Details on CentOS7 FTP service setup (virtual user access to FTP service)

  • 2020-05-15 03:25:20
  • OfStack

Overview

Recently I have been working on Oracle clusters on Linux, and as a Linux beginner I found that moving files in and out of a Linux system is hard to avoid without an FTP service, so I am writing up how to set up an FTP server on CentOS 7. The FTP server needs the vsftpd package. When creating vsftpd users, the usual approach is to create a Linux user with useradd and let that user access FTP. Sometimes, however, we only want to provide the FTP service and prevent the FTP account from logging in to the Linux system itself. The useradd approach can restrict what the user may access, but it still cannot stop that user from logging in to the Linux system, so the better method is to use vsftpd virtual users.

Configuring FTP with virtual users

1. Configure the firewall to open the ports the FTP server needs

CentOS 7.0 uses firewalld as its firewall by default; here it is replaced with the iptables firewall.

1. Stop firewalld:


systemctl stop firewalld.service # stop firewalld

systemctl disable firewalld.service # prevent firewalld from starting at boot

2. Install the iptables firewall


yum install iptables-services # install iptables

vi /etc/sysconfig/iptables # edit the firewall configuration file and add the two rules below. Note: port 21 is the FTP service port; 10060 to 10090 is the port range vsftpd needs for passive mode, which can be any custom range of TCP ports above 1024

 -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT 

 -A INPUT -m state --state NEW -m tcp -p tcp --dport 10060:10090 -j ACCEPT

 :wq! # save and exit

 systemctl restart iptables.service # finally restart the firewall so the configuration takes effect

 systemctl enable iptables.service # start the firewall at boot

2. Disable SELinux


vi /etc/selinux/config

#SELINUX=enforcing # comment out

#SELINUXTYPE=targeted # comment out

SELINUX=disabled # add this line

:wq! # save and exit

setenforce 0 # make the change take effect immediately

3. Install vsftpd


rpm -qc vsftpd # check whether vsftpd is installed

yum install -y vsftpd # install vsftpd

yum install -y psmisc net-tools systemd-devel libdb-devel perl-DBI # install the dependency packages needed for vsftpd virtual user configuration

systemctl start vsftpd.service # start vsftpd

systemctl enable vsftpd.service # start vsftpd at boot

4. Create the system user vsftpd


useradd vsftpd -d /home/wwwroot -s /bin/false # the home directory is /home/wwwroot; the login shell is set to /bin/false so the user cannot log in to the system

chown vsftpd:vsftpd /home/wwwroot -R

5. Set up each virtual user's own vsftpd configuration file and FTP permissions


mkdir /etc/vsftpd/vconf

cd /etc/vsftpd/vconf

touch web1 # create the configuration file for the virtual user web1

mkdir -p /home/wwwroot/web1/http/mydic

 # Set the permissions used for FTP uploads: recent vsftpd versions refuse to chroot a user into a home directory that is writable, so the FTP root directory gets 755 and the subdirectory below it gets 777

 chmod -R 755 /home/wwwroot/web1/http
 chmod -R 777 /home/wwwroot/web1/http/mydic
vi web1 # edit the configuration file for user web1 (other users' files follow the same pattern) and enter the following

 local_root=/home/wwwroot/web1/http/  # the FTP account's root directory

 write_enable=YES

 anon_world_readable_only=NO

 anon_upload_enable=YES

 anon_mkdir_write_enable=YES

 anon_other_write_enable=YES
:wq! # save and exit

6. Configure the vsftpd server


cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf-bak # back up the default configuration file

Execute the following commands to apply the settings:


sed -i "s/anonymous_enable=YES/anonymous_enable=NO/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#anon_upload_enable=YES/anon_upload_enable=NO/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#chown_uploads=YES/chown_uploads=NO/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#async_abor_enable=YES/async_abor_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#ascii_upload_enable=YES/ascii_upload_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#ascii_download_enable=YES/ascii_download_enable=YES/g" '/etc/vsftpd/vsftpd.conf'

sed -i "s/#ftpd_banner=Welcome to blah FTP service./ftpd_banner=Welcome to FTP service./g" '/etc/vsftpd/vsftpd.conf'

echo -e "use_localtime=YES\nlisten_port=21\nchroot_local_user=YES\nidle_session_timeout=300\ndata_connection_timeout=1\nguest_enable=YES\nguest_username=vsftpd\nuser_config_dir=/etc/vsftpd/vconf\nvirtual_use_local_privs=YES\npasv_min_port=10060\npasv_max_port=10090\naccept_timeout=5\nconnect_timeout=1" >> /etc/vsftpd/vsftpd.conf # guest_username must be the same as the system user created in step 4

Configuration file description:


anonymous_enable=NO // do not allow anonymous access
local_enable=YES // allow local users to access. Note: when virtual users are used, setting this to NO means none of the virtual users can access
chroot_list_enable=YES // users cannot leave their home directory
ascii_upload_enable=YES
ascii_download_enable=YES // enable ASCII mode upload and download
pam_service_name=vsftpd  // PAM service name; PAM authenticates against /etc/pam.d/vsftpd


# The following are the important settings for vsftpd virtual user support. The default vsftpd.conf does not contain them, so they must be added manually
guest_enable=YES // enable the virtual user function
guest_username=vsftpd // the host (system) user that virtual users are mapped to; CentOS already has a built-in ftp user, but here we map to vsftpd
user_config_dir=/etc/vsftpd/vuser_conf // directory holding each virtual user's own vsftpd configuration file (file name = virtual user name)

7. Create the virtual user list file


touch /etc/vsftpd/virtusers

Edit the virtual user list file (the account name goes on the first line and its password on the second line; note: root cannot be used as a user name, since it is reserved by the system):



8. Generate the virtual user database file



9. Add the following lines at the top of the /etc/pam.d/vsftpd file (adding them at the end has no effect)

Back up the file before making changes.



vi /etc/pam.d/vsftpd # first comment out all the existing vsftpd configuration, then add the two lines below


auth  sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers

Note: if the system is 32-bit, change lib64 above to lib, otherwise the configuration fails.
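The per-user configuration from step 5, the user/password list from step 7 and the database from step 8 can be produced and sanity-checked with a small script. This is an added example, not code from the original post; it assumes the post's paths (/etc/vsftpd/vconf, /etc/vsftpd/virtusers) and that db_load from libdb-utils is installed for the database step, and the function names check_virtusers, make_vuser_conf and build_vuser_db are my own.

```shell
#!/bin/sh
# Added example (not from the original post): validate a vsftpd virtual user
# list in the post's format (user on one line, password on the next) and
# generate the files the post creates by hand. Sample data is constructed.

# Return 0 when FILE alternates username/password lines, has no blank lines
# and never uses "root" as a username; otherwise report why and return 1.
check_virtusers() {
    awk 'BEGIN { bad = 0 }
         NF == 0 { print "blank line " NR; bad = 1 }
         NR % 2 == 1 && $1 == "root" { print "root is reserved (line " NR ")"; bad = 1 }
         END { if (NR % 2 == 1) { print "odd line count: a user has no password"; bad = 1 }
               exit bad }' "$1" >&2
}

# Write DIR/USER with the settings the post puts in /etc/vsftpd/vconf/web1,
# rooted at ROOT, so the virtual user is confined there and may upload.
make_vuser_conf() {
    dir=$1; user=$2; root=$3
    mkdir -p "$dir"
    cat > "$dir/$user" <<EOF
local_root=$root
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

# Build the Berkeley DB that pam_userdb reads (db=/etc/vsftpd/virtusers;
# pam_userdb appends ".db" itself). Both files hold plaintext passwords,
# so they are made readable by root only. Returns 2 if db_load is missing.
build_vuser_db() {
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed" >&2; return 2; }
    chmod 600 "$1" && db_load -T -t hash -f "$1" "$1.db" && chmod 600 "$1.db"
}
```

Run check_virtusers on /etc/vsftpd/virtusers before build_vuser_db, and restart vsftpd afterwards so the new database and per-user files are picked up.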

10. Finally, restart the vsftpd server



You can watch the server's security log with tail -f /var/log/secure to help analyse login errors.
