Câu lệnh
__________
export EDITOR=vi ;to specify a editor to open crontab file.

crontab -e     Edit your crontab file, or create one if it doesn’t already exist.
crontab -l      Display your crontab file.
crontab -r      Remove your crontab file.
crontab -v      Display the last time you edited your crontab file. (This option is only available on a few systems.)
 

Cấu trúc File Crontab
___________
syntax :-
A crontab file has five fields for specifying day , date and time  followed by the command to be run at that interval.

* Indicates all possible values as in braces for that column.

Ví dụ
_______

A line in crontab file like below  removes the tmp files from /home/someuser/tmp each day at 6:30 PM.

30     18     *     *     *         rm /home/someuser/tmp/*

Changing the parameter values as below will cause this command to run at different time schedule below :

Khai báo các biến môi trường trong file crontab
___________
cron invokes the command from the user’s HOME directory with the shell, (/usr/bin/sh).
cron supplies a default environment for every shell, defining:
HOME=user’s-home-directory
LOGNAME=user’s-login-id
PATH=/usr/bin:/usr/sbin:.
SHELL=/usr/bin/sh

Users who desire to have their .profile executed must explicitly do so
in the crontab entry or in a script called by the entry.

Tắt chức năng mail
____________

By default cron jobs sends a email to the user account executing the cronjob. If this is not needed put the following command At the end of the cron job line .

>/dev/null 2>&1

Thu thập file log
________________

To collect the cron execution execution log in a file :

18 * * * rm /home/someuser/tmp/* > /home/someuser/cronlogs/clean_tmp_dir.log

Một số ví dụ về crontab nâng cao

0 0 * * * – chạy script mỗi 0:00 AM

0 * * * * – chạy script mỗi giờ (vào phút đầu tiên của giờ)

*/15 * * * * – chạy script mỗi 15 ph

5 8 * * * – chạy script mỗi ngày vào 8h5ph sáng

5 8 15 * * – chạy script mỗi 8h5ph sang ngày 15 hằng tháng

5 8 * * 1 – chạy script mỗi thứ hai hàng tuần, 8h5ph

30 0 1 1,6,12 * chạy script vào 0h30ph sang ngày 1 của tháng 1, tháng 6 và tháng 12.

0 20 * 10 1-5 8h tối mỗi ngày trong tuần(thứ 2 tới thứ 6) của tháng 10

0 0 1,10,15 * * nửa đêm của ngày 1, 10 và 15 hằng tháng.

5,10 0 10 * 1 vào 12h5, 12h10 mỗi thứ hai và vào ngày 10 hằng tháng

1,21,41 * * * * echo “Meu crontab rodou mesmo!”

Là một lệnh shell được sử dụng trong linux với mục đích lập thời gian biểu tự động chạy một ứng dụng cụ thể nào đó hoặc để thực hiện tự động 1 nhiệm vụ nào đó mà người dùng định nghĩa. Khi thực hiện khai báo lệnh này cần chú ý về thời gian thực hiện, tránh thực hiện những lệnh backup data hay restart service trong thời gian nhạy cảm của hệ thống: thời gian có nhiều tiến trình đang hoạt động, có nhiều kết nối từ bên ngoài vào …

• Nội dung

Là một lệnh shell được sử dụng trong linux với mục đích sử dụng thời gian biểu tự động chạy một ứng dụng cụ thể nào đó hoặc để thực hiện tụ động 1 nhiệm vụ nào đó mà người dùng định nghĩa.
Thường được dùng để backup hoặc xóa các file tạm được sinh ra trong quá trình vận hành hệ thống… được định nghĩa trong file /etc/crotab.
Cú pháp câu lệnh Crontab

Ví dụ:
Để xóa file home/someuser/tmp/ vào lúc 18h45 hàng ngày ta dùng lệnh sau:
4518***User rm/home/someuser/tmp/*
4518***Là thời gian thực hiện
User là user thực hiện
rm/home/someuser/tmp/* Công việc thực hiện
Các bước tiến hành như sau:
Bước 1: Khở động terminal của máy muốn thực hiện.
Bước 2: Dùng lệnh cd để truy cập vào thư mục /etc

