VSFTP简介

vsftpd 是一个基于 GPL 发布、运行于类 Unix 系统上的 FTP 服务器软件，全称是 Very Secure FTP Daemon。需要注意“安全”指的是守护进程自身的实现，而不是协议本身：普通 FTP 的用户名、口令和数据都是明文传输的，如需加密应启用 FTP over TLS（vsftpd 的 ssl_enable=YES）。

软件安装

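# Packages: vsftpd itself, MariaDB server, and the headers needed to build pam_mysql.
yum install vsftpd mariadb-server mariadb-devel pam-devel -y

# pam_mysql is built from source and installed as a PAM module, i.e. code that
# runs as root inside every vsftpd login. Fetch it over HTTPS (the original used
# plain HTTP, which lets an on-path attacker swap the archive) and compare the
# tarball against the checksum/signature published by the project before
# building. 0.7RC1 is an old release candidate; prefer a distribution package
# if one is available for your platform.
wget https://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
# sha256sum pam_mysql-0.7RC1.tar.gz    # compare with the published value

tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1

# Install the module into the 64-bit PAM module directory so the /etc/pam.d
# stack below can reference it by absolute path.
./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
make -j 4 && make install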

配置数据库

配置my.cnf

vim /etc/my.cnf
[mysqld]
innodb_file_per_table = 1
skip_name_resolve=1
# Binary logging records every data-changing statement. With statement-based
# (or mixed) format, the INSERT below that creates FTP accounts via
# PASSWORD('...') is written to the binlog with the cleartext password in the
# statement text -- protect the binlog files (and ~/.mysql_history) like
# credentials, or create the accounts from a session that is not logged.
log_bin=mysql-bin

启动mariadb

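systemctl start mariadb.service
systemctl enable mariadb.service
# A freshly installed MariaDB has a passwordless root account reachable from
# the local socket (the bare `mysql` login below relies on exactly that).
# Set a root password and remove the anonymous/test accounts before creating
# application users.
mysql_secure_installation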

建立数据库用户并授权

mysql
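-- Application account used by pam_mysql. The original host 'l27.0.0.1' (letter
-- "l", not the digit 1) never matches any client address; fix it to 127.0.0.1.
-- Replace the password 'vsftpd' with a real secret: it is also written into
-- /etc/pam.d/vsftpd.vusers below.
grant all on vsftpd.* to 'vsftpd'@'127.0.0.1' identified by 'vsftpd';
grant all on vsftpd.* to 'vsftpd'@'localhost' identified by 'vsftpd';

-- ALL is only needed while the schema is created with this account (next
-- steps). At login time pam_mysql only reads users(name, password), so once
-- setup is complete, trim the grant to least privilege:
--   revoke all privileges on vsftpd.* from 'vsftpd'@'127.0.0.1', 'vsftpd'@'localhost';
--   grant select on vsftpd.users to 'vsftpd'@'127.0.0.1', 'vsftpd'@'localhost';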

建数据库

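# Do not pass the password on the command line (-pvsftpd): it shows up in
# `ps` output for every local user and is saved in the shell history.
# A bare -p makes the client prompt for it instead.
mysql -u vsftpd -p -h localhost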
create database vsftpd;

建立表

use vsftpd;

-- One row per FTP login. pam_mysql looks rows up by `name` (usercolumn) and
-- compares `password` (passwdcolumn). MySQL PASSWORD() output is 41 characters,
-- so CHAR(48) leaves some headroom.
create table users (
    id       int unsigned not null auto_increment,
    name     varchar(100) not null,
    password char(48)     not null,
    primary key (id),
    unique key (name)
);

desc users;

建FTP登录授权账号

-- Two demo accounts (password identical to the username -- change them).
-- Caveats:
--  * crypt=2 in the PAM config requires exactly this PASSWORD() format; it is
--    an unsalted, fast SHA-1 construction, so offline brute force is cheap and
--    strong passwords are essential.
--  * The statement text, including the cleartext passwords, lands in
--    ~/.mysql_history and, with log_bin enabled, in the binary log.
--  * PASSWORD() is deprecated/removed in newer MySQL releases; MariaDB keeps it.
insert into users (name,password) values ('ftp1',password('ftp1')), ('ftp2',password('ftp2'));

配置Vsftp

创建系统用户vuser

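mkdir -pv /ftproot
# System account every virtual FTP user is mapped onto (guest_username). It only
# needs a home directory to serve as the FTP tree; give it no interactive shell
# so the account can never be used for SSH/console logins.
useradd -d /ftproot/vuser -s /sbin/nologin vuser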

创建目录并设置权限

# Sub-directories the virtual users will see: a read-only pub/ and a writable upload/.
mkdir -pv /ftproot/vuser/pub /ftproot/vuser/upload
# The FTP root itself must not be writable by anyone: vsftpd 3.x refuses to
# chroot a login into a writable root unless allow_writeable_chroot=YES is set.
chmod a-w /ftproot/vuser

配置 vsftpd.vusers（该文件内含数据库账号和口令，应由 root 持有且权限为 0600：chmod 600 /etc/pam.d/vsftpd.vusers）

vim /etc/pam.d/vsftpd.vusers
# Both entries carry the MariaDB credentials (user=/passwd=) in cleartext, so
# this file must stay root-owned with mode 0600. crypt=2 has to match the way
# the hashes were stored in users.password (MySQL PASSWORD()).
auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
# Account phase is answered from the same table with the same lookup.
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

crypt=0:口令以明文保存在数据库中
crypt=1:口令经 UNIX crypt(3)（传统 DES）散列后保存在数据库中
crypt=2:口令经 MySQL 的 PASSWORD() 函数散列后保存在数据库中（本文采用，与上面 insert 语句中的 password() 对应）
crypt=3:口令以 MD5 散列值的形式保存在数据库中
注意：以上都是散列（不可逆），不是加密；其中 PASSWORD() 和 MD5 方式未加盐且计算很快，抵抗离线暴力破解的能力有限，务必使用足够强的口令。

配置vsftpd.conf

cp /etc/vsftpd/vsftpd.conf{,.back}
vim /etc/vsftpd/vsftpd.conf                           
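# vsftpd.conf accepts only bare `option=value` lines: anything after the value,
# including a trailing "# comment", becomes part of the value and breaks the
# option (the original listing had inline comments). Comments go on their own lines.

# Treat every authenticated login as a virtual ("guest") user ...
guest_enable=YES
# ... mapped onto this system account, which must already exist (created above).
guest_username=vuser
# Name of the PAM stack under /etc/pam.d -- the hand-written vsftpd.vusers file.
pam_service_name=vsftpd.vusers
# Per-user overrides live here, one file named after each FTP login.
user_config_dir=/etc/vsftpd/vusers_config/

# Virtual users go through the local-user login path, so local_enable must be
# on, and anonymous access should be off. The transcript below shows paths
# relative to the FTP root ("/upload/..."), i.e. the login is chrooted -- make
# sure the rest of the config actually sets it (CentOS ships it commented out).
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES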

虚拟用户权限

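# Only upload/ is writable by the mapped account; pub/ and the root stay
# root-owned. Use `user:group` -- the old `user.group` spelling is ambiguous
# for usernames that contain a dot and is deprecated in GNU chown.
chown vuser:vuser /ftproot/vuser/upload
mkdir -pv /etc/vsftpd/vusers_config
# One file per virtual user; an empty file means "global settings only".
touch /etc/vsftpd/vusers_config/{ftp1,ftp2}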
vim /etc/vsftpd/vusers_config/ftp1
# ftp1: upload only. Guest logins are governed by the anon_* switches;
# anon_mkdir_write_enable and anon_other_write_enable stay at their default NO,
# which is why mkdir/rm return 550 in the transcript below.
anon_upload_enable=YES
vim /etc/vsftpd/vusers_config/ftp2
# ftp2: upload and create directories. Deleting/renaming would additionally
# need anon_other_write_enable=YES, which is not enabled here.
anon_upload_enable=YES
anon_mkdir_write_enable=YES

启动vsftpd服务

# Start vsftpd now and make it start at boot (the .service suffix is implied).
systemctl start vsftpd
systemctl enable vsftpd

登录验证（注意：以下是明文 FTP 会话，用户名、口令和文件内容均未加密；生产环境应在 vsftpd.conf 中启用 TLS，例如 ssl_enable=YES）
ftp1

ftp 10.120.123.11
220 (vsFTPd 3.0.2)
Name (10.120.123.11:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put issue
local: issue remote: issue

ftp> ls
227 Entering Passive Mode (10,120,123,11,130,37).
150 Here comes the directory listing.
-rw-------    1 1000     1000           23 Apr 20 08:24 issue
-rw-------    1 1000     1000      3157504 Apr 20 08:23 putty-64bit-0.71-installer.msi
226 Directory send OK.
ftp> mkdir 123
550 Permission denied.
ftp> rm issue
550 Permission denied.

ftp2

ftp 10.120.123.11
Connected to 10.120.123.11 (10.120.123.11).
220 (vsFTPd 3.0.2)
Name (10.120.123.11:root): ftp2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (10,120,123,11,36,210).
150 Ok to send data.
226 Transfer complete.
465 bytes sent in 7e-05 secs (6642.86 Kbytes/sec)
ftp> mkdir ftp2
257 "/upload/ftp2" created
ftp> ls
227 Entering Passive Mode (10,120,123,11,27,190).
150 Here comes the directory listing.
-rw-------    1 1000     1000          465 Apr 20 08:29 fstab
-rw-------    1 1000     1000           23 Apr 20 08:24 issue
drwx------    2 1000     1000            6 Apr 20 08:30 ftp2
-rw-------    1 1000     1000      3157504 Apr 20 08:23 putty-64bit-0.71-installer.msi
226 Directory send OK.

配置防火墙

加载内核模块 ip_conntrack_ftp、ip_nat_ftp（FTP 连接跟踪/NAT 辅助模块，被动模式的数据连接能否通过防火墙依赖它们；较新内核中模块名为 nf_conntrack_ftp、nf_nat_ftp，可用 modinfo 确认）

vim /etc/sysconfig/iptables-config
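# iptables-config is sourced as shell, so two IPTABLES_MODULES= lines do not
# accumulate: the second silently replaces the first (and the original second
# line was missing its closing quote). Load both FTP helpers in one
# space-separated assignment so passive-mode data connections are tracked and
# NATed alongside port 21. On newer kernels the modules are named
# nf_conntrack_ftp / nf_nat_ftp; check `modinfo` if the ip_* aliases are absent.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"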
vim /etc/sysconfig/iptables
# Only the control port is opened statically. Passive-mode data connections
# are admitted by the FTP conntrack helper loaded above (they match the
# RELATED,ESTABLISHED accept rule present in the default ruleset), so that
# rule must stay. Alternatively pin pasv_min_port/pasv_max_port in vsftpd.conf
# and open that range explicitly instead of relying on the helper.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

启动防火墙

systemctl restart iptables.service