Details on CentOS7 FTP service setup (virtual user access to FTP service)
- 2020-05-15 03:25:20
- OfStack
Overview
Recently I have been working on an Oracle cluster on Linux, and Linux itself was new territory for me. Moving files in and out of a Linux host almost always involves an FTP service, so I have written up how to set one up on CentOS 7. The FTP server needs the vsftpd package. The usual way to create vsftpd users is to create ordinary Linux users with useradd and let them log in over FTP. Often, however, we only want to provide an FTP service and do not want the FTP account to be usable as a Linux login. Restricting such a user's shell limits what they can do, but it still cannot completely prevent them from logging in to the system, so the better approach is to use vsftpd virtual users.
Configuring FTP with virtual users
1. Configure the firewall to open the ports required by the FTP server
CentOS 7.0 uses firewalld as its firewall by default; here it is replaced with iptables.
1. Stop firewalld:
systemctl stop firewalld.service # stop firewalld
systemctl disable firewalld.service # do not start firewalld at boot
2. Install the iptables firewall
yum install iptables-services # install
vi /etc/sysconfig/iptables # edit the firewall configuration file and add the two rules below. Note: port 21 is the FTP control port; 10060 to 10090 is the port range used by vsftpd passive mode, which can be any custom range of TCP ports above 1024
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10060:10090 -j ACCEPT
:wq! # save and exit
systemctl restart iptables.service # finally restart the firewall so the configuration takes effect
systemctl enable iptables.service # start the firewall at boot
2. Disable SELinux
vi /etc/selinux/config
#SELINUX=enforcing # comment out
#SELINUXTYPE=targeted # comment out
SELINUX=disabled # add
:wq! # save and exit
setenforce 0 # make the change take effect immediately
3. Install vsftpd
rpm -qc vsftpd # check whether vsftpd is already installed
yum install -y vsftpd # install vsftpd
yum install -y psmisc net-tools systemd-devel libdb-devel perl-DBI # install the dependencies needed for vsftpd virtual user configuration
systemctl start vsftpd.service # start vsftpd
systemctl enable vsftpd.service # start vsftpd at boot
4. Create the system user vsftpd
useradd vsftpd -d /home/wwwroot -s /bin/false # home directory is /home/wwwroot; the login shell is set to /bin/false so the user cannot log in
chown vsftpd:vsftpd /home/wwwroot -R
5. Create the per-user configuration files for the virtual users and set the FTP directory permissions
mkdir /etc/vsftpd/vconf
cd /etc/vsftpd/vconf
touch web1 # create the configuration file for the virtual user web1
mkdir -p /home/wwwroot/web1/http/mydic
# Set the upload permissions. Recent vsftpd versions require that the chroot home directory is not writable (755); subdirectories under it can be 777
chmod -R 755 /home/wwwroot/web1/http
chmod -R 777 /home/wwwroot/web1/http/mydic
vi web1 # edit the configuration file for user web1 (the files for other users look the same); enter the following
# root directory of this FTP account (vsftpd does not accept a comment after a value, so this note stays on its own line)
local_root=/home/wwwroot/web1/http/
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
:wq! # save and exit
6. Configure the vsftpd server
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf-bak # back up the default configuration file
Run the following commands to apply the settings:
sed -i "s/anonymous_enable=YES/anonymous_enable=NO/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#anon_upload_enable=YES/anon_upload_enable=NO/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#chown_uploads=YES/chown_uploads=NO/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#async_abor_enable=YES/async_abor_enable=YES/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#ascii_upload_enable=YES/ascii_upload_enable=YES/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#ascii_download_enable=YES/ascii_download_enable=YES/g" '/etc/vsftpd/vsftpd.conf'
sed -i "s/#ftpd_banner=Welcome to blah FTP service./ftpd_banner=Welcome to FTP service./g" '/etc/vsftpd/vsftpd.conf'
echo -e "use_localtime=YES\nlisten_port=21\nchroot_local_user=YES\nidle_session_timeout=300\ndata_connection_timeout=1\nguest_enable=YES\nguest_username=vsftpd\nuser_config_dir=/etc/vsftpd/vconf\nvirtual_use_local_privs=YES\npasv_min_port=10060\npasv_max_port=10090\naccept_timeout=5\nconnect_timeout=1" >> /etc/vsftpd/vsftpd.conf # guest_username must be the same as the system user created in step 4; keep this comment outside the quoted string, otherwise it is written into the configuration file as part of the value
Description of the configuration items:
anonymous_enable=NO // do not allow anonymous access
local_enable=YES // allow local users to log in. Note: when virtual users are used this must not be set to NO, otherwise no virtual user will be able to log in
chroot_list_enable=YES // users cannot leave their home directory
ascii_upload_enable=YES
ascii_download_enable=YES // enable ASCII mode for uploads and downloads
pam_service_name=vsftpd // name of the PAM service; authentication is done through /etc/pam.d/vsftpd
# The following are the important settings for vsftpd virtual user support. They are not present in the default vsftpd.conf and have to be added manually
guest_enable=YES // enable the virtual user feature
guest_username=vsftpd // the system user that virtual users are mapped to; CentOS already has a built-in ftp user, here the vsftpd user is used instead
user_config_dir=/etc/vsftpd/vuser_conf // directory holding the per-virtual-user vsftpd configuration files (file name = virtual user name)
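As an added check that is not part of the original post, the following script reads a vsftpd.conf and verifies the settings the virtual-user setup above depends on, including the passive port range opened in the iptables step. vsftpd takes everything after "=" as the value, so the script also flags a trailing "# comment" inside a value; the file paths and sample contents are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a vsftpd.conf for
# the virtual-user settings this setup depends on. vsftpd takes everything
# after '=' as the value, so a trailing "# comment" becomes part of the value.
FW_MIN=10060; FW_MAX=10090   # passive range opened in the iptables step

# get_opt FILE KEY: print KEY's value (last occurrence wins, as in vsftpd)
get_opt() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_vsftpd_conf FILE: return 0 if every check passes, 1 otherwise
check_vsftpd_conf() {
    conf=$1; rc=0
    if grep -E '^[a-z_]+=.*#' "$conf" >/dev/null; then
        echo "FAIL: inline comment inside a value:"; grep -E '^[a-z_]+=.*#' "$conf"; rc=1
    fi
    for want in anonymous_enable=NO local_enable=YES guest_enable=YES \
                chroot_local_user=YES guest_username=vsftpd; do
        key=${want%%=*}; val=${want#*=}; got=$(get_opt "$conf" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: expected $want, got '$key=$got'"; rc=1
        fi
    done
    pmin=$(get_opt "$conf" pasv_min_port); pmax=$(get_opt "$conf" pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -lt "$FW_MIN" ] \
       || [ "$pmax" -gt "$FW_MAX" ] || [ "$pmin" -gt "$pmax" ]; then
        echo "FAIL: passive range '$pmin-$pmax' is not inside $FW_MIN-$FW_MAX"; rc=1
    fi
    return $rc
}

# Constructed sample: the form produced when a comment ends up inside the
# echo string, and a corrected copy with the comment stripped.
tmp=$(mktemp -d)
cat > "$tmp/bad.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=vsftpd # must match the system user created earlier
chroot_local_user=YES
pasv_min_port=10060
pasv_max_port=10090
EOF
sed 's/ #.*//' "$tmp/bad.conf" > "$tmp/good.conf"
for f in bad.conf good.conf; do
    if check_vsftpd_conf "$tmp/$f"; then echo "$f: OK"; else echo "$f: rejected"; fi
done
```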
7. Create the virtual user list file
touch /etc/vsftpd/virtusers
Edit the virtual user list file (user name on line 1, its password on line 2, and so on for each user; note: root cannot be used as a user name because it is reserved by the system)
8. Generate the virtual user database file
9. Add the following lines at the top of /etc/pam.d/vsftpd (adding them further down has no effect)
Back up the file before making changes
vi /etc/pam.d/vsftpd # first comment out all of the existing vsftpd configuration, then add the following
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
Note: on a 32-bit system change lib64 above to lib, otherwise the configuration fails;
10. Finally restart the vsftpd service
You can watch the server's security log with tail -f /var/log/secure to help diagnose errors.
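The list and database steps 7 to 10 describe, as an added example that is not part of the original post: the script validates the alternating user name / password list and compiles it with db_load (from the libdb-utils package, an assumption not named in the post) into the Berkeley DB file that pam_userdb reads. pam_userdb appends ".db" itself, so the "db=/etc/vsftpd/virtusers" entry in /etc/pam.d/vsftpd refers to /etc/vsftpd/virtusers.db; the sample list and the temporary paths are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): build the virtual user database.
# The list file alternates user name / password lines. pam_userdb appends ".db"
# to the db= path itself, so the output file must be named virtusers.db.
# Assumes db_load from the libdb-utils package.

# validate_virtusers FILE: 0 if the list is well formed, 1 otherwise
validate_virtusers() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 { print "line " NR ": empty line"; bad = 1; next }
        NR % 2 == 1 && $0 == "root" { print "line " NR ": root is reserved"; bad = 1 }
        NR % 2 == 1 && $0 ~ /[^A-Za-z0-9_.-]/ { print "line " NR ": bad user name"; bad = 1 }
        END { if (NR % 2) { print "odd line count: a user has no password"; bad = 1 }
              exit bad }' "$1"
}

# build_virtusers_db LIST DB: compile LIST into the Berkeley DB hash file DB;
# both files hold plaintext passwords, so leave them readable by root only
build_virtusers_db() {
    validate_virtusers "$1" || return 1
    db_load -T -t hash -f "$1" "$2" || return 1
    chmod 600 "$1" "$2"
}

# Constructed sample list; the real one lives at /etc/vsftpd/virtusers
tmp=$(mktemp -d)
printf 'web1\nSecretPassw0rd\nweb2\nAnother-Pass\n' > "$tmp/virtusers"
printf 'root\nx\nweb3\n' > "$tmp/virtusers.broken"
validate_virtusers "$tmp/virtusers" && echo "list OK"
validate_virtusers "$tmp/virtusers.broken" || echo "broken list rejected"
if command -v db_load >/dev/null 2>&1; then
    build_virtusers_db "$tmp/virtusers" "$tmp/virtusers.db" && echo "built $tmp/virtusers.db"
else
    echo "db_load not found: install libdb-utils to build the database"
fi
```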