Bước 3: Mở file crontab bằng lệnh vi or vim trong linux để cấu hình

Bước 4: Tiến hành thiết đặt các thông số cần thiết

Bước 5: Save file crontab và thực hiện restart lại dịch vụ crontab bằng lệnh sau:
service crond restart

• Thực hiện nhiều nhiệm vụ

Nếu như ta thực hiện cùng lúc 1 gói các lệnh thì ta nên tạo ra một file_crontab.sh để thực hiện cùng nhiều lệnh (tương đương với file.bat trong windows)
Ví dụ:

Bước 1: Ta tiến hành tạo một file file_crontab.sh có nội dung như sau bằng lệnh vi (vim)
mkdir -p/root/test
cp/tmb/* /root/test
cd/root/test
taz -cvf test.tar/root/test/*
cp/root/test/test.tar/home/someuser/tmpBước 2: Tiến hành thiết lập cấu hình cho file crontab the trình tự các bước ở phần trên rồi khởi động lại.
- Thêm dòng này vào file crontab.
0020***root sh/path/file_crontab.sh
- Restart lại dịch vụ crontab
 Một số lưu ý
- Khi thực hiện khai báo lệnh này ta lên chú ý về thời gian thực hiện, tránh thực hiện những lệnh backup  dữ liệu hay restart lại service trong thời gian nhạy cảm của hệ thống (thời gian có nhiều tiến trình đang hoạt động, có nhiều kết nối từ bên ngoài vào).

SVN là gì thì search google nhé.

Install svn step by step as following

1. Install packages using yum

yum install subversion mod_dav_svn

2. Configure /etc/httpd/conf.d/subversion.conf

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

DAV svn
SVNParentPath /var/www/svn

AuthType Basic
AuthName “Subversion repos”
AuthUserFile /var/www/svn/htpasswd
Require valid-user

3. Prepare the repository

mkdir /var/www/svn
cd /var/www/svn
svnadmin create your_src
chown -R apache.apache your_src

4. Restart httpd

And then we are able to import codes right now.

Top 20 OpenSSH Server Best Security Practices

OpenSSH được ứng dụng nhiều để đăng nhập từ xa, backup dữ liệu, truyền file từ xa bằng scp hay sftp, … Tuy nhiên sức mạnh của SSH nằm ở public key cryptography. Tuy nhiên, lỗi zero-day khiến các tin tặc có thể đoạt quyền sử dụng. Sau đây là 20 mẹo giúp gia tăng độ bảo mật của SSH

Default Config Files and SSH Port

* /etc/ssh/sshd_config – OpenSSH server configuration file.

* /etc/ssh/ssh_config – OpenSSH client configuration file.

* ~/.ssh/ – Users ssh configuration directory.

* ~/.ssh/authorized_keys or ~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user’s account

* /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.

* /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.

* SSH default port : TCP 22

#1: Disable OpenSSH Server on un-needed Workstation and Laptop

Workstations and laptop đâu cần ssh server!

# chkconfig sshd off

# yum erase openssh-server

Kiểm tra các rule của IPtable, vì có thể quản trị mạng trước đã add thêm 1 số ngoại lệ cho phép ssh từ trong ra ngoài hoặc ngược lại

/etc/sysconfig/ip6tables.

# service iptables restart

# service ip6tables restart

#2: Only Use SSH Protocol 2

SSH 1 không bảo mật!

Protocol 2

#3: Limit Users’ SSH Access

< Mất công dịch lại quá. Đây là 20 mẹo bảo mật ssh hay. Đọc dễ hiểu mà. Không hiểu cứ post bài hỏi nha. He he>

By default all systems user can login via SSH using their password or public key. Sometime you create UNIX / Linux user account for ftp or email purpose. However, those user can login to system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl, Python which can open network ports and do many other fancy things. One of my client has really outdated php script and an attacker was able to create a new account on the system via a php script. However, attacker failed to get into box via ssh because it wasn’t in AllowUsers.

Only allow root, vivek and jerry user to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM allows or deny login via the sshd server. You can allow list of group name to access or deny access to the ssh.

#4: Configure Idle Log Out Timeout Interval

User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Open sshd_config and make sure following values are configured:

ClientAliveInterval 300

ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.

#5: Disable .rhosts Files

Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, bob made excellent point:

Saying “don’t login as root” is horseshit. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You’d get your password spoofed but not root’s pw. Gimme a break. this is 2005 – We have ssh, used properly it’s secure. used improperly none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

———————————————————————————————-

You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,

penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),

law enforcement (LE), and counterintelligence (CI) investigations.

+ At any time, the XYZG may inspect and seize data stored on this IS.

+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,

interception, and search, and may be disclosed or used for any XYZG authorized purpose.

+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests–not

for your personal benefit or privacy.

+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching

or monitoring of the content of privileged communications, or work product, related to personal representation

or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work

product are private and confidential. See User Agreement for details.

———————————————————————————————-

Above is standard sample, consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating iptables or pf firewall configurations. Usually, OpenSSH server must only accept connections from your LAN or other remote WAN sites only.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state –state NEW -p tcp –dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp –dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

#9: Change SSH Port and Limit IP Binding

By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line:

Port 300

ListenAddress 192.168.1.5

ListenAddress 202.54.1.5

A better approach to use proactive approaches scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrase for your keys. Brute force attack works because you use dictionary based passwords. You can force users to avoid passwords against a dictionary attack and use john the ripper tool to find out existing weak passwords. Here is a sample random password generator (put in your ~/.bashrc):

genpasswd() {

    local l=$1

    [ "$l" == "" ] && l=20

    tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs

}

Run it:

genpasswd 16

Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use passphrase free key (passphrase key less) login.

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse the server directories such as /etc/, /bin and so on. You can protect ssh, using os based chroot or use special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about new ChrootDirectory directive to lock down users to their home directories.

#14: Use TCP Wrappers

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. OpenSSH does supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 172.16.23.12 :

sshd : 192.168.1.2 172.16.23.12

See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single or distributed computer network. To prevents brute force attacks against SSH, use the following softwares:

* DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.

* Fail2ban is a similar program that prevents brute force attacks against SSH.

* security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.

* security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.

* security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.

* security/sshblock block abusive SSH login attempts.

* security/sshit checks for SSH/FTP bruteforce and blocks given IPs.

* BlockHosts Automatic blocking of abusive IP hosts.

* Blacklist Get rid of those bruteforce attempts.

* Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.

* IPQ BDB filter May be considered as a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.

Iptables Example

The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:

#!/bin/bash

inet_if=eth1

ssh_port=22

$IPT -I INPUT -p tcp –dport ${ssh_port} -i ${inet_if} -m state –state NEW -m recent –set

$IPT -I INPUT -p tcp –dport ${ssh_port} -i ${inet_if} -m state –state NEW -m recent –update –seconds 60 –hitcount 5 -j DROP

Call above script from your iptables scripts. Another config option:

$IPT -A INPUT -i ${inet_if} -p tcp –dport ${ssh_port} -m state –state NEW -m limit –limit 3/min –limit-burst 3 -j ACCEPT

$IPT -A INPUT -i ${inet_if} -p tcp –dport ${ssh_port} -m state –state ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o ${inet_if} -p tcp –sport ${ssh_port} -m state –state ESTABLISHED -j ACCEPT

# another one line example

# $IPT -A INPUT -i ${inet_if} -m state –state NEW,ESTABLISHED,RELATED -p tcp –dport 22 -m limit –limit 5/minute –limit-burst 5-j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.

sshd_server_ip=”202.54.1.5″

table <abusive_ips> persist

block in quick from <abusive_ips>

pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

$IPT -N stage1

$IPT -A stage1 -m recent –remove –name knock

$IPT -A stage1 -p tcp –dport 3456 -m recent –set –name knock2

$IPT -N stage2

$IPT -A stage2 -m recent –remove –name knock2

$IPT -A stage2 -p tcp –dport 2345 -m recent –set –name heaven

$IPT -N door

$IPT -A door -m recent –rcheck –seconds 5 –name knock2 -j stage2

$IPT -A door -m recent –rcheck –seconds 5 –name knock -j stage1

$IPT -A door -p tcp –dport 1234 -m recent –set –name knock

$IPT -A INPUT -m –state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp –dport 22 -m recent –rcheck –seconds 5 –name heaven -j ACCEPT

$IPT -A INPUT -p tcp –syn -j doo

* fwknop is an implementation that combines port knocking and passive OS fingerprinting.

* Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide openssh version, you need to update source code and compile openssh again. Make sure following options are enabled in sshd_config:

# Turn on privilege separation

UsePrivilegeSeparation yes

# Prevent the use of insecure home directory and key file permissions

StrictModes yes

# Turn on reverse name checking

VerifyReverseMapping yes

# Do you need port forwarding?

AllowTcpForwarding no

X11Forwarding no

# Specifies whether password authentication is allowed. The default is yes.

PasswordAuthentication no

Verify your sshd_config file before restarting / reloading changes:

# /usr/sbin/sshd -t

Cài đặt SSH khá đơn giản bằng lệnh

# yum –y install sshd

Quản trị Linux với SSH

Với một đoạn script đơn giản và SSH, bạn có thể quản trị đồng thời nhiều máy tính Linux mà không cần phải đăng nhập trực tiếp vào từng máy. SSH là công cụ cung cấp cách thức bảo mật cho việc đăng nhập và truyền nhận thông tin giữa các máy tính với nhau.

Một số công cụ được cung cấp qua SSH: SSH, SCP, SFTP.

Mỗi khi đăng nhập từ xa ta phải nhập password của máy, nhưng thông qua SSH ta không phải nhập password. Để làm được điều này ta phải tạo ra một khóa public key cho máy quản trị và chuyển khóa đó cho các máy cần quản trị từ xa.

Tạo public key cho máy quản trị:

$ ssh-keygen -t rsa

Sau lệnh này hệ thống sẽ tạo một public key (.ssh/id_rsa.pub) và private key.

Tiếp theo bạn đưa public key cho các máy cần quản trị từ xa, đổi tên file thành .ssh/authorized_keys và được đặt trong thư mục home của user mà bạn sẽ đăng nhập từ xa.

Bây giờ ta có thể chạy lệnh từ xa mà không cần phải đăng nhập trực tiếp vào máy.

Cú pháp để thực thi lệnh tới máy domain.com với: $ ssh test@domain.com <command>

Ví dụ: xem thông tin về đĩa: $ ssh test@domain.com df

Bạn có thể thực hiện nhiều lệnh như $ssh test@domain.com “df;uptime”

0xPEFUD0IXzZtXtHVLziA1/NuzY= anze@station1.example.com

Làm thế nào khi muốn chạy ftp server mà không muốn FTP user có login shell, system account và dạo chơi trên cái HDD của server ?

1. Installation of VSFTPD

# yum install vsftpd

2. Virtual users and authentication

Dùng pam_userdb để xác thực user, cần cài thêm component:

# yum install db4-utils

Tạo file `virtual-users.txt’ với username password

mary
123456
jack
654321

Tạo database

# db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db

Sửa file

# vi/etc/pam.d/vsftpd-virtual

auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users

3. Configuration of VSFTPD

Sửa file

## vi /etc/vsftpd/vsftpd-virtual.conf,

# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# activates virtual users
guest_enable=YES
# virtual users to use local privs, not anon privs
virtual_use_local_privs=YES
# enables uploads and new directories
write_enable=YES
# the PAM file used by authentication of virtual uses
pam_service_name=vsftpd-virtual
# in conjunction with ‘local_root’,
# specifies a home directory for each virtual user
user_sub_token=$USER
local_root=/var/www/virtual/$USER
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# hides the FTP server user IDs and just display “ftp” in directory listings
hide_ids=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=60021
# the minimum port to allocate for PASV style data connections
pasv_min_port=62222
# the maximum port to allocate for PASV style data connections
pasv_max_port=63333
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation
local_umask=022

4. Creation of home directories

# mkdir /var/www/virtual/mary
# chown ftp:ftp /var/www/virtual/mary

5. Startup of VSFTPD and test
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf

# lftp -u mary -p 60021 192.168.1.101

Hoặc một cách khác (nhưng đại khái tương tự J )

1. Installation of VSFTPD

# yum install vsftpd

2. Virtual users and authentication

We may create a real user account for each webmaster. We will only give them FTP access to our server.

