FTP data connections can use one of three transmission modes: active mode, passive mode and single-port mode.
1. Active transmission mode
Once the FTP control connection is established and the client requests a directory listing or a file transfer, the client issues a PORT command to negotiate with the server, and the FTP server uses the standard port 20 (ftp-data) as its data-connection port to open the data connection to the client. Port 20 is used only as the source port of connections that the server originates; no process listens on port 20 for client requests.
In active mode the data connection runs in the opposite direction to the control connection: the server initiates the data connection to the client, and the client-side port is agreed through negotiation between server and client.
2. Passive transmission mode
Once the FTP control connection is established and the client requests a directory listing or a file transfer, the client sends a PASV command, which puts the server into passive mode: the FTP server waits for the client to contact it, listening for the client's data connection on a port other than port 20.
In passive mode the data connection runs in the same direction as the control connection: the client initiates the data connection to the server, and the client-side port is whichever port the client used to open that data connection. When an FTP client reaches an FTP server across a firewall, it needs to use passive mode.
3. Single port mode
Besides the two modes above there is also a single-port mode, in which the data connection is initiated by the FTP server and the client uses the same port for the control connection and the data connection. This mode is rarely used, because data and commands cannot be sent over the same port in quick succession.
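As an added example (not part of the original article), the Python code below works with the six-octet form that both modes exchange: it decodes a 227 passive-mode reply like the ones in the sessions later in this article into an address and port, and builds the PORT command a client sends in active mode. The control_peer check is this example's own addition: a client that refuses a 227 reply pointing at a host other than its control-connection peer cannot be steered into opening a data connection to a third party.

```python
import re
from typing import Optional, Tuple

# A 227 reply carries the server's data address as six decimal octets:
# four for the IPv4 address and two (high byte, low byte) for the port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply.

    If control_peer (the address the control connection talks to) is given,
    refuse a reply that points the data connection somewhere else: a client
    that blindly follows it can be redirected to a third host.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2          # high byte * 256 + low byte
    if control_peer is not None and host != control_peer:
        raise ValueError(f"PASV host {host} differs from control peer {control_peer}")
    return host, port

def pasv_host_matches(reply: str, control_peer: str) -> bool:
    """True when the 227 reply's address is the control connection's peer."""
    try:
        parse_pasv(reply, control_peer)
        return True
    except ValueError:
        return False

def build_port_command(host: str, port: int) -> str:
    """Build the PORT command a client sends in active mode: the address and
    port the server must connect back to, in the same six-octet form."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {host!r}")
    if not 1024 <= port <= 65535:
        raise ValueError("client data port must be an unprivileged port (1024..65535)")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"
```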
Many FTP servers are available for Linux; WU-FTP and VSFTP are popular ones. Red Hat 8.0 ships both WU-FTP and VSFTP. WU-FTP is a well-known FTP server that is powerful and runs well on many Unix operating systems, but the newer VSFTP is becoming more and more popular, and Red Hat 9.0 ships only VSFTP.
The VS in VSFTP stands for "very secure"; as the name says, the author paid close attention to security from the start. Besides its security, VSFTP is fast and stable: on a single (non-clustered) machine it can serve more than 4000 concurrent users, and according to figures from ftp.redhat.com it can support up to 15000 concurrent users.
Quickly building an FTP server
The basic functions of an FTP server are uploading and downloading. The following steps build a simple FTP server that provides downloads.
1. Install FTP server.
If you did not choose to install the FTP server when installing the system, you can install it through the Add/Remove Applications tool in Red Hat 9.0. Specifically, select Main Menu → System Settings → Add/Remove Applications, select FTP server in the pop-up interface, and click Update.
If you can't confirm whether the software is installed, you can use the following command to check:
#rpm -qa|grep vsftpd
vsftpd-1.1.3-8
2. Start the FTP server
Start VSFTP directly, using the default configuration shipped with Red Hat 9.0.
# /sbin/service vsftpd start
Starting vsftpd for vsftpd: [ OK ]
3. Create a file named test.txt in the /var/ftp/pub directory, and the file content is "This is a test file".
4. Test the server. Connect to the local server with an FTP client and log in anonymously:
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
This will successfully log in to the FTP server. The list of server directories that can be displayed is as follows:
ftp> ls
227 Entering Passive Mode (127,0,0,1,63,15)
drwxr-xr-x    2 0        0            4096 Feb 04 01:35 pub
226 Directory send OK.
Switch to the pub directory, display the contents of the directory, and you can find the newly created file test.txt:
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (127,0,0,1,232,34)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              21 Feb 04 01:35 test.txt
226 Directory send OK.
Download the test.txt file:
ftp> mget test.txt
mget test.txt? y
227 Entering Passive Mode (127,0,0,1,186,210)
150 Opening BINARY mode data connection for test.txt (21 bytes).
226 File send OK.
21 bytes received in 0.0108 secs (1.9 Kbytes/sec)
Listing the local directory shows that test.txt has been downloaded to this machine:
ftp> !ls
initrd  mnt  proc  tftpboot  ylg.txt
bin  etc  lib  mymnt  root  tmp
boot  home  lost+found  myshare  sbin  usr
dev  id_dsa.pub  misc  opt  test.txt  var
Try to upload a file named ylg.txt, and you can see that the request was rejected.
ftp> put ylg.txt
local: ylg.txt remote: ylg.txt
227 Entering Passive Mode (127,0,0,1,243,10)
550 Permission denied.
Log out:
ftp> bye
221 Goodbye.
It can be seen from the test that files can be downloaded, but files cannot be uploaded (and directories and files cannot be created on the server). In fact, this is an anonymous FTP server that provides download services.
As can be seen from the above steps, a simple FTP server can be set up without any configuration. This is because Red Hat has configured a default FTP server. However, in practical application, this simple server can't meet the demand in most cases.
Further configure FTP server
The following will create an FTP server that can meet general needs. In practical applications, FTP servers generally provide both upload and download functions. In addition, for security reasons, user authentication, user rights setting and space management are also needed. Let's set up such an FTP server.
1. Create a greeting. If you want users to see a welcome message or an introduction to the directory when they enter it, you can do so in the following ways.
Make sure that /etc/vsftpd/vsftpd.conf contains dirmessage_enable=YES (Red Hat 9.0 sets this by default). Then put a file named .message in the directory; its contents are shown to users who enter it. This example creates a .message file in /home/ylg containing "Welcome to my FTP site".
2. Change the FTP server's default port. For security reasons the default port 21 is changed to 2121. Open /etc/vsftpd/vsftpd.conf with vi:
#vi /etc/vsftpd/vsftpd.conf
Add the following line at the end of the file:
listen_port=2121
3. Disable anonymous login. Find the following line in vsftpd.conf and change its value to NO:
anonymous_enable=YES
4. Prevent users from leaving their directory. This too is done for security. A user's default directory is usually /home/username; if users should not be able to switch to the parent /home directory after logging in, use the following settings. Find these three lines in /etc/vsftpd/vsftpd.conf:
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
Change them to:
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
Create a new file /etc/vsftpd/chroot_list containing two user names:
ylg
user1
5. Set different speed limits for different users. Suppose the user ylg may use at most 500 KB/s and the user user1 at most 250 KB/s. Add the following line at the end of /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/vsftpd/userconf
Create the directory /etc/vsftpd/userconf:
#mkdir /etc/vsftpd/userconf
Create a file named ylg under /etc/vsftpd/userconf with the following contents:
local_max_rate=500000
Create a file named user1 in /etc/vsftpd/userconf with the following contents:
local_max_rate=250000
VSFTP's rate limiting is only approximate, roughly 80% to 120% of the configured value: with a limit of 100 KB/s the actual speed may fall anywhere between 80 KB/s and 120 KB/s, and it will be lower than the limit if bandwidth is insufficient.
6. Run each online user as a separate process. Normally, after starting VSFTP, you see only one process named vsftpd. If you want each online user to show up as a separate process, add the following line to /etc/vsftpd/vsftpd.conf:
setproctitle_enable=YES
7. Save the file /etc/vsftpd/vsftpd.conf, and then restart vsftpd:
# service vsftpd restart
8. Test the FTP server you just created.
The default login is now refused, because the port has been changed to 2121, so a port must be specified when logging in:
# ftp 127.0.0.1
ftp: connect: Connection refused
Anonymous login is no longer possible either:
# ftp 127.0.0.1 2121
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Logging in as the user ylg (specifying port 2121) succeeds and shows the welcome message:
# ftp 127.0.0.1 2121
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 1.1.3)
Name (127.0.0.1:root): ylg
331 Please specify the password.
Password:
Welcome to my FTP site
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
The following command fails, because the settings do not allow the user to leave the home directory:
ftp> cd /home
550 Failed to change directory.
Now test upload and download again. First download test.txt from the server directory:
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (127,0,0,1,243,215)
150 Opening BINARY mode data connection for test.txt (21 bytes).
226 File send OK.
21 bytes received in 0.00308 secs (6.7 Kbytes/sec)
With !ls you can see that the file has been downloaded to the local directory. Then upload the file ylg.txt from the local directory to the server:
ftp> put ylg.txt
local: ylg.txt remote: ylg.txt
227 Entering Passive Mode (127,0,0,1,133,248)
150 Ok to send data.
226 File receive OK.
19 bytes sent in 0.0401 secs (0.46 Kbytes/sec)
Look at the server directory with the ls command, and you will find that the file has been uploaded successfully.
To verify that different connected users run as different processes, use ps -ef:
# ps -ef|grep ftp
root     12972  1356  0 13:44 pts/1    00:00:00 ftp 127.0.0.1 2121
nobody   12973 12908  0 13:44 ?        00:00:00 [vsftpd]
ylg      12975 12973  0 13:44 ?        00:00:00 [vsftpd]
user1    13013 13011  0 13:46 ?        00:00:00 [vsftpd]
root     13041 13015  0 13:47 pts/4    00:00:00 grep ftp
So far, an FTP server has been built, which can basically meet the needs of ordinary use.
In practice, FTP servers are sometimes placed behind a firewall for added security. As noted at the beginning of this article, passive mode is the one suited to firewalled setups. Let's create an FTP server behind a firewall, with the server's FTP port set to 2121 and its data-transfer port to 2020.
Run the following two commands so that only ports 2121 and 2020 are open and all other TCP ports are closed:
#iptables -A INPUT -p tcp -m multiport --dport 2121,2020 -j ACCEPT
#iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
Modify the /etc/vsftpd/vsftpd.conf file and add the following two lines at the end of the text:
listen_port=2121
ftp_data_port=2020
Restart vsftpd:
# service vsftpd restart
Sometimes you want to allow or deny a source address directly in /etc/hosts.allow. To do so, make sure that tcp_wrappers=YES is set in /etc/vsftpd/vsftpd.conf (the default in Red Hat 9.0) and restart vsftpd:
# service vsftpd restart
Suppose that only 168.192.2.1 and the hosts in 210.31.8.* may connect; put the following in /etc/hosts.allow:
vsftpd: 168.192.2.1 210.31.8. : ALLOW
ALL: ALL: DENY
Configure virtual user FTP
The FTP server configured above has a feature that the users of the FTP server are also system users. This is obviously a security risk because these users can access not only FTP, but also other system resources. How to solve this problem? The answer is to create an FTP server for virtual users. Virtual users can only access the FTP service provided by the server, and cannot access other resources of the system. Therefore, if you want users to have write access to FTP server stations, but are not allowed to access other resources of the system, you can use virtual users to improve the security of the system.
In VSFTP these virtual users are authenticated through a separate password database file (pam_userdb) via a pluggable authentication module (PAM), which is both safer and more flexible. The configuration steps are as follows.
1. Generate the virtual-user password database. To build the database you first need a text file in which odd lines hold user names and even lines hold the corresponding passwords:
#vi account.txt
ylg
1234
zhanghong
4321
gou
5678
2. Generate a password repository file and modify its permissions:
# db_load -T -t hash -f ./account.txt /etc/vsftpd/account.db
# chmod 600 /etc/vsftpd/account.db
3. Create a new PAM file for the virtual user. Add the following two lines:
#vi /etc/pam.d/vsftp.vu
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/account
account required /lib/security/pam_userdb.so db=/etc/vsftpd/account
4. Establish a virtual user, set the directory to be accessed by the user, and set the access rights of the virtual user:
# useradd -d /ftpsite virtual_user
#chmod 700 /ftpsite
After this step /ftpsite is the home directory of virtual_user, who is also the owner of /ftpsite. Apart from root, only this user can read, write and execute the directory.
5. Generate a test file. First switch to the virtual_user user identity, and then create a file in the /ftpsite directory:
# su - virtual_user
$vi /ftpsite/mytest
This is a test file.
$su - root
6. Edit the file /etc/vsftpd/vsftpd.conf to make the whole file as follows (without comments):
anonymous_enable=NO
local_enable=YES
local_umask=022
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
one_process_model=NO
chroot_local_user=YES
ftpd_banner=Welcome to my FTP server.
anon_world_readable_only=NO
guest_enable=YES
guest_username=virtual_user
pam_service_name=vsftp.vu
In the configuration above, guest_enable=YES enables virtual users; guest_username=virtual_user maps every virtual user to the local user virtual_user, so a virtual user logs in to that user's directory, /ftpsite; pam_service_name=vsftp.vu names vsftp.vu as the PAM configuration file.
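As an added check (not the article's or vsftpd's own code), the Python below parses vsftpd.conf's key=value format and flags the settings this section and the earlier firewall section rely on: anonymous access, chroot, the virtual-user keys, and the passive port range. SAMPLE_CONF is constructed from the configuration above with the pasv_min_port/pasv_max_port options (vsftpd's documented names) deliberately absent; the defaults assumed for absent keys are vsftpd's documented defaults, and firewall_ports is this example's own helper.

```python
from typing import Dict, List

# Constructed sample: the virtual-user vsftpd.conf from this article, without a passive port range.
SAMPLE_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual_user
pam_service_name=vsftp.vu
listen_port=2121
ftp_data_port=2020
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd's key=value format: '#' lines are comments, no spaces around '='."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or " " in key:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key] = value
    return conf

def is_yes(conf: Dict[str, str], key: str, default: str = "NO") -> bool:
    return conf.get(key, default).upper() == "YES"

def audit(conf: Dict[str, str]) -> List[str]:
    """Flag settings this article turns on or off; vsftpd defaults are assumed for absent keys."""
    findings = []
    if is_yes(conf, "anonymous_enable", default="YES"):  # vsftpd allows anonymous by default
        findings.append("anonymous_enable: anonymous login is allowed")
    if not (is_yes(conf, "chroot_local_user") or is_yes(conf, "chroot_list_enable")):
        findings.append("chroot: users can change into the parent /home directory")
    if is_yes(conf, "guest_enable"):
        for key in ("guest_username", "pam_service_name"):
            if key not in conf:
                findings.append(f"guest: guest_enable=YES but {key} is not set")
    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        findings.append("pasv: no pasv_min_port/pasv_max_port, so passive data connections use "
                        "arbitrary high ports that a firewall opening only listen_port and ftp_data_port blocks")
    return findings

def firewall_ports(conf: Dict[str, str]) -> List[int]:
    """Inbound TCP ports a host firewall must accept for passive transfers to work."""
    ports = {int(conf.get("listen_port", "21"))}
    if "pasv_min_port" in conf and "pasv_max_port" in conf:
        ports.update(range(int(conf["pasv_min_port"]), int(conf["pasv_max_port"]) + 1))
    return sorted(ports)
```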
7. Restart VSFTP:
# service vsftpd restart
8. Test with the virtual user gou (this account does not exist on the Linux system):
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Welcome to my FTP server.
Name (127.0.0.1:root): gou
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
Download the file mytest from the server directory:
ftp> get mytest
local: mytest remote: mytest
227 Entering Passive Mode (127,0,0,1,159,19)
150 Opening BINARY mode data connection for mytest (21 bytes).
226 File send OK.
21 bytes received in 0.00038 secs (54 Kbytes/sec)
Upload the file vsftpd.conf from the local directory:
ftp> !ls
account.db  chroot_list  mytest  userconf  vsftpd.conf
ftp> put vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
227 Entering Passive Mode (127,0,0,1,117,203)
150 Ok to send data.
226 File receive OK.
4229 bytes sent in 0.00195 secs (2.1e+03 Kbytes/sec)
This shows that a virtual user with no system account can upload and download successfully. However, the virtual FTP server only allows virtual users to log in; other system users cannot. The system user user1, who is not a virtual user, cannot log in to the virtual server:
# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Welcome to my FTP server.
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
In the virtual FTP server you can also set permissions per user. Add the following line to /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/user_config_dir
Then create a configuration file for each user under that directory; for example, create one for the user gou mentioned above (assuming the configuration directory is /etc/user_config_dir):
#vi /etc/user_config_dir/gou
write_enable=NO
anon_upload_enable=NO
Restart the FTP server and log in with gou's account: uploading is no longer permitted.