Overview
This topic describes how to set up the Very Secure FTP Daemon (vsftpd) on an ECS instance and configure virtual users.
Usage notes
Take note of the following items:
Before you perform high-risk operations such as modifying the configurations or data of Alibaba Cloud instances, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
Before you modify the configurations or data of an instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backup for the instance. For example, you can enable log backup for an ApsaraDB RDS instance.
If you granted access permissions on or submitted sensitive information (such as usernames and passwords) in the Alibaba Cloud Management Console, we recommend that you modify the information at the earliest opportunity.
The vsftpd service supports the following user modes:
Anonymous user mode: By default, vsftpd supports anonymous access. In this mode, you can log on to the FTP server with the anonymous account without entering a password.
System user mode: In this mode, you log on to the FTP server with Linux accounts. You can specify the Linux accounts in a configuration file.
Virtual user mode: In this mode, virtual users can access only the FTP service and no other resources provided by the Linux operating system. For example, if you want to grant users write permissions only within the FTP server and no access to other system resources, use the virtual user mode to enhance the security of the system.
vsftpd handles virtual users as guest logons: all of them are mapped to one system user (guest_username) at logon time, so at the file-system level they share that user's identity and permissions and cannot be told apart. Differences between virtual users, such as the home directory, are expressed in per-user configuration files (user_config_dir), as configured later in this topic.
Environment requirements and objectives
Requirement 1: A 64-bit Alibaba Cloud CentOS 7.6 public image with kernel 3.10.0-957.21.3.el7.x86_64.
Requirement 2: The vsftpd-3.0.2-25.el7.x86_64 package.
Objective: Set up an FTP server that the virtual user vuser1 can log on to in both active and passive modes.
Procedure
CentOS 6 and CentOS 8 have reached their end of life (EOL). In accordance with Linux community rules, all content has been removed from the CentOS 6 and CentOS 8 repository addresses. If you continue to use the default repository address of CentOS 6 or CentOS 8, an error is reported. We recommend that you change the repository address of CentOS 6 or CentOS 8. For more information, see How do I change CentOS 6 repository addresses? and Change CentOS 8 repository addresses.
Run the following command to install the vsftpd service:
yum install vsftpd -y
Run the following command to verify the path of the pam_userdb.so module:
ls -l /lib64/security/pam_userdb.so
Note: In most cases, the path of the pam_userdb.so module on a 64-bit CentOS 7.6 system is /lib64/security/pam_userdb.so.
Create a virtual host user. Virtual users are not system users and do not exist in the system. The permissions of all virtual users are mapped to those of one system user, which acts as the virtual host user for the virtual users of vsftpd. Run the following command to create the system user virtusers that the virtual users are mapped to:
useradd -d /data/ftproot -s /sbin/nologin virtusers
Note: -d specifies the FTP home directory, /data/ftproot in this example. -s specifies the logon shell of the system user; /sbin/nologin prevents the account from logging on to the system through a shell.
Create FTP-related working directories and set permissions. Recent versions of vsftpd refuse to chroot a user into a directory that the user can write to: the logon fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless allow_writeable_chroot=YES is set. Therefore, keep the home directory itself read-only and create a subdirectory in it. All operations such as upload, download, delete, and rename can be performed only in the subdirectory. In this example, set the FTP directory (home directory) of the virtual user vuser1 to /data/ftproot/vuser1/ and run chmod 500 on it. 500 grants the owner read and execute permissions only and removes the w (write) permission.
/data                          # The data directory, which can also be used for data backup.
└── [drwxr-xr-x] ftproot       # The directory of the FTP service.
    └── [dr-x------] vuser1    # The home directory of the virtual user vuser1. Create home directories for other users such as vuser2 and vuser3 in the same way as required.
        └── [drwxr-xr-x] rootdir   # The working directory of vuser1, in which read and write operations are allowed.
Note: The preceding directory tree shows the permissions on each subdirectory.
Run the following command to create the /data/ftproot/vuser1/rootdir directory:
mkdir -p /data/ftproot/vuser1/rootdir
Run the following commands to set the owner and permissions:
chown -R virtusers:virtusers /data/ftproot
chmod 500 /data/ftproot/vuser1
Configure virtual users
Run the following command to create a file named vuserlist:
vi /etc/vsftpd/vuserlist
Add the following content to the file:
vuser1
123456
Note: Usernames and passwords alternate line by line: the first line is the username and the second line is its password. To add more users, append another username line followed by its password line. Replace 123456 with a strong password; the database generated in the next step stores the password exactly as typed, without hashing.
Use the db_load tool of the system (provided by the libdb-utils package on CentOS 7) to generate a .db file named vuserlist.db, and set the permissions on the .db file to 600 for security reasons. The source file vuserlist contains the same passwords in plaintext, so set it to mode 600 as well or delete it after the database is generated.
db_load -T -t hash -f /etc/vsftpd/vuserlist /etc/vsftpd/vuserlist.db
chmod 600 /etc/vsftpd/vuserlist.db
Modify the Pluggable Authentication Modules (PAM) configuration. Edit the /etc/pam.d/vsftpd file, which corresponds to the pam_service_name=vsftpd setting in the /etc/vsftpd/vsftpd.conf file. Comment out the existing lines (they authenticate against system accounts, which the virtual users do not have) and append the following lines to the end of the file:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuserlist
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuserlist
Note: pam_userdb appends the .db suffix itself, so db= points to /etc/vsftpd/vuserlist, not to vuserlist.db.
Create and configure the configuration files of virtual users.
Create the directory that holds the per-user configuration files:
mkdir /etc/vsftpd/vuser_conf/
Create the configuration file of the virtual user vuser1. The file name must be the same as the username, because vsftpd reads user_config_dir/<username> after a logon:
vi /etc/vsftpd/vuser_conf/vuser1
Add the following configurations:
local_root=/data/ftproot/vuser1
anon_upload_enable=YES
anon_world_readable_only=NO
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Note: Because the main configuration file sets virtual_use_local_privs=YES, vuser1 has the privileges of a local user and its write access is governed by write_enable (set to YES in the default CentOS vsftpd.conf) rather than by the anon_* options above. Those options take effect only when virtual users run with anonymous privileges (virtual_use_local_privs=NO).
Configure the /etc/vsftpd/vsftpd.conf main configuration file for vsftpd. Add or modify the following settings, and keep the local_enable=YES and write_enable=YES lines from the default file, because virtual user logons and uploads depend on them. vsftpd does not accept a comment after a setting on the same line, so the explanations are placed on their own lines:
# Enable IPv4 listening and disable IPv6 listening.
listen=YES
listen_ipv6=NO
# Jail users in their local_root. With chroot_local_user=YES, the users listed in chroot_list_file are the exceptions that are NOT jailed.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# The name of the PAM service used by vsftpd. The value must be the same as the /etc/pam.d/vsftpd file name.
pam_service_name=vsftpd
# Give virtual users the same privileges as local users.
virtual_use_local_privs=YES
# Enable guest logons for virtual users and specify their host system user.
guest_enable=YES
guest_username=virtusers
# The directory that holds the per-user configuration files of virtual users.
user_config_dir=/etc/vsftpd/vuser_conf
# Enable passive mode and restrict the data ports to the range 30100-30200, which must also be opened in the security group of the instance.
pasv_enable=YES
pasv_min_port=30100
pasv_max_port=30200
# The IP address advertised to clients for passive mode connections. If the instance resides in a virtual private cloud (VPC), set it to the public IP address of the instance.
pasv_address=X.X.X.X
Create the /etc/vsftpd/chroot_list file. Because chroot_list_enable=YES, the file must exist even if it is empty; otherwise, vsftpd reports an error when a user attempts to connect.
touch /etc/vsftpd/chroot_list
Note: With chroot_local_user=YES, the users in chroot_list are the exceptions that are NOT jailed. An empty file therefore jails vuser1 in /data/ftproot/vuser1, which the chmod 500 on that directory allows. If you add vuser1 to the file as in the following steps, vuser1 is exempt from the jail and can move through every directory that the virtusers system user can read.
Open the /etc/vsftpd/chroot_list file and modify the file.
vim /etc/vsftpd/chroot_list
Add the user vuser1 to the file only if you want to exempt vuser1 from the jail:
vuser1
Check result
Restart the vsftpd service (systemctl restart vsftpd) so that the new configuration takes effect. Then use an FTP client such as FileZilla to verify that the virtual user vuser1 can access the FTP server in both active and passive modes, upload and download files, and create, delete, and rename directories in the rootdir working directory as expected.
If the user cannot connect in passive mode, check whether the security group of the instance allows inbound traffic on TCP port 21 and on the passive mode port range configured above (30100 to 30200 in this example). In active mode the server opens the data connection to the client, which client-side NAT or firewalls often block, so passive mode is usually the mode to test first.
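The following script is an added example and is not part of the original topic or of vsftpd. It checks, without root or a running vsftpd, the state that the preceding procedure should leave behind: the home directory of the virtual user has no owner write bit (so the chroot is accepted), rootdir is writable, the password database is mode 600, the user is actually jailed given the combination of chroot_local_user and chroot_list, and the passive port range is sane so it can be compared with the security group rule. The script name vsftpd_vuser_check.sh, the ROOT argument (empty for the live system) and the build_demo scratch tree are assumptions of the example; on the instance, source the file and run run_checks with no arguments as root.

```bash
#!/bin/sh
# vsftpd_vuser_check.sh -- pre-flight checks for the virtual-user layout in this topic.
# Added example, not part of the topic or of vsftpd. ROOT ("" = the live system)
# may point at a scratch copy so the checks can be exercised as an unprivileged user.

# Return 0 if directory $1 has the owner write bit set, 1 otherwise.
# Only the last three octal digits are inspected (setgid/sticky bits are ignored).
owner_can_write() {
  local mode
  [ -d "$1" ] || return 1
  mode=$(stat -c '%a' "$1") || return 1
  mode=${mode#"${mode%???}"}        # keep the last three digits, e.g. 2755 -> 755
  case ${mode%??} in                 # owner digit: 2,3,6,7 carry the write bit
    2|3|6|7) return 0 ;;
    *)       return 1 ;;
  esac
}

# The chroot root (the user's home, /data/ftproot/vuser1) must NOT be owner-writable,
# or vsftpd refuses the logon ("refusing to run with writable root inside chroot()").
chroot_root_ok() { [ -d "$1" ] && ! owner_can_write "$1"; }

# The working directory (rootdir) MUST be owner-writable for uploads to work.
workdir_ok() { owner_can_write "$1"; }

# The pam_userdb database and the plaintext list it was built from hold the
# password as typed, so both must be mode 600.
secret_file_ok() { [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]; }

# Print the value of KEY from a vsftpd.conf (last occurrence wins, like vsftpd).
conf_get() {  # conf_get CONF KEY
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Decide whether USER is jailed: chroot_local_user=YES jails everyone EXCEPT the
# users in chroot_list_file; chroot_local_user=NO jails ONLY the listed users.
# Returns 0 jailed, 1 not jailed, 2 if the list is enabled but the file is missing
# (vsftpd then rejects every logon).
user_chrooted() {  # user_chrooted CONF USER
  local base listed list
  base=0; listed=0
  [ "$(conf_get "$1" chroot_local_user)" = "YES" ] && base=1
  if [ "$(conf_get "$1" chroot_list_enable)" = "YES" ]; then
    list=$(conf_get "$1" chroot_list_file)
    [ -f "$list" ] || return 2
    grep -qx "$2" "$list" && listed=1
  fi
  [ "$base" -ne "$listed" ]
}

# Print the passive port range ("30100-30200") to compare with the security group
# rule; fail if a bound is missing or the range is inverted.
pasv_range() {  # pasv_range CONF
  local lo hi
  lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
  [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] || return 1
  echo "$lo-$hi"
}

# Run all checks for one virtual user. FAIL lines make the return code 1, WARN lines
# do not. Usage: run_checks [ROOT] [USER]
run_checks() {
  local r u conf rc
  r=${1:-}; u=${2:-vuser1}; conf=$r/etc/vsftpd/vsftpd.conf; rc=0
  chroot_root_ok "$r/data/ftproot/$u"        || { echo "FAIL: $r/data/ftproot/$u must not be owner-writable (chmod 500)"; rc=1; }
  workdir_ok "$r/data/ftproot/$u/rootdir"     || { echo "FAIL: $r/data/ftproot/$u/rootdir must be writable"; rc=1; }
  secret_file_ok "$r/etc/vsftpd/vuserlist.db" || { echo "FAIL: vuserlist.db must be mode 600"; rc=1; }
  secret_file_ok "$r/etc/vsftpd/vuserlist"    || echo "WARN: plaintext vuserlist is not mode 600; chmod 600 it or delete it"
  if user_chrooted "$conf" "$u"; then echo "OK: $u is jailed in its local_root"
  else echo "WARN: $u is NOT jailed (listed in chroot_list with chroot_local_user=YES, or list file missing)"; fi
  pasv_range "$conf" >/dev/null               || { echo "FAIL: pasv_min_port/pasv_max_port missing or inverted"; rc=1; }
  return $rc
}

# Build a scratch replica of the layout from this topic under $1 (constructed test
# data, not a live server) so the checks can be tried without root.
build_demo() {  # build_demo ROOT
  local r; r=$1
  mkdir -p "$r/data/ftproot/vuser1/rootdir" "$r/etc/vsftpd"
  chmod 755 "$r/data/ftproot/vuser1/rootdir"
  chmod 500 "$r/data/ftproot/vuser1"
  printf 'vuser1\n123456\n' > "$r/etc/vsftpd/vuserlist"; chmod 644 "$r/etc/vsftpd/vuserlist"  # umask-typical, triggers the WARN
  : > "$r/etc/vsftpd/vuserlist.db"; chmod 600 "$r/etc/vsftpd/vuserlist.db"
  printf 'vuser1\n' > "$r/etc/vsftpd/chroot_list"   # as in the topic: exempts vuser1 from the jail
  cat > "$r/etc/vsftpd/vsftpd.conf" <<EOF
# scratch copy of the settings from this topic
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$r/etc/vsftpd/chroot_list
pasv_enable=YES
pasv_min_port=30100
pasv_max_port=30200
EOF
}

# Remove the scratch tree (the 500 directory must be made writable first).
cleanup_demo() { chmod -R u+w "$1" && rm -rf "$1"; }
```

With the chroot_list from the topic in place, run_checks reports vuser1 as not jailed; emptying the file turns that into the OK line, which is the quickest way to see the effect of chroot_list_enable under chroot_local_user=YES before touching the live instance.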
Applicable scope
ECS