First, use `useradd’ command to create user accounts. Something to be specified are:

• group: we may specify the group of users to the group HTTP server runs as. In most cases, it is `apache’ for Apache HTTP Server, it is `lighttpd’ for lighttpd.
• home directory: we should also specify users’ home directories to their virtual hosts’ DocumentRoot. We should also make these directories writable by HTTP server.
• login shell: in order to disallow normal login for these FTP users, we should specify their login shell to `/sbin/nologin’.

For example:

# useradd -g apache -d /var/www/vhosts/mike -s /sbin/nologin mike
# chmod g+w /var/www/vhosts/mike
# passwd mike
Changing password for user mike.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

3. Configuration of VSFTPD

Create a configuration file /etc/vsftpd/vsftpd-virtual.conf,

# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# enables uploads and new directories
write_enable=YES
# authentication of virtual uses
pam_service_name=login
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=60021
# the minimum port to allocate for PASV style data connections
pasv_min_port=62222
# the maximum port to allocate for PASV style data connections
pasv_max_port=63333
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation
local_umask=022

4. Start VSFTPD and test
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf

# lftp -u mike -p 60021 192.168.1.101

VSFTP – File cấu hình, rảnh ngồi nghiền ngẫm chơi.

allow_anon_ssl

Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.

Default: NO

anon_mkdir_write_enable

If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.

Default: NO

anon_other_write_enable

If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.

Default: NO

anon_upload_enable

If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations.

Default: NO

anon_world_readable_only

When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.

Default: YES

anonymous_enable

Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.

Default: YES

ascii_download_enable

When enabled, ASCII mode data transfers will be honoured on downloads.

Default: NO

ascii_upload_enable

When enabled, ASCII mode data transfers will be honoured on uploads.

Default: NO

async_abor_enable

When enabled, a special FTP command known as “async ABOR” will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.

Default: NO

background

When enabled, and vsftpd is started in “listen” mode, vsftpd will background the listener process. i.e. control will immediately be returned to the shell which launched vsftpd.

Default: NO

check_shell

Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.

Default: YES

chmod_enable

When enables, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.

Default: YES

chown_uploads

If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.

Default: NO

chroot_list_enable

If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.

Default: NO

chroot_local_user

If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

Default: NO

connect_from_port_20

This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.

Default: NO (but the sample config file enables it)

deny_email_enable

If activated, you may provide a list of anonymous password e-mail responses which cause login to be denied. By default, the file containing this list is /etc/vsftpd.banned_emails, but you may override this with the banned_email_file setting.

Default: NO

dirlist_enable

If set to NO, all directory list commands will give permission denied.

Default: YES

dirmessage_enable

If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.

Default: NO (but the sample config file enables it)

download_enable

If set to NO, all download requests will give permission denied.

Default: YES

dual_log_enable

If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd’s own style log.

Default: NO

force_dot_files

If activated, files and directories starting with . will be shown in directory listings even if the “a” flag was not used by the client. This override excludes the “.” and “..” entries.

Default: NO

force_local_data_ssl

Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.

Default: YES

force_local_logins_ssl

Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.

Default: YES

guest_enable

If enabled, all non-anonymous logins are classed as “guest” logins. A guest login is remapped to the user specified in the guest_username setting.

Default: NO

hide_ids

If enabled, all user and group information in directory listings will be displayed as “ftp”.

Default: NO

listen

If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.

Default: NO

listen_ipv6

Like the listen parameter, except vsftpd will listen on an IPv6 socket instead of an IPv4 one. This parameter and the listen parameter are mutually exclusive.

