深度解析Linux中ftp服务(二)(本地用户、虚拟用户)

版权声明:本文章是作者原创作品,转载请注明作者 https://blog.csdn.net/weixin_41975471/article/details/87303916

1.本地用户家目录的修改

[root@server pub]# vim /etc/vsftpd/vsftpd.conf

 35 local_root=/ftp_westos/

[root@server pub]# systemctl restart vsftpd.service
客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
lftp [email protected]:~> exit
修改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
-rw-r--r--    1 0        0               0 Jan 23 06:15 westosfile1
-rw-r--r--    1 0        0               0 Jan 23 06:15 westosfile2
-rw-r--r--    1 0        0               0 Jan 23 06:15 westosfile3

lftp [email protected]:~> exit

2.更改本地用户上传文件的权限

##更改本地用户上传文件的权限(local_umask 只影响此后新上传的文件;已存在文件的权限不会被回溯修改,所以下面改完后 passwd 仍是 644、新上传的 group 才是 600)
[root@server pub]# vim /etc/vsftpd/vsftpd.conf

 43 local_umask=077

[root@server pub]# systemctl restart vsftpd.service
客户端
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
lftp [email protected]:~> put /etc/passwd
2243 bytes transferred
lftp [email protected]:~> ls
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd

lftp [email protected]:~> exit
修改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd
lftp [email protected]:~> put /etc/group
959 bytes transferred
lftp [email protected]:~> ls
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd

lftp [email protected]:~> exit

3.限制本地用户浏览根目录

##限制本地用户浏览根目录:chroot_local_user=YES 会把本地用户 chroot 到其家目录,FTP 会话里看到的 / 就是家目录本身,无法再列出真实的系统目录(/etc、/root 等):

[root@server pub]# vim /etc/vsftpd/vsftpd.conf

chroot_local_user=YES

[root@server pub]# systemctl restart vsftpd.service

[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /    
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2920 Jan 23 03:18 dev
drwxr-xr-x  134 0        0            8192 Jan 23 07:11 etc
drwxr-xr-x    2 0        0              60 Jan 23 06:15 ftp_westos
drwxr-xr-x    4 0        0              33 Jan 23 07:11 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Mar 13  2014 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  162 0        0               0 Jan 23 03:01 proc
dr-xr-x---   15 0        0            4096 Jan 23 08:16 root
drwxr-xr-x   35 0        0            1140 Jan 23 03:25 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Jan 23 03:01 sys
drwxrwxrwt   12 0        0            4096 Jan 23 08:04 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Jan 23 03:25 var

lftp [email protected]:/> exit
##配置文件后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /    
cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

lftp [email protected]:~> exit
##vsftpd 拒绝在"可写的 chroot 根目录"下运行:若被 chroot 的用户对 jail 根有写权限,就可能在 jail 内伪造 /etc、/lib 之类的路径绕过限制。处理方式有两种:一是像下面这样去掉家目录本身的写权限(注意 chmod u-w /home/* 会作用于所有家目录,本地 shell 用户也无法再直接在家目录创建文件,上传应放到一个可写的子目录);二是在 vsftpd.conf 中设置 allow_writeable_chroot=YES,但这等于关闭该保护,只应在可信环境使用。
[root@server pub]# chmod u-w /home/*
##再次测试
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd

lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
##可以看到,student 用户被锁定在自己的家目录中:cd / 虽然提示成功,但此时的 / 已经是 chroot 后的家目录(列出的仍是 group、passwd),无法切换到真实的根目录

4.限制是否可以切换家目录的黑白名单

##限制是否可以切换家目录的黑白名单:chroot_list 的含义取决于 chroot_local_user——为 NO 时名单内的用户被 chroot(相当于黑名单),为 YES 时名单内的用户是例外、不被 chroot(相当于白名单)。名单文件每行一个用户名。
##黑名单
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
 

 37 chroot_local_user=NO
 38 chroot_list_enable=YES
 39 chroot_list_file=/etc/vsftpd/chroot_list

