vsftpd 是"very secure FTP daemon"的缩写,安全性是它的一个最大的特点。vsftpd 是一个在 UNIX 类操作系统上运行的服务,是完全免费的、开放源代码的 ftp 服务器软件。需要注意的是,"very secure"指的是守护进程本身的实现(权限分离、chroot 等),而 FTP 协议本身仍然是明文传输:用户名、口令和文件内容都会以明文经过网络。在不可信的网络上应开启 FTPS(`ssl_enable=YES`)或改用 SFTP。
因为只是了解相关 vsftpd 服务的搭建与配置,为了减少干扰,这里先关闭 selinux。在生产环境中不应这样做:应保持 enforcing,并按需打开 vsftpd 相关的布尔值(可用 `getsebool -a | grep ftp` 查看,例如 `setsebool -P ftpd_full_access on` 允许写入、`setsebool -P ftp_home_dir on` 允许访问家目录)。
[root@foundation80 ~]# vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled ##disabled 关闭 ##enforcing 强制执行 ##permissive 只记录警告,不阻止
注意:修改这个文件要重启后才生效;当前会话可用 `setenforce 0` 临时切换到 permissive。设为 disabled 之后再改回 enforcing 时,文件系统需要重新打标签(首次启动会触发 relabel,耗时较长),因此实验完成后建议改回 permissive/enforcing 而不是长期保持 disabled。
安装vsftpd服务
[root@foundation80 ~]# yum install vsftpd.x86_64 -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:3.0.2-21.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vsftpd x86_64 3.0.2-21.el7 RHEL7.3 169 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 169 k
Installed size: 348 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : vsftpd-3.0.2-21.el7.x86_64 1/1
Verifying : vsftpd-3.0.2-21.el7.x86_64 1/1
Installed:
vsftpd.x86_64 0:3.0.2-21.el7
Complete!
启动vsftpd服务,并设置开机启动
[root@foundation80 ~]# systemctl start vsftpd ##启动服务
[root@foundation80 ~]# systemctl enable vsftpd ##设置开机启动
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
配置防火墙允许 ftp 服务。不建议直接关闭防火墙——只需放行 ftp 这一个服务即可。firewalld 的 `ftp` 服务会加载 nf_conntrack_ftp 连接跟踪模块,被动模式(PASV)的数据连接会被自动跟踪放行;如果之后开启了 FTPS,连接跟踪无法读取加密后的 PASV 应答,这时需要在 vsftpd.conf 中固定 `pasv_min_port`/`pasv_max_port` 并在防火墙中单独放行该端口范围。下面 netstat 的输出 `:::21` 表示在所有 IPv4/IPv6 地址上监听,如果只想对内网提供服务,可用 `listen_address` 限定绑定地址。
[root@foundation80 ~]# netstat -antlupe | grep vsftpd
tcp6 0 0 :::21 :::* LISTEN 0 47334 12752/vsftpd
[root@foundation80 ~]# firewall-cmd --list-all ##查看防火墙
public (active)
target: default
icmp-block-inversion: no
interfaces: br0 enp0s31f6 wlp3s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@foundation80 ~]# firewall-cmd --permanent --add-service=ftp ##永久添加服务ftp
success
[root@foundation80 ~]# firewall-cmd --reload ##重新加载
success
[root@foundation80 ~]# firewall-cmd --list-all ##查看防火墙配置
public (active)
target: default
icmp-block-inversion: no
interfaces: br0 enp0s31f6 wlp3s0
sources:
services: dhcpv6-client ftp ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
安装ftp客户端软件lftp,vsftpd提供服务,为服务端,访问使用lftp,为客户端
[root@foundation80 ~]# yum install lftp -y ##安装lftp
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package lftp.x86_64 0:4.4.8-8.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
lftp x86_64 4.4.8-8.el7 RHEL7.3 751 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 751 k
Installed size: 2.4 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : lftp-4.4.8-8.el7.x86_64 1/1
Verifying : lftp-4.4.8-8.el7.x86_64 1/1
Installed:
lftp.x86_64 0:4.4.8-8.el7
Complete!