Default: NO

local_enable

Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd may be used to log in.

Default: NO

log_ftp_protocol

When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.

Default: NO

ls_recurse_enable

When enabled, this setting will allow the use of “ls -R”. This is a minor security risk, because a ls -R at the top level of a large site may consume a lot of resources.

Default: NO

no_anon_password

When enabled, this prevents vsftpd from asking for an anonymous password – the anonymous user will log straight in.

Default: NO

no_log_lock

When enabled, this prevents vsftpd from taking a file lock when writing to log files. This option should generally not be enabled. It exists to workaround operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.

Default: NO

one_process_model

If you have a Linux 2.4 kernel, it is possible to use a different security model which only uses one process per connection. It is a less pure security model, but gains you performance. You really don’t want to enable this unless you know what you are doing, and your site supports huge numbers of simultaneously connected users.

Default: NO

passwd_chroot_enable

If enabled, along with chroot_local_user , then a chroot() jail location may be specified on a per-user basis. Each user’s jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.

Default: NO

pasv_enable

Set to NO if you want to disallow the PASV method of obtaining a data connection.

Default: YES

pasv_promiscuous

Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.

Default: NO

port_enable

Set to NO if you want to disallow the PORT method of obtaining a data connection.

Default: YES

port_promiscuous

Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!

Default: NO

run_as_launching_user

Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this option unless you totally know what you are doing, as naive use of this option can create massive security problems. Specifically, vsftpd does not / cannot use chroot technology to restrict file access when this option is set (even if launched by root). A poor substitute could be to use a deny_file setting such as {/*,*..*}, but the reliability of this cannot compare to chroot, and should not be relied on. If using this option, many restrictions on other options apply. For example, options requiring privilege such as non-anonymous logins, upload ownership changing, connecting from port 20 and listen ports less than 1024 are not expected to work. Other options may be impacted.

Default: NO

secure_email_list_enable

Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-hassle way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are prevented unless the password provided is listed in the file specified by the email_password_file setting. The file format is one password per line, no extra whitespace. The default filename is /etc/vsftpd.email_passwords.

Default: NO

session_support

This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close this upon logout. You may wish to disable this if you do not need session logging, and you wish to give vsftpd more opportunity to run with less processes and / or less privilege. NOTE – utmp and wtmp support is only provided with PAM enabled builds.

Default: NO

setproctitle_enable

If enabled, vsftpd will try and show session status information in the system process listing. In other words, the reported name of the process will change to reflect what a vsftpd session is doing (idle, downloading etc). You probably want to leave this off for security purposes.

Default: NO

ssl_enable

If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You’ll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.

Default: NO

ssl_sslv2

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.

Default: NO

ssl_sslv3

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.

Default: NO

ssl_tlsv1

Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.

Default: YES

syslog_enable

If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.

Default: NO

tcp_wrappers

If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.

Default: NO

text_userdb_names

By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this parameter. It is off by default for performance reasons.

Default: NO

tilde_user_enable

If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~ resolves to the initial login directory). Note that ~user paths will only resolve if the file /etc/passwd may be found within the _current_ chroot() jail.

Default: NO

use_localtime

If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option.

Default: NO

use_sendfile

An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.

Default: YES

userlist_deny

This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

Default: YES

userlist_enable

If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.

Default: NO

virtual_use_local_privs

If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

Default: NO

write_enable

This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

Default: NO

xferlog_enable

If enabled, a log file will be maintained detailling uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.

Default: NO (but the sample config file enables it)

xferlog_std_format

If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file.

Default: NO

NUMERIC OPTIONS

Below is a list of numeric options. A numeric option must be set to a non negative integer. Octal numbers are supported, for convenience of the umask options. To specify an octal number, use 0 as the first digit of the number.

accept_timeout

The timeout, in seconds, for a remote client to establish connection with a PASV style data connection.

Default: 60

anon_max_rate

The maximum data transfer rate permitted, in bytes per second, for anonymous clients.

Default: 0 (unlimited)

anon_umask

The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the “0″ prefix otherwise the value will be treated as a base 10 integer!