[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# ls /etc/vsftpd/chroot_list                        
ls: cannot access /etc/vsftpd/chroot_list: No such file or directory
[root@server pub]# touch /etc/vsftpd/chroot_list                     ##本来没有这个列表,需要新建
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list                              ##即改即生效
student

客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/

lftp [email protected]:/> ls                                                   ##student不可切换
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls                                               ##westos可以切换
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2920 Jan 23 03:18 dev

drwxr-xr-x  134 0        0            8192 Jan 23 08:31 etc
drwxr-xr-x    2 0        0              60 Jan 23 06:15 ftp_westos
drwxr-xr-x    4 0        0              33 Jan 23 07:11 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Mar 13  2014 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  161 0        0               0 Jan 23 03:01 proc
dr-xr-x---   15 0        0            4096 Jan 23 08:30 root
drwxr-xr-x   35 0        0            1140 Jan 23 03:25 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Jan 23 03:01 sys
drwxrwxrwt   12 0        0            4096 Jan 23 08:04 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Jan 23 03:25 var
lftp [email protected]:/> exit

#设定白名单

[root@server pub]# vim /etc/vsftpd/vsftpd.conf

 37 chroot_local_user=YES
 38 chroot_list_enable=YES
 39 chroot_list_file=/etc/vsftpd/chroot_list

[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list
student

客户端:
客户端的student用户在白名单中,可以正常切换根目录:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /    
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2920 Jan 23 03:18 dev
drwxr-xr-x  134 0        0            8192 Jan 23 08:31 etc
drwxr-xr-x    2 0        0              60 Jan 23 06:15 ftp_westos

drwxr-xr-x    4 0        0              33 Jan 23 07:11 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Mar 13  2014 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  162 0        0               0 Jan 23 03:01 proc
dr-xr-x---   15 0        0            4096 Jan 23 08:40 root
drwxr-xr-x   35 0        0            1140 Jan 23 03:25 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Jan 23 03:01 sys
drwxrwxrwt   12 0        0            4096 Jan 23 08:04 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Jan 23 03:25 var
lftp [email protected]:/> exit

##白名单之外的westos被限制:westos 被 chroot 到自己的(空)家目录,cd / 之后 ls 什么都列不出来
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /     
cd ok, cwd=/
lftp [email protected]:/> ls

lftp [email protected]:~> exit

5.用户登陆黑白名单

##正常的:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit

[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> exit

##永久黑名单(/etc/vsftpd/ftpusers):这个文件不是由 vsftpd.conf 的 userlist_* 选项控制,而是在 RHEL 系发行版上通常由 /etc/pam.d/vsftpd 里的 pam_listfile 读取;默认已列出 root、bin 等系统账号,不要删除这些条目
[root@server pub]# cd /etc/vsftpd/
[root@server vsftpd]# ls
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@server vsftpd]# vim ftpusers
[root@server vsftpd]# tail -n 1 ftpusers
student

配置永久黑名单后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
ls: Login failed: 530 Login incorrect
.          
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> exit

##临时黑名单(/etc/vsftpd/user_list,由 userlist_enable 控制;先去掉永久黑名单的student)。userlist_deny=YES(默认)时,名单内的用户在被要求输入密码之前就被拒绝,返回 530 Permission denied,口令不会发到服务端;而 ftpusers 是在 PAM 校验阶段拒绝,返回的是 530 Login incorrect
[root@server vsftpd]# vim user_list
[root@server vsftpd]# tail -n 1 user_list
student

修改后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> exit
[kiosk@foundation22 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
ls: Login failed: 530 Permission denied.    
      
lftp [email protected]:~> exit

6.把临时黑名单变成白名单(userlist_deny=NO:只有 user_list 中列出的用户才允许登录。注意发行版自带的 user_list 通常预填了 root、bin 等系统账号,改成白名单前应先检查并清理,否则这些账号会变成"允许登录"的名单——虽然通常仍会被 ftpusers 拦截,但名单语义已经反转)

