Analysis of vsftpd service configuration (anonymous, local user, virtual user) on Linux

Time:2021-3-4

Overview of vsftpd

vsftpd is short for "very secure FTP daemon", and security is one of its main characteristics. vsftpd is an FTP server for UNIX-like operating systems; it runs on Linux, BSD, Solaris, HP-UX and others. It is completely free, open-source FTP server software, and it supports many features that other FTP servers do not.

Characteristics

High security, bandwidth limiting, good scalability, virtual user support, IPv6 support, high transfer speed.

Small, lightweight, secure and easy to use.

FTP, SFTP, vsftp and vsftpd

FTP is short for File Transfer Protocol, a standard protocol for transferring files over a network in client/server mode. It belongs to the application layer of the network protocol stack.

SFTP is short for SSH File Transfer Protocol;

vsftp is a GPL-licensed FTP server used on UNIX-like systems. Its full name is "very secure FTP", and the name shows that the author's original intention was code security;

vsftpd is the daemon of that server ("very secure FTP daemon"), and security is its main feature. It runs on UNIX-like operating systems such as Linux, BSD, Solaris and HP-UX, and is free and open-source FTP server software;

Part 1. Anonymous user login to FTP (files in /var/ftp)

1. Install vsftpd service

[root@localhost ~]# yum install vsftpd -y                  # install the service
[root@localhost ~]# cd /etc/vsftpd/                        # this directory holds the configuration files
[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@localhost vsftpd]# systemctl start vsftpd            # start the vsftpd service
[root@localhost vsftpd]# systemctl stop firewalld.service  # turn off the firewall
[root@localhost vsftpd]# setenforce 0                      # put SELinux into permissive mode
[root@localhost vsftpd]# ls /var/ftp/                      # list the FTP root directory
pub
[root@localhost vsftpd]# echo "this is test" > /var/ftp/test.txt   # add a text file

2. Use the test machine's CMD to connect to the vsftpd service and download a file

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): ftp          # anonymous access
331 Please specify the password.
Password:                                   # no password, just press Enter
230 Login successful.
ftp> pwd                                    # show the current path
257 "/"                                     # the root directory of the FTP service
ftp> ls -a                                  # list the directory contents
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
..
pub
test.txt                                    # file on the server
226 Directory send OK.
ftp: 25 bytes received in 0.00Seconds 25000.00Kbytes/sec.
ftp> get test.txt                           # download the file to the local working directory (switch to e: first to download there)
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (13 bytes).
226 Transfer complete.
ftp: 13 bytes received in 0.00Seconds 13000.00Kbytes/sec.
ftp> put test1.txt                          # test1.txt was created on drive C beforehand; try to upload it to Linux
200 PORT command successful. Consider using PASV.
550 Permission denied.

3. Modify the vsftpd configuration file to give anonymous users maximum permissions

[root@localhost ftp]# cd /etc/vsftpd/
[root@localhost vsftpd]# vim vsftpd.conf
# find and enable the following options in the configuration file
anonymous_enable=YES          # allow anonymous users
local_enable=YES              # allow local users
write_enable=YES              # allow write commands
local_umask=022               # umask for files created by local users
anon_upload_enable=YES        # allow anonymous uploads
anon_mkdir_write_enable=YES   # allow anonymous users to create directories
anon_other_write_enable=YES   # additionally allow anonymous rename and delete
[root@localhost vsftpd]# systemctl restart vsftpd   # restart the service
[root@localhost vsftpd]# cd /var/ftp/               # switch to the FTP directory
[root@localhost ftp]# ls
pub  test.txt
[root@localhost ftp]# ls -l
total 4
drwxr-xr-x. 2 root root  6 Oct 31  2018 pub
-rw-r--r--. 1 root root 13 Nov  5 19:14 test.txt
[root@localhost ftp]# chmod 777 pub                 # make pub writable so anonymous uploads can land there

4. Use the test machine's CMD to connect to FTP and upload a local file to Linux

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp> cd pub/                                # switch to the pub directory
250 Directory successfully changed.
ftp> put test1.txt                          # upload the file
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 13 bytes sent in 0.03Seconds 0.41Kbytes/sec.
ftp> by                                     # exit
221 Goodbye.
# delete can also be used to remove files

5. View the uploaded files

[root@localhost ftp]# cd /var/ftp/pub   # switch to the pub directory
[root@localhost pub]# ls                # view the uploaded file
test1.txt
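The settings enabled in step 3 turn the anonymous account into a write-capable one, which is the configuration most worth checking on a real server. The following shell script is an added example (not part of the original article) that reads a vsftpd.conf and reports whether anonymous clients can upload, create directories or rename and delete. It applies vsftpd's own parsing rules: the format is strictly key=value with no whitespace around "=", a later assignment overrides an earlier one, and anonymous_enable defaults to YES when the key is absent. The two configuration files it checks are constructed in temporary files for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for the
# anonymous-write settings enabled in step 3. Point vsftpd_audit_anon at
# /etc/vsftpd/vsftpd.conf on a real host; here two constructed sample
# configurations are written to temporary files so the script runs offline.

vsftpd_get() {
    # $1 = key, $2 = file. vsftpd's format is strictly key=value with no
    # whitespace around '=', and a later assignment overrides an earlier one,
    # so the last exact match is the effective value (returned upper-cased).
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr 'a-z' 'A-Z'
}

vsftpd_bool() {
    # $1 = key, $2 = file, $3 = vsftpd's compiled-in default (YES/NO), used
    # when the key is absent. Echoes 1 for true, 0 for false.
    v=$(vsftpd_get "$1" "$2")
    [ -z "$v" ] && v=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    case "$v" in
        YES|TRUE|1) echo 1 ;;
        *)          echo 0 ;;
    esac
}

vsftpd_audit_anon() {
    # $1 = config file. Prints one finding per line; returns 1 when anonymous
    # clients can modify the server, 0 when they are read-only or locked out.
    file=$1; rc=0
    if [ "$(vsftpd_bool anonymous_enable "$file" YES)" -eq 0 ]; then
        echo "OK: anonymous_enable is off"; return 0
    fi
    if [ "$(vsftpd_bool write_enable "$file" NO)" -eq 0 ]; then
        echo "OK: anonymous login allowed but write_enable is off (read-only)"; return 0
    fi
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(vsftpd_bool "$opt" "$file" NO)" -eq 1 ]; then
            echo "WARN: $opt=YES lets unauthenticated clients write to the server"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: anonymous users are read-only"
    return "$rc"
}

# Constructed samples: the article's step-3 settings, and the same file with
# the three anon_*_enable lines removed.
SAMPLE_OPEN=$(mktemp)
cat > "$SAMPLE_OPEN" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF

SAMPLE_SAFE=$(mktemp)
cat > "$SAMPLE_SAFE" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
EOF

for f in "$SAMPLE_OPEN" "$SAMPLE_SAFE"; do
    echo "== $f"
    if vsftpd_audit_anon "$f"; then echo "=> no anonymous write exposure"; else echo "=> needs hardening"; fi
done
```

Run it as `sh audit.sh`; on a live host replace the sample paths with /etc/vsftpd/vsftpd.conf. The exit status of vsftpd_audit_anon makes it usable from a configuration-management or CI check.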

Part 2. Logging in to FTP with local users (files in the user's home directory)

Goal: prevent local users from accessing system directories and restrict them to their own home directories.

1. Create system users

[root@localhost pub]# useradd zhangsan    # create a user and set its password
[root@localhost pub]# passwd zhangsan
[root@localhost pub]# useradd lisi        # create a second user and set its password
[root@localhost pub]# passwd lisi

2. Log in to FTP with the local user from the test machine's CMD

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): zhangsan     # log in with the local user
331 Please specify the password.
Password:
230 Login successful.
ftp> ls /                                   # the whole system root directory is visible
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
/bin
/boot
/dev
/etc
/home
/lib
/lib64
/media
/mnt
/opt
/proc
/root
/run
/sbin
/srv
/sys
/tmp
/usr
/var
226 Directory send OK.
ftp: 126 bytes received in 0.02Seconds 7.88Kbytes/sec.

3. Prevent local users from accessing system directories and restrict them to their home directories

[root@localhost pub]# vim /etc/vsftpd/vsftpd.conf   # modify the configuration file
chroot_local_user=YES        # confine local users to their home directories
allow_writeable_chroot=YES   # allow the chroot root directory to remain writable
[root@localhost pub]# systemctl restart vsftpd      # restart the service

4. Test from the test machine's CMD

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): zhangsan     # user zhangsan
331 Please specify the password.
Password:
230 Login successful.
ftp> cd /                                   # try to switch to the system root directory
250 Directory successfully changed.
ftp> ls                                     # "/" is now the user's home directory, so the listing is empty
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
Allowing or denying specific users access to FTP

1. Set up the user list (deny mode by default) to allow or deny specific users logging in to FTP

[root@localhost pub]# cd /etc/vsftpd/          # switch to the vsftpd configuration directory
[root@localhost vsftpd]# vim vsftpd.conf

userlist_enable=YES          # confirm that the user list is enabled

[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@localhost vsftpd]# echo "zhangsan" >> user_list   # add user zhangsan to the list
[root@localhost vsftpd]# systemctl restart vsftpd      # restart the service
2. Test from the test machine's CMD

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): zhangsan     # log in as zhangsan
530 Permission denied.
Login failed.                               # login is refused outright, before the password prompt
ftp>

3. Set the list to allow-only mode

[root@localhost ftp]# cd /etc/vsftpd/
[root@localhost vsftpd]# vim vsftpd.conf   # edit the vsftpd configuration file
userlist_enable=YES
userlist_deny=NO             # the list now holds the users that are allowed

[root@localhost vsftpd]# systemctl restart vsftpd   # restart the service

4. Test from the test machine's CMD

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): zhangsan     # log in as zhangsan
331 Please specify the password.
Password:
230 Login successful.
ftp> by
221 Goodbye.

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): lisi         # log in as lisi
530 Permission denied.
Login failed.                               # lisi is not on the list, so login fails
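To see the effect of userlist_enable and userlist_deny before restarting the service, here is an added shell example (not from the original article) that reproduces vsftpd's user_list decision for a given user name. It assumes only the two configuration keys shown above and an exact, case-sensitive line match in user_list, which is how vsftpd compares names; the three sample configurations and the list file are constructed in temporary files, and the function names are mine. An ALLOW here only means the user reaches the password prompt; PAM (including the separate /etc/vsftpd/ftpusers deny list) still runs afterwards.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce vsftpd's user_list
# decision so you can see who would be let in before restarting the service.
# The config snippets and list file below are constructed for the demo.

conf_value() {
    # $1 = key, $2 = file; the last exact key=value assignment wins, upper-cased
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr 'a-z' 'A-Z'
}

userlist_decision() {
    # $1 = user name, $2 = vsftpd.conf, $3 = user_list file.
    # Echoes ALLOW or DENY and returns 0 or 1. userlist_deny=YES (vsftpd's
    # default) makes the file a blacklist; userlist_deny=NO makes it a
    # whitelist. Either way the refusal comes before the password prompt (530).
    user=$1; conf=$2; list=$3
    enable=$(conf_value userlist_enable "$conf"); [ -z "$enable" ] && enable=NO
    deny=$(conf_value userlist_deny "$conf");     [ -z "$deny" ] && deny=YES
    if [ "$enable" != "YES" ]; then
        echo ALLOW; return 0
    fi
    # exact, case-sensitive, whole-line match as vsftpd does it
    if grep -Fxq -- "$user" "$list" 2>/dev/null; then listed=1; else listed=0; fi
    if [ "$deny" = "YES" ]; then
        # blacklist mode: listed users are refused
        if [ "$listed" -eq 1 ]; then echo DENY; return 1; fi
        echo ALLOW; return 0
    else
        # whitelist mode: only listed users proceed to password authentication
        if [ "$listed" -eq 1 ]; then echo ALLOW; return 0; fi
        echo DENY; return 1
    fi
}

# Constructed inputs: the article's list with zhangsan on it, and the three
# configurations walked through above (deny list, allow list, list disabled).
LIST=$(mktemp);       echo zhangsan > "$LIST"
CONF_DENY=$(mktemp);  printf 'userlist_enable=YES\n' > "$CONF_DENY"
CONF_ALLOW=$(mktemp); printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$CONF_ALLOW"
CONF_OFF=$(mktemp);   printf 'userlist_enable=NO\n' > "$CONF_OFF"

for u in zhangsan lisi; do
    printf '%-9s deny-list: %-5s allow-list: %-5s list off: %s\n' "$u" \
        "$(userlist_decision "$u" "$CONF_DENY" "$LIST")" \
        "$(userlist_decision "$u" "$CONF_ALLOW" "$LIST")" \
        "$(userlist_decision "$u" "$CONF_OFF" "$LIST")"
done
```

The table it prints matches the two CMD sessions above: zhangsan is refused in deny-list mode and admitted in allow-list mode, while lisi sees the opposite.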

Part 3. Create virtual user accounts and use FTP (files in the home directory of the system user vuser)

1. Create a virtual user file

[root@localhost vsftpd]# cd /etc/vsftpd/   # switch to the configuration directory
[root@localhost vsftpd]# vim vuser          # create the virtual user file: odd lines hold the user name, even lines the password

lisa
123123
tom
123123

2. Convert the file to a database and set secure permissions

[root@localhost vsftpd]# db_load -T -t hash -f vuser vuser.db   # convert vuser into a database file
# -T: read plain-text input; -t: database type (hash); -f: input file
[root@localhost vsftpd]# chmod 600 vuser      # for security, restrict permissions so other users cannot read the passwords
[root@localhost vsftpd]# chmod 600 vuser.db

3. Edit the PAM authentication module to support virtual user login

[root@localhost vsftpd]# useradd -d /opt/vuser -s /sbin/nologin vuser
# create the mapping system user with a dedicated home directory and no shell login
[root@localhost vsftpd]# vim /etc/pam.d/vsftpd.vu    # write the PAM service file

auth    required pam_userdb.so db=/etc/vsftpd/vuser   # authenticate against the converted database (path without the .db suffix)
account required pam_userdb.so db=/etc/vsftpd/vuser   # account check against the same database

4. Enable virtual users and authenticate logins through the PAM module

[root@localhost vsftpd]# vim vsftpd.conf    # modify the configuration file
# press G to jump to the last line
#pam_service_name=vsftpd                    # comment out the original line
# add the following three lines
guest_enable=YES              # enable virtual (guest) users
guest_username=vuser          # map virtual users to the system user vuser
pam_service_name=vsftpd.vu    # use the PAM service file created above
[root@localhost vsftpd]# systemctl restart vsftpd   # restart the service

5. Test from the test machine's CMD

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): tom          # log in with the virtual user tom
331 Please specify the password.
Password:
230 Login successful.
ftp> put test1.txt                          # upload a file
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 13 bytes sent in 0.00Seconds 13000.00Kbytes/sec.
# on the server, the uploaded file has mode 600
[root@localhost vsftpd]# ls -l /opt/vuser/
total 4
-rw-------. 1 vuser vuser 13 Nov  5 22:51 test1.txt

6. Per-user configuration: set the permissions of uploaded files to 644

[root@localhost vsftpd]# vim vsftpd.conf
# press G and append at the last line
user_config_dir=/etc/vsftpd/vu_dir    # directory holding per-user configuration files
[root@localhost vsftpd]# mkdir vu_dir   # create the directory
[root@localhost vsftpd]# cd vu_dir/
[root@localhost vu_dir]# vim lisa       # create a configuration file named after the user in that directory
anon_umask=022                          # permission mask for files this user uploads
[root@localhost vu_dir]# systemctl restart vsftpd   # restart the service

7. Log in as lisa from the test machine's CMD and check the permissions of the uploaded file

C:\Users\xy007>ftp 192.168.13.140
Connected to 192.168.13.140.
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
User (192.168.13.140:(none)): lisa         # log in as lisa
331 Please specify the password.
Password:
230 Login successful.
ftp> put 111.txt                            # upload a file
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 13 bytes sent in 0.00Seconds 13000.00Kbytes/sec.

[root@localhost vu_dir]# ls -l /opt/vuser/   # check the permissions of the uploaded files
total 8
-rw-r--r--. 1 vuser vuser 13 Nov  5 22:58 111.txt     # uploaded by lisa: mode 644
-rw-------. 1 vuser vuser 13 Nov  5 22:51 test1.txt   # uploaded by tom: mode 600
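Two details in this part are easy to get wrong: the vuser text file must alternate user-name and password lines with no blank or duplicate entries before db_load -T will produce a usable database, and the mode of an uploaded file is 0666 masked by anon_umask, whose vsftpd default is 077 (which is why tom's upload above came out as 600 and lisa's, with anon_umask=022, as 644). The shell script below is an added example (not from the original article) that validates a vuser file, wraps the db_load and chmod step in a function that only runs when db_load is installed, and computes the resulting file mode from a umask. The sample files are constructed in temporary files and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): validate a vsftpd virtual
# user file before running db_load, and predict the mode of uploaded files
# from anon_umask. File names and contents are constructed for the demo.

vuser_check() {
    # $1 = virtual user text file in db_load -T layout: odd lines are user
    # names, even lines the matching passwords. Prints findings and returns
    # 0 when the file is usable, 1 when db_load would build a broken database.
    file=$1; rc=0; n=0; users=""; passwords=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then
            echo "ERROR: empty line $n would become an empty key or password"; rc=1
            continue
        fi
        if [ $((n % 2)) -eq 1 ]; then
            case " $users " in
                *" $line "*) echo "ERROR: duplicate user name '$line' (line $n)"; rc=1 ;;
            esac
            users="$users $line"
        else
            case " $passwords " in
                *" $line "*) echo "WARN: password on line $n is shared with another account" ;;
            esac
            passwords="$passwords $line"
        fi
    done < "$file"
    if [ $((n % 2)) -ne 0 ]; then
        echo "ERROR: odd line count ($n): the last user name has no password"; rc=1
    fi
    return "$rc"
}

vuser_build() {
    # $1 = text file, $2 = output database. Mirrors the article's db_load step
    # and locks both files down to 0600; skipped when db_load is not installed
    # (package libdb-utils on CentOS 7).
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed, skipping"; return 2; }
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$1" "$2"
}

upload_mode() {
    # $1 = anon_umask (e.g. 022). New regular files are created with 0666
    # masked by this value; vsftpd's default anon_umask is 077.
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Constructed inputs: the article's file (both accounts share a password), and
# a broken one with a duplicate user name and a trailing user without a password.
GOOD=$(mktemp); printf 'lisa\n123123\ntom\n123123\n' > "$GOOD"
BAD=$(mktemp);  printf 'lisa\n123123\nlisa\nabc\ntom\n' > "$BAD"

for f in "$GOOD" "$BAD"; do
    echo "== $f"
    if vuser_check "$f"; then echo "=> usable"; else echo "=> fix before running db_load"; fi
done
vuser_build "$GOOD" "$GOOD.db" || true
echo "anon_umask=077 -> $(upload_mode 077)   anon_umask=022 -> $(upload_mode 022)"
```

The shared-password warning is deliberately non-fatal, since db_load accepts it; it is there because virtual accounts that share one password give every holder of it access to every account's uploads under the common vuser home directory.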

Summary

This concludes the walkthrough of vsftpd service configuration (anonymous, local user, virtual user) on Linux. I hope it is helpful; if you have any questions, please leave a message and I will reply in time. Thank you for your support.
If you found this article helpful and reprint it, please indicate the source. Thank you!
