ftp的主动和被动模式,并实现基于pam认证的vsftpd

2018-06-28  本文已影响63人  任总

(1) ftp的主动和被动模式

(2)vsftpd用户:

1)、用户类别:

2)、配置文件设置

[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES        #是否允许匿名账户登录(匿名账户默认只有下载权限)
anon_upload_enable=YES      #允许匿名上传,但只能上传文件
anon_mkdir_write_enable=YES #允许匿名创建目录
anon_other_write_enable=YES #允许匿名修改,包括删除目录
anon_umask=077

* 系统用户设置:                   

local_enable=YES    #是否允许本地用户登录
write_enable=YES    #允许写操作
local_umask=022     #默认文件权限644
                    
chroot_local_user=YES#禁锢所有本地用户于其家目录;需要事先去除用户对家目录的写权限;
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list#禁锢列表中文件存在的用户于其家目录中;需要事先去除用户对家目录的写权限;
                        
* 传输日志设置:
                    
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES

* 上传下载速率:
                
anon_max_rate=0    #0代表无限制
local_max_rate=0

* 并发连接数限制:
                    
max_clients=2000    #最大并发连接数
max_per_ip=50       #单个客户端ip的最大连接数

辅助配置文件/etc/vsftpd/ftpusers;列在此文件中的用户均禁止使用ftp服务;

[root@localhost ~]# vim /etc/vsftpd/ftpusers

# Users that are not allowed to login via ftp
root
bin
-省略-
userlist_enable=YES
启用/etc/vsftpd/user_list文件来控制可登录用户;
    userlist_deny=
    YES:意味着user_list为黑名单,列出的用户禁止登录;
    NO:意味着user_list为白名单,只有列出的用户可以登录;

(3)配置pam_mysql认证ftp虚拟用户


1)mysql服务器安装及设置

[root@mariadb-107 ~]# systemctl stop firewalld
[root@mariadb-107 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@mariadb-107 ~]# vim /etc/selinux/config 
 SELINUX=disabled
[root@mariadb-107 ~]# systemctl reboot  #重启生效(关闭防火墙与SELinux仅为实验环境排除干扰;生产环境应只放行ftp所需端口并保留SELinux)

[root@mariadb-107 ~]# yum install  mariadb-server -y
[root@mariadb-107 ~]# vim /etc/my.cnf.d/server.cnf
 
 [mysqld]
skip_name_resolve=ON               #添加
innodb_file_per_table=ON          #添加
 
[root@mariadb-107 ~]# systemctl start mariadb.service
[root@mariadb-107 ~]# systemctl enable mariadb.service
[root@mariadb-107 ~]# ss -tnl
[root@mariadb-107 ~]# mysql                    #登录数据库
  MariaDB [(none)]>CREATE DATABASE vsftpd;
  MariaDB [(none)]> use vsftpd;
  MariaDB [vsftpd]> GRANT SELECT ON vsftpd.* TO vsftp@'172.16.15.%' IDENTIFIED BY 'vpass';#创建ftp授权用户                                           
  MariaDB [vsftpd]> FLUSH PRIVILEGES;               #刷新
  MariaDB [vsftpd]> CREATE TABLE users (id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,name VARCHAR(50) BINARY NOT NULL,password CHAR(48) BINARY NOT NULL);#创建users表,id列为无符号整型,该列值不可以为空,并不可以重复,而且自增;
MariaDB [vsftpd]> INSERT INTO users(name,password) VALUES ('test1',password('123')),('test2',password('456'));#插入test1和test2用户名密码
MariaDB [vsftpd]> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | test1 | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
|  2 | test2 | *531E182E2F72080AB0740FE2F2D689DBE0146E04 |
+----+-------+-------------------------------------------+
MariaDB [vsftpd]> exit

2)ftp服务器安装及设置

[root@fpt-103 ~]# systemctl stop firewalld
[root@fpt-103 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@fpt-103 ~]# vim /etc/selinux/config 
 SELINUX=disabled
[root@fpt-103 ~]# systemctl reboot  #重启生效

[root@fpt-103 ~]#  yum groupinstall -y "Development Tools" "Server Platform Development"   #安装编译所需的包组
[root@fpt-103 ~]#  yum install -y  vsftpd ftp wget    #安装vsftp、wget、ftp客户端
[root@fpt-103 ~]# yum install -y mariadb-devel pam-devel  openssl-devel    #安装相关扩展

[root@fpt-103 ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz --no-check-certificate    #下载源码包(经明文http获取且未做完整性校验,编译前应核对官方发布的校验和)
[root@fpt-103 ~]#  tar xf pam_mysql-0.7RC1.tar.gz  #解压缩包
[root@fpt-103 ~]# cd pam_mysql-0.7RC1   #切换到pam_mysql目录下
[root@ftp-103 pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security  #配置编译选项,并指定pam模块的安装目录
[root@ftp-103 pam_mysql-0.7RC1]#  make && make install #编译并安装
[root@fpt-103 ~]# ll /lib64/security/ | grep mysql     #查询是否安装成功
-rwxr-xr-x  1 root root    882 Jun 24 23:49 pam_mysql.la
-rwxr-xr-x  1 root root 141752 Jun 24 23:49 pam_mysql.so
[root@fpt-103 ~]# vim /etc/pam.d/vsftpd.mysql #创建pam认证文件(文件中含数据库明文密码,应限制为仅root可读;crypt=2对应建表时用的MySQL PASSWORD()哈希)

auth required /usr/lib64/security/pam_mysql.so user=vsftp passwd=vpass host=172.16.15.107 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftp passwd=vpass host=172.16.15.107 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

[root@fpt-103 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser    #创建虚拟用户映射到的系统账号,禁止shell登录
[root@fpt-103 ~]#  chmod go+rx /var/ftproot          #更改权限
[root@fpt-103 ~]# vim /etc/vsftpd/vsftpd.conf        #设置配置文件

chroot_local_user=YES
allow_writeable_chroot=YES    #允许chroot根目录可写(vsftpd默认拒绝可写的chroot根目录,即前文"需要事先去除用户对家目录的写权限"的原因;这里为让虚拟用户能在/var/ftproot上传而开启)
pam_service_name=vsftpd.mysql
userlist_enable=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_conf
[root@fpt-103 ~]#  mkdir /etc/vsftpd/vusers_conf  #创建虚拟用户配置目录
[root@fpt-103 ~]#  cd /etc/vsftpd/vusers_conf    #切换目录
[root@ftp-103 vusers_conf]#  vim test1    #创建测试1用户配置

anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

[root@ftp-103 vusers_conf]# vim test2    #创建测试2用户配置

anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

[root@fpt-103 ~]# systemctl start vsftpd    #启动vsftpd

(4)在客户端测试

[root@client-90 ~]# ftp 172.16.15.103
Connected to 172.16.15.103 (172.16.15.103).
220 (vsFTPd 3.0.2)
Name (172.16.15.103:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put issue
local: issue remote: issue                  #上传issue
227 Entering Passive Mode (172,16,15,103,119,150).
150 Ok to send data.
226 Transfer complete.                      #上传成功
23 bytes sent in 9e-05 secs (255.56 Kbytes/sec)
ftp> mkdir test
257 "/test" created                       #创建test目录成功
ftp> rm test
250 Remove directory operation successful.  #删除成功
ftp> exit
221 Goodbye.
[root@client-90 ~]# ftp 172.16.15.103
Connected to 172.16.15.103 (172.16.15.103).
220 (vsFTPd 3.0.2)
Name (172.16.15.103:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put issue             #上传issue 
local: issue remote: issue
227 Entering Passive Mode (172,16,15,103,47,230).
550 Permission denied #上传被拒绝
ftp> mkdir test
550 Permission denied #创建目录被拒绝