[Linux Services] vsftpd File Transfer Protocol

vsftpd file transfer protocol

System environment: CentOS Linux release 7.6.1810 (Core)

I. Brief Introduction

FTP is the File Transfer Protocol. vsftpd (Very Secure FTP Server) is FTP server software that runs on the Linux operating system.

vsftpd provides three login modes: 1. anonymous login; 2. local user login; 3. virtual user login.

The characteristics of vsftpd:

1) High security

2) Bandwidth limitation

3) Create virtual users

4) IPV6 support

5) Medium-to-high performance.

6) Distributable Virtual IP

7) High Speed

Two channels are used in an FTP session:

1) Control channel: the channel for communicating with the FTP server; FTP commands are sent over the control channel.

2) Data channel: the channel used with the FTP server for file transfers and directory listings.

II. Working Principle

In Ftp protocol, the control connection is initiated by the client, and the data connection has two working modes: Port and Pasv.

Port mode (active mode) -> default

The FTP client first establishes a connection to TCP port 21 of the FTP server and sends commands through it. When the client wants to receive data, it sends a PORT command on this channel. The PORT command tells the server which port (one above 1024) the client will use to receive data. When transferring data, the server sends from its own TCP port 20. In this mode the data connection is therefore established from the server to the client.

Port interaction process:

Client side: the client connects to port 21 of the server, sends the username and password, and sends a PORT command carrying a random port above 1024, indicating active mode and that the random port has been opened.

Server side: after receiving the PORT command and the port number from the client, the server connects from its own port 20 to the client's random port and then carries out the data transfer.

Pasv mode (passive mode)

Similar to Port mode, but when the client sends a PASV command over the control channel, the FTP server opens a random port between 1024 and 5000 and tells the client to send its data request to that port. The FTP server then transfers data through this port. In this mode the data connection is established from the client to the server.

Pasv interaction process:

Client: the client connects to port 21 of the server and sends the username, password and a PASV command, indicating passive mode.

Server: after receiving the PASV command from the client, the server tells the client which random port above 1024 it has opened; the client then connects to that random server port and the data transfer takes place.

From the server's point of view in the C/S model, PORT mode is OUTBOUND (the server initiates the data connection) and PASV mode is INBOUND. Pay special attention to this, particularly in enterprises that use firewalls: this point is critical, and if the rules are set wrongly, clients will not be able to connect.
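As an added example (not from the original post), the following Python parses the 227 reply that vsftpd returns to PASV, in the form seen in the test session later on this page, builds the PORT command a client sends in active mode, and shows the checks a passive-mode client should make before opening the data connection. All function names are my own; the host and port values are taken from this page or constructed.

```python
import re
from ipaddress import IPv4Address

# The 227 reply vsftpd sends to PASV, as seen in the test session on this
# page, e.g. "227 Entering Passive Mode (106,53,73,200,241,96)."
PASV_REPLY = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 PASV reply.

    The six numbers are h1,h2,h3,h4,p1,p2: the data host is h1.h2.h3.h4
    and the data port is p1 * 256 + p2.
    """
    m = PASV_REPLY.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(n) for n in m.group(1).split(","))
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV reply contains a number larger than 255")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def build_port_command(host: str, port: int) -> str:
    """Build the PORT command a client sends in active mode, announcing the
    host and port (above 1024) on which it will accept the data connection."""
    octets = str(IPv4Address(host)).split(".")  # raises on a bad address
    if not 1024 < port <= 65535:
        raise ValueError(f"client data port must be above 1024: {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def data_host_is_trusted(control_host: str, pasv_host: str) -> bool:
    """Check a passive-mode client should make before connecting: the data
    host advertised in the 227 reply should be the server the control
    connection is already talking to. A different address would send the
    client's data connection (and the file) somewhere else."""
    return IPv4Address(control_host) == IPv4Address(pasv_host)


def pasv_port_in_range(port: int, low: int = 1024, high: int = 5000) -> bool:
    """True when the advertised data port lies inside the range the firewall
    is expected to allow inbound. The 1024-5000 default is the range given
    in the text above; on vsftpd the range is set with pasv_min_port and
    pasv_max_port."""
    return low <= port <= high
```

Note that the replies captured later on this page advertise ports 61792 and 23533, outside the 1024-5000 range the text mentions, which is exactly why the inbound firewall rule for passive mode must match the range the server is actually configured to use.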

III. Installing vsftpd

1. Install vsftpd related components

[root@VM_0_10_centos shellScript]# yum -y install vsftpd*

2. Installing PAM service-related components

[root@VM_0_10_centos shellScript]# yum -y install pam*

Error reported when installing pam:

--> Finished Dependency Resolution
Error: Package: 2:postfix-2.10.1-7.el7.x86_64 (@anaconda)
           Requires: libmysqlclient.so.18(libmysqlclient_18)(64bit)
Error: Package: libmapi-7.1.14-3.el7.x86_64 (epel)
           Requires: libmysqlclient.so.18(libmysqlclient_18)(64bit)
Error: Package: libmapi-7.1.14-3.el7.x86_64 (epel)
           Requires: libmysqlclient.so.18()(64bit)
Error: Package: 2:postfix-2.10.1-7.el7.x86_64 (@anaconda)
           Requires: libmysqlclient.so.18()(64bit)
 You could try using --skip-broken to work around the problem
** Found 2 pre-existing rpmdb problem(s), 'yum check' output follows:
2:postfix-2.10.1-7.el7.x86_64 has missing requires of libmysqlclient.so.18()(64bit)
2:postfix-2.10.1-7.el7.x86_64 has missing requires of libmysqlclient.so.18(libmysqlclient_18)(64bit)

Solution:

The Percona-XtraDB-Cluster-shared-55-5.5.37-25.10.756.el6.x86_64.rpm package is missing.

[root@VM_0_10_centos tmp]# wget http://www.percona.com/redir/downloads/Percona-XtraDB-Cluster/5.5.37-25.10/RPM/rhel6/x86_64/Percona-XtraDB-Cluster-shared-55-5.5.37-25.10.756.el6.x86_64.rpm
[root@VM_0_10_centos tmp]# rpm -ivh Percona-XtraDB-Cluster-shared-55-5.5.37-25.10.756.el6.x86_64.rpm
warning: Percona-XtraDB-Cluster-shared-55-5.5.37-25.10.756.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID cd2efd2a: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:Percona-XtraDB-Cluster-shared-55-################################# [100%]

Reference website: https://blog.csdn.net/debimeng/article/details/78143071

Finally, run the pam installation again:

# yum -y install pam*

3. Install the db4 component packages

These are used to support file databases.

[root@VM_0_10_centos tmp]# yum -y install db4*

IV. System Accounts

1. Create the host user for the vsftpd service

The default host user of the vsftpd service is root, which does not meet security requirements. Here a user named vsftpd is created to serve as the host user that supports vsftpd. Since this user exists only to support the vsftpd service, it does not need to log in to the system, so it is created as a user who cannot log in.

Reference website: https://blog.csdn.net/danson_yang/article/details/65629948

[root@VM_0_10_centos tmp]# useradd vsftpd -s /sbin/nologin

Setting the login shell to /sbin/nologin prevents the user from logging in to the system, including via ssh.

2. Create the vsftpd virtual host user

[root@VM_0_10_centos tmp]# useradd vrvsftpd -s /sbin/nologin

Virtual users are not system users; that is, these FTP users do not exist in the system. In fact, all of their privileges are concentrated on one system user. The so-called virtual host user of vsftpd is that host user, which supports all virtual users. Because it backs every FTP virtual user, its own rights affect all of them. Therefore, for security, we must pay close attention to controlling this user's rights. The user has absolutely no need to log in to the system, so it is also created as a user who cannot log in.

V. Modifying the vsftpd configuration file

1. Backup before editing configuration files

[root@VM_0_10_centos tmp]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup

The contents are as follows:

[root@VM_0_10_centos tmp]# cat /etc/vsftpd/vsftpd.conf

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# anonymous_enable=YES
# Setting no anonymous access
anonymous_enable=NO

#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# Enable local user access. PS: this mainly matters for the virtual host user: if this item is set to NO, none of the virtual users will be able to log in.
local_enable=YES

#
# Uncomment this to enable any form of FTP write command.
# Allow write operations
write_enable=YES

#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# Set the permission mask for uploaded files
local_umask=022

#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
# Prohibit anonymous users from uploading files
anon_upload_enable=NO

#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Prohibit anonymous users from creating directories
anon_mkdir_write_enable=NO

#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Enable directory messages
dirmessage_enable=YES

#
# Activate logging of uploads/downloads.
# Open Logging Function
xferlog_enable=YES

#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Use port 20 for the data connection
connect_from_port_20=YES

#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# Do not change the owner of uploaded files
chown_uploads=NO

#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
# Set the vsftpd log file path. PS: this file does not exist by default and must be created manually.
# Since the vsftpd host user is changed manually to vsftpd below, make sure that user has write permission on the log.
xferlog_file=/var/log/vsftpd.log

#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# Setting logs using standard record formats
xferlog_std_format=YES

#
# You may change the default value for timing out an idle session.
# Set the idle connection timeout time, using the default here.
# Leave specific values for each specific user to specify, but if not, use the default value of 600, unit seconds.
#idle_session_timeout=600

#
# You may change the default value for timing out a data connection.
# Set the maximum continuous transmission time for a single transmission. The default is used here.
# Leave specific values for each specific user to specify, of course, if not specified, the default value here is 120, unit seconds.
#data_connection_timeout=120

#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
# Set the host user supporting Vsftpd service as the manually established Vsftpd user.
# PS: Once you make a change to the host user, you must pay attention to a read-write authorization problem related to the service. For example, the log file must give the user write permission and so on.
nopriv_user=vsftpd

#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# Setting up support for asynchronous transmission function
async_abor_enable=YES

#
# ASCII mangling is a horrible feature of the protocol.
# Setting up upload and download functions to support ASCII mode
ascii_upload_enable=YES
ascii_download_enable=YES

#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
# Setting logon slogans for vsftpd
ftpd_banner=This Vsftp server supports virtual users ^_^

#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# Users are not allowed to leave their FTP home directory
chroot_list_enable=NO

# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
# Users are prohibited from using "ls -R" after logging in to FTP. This command can cause huge overhead on the server; if it were allowed, several users running it at the same time would threaten the server.
ls_recurse_enable=NO

#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# listen=NO
# Set the vsftpd service to work in standalone mode.
# By the way, standalone mode means the service has its own daemon.
# With ps -A you will see vsftpd's own daemon. If you do not want standalone mode, you can choose super-daemon mode.
# In that mode vsftpd has no daemon of its own and is entirely proxied by the super-daemon xinetd, and at the same time many vsftpd functions are unavailable.
listen=YES

#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!

# listen_ipv6=YES
# Set the PAM service name used for vsftpd authentication, so PAM validation will use the configuration file /etc/pam.d/vsftpd.
pam_service_name=vsftpd
# Enable userlist_file; users listed in it are not allowed to use FTP.
userlist_enable=YES
# Enable support for TCP Wrappers.
tcp_wrappers=YES

# These are important configuration projects for Vsftpd virtual user support. The default Vsftpd.conf does not contain these settings, so you need to add the configuration manually.
# Enable virtual user functionality
guest_enable=YES

# Specify a virtual user host user
guest_username=vrvsftpd

# Give virtual users the permissions of their host user.
virtual_use_local_privs=YES

# Set the directory holding the per-user vsftpd configuration files of virtual users.
# That is, each virtual user's profile is stored in this directory. Note that each profile's file name must be identical to the virtual user's name.
user_config_dir=/etc/vsftpd/vconf

3. Create the vsftpd log file and make it owned by the vsftpd service host user

[root@VM_0_10_centos tmp]# touch /var/log/vsftpd.log
[root@VM_0_10_centos tmp]# chown vsftpd.vsftpd /var/log/vsftpd.log

4. Create the storage path for virtual user profiles

[root@VM_0_10_centos tmp]# mkdir /etc/vsftpd/vconf

VI. Making Virtual User Database Files

1. First create the virtual user list file

The virtual user list file is a data file recording the usernames and passwords of vsftpd's virtual users. I name it virtusers here, and to avoid confusion with other files I put it under /etc/vsftpd/.

[root@VM_0_10_centos tmp]# touch /etc/vsftpd/virtusers

2. Edit the virtual user list file

The format is "one line of username, one line of password".

[root@VM_0_10_centos tmp]# cat /etc/vsftpd/virtusers
zs
<password for zs>
thy
<password for thy>

3. Generating Virtual User Data Files

db_load is mainly used to generate a db database. For vsftpd's virtual user setup, first create a new file users.txt and put the usernames and passwords into it.

Then run: db_load -T -t hash -f */users.txt */users.db

PS: * represents the directory.

This generates the users.db file (a hash-format database file).

Reference website: http://blog.itpub.net/20943428/viewspace-661714/

[root@VM_0_10_centos tmp]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db

Parameters:

Option -T allows an application to translate a text file into a database. Since we store the virtual users' information in a text file, this option is required so that vsftpd, as an application, can load the user data from text.

Sub-option -t, appended after -T, specifies the type of database to be translated and loaded. Per the extended documentation, -t can specify the Btree, Hash, Queue and Recno database types.

PS: If you specify option -T, you must also give sub-option -t.

4. Look at the generated virtual user data file

[root@VM_0_10_centos tmp]# ll /etc/vsftpd/virtusers.db 
-rw-r--r-- 1 root root 12288 Oct  9 11:02 /etc/vsftpd/virtusers.db

PS: When adding virtual users later, you only need to append the new usernames and passwords to the virtual user list file in the same "one line username, one line password" format. But that alone is not enough and will not work: you must also run "db_load -T -t hash -f <virtual user list file> <virtual user database file>.db" again for the change to take effect!
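The following Python is an added example, not part of the original post: it validates the virtusers list in the "one line username, one line password" format before running the same db_load command as above, and then restricts both files to root, since pam_userdb as configured later on this page (no crypt= option) compares the passwords stored in the database in clear text. Function names are my own; the paths default to the ones used on this page.

```python
import os
import shutil
import stat
import subprocess
from pathlib import Path

# Paths used on this page; override them when the layout differs.
VIRTUSERS_LIST = "/etc/vsftpd/virtusers"
VIRTUSERS_DB = "/etc/vsftpd/virtusers.db"


def parse_virtusers(text: str) -> dict[str, str]:
    """Parse the "one line username, one line password" list into a dict.

    Rejects an empty file, blank lines, leading/trailing whitespace (or a
    stray carriage return), an odd line count (a user with no password) and
    a username listed twice. db_load accepts all of these silently, and the
    resulting database then does not do what the list suggests.
    """
    lines = text.split("\n")
    if lines and lines[-1] == "":  # tolerate one trailing newline
        lines.pop()
    if not lines:
        raise ValueError("virtusers list is empty")
    if len(lines) % 2:
        raise ValueError("odd number of lines: the last user has no password")
    users: dict[str, str] = {}
    for lineno, line in enumerate(lines, start=1):
        if line == "":
            raise ValueError(f"line {lineno}: blank line")
        if line != line.strip():
            raise ValueError(f"line {lineno}: leading/trailing whitespace")
        if lineno % 2 == 1:  # odd lines are usernames, even lines passwords
            if line in users:
                raise ValueError(f"line {lineno}: duplicate user {line!r}")
            users[line] = lines[lineno]  # the password is the next line
    return users


def db_is_private(path: str) -> bool:
    """True when the file is not readable or writable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def build_virtusers_db(list_path: str = VIRTUSERS_LIST,
                       db_path: str = VIRTUSERS_DB) -> int:
    """Validate the list, run db_load exactly as on this page, and lock the
    files down. Returns the number of users loaded."""
    users = parse_virtusers(Path(list_path).read_text())
    if shutil.which("db_load") is None:
        raise RuntimeError("db_load not found: install the db4 utilities")
    subprocess.run(["db_load", "-T", "-t", "hash", "-f", list_path, db_path],
                   check=True)
    # The list and the .db both hold the passwords in clear text, so the
    # -rw-r--r-- shown above would expose every virtual user's password to
    # any local account. Keep both readable by root only.
    os.chmod(db_path, stat.S_IRUSR | stat.S_IWUSR)
    os.chmod(list_path, stat.S_IRUSR | stat.S_IWUSR)
    return len(users)
```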

VII. Set up the PAM validation file and point it at the virtual user database

1. Look at the original PAM validation profile of vsftpd

[root@VM_0_10_centos tmp]# cat /etc/pam.d/vsftpd 
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required    pam_shells.so
auth       include    password-auth
account    include    password-auth
session    required     pam_loginuid.so
session    include    password-auth

2. Backup before editing

[root@VM_0_10_centos tmp]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup
[root@VM_0_10_centos tmp]# vi /etc/pam.d/vsftpd

The contents are as follows:

[root@VM_0_10_centos tmp]# vi /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
# The following two lines are added manually to authenticate virtual users and check their account privileges.
# Here auth means authenticating the user's username and password.
auth    sufficient      /usr/lib64/security/pam_userdb.so     db=/etc/vsftpd/virtusers
# Here account refers to checking what permissions and restrictions apply to the user's account.
# "sufficient" means a sufficient condition: once validation succeeds here, the remaining validation steps below are skipped.
# Conversely, if it fails, the system does not reject the user immediately, because a failed "sufficient" module does not by itself fail the whole authentication; the user must then pass the remaining validation steps.
account sufficient /usr/lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
# /usr/lib64/security/pam_userdb.so indicates that the check calls the pam_userdb.so module.
# db=/etc/vsftpd/virtusers tells that module which database to validate against.
auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required    pam_shells.so
auth       include    password-auth
account    include    password-auth
session    required     pam_loginuid.so
session    include    password-auth

VIII. Configuring virtual users

1. Plan the main path for virtual users

[root@VM_0_10_centos tmp]# mkdir /opt/vsftpd

2. Create the FTP directories for the test users

[root@VM_0_10_centos tmp]# mkdir /opt/vsftpd/{zs,thy}
[root@VM_0_10_centos tmp]# ls /opt/vsftpd/
thy  zs

3. Create the virtual user profile template

[root@VM_0_10_centos tmp]# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp

4. Customize the virtual user template profile

[root@VM_0_10_centos tmp]# vi /etc/vsftpd/vconf/vconf.tmp 
# Specify the virtual user's specific primary path.
local_root=/opt/vsftpd/virtuser
# Settings do not allow anonymous user access.
anonymous_enable=NO
# Set allowable write operations.
write_enable=YES
# Set the permission mask for uploading files.
local_umask=022
# Settings do not allow anonymous users to upload.
anon_upload_enable=NO
# Settings do not allow anonymous users to create directories.
anon_mkdir_write_enable=NO
# Set the idle connection timeout time.
idle_session_timeout=600
# Set the maximum time for a single continuous transmission.
data_connection_timeout=120
# Set the number of concurrent client access.
max_clients=10
# Set the maximum number of connections (threads) from a single client IP; this mainly accommodates multi-threaded download tools such as FlashGet and Thunder.
max_per_ip=5
# Set the user's maximum transfer rate in bytes/s.
local_max_rate=50000

The original vsftpd.conf is simplified and saved as the template for virtual user profiles. The main framework and constraints are defined by vsftpd's main configuration file, vsftpd.conf: any configuration item not mentioned in a virtual user's profile falls back to the setting in the main configuration file. So, as a template for virtual user profiles, only the flow-control and access-mode items are needed. The key item is local_root, which specifies the FTP home path of the virtual user.

5. Change the ownership of the virtual user's home directory to the virtual host user:

[root@VM_0_10_centos tmp]# chown -R vrvsftpd.vrvsftpd /opt/vsftpd/
[root@VM_0_10_centos tmp]# ll /opt/vsftpd/
total 8
drwxr-xr-x 2 vrvsftpd vrvsftpd 4096 Oct  9 11:24 thy
drwxr-xr-x 2 vrvsftpd vrvsftpd 4096 Oct  9 11:24 zs

IX. Customizing the test user

1. Copy the virtual user template profile

[root@VM_0_10_centos tmp]# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/thy

2. Customize it for the specific user

[root@VM_0_10_centos tmp]# vi /etc/vsftpd/vconf/thy 
# Specify the virtual user's specific primary path.
local_root=/opt/vsftpd/thy
# Settings do not allow anonymous user access.
anonymous_enable=NO
# Set allowable write operations.
write_enable=YES
# Set the permission mask for uploading files.
local_umask=022
# Settings do not allow anonymous users to upload.
anon_upload_enable=NO
# Settings do not allow anonymous users to create directories.
anon_mkdir_write_enable=NO
# Set the idle connection timeout time.
idle_session_timeout=300
# Set the maximum time for a single continuous transmission.
data_connection_timeout=90
# Set the number of concurrent client access.
max_clients=1
# Set the maximum number of connections (threads) from a single client IP; this mainly accommodates multi-threaded download tools such as FlashGet and Thunder.
max_per_ip=1
# Set the user's maximum transfer rate in bytes/s.
local_max_rate=25000

X. Starting the service

[root@VM_0_10_centos tmp]# systemctl restart vsftpd
[root@VM_0_10_centos tmp]# systemctl status vsftpd

XI. Testing

1. Pre-create a file in the virtual user directory

[root@VM_0_10_centos tmp]# touch /opt/vsftpd/thy/thy.test

2. Log in to FTP as a client from another machine

The premise is that this machine has an FTP client installed and can use the ftp command.

Solution:

Perhaps it is a PAM problem: when vsftpd.conf was configured above, PAM validation was not turned on, so turn PAM validation on.

Reference website: https://blog.csdn.net/junjunjiao/article/details/50738009

Test login:

3. Test the list operation

Solution:

Switch from active to passive mode, then log in to FTP again:

ftp> passive
Passive mode on.

Reference website: https://blog.csdn.net/indexman/article/details/42649329

4. Test the upload operation

Reference website for parameter usage and format: https://www.jb51.net/article/124033.htm

First, create the file hello.txt in the current directory on the client machine, log in to FTP, and test the upload.

[root@VM_0_16_centos ~]# touch hello.txt
[root@VM_0_16_centos ~]# ftp
ftp> ls
227 Entering Passive Mode (106,53,73,200,241,96).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Oct 09 03:51 thy.test
226 Directory send OK.
ftp> put
(local-file) hello.txt
(remote-file) ftp_hello.txt
local: hello.txt remote: ftp_hello.txt
227 Entering Passive Mode (106,53,73,200,91,237).
150 Ok to send data.
226 Transfer complete.
30 bytes sent in 3e-05 secs (1000.00 Kbytes/sec)

You can see the file just uploaded on the vsftpd server:

[root@VM_0_10_centos tmp]# ls /opt/vsftpd/thy/
ftp_hello.txt  thy.test

5. Test creating a directory

ftp> mkdir ftp_test
257 "/opt/vsftpd/thy/ftp_test" created

6. Test the download operation

To download a file, it must exist on the vsftpd server:

ftp> get thy.test
local: thy.test remote: thy.test
227 Entering Passive Mode (106,53,73,200,245,241).
150 Opening BINARY mode data connection for thy.test (0 bytes).
226 Transfer complete.

In /etc/vsftpd/vsftpd.conf, local_enable must be set to YES for virtual users to be able to log in; otherwise the following happens:

[root@KcentOS5 ~]# ftp
ftp> open ip address
Connected to ip address.
500 OOPS: vsftpd: both local and anonymous access disabled!

Reason: however powerful virtual users appear, they are in fact based on their host user. If the host user of the virtual users is restricted, the virtual users are restricted too.

Supplement:

500 OOPS: Error

There may be an unrecognized option in your vsftpd.conf, or a trailing space after the YES or NO of an option.
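As an added example (not from the original post), this Python linter checks a vsftpd.conf for the mistakes just described, stray whitespace and unknown option names, and also reports an option assigned more than once, which vsftpd accepts silently with the later line taking effect. The function and constant names are my own; the option names it knows are the ones used in the configuration on this page, so extend the sets for options you use.

```python
import re

# Boolean options used in the configuration on this page; this page sets
# each of them to exactly YES or NO.
BOOLEAN_OPTIONS = {
    "anonymous_enable", "local_enable", "write_enable", "anon_upload_enable",
    "anon_mkdir_write_enable", "dirmessage_enable", "xferlog_enable",
    "connect_from_port_20", "chown_uploads", "xferlog_std_format",
    "async_abor_enable", "ascii_upload_enable", "ascii_download_enable",
    "chroot_local_user", "chroot_list_enable", "ls_recurse_enable", "listen",
    "listen_ipv6", "userlist_enable", "tcp_wrappers", "guest_enable",
    "virtual_use_local_privs",
}
# Options this page sets to non-boolean values.
OTHER_OPTIONS = {
    "local_umask", "xferlog_file", "idle_session_timeout",
    "data_connection_timeout", "nopriv_user", "ftpd_banner",
    "pam_service_name", "guest_username", "user_config_dir", "local_root",
    "max_clients", "max_per_ip", "local_max_rate",
}
KNOWN_OPTIONS = BOOLEAN_OPTIONS | OTHER_OPTIONS
SETTING = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")


def lint_vsftpd_conf(text: str) -> list[str]:
    """Return a list of "line N: problem" strings for a vsftpd.conf text.

    Reports leading/trailing whitespace on a setting line, lines that are
    not option=value, option names not in KNOWN_OPTIONS, boolean options
    whose value is not exactly YES or NO, and options set more than once.
    """
    problems: list[str] = []
    seen: dict[str, tuple[int, str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "" or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line != line.strip():
            problems.append(f"line {lineno}: leading/trailing whitespace "
                            f"in {line!r}")
            line = line.strip()
        m = SETTING.match(line)
        if m is None:
            problems.append(f"line {lineno}: not of the form option=value: "
                            f"{line!r}")
            continue
        option, value = m.group(1), m.group(2)
        if option not in KNOWN_OPTIONS:
            problems.append(f"line {lineno}: unrecognised option {option!r}")
        elif option in BOOLEAN_OPTIONS and value not in ("YES", "NO"):
            problems.append(f"line {lineno}: {option} expects YES or NO, "
                            f"got {value!r}")
        if option in seen:
            first_line, first_value = seen[option]
            problems.append(f"line {lineno}: {option} already set on line "
                            f"{first_line} ({first_value!r}); the later "
                            f"line overrides it")
        else:
            seen[option] = (lineno, value)
    return problems
```

Run against the main configuration above it flags the indented settings and the option that is assigned twice, both of which are easy to miss by eye.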

550 permission error: unable to create directories or files

Solution: turn off SELinux. (The comments in vsftpd.conf above name the SELinux booleans allow_ftpd_anon_write and allow_ftpd_full_access as the targeted alternative that keeps SELinux enforcing.)

# vi /etc/selinux/config

Change the line SELINUX=XXX (XXX being the current enforcement level) to:

SELINUX=disabled

The system must be restarted after modifying this configuration file.

7. Access through a browser

ftp://106.53.73.200/

Enter the configured username and password.

Reference website: https://www.cnblogs.com/hhuai/archive/2011/02/12/1952647.html

Tags: Linux vsftpd ftp Session Database

Posted on Wed, 09 Oct 2019 17:11:35 -0700 by c_shelswell