    Configuring the FTP Server

    General Introduction

    FTP Overview

    File Transfer Protocol (FTP) is one of the earliest transmission protocols on the Internet. It is used to transfer files between the server and client. FTP allows users to access files on a remote system using a set of standard commands without logging in to the remote system. In addition, the FTP server provides the following functions:

    • User classification

      By default, the FTP server classifies users into real users, guest users, and anonymous users based on how they log in. The three types of users have different access permissions: real users have full access, while anonymous users have only the permission to download resources.

    • Command records and log file records

      FTP can use syslogd to record data, including the command history and user transfer data (such as the transfer time and file size). Users can obtain the log information from the /var/log/ directory.

    • Restricting the access scope of users

      FTP can limit the working scope of a user to that user's home directory. After a user logs in to the system through FTP, the root directory displayed by the system is the user's home directory. This environment is called change root (chroot for short). In this way, users can access only their home directory, not important directories such as /etc, /home, and /usr/local. This protects the system and keeps it secure.

    Port Used by the FTP Server

    The FTP service requires multiple network ports. The server uses the following ports:

    • Command channel. The default port number is 21.
    • Data channel. The default port number is 20.

    Port 21 is used to receive connection requests from the FTP client, and port 20 is used by the FTP server to proactively connect to the FTP client.

    Introduction to vsftpd

    FTP has a long history and transmits data unencrypted, so it is considered insecure. This section describes the Very Secure FTP Daemon (vsftpd), which allows FTP to be used in a more secure way.

    vsftpd was introduced to build a security-centric FTP server. It is designed with the following features:

    • The vsftpd service runs as a common user with low system permissions. In addition, vsftpd uses chroot to change the root directory, which prevents system tools from being misused.
    • Any vsftpd operation that requires high execution permissions is controlled by a special upper-layer program. The upper-layer program has low permissions and does not affect the system.
    • vsftpd integrates most of the extra commands (such as dir, ls, and cd) used by FTP, so the system generally does not need to provide external commands, which is safer for the system.

    Using vsftpd

    Installing vsftpd

    To use the vsftpd service, you need to install the vsftpd software. If the software repository (yum source) has been configured, run the following command as the root user to install the vsftpd service:

    # dnf install vsftpd
    

    Service Management

    To start, stop, or restart the vsftpd service, run the corresponding command as the root user.

    • Starting the vsftpd service

      # systemctl start vsftpd
      

      You can run the netstat command to check whether port 21 is listening. If the following information is displayed, the vsftpd service is running.

      # netstat -tulnp | grep 21
      tcp6       0      0 :::21                   :::*                    LISTEN      19716/vsftpd
      

      NOTE:
      If the netstat command does not exist, run the dnf install net-tools command to install the net-tools software and then run the netstat command.

    • Stopping the vsftpd service

      # systemctl stop vsftpd
      
    • Restarting the vsftpd service

      # systemctl restart vsftpd
      

    Configuring vsftpd

    vsftpd Configuration Files

    You can modify the vsftpd configuration files to control user permissions. Table 1 describes the vsftpd configuration files. Modify them as required; run the man command to view the meaning of further parameters.

    Table 1 vsftpd configuration files

    Configuration File

    Description

    /etc/vsftpd/vsftpd.conf

    Main configuration file of the vsftpd process. The configuration format is Parameter=Value. Neither the parameter nor its value can be empty.

    You can run the following command to view details about the vsftpd.conf file:

    man 5 vsftpd.conf

    /etc/pam.d/vsftpd

    Pluggable authentication module (PAM) configuration for vsftpd. PAM is used for identity authentication and restricts some user operations.

    /etc/vsftpd/ftpusers

    List of users who are not allowed to use vsftpd. By default, the system accounts are also in this file, so they cannot use vsftpd by default.

    /etc/vsftpd/user_list

    List of users who are allowed or not allowed to log in to the vsftpd server. Whether the file takes effect depends on the following parameters in the main configuration file vsftpd.conf:

    userlist_enable: indicates whether to enable the userlist mechanism. The value YES indicates that the userlist mechanism is enabled; in this case, the userlist_deny setting takes effect. The value NO indicates that the userlist mechanism is disabled.

    userlist_deny: indicates whether to forbid users in the user list to log in. YES indicates that users in the user list are forbidden to log in. NO indicates that only users in the list are allowed to log in.

    For example, if userlist_enable is set to YES and userlist_deny is set to YES, all users in the user list cannot log in.

    /etc/vsftpd/chroot_list

    List of users for which the home-directory (chroot) restriction is the exception to the default. By default, this file does not exist; you need to create it manually. Its path is the value of chroot_list_file in the vsftpd.conf file.

    The function of this parameter is determined by the following parameters in the vsftpd.conf file:

    • chroot_local_user: indicates whether to restrict all users to their home directory. The value YES indicates that all users are restricted to their home directory, and the value NO indicates that users are not restricted by default.
    • chroot_list_enable: indicates whether to enable the list of restricted users. The value YES indicates that the list is enabled, and the value NO indicates that the list is disabled.

    For example, if chroot_local_user is set to YES, chroot_list_enable is set to YES, and chroot_list_file is set to /etc/vsftpd/chroot_list, all users are restricted to their home directories, and users in chroot_list are not restricted.

    /usr/sbin/vsftpd

    Unique execution file of vsftpd.

    /var/ftp/

    Default root directory for anonymous logins. It corresponds to the home directory of the ftp user.
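    The userlist and chroot rules described above can be checked against a configuration before it is deployed. The following script is an added example, not part of the openEuler documentation or of vsftpd itself; it reads a constructed vsftpd.conf and list files in a temporary directory (the file names and the helper names conf_get, in_list, login_decision, and chroot_decision are assumptions) and reports, for each user, whether the login would be accepted and whether the user is confined to the home directory:

```shell
# Added example, not openEuler's or vsftpd's own code: models the login and chroot
# decisions that userlist_enable/userlist_deny and chroot_local_user/chroot_list_enable
# make. Files under $DEMO are constructed for the demo; /etc/vsftpd is never read.

# Print the value of parameter $2 in vsftpd.conf $1 (empty if absent).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Succeed if user $2 appears as a whole line in list file $1 (missing file: no).
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# Login outcome for user $3 (config $1, list directory $2): ALLOW or DENY.
# ftpusers is a PAM deny list that applies regardless of the user_list settings.
login_decision() {
    conf="$1"; listdir="$2"; user="$3"
    if in_list "$listdir/ftpusers" "$user"; then echo DENY; return; fi
    if [ "$(conf_get "$conf" userlist_enable)" != YES ]; then echo ALLOW; return; fi
    listed=no; in_list "$listdir/user_list" "$user" && listed=yes
    deny="$(conf_get "$conf" userlist_deny)"; [ -z "$deny" ] && deny=YES  # vsftpd default
    if [ "$deny" = YES ]; then
        [ "$listed" = yes ] && echo DENY || echo ALLOW   # user_list is a deny list
    else
        [ "$listed" = yes ] && echo ALLOW || echo DENY   # user_list is an allow list
    fi
}

# Chroot outcome for user $3: CHROOT (confined to home) or FREE. With chroot_local_user=YES
# the list holds the exceptions; with NO it holds the only users that are confined.
chroot_decision() {
    conf="$1"; listdir="$2"; user="$3"; listed=no
    if [ "$(conf_get "$conf" chroot_list_enable)" = YES ]; then
        listfile="$(conf_get "$conf" chroot_list_file)"
        [ -z "$listfile" ] && listfile="$listdir/chroot_list"  # vsftpd default name
        in_list "$listfile" "$user" && listed=yes
    fi
    if [ "$(conf_get "$conf" chroot_local_user)" = YES ]; then
        [ "$listed" = yes ] && echo FREE || echo CHROOT
    else
        [ "$listed" = yes ] && echo CHROOT || echo FREE
    fi
}

# Constructed demo data: list-related settings as an administrator might write them.
DEMO="$(mktemp -d)"
cat > "$DEMO/vsftpd.conf" <<EOF
userlist_enable=YES
userlist_deny=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$DEMO/chroot_list
EOF
printf 'root\nbin\ndaemon\n' > "$DEMO/ftpusers"
printf 'root\nbin\ndaemon\noperator\n' > "$DEMO/user_list"
printf 'alice\n' > "$DEMO/chroot_list"
for u in root operator alice bob; do
    echo "$u: login=$(login_decision "$DEMO/vsftpd.conf" "$DEMO" "$u") chroot=$(chroot_decision "$DEMO/vsftpd.conf" "$DEMO" "$u")"
done
```

    Point the three path arguments at /etc/vsftpd instead of $DEMO to check a real server's configuration.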

    Default Configuration Description

    NOTE:
    The configuration content in this document is for reference only. You can modify the content based on the site requirements (for example, security hardening requirements).

    In the openEuler system, vsftpd does not allow anonymous logins by default. Run the vim command to view the main configuration file. The content is as follows:

    $ vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    

    Table 2 describes the parameters.

    Table 2 Parameter description

    Parameter

    Description

    anonymous_enable

    Indicates whether to allow anonymous users to log in. YES indicates that anonymous users are allowed to log in; NO indicates that anonymous users are not allowed to log in.

    local_enable

    Whether to allow local users to log in. YES indicates that local users are allowed to log in. NO indicates that local users are not allowed to log in.

    write_enable

    Whether to allow the login user to have the write permission. YES indicates that the upload and write function is enabled, and NO indicates that the function is disabled.

    local_umask

    Indicates the umask value applied when a local user creates a file.

    dirmessage_enable

    Indicates whether to display a message (notices that users need to pay attention to) when a user enters a directory. The options are YES (yes) and NO (no).

    xferlog_enable

    Indicates whether to record file upload and download operations. The options are YES (record operations) and NO (not record operations).

    connect_from_port_20

    Indicates whether port 20 is used for data transmission in port mode. YES indicates that port 20 is used, and NO indicates that port 20 is not used.

    xferlog_std_format

    Indicates whether the transfer log file is written in the standard xferlog format. The options are YES (yes) and NO (no).

    listen

    Indicates whether the vsftpd service is started in standalone mode. The options are YES (yes) and NO (no).

    pam_service_name

    Support for PAM management. The value is a PAM service name, for example, vsftpd.

    userlist_enable

    Indicates whether to support account login control in the /etc/vsftpd/user_list file. The options are YES (yes) and NO (no).

    tcp_wrappers

    Indicates whether to support the host-based access control mechanism of TCP Wrappers. The options are YES (yes) and NO (no).

    listen_ipv6

    Indicates whether to listen for IPv6 FTP requests. The options are YES (yes) and NO (no). listen and listen_ipv6 cannot both be set to YES at the same time.

    Setting the Local Time

    Overview

    In the openEuler system, vsftpd uses Greenwich Mean Time (GMT) by default, which may differ from the local time. For example, GMT is 8 hours behind Beijing time. You need to change the GMT time to the local time; otherwise, the server time and client time are inconsistent, which may cause errors during file upload and download.

    Setting Method

    To set the vsftpd time to the local time, perform the following steps as the root user:

    1. Open the vsftpd.conf file and set use_localtime to YES (add the line if it is not present). Run the following command:

      # vim /etc/vsftpd/vsftpd.conf
      

      Modify the file contents as follows:

      use_localtime=YES
      
    2. Restart the vsftpd service.

      # systemctl restart vsftpd
      
    3. Set the vsftpd service to start automatically upon power-on.

      # systemctl enable vsftpd
      

    Configuring Welcome Information

    To use the vsftpd service normally, the welcome information file must exist. To configure the welcome.txt file of the vsftpd service, perform the following steps as the root user:

    1. Open the vsftpd.conf configuration file, add the welcome information to the file, save the file, and exit.

      # vim /etc/vsftpd/vsftpd.conf
      

      The following configuration lines need to be added:

      banner_file=/etc/vsftpd/welcome.txt
      
    2. Create welcome information. Specifically, open the welcome.txt file, write the welcome information, save the file, and exit.

      # vim /etc/vsftpd/welcome.txt
      

      The following is an example:

      Welcome to this FTP server!
      

    Configuring the Login Permission of a System Account

    Generally, you need to restrict the login permission of some accounts. Set the restriction as required.

    Two files are used to restrict the login of system accounts. The default files are as follows:

    • /etc/vsftpd/ftpusers: This file is managed by the PAM module and is determined by the settings of the /etc/pam.d/vsftpd file.
    • /etc/vsftpd/user_list: This file is set by userlist_file in vsftpd.conf and is provided by vsftpd.

    Both files must exist and have the same content. Referring to /etc/passwd, write the accounts whose UIDs are smaller than 500 to both files, one account per line.

    To restrict the login of system accounts, add the accounts to /etc/vsftpd/ftpusers and /etc/vsftpd/user_list as the root user.

    Open the user_list file to view the account information in the current file. The command and output are as follows:

    $ vim /etc/vsftpd/user_list
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    

    Verifying Whether the FTP Service Is Successfully Set Up

    You can use the FTP client provided by openEuler for verification. The command and output are as follows. Enter the user name (an existing user in the system) and password as prompted. If the message "Login successful" is displayed, the FTP server is successfully set up.

    $ ftp localhost
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    220-Welcome to this FTP server!
    220
    Name (localhost:root): USERNAME
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> bye
    221 Goodbye.
    

    NOTE:
    If the ftp command does not exist, run the dnf install ftp command as the root user to install the ftp software and then run the ftp command.

    Configuring a Firewall

    To open the FTP service to the Internet, you need to configure the firewall and SELinux as the root user.

    # firewall-cmd --add-service=ftp --permanent
    success
    # firewall-cmd --reload
    success
    # setsebool -P ftpd_full_access on
    

    File Transmission

    Overview

    This section describes how to transfer files after the vsftpd service is started.

    Connecting to the Server

    Command Format

    ftp [hostname | ip-address]

    hostname indicates the name of the server, and ip-address indicates the IP address of the server.

    Requirements

    Run the following command on the command-line interface (CLI) of the openEuler OS:

    $ ftp ip-address
    

    Enter the user name and password as prompted. If the following information is displayed after the authentication is successful, the FTP connection is successful. In this case, you have accessed the directory of the connected server.

    ftp>
    

    At this prompt, you can enter different commands to perform related operations.

    • Display the current path of the server.

      ftp>pwd
      
    • Display the local path. You can upload the files in this path to the corresponding location on the FTP server.

      ftp>lcd
      
    • Escape to the local Linux shell and return to the local terminal.

      ftp>!
      

    Downloading a File

    Generally, the get or mget command is used to download files.

    How to use get

    • Function description: Transfers files from a remote host to a local host.

    • Command format: get [remote-file] [local-file]

      remote-file indicates a remote file, and local-file indicates a local file.

    • For example, run the following command to download the /home/openEuler/openEuler.htm file from the remote server to the local directory /home/myopenEuler/ and rename it myopenEuler.htm:

      ftp> get /home/openEuler/openEuler.htm /home/myopenEuler/myopenEuler.htm
      

    How to use mget

    • Function description: Receives a batch of files from the remote host to the local host.

    • Command format: mget [remote-file]

      remote-file indicates a remote file.

    • For example, to obtain all files in the /home/openEuler/ directory on the server, run the following command:

      ftp> cd /home/openEuler/
      ftp> mget *.*
      

      NOTE:

      • In this case, a message is displayed each time a file is downloaded. To block the prompt information, run the prompt off command before running the mget *.* command.
      • The files are downloaded to the current directory on the Linux host. For example, if you run the ftp command in /home/myopenEuler/, all files are downloaded to /home/myopenEuler/.

    Uploading a File

    Generally, the put or mput command is used to upload files.

    How to use put

    • Function: Transfers a local file to a remote host.

    • Command format: put [local-file] [remote-file]

      remote-file indicates a remote file, and local-file indicates a local file.

    • For example, run the following command to transfer the local myopenEuler.htm file to the remote host /home/openEuler/ and change the file name to openEuler.htm:

      ftp> put myopenEuler.htm /home/openEuler/openEuler.htm
      

    How to use mput

    • Function: Transfers a batch of files from the local host to a remote host.

    • Command format: mput [local-file]

      local-file indicates a local file.

    • For example, run the following command to upload all HTM files in the local directory to the /home/openEuler/ directory on the server:

      ftp> cd /home/openEuler/
      ftp> mput *.htm
      

    Deleting a File

    Generally, the delete or mdelete command is used to delete a file.

    How to use delete

    • Function description: Deletes one or more files from the remote server.

    • Command format: delete [remote-file]

      remote-file indicates a remote file.

    • For example, to delete the /home/openEuler/openEuler.htm file from the remote server, run the following command:

      ftp> cd /home/openEuler/
      ftp> delete openEuler.htm
      

    How to use mdelete

    • Function description: Deletes files from a remote server in batches.

    • Command format: mdelete [remote-file]

      remote-file indicates a remote file.

    • For example, to delete all files whose names start with a from the /home/openEuler/ directory on the remote server, run the following command:

      ftp> cd /home/openEuler/
      ftp> mdelete a*
      

    Disconnecting from the Server

    Run the bye command to disconnect from the server.

    ftp> bye
    
