Network File Sharing Service

1. File Transfer Protocol (FTP)

Packages: vsftpd
Daemon: /usr/sbin/vsftpd
Script: /etc/init.d/vsftpd
Ports:21(ftp),20(ftp-data)
Configuration: /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers(黑名單：列在其中的帳號一律拒絕登入，預設已含 root 等系統帳號)
Log: /var/log/xferlog
Related: tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp


(1)安裝vsftpd
#yum install vsftpd

(2)啟動vsftpd
#service vsftpd start
#chkconfig vsftpd on

(3)開放port:21及related(port:20) .[RH253,Unit4:iptables] 插入在RELATED,ESTABLISHED後面

iptables
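#create rules of CLASS-RULES
# Every rule below appends (-A) to the user-defined chain CLASS-RULES; the
# chain must already exist and be reached from INPUT, and whatever ends the
# chain (its default action) is outside this listing.
#accept lo,icmp,related
iptables -t filter -A CLASS-RULES -i lo -j ACCEPT
iptables -t filter -A CLASS-RULES -p icmp -j ACCEPT
# Keep this rule ahead of the per-service rules: the FTP data connection
# (port 20 in active mode, an ephemeral port in passive mode) is accepted
# here as RELATED, and only once ip_conntrack_ftp is loaded (see the
# iptables-config step below) -- there is deliberately no rule for port 20.
iptables -t filter -A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT

#ssh
# Match only NEW connections, like the vsftp rule: ESTABLISHED/RELATED
# traffic is already accepted above, so accepting by port alone would only
# add INVALID packets (bad/unknown state) to what gets through.
iptables -t filter -A CLASS-RULES -m state --state NEW -p tcp --dport 22 -j ACCEPT

#dns
iptables -t filter -A CLASS-RULES -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -t filter -A CLASS-RULES -m state --state NEW -p udp --dport 53 -j ACCEPT

#vsftp
# Control channel only, and only from the local subnet. Anonymous upload is
# enabled later in this setup, so do not widen -s without reconsidering that.
iptables -t filter -A CLASS-RULES -m state --state NEW -p tcp --dport 21 -s 192.168.0.0/24 -j ACCEPT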
---略---

接下來把 FTP 的 connection-tracking helper 模組 "ip_conntrack_ftp" 加入 iptables-config（沒有它，port 20 / passive mode 的資料連線不會被辨識為 RELATED，上面那條 RELATED,ESTABLISHED 規則就放行不了資料連線）。這裡只有單一網段、沒有 NAT；若主機有做 NAT，還須加上 "ip_nat_ftp"。

#vi /etc/sysconfig/iptables-config
---略---
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
---略---

%若不更改任何設定，任何人都可以用 anonymous 登入 ftp server，看到的根目錄是 /var/ftp（/var/ftp/pub 為預設公開目錄），且為 read-only：只能 download，不允許 upload

(4)允許user可以upload file

#mkdir /var/ftp/incoming
#chown root:ftp /var/ftp/incoming
#chmod 730 /var/ftp/incoming

SElinux設定
#chcon -t public_content_rw_t /var/ftp/incoming

[root@server118 ftp]# ll -Z
drwx-wx--- root ftp system_u:object_r:public_content_rw_t incoming
drwxr-xr-x root root system_u:object_r:public_content_t pub

#setsebool -P allow_ftpd_anon_write on

[root@server118 ftp]# getsebool -a|grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

修改vsftpd.conf
#vi /etc/vsftpd/vsftpd.conf

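#edit
#anon_upload_enable=YES
# Allow anonymous uploads. This only works together with write_enable=YES
# and a directory the anonymous session can write to (the 730 root:ftp
# /var/ftp/incoming created above, labelled public_content_rw_t with
# allow_ftpd_anon_write on).
anon_upload_enable=YES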
---略---
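#edit
#chown_uploads=YES
#chown_username=whoever
# chown_username is ignored unless chown_uploads is enabled, so the two
# settings must be turned on together. The point of re-owning uploads is to
# move them away from the user anonymous sessions run as (ftp_username,
# default "ftp"): with "ftp" here the uploaded files are still readable by
# that session, so this only hides them from listing (dir mode 730), not
# from a client that knows the file name. Never use root here.
chown_uploads=YES
chown_username=ftp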

重新啟動vsftpd
#service vsftpd restart

測試
[root@server1 /]# lftp ftp://192.168.0.118
lftp 192.168.0.118:~> cd incoming
cd ok, cwd=/incoming
lftp 192.168.0.118:/incoming> ls
lftp 192.168.0.118:/incoming> lcd /root
lcd ok, local cwd=/root
lftp 192.168.0.118:/incoming> put install.log
31854 bytes transferred

資料確實已上傳到主機，檔案擁有者為 ftp。注意這並不是 chown_username 的效果：在原本的設定裡 chown_uploads 仍被註解掉，匿名連線本來就是以 ftp 這個使用者寫入檔案；權限 600 則來自 anon_umask 的預設值 077。
[root@server118 incoming]# ll
total 40
-rw-r--r-- 1 root root 0 Jul 26 14:21 f2.test
-rw------- 1 ftp ftp 31854 Jul 26 22:25 install.log



