centos7之vsftp安装和使用
centos7之vsftp安装和使用
来源 https://www.cnblogs.com/lei0213/p/8657039.html
日常用作中,我们常用的是windows的共享,但是我们都知道windows运行不稳定。原来我们用的是centos6.5上的vsftpd,最近决定把centos6.*上的服务都移植到centos7上,好了,不废话了,下面我们来看常用的功能。
服务器初始化操作:
1、为了调试顺利,关闭selinux,firewall,iptables
2、如果不允许root账户直接登录,可以设置sshd_config
3、根据个人需求安装自己需要的程序。
yum install gcc lrzsz vim wget
科普
Port模式(主动模式):
当客户端C向服务端S连接后,使用的是Port模式,那么客户端C会发送一条命令告诉服务端S(客户端C在本地打开了一个端口N在等着你进行数据连接),当服务端S收到这个Port命令后 就会向客户端打开的那个端口N进行连接,这种数据连接就生成了。
Pasv模式(被动模式):
当客户端C向服务端S连接后,服务端S会发信息给客户端C,这个信息是(服务端S在本地打开了一个端口M,你现在去连接我吧),当客户端C收到这个信息后,就可以向服务端S的M端口进行连接,连接成功后,数据连接也建立了。
环境介绍:
centos7.4
ip:192.168.1.238
client:Win10
开始安装
1、yum安装vsftp
yum -y install vsftpd ftp
2、启动服务
systemctl start vsftpd.service
3、配置文件路径
ls /etc/vsftpd
功能一(匿名):
1、首先我们在企业中ftp服务器,一般情况下都会有个共享服务器,允许员工下载一些公司的软件或者常用的软件包(方便,不用再取外网去下载,也省带宽)
2、vsftp提供了匿名登录,默认anonymous_enable=YES的情况下,就启用了匿名访问,这种情况下你只能把需要给用户的文件,存放到/var/ftp/pub下(默认路径),如果想更改的话需要添加anon_root= /data/pub,后面的路径就是匿名登录后实际访问的目录。如果,总是那么多如果,匿名用户也需要上传的功能的话(一般情况下不会的)
# Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES anon_root=/data/pub # # Uncomment this to allow local users to log in. # When SELinux is enforcing check for SE bool ftp_home_dir use_localtime=YES local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains # the behaviour when these options are disabled. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=NO # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES
3、我们设置了匿名访问的目录是/data/pub里面,还是上传不了文件,有人说直接改成777就可以,但是改成777就无法访问了,这是由于vsftpd的安全性设置,我们需要在pub里面再创建一个upload的文件(文件夹名字随便起),给他一个777的权限就OK了。
mkdir -p /data/pub/upload chmod -R 777 /data/pub/upload
功能二(虚拟用户):
1、首先修改配置文件
备份配置文件 #cp vsftpd.conf vsftpd.conf.bak #echo '' > vsftpd.conf #vi /etc/vsftpd/vsftpd.conf
2、配置文件内容(虚拟用户必须关闭虚拟用户anonymous_enable=NO)
# Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO anon_root=/data/pub # # Uncomment this to allow local users to log in. # When SELinux is enforcing check for SE bool ftp_home_dir use_localtime=YES local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains # the behaviour when these options are disabled. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) allow_writeable_chroot=YES chroot_local_user=YES chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=NO # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES guest_enable=YES guest_username=ftpuser user_config_dir=/etc/vsftpd/vuser_conf virtual_use_local_privs=YES pasv_min_port=10060 pasv_max_port=10090 accept_timeout=5 connect_timeout=1
当virtual_use_local_privs=YES 时,虚拟用户和本地用户有相同的权限;虚拟用户高级参数
-
当virtual_use_local_privs=NO 时,虚拟用户和匿名用户有相同的权限,默认是NO。
-
当virtual_use_local_privs=YES,write_enable=YES时,虚拟用户具有写权限(上传、下载、删除、重命名)。
-
当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=YES,anon_upload_enable=YES时,虚拟用户不能浏览目录,只能上传文件,无其他权限。
-
当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,anon_upload_enable=NO时,虚拟用户只能下载文件,无其他权限。
-
当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,anon_upload_enable=YES时,虚拟用户只能上传和下载文件,无其他权限。
-
当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,anon_mkdir_write_enable=YES时,虚拟用户只能下载文件和创建文件夹,无其他权限。
-
当virtual_use_local_privs=NO,write_enable=YES,anon_world_readable_only=NO,anon_other_write_enable=YES时,虚拟用户只能下载、删除和重命名文件,无其他权限。