vsftpd文件位置
/var/ftp ##默认发布目录(匿名用户的根目录,应保持属主为 root 且对 ftp 用户不可写,否则 vsftpd 会拒绝匿名登录)
/etc/vsftpd ##配置文件目录
/etc/vsftpd/ftpusers ##由 PAM(pam_listfile)强制的用户黑名单,列在其中的用户一律拒绝登录,不要把 root 等系统账户从中删掉
/etc/vsftpd/user_list ##userlist_enable=YES 时生效的用户列表:userlist_deny=YES(默认)时是黑名单,列表中的用户在输入口令之前就被拒绝;userlist_deny=NO 时变成白名单,只有列表中的用户才能登录(见下文 userlist_deny)
vsftpd服务配置常用参数
man 5 vsftpd.conf ##获取配置参数帮助信息
###匿名用户配置###
anonymous_enable=YES ##是否允许匿名用户登录,只在确实需要公开下载时才开启
anon_upload_enable=YES ##是否允许匿名用户上传文件,前提是全局 write_enable=YES,并且上传目录对 ftp 用户(vsftpd 的匿名身份)有写入权限;上传目录通常应设成"只能写不能读",避免服务器被当作公开中转站
anon_mkdir_write_enable=YES ##是否允许匿名用户建立目录,同样需要 write_enable=YES
anon_world_readable_only=YES ##为 YES(默认)时匿名用户只能下载"其他人可读"(o+r)的文件;设为 NO 则只要 ftp 用户自身能读的文件都可以下载,会把本不打算公开的文件暴露出去
anon_other_write_enable=YES ##允许匿名用户删除和重命名文件,默认为 NO,一般不要开启
anon_umask=xxx ##匿名用户上传文件的权限掩码,默认 077(上传的文件其他人不可读)
anon_max_rate=* ##匿名用户数据传输的最大速率,单位 bytes/秒,0 表示不限制
max_clients=* ##最大同时连接数,0 表示不限制;建议设定一个上限,防止连接数耗尽资源
anon_root=/目录 ##匿名用户登录后的根目录
chown_uploads=YES ##匿名上传的文件自动更改属主
chown_username=用户名 ##匿名上传文件的新属主,默认是 root;建议改为一个专用的非特权账户,不要让上传的文件归 root 所有
###本地用户配置###
local_enable=YES ##是否允许本地(系统)用户登录;FTP 是明文协议,系统账户的口令会以明文经过网络
write_enable=YES ##全局写开关,为 NO 时所有写操作(上传、删除、建目录等)都被禁止
local_root=/目录 ##本地用户登录后的根目录
local_umask=xxx ##本地用户上传文件的权限掩码,默认 077
chroot_local_user=YES ##把本地用户锁定在自己的家目录中;vsftpd 3.x 要求 chroot 的根目录本身不可写,否则登录时报 "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"。正确做法是去掉家目录的写权限,把可写的子目录放在家目录下;不建议用 allow_writeable_chroot=YES 绕过这个检查
chroot_list_enable=YES ##启用 chroot 用户列表;chroot_local_user=YES 时列表中的用户是例外(不被锁定),chroot_local_user=NO 时则只有列表中的用户被锁定
chroot_list_file=/etc/vsftpd/chroot_list ##指定 chroot_list_enable 参数使用的用户列表文件
userlist_deny=NO ##需要 userlist_enable=YES 才生效;设为 NO 时 /etc/vsftpd/user_list 变成白名单,只有其中的用户可以登录;默认 YES 时该文件是黑名单
FTP中虚拟账户的配置
[root@foundation80 ~]# cd /etc/vsftpd
[root@foundation80 vsftpd]# cat >> virtuser << "EOF" ##创建用户列表文件
> ftpuser1
> 123
> ftpuser2
> 123
> ftpuser3
> 123
> EOF
[root@foundation80 vsftpd]# db_load -T -t hash -f /etc/vsftpd/virtuser virtuser.db ##创建用户数据库
注意:virtuser 里的口令是明文,示例中的 123 只适合实验环境。生成数据库后应当限制两个文件的权限(`chmod 600 /etc/vsftpd/virtuser /etc/vsftpd/virtuser.db`),或者删除明文的 virtuser 文件,避免本机其他用户读到虚拟账户的口令。
[root@foundation80 vsftpd]# vim /etc/pam.d/ftpusers ##新建一个名为 ftpusers 的 PAM 服务(只是一个服务名,与 /etc/vsftpd/ftpusers 黑名单文件无关)
account required pam_userdb.so db=/etc/vsftpd/virtuser
auth required pam_userdb.so db=/etc/vsftpd/virtuser
说明:db= 的路径不带 .db 后缀,pam_userdb 会自动补上。这个 PAM 服务只包含 pam_userdb,默认 /etc/pam.d/vsftpd 中的其它检查(例如基于 /etc/vsftpd/ftpusers 的黑名单)不会再对虚拟用户生效。pam_userdb 默认按明文比对口令,所以数据库文件必须只对 root 可读。
[root@foundation80 vsftpd]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=ftpusers ##指定 vsftpd 使用上面新建的 PAM 服务
guest_enable=YES ##开启访客模式:所有通过 PAM 认证的非匿名用户都映射为 guest_username 指定的系统账户
####指定虚拟帐号的身份####
[root@foundation80 home]# useradd student ##建议写成 useradd -s /sbin/nologin student:这个账户只用作虚拟用户的映射身份,不应能通过 ssh 等方式交互登录
[root@foundation80 home]# cat >> /etc/vsftpd/vsftpd.conf << "EOF"
> guest_username=student ##指定访客身份为student
> EOF
[root@foundation80 home]# chmod u-w /home/student/ ##去掉写权限:虚拟用户会被 chroot 到这个目录,vsftpd 3.x 拒绝在可写的 chroot 根目录下运行
####虚拟帐号家目录单独指定####
[root@foundation80 home]# chmod g+s /home/student/ ##设置 setgid,之后在其下新建的目录继承 student 组
[root@foundation80 student]# mkdir /home/student/ftpuser{1..3} ##为每个虚拟用户建一个独立目录;这些目录由 root 创建,如果虚拟用户需要上传,还要把它们交给 student(例如 chown student /home/student/ftpuser{1..3}),而 /home/student 本身仍必须保持不可写
[root@foundation80 home]# cat >> /etc/vsftpd/vsftpd.conf << "EOF"
> local_root=/home/student/$USER ##每个虚拟用户登录后的根目录
> user_sub_token=$USER ##定义 $USER 为 vsftpd 的占位符,登录时替换成实际用户名;这里的 $USER 不是 shell 变量,here-doc 用了带引号的 "EOF" 才不会被 shell 展开成当前用户 root
> EOF
####虚拟账户单独配置####
user_config_dir=/etc/vsftpd/用户配置目录 ##指定用户配置目录
/etc/vsftpd/用户配置目录/用户名 ##单独配置用户参数,优先级高于 /etc/vsftpd/vsftpd.conf。这些文件能覆盖几乎所有设置(包括 local_root、write_enable 等),因此该目录及其中文件必须属主为 root 且其他用户不可写,绝不能让虚拟用户映射的账户能修改它们