vsftpd is short for "very secure FTP daemon", and security is its biggest selling point. Other FTP daemons commonly used on open-source operating systems include ProFTPD, PureFTPd and wuftpd.
vsftpd starts its service under an ordinary account, so it holds few privileges on the Linux system and the damage it can do to the system is correspondingly reduced. In addition, vsftpd uses chroot() to change the root directory, so that system tools cannot be misused through the vsftpd service.
The installation demonstrated here was done on 64-bit CentOS Linux release 7.1.1503 (Core).
1.1. Install with Yum

```
rpm -qa vsftpd | grep vsftpd       # check whether it is already installed
yum -y install vsftpd
systemctl enable vsftpd.service    # start at boot
systemctl restart vsftpd.service   # start the service
```
The version installed by yum is vsftpd-3.0.2-11.el7_2.x86_64.
Check that it started and which port it listens on:

```
[root@htuidc ~]# lsof -i:21
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vsftpd  31660   root    3u  IPv6  72248      0t0  TCP *:ftp (LISTEN)
vsftpd  31661 nobody    0u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31661 nobody    1u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31661 nobody    2u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc    0u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc    1u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
vsftpd  31666  txidc    2u  IPv6  72249      0t0  TCP htuidc.bgp.ip:ftp->hn.kd.ny.adsl:25143 (ESTABLISHED)
```
1.2. Layout of the vsftpd configuration directory

```
[root@htuidc ~]# tree /etc/vsftpd/
/etc/vsftpd/
├── chroot_list              # list we created ourselves of users allowed to change directory
├── ftpusers                 # users listed in this file are forbidden from logging in via FTP
├── user_list                # users listed in this file are forbidden from logging in to FTP
├── vsftpd.conf              # main configuration file
└── vsftpd_conf_migrate.sh
```
2. vsftpd installation and configuration notes
Installing vsftpd is simple; the real work is configuration. The important options are listed below.
For security, turn off anonymous login on the vsftpd service.
Use sed to replace the value quickly (run inside /etc/vsftpd, where vsftpd.conf lives):

```
sed -i "s#anonymous_enable=YES#anonymous_enable=NO#g" vsftpd.conf
```
You can also edit it by hand with vi: go to line 12 and change YES to NO.

```
11 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
12 anonymous_enable=NO
```
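The sed above only rewrites a line that already reads exactly anonymous_enable=YES; if the key is commented out or absent, nothing changes and the compiled-in default stays in force. The helper below is an added example, not part of the original post: it sets a key idempotently and reads the active value back so the result can be verified. It assumes GNU sed (as shipped on CentOS 7) and works on a constructed copy of the config rather than on /etc/vsftpd/vsftpd.conf. The same helper covers the single-key settings in 2.2, 2.4 and 2.6.

```shell
#!/bin/sh
# Added example, not part of the original post: an idempotent setter for
# vsftpd's key=value configuration. The post's one-line sed only matches when
# the line literally reads "anonymous_enable=YES"; if the key is commented out
# or missing, sed changes nothing and the compiled-in default quietly applies.
# Assumptions: GNU sed (as on CentOS 7); the config path is supplied by the caller.

# vsftpd_set FILE KEY VALUE: rewrite an existing "KEY=..." or "#KEY=..." line
# in place, or append "KEY=VALUE" when the key is absent. The trailing "="
# in the pattern keeps "listen" from matching "listen_ipv6".
vsftpd_set() {
    _file=$1 _key=$2 _value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${_key}=" "$_file"; then
        sed -i "s|^#\{0,1\}[[:space:]]*${_key}=.*|${_key}=${_value}|" "$_file"
    else
        printf '%s=%s\n' "$_key" "$_value" >> "$_file"
    fi
}

# vsftpd_get FILE KEY: print the active (uncommented) value; with duplicate
# keys the last one wins, as in vsftpd; prints nothing when the key is unset.
vsftpd_get() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# Constructed sample config standing in for /etc/vsftpd/vsftpd.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
local_enable=YES
listen_ipv6=YES
EOF

vsftpd_set "$demo_conf" anonymous_enable NO   # commented out before: now active
vsftpd_set "$demo_conf" write_enable YES      # absent before: appended
vsftpd_set "$demo_conf" listen YES            # must leave listen_ipv6 untouched

echo "anonymous_enable is now: $(vsftpd_get "$demo_conf" anonymous_enable)"
```

Running vsftpd_set twice for the same key leaves a single active line, which is what you want before a restart: vsftpd reads the last occurrence of a duplicated key, so stray duplicates make the effective setting hard to audit.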
2.2. Allow local users created with useradd to log in
For typical personal use, before adding a local user, first enable local-user login in the config file: uncomment line 16 and set it as follows

```
local_enable=YES
```
2.3. Add a user for FTP
Specify the home directory, and a shell that does not allow interactive login.

```
useradd -d /data/ftp/video/ -s /sbin/nologin txidc   # home under /data/ftp, no shell login
echo "abcdef" | passwd --stdin txidc                  # set the FTP password for the user just created
```
2.4. Allow FTP users to write
Enable the setting on line 19:

```
write_enable=YES
```
2.5. Prevent FTP users from changing directory
chroot means "change root directory". On a Linux system the default directory tree starts at /, the root. After chroot is applied, the directory tree starts from the specified location, which then acts as /.
Recommended configuration (also create the list file by hand with touch /etc/vsftpd/chroot_list):

```
chroot_local_user=YES                     # confine all users to their home directory
chroot_list_enable=YES                    # enable the user list file
chroot_list_file=/etc/vsftpd/chroot_list  # users in this list may change directory
```

Explanation: every user is locked into their own home directory, but the users listed in /etc/vsftpd/chroot_list can change into other parent directories.
A more detailed explanation is given in section 2.9.
2.6. If needed, configure rate and connection limits
I only set a few simple limits here

```
max_clients=50   # at most 50 concurrent connections
max_per_ip=5     # at most 5 connections from the same IP
```
2.7. Permissions on the root directory after chroot in newer vsftpd versions
After setting up chroot in step 5 above, I could not log in at all and fiddled with it for half an hour. Then I found in the documentation that the write permission on the user's home directory must be removed before the connection succeeds; otherwise it keeps reporting 331, a password error asking me to provide the password.

```
响应: 331 Please specify the password
```
Just remove the write permission on the root directory:

```
[root@htuidc ftp]# chmod u-w video/
[root@htuidc ftp]# ll
total 4
dr-x------. 3 txidc ftp 4096 Nov  5 22:20 video
```
That raises a new problem: with the write permission removed, files can no longer be uploaded. What to do?
The only way is to create a new subdirectory with appropriate permissions that allows uploads; then you can connect and upload.

```
[root@htuidc ftp]# ll video/
total 4
drwxr-xr-x. 2 txidc ftp 4096 Nov  5 22:21 pub
```

Upload the files into pub and it works. What a pitfall... I don't know whether anyone has a better way to set this up.
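As an added example (not from the original post), the script below checks a chroot root the way section 2.7 ends up setting it: the home directory must not be writable by its owner, and uploads must go to a writable subdirectory such as pub. It builds a throw-away directory tree with mktemp in place of /data/ftp/video and relies on GNU stat; both are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify the layout section 2.7
# arrives at. vsftpd 3.x refuses a chroot()ed session whose root directory is
# writable, so the home directory is made read-only for its owner and a
# subdirectory (pub/ in the post) receives the uploads.
# Assumptions: a throw-away tree under mktemp stands in for /data/ftp/video,
# and GNU stat (coreutils) is available.

# owner_can_write PATH: true when the owner's write bit is set. stat -c %A
# prints e.g. "dr-x------"; the third character is the owner write bit.
# (test -w is not usable here: it answers "yes" for root regardless of mode.)
owner_can_write() {
    case $(stat -c '%A' "$1") in
        ??w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_chroot_root ROOT UPLOADDIR: return 0 only when ROOT is not
# owner-writable and UPLOADDIR exists and is writable; print the verdict.
check_chroot_root() {
    _root=$1 _upload=$2
    if owner_can_write "$_root"; then
        echo "FAIL: $_root is owner-writable; vsftpd will refuse the session"
        return 1
    fi
    if [ ! -d "$_upload" ] || ! owner_can_write "$_upload"; then
        echo "FAIL: no writable upload directory under $_root; uploads will be rejected"
        return 1
    fi
    echo "OK: $_root is read-only, uploads go to $_upload"
    return 0
}

# setup_chroot_root ROOT NAME: apply the fix from section 2.7 - create the
# writable subdirectory first, then drop the owner's write bit on ROOT.
setup_chroot_root() {
    mkdir -p "$1/$2"
    chmod 755 "$1/$2"
    chmod u-w "$1"
}

# Constructed stand-in for /data/ftp/video (mode 755 for the demo).
demo_root=$(mktemp -d)/video
mkdir -p "$demo_root" && chmod 755 "$demo_root"

check_chroot_root "$demo_root" "$demo_root/pub" || :   # expected: FAIL (writable root)
setup_chroot_root "$demo_root" pub
check_chroot_root "$demo_root" "$demo_root/pub"        # expected: OK
```

vsftpd 3.x also offers allow_writeable_chroot=YES, which switches the writable-root check off; keeping the check and uploading into a subdirectory, as the post does, is the safer choice because the chroot root itself stays immutable to the FTP user.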
2.8. Permissions on uploaded files

```
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
```

Verification:
2.9. Configuration file explained
My own summary

```
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
# These options are not exhaustive; read vsftpd.conf.5 for the full list of settings
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Allow anonymous FTP login? (commented out means allowed by default),
# so to forbid it you must explicitly set anonymous_enable=NO
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# Whether local users may log in; commented out means not allowed.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Whether users may write; with NO, users cannot upload files
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# umask applied to local users' uploads; the default is 077
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment to let the anonymous user upload; only effective when the global
# write_enable is on, and you must create a directory writable by the FTP user
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Whether the anonymous user may create directories.
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Whether to show a message when a user enters a directory
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
# Log uploads and downloads
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# Using root as the owner of uploaded files is not recommended
#chown_uploads=YES
# Change the owner of anonymous uploads
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# Idle session timeout: how long a connected but inactive client is kept
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# Maximum data-transfer timeout
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
# The unprivileged account the vsftpd service runs as.
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
# Whether to honour the asynchronous ABOR (abort) command from clients
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
# Whether to really perform ASCII-mode conversion on uploads and downloads
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# Login banner
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# Specify a list of users who may not leave their home directory
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
# Path of that list file
# The meaning above only holds with chroot_local_user=NO
# Notes:
# 1. chroot_local_user=YES on its own: every user is locked into their own home directory and cannot move up to other directories.
# 2. chroot_local_user=YES together with chroot_list_enable=YES: the users in /etc/vsftpd/chroot_list CAN change directory; they are not chrooted.
# 3. chroot_local_user=NO together with chroot_list_enable=YES: the users in the list CANNOT leave their directory; they are chrooted.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
# Allow ls -R
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
# Listen on IPv4
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
# Listen on IPv6
pam_service_name=vsftpd
userlist_enable=YES
# Deny users in userlist_file outright, without even prompting for a password
tcp_wrappers=YES

# If chroot_local_user=YES, all users are chrooted by default,
# i.e. each user is confined to their own home directory and cannot move upward.
#
# chroot_list_enable=YES makes the chroot user list take effect.
# ★ Very important: with chroot_local_user=YES, the users in the file named by
# chroot_list_file are the ones NOT chrooted (they can move upward).
#
# ★ Very important: with chroot_local_user=NO, the users in the file named by
# chroot_list_file are the ones that ARE chrooted (they cannot move upward).
```
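The three chroot cases (section 2.5 and the notes above) are easy to get backwards, so here is an added example, not part of the original post, that reads chroot_local_user, chroot_list_enable and chroot_list_file from a config and reports whether a given local user ends up chrooted. The config and list files it uses are constructed in a temporary directory; the fallbacks it uses (chroot_local_user=NO, chroot_list_enable=NO, list at /etc/vsftpd/chroot_list) are vsftpd's documented defaults, and a missing list file is treated as empty, which is a simplification.

```shell
#!/bin/sh
# Added example, not part of the original post: decide from a vsftpd.conf and
# its chroot_list which local users end up chroot()ed, encoding the three
# cases the post describes:
#   chroot_local_user=YES, list off  -> everyone chrooted
#   chroot_local_user=YES, list on   -> listed users are the exceptions (NOT chrooted)
#   chroot_local_user=NO,  list on   -> listed users are the ones chrooted
# Assumptions: constructed config and list files below stand in for
# /etc/vsftpd/vsftpd.conf and /etc/vsftpd/chroot_list; the fallbacks are
# vsftpd's documented defaults; a missing list file is treated as empty
# (a simplification; the post creates the file with touch up front).

# conf_value FILE KEY DEFAULT: active value of KEY (last occurrence wins), else DEFAULT
conf_value() {
    _v=$(sed -n "s/^${2}=//p" "$1" | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# user_is_chrooted CONF USER: print yes/no; return 0 when USER is chrooted
user_is_chrooted() {
    _conf=$1 _user=$2
    _all=$(conf_value "$_conf" chroot_local_user NO)
    _use_list=$(conf_value "$_conf" chroot_list_enable NO)
    _list=$(conf_value "$_conf" chroot_list_file /etc/vsftpd/chroot_list)
    _listed=no
    if [ "$_use_list" = YES ] && [ -f "$_list" ] && grep -qx "$_user" "$_list"; then
        _listed=yes
    fi
    # The list inverts whatever chroot_local_user says for the users it names.
    case "$_all/$_listed" in
        YES/no|NO/yes) echo yes; return 0 ;;
        *)             echo no;  return 1 ;;
    esac
}

# chroot_report CONF USER...: one line per user, for a quick audit
chroot_report() {
    _c=$1; shift
    for _u in "$@"; do
        printf '%-10s chrooted=%s\n' "$_u" "$(user_is_chrooted "$_c" "$_u")"
    done
}

# Constructed files: the post's recommended settings, with "admin" allowed out.
demo_dir=$(mktemp -d)
printf 'admin\n' > "$demo_dir/chroot_list"
cat > "$demo_dir/vsftpd.conf" <<EOF
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$demo_dir/chroot_list
EOF

chroot_report "$demo_dir/vsftpd.conf" txidc admin
```

Run chroot_report against the live config with the real list of FTP accounts after every change to these three keys: a flipped chroot_local_user silently turns the exception list into the only users who are confined, which is exactly the inversion the ★ notes warn about.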