  • linux系统中部署vsftpd服务(虚拟用户模式)

    vsftpd服务采用服务器端/客户机端模式

    以下实验PC1为服务器端,IP为192.168.10.10; PC2为客户机端,IP为192.168.10.20

    1、在PC1服务器端安装vsftpd服务

    [root@PC1 ~]# yum install vsftpd.x86_64 -y
    Loaded plugins: langpacks, product-id, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    rhel7                                                    | 4.1 kB     00:00     
    Resolving Dependencies
    --> Running transaction check
    ---> Package vsftpd.x86_64 0:3.0.2-9.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package          Arch             Version                Repository       Size
    ================================================================================
    Installing:
     vsftpd           x86_64           3.0.2-9.el7            rhel7           166 k
    
    Transaction Summary
    ================================================================================
    Install  1 Package
    
    Total download size: 166 k
    Installed size: 343 k
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : vsftpd-3.0.2-9.el7.x86_64                                    1/1 
    rhel7/productid                                          | 1.6 kB     00:00     
      Verifying  : vsftpd-3.0.2-9.el7.x86_64                                    1/1 
    
    Installed:
      vsftpd.x86_64 0:3.0.2-9.el7                                                   
    
    Complete!

    2、清空PC1服务器端防火墙策略并保存(这是实验环境下的简化做法,相当于取消了所有过滤规则)

    [root@PC1 ~]# iptables -F
    [root@PC1 ~]# service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

    3、在PC1服务器端精简vsftpd服务主配置文件

    [root@PC1 ~]# cd /etc/vsftpd/
    [root@PC1 vsftpd]# ls
    ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
    [root@PC1 vsftpd]# cp vsftpd.conf vsftpd.conf.bak
    [root@PC1 vsftpd]# grep -v "#" vsftpd.conf.bak > vsftpd.conf
    [root@PC1 vsftpd]# cat vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

    4、在PC1服务器端创建用于FTP认证的用户数据库文件:奇数行为账户名、偶数行为密码;用 db_load 生成 hash 类型的 Berkeley DB 数据库文件(这里的 hash 指数据库的索引类型,密码本身仍以明文保存,见下文 cat vuser.db 的输出);随后降低新数据库文件的权限,并删除原始的明文列表文件

    [root@PC1 vsftpd]# cd /etc/vsftpd/
    [root@PC1 vsftpd]# vim vuser.list
    zhangsan
    redhat
    lisi
    redhat
    [root@PC1 vsftpd]# db_load -T -t hash -f vuser.list vuser.db
    [root@PC1 vsftpd]# file vuser.list 
    vuser.list: ASCII text
    [root@PC1 vsftpd]# file vuser.db
    vuser.db: Berkeley DB (Hash, version 9, native byte-order)
    [root@PC1 vsftpd]# chmod 600 vuser.db
    [root@PC1 vsftpd]# rm -f vuser.list 
    [root@PC1 vsftpd]# ls
    ftpusers vsftpd.conf vsftpd_conf_migrate.sh
    user_list vsftpd.conf.bak vuser.db
    [root@PC1 vsftpd]# cat vuser.db 
    �� ��$��cэh^redhatlisi[root@PC1 vsftpd]#

    5、创建vsftpd服务登录的根目录,并创建用于映射的系统用户(ftp登录账户如zhangsan、lisi并不是系统用户,需要映射到一个具体的系统用户)

    [root@PC1 vsftpd]# useradd -d /var/ftproot -s /sbin/nologin virtual
    [root@PC1 vsftpd]# ls -ld /var/ftproot/
    drwx------. 3 virtual virtual 74 Dec 14 20:19 /var/ftproot/
    [root@PC1 vsftpd]# chmod -R 755 /var/ftproot/
    [root@PC1 vsftpd]# ls -ld /var/ftproot/
    drwxr-xr-x. 3 virtual virtual 74 Dec 14 20:19 /var/ftproot/

    6、PC1中建立用于支持虚拟用户的PAM文件(zhangsan、lisi不是真实的系统用户,登录时由 pam_userdb 对照 vuser.db 校验账号和密码,再通过下一步的 guest_username 映射到系统用户 virtual)

    [root@PC1 vsftpd]# vim /etc/pam.d/vsftpd.vu    ## db= 指向上一步生成的 /etc/vsftpd/vuser.db,路径中不写 .db 后缀
    auth    required        pam_userdb.so   db=/etc/vsftpd/vuser
    account required        pam_userdb.so   db=/etc/vsftpd/vuser

    7、PC1中修改主配置文件

    [root@PC1 vsftpd]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    guest_enable=YES
    guest_username=virtual   ## 通过 PAM 认证的虚拟账号(zhangsan、lisi)统一映射到系统用户 virtual
    allow_writeable_chroot=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    
    pam_service_name=vsftpd.vu  ## 使用第6步创建的 /etc/pam.d/vsftpd.vu,不再使用默认的 vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

    8、在PC1中为虚拟用户设置不同的权限

    [root@PC1 vsftpd]# mkdir /etc/vsftpd/vusers_dir/
    [root@PC1 vsftpd]# cd /etc/vsftpd/vusers_dir/
    [root@PC1 vusers_dir]# touch lisi
    [root@PC1 vusers_dir]# vim zhangsan
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

