file sharing Linux teaching slides

Uploaded by: 206****923  Document ID: 51716996  Upload date: 2018-08-16  Format: PPT  Pages: 112  Size: 603KB

Network File Sharing Services
(Slide footer on every slide: Date, Cryptography)

- ftp service
- NFS service

VSFTPD

- get, mget, put, mput, cd, ls

tcp, udp
- Antivirus
- Firewall rules
Request and response

FS API

POSIX FS API
- CIFS/SMB
  Common Internet File System
  Server Message Block
  Windows
- NFS
  Network File System
  Unix, Linux
- Linux, Windows
  Samba: CIFS/SMB
- NFS
- FTP
- Samba + LDAP = DC

- FTP
  File Transfer Protocol
  21/tcp, 20/tcp
[Diagram: client and server, command connection, active mode and passive mode, random port]

- FTP connections
  Command connection: stays connected
  Data connection: established on demand
- FTP working modes
  Active mode: PORT
  Passive mode: PASV

- sftp (ssh)
- ftps (ssl)

- C/S
  Client:
    ftp
    lftp
    Windows: FlashFXP, CuteFTP, Filezilla
    Linux: gftp
  Server:
    Filezilla Server
    vsftpd, proftpd, pureftp, wuftpd
    Windows: ServU

- vsftpd
  Very strict security checking rules
  Lightweight, high performance
  Supports virtual users
- FTP user types:
  Anonymous users (ftp, /var/ftp)
  System users (their own home directories)
  Virtual users (mapped to one system user)
- Shared file system, permissions
  File system permissions
  Share permissions
  Intersection of the two
- FTP data transfer modes
  Binary mode
  Text mode

- File servers:
  NFS: Unix-like
- FTP
  Application layer
- SAMBA
- ftp
  File Transfer Protocol
  Command connection
    21/tcp
  Data connection
  Active mode
    C/S
    3333 -> 21
    S: 20 -> 3333+1
  Passive mode
    C: 4444 -> S: 21
    S: tells the client that it has opened a port (1023 random port; 33,21)
    C: 4445 -> S: (33*256+21)
[Diagram: C, S, get]

- Why should the server side work in passive mode?
- 1023, closed 1023
  RELATED: associated

- Data transfer formats
  http, smtp: MIME
  ASCII: text format
  ftp: binary, ascii

- NFS
  c1: jerry
  S: user jerry:502
  502: tom
  UID
- FTP
  anonymous ftp
  User account categories:
    Anonymous user (ftp): HOME DIR
    System user: HOME DIR
    Virtual user: has an account and password, but the account cannot be used to log in to the system
      file, Kerberos, LDAP, mysql, NIS

3A
- authentication: legitimate users (username/password), biometrics
- authorization
- audit
  ftp
  Account/password
    /etc/passwd
    /etc/ftp/.passwd
    ldap:/
    Kerberos
  PAM
    Configuration file

framework

- ftp: ftp HOME DIR
- FTP:
  WU-ftpd
  proftpd
  pure ftp
  vsftpd: very secure

C/S
- Windows
  Serv-U
  IIS
  Filezilla
- Linux
  Filezilla
  Vsftpd (very secure)
  wu-ftpd
  proftpd
  pureftp
- filezilla
- flashfxp
- cuteftp
- gftp
- ftp
- lftp

- ftp
- Lftp
- GUI
  flashfxp
  cuteftp
  gftp

The FTP Protocol
- Two channels, command and data
  Making the service hard to protect with firewalls or encrypted tunnels
- Client contacts server on port 21 to open command channel
  These are clear text commands.
- After authentication, either the PORT or PASV command is sent by the client each time it needs to open the data channel
  PORT: Server opens data channel to client
    Server connects from port 20 to client's port
  PASV: Client opens data channel to server
    Server specifies which port
    Works better through some firewalls

FTP servers
- vsftpd
  "Very Secure" and fast FTP server
- Some alternatives are also available in the distribution
  gssftp (in krb5-workstation)
  tux
- Proftpd, wu-ftpd, pureftp

Service Profile: vsftpd
- Packages: vsftpd
- Daemon: vsftpd (/usr/sbin/vsftpd)
- Script: /etc/rc.d/init.d/vsftpd
- Ports: 21/tcp (ftp), 20/tcp (ftp-data)
- Configuration:
  /etc/vsftpd/vsftpd.conf    600,root,root
  /etc/vsftpd/ftpusers       600,root,root
  /etc/pam.d/vsftpd          644,root,root
- Related: tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp

Login Banners
- Banner provides information before login
- Set security warning banners
  banner_file=filename
- Suppress server and version information
  ftpd_banner=FTP server ready
  banner_file overrides the ftpd_banner option

Information Capabilities
- Display file when client enters directory
  message_file=.message
  dirmessage_enable=YES
  Sometimes it is nice to automatically display a message to an FTP client when it changes to a particular directory on the server

Logging Capabilities
- To log all uploads and downloads
  xferlog_enable=YES
  xferlog_std_format=YES
    optional; use wu-ftpd's log format
- To log all FTP commands
  log_ftp_protocol=YES
  xferlog_std_format=NO

Local Users
- Users with local accounts may log in using their username and password
- Local users start in their home directory
  By default, does not chroot users
  chroot_local_user=YES
- Have read-write access by default
  To turn off write access:
    write_enable=NO
  To turn off local users entirely:
    local_enable=NO

Anonymous FTP
- Anonymous users can log in by default
  vsftpd sets up the /var/ftp directory
  Can log in as user anonymous or as ftp
- Chroot to /var/ftp
- Has read-only access by default
- Anonymous access to the FTP server can be explicitly prohibited:
  anonymous_enable=NO

Anonymous FTP Uploading
- Uploading of files by anonymous users should be carefully controlled
- Set permissions and umask to only allow uploads to the upload directory
  /var/ftp/incoming    770,root,ftp
  anon_upload_enable=YES
  anon_umask=077
  chown_uploads=YES
  chown_username=root
- Examine files before allowing others to download

Connection Restrictions
- To limit the number of clients that may be connected
  max_clients
- To limit the number of clients that may be connected from one IP address
  max_per_ip

- ssl_enable=YES
- ssl_tlsv1=YES
- ssl_sslv2=YES
- ssl_sslv3=YES
- allow_anon_ssl=
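
An added example (not part of the original slides): a small Python check that reads vsftpd.conf text and reports which of the options covered in the slides above deserve review, including the SSLv2/SSLv3 switches from the last slide. The DEFAULTS table (vsftpd's built-in values) and the sample configuration are assumptions constructed for illustration.

```python
# Added example. DEFAULTS = vsftpd built-in values (assumption; packaged configs may differ).
DEFAULTS = {"anonymous_enable": "YES", "anon_upload_enable": "NO",
            "chown_uploads": "NO", "chown_username": "root",
            "local_enable": "NO", "chroot_local_user": "NO",
            "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "xferlog_enable": "NO", "max_clients": "0", "max_per_ip": "0"}

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=root
local_enable=YES
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
xferlog_enable=YES
max_per_ip=5
"""

def parse_conf(text):
    """Overlay option=value lines on DEFAULTS; '#' lines are comments."""
    opts = dict(DEFAULTS)
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def audit(text):
    """Return {option: reason} for every setting that deserves review."""
    o = parse_conf(text)
    on = lambda k: o[k].upper() in ("YES", "TRUE", "1")
    checks = [
        ("anonymous_enable", on("anonymous_enable"), "anonymous login allowed"),
        ("anon_upload_enable", on("anon_upload_enable"), "anonymous upload allowed"),
        ("chown_username", on("chown_uploads") and o["chown_username"] == "root",
         "anonymous uploads become root-owned"),
        ("chroot_local_user", on("local_enable") and not on("chroot_local_user"),
         "local users are not confined to their home directory"),
        ("ssl_enable", not on("ssl_enable"), "commands and passwords sent in clear text"),
        ("ssl_sslv2", on("ssl_enable") and on("ssl_sslv2"), "obsolete SSLv2 enabled"),
        ("ssl_sslv3", on("ssl_enable") and on("ssl_sslv3"), "obsolete SSLv3 enabled"),
        ("xferlog_enable", not on("xferlog_enable"), "transfers are not logged"),
        ("max_clients", o["max_clients"] == "0", "no limit on total clients"),
        ("max_per_ip", o["max_per_ip"] == "0", "no limit on clients per IP"),
    ]
    return {opt: why for opt, hit, why in checks if hit}
```

Calling audit(SAMPLE_CONF) returns a dictionary keyed by option name; an empty dictionary means none of these checks fired.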
