FTP (File Transfer Protocol) is a protocol for sending files from one host to another. It dates back to 1971, when the Internet was still experimental, but it remains extremely popular today.
FTP is specified in RFC 959. HTTP and FTP are both file transfer protocols and share many characteristics, such as running over TCP, but there are important differences between the two application-layer protocols. The most important is that FTP uses two parallel TCP connections: a control connection and a data connection. The control connection carries control information between the client host and the server host, such as the user name and password, commands to change the remote directory, and commands to retrieve or store files. The data connection is what actually carries the files. Throughout a session the FTP server must maintain state about the user: it must associate the control connection with a specific user and track that user's current directory as the user moves through the remote directory tree. Keeping this state for every active user session greatly limits the number of sessions an FTP server can maintain at once; stateless HTTP does not have to keep any user state at all. FTP can operate in two modes, active and passive:
Active mode (the default on most FTP servers): the FTP client opens a randomly chosen TCP port and connects to port 21 on the FTP server to request a connection. When the three-way handshake completes the connection is established, but this is only the control connection. When the two ends need to transfer data, the client sends a PORT command over the command channel telling the server which other TCP port the client will use as the data channel. The server then connects from its port 20 to the TCP port the client just announced. Note that this connection is opened from the server towards the client: the server's TCP packet carries the SYN flag, the client replies with an acknowledgement carrying the ACK flag, and another three-way handshake completes. Only then is the data connection established and data transfer can begin.
Passive mode: the FTP client opens a randomly chosen TCP port and connects to port 21 on the FTP server to establish the control connection. When the two ends need to transfer data, the client sends a PASV command over the command channel asking the server to enter passive transfer mode. The server then picks a TCP port, much as the client does in the second step of active mode above, and announces it to the client over the control connection. The client then uses another TCP port to connect to the port the server announced, establishing the data channel; this time the client's packet carries the SYN flag and the server answers with an ACK. Once the handshake completes, the data channel is established and data transfer begins.
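As an added example (not code from the original article), the Python below parses the server's 227 reply to PASV and builds the client's PORT argument, showing how the data-channel endpoint is carried over the control connection in each mode. The reply format and the port = p1*256 + p2 encoding are from RFC 959; the sample replies and addresses in the comments are constructed, and the host-match check is a client-side sanity check added here, not part of the page.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as sent by the server after PASV
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) the client must connect to for the data channel.

    In passive mode the client dials out, so only the server needs an
    inbound port range opened; port is encoded as p1*256 + p2.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a valid 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if not all(0 <= f <= 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Return the PORT line a client sends in active mode.

    The client advertises (host, port) and the server then connects from its
    port 20 to that endpoint, so the SYN travels server -> client; this is
    why active mode fails behind client-side NAT/firewalls that do not
    inspect the FTP control channel.
    """
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 0 < port <= 65535:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def pasv_endpoint_matches_control(reply, control_peer):
    """Client-side check: the data endpoint should be the same host as the
    control connection; a reply pointing elsewhere should be refused."""
    host, _ = parse_pasv_reply(reply)
    return host == control_peer
```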
Many programs implement FTP service today, such as IIS and Serv-U on Windows and wu-ftpd and vsftpd on Linux. vsftpd (Very Secure FTP Daemon) is a very secure, fast and stable FTP server for Unix/Linux that has been adopted by many large sites; it is also the default FTP service in RHEL. This article mainly covers how to configure vsftpd.
1. Install vsftpd.
rpm -ivh vsftpd-2.0.5-12.
After the installation completes, the vsftpd configuration file is under /etc/vsftpd/. Start vsftpd with the following command and set it to start automatically at boot.
service vsftpd restart
2. The first FTP site.
vsftpd is ready to use as soon as it is installed and started. By default anonymous users are allowed; the figure below uses the ftp command.
1: Use the ftp command to connect to the FTP server.
2: Because we are connecting to the FTP server as an anonymous user, enter anonymous as the user name (FTP servers generally accept ftp as well; the ftp user here is created automatically when vsftpd is installed and is also vsftpd's anonymous user).
After connecting to vsftpd, the default directory is the user's home directory; the ftp user's home directory is /var/ftp. The following figure shows other system users connecting to the FTP server (if SELinux is enabled on RHEL, you must first run setsebool -P ftp_home_dir=1).
3. Configuration parameters.
parameter | description
listen_address=ip address | Specify the IP address to listen on
listen_port=port_value | Specify the listening port; default 21
anonymous_enable=YES | Whether to allow anonymous accounts
local_enable=YES | Whether to allow local users to log in
nopriv_user=ftp | Specify the unprivileged account the vsftpd service runs as; ftp is used when not specified
write_enable=YES | Whether to allow writing
anon_upload_enable=YES | Whether anonymous users may upload files
anon_mkdir_write_enable=YES | Whether anonymous users may create directories
dirmessage_enable=YES | Display a welcome message when entering each directory; the message is read from a .message file created in that directory
xferlog_enable=YES | Log file uploads and downloads
connect_from_port_20=YES | Whether to transfer data from port 20 (i.e. whether to use active mode)
chown_uploads=YES, chown_username=whoever | Change the owner of files uploaded by anonymous users to the given user
xferlog_file=/var/log/ | Log file path
xferlog_std_format=YES | Use the standard log file format
idle_session_timeout=600 | Session timeout: how long a client may remain connected to the FTP server without performing any operation
data_connection_timeout=120 | Data transfer timeout
async_abor_enable=YES | Whether to allow the client to use commands such as async ABOR
ascii_upload_enable=YES, ascii_download_enable=YES | Whether to allow uploading / downloading files in ASCII mode rather than binary
chroot_local_user=YES | Confine all local users to their own home directory
chroot_list_enable=YES, chroot_list_file=/etc/vsftpd/chroot_list | Specify the users who may not leave their home directory, one user name per line in the file /etc/vsftpd/chroot_list; this method requires chroot_local_user=NO
ls_recurse_enable=YES | Whether to allow commands such as ls -R
listen=YES | Enable the IPv4 listener
listen_ipv6=YES | Enable the IPv6 listener
pam_service_name=vsftpd | Use the PAM module for authentication control; the vsftpd PAM file is in the /etc/ directory
userlist_enable=YES | When this option is activated, vsftpd reads the list of users from the file specified by the userlist_file parameter. When a listed user logs in to the FTP server, the user is rejected before being prompted for a password: after the user name is entered, vsftpd looks it up in the list and, if found, refuses the login immediately without asking for a password.
userlist_deny=YES | Decides whether the users in userlist_file are denied, or are the only ones allowed, to log in to the FTP server. This option takes effect only when userlist_enable is activated. YES (the default) denies login to the users in the file without prompting them for a password; NO allows only the users in the file to log in to the FTP server.
tcp_wrappers=YES | Whether to allow tcp_wrappers to control access
local_root=/home/ftp | Root directory for all local users; has no effect on anonymous users
anon_max_rate | Maximum transfer rate for anonymous users, in bytes/s
local_max_rate | Maximum transfer rate for local users, in bytes/s
download_enable=YES | Whether to allow downloads
For any of the above parameters that enable uploading, the corresponding local directory must have write permission.
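As an added example (not from the original article or the vsftpd project), the Python below parses a vsftpd.conf and flags the risky combinations of the parameters in the table above: anonymous writes, local users not confined by chroot, and transfers not logged. Both sample configurations are constructed, and the values assumed for absent keys (anonymous_enable=YES, everything else NO) are taken as vsftpd's built-in defaults, which is an assumption to verify against your version's man page.

```python
WEAK_CONF = """\
# constructed sample, not a real site's configuration
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=NO
xferlog_enable=NO
"""

HARDENED_CONF = """\
# constructed sample: no anonymous access, local users confined, transfers logged
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
xferlog_std_format=YES
"""


def parse_vsftpd_conf(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    """True if the key is set to YES (case-insensitive); 'default' stands in when absent."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd_conf(text):
    """Return a list of findings for the dangerous combinations discussed in the table."""
    c = parse_vsftpd_conf(text)
    findings = []
    # anonymous_enable is assumed to default to YES; anonymous writes also need write_enable
    if is_yes(c, "anonymous_enable", "YES") and is_yes(c, "write_enable") and (
            is_yes(c, "anon_upload_enable") or is_yes(c, "anon_mkdir_write_enable")):
        findings.append("anonymous users can upload files or create directories")
    if is_yes(c, "local_enable") and not is_yes(c, "chroot_local_user"):
        findings.append("local users are not confined to their home directory (chroot_local_user)")
    if not is_yes(c, "xferlog_enable"):
        findings.append("uploads and downloads are not logged (xferlog_enable)")
    return findings
```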
4. Identity authentication.
Among the parameters above, anonymous users can be disabled by setting anonymous_enable to NO. Once anonymous users are disabled, users can be authorized in the following ways:
Local users: authenticate using the user names in /etc/passwd.
Virtual users: user names and passwords are kept in database files or on a database server. Compared with local users, virtual users exist only for the FTP server and can access only the resources the FTP server provides, which greatly improves the security of the system itself. Compared with anonymous users, virtual users need a user name and password to fetch files from the FTP server, which makes users and downloads easier to manage. For FTP sites that need to provide downloads but do not want everyone to download anonymously, that need to manage download users, and that care about host security and ease of administration, virtual users are an excellent solution.
Local users are not covered here; the focus is on two ways to implement virtual users:
1. Use local data files:
Generate the virtual user file by creating /etc/vsftpd/ with the following content:
tonyzhang #virtual user 1
Install the rpm package used to generate the database, db4-utils.
rpm -ivh db4-utils-4.3.29-9.fc6.
Generate the virtual user database.
db_load -T -t hash -f /etc/vsftpd/ /etc/vsftpd/
Create the local user the virtual users map to, and adjust the permissions on that user's home directory.
useradd -d /var/ftp/vuserdir -s /sbin/nologin vuser
Modify the PAM authentication file /etc//vsftpd, commenting out its original content.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vusers
Modify /etc/vsftpd/ and add the following content.
guest_enable=YES