
11.2.3 Virtual user mode


May 24, 2021 That's what Linux should learn



The virtual user mode we end up with is the safest of the three authentication models, and naturally its configuration is a little more complicated than the previous two, because the security is higher.

Step 1: Create a user database file for FTP authentication, in which the odd lines are account names and the even lines are passwords. For example, we create two users, zhangsan and lisi, both with the password redhat:

[root@linuxprobe ~]# cd /etc/vsftpd/
[root@linuxprobe vsftpd]# vim vuser.list
zhangsan
redhat
lisi
redhat

But clear-text information is neither secure nor in a format that the vsftpd service program can load directly, so you need to use the db_load command to convert the original clear-text file into a database file with the hash algorithm, reduce the permissions of the database file (so that others cannot read its contents), and then delete the original clear-text file.
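Before converting the list with db_load, it is worth checking that vuser.list is well formed: a blank line, an odd line count or a repeated account name silently produces a database with the wrong credentials. The following script is an added example, not part of the book; the file names and sample contents it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a vsftpd vuser.list before
# running db_load. Format: odd lines = account name, even lines = password.

validate_vuser_list() {
    list="$1"
    [ -s "$list" ] || { echo "empty or missing: $list" >&2; return 1; }
    # A blank line shifts every following account/password pair by one.
    if grep -q '^[[:space:]]*$' "$list"; then
        echo "blank line in $list" >&2; return 1
    fi
    # Count records with awk so a missing trailing newline is still counted.
    count=$(awk 'END { print NR }' "$list")
    if [ $((count % 2)) -ne 0 ]; then
        echo "odd number of lines ($count): last account has no password" >&2
        return 1
    fi
    # Accounts are on odd lines; the hash database keeps one record per key,
    # so a duplicated account would keep only the last password.
    dups=$(awk 'NR % 2 == 1' "$list" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate account(s): $dups" >&2; return 1
    fi
    return 0
}

# Print the account names (odd lines) so the administrator can review them.
vuser_accounts() {
    awk 'NR % 2 == 1' "$1"
}

# Constructed sample inputs, written to a temp dir so the block runs anywhere.
tmp=$(mktemp -d)
printf 'zhangsan\nredhat\nlisi\nredhat\n' > "$tmp/good.list"
printf 'zhangsan\nredhat\nlisi\n' > "$tmp/odd.list"
printf 'zhangsan\nredhat\nzhangsan\nredhat\n' > "$tmp/dup.list"

validate_vuser_list "$tmp/good.list" && vuser_accounts "$tmp/good.list"
```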

[root@linuxprobe vsftpd]# db_load -T -t hash -f vuser.list vuser.db
[root@linuxprobe vsftpd]# file vuser.db
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
[root@linuxprobe vsftpd]# chmod 600 vuser.db
[root@linuxprobe vsftpd]# rm -f vuser.list

Step 2: Create the root directory in which the vsftpd service program stores files, and the local system user that the virtual users are mapped to. The FTP root directory used to store files is the default location a virtual user lands in when logging on.

Because every file in a Linux system has owner and group properties, if the virtual account zhangsan creates a new file but the system cannot find any account named zhangsan, the permissions of that file will be wrong. To handle this, you need to create a local system user that the virtual users can be mapped to. Simply put, by default a virtual user logs in to the home directory of the local system user it is mapped to, and the files created by the virtual user are owned by that local system user, which avoids the Linux system being unable to handle the ownership and permissions of files created by virtual users.

To make data management on the FTP server easier, the home directory of this local system user can be placed under the /var directory, which is used to hold data that changes frequently. And for security reasons, we set this local system user so that it cannot log in to the FTP server; this does not affect virtual user login, but prevents an attacker from logging in through the local system user.

[root@linuxprobe ~]# useradd -d /var/ftproot -s /sbin/nologin virtual
[root@linuxprobe ~]# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
[root@linuxprobe ~]# chmod -Rf 755 /var/ftproot/

Step 3: Create a PAM file to support virtual users.

PAM (Pluggable Authentication Modules) is an authentication mechanism that separates the services provided by the system from the authentication method through dynamic link libraries and a unified API, allowing the system administrator to flexibly adjust the authentication method of each service program as needed. To fully understand the functions and uses of PAM at least one chapter is needed (readers interested in this topic should pay attention to the advanced part of this book, which explains PAM in detail).

In plain terms, PAM is a set of security mechanism modules that let system administrators easily adjust how service programs authenticate without any modification to the application. PAM adopts a layered design (application layer, application interface layer, authentication module layer); its structure is shown in Figure 11-2.

Figure 11-2 The layered design structure of PAM

Create a new PAM file vsftpd.vu for virtual user authentication. The db parameter in the PAM file is the path to the account and password database file generated with the db_load command, written without the database file suffix:

[root@linuxprobe ~]# vim /etc/pam.d/vsftpd.vu
auth       required     pam_userdb.so db=/etc/vsftpd/vuser
account    required     pam_userdb.so db=/etc/vsftpd/vuser

Step 4: In the main configuration file of the vsftpd service program, use the pam_service_name parameter to change the name of the PAM authentication file to vsftpd.vu. PAM serves as the link between the application layer and the authentication module layer, allowing the application to flexibly insert the authentication modules it needs. When an application requires PAM authentication, the PAM configuration file responsible for that authentication has to be defined in the application so that the required authentication functionality is provided.

For example, the main configuration file of the vsftpd service program defaults to the parameter pam_service_name=vsftpd, which means the FTP server performs security authentication based on the /etc/pam.d/vsftpd file. Now all we have to do is change the original PAM authentication file vsftpd in the vsftpd main configuration file to the new file vsftpd.vu. The parameters used in this operation and their functions are shown in Table 11-4.

Table 11-4 Parameters used for authentication with the PAM file and their effects

Parameter                      Action
anonymous_enable=NO            Prohibit anonymous open mode
local_enable=YES               Allow local user mode
guest_enable=YES               Turn on virtual user mode
guest_username=virtual         Specify the virtual user account
pam_service_name=vsftpd.vu     Specify the PAM file
allow_writeable_chroot=YES     Allow writes to the FTP root directory and do not deny the user's login request

[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES

Step 5: Set different permissions for virtual users. Although both accounts zhangsan and lisi are virtual accounts authenticated by the vsftpd service program, we still want to treat them differently. For example, zhangsan is allowed to upload, create, modify, view and delete files, while lisi is only allowed to view files. This can be done through the vsftpd service program. Simply create a new directory, create two files named zhangsan and lisi in it, and write the allowed permissions into the file named zhangsan (using the parameters for anonymous users):

[root@linuxprobe ~]# mkdir /etc/vsftpd/vusers_dir/
[root@linuxprobe ~]# cd /etc/vsftpd/vusers_dir/
[root@linuxprobe vusers_dir]# touch lisi
[root@linuxprobe vusers_dir]# vim zhangsan
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Then the vsftpd main configuration file is modified once more, adding the user_config_dir parameter to define the path where the per-user configuration files holding the different permissions of the two virtual users are stored. For the modified parameters to take effect immediately, the vsftpd service program needs to be restarted and added to the boot items:

[root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir
[root@linuxprobe ~]# systemctl restart vsftpd
[root@linuxprobe ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

Step 6: Set the SELinux domain allow policy and log on to the FTP server in virtual user mode. I'm sure you can guess that SELinux will make trouble again. So, follow the steps of the previous experiment and turn on the allowed policy for the SELinux domain to avoid another operational failure:

[root@linuxprobe ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@linuxprobe ~]# setsebool -P ftpd_full_access=on

At this point, not only can you successfully log on to the FTP server in virtual user mode, but you can also use the accounts zhangsan and lisi to verify their permissions. Of course, in a production environment the reader must adjust the configuration parameters flexibly according to real needs rather than copying the experimental operation here.

[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): lisi
331 Please specify the password.
Password: Enter the password of the virtual user here
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
550 Permission denied.
ftp> exit
221 Goodbye.
[root@linuxprobe ~]# ftp 192.168.10.10
Connected to 192.168.10.10 (192.168.10.10).
220 (vsFTPd 3.0.2)
Name (192.168.10.10:root): zhangsan
331 Please specify the password.
Password: Enter the password of the virtual user here
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.
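The ftp sessions above verify the two virtual users' permissions by hand. The script below is an added example, not from the book, that checks the same setup statically: it compares the Table 11-4 values in vsftpd.conf with what Steps 4 and 5 require and reports which files in user_config_dir grant write access. The temp files it creates are constructed to mirror the chapter's configuration.

```shell
#!/bin/sh
# Added example (not from the book): audit the virtual-user configuration.

# Print the value of KEY in FILE; vsftpd applies settings in order, so the last one wins.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 1 and list every Table 11-4 parameter whose value differs from what is expected.
audit_vsftpd_conf() {
    conf="$1"; rc=0
    for pair in anonymous_enable=NO local_enable=YES guest_enable=YES \
                guest_username=virtual pam_service_name=vsftpd.vu \
                allow_writeable_chroot=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, got '${got:-unset}'" >&2; rc=1
        fi
    done
    return $rc
}

# For each per-user file in user_config_dir print "<user> rw" when any of the
# anonymous write parameters is YES (the zhangsan case), otherwise "<user> ro".
virtual_user_access() {
    dir=$(conf_get "$1" user_config_dir)
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^anon_(upload|mkdir_write|other_write)_enable=YES' "$f"; then
            echo "$(basename "$f") rw"
        else
            echo "$(basename "$f") ro"
        fi
    done
}

# Constructed sample files mirroring the chapter's configuration.
tmp=$(mktemp -d); mkdir "$tmp/vusers_dir"
printf 'anonymous_enable=NO\nlocal_enable=YES\nguest_enable=YES\nguest_username=virtual\n' > "$tmp/vsftpd.conf"
printf 'allow_writeable_chroot=YES\npam_service_name=vsftpd.vu\nuser_config_dir=%s/vusers_dir\n' "$tmp" >> "$tmp/vsftpd.conf"
: > "$tmp/vusers_dir/lisi"
printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$tmp/vusers_dir/zhangsan"
printf 'anonymous_enable=YES\nguest_enable=YES\n' > "$tmp/bad.conf"

audit_vsftpd_conf "$tmp/vsftpd.conf" && virtual_user_access "$tmp/vsftpd.conf"
```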