Default: 077

connect_timeout

The timeout, in seconds, for a remote client to respond to our PORT style data connection.

Default: 60

data_connection_timeout

The timeout, in seconds, which is roughly the maximum time we permit data transfers to stall for with no progress. If the timeout triggers, the remote client is kicked off.

Default: 300

file_open_mode

The permissions with which uploaded files are created. Umasks are applied on top of this value. You may wish to change to 0777 if you want uploaded files to be executable.

Default: 0666

ftp_data_port

The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).

Default: 20

idle_session_timeout

The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. If the timeout triggers, the remote client is kicked off.

Default: 300

listen_port

If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.

Default: 21

local_max_rate

The maximum data transfer rate permitted, in bytes per second, for local authenticated users.

Default: 0 (unlimited)

local_umask

The value that the umask for file creation is set to for local users. NOTE! If you want to specify octal values, remember the “0″ prefix otherwise the value will be treated as a base 10 integer!

Default: 077

max_clients

If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.

Default: 0 (unlimited)

max_per_ip

If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if they go over this limit.

Default: 0 (unlimited)

pasv_max_port

The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.

Default: 0 (use any port)

pasv_min_port

The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.

Default: 0 (use any port)

trans_chunk_size

You probably don’t want to change this, but try setting it to something like 8192 for a much smoother bandwidth limiter.

Default: 0 (let vsftpd pick a sensible setting)

STRING OPTIONS

Below is a list of string options.

anon_root

This option represents a directory which vsftpd will try to change into after an anonymous login. Failure is silently ignored.

Default: (none)

banned_email_file

This option is the name of a file containing a list of anonymous e-mail passwords which are not permitted. This file is consulted if the option deny_email_enable is enabled.

Default: /etc/vsftpd.banned_emails

banner_file

This option is the name of a file containing text to display when someone connects to the server. If set, it overrides the banner string provided by the ftpd_banner option.

Default: (none)

chown_username

This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.

Default: root

chroot_list_file

The option is the name of a file containing a list of local users which will be placed in a chroot() jail in their home directory. This option is only relevant if the option chroot_list_enable is enabled. If the option chroot_local_user is enabled, then the list file becomes a list of users to NOT place in a chroot() jail.

Default: /etc/vsftpd.chroot_list

cmds_allowed

This options specifies a comma separated list of allowed FTP commands (post login. USER, PASS and QUIT are always allowed pre-login). Other commands are rejected. This is a powerful method of really locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT

Default: (none)

deny_file

This option can be used to set a pattern for filenames (and directory names etc.) which should not be accessible in any way. The affected items are not hidden, but any attempt to do anything to them (download, change into directory, affect something within directory etc.) will be denied. This option is very simple, and should not be used for serious access control – the filesystem’s permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names. Access will be denied to items if their name contains the string given by hide_file, or if they match the regular expression specified by hide_file. Note that vsftpd’s regular expression matching code is a simple implementation which is a subset of full regular expression functionality. Because of this, you will need to carefully and exhaustively test any application of this option. And you are recommended to use filesystem permissions for any important security policies due to their greater reliability. Example: deny_file={*.mp3,*.mov,.private}

Default: (none)

dsa_cert_file

This option specifies the location of the DSA certificate to use for SSL encrypted connections.

Default: (none – an RSA certificate suffices)

email_password_file

This option can be used to provide an alternate file for usage by the secure_email_list_enable setting.

Default: /etc/vsftpd.email_passwords

ftp_username

This is the name of the user we use for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area.

yum -y install vsftpd && vi /etc/vsftpd/vsftpd.conf

    local_enable=YES # cho phép user trong mạng local

    write_enable=YES # cho phép users upload file lên

    chroot_local_user=YES # giới hạn users trong thư mục riêng của chính user đó

#/etc/init.d/vsftpd restart

Tạo user, home directory và phân quyền

#useradd ftpuser && passwd ftpuser

#mkdir /home/ftpuser && chown ftpuser /home/ftpuser

Default firewall của linux sẽ block fpt, phải add rule cho nó chấp nhận connection vào từ local và internet với port 21

iptables -A INPUT -p tcp -m tcp –dport 21 -j ACCEPT

Nếu dùng shorewall thì vi /etc/shorewall/rules, hoặc sửa bằng command echo

echo ACCEPT net $FW tcp 21 >> /etc/shorewall/rules

echo ACCEPT loc $FW tcp 21 >> /etc/shorewall/rules

shorewall restart

Test lại, từ windows xp command promt:

C:\Documents and Settings\Administrator>ftp 192.168.0.12

Connected to 192.168.0.12.

