vsftpd basics
FTP active mode: PORT mode
The mode originally defined by the FTP protocol
The client sends a PORT command to the server, telling the server which temporary port the client will use for data transfer
When data needs to be transferred, the server connects from TCP port 20 to the client's temporary port to establish the data channel and complete the transfer
During data connection setup, the server is the side that initiates the connection
FTP passive mode: PASV mode
The client sends a PASV command to the server, telling the server to enter passive mode; the server picks a temporary port and reports it to the client
When data needs to be transferred, the client connects to the server's temporary port to establish the data channel and complete the transfer
Throughout, the server passively accepts the client's data connections
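As an added example (not part of the original notes), the following Python handles the two exchanges described above: it parses the 227 reply a server sends after PASV, builds the PORT command a client sends in active mode, and applies the check a careful client makes on the address a PASV reply advertises. The server address 172.20.0.131 is the lab address used later in these notes; the 227 reply text and the client address 172.20.0.5 are constructed sample values.

```python
"""Added example (not from the original notes): parsing and building the
FTP data-connection commands for active (PORT) and passive (PASV) mode.

PASV: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
      the client then connects to h1.h2.h3.h4 on port p1*256+p2.
PORT: client sends "PORT h1,h2,h3,h4,p1,p2" naming its own listening
      address and port; the server then connects from TCP port 20.
"""
from __future__ import annotations

import ipaddress
import re

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; raise ValueError on anything else."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Build the PORT command the client sends in active mode."""
    addr = ipaddress.IPv4Address(host)  # raises on non-IPv4 input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    h = ",".join(str(b) for b in addr.packed)
    return f"PORT {h},{port // 256},{port % 256}"


def safe_pasv_target(control_host: str, reply: str) -> tuple[str, int]:
    """Client-side check: connect to the advertised PASV address only if it is
    the host the control connection already talks to. A server behind NAT
    commonly advertises a private address, and a misconfigured or hostile
    one can point the client at a third party; in both cases the control
    host plus the advertised port is the safer target (curl's
    --ftp-skip-pasv-ip applies the same rule)."""
    host, port = parse_pasv_reply(reply)
    if host != control_host:
        return control_host, port
    return host, port


if __name__ == "__main__":
    # Constructed sample exchange with the lab server address used in these notes
    reply = "227 Entering Passive Mode (172,20,0,131,195,88)."
    print(parse_pasv_reply(reply))                   # ('172.20.0.131', 50008)
    print(build_port_command("172.20.0.5", 50008))   # PORT 172,20,0,5,195,88
    print(safe_pasv_target("172.20.0.131",
                           "227 Entering Passive Mode (10,0,0,9,4,1)"))
```

The port arithmetic is the same in both directions (p1*256 + p2), which is why the two functions round-trip each other; the check in safe_pasv_target is the part a client library has to add on top of the protocol itself.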
FTP reply codes
125 Data connection open, transfer starting
200 Command OK
226 Data transfer complete
331 User name OK
425 Cannot open data connection
426 Data connection closed, transfer aborted
452 Error writing file
500 Syntax error, command unrecognized
vsftpd package
Main program /usr/sbin/vsftpd
Service name vsftpd
User control lists
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
Main configuration file
/etc/vsftpd/vsftpd.conf
Install and start vsftpd
[root@lab1 ~]# yum install -y vsftpd
[root@lab1 ~]# rpm -qi vsftpd
Name : vsftpd
Version : 3.0.2
Release : 25.el7
Architecture: x86_64
Install Date: Wed 08 May 2019 08:01:07 AM EDT
Group : System Environment/Daemons
Size : 361335
License : GPLv2 with exceptions
Signature : RSA/SHA256, Mon 12 Nov 2018 09:48:54 AM EST, Key ID 24c6a8a7f4a80eb5
Source RPM : vsftpd-3.0.2-25.el7.src.rpm
Build Date : Tue 30 Oct 2018 03:45:10 PM EDT
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem
Vendor : CentOS
URL : https://security.appspot.com/vsftpd.html
Summary : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.
[root@lab1 ~]# systemctl start vsftpd
[root@lab1 ~]# netstat -tunlp | grep vsftpd
tcp6 0 0 :::21 :::* LISTEN 3557/vsftpd
[root@lab1 ~]# ifconfig
ens33: flags=4163
inet 172.20.0.131 netmask 255.255.255.0 broadcast 172.20.0.255
inet6 fe80::3e66:b2a:5133:93d1 prefixlen 64 scopeid 0x20
ether 00:0c:29:b0:6e:59 txqueuelen 1000 (Ethernet)
RX packets 13167 bytes 9232182 (8.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7360 bytes 724005 (707.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 69 bytes 6065 (5.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69 bytes 6065 (5.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Copy a file into the default directory
[root@lab1 ~]# cd /var/ftp/pub
[root@lab1 pub]# cp /etc/fstab ./
View the default configuration file
[root@lab1 ~]# grep -v ^# /etc/vsftpd/vsftpd.conf | grep -v ^$
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Disable anonymous login
[root@lab1 ~]# vim /etc/vsftpd/vsftpd.conf
[root@lab1 ~]# grep ^anonymous /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
[root@lab1 ~]# systemctl restart vsftpd
Test an FTP connection
[root@lab1 ~]# useradd test01
[root@lab1 ~]# echo "redhat" | passwd --stdin test01
Changing password for user test01.
passwd: all authentication tokens updated successfully.
[root@lab1 ~]# ftp 172.20.0.131
Connected to 172.20.0.131 (172.20.0.131).
220 (vsFTPd 3.0.2)
Name (172.20.0.131:root): test01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/test01"
ftp> help
Commands may be abbreviated. Commands are:
! debug mdir sendport site
$ dir mget put size
account disconnect mkdir pwd status
append exit mls quit struct
ascii form mode quote system
bell get modtime recv sunique
binary glob mput reget tenex
bye hash newer rstatus tick
case help nmap rhelp trace
cd idle nlist rename type
cdup image ntrans reset user
chmod lcd open restart umask
close ls prompt rmdir verbose
cr macdef passive runique ?
delete mdelete proxy send
ftp> status
Connected to 172.20.0.131.
No proxy connection.
Mode: stream; Type: binary; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off
ftp> exit
221 Goodbye.
Test an anonymous user connection
[root@lab1 pub]# ftp 172.20.0.131
Connected to 172.20.0.131 (172.20.0.131).
220 (vsFTPd 3.0.2)
Name (172.20.0.131:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Adjust anonymous user permissions
[root@lab1 pub]# ll
total 4
-rw-r--r-- 1 root root 465 May 8 08:08 fstab
[root@lab1 pub]# grep ^anon /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@lab1 ~]# vim /etc/vsftpd/vsftpd.conf
[root@lab1 ~]# grep ^anon_ /etc/vsftpd/vsftpd.conf
anon_other_write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@lab1 pub]# systemctl restart vsftpd
Set the connection banner
[root@lab1 ~]# vim /etc/vsftpd/vsftpd.conf
[root@lab1 ~]# grep ^banner /etc/vsftpd/vsftpd.conf
banner_file=/var/vsftpd_banner_file
[root@lab1 ~]# systemctl start vsftpd
[root@lab1 ~]# vim /var/vsftpd_banner_file
[root@lab1 ~]# cat /var/vsftpd_banner_file
###################
hello world !
###################
[root@lab1 ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220-###################
220-hello world !
220-###################
220
Name (127.0.0.1:root):
Configure access control based on local users
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
Local users listed in the file /etc/vsftpd.user_list cannot access the FTP server, while all other local users can
chroot options
In the default configuration, local users can change to directories outside their home directory and browse them, and can download and upload wherever file permissions allow, which is rather insecure.
Specific options
chroot_local_user
chroot_list_enable
chroot_list_file
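As an added example (not part of the original notes), the Python below models how vsftpd interprets the userlist_* and chroot_* options listed above, and also reports which anonymous write options from the earlier sections are switched on. The semantics follow the vsftpd.conf(5) man page: with userlist_deny=YES (the default) userlist_file is a deny list, and with userlist_deny=NO it is an allow list, so only the listed users may log in; with chroot_local_user=YES every local user is confined and chroot_list_file names the exceptions, while with chroot_local_user=NO the list names the users that are confined. The configuration text, the user-list and chroot-list contents and the user names are constructed sample values; the option values mirror the ones shown in these notes.

```python
"""Added example (not from the original notes): a small model of how vsftpd
applies userlist_* and chroot_* options, following the option semantics
documented in vsftpd.conf(5). It reads vsftpd.conf-style text and answers
"may this local user log in?" and "is this user confined to the home
directory?" so a configuration can be reviewed before the service is restarted.
"""
from __future__ import annotations

# Defaults as documented in vsftpd.conf(5)
DEFAULTS = {
    "userlist_enable": "NO",
    "userlist_deny": "YES",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines on top of the defaults; '#' comments and blank lines are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf: dict[str, str], key: str) -> bool:
    return conf.get(key, "NO").upper() == "YES"


def login_allowed(conf: dict[str, str], user_list: set[str], user: str) -> bool:
    """userlist_deny=YES: the file is a deny list.
    userlist_deny=NO:  the file is an allow list; everyone else is refused."""
    if not _yes(conf, "userlist_enable"):
        return True
    listed = user in user_list
    return not listed if _yes(conf, "userlist_deny") else listed


def is_chrooted(conf: dict[str, str], chroot_list: set[str], user: str) -> bool:
    """chroot_local_user=YES: everyone is confined; with chroot_list_enable=YES
    the list names the exceptions. chroot_local_user=NO: nobody is confined
    unless chroot_list_enable=YES, in which case the list names who is."""
    listed = _yes(conf, "chroot_list_enable") and user in chroot_list
    return not listed if _yes(conf, "chroot_local_user") else listed


def anonymous_write_risks(conf: dict[str, str]) -> list[str]:
    """Anonymous write options enabled on top of anonymous_enable=YES."""
    if not _yes(conf, "anonymous_enable"):
        return []
    return [k for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                        "anon_other_write_enable") if _yes(conf, k)]


# Constructed sample configuration using the option values shown in these notes
SAMPLE_CONF = """
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""
SAMPLE_USER_LIST = {"test01"}    # constructed contents of userlist_file
SAMPLE_CHROOT_LIST = {"admin"}   # constructed contents of chroot_list_file

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for u in ("test01", "alice", "admin"):
        print(u, "login:", login_allowed(conf, SAMPLE_USER_LIST, u),
              "chrooted:", is_chrooted(conf, SAMPLE_CHROOT_LIST, u))
    print("anonymous write options:", anonymous_write_risks(conf))
```

Running the sample shows the two list options pulling in opposite directions: test01 is the only user who can log in (userlist_deny=NO), and admin is the only local user who is not confined to the home directory (chroot_local_user=YES with admin in the chroot list). Flipping userlist_deny to YES inverts the login result for the same list, which is the check worth making against the real /etc/vsftpd/vsftpd.conf before restarting vsftpd.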