Introduction to secure FTP server vsftpd

  • 2020-05-15 03:15:48
  • OfStack

vsftpd is the name of an FTP server that runs on UNIX-like operating systems such as Linux, BSD, Solaris, HP-UX, and IRIX. It supports many features that other FTP servers lack, such as:

Meets very high security requirements
Bandwidth limiting
Good scalability
Support for virtual users
IPv6 support
Medium to high performance
Support for assigning virtual IP addresses
High speed

The name vsftpd stands for "very secure FTP daemon", and security was a top priority for its developer, Chris Evans: high security was a design goal from the very start of the server's design and development.

One example is that vsftpd works in chroot mode: the program (in this case vsftpd) is given a new root directory and cannot access programs or files outside that directory, which is why this is also called being "locked" in. An FTP server that a potential attacker managed to compromise would thus remain isolated from the rest of the system, avoiding even greater damage.

With so many features, the security of the FTP service should be the most important consideration, and here vsftpd is superior to other FTP servers. WU-FTPD (http://www.wu-ftpd.org/) can be seen as an example of the opposite, because it has had many security flaws in the past few years.

Appendix 1: what is FTP
FTP is the abbreviation of File Transfer Protocol, which is specified in RFC 959.

An FTP session contains two channels, one called the control channel and one called the data channel.

Control channel: the control channel is the channel for communicating with the FTP server; the client connects to the FTP server and sends FTP commands through the control channel.

Data channel: the data channel is the channel over which files or directory listings are transferred with the FTP server.

In the FTP protocol, control connections are initiated by the client, and data connections work in one of two ways: PORT and PASV.

PORT mode (active mode)

The FTP client first establishes a connection to TCP port 21 on the FTP server and sends commands through this channel. When the client needs to receive data, it sends a PORT command over this channel. The PORT command tells the server which port the client is using to receive data (a port greater than 1024). When transferring data, the server sends the data from its own port, TCP 20: the FTP server must establish a new connection to the client in order to transfer data.

PASV mode (passive mode)

Once the control channel has been established as in PORT mode, the client sends a PASV command through it. The FTP server then opens a random port between 1024 and 5000 and tells the client to send its data request to that port, and the FTP server transfers the data through that port. In this case the FTP server no longer needs to establish a new connection to the client in order to transmit data.

Seen from the perspective of the C/S model, PORT mode is OUTBOUND for the server, while PASV mode is INBOUND for the server. Please pay special attention to this point, especially in enterprises that use a firewall: it is critical, and if the firewall is set up wrongly, clients will not be able to connect.
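As an added example (not code from the original article), the following Python parses the two addresses exchanged in the modes above, the client's PORT command and the server's 227 reply to PASV, and applies the checks the text implies: the PORT port must be above 1024, and the PASV port must lie in the stated 1024-5000 range (both limits are parameters, since real servers configure them). The optional control_peer comparison is an assumption of this example, not something the article describes.

```python
import re
from typing import Optional, Tuple

# FTP carries addresses as "h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")

def decode_hostport(six: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in six.split(",")]
    if len(parts) != 6 or any(p < 0 or p > 255 for p in parts):
        raise ValueError(f"malformed address: {six!r}")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def parse_port_command(line: str, control_peer: Optional[str] = None) -> dict:
    """Active mode: the client names the address the server must connect OUT to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    host, port = decode_hostport(m.group(1))
    ok = port > 1024                     # text: client listens on a port above 1024
    # Assumed defensive check (not in the article): accept only a data address
    # equal to the client that opened the control connection.
    if control_peer is not None and host != control_peer:
        ok = False
    return {"mode": "PORT", "direction": "server OUTBOUND",
            "host": host, "port": port, "ok": ok}

def parse_pasv_reply(line: str, low: int = 1024, high: int = 5000) -> dict:
    """Passive mode: the server names the port the client must connect IN to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    host, port = decode_hostport(m.group(1))
    return {"mode": "PASV", "direction": "server INBOUND",
            "host": host, "port": port, "ok": low <= port <= high}

if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    print(parse_port_command("PORT 192,168,1,10,4,1", control_peer="192.168.1.10"))
    print(parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,7,208)"))
```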

Appendix 2: FTP user management commentary


By default, the FTP server manages its users based on /etc/passwd and /etc/group, so we need to understand Linux system user and user group management. User and group management is the basis of all applications. Some people do not want to learn this and just want to set up all kinds of servers in one step; experience shows that this way of learning is the most unwise. Although you may have started the FTP server in a few minutes, you will not know what went wrong when you encounter a problem. So the fundamentals are extremely important.

Recommended article: management overview of Linux users (user) and user groups (group)

Understanding of anonymous ftp users

When we visit the major FTP sites, we may not think about what identity we are logging in with, if the site allows anonymous login; for example, when we type in the browser:

ftp://mirrors.kernel.org

or

ftp://ftp:ftp@mirrors.kernel.org

We will find that both lines above can be accessed and show exactly the same result, and both end up at the address ftp://mirrors.kernel.org. So when we access FTP, do we have a user name and a password? Yes, they are necessary, but the server side allows anonymous access, and the user name and password for anonymous access are both ftp; we do not notice the user name and password because the access is anonymous. The second address explicitly accesses ftp://mirrors.kernel.org as the user ftp with the password ftp.

If we connect to mirrors.kernel.org with the ftp command, we will find that we need to enter the user ftp and the password ftp to access it.

In the FTP server, the user name and password of the anonymous user are both ftp. This user can be found in your operating system's /etc/passwd; it might have a line like the following:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Description:

/etc/passwd is the configuration file of system users; /etc/group is the configuration file of system user groups. You can use "Linux user (user) and user group (group) management overview" and related documents to learn some basic knowledge of user management.

In the ftp user line, we see seven fields, each separated by a colon (:):

ftp is the user name;
x is the password field; the password itself is hidden;
14 is the user's UID field, which you can set yourself. It must not be the same as another user's UID, otherwise it will cause system security problems;
50 is the GID of the user's group, which you can also set yourself. Do not share the ftp GID with other user groups, otherwise it will cause problems for the whole system;
FTP User is the user description field;
/var/ftp is the home directory of the ftp user, which can also be defined by yourself;
/sbin/nologin is the user's login SHELL, which can also be defined; /sbin/nologin means the user cannot log in to the system. System virtual accounts (also known as fake users) are generally set up like this. For example, if we changed the ftp user's /sbin/nologin to /bin/bash, the ftp user could log in to the system as a real user, locally or through remote tools such as ssh or telnet. That is not safe for the system. If you think a user does not need to log in to the system, give him only the permission of an FTP account, that is to say, only FTP access, instead of setting his SHELL to /bin/bash or the like.

Understanding of the ftp user group

When we look at /etc/group, we find a line like this:

ftp:x:50:
/etc/group is the user group management file. The line above represents the user group ftp: x is the password field and 50 is the GID. We know that the ftp user belongs to the ftp user group by referring to the ftp line in /etc/passwd, because the GID in the ftp user line is the same as the GID of the ftp user group.

Can the anonymous ftp user and the ftp user group be deleted?

In general, the lines for the ftp user and user group in /etc/passwd and /etc/group cannot be deleted, because by default the FTP server requires them to manage FTP users.

Although they cannot be deleted, some related settings of the ftp user in /etc/passwd and of the ftp user group in /etc/group can be modified. For example, we can change the home directory of the ftp user, or change the UID of the ftp user, and so on, if you know something about user management. System user management is the foundation of the application. If you are new to Linux, you may not understand the importance of user management, but you will find it out later.
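As an added example (not the article's own code), the following Python applies the expectations from the passwd field walk-through above, the /etc/group line, and the note that the ftp entries must exist: it parses both files, checks that the ftp user's GID matches the ftp group, that its UID and GID are not shared, and that its shell is a nologin shell. The two inputs are constructed samples, not copied from a real host.

```python
from typing import Dict, List

# Constructed sample files (not from a real host); on a real system read
# /etc/passwd and /etc/group instead.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nftp:x:50:\nusers:x:100:\n"

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
PASSWD_KEYS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each line into the seven colon-separated passwd fields."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != 7:
                raise ValueError(f"expected 7 fields: {line!r}")
            rows.append(dict(zip(PASSWD_KEYS, fields)))
    return rows

def parse_group(text: str) -> Dict[str, str]:
    """Map group name to GID from the four-field group-file format."""
    gids = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            gids[name] = gid
    return gids

def check_ftp_account(passwd_text: str, group_text: str) -> List[str]:
    """Return findings; an empty list means the ftp account looks as expected."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    ftp = next((u for u in users if u["name"] == "ftp"), None)
    if ftp is None:
        return ["ftp user missing from passwd; the FTP server needs it by default"]
    findings = []
    if "ftp" not in groups:
        findings.append("ftp group missing from group file")
    elif groups["ftp"] != ftp["gid"]:
        findings.append(f"ftp user GID {ftp['gid']} differs from ftp group GID {groups['ftp']}")
    if sum(u["uid"] == ftp["uid"] for u in users) > 1:
        findings.append(f"UID {ftp['uid']} is shared with another user")
    if sum(g == ftp["gid"] for g in groups.values()) > 1:
        findings.append(f"GID {ftp['gid']} is shared with another group")
    if ftp["shell"] not in NOLOGIN_SHELLS:
        findings.append(f"ftp user has login shell {ftp['shell']}; expected /sbin/nologin")
    return findings
```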
