一.FTP 两种工作模式
主动模式(PORT)
FTP主动模式:客户端通过TCP连接访问FTP服务端时,会开启一个大于1024的端口N连接服务端的21端口(控制端口),并通过该控制连接发送PORT命令,告知服务端自己的数据端口N+1;服务端收到命令后,会从20端口(数据端口)主动连接客户端的N+1端口进行数据传输。
被动模式(PASV)
FTP被动模式:客户端通过TCP连接访问FTP服务端时,开启一个大于1024的端口N连接服务端的21端口(控制端口),同时开启一个N+1端口,并通过控制连接发送PASV命令;服务端根据该命令得知要使用被动模式,会开放一个大于1024的端口P,并通过控制连接把数据端口P告知客户端,客户端再从N+1端口连接服务端的P端口进行数据传输。
注:
- 由于防火墙机制,主动模式不利于客户端侧的防火墙管理,被动模式不利于服务端侧的防火墙管理。
- 主动模式下,服务端的数据端口主动连接客户端,可能被客户端防火墙拦截。
- 被动模式下,客户端主动连接服务端开放的数据端口P,可能被服务端防火墙拦截。
二.实现基于MySQL验证的vsftpd虚拟用户
[root@centos8 ~]# yum -y install mariadb-server
[root@centos8 ~]# systemctl enable --now mariadb
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
[root@centos8 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.27-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> use vsftpd
Database changed
CREATE TABLE users (
id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
name CHAR(50) BINARY NOT NULL,
password CHAR(48) BINARY NOT NULL
);
MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.001 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser1',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser2',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser3',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> select * from users;
+----+----------+-------------------------------------------+
| id | name | password |
+----+----------+-------------------------------------------+
| 1 | ftpuser1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| 2 | ftpuser2 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| 3 | ftpuser3 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+----------+-------------------------------------------+
3 rows in set (0.000 sec)
MariaDB [vsftpd]> GRANT SELECT ON vsftpd.* TO vsftpd@'10.0.0.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.000 sec)
[root@centos7 ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[root@centos7 ~]# rz -E
rz waiting to receive.
[root@centos7 ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@centos7 ~]# cd pam_mysql-0.7RC1
[root@centos7 pam_mysql-0.7RC1]# ls
acinclude.m4 config.guess configure CREDITS ltmain.sh missing pam_mysql.c pkg.m4
aclocal.m4 config.h.in configure.in INSTALL Makefile.am mkinstalldirs pam_mysql.spec README
ChangeLog config.sub COPYING install-sh Makefile.in NEWS pam_mysql.spec.in stamp-h.in
[root@centos7 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@centos7 pam_mysql-0.7RC1]# make install
[root@centos7 pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql.*
-rwxr-xr-x 1 root root 882 Mar 13 21:08 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Mar 13 21:08 /lib64/security/pam_mysql.so
[root@centos7 pam_mysql-0.7RC1]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.8 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.8 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
:wq
[root@centos7 pam_mysql-0.7RC1]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
[root@centos7 pam_mysql-0.7RC1]# id vuser
uid=998(vuser) gid=996(vuser) groups=996(vuser)
[root@centos7 pam_mysql-0.7RC1]# ls /data/ftproot
ls: cannot access /data/ftproot: No such file or directory
[root@centos7 pam_mysql-0.7RC1]# mkdir -p /data/ftproot/upload
[root@centos7 pam_mysql-0.7RC1]# ll -d /data/ftproot/upload
drwxr-xr-x 2 root root 6 Mar 13 21:16 /data/ftproot/upload
[root@centos7 pam_mysql-0.7RC1]# setfacl -m u:vuser:rwx /data/ftproot/upload/
[root@centos7 pam_mysql-0.7RC1]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
:wq
[root@centos7 pam_mysql-0.7RC1]# systemctl enable --now vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
[root@centos7 pam_mysql-0.7RC1]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 32 [::]:21 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
[root@centos6 ~]# yum -y install ftp
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,0,7,57,86).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 6 Mar 13 13:16 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> !ls
anaconda-ks.cfg install.log install.log.syslog
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,115,217).
550 Permission denied.
ftp> exit
221 Goodbye.
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,0,7,191,50).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 29 Mar 13 13:36 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> !ls
anaconda-ks.cfg install.log install.log.syslog
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,115,217).
550 Permission denied.
ftp> exit
221 Goodbye.
[root@centos7 ~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/conf.d/
:wq
[root@centos7 ~]# mkdir /etc/vsftpd/conf.d/
[root@centos7 conf.d]# vim ftpuser1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
:wq
[root@centos7 conf.d]# systemctl restart vsftpd
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (10,0,0,7,38,124).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 6 Mar 13 13:16 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,195,218).
150 Ok to send data.
226 Transfer complete.
958 bytes sent in 0.00704 secs (136.12 Kbytes/sec)
ftp>
[root@centos7 pam_mysql-0.7RC1]# tail -f /var/log/secure
Mar 13 21:35:02 centos7 polkitd[547]: Registered Authentication Agent for unix-process:11920:442834 (system bus name :1.24 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 13 21:35:02 centos7 polkitd[547]: Unregistered Authentication Agent for unix-process:11920:442834 (system bus name :1.24, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
[root@centos7 conf.d]# ll /data/ftproot/upload/
total 4
-rw------- 1 vuser vuser 958 Mar 13 21:36 anaconda-ks.cfg
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,0,7,191,50).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 29 Mar 13 13:36 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> !ls
anaconda-ks.cfg install.log install.log.syslog
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,115,217).
550 Permission denied.
ftp> exit
221 Goodbye.
[root@centos7 conf.d]# mkdir /data/ftproot2
[root@centos7 conf.d]# touch /data/ftproot2/ftproot2.txt
[root@centos7 conf.d]# mkdir /data/ftproot3
[root@centos7 conf.d]# touch /data/ftproot3/ftproot3.txt
[root@centos7 conf.d]# vim ftpuser2
local_root=/data/ftproot2
:wq
[root@centos7 conf.d]# vim ftpuser3
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot3
:wq
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (10,0,0,7,197,196).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Mar 13 13:41 ftproot2.txt
226 Directory send OK.
[root@centos7 conf.d]# mkdir /data/ftproot2/upload
[root@centos7 conf.d]# mkdir /data/ftproot3/upload
ftp> ls
227 Entering Passive Mode (10,0,0,7,209,217).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Mar 13 13:41 ftproot2.txt
drwxr-xr-x 2 0 0 6 Mar 13 13:46 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,75,170).
550 Permission denied.
ftp> exit
221 Goodbye.
[root@centos6 ~]# ftp 10.0.0.7
Connected to 10.0.0.7 (10.0.0.7).
220 (vsFTPd 3.0.2)
Name (10.0.0.7:root): ftpuser3
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (10,0,0,7,178,70).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Mar 13 13:41 ftproot3.txt
drwxr-xr-x 2 0 0 6 Mar 13 13:46 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> !ls
anaconda-ks.cfg install.log install.log.syslog
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,49,119).
553 Could not create file.
[root@centos7 conf.d]# ll /data/ftproot3/upload/ -d
drwxr-xr-x 2 root root 6 Mar 13 21:46 /data/ftproot3/upload/
[root@centos7 conf.d]# setfacl -m u:vuser:rwx /data/ftproot3/upload/
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (10,0,0,7,142,7).
150 Ok to send data.
226 Transfer complete.
958 bytes sent in 0.000108 secs (8870.37 Kbytes/sec)