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

148 userlist_enable=YES
149 userlist_deny=NO

[root@server vsftpd]#systemctl restart vsftpd.service
更改后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls      
-rw-------    1 1000     1000          959 Jan 23 08:17 group
-rw-r--r--    1 1000     1000         2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls       
ls: Login failed: 530 Permission denied.          
lftp [email protected]:~> exit

7.虚拟用户的设定

##为了更安全##

#服务端配置
[root@server ~]# cd /etc/vsftpd/                   ##切换目录到vsftpd服务配置文件夹
[root@server vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@server vsftpd]# vim userfile                ##新建文件,文件名任意
[root@server vsftpd]# cat userfile                ##可以看到文件中设定的用户和密码的内容
westos1
123
westos2
123
westos3                                         ##注意不要乱加空格
123

##用 db_load 把用户/密码文本转换成 Berkeley DB 数据库(-t hash 指的是数据库索引类型,不是加密):密码在 .db 中仍是明文,下面 cat 的输出里可以直接看到 123 和 westos1。因此 userfile 和 userfile.db 都应 chmod 600(只允许 root 读取),明文的 userfile 转换后建议删除;如需存储加密口令,可在 pam_userdb 行加上 crypt=crypt 并以 crypt(3) 格式写入密码
[root@server vsftpd]# db_load -T -t hash -f /etc/vsftpd/userfile /etc/vsftpd/userfile.db
[root@server vsftpd]# ls                            ##可以看到加密后的文件userfile.db
ftpusers  userfile  userfile.db  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@server vsftpd]# cat userfile.db
^Aa^U^F ^B�L4^A^A�L�G��
��^B�L4^A^A�L�G��s3^A123^Awestos1^A^B^B�
              ^A^Aэh^^A^A^A123^Awestos2            ##注意:用户名和密码以明文形式出现在 .db 中,并没有被加密
[root@server vsftpd]# vim /etc/pam.d/userauth      ##在pam认证配置目录下新建一个文件,文件名任意
[root@server vsftpd]# cat /etc/pam.d/userauth      ##可以看到新建文件的内容
 

account           required       pam_userdb.so    db=/etc/vsftpd/userfile
auth              required       pam_userdb.so    db=/etc/vsftpd/userfile
#account 检查账号是否允许登录,auth 校验密码;required 表示该模块必须通过;pam_userdb.so 是认证插件;db= 指定的路径不加 .db 后缀,模块会自动补齐。这个 PAM 文件只包含 pam_userdb,所以本地系统用户在该服务名下无法通过认证(见下文)

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf    ##编辑vsftpd主配置文件

147 pam_service_name=userauth     ##指定 vsftpd 使用的 PAM 服务名,即 /etc/pam.d/ 下的文件名(RHEL 默认配置为 vsftpd)
##上面的文件指定后,原来真实存在的用户就不能登陆了,解决的办法是把两个文件合成一个文件,即把原有的用户也添加到文件夹中

148 guest_enable=YES              ##开启虚拟用户可以登陆服务
149 guest_username=ftp            ##指定虚拟用户登陆后在系统中映射到的本地账号:所有虚拟用户共用 ftp 这个 uid,文件系统权限无法区分它们,因此后面要靠 local_root/$USER 和 user_config_dir 做隔离;该账号应是不可登录的系统账号

[root@server vsftpd]# systemctl restart vsftpd.service   ##重启服务,使配置生效

#客户端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
##可以看到,虚拟用户登陆不成功

##配置ftp虚拟用户之后
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxrwxr-x    2 0        50             60 Jan 23 07:28 pub
drwxr-xr-x    2 0        0               6 Jan 23 03:32 qwert

lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x    2 0        50             60 Jan 23 07:28 pub
drwxr-xr-x    2 0        0               6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxrwxr-x    2 0        50             60 Jan 23 07:28 pub
drwxr-xr-x    2 0        0               6 Jan 23 03:32 qwert
lftp [email protected]:/> exit

8.虚拟用户个人家目录

##服务端配置
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3} -p
##新建每个用户的家目录,家目录名与用户名一致(后面$USER可用),-p使不存在的目录递归创建
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf           ##配置vsftpd主文件

150 local_root=/var/ftpuserdir/$USER        ##指定用户的家目录为上述创建的与用户名一致的目录
151 user_sub_token=$USER           ##告诉 vsftpd 把 local_root 中的字符串 $USER 替换为 FTP 登录名;这是 vsftpd 自己做的字符串替换,与 shell 的环境变量 $USER 无关(下面 echo $USER 的演示只是类比)

[root@server vsftpd]# echo $USER                        ##shell 里的 $USER 只是类比:vsftpd 的配置文件不经过 shell 展开
root
[root@server vsftpd]# su - student
[student@server ~]$ echo $USER
student
[student@server ~]$ logout
[root@server vsftpd]# systemctl restart vsftpd.service          ##重启服务
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3}/pub    ##在家目录中新建目录
[root@server vsftpd]# mkdir /var/ftpuserdir/westos1/westos1file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos2/westos2file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos3/westos3file

##客户端
##配置后在客户端可以看到每个虚拟用户都在自己的家目录中
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0               6 Jan 24 02:29 pub
drwxr-xr-x    2 0        0               6 Jan 24 02:30 westos1file

lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0               6 Jan 24 02:29 pub
drwxr-xr-x    2 0        0               6 Jan 24 02:30 westos2file
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0               6 Jan 24 02:29 pub
drwxr-xr-x    2 0        0               6 Jan 24 02:30 westos3file
lftp [email protected]:/> exit

9.虚拟用户配置独立

##服务端配置
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

31 local_enable=YES
34 #write_enable=YES                                    ##注释掉全局的上传相关参数,改由每个用户的独立配置文件决定(注意 vsftpd 手册中 write_enable 默认为 NO;若注释后上传仍能成功,应检查配置里是否还有其他 write_enable 行,或在用户配置文件中显式设置)
51 #anon_upload_enable=YES
154 user_config_dir=/etc/vsftpd/userconf                ##指定独立用户配置目录

[root@server vsftpd]# systemctl restart vsftpd.service
[root@server vsftpd]# mkdir -p /etc/vsftpd/userconf       ##目录本来没有,需要新建
[root@server vsftpd]# vim /etc/vsftpd/userconf/westos1     ##在目录下新建文件(与用户名相同)

  1 anon_upload_enable=YES                                  #虚拟用户在 vsftpd 中按匿名用户的权限模型处理,所以用 anon_upload_enable 控制上传;只有 westos1 有这个文件,其余虚拟用户沿用主配置

[root@server vsftpd]# systemctl restart vsftpd.service      ##重启服务
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chmod 775 /var/ftpuserdir/westos*/pub      ##给属组写权限,配合下面 chgrp ftp 让以 ftp 身份运行的虚拟用户能写入 pub;只开放 pub 子目录而不是整个家目录,保持最小权限
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chgrp ftp /var/ftpuserdir/westos*/pub      ##更改用户组为ftp
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root ftp  6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root ftp  6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root ftp  6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
##客户端;
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x    2 0        0               6 Jan 24 02:29 pub
drwxr-xr-x    2 0        0               6 Jan 24 02:30 westos1file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit

##配置后:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1

Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
2243 bytes transferred
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x    2 0        50             19 Jan 24 03:16 pub
drwxr-xr-x    2 0        0               6 Jan 24 02:30 westos2file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 550 Permission denied. (passwd)
lftp [email protected]:/pub> exit

可以看到我们在配置目录  /etc/vsftpd/userconf/下新建了一个文件westos1,所以只有westos1能上传

注意避免实验环境的改变对当前实验的影响!! 另外,以上所有登录都是明文 FTP(用户名、口令和文件内容都未加密),生产环境应启用 ssl_enable=YES(FTPS)或改用 SFTP,并把实验用的弱口令 123 换掉。
