
Getting started with vsftpd on CentOS 7

I. Installation

1. Command: yum -y install vsftpd

2. Create a user dedicated to logging in to vsftpd

# Create the directory /ftpfile under the filesystem root
mkdir /ftpfile

# Create the user ftpuser with /ftpfile as its home directory. -s sets the login shell;
# /sbin/nologin means the account cannot log in interactively, i.e. it has no SSH access
useradd ftpuser -d /ftpfile -s /sbin/nologin

# -R means recursive, user:group. This makes ftpuser the owner of the whole /ftpfile tree
chown -R ftpuser:ftpuser /ftpfile/

# Set the user's password
passwd ftpuser

 

II. Editing the configuration

The default configuration file is /etc/vsftpd/vsftpd.conf; you can also locate it with whereis vsftpd.

Edit and add to that default configuration; the result used here is:

 

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#local_root=/ftpfile
use_localtime=yes
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
 
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
tcp_wrappers=YES
 
pasv_min_port=61001
pasv_max_port=62000

Then add ftpuser to /etc/vsftpd/chroot_list (the file named by chroot_list_file above).

Effect: this configuration lets ftpuser log in and confines it to its home directory. The user_list file was left unmodified.

Users listed in user_list and in ftpusers are refused login, because userlist_enable=YES and userlist_deny=YES.

Users in ftpusers are refused by vsftpd in any case.

  

III. Explanation of the key settings

anonymous_enable=NO #disable anonymous access

ftpd_banner=Welcome to blah FTP service.  #welcome banner

local_root=/ftpfile    #root directory of the FTP session; if commented out, the user's home directory is used

use_localtime=YES #use local time

 


 

userlist_enable, userlist_deny, userlist_file=/etc/vsftpd/user_list

To explain these three options, the files ftpusers and user_list under /etc/vsftpd must be discussed.

Users listed in ftpusers are refused login to the FTP server; the file is effectively a blacklist, holding highly privileged accounts. For safety, vsftpd does not want over-privileged accounts logging in,

since they could upload or download dangerous files and damage the system. Moreover, this file is always in effect, independent of any configuration option.

Whether user_list takes effect, by contrast, depends on userlist_enable and userlist_deny; it can act as either a whitelist or a blacklist, which is decided by

userlist_enable and userlist_deny.

Note: the cases below do not cover users in ftpusers, since they are always refused.

1. userlist_deny only has an effect when userlist_enable=YES, which decides whether user_list is consulted at all.

2. userlist_enable=YES && userlist_deny=YES: users in user_list are refused; the list acts as a blacklist.

Attempting to log in as a listed user gives no password prompt; the server immediately returns 530 Permission denied. Login failed.

3. userlist_enable=YES && userlist_deny=NO: only users in user_list may log in; the list acts as a whitelist, and users not on it are refused.

Attempting to log in as a user not on the list gives no password prompt; the server immediately returns 530 Permission denied. Login failed.

4. userlist_enable=NO: user_list is ignored.

 


 

chroot_local_user, chroot_list_enable, chroot_list_file=/etc/vsftpd/chroot_list, allow_writeable_chroot=YES

chroot_local_user: whether all local users are confined to their home directory, i.e. cannot leave it (YES: confine, NO: do not confine)

chroot_list: a file under /etc/vsftpd that acts as an exception list, i.e. its users are exempt from what chroot_local_user says

chroot_list_enable: whether chroot_list is consulted (YES/NO)

allow_writeable_chroot: whether a confined user is still allowed in, and may write, when the root of its chroot (the home directory) is writable (YES/NO)

1. chroot_list_enable=NO: chroot_list is ignored; only the value of chroot_local_user matters.

2. chroot_list_enable=YES && chroot_local_user=YES

All users are confined to their home directory, except those in chroot_list, who are not confined.

3. chroot_list_enable=YES && chroot_local_user=NO

Users are not confined to their home directory, except those in chroot_list, who are confined.

4. allow_writeable_chroot=YES: usually set to YES, otherwise login fails when the user's home directory is writable.

Naturally, for writes to work the user's home directory must be writable and allow_writeable_chroot must be YES.
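The login cases of the user_list section and the confinement cases of the chroot section above can be checked side by side. The script below is an added example, not code from the original post or from vsftpd: it models the login gate (ftpusers, then userlist_enable/userlist_deny/userlist_file) and the chroot decision (chroot_local_user/chroot_list_enable/chroot_list_file) by reading those keys from a vsftpd.conf-style file, and runs it against a constructed config that mirrors the post's settings (ftpuser in chroot_list, user_list untouched). The names conf_get, bool, in_list, login_verdict, chroot_verdict and demo are this example's own; real vsftpd also involves PAM and SELinux, which are not modelled.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a small model of vsftpd's
# local-user login gate and chroot decision, driven by a vsftpd.conf-style file.
# The config and list files in demo() are constructed for this demonstration.
set -eu

# conf_get FILE KEY: value of KEY (first uncommented match), empty if unset.
conf_get() {
    grep -E "^$2=" "$1" | head -n1 | cut -d= -f2- | tr -d '[:space:]'
}

# bool FILE KEY DEFAULT: YES or NO, using vsftpd's compiled-in default when absent.
bool() {
    local v
    v=$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')
    echo "${v:-$3}"
}

# in_list FILE USER: succeeds when USER is a line of FILE ('#' lines ignored).
in_list() {
    [ -f "$1" ] && grep -vE '^[[:space:]]*#' "$1" | grep -qxF "$2"
}

# login_verdict CONF USER: "allow" or "deny (reason)", following the post's cases 1-4.
login_verdict() {
    local conf=$1 user=$2 dir listed=no file deny
    dir=$(dirname "$conf")
    # ftpusers is always enforced, whatever the config says.
    if in_list "$dir/ftpusers" "$user"; then
        echo "deny (ftpusers)"; return 0
    fi
    if [ "$(bool "$conf" userlist_enable NO)" = YES ]; then
        file=$(conf_get "$conf" userlist_file)
        in_list "${file:-$dir/user_list}" "$user" && listed=yes
        deny=$(bool "$conf" userlist_deny YES)
        if [ "$deny" = YES ] && [ "$listed" = yes ]; then
            echo "deny (user_list as blacklist)"; return 0      # refused before any password prompt
        elif [ "$deny" != YES ] && [ "$listed" = no ]; then
            echo "deny (user_list as whitelist)"; return 0      # only listed users reach authentication
        fi
    fi
    echo allow
}

# chroot_verdict CONF USER: "chrooted" or "not chrooted", following the post's cases 1-3.
chroot_verdict() {
    local conf=$1 user=$2 all listed=no file
    all=$(bool "$conf" chroot_local_user NO)
    if [ "$(bool "$conf" chroot_list_enable NO)" = YES ]; then
        file=$(conf_get "$conf" chroot_list_file)
        in_list "${file:-$(dirname "$conf")/chroot_list}" "$user" && listed=yes
    fi
    # chroot_list is an exception list: membership flips whatever chroot_local_user says.
    if { [ "$all" = YES ] && [ "$listed" = no ]; } || { [ "$all" != YES ] && [ "$listed" = yes ]; }; then
        echo chrooted
    else
        echo "not chrooted"
    fi
}

# demo: constructed config and list files in a temp dir, mirroring the post's setup.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/vsftpd.conf" <<EOF
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=YES
userlist_file=$dir/user_list
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=$dir/chroot_list
allow_writeable_chroot=YES
EOF
    printf 'root\nbin\ndaemon\n' > "$dir/ftpusers"        # privileged accounts, as shipped
    printf '# blacklist\nroot\nnobody\n' > "$dir/user_list"
    printf 'ftpuser\n' > "$dir/chroot_list"
    echo "$dir"
}

d=$(demo)
for u in ftpuser nobody root alice; do
    printf '%-8s login: %-30s chroot: %s\n' "$u" \
        "$(login_verdict "$d/vsftpd.conf" "$u")" "$(chroot_verdict "$d/vsftpd.conf" "$u")"
done
```

The fourth row is the one worth noticing: alice, a hypothetical local account that appears in neither list, is allowed in and is not chrooted, because chroot_local_user=NO only confines the users named in chroot_list. With the post's configuration every other local account that can authenticate browses the filesystem subject only to Unix permissions; setting chroot_local_user=YES turns chroot_list into the exemption list instead. Note also that vsftpd refuses a chroot whose root directory is writable by the user unless allow_writeable_chroot=YES; the alternative to that setting is to keep /ftpfile owned by root without write permission and give ftpuser a writable subdirectory for uploads.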

 


 

pasv_min_port=61001

pasv_max_port=62000  #port range used for the data connections of uploads and downloads. vsftpd picks ports by itself by default, but in production the specific firewall ports must be opened, so the range is pinned explicitly
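Pinning the passive range is only useful if the firewall admits it together with the control port. The script below is an added example, not code from the original post: it reads pasv_min_port and pasv_max_port from a vsftpd.conf-style file, rejects an unset, non-numeric, privileged or reversed range, and prints the firewalld commands (firewalld being the CentOS 7 default) that open 21/tcp via the ftp service plus that range. It assumes firewalld is the firewall in use and only executes the commands when run with --apply and firewall-cmd is present; the sample config in demo_conf is constructed, and the names pasv_range, firewall_cmds and demo_conf are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: validate the passive port range
# from a vsftpd.conf and derive the firewalld commands that open it.
# Usage: script.sh [/etc/vsftpd/vsftpd.conf] [--apply]
set -eu

# conf_get FILE KEY: value of KEY (first uncommented match), empty if unset.
conf_get() { grep -E "^$2=" "$1" | head -n1 | cut -d= -f2- | tr -d '[:space:]'; }

# pasv_range CONF: prints "MIN-MAX" after checking both ports are set, numeric,
# above the privileged range, within 65535 and in order; fails otherwise.
pasv_range() {
    local min max p
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    for p in "$min" "$max"; do
        case "$p" in
            ''|*[!0-9]*) echo "pasv_min_port and pasv_max_port must both be set and numeric" >&2; return 1 ;;
        esac
    done
    if [ "$min" -le 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "invalid passive range $min-$max" >&2; return 1
    fi
    echo "$min-$max"
}

# firewall_cmds RANGE: the firewalld commands admitting the FTP control port
# (service "ftp" = 21/tcp) and the passive data range, made permanent and reloaded.
firewall_cmds() {
    printf '%s\n' \
        "firewall-cmd --permanent --add-service=ftp" \
        "firewall-cmd --permanent --add-port=$1/tcp" \
        "firewall-cmd --reload"
}

# demo_conf: a constructed config carrying the post's passive range; prints its path.
demo_conf() {
    local f; f=$(mktemp)
    printf 'listen_ipv6=YES\npasv_min_port=61001\npasv_max_port=62000\n' > "$f"
    echo "$f"
}

conf=${1:-$(demo_conf)}
range=$(pasv_range "$conf")
firewall_cmds "$range"
# Only touch the live firewall on explicit request and when firewalld is installed.
if [ "${2:-}" = --apply ] && command -v firewall-cmd >/dev/null 2>&1; then
    firewall_cmds "$range" | while read -r line; do eval "$line"; done
fi
```

Run against the post's range it prints the three firewall-cmd lines for 61001-62000/tcp; pointing it at the real /etc/vsftpd/vsftpd.conf checks that the range actually written there is the one being opened, which is the usual source of "connection refused on data transfer" after the control login succeeds.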

 

IV. Starting the vsftpd service

systemctl start vsftpd  #start the service

systemctl restart vsftpd #restart the service; configuration changes take effect only after a restart

systemctl stop vsftpd  #stop the service

systemctl enable vsftpd  #start automatically at boot

 

V. Accessing vsftpd (the firewall must be opened)

1. Browser: ftp://ip

2. Command line: ftp ip

3. Client software: WinSCP or a similar FTP client

 
