VSFTPD: very secure ftp
A "very secure" FTP server. FTP is a very old protocol that transfers everything in plaintext with no encryption at all, which is why vsftpd was created.
It is TCP based and listens on port 21.
Main configuration file:
/etc/vsftpd/vsftpd.conf

[root@localhost ftp]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost ftp]# netstat -ntlp
Active Internet connections (only servers)
tcp        0      0 0.0.0.0:21         0.0.0.0:*          LISTEN      42268/vsftpd
There are three kinds of FTP users:
1. Anonymous users: mapped to a fixed system user (ftp / vsftp)
2. Local users: ordinary system users, e.g. root, daemon
3. Virtual users: anonymous users who log in through some authentication mechanism; the mechanisms are nsswitch (name service switch) and PAM (pluggable authentication modules)

Lab: use pam_mysql to connect to MySQL, read user accounts and passwords from MySQL, and log in to FTP with them.
1. Install the pam_mysql module

[root@localhost src]# yum -y install pam-devel mysql-devel
[root@localhost src]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@localhost src]# cd pam_mysql-0.7RC1
[root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-pam=/usr
[root@localhost pam_mysql-0.7RC1]# make && make install
[root@localhost pam_mysql-0.7RC1]# cd /lib/security/
[root@localhost security]# ls
pam_mysql.la  pam_mysql.so        // the PAM module that connects to MySQL has been built
2. Grant privileges to an account and create the user table from which PAM will read the accounts and passwords

mysql> grant all on pam.* to 'pamuser'@localhost identified by "123456";
Query OK, 0 rows affected (0.03 sec)
mysql> create table pamuser(id int not null primary key, name char(30) not null, password char(48) binary not null);
Query OK, 0 rows affected (0.01 sec)
mysql> desc pamuser
    -> ;
+----------+----------+------+-----+---------+-------+
| Field    | Type     | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+-------+
| id       | int(11)  | NO   | PRI | NULL    |       |
| name     | char(30) | NO   |     | NULL    |       |
| password | char(48) | NO   |     | NULL    |       |
+----------+----------+------+-----+---------+-------+
3 rows in set (0.00 sec)

3. Insert data into the table, including the accounts and passwords

mysql> insert into pamuser(id,name,password) values (1,'tom',password("magedu"));
Query OK, 1 row affected (0.00 sec)
mysql> insert into pamuser(id,name,password) values (2,'jerry',password("jerry"));
Query OK, 1 row affected (0.00 sec)
mysql> select * from pamuser;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  2 | jerry | *09FB9E6E2AA0750E9D8A8D22B6AA8D86C85BF3D0 |
|  1 | tom   | *6B8CCC83799A26CD19D7AD9AEEADBCD30D8A8664 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
4. Create the mapped user

[root@localhost security]# useradd -s /nologin -d /ftproot vuser
[root@localhost security]# id vuser
uid=501(vuser) gid=501(vuser) groups=501(vuser)

5. Edit the configuration file and specify which mapped user virtual users are mapped to when they access the server

[root@localhost security]# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES
guest_username=vuser      // add these two lines
6. Write the PAM file that authenticates virtual users

[root@localhost pam.d]# vim /etc/pam.d/vsftpd.conf
auth    required /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=pamuser usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=pamuser passwd=123456 host=localhost db=pam table=pamuser usercolumn=name passwdcolumn=password crypt=2

7. Modify the vsftpd configuration file

[root@localhost pam.d]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.conf     // change vsftpd to vsftpd.conf
anon_upload_enable=YES           // allow anonymous users to upload
anon_mkdir_write_enable=YES      // allow anonymous users to create directories (mkdir)
anon_other_write_enable=YES      // allow anonymous users to delete and rename
8. Restart the vsftpd service and verify that a virtual user can log in to FTP

[root@www ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): tom
331 Please specify the password.
Password:
230 Login successful.          // OK, the login works
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,18,250,76,115,157).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).   // vuser's home directory cannot be listed; fixing its permissions is enough

Change the permissions of vuser's home directory, and adjust the subdirectory under it so that anonymous users can create and upload files there

[root@localhost /]# chmod go+rx ftproot/
[root@localhost ftproot]# chown vuser upload/
Test logging in again.

ftp> ls
227 Entering Passive Mode (172,18,250,76,69,54).
150 Here comes the directory listing.
drwxr-xr-x    2 501      0            4096 Apr 18 05:32 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> mkdir tom.txt            // creating works
257 "/upload/tom.txt" created
ftp> lcd /etc                 // switch to the /etc directory on the local Linux host
Local directory now /etc
ftp> put fstab                // uploading works
local: fstab remote: fstab
227 Entering Passive Mode (172,18,250,76,222,184).
150 Ok to send data.
226 Transfer complete.
805 bytes sent in 0.00111 secs (726.53 Kbytes/sec)

[root@www ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): jerry     // logging in as jerry also works
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,18,250,76,234,145).
150 Here comes the directory listing.
drwxr-xr-x    3 501      0            4096 Apr 18 08:53 upload
226 Directory send OK.
What if we want tom to be able to upload but not jerry?
Approach: disable uploading for all anonymous users globally, then enable it for tom alone

[root@localhost /]# vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES
user_config_dir=/etc/vsftpd/vsftpd.conf.d/     // make the service read the per-user permissions defined here
[root@localhost /]# cd /etc/vsftpd/
[root@localhost vsftpd]# mkdir vsftpd.conf.d
[root@localhost vsftpd]# cd vsftpd.conf.d/
[root@localhost vsftpd.conf.d]# vim tom
anon_upload_enable=YES

Test again...

[root@www ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,18,250,76,233,150).
150 Here comes the directory listing.
-rw-------    1 501      501           805 Apr 18 08:53 fstab
drwx------    2 501      501          4096 Apr 18 08:53 tom.txt
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put issue                // tom uploads a file
local: issue remote: issue
227 Entering Passive Mode (172,18,250,76,158,39).
150 Ok to send data.
226 Transfer complete.
47 bytes sent in 0.000309 secs (152.10 Kbytes/sec)     // upload OK

[root@www ~]# ftp 172.18.250.76
Connected to 172.18.250.76 (172.18.250.76).
220 (vsFTPd 2.2.2)
Name (172.18.250.76:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put issue                // jerry uploads a file
local: issue remote: issue
227 Entering Passive Mode (172,18,250,76,24,97).
550 Permission denied.        // the upload fails, permission denied

Besides uploading, the create (mkdir), delete and rename permissions can be defined the same way as the upload permission above.
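As an added example that is not part of the original post, the POSIX shell script below resolves the effective vsftpd write settings for a virtual user the way the tom/jerry split above works: the user's file under user_config_dir overrides the global vsftpd.conf, and an option set in neither place falls back to vsftpd's default of NO. The config paths and file contents are constructed in the script itself, so it runs without a vsftpd installation.

```shell
#!/bin/sh
# Added example, not from the original post: merge the global vsftpd.conf with
# a virtual user's per-user file under user_config_dir and print the resulting
# write permissions. Per-user value wins; an unset option defaults to NO.
# All paths and sample files below are constructed for the demonstration.

# vsftpd_get FILE KEY: print the value of the last uncommented KEY= line in FILE
vsftpd_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# effective_setting MAIN_CONF USER KEY: per-user file first, then global, then NO
effective_setting() {
    dir=$(vsftpd_get "$1" user_config_dir)
    val=""
    [ -n "$dir" ] && val=$(vsftpd_get "$dir/$2" "$3")
    [ -z "$val" ] && val=$(vsftpd_get "$1" "$3")
    [ -z "$val" ] && val=NO
    printf '%s\n' "$val"
}

# report MAIN_CONF USER: one-line summary of the three anonymous write options
report() {
    printf '%s: upload=%s mkdir=%s other_write=%s\n' "$2" \
        "$(effective_setting "$1" "$2" anon_upload_enable)" \
        "$(effective_setting "$1" "$2" anon_mkdir_write_enable)" \
        "$(effective_setting "$1" "$2" anon_other_write_enable)"
}

# Constructed sample mirroring the post: upload disabled globally, re-enabled for tom only
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/vsftpd.conf.d"
cat >"$tmp/vsftpd.conf" <<EOF
guest_enable=YES
guest_username=vuser
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
user_config_dir=$tmp/vsftpd.conf.d/
EOF
echo 'anon_upload_enable=YES' >"$tmp/vsftpd.conf.d/tom"

report "$tmp/vsftpd.conf" tom     # tom: upload=YES mkdir=YES other_write=NO
report "$tmp/vsftpd.conf" jerry   # jerry: upload=NO mkdir=YES other_write=NO
```

Point the two report calls at the real /etc/vsftpd/vsftpd.conf to review what each virtual user may write before restarting the service.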