220 Welcome Unix VSFTP

User (192.168.0.12(none)): ftpuser

331 Please specify the password.

Password:

230 Login successful.

ftp>

tạo thư mục abc và kiểm tra quyền ghi

ftp>mkdir abc

257 “/abc” created

Kiểm tra xem nó có thiệt hay không nhá,

ftp>dir

200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwx—— 2 1008 1008 4096 Sep 07 06:47 abc 226 Directory send OK. ftp: 61 bytes received in 0.00Seconds 61000.00Kbytes/sec.

Để giới hạn một ip download 3 connection để điều tiết băng thông:

add thêm dòng này trong /etc/vsftpd.conf

max_per_ip=3

#/etc/init.d/vsftpd restart

Vậy thì khi dùng flashget download nhiều hơn 3 connection server sẽ báo lỗi error 421

421 There are too many connections from 210.77.77.77

Nếu bạn để ftp trong DMZ hoặc phía sau firewall linux thì cần phải config cho NAT cho firewall

Option Explicit

Dim objNetwork, strDrive, objShell, objUNC

Dim strRemotePath, strRemotePath1, strRemotePath2, strDriveLetter, strDriveLetter1, strDriveLetter2, strNewName, strNewName1, strNewName2

‘

‘ Thay ServerName voi ten server

strDriveLetter = “H:”

strRemotePath = “\\splendid”

strNewName = “home”

strDriveLetter1 = “K:”

strRemotePath1 = “\\splendid\allshare”

strNewName1 = “allshare”

strDriveLetter2 = “T:”

strRemotePath2 = “\\splendid\acshare”

strNewName2 = “acshare”

‘ Section to map the network drive

‘ Map drive cho user

On Error Resume Next

Set objNetwork = CreateObject(“WScript.Network”)

If (LCase(objNetwork.UserName) = “root” or LCase(objNetwork.UserName) = “sonnt”) Then

objNetwork.MapNetworkDrive strDriveLetter, strRemotePath

strNewName = objNetwork.UserName

Else

objNetwork.MapNetworkDrive strDriveLetter, strRemotePath + “\” + objNetwork.UserName

strNewName = objNetwork.UserName

End If

‘ Map drive cho PublicData

objNetwork.MapNetworkDrive strDriveLetter, strRemotePath

objNetwork.MapNetworkDrive strDriveLetter1, strRemotePath1

objNetwork.MapNetworkDrive strDriveLetter2, strRemotePath2

‘ Section which actually (re)names the Mapped Drive

Set objShell = CreateObject(“Shell.Application”)

objShell.NameSpace(strDriveLetter).Self.Name = strNewName

objShell.NameSpace(strDriveLetter1).Self.Name = strNewName1

objShell.NameSpace(strDriveLetter1).Self.Name = strNewName2

‘Wscript.Echo “Check : “& strDriveLetter & ” for ” & strNewName

WScript.Quit

‘ End of script

1. Join XP và test lại
   

Change Computer Name và WorkGroup giống tên domain. Chạy fixsamba.reg. Restart lại XP.
Set IP address, WINS, DNS
Kiểm tra lại:
ping pdc nếu ra IP là Wins thành công.
ping pdc.ketoan.com nếu ra IP à DNS thành công.
Tiến hành Join XP vô Domain.

• Trong Local Security Settings. Security Options. Disable các option:
  Domain member: Digitally encrpt secure channel data
  Domain member: Digitally sign secure …
  Domain member: disable machine account password…
  Domain member: require strong (…)