Name resolution: username --> UID, group --> GID, service name --> port, hostname --> IP
Username --> UID: /etc/passwd
Hostname --> IP: DNS, /etc/hosts
Service name --> port: /etc/services (MySQL: services, ports)
Each kind of data store has its own format, so each needs its own resolver library, and different resolver libraries need different query methods
nsswitch (Name Service Switch): the framework that selects among those libraries
S/MIME:
openssl, GPG (an implementation of PGP)
maildrop: an MDA from Courier, used for mail delivery
FTP: File Transfer Protocol
21/tcp:
FTP is about as old as SMTP, and much older than HTTP
File sharing services: application layer (on top of TCP; different from RPC)
RPC: Remote Procedure Call, works between two hosts;
it lets different processes on two hosts exchange data over a binary interface
(many applications such as Hadoop and OpenStack depend on RPC, Hadoop especially)
NFS (Network File System): a network file system that depends on RPC
Samba: CIFS/SMB, cross-platform file sharing; the sharing mechanism is very low-level. CIFS = Common Internet File System
Windows "Network Neighborhood" uses CIFS; Samba lets Linux speak CIFS, so Linux and Windows can share files
FTP: based on TCP, uses two connections
Command connection, a.k.a. control connection (stays open for the whole session): 21/tcp
Data connection (opened on demand, closed when the transfer is done)
(It is a text protocol, so you can telnet to it; it also has dedicated clients, a C/S model)
(Implemented over sockets)
Active mode: 20/tcp
Passive mode: random port
Data transfer modes (automatic mode):
binary
text (ASCII)
FTP server --> FTP client follows the file itself (HTTP can convert text to binary for transport and convert it back to text in the browser; FTP has no such feature)
This is a test file.---->
Structured data
Semi-structured data
Unstructured data
Text, binary
HTML: text
mp3, jpeg: binary
The server connects actively
Antivirus software: inspects file contents to judge whether they are dangerous, and kills what is dangerous
Firewall: its job is to close the doors, i.e. the ports, that are not needed (keep others from getting in while you can still get out, or also keep yourself from getting out)
TCP: 60,000-odd ports
UDP: 60,000-odd ports
[root@mail ~]# grep ftp /etc/services
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
tftp 69/tcp
tftp 69/udp
sftp 115/tcp
sftp 115/udp
tftp-mcast 1758/tcp
tftp-mcast 1758/udp
mtftp 1759/udp
venus-se 2431/udp # udp sftp side effect
codasrv-se 2433/udp # udp sftp side effect
ni-ftp 47/tcp # NI FTP
ni-ftp 47/udp # NI FTP
bftp 152/tcp # Background File Transfer Program
bftp 152/udp # Background File Transfer Program
softpc 215/tcp # Insignia Solutions
softpc 215/udp # Insignia Solutions
subntbcst_tftp 247/tcp # SUBNTBCST_TFTP
subntbcst_tftp 247/udp # SUBNTBCST_TFTP
mftp 349/tcp # mftp
mftp 349/udp # mftp
ftp-agent 574/tcp # FTP Software Agent System
ftp-agent 574/udp # FTP Software Agent System
pftp 662/tcp # PFTP
pftp 662/udp # PFTP
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps-data 989/udp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL
ftps 990/udp # ftp protocol, control, over TLS/SSL
etftp 1818/tcp # Enhanced Trivial File Transfer Protocol
etftp 1818/udp # Enhanced Trivial File Transfer Protocol
utsftp 2529/tcp # UTS FTP
utsftp 2529/udp # UTS FTP
aaftp 2794/tcp # aaftp
aaftp 2794/udp # aaftp
gsiftp 2811/tcp # GSI FTP
gsiftp 2811/udp # GSI FTP
odette-ftp 3305/tcp # ODETTE-FTP
odette-ftp 3305/udp # ODETTE-FTP
tftps 3713/tcp # TFTP over TLS
tftps 3713/udp # TFTP over TLS
exasoftport1 3920/tcp # Exasoft IP Port
exasoftport1 3920/udp # Exasoft IP Port
kftp-data 6620/tcp # Kerberos V5 FTP Data
kftp-data 6620/udp # Kerberos V5 FTP Data
kftp 6621/tcp # Kerberos V5 FTP Control
kftp 6621/udp # Kerberos V5 FTP Control
[root@mail ~]#
Server active mode
Server passive mode
Server data port in the PASV reply: 256 * the first number + the second number
Data transfer
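As an added example that is not part of the original notes, the following POSIX shell function parses a PASV reply such as the `227 Entering Passive Mode (192,168,1,85,49,66)` lines seen in the sessions further down and computes the data port with the formula above. The second function checks the resulting port against the passive range a server is supposed to use (vsftpd sets it with `pasv_min_port` and `pasv_max_port`); the range values 10000-20000 are an assumption for this example, and the sample replies are copied from this page.

```shell
#!/bin/sh
# Added example: parse an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply and print "host port", where port = p1 * 256 + p2.
# Returns 1 if the line is not a well-formed 227 reply.
pasv_endpoint() {
    reply=$1
    # Keep only the comma-separated numbers between the parentheses.
    nums=$(printf '%s\n' "$reply" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    # Split the six fields into $1..$6 (positional parameters are local to a function).
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# Does port $1 lie inside the passive range $2..$3? This is the range an
# administrator opens on the firewall instead of every high port; the
# values used below are assumed for the example, not taken from the notes.
pasv_in_range() {
    port=$1 min=$2 max=$3
    [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]
}

# Constructed sample: 227 replies copied from the sessions on this page,
# plus one non-PASV reply to show that it is skipped.
SAMPLE_PASV='227 Entering Passive Mode (192,168,1,85,49,66)
227 Entering Passive Mode (192,168,1,85,102,209)
150 Here comes the directory listing.'

printf '%s\n' "$SAMPLE_PASV" | while IFS= read -r line; do
    if ep=$(pasv_endpoint "$line"); then
        port=${ep##* }
        if pasv_in_range "$port" 10000 20000; then
            echo "$ep (inside assumed range 10000-20000)"
        else
            echo "$ep (OUTSIDE assumed range 10000-20000)"
        fi
    fi
done
```

A port outside the configured range in a server's own 227 reply is worth investigating: either the configuration is not what the administrator believes, or the reply did not come from the expected server.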
Server-side programs:
Linux:
wu-ftpd:
vsftpd: Very Secure FTP Daemon
proftpd:
Filezilla:
Windows:
Filezilla:
Serv-U:
Client programs:
CLI:
ftp (Linux)
lftp (Linux)
GUI:
gftp (Linux)
FlashFXP (Windows)
CuteFTP (Windows)
Filezilla (Windows)
Red Hat systems
vsftpd: small and lean (only 100-some KB, around 140-odd KB)
/etc/vsftpd (from the rpm package): configuration directory
/etc/init.d/vsftpd: service script
/usr/sbin/vsftpd: main program
User authentication is done through PAM (PAM is a framework, comparable to nsswitch)
/etc/pam.d/*
/lib/security/*
(/lib64/security/*)
Supports virtual users
PAM (Pluggable Authentication Modules)
vsftpd is subject to SELinux (it may need SELinux turned off before it works properly)
vsftpd: (ftp user, ftp group)
/var/ftp: home directory, writable only by root, very safe
Create a subdirectory under /var/ftp and give the ftp user write permission on it
Upload and download:
ftp: the system user (each of the three user types below is mapped to a system user)
Anonymous users --> system user: anonymous_enable
System users: local_enable ("local" here means system user)
Virtual users --> system user
/var/ftp: the ftp user's home directory, which is the directory anonymous users see
chroot locks the root directory: here /var/ftp is treated as the root
Confine users to their home directories
System users:
write_enable=YES: defines whether local users (i.e. system users) can upload files
[root@mail ~]# yum install vsftpd
See which files the package installed:
[root@mail ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd.log
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd
/etc/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd
/usr/share/doc/vsftpd-2.0.5
/usr/share/doc/vsftpd-2.0.5/AUDIT
/usr/share/doc/vsftpd-2.0.5/BENCHMARKS
/usr/share/doc/vsftpd-2.0.5/BUGS
/usr/share/doc/vsftpd-2.0.5/COPYING
/usr/share/doc/vsftpd-2.0.5/Changelog
/usr/share/doc/vsftpd-2.0.5/EXAMPLE
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.xinetd.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/hosts.allow.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/vsftpd-2.0.5/FAQ
/usr/share/doc/vsftpd-2.0.5/INSTALL
/usr/share/doc/vsftpd-2.0.5/LICENSE
/usr/share/doc/vsftpd-2.0.5/README
/usr/share/doc/vsftpd-2.0.5/README.security
/usr/share/doc/vsftpd-2.0.5/REWARD
/usr/share/doc/vsftpd-2.0.5/SECURITY
/usr/share/doc/vsftpd-2.0.5/SECURITY/DESIGN
/usr/share/doc/vsftpd-2.0.5/SECURITY/IMPLEMENTATION
/usr/share/doc/vsftpd-2.0.5/SECURITY/OVERVIEW
/usr/share/doc/vsftpd-2.0.5/SECURITY/TRUST
/usr/share/doc/vsftpd-2.0.5/SIZE
/usr/share/doc/vsftpd-2.0.5/SPEED
/usr/share/doc/vsftpd-2.0.5/TODO
/usr/share/doc/vsftpd-2.0.5/TUNING
/usr/share/doc/vsftpd-2.0.5/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp
/var/ftp/pub
[root@mail ~]#
[root@mail ~]# finger ftp (the daemon runs as the ftp user)
Login: ftp Name: FTP User
Directory: /var/ftp Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
[root@mail ~]#
[root@mail ~]# grep vsftp /etc/passwd
[root@mail ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@mail ~]#
[root@mail ~]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]# chkconfig vsftpd on
[root@mail ~]#
[root@mail ~]# cd /var/ftp/
[root@mail ftp]# ls
pub
[root@mail ftp]#
Make sure the firewall is off
[root@mail ftp]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
[root@mail ftp]#
On Windows, try it with the ftp command
Replies starting with 2 mean success
Replies starting with 3 mean the information so far is incomplete and more is needed
The ftp client has a help command that lists its commands
[root@mail ftp]# cd /etc/vsftpd/
[root@mail vsftpd]#
[root@mail vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@mail vsftpd]# cp vsftpd.conf vsftpd.conf.bak
[root@mail vsftpd]# man vsftpd.conf
[root@mail vsftpd]# vim vsftpd.conf (directives in vsftpd.conf must not be preceded by whitespace)
anonymous_enable=YES # allow anonymous users?
local_enable=YES # enable system (i.e. local) users?
write_enable=YES # writable? make sure `getenforce` does not report Enforcing
anon_upload_enable=YES # allow anonymous users to upload files?
anon_mkdir_write_enable=YES # allow anonymous users to create directories?
#anon_other_write_enable=YES # allow anonymous users other write permissions (e.g. deleting files?)
dirmessage_enable=YES # show the .message file when entering a directory (the .message in that directory)
xferlog_enable=YES # xfer = transfer: enable the transfer log, which records which user downloaded which file at what time
xferlog_file=/var/log/vsftpd.log # location of the log file
xferlog_std_format=YES # standard log format
#chown_uploads=YES # after an upload completes, change the owner and group to another user?
#chown_username=whoever # which user to change to
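As an added example that is not part of these notes, here is a small POSIX shell audit of a vsftpd.conf along the lines of the settings above: it reads each directive the way the note says vsftpd expects it (starting in column 1, no leading whitespace), flags indented lines that vsftpd will not accept, reports which anonymous write permissions are enabled, and checks that the transfer log is on. The directive names are the real vsftpd.conf options listed above; the sample file it audits is constructed from those same settings.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the anonymous-write and logging
# directives discussed in the notes. Findings go to stderr; the number of
# findings is printed on stdout so a caller can act on it.

# Print the value of directive $2 in file $1 (empty if unset or commented out).
# Only lines that start in column 1 count, since vsftpd does not accept
# leading whitespace; if a directive appears twice the last one wins.
conf_get() {
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

audit_vsftpd_conf() {
    f=$1
    n=0
    # An indented "key=value" line is not a valid directive for vsftpd, so flag it:
    # the admin may believe a setting is active when the file will not load as intended.
    if grep -q '^[[:space:]][[:space:]]*[A-Za-z_][A-Za-z_]*=' "$f"; then
        echo "WARN: indented directive present; vsftpd does not accept it" >&2
        n=$((n + 1))
    fi
    if [ "$(conf_get "$f" anonymous_enable)" = "YES" ]; then
        if [ "$(conf_get "$f" anon_upload_enable)" = "YES" ]; then
            echo "INFO: anonymous upload enabled (anon_upload_enable)" >&2
            n=$((n + 1))
        fi
        if [ "$(conf_get "$f" anon_mkdir_write_enable)" = "YES" ]; then
            echo "INFO: anonymous mkdir enabled (anon_mkdir_write_enable)" >&2
            n=$((n + 1))
        fi
        if [ "$(conf_get "$f" anon_other_write_enable)" = "YES" ]; then
            echo "WARN: anonymous delete/rename enabled (anon_other_write_enable)" >&2
            n=$((n + 1))
        fi
    fi
    if [ "$(conf_get "$f" xferlog_enable)" != "YES" ]; then
        echo "WARN: transfer log disabled (xferlog_enable)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample config built from the directives shown in the notes.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
EOF

echo "findings: $(audit_vsftpd_conf "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```

Run it against /etc/vsftpd/vsftpd.conf after each edit; the INFO lines are the ones you expect on an upload server, the WARN lines are the ones to justify.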
[root@mail vsftpd]# cp /etc/issue /home/hadoop/
[root@mail vsftpd]#
[root@mail ~]# tcpdump -i eth0 -nn -X -vv tcp port 21 and ip host 192.168.1.85
[root@mail ~]# getenforce
Permissive
[root@mail ~]# setenforce 0 # run this if it is not Permissive
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hadoop
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,85,49,66)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 75 Jul 21 10:02 issue
226 Directory send OK.
ftp> lcd /etc (lcd = local cd)
Local directory now /etc
ftp> put fstab (put sends a local file to the remote side; get fetches a remote file to the local side)
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,102,209)
150 Ok to send data.
226 File receive OK.
534 bytes sent in 5.1e-05 seconds (1e+04 Kbytes/s)
ftp> ls
227 Entering Passive Mode (192,168,1,85,103,211)
150 Here comes the directory listing.
-rw-r--r-- 1 2527 2527 534 Jul 22 06:39 fstab
-rw-r--r-- 1 0 0 75 Jul 21 10:02 issue
226 Directory send OK.
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (192,168,1,85,198,153)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 4.8e-05 seconds (3.4e+04 Kbytes/s)
ftp> pwd
257 "/home/hadoop"
ftp>
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp (can this be anything? it can certainly be ftp or anonymous; both names are the anonymous user)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,85,231,182)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 25 2012 pub
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,109,7)
550 Permission denied.
ftp> cd pub
250 Directory successfully changed.
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,53,36)
550 Permission denied.
ftp>
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ls -ld /var/ftp
drwxr-xr-x 3 root root 4096 07-21 17:07 /var/ftp
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,164,88)
553 Could not create file. (even after setting anon_upload_enable=YES, the anonymous user still cannot upload)
ftp> cd pub
250 Directory successfully changed.
ftp> pwd
257 "/pub"
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,246,145)
553 Could not create file. (even after setting anon_upload_enable=YES, the anonymous user still cannot upload)
ftp>
[root@mail ~]# ls -ld /var/ftp
drwxr-xr-x 3 root root 4096 07-21 17:07 /var/ftp
[root@mail ~]# ls -ld /var/ftp/pub/
drwxr-xr-x 2 root root 4096 2012-09-25 /var/ftp/pub/
[root@mail ~]#
[root@mail ~]# mkdir /var/ftp/upload
[root@mail ~]# setfacl -m u:ftp:rwx /var/ftp/upload (give the ftp user read, write and execute permission on /var/ftp/upload)
[root@mail ~]#
[root@mail ~]# getfacl /var/ftp/upload
getfacl: Removing leading '/' from absolute path names
# file: var/ftp/upload
# owner: root
# group: root
user::rwx
user:ftp:rwx
group::r-x
mask::rwx
other::r-x
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp (anonymous user)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,85,175,16)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 25 2012 pub
drwxrwxr-x 2 0 0 4096 Jul 22 07:10 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put fstab (as the output below shows, the file now uploads normally)
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,136,24)
150 Ok to send data.
226 File receive OK.
534 bytes sent in 3.1e-05 seconds (1.7e+04 Kbytes/s)
ftp> mkdir test (cannot create a directory)
550 Permission denied.
ftp> delete fstab (cannot delete a file)
550 Permission denied.
ftp>
File service permissions: file-system permissions * share permissions (an operation is allowed only when both allow it)
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,1,85,40,161)
150 Here comes the directory listing.
-rw------- 1 14 50 534 Jul 22 07:15 fstab
226 Directory send OK.
ftp> mkdir test (only works after enabling anon_mkdir_write_enable=YES, which allows anonymous users to create directories)
257 "/upload/test" created
ftp> delete fstab (requires anon_other_write_enable=YES, which grants anonymous users other write permissions such as deleting files, before deletion is permitted)
550 Permission denied.
ftp>
[root@mail ~]# vim /var/ftp/upload/.message (the hidden .message file in a directory)
-- welcome to upload
--please do not upload unknown file
--
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload (with dirmessage_enable=YES on, the contents of /var/ftp/upload/.message are shown here)
250--- welcome to upload
250---please do not upload unknown file
250---
250 Directory successfully changed.
ftp>
[root@mail ~]# tail /var/log/vsftpd.log (once logging and the log file are enabled, the log is visible)
Wed Jul 22 07:58:09 2020 1 192.168.1.85 0 /fstab b _ i a ? ftp 0 * i
Wed Jul 22 07:58:43 2020 1 192.168.1.85 534 /upload/fstab b _ i a ? ftp 0 * c
[root@mail ~]#
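Added example, not part of the original notes: the two log lines above are in xferlog_std_format, a fixed space-separated layout (date and time, transfer seconds, remote host, byte count, file name, transfer type b/a, special-action flag, direction i/o/d, access mode a/g/r, username, service, auth method, auth user id, completion status c/i). The POSIX shell and awk functions below summarise such lines and pick out completed anonymous uploads, which is the event to watch on a server with anon_upload_enable=YES. The sample lines are the two from this page plus one constructed line whose file name contains a space; because a space in the file name shifts the fields, the trailing fields are counted from the end of the line.

```shell
#!/bin/sh
# Added example: parse xferlog_std_format lines (as written by vsftpd with
# xferlog_enable=YES and xferlog_std_format=YES).
#
# Field layout, counted from the END so that a file name containing spaces
# does not shift the trailing fields:
#   $1-$5 timestamp   $6 transfer seconds   $7 remote host   $8 bytes
#   $9..$(NF-9) file name (may contain spaces)
#   $(NF-8) type a/b   $(NF-7) special flag   $(NF-6) direction i/o/d
#   $(NF-5) access mode a/g/r   $(NF-4) username   $(NF-3) service
#   $(NF-2) auth method   $(NF-1) auth user id   $NF status c/i

# One summary line per record: host mode direction status bytes filename
xferlog_summary() {
    awk 'NF >= 18 {
        name = $9
        for (i = 10; i <= NF - 9; i++) name = name " " $i
        printf "%s %s %s %s %s %s\n", $7, $(NF-5), $(NF-6), $NF, $8, name
    }'
}

# Completed (status c) incoming (direction i) transfers by anonymous users
# (access mode a): prints "host filename bytes" for each.
anon_uploads() {
    awk 'NF >= 18 && $(NF-6) == "i" && $(NF-5) == "a" && $NF == "c" {
        name = $9
        for (i = 10; i <= NF - 9; i++) name = name " " $i
        print $7, name, $8
    }'
}

# Constructed sample: the two lines from the notes plus one with a space in
# the file name to exercise the end-anchored field handling.
SAMPLE_XFERLOG='Wed Jul 22 07:58:09 2020 1 192.168.1.85 0 /fstab b _ i a ? ftp 0 * i
Wed Jul 22 07:58:43 2020 1 192.168.1.85 534 /upload/fstab b _ i a ? ftp 0 * c
Wed Jul 22 08:01:10 2020 1 192.168.1.85 1024 /upload/my notes.txt b _ i a ? ftp 0 * c'

printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_summary
echo "--- completed anonymous uploads ---"
printf '%s\n' "$SAMPLE_XFERLOG" | anon_uploads
```

The first page line (status i, the denied put into / before the upload directory existed) is listed by the summary but not by anon_uploads, which is the distinction a detection rule wants: an incomplete record shows an attempt, a complete one shows a file that now sits on disk.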