Study notes based on 《Linux就该这么学》
File transfer protocols
- FTP exists to move files between a wide variety of heterogeneous devices.
- FTP is a client/server file transfer protocol; by default it uses TCP ports 20 and 21.
- Port 20 (the data port) carries the data transfers (directory listings and file contents). Strictly, port 20 is only the server-side source port in active mode; in passive mode the data connection goes to a high port chosen by the server.
- Port 21 (the command/control port) receives the FTP commands and their arguments sent by the client.
- FTP servers are usually deployed on internal networks; they are easy to set up and convenient to manage. Bear in mind that plain FTP sends both credentials and file contents in cleartext, which is one reason it stays on internal networks (or is replaced by FTPS/SFTP).
- Some FTP client tools support multi-source downloads and resuming interrupted transfers.
FTP transfer topology (the diagram is not reproduced here):
- An FTP server is a host that provides file storage and access over the FTP protocol.
- An FTP client is a host that sends a connection request to the server in order to establish a data transfer link.
-
FTP has two working modes:
**Active mode:** the client tells the server (PORT command) which address and port it is listening on, and the server opens the data connection to the client from its own port 20.
**Passive mode:** the client asks the server (PASV command) for a port, and the client opens the data connection to that high port on the server. This is the default of most clients (vsftpd enables both modes).
Firewalls typically filter traffic entering a network from outside. In passive mode the inbound data connection lands on the server; in active mode it lands on the client. Which mode works therefore depends on which side sits behind the restrictive firewall: a server whose firewall only allows ports 20/21 needs clients to use active mode (or a pinned passive port range that is opened on the firewall), while a client behind NAT or a stateful firewall needs passive mode.
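The two modes differ only in who dials the data connection and from where, which is exactly what a firewall sees. The following is an added example (not code from the book) that decodes a PASV reply, builds the PORT command of active mode, and states on which side each mode's data connection arrives as inbound traffic. The addresses and ports are made up for the demonstration.

```python
"""Added example, not code from the book: how the two FTP modes set up the
data connection, and which side's firewall each mode trips over.

Passive: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
the client connects to h1.h2.h3.h4 on port p1*256+p2 (a high port).
Active:  client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects from
its port 20 to that client address and port.
"""
import re
from ipaddress import IPv4Address

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> tuple:
    """Decode a 227 reply into the (host, port) the client must connect to."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server offered port 0")
    return host, port


def build_port_command(client_host: str, client_port: int) -> str:
    """Encode the PORT command a client sends in active mode."""
    IPv4Address(client_host)  # raises ValueError on anything but an IPv4 literal
    if not 1024 <= client_port <= 65535:
        raise ValueError("client data port must be an unprivileged port")
    octets = client_host.replace(".", ",")
    return f"PORT {octets},{client_port // 256},{client_port % 256}"


def data_connection(mode: str, server_ip: str, client_ip: str, data_port: int) -> dict:
    """Describe the data connection: who dials whom, and on which side it
    arrives as *inbound* traffic (the side whose firewall must allow it).
    data_port is the port announced by PASV (passive) or PORT (active)."""
    if mode == "passive":
        return {"initiator": "client", "dst": (server_ip, data_port),
                "src_port": None, "inbound_at": "server"}
    if mode == "active":
        return {"initiator": "server", "dst": (client_ip, data_port),
                "src_port": 20, "inbound_at": "client"}
    raise ValueError(f"unknown mode {mode!r}")


def blocked_by_inbound_filter(mode: str, filtered_side: str) -> bool:
    """True when a firewall that drops unsolicited inbound connections on
    `filtered_side` ('client' or 'server') would kill this mode's transfer."""
    return data_connection(mode, "0.0.0.0", "0.0.0.0", 0)["inbound_at"] == filtered_side


if __name__ == "__main__":
    # constructed reply, using the lab server address from these notes
    host, port = parse_pasv_reply("227 Entering Passive Mode (192,168,40,131,195,80).")
    print(f"passive: client connects to {host}:{port}")
    print(build_port_command("192.168.40.1", 50000))
    for side in ("client", "server"):
        for mode in ("active", "passive"):
            print(f"inbound filter at {side}, {mode} mode blocked: "
                  f"{blocked_by_inbound_filter(mode, side)}")
```

For a vsftpd server behind a firewall the usual fix is to pin the passive range with `pasv_min_port` and `pasv_max_port` and open just that range, or to load the `nf_conntrack_ftp` helper so a stateful firewall follows the PASV/PORT exchange. The helper cannot see inside a TLS-protected control channel, so with FTPS the pinned range is the only option.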
-
vsftpd (very secure ftp daemon) is an FTP server for Linux. It is open source and free, and offers high security, good transfer speed and features such as virtual-user authentication that other FTP servers lack.
Installing vsftpd
- Install vsftpd with yum
# yum install -y vsftpd
- Flush the default iptables policy and save the current state
The default iptables rules block the FTP ports; flushing them avoids the firewall interfering while vsftpd is being configured. This is a lab shortcut: on a real host keep the firewall and open only port 21 and port 20 (or the passive port range). `service iptables save` needs the iptables-services package; on RHEL 7 with firewalld the equivalent is `firewall-cmd --permanent --add-service=ftp` followed by `firewall-cmd --reload`, as done for TFTP later in these notes.
# iptables -F
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
- View vsftpd's main configuration file (/etc/vsftpd/vsftpd.conf)
# cat /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
- Back up the main configuration file and strip the comment lines (grep -v drops every line containing a "#"; in this file those are only comments)
# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
The three authentication modes of vsftpd
As a more security-minded FTP server, vsftpd lets users log in to the FTP service in three authentication modes:
Anonymous mode: the least secure mode; anyone can log in to the FTP server without a password.
Local user mode: authenticates against the Linux system's own accounts and passwords. It is safer than anonymous mode and simple to configure, but the credentials are system credentials: an attacker who cracks or sniffs one gets an FTP login with that account's filesystem access (the whole filesystem unless chroot_local_user is set) and can try the same password against SSH.
Virtual user mode: the most secure of the three. It needs a separate user database for the FTP service, holding accounts that exist only for FTP authentication and not as system accounts. A cracked virtual account therefore yields no system login, and the damage is confined to the FTP directory tree. (The credentials still cross the network in cleartext unless TLS is enabled.)
Install ftp, the command-line client for managing FTP transfers on Linux
# yum install -y ftp
Anonymous access mode
- Grant anonymous users permission to upload and download files, and to create, delete and rename files. The trailing "#" notes below are annotations only: vsftpd.conf does not accept a comment after a value, so do not copy them into the file.
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES #allow anonymous access
anon_umask=022 #umask applied to files uploaded by anonymous users
anon_upload_enable=YES #allow anonymous users to upload files
anon_mkdir_write_enable=YES #allow anonymous users to create directories
anon_other_write_enable=YES #allow anonymous users to rename or delete files and directories
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
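The configuration above is a world-writable drop box, which is fine for a lab and a liability anywhere else. The following is an added example (not code from the book) that parses a vsftpd.conf the way vsftpd does (one option=value per line, "#" only at the start of a line) and reports the settings a security review would question; it runs over the anonymous configuration from these notes and over a hardened configuration of this example's own. The finding codes are this example's invention; the defaults follow vsftpd.conf(5).

```python
"""Added example, not from the book: a small security checker for vsftpd.conf."""

# Compiled-in defaults for the options the checker looks at (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO", "ssl_enable": "NO",
    "local_umask": "077", "anon_umask": "077",
}

FINDINGS = {
    "ANON_READ": "anonymous read access is on; only public files may live under the anon root",
    "ANON_WRITE": "anonymous users can write: the server is a public drop box",
    "NO_CHROOT": "local users are not chrooted and can browse the whole filesystem",
    "WRITABLE_CHROOT": "allow_writeable_chroot=YES disables vsftpd's writable-root refusal",
    "NO_TLS": "ssl_enable is off: passwords and data cross the network in cleartext",
    "UMASK_WORLD_WRITABLE": "umask leaves uploaded files writable by everyone",
}


def parse_vsftpd_conf(text: str) -> dict:
    """Parse vsftpd.conf. A '#' after the '=' is rejected because vsftpd has
    no trailing comments: 'YES #note' would be the value, and the daemon
    then refuses to start with 'bad bool value in config file'."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        if "#" in value:
            raise ValueError(f"line {lineno}: vsftpd does not support trailing comments")
        conf[key] = value
    return conf


def _yes(conf: dict, key: str) -> bool:
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() in ("YES", "TRUE", "1")


def audit_vsftpd_conf(conf: dict) -> list:
    """Return the finding codes that apply to a parsed configuration."""
    found = []
    anon = _yes(conf, "anonymous_enable")
    write = _yes(conf, "write_enable")
    if anon:
        found.append("ANON_READ")
        if write and any(_yes(conf, k) for k in (
                "anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")):
            found.append("ANON_WRITE")
    if _yes(conf, "local_enable") and not _yes(conf, "chroot_local_user"):
        found.append("NO_CHROOT")
    if _yes(conf, "allow_writeable_chroot"):
        found.append("WRITABLE_CHROOT")
    if not _yes(conf, "ssl_enable"):
        found.append("NO_TLS")
    for key in ("local_umask", "anon_umask"):
        umask = int(conf.get(key, DEFAULTS[key]), 8)
        if write and not umask & 0o002:  # the world-write bit is not masked out
            found.append("UMASK_WORLD_WRITABLE")
            break
    return found


# The anonymous-mode configuration from these notes (annotations removed).
PAGE_ANON_CONF = """\
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""

# This example's hardened counterpart: no anonymous access, local users
# jailed in their home directory, TLS required for logins and data.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_ANON_CONF), ("hardened", HARDENED_CONF)):
        print(name, [FINDINGS[c] for c in audit_vsftpd_conf(parse_vsftpd_conf(text))])
```

Two things the hardened file still needs before it starts: `ssl_enable=YES` requires a certificate (`rsa_cert_file`/`rsa_private_key_file`), and `chroot_local_user=YES` makes vsftpd refuse logins whose home directory is writable, so give each user a writable subdirectory rather than setting allow_writeable_chroot.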
- Restart vsftpd and enable it at boot
# systemctl restart vsftpd
# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
- Log in anonymously and try to create a directory to test write access; the attempt fails
In anonymous mode the account name is anonymous or ftp and the password is empty (any string is accepted).
The default anonymous root directory is /var/ftp.
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
550 Create directory operation failed.
ftp> exit
- Check the directory's permissions and change its owner to ftp; the attempt still fails. Note that only the pub subdirectory is made writable: /var/ftp itself must stay non-writable, because vsftpd refuses to run with a writable root inside its chroot.
# ls -ld /var/ftp/pub
drwxr-xr-x. 2 root root 6 Mar 7 2014 /var/ftp/pub
# chown -Rf ftp /var/ftp/pub
# ls -ld /var/ftp/pub
drwxr-xr-x. 2 ftp root 6 Mar 7 2014 /var/ftp/pub
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
550 Create directory operation failed.
ftp> exit
- Adjust the SELinux booleans related to FTP (-P makes the change persistent across reboots); after this the write succeeds
ftpd_full_access lets vsftpd read and write every file on the system regardless of its label. For an anonymous upload directory the narrower choice is `setsebool -P ftpd_anon_write=on` together with labelling only that directory `public_content_rw_t` (`semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"` followed by `restorecon -Rv /var/ftp/pub`). The steps below follow the book and use ftpd_full_access.
# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
# setsebool -P ftpd_full_access=on
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
257 "/pub/files" created
ftp> exit
221 Goodbye.
Local user mode
- Disable anonymous access and enable local user logins
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO #disable anonymous access
local_enable=YES #enable local user logins
write_enable=YES #allow write operations
local_umask=022 #umask for files created by local users
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
#userlist_deny=YES #default: user_list is a deny list (set to NO to turn it into an allow list); ftpusers is a separate deny list enforced by PAM
userlist_enable=YES #consult /etc/vsftpd/user_list at login
tcp_wrappers=YES
- Restart vsftpd (and enable it at boot)
# systemctl restart vsftpd
# systemctl enable vsftpd
-
- To let root log in to the FTP server, remove the root entry from both list files (ftpusers and user_list)
To protect the server, vsftpd blocks root and most system accounts by default, which keeps attackers from brute-forcing the root password over FTP. Removing root from these lists undoes that protection and sends the root password over the network in cleartext; do this only in a lab.
Any user named in /etc/vsftpd/ftpusers or /etc/vsftpd/user_list is refused: user_list is checked by vsftpd itself (userlist_enable, with userlist_deny=YES as the default), ftpusers by the pam_listfile line in /etc/pam.d/vsftpd. The listings below show both files after root has been removed.
# vim /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
# vim /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
- Log in as root and run create, rename and delete commands
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/root/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.
**Note:** the SELinux boolean allowing FTP writes was already set in the anonymous-mode section, so that step is skipped here.
Virtual user mode
- Create the user database file used for FTP authentication: odd lines hold the account name, even lines the password
Here two users, zhangsan and lisi, are created, both with the password redhat.
# vim /etc/vsftpd/vuser.list
zhangsan
redhat
lisi
redhat
- Use db_load to convert the plaintext list into a Berkeley DB file, tighten the file's permissions, then delete the plaintext list
The plaintext list is not a format vsftpd (through pam_userdb) can load, so it must be converted. Note that `-t hash` selects the Berkeley DB access method (a hash table), not a password hash: the passwords sit in vuser.db verbatim, which is why the file is chmod 600 and the source list is removed. To store hashes instead, put crypt(3) hashes on the even lines and add `crypt=crypt` to the pam_userdb lines below.
# cd /etc/vsftpd/
# db_load -T -t hash -f vuser.list vuser.db
# file vuser.db
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
# chmod 600 vuser.db
# rm -f vuser.list
- Create the root directory vsftpd will serve and the local system account the virtual users are mapped to
The account's home directory is set to /var/ftproot (/var holds data that changes frequently). For safety the account gets /sbin/nologin as its shell, so it cannot be used to log in to the system; this does not affect the virtual users, which are merely mapped to it, and it prevents an attacker from turning the mapping account into a system login.
# useradd -d /var/ftproot -s /sbin/nologin virtual
# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Aug 13 04:01 /var/ftproot/
# chmod -Rf 755 /var/ftproot/
- Create the PAM service file vsftpd.vu for the virtual users
The `db=` parameter is the path of the database file generated by db_load, written without the .db suffix.
PAM (Pluggable Authentication Modules) is a set of authentication modules that lets administrators change how a service authenticates without modifying the application.
# vim /etc/pam.d/vsftpd.vu
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
- In the main configuration file set pam_service_name (the name of the PAM service file) to vsftpd.vu and configure the related parameters
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO #disable anonymous access
local_enable=YES #required: virtual users log in through the local-user path
guest_enable=YES #enable virtual user mode
guest_username=virtual #the system account virtual users are mapped to
allow_writeable_chroot=YES #accept logins even though the chroot root is writable (see note below)
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu #the PAM service file
userlist_enable=YES
tcp_wrappers=YES
Note on allow_writeable_chroot: since vsftpd 2.3.5 the daemon refuses a login whose chroot root directory is writable, because a user who can write to the top of the jail can plant files that help escape it. allow_writeable_chroot=YES silences that check. The safer layout is to leave /var/ftproot owned by root and non-writable and give the users a writable subdirectory inside it.
- Give the virtual users different permissions: zhangsan may upload, create, modify, view and delete files; lisi may only view files
Create one file per user, named after the user, in the directory that user_config_dir will point to. Into zhangsan's file write the permissions to grant, using the anonymous-user parameters (vsftpd treats virtual users like anonymous users, so the anon_* options govern their write access); lisi's file stays empty.
# mkdir /etc/vsftpd/vusers_dir/
# touch /etc/vsftpd/vusers_dir/lisi
# vim /etc/vsftpd/vusers_dir/zhangsan
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
- Add the user_config_dir parameter to the main configuration file and restart vsftpd
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir #directory holding the per-user permission files
# systemctl restart vsftpd
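The local-user and virtual-user sections above turn on several gates (anonymous_enable, local_enable, user_list with userlist_deny, ftpusers through PAM, guest_enable, write_enable and the anon_* options, and the per-user files under user_config_dir), and it is easy to lose track of which one decides a given outcome. The following is an added example (not code from the book) that models those two decisions, who may log in and what write operations they get, for the configurations from these notes. It is a simplification of the daemon: defaults follow vsftpd.conf(5), and the as-shipped user_list/ftpusers contents (root first, then the system accounts) are reproduced here as constructed sample data.

```python
"""Added example, not from the book: a model of vsftpd's login gate and
effective write permissions for anonymous, local and virtual (guest) users."""

DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "guest_enable": "NO", "userlist_enable": "NO", "userlist_deny": "YES",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
ANON_NAMES = ("anonymous", "ftp")
WRITE_OPS = ("upload", "mkdir", "delete_rename")


def parse_conf(text: str) -> dict:
    """One option=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key] = value
    return conf


def _yes(conf: dict, key: str) -> bool:
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def classify(user: str, conf: dict) -> str:
    """'anonymous', 'guest' (virtual) or 'local', as vsftpd classes the login."""
    if user in ANON_NAMES:
        return "anonymous"
    return "guest" if _yes(conf, "guest_enable") else "local"


def login_allowed(user: str, conf: dict, user_list, ftpusers,
                  pam_checks_ftpusers: bool = True) -> bool:
    """user_list is enforced by vsftpd itself. ftpusers is enforced only by
    the pam_listfile line in /etc/pam.d/vsftpd; a custom PAM service such as
    vsftpd.vu has no such line (pam_checks_ftpusers=False). Anonymous logins
    never reach PAM at all."""
    kind = classify(user, conf)
    if kind == "anonymous":
        if not _yes(conf, "anonymous_enable"):
            return False
    elif not _yes(conf, "local_enable"):
        return False
    if _yes(conf, "userlist_enable"):
        listed = user in user_list
        if _yes(conf, "userlist_deny") == listed:   # deny-list hit or allow-list miss
            return False
    if kind != "anonymous" and pam_checks_ftpusers and user in ftpusers:
        return False
    return True


def effective_write_perms(user: str, conf: dict, user_confs: dict) -> dict:
    """Merge the per-user file (looked up by login name when user_config_dir
    is set) over the main file, then apply vsftpd's rule: anonymous and
    guest users get only what the anon_* options grant, local users get
    full write access once write_enable=YES."""
    merged = dict(conf)
    if "user_config_dir" in conf and user in user_confs:
        merged.update(parse_conf(user_confs[user]))
    if not _yes(merged, "write_enable"):
        return dict.fromkeys(WRITE_OPS, False)
    if classify(user, conf) == "local":
        return dict.fromkeys(WRITE_OPS, True)
    return {"upload": _yes(merged, "anon_upload_enable"),
            "mkdir": _yes(merged, "anon_mkdir_write_enable"),
            "delete_rename": _yes(merged, "anon_other_write_enable")}


# Configurations from these notes (options irrelevant to the model omitted).
ANON_CONF = parse_conf("anonymous_enable=YES\nanon_upload_enable=YES\n"
                       "anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n"
                       "local_enable=YES\nwrite_enable=YES\nuserlist_enable=YES\n")
LOCAL_CONF = parse_conf("anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
                        "userlist_enable=YES\n")
VIRTUAL_CONF = parse_conf("anonymous_enable=NO\nlocal_enable=YES\nguest_enable=YES\n"
                          "guest_username=virtual\nallow_writeable_chroot=YES\n"
                          "write_enable=YES\npam_service_name=vsftpd.vu\n"
                          "userlist_enable=YES\nuser_config_dir=/etc/vsftpd/vusers_dir\n")
USER_CONFS = {"zhangsan": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
                          "anon_other_write_enable=YES\n", "lisi": ""}
# Constructed: the lists as shipped, before root was removed in the notes.
SHIPPED_USER_LIST = {"root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt",
                     "mail", "news", "uucp", "operator", "games", "nobody"}
SHIPPED_FTPUSERS = set(SHIPPED_USER_LIST)

if __name__ == "__main__":
    print("root, lists as shipped:", login_allowed("root", LOCAL_CONF, SHIPPED_USER_LIST, SHIPPED_FTPUSERS))
    print("root, root removed:", login_allowed("root", LOCAL_CONF, SHIPPED_USER_LIST - {"root"}, SHIPPED_FTPUSERS - {"root"}))
    for u in ("zhangsan", "lisi"):
        print(u, effective_write_perms(u, VIRTUAL_CONF, USER_CONFS))
```

One consequence worth seeing: with pam_service_name=vsftpd.vu the ftpusers file is never consulted, because that PAM stack contains only pam_userdb, while user_list still is, because vsftpd checks it itself. Keeping userlist_enable=YES in the virtual-user configuration is therefore not cosmetic.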
- Confirm the SELinux boolean (ftpd_full_access is already on from the anonymous-mode section, so the setsebool below changes nothing), then log in as each virtual user to verify
# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
# setsebool -P ftpd_full_access=on
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): lisi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files1
550 Permission denied.
ftp> exit
221 Goodbye.
TFTP (Trivial File Transfer Protocol)
- The Trivial File Transfer Protocol (TFTP) transfers files between a client and a server over UDP.
- It provides a simple, low-overhead transfer service and can be thought of as a stripped-down FTP.
- TFTP's command set is far weaker than FTP's (it cannot even list directories), and it is weaker in security as well.
- TFTP runs over UDP on port 69.
- TFTP performs no client authentication at all, which saves overhead and makes it efficient for small (trivial) files. The flip side: anyone who can reach UDP/69 can fetch any file under the TFTP root (and overwrite files if writes are enabled), so serve only files that are genuinely public and keep the port reachable only from the networks that need it.
- The TFTP root directory is /var/lib/tftpboot.
- Install the TFTP packages
# yum install -y tftp-server tftp
- Enable the TFTP service in xinetd by changing the default disable parameter to no
On RHEL 7 the TFTP service is managed by xinetd, which can manage several lightweight network services and has strong logging. `server_args = -s /var/lib/tftpboot` makes in.tftpd chroot into that directory so clients cannot name files outside it; without the extra `-c` flag uploads can only overwrite files that already exist and are world-writable, so leave `-c` out unless uploads are genuinely required.
# vim /etc/xinetd.d/tftp
......
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
- Restart xinetd and enable it at boot, then manually add UDP port 69 to the firewall's allowed rules
# systemctl restart xinetd
# systemctl enable xinetd
# firewall-cmd --permanent --add-port=69/udp
success
# firewall-cmd --reload
success
- Parameters available in the tftp command and their purpose
Command | Purpose |
---|---|
? | Show help |
put | Upload a file |
get | Download a file |
verbose | Show detailed processing information |
status | Show the current status |
binary | Transfer in binary mode |
ascii | Transfer in ASCII mode |
timeout | Set the retransmission timeout |
quit | Exit |
# echo "i love linux" > /var/lib/tftpboot/readme.txt
# tftp 192.168.40.131
tftp> get readme.txt
tftp> quit
# ls
anaconda-ks.cfg Desktop Documents Downloads fstab initial-setup-ks.cfg Music Pictures Public readme.txt Templates Videos
# cat readme.txt
i love linux
Combined with other software, TFTP can form part of a complete automated deployment system (for example PXE boot, where a client fetches its boot loader and kernel over TFTP).
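The session above hides how little is on the wire. The following is an added example (not code from the book) that implements the TFTP packet formats of RFC 1350 and simulates the read request the `get readme.txt` command sends: a 2-byte opcode, a filename, a mode, and no credentials anywhere, followed by 512-byte DATA blocks where the first short block ends the transfer. The readme.txt content is the one created in these notes; the second file is constructed for the demonstration.

```python
"""Added example, not from the book: TFTP (RFC 1350) packet codec and a
simulated read request between a client and an in.tftpd-like server."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512           # RFC 1350 default; no blksize option negotiated here
ERR_NOT_FOUND, ERR_ACCESS, ERR_ILLEGAL_OP = 1, 2, 4


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ = opcode 1 | filename NUL | mode NUL. There is no username or
    password field anywhere in the protocol."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    # the block counter is 16 bits and wraps on long transfers
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt: bytes):
    """Return (opcode, fields); raises ValueError on a malformed packet."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        parts = pkt[2:].split(b"\0")
        if len(parts) < 3:   # filename, mode, and the piece after the last NUL
            raise ValueError("request without NUL-terminated filename and mode")
        return op, {"filename": parts[0].decode(), "mode": parts[1].decode().lower()}
    arg = struct.unpack("!H", pkt[2:4])[0]
    if op == DATA:
        return op, {"block": arg, "data": pkt[4:]}
    if op == ACK:
        return op, {"block": arg}
    if op == ERROR:
        return op, {"code": arg, "message": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown opcode {op}")


def serve_read(files: dict, rrq: bytes) -> list:
    """Server side: the packets answering one RRQ. `files` plays the role
    of the chrooted /var/lib/tftpboot (in.tftpd -s); a name with a '..'
    component is refused here instead of relying on the chroot."""
    op, req = parse_packet(rrq)
    if op != RRQ:
        return [build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")]
    name = req["filename"].lstrip("/")
    if ".." in name.split("/"):
        return [build_error(ERR_ACCESS, "Access violation")]
    if name not in files:
        return [build_error(ERR_NOT_FOUND, "File not found")]
    data, packets, block = files[name], [], 1
    while True:
        chunk = data[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        packets.append(build_data(block, chunk))
        if len(chunk) < BLOCK_SIZE:   # a short (possibly empty) block ends the file
            return packets
        block += 1


def receive_file(packets: list) -> bytes:
    """Client side: reassemble DATA blocks in order, ACKing each one."""
    out, expected, acks = bytearray(), 1, []
    for pkt in packets:
        op, f = parse_packet(pkt)
        if op == ERROR:
            raise RuntimeError(f"server error {f['code']}: {f['message']}")
        if op != DATA or f["block"] != expected & 0xFFFF:
            raise ValueError(f"expected DATA block {expected}")
        out += f["data"]
        acks.append(build_ack(expected))   # would go back over UDP before the next block
        if len(f["data"]) < BLOCK_SIZE:
            return bytes(out)
        expected += 1
    raise ValueError("transfer ended without a short block")


FILES = {
    "readme.txt": b"i love linux\n",       # the file created in these notes
    "boot.bin": bytes(range(256)) * 4,     # constructed: exactly 1024 bytes
}

if __name__ == "__main__":
    print(build_rrq("readme.txt"))
    print(receive_file(serve_read(FILES, build_rrq("readme.txt"))))
    print(len(serve_read(FILES, build_rrq("boot.bin"))), "DATA packets for a 1024-byte file")
    print(parse_packet(serve_read(FILES, build_rrq("../etc/shadow"))[0]))
```

A file whose size is an exact multiple of 512 bytes is terminated by an empty DATA block, which is why the 1024-byte sample takes three packets rather than two; a client that stops after the second block would hang waiting. The block counter wraps at 65535, so very large transfers rely on the client tracking the wrap, as the comparison in receive_file does.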