Requirement: access FTP in passive mode, with each user confined to the contents of its own home directory and unable to change to any directory outside it.
Also, a few recommended FTP (SFTP) tools for Windows:
1. FreeFTP (features: FTP + SFTP; best suited to beginners, simple, fine when there are no permission requirements)
2. FileZilla (features: FTP; allows detailed configuration of user and directory permissions)
3. Titan FTP (features: FTP + SFTP and more; very comprehensive, takes some time to learn)
yum install -y vsftpd
centos6:service vsftpd start
centos7:systemctl start vsftpd
centos6:chkconfig vsftpd on
centos7:systemctl enable vsftpd
Default configuration file location: /etc/vsftpd/vsftpd.conf
anonymous_enable=YES #allow anonymous logins
local_enable=YES #local system users on the vsftpd host may log in
write_enable=YES #allow any FTP command that modifies the file system
local_umask=022 #umask for files created by local users
#anon_upload_enable=YES #may anonymous users upload files
#anon_mkdir_write_enable=YES #may anonymous users create directories
dirmessage_enable=YES
xferlog_enable=YES #enable a log file that records every upload and download
connect_from_port_20=YES #active-mode data connections originate from port 20
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/xferlog #log file location
xferlog_std_format=YES #write the log in standard xferlog format
#idle_session_timeout=600 #disconnect a logged-in session after this many seconds without activity (600 here)
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
#chroot_local_user=YES #confine all local users to their home directory; YES enables it (only the fixed directory is reachable); the default is NO, i.e. users may change directory freely
#chroot_list_enable=YES #enable the user list; when YES, only the users in chroot_list are prevented from changing directory; when NO, chroot_list has no effect
#chroot_list_file=/etc/vsftpd/chroot_list
#ls_recurse_enable=YES
listen=NO #standalone IPv4 listener (NO here; the IPv6 listener below is used instead)
listen_ipv6=YES
pam_service_name=vsftpd #name of the PAM service file used for authentication
userlist_enable=YES #allow the users named in the file given by userlist_file to log in to the FTP server
tcp_wrappers=YES #support tcp_wrappers access control (/etc/hosts.allow, /etc/hosts.deny)
(1) When anonymous_enable=YES, the default user is ftp with an empty password and the default directory is /var/ftp. A local anonymous login test after installation:
[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
(2) Local user login test, using the root account (fails with a 530 error):
[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
(3) Temporarily stop the firewall:
centos6:service iptables stop
centos7:systemctl stop firewalld
(4) When userlist_enable=YES (the feature is enabled), set userlist_deny to make the list work as a whitelist or a blacklist: userlist_deny=YES (blacklist, the default), userlist_deny=NO (whitelist).
userlist_enable=YES # enable list-based user control
userlist_deny=NO # whitelist mode (YES: blacklist mode)
userlist_file=/etc/vsftpd/user_list # whitelist file (or blacklist file)
(5) By default vsftpd listens on IPv6, which does not affect use; to switch to IPv4:
listen=YES # enable the IPv4 listener
#listen_ipv6=YES # disable the IPv6 listener
(6) Note that after all of this configuration the FTP login should succeed, yet it still reports a 530 error:
[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
The cause is this line in /etc/pam.d/vsftpd:
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
That is, /etc/vsftvd/ftpusers is evaluated strictly by the rules of the pam_listfile.so module: if a user appears in the file the result is false, i.e. the login is denied (put simply, it is a blacklist file), so its effect is the same as userlist_deny=NO. The root account used for the test is on this list, so removing it from the file lets the login succeed.
(7) If the account was created as one that cannot log in to the system, e.g. useradd -d /home/ftptest1 -m -s /bin/nologin ftpuser
then authenticating through the auth required pam_shells.so module in /etc/pam.d/vsftpd also produces a 530 error (presumably because of the account type: this user cannot log in to the system, unlike root and other login-capable system users).
Change that line to: auth required pam_nologin.so
(8) Think everything is fine once the steps above are done? Not yet; there is still an error:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
login failed.
421 Service not available, remote server has closed connection
The cause is not hard to find either. The official explanation is that an update introduced this check; put plainly, the user has write permission on the FTP root directory, but by default vsftpd does not allow the FTP root to be writable by the FTP user.
- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
The fix is simple as well: remove write permission from the FTP user's root directory:
chmod a-w /var/ftp/ftptest1
Some posts online say to add allow_writeable_chroot=YES to vsftpd.conf?? At least it did not work for me; it made the vsftpd restart fail.
(9) Another nasty problem: after logging in, files and directories cannot be listed:
ftp> ls
227 Entering Passive Mode (127,0,0,1,28,27).
150 Here comes the directory listing.
226 Directory send OK
The cause is SELinux restricting FTP; disabling SELinux resolves it. (The shipped vsftpd.conf below also points to the SELinux boolean ftp_home_dir for this case, which is the narrower alternative to turning SELinux off.)
(10) Now the settings that control whether users may change directory:
chroot_local_user=YES #confine all local users to their home directory; YES enables it (only the fixed directory is reachable); the default is NO, i.e. users may change directory freely; when YES, the two settings below have no effect
chroot_list_enable=YES #enable the user list; when YES, only the users in chroot_list are prevented from changing directory; when NO, chroot_list has no effect
chroot_list_file=/etc/vsftpd/chroot_list
The 500 OOPS error above is likewise caused by restricting this user's directory changes: chroot_list_enable=YES
That is about all I have to share; I will add more when I use more features. Please point out anything that is wrong!
Creating the FTP user, the configuration file and the error analysis are all covered above; finally, here are the user creation steps and the configuration files for reference.
Create the FTP login user (no system login), specify the home directory and set a password:
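As an added example (not from the original post), here is a POSIX shell pre-flight check that reads copies of vsftpd.conf, the PAM file and the ftpusers list and reports the conditions behind the failures in steps (4) to (10). The function name vsftpd_preflight, its argument order and the convention that the exit status equals the number of findings are my own; with chroot_local_user=YES it treats chroot_list as the exception list, as the comment in the shipped vsftpd.conf below describes.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for the vsftpd
# pitfalls in steps (4)-(10). Assumptions: file paths are passed as arguments
# (so copies can be checked), the home directory exists, and with
# chroot_local_user=YES the chroot list is the exception list. Prints one
# finding per line; the exit status is the number of findings (0 = clean).

# opt FILE KEY -> value of the last uncommented KEY=value line ("" if absent)
opt() { sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1; }

# listed FILE NAME -> true when NAME is a whole line of FILE (false if no file)
listed() { [ -f "$1" ] && grep -qxF "$2" "$1"; }

# vsftpd_preflight CONF PAM_FILE FTPUSERS USER HOMEDIR
vsftpd_preflight() {
    conf=$1 pam=$2 ftpusers=$3 user=$4 home=$5 n=0
    # (6) pam_listfile.so sense=deny: every name in ftpusers gets "530 Login incorrect"
    if listed "$ftpusers" "$user"; then
        echo "530: $user is in $ftpusers (pam_listfile sense=deny)"; n=$((n+1)); fi
    # (7) pam_shells.so rejects accounts whose shell (e.g. /sbin/nologin) is not in /etc/shells
    if grep -q '^auth[[:space:]]*required[[:space:]]*pam_shells\.so' "$pam"; then
        echo "530: $pam uses pam_shells.so, nologin accounts are rejected"; n=$((n+1)); fi
    # (4) whitelist mode (userlist_deny=NO) but the user is missing from the list
    if [ "$(opt "$conf" userlist_enable)" = YES ] && [ "$(opt "$conf" userlist_deny)" = NO ]; then
        list=$(opt "$conf" userlist_file); list=${list:-/etc/vsftpd/user_list}
        listed "$list" "$user" || { echo "530: userlist_deny=NO and $user not in $list"; n=$((n+1)); }
    fi
    # (5) listen=YES together with listen_ipv6=YES makes vsftpd refuse to start
    if [ "$(opt "$conf" listen)" = YES ] && [ "$(opt "$conf" listen_ipv6)" = YES ]; then
        echo "start: listen=YES and listen_ipv6=YES cannot be combined"; n=$((n+1)); fi
    # (8)/(10) decide whether this user is chrooted, then reject a writable chroot root
    inlist=no; listed "$(opt "$conf" chroot_list_file)" "$user" && inlist=yes
    chrooted=no
    if [ "$(opt "$conf" chroot_local_user)" = YES ]; then
        { [ "$(opt "$conf" chroot_list_enable)" = YES ] && [ $inlist = yes ]; } || chrooted=yes
    elif [ "$(opt "$conf" chroot_list_enable)" = YES ] && [ $inlist = yes ]; then
        chrooted=yes
    fi
    if [ $chrooted = yes ] && [ -d "$home" ]; then
        # any write bit on the root triggers "500 OOPS: ... writable root inside chroot()"
        case $(ls -ld "$home" | cut -c1-10) in
            *w*) echo "500 OOPS: $home is writable inside chroot (fix: chmod a-w $home)"; n=$((n+1)) ;;
        esac
    fi
    return $n
}
```

Run it as vsftpd_preflight /etc/vsftpd/vsftpd.conf /etc/pam.d/vsftpd /etc/vsftpd/ftpusers ftpuser /home/ftptest1 before restarting the service; every finding maps to one of the numbered steps above.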
[root@localhost ~]# useradd -d /home/ftptest1 -m -s /bin/nologin ftpuser
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost ~]# passwd ftpuser
Changing password for user ftpuser.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Configuration file: /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60010
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Configuration file: /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
auth required pam_nologin.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth