1. Installation
sudo apt-get install vsftpd
2. Configuration file
Note: the detailed settings of the configuration file are given below.
3. Create the virtual-user database
An example:
First, we assume you have already installed vsftpd and created the following 3 subdirectories under /home/vsftpd.
Next, we create 3 virtual users whose passwords are the username followed by "00",
such that
- user db1 has home directory dbzh1 and only read access there
- user db2 has home directory dbzh2 and only read access there
- user db3 has home directory dbzh3 and full access there
Create a text file loguser.txt
in the following format:
user_id
password
So the content of our /home/loguser.txt file is:
cd /home    (switch to the /home directory)
sudo touch /home/loguser.txt    (create the account and password file)
sudo gedit /home/loguser.txt
Then paste the account lines below into loguser.txt, one entry per line.
Note: odd lines are account names and even lines are passwords, i.e. lines 1, 3, 5, ... are usernames and lines 2, 4, 6, ... are passwords;
the last line must end with a newline (otherwise the last line is not recognised when the database file is built, which produces an "odd number of lines" error).
db1
db100
db2
db200
db3
db300
test
Generate the database
If you have never installed db4.8-util, or you are not sure whether it is installed, first run the following command:
sudo apt-get install db4.8-util
Then run:
sudo db4.8_load -T -t hash -f /home/loguser.txt /etc/vsftpd_login.db
Finally, set the access permissions of the database file:
sudo chmod 600 /etc/vsftpd_login.db
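An added example, not from the original notes, that checks a loguser.txt file against the rules above (trailing newline, no blank lines, no trailing whitespace, even line count) before it is handed to db_load. The loader binary name and the paths passed to build_vsftpd_login_db are assumptions; the sample user list is constructed to match the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: check a virtual-user list in the
# loguser.txt layout (odd lines = usernames, even lines = passwords) before it
# is fed to db_load. Returns 0 when usable, 1 with a reason otherwise.
validate_loguser_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    # db_load pairs lines up; without a final newline the last line is dropped,
    # which is the "odd number of lines" error the notes warn about.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "missing trailing newline: the last password would be lost"
        return 1
    fi
    if grep -q '^$' "$f"; then
        echo "blank line found: it would become an empty username or password"
        return 1
    fi
    if grep -q '[[:space:]]$' "$f"; then
        echo "trailing whitespace found: it would become part of a name or password"
        return 1
    fi
    n=$(wc -l < "$f")
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd number of lines ($n): a username has no password"
        return 1
    fi
    return 0
}

# Build the Berkeley DB hash file and lock it down as the notes do. The loader
# binary name depends on the installed Berkeley DB version (db4.8_load on the
# page, db5.3_load or db_load elsewhere), so it is passed in; run as root.
build_vsftpd_login_db() {
    loader="$1"; src="$2"; dst="$3"
    validate_loguser_file "$src" || return 1
    "$loader" -T -t hash -f "$src" "$dst" || return 1
    chmod 600 "$dst"
}

# Constructed sample matching the notes (db1/db100, db2/db200, db3/db300).
sample=$(mktemp)
printf 'db1\ndb100\ndb2\ndb200\ndb3\ndb300\n' > "$sample"
validate_loguser_file "$sample" && echo "list OK: $sample"
# To build for real (assumed paths):
# build_vsftpd_login_db db4.8_load "$sample" /etc/vsftpd_login.db
```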
Configure the PAM file
Edit the file /etc/pam.d/vsftpd.vu and add the following two lines before the existing content:
auth required pam_userdb.so db=/etc/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd_login
- The database vsftpd_login created in the previous step is used here.
- The virtual users we created are authenticated through PAM; this is enabled by the line pam_service_name=vsftpd.vu in /etc/vsftpd.conf, as you will see later.
- Note: /lib/security/pam_userdb.so may not exist, so run: ln /lib/x86_64-linux-gnu/security/pam_userdb.so /lib/security/pam_userdb.so
Create a local system user for the virtual users
Create a system user vsftpd with home directory /home/vsftpd and login shell /bin/false (so that it cannot log into the system):
sudo useradd vsftpd -d /home/vsftpd -s /bin/false
sudo chown vsftpd:vsftpd /home/vsftpd
/etc/vsftpd.conf
Create /etc/vsftpd.conf as needed; in general, make sure it contains the following settings:
listen=YES
anonymous_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd_user_conf
pam_service_name=vsftpd.vu
local_enable=YES
secure_chroot_dir=/var/run/vsftpd
At this point all 3 of our users can log in, but their root directory is /home/vsftpd for all of them and their permissions are identical. So how do we achieve the goal we set out above?
/etc/vsftpd_user_conf
The configuration above contains this line:
user_config_dir=/etc/vsftpd_user_conf
Now we put each user's configuration file into the directory /etc/vsftpd_user_conf; the file name is the username.
Create the directory and switch to it:
sudo mkdir /etc/vsftpd_user_conf
cd /etc/vsftpd_user_conf
sudo touch db1 db2 db3
The content of the db1 file is as follows:
local_root=/home/vsftpd/dbzh1
Likewise, the content of the db2 file:
local_root=/home/vsftpd/dbzh2
And the content of db3? That is simple too:
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/home/vsftpd/dbzh3
Note that there must be no trailing spaces here, otherwise an error is reported at login.
If there is a space, the terminal reports at login:
500 OOPS: bad bool value in config file for: guest_enable Login failed.
or
500 OOPS: bad bool value in config file for: anon_upload_enable Login failed.
or a similar "bad bool value" message,
because a space follows your YES/NO boolean value, i.e.:
anon_world_readable_only=NO    (followed by a space)
The correct format is:
anon_world_readable_only=NO    (no trailing space!)
Delete the space after NO with the backspace key.
Does it work?
Restart vsftpd and we can see the result ^_^
/etc/init.d/vsftpd start|restart
Error fix === 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
If this error appears, the permissions on your ftp root folder are too broad and must be tightened, as follows: chmod -x /home/vsftpd and that's it!
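An added example, not part of the original notes, that serves the two errors described above: it lints the files in user_config_dir for boolean values followed by whitespace ("bad bool value") and for a local_root the guest user could write to inside the chroot ("refusing to run with writable root"). The directory and the guest user name are arguments; permissions are read from ls -ld and group membership is not resolved, which is an assumption about how far the check needs to go.

```shell
#!/bin/sh
# Added example, not from the original notes: lint the per-user files in
# user_config_dir before restarting vsftpd. It flags the two failures the notes
# describe: a YES/NO value followed by a space ("500 OOPS: bad bool value ...")
# and a local_root the guest user could write to while chrooted
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()").

# Does user $2 (guest_username, vsftpd in the notes) have write permission on
# directory $1? Owner and world bits are read from ls -ld; group membership is
# not resolved here, so a group-writable root owned by someone else passes.
dir_writable_by() {
    info=$(ls -ld "$1") || return 1
    mode=$(printf '%s' "$info" | cut -c2-10)     # rwxrwxrwx
    owner=$(printf '%s' "$info" | awk '{print $3}')
    case "$mode" in ???????w*) return 0 ;; esac  # o+w: the "chmod 777" case
    if [ "$owner" = "$2" ]; then
        case "$mode" in ?w*) return 0 ;; esac    # owned by the guest user, u+w
    fi
    return 1
}

# lint_vsftpd_user_conf DIR GUEST_USER: prints one line per problem and returns
# the number of problems found (0 means the directory is clean).
lint_vsftpd_user_conf() {
    dir="$1"; guest="${2:-vsftpd}"; problems=0
    for conf in "$dir"/*; do
        [ -f "$conf" ] || continue
        user=$(basename "$conf")
        # "anon_upload_enable=YES " is parsed as the value "YES ", which vsftpd rejects.
        if grep -Eq '=(YES|NO)[[:space:]]+$' "$conf"; then
            echo "$user: boolean value followed by whitespace"
            problems=$((problems + 1))
        fi
        root=$(sed -n 's/^local_root=//p' "$conf" | head -n 1)
        if [ -n "$root" ] && [ ! -d "$root" ]; then
            echo "$user: local_root $root does not exist (cannot change directory)"
            problems=$((problems + 1))
        elif [ -n "$root" ] && dir_writable_by "$root" "$guest"; then
            echo "$user: local_root $root is writable by $guest (chmod a-w the root, upload into a subdirectory)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Run it as lint_vsftpd_user_conf /etc/vsftpd_user_conf vsftpd before the restart; a non-zero return means at least one user would fail to log in.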
500 OOPS: cannot change directory:
Problem encountered when opening ftp on Linux: 500 OOPS: cannot change directory:
Many Google results say that running the following fixes it:
setsebool ftpd_disable_trans 1
service vsftpd restart
But running it produced this problem: Could not change active booleans: Invalid boolean
After a long search it was finally solved with:
setsebool -P ftp_home_dir=1
Appendix 1:
*** Configuration file /etc/vsftpd.conf:
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
# Set to NO to disable anonymous sharing
anonymous_enable=YES
# Change the anonymous user's directory
anon_root=/media/sharedisk/ftp
# Allow anonymous users to delete directories and files:
#anon_other_write_enable=YES
# Allow anonymous users to download the files they uploaded themselves:
#anon_umask=022
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd_user_conf
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd.vu
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
Appendix 2:
Adding a vsftpd user:
1. Prepare to add the user newusername (the name of the new user)
2. Add the system user:
sudo useradd -g ftp -d /home/newusername_home_directory -s /sbin/nologin newusername
3. sudo editor /home/loguser.txt
Note: odd lines are account names, even lines are passwords
4. Switch to the directory defined in vsftpd.conf: user_config_dir=/etc/vsftpd_user_conf
cd /etc/vsftpd_user_conf
5. sudo touch newusername
6. Configure
sudo editor /etc/vsftpd_user_conf/newusername
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/home/vsftpd/dbzh3
7. Load the new user
sudo db6.0_load -T -t hash -f /home/loguser.txt /etc/vsftpd_login.db
Appendix 3:
Errors that may occur:
a. No files are shown after anonymous login: the folder permissions are probably set wrongly
b. Login failure: 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
After upgrading vsftpd or vsftpd-ext you may be getting the following message when trying to log in.
500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
This is due to the following update:
- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
The problem is that your user's root directory is writable, which isn't allowed when using chroot restrictions in the new update.
To fix this you must either remove write permissions on the user's root directory with the following command, replacing the directory with your user's root:
chmod a-w /home/user
Or you can work around this security check by adding either of the two below into your configuration file.
For the standard vsFTPd build (vsftpd):
allow_writeable_chroot=YES
For the extended vsFTPd build (vsftpd-ext):
allow_writable_chroot=YES
Removing the write permission on the root isn't a perfect solution, as doing this can cause a few problems with things that need to write to the root directory, such as the bash history file or some graphical environments.
Dmitriy has suggested 3 ways to also overcome this problem, be sure to check them out.
c. The anonymous directory may be inaccessible because of permissions:
Ownership settings for the anonymous login user's directory:
after a successful setup they are ftp:ftp (user ftp, group ftp)
d. Virtual users may be unable to upload because of permissions (553 could not create file):
Permission settings for the virtual user's ftp directory:
sudo chmod 777 -R virtualuserftpdir
sudo chown ftpvirtualusername:ftp virtualuserftpdir
Appendix 4:
The directory error "500 OOPS: cannot change directory" kept appearing
even though no configuration error could be found; it finally turned out that the home directory of the user vsftpd was wrong. Fix it as follows:
sudo usermod -d /home/vsftpd_directory vsftpd
Appendix 5:
When building an anonymous server, how to make it readable by everyone but writable by one or more people:
1. make the anonymous share read-only
2. create users whose root points to the anonymous share directory and give them write permission on it.
Appendix 6:
Setting timeouts:
1. idle timeout
2. data connection timeout