Getting started with vsftpd on CentOS 7
I. Installation
1. Command: yum -y install vsftpd
2. Create a user dedicated to logging in to vsftpd
# Create a directory ftpfile under the root directory
mkdir /ftpfile
# Create the user ftpuser with /ftpfile as its home directory; -s sets the login shell, here /sbin/nologin, so the account cannot log in interactively (no SSH access)
useradd ftpuser -d /ftpfile -s /sbin/nologin
# -R means recursive; the argument is user:group. This makes ftpuser the owner of the whole ftpfile directory
chown -R ftpuser:ftpuser /ftpfile/
# Set the user's password
passwd ftpuser
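Putting the four commands above together, as an added example that is not from the post: a provisioning function that runs the same steps (root is needed for it) and a verify function that checks the result the way vsftpd's PAM stack will see it. The passwd and shells files the verify function reads are parameters, so the check below runs on constructed copies; on CentOS 7, /etc/pam.d/vsftpd includes pam_shells.so, so the login shell must also appear in /etc/shells (/sbin/nologin is listed there by default).

```shell
#!/bin/sh
# Added example (not from the post): create the dedicated FTP account as in
# section I, then verify it against what vsftpd's PAM stack needs.

# Create the account (root required). Idempotent: skips steps already done.
ftp_user_provision() {
    name=$1; home=$2
    [ -d "$home" ] || mkdir -p "$home"
    id "$name" >/dev/null 2>&1 || useradd -d "$home" -s /sbin/nologin "$name"
    chown -R "$name:$name" "$home"
    # passwd "$name" is interactive; run it separately
}

# Verify that NAME in PASSWD_FILE has HOME and a non-interactive shell that
# SHELLS_FILE lists. /etc/pam.d/vsftpd contains "auth required pam_shells.so",
# so a shell missing from /etc/shells blocks the FTP login even with the
# right password. Files default to /etc/passwd and /etc/shells.
ftp_user_verify() {
    name=$1; home=$2; passwd_file=${3:-/etc/passwd}; shells_file=${4:-/etc/shells}
    entry=$(grep "^$name:" "$passwd_file") || { echo "no such user: $name"; return 1; }
    got_home=$(printf '%s\n' "$entry" | cut -d: -f6)
    got_shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$got_home" = "$home" ] || { echo "home is $got_home, expected $home"; return 1; }
    case "$got_shell" in
        */nologin|*/false) ;;
        *) echo "shell $got_shell allows interactive login; use /sbin/nologin"; return 1 ;;
    esac
    grep -qx "$got_shell" "$shells_file" ||
        { echo "$got_shell is not in $shells_file: pam_shells will reject the login"; return 1; }
    echo "ok: $name -> $got_home, shell $got_shell"
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
T=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'ftpuser:x:1001:1001::/ftpfile:/sbin/nologin' \
              'bob:x:1002:1002::/ftpfile:/bin/bash' >"$T/passwd"
printf '%s\n' /bin/sh /bin/bash /sbin/nologin >"$T/shells"
printf '%s\n' /bin/sh /bin/bash >"$T/shells_without_nologin"

ftp_user_verify ftpuser /ftpfile "$T/passwd" "$T/shells"
ftp_user_verify bob /ftpfile "$T/passwd" "$T/shells" || true
ftp_user_verify ftpuser /ftpfile "$T/passwd" "$T/shells_without_nologin" || true
```

On a real host, run ftp_user_provision ftpuser /ftpfile as root, set the password, then ftp_user_verify ftpuser /ftpfile with no further arguments to check the live /etc/passwd and /etc/shells.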
II. Modify the configuration
The default configuration file is /etc/vsftpd/vsftpd.conf; it can also be located with whereis vsftpd.
Modify and add to this configuration as a base:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#local_root=/ftpfile
use_localtime=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
tcp_wrappers=YES
pasv_min_port=61001
pasv_max_port=62000
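Added here as an example (it is not part of the post or of vsftpd): a POSIX shell audit that reads a vsftpd.conf and reports the settings this page cares about. It flags whitespace around "=" (vsftpd.conf(5) states that any space between the option, "=" and the value is an error, so such a line stops vsftpd from starting), anonymous_enable other than NO, listen and listen_ipv6 both enabled (the conflict the config comment warns about), a configuration in which no local user is chrooted, and a passive range that is not pinned. The two configs it checks are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of vsftpd or this post): audit the settings this
# page discusses in a vsftpd.conf and report what an operator should fix.

# Value of KEY in FILE: last uncommented "key=value" line, value trimmed.
# Returns 1 when the key is absent.
vsftpd_get() {
    _v=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$_v" ] || return 1
    printf '%s\n' "$_v"
}

# Print one line per finding; the return status is the number of findings.
vsftpd_audit() {
    f=$1; n=0
    # vsftpd.conf(5): whitespace around '=' is an error, so a line such as
    # "chroot_list_file= /etc/vsftpd/chroot_list" makes vsftpd refuse to start.
    for ln in $(grep -nE '^[^#]*[[:space:]]=|^[^#]*=[[:space:]]' "$f" | cut -d: -f1); do
        echo "line $ln: whitespace around '=' (vsftpd rejects this line)"; n=$((n + 1))
    done
    [ "$(vsftpd_get anonymous_enable "$f")" = NO ] ||
        { echo "anonymous_enable is not NO: anonymous logins are possible"; n=$((n + 1)); }
    if [ "$(vsftpd_get listen "$f")" = YES ] && [ "$(vsftpd_get listen_ipv6 "$f")" = YES ]; then
        echo "listen and listen_ipv6 are both YES: only one may be enabled"; n=$((n + 1))
    fi
    if [ "$(vsftpd_get chroot_local_user "$f")" != YES ] && [ "$(vsftpd_get chroot_list_enable "$f")" != YES ]; then
        echo "no user is chrooted: local users can browse the whole filesystem"; n=$((n + 1))
    fi
    { vsftpd_get pasv_min_port "$f" >/dev/null && vsftpd_get pasv_max_port "$f" >/dev/null; } ||
        { echo "passive port range not pinned: the firewall cannot be restricted to it"; n=$((n + 1)); }
    return $n
}

# Number of findings as a printed value (handy inside $(...)).
vsftpd_issue_count() {
    vsftpd_audit "$1" >/dev/null || { echo $?; return 0; }
    echo 0
}

# Constructed sample configs: one with the mistakes discussed above, one with
# the settings this page ends up with.
WEAK=$(mktemp); GOOD=$(mktemp)
cat >"$WEAK" <<'EOF'
anonymous_enable=YES
local_enable=YES
use_localtime= yes
chroot_local_user=NO
chroot_list_enable=NO
chroot_list_file= /etc/vsftpd/chroot_list
listen=YES
listen_ipv6=YES
userlist_enable=YES
userlist_deny=YES
userlist_file= /etc/vsftpd/user_list
EOF
cat >"$GOOD" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
pasv_min_port=61001
pasv_max_port=62000
EOF

echo "== weak config =="; vsftpd_audit "$WEAK" || echo "-> $? issue(s)"
echo "== page config =="; vsftpd_audit "$GOOD" || echo "-> $? issue(s)"
```

With the passive range pinned, firewalld on CentOS 7 only needs the control port and that range opened: firewall-cmd --permanent --add-service=ftp, then firewall-cmd --permanent --add-port=61001-62000/tcp, then firewall-cmd --reload. If SELinux is enforcing, the comments in the config above point at the ftp_home_dir boolean (setsebool -P ftp_home_dir on). The config's own warning about write access to the top level of the chroot still applies when allow_writeable_chroot=YES is set: where the layout allows it, keep /ftpfile itself non-writable and give ftpuser a writable subdirectory.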
Then add ftpuser to the file /etc/vsftpd/chroot_list (the file named by chroot_list_file above).
Effect: this configuration allows ftpuser to log in and confines it to its home directory; the user_list file has been left unmodified.
Users listed in user_list and in ftpusers are denied login, because userlist_enable=YES and userlist_deny=YES.
Users listed in ftpusers are denied login by vsftpd regardless.
III. Explanation of the key settings
anonymous_enable=NO # disable anonymous access
ftpd_banner=Welcome to blah FTP service. # welcome banner
local_root=/ftpfile # the directory users land in after login; if commented out, it is the user's home directory
use_localtime=YES # use local time
userlist_enable, userlist_deny, userlist_file=/etc/vsftpd/user_list
To explain these three options, the files ftpusers and user_list under /etc/vsftpd must be covered.
Users listed in the ftpusers file are forbidden from logging in to the FTP server; the file works as a blacklist holding highly privileged accounts, which vsftpd keeps out for security reasons so that they cannot upload or download dangerous files and damage the system. This file is always in effect and is independent of every configuration option.
Whether user_list takes effect, on the other hand, depends on the two options userlist_enable and userlist_deny; it can act either as a whitelist or as a blacklist, and which one is decided by those two options.
Note: the cases below do not cover users in ftpusers, since those are always denied login.
1. userlist_deny only takes effect when userlist_enable=YES, which decides whether the user_list file is consulted at all.
2. userlist_enable=YES && userlist_deny=YES: users in user_list are not allowed to log in; the list acts as a blacklist.
When a listed user tries to log in, no password prompt appears; the server immediately answers 530 Permission denied. Login failed.
3. userlist_enable=YES && userlist_deny=NO: users in user_list are allowed to log in and the list acts as a whitelist; users not in user_list are denied.
When an unlisted user tries to log in, no password prompt appears; the server immediately answers 530 Permission denied. Login failed.
4. userlist_enable=NO: user_list has no effect.
chroot_local_user, chroot_list_enable, chroot_list_file=/etc/vsftpd/chroot_list, allow_writeable_chroot=YES
chroot_local_user: whether to confine all users to their home directory, i.e. they cannot move outside it (YES: confine, NO: do not confine)
chroot_list: a file under /etc/vsftpd that acts as an exception list, i.e. the users in it are exempt from the chroot_local_user setting
chroot_list_enable: whether the chroot_list file is used (YES/NO)
allow_writeable_chroot: whether chrooted users (here, those in chroot_list) may have a writable home directory (YES/NO)
1. chroot_list_enable=NO: chroot_list has no effect; everything depends on the value of chroot_local_user.
2. chroot_list_enable=YES && chroot_local_user=YES:
all users are confined to their home directory, except those in chroot_list, who are not confined.
3. chroot_list_enable=YES && chroot_local_user=NO:
users are not confined to their home directory, except those in chroot_list, who are confined to it.
4. allow_writeable_chroot=YES: normally set to YES; otherwise login fails whenever the user's home directory is writable.
Naturally, for write operations to work at all, the user's home directory must be writable and allow_writeable_chroot=YES must be set.
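The login rules and the chroot rules from the two lists above, as an added example (this is a shell model written for this post, not vsftpd's own code). It reads vsftpd.conf plus ftpusers, user_list and chroot_list from paths passed in; the files it creates under a temporary directory are constructed sample data, and "alice" is a made-up account. Missing keys fall back to vsftpd's documented defaults (userlist_enable=NO, userlist_deny=YES, chroot_local_user=NO, chroot_list_enable=NO). One detail the post leaves implicit: ftpusers is enforced by the pam_listfile line in /etc/pam.d/vsftpd, not by vsftpd.conf, which is why no option in the config can switch it off.

```shell
#!/bin/sh
# Added example (not vsftpd's code): decide from vsftpd.conf and the list files
# whether a local user may log in and whether it is chrooted, per section III.

vsftpd_get() {   # value of key $1 in file $2, or return 1 if absent
    _v=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1)
    [ -n "$_v" ] && printf '%s\n' "$_v"
}
in_list() { grep -qxF -- "$1" "$2" 2>/dev/null; }   # exact line match, like vsftpd

# Login decision: USER CONF FTPUSERS USERLIST. Prints the reason; 0=allowed, 1=denied.
vsftpd_login() {
    u=$1; conf=$2; ftpusers=$3; userlist=$4
    # ftpusers is checked by pam_listfile in /etc/pam.d/vsftpd, independent of the config
    if in_list "$u" "$ftpusers"; then echo "denied: $u is in ftpusers"; return 1; fi
    if [ "$(vsftpd_get userlist_enable "$conf")" = YES ]; then
        deny=$(vsftpd_get userlist_deny "$conf" || echo YES)      # vsftpd default: YES
        if [ "$deny" = YES ] && in_list "$u" "$userlist"; then
            echo "denied: $u is in user_list (blacklist mode), 530 before any password"; return 1
        fi
        if [ "$deny" = NO ] && ! in_list "$u" "$userlist"; then
            echo "denied: $u is not in user_list (whitelist mode), 530 before any password"; return 1
        fi
    fi
    echo "allowed: $u proceeds to the password check"; return 0
}

# Chroot decision: USER CONF CHROOTLIST [HOMEDIR]. 0=chrooted, 1=not chrooted,
# 2=chrooted but vsftpd would refuse the login (writable root, case 4).
vsftpd_chroot() {
    u=$1; conf=$2; chrootlist=$3; home=$4
    all=$(vsftpd_get chroot_local_user "$conf" || echo NO)       # vsftpd default: NO
    use_list=$(vsftpd_get chroot_list_enable "$conf" || echo NO) # vsftpd default: NO
    if [ "$use_list" = YES ] && in_list "$u" "$chrootlist"; then
        [ "$all" = YES ] && r=NO || r=YES       # the list is the exception (cases 2 and 3)
    else
        r=$all                                   # case 1: only chroot_local_user counts
    fi
    if [ "$r" != YES ]; then echo "not chrooted: $u may browse outside its home directory"; return 1; fi
    # case 4: a writable chroot root without allow_writeable_chroot=YES makes vsftpd
    # abort the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
    if [ -n "$home" ] && [ -w "$home" ] && [ "$(vsftpd_get allow_writeable_chroot "$conf" || echo NO)" != YES ]; then
        echo "login would fail: $home is writable but allow_writeable_chroot is not YES"; return 2
    fi
    echo "chrooted: $u is confined to its home directory"; return 0
}

# Constructed sample data standing in for the real files under /etc/vsftpd.
T=$(mktemp -d)
cat >"$T/vsftpd.conf" <<'EOF'
userlist_enable=YES
userlist_deny=YES
chroot_local_user=NO
chroot_list_enable=YES
allow_writeable_chroot=YES
EOF
cat >"$T/strict.conf" <<'EOF'
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
EOF
printf '%s\n' root bin daemon >"$T/ftpusers"
printf '%s\n' '# vsftpd userlist' root bin >"$T/user_list"
printf '%s\n' ftpuser >"$T/allow_list"
printf '%s\n' ftpuser >"$T/chroot_list"

for u in ftpuser alice root; do
    vsftpd_login "$u" "$T/vsftpd.conf" "$T/ftpusers" "$T/user_list" &&
        vsftpd_chroot "$u" "$T/vsftpd.conf" "$T/chroot_list" || true
done
```

The first config is the one this page arrives at: ftpuser logs in and is chrooted, a made-up "alice" logs in but is not chrooted, and root is stopped by ftpusers. The second, stricter config (whitelist mode, everyone chrooted, exceptions in chroot_list) shows cases 3 and 2 of the two lists, plus the writable-root refusal from case 4.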
pasv_min_port=61001
pasv_max_port=62000 # port range for the data connections used by uploads and downloads; vsftpd picks ports by itself by default, but in production the firewall has to open specific ports, so the range is set explicitly
IV. Start the vsftpd service
systemctl start vsftpd # start the service
systemctl restart vsftpd # restart the service; configuration changes take effect only after a restart
systemctl stop vsftpd # stop the service
systemctl enable vsftpd # start automatically at boot
V. Accessing vsftpd (the firewall must be opened)
1. Browser: ftp://ip
2. Command line: ftp ip
3. Client software such as WinSCP