ネットワークファイル共有サービス-vsftp
ファイル転送プロトコルFTP
FTPソフトウェア紹介:
FTPサービス
vsftpdサービス
vsftpd匿名ユーザー構成例
vsftpd匿名ユーザー構成例
システムユーザをゲストアカウントguestにマッピングする
ホームディレクトリにおけるシステムユーザーの束縛例:
vsftpd仮想ユーザ
ファイル検証ベースvsftp仮想ユーザーの例
MYSQL検証に基づくvsftpd仮想ユーザ
1、File Transfer Protocol
2、 C/S
3、 :
,
、 。 ,
、
、 、
FTP ,
4、 :
( )
5、 :
(PORT style):
( ): : port --- :tcp21
: : port --- :tcp20
(PASV style):
( ): : port --- :tcp21
: : port --- : port
6、 :
227 Entering Passive Mode (172,16,0,1,224,59)
データ接続ポート: 224*256+59 = 57403
FTPソフトウェア紹介:
FTP :
Wu-ftpd,Proftpd,Pureftpd,ServU,IIS
vsftpd:Very Secure FTP Daemon,CentOS FTP
, , WU-FTP
ftp.redhat.com : 15000
:
ftp,lftp,lftpget,wget,curl
ftp -A ftpserver port -A -p
lftp -u username ftpserver
lftp username@ftpserver
lftpget ftp://ftpserver/pub/file
gftp:GUI centos5 2.0.19 (11/30/2008)
filezilla,CuteFtp,FlashFXP,LeapFtp
IE ftp://username:password@ftpserver
FTPサービス
:
1XX: 125:
2XX: 200: OK 230:
3XX: 331: OK
4XX: 425:
5XX: 530:
:
:ftp,anonymous, Linux ftp
:Linux , /etc/passwd, /etc/shadow
: , /
nsswitch:network service switch
pam:pluggable authentication module
/lib64/security /etc/pam.d/ /etc/pam.conf
vsftpdサービス
1、 vsftpd
2、 xinetd
3、 :
/etc/pam.d/vsftpd
4、 :
/usr/lib/systemd/system/vsftpd.service
/etc/rc.d/init.d/vsftpd
5、 :
/etc/vsftpd/vsftpd.conf
man 5 vsftpd.conf
:option=value
:=
6、 ( ftp ) :
/var/ftp
7、 :
8、 :
9、
listen_port=21
10、
connect_from_port_20=YES 20
ftp_data_port=20 ( )
11、
linux
windows
pasv_min_port=6000 0
pasv_max_port=6010
12、
use_localtime=YES ( NO, GMT)
13、
anonymous_enable=YES
no_anon_password=YES( NO)
anon_world_readable_only ( YES)
anon_upload_enable=YES , :
anon_mkdir_write_enable=YES
anon_umask=0333 umask, 077
anon_other_write_enable=YES
chown_uploads=YES( NO)
chown_username=wang
chown_upload_mode=0644
14、Linux
local_enable=YES linux
write_enable=YES linux
local_umask=022
guest_enable=YES guest
guest_username=ftp , guest
local_root=/ftproot guest
15、
chroot_local_user=YES( NO, )
16、 ,
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES , chroot_list
chroot_local_user=NO , chroot_list
17、wu-ftp :
xferlog_enable=YES ( )
xferlog_std_format=YES ( ) wu-ftp
xferlog_file=/var/log/xferlog ( )
vsftpd :
dual_log_enable=YES vsftpd ,
vsftpd_log_file=/var/log/vsftpd.log( )
18、
ftpd_banner="welcome to mage ftp server"
banner_file=/etc/vsftpd/ftpbanner.txt
dirmessage_enable=YES ( )
message_file=.message( )
.message
19、 pam(Pluggable Authentication Modules)
pam_service_name=vsftpd
pam :/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
, ,
1、
2、
20、
userlist_enable=YES
userlist_deny=YES( ) , ,NO
userlist_file=/etc/vsftpd/user_list
vsftpd
nopriv_user=nobody ( )
max_clients=0
max_per_ip=0 IP
: /
anon_max_rate=0
local_max_rate=0
:
connect_timeout=60
accept_timeout=60
data_connection_timeout=300
idle_session_timeout=60
ascii_upload_enable=YES
ascii_download_enable=YES
vsftpd匿名ユーザー構成例
: ftp
1、 vsftpd
[root@node6 ~]#yum -y install vsftpd
2、 vsftpd
[root@node6 ~]#systemctl start vsftpd
3、
[root@node7 ~]#lftp 192.168.137.56
lftp 192.168.137.56:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2017 pub
lftp 192.168.137.56:/> cd pub
lftp 192.168.137.56:/pub> ls
lftp 192.168.137.56:/pub> ls
-rw-r--r-- 1 0 0 23 Oct 22 12:26 issue
lftp 192.168.137.56:/pub> lcd /tmp
lcd ok, local cwd=/tmp
lftp 192.168.137.56:/pub> mget issue
23 bytes transferred
lftp 192.168.137.56:/pub> bye
[root@node7 ~]#ls /tmp/
issue
4、 600
[root@node6 /var/ftp/pub]#chmod 600 issue
[root@node6 /var/ftp/pub]#ll
total 4
-rw------- 1 root root 23 Oct 22 20:26 issue
5、
[root@node7 ~]#lftp 192.168.137.56
lftp 192.168.137.56:/> cd pub/
lftp 192.168.137.56:/pub> ls
-rw------- 1 0 0 23 Oct 22 12:26 issue
lftp 192.168.137.56:/pub> mget issue
mget: Access failed: 550 Failed to open file. (issue)
lftp 192.168.137.56:/pub>
、 、 :
,
[root@node6 /etc/vsftpd]#vim vsftpd.conf
#anon_upload_enable=YES
anon_upload_enable=YES
[root@node7 ~]#lftp 192.168.137.56
lftp 192.168.137.56:~> lcd /etc/
lcd ok, local cwd=/etc
lftp 192.168.137.56:~> put fstab
put: Access failed: 553 Could not create file. (fstab)
lftp 192.168.137.56:/>
原因: 匿名ユーザーはシステムユーザー ftp にマッピングされるが、pub の所有者は root なので ftp ユーザーには pub への書き込み権限がない。
解決策: pub とは別に、ftp ユーザーが所有するアップロード専用ディレクトリを作成する。
[root@node6 /var/ftp]#mkdir upload
[root@node6 /var/ftp]#ls
pub upload
[root@node6 /var/ftp]#ll
total 0
drwxr-xr-x 2 root root 19 Oct 22 20:26 pub
drwxr-xr-x 2 root root 6 Oct 22 20:52 upload
[root@node6 /var/ftp]#chown -R ftp.ftp upload/
[root@node6 /var/ftp]#ll -ld upload/
drwxr-xr-x 2 ftp ftp 6 Oct 22 20:52 upload/
[root@node7 ~]#lftp 192.168.137.56/upload
cd ok, cwd=/upload
lftp 192.168.137.56:/upload> lcd /etc
lcd ok, local cwd=/etc
lftp 192.168.137.56:/upload> put fstab
595 bytes transferred
lftp 192.168.137.56:/upload>
[root@node6 /var/ftp]#cd upload/
[root@node6 /var/ftp]#ls -l upload/
total 4
-rw------- 1 ftp ftp 595 Oct 22 20:55 fstab
、 :
[root@node6 /etc/vsftpd]#vim vsftpd.conf
#chown_uploads=YES
#chown_username=whoever
chown_uploads=YES
chown_username=cobbler
chown_upload_mode=0644
cobbler
[root@node6 /etc/vsftpd]#useradd cobbler
vsftpd
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
[root@node7 ~]#lftp 192.168.137.56/upload
cd ok, cwd=/upload
lftp 192.168.137.56:/upload> lcd /etc
lcd ok, local cwd=/etc
lftp 192.168.137.56:/upload> put passwd
1199 bytes transferred
lftp 192.168.137.56:/upload> ls
[root@node6 /var/ftp]#cd upload/
[root@node6 /var/ftp/upload]#ll
total 8
-rw------- 1 ftp ftp 595 Oct 22 20:55 fstab
-rw-r--r-- 1 cobbler ftp 1199 Oct 22 21:04 passwd
lftp 192.168.137.56:/upload> mkdir test
mkdir: Access failed: 550 Permission denied. (test)
lftp 192.168.137.56:/upload> rm fstab
rm: Access failed: 550 Permission denied. (fstab)
lftp 192.168.137.56:/upload> rm passwd
rm: Access failed: 550 Permission denied. (passwd)
lftp 192.168.137.56:/upload>
[root@node6 /etc/vsftpd]#vim vsftpd.conf
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
[root@node7 ~]#lftp 192.168.137.56/upload
cd ok, cwd=/upload
lftp 192.168.137.56:/upload> mkdir test
mkdir ok, 'test' created
lftp 192.168.137.56:/upload> ls
-rw------- 1 14 50 595 Oct 22 12:55 fstab
-rw-r--r-- 1 1000 50 1199 Oct 22 13:04 passwd
drwx------ 2 14 50 6 Oct 22 13:10 test
lftp 192.168.137.56:/upload> rm fstab
rm ok, 'fstab' removed
lftp 192.168.137.56:/upload> rm passwd
rm ok, 'passwd' removed
lftp 192.168.137.56:/upload> rmdir test
rmdir ok, 'test' removed
lftp 192.168.137.56:/upload> ls
lftp 192.168.137.56:/upload>
vsftpd匿名ユーザー構成例
,
[root@node6 /etc/vsftpd]#useradd ilinux
[root@node6 /etc/vsftpd]#echo 123456|passwd --stdin ilinux
Changing password for user ilinux.
