Sunday, December 19, 2010

Setting up a secure virtual FTP server with vftpd

Everyone knows that FTP password authentication sends the password in plaintext, so it can easily be sniffed.

This article describes a "virtual" FTP server built around the chroot option. It cannot stop FTP passwords from being sniffed, but it does keep your system passwords out of reach: a virtual FTP service, besides chrooting users, authenticates them against a second, separate password database, so you don't need to create system accounts for FTP users at all. Even if an FTP password is disclosed, the attacker cannot log in to the system with it. We use a daemon called vftpd to play the role of the virtual FTP server. Its main security features are:

- users are always chrooted into their home directory
- users do not need a login shell
- a user's home directory may not be /, /etc, /bin, /sbin, /usr/bin, /usr/sbin, /dev, /lib or /tmp
- the home directory path may not contain symbolic links
- no user other than root may have UID 0
- the password file and related files must not be writable by users

Installing vftpd is simple. The latest version at the time of writing is 6.5.8: download it, then tar xvfz ..., make, make install, and that's it. Download: startuplinux.com/virtualftpd.tml

Most of the configuration is done automatically; you only need to edit one file. /etc/ftppasswd holds the real FTP accounts. Its format is basically the same as /etc/passwd, one entry per line:

login:encryptedpassword:uid:gid:description:ftppath:/no/shell

vftpd ships a tool called addvuser that makes adding FTP users easy, and "ftppasswd username" changes an existing user's FTP password. If a user who needs FTP also has a shell account on the system, add them to /etc/ftppasswd as well, but it is best not to give them the same password there as their system password. Users who should not be allowed to FTP at all can be listed in /etc/ftpusers. Finally, put your FTP login notices in /etc/ftpwelcome (shown on connection) and /etc/motd (shown after a successful login).
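Since vftpd rejects entries that violate the rules above only when the daemon reads the file, it helps to lint /etc/ftppasswd before starting it. The following Python script is an added example, not vftpd's own code: it parses the colon-separated format described above and re-implements the checks the article lists (forbidden home directories, UID 0 only for root, no symlinks in the home path, password file not writable by others). The sample file contents, the placeholder hashes and the fake symlink lookup are constructed for the example; the seven-field layout is assumed from the article's description.

```python
"""Lint a vftpd-style /etc/ftppasswd file against the safety rules
the article lists. Added example; not vftpd's own code."""
import os
import stat
from dataclasses import dataclass

# Home directories vftpd refuses, as listed in the article.
FORBIDDEN_HOMES = frozenset(
    {"/", "/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/dev", "/lib", "/tmp"}
)


@dataclass
class FtpUser:
    login: str
    password: str      # crypt(3)-style hash, never a plaintext password
    uid: int
    gid: int
    description: str
    home: str
    shell: str         # placeholder such as /no/shell; vftpd users need no shell


def parse_ftppasswd(text: str) -> list:
    """Parse login:encryptedpassword:uid:gid:description:ftppath:shell lines."""
    users = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        login, password, uid, gid, description, home, shell = fields
        users.append(FtpUser(login, password, int(uid), int(gid), description, home, shell))
    return users


def path_prefixes(path: str):
    """Yield each ancestor of an absolute path and the path itself: /a/b -> /a, /a/b."""
    current = ""
    for part in (p for p in path.split("/") if p):
        current += "/" + part
        yield current


def check_user(user: FtpUser, is_symlink=os.path.islink) -> list:
    """Return the problems found in one entry; an empty list means it passes."""
    problems = []
    home = os.path.normpath(user.home)  # "/tmp/" -> "/tmp", so the set lookup works
    if home in FORBIDDEN_HOMES:
        problems.append(f"{user.login}: home {user.home} is a forbidden directory")
    if user.uid == 0 and user.login != "root":
        problems.append(f"{user.login}: UID 0 is only allowed for root")
    # Every component of the home path must be a real directory, not a symbolic link.
    for prefix in path_prefixes(home):
        if is_symlink(prefix):
            problems.append(f"{user.login}: {prefix} in home path is a symbolic link")
            break
    return problems


def check_file_mode(mode: int) -> list:
    """The password file itself must not be writable by group or others."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["ftppasswd is writable by group or others"]
    return []


def lint(text: str, is_symlink=os.path.islink, file_mode: int = 0o600) -> list:
    """Run every check over a whole file and collect the problems."""
    problems = check_file_mode(file_mode)
    for user in parse_ftppasswd(text):
        problems.extend(check_user(user, is_symlink))
    return problems


# Constructed sample file; the hashes are placeholders, not real crypt output.
SAMPLE_FTPPASSWD = """\
# constructed sample, hashes are placeholders
alice:$1$saltsalt$placeholderhash:1001:1001:Web uploads:/home/ftp/alice:/no/shell
bob:$1$saltsalt$placeholderhash:0:0:Mistaken uid:/home/ftp/bob:/no/shell
carol:$1$saltsalt$placeholderhash:1002:1002:Bad home:/tmp/:/no/shell
dave:$1$saltsalt$placeholderhash:1003:1003:Symlinked home:/srv/ftp/dave:/no/shell
"""


def fake_is_symlink(path: str) -> bool:
    """Stand-in for os.path.islink so the sample runs without touching the disk."""
    return path == "/srv/ftp"


if __name__ == "__main__":
    # 0o664 is group-writable, which the article forbids for the password file.
    for problem in lint(SAMPLE_FTPPASSWD, is_symlink=fake_is_symlink, file_mode=0o664):
        print(problem)
```

On a real system call lint with the file's contents, the default os.path.islink and the mode from os.stat("/etc/ftppasswd").st_mode; the injected is_symlink parameter exists only so the sample can run offline.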
Now you can start the daemon, for example: vftpd -D -l -U

The options are:

- -D: run as a daemon in the background
- -l: log FTP logins to syslog (both failed and successful ones); give -l twice to log more detail
- -U: record sessions so that the who command shows the currently active FTP sessions
- -A: allow only anonymous connections
- -S: log anonymous connections to /var/log/tpd
- -p: port number, default 21

For example, in rc.local we can write: /usr/local/bin/vftpd -D -U -l -l
