[Galaxy Kirin V10] [server] FTP introduction and common scenario construction
2022-07-04 10:35:00 【GUI Anjun @kylinos】
I. FTP overview
1. The FTP protocol
FTP is the file transfer protocol of the Internet. It follows the client/server model and by default uses two TCP ports: port 21 (the command, or control, port) accepts the FTP commands and parameters sent by the client, and port 20 (the data port) carries file contents and directory listings.
2. Working modes
The control connection to port 21 is always opened by the client; the two working modes differ in who opens the data connection:
Active mode: the server initiates the data connection, from its port 20 back to the address and port the client announced with the PORT command. This fails when the client sits behind NAT or a stateful firewall that does not track FTP.
Passive mode: the client initiates the data connection, to a port the server announces in its reply to PASV. vsftpd enables this by default (pasv_enable=YES) and most clients use it by default, which is why it is usually the mode that works.
3. The three usage modes of vsftpd
(1) Anonymous mode
a. Parameters related to anonymous mode
Parameter | Effect |
anonymous_enable=YES | Allow anonymous access |
anon_umask=022 | umask applied to files uploaded by anonymous users |
anon_upload_enable=YES | Allow anonymous users to upload files |
anon_mkdir_write_enable=YES | Allow anonymous users to create directories |
anon_other_write_enable=YES | Allow anonymous users to rename and delete files and directories |
no_anon_password=YES | Do not prompt anonymous users for a password; they log in directly |
anon_root=/var/ftp/pub | Root directory after an anonymous login |
ftp_username=ftp | System account that anonymous sessions run as; the default is ftp and it is best left unchanged |
listen_port=8021 | Command (control) port; the default is 21 |
listen_data_port=8020 | Local port used for active-mode data connections; the default is 20 |
[Note] In anonymous mode the user name is anonymous and the password is empty (any string is accepted). After login the session lands in /var/ftp, which is owned by root, so the connected user cannot write there. Do not make /var/ftp itself writable: vsftpd refuses a login whose chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Grant write access on a subdirectory instead, for example by making /var/ftp/pub owned by the ftp user, and keep /var/ftp at mode 755.
(2) Local user mode
Parameter | Effect |
anonymous_enable=NO | Disable anonymous access |
local_enable=YES | Allow local (system) users to log in |
write_enable=YES | Master switch for every command that writes to the file system |
local_umask=022 | umask applied to files created by local users |
userlist_enable=YES | Consult the list file /etc/vsftpd/user_list; the other list, /etc/vsftpd/ftpusers, is enforced by PAM through pam_listfile |
userlist_deny=YES | Users named in user_list are refused before a password is even requested; with NO the file becomes an allow-list instead |
chroot_local_user=YES | Lock each local user into their own home directory after login so they cannot browse the rest of the file system; this is a safety measure |
[Note] With anonymous access disabled the built-in anonymous account no longer works and you log in with an ordinary system account. The session starts in the user's home directory, so no directory permissions need changing. This holds with SELinux disabled; in enforcing mode, FTP access to home directories additionally needs the ftp_home_dir (or ftpd_full_access) boolean switched on with setsebool -P.
(3) Virtual user mode
① Create the user database file used for FTP authentication: a plain text file in which odd lines are user names and even lines are the corresponding passwords.
# cd /etc/vsftpd/ // enter the vsftpd configuration directory
# vim vuser.list // create the virtual user list
② Convert the virtual user list into a Berkeley DB hash file (db_load comes from the libdb-utils package on this system; older releases shipped it as db4-utils). Both files hold cleartext passwords, so restrict them to root:
# db_load -T -t hash -f vuser.list vuser.db
# chmod 600 vuser.list vuser.db
③ Create the root directory that vsftpd serves files from and the local system user that the virtual users are mapped to.
Every file in Linux has an owner and a group. If a virtual account "Zhang San" creates a file, there is no system account "Zhang San" to own it, and the file's ownership would be undefined. A local system user is therefore created and every virtual user is mapped to it: virtual users land in that user's home directory by default, and the files they create belong to that system user, so the kernel always has a valid owner and permissions for them.
For safety, give this account no login shell, so that a leaked FTP password cannot be turned into a shell on the server.
# useradd -d /var/ftproot -s /sbin/nologin virtual // add the user with home directory /var/ftproot and no login shell
# chmod -Rf 755 /var/ftproot // let other users read the home directory
④ Build the PAM file that supports virtual users
PAM (Pluggable Authentication Modules) is an authentication framework: a set of dynamic libraries behind a uniform API that separate the service a program provides from the way it authenticates, so the administrator can adjust a service's authentication method to the requirements.
Put simply, PAM is a set of security modules that lets the administrator change how a service program authenticates without modifying the program. It is layered into an application layer, an application interface layer and an authentication module layer (the original article shows the structure as a figure).
⑤ In the vsftpd main configuration file, point the pam_service_name parameter at the new PAM service file, vsftpd.vu (that is, /etc/pam.d/vsftpd.vu). PAM is the link between the application layer and the authentication module layer: an application that wants PAM authentication ships a PAM configuration file named after its service, and the modules listed in that file provide the required checks.
The parameters needed are:
Parameter | Effect |
anonymous_enable=NO | Disable anonymous mode |
local_enable=YES | Allow local user mode (virtual users run as the mapped local user) |
guest_enable=YES | Enable virtual user mode |
guest_username=virtual | System account that virtual users are mapped to |
pam_service_name=vsftpd.vu | PAM service file to use |
allow_writeable_chroot=YES | Permit a writable chroot root instead of refusing the login |
⑥ Give virtual users different permissions, for example user A may read, write and modify while user B may only read.
Create the directory /etc/vsftpd/vusers_dir and in it one file per virtual user, named exactly like the account. Virtual users carry anonymous privileges by default (virtual_use_local_privs=NO), so their rights are set with the anon_* options. In a user's file write:
anon_upload_enable=YES or NO
anon_mkdir_write_enable=YES or NO
anon_other_write_enable=YES or NO
and add to the main configuration file /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/vsftpd/vusers_dir
Restart vsftpd. The article then puts SELinux into permissive mode; the narrower alternative is to keep it enforcing and enable only the FTP boolean (setsebool -P ftpd_full_access on).
# systemctl restart vsftpd
# setenforce 0
II. Building common FTP scenarios
(The scenarios below are demonstrated on the Galaxy Kylin V10 0711 server edition.)
1. Anonymous open access with upload, download, delete and create permission
(Users need no user name or password; entering the server IP is enough. This is the fully open mode, so use it only on trusted networks and for content that is meant to be public and writable.)
# yum install vsftpd -y // install vsftpd with yum
# cp -avx /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak // back up before editing
[Note] On the server edition the vsftpd configuration file is /etc/vsftpd/vsftpd.conf
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES # enable anonymous login
anon_umask=022 # set the umask; with the default 077 a directory or file created by an anonymous user gets mode 700/600 and cannot be read back by anyone else
pam_service_name=vsftpd # PAM service used for authentication
connect_from_port_20=YES # use port 20 as the source port of active-mode data connections
anon_upload_enable=YES # let anonymous users upload files
anon_mkdir_write_enable=YES # let anonymous users create directories
write_enable=YES # master switch: without it none of the write options take effect
anon_other_write_enable=YES # additionally allow rename and delete; the default is NO
# chmod -R 777 /var/ftp/pub // without write permission uploads fail; chown ftp /var/ftp/pub with mode 755 is the tighter alternative, and /var/ftp itself must stay non-writable or vsftpd refuses the login
# systemctl restart vsftpd
[Notes] 1. Port 21 must be open on the firewall, otherwise the client reports "socket error, connection refused". Data connections need port 20 (active) or the passive port range as well; with firewalld, firewall-cmd --permanent --add-service=ftp followed by firewall-cmd --reload opens port 21 and enables the FTP connection-tracking helper.
2. The default directory for anonymous logins is /var/ftp/, with uploads going to /var/ftp/pub.
3. For local users the default upload location is the home directory, /home/<system user name>.
4. About the umask value:
umask is a common concept on Unix-like systems: a mask that determines the initial permissions of newly created files and directories (there is also a umask shell command that sets it). The resulting mode is the base mode with the umask bits cleared, i.e. base AND NOT umask, where the base is 777 for directories and 666 for files. Digit-by-digit subtraction (777-022=755, 666-022=644) gives the same answer only while no digit goes negative; for files under umask 077 the result is 600, which 666-077 does not produce.
umask = 022: new directories get 755, files 644
umask = 077: new directories get 700, files 600
vsftpd's local_umask and anon_umask work the same way. Both default to 077, which is why uploaded files come out as 600 and directories as 700 unless the umask is changed.
To change the permissions of uploaded files there are two cases:
a. for local users, adjust local_umask
b. for anonymous and virtual users, adjust anon_umask (vsftpd grants virtual users anonymous privileges unless virtual_use_local_privs=YES)
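The audit below is an added example and not code from the original article. It reads a vsftpd.conf the way vsftpd does (the last assignment of a key wins, commented lines are ignored, missing keys take the compiled-in defaults from vsftpd.conf(5)) and flags the combinations that give anonymous users write access, using the umask arithmetic just described instead of subtraction. The function names (conf_get, umask_perms, audit_vsftpd) and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for risky anonymous-access settings.
# Function names and the sample configuration are constructed for this example.

# conf_get FILE KEY DEFAULT: effective value of KEY (vsftpd takes the last
# assignment; lines starting with # are ignored), or DEFAULT when it is unset.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# umask_perms BASE UMASK: mode a new object gets, e.g. umask_perms 666 077 -> 600.
# Computed as BASE AND NOT UMASK, which is what the kernel does (not subtraction).
umask_perms() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# audit_vsftpd FILE: print one line per finding; prints nothing for a clean file.
# Defaults passed to conf_get are vsftpd's compiled-in ones.
audit_vsftpd() {
    f=$1
    if [ "$(conf_get "$f" anonymous_enable YES)" = YES ]; then
        # write_enable is the master switch; without it the anon_* flags are inert
        if [ "$(conf_get "$f" write_enable NO)" = YES ]; then
            for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
                if [ "$(conf_get "$f" "$k" NO)" = YES ]; then
                    echo "anonymous users can write: $k=YES"
                fi
            done
        fi
        um=$(conf_get "$f" anon_umask 077)
        # other-write bit (02) survives the mask -> uploads are world-writable
        if [ $(( 0666 & ~0$um & 02 )) -ne 0 ]; then
            echo "anon_umask=$um leaves uploaded files world-writable (mode $(umask_perms 666 "$um"))"
        fi
    fi
    if [ "$(conf_get "$f" chroot_local_user NO)" = YES ] &&
       [ "$(conf_get "$f" allow_writeable_chroot NO)" = YES ]; then
        echo "chroot root may be writable (allow_writeable_chroot=YES): keep it owned by the session user only"
    fi
    return 0
}

# Constructed sample: the fully open configuration of scenario 1, with a bad umask.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=000
EOF
audit_vsftpd "$sample"
rm -f "$sample"
```

Run it as sh audit.sh to see the three findings for the sample, or call audit_vsftpd /etc/vsftpd/vsftpd.conf on a real server. Note that the check reads only the configuration; whether /var/ftp/pub is actually world-writable on disk (as the chmod -R 777 above makes it) has to be checked with ls -ld separately.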
2. Local user mode with upload, download, create and delete permission
# vim /etc/vsftpd/vsftpd.conf
local_enable=YES # allow local users to log in
anonymous_enable=NO # refuse anonymous logins; set to YES if they are wanted as well
write_enable=YES # allow writes
local_umask=022 # umask for local users
# useradd user1 // create a local user for FTP logins
# passwd user1 // set its password
# systemctl restart vsftpd // after the restart user1 can log in over FTP
[Notes] 1. Open port 21 on the firewall (and the data ports, as in scenario 1).
2. A local user's FTP session starts in the user's home directory. Bear in mind that the user's system password travels in cleartext over plain FTP and that, without chroot_local_user=YES, the session can read everything the account can read on the server; enabling TLS (ssl_enable=YES) and the chroot is advisable whenever this mode is used outside a lab.
3. Virtual user mode with precise permission control for specified users
3.1 Goal of the exercise: within the same directory, give the three virtual users admin, upload and download different permissions, as listed below:
User name | Permissions |
admin | Administrator: may upload, download, create directories, delete, and rename files and directories |
upload | May upload and create directories, but may not download, delete, or rename existing files and directories |
download | May only download; no other operation |
[Note] None of the three virtual users can log in to the system, and over FTP they are locked into the specified directory and cannot enter any other directory of the system.
3.2 Configuring vsftpd
Step 1: add a system user that cannot log in, to which the virtual users are mapped
# useradd -s /sbin/nologin -d /home/kylin -M kylin
(The article also runs passwd kylin. A password is not needed: virtual users authenticate against the database file created below, and the account has no login shell.)
Step 2: create the virtual user list with the three users admin, upload and download
# vim /etc/vsftpd/vu_list.txt // new file with the following content; odd lines are user names, even lines the corresponding passwords
upload
[email protected]
download
[email protected]
admin
[email protected]
Step 3: the text file with accounts and passwords cannot be used for authentication directly; convert it into a db file that PAM can query
# yum -y install libdb-utils // provides db_load on this system (the article names the older db4, db4-devel and db4-utils packages); install it first if db_load is missing
# db_load -T -t hash -f /etc/vsftpd/vu_list.txt /etc/vsftpd/vu_list.db
# chmod 600 /etc/vsftpd/vu_list.txt /etc/vsftpd/vu_list.db // both files hold cleartext passwords, so keep them readable by root only
Step 4: configure the PAM file
vsftpd hands the client's credentials to the system's PAM stack, so the authentication method is changed by editing the service's PAM configuration file. PAM configuration files live in /etc/pam.d/, one file per service.
# vim /etc/pam.d/vsftpd // comment out the original lines and add the two pam_userdb lines below. On a 32-bit system the module lives in /lib/security, so adjust the path (or write just pam_userdb.so and let PAM locate it). The original lines must go: they check against system accounts and shells, which the virtual users do not have, and with them in place a local Xftp client cannot connect.
#%PAM-1.0
#session optional pam_keyinit.so force revoke
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vu_list
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vu_list
The db= path is given without the .db suffix. As written, pam_userdb compares the password with the stored string verbatim; adding crypt=crypt to the auth line makes it expect crypt(3) hashes instead, so the database need not contain cleartext passwords.
Step 5: create the per-user configuration files
# mkdir /etc/vsftpd/conf // directory referenced by user_config_dir in Step 6
# vim /etc/vsftpd/conf/admin // admin's profile. Virtual users have anonymous privileges (virtual_use_local_privs=NO), so their rights and umask are set with the anon_* options
anon_world_readable_only=NO
anon_umask=022
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/kylin
allow_writeable_chroot=YES
# vim /etc/vsftpd/conf/upload // upload's profile: may write and create directories, but not download, delete or rename
write_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
download_enable=NO
local_root=/home/kylin
allow_writeable_chroot=YES
# vim /etc/vsftpd/conf/download // download's profile: read only, because write_enable=NO is inherited from the main file
anon_world_readable_only=NO
local_root=/home/kylin
allow_writeable_chroot=YES
Step 6: edit the vsftpd.conf file
First back up the default configuration file /etc/vsftpd/vsftpd.conf, then replace its contents with the following (write_enable=NO here is the baseline that the per-user files above override):
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_enable=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=kylin
user_config_dir=/etc/vsftpd/conf
Step 7: create the FTP root directory
# mkdir /home/kylin // path and name must match local_root in the per-user files above
# chown kylin:kylin /home/kylin // every virtual session runs as kylin, so owner write access is enough; the article uses chmod -R 777 /home/kylin instead, which also lets every local account write there
# systemctl restart vsftpd // configuration is complete after the restart
[Notes] 1. SELinux and firewalld need their own configuration; the article simply disables both. The targeted settings are setsebool -P ftpd_full_access on, plus opening port 21 and the passive port range on the firewall.
2. The FTP home directory is /home/kylin.
3. When connecting with Xftp from a local machine the article turns passive mode off (shown in a screenshot that is not reproduced here). Forcing active mode only works when the server can reach the client; the alternative that keeps passive mode working through a firewall is to pin the passive range with pasv_min_port and pasv_max_port in vsftpd.conf and open exactly that range.
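The script below is an added example, not the article's own code. It stages every file from Steps 2 to 6 for the admin/upload/download scheme (and equally for the generic virtual-user procedure in Part One) from one list of user:hash pairs, so the whole setup can be reproduced, reviewed and dry-run under a staging directory before it touches /etc. Assumptions that go beyond the article: the STAGE, GUEST and FTP_ROOT variables and all function names are mine; passwords are stored as crypt(3) hashes (made with openssl passwd -6), so the PAM auth line carries crypt=crypt; and the main file pins a passive port range so the client does not have to fall back to active mode.

```shell
#!/bin/sh
# Added example: stage the vsftpd virtual-user files for admin/upload/download.
# Variables, function names and the crypt=crypt choice are this example's own.
# STAGE="" writes to the real /etc; STAGE=/tmp/stage dry-runs without root.
STAGE=${STAGE:-}
GUEST=${GUEST:-kylin}             # mapped system user (useradd -s /sbin/nologin -M kylin)
FTP_ROOT=${FTP_ROOT:-/home/kylin} # shared directory; chown it to $GUEST, mode 755

# vu_user_conf ROLE: per-user file for user_config_dir. Virtual users carry
# anonymous privileges (virtual_use_local_privs=NO), so the anon_* keys apply.
vu_user_conf() {
    printf 'local_root=%s\nallow_writeable_chroot=YES\nanon_world_readable_only=NO\n' "$FTP_ROOT"
    case $1 in
      admin)    printf 'write_enable=YES\nanon_umask=022\nanon_upload_enable=YES\n'
                printf 'anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' ;;
      upload)   printf 'write_enable=YES\nanon_umask=022\nanon_upload_enable=YES\n'
                printf 'anon_mkdir_write_enable=YES\ndownload_enable=NO\n' ;;
      download) : ;;                  # read-only: write_enable=NO comes from vsftpd.conf
      *)        echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# vu_list_text USER:HASH ...: the format db_load expects, odd lines user names,
# even lines crypt(3) hashes (make one with: openssl passwd -6 'the password').
vu_list_text() {
    for entry in "$@"; do
        printf '%s\n%s\n' "${entry%%:*}" "${entry#*:}"
    done
}

# vu_pam: authenticate only against the db file (db= without the .db suffix);
# crypt=crypt makes pam_userdb compare crypt(3) hashes instead of cleartext.
vu_pam() {
    printf '#%%PAM-1.0\n'
    printf 'auth    required pam_userdb.so db=/etc/vsftpd/vu_list crypt=crypt\n'
    printf 'account required pam_userdb.so db=/etc/vsftpd/vu_list\n'
}

# vu_main_conf: the Step 6 main file plus a pinned passive port range
# (open 21 and 30000-30100 on the firewall instead of forcing active mode).
vu_main_conf() {
    printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=NO\n'
    printf 'chroot_local_user=YES\nguest_enable=YES\nguest_username=%s\n' "$GUEST"
    printf 'user_config_dir=/etc/vsftpd/conf\npam_service_name=vsftpd\nlisten=YES\n'
    printf 'xferlog_enable=YES\nxferlog_file=/var/log/vsftpd.log\n'
    printf 'pasv_enable=YES\npasv_min_port=30000\npasv_max_port=30100\n'
}

# vu_stage USER:HASH ...: write all files under $STAGE; build the db if db_load exists
vu_stage() {
    mkdir -p "$STAGE/etc/vsftpd/conf" "$STAGE/etc/pam.d"
    list="$STAGE/etc/vsftpd/vu_list.txt"
    vu_list_text "$@" > "$list"
    chmod 600 "$list"
    for role in admin upload download; do
        vu_user_conf "$role" > "$STAGE/etc/vsftpd/conf/$role"
    done
    vu_pam > "$STAGE/etc/pam.d/vsftpd"
    vu_main_conf > "$STAGE/etc/vsftpd/vsftpd.conf"
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$list" "$STAGE/etc/vsftpd/vu_list.db" &&
            chmod 600 "$STAGE/etc/vsftpd/vu_list.db" || echo "db_load failed" >&2
    else
        echo "db_load not found (package libdb-utils); run it on $list afterwards" >&2
    fi
}

# Usage: STAGE=/tmp/stage sh stage_vu.sh "admin:$(openssl passwd -6 'pw1')" 'upload:$6$...' 'download:$6$...'
if [ "$#" -gt 0 ]; then
    vu_stage "$@"
fi
```

Diff the staged tree against /etc (diff -r /tmp/stage/etc /etc) before copying it over, then run the Step 7 commands and restart vsftpd. Because the database now holds hashes, the chmod 600 on the list files is defence in depth rather than the only thing standing between a local reader and every FTP password.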