (the home directory) to be writable; without it vsftpd refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" (needs to be added)

Caveat: vsftpd rejects a writable jail root on purpose, because a user who can write to the root of their own chroot weakens the jail. The safer layout keeps the home directory owned by root and non-writable and gives the user a writable subdirectory for uploads, so allow_writeable_chroot is not needed at all.
// Modify the configuration file; only the key fields are shown here, prefixed with their line numbers in the file
[root@localhost ~]#vim /etc/vsftpd/

12 anonymous_enable=NO -- disable anonymous user access
13 #
14 # Uncomment this to allow local users to log in.
15 # When SELinux is enforcing check for SE bool ftp_home_dir
16 local_enable=YES -- enable local users
17 #
18 # Uncomment this to enable any form of FTP write command.
19 write_enable=YES -- enable FTP write commands (required for uploads; enabled in the shipped file)
20 chroot_local_user=YES -- confine local users to their home directory so they cannot change to other directories (add it)
21 allow_writeable_chroot=YES -- allow the chrooted home directory to be writable (add it)
22 #
23 # Default umask for local users is 077. You may wish to change this to 022,
24 # if your users expect that (022 is used by most other ftpd's)
25 local_umask=077 -- umask for uploads by local users; 077 leaves the files readable only by their owner (change it)
3. Restart the service so that the modified configuration takes effect. The firewall and SELinux were already turned off in Example 1 (see the caveat there).
[root@localhost ~]#systemctl restart vsftpd
4. Create a local user zhangsan and put a file in its home directory to test client access as that user.
[root@localhost ~]#useradd zhangsan
[root@localhost ~]#passwd zhangsan
Changing password for user zhangsan.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#cd /home/zhangsan
[root@localhost zhangsan]#touch localtest
[root@localhost zhangsan]#ls
localtest
Client-side file transfer as the local user
After logging in as zhangsan and typing get localtest, the localtest file from zhangsan's home directory is downloaded into the client folder.
After typing put hello, the file is uploaded into zhangsan's home directory on the server.
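The two configurations above, checked by a small audit script. This is an added example, not code from the original page or from the vsftpd project: it parses a vsftpd.conf text the way vsftpd reads it (one name=value per line, # for comments, no spaces around the =), applies the compiled-in defaults from vsftpd.conf(5) for anything not set, and reports the risky combinations that Example 1 (anonymous write) and Example 2 (writable chroot root) switch on. The three configuration texts are constructed copies of the settings shown on this page plus a safer variant of Example 2.

```python
from __future__ import annotations

# Compiled-in defaults for the directives checked here (vsftpd.conf(5)). The
# configuration file shipped with the package overrides several of them, e.g.
# write_enable=YES and local_umask=022.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "anon_umask": "077",
    "local_umask": "077",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """One 'name=value' per line; '#' starts a comment. vsftpd itself aborts on
    an unknown name, so a typo such as anon_umansk stops the daemon rather than
    silently leaving the default in place."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split("=", 1)
        conf[name] = value
    return conf


def enabled(conf: dict[str, str], name: str) -> bool:
    # vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively.
    return conf.get(name, "NO").upper() in ("YES", "TRUE", "1")


def others_can_read(umask: str) -> bool:
    # A umask that keeps the other-read bit (022) yields mode 644 uploads.
    return int(umask, 8) & 0o004 == 0


def audit(text: str) -> list[str]:
    """Return short finding codes for a vsftpd.conf text (empty list = clean)."""
    c = parse_vsftpd_conf(text)
    findings: list[str] = []
    anon_writes = enabled(c, "anonymous_enable") and enabled(c, "write_enable")
    if anon_writes and enabled(c, "anon_upload_enable"):
        findings.append("anon-upload")
        if others_can_read(c["anon_umask"]):
            findings.append("anon-uploads-world-readable")
    if anon_writes and enabled(c, "anon_mkdir_write_enable"):
        findings.append("anon-mkdir")
    if anon_writes and enabled(c, "anon_other_write_enable"):
        findings.append("anon-delete-rename-overwrite")
    local = enabled(c, "local_enable")
    if local and enabled(c, "write_enable") and others_can_read(c["local_umask"]):
        findings.append("local-uploads-world-readable")
    if local and not enabled(c, "chroot_local_user"):
        findings.append("local-users-not-chrooted")
    if local and enabled(c, "chroot_local_user") and enabled(c, "allow_writeable_chroot"):
        findings.append("writable-chroot-root")
    return findings


# Constructed configuration texts mirroring the two examples on this page.
EXAMPLE1 = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""

EXAMPLE2 = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
local_umask=077
"""

# Safer variant of Example 2: the user stays jailed in a root-owned, non-writable
# home directory and uploads into a writable subdirectory, so the writable-root
# exception is not needed. The directory ownership lives outside the config file.
EXAMPLE2_SAFER = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_umask=077
"""

if __name__ == "__main__":
    for label, text in (("example1", EXAMPLE1), ("example2", EXAMPLE2), ("safer", EXAMPLE2_SAFER)):
        print(label, audit(text) or "clean")
```

An empty file audits clean because the compiled-in defaults give a read-only anonymous server with no local logins; every finding above is the result of a directive the examples add.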
Extension: further configuration changes
Change the default root directory for anonymous and local-user logins:
anon_root=/var/... /... sets the root directory for anonymous users
local_root=/var/... /... sets the root directory for local (system) users
Restrict which users may log in with the user_list file: vim /etc/vsftpd/user_list and add the user name (e.g. zhangsan). Then:
userlist_enable=YES turns the list on.
userlist_deny=YES (the default) makes it a blacklist: users listed in user_list are refused.
userlist_deny=NO makes it a whitelist: only users listed in user_list may log in.
The user_list check is applied to the USER command, before the client is asked for a password, so a blocked user never sends credentials over the cleartext connection. Note that the shipped user_list already contains system accounts such as root, bin and daemon: switching to whitelist mode therefore requires adding every legitimate user, and the accounts in /etc/vsftpd/ftpusers remain refused by PAM regardless of what user_list says.
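The login decision modelled end to end, as an added example that is not part of the original page. It combines the user_list gate in both modes with the anonymous_enable and local_enable switches and the PAM deny list. Two assumptions: as on RHEL/CentOS, /etc/pam.d/vsftpd consults /etc/vsftpd/ftpusers through pam_listfile with sense=deny, so names in that file are refused at the password step even when user_list lets them through; and, as vsftpd does, the user_list lookup uses the name the client sent, so anonymous logins are matched under anonymous or ftp. The list contents are a constructed copy of the shipped files.

```python
from __future__ import annotations

# Shipped contents of user_list and ftpusers on CentOS (constructed copy).
DEFAULT_LIST = """\
# vsftpd userlist
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
"""


def parse_names(text: str) -> set[str]:
    """One user name per line; blank lines and '#' comments are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def parse_bool(value: str) -> bool:
    return value.strip().upper() in ("YES", "TRUE", "1")


def login_outcome(username: str, conf: dict[str, str],
                  user_list: str = DEFAULT_LIST,
                  ftpusers: str = DEFAULT_LIST) -> str:
    """Explain why a USER/PASS attempt is accepted or refused.

    conf holds vsftpd directives; missing keys take the compiled-in defaults
    (anonymous_enable=YES, local_enable=NO, userlist_enable=NO,
    userlist_deny=YES). The first three checks happen while handling USER;
    the ftpusers check is the PAM deny list (assumption, see lead-in) at PASS.
    """
    is_anon = username.lower() in ("anonymous", "ftp")

    # 1. Local logins switched off entirely.
    if not is_anon and not parse_bool(conf.get("local_enable", "NO")):
        return "refused-local-disabled"

    # 2. user_list, matched against the name as sent, before any password.
    if parse_bool(conf.get("userlist_enable", "NO")):
        listed = username in parse_names(user_list)
        deny_mode = parse_bool(conf.get("userlist_deny", "YES"))
        if (listed and deny_mode) or (not listed and not deny_mode):
            return "refused-by-user_list"

    # 3. Anonymous logins switched off.
    if is_anon and not parse_bool(conf.get("anonymous_enable", "YES")):
        return "refused-anonymous-disabled"

    # 4. PAM deny list for local accounts (root, bin, ... by default).
    if not is_anon and username in parse_names(ftpusers):
        return "refused-by-ftpusers"

    return "accepted-anonymous" if is_anon else "accepted-local"


# Example 2 with zhangsan added to user_list, in whitelist and blacklist mode.
USER_LIST_WITH_ZHANGSAN = DEFAULT_LIST + "zhangsan\n"
WHITELIST = {"anonymous_enable": "NO", "local_enable": "YES",
             "userlist_enable": "YES", "userlist_deny": "NO"}
BLACKLIST = {"anonymous_enable": "NO", "local_enable": "YES",
             "userlist_enable": "YES", "userlist_deny": "YES"}

if __name__ == "__main__":
    for mode, conf in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for user in ("zhangsan", "lisi", "root", "anonymous"):
            print(f"{mode:9} {user:10} {login_outcome(user, conf, USER_LIST_WITH_ZHANGSAN)}")
```

The gotcha the whitelist run exposes: root is already in the shipped user_list, so flipping userlist_deny=NO lets root past the user_list gate, and only the separate ftpusers deny list keeps it out; meanwhile any account you forgot to add, anonymous included, is refused before it can even send a password.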