# # use_localtime=YES # 使用本地时(自行添加) listen_port=21 chroot_local_user=YES # 启用限定用户在其主目录下 idle_session_timeout=300 data_connection_timeout=120 # 数据连接超时时间 guest_enable=YES # 设定启用虚拟用户功能 guest_username=ftpuser # 指定虚拟用户的宿主用户 ftpuser(就是我们后面会新建这个用户) # guest_username=www # 如果ftp目录是指向网站根目录,用来上传网站程序, # 可以指定虚拟用户的宿主用户为nginx运行账户www,可以避免很多权限设置问题 user_config_dir=/etc/vsftpd/vuser_conf # 虚拟用户配置文件目录 virtual_use_local_privs=YES # NO时,虚拟用户和匿名用户有相同的权限,默认是NO pasv_min_port=10060 # 被动模式最小端口号10060 pasv_max_port=10090 # 被动模式最大端口号10090 accept_timeout=5 connect_timeout=1
3、创建宿主用户
# 创建用户 ftpuser 指定 `/home/vsftpd` 目录
useradd -g root -M -d /home/vsftpd -s /sbin/nologin ftpuser
# 设置用户 ftpuser 的密码
passwd ftpuser
# 把 /home/vsftpd 的所有权给ftpuser.root
chown -R ftpuser.root /home/vsftpd
4、建立虚拟用户文件
touch /etc/vsftpd/vuser_passwd
# 编辑虚拟用户名单文件:(
# 第一行账号,第二行密码,注意:不能使用root做用户名,系统保留)
vi /etc/vsftpd/vuser_passwd
# 编辑内容,下面是 vuser_passwd 内容
ftp1
12345678
ftp2
12345678
:wq! # 保存退出
5、生成虚拟用户数据文件
db_load -T -t hash -f /etc/vsftpd/vuser_passwd /etc/vsftpd/vuser_passwd.db
chmod 600 /etc/vsftpd/vuser_passwd.db
6、创建用户配置
mkdir /etc/vsftpd/vuser_conf # 建立虚拟用户个人vsftp的配置文件
cd /etc/vsftpd/vuser_conf # 进入目录
touch ftp1 ftp2
每个文件(ftp1和ftp2写入如下内容,local_root=/home/vsftpd/ftp1#这里写入这个用户的实际存储路劲)
local_root=/home/vsftpd/ftp1
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
7、创建用户目录
# mkdir -p /home/vsftpd/ftp1/upload
# mkdir -p /home/vsftpd/ftp2/upload
# chown -R ftpuser.root /home/vsftpd
# chmod -R 777 /home/vsftpd/ftp1/upload
# chmod -R 777 /home/vsftpd/ftp2/upload
8、服务运维
systemctl restart vsftpd.service # 重启服务
systemctl start vsftpd.service # 启动服务
systemctl status vsftpd.service # 服务状态查看
9、调用虚拟用户的PAM文件
# cd /etc/pam.d/
备份vsftpd文件
#cp vsftpd vsftpd.bak
修改vsftpd文件内容(加入第二和第三行,下面的都全部注释,注意下面是64位操作系统,如果是32位的话lib64需要改成lib)
#%PAM-1.0
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_passwd
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_passwd
#session optional pam_keyinit.so force revoke
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth
10、客户端调试
1、首先每次更改配置需要重启vsftpd服务。
2、上面每个配置文件中的内容最好是手动键入(曾经的我直接粘贴进去,cat就是没问题,但是粘贴进去就是不行)
3、客户端windows打开cmd到后台进行连接,网页和资源管理器里面都会有缓存也看不到报错。
4、服务器tail -f /var/log/secure查看日志(也可以tail -f /var/log/messages,这个看不出什么,前者更精准)
5、客户端报错示例(坑了我好久,它说chroot没有读到/etc/vsftpd/chroot_list这个文件,所以我们新建这个文件就行,记得重启服务)。
6、如果虚拟用户登录到自己的宿主目录后,不能上传文件的话,服务器端需要在宿主目录里面再新建一个文件夹,给这文件夹777权限,就可以了(直接把宿主目录设置777就会登录不了)
7、新增用户的话,需要在/etc/vsftpd/vsuser.passwd里面追加用户(删除就是删除用户),记得使用db_load重新生成vsuser.passwd文件即可,vuser_confi里面新建一个新建账户的权限文件,宿主目录记得新建存储文件。
8、建议使用ftp工具和cmd验证
C:\Users\Administrator>ftp 192.168.1.238 连接到 192.168.1.238。 220 (vsFTPd 3.0.2) 200 Always in UTF8 mode. 用户(192.168.1.238:(none)): ftp1 331 Please specify the password. 密码: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list 500 OOPS: priv_sock_get_result 远程主机关闭连接。
6、连接成功
C:\Users\Administrator>ftp 192.168.1.238 连接到 192.168.1.238。 220 (vsFTPd 3.0.2) 200 Always in UTF8 mode. 用户(192.168.1.238:(none)): ftp1 331 Please specify the password. 密码: 230 Login successful.
11、修改端口号
1、在/etc/vsftpd/vsftpd.conf文件中增加listen_port=2121(这里修改为2121)
2、在vim /etc/services文件中修改如下内容
ftp 2121/tcp ftp 2121/udp
注意:上面修改的只是链接端口号,既然更改了连接端口号,别忘记访问的时候修改端口。
既然我们设置的是被动模式(服务器被动打开数据端口,只有在数据链接的时候才会使用,下面我们用ftp工具能成功连接,当打开某个文件夹的时候(请求数据的时候),才会使用该端口,但是我这里使用了iptables,之允许了2121通过我们设置的是10060到10090端口,具体如下)
cat /etc/vsftpd/vsftpd.conf
设置iptables就可以了
参考地址:
https://blog.csdn.net/hanchao_h/article/details/72731996?locationNum=11&fps=1
http://wiki.ubuntu.org.cn/Vsftpd%E8%99%9A%E6%8B%9F%E7%94%A8%E6%88%B7%E8%AE%BE%E7%BD%AE#.E9.85.8D.E7.BD.AEPAM.E6.96.87.E4.BB.B6
===================== End