    9、在PC1中修改vsftpd的主配置文件

    [root@PC1 vusers_dir]# vim /etc/vsftpd/vsftpd.conf
      1 anonymous_enable=NO
      2 local_enable=YES
      3 guest_enable=YES
      4 guest_username=virtual
      5 allow_writeable_chroot=YES
      6 write_enable=YES
      7 local_umask=022
      8 dirmessage_enable=YES
      9 xferlog_enable=YES
     10 connect_from_port_20=YES
     11 xferlog_std_format=YES
     12 listen=NO
     13 listen_ipv6=YES
     14 
     15 pam_service_name=vsftpd.vu
     16 userlist_enable=YES
     17 tcp_wrappers=YES
     18 user_config_dir=/etc/vsftpd/vusers_dir  ## 指定了虚拟用户权限文件的路径

    10、在PC1主机中重启vsftpd服务

    [root@PC1 vusers_dir]# systemctl restart vsftpd
    [root@PC1 vusers_dir]# systemctl enable vsftpd
    ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
    [root@PC1 vusers_dir]# systemctl status vsftpd.service 
    vsftpd.service - Vsftpd ftp daemon
       Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
       Active: active (running) since Mon 2020-12-14 20:43:17 CST; 22s ago
     Main PID: 32049 (vsftpd)
       CGroup: /system.slice/vsftpd.service
               └─32049 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
    
    Dec 14 20:43:17 PC1 systemd[1]: Starting Vsftpd ftp daemon...
    Dec 14 20:43:17 PC1 systemd[1]: Started Vsftpd ftp daemon.

    11、在PC1主机中查看并设置SELinux

    [root@PC1 vusers_dir]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off
    [root@PC1 vusers_dir]# setsebool -P ftpd_full_access=on
    [root@PC1 vusers_dir]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> on
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off

    12、在PC2客户机中安装vsftp客户端工具

    [root@PC2 test]# yum install ftp -y
    Loaded plugins: langpacks, product-id, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Resolving Dependencies
    --> Running transaction check
    ---> Package ftp.x86_64 0:0.17-66.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package        Arch              Version                Repository        Size
    ================================================================================
    Installing:
     ftp            x86_64            0.17-66.el7            rhel7             61 k
    
    Transaction Summary
    ================================================================================
    Install  1 Package
    
    Total download size: 61 k
    Installed size: 96 k
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : ftp-0.17-66.el7.x86_64                                       1/1 
      Verifying  : ftp-0.17-66.el7.x86_64                                       1/1 
    
    Installed:
      ftp.x86_64 0:0.17-66.el7                                                      
    
    Complete!

    13、在PC2客户端主机中登录测试

    [root@PC2 test]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): lisi
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> cd /tmp   ## 说明虚拟用户被限制在指定的根目录内,无法切换到其他目录
    550 Failed to change directory.
    ftp> mkdir files
    550 Permission denied.
    [root@PC2 test]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): zhangsan
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (192,168,10,10,170,162).
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp> pwd
    257 "/"
    ftp> cd /tmp
    550 Failed to change directory.
    ftp> mkdir files    ## 这一步可以看出 lisi 和 zhangsan 账户权限的不同:只有 zhangsan 的配置文件开放了写权限
    257 "/files" created

    14、利用zhangsan用户测试传输文件功能

    [root@PC1 ~]# cd /var/ftproot/
    [root@PC1 ftproot]# ls
    [root@PC1 ftproot]# echo "i am pc1" > pc1.file
    [root@PC1 ftproot]# ls
    pc1.file
    [root@PC2 test]# pwd
    /home/test
    [root@PC2 test]# ls
    [root@PC2 test]# echo "i am pc2" > pc2.file
    [root@PC2 test]# ls
    pc2.file
    [root@PC2 test]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): zhangsan
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (192,168,10,10,139,101).
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               9 Dec 14 13:01 pc1.file
    226 Directory send OK.
    ftp> mput pc2.file  ## 向服务器端传输
    mput pc2.file? y
    227 Entering Passive Mode (192,168,10,10,126,134).
    150 Ok to send data.
    226 Transfer complete.
    9 bytes sent in 4.3e-05 secs (209.30 Kbytes/sec)
    ftp> ls
    227 Entering Passive Mode (192,168,10,10,73,59).
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               9 Dec 14 13:01 pc1.file
    -rw-------    1 1001     1001            9 Dec 14 13:02 pc2.file
    226 Directory send OK.
    ftp> mget pc1.file  ## 向本地传输
    mget pc1.file? 
    227 Entering Passive Mode (192,168,10,10,145,33).
    150 Opening BINARY mode data connection for pc1.file (9 bytes).
    226 Transfer complete.
    9 bytes received in 2.1e-05 secs (428.57 Kbytes/sec)
    ftp> exit
    221 Goodbye.
    [root@PC2 test]# ls
    pc1.file  pc2.file
    [root@PC2 test]# cat pc1.file 
    i am pc1

    虚拟用户模式的安全性体现在哪里?

    匿名用户模式:任何人均可登录,但是仅能访问设定的根目录(/var/ftp)

    本地用户模式: 需要账户和密码,但是可以根据用户权限访问不同目录(从这点讲,本地用户模式不见得比匿名用户模式安全)。

    虚拟用户模式: 需要特定账户和密码,同时仅能访问设定的根目录(创建的用于映射的虚拟用户的家目录),所以说虚拟用户模式结合了匿名用户模式和本地用户模式两者在安全性上的优点,因此说最安全。需要注意的是,vuser.db 中的密码是明文保存的(见上文 cat vuser.db 的输出),其安全性依赖于 chmod 600 的文件权限。

  • 原文地址:https://www.cnblogs.com/liujiaxin2018/p/14135717.html