Linux下vsftp部署过程

一、安装并启动服务

 1 [root@node01 ~]# systemctl status vsftpd.service
 2 ● vsftpd.service - Vsftpd ftp daemon
 3    Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
 4    Active: active (running) since Sat 2018-07-21 05:39:53 CST; 13s ago
 5   Process: 2958 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 6  Main PID: 2959 (vsftpd)
 7    CGroup: /system.slice/vsftpd.service
 8            └─2959 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
 9 
10 Jul 21 05:39:53 node01 systemd[1]: Starting Vsftpd ftp daemon...
11 Jul 21 05:39:53 node01 systemd[1]: Started Vsftpd ftp daemon.
12 [root@node01 ~]# ss -tnlp|grep 21
13 LISTEN     0      32          :::21                      :::*                   users:(("vsftpd",pid=2959,fd=3))
14 [root@node01 ~]# 

二、匿名用户访问

       默认情况下,启动服务可以通过匿名用户直接登录,但是不允许上传文件

 1 [root@node02 ~]# lftp 192.168.0.10
 2 lftp 192.168.0.10:~> dir                         
 3 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
 4 lftp 192.168.0.10:/> cd pub/
 5 lftp 192.168.0.10:/pub> dir
 6 lftp 192.168.0.10:/pub> put /etc/passwd
 7 put: Access failed: 550 Permission denied. (passwd)
 8 lftp 192.168.0.10:/pub> put /etc/fstab
 9 put: Access failed: 550 Permission denied. (fstab)
10 lftp 192.168.0.10:/pub> 

默认情况下 vsftpd 中匿名上传的配置是关闭的,需要在 vsftpd.conf 中把以下两项设置为 YES(被注释的取消注释),另外确保 write_enable=YES:

anonymous_enable=YES 

anon_upload_enable=YES

write_enable=YES

[root@node01 vsftpd]# grep -E "anonymous_enable|anon_upload_enable|write_enable" vsftpd.conf
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
[root@node01 vsftpd]# systemctl restart vsftpd.service
[root@node01 vsftpd]#

接下来再次测试:

 1 [root@node02 ~]# lftp 192.168.0.10
 2 lftp 192.168.0.10:~> ls
 3 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
 4 drwxr-xr-x    2 0        0               6 Jul 20 23:05 upload
 5 lftp 192.168.0.10:/> lcd
 6 lcd ok, local cwd=/root
 7 lftp 192.168.0.10:/> lcd /etc/
 8 lcd ok, local cwd=/etc
 9 lftp 192.168.0.10:/> cd pub/
10 lftp 192.168.0.10:/pub> put passwd
11 put: Access failed: 553 Could not create file. (passwd)
12 lftp 192.168.0.10:/pub> cd ..
13 lftp 192.168.0.10:/> dir
14 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
15 drwxr-xr-x    2 0        0               6 Jul 20 23:05 upload
16 lftp 192.168.0.10:/> cd upload/
17 lftp 192.168.0.10:/upload> put fstab
18 put: Access failed: 553 Could not create file. (fstab)
19 lftp 192.168.0.10:/upload> 

发现仍然无法上传文件,为什么修改了对应项目还是无法上传呢?这里我们来看一下vsftp的上传目录下的权限

 1 [root@node01 ~]# ls -ld /var/ftp/
 2 drwxr-xr-x 4 root root 29 Jul 21 07:05 /var/ftp/
 3 [root@node01 ~]# cd /var/ftp/
 4 [root@node01 ftp]# ls -ald
 5 drwxr-xr-x 4 root root 29 Jul 21 07:05 .
 6 [root@node01 ftp]# ls -al
 7 total 4
 8 drwxr-xr-x   4 root root   29 Jul 21 07:05 .
 9 drwxr-xr-x. 20 root root 4096 Jul 21 05:35 ..
10 drwxr-xr-x   2 root root    6 Aug  3  2017 pub
11 drwxr-xr-x   2 root root    6 Jul 21 07:05 upload
12 [root@node01 ftp]#

发现上传根目录及其子目录的属主和属组都是 root,而匿名用户登录后被映射为 ftp 用户,ftp 用户对 pub、upload 目录都没有写入权限,所以上传文件会报错。这里只修改 upload 目录的属主,使 ftp 用户对该目录可写(不要把 /var/ftp 根目录改为可写):

