Quick setup and configuration of the vsftpd service on CentOS 7
vsftpd stands for "very secure FTP daemon", and security is its main selling point. Other FTP daemons commonly used on open-source operating systems are ProFTPD, PureFTPd and wuftpd.
vsftpd starts its service processes under an unprivileged identity, so they hold few rights on the Linux system and the damage they can do is correspondingly smaller. In addition, vsftpd uses chroot() to change the apparent root directory, so that system tools cannot be misused through the vsftpd service.
1. Installation and configuration
This walkthrough was done on 64-bit CentOS Linux release 7.1.1503 (Core).
1.1. Install with yum
rpm -qa vsftpd | grep vsftpd           # check whether it is already installed
yum -y install vsftpd
systemctl enable vsftpd.service        # start at boot
systemctl restart vsftpd.service       # start the service
The version installed by yum is: vsftpd-3.0.2-11.el7_2.x86_64
Check that it started and look at the listening port:
[root@htuidc ~]# lsof -i:21
COMMAND   PID   USER FD   TYPE DEVICE SIZE/OFF NODE NAME
vsftpd  31660   root  3u  IPv6  72248      0t0  TCP *:ftp (LISTEN)
vsftpd  31661 nobody  0u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31661 nobody  1u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31661 nobody  2u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc  0u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc  1u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc  2u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
1.2. Layout of the vsftpd configuration directory
[root@htuidc ~]# tree /etc/vsftpd/
/etc/vsftpd/
├── chroot_list              # hand-created list of users allowed to change out of their home directory
├── ftpusers                 # users listed here are denied FTP login
├── user_list                # users listed in this file are denied FTP login
├── vsftpd.conf              # main configuration file
└── vsftpd_conf_migrate.sh
2. vsftpd configuration notes
Installing vsftpd is trivial; the work is in the configuration. The important options are listed below.
2.1. Disable anonymous users
For safety, turn off anonymous login to the vsftpd service.
Quick replacement with sed:
sed -i "s#anonymous_enable=YES#anonymous_enable=NO#g" vsftpd.conf
Or edit the file by hand with vi: go to line 12 and change YES to NO.
11 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
12 anonymous_enable=NO
2.2. Allow local users created with useradd to log in
For ordinary personal use, before adding the local user, first allow local-user FTP login in the configuration file: uncomment line 16 so that it reads
local_enable=YES
2.3. Add a user for FTP
Give it a dedicated home directory and a shell that does not permit interactive login.
useradd -d /data/ftp/video/ -s /sbin/nologin txidc
echo "abcdef" | passwd --stdin txidc    # set the FTP password for the account just created
2.4. Grant FTP users write permission
Enable the option on line 19:
write_enable=YES
2.5. Stop FTP users from changing out of their directory
chroot means "change root directory". On a Linux system the directory tree starts at /, the root. After a chroot, the process sees the directory tree as starting at the chosen location instead of /.
Recommended configuration (vsftpd only accepts comments on their own lines, so the notes are kept separate from the options); create the list file by hand with touch /etc/vsftpd/chroot_list.
# confine every local user to their own home directory
chroot_local_user=YES
# enable the exception list
chroot_list_enable=YES
# users named in this list may change out of their home directory
chroot_list_file=/etc/vsftpd/chroot_list
Explanation: every user is locked into their own home directory, except that the users listed in /etc/vsftpd/chroot_list may move up into other, higher-level directories.
A more detailed explanation is given with the annotated configuration file in section 2.9.
2.6. Rate limiting and connection limits, if needed
I only set the basics here:
# at most 50 concurrent connections
max_clients=50
# at most 5 connections from the same IP
max_per_ip=5
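The steps in sections 2.1 to 2.6 are all edits to the same file, and the chroot_local_user / chroot_list_enable combination from 2.5 is easy to get backwards, so here is an added example (my own shell, not from the original post or the vsftpd project) that applies those settings idempotently and then reports whether a given account would be chroot()ed under the resulting configuration. The function names are mine; GNU sed and grep (as shipped with CentOS 7) are assumed. Two points the example handles that a bare sed substitution does not: a commented-out option such as #chroot_list_enable=YES becomes a live line instead of staying commented, and the annotations are never written on the same line as an option, because vsftpd treats everything after the = as the value and rejects inline comments.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's vsftpd.conf
# settings idempotently and work out whether a given user ends up chroot()ed.
# Function names and the assumption of GNU sed/grep are mine.

# set_opt FILE KEY VALUE
# Rewrite an existing "KEY=..." line, whether live or commented out
# ("#KEY=..."), or append it when absent. A plain sed "s/KEY=YES/KEY=NO/"
# would leave a commented-out line commented and vsftpd would keep its default.
set_opt() {
    file=$1; key=$2; value=$3
    if grep -qE "^#?[[:space:]]*$key=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY -> prints the live value of KEY (last occurrence wins), or nothing
get_opt() {
    sed -n -E "s/^[[:space:]]*$2=(.*)$/\1/p" "$1" | tail -n 1
}

# harden FILE LISTFILE: sections 2.1 to 2.6 of the post in one place
harden() {
    set_opt "$1" anonymous_enable NO        # 2.1 no anonymous logins
    set_opt "$1" local_enable YES           # 2.2 local (useradd) accounts may log in
    set_opt "$1" write_enable YES           # 2.4 allow uploads
    set_opt "$1" chroot_local_user YES      # 2.5 confine everyone to their home ...
    set_opt "$1" chroot_list_enable YES     #     ... except the users named in LISTFILE
    set_opt "$1" chroot_list_file "$2"
    set_opt "$1" max_clients 50             # 2.6 connection limits
    set_opt "$1" max_per_ip 5
    [ -e "$2" ] || : > "$2"                 # the list file must exist (the post's touch)
}

# user_is_chrooted FILE USER -> prints yes or no
# Encodes the vsftpd.conf(5) rule the post restates several times:
# chroot_local_user is the default for everyone, and when chroot_list_enable=YES
# the users named in chroot_list_file get the opposite of that default.
user_is_chrooted() {
    file=$1; user=$2
    default=$(get_opt "$file" chroot_local_user); : "${default:=NO}"
    list_on=$(get_opt "$file" chroot_list_enable); : "${list_on:=NO}"
    list=$(get_opt "$file" chroot_list_file); : "${list:=/etc/vsftpd/chroot_list}"
    listed=no
    if [ "$list_on" = YES ] && [ -r "$list" ] && grep -qxF "$user" "$list"; then
        listed=yes
    fi
    if [ "$default" = YES ]; then
        if [ $listed = yes ]; then echo no; else echo yes; fi
    else
        if [ $listed = yes ]; then echo yes; else echo no; fi
    fi
}

# Usage on a real host (as root):
#   harden /etc/vsftpd/vsftpd.conf /etc/vsftpd/chroot_list
#   user_is_chrooted /etc/vsftpd/vsftpd.conf txidc    # prints yes unless txidc is listed
```

Run user_is_chrooted for each account after every edit to the list file: with chroot_local_user=YES the list is an allow-list of users who may leave their home directory, so an account added there by mistake gains access to the whole filesystem tree.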
2.7. Permissions on the root directory after chroot in newer vsftpd versions
After the chroot setup in step 2.5 above, I could not log in at all. After about half an hour of fiddling and some reading, I found that the write permission on the user's home directory has to be removed before the connection works; otherwise it kept failing with 331, asking for the password.
Response: 331 Please specify the password
Removing the write bit from the root directory fixes it:
[root@htuidc ftp]# chmod u-w video/
[root@htuidc ftp]# ll
total 4
dr-x------. 3 txidc ftp 4096 Nov  5 22:20 video
Now there is a new problem: with the write bit gone, files can no longer be uploaded. What then?
The only option is to create a subdirectory with the appropriate permissions to allow uploads; then connecting and uploading both work.
[root@htuidc ftp]# ll video/
total 4
drwxr-xr-x. 2 txidc ftp 4096 Nov  5 22:21 pub
Upload files into pub and it works. What a pitfall.. I wonder whether anyone has a better way to set this up.
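As an added example that is not part of the original post, the shell functions below check the condition vsftpd 3.x enforces before it will chroot() a user, namely that the chroot root must not be writable by the FTP user, and build the layout the post arrives at: a read-only home directory with a writable pub subdirectory inside it. The function names are mine, GNU stat is assumed, and the permission reasoning follows the Linux owner/group/other selection. vsftpd 3.x also offers allow_writeable_chroot=YES to switch the refusal off, but keeping the root read-only, as the post does, is the safer choice.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a vsftpd chroot
# root would be writable by the FTP user, and lay out a read-only root with a
# writable "pub" upload directory, as in section 2.7 of the post.

# chroot_root_ok USER DIR
# Prints "ok" (exit 0) when DIR is not writable by USER, "writable" (exit 1)
# otherwise. Mirrors the kernel's permission selection: owner bits if USER owns
# DIR, else group bits if USER is in DIR's group, else the "other" bits.
chroot_root_ok() {
    user=$1; dir=$2
    perms=$(stat -c '%A' "$dir")          # e.g. drwxr-xr-x
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$perms" | cut -c3)   # owner write bit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group"; then
        bit=$(printf '%s' "$perms" | cut -c6)   # group write bit
    else
        bit=$(printf '%s' "$perms" | cut -c9)   # other write bit
    fi
    if [ "$bit" = w ]; then
        echo writable
        return 1
    fi
    echo ok
}

# make_chroot_layout ROOT [OWNER[:GROUP]]
# Creates ROOT with the write bit removed (so vsftpd accepts it as a chroot
# root) and ROOT/pub as the writable upload area. OWNER is optional so the
# function can be exercised without root.
make_chroot_layout() {
    root=$1; owner=${2:-}
    mkdir -p "$root/pub"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root"
    fi
    chmod 550 "$root"        # r-x for owner and group, nothing for others
    chmod 755 "$root/pub"    # owner may write here; matches the post's listing
}

# Usage on a real host (as root), matching the post:
#   make_chroot_layout /data/ftp/video txidc:ftp
#   chroot_root_ok txidc /data/ftp/video   # prints ok
```

Run chroot_root_ok against the home directory whenever a login fails right after the chroot options are enabled; a "writable" result is the cause to look at first.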
2.8. Permissions on uploaded files
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
Verification
2.9. Configuration file explained
My own notes on each option.
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
# This file does not cover every option; read vsftpd.conf.5 for the full list of settings.
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Allow anonymous FTP login? (Allowed by default if the line is commented out,
# so to forbid it you must explicitly set anonymous_enable=NO.)
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# Whether local users may log in; commented out means not allowed.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Whether users may write; when set to NO, users cannot upload files.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# The umask applied to local users inside FTP; the default is 077.
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment to let anonymous users upload files. This only takes effect when
# the global write option is on, and you will obviously need to create a
# directory that is writable by the FTP user.
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Whether anonymous users may create directories.
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Whether to show a message when a user enters a directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
# Log uploads and downloads.
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# Owning uploaded files by root is not recommended.
#chown_uploads=YES
# Change the owner of files uploaded by anonymous users.
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# Session timeout: how long a connected client may stay idle with no commands.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# Maximum time a data transfer may stall before it times out.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
# The unprivileged account the vsftpd service runs as.
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
# Whether to honour asynchronous ABOR requests from clients.
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
# Whether the server really performs ASCII-mode conversion on uploads and downloads.
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# Login welcome banner.
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# Names a list of users who may not leave their home directory.
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
# Path of the list file.
# For the list to work that way, chroot_local_user must be NO.
# Notes:
# 1. chroot_local_user=YES on its own: every user is locked into their own home
#    directory and cannot change up into other directories.
# 2. chroot_local_user=YES together with chroot_list_enable=YES: the users named
#    in /etc/vsftpd/chroot_list may change directory; they are not chrooted.
# 3. chroot_local_user=NO together with chroot_list_enable=YES: the users named in
#    the list cannot change out of their directory; they are chrooted.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
# Allow ls -R.
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
# Listen on IPv4.
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
# Listen on IPv6.
pam_service_name=vsftpd
userlist_enable=YES
# Users in userlist_file are refused outright, without even being prompted for a password.
tcp_wrappers=YES
# With chroot_local_user=YES, every user is chrooted by default,
# i.e. confined to their own home directory and unable to move up out of it.
# chroot_list_enable=YES turns the chroot user list on.
# ★ Very important: with chroot_local_user=YES, the users in the file named by
#   chroot_list_file are the ones NOT chrooted (they can move up out of their home).
# ★ Very important: with chroot_local_user=NO, the users in the file named by
#   chroot_list_file are the ones chrooted (they cannot move up out of their home).