1.本地用户家目录的修改
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
35 local_root=/ftp_westos/
[root@server pub]# systemctl restart vsftpd.service
客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
修改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile1
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile2
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile3
lftp [email protected]:~> exit
2.更改本地用户上传文件的权限
##更改本地用户上传文件的权限
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
43 local_umask=077
[root@server pub]# systemctl restart vsftpd.service
客户端
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> put /etc/passwd
2243 bytes transferred
lftp [email protected]:~> ls
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
修改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> put /etc/group
959 bytes transferred
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
3.限制本地用户浏览根目录
##限制本地用户浏览根目录:
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
[root@server pub]# systemctl restart vsftpd.service
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 07:11 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 162 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:16 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
##配置文件后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> exit
##家目录对属主可写,权限过大:vsftpd 拒绝以可写目录作为 chroot 的根(即上面的 500 OOPS),因此去掉家目录属主的写权限(vsftpd 3.x 也可用 allow_writeable_chroot=YES 放宽此检查,但安全性较低)
[root@server pub]# chmod u-w /home/*
##再次测试
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
##可以看到,student用户被锁定在自己的家目录中,不能切换到根目录
4.限制是否可以切换家目录的黑白名单
##限制是否可以切换家目录的黑白名单
##黑名单
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
37 chroot_local_user=NO
38 chroot_list_enable=YES
39 chroot_list_file=/etc/vsftpd/chroot_list
[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# ls /etc/vsftpd/chroot_list
ls: cannot access /etc/vsftpd/chroot_list: No such file or directory
[root@server pub]# touch /etc/vsftpd/chroot_list ##本来没有这个列表,需要新建
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list ##即改即生效
student
客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls ##student 在黑名单中,被限制在家目录,不可切换到根目录
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls ##westos可以切换
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 08:31 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 161 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:30 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
#设定白名单
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
37 chroot_local_user=YES
38 chroot_list_enable=YES
39 chroot_list_file=/etc/vsftpd/chroot_list
[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list
student
客户端:
客户端的student用户在白名单中,可以正常切换根目录:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 08:31 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 162 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:40 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
##白名单之外的westos被限制
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lftp [email protected]:~> exit
5.用户登陆黑白名单
##正常的:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
##永久黑名单
[root@server pub]# cd /etc/vsftpd/
[root@server vsftpd]# ls
chroot_list ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# vim ftpusers
[root@server vsftpd]# tail -n 1 ftpusers
student
配置永久黑名单后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
##临时黑名单(先去掉永久黑名单的student)
[root@server vsftpd]# vim user_list
[root@server vsftpd]# tail -n 1 user_list
student
修改后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
[kiosk@foundation22 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Permission denied.
lftp [email protected]:~> exit
6.把临时黑名单变成白名单
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
148 userlist_enable=YES
149 userlist_deny=NO
[root@server vsftpd]# systemctl restart vsftpd.service
更改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Permission denied.