1 [root@node01 ftp]# chown ftp upload
2 [root@node01 ftp]# ll
3 total 0
4 drwxr-xr-x 2 root root 6 Aug  3  2017 pub
5 drwxr-xr-x 2 ftp  root 6 Jul 21 07:05 upload
6 [root@node01 ftp]#

再测试上传文件

 1 lftp 192.168.0.10:/upload> bye
 2 [root@node02 ~]# lftp 192.168.0.10
 3 lftp 192.168.0.10:~> ls
 4 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
 5 drwxr-xr-x    2 14       0               6 Jul 20 23:05 upload
 6 lftp 192.168.0.10:/> cd upload
 7 lftp 192.168.0.10:/upload> lcd /etc/
 8 lcd ok, local cwd=/etc
 9 lftp 192.168.0.10:/upload> put passwd
10 1080 bytes transferred                        
11 lftp 192.168.0.10:/upload> put fstab
12 501 bytes transferred
13 lftp 192.168.0.10:/upload> exit
14 [root@node02 ~]# lftp 192.168.0.10
15 lftp 192.168.0.10:~> lcd /etc
16 lcd ok, local cwd=/etc
17 lftp 192.168.0.10:~> cd pub/
18 lftp 192.168.0.10:/pub> put passwd
19 put: Access failed: 553 Could not create file. (passwd)
20 lftp 192.168.0.10:/pub> put fstab
21 put: Access failed: 553 Could not create file. (fstab)
22 lftp 192.168.0.10:/pub> exit
23 [root@node02 ~]# 

发现upload可以上传,pub目录仍然无法上传

 1 [root@node01 ~]# cd /var/ftp/
 2 [root@node01 ftp]# ls -la
 3 total 4
 4 drwxr-xr-x   4 root root   29 Jul 21 07:05 .
 5 drwxr-xr-x. 20 root root 4096 Jul 21 05:35 ..
 6 drwxr-xr-x   2 root root    6 Aug  3  2017 pub
 7 drwxr-xr-x   2 ftp  root   31 Jul 21 07:22 upload
 8 [root@node01 ftp]# cd upload/
 9 [root@node01 upload]# ls -lh
10 total 8.0K
11 -rw------- 1 ftp ftp  501 Jul 21 07:22 fstab
12 -rw------- 1 ftp ftp 1.1K Jul 21 07:22 passwd
13 [root@node01 upload]#

上传之后的文件 fstab、passwd 权限为 600(仅属主 ftp 可读写),接下来进一步验证创建目录和文件:

 1 [root@node02 ~]# lftp 192.168.0.10
 2 lftp 192.168.0.10:~> ls
 3 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
 4 drwxr-xr-x    2 14       0              31 Jul 20 23:22 upload
 5 lftp 192.168.0.10:/> cd upload/
 6 lftp 192.168.0.10:/upload> ls -l
 7 -rw-------    1 14       50            501 Jul 20 23:22 fstab
 8 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
 9 lftp 192.168.0.10:/upload> mkdir ftpdir
10 mkdir: Access failed: 550 Permission denied. (ftpdir)
11 lftp 192.168.0.10:/upload> touch ftpfile
12 Unknown command `touch'.
13 lftp 192.168.0.10:/upload> ls -lh
14 -rw-------    1 14       50            501 Jul 20 23:22 fstab
15 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
16 lftp 192.168.0.10:/upload>

发现在 upload 目录下无法创建目录(lftp 本身也没有 touch 命令,所以创建空文件的测试无法直接进行),提示没有权限。接下来解决无法创建目录的问题:vsftpd 中有一个配置选项 "anon_mkdir_write_enable=YES",默认是注释掉的,去掉注释并重启 vsftpd 服务后重新测试创建目录:

