ftp服务
目录
1 install
2 anonymous_user
3 lcoal_user
4 iptables
5 log
6 virtual_user
--end-- vsftpd.conf
1 install
yum install -y vsftpd
[root@mysql1 ~]# ll /etc/vsftpd/ total 20 -rw------- 1 root root 125 Mar 22 2017 ftpusers -rw------- 1 root root 361 Mar 22 2017 user_list -rw------- 1 root root 4625 Jun 11 11:11 vsftpd.conf -rwxr--r-- 1 root root 338 Mar 22 2017 vsftpd_conf_migrate.sh
2 anonymous_user
在vsftpd.conf里有对匿名用户的配置选项。全部配置为YES,匿名用户就可以使用ftp。(重启vsftpd生效)
anonymous_enable=YES #默认为YES,就是匿名用户有读权限 anon_upload_enable=YES anon_mkdir_write_enable=YES #上传,写入权限。开这两个,可以上传文件,但不能删 anon_other_write_enable=YES #其他权限,如删除、重命名文件
3 lcoal_user
比如在web服务器上,按照权限最小化原则,不允许网站开发人员登录服务器,他们只需要得到/www目录的所有权限。把这个目录配置成ftp,然后给几个特定的访问账户就行。
anonymous_enable=NO anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO #要指定账户,所以匿名登录禁止掉 local_enable=YES #本地账户可登录 local_root=/www chroot_list_file=/etc/vsftpd/chroot_list #设定本地用户的根目录,设定ftp可登录的账户列表(把账户写入文件)
chmod -R o+w /www #给ftp账户目录权限 useradd -s /sbin/nologin team1 useradd -s /sbin/nologin team2 echo '123456'|passwd --stdin team1 echo '123456'|passwd --stdin team2 #创建本地账户,设定登录shell为/sbin/nologin
4 iptables
ftp的管理端口是21,数据端口是20。在默认模式下,如果只是给这两个端口开防火墙,会发现只能登录而无法操作。
FTP支持两种模式,一种方式叫做Standard (也就是 PORT方式,主动方式),一种是 Passive (也就是PASV,被动方式)。 Standard模式 FTP的客户端发送 PORT 命令到FTP服务器。Passive模式FTP的客户端发送 PASV命令到 FTP Server。
PORT 和 PASV的简单区别如下:
Port模式FTP 客户端首先和FTP服务器的TCP 21端口建立连接,通过这个通道发送命令,客户端需要接收数据的时候在这个通道上发送PORT命令。 PORT命令包含了客户端用什么端口接收数据。在传送数据的时候,服务器端通过自己的TCP 20端口连接至客户端的指定端口发送数据。 FTP server必须和客户端建立一个新的连接用来传送数据。
Passive模式在建立控制通道的时候和Standard模式类似,但建立连接后发送的不是Port命令,而是Pasv命令。FTP服务器收到 Pasv命令后,随机打开一个高端端口(端口号大于1024)并且通知客户端在这个端口上传送数据的请求,客户端连接FTP服务器此端口,然后FTP服务器将通过这个端口进行数据的传送,这个时候FTP server不再需要建立一个新的和客户端之间的连接。
因为win机器上,linux的ftp客户端上,默认使用的是Passive(被动)模式,所以要连接Linux服务器大于1024端口,而防火墙并没有开发1024以上的端口,导致登录ftp服务器被防火墙阻止。
所以要在配置里加上
pasv_enable=YES pasv_min_port=50000 pasv_max_port=59999 #开启passive模式,设定传输的最小最大端口(注意业务上的端口规划,不要设在业务段)
防火墙配置
#local ftp /sbin/iptables -A INPUT -s 10.224.32.114 -p tcp -m multiport --dport 20,21 -j ACCEPT /sbin/iptables -A INPUT -s 10.224.32.34 -p tcp -m multiport --dport 20,21 -j ACCEPT /sbin/iptables -A INPUT -s 10.224.32.114 -p tcp --dport 50000:59999 -j ACCEPT /sbin/iptables -A INPUT -s 10.224.32.34 -p tcp --dport 50000:59999 -j ACCEPT
5 log
xferlog_enable=YES xferlog_std_format=YES xferlog_file=/var/log/vsftpd.log #哪个用户在什么时间作了什么操作,都会记录
6 virtual_user
在local_user,账户实际上在linux系统里配置的。就是说要多少个用户就要useradd多少次。
而virtual_user,在系统上只要加一个账户,ftp需要的账户都映射到这个账户上。
不直接使用系统账号,安全性相对要高。
--end-- vsftpd.conf
#匿名用户禁止 anonymous_enable=NO anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO # #用户&目录 local_enable=YES local_root=/www chroot_list_file=/etc/vsftpd/chroot_list # #写入允许 write_enable=YES # #写日志 xferlog_enable=YES xferlog_std_format=YES xferlog_file=/var/log/vsftpd.log # #passive模式 pasv_enable=YES pasv_min_port=50000 pasv_max_port=60000 # # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_local_user=YES #chroot_list_enable=YES # (default follows) # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! #listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES