Further configure the FTP server
The following will create an FTP server that meets common needs. In practice, FTP servers generally provide both upload and download functions; for security reasons, user authentication, user permission settings and space management are also required. Let's build such an FTP server.
1. Create a welcome message. If you want users to see a welcome message or an introduction to a directory when they enter it, you can do so as follows.
Confirm that dirmessage_enable=YES is set in the /etc/vsftpd/ file; Red Hat 9.0 has this setting by default. Next, add a file named .message to the directory. This example creates a .message file in the /home/ylg directory with the content "Welcome to my FTP site".
2. Change the FTP server's default port. For security reasons, change the default port 21 to 2121. To do so, open /etc/vsftpd/ with vi:
#vi /etc/vsftpd/
Add the following line to the end of the file:
listen_port=2121
3. Disable anonymous login. Find the following line in the file and change its value to "NO":
anonymous_enable=YES
4. Prevent users from changing out of their directory. This too is for security reasons. Normally a user's default directory is /home/username. If you do not want users to be able to switch to the parent directory /home after logging in, use the following settings. Find the following three lines in the /etc/vsftpd/ file:
Change them to:
Add a new file /etc/vsftpd/chroot_list containing two user names:
5. Limit different users to different speeds. Assuming that user ylg may use at most 500Kb/s and user user1 at most 250Kb/s, this can be set as follows. Add the following line at the end of the /etc/vsftpd/ file:
user_config_dir=/etc/vsftpd/userconf
Create the directory /etc/vsftpd/userconf:
#mkdir /etc/vsftpd/userconf
Create a file named ylg under /etc/vsftpd/userconf with the following content:
local_max_rate=500000
Create a file named user1 in the /etc/vsftpd/userconf directory with the following content:
local_max_rate=250000
VSFTP only enforces the limit to within roughly 80% to 120%: if the maximum speed is set to 100Kb/s, the actual speed may lie between 80Kb/s and 120Kb/s. If bandwidth is insufficient, the speed will stay below the limit.
6. Run each online user as a separate process. Normally, when VSFTP is started you see only one process named vsftpd running. If you want each online user to appear as a separate process, add the following line to the /etc/vsftpd/ file:
setproctitle_enable=YES
7. Save the /etc/vsftpd/ file and restart vsftpd:
#service vsftpd restart
8. Test the FTP server you just created.
Logging in with the default settings is refused, because the port has been changed to 2121, so the port must be specified when logging in.
Anonymous login is no longer possible:
Logging in as user ylg (specifying port 2121) succeeds and displays the welcome message:
Because the settings forbid leaving the directory, the following command fails:
Let's test uploading and downloading. First, download a file from the server directory:
The !ls command shows that the file has been downloaded to the local directory. Then upload a file from the local directory to the server:
Listing the server directory with ls shows that the file has been uploaded successfully.
To confirm that different users connecting to the machine use different processes, use the ps -ef command, which displays the following:
At this point an FTP server that meets the needs of ordinary use has been set up.
In practice, the FTP server is sometimes placed behind a firewall for added security. As mentioned at the beginning of this article, passive transfer mode suits situations with a firewall. Let's create an FTP server behind a firewall, with FTP port 2121 and data transfer port 2020.
Execute the following two commands so that only ports 2121 and 2020 are open and all other ports are closed:
Modify the /etc/vsftpd/ file, adding the following two lines at the end:
Restart vsftpd:
#service vsftpd restart
Sometimes you want to allow connections only from certain source addresses, defined directly in /etc/; this is done with the following configuration. First make sure that tcp_wrappers=YES is set in /etc/vsftpd/ (the default in Red Hat 9.0), then restart vsftpd:
#service vsftpd restart
Assuming that connections are to be accepted from 168.192.2.1 and from 210.31.8.1 to 210.31.8.254, /etc/ can be configured as follows:
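Once the settings from steps 2 to 7 and the firewall section have been applied, it is worth checking the finished configuration file rather than trusting the edits. The following audit script is an added example, not part of the original tutorial: it reads a vsftpd configuration file and reports settings that are still at their weak defaults. The file paths, the two constructed sample configs and the assumption that step 4 sets chroot_local_user=YES are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a vsftpd configuration
# file against the hardening steps described above. Paths are assumptions.

# conf_get FILE KEY: print KEY's value; the last assignment in the file wins.
conf_get() {
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: print one line per weak or missing setting and
# return the number of findings, so 0 means every check passed.
audit_vsftpd_conf() {
    conf=$1
    findings=0
    [ "$(conf_get "$conf" anonymous_enable)" = "NO" ] ||
        { echo "anonymous_enable is not NO: anonymous logins allowed"; findings=$((findings + 1)); }
    port=$(conf_get "$conf" listen_port)
    { [ -n "$port" ] && [ "$port" != "21" ]; } ||
        { echo "listen_port not changed from the default 21"; findings=$((findings + 1)); }
    [ "$(conf_get "$conf" chroot_local_user)" = "YES" ] ||
        { echo "chroot_local_user is not YES: users can leave their home directory"; findings=$((findings + 1)); }
    pmin=$(conf_get "$conf" pasv_min_port)
    pmax=$(conf_get "$conf" pasv_max_port)
    { [ -n "$pmin" ] && [ -n "$pmax" ] && [ "$pmin" -le "$pmax" ]; } ||
        { echo "passive data port range not pinned (pasv_min_port/pasv_max_port)"; findings=$((findings + 1)); }
    [ "$(conf_get "$conf" tcp_wrappers)" = "YES" ] ||
        { echo "tcp_wrappers is not YES: source-address restrictions are ignored"; findings=$((findings + 1)); }
    return "$findings"
}

# write_sample_confs DIR: constructed sample files, not real server configs.
# before.conf holds the shipped defaults; after.conf holds the tutorial's
# settings (port 2121, passive data port 2020, no anonymous login, chroot).
write_sample_confs() {
    dir=$1
    printf 'anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\ndirmessage_enable=YES\n' > "$dir/before.conf"
    printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n' > "$dir/after.conf"
    printf 'dirmessage_enable=YES\nlisten_port=2121\nchroot_local_user=YES\n' >> "$dir/after.conf"
    printf 'chroot_list_enable=YES\nchroot_list_file=/etc/vsftpd/chroot_list\n' >> "$dir/after.conf"
    printf 'pasv_min_port=2020\npasv_max_port=2020\ntcp_wrappers=YES\n' >> "$dir/after.conf"
    printf 'user_config_dir=/etc/vsftpd/userconf\nsetproctitle_enable=YES\n' >> "$dir/after.conf"
}

tmp=$(mktemp -d)
write_sample_confs "$tmp"
echo "== before.conf"; audit_vsftpd_conf "$tmp/before.conf" || echo "$? finding(s)"
echo "== after.conf";  audit_vsftpd_conf "$tmp/after.conf" && echo "all checks passed"
rm -rf "$tmp"
```

Run it against the real file after the restart to confirm that no finding is reported; the passive range check expects pasv_min_port and pasv_max_port to match the ports opened on the firewall.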
Configure virtual user FTP
The FTP server configured above has one characteristic: its FTP users are also system users. This is an obvious security risk, because these users can access not only FTP but also other system resources. How can this be solved? The answer is an FTP server with virtual users. A virtual user can only use the FTP service the server provides and cannot access other resources of the system. So if you want users to have write permission on the FTP site but no access to other system resources, virtual users improve the system's security.
In VSFTP, virtual users are authenticated against a separate password database file (pam_userdb) through the Pluggable Authentication Modules (PAM). This method is more secure and more flexible to configure.
The configuration process is described below.
1. Generate the virtual user password database file. To create it, first write a text file in the following format: odd lines contain user names and even lines contain the corresponding passwords:
2. Generate the password database file and change its permissions:
3. Create a new PAM file for the virtual users, adding the following two lines:
4. Create the virtual user, set the directory the user will access, and set the permissions with which the virtual user accesses it:
After this step, /ftpsite is the home directory of the user virtual_user, who is also the owner of /ftpsite. Apart from root, only that user has read, write and execute permission on the directory.
5. Generate a test file. First switch to the virtual_user identity, then create a file in the /ftpsite directory:
6. Edit the /etc/vsftpd/ file so that its entire content is as follows (comments removed):
In the above configuration, guest_enable=YES enables virtual users; guest_username=virtual maps virtual users to the local user virtual, so that after logging in a virtual user lands in that local user's directory /ftpsite; pam_service_name= specifies which PAM configuration file to use.
7. Restart VSFTP:
#service vsftpd restart
8. Test with the virtual user gou (an account that does not exist in Linux):
Test downloading a file, mytest, from the server directory:
Test uploading a file from the local directory:
Virtual users without a system account can thus upload and download successfully. However, the virtual FTP server only allows virtual users to log in; other system users cannot. For example, the system user user1 is not a virtual user, so it cannot log in to the virtual server.
On the virtual FTP server, each user's permissions can also be set individually. To do so, add the following line to the /etc/ file:
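Step 1 above only describes the odd/even-line format of the password source file, and the whole point of the virtual-user setup is that these names are not system accounts. As an added example (not part of the original tutorial), the script below checks such a file before the database is generated in step 2: it reports a missing password line, empty lines, duplicate names, very short passwords and virtual user names that coincide with accounts in a passwd file. The file names, the 8-character threshold and the sample data are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the plain-text
# source of the virtual-user password database before it is converted in step 2.
# Format as described above: odd lines are user names, even lines are passwords.

# check_vuser_list LIST PASSWD: print one line per problem and return their count.
check_vuser_list() {
    list=$1
    passwd=$2
    problems=0
    lines=$(awk 'END { print NR }' "$list")
    if [ $((lines % 2)) -ne 0 ]; then
        echo "odd number of lines ($lines): the last user name has no password line"
        problems=$((problems + 1))
    fi
    if grep -q '^$' "$list"; then
        echo "empty line(s) found: every line must be a user name or a password"
        problems=$((problems + 1))
    fi
    users=$(awk 'NR % 2 == 1' "$list")
    dups=$(printf '%s\n' "$users" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate user name(s): $dups"; problems=$((problems + 1)); }
    # Password lines shorter than 8 characters (threshold is this example's choice).
    weak=$(awk 'NR % 2 == 0 && length($0) < 8 { print NR }' "$list")
    [ -z "$weak" ] || { echo "short password(s) on line(s): $(echo $weak)"; problems=$((problems + 1)); }
    # Virtual users should stay distinct from the system accounts in PASSWD.
    for u in $users; do
        if cut -d: -f1 "$passwd" | grep -qx "$u"; then
            echo "virtual user '$u' is also a system account: keep the two sets distinct"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_sample_data DIR: constructed input, not from any real system. The tutorial's
# user gou plus user1, and a minimal passwd file in which user1 already exists.
make_sample_data() {
    printf 'gou\nSecretPass1\nuser1\nshort\n' > "$1/logins.txt"
    printf 'root:x:0:0:root:/root:/bin/bash\nuser1:x:501:501::/home/user1:/bin/bash\n' > "$1/passwd"
}

tmp=$(mktemp -d)
make_sample_data "$tmp"
check_vuser_list "$tmp/logins.txt" "$tmp/passwd" || echo "$? problem(s) found"
rm -rf "$tmp"
```

On a real host, pass /etc/passwd as the second argument so the check runs against the actual system accounts.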
user_config_dir=user configuration file directory
Then create the corresponding user configuration file in that directory, for example a configuration file for the above user gou (assuming the configuration file directory is /etc/user_config_dir):
Restart the FTP server and log in as gou again; the account no longer has permission to upload.