 1 [root@node01 vsftpd]# grep "anon_mkdir_write_enable=YES" /etc/vsftpd/vsftpd.conf
 2 anon_mkdir_write_enable=YES
 3 [root@node01 vsftpd]#
 4 [root@node01 vsftpd]# systemctl restart vsftpd.service
 5 [root@node02 ~]# lftp 192.168.0.10
 6 lftp 192.168.0.10:~> cd upload/
 7 lftp 192.168.0.10:/upload> ls -la
 8 drwxr-xr-x    2 14       0              31 Jul 20 23:22 .
 9 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
10 -rw-------    1 14       50            501 Jul 20 23:22 fstab
11 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
12 lftp 192.168.0.10:/upload> mkdir ftpdir
13 mkdir ok, `ftpdir' created
14 lftp 192.168.0.10:/upload>
15 lftp 192.168.0.10:/upload> ls -la
16 drwxr-xr-x    3 14       0              44 Jul 20 23:41 .
17 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
18 -rw-------    1 14       50            501 Jul 20 23:22 fstab
19 drwx------    2 14       50              6 Jul 20 23:41 ftpdir
20 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
21 lftp 192.168.0.10:/upload>

调整参数之后可以创建目录,接下来测试删除目录操作

1 lftp 192.168.0.10:/upload> ls -l
2 -rw-------    1 14       50            501 Jul 20 23:22 fstab
3 drwx------    2 14       50              6 Jul 20 23:41 ftpdir
4 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
5 lftp 192.168.0.10:/upload> rm fstab
6 rm: Access failed: 550 Permission denied. (fstab)
7 lftp 192.168.0.10:/upload> rm passwd
8 rm: Access failed: 550 Permission denied. (passwd)
9 lftp 192.168.0.10:/upload>

在 vsftpd 中有一个参数 "anon_other_write_enable" 用来控制匿名用户的删除和重命名权限。注意:开启之后任何匿名用户都可以删除或重命名 upload 目录下的文件,生产环境中应谨慎启用。我们添加之后重启 vsftpd 服务,再进行验证:

 1 [root@node01 vsftpd]# grep "anon_other_write_enable=YES" /etc/vsftpd/vsftpd.conf
 2 anon_other_write_enable=YES
 3 [root@node01 vsftpd]# systemctl restart vsftpd.service
 4 [root@node01 vsftpd]#
 5 lftp 192.168.0.10:/upload> exit
 6 [root@node02 ~]# lftp 192.168.0.10
 7 lftp 192.168.0.10:~> cd upload/
 8 lftp 192.168.0.10:/upload> ls -la
 9 drwxr-xr-x    3 14       0              44 Jul 20 23:41 .
10 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
11 -rw-------    1 14       50            501 Jul 20 23:22 fstab
12 drwx------    2 14       50              6 Jul 20 23:41 ftpdir
13 -rw-------    1 14       50           1080 Jul 20 23:22 passwd
14 lftp 192.168.0.10:/upload> rm fstab
15 rm ok, `fstab' removed
16 lftp 192.168.0.10:/upload> rm passwd
17 rm ok, `passwd' removed
18 lftp 192.168.0.10:/upload> ls -la
19 drwxr-xr-x    3 14       0              19 Jul 20 23:52 .
20 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
21 drwx------    2 14       50              6 Jul 20 23:41 ftpdir
22 lftp 192.168.0.10:/upload>

确实可以删除文件,再演示重命名文件

 1 lftp 192.168.0.10:/upload> ls -al
 2 drwxr-xr-x    3 14       0              20 Jul 20 23:53 .
 3 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
 4 drwx------    2 14       50              6 Jul 20 23:41 testdir
 5 lftp 192.168.0.10:/upload> mv testdir ftpdir
 6 rename successful
 7 lftp 192.168.0.10:/upload> ls -al
 8 drwxr-xr-x    3 14       0              19 Jul 20 23:54 .
 9 drwxr-xr-x    4 0        0              29 Jul 20 23:05 ..
10 drwx------    2 14       50              6 Jul 20 23:41 ftpdir
11 lftp 192.168.0.10:/upload>

 三、本地用户访问vsftp

 1 lftp 192.168.0.10:/upload> exit
 2 [root@node02 ~]# lftp -u ftpuser,ftp123 192.168.0.10
 3 lftp ftpuser@192.168.0.10:~> pwd
 4 ftp://ftpuser:[email protected]
 5 lftp ftpuser@192.168.0.10:~> ls -l
 6 lftp ftpuser@192.168.0.10:~> mkdir ftpuser
 7 mkdir ok, `ftpuser' created
 8 lftp ftpuser@192.168.0.10:~> ls -lh
 9 drwxr-xr-x    2 1000     1000            6 Jul 21 01:12 ftpuser
10 lftp ftpuser@192.168.0.10:~> lcd /etc/
11 lcd ok, local cwd=/etc
12 lftp ftpuser@192.168.0.10:~> put passwd
13 1080 bytes transferred
14 lftp ftpuser@192.168.0.10:~> put issu
15 put: /etc/issu: No such file or directory
16 lftp ftpuser@192.168.0.10:~> put issue
17 23 bytes transferred
18 lftp ftpuser@192.168.0.10:~> ls -lh
19 drwxr-xr-x    2 1000     1000            6 Jul 21 01:12 ftpuser
20 -rw-r--r--    1 1000     1000           23 Jul 21 01:13 issue
21 -rw-r--r--    1 1000     1000         1080 Jul 21 01:12 passwd
22 lftp ftpuser@192.168.0.10:~>

