
11.2.2 Local user mode


May 24, 2021 That's what Linux should learn



Compared with anonymous open mode, local user mode is both more secure and simpler to configure. If you enabled anonymous open mode earlier, you can now turn it off and enable local user mode. The permission parameters used by local user mode and their effects are shown in Table 11-3.

Table 11-3 Permission parameters used by local user mode and their effect

| Parameter | Effect |
|---|---|
| anonymous_enable=NO | Disable anonymous access mode |
| local_enable=YES | Allow local user mode |
| write_enable=YES | Grant write permission |
| local_umask=022 | umask value for files created in local user mode |
| userlist_deny=YES | Enable the "deny user list"; the list files are ftpusers and user_list |
| userlist_enable=YES | Enable the user list file function |

Write these parameters into the main configuration file of the vsftpd service, then save and exit:

[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

The vsftpd service program then needs to be restarted for the new configuration parameters to take effect. Readers who restored the virtual machine after the previous experiment also need to add the service to the boot items again so that vsftpd is still available after the system restarts.

[root@linuxprobe ~]# systemctl restart vsftpd
[root@linuxprobe ~]# systemctl enable vsftpd

However, when you then try to sign in as the root administrator, you are prompted with the following error message:

[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): root
530 Permission denied.
Login failed.

As you can see, the system denied access before we even entered the root administrator's password. This is because the directory holding the vsftpd service program's configuration contains two "user list" files (ftpusers and user_list). I don't know whether you have seen the Japanese film "Death Note" (Mr. Liu's favourite during his school days), which features a small black-covered notebook: whoever's name is written in it dies. The two files in the vsftpd directory work similarly: as long as a user's name is written in them, that user is no longer allowed to log on to the FTP server.

[root@linuxprobe ~]# cat /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

[root@linuxprobe ~]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

That's right! To keep the server secure, the vsftpd service program denies login by the root administrator and most system users by default, which effectively prevents attackers from brute-forcing the root administrator's password through the FTP service. If you have confirmed that using the root administrator in a production environment has no impact on system security, simply remove the root username from these two files as the comments above describe. We can also pick a user who is not listed in ftpusers or user_list and try to log on to the FTP server:
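The interplay between Table 11-3 and the two list files is easy to get wrong, so here is a small audit script as an added example; it is not code from the book or from the vsftpd project. It parses a vsftpd.conf excerpt, checks the local-user-mode parameters from Table 11-3, and models the login decision that produced the "530 Permission denied" for root before any password prompt. The DEFAULTS values are the vsftpd.conf(5) defaults applied when a key is absent; the assumption that the ftpusers rejection only arrives after the password is sent rests on the fact that the PAM stack named by pam_service_name runs at password verification time. All inputs are constructed samples.

```python
"""Audit a vsftpd local-user-mode setup against Table 11-3 and model the
user_list / ftpusers decision behind the "530 Permission denied" that root
received before any password prompt. Added example, not from the book;
every input below is a constructed sample."""

# Constructed excerpt of the chapter's /etc/vsftpd/vsftpd.conf.
SAMPLE_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
pam_service_name=vsftpd
userlist_enable=YES
"""
# Constructed excerpts of the two deny lists shown above.
SAMPLE_USER_LIST = "# vsftpd userlist\nroot\nbin\ndaemon\n"
SAMPLE_FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\n"

# Values vsftpd assumes when a key is absent (vsftpd.conf(5) defaults).
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "local_umask": "077", "userlist_enable": "NO", "userlist_deny": "YES"}
# What Table 11-3 expects for a local-user-mode server.
EXPECTED = {"anonymous_enable": "NO", "local_enable": "YES",
            "userlist_enable": "YES", "userlist_deny": "YES"}


def parse_conf(text):
    """key=value lines; '#' lines and blanks ignored; a later key overrides."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip()
    return conf


def parse_user_list(text):
    """One user name per line; '#' lines are comments."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def audit_conf(conf):
    """Return findings; an empty list means the config matches Table 11-3."""
    findings = [f"{k}={conf[k]} (expected {v})"
                for k, v in EXPECTED.items() if conf[k].upper() != v]
    # local_umask must clear the group/other write bits, as 022 does;
    # a weaker mask leaves uploaded files writable by other local users.
    try:
        umask = int(conf["local_umask"], 8)
    except ValueError:
        umask = -1
    if umask < 0 or umask & 0o022 != 0o022:
        findings.append(f"local_umask={conf['local_umask']} leaves group/other write bits set")
    return findings


def login_decision(user, conf, user_list, ftpusers):
    """Model vsftpd's login checks for a local user -> (allowed, password_prompted).

    userlist_enable=YES consults user_list before the password prompt:
    userlist_deny=YES rejects names IN the file (root's 530 above), while
    userlist_deny=NO rejects every name NOT in the file. ftpusers is enforced
    by the PAM stack named in pam_service_name (pam_listfile), which only runs
    once a password has been sent, so that rejection comes after the prompt
    (assumption about timing, see the lead-in).
    """
    if conf["userlist_enable"].upper() == "YES":
        listed = user in user_list
        deny_mode = conf["userlist_deny"].upper() == "YES"
        if listed == deny_mode:
            return (False, False)
    if user in ftpusers:
        return (False, True)
    return (True, True)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    lists = parse_user_list(SAMPLE_USER_LIST), parse_user_list(SAMPLE_FTPUSERS)
    print("findings:", audit_conf(conf) or "none")
    for name in ("root", "linuxprobe"):
        print(f"{name}: (allowed, prompted) = {login_decision(name, conf, *lists)}")
```

Running it against the chapter's configuration reports no findings, root is rejected without a prompt, and linuxprobe proceeds to the password prompt. Flipping userlist_deny to NO turns user_list into an allow list: linuxprobe is then rejected before the prompt, while root passes user_list but still fails on ftpusers after entering a password, which is exactly what the comment in user_list warns about.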

[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): linuxprobe
331 Please specify the password.
Password: (enter the user's password here)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
550 Create directory operation failed.

When you log on to the FTP server in local user mode, you land in the user's home directory by default, that is, /home/linuxprobe. The default owner and group of that directory are the user himself, so there is no shortage of write permission. The operation was still rejected because we just restored the virtual machine to its original state. You therefore need to turn the SELinux policy that allows the FTP service full access back on:

[root@linuxprobe ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@linuxprobe ~]# setsebool -P ftpd_full_access=on

When setting SELinux booleans in lab courses and production environments, remember to add the -P parameter; otherwise the server falls back to the original policy after a restart and the configured service becomes unavailable.

Once configured, log on to the FTP server with the local user again and try creating, renaming and deleting a directory in turn. The operations succeed!

[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): linuxprobe
331 Please specify the password.
Password: (enter the user's password here)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/home/linuxprobe/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.

Note: When you have completed this lab, restore the virtual machine snapshot before the next experiment; otherwise the leftover configuration may conflict with the next one and cause errors.