passwd: all authentication tokens updated successfully.
, ,
[root@node7 ~]#lftp -u ilinux 192.168.137.56
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> lcd /etc/
lcd ok, local cwd=/etc
lftp [email protected]:~> put issue
23 bytes transferred
lftp [email protected]:~> ls
-rw-r--r-- 1 1001 1001 23 Oct 22 13:19 issue
lftp [email protected]:~>
ilinux
ftp
/var/ftp , , ftp
[root@node6 /var/ftp/upload]#grep "^ftp" /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@node6 /var/ftp/upload]#ls /home/ilinux/
issue
, , 、
システムユーザをゲストアカウントguestにマッピングする
,
[root@node6 /var/ftp/upload]#useradd -d /data/ftproot vsguest
[root@node6 /var/ftp/upload]#chmod -w /data/ftproot/
[root@node6 /var/ftp/upload]#ls -ld /data/ftproot/
dr-x------ 2 vsguest vsguest 62 Oct 22 21:56 /data/ftproot/
[root@node6 /var/ftp/upload]#chmod +rx !$
chmod +rx /data/ftproot/
[root@node6 /var/ftp/upload]#ls -ld /data/ftproot/
dr-xr-xr-x 2 vsguest vsguest 62 Oct 22 21:56 /data/ftproot/
[root@node6 /var/ftp/upload]#
[root@node6 /etc/vsftpd]#vim vsftpd.conf
#guest user
guest_enable=YES
guest_username=vsguest
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
,
[root@node6 /etc/vsftpd]#cp /etc/vsftpd/vsftpd.conf /data/ftproot/
検証: 500 OOPS エラーが出る場合、chroot のルートディレクトリ（ここでは /data/ftproot）がログインユーザーにとって書き込み可能になっている。vsftpd はこの状態を拒否するため、ルートディレクトリから書き込み権限を外す必要がある（上の chmod -w はそのための操作）。
[root@node7 ~]#lftp -u ilinux 192.168.137.56
Password:
lftp [email protected]:~> pwd
ftp://[email protected]
lftp [email protected]:~> ls
ls: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> ls
ls: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> ls
lftp [email protected]:/> ls
-rw------- 1 0 0 5129 Oct 22 14:00 vsftpd.conf
lftp [email protected]:/>
[root@node6 /etc/vsftpd]#vim vsftpd.conf
#guest_enable=YES
#guest_username=vsguest
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
home ilinux ,
[root@node6 /var/ftp/upload]#ls /home/ilinux/
issue
:
[root@node7 ~]#lftp -u ilinux 192.168.137.56
Password:
lftp [email protected]:~> ls
-rw-r--r-- 1 1001 1001 23 Oct 22 13:19 issue
lftp [email protected]:~>
lftp [email protected]:~> cd /etc/
, , , , , ,
ホームディレクトリにおけるシステムユーザーの束縛例:
, ,
[root@node6 /etc/vsftpd]#vim vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
[root@node6 /etc/vsftpd]#useradd ik8s
[root@node6 /etc/vsftpd]#echo 123456|passwd --stdin ik8s
Changing password for user ik8s.
passwd: all authentication tokens updated successfully.
[root@node6 /etc/vsftpd]#chmod -w /home/ik8s/
[root@node6 /etc/vsftpd]#vim /etc/vsftpd/chroot_list
ik8s
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
検証（注: `lftp -u user,password` の形式はパスワードがシェル履歴やプロセス一覧に残るため、検証環境以外では対話的に入力する）:
[root@node7 ~]#lftp -u ilinux,123456 192.168.137.56
lftp [email protected]:~> cd /etc/
lftp [email protected]:/etc> exit
[root@node7 ~]#lftp -u ik8s,123456 192.168.137.56
lftp [email protected]:~> cd /etc
cd: Access failed: 550 Failed to change directory. (/etc)
lftp [email protected]:/> ls
lftp [email protected]:/>
:
:
[root@node6 /etc/vsftpd]#vim vsftpd.conf
userlist_enable=YES
userlist_deny=NO
user_list
[root@node6 /etc/vsftpd]#vim user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
#
#
# for users that are denied.
ilinux
ftp
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
:
[root@node7 ~]#lftp -u ik8s,123456 192.168.137.56
lftp [email protected]:~> ls
ls: Login failed: 530 Permission denied.
[root@node7 ~]#lftp -u ilinux,123456 192.168.137.56
lftp [email protected]:~> ls
-rw-r--r-- 1 1001 1001 23 Oct 22 13:19 issue
lftp [email protected]:~>
vsftpd仮想ユーザ
:
: ,
,
:
:
, hash
,
db_load -T -t hash -f vusers.txt vusers.db
:
mysql :
pam pam-mysql
/lib64/security/pam_mysql.so
/usr/share/doc/pam_mysql-0.7/README
ファイル検証ベースvsftp仮想ユーザーの例
:
[root@node6 /etc/vsftpd]#vim vsguests.txt
tom
123456
jerry
123456
trump
123456
vsftpd 用の db ファイルに変換する（vsguests.txt と生成される vsguests.db は平文パスワードを含むため、root のみ読み取り可に権限を絞る）
[root@node6 /etc/vsftpd]#db_load -T -t hash -f vsguests.txt vsguests.db
[root@node6 /var/ftp/upload]#useradd -d /data/ftproot vsguest
[root@node6 /etc/vsftpd]#mkdir /data/ftproot/{upload,pub}
upload
[root@node6 /data/ftproot]#chown vsguest.vsguest upload/
Pam
[root@node6 /etc/pam.d]#vim vsftpd.virt
auth required pam_userdb.so db=/etc/vsftpd/vsguests
account required pam_userdb.so db=/etc/vsftpd/vsguests
vsftpd.conf
[root@node6 /etc/vsftpd]#vim vsftpd.conf
guest_enable=YES
guest_username=vsguest
local_enable=YES
write_enable=YES
# pam サービス名（vsftpd.conf は行末コメントを解釈しないため、コメントは別行に置く）
pam_service_name=vsftpd.virt
# 、
#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
#anon_upload_enable=YES
[root@node6 /etc/vsftpd]#vim vsftpd.conf
user_config_dir=/etc/vsftpd/vsguests
[root@node6 /etc/vsftpd]#mkdir /etc/vsftpd/vsguests
[root@node6 /etc/vsftpd]#systemctl restart vsftpd
[root@node7 ~]#lftp -u tom,123456 192.168.137.56
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Oct 23 02:12 pub
drwxr-xr-x 2 1002 1002 6 Oct 23 02:12 upload
-rw------- 1 0 0 5129 Oct 22 14:00 vsftpd.conf
lftp [email protected]:/> cd upload/
lftp [email protected]:/upload> lcd /etc/
lcd ok, local cwd=/etc
lftp [email protected]:/upload> put issue
put: Access failed: 550 Permission denied. (issue)
lftp [email protected]:/upload>
tom
[root@node6 /etc/vsftpd/vsguests]#vim tom
anon_upload_enable=YES
Jerry
[root@node6 /etc/vsftpd/vsguests]#vim jerry
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
:
[root@node6 /etc/vsftpd/vsguests]#systemctl restart vsftpd
1、 Jerry
[root@node7 ~]#lftp -u jerry,123456 192.168.137.56
lftp [email protected]:/> lcd /etc/
lcd ok, local cwd=/etc
lftp [email protected]:/> cd upload/
lftp [email protected]:/upload> put issue
23 bytes transferred
lftp [email protected]:/upload> ls
-rw-r--r-- 1 1000 1002 23 Oct 23 02:33 issue
lftp [email protected]:/upload> rm issue
rm ok, `issue' removed
lftp [email protected]:/upload> ls
