Setting up vsftpd and creating virtual accounts; specifying the vsftpd passive (PASV) port range
```ini
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
```

================== man vsftpd.conf.5 > 1.txt (the manual page text below was saved with this command)
Fixing the forced word breaks at line wraps in the saved man page (editor find/replace in regex mode; the hyphen in the pattern is the one `man` emits):

find:    ‐$\n(\s+)(\w+)
replace: $2\n$1
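The same find/replace, applied with Python's re module on a constructed fragment of man output. This is an added example, not code from the original post; the point it makes is that the hyphen `man` puts at the end of a wrapped line in a UTF-8 locale is U+2010, not the ASCII "-", so a pattern typed with an ASCII hyphen never matches, and that the replacement `$2\n$1` only moves the word fragment up, leaving the rest of the continuation line where it was.

```python
import re

# Added example, not part of the original page: the find/replace regex from
# the note above, as a compiled Python pattern. The end-of-line hyphen in
# `man` output (UTF-8 locale) is U+2010, so that code point is used here;
# re.MULTILINE makes "$" match at the end of every line.
HYPHEN_AT_EOL = re.compile("\u2010$\n(\\s+)(\\w+)", re.MULTILINE)


def rejoin_hyphenated(text: str) -> str:
    """Move the word fragment that begins the continuation line back up to
    the end of the broken word. The continuation line keeps its indentation
    and whatever followed the fragment (this is the editor replacement
    "$2", newline, "$1", nothing more)."""
    return HYPHEN_AT_EOL.sub(r"\2\n\1", text)


def count_breaks(text: str) -> int:
    """Number of hyphenated line breaks still present."""
    return len(HYPHEN_AT_EOL.findall(text))


# Constructed sample imitating `man vsftpd.conf` output; not real man output.
SAMPLE = (
    "       pasv_min_port\n"
    "              The minimum port to allocate for PASV style data con\u2010\n"
    "              nections. Can be used to specify a narrow port range.\n"
)

if __name__ == "__main__":
    print(rejoin_hyphenated(SAMPLE))
```

After the substitution the word reads "connections" on the first line and the continuation line starts with ". Can be used ...": the recipe is meant to make words whole for lookup, not to reflow the paragraph.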
VSFTPD.CONF(5)                File Formats Manual                VSFTPD.CONF(5)

NAME
    vsftpd.conf - config file for vsftpd

DESCRIPTION
    vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By default, vsftpd looks for this file at the location /etc/vsftpd.conf. However, you may override this by specifying a command line argument to vsftpd. The command line argument is the pathname of the configuration file for vsftpd. This behaviour is useful because you may wish to use an advanced inetd such as xinetd to launch vsftpd with different configuration files on a per virtual host basis.

FORMAT
    The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with a # and are ignored. A directive line has the format:

        option=value

    It is important to note that it is an error to put any space between the option, = and value.

    Each setting has a compiled in default which may be modified in the configuration file.

BOOLEAN OPTIONS
    Below is a list of boolean options. The value for a boolean option may be set to YES or NO.

allow_anon_ssl
    Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.
    Default: NO

anon_mkdir_write_enable
    If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.
    Default: NO

anon_other_write_enable
    If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.
    Default: NO

anon_upload_enable
    If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.
    Default: NO

anon_world_readable_only
    When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.
    Default: YES

anonymous_enable
    Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.
    Default: NO

ascii_download_enable
    When enabled, ASCII mode data transfers will be honoured on downloads.
    Default: NO

ascii_upload_enable
    When enabled, ASCII mode data transfers will be honoured on uploads.
    Default: NO

async_abor_enable
    When enabled, a special FTP command known as "async ABOR" will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.
    Default: NO

background
    When enabled, and vsftpd is started in "listen" mode, vsftpd will background the listener process. i.e. control will immediately be returned to the shell which launched vsftpd.
    Default: NO

check_shell
    Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.
    Default: YES

chmod_enable
    When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.
    Default: YES

chown_uploads
    If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
    Default: NO

chroot_list_enable
    If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
    Default: NO

chroot_local_user
    If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.
    Default: NO

connect_from_port_20
    This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.
    Default: NO (but the sample config file enables it)

debug_ssl
    If true, OpenSSL connection diagnostics are dumped to the vsftpd log file. (Added in v2.0.6).
    Default: NO

delete_failed_uploads
    If true, any failed upload files are deleted. (Added in v2.0.7).
    Default: NO

deny_email_enable
    If activated, you may provide a list of anonymous password e-mail responses which cause login to be denied. By default, the file containing this list is /etc/vsftpd.banned_emails, but you may override this with the banned_email_file setting.
    Default: NO

dirlist_enable
    If set to NO, all directory list commands will give permission denied.
    Default: YES

dirmessage_enable
    If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.
    Default: NO (but the sample config file enables it)

download_enable
    If set to NO, all download requests will give permission denied.
    Default: YES

dual_log_enable
    If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd's own style log.
    Default: NO

force_dot_files
    If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client. This override excludes the "." and ".." entries.
    Default: NO

force_anon_data_ssl
    Only applies if ssl_enable is activated. If activated, all anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.
    Default: NO

force_anon_logins_ssl
    Only applies if ssl_enable is activated. If activated, all anonymous logins are forced to use a secure SSL connection in order to send the password.
    Default: NO

force_local_data_ssl
    Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.
    Default: YES

force_local_logins_ssl
    Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.
    Default: YES

guest_enable
    If enabled, all non-anonymous logins are classed as "guest" logins.
    A guest login is remapped to the user specified in the guest_username setting.
    Default: NO

hide_ids
    If enabled, all user and group information in directory listings will be displayed as "ftp".
    Default: NO

implicit_ssl
    If enabled, an SSL handshake is the first thing expected on all connections (the FTPS protocol). To support explicit SSL and/or plain text too, a separate vsftpd listener process should be run.
    Default: NO

listen
    If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.
    Default: NO

listen_ipv6
    Like the listen parameter, except vsftpd will listen on an IPv6 socket instead of an IPv4 one. Note that a socket listening on the IPv6 "any" address (::) will accept both IPv6 and IPv4 connections by default. This parameter and the listen parameter are mutually exclusive.
    Default: NO

local_enable
    Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in. This must be enabled for any non-anonymous login to work, including virtual users.
    Default: NO

lock_upload_files
    When enabled, all uploads proceed with a write lock on the upload file. All downloads proceed with a shared read lock on the download file. WARNING! Before enabling this, be aware that malicious readers could starve a writer wanting to e.g. append a file.
    Default: YES

log_ftp_protocol
    When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.
    Default: NO

ls_recurse_enable
    When enabled, this setting will allow the use of "ls -R". This is a minor security risk, because a ls -R at the top level of a large site may consume a lot of resources.
    Default: NO

mdtm_write
    When enabled, this setting will allow MDTM to set file modification times (subject to the usual access checks).
    Default: YES

no_anon_password
    When enabled, this prevents vsftpd from asking for an anonymous password - the anonymous user will log straight in.
    Default: NO

no_log_lock
    When enabled, this prevents vsftpd from taking a file lock when writing to log files. This option should generally not be enabled. It exists to workaround operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.
    Default: NO

one_process_model
    If you have a Linux 2.4 kernel, it is possible to use a different security model which only uses one process per connection. It is a less pure security model, but gains you performance. You really don't want to enable this unless you know what you are doing, and your site supports huge numbers of simultaneously connected users.
    Default: NO

passwd_chroot_enable
    If enabled, along with chroot_local_user, then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.
    Default: NO

pasv_addr_resolve
    Set to YES if you want to use a hostname (as opposed to IP address) in the pasv_address option.
    Default: NO

pasv_enable
    Set to NO if you want to disallow the PASV method of obtaining a data connection.
    Default: YES

pasv_promiscuous
    Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.
    Default: NO

port_enable
    Set to NO if you want to disallow the PORT method of obtaining a data connection.
    Default: YES

port_promiscuous
    Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!
    Default: NO

require_cert
    If set to yes, all SSL client connections are required to present a client certificate. The degree of validation applied to this certificate is controlled by validate_cert (Added in v2.0.6).
    Default: NO

require_ssl_reuse
    If set to yes, all SSL data connections are required to exhibit SSL session reuse (which proves that they know the same master secret as the control channel). Although this is a secure default, it may break many FTP clients, so you may want to disable it. For a discussion of the consequences, see http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html (Added in v2.1.0).
    Default: YES

run_as_launching_user
    Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this option unless you totally know what you are doing, as naive use of this option can create massive security problems. Specifically, vsftpd does not / cannot use chroot technology to restrict file access when this option is set (even if launched by root). A poor substitute could be to use a deny_file setting such as {/*,*..*}, but the reliability of this cannot compare to chroot, and should not be relied on. If using this option, many restrictions on other options apply. For example, options requiring privilege such as non-anonymous logins, upload ownership changing, connecting from port 20 and listen ports less than 1024 are not expected to work. Other options may be impacted.
    Default: NO

secure_email_list_enable
    Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-hassle way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are prevented unless the password provided is listed in the file specified by the email_password_file setting. The file format is one password per line, no extra whitespace. The default filename is /etc/vsftpd.email_passwords.
    Default: NO

session_support
    This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close this upon logout. You may wish to disable this if you do not need session logging, and you wish to give vsftpd more opportunity to run with less processes and / or less privilege. NOTE - utmp and wtmp support is only provided with PAM enabled builds.
    Default: NO

setproctitle_enable
    If enabled, vsftpd will try and show session status information in the system process listing. In other words, the reported name of the process will change to reflect what a vsftpd session is doing (idle, downloading etc). You probably want to leave this off for security purposes.
    Default: NO

ssl_enable
    If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You'll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it.
    vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.
    Default: NO

ssl_request_cert
    If enabled, vsftpd will request (but not necessarily require; see require_cert) a certificate on incoming SSL connections. Normally this should not cause any trouble at all, but IBM zOS seems to have issues. (New in v2.0.7).
    Default: YES

ssl_sslv2
    Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.
    Default: NO

ssl_sslv3
    Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.
    Default: NO

ssl_tlsv1
    Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.
    Default: YES

strict_ssl_read_eof
    If enabled, SSL data uploads are required to terminate via SSL, not an EOF on the socket. This option is required to be sure that an attacker did not terminate an upload prematurely with a faked TCP FIN. Unfortunately, it is not enabled by default because so few clients get it right. (New in v2.0.7).
    Default: NO

strict_ssl_write_shutdown
    If enabled, SSL data downloads are required to terminate via SSL, not an EOF on the socket. This is off by default as I was unable to find a single FTP client that does this. It is minor. All it affects is our ability to tell whether the client confirmed full receipt of the file. Even without this option, the client is able to check the integrity of the download. (New in v2.0.7).
    Default: NO

syslog_enable
    If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.
    Default: NO

tcp_wrappers
    If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.
    Default: NO

text_userdb_names
    By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this parameter. It is off by default for performance reasons.
    Default: NO

tilde_user_enable
    If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd will always resolve the pathnames ~ and ~/something (in this case the ~ resolves to the initial login directory). Note that ~user paths will only resolve if the file /etc/passwd may be found within the _current_ chroot() jail.
    Default: NO

use_localtime
    If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM (last modified time of the given file) FTP command are also affected by this option.
    Default: NO

use_sendfile
    An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.
    Default: YES

userlist_deny
    This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.
    Default: YES

userlist_enable
    If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.
    Default: NO

validate_cert
    If set to yes, all SSL client certificates received must validate OK. Self-signed certs do not constitute OK validation. (New in v2.0.6).
    Default: NO

virtual_use_local_privs
    If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).
    Default: NO

write_enable
    This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR [Rename From], RNTO, MKD, RMD, APPE and SITE. (See FTP-COMMAND: https://www.cnblogs.com/Chary/articles/15858064.html)
    Default: NO

xferlog_enable
    If enabled, a log file will be maintained detailing uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.
    Default: NO (but the sample config file enables it)

xferlog_std_format
    If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file.
    Default: NO

NUMERIC OPTIONS
    Below is a list of numeric options. A numeric option must be set to a non negative integer. Octal numbers are supported, for convenience of the umask options. To specify an octal number, use 0 as the first digit of the number.

accept_timeout
    The timeout, in seconds, for a remote client to establish connection with a PASV style data connection.
    Default: 60

anon_max_rate
    The maximum data transfer rate permitted, in bytes per second, for anonymous clients.
    Default: 0 (unlimited)

anon_umask
    The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!
    Default: 077

chown_upload_mode
    The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6).
    Default: 0600

connect_timeout
    The timeout, in seconds, for a remote client to respond to our PORT style data connection.
    Default: 60

data_connection_timeout
    The timeout, in seconds, which is roughly the maximum time we permit data transfers to stall for with no progress. If the timeout triggers, the remote client is kicked off.
    Default: 300

delay_failed_login
    The number of seconds to pause prior to reporting a failed login.
    Default: 1

delay_successful_login
    The number of seconds to pause prior to allowing a successful login.
    Default: 0

file_open_mode
    The permissions with which uploaded files are created. Umasks are applied on top of this value. You may wish to change to 0777 if you want uploaded files to be executable.
    Default: 0666

ftp_data_port
    The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).
    Default: 20

idle_session_timeout
    The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. If the timeout triggers, the remote client is kicked off.
    Default: 300

listen_port
    If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.
    Default: 21

local_max_rate
    The maximum data transfer rate permitted, in bytes per second, for local authenticated users.
    Default: 0 (unlimited)

local_umask
    The value that the umask for file creation is set to for local users. NOTE!
    If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer!
    Default: 077

max_clients
    If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.
    Default: 0 (unlimited)

max_login_fails
    After this many login failures, the session is killed.
    Default: 3

max_per_ip
    If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if they go over this limit.
    Default: 0 (unlimited)

pasv_max_port
    The maximum port to allocate for PASV (Passive Mode) style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

pasv_min_port
    The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

trans_chunk_size
    You probably don't want to change this, but try setting it to something like 8192 for a much smoother bandwidth limiter.
    Default: 0 (let vsftpd pick a sensible setting)

STRING OPTIONS
    Below is a list of string options.

anon_root
    This option represents a directory which vsftpd will try to change into after an anonymous login. Failure is silently ignored.
    Default: (none)

banned_email_file
    This option is the name of a file containing a list of anonymous e-mail passwords which are not permitted. This file is consulted if the option deny_email_enable is enabled.
    Default: /etc/vsftpd.banned_emails

banner_file
    This option is the name of a file containing text to display when someone connects to the server. If set, it overrides the banner string provided by the ftpd_banner option.
    Default: (none)

ca_certs_file
    This option is the name of a file to load Certificate Authority certs from, for the purpose of validating client certs. The loaded certs are also advertised to the client, to cater for TLSv1.0 clients such as the z/OS FTP client. Regrettably, the default SSL CA cert paths are not used, because of vsftpd's use of restricted filesystem spaces (chroot). (Added in v2.0.6).
    Default: (none)

chown_username
    This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
    Default: root

chroot_list_file
    The option is the name of a file containing a list of local users which will be placed in a chroot() jail in their home directory. This option is only relevant if the option chroot_list_enable is enabled. If the option chroot_local_user is enabled, then the list file becomes a list of users to NOT place in a chroot() jail.
    Default: /etc/vsftpd.chroot_list

cmds_allowed
    This option specifies a comma separated list of allowed FTP commands (post login. USER, PASS and QUIT and others are always allowed pre-login). Other commands are rejected. This is a powerful method of really locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT
    Default: (none)

cmds_denied
    This option specifies a comma separated list of denied FTP commands (post login. USER, PASS, QUIT and others are always allowed pre-login). If a command appears on both this and cmds_allowed then the denial takes precedence. (Added in v2.1.0).
    Default: (none)

deny_file
    This option can be used to set a pattern for filenames (and directory names etc.) which should not be accessible in any way. The affected items are not hidden, but any attempt to do anything to them (download, change into directory, affect something within directory etc.) will be denied. This option is very simple, and should not be used for serious access control - the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular, be aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names. Access will be denied to items if their name contains the string given by deny_file, or if they match the regular expression specified by deny_file. Note that vsftpd's regular expression matching code is a simple implementation which is a subset of full regular expression functionality. Because of this, you will need to carefully and exhaustively test any application of this option. And you are recommended to use filesystem permissions for any important security policies due to their greater reliability. Supported regex syntax is any number of *, ? and unnested {,} operators. Regex matching is only supported on the last component of a path, e.g. a/b/? is supported but a/?/c is not. Example: deny_file={*.mp3,*.mov,.private}
    Default: (none)

download_file
    This option may be set to restrict downloads to files with names matching the specified pattern. If a filename also matches the deny_file pattern, the denial takes precedence. For usage and pattern details, see the deny_file option.
    Default: (none)

dsa_cert_file
    This option specifies the location of the DSA certificate to use for SSL encrypted connections.
    Default: (none - an RSA certificate suffices)

dsa_private_key_file
    This option specifies the location of the DSA private key to use for SSL encrypted connections. If this option is not set, the private key is expected to be in the same file as the certificate.
    Default: (none)

email_password_file
    This option can be used to provide an alternate file for usage by the secure_email_list_enable setting.
    Default: /etc/vsftpd.email_passwords

ftp_username
    This is the name of the user we use for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area.
    Default: ftp

ftpd_banner
    This string option allows you to override the greeting banner displayed by vsftpd when a connection first comes in.
    Default: (none - default vsftpd banner is displayed)

guest_username
    See the boolean setting guest_enable for a description of what constitutes a guest login. This setting is the real username which guest users are mapped to.
    Default: ftp

hide_file
    This option can be used to set a pattern for filenames (and directory names etc.) which should be hidden from directory listings. Despite being hidden, the files / directories etc. are fully accessible to clients who know what names to actually use. Items will be hidden if their names contain the string given by hide_file, or if they match the regular expression specified by hide_file. Note that vsftpd's regular expression matching code is a simple implementation which is a subset of full regular expression functionality. See deny_file for details of exactly what regex syntax is supported. Example: hide_file={*.mp3,.hidden,hide*,h?}
    Default: (none)

listen_address
    If vsftpd is in standalone mode, the default listen address (of all local interfaces) may be overridden by this setting. Provide a numeric IP address.
    Default: (none)

listen_address6
    Like listen_address, but specifies a default listen address for the IPv6 listener (which is used if listen_ipv6 is set). Format is standard IPv6 address format.
    Default: (none)

local_root
    This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.
Default: (none) message_file This option is the name of the file we look for when a new directory is entered 进入的. The contents 内容;are displayed to the remote user. This option is only relevant 有关的,if the option dirmessage_enable is enabled. Default: .message nopriv_user This is the name of the user that is used by vsftpd when it wants to be totally unprivileged.无特权的,贫穷的 Note that this should be a dedicated 专用的,专门用途的 user, rather than nobody. The user nobody tends 倾向于to be used for rather相当;宁愿,最好 a lot of important 重要的,重大的;things on most machines. Default: nobody pam_service_name This string is the name of the PAM service vsftpd will use. Default: vsftpd pasv_address Use this option to override the IP address that vsftpd will advertise为……做广告,登广告;公布,征聘; in response 反应,响应; to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup. Default: (none - the address is taken from the incoming connected socket) rsa_cert_file This option specifies 指定;the location of the RSA certificate to use for SSL encrypted connections连接;. Default: /usr/share/ssl/certs/vsftpd.pem rsa_private_key_file This option specifies the location of the RSA private key to use for SSL encrypted 加密的 connections. If this option is not set, the private key is expected 预料的,预期的to be in the same file as the certificate. Default: (none) secure_chroot_dir This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure稳固的,可靠的; chroot() jail at times vsftpd does not require 需要;filesystem access.入口,通道; Default: /var/run/vsftpd/empty ssl_ciphers密码,暗码; This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. 
Note that restricting 整形,限制;扼流ciphers can be a useful security precaution 预防措施,防备;避孕措施as it prevents malicious恶意的,恶毒的,怀恨的 remote parties当事人;党派;聚会; forcing a cipher which they have found problems with. Default: DES-CBC3-SHA upload_file This option may be set to restrict 限制,控制uploads to files with names matching the specified pattern. If a filename also matches the deny_file pattern, the denial takes precedence.领先,优先权; For usage and pattern details细节, see the deny_file option选择,选择权;. Default: (none) user_config_dir This powerful option allows the override of any config option specified in the manual page, on a per-user basis基于每个用户. Usage is simple, and is best illustrated加插图于……; with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration持续,持续时间 of the session一段时间,一场;. The format of this file is as detailed详尽的,详细的; in this manual page! PLEASE NOTE that not all settings are effective有效的; on a per- user basis.基础,要素; For example, many settings only prior先前的,事先的; to the user's session being started. Examples of settings which will not affect不会影响的设置 any behviour 行为; 举止; 态度; on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc. Default: (none) user_sub_token This option is useful is conjunction 结合,同时发生;with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual /$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up 最终会进入(usually chroot()'ed) in the directory /home/virtual/fred. This option also takes affect if local_root contains user_sub_token. Default: (none) userlist_file This option is the name of the file loaded when the userlist_enable option is active. 
Default: /etc/vsftpd.user_list vsftpd_log_file This option is the name of the file to which we write the vsftpd style log file. This log is only written if the option xferlog_enable is set, and xferlog_std_format is NOT set. Alternatively,(引出第二种选择或可能的建议)要不,或者 it is written if you have set the option dual_log_enable. One further complication 使复杂化的难题(或困难);并发症- if you have set syslog_enable, then this file is not written and output is sent to the system log instead. Default: /var/log/vsftpd.log xferlog_file This option is the name of the file to which we write the wu- ftpd style transfer log. The transfer log is only written if the option xferlog_enable is set, along with xferlog_std_format. Alternatively, it is written if you have set the option dual_log_enable. Default: /var/log/xferlog AUTHOR scary恐怖的beasts@gmail.com VSFTPD.CONF(5)
Environment: CentOS 5.0 operating system
I. Installation:
1. Install the vsftpd service packages:
[root@KcentOS5 ~]# yum install vsftpd*
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
vsftpd i386 2.0.5-10.el5 base 137 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
2. Confirm that the PAM packages are installed:
[root@KcentOS5 ~]# yum install pam*
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
pam-devel i386 0.99.6.2-3.14.el5 base 186 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
These are development packages; it does not actually matter if they are not installed. The main purpose is to confirm that PAM is present.
3. Install the DB4 packages:
A db4 package needs to be installed specifically here, to support the file database.
[root@KcentOS5 ~]# yum install db4*
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
db4-devel i386 4.3.29-9.fc6 base 2.0 M
db4-java i386 4.3.29-9.fc6 base 1.7 M
db4-tcl i386 4.3.29-9.fc6 base 1.0 M
db4-utils i386 4.3.29-9.fc6 base 119 k
Transaction Summary
=============================================================================
Install 4 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
II. System accounts
1. Create the host user for the vsftpd service:
[root@KcentOS5 ~]# useradd vsftpd -s /sbin/nologin
The default host user for the vsftpd service is root, but that does not meet security needs. Here a user named vsftpd is created to act as the host user supporting the vsftpd service. Since this user exists only to support the vsftpd service, there is no need to let it log in to the system, so it is set up as a user who cannot log in.
2. Create the virtual-user host user for vsftpd:
[root@KcentOS5 nowhere]# useradd overlord -s /sbin/nologin
This article mainly covers vsftpd virtual users. Virtual users are not system users; that is, these FTP users do not exist in the system. Their overall permissions are in effect concentrated in one particular user that does exist in the system. The so-called vsftpd virtual-user host user is exactly that: a host user which supports all of the virtual users. Because it underpins all of the FTP virtual users, its own permissions affect those virtual users; therefore, for security reasons, special care must be taken to control this user's permissions. This user also has absolutely no need to log in to the system, so it is likewise set up as a user who cannot log in. (A side note: when creating the two users above, I originally did not intend to give them a home directory at all. I wanted to add -d /home/nowhere; according to the man useradd manual: "-d, --home HOME_DIR
The new user will be created using HOME_DIR as the value for the
user's login directory. The default is to append the LOGIN name to
BASE_DIR and use that as the login directory name. The directory
HOME_DIR does not have to exist but will not be created if it is
missing.
Use the -d parameter to specify the user's home directory; the home directory does not have to exist. If the specified directory does not exist, it will not be created.")
III. Adjust the vsftpd configuration file:
1. Back up the configuration file before editing
[root@KcentOS5 ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
2. Edit the main configuration file vsftpd.conf
[root@KcentOS5 ~]# vi /etc/vsftpd/vsftpd.conf
Here I record all of my changes to the original configuration file; wherever I changed something I have kept the original setting as a comment. I have added my understanding of each configuration item, and for some of the more critical items I give my own view. I have also kept the original English explanations for reference and comparison.
------------------------------------------------------------------------------
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
anonymous_enable=NO
Disallow anonymous access.
#
# Uncomment this to allow local users to log in.
local_enable=YES
Allow local users to log in. Note: this is mainly for the virtual-user host user; if this item is set to NO, none of the virtual users will be able to log in.
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
Allow write operations.
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
Set the permission mask for uploaded files.
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
anon_upload_enable=NO
Forbid anonymous uploads.
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
anon_mkdir_write_enable=NO
Forbid anonymous users from creating directories.
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
Enable the directory message feature.
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
Enable logging.
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
Use port 20 for data connections.
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
chown_uploads=NO
Do not change the owner of uploaded files.
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
Set the path of the vsftpd service log. Note that this file does not exist by default; it must be created by hand with touch. Also, since the vsftpd service host user has been changed here to the manually created vsftpd user, that user must be given write permission on the log, otherwise the service will fail to start.
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
Use the standard log format.
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
Idle connection timeout; the default is used here. The specific value is left for each individual user to set; if it is not set, the default of 600 here is used, in seconds.
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
Maximum duration of a single continuous transfer; the default is used here. The specific value is left for each individual user to set; if it is not set, the default of 120 here is used, in seconds.
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
nopriv_user=vsftpd
Set the host user supporting the vsftpd service to the manually created vsftpd user. Note that once the host user is changed, read/write permissions on every file the service reads and writes must be dealt with; for example, the log file must be writable by this user.
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
Enable the asynchronous transfer feature.
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
Enable ASCII-mode upload and download.
#
# You may fully customise the login banner string:
ftpd_banner=This Vsftp server supports virtual users ^_^
Set the vsftpd login banner.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
chroot_list_enable=NO
Forbid users from leaving their FTP home directory.
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
ls_recurse_enable=NO
Forbid users from running "ls -R" after logging in to FTP. This command puts a huge load on the server; if it were allowed, many users running it at the same time would pose a threat to the server.
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
Run the vsftpd service in standalone mode. To expand on this a little: standalone mode means the service has its own daemon; under ps -A we will see the vsftpd daemon's name. If you do not want to run in standalone mode, you can choose super-daemon mode, in which vsftpd has no daemon of its own and is handled entirely by the xinetd super daemon; at the same time, many features of the vsftpd service cannot be used.
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
Set the name of the PAM service configuration used to authenticate vsftpd. PAM authentication will therefore consult the vsftpd file under /etc/pam.d/.
userlist_enable=YES
Users listed in userlist_file will not be allowed to use FTP.
tcp_wrappers=YES
Enable TCP Wrappers support.
#KC: The following entries are added for supporting virtual ftp users.
The following are the important configuration items for vsftpd virtual-user support. The default vsftpd.conf does not contain them; they must be added by hand.
guest_enable=YES
Enable virtual users.
guest_username=overlord
Specify the host user for virtual users.
virtual_use_local_privs=YES
Give virtual users the permissions of their host user.
user_config_dir=/etc/vsftpd/vconf
Set the directory holding the per-user vsftpd configuration files for virtual users. That is, this directory will hold an individual configuration file for each vsftpd virtual user; note that these configuration file names must be identical to the virtual user names.
pam_service_name=vsftpd
Specify the PAM service name (can be customised).
-------------------------------------------------------------------------
Save and exit.
3. Create the vsftpd log file and change its owner to the vsftpd service host user:
[root@KcentOS5 ~]# touch /var/log/vsftpd.log
[root@KcentOS5 ~]# chown vsftpd.vsftpd /var/log/vsftpd.log
4. Create the directory for the virtual-user configuration files:
[root@KcentOS5 ~]# mkdir /etc/vsftpd/vconf/
IV. Build the virtual-user database file
1. First create the virtual-user list file:
[root@KcentOS5 ~]# touch /etc/vsftpd/virtusers
This creates a virtual-user list file, the data file that records the user names and passwords of the vsftpd virtual users; I have named it virtusers. To keep things tidy, I put this list file under /etc/vsftpd/.
2. Edit the virtual-user list file:
[root@KcentOS5 ~]# vi /etc/vsftpd/virtusers
----------------------------
kanecruise
123456
near
123456near
mello
123456mello
----------------------------
Edit this virtual-user list file and add the users' names and passwords. The format is simple: one line user name, one line password.
3. Generate the virtual-user database file:
[root@KcentOS5 ~]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
Let me briefly explain this command while I am at it.
----------------------------------------------------------------------
Look at how db4's db_load command is used:
[root@KSRV2 vsftpd]# db_load
usage: db_load [-nTV] [-c name=value] [-f file]
[-h home] [-P password] [-t btree | hash | recno | queue] db_file
usage: db_load -r lsn | fileid [-h home] [-P password] db_file
Explanation of the db_load options and parameters relevant to this article:
-T
The -T option allows non-Berkeley DB applications to easily load text files into databases.
If the database to be created is of type Btree or Hash, or the keyword keys is specified as set, the input must be paired lines of text, where the first line of the pair is the key item, and the second line of the pair is its corresponding data item. If the database to be created is of type Queue or Recno and the keyword keys is not set, the input must be lines of text, where each line is a new data item for the database.
The -T option allows an application to load a text file into a database. Since we store the virtual users' information in a text file, this option is required so that vsftpd, the application, can load the user data from text.
If the -T option is specified, the underlying access method type must be specified using the -t option.
If -T is specified, the sub-option -t must follow it.
-t
Specify the underlying access method. If no -t option is specified, the database will be loaded into a database of the same type as was dumped; for example, a Hash database will be created if a Hash database was dumped.
Btree and Hash databases may be converted from one to the other. Queue and Recno databases may be converted from one to the other. If the -k option was specified on the call to db_dump then Queue and Recno databases may be converted to Btree or Hash, with the key being the integer record number.
The sub-option -t, appended after -T, specifies the type of database to load into. As a further note, -t can specify the Btree, Hash, Queue and Recno database types. Here we need to specify the Hash type.
----------------------------------------------------------------------------
4. Inspect the generated virtual-user database file
[root@KcentOS5 ~]# ll /etc/vsftpd/virtusers.db
-rw-r--r-- 1 root root 12288 Sep 16 03:51 /etc/vsftpd/virtusers.db
Note in particular that when adding virtual users later, you only need to append the new user name and password to the virtual-user list file in the "one line user name, one line password" format. But that alone is not enough and will not take effect! You must run "db_load -T -t hash -f <virtual-user list file> <virtual-user database file>.db" again for the change to take effect!
V. Set up the PAM authentication file and point it at the virtual-user database file
1. Look at the original vsftpd PAM configuration file:
[root@KcentOS5 ~]# cat /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
----------------------------------------------------------------
2. Back up before editing:
[root@KcentOS5 ~]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup
3. Edit the vsftpd PAM configuration file
[root@KcentOS5 ~]# vi /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
The two lines above are added by hand; they authenticate the virtual users and check their account permissions.
auth here means verifying the user's name and password.
account here means checking what permissions and restrictions the user's account has.
sufficient after it means a sufficient condition: once authentication passes here, the remaining steps below need not be gone through. Conversely, if it does not pass, the user is not shut out immediately, because the failure of a sufficient entry does not decide the failure of the whole authentication; the user must still go through the remaining checks.
The following /lib/security/pam_userdb.so means this check will call the pam_userdb.so library.
Finally, db=/etc/vsftpd/virtusers specifies the database the library will consult for its data.
#KC: The entries for Vsftpd-PAM are added above.
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
----------------------------------------------------------------
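The list format, the db_load step and the pam_userdb lines above fit together in one script. The following is an added example, not code from the original post: the script name mkvirtusers.sh, the function names and the file paths passed to it are assumptions; db_load is the db4 utility used above.

```shell
#!/bin/sh
# mkvirtusers.sh -- added example, not from the original post. Checks a
# "username line, password line" list such as /etc/vsftpd/virtusers, builds the
# hash database with the same db_load call as above, and tightens permissions
# on both files, since the list and the .db store the passwords in clear text.
# It also checks the /etc/pam.d/vsftpd lines: pam_userdb appends ".db" itself,
# so db= must name /etc/vsftpd/virtusers, not /etc/vsftpd/virtusers.db.

# virtusers_check FILE -- 0 if FILE is well-formed for "db_load -T -t hash".
virtusers_check() {
    f=$1
    lines=$(awk 'END { print NR }' "$f")
    if [ $((lines % 2)) -ne 0 ]; then
        echo "$f: odd number of lines; every username needs a password line" >&2
        return 1
    fi
    # A blank line becomes an empty key or password; trailing whitespace becomes
    # part of the stored value, so the user's real password no longer matches.
    if grep -qE '^$|[[:space:]]$' "$f"; then
        echo "$f: blank line or trailing whitespace" >&2
        return 1
    fi
    # Usernames are the odd lines; two entries for one name collide on one key.
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$f: duplicate usernames: $(echo $dups)" >&2
        return 1
    fi
    return 0
}

# virtusers_build LIST DB -- the db_load step from above, followed by chmod 600.
virtusers_build() {
    virtusers_check "$1" || return 1
    db_load -T -t hash -f "$1" "$2" || return 1
    chmod 600 "$1" "$2"
}

# pam_db_check PAMFILE DB -- 0 if PAMFILE has exactly one auth and one account
# line calling pam_userdb.so with db=<DB without the .db suffix>.
pam_db_check() {
    pamfile=$1; base=${2%.db}
    if grep -qE "pam_userdb\.so[[:space:]].*db=$base\.db([[:space:]]|$)" "$pamfile"; then
        echo "$pamfile: db= must not carry the .db suffix (pam_userdb adds it)" >&2
        return 1
    fi
    for type in auth account; do
        c=$(grep -cE "^[[:space:]]*$type[[:space:]].*pam_userdb\.so[[:space:]].*db=$base([[:space:]]|$)" "$pamfile" || true)
        if [ "$c" -ne 1 ]; then
            echo "$pamfile: expected one '$type ... pam_userdb.so db=$base' line, found $c" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone: mkvirtusers.sh /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db /etc/pam.d/vsftpd
if [ $# -eq 3 ]; then
    virtusers_build "$1" "$2" && pam_db_check "$3" "$2" && echo "ok"
fi
```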
VI. Virtual-user configuration
1. Plan the virtual users' home path:
[root@KcentOS5 ~]# mkdir /opt/vsftp/
2. Create the FTP directories for the test users:
[root@KcentOS5 ~]# mkdir /opt/vsftp/kanecruise/ /opt/vsftp/mello/ /opt/vsftp/near/
3. Create the virtual-user configuration template:
[root@KcentOS5 ~]# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp
4. Customise the virtual-user template configuration file:
[root@KcentOS5 ~]# vi /etc/vsftpd/vconf/vconf.tmp
--------------------------------
local_root=/opt/vsftp/virtuser
Specify the virtual user's home path.
anonymous_enable=NO
Disallow anonymous access.
write_enable=YES
Allow write operations.
local_umask=022
Set the permission mask for uploaded files.
anon_upload_enable=NO
Disallow anonymous uploads.
anon_mkdir_write_enable=NO
Disallow anonymous users from creating directories.
idle_session_timeout=600
Idle connection timeout.
data_connection_timeout=120
Maximum duration of a single continuous transfer.
max_clients=10
Number of concurrent client connections.
max_per_ip=5
Maximum number of connections from a single client; this setting mainly accommodates multi-threaded download tools such as FlashGet and Thunder (Xunlei).
local_max_rate=50000
Maximum transfer rate for this user, in b/s.
--------------------------------
Here the original vsftpd.conf has been simplified and saved as the template for the virtual-user configuration files. Not much needs to be specified here: the main framework and restrictions are defined by the main configuration file vsftpd.conf, i.e. any item not mentioned in a virtual user's configuration file falls back to the setting in the main configuration file. The virtual-user template only needs to keep the items concerning per-user traffic control and access control. The key item is local_root, which specifies this virtual user's FTP home path.
5. Change the owner of the virtual users' home directories to the virtual-user host user:
[root@KcentOS5 ~]# chown -R overlord.overlord /opt/vsftp/
6. Check permissions:
[root@KcentOS5 ~]# ll /opt/vsftp/
total 24
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:14 kanecruise
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:00 mello
drwxr-xr-x 2 overlord overlord 4096 Sep 16 05:00 near
VII. Customise for the test user:
1. Copy from the virtual-user template configuration file:
[root@KcentOS5 ~]# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/kanecruise
2. Customise for the specific user:
[root@KcentOS5 ~]# vi /etc/vsftpd/vconf/kanecruise
---------------------------------
local_root=/opt/vsftp/kanecruise
anonymous_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=300
data_connection_timeout=90
max_clients=1
max_per_ip=1
local_max_rate=25000
---------------------------------
Template notes:
# cat /etc/vsftpconf/user1
local_root=/opt/vsftp/user1
# Specify the user's login directory
anonymous_enable=NO
# Anonymous login not allowed
write_enable=YES
# Writable
local_umask=022
# umask 022
anon_upload_enable=NO
# Anonymous users may not upload
anon_mkdir_write_enable=NO
# Anonymous users may not create directories
idle_session_timeout=300
# Session timeout 300 seconds
data_connection_timeout=90
# Data connection timeout 90 seconds
max_clients=1
# Maximum number of connections 1
max_per_ip=1
# Maximum number of connections per IP 1
local_max_rate=25000
# Maximum transfer rate 25000 B/s
VIII. Start the service:
[root@KcentOS5 ~]# service vsftpd start
Starting vsftpd for vsftpd: [ OK ]
IX. Testing:
1. Place a file in the virtual user's directory in advance:
[root@KcentOS5 ~]# touch /opt/vsftp/kanecruise/kc.test
2. Log in to FTP as a client from another machine:
[root@Yum ~]# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
220 This Vsftp server supports virtual users ^_^
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.22:root): kanecruise
331 Please specify the password.
Password: 123456
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
3. Test directory listing
ftp> ls
227 Entering Passive Mode (192,168,1,22,220,24)
150 Here comes the directory listing.
-rw-r--r-- 1 501 501 0 Sep 15 21:14 kc.test
226 Directory send OK. (directory listing succeeded)
4. Test upload:
ftp> put
(local-file) KC.repo
(remote-file) KC.repo
local: KC.repo remote: KC.repo
227 Entering Passive Mode (192,168,1,22,230,1)
150 Ok to send data.
226 File receive OK. (upload succeeded)
699 bytes sent in 0.024 seconds (29 Kbytes/s)
ftp>
5. Test directory creation:
ftp> mkdir test
257 "/opt/vsftp/kanecruise/test" created (directory created successfully)
6. Test download:
ftp> get kc.test
local: kc.test remote: kc.test
227 Entering Passive Mode (192,168,1,22,164,178)
150 Opening BINARY mode data connection for kc.test (0 bytes).
226 File send OK. (download succeeded)
7. Test the timeout:
ftp> dir
421 Timeout. (timeout works)
ftp> user
Not connected.
Note:
In /etc/vsftpd/vsftpd.conf the local_enable option must be set to YES to make virtual-user access possible; otherwise the following happens:
----------------------------------
[root@KcentOS5 ~]# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
500 OOPS: vsftpd: both local and anonymous access disabled!
----------------------------------
Reason: however many virtual users there are, they are all based on their host user overlord; if overlord, the host of the virtual users, is restricted, the virtual users are restricted too.
Supplement:
500 OOPS: error
Possibly your vsftpd.conf configuration file contains a directive that cannot be recognised; another possibility is a space after the YES or NO of a directive.
What I ran into was a space after the directive, because I edited the configuration file with GEDIT.
550 permission error, cannot create directories or files
Solution: disable SELinux
# vi /etc/selinux/config
Change SELINUX=XXX (XXX stands for the level)
to
SELINUX=disabled
Reboot
Reposted from: https://blog.51cto.com/joker8614610/1914674
I. Introduction
FTP supports two modes: one is called Standard (that is, PORT mode, active mode), the other Passive (that is, PASV, passive mode).
In active mode the FTP client first connects to TCP port 21 of the FTP server and sends commands over this channel. When the client needs to receive data it sends a PORT command on this channel; the PORT command contains the port on which the client will receive data. When the data is transferred, the server connects from its own TCP port 20 to the port the client specified and sends the data.
Passive mode establishes the control channel in the same way as Standard mode, but after the connection is established the client sends a PASV command instead of PORT. On receiving PASV, the FTP server opens a random high port (port number above 1024) and tells the client to send its data-transfer request to that port; the client connects to that port on the FTP server, and the server then transfers the data over it. In this case the FTP server no longer needs to open a new connection to the client.
II. Configuration changes
Since most FTP client software uses passive mode, only passive mode is covered here.
1. Configure passive mode in the configuration file
#vim /etc/vsftpd/vsftpd.conf
Add or modify the following:
listen_port=10021
(Port 10021 here can be changed to whatever you like.)
pasv_min_port=8888
pasv_max_port=8899
(Set the passive-mode port range, minimum port to maximum port. The range need not be that large, but the values should preferably be high, at least above 1024.)
2. Then change the firewall policy
#vim /etc/sysconfig/iptables
Add the following firewall rules
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10021 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8888:8899 -j ACCEPT
3. Finally restart the services so the firewall rules take effect
#service vsftpd restart
#service iptables restart
At this point our vsftpd has officially been moved to port 10021.
Access it by specifying the port, ftp://IP:10021. Of course, if you find that SELinux still blocks FTP, temporarily disable it first (#setenforce 0).
Adding a new FTP user on Linux with the shell /sbin/nologin: cannot log in to the FTP service (solved)
This afternoon I wanted to add a new test user for the FTP service, but after adding it I could not log in to FTP at all; it kept reporting 530, user authentication failed.
Reason: vsftpd checks the user's shell by default; if the user's shell is not listed in /etc/shells, the user cannot log in to FTP.
Solution: add the user's shell (interpreter) to the /etc/shells file
vim /etc/shells
Supplement: the role of the /etc/shells file
1. Certain system services check the shells used by users while running, and this lookup relies on the /etc/shells file.
2. Modifying this file does not affect users' permission to log in to the server host; it provides the list of interpreters that certain system services use to decide whether a user is a valid user. For example, the FTP user I created has the shell /sbin/nologin, and my system's /etc/shells file did not contain /sbin/nologin, so the FTP user I created could not log in to the FTP service; after adding /sbin/nologin to /etc/shells, the problem was solved.
vsftpd: solving the error 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
After restricting a user from leaving their home directory, logging in to FTP as that user often produces this error:
500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
This problem occurs in the newest versions and is caused by the following update:
- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
Since 2.3.5, vsftpd has strengthened its security checks: if a user is confined to their home directory, that home directory may no longer be writable! If the check finds it is still writable, this error is reported.
To fix this error, you can remove write permission from the user's home directory with chmod a-w /home/user (replace the directory with your own). Alternatively, you can add one of the following two items to the vsftpd configuration file:
allow_writeable_chroot=YES
vsftpd configuration: chroot_local_user and chroot_list_enable explained
In many cases we want to restrict FTP users to their home directory (root dir) and not allow them to leave it and browse other directories on the server. This is where the three options chroot_local_user, chroot_list_enable and chroot_list_file come in. The three settings are explained below. Original source: http://blog.csdn.net/bluishglc/article/details/42398811 Reproduction in any form is strictly forbidden; otherwise CSDN will be asked to enforce the author's rights!
- chroot_local_user # whether all users are confined to their home directory; YES enables, NO disables. (The default is NO, i.e. after installing vsftpd without further configuration, FTP users can move up out of their home directory.)
- chroot_list_enable # whether to enable the list of restricted users; YES enables, NO disables (commenting it out also disables it)
- chroot_list_file=/etc/vsftpd/chroot_list # the list of users confined (or not confined) to their home directory. Whether it is a restriction list or an exemption list depends on the value of chroot_local_user. One way to remember it: chroot_local_user is always a global setting; when it is YES all users are locked in their home directory, when it is NO none are. Under the global setting we inevitably need some fine-tuning, i.e. we always need an exception mechanism, so chroot_list_enable=YES means "we need exceptions". The meaning of an exception always depends on the context: when all users are locked in (chroot_local_user=YES), the exceptions are the users who are not locked in; when no user is locked in (chroot_local_user=NO), the exceptions are the users who are to be locked in. Explained and remembered this way, the relationship between the two is very clear!
The combined effect of chroot_local_user and chroot_list_enable is shown in the following table:
| | chroot_local_user=YES | chroot_local_user=NO |
|---|---|---|
| chroot_list_enable=YES | 1. All users are confined to their home directory. 2. The users listed in chroot_list_file are the exceptions and are not confined. | 1. No user is confined to their home directory. 2. The users listed in chroot_list_file are the exceptions and are confined. |
| chroot_list_enable=NO | 1. All users are confined to their home directory. 2. chroot_list_file is not used; there are no exception users. | 1. No user is confined to their home directory. 2. chroot_list_file is not used; there are no exception users. |
An example:
Suppose there are two FTP users, ftp1 and ftp2. We plan to lock ftp1 in its home directory, not allowing it to change to other directories, but to let ftp2 change directories freely. This can be done in two ways:
Method one:
Set:
chroot_local_user=YES
chroot_list_enable=YES
/etc/vsftpd/chroot_list contains:
ftp2
Explanation: chroot_local_user=YES confines all users to their home directory, and chroot_list_enable=YES enables chroot_list_file. Because chroot_local_user=YES, i.e. all users are confined to their home directory, chroot_list_file, which is always the exception list, here lists the users who are not confined to their home directory.
Method two:
Set:
chroot_local_user=NO
chroot_list_enable=YES
/etc/vsftpd/chroot_list contains:
ftp1
Explanation: chroot_local_user=NO means no user is confined to their home directory, and chroot_list_enable=YES enables chroot_list_file. Because chroot_local_user=NO, i.e. no user is confined to their home directory, chroot_list_file, which is always the exception list, here lists the users who are confined to their home directory.
Other cases:
There are two further combinations of chroot_local_user and chroot_list_enable:
chroot_local_user=YES
chroot_list_enable=NO
and
chroot_local_user=NO
chroot_list_enable=NO
When chroot_list_enable=NO, chroot_list_file is no longer used, and all users are simply confined, or not confined, to their home directory.
Supplement:
- For chroot_local_user we usually prefer: globally forbid leaving the home directory, and add exceptions via chroot_list, i.e. the settings of Case 1!
- The default root for anonymous users is /var/ftp
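As an added example (not from any of the posts collected here), a POSIX shell script that checks a vsftpd.conf for the pitfalls mentioned on this page (trailing whitespace after YES/NO, listen and listen_ipv6 both on, the pasv_min_port/pasv_max_port range), works out the chroot outcome for a given user from the table above, and decodes the "227 Entering Passive Mode" replies from the FTP session earlier so that a real reply can be checked against the configured range. The script name vsftpd_check.sh and the function names are assumptions.

```shell
#!/bin/sh
# vsftpd_check.sh -- added example, not from the original posts or from vsftpd.
# Static checks on a vsftpd.conf for the pitfalls discussed on this page, the
# effective chroot decision per user from the chroot_local_user /
# chroot_list_enable table, and a decoder for "227 Entering Passive Mode"
# replies. Needs only awk, grep, sed and a POSIX sh.

# conf_get FILE KEY DEFAULT -- value of KEY (the last assignment wins) or DEFAULT.
# Trailing whitespace is kept on purpose: vsftpd keeps it too.
conf_get() {
    v=$(awk -F= -v k="$2" '/^[ \t]*#/ { next } $1 == k { v = $2 } END { print v }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd_lint FILE -- print one finding per line; exit status is the number of findings.
vsftpd_lint() {
    conf=$1; n=0
    # "YES " with a trailing space is not YES: vsftpd refuses to start (500 OOPS).
    c=$(grep -cE '^[^#].*[[:space:]]$' "$conf" || true)
    if [ "$c" -gt 0 ]; then
        echo "trailing whitespace after a value on $c line(s)"; n=$((n + c))
    fi
    # Boolean options must be exactly YES or NO.
    for key in anonymous_enable local_enable write_enable chroot_local_user \
               chroot_list_enable listen listen_ipv6 guest_enable \
               virtual_use_local_privs allow_writeable_chroot userlist_enable; do
        v=$(conf_get "$conf" "$key" NO)
        case "$v" in
            YES|NO) ;;
            *) echo "$key='$v' is not exactly YES or NO"; n=$((n + 1)) ;;
        esac
    done
    # The config comments above require one of listen / listen_ipv6 to stay off.
    if [ "$(conf_get "$conf" listen NO)" = YES ] && \
       [ "$(conf_get "$conf" listen_ipv6 NO)" = YES ]; then
        echo "listen=YES and listen_ipv6=YES: run two copies of vsftpd instead"
        n=$((n + 1))
    fi
    # Passive range: both bounds set, min <= max, and above 1024 as recommended above.
    lo=$(conf_get "$conf" pasv_min_port 0); hi=$(conf_get "$conf" pasv_max_port 0)
    case "$lo$hi" in
        *[!0-9]*) echo "pasv_min_port/pasv_max_port must be numeric"; n=$((n + 1)) ;;
        *)
            if [ "$lo" -eq 0 ] && [ "$hi" -eq 0 ]; then :   # range not set at all
            elif [ "$lo" -eq 0 ] || [ "$hi" -eq 0 ]; then
                echo "set both pasv_min_port and pasv_max_port"; n=$((n + 1))
            elif [ "$lo" -gt "$hi" ]; then
                echo "pasv_min_port=$lo is above pasv_max_port=$hi"; n=$((n + 1))
            elif [ "$lo" -le 1024 ]; then
                echo "passive range starts at $lo; use ports above 1024"; n=$((n + 1))
            fi ;;
    esac
    return $n
}

# vsftpd_user_chrooted CONF USER -- prints yes|no, following the table above:
#   chroot_local_user=YES: everyone is chrooted, the list names the exceptions;
#   chroot_local_user=NO:  nobody is chrooted, the list names who IS chrooted;
#   chroot_list_enable=NO: the list is ignored. vsftpd itself fails the login when
#   the list is enabled but cannot be opened; here that counts as "not listed".
vsftpd_user_chrooted() {
    conf=$1; user=$2; in_list=no
    if [ "$(conf_get "$conf" chroot_list_enable NO)" = YES ]; then
        list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
        if [ -r "$list" ] && grep -qxF "$user" "$list"; then in_list=yes; fi
    fi
    if [ "$(conf_get "$conf" chroot_local_user NO)" = YES ]; then
        [ "$in_list" = yes ] && echo no || echo yes
    else
        [ "$in_list" = yes ] && echo yes || echo no
    fi
}

# pasv_reply_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- the data port
# the server announced, p1*256 + p2 (the reply format seen in the session above).
pasv_reply_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# pasv_reply_in_range CONF REPLY -- 0 if the announced port lies inside the
# configured pasv_min_port..pasv_max_port, i.e. inside the firewall rule.
pasv_reply_in_range() {
    p=$(pasv_reply_port "$2") || return 2
    lo=$(conf_get "$1" pasv_min_port 0); hi=$(conf_get "$1" pasv_max_port 0)
    [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]
}

# Stand-alone: vsftpd_check.sh /etc/vsftpd/vsftpd.conf [USER]
if [ $# -ge 1 ]; then
    vsftpd_lint "$1" || echo "$? finding(s)"
    if [ $# -ge 2 ]; then echo "$2 chrooted: $(vsftpd_user_chrooted "$1" "$2")"; fi
fi
```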
Compiling, installing and testing vsftpd with the PAM module (CSDN blog)
Background: due to product requirements, a secure internal FTP service had to be provided on an embedded Linux platform, so vsftpd + PAM was chosen.
1 Overview
vsftpd's full name is "Very Secure FTP Daemon"; clearly, the idea behind vsftpd is to build an FTP server with security at its core.
Why "very secure"?
(1) vsftpd lowers the privileges of the service's processes as far as possible, so that even if the service is compromised, the intruder cannot obtain effective administrative privileges, which makes the system safer.
(2) vsftpd supports chroot, i.e. it can turn a specific directory into the root directory, so other directories unrelated to it cannot be misused.
(3) vsftpd can block certain users from logging in via configuration files (ftpusers and user_list).
(4) vsftpd supports virtual-user logins.
(5) vsftpd supports PAM authentication module plug-ins to verify login accounts and passwords, and the PAM modules can be extended as needed.
(6) With SSL support, transmitted data can be encrypted.
2 Pluggable Authentication Modules (PAM)
2.1 Introduction to PAM
PAM (Pluggable Authentication Modules) is an authentication mechanism that separates the services a system provides from their authentication methods by means of dynamic libraries and a unified API, so that administrators can flexibly adjust the authentication method of a service as required. Put simply, PAM is a set of security modules (plug-ins) that let administrators easily change how a service authenticates, without modifying the application.
PAM uses a layered design with an application layer, an application interface layer and an authentication module layer, as shown in the figure below.
The PAM API links applications to the authentication module layer, letting applications choose the authentication modules they need. PAM modules normally live under /lib/security/, and PAM configuration files under /etc/pam.d/.
2.2 Compiling and installing
Note: flex must be updated before compiling the PAM module, otherwise errors such as "yywrap undefined" appear. (Here we upgraded from flex 2.5.37 to flex 2.6.0.)
Linux-PAM-1.1.1 is used below to explain compiling and installing the PAM module.
(1) Extract Linux-PAM-1.1.1.tar.bz2
# tar jxvf Linux-PAM-1.1.1.tar.bz2
(2) Enter the Linux-PAM-1.1.1 directory
# cd Linux-PAM-1.1.1
(3) Configure and generate the Makefile
# ./configure --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib --disable-regenerate-docu --enable-securedir=/lib/security --docdir=/usr/share/doc/Linux-PAM-1.1.1
(4) Compile
# make
(5) Install
# make install
Afterwards the following library files can be seen under /usr/lib; they are the application interface layer mentioned above.
root@imx6qrom5420:~# ls /usr/lib/libpam
libpam.la libpam_misc.la libpamc.la
libpam.so libpam_misc.so libpamc.so
libpam.so.0 libpam_misc.so.0 libpamc.so.0
libpam.so.0.82.2 libpam_misc.so.0.82.0 libpamc.so.0.82.1
Under /lib/security the following library files can be seen; they are the authentication module layer mentioned above.
root@imx6qrom5420:~# ls /lib/security/pam_
pam_access.la pam_group.so pam_motd.so pam_succeed_if.so
pam_access.so pam_issue.la pam_namespace.la pam_tally.la
pam_debug.la pam_issue.so pam_namespace.so pam_tally.so
......
If the /etc/pam.d directory does not exist, create it, and copy /etc/pam.d/other and /etc/pam.d/vsftpd from another Linux machine to the target machine.
3 The vsftpd service
3.1 Compiling and installing
Compiling and installing vsftpd is straightforward; vsftpd-2.2.2 is used below.
(1) Extract vsftpd-2.2.2.tar.gz
# tar zxvf vsftpd-2.2.2.tar.gz
(2) Enter the vsftpd-2.2.2 directory
# cd vsftpd-2.2.2
(3) Check the definitions in builddefs.h and choose whether to support tcp_wrappers, PAM and SSL.
#undef VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#undef VSF_BUILD_SSL
PAM support is all we need here, so we leave it unchanged. The builddefs.h header is actually included by sysdeputil.c; trace it from there if you are interested.
(4) Compile
# make
(5) Check the required libraries
# ./vsf_findlibs.sh
The output here is:
-lpam
-ldl
-lnsl
-lresolv
-lutil
/lib/libcap.so.2
(6) Install
You can run make install, but my embedded platform has no install command, so the files are copied by hand:
# cp vsftpd /usr/sbin/
# cp xinetd.d/vsftpd /etc/xinetd.d/
# cp vsftpd.conf /etc/
3.2 Preparation before starting
(1) vsftpd runs this service under the nobody account by default; to be safe, run:
# useradd nobody
useradd: user nobody exists
The output shows that nobody already exists, so that is fine.
(2) vsftpd's default secure_chroot_dir is /usr/share/empty, so the /usr/share/empty directory must exist; create it:
# mkdir /usr/share/empty/
mkdir: cannot create directory `/usr/share/empty': File exists
Clearly the empty directory already exists here.
(3) Anonymous access needs an ftp user with a sensible home directory (not owned by ftp itself and not writable); create the ftp user:
# mkdir /var/ftp/
# useradd -d /var/ftp ftp
To be safe, run the following to fix its ownership and permissions:
# chown root.root /var/ftp
# chmod og-w /var/ftp
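The preparation steps above, together with the library check from step (5) of 3.1, can be turned into a pre-flight script that is run before the first start. The following is an added example written for this page, not code from vsftpd: the account name, directories and binary path are the ones the text uses, and the permission check assumes a `stat -c` as provided by GNU or BusyBox coreutils.

```sh
#!/bin/sh
# Added pre-flight script for the preparation steps above; it is not part of
# vsftpd. Default paths and names are the ones the text uses (nobody,
# /usr/share/empty, /var/ftp, /usr/sbin/vsftpd); adjust them to your platform.

# Does account $1 exist? vsftpd runs its unprivileged parts as nopriv_user
# ("nobody" by default), so the account must be present.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

# The ftp home (the anonymous root) must exist, be owned by $2 (root unless
# given) and carry no group/other write bit, which is what "chown root.root
# /var/ftp" and "chmod og-w /var/ftp" above establish. Prints why it failed.
check_ftp_home() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: missing directory"; return 1; }
    owner=$(stat -c '%U' "$dir")
    perms=$(stat -c '%A' "$dir")      # e.g. drwxr-xr-x
    [ "$owner" = "$want_owner" ] || { echo "$dir: owned by $owner, expected $want_owner"; return 1; }
    case $perms in
        ?????w*|????????w*) echo "$dir: writable by group or other ($perms)"; return 1 ;;
    esac
    return 0
}

# Read "ldd /usr/sbin/vsftpd" or "./vsf_findlibs.sh" output on stdin and say
# which credential library the binary actually links: "pam" when libpam is
# present, "crypt-only" when only libcrypt is (the mis-link that section 5
# blames for "500 OOPS: priv_sock_get_result"), "none" otherwise.
classify_auth_libs() {
    has_pam=0
    has_crypt=0
    while IFS= read -r line; do
        case $line in
            *libpam.so*|*-lpam*) has_pam=1 ;;
            *libcrypt.so*|*-lcrypt*) has_crypt=1 ;;
        esac
    done
    if [ "$has_pam" -eq 1 ]; then echo pam
    elif [ "$has_crypt" -eq 1 ]; then echo crypt-only
    else echo none
    fi
}

# Run the checks against the live system only when asked:
#   VSFTPD_PREFLIGHT=1 sh preflight.sh
if [ -n "${VSFTPD_PREFLIGHT:-}" ]; then
    user_exists nobody && echo "nobody: ok" || echo "nobody: missing, run useradd nobody"
    [ -d /usr/share/empty ] && echo "secure_chroot_dir: ok" || echo "secure_chroot_dir: mkdir /usr/share/empty"
    check_ftp_home /var/ftp root && echo "/var/ftp: ok"
    ldd /usr/sbin/vsftpd 2>/dev/null | classify_auth_libs
fi
```

The functions take their paths as parameters, so the same script can be pointed at a staging tree before the files are copied into place.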
4 Testing
4.1 Anonymous access test
Anonymous FTP is an insecure service mode; be careful with it in real deployments and never store sensitive data there. Also note that vsftpd allows anonymous access by default, so to disable it you must explicitly set anonymous_enable=NO; merely commenting out anonymous_enable=YES does nothing.
We now log in to vsftpd anonymously. Open the configuration file /etc/vsftpd.conf and add or change the following parameters:
anonymous_enable=YES (allow anonymous access)
anon_umask=022 (umask for files uploaded by anonymous users)
anon_upload_enable=YES (allow anonymous users to upload files)
anon_mkdir_write_enable=YES (allow anonymous users to create directories)
anon_other_write_enable=YES (allow anonymous users to modify or delete directories)
Save vsftpd.conf and restart the vsftpd service.
Open a Windows cmd window or a Linux terminal, type ftp and press Enter, then enter open <IP> <port> to connect. The test screenshot follows:
Note: the directory an anonymous login lands in is ftp's home directory, /var/ftp. If anonymous access really must be offered in production, pay close attention to permission management, in particular the anon_upload_enable, anon_mkdir_write_enable and anon_other_write_enable options.
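Because a commented-out line leaves the compiled-in default in force, it is worth checking what a vsftpd.conf actually grants to anonymous users instead of reading it by eye. The following audit helper is an added example for this page, not vsftpd's code; it assumes the daemon's "key=value" line format with '#' comments and the compiled-in defaults anonymous_enable=YES, write_enable=NO and NO for the three anon_*_enable options.

```sh
#!/bin/sh
# Added audit helper; it is not vsftpd's code. It reads a vsftpd.conf the way
# the daemon does for its boolean options: one "key=value" per line, lines
# starting with '#' and blank lines ignored, the last assignment wins, and a
# key that never appears takes its compiled-in default. A commented-out
# "#anonymous_enable=YES" therefore leaves the default (YES) in force, which is
# the trap described above. Defaults assumed: anonymous_enable=YES,
# write_enable=NO, and NO for the three anon_*_enable options.

# Print the effective value of key $2 in file $1, or default $3 if unset.
# Carriage returns are stripped so a file edited on Windows is read correctly.
conf_value() {
    conf=$1; key=$2; default=$3
    val=$(tr -d '\r' < "$conf" | grep -v '^#' | grep "^$key=" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${val:-$default}"
}

# vsftpd accepts YES/TRUE/1 (case-insensitive) as true, anything else as false.
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the anonymous policy of vsftpd.conf $1. Prints "disabled",
# "read-only" or "writable (<option>)" and returns 0, 1 or 2 respectively.
# The anon_* write options only take effect when write_enable is also on.
anon_policy() {
    conf=$1
    if ! is_yes "$(conf_value "$conf" anonymous_enable YES)"; then
        echo disabled; return 0
    fi
    if is_yes "$(conf_value "$conf" write_enable NO)"; then
        for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_yes "$(conf_value "$conf" "$opt" NO)"; then
                echo "writable ($opt)"; return 2
            fi
        done
    fi
    echo read-only; return 1
}

# Usage on a real file: VSFTPD_CONF=/etc/vsftpd.conf sh anon_audit.sh
if [ -n "${VSFTPD_CONF:-}" ]; then
    anon_policy "$VSFTPD_CONF"
fi
```

The return code is what a deployment script would branch on: anything other than 0 means anonymous logins are possible, and 2 means they can also write.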
4.2 Local user access test
Local user mode involves several files to be aware of: ftpusers, vsftpd.user_list and vsftpd.chroot_list. Each applies restrictions according to the related settings in vsftpd.conf, which helps improve security.
The order can be taken as: /etc/vsftpd.user_list is checked first, then /etc/ftpusers during PAM authentication. So if root is listed in either of these files, root cannot log in.
The vsftpd.conf used for this test:
anonymous_enable=NO (disable anonymous access)
local_enable=YES (allow local user mode)
write_enable=YES (grant write permission)
local_umask=022 (umask for files created in local user mode)
userlist_enable=YES (enable the local-user deny policy)
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd (name of the PAM configuration file, i.e. /etc/pam.d/vsftpd)
Because PAM was selected at compile time, local user logins also need the PAM configuration file /etc/pam.d/vsftpd, with the following content:
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
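The two list checks described above (vsftpd's own user_list, then pam_listfile's ftpusers file) run before pam_unix ever sees a password, and they are easy to get wrong in opposite ways: userlist_deny=NO turns the list into an allow list, and pam_listfile's onerr=succeed means a missing ftpusers file silently removes that block. The following walk-through is an added illustration for this page, not vsftpd or Linux-PAM code; options are passed as the literal strings YES/NO and the list files are parameters so the logic can be run against test copies.

```sh
#!/bin/sh
# Added walk-through of the two list checks a local-user login passes before
# pam_unix ever sees a password; it is an illustration, not vsftpd or Linux-PAM
# code. Stage 1 models vsftpd's userlist_enable/userlist_deny/userlist_file
# options; stage 2 models the pam_listfile.so line in /etc/pam.d/vsftpd above
# (item=user sense=deny file=... onerr=succeed). Options are passed as the
# literal strings YES/NO; the file paths are parameters so the same function
# can be run against test copies.

# Is user $1 listed in file $2 (one name per line)? A line starting with '#'
# can never equal a user name, so such lines are skipped as comments.
in_list() {
    [ -r "$2" ] || return 1
    grep -v '^#' "$2" | grep -qxF -- "$1"
}

# login_gate USER USERLIST_ENABLE USERLIST_DENY USERLIST_FILE FTPUSERS_FILE
# Prints where the login stops: "denied by user_list", "denied by ftpusers",
# or "continue to pam_unix" when both lists let it through (returns 1/1/0).
login_gate() {
    user=$1; ul_enable=$2; ul_deny=$3; ul_file=$4; fu_file=$5
    # Stage 1: vsftpd's own list, evaluated right after USER, before PAM runs.
    if [ "$ul_enable" = YES ]; then
        if [ "$ul_deny" = YES ]; then
            # deny list: anyone named in the file is refused
            if in_list "$user" "$ul_file"; then echo "denied by user_list"; return 1; fi
        else
            # allow list: only names in the file may proceed
            if ! in_list "$user" "$ul_file"; then echo "denied by user_list"; return 1; fi
        fi
    fi
    # Stage 2: pam_listfile with sense=deny. onerr=succeed means an unreadable
    # ftpusers file is ignored, so a missing file silently removes this block.
    if [ -r "$fu_file" ] && in_list "$user" "$fu_file"; then
        echo "denied by ftpusers"; return 1
    fi
    echo "continue to pam_unix"; return 0
}

# Try it against the live files with the settings used in this section:
#   FTP_USER=root sh login_gate.sh
if [ -n "${FTP_USER:-}" ]; then
    login_gate "$FTP_USER" YES YES /etc/vsftpd.user_list /etc/vsftpd.ftpusers
fi
```

With root in both files, as the text recommends, the first stage already refuses the login and the PAM stack is never consulted for that name.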
Restart the vsftpd service; the test screenshot follows:
4.3 Virtual user access test
Create the user virtual, define its home directory and disallow logging in to the system:
# useradd -d /var/ftproot -s /sbin/nologin virtual
To make sure other users can access it, run:
# chmod -Rf 755 /var/ftproot
Change /etc/vsftpd.conf to:
anonymous_enable=NO (disable anonymous access)
local_enable=YES (allow local user mode)
guest_enable=YES (enable virtual user mode)
guest_username=virtual (the account virtual users are mapped to, i.e. the virtual user we just created)
pam_service_name=vsftpd (name of the PAM configuration file, i.e. /etc/pam.d/vsftpd)
allow_writeable_chroot=YES (not needed on older vsftpd versions)
#tcp_wrappers=YES (commented out)
Then we verify with two special PAM modules, pam_permit.so and pam_deny.so: the former allows unconditionally, the latter denies unconditionally.
Change the PAM configuration file /etc/pam.d/vsftpd to:
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_permit.so
or
auth required pam_deny.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
Restart vsftpd, open a Windows cmd window or a Linux terminal, type ftp and press Enter, then enter open <IP> <port> to connect. The test screenshots follow:
(1) /etc/pam.d/vsftpd configured with pam_permit.so (unconditional allow)
(2) /etc/pam.d/vsftpd configured with pam_deny.so (unconditional deny)
This test confirms that vsftpd's virtual user + PAM authentication framework is working; from here you can write your own PAM authentication module to suit your needs.
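The pam_permit.so stack above accepts any password, which is exactly what the framework test needs and exactly what must not remain in /etc/pam.d/vsftpd afterwards. The following checker is an added example for this page, not part of Linux-PAM or vsftpd; it assumes the line format used in this text ("type control module [args]", '#' comments, a one-word control such as required) and classifies the auth stack so that a left-over test configuration is caught before the service goes live.

```sh
#!/bin/sh
# Added checker, not part of Linux-PAM or vsftpd: classifies the "auth" stack of
# a PAM service file such as /etc/pam.d/vsftpd so that the pam_permit.so test
# configuration above is not left behind after the framework test. Assumed
# format is the one the text uses: "type control module [args]" per line, '#'
# lines ignored, the control being a single word ("required"); a module given
# with a path (/lib/security/pam_unix.so) or bare (pam_unix.so) both count.

# Print the base name of each auth module in stack order, e.g. "pam_unix".
auth_modules() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 ~ /^-?auth$/ { m = $3; sub(/.*\//, "", m); sub(/\.so$/, "", m); print m }'
}

# Classify the auth stack of file $1. Prints one of
#   empty               no auth line (PAM then falls back to /etc/pam.d/other)
#   permit-all          only pam_permit: every password is accepted
#   deny-all            only pam_permit/pam_deny with at least one pam_deny:
#                       with "required" control no login can succeed
#   real-authenticator  something else (pam_unix, pam_listfile, ...) is consulted
# Returns 2, 3, 1 and 0 respectively so scripts can branch on the result.
auth_policy() {
    mods=$(auth_modules "$1")
    [ -n "$mods" ] || { echo empty; return 2; }
    if printf '%s\n' "$mods" | grep -vqxE 'pam_permit|pam_deny'; then
        echo real-authenticator; return 0
    fi
    if printf '%s\n' "$mods" | grep -qx pam_deny; then
        echo deny-all; return 1
    fi
    echo permit-all; return 3
}

# Check the live file: PAM_SERVICE_FILE=/etc/pam.d/vsftpd sh pam_audit.sh
if [ -n "${PAM_SERVICE_FILE:-}" ]; then
    auth_policy "$PAM_SERVICE_FILE"
fi
```

Run against the local-user file from 4.2 it reports real-authenticator (pam_listfile, pam_unix, pam_shells); against either of the two test files from this section it reports permit-all or deny-all, the signal that the test configuration is still in place.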
5 Notes
Problems that may occur:
(1) "530 Login incorrect" (login failed)
Wrong account or password, no permission, or the user is explicitly denied access.
(2) A local or virtual user login fails with "500 OOPS: priv_sock_get_result" and the remote host closes the connection.
Possibly a wrong user password, or the binary is linked against the wrong library (for example it was meant to call PAM but was linked to crypt instead).
(3) "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" and the remote host closes the connection.
Add allow_writeable_chroot=YES to vsftpd.conf. This appears to be version dependent: older vsftpd versions do not need this option, and some versions spell it allow_writable_chroot=YES. (Note the difference between writeable and writable.)
(4) "500 OOPS: priv_sock_get_cmd" and the remote host closes the connection.
(5) "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
The /usr/share/empty directory cannot be found; create it, or change the secure_chroot_dir option.
Note: when compiling vsftpd with PAM support, install PAM first, otherwise dynamic linking problems will cause failures.
After compiling vsftpd, run the vsf_findlibs.sh script from the vsftpd source package, or use the ldd command, to check what the binary links against.