#############第十四讲##############
#################################
############# #############
1.ftp
1.1 安装ftp服务并测试
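# Install vsftpd, start it now and enable it at boot.
# The marker file is only there so the anonymous directory listing in the
# lftp session below has something to show.
yum install vsftpd.x86_64 -y
systemctl restart vsftpd
systemctl enable vsftpd
touch /var/ftp/westos
# Open only the FTP service in firewalld instead of disabling the whole
# firewall. The firewalld "ftp" service also loads the FTP connection-tracking
# helper, so passive-mode data connections are allowed through. (The original
# note ran `systemctl disable firewalld`, which removes all host filtering and,
# without --now, does not even stop the running daemon.)
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload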
(1.1图)
1.2 ftp配置
在此项操作前,课堂演示选择整体关闭 SELinux(内核级强制访问控制)。注意:生产环境不应这样做,vsftpd 的 SELinux 限制应当通过布尔值解决,例如 `setsebool -P ftpd_full_access on`(或按需打开 `ftpd_anon_write`、`ftp_home_dir`;旧版本名称带 allow_ 前缀,见配置文件自带的注释),并配合第 4 节的安全上下文设置。另外,修改 /etc/sysconfig/selinux 需要重启才生效;只想临时切换可以用 `setenforce 0`。
vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled (改此处)
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
重启后使用 getenforce 查看(未重启时仍会显示 Enforcing 或 Permissive):
[root@ftpserver student]# getenforce
Disabled
[root@ftpserver student]#
报错:(SELinux 处于 enforcing 且未设置相应布尔值或上下文时,上传/读取会出现下面的错误)
553 本地文件系统不允许
550 服务禁止
vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES ##匿名用户可以登陆(改为 NO 即禁止匿名登陆;对外提供服务时默认应为 NO)
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES ##本地用户可以登陆
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES ##全局写开关:本地用户可以写入;同时也是下面所有 anon_*_write 选项生效的前提
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
没禁止之前:
[root@foundation24 Desktop]# lftp 172.25.254.124
lftp 172.25.254.124:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2015 pub
-rw-r--r-- 1 0 0 0 Feb 21 02:05 westos
lftp 172.25.254.124:/>
当禁止匿名用户:(1.2图)
1.3匿名用户上传
虚拟机(ftpserver)设置:
vim /etc/vsftpd/vsftpd.conf
19 write_enable=YES (必须保证开启)
20 #
21 # Default umask for local users is 077. You may wish to change this to 022,
22 # if your users expect that (022 is used by most other ftpd's)
23 local_umask=022
24 #
25 # Uncomment this to allow the anonymous FTP user to upload files. This only
26 # has an effect if the above global write enable is activated. Also, you wil l
27 # obviously need to create a directory writable by the FTP user.
28 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_f tpd_full_access
29 anon_upload_enable=YES (必须保证开启)##允许匿名用户上传
58 systemctl restart vsftpd.service
59 chgrp ftp /var/ftp/pub/ **** (只把 pub 子目录交给 ftp 组可写)
60 chmod 775 /var/ftp/pub/ **** (注意:/var/ftp 本身是匿名用户的 chroot 根目录,必须保持对 ftp 用户不可写,否则 vsftpd 3.x 会拒绝登陆并报 "500 OOPS: vsftpd: refusing to run with writable root inside chroot()")
测试端:
[root@foundation24 Desktop]# lftp 172.25.254.124
lftp 172.25.254.124:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2015 pub
-rw-r--r-- 1 0 0 0 Feb 21 02:05 westos
lftp 172.25.254.124:/> cd pub/
lftp 172.25.254.124:/pub> put /etc/passwd
2367 bytes transferred
lftp 172.25.254.124:/pub> ls
-rw------- 1 14 50 2367 Feb 21 02:40 passwd
lftp 172.25.254.124:/pub>
(1.3图)
1.4匿名用户建立目录,删除,读取
ftpserver端口设置
vim /etc/vsftpd/vsftpd.conf
30 #
31 # Uncomment this if you want the anonymous FTP user to be able to create
32 # new directories.
33 anon_mkdir_write_enable=YES (允许匿名用户创建目录)
34 anon_world_readable_only=NO (允许匿名用户下载非全局可读的文件,例如上面权限为 -rw------- 的上传文件;默认值 YES 更安全)
35 anon_other_write_enable=YES (允许匿名用户删除、改名文件和目录;对公开服务非常危险,只应在受控的演示环境中开启)
36 #
37 # Activate directory messages - messages given to remote users when they
(图1.4.1)
测试端口:
lftp 172.25.254.124:/pub> mkdir wula
mkdir ok, `wula' created
lftp 172.25.254.124:/pub> ls
-rw------- 1 14 50 2367 Feb 21 02:40 passwd
drwx------ 2 14 50 6 Feb 21 03:04 wula
lftp 172.25.254.124:/pub> cd wula/
lftp 172.25.254.124:/pub/wula> put /etc/passwd
2367 bytes transferred
lftp 172.25.254.124:/pub/wula> ls
-rw------- 1 14 50 2367 Feb 21 03:04 passwd
lftp 172.25.254.124:/pub/wula> rm -fr passwd
rm ok, `passwd' removed
lftp 172.25.254.124:/pub/wula> ls
lftp 172.25.254.124:/pub/wula> cd -
lftp 172.25.254.124:/pub> rm -fr wula/
rm ok, `wula/' removed
lftp 172.25.254.124:/pub> ls
-rw------- 1 14 50 2367 Feb 21 02:40 passwd
lftp 172.25.254.124:/pub>
(图1.4.2)
1.5更改用户的登陆位置和上传权限
匿名用户登陆位置:
anon_root=/westos
测试:
[root@foundation24 Desktop]# lftp 172.25.254.124
lftp 172.25.254.124:~> ls
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file1
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file2
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file3
本地用户登陆位置:
local_root=/westos
测试:
[root@foundation24 Desktop]# lftp 172.25.254.124 -u student
Password:
lftp student@172.25.254.124:~> ls
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file1
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file2
-rw-r--r-- 1 0 0 0 Feb 21 03:27 file3
匿名用户上传权限(上传文件权限 = 666 & ~umask)
anon_umask=055 ##055 得到 622,即 -rw--w--w-:其他人可写,只是演示 umask 的作用;正式环境通常用 077 或 022
测试:
前:
lftp student@172.25.254.124:~> put /etc/passwd
2367 bytes transferred
lftp student@172.25.254.124:~> ls
-rw-r--r-- 1 1000 1000 2367 Feb 21 03:34 passwd
后:
lftp 172.25.254.124:/pub> put /etc/passwd
2367 bytes transferred
lftp 172.25.254.124:/pub> ls
-rw--w--w- 1 14 50 2367 Feb 21 03:37 passwd
lftp 172.25.254.124:/pub>
本地用户上传权限
local_umask=011 ##011 得到 666,即 -rw-rw-rw-:任何人都可写,仅作演示;正式环境应保留默认 077 或使用 022
前:
lftp student@172.25.254.124:~> put /etc/passwd
2367 bytes transferred
lftp student@172.25.254.124:~> ls
-rw-r--r-- 1 1000 1000 2367 Feb 21 03:34 passwd
后:
lftp student@172.25.254.124:~> put /etc/passwd
2367 bytes transferred
lftp student@172.25.254.124:~> ls
-rw-rw-rw- 1 1000 1000 2367 Feb 21 03:36 passwd
lftp student@172.25.254.124:~> quit
1.6 更改上传文件的所有人及下载速率(匿名用户)
ftpserver设置
vim /etc/vsftpd/vsftpd.conf
52 # recommended!
53 chown_uploads=YES ##匿名上传的文件自动改为 chown_username 所有(需配合 anon_upload_enable)
54 chown_username=student ##接收所有权的本地用户;不要设为 root,也不宜用能登陆系统的普通账号,建议使用专用账号
55 anon_max_rate=102400 ##匿名用户的最大传输速率,单位字节/秒(这里约 100 KiB/s),是上限不是平均值
测试:
(图1.6...)
1.7最大连接数(最多允许多少个客户端同时连接)
max_clients=2 ##在该配置文件中修改为 2;注意它限制的是所有客户端(匿名和本地用户)的并发连接总数,不只匿名用户
所以只有两个客户端可以同时连接,如下图所示,第三个客户端无法连接(通常收到 421 There are too many connected users 的拒绝信息)
(图1.7)
2.本地用户设置
2.1 本地用户浏览目录限制
白名单设置:(chroot_local_user=YES 时,所有本地用户都被限制在自己的家目录内;chroot_list 中列出的用户是例外,不受限制。另外 RHEL7 的 vsftpd 3.x 在 chroot 目录可写时会拒绝登陆并报 500 OOPS,需要去掉家目录的写权限或设置 allow_writeable_chroot=YES)
107 chroot_local_user=YES
108 chroot_list_enable=YES
109 # (default follows)
110 chroot_list_file=/etc/vsftpd/chroot_list
student
黑名单:chroot_local_user=NO 且 chroot_list_enable=YES 时,只有 chroot_list 中列出的用户才被限制在家目录内。
2.2 限制本地用户登陆
黑名单:在/etc/vsftpd中有两个用户列表文件
ftpusers ##通常由 PAM(/etc/pam.d/vsftpd 中的 pam_listfile)读取的拒绝列表,与 userlist_* 选项无关,写入即被禁止登入;默认已包含 root 等系统账号,不要删除这些条目
user_list ##由 userlist_enable 控制:userlist_deny=YES(默认)时是黑名单,userlist_deny=NO 时变为白名单,见下
白名单:
vim /etc/vsftpd/vsftpd.conf
132 pam_service_name=vsftpd
133 userlist_deny=NO (这条语句把 user_list 变为白名单:只有其中列出的用户才能登陆;ftpusers 中的拒绝仍然生效)
134 userlist_enable=YES
135 tcp_wrappers=YES
3.虚拟帐号的管理
3.1 虚拟帐号的创建
vim /etc/vsftpd/jetwula ##建立用户文件(奇数行用户名,偶数行密码;内容是明文,创建后 chmod 600,演示用的 1234 不要在真实环境使用)
user1
1234
user2
1234
db_load -T -t hash -f /etc/vsftpd/jetwula /etc/vsftpd/jetwula.db ##转换为 Berkeley DB 格式。注意:这不是加密,密码仍以明文保存在 .db 中,需要 chmod 600 /etc/vsftpd/jetwula.db 并可删除明文源文件;输出路径要与下面 PAM 的 db= 一致,pam_userdb 会自动补上 .db 后缀
vim /etc/pam.d/jet
account required pam_userdb.so db=/etc/vsftpd/jetwula
auth required pam_userdb.so db=/etc/vsftpd/jetwula
vim /etc/vsftpd/vsftpd.conf
pam_service_name=jet ##文件为/etc/pam.d/下创建的jet文件
guest_username=jet ##虚拟用户登入后映射为本地用户 jet(需事先 useradd 建立,建议 shell 设为 /sbin/nologin 且不设密码)
guest_enable=YES ##开启后所有非匿名登录都被映射为 guest_username;由于 PAM 服务换成了只查 db 的 jet,原来的本地系统用户无法再登入
#userlist_deny=NO
userlist_enable=YES
tcp_wrappers=YES
3.2设置独立的虚拟帐号家目录
164 mkdir -p /ftpdir/user1 ##创建家目录
165 mkdir -p /ftpdir/user2
166 touch /ftpdir/user1/file1 ##建立文件以示测试区分
167 touch /ftpdir/user2/file2
168 vim /etc/vsftpd/vsftpd.conf ##编辑配置文件
local_root=/ftpdir/$USER ##指向每个虚拟用户各自的目录
user_sub_token=$USER ##告诉 vsftpd 把 local_root 中的 $USER 替换成登录用户名;这里的 $USER 是 vsftpd 的占位符,不是 shell 变量
169 systemctl restart vsftpd.service
3.3虚拟帐号配置独立(让不同的用户又不一样的权限)
177 mkdir user1/userdir1
178 mkdir user2/userdir2
179 chgrp jet user1/userdir1
180 chgrp jet user2/userdir2
181 chmod 775 user1/userdir1
182 chmod 775 user2/userdir2
186 vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#anon_world_readable_only=NO
#anon_other_write_enable=YES
user_config_dir=/etc/vsftpd/westos ##每用户局部配置目录,文件名与登录名相同;虚拟用户的权限由 anon_* 选项控制,所以先在全局注释掉,再只在 user1 文件中单独开启
(tu 14.3.3.1)
188 mkdir /etc/vsftpd/westos
189 cd /etc/vsftpd/westos/
193 vim user1
[root@ftpserver westos]# cat user1
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
anon_other_write_enable=YES
194 systemctl restart vsftpd.service
4.安全上下文(本节前提是 SELinux 处于 enforcing,与 1.2 节关闭 SELinux 相矛盾;需先改回 SELINUX=enforcing 并重启重新打标签,否则 chcon 没有任何效果。另外 chcon 不是持久的,restorecon 或重新打标签会把它还原,正式做法是 `semanage fcontext -a -t public_content_t '/var/ftp/pub(/.*)?'` 再 `restorecon -Rv /var/ftp/pub`;需要匿名写入的目录应使用 public_content_rw_t 并打开 ftpd_anon_write 布尔值)
ftpserver:
214 touch file
215 cd
216 mv /mnt/file /var/ftp/pub/
217 cd /var/ftp/pub/
218 touch file1
219 ls -Z
220 chcon -t public_content_t /var/ftp/pub/file