1. Install and start vsftpd, and make it start at boot
[[email protected] ~]# yum install vsftpd -y
[[email protected] ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] ~]# netstat -tnlp | grep 21
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN      43011/vsftpd
[[email protected] ~]# chkconfig vsftpd on
[[email protected] ~]# chkconfig --list vsftpd
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[[email protected] ~]#
2. Configure vsftpd virtual users
[[email protected] ~]# cd /etc/vsftpd/
[[email protected] /etc/vsftpd]# cp -a vsftpd.conf vsftpd.conf_backup_`date +%F`
[[email protected] /etc/vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd.conf_backup_2015-06-06  vsftpd_conf_migrate.sh
[[email protected] /etc/vsftpd]# :>vsftpd.conf
[[email protected] /etc/vsftpd]# groupadd -g 1501 vftpuser && useradd -g vftpuser -u 1501 -s /sbin/nologin -d /home/vftpuser vftpuser
[[email protected] /etc/vsftpd]# mkdir -p /home/vftpuser
[[email protected] /etc/vsftpd]# chown -R vftpuser.vftpuser /home/vftpuser
[[email protected] /etc/vsftpd]# chmod go+rx /home/vftpuser
[[email protected] /etc/vsftpd]# ls -ld /home/vftpuser/
drwxr-xr-x 4 vftpuser vftpuser 4096 Jun  6 01:12 /home/vftpuser/
[[email protected] /etc/vsftpd]# touch /var/log/vsftpd.log
[[email protected] /etc/vsftpd]# cat > vsftpd.conf << EOF
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd.localfile
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vftpuser
EOF
[[email protected] /etc/vsftpd]#

What this configuration does: guest_enable=YES maps every authenticated virtual user onto the local account vftpuser (no shell, uid 1501), so they all share /home/vftpuser as their chroot and own uploaded files as uid 1501. Three things to be aware of before copying it:

- anonymous_enable=YES is not needed for virtual users. With it, anyone can log in as ftp or anonymous with no password (read-only here, since the global anon_upload_enable=NO), and the global anon_* switches apply to those real anonymous logins too. Set it to NO unless anonymous access is actually wanted.
- chroot_local_user=YES with a chroot root that vftpuser can write to works on the vsftpd 2.2.2 shown here. vsftpd 2.3.5 and later refuse such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless allow_writeable_chroot=YES is set; the cleaner fix is a root-owned, non-writable home with a writable subdirectory underneath.
- local_umask does not apply to virtual users: they are treated as anonymous for file-permission purposes and get anon_umask, whose default is 077. That is why the uploads in the test below show up as mode 600.
3. Set up PAM authentication
The user list is a plain text file with alternating lines: user name, then that user's password. db_load turns it into the Berkeley DB hash file that pam_userdb reads.

[[email protected] /etc/vsftpd]# cat > /etc/vsftpd/vsftpuser.txt << EOF
Legion
lookback
LookBack
lookback
EOF
[[email protected] /etc/vsftpd]# if ! rpm -q db4-utils >/dev/null 2>&1; then yum install db4-utils db4 -y;fi
[[email protected] /etc/vsftpd]# db_load -T -t hash -f /etc/vsftpd/vsftpuser.txt /etc/vsftpd/vsftpuser.db
[[email protected] /etc/vsftpd]# ls -l
total 40
-rw------- 1 root root   125 Oct 18  2014 ftpusers
-rw------- 1 root root   361 Oct 18  2014 user_list
-rw------- 1 root root   450 Jun  6 01:13 vsftpd.conf
-rw------- 1 root root  4599 Oct 18  2014 vsftpd.conf_backup_2015-06-06
-rwxr--r-- 1 root root   338 Oct 18  2014 vsftpd_conf_migrate.sh
-rw-r--r-- 1 root root 12288 Jun  6 01:27 vsftpuser.db
-rw-r--r-- 1 root root    34 Jun  6 01:23 vsftpuser.txt

Note the permissions in that listing: vsftpuser.txt holds the passwords in cleartext and vsftpuser.db is a copy of them, and both were created world-readable (644) under the default umask. Run chmod 600 on both files; PAM authentication happens in vsftpd's privileged parent process, so root-only access is enough. (The original test used rpm -qa, which exits 0 even when nothing matches, so the install branch was never taken; rpm -q is the right query.)

[[email protected] /etc/vsftpd]# pam_LocalFile=`find / -type f -name "pam_userdb.so"`
[[email protected] /etc/vsftpd]# cat > /etc/pam.d/vsftpd.localfile << EOF
auth required $pam_LocalFile db=/etc/vsftpd/vsftpuser
account required $pam_LocalFile db=/etc/vsftpd/vsftpuser
EOF

Two details here. The db= argument is given without the .db suffix because pam_userdb appends it itself. And the find over / is unnecessary and can produce more than one path on a multilib system (32- and 64-bit copies of the module), which would corrupt the PAM file; PAM resolves a bare module name such as pam_userdb.so in its default module directory.

Each virtual user now gets a per-user configuration file named after the login name in user_config_dir; settings there override the global ones for that session. vsftpd has no inline comments: a trailing "# ..." after a value is read as part of the value and rejected with "bad bool value in config file", so comments go on their own lines.

[[email protected] /etc/vsftpd]# echo >> vsftpd.conf
[[email protected] /etc/vsftpd]# echo "user_config_dir=/etc/vsftpd/vftpusers" >> /etc/vsftpd/vsftpd.conf
[[email protected] /etc/vsftpd]# mkdir -p /etc/vsftpd/vftpusers
[[email protected] /etc/vsftpd]# touch /etc/vsftpd/vftpusers/{Legion,LookBack}
[[email protected] /etc/vsftpd]# cat > /etc/vsftpd/vftpusers/Legion <<EOF
# allow Legion to upload files
anon_upload_enable=YES
# allow Legion to create directories
anon_mkdir_write_enable=YES
# allow Legion to delete and rename files
anon_other_write_enable=YES
EOF
[[email protected] /etc/vsftpd]# cat /etc/vsftpd/vftpusers/Legion > /etc/vsftpd/vftpusers/LookBack
[[email protected] /etc/vsftpd]# sed -i 's/YES/NO/g' /etc/vsftpd/vftpusers/LookBack
[[email protected] /etc/vsftpd]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] /etc/vsftpd]# ss -tnl | grep 21
LISTEN     0      32                     *:21                    *:*
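As an added example (this is not part of the original post), the following POSIX shell function audits the files created in steps 2 and 3 for the mistakes discussed above: credential files readable by group or other, a PAM db= argument carrying the .db suffix, users in vsftpuser.txt without a per-user config, and per-user configs with a trailing comment after a value. It assumes the post's layout (vsftpuser.txt and vftpusers/ under the config directory) but takes the config directory and PAM file as arguments so it can be run against a copy.

```shell
#!/bin/sh
# Added example, not from the original post: audit the virtual-user files from
# steps 2 and 3. Arguments: vsftpd config dir (default /etc/vsftpd) and PAM
# service file (default /etc/pam.d/vsftpd.localfile).
# Findings are printed as WARN lines; the return value is the number of findings.

vsftpd_audit_users() {
    dir=${1:-/etc/vsftpd}
    pam=${2:-/etc/pam.d/vsftpd.localfile}
    findings=0

    # 1. vsftpuser.txt holds cleartext passwords and vsftpuser.db is a copy of
    #    them; neither may be readable by group or other (ls columns 5-10).
    for f in "$dir/vsftpuser.txt" "$dir/vsftpuser.db"; do
        if [ -e "$f" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "WARN: $f is readable by group/other; chmod 600 $f"
            findings=$((findings + 1))
        fi
    done

    # 2. pam_userdb appends ".db" itself; "db=/etc/vsftpd/vsftpuser.db" would
    #    make it open vsftpuser.db.db and every login would fail.
    if [ -f "$pam" ] && grep -q 'db=[^[:space:]]*\.db' "$pam"; then
        echo "WARN: $pam names the database with a .db suffix"
        findings=$((findings + 1))
    fi

    # 3. The text file alternates user / password lines, so odd lines are the
    #    user names. Each user needs a per-user config, and that config may not
    #    carry a trailing "# ..." comment: vsftpd reads it as part of the value
    #    and aborts with "bad bool value in config file".
    if [ -f "$dir/vsftpuser.txt" ]; then
        for user in $(awk 'NR % 2 == 1' "$dir/vsftpuser.txt"); do
            cfg="$dir/vftpusers/$user"
            if [ ! -f "$cfg" ]; then
                echo "WARN: no per-user config $cfg; $user gets only the global anon_* settings"
                findings=$((findings + 1))
            elif grep -q '=.*#' "$cfg"; then
                echo "WARN: $cfg has a comment after a value; put comments on their own line"
                findings=$((findings + 1))
            fi
        done
    fi

    echo "$findings finding(s)"
    return "$findings"
}

# Usage on the server from the post: vsftpd_audit_users /etc/vsftpd /etc/pam.d/vsftpd.localfile
```

A user with no per-user file is not an error for vsftpd; it simply falls through to the global anon_* settings, which in this setup means read-only access, so the audit reports it rather than silently assuming that was intended.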
4. Testing
First, test the Legion user, who was given upload, mkdir and other write permissions:
[[email protected] /etc/vsftpd]# yum install ftp -y >/dev/null 2>&1
[[email protected] /etc/vsftpd]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): Legion
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> lcd /etc
Local directory now /etc
ftp> put issue
local: issue remote: issue
227 Entering Passive Mode (172,16,6,100,248,197).
150 Ok to send data.
226 Transfer complete.
93 bytes sent in 9.4e-05 secs (989.36 Kbytes/sec)
ftp> ls -l
227 Entering Passive Mode (172,16,6,100,207,144).
150 Here comes the directory listing.
-rw-------    1 1501     1501           93 Jun 05 17:37 issue
226 Directory send OK.
ftp> bye
221 Goodbye.
[[email protected] /etc/vsftpd]#
Then LookBack, whose per-user file turns all three write settings off:

[[email protected] /etc/vsftpd]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): LookBack
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
227 Entering Passive Mode (172,16,6,100,20,85).
150 Here comes the directory listing.
-rw-------    1 1501     1501           93 Jun 05 17:37 issue
-rw-------    1 1501     1501        13043 Jun 05 14:58 服务器文件目录规范.xlsx
226 Directory send OK.
ftp> lcd /etc/
Local directory now /etc
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (172,16,6,100,167,144).
550 Permission denied.
ftp> ls -l
227 Entering Passive Mode (172,16,6,100,240,241).
150 Here comes the directory listing.
-rw-------    1 1501     1501           93 Jun 05 17:37 issue
-rw-------    1 1501     1501        13043 Jun 05 14:58 服务器文件目录规范.xlsx
226 Directory send OK.
ftp> bye
221 Goodbye.
[[email protected] /etc/vsftpd]#

Both users land in "/" because the session is chrooted to /home/vftpuser, and the listing shows the numeric uid and gid 1501 because there is no /etc/passwd inside the chroot. LookBack can read what Legion uploaded (same uid) but gets 550 on the upload, which is exactly the split the two per-user files describe.
5. Configure vsftpd with SSL
First, consider what a packet capture of an FTP login without SSL looks like: the USER and PASS commands, the directory listings and every file transferred are all visible in cleartext to anyone on the path. A self-signed certificate is enough to close that gap for this test setup:
[[email protected] /etc/vsftpd]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Generating a 1024 bit RSA private key
.++++++
..........++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:ZhongH
Organizational Unit Name (eg, section) []:DEVOPS
Common Name (eg, your name or your server's hostname) []:www.dwhd.org
Email Address []:[email protected]
[[email protected] /etc/vsftpd]#

Three caveats on this command. rsa:1024 is below any current minimum; use rsa:2048 or larger (and -sha256 for the signature) for anything beyond a lab. The same file receives both the private key (-keyout) and the certificate (-out), so it must be root-owned and mode 600. And clients check the Common Name against the host name they connect to, so the CN has to be the name clients will actually use, not an unrelated domain or an IP address the certificate does not carry.
[[email protected] /etc/vsftpd]# cat >> vsftpd.conf << EOF
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
[[email protected] /etc/vsftpd]# cat vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd.localfile
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vftpuser

user_config_dir=/etc/vsftpd/vftpusers
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
[[email protected] /etc/vsftpd]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[[email protected] /etc/vsftpd]#

The two force_* settings are what actually protect the virtual users: force_local_logins_ssl=YES makes vsftpd refuse USER/PASS on an unencrypted control connection, and force_local_data_ssl=YES refuses unencrypted data connections, so neither a downgrade by the client nor a plain-text fallback is possible. They apply to the virtual users because vsftpd treats only the login names ftp and anonymous as anonymous at login time. ssl_sslv2=NO and ssl_sslv3=NO leave TLS only, which is the right choice; both SSL versions are broken.
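As an added example (not part of the original post), the following POSIX shell linter reads a vsftpd.conf with the same rules vsftpd applies (key=value, comment lines start with # in column 0, no inline comments, booleans are YES/TRUE/1 or NO/FALSE/0 case-insensitively, the last occurrence of a key wins) and flags the settings discussed in steps 2 and 5: anonymous access left on, SSLv2/SSLv3 enabled, the force_* switches turned off, and a certificate file readable by group or other. The defaults it assumes for absent keys are the ones documented in vsftpd.conf(5); the file path is taken as an argument.

```shell
#!/bin/sh
# Added example, not from the original post: lint a vsftpd.conf using vsftpd's
# own parsing rules and flag settings that weaken the virtual-user + TLS setup.
# Defaults assumed for absent keys are those documented in vsftpd.conf(5).

# Print the value of KEY from FILE, or DEFAULT when the key is absent.
vsftpd_conf_get() {  # file key default
    v=$(awk -F= -v k="$2" '
        /^$/ || /^#/ { next }
        $1 == k      { sub(/^[^=]*=/, ""); val = $0; found = 1 }
        END          { if (found) print val }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Normalise a boolean the way vsftpd does; anything else is a fatal config error.
vsftpd_bool() {  # value -> YES | NO | INVALID
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *)          echo INVALID ;;
    esac
}

warn() { echo "WARN: $*"; n=$((n + 1)); }

vsftpd_conf_lint() {  # file (default /etc/vsftpd/vsftpd.conf); returns the number of findings
    f=${1:-/etc/vsftpd/vsftpd.conf}
    n=0

    # Syntax vsftpd refuses with "500 OOPS": it does not strip leading
    # whitespace, and a trailing "# ..." becomes part of the value.
    if grep -q '^[[:space:]]' "$f"; then
        warn "indented line(s): keys must start in column 0"
    fi
    if grep -q '^[^#].*=.*[[:space:]]#' "$f"; then
        warn "comment after a value: vsftpd has no inline comments"
    fi
    for key in anonymous_enable anon_upload_enable ssl_enable ssl_sslv2 ssl_sslv3 \
               force_local_logins_ssl force_local_data_ssl chroot_local_user guest_enable; do
        val=$(vsftpd_conf_get "$f" "$key" "")
        if [ -n "$val" ] && [ "$(vsftpd_bool "$val")" = INVALID ]; then
            warn "$key=$val is not a valid boolean"
        fi
    done

    # Anonymous access is not needed for virtual users, and the global anon_*
    # switches apply to real anonymous logins as well.
    anon=$(vsftpd_conf_get "$f" anonymous_enable "")
    if [ -z "$anon" ]; then
        warn "anonymous_enable not set; set it to NO for a virtual-user-only server"
    elif [ "$(vsftpd_bool "$anon")" = YES ]; then
        warn "anonymous_enable=YES: ftp/anonymous can log in without a password"
        if [ "$(vsftpd_bool "$(vsftpd_conf_get "$f" anon_upload_enable NO)")" = YES ]; then
            warn "anon_upload_enable=YES in the global section also lets real anonymous users upload"
        fi
    fi

    # TLS: no SSLv2/SSLv3, force_* switches (default YES) left on, and the PEM
    # holding the private key not readable by group/other.
    if [ "$(vsftpd_bool "$(vsftpd_conf_get "$f" ssl_enable NO)")" = YES ]; then
        for key in ssl_sslv2 ssl_sslv3; do
            if [ "$(vsftpd_bool "$(vsftpd_conf_get "$f" "$key" NO)")" = YES ]; then
                warn "$key=YES enables a broken protocol version"
            fi
        done
        for key in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(vsftpd_bool "$(vsftpd_conf_get "$f" "$key" YES)")" = NO ]; then
                warn "$key=NO: virtual users may log in or transfer data in cleartext"
            fi
        done
        cert=$(vsftpd_conf_get "$f" rsa_cert_file /usr/share/ssl/certs/vsftpd.pem)
        if [ -e "$cert" ] && [ "$(ls -ld "$cert" | cut -c5-10)" != "------" ]; then
            warn "$cert is readable by group/other (it holds the private key when generated as in step 5)"
        fi
    else
        warn "ssl_enable=NO: logins and data go over the wire in cleartext"
    fi

    echo "$n finding(s)"
    return "$n"
}

# Usage: vsftpd_conf_lint /etc/vsftpd/vsftpd.conf
```

Run against the configuration shown above it reports exactly one thing, anonymous_enable=YES; everything else in that file passes, including the SSL block.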
6. Testing SSL-enabled vsftpd

Note that the plain ftp client used in step 4 can no longer log in: with force_local_logins_ssl=YES vsftpd answers the PASS command on an unencrypted control connection with "530 Non-anonymous sessions must use encryption."

The client's connection mode has to be changed to explicit FTP over TLS, where the client sends AUTH TLS on port 21 before USER/PASS (FileZilla calls this "Require explicit FTP over TLS"). Two things catch people here: the certificate is self-signed, so the client has to be told to trust it explicitly, and vsftpd by default requires the data connection to resume the control connection's TLS session (require_ssl_reuse, default YES); clients that cannot do that fail on the first directory listing, and require_ssl_reuse=NO is the usual workaround.

Now capture packets again while logging in and transferring a file.

As the capture showed, nothing goes over the wire in plaintext any more; I can sleep soundly and upload and download action movies in peace.
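As an added example (not part of the original post), the following shell script checks the two claims of this section from the client side without a packet capture: that a cleartext login is refused with 530, and that explicit FTPS (AUTH TLS, PROT P) works and what it negotiates. It assumes curl and openssl on the client; HOST, USER, PASS and the CA file are placeholders for your own values, and the CA file is the self-signed vsftpd.pem from step 5 so that the client pins that exact certificate instead of disabling verification with -k.

```shell
#!/bin/sh
# Added example, not from the original post: check from a client that the server
# refuses cleartext logins and serves explicit FTPS. Assumes curl and openssl on
# the client; HOST, USER, PASS and CAFILE are placeholders for your own values.

# Extract the code of the last server reply from a "curl -v" transcript
# ("< 530 Non-anonymous sessions must use encryption." -> 530).
ftp_last_reply_code() {
    sed -n 's/^< \([0-9][0-9][0-9]\)[ -].*/\1/p' | tail -n 1
}

# Plain FTP must fail at PASS with 530: force_local_logins_ssl=YES makes vsftpd
# reject any non-anonymous login on an unencrypted control connection.
ftp_plain_is_refused() {  # host user pass
    code=$(curl -sS -v --max-time 10 -u "$2:$3" "ftp://$1/" 2>&1 >/dev/null | ftp_last_reply_code)
    [ "$code" = 530 ]
}

# Explicit FTPS: curl sends AUTH TLS before USER/PASS and PROT P for data;
# --ssl-reqd aborts instead of falling back to cleartext. --cacert trusts the
# self-signed vsftpd.pem from step 5 in place of -k, so any other certificate
# is rejected; the host name must match the certificate's Common Name.
ftps_list() {  # host user pass cafile
    curl -sS --max-time 10 --ssl-reqd --cacert "$4" -u "$2:$3" "ftp://$1/"
}

# Negotiated protocol version and cipher, without logging in.
ftps_handshake() {  # host
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null |
        grep -E '^ *(Protocol|Cipher) *:'
}

# Run as: sh ftps_check.sh HOST USER PASS CAFILE
if [ $# -eq 4 ]; then
    if ftp_plain_is_refused "$1" "$2" "$3"; then
        echo "cleartext login refused (530), as expected"
    else
        echo "cleartext login was NOT refused: check force_local_logins_ssl"
    fi
    ftps_handshake "$1"
    ftps_list "$1" "$2" "$3" "$4"
fi
```

If ftps_list fails on the listing while the handshake and login succeed, the cause is usually require_ssl_reuse on the server (curl does resume the session, but other clients may not); if it fails with a name-mismatch error, the certificate's CN does not match the name you connect to.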
Finally, a one-shot script that installs vsftpd and configures one virtual account (the bugs in the first version, a missing $ on the home directory, a relative vsftpd.conf path, a nonexistent read -P and the rpm -qa test, are fixed and commented):
#!/bin/bash
#########################################################################
# File Name: AutoInstallVsftpd.sh
# Author: LookBack
# Email: admin#05hd.com
# Version:
# Created Time: 2015-06-06 (Saturday) 11:39:08
#########################################################################
yum clean all && yum makecache && yum update -y
yum install vsftpd -y
cp -a /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_backup_`date +%F`
read -p "Please input FTPuser home dir : " vftpuserDir
# the first version had "-d vftpuserDir" (missing $), which made the literal string the home directory
groupadd -g 1501 vftpuser && useradd -g vftpuser -u 1501 -s /sbin/nologin -d "$vftpuserDir" vftpuser
mkdir -p "$vftpuserDir"
chown -R vftpuser.vftpuser "$vftpuserDir"
chmod go+rx "$vftpuserDir"
touch /var/log/vsftpd.log
# write the config by absolute path; the script is not necessarily run from /etc/vsftpd
cat > /etc/vsftpd/vsftpd.conf << EOF
# anonymous access is not needed for virtual users; set to NO unless you want it
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd.localfile
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vftpuser
EOF
read -p "Please input FTPuser name : " ftpUsername
# -s keeps the password off the terminal (the first version used "read -P", which does not exist)
read -s -p "Please input FTPuser password : " ftpUserpassword; echo
cat > /etc/vsftpd/vsftpuser.txt << EOF
$ftpUsername
$ftpUserpassword
EOF
# rpm -qa exits 0 even when nothing matches, so the first version never installed anything
if ! rpm -q db4-utils >/dev/null 2>&1; then
    yum install db4-utils db4 -y
fi
db_load -T -t hash -f /etc/vsftpd/vsftpuser.txt /etc/vsftpd/vsftpuser.db
# the text file holds cleartext passwords; both files are created 644 under the default umask
chmod 600 /etc/vsftpd/vsftpuser.txt /etc/vsftpd/vsftpuser.db
# PAM resolves a bare module name in its default module directory, so there is no
# need to "find / -name pam_userdb.so" (which can return several paths on a multilib system)
cat > /etc/pam.d/vsftpd.localfile << EOF
auth    required pam_userdb.so db=/etc/vsftpd/vsftpuser
account required pam_userdb.so db=/etc/vsftpd/vsftpuser
EOF
echo -e "\nuser_config_dir=/etc/vsftpd/vftpusers" >> /etc/vsftpd/vsftpd.conf
mkdir -p /etc/vsftpd/vftpusers
# per-user config: no inline comments, vsftpd rejects them
cat > /etc/vsftpd/vftpusers/$ftpUsername <<EOF
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
chkconfig vsftpd on
service vsftpd restart
[ $? = "0" ] && echo "vsFTP Install OK" || echo "vsFTP install Fail"