本地用户上传文件的默认权限为 644(-rw-r--r--),创建的目录为 755(drwxr-xr-x)。注意:上面 lftp -u 用户名,密码 的写法会把密码留在 shell 历史和 ps 输出中(lftp 的 pwd 输出也直接回显了它),实际使用时建议只给用户名、在提示符处输入密码。控制本地用户访问和上传文件(目录)的参数为:

local_enable=YES (控制所有非匿名用户访问)

local_umask=022 (控制上传文件和目录之后的权限的掩码)

一般登录 vsftpd 之后进入某个目录时,可以显示一条提示信息,对该目录进行相关说明,这通过 dirmessage_enable 参数控制。

这里我们在 upload 目录中创建一个 .message 文件,写入提示内容:

1 [root@node01 upload]# pwd
2 /var/ftp/upload
3 [root@node01 upload]# cat .message
4 this is upload dir,pls do not delete files or dir on operation
5 [root@node01 upload]#

重新登录进行测试:

 1 [root@node02 ~]# ftp 192.168.0.10
 2 Connected to 192.168.0.10 (192.168.0.10).
 3 220 (vsFTPd 3.0.2)
 4 Name (192.168.0.10:root): anonymous
 5 331 Please specify the password.
 6 Password:
 7 230 Login successful.
 8 Remote system type is UNIX.
 9 Using binary mode to transfer files.
10 ftp> dir
11 227 Entering Passive Mode (192,168,0,10,45,41).
12 150 Here comes the directory listing.
13 drwxr-xr-x    2 0        0               6 Aug 03  2017 pub
14 drwxr-xr-x    3 14       0              34 Jul 21 01:33 upload
15 226 Directory send OK.
16 ftp> cd upload
17 250-this is upload dir,pls do not delete files or dir on operation
18 250 Directory successfully changed.
19 ftp> pwd
20 257 "/upload"
21 ftp>

所以,dirmessage_enable=YES
用户第一次进入目录时,vsftp会查看.message文件,并将其内容显示给用户
也可以使用message_file指定文件路径,而不是使用默认的.message

上面是对某个目录进行说明,也可以在登录vsftp服务器时给出提示信息。

这里给出的参数是“ftpd_banner=Welcome to blah FTP service”,默认是注释掉,直接去掉注释,然后重启vsftpd服务

1 [root@node02 ~]# ftp 192.168.0.10
2 Connected to 192.168.0.10 (192.168.0.10).
3 220 Welcome to blah FTP service.
4 Name (192.168.0.10:root):

上面第 3 行以 220 开头的提示信息即为设置的 banner。

四、控制用户登录后锁定在自己家目录下

要把所有登录的本地用户锁定在自己的家目录下,需要设置参数 "chroot_local_user=YES";如果家目录本身需要可写,还要确保参数 "allow_writeable_chroot=YES"(见下文,本文采用的是去掉家目录写权限的做法)。

[root@node01 vsftpd]# grep "chroot_local_user=YES" /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
[root@node01 vsftpd]# systemctl restart vsftpd
[root@node01 vsftpd]#

测试登录

[root@node02 ~]# ftp 192.168.0.10
Connected to 192.168.0.10 (192.168.0.10).
220 (vsFTPd 3.0.2)
Name (192.168.0.10:root): ftpuser
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
ftp>

发现登录失败。原因是 vsftpd 默认拒绝在可写的 chroot 根目录中运行(见上面的 "500 OOPS ... writable root inside chroot()" 提示),因此被 chroot 的本地用户家目录本身必须没有写(w)权限。另一种做法是设置 allow_writeable_chroot=YES,但这会削弱 chroot 的隔离效果,不如去掉家目录写权限稳妥。

[root@node01 vsftpd]# ls -ld /home/ftpuser/
drwx------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/
[root@node01 vsftpd]#

去掉本地用户写权限

1 [root@node01 vsftpd]# ls -ld /home/ftpuser/
2 drwx------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/
3 [root@node01 vsftpd]# chmod -w /home/ftpuser/
4 [root@node01 vsftpd]# ls -ld /home/ftpuser/
5 dr-x------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/
6 [root@node01 vsftpd]#

再进行测试

 1 [root@node02 ~]# ftp 192.168.0.10
 2 Connected to 192.168.0.10 (192.168.0.10).
 3 220 (vsFTPd 3.0.2)
 4 Name (192.168.0.10:root): ftpuser
 5 331 Please specify the password.
 6 Password:
 7 230 Login successful.
 8 Remote system type is UNIX.
 9 Using binary mode to transfer files.
10 ftp> cd /etc/
11 550 Failed to change directory.
12 ftp> pwd
13 257 "/"
14 ftp>

登录成功,并且确实不能切换到其他目录下。所以参数 "chroot_local_user=YES" 对所有本地用户生效,那么有没有办法只对部分用户进行设置呢?答案是肯定的:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

通过以上两个参数可以指定用户,只对 chroot_list 中列出的用户生效。注意不要与 chroot_local_user=YES 同时使用:两者同时开启时,chroot_list 的含义会反转为"不被 chroot 的例外用户列表"。同样,为了让被锁定的用户可以上传,需要确保参数 "allow_writeable_chroot=YES",或者像上面那样去掉家目录本身的写权限。

 1 [root@node01 vsftpd]# pwd
 2 /etc/vsftpd
 3 [root@node01 vsftpd]# cat chroot_list
 4 user001
 5 [root@node01 vsftpd]# useradd user001
 6 [root@node01 vsftpd]# passwd user001
 7 Changing password for user user001.
 8 New password:
 9 BAD PASSWORD: The password is shorter than 8 characters
10 Retype new password:
11 passwd: all authentication tokens updated successfully.
12 [root@node01 vsftpd]# !systemc
13 systemctl restart vsftpd
14 [root@node01 vsftpd]# grep "chroot_list" vsftpd.conf
15 chroot_list_enable=YES
16 chroot_list_file=/etc/vsftpd/chroot_list
17 [root@node01 vsftpd]#

分别使用ftpuser 和user001进行测试

 1 ftp> exit
 2 [root@node02 ~]# ftp 192.168.0.10
 3 Connected to 192.168.0.10 (192.168.0.10).
 4 220 (vsFTPd 3.0.2)
 5 Name (192.168.0.10:root): ftpuser
 6 331 Please specify the password.
 7 Password:
 8 230 Login successful.
 9 Remote system type is UNIX.
10 Using binary mode to transfer files.
11 ftp> pwd
12 257 "/home/ftpuser"
13 ftp> cd /etc
14 250 Directory successfully changed.
15 ftp> pwd
16 257 "/etc"
17 ftp> exit
18 221 Goodbye.
19 [root@node02 ~]# ftp 192.168.0.10
20 Connected to 192.168.0.10 (192.168.0.10).
21 220 (vsFTPd 3.0.2)
22 Name (192.168.0.10:root): user001
23 331 Please specify the password.
24 Password:
25 230 Login successful.
26 Remote system type is UNIX.
27 Using binary mode to transfer files.
28 ftp> pwd
29 257 "/"
30 ftp> cd /etc/
31 550 Failed to change directory.
32 ftp>

user001 的家目录同样必须没有写权限。从以上可以发现,通过 chroot_list 定义的用户 user001 确实不能切换到其他目录,而 ftpuser 不在 chroot_list 文件中,则可以随意切换到其他目录。

控制用户是否可以登录 vsftpd,可以通过黑白名单来实现,名单是黑名单还是白名单由指令 userlist_deny=YES|NO 决定:

userlist_enable
启用时,vsftpd 将加载由 userlist_file 指令指定的用户列表文件(默认为 user_list),该文件中的用户能否访问 vsftpd 服务取决于 userlist_deny 指令:
userlist_deny=YES:表示此列表为黑名单
userlist_deny=NO:表示此列表为白名单


转载自www.cnblogs.com/kindnull/p/9343919.html