::Shannon::Qingdao Data Recovery Center::
Author: Shannon Qingdao Data Recovery Center 2013-11-07 11:01
VSFTPD (Very Secure FTP Daemon) is a secure FTP server for Unix/Linux systems. It can protect transferred data by encrypting it with SSL. It is well known for its security, performance and stability compared with other FTP servers. vsftpd supports virtual users through PAM (Pluggable Authentication Modules). A virtual user is an FTP login that does not exist as a real account on the system, i.e. it has no entry in /etc/passwd or /etc/shadow. Virtual users can therefore be more secure than real users: a compromised virtual account can only use the FTP server and cannot log in to the system to use other services. Virtual users can be stored in a local db or in a MySQL database. This guide is for RHEL/CentOS 5/6 and focuses on MySQL-based FTP authentication.
1. Install the vsftpd package using yum.
# yum install vsftpd mysql-server
# service mysqld restart
# mysqladmin -u root password 'newpassword'
2. Create the mysql database for use with vsftpd.
$ mysql -u root -p
mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpdpassword';
mysql> FLUSH PRIVILEGES;
mysql> USE vsftpd;
mysql> CREATE TABLE `accounts` (
    `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    `username` VARCHAR(30) NOT NULL,
    `pass` VARCHAR(50) NOT NULL,
    UNIQUE (`username`)
) ENGINE = MYISAM;
mysql> exit;
3. Configure vsftpd. Create a non-privileged user called 'vsftpd' (with the home directory /home/vsftpd) belonging to the group 'users'. vsftpd will run with this user's privileges to further reduce the risk to the system. The FTP directories of the virtual users will be beneath /home/vsftpd/ (e.g. /home/vsftpd/user1, /home/vsftpd/user2, etc.) unless a per-user vsftpd config file defines otherwise.
# useradd -G users -s /bin/false -d /home/vsftpd vsftpd
4. Open and configure default vsftpd.conf file.
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
# Allow 'local' users with WRITE permissions (0755)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
nopriv_user=vsftpd
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
5. Create a pam file that will use the new user database.
# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd-orig
# cat /dev/null > /etc/pam.d/vsftpd
# vi /etc/pam.d/vsftpd

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3
account required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3
6. Install pam_mysql.so. Only available in EPEL.
# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/i386/RPMS/pam_mysql-0.7-0.5.rc1.el5.kb.2.i386.rpm
# rpm -ivh pam_mysql-0.7-0.5.rc1.el5.kb.2.i386.rpm
Check that it installed correctly; once installed, the module should be present:
# ls -al /lib/security/pam_m*
-rwxr-xr-x 1 root root  8024 Sep  4 00:51 /lib/security/pam_mail.so
-rwxr-xr-x 1 root root 15848 Sep  4 00:51 /lib/security/pam_mkhomedir.so
-rwxr-xr-x 1 root root  3892 Sep  4 00:51 /lib/security/pam_motd.so
-rwxr-xr-x 1 root root 36920 Feb 28  2008 /lib/security/pam_mysql.so
7. Create some mysql users.
$ mysql -u root -p
mysql> USE vsftpd;
mysql> INSERT INTO accounts (username, pass) VALUES('user1', md5('secret'));
mysql> select * from accounts;
+----+----------+----------------------------------+
| id | username | pass                             |
+----+----------+----------------------------------+
|  1 | user1    | 5ebe2294ecd0e0f08eab7690d2a6ee69 |
+----+----------+----------------------------------+
1 rows in set (0.00 sec)
mysql> exit;
8. user1's home directory is now /home/vsftpd/user1. Unfortunately vsftpd does not create that directory automatically if it does not exist, so create it manually as root and give it the proper ownership (user vsftpd, group 'users'):
# mkdir /home/vsftpd/user1
# chown vsftpd:users /home/vsftpd/user1
9. Start service and make it persistent across reboots.
# service vsftpd restart
# chkconfig vsftpd on
10. Confirm the service is listening:
# lsof -i -n | egrep 'FTP|21'
11. If you have iptables enabled, allow FTP traffic to 21/tcp:
# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
12. Load the required FTP connection-tracking module by editing the iptables module configuration:
# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file.
13. Save iptables and restart the service.
# service iptables save; service iptables restart
14. Restart vsftpd.
# service vsftpd restart
Now open two terminals. In one, connect with an FTP client as the user you created; in the other, watch the FTP log:
# tail -f /var/log/vsftpd.log
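As an added consistency check (not part of the original guide), the following Python script parses the vsftpd.conf settings from step 4, derives the per-user root directory that step 8 has to create by hand, and verifies that the pam_mysql crypt=3 setting from step 5 really matches the md5() hashes inserted in step 7. The sample config text, the PAM line and the REQUIRED table are constructed here from this page; the hash of 'secret' is the one shown in step 7.

```python
import hashlib

# Constructed sample: the vsftpd.conf settings this guide sets in step 4.
VSFTPD_CONF = """\
# comment lines start with '#'; vsftpd has no inline comments
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
local_root=/home/vsftpd/$USER
user_sub_token=$USER
"""

# Constructed sample: the 'auth' line of /etc/pam.d/vsftpd from step 5.
PAM_AUTH_LINE = ("auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword "
                 "host=localhost db=vsftpd table=accounts usercolumn=username "
                 "passwdcolumn=pass crypt=3")

# Settings a virtual-user setup needs; anonymous access must stay off.
REQUIRED = {"anonymous_enable": "NO", "local_enable": "YES",
            "guest_enable": "YES", "chroot_local_user": "YES"}

def parse_conf(text):
    """Parse vsftpd.conf: one key=value per line, '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def wrong_settings(conf):
    """Required keys whose value is missing or differs from the guide."""
    return sorted(k for k, v in REQUIRED.items() if conf.get(k) != v)

def virtual_user_root(conf, username):
    """Expand local_root with user_sub_token: the directory step 8 creates by hand."""
    return conf["local_root"].replace(conf.get("user_sub_token", "$USER"), username)

def pam_mysql_options(line):
    """Collect the key=value options from a pam_mysql.so control line."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def stored_password_matches(opts, stored_hash, password):
    """crypt=3 means unsalted hex MD5, i.e. the MySQL md5() used in step 7."""
    if opts.get("crypt") != "3":
        raise ValueError("only crypt=3 (hex MD5) is handled here")
    return hashlib.md5(password.encode()).hexdigest() == stored_hash
```

Run it against a real /etc/vsftpd/vsftpd.conf and /etc/pam.d/vsftpd by reading those files into the two sample variables.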