用户权限控制
ssl加密
tcp转发
安装
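# --- vsftpd installation and host preparation ---
# NOTE(review): `setenforce 0` puts SELinux into permissive mode for the running session only
# (it does not survive a reboot) and removes the confinement around the FTP daemon. Prefer to
# keep enforcing mode and adjust the ftpd_* booleans / file contexts for /data/bigdata-ftp
# instead (e.g. `setsebool -P ftpd_full_access on`; confirm the boolean name on your release
# with `getsebool -a | grep ftpd`).
setenforce 0
yum install vsftpd
# List the installed files; the configuration lives in /etc/vsftpd/.
rpm -ql vsftpd
systemctl start vsftpd
# 8990 is the control port (listen_port), 8991-8992 the passive data range
# (pasv_min_port/pasv_max_port) configured in vsftpd.conf.
# Shell comments start with '#'; the original trailing '//...' text is passed to the
# command as an extra argument and makes it fail.
firewall-cmd --zone=public --add-port=8990/tcp --permanent
firewall-cmd --zone=public --add-port=8991/tcp --permanent
firewall-cmd --zone=public --add-port=8992/tcp --permanent
# If clients only ever reach vsftpd through the nginx stream proxy (see the tcp forwarding
# section), restrict the source instead of opening the ports to the whole zone, e.g.:
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<nginx-ip>/32" port port="8990-8992" protocol="tcp" accept'
firewall-cmd --reload
# Local account every virtual FTP user is mapped onto (guest_username in vsftpd.conf).
# No shell; -M skips creating the home directory, it is created later by hand.
useradd -s /sbin/nologin -d /home/bsftp -M bsftp
# NOTE(review): with guest_enable the virtual users authenticate against the Berkeley DB, so
# this local password is never used for FTP; `passwd -l bsftp` (locked account) is the safer
# choice for a nologin mapping account.
passwd bsftp
cd /etc/vsftpd/
# Virtual user list: a username on one line, its password on the next (filled in below).
vim vu_list.txt
# Keep the distribution default for comparison.
cp vsftpd.conf vsftpd.conf.bak
# vsftpd rejects lines with stray whitespace around '=' or trailing spaces and does not allow
# comments after a value on the same line; keep every line as exact key=value.
vim vsftpd.conf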
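# ---- /etc/vsftpd/vsftpd.conf ----
# Comments must be on their own lines: vsftpd treats anything after '=' as the value.
# Only the virtual users from vu_list.db may log in; anonymous FTP is off.
anonymous_enable=NO
listen=YES
listen_port=8990
# Required so that non-anonymous (guest-mapped virtual) logins are processed at all.
local_enable=YES
# Global write lock: commands that change the filesystem (STOR, DELE, RNFR/RNTO, MKD, RMD,
# APPE) are refused unless a per-user file in user_config_dir re-enables write_enable.
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Transfer logging. xferlog_file was set twice in the original (/var/log/xferlog and
# /var/log/vsftpd.log); the later value is the effective one, so only it is kept.
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log
# 10,000,000 bytes/s (~10 MB/s). Guest (virtual) logins are classed as anonymous by vsftpd,
# so this limit applies to them.
anon_max_rate=10000000
# Active mode (PORT) from port 20. Largely irrelevant behind the TCP proxy, where only
# passive mode works.
connect_from_port_20=YES
# Passive mode. The reply to PASV travels inside the TLS channel, so the proxy cannot rewrite
# it: pasv_address MUST be the public address of the nginx proxy and the port range must be
# forwarded 1:1 to this host.
# NOTE(review): 107.279.270.122 is not a valid IPv4 address (octets above 255); replace it
# with the real proxy address.
pasv_address=107.279.270.122
# Two ports allow at most two simultaneous data connections.
pasv_min_port=8991
pasv_max_port=8992
# Disables the check that the data connection comes from the same IP as the control
# connection. It is only needed if the proxy's outbound address differs between the two
# connections and it weakens protection against data-connection hijacking; leave it off if
# transfers work without it.
pasv_promiscuous=yes
# Confine each login to its local_root. allow_writeable_chroot is required because the chroot
# root (/data/bigdata-ftp) is writable for the admin/upload profiles; vsftpd otherwise
# refuses to start the session.
chroot_local_user=YES
allow_writeable_chroot=YES
# ---- TLS ----
ssl_enable=YES
allow_anon_ssl=NO
# Plaintext logins and data transfers are refused for every (guest) user.
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
# SSLv2 and SSLv3 are broken (DROWN, POODLE) and were enabled in the original; keep them off.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# NOTE(review): if this vsftpd build understands ssl_tlsv1_1/ssl_tlsv1_2/ssl_tlsv1_3, set
# ssl_tlsv1=NO and ssl_tlsv1_1=NO so that only TLS 1.2+ is offered.
# Session reuse between control and data connection is vsftpd's defence against data-connection
# hijacking; it is turned off here only because many clients cannot do it.
require_ssl_reuse=NO
# HIGH alone still admits anonymous (aNULL) suites; exclude them and MD5.
ssl_ciphers=HIGH:!aNULL:!MD5
# Self-signed certificate and key in one PEM (generated in the SSL section), mode 400, root-owned.
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/.sslkey/vsftpd.pem
# ---- virtual users ----
# /etc/pam.d/vsftpd is rewritten to authenticate against vu_list.db with pam_userdb.
pam_service_name=vsftpd
# Every non-anonymous login becomes a guest running as the local account bsftp.
guest_enable=YES
guest_username=bsftp
# Per-user overrides: conf/admin, conf/upload, conf/download.
user_config_dir=/etc/vsftpd/conf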
vim vu_list.txt
upload
kdxx8.3
download
kxxx8.2
admin
kxxxx.2
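# Build the Berkeley DB that pam_userdb reads (key = username, value = password).
# -T: text input, -t hash: hash table; vu_list.txt alternates username and password lines.
db_load -T -t hash -f /etc/vsftpd/vu_list.txt /etc/vsftpd/vu_list.db
# Both the DB and the plaintext source list hold credentials in the clear. The original only
# locked down the .db and left vu_list.txt with its creation mode (typically 0644).
chmod 600 /etc/vsftpd/vu_list.db /etc/vsftpd/vu_list.txt
# NOTE(review): pam_userdb compares the stored value as plaintext unless its PAM line carries
# crypt=crypt, in which case the DB can hold crypt(3) hashes instead of the passwords themselves.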
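# Per-user override directory referenced by user_config_dir=/etc/vsftpd/conf. Each file is
# named after a virtual user and holds vsftpd.conf directives that apply to that login only.
# Absolute paths so the step does not depend on the shell still being in /etc/vsftpd.
mkdir -p /etc/vsftpd/conf
cd /etc/vsftpd/conf/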
vim admin
# conf/admin -- full read/write profile.
# Allow downloading entries that are not world-readable (uploads are created 0600 by default).
anon_world_readable_only=NO
# Master switch for filesystem-changing commands; without it the anon_* options below have no effect.
write_enable=YES
anon_mkdir_write_enable=YES
# Rename and delete (RNFR/RNTO, DELE, RMD).
anon_other_write_enable=YES
anon_upload_enable=YES
# Chroot root for this login (requires allow_writeable_chroot=YES in vsftpd.conf).
local_root=/data/bigdata-ftp
vim upload
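# conf/upload -- write-only drop box: may upload and create directories, may not download,
# delete or rename anything.
# write_enable is the master switch for STOR/MKD and every other filesystem-changing command;
# vsftpd.conf sets it to NO globally and the original override kept it at NO, which makes
# anon_upload_enable/anon_mkdir_write_enable below ineffective. It has to be YES here.
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
# anon_other_write_enable stays at the global NO, so DELE/RNFR/RNTO/RMD remain refused.
# Mirrors the other profiles; with download_enable=NO below RETR is impossible regardless.
anon_world_readable_only=NO
# No RETR: this login cannot fetch anything back.
download_enable=NO
# Chroot root for this login (requires allow_writeable_chroot=YES in vsftpd.conf).
local_root=/data/bigdata-ftp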
vim download
# conf/download -- read-only profile. write_enable stays NO from vsftpd.conf, so nothing can
# be uploaded, created, renamed or deleted.
# Allow downloading entries that are not world-readable (uploads are created 0600 by default).
anon_world_readable_only=NO
local_root=/data/bigdata-ftp
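cd /etc/pam.d/
# Keep the stock PAM stack for reference before replacing it with the pam_userdb version
# (same idea as vsftpd.conf.bak). The copy goes outside /etc/pam.d so it is not picked up
# as a service stack of its own.
cp vsftpd /etc/vsftpd/pam-vsftpd.bak
vim vsftpd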
>
#%PAM-1.0
# PAM stack for vsftpd virtual users: authentication is done against the Berkeley DB built
# with db_load, not against /etc/passwd. The stock lines are kept commented for reference:
#  - pam_shells would fail for virtual users, which have no passwd entry and no shell;
#  - the /etc/vsftpd/ftpusers deny list no longer applies; only names present in vu_list.db
#    can authenticate.
#session optional pam_keyinit.so force revoke
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth
# db= takes the path WITHOUT the .db suffix. Values in the DB are compared as plaintext unless
# crypt=crypt is appended, in which case the DB must hold crypt(3) hashes.
# NOTE(review): the absolute module path is unnecessary; plain `pam_userdb.so` is resolved by PAM.
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vu_list
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vu_list
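# Home of the mapping account (useradd -M above did not create it).
# NOTE(review): the original ran `chown bsftp.bsftp bsftp/` with a relative path while the
# working directory was still /etc/pam.d, so the chown never touched /home/bsftp. Absolute
# paths and the ':' group separator (the '.' form is a deprecated GNU extension) fix that.
mkdir -p /home/bsftp
chown bsftp:bsftp /home/bsftp
# Shared data tree used as local_root (and therefore chroot root) by all three profiles.
# Owned by the mapping account so admin/upload can write into it; this is the reason
# vsftpd.conf needs allow_writeable_chroot=YES.
mkdir -p /data/bigdata-ftp/
chown bsftp:bsftp /data/bigdata-ftp/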
用户权限说明
admin: 管理员,可用上传、下载、新建文件夹、删除、更改
upload:不可以下载,可用上传、新建文件夹,但不能删除和更改
download:只能下载
配置ssl加密(配置文件开启相应配置)
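# Self-signed certificate and private key in a single PEM, as referenced by
# rsa_cert_file/rsa_private_key_file in vsftpd.conf.
yum install -y openssl openssl-devel
# Create the key directory first (root-only) so the key is never written to a path with
# default permissions; the original generated it in the current directory and moved it later.
install -d -m 700 -o root -g root /etc/vsftpd/.sslkey
# -nodes: unencrypted key (vsftpd cannot prompt for a passphrase). -newkey rsa:2048 makes the
# key size explicit instead of relying on the openssl.cnf default; -sha256 avoids SHA-1
# signatures. -days 3560 is ~9.75 years; shorter lifetimes are easier to rotate.
# The CN/SAN should be the name or address clients connect to, i.e. the nginx proxy
# (pasv_address), not this backend host.
openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -days 3560 \
  -keyout /etc/vsftpd/.sslkey/vsftpd.pem -out /etc/vsftpd/.sslkey/vsftpd.pem
# vsftpd reads the key as root; nobody else needs access.
chmod 400 /etc/vsftpd/.sslkey/vsftpd.pem
systemctl restart vsftpd
# NOTE(review): because the certificate is self-signed, clients must be configured to trust
# or pin this exact certificate; otherwise FTPS gives no protection against an active
# attacker between the client and the proxy.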
tcp转发(使用被动模式进行连接)
# nginx stream (layer-4) forwarding for vsftpd; these blocks belong inside `stream { ... }`.
# The proxy only relays bytes: the FTPS control channel stays end-to-end encrypted and nginx
# cannot read or rewrite the PASV reply. Consequences:
#  - pasv_address in vsftpd.conf must be the public address of this proxy;
#  - every passive port must be forwarded to the same port number on the backend (8991, 8992);
#  - two passive ports allow at most two simultaneous data connections;
#  - vsftpd sees this proxy's address as the client, so /var/log/vsftpd.log does not hold the
#    real client IP -- correlate with the access_log below, which does.
# `hash $remote_addr consistent` is a no-op with a single upstream server; it only becomes
# meaningful with several backends, where hashing on the client address is what would keep
# that client's control and data connections on the same backend.
# The `proxy` format named in access_log must be defined with log_format in the stream context.
upstream bigdata-ftp {
hash $remote_addr consistent;
server 10.7.0.1:8990;
}
# Control channel: public 10990 -> backend listen_port 8990.
server {
listen 10990 so_keepalive=on;
proxy_pass bigdata-ftp;
access_log logs/bigdata-ftp-access.log proxy;
error_log logs/bigdata-ftp-error.log;
}
# Passive data port 8991, forwarded 1:1.
upstream bigdata-ftp-1 {
hash $remote_addr consistent;
server 10.7.0.1:8991;
}
server {
listen 8991 so_keepalive=on;
proxy_pass bigdata-ftp-1;
access_log logs/bigdata-ftp-access.log proxy;
error_log logs/bigdata-ftp-error.log;
}
# Passive data port 8992, forwarded 1:1.
upstream bigdata-ftp-2 {
hash $remote_addr consistent;
server 10.7.0.1:8992;
}
server {
listen 8992 so_keepalive=on;
proxy_pass bigdata-ftp-2;
access_log logs/bigdata-ftp-access.log proxy;
error_log logs/bigdata-ftp-error.log;
}