lftp [email protected]:~> exit
7.虚拟用户的设定
##为了更安全##
#服务端配置
[root@server ~]# cd /etc/vsftpd/ ##切换目录到vsftpd服务配置文件夹
[root@server vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# vim userfile ##新建文件,文件名任意
[root@server vsftpd]# cat userfile ##可以看到文件中设定的用户和密码的内容
westos1
123
westos2
123
westos3 ##注意用户名和密码行末不要多加空格,否则空格会被当作用户名或密码的一部分
123
##用 db_load 把刚才新建的文本文件转换为 Berkeley DB 的 hash 格式数据库(-t hash 指定数据库类型,并不是加密)
[root@server vsftpd]# db_load -T -t hash -f /etc/vsftpd/userfile /etc/vsftpd/userfile.db
[root@server vsftpd]# ls ##可以看到加密后的文件userfile.db
ftpusers userfile userfile.db user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# cat userfile.db
^Aa^U^F ^B�L4^A^A�L�G��
��^B�L4^A^A�L�G��s3^A123^Awestos1^A^B^B�
^A^Aэh^^A^A^A123^Awestos2 ##可以看到 .db 文件中用户名和口令(123、westos1、westos2)仍以明文可见,并未被加密;userfile 与 userfile.db 都应限制为仅 root 可读
[root@server vsftpd]# vim /etc/pam.d/userauth ##在pam认证配置目录下新建一个文件,文件名任意
[root@server vsftpd]# cat /etc/pam.d/userauth ##可以看到新建文件的内容
account required pam_userdb.so db=/etc/vsftpd/userfile
auth required pam_userdb.so db=/etc/vsftpd/userfile
##userfile 中为 用户/密码 逐行交替;这两行需要指定认证插件 pam_userdb.so,db= 处的文件名不加后缀 .db,系统会自行补齐
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf ##编辑vsftpd主配置文件
147 pam_service_name=userauth ##指定认证访问的文件用户名单
##指定上面的 pam 文件后,原来真实存在的系统用户就不能登陆了,解决的办法是把两个文件合成一个文件,即把原有的用户也添加到 userfile 中
148 guest_enable=YES ##开启虚拟用户可以登陆服务
149 guest_username=ftp ##指定虚拟用户登陆ftp的用户名
[root@server vsftpd]# systemctl restart vsftpd.service ##重启服务,使配置生效
#客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
##可以看到,配置生效前虚拟用户登陆不成功(下面是配置生效后的结果)
##配置ftp虚拟用户之后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
8.虚拟用户个人家目录
##服务端配置
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3} -p
##新建每个用户的家目录,家目录名与用户名一致(后面$USER可用),-p使不存在的目录递归创建
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf ##配置vsftpd主文件
150 local_root=/var/ftpuserdir/$USER ##指定用户的家目录为上述创建的与用户名一致的目录
151 user_sub_token=$USER ##指定 local_root 中的占位符为 $USER,登录时由 vsftpd 替换成登录用户名;写法与 shell 变量 $USER 相同,但替换由 vsftpd 完成,与 shell 无关
[root@server vsftpd]# echo $USER ##可以看到$USER代指当前用户
root
[root@server vsftpd]# su - student
[student@server ~]$ echo $USER
student
[student@server ~]$ logout
[root@server vsftpd]# systemctl restart vsftpd.service ##重启服务
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3}/pub ##在家目录中新建目录
[root@server vsftpd]# mkdir /var/ftpuserdir/westos1/westos1file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos2/westos2file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos3/westos3file
##客户端
##配置后在客户端可以看到每个虚拟用户都在自己的家目录中
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos1file
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos2file
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos3file
lftp [email protected]:/> exit
9.虚拟用户配置独立
##服务端配置
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
31 local_enable=YES
34 #write_enable=YES ##注释影响配置结果的参数
51 #anon_upload_enable=YES
154 user_config_dir=/etc/vsftpd/userconf ##指定独立用户配置目录
[root@server vsftpd]# systemctl restart vsftpd.service
[root@server vsftpd]# mkdir -p /etc/vsftpd/userconf ##目录本来没有,需要新建
[root@server vsftpd]# vim /etc/vsftpd/userconf/westos1 ##在目录下新建文件(与用户名相同)
1 anon_upload_enable=YES #配置允许该用户上传文件
[root@server vsftpd]# systemctl restart vsftpd.service ##重启服务
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chmod 775 /var/ftpuserdir/westos*/pub ##给所属组可写的权限
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chgrp ftp /var/ftpuserdir/westos*/pub ##更改用户组为ftp
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
##客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos1file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit
##配置后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
2243 bytes transferred
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 19 Jan 24 03:16 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos2file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 550 Permission denied. (passwd)
lftp [email protected]:/pub> exit
可以看到我们在配置目录 /etc/vsftpd/userconf/下新建了一个文件westos1,所以只有westos1能上传