lftp [email protected]:/upload>
2、 Tom
[root@node7 ~]#lftp -u tom,123456 192.168.137.56
lftp [email protected]:~> lcd /etc
lcd ok, local cwd=/etc
lftp [email protected]:~> cd upload/
lftp [email protected]:/upload> ls
lftp [email protected]:/upload> put issue
23 bytes transferred
lftp [email protected]:/upload> rm issue
rm: Access failed: 550 Permission denied. (issue)
lftp [email protected]:/upload> mkdir test
mkdir: Access failed: 550 Permission denied. (test)
lftp [email protected]:/upload>
MYSQL検証に基づくvsftpd仮想ユーザ
[root@node6 ~]#yum -y install mariadb-server
mariadb
[root@node6 ~]#vim /etc/my.cnf
[mysqld]
skip_name_resolve=on
[root@node6 ~]#systemctl start mariadb
pam、mysql
[root@node6 ~]#yum -y groupinstall "Development tools"
[root@node6 ~]#yum -y install mariadb-devel pam-devel
[root@node6 ~]#tar xf pam_mysql-0.7RC1.tar.gz
[root@node6 ~]#cd pam_mysql-0.7RC1
[root@node6 ~/pam_mysql-0.7RC1]#./configure \
--with-pam-mods-dir=/lib64/security \
--with-mysql=/usr --with-pam=/usr
[root@node6 ~/pam_mysql-0.7RC1]#make -j 2 && make install
mysql
[root@node6 ~/pam_mysql-0.7RC1]#ls /lib64/security/
pam_access.so pam_filter pam_mail.so pam_rootok.so pam_timestamp.so
pam_cap.so pam_filter.so pam_mkhomedir.so pam_securetty.so pam_tty_audit.so
pam_chroot.so pam_fprintd.so pam_motd.so pam_selinux_permit.so pam_umask.so
pam_console.so pam_ftp.so pam_mysql.la pam_selinux.so pam_unix_acct.so
pam_cracklib.so pam_group.so pam_mysql.so
mysql 用の pam 設定ファイルを作成する（DB のパスワードを平文で含むため、ファイルは root のみ読み取り可にする）
[root@node6 ~]#vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftp passwd=magedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftp passwd=magedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> create table users(name varchar(100) not null primary key, password char(48) not null);
MariaDB [vsftpd]> grant all on vsftpd.* to 'vsftp'@'localhost' identified by 'magedu';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> grant all on vsftpd.* to 'vsftp'@'127.0.0.1' identified by 'magedu';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
3 ユーザーを追加する（注: pam_mysql の認証には users テーブルへの SELECT 権限で足りるため、本番では grant all ではなく最小権限にする）
MariaDB [vsftpd]> insert into users values('tom',password('123456')),('jerry',password(123456)),('turmp',password('123456'));
Query OK, 3 rows affected (0.00 sec)
Records: 3 Duplicates: 0 Warnings: 0
vsftpd の PAM サービス名を MySQL 認証用の設定に切り替える。
[root@node6 ~]#vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
[root@node6 ~]#systemctl restart vsftpd
:
tom
[root@node7 ~]#lftp -u tom,123456 192.168.137.56
lftp [email protected]:/> cd upload/
lftp [email protected]:/upload> lcd /etc/
lcd ok, local cwd=/etc
lftp [email protected]:/upload> put passwd
1257 bytes transferred
lftp [email protected]:/upload> ls
-rw-r--r-- 1 1000 1002 23 Oct 23 02:34 issue
-rw-r--r-- 1 1000 1002 1257 Oct 23 03:15 passwd
lftp [email protected]:/upload> rm issue
rm: Access failed: 550 Permission denied. (issue)
lftp [email protected]:/upload>
jerry
[root@node7 ~]#lftp -u jerry,123456 192.168.137.56
lftp [email protected]:~> cd upload/
lftp [email protected]:/upload> ls
-rw-r--r-- 1 1000 1002 23 Oct 23 02:34 issue
-rw-r--r-- 1 1000 1002 1257 Oct 23 03:15 passwd
lftp [email protected]:/upload> rm issue
rm ok, 'issue' removed
lftp [email protected]:/upload> rm passwd
rm ok, 'passwd' removed
lftp [email protected]:/upload> ls
lftp [email protected]:/upload>