Build FTP service based on ECS (Alibaba Cloud)

Introduction

This tutorial describes how to install and configure vsftpd on a Linux (CentOS 7) ECS instance.

Background knowledge

This scenario mainly involves the following cloud products and services:

Cloud server ECS
Elastic Compute Service (ECS) is an IaaS (Infrastructure as a Service) cloud computing service from Alibaba Cloud with high performance, stability, reliability and elastic scaling. ECS removes the up-front purchase of IT hardware, so servers can be consumed as conveniently as public utilities such as water, electricity and gas, giving out-of-the-box, elastically scaled computing resources. Alibaba Cloud keeps adding server types to meet a wide range of business needs.

FTP
FTP (File Transfer Protocol) is one of the protocols of the TCP/IP suite. An FTP deployment has two parts: an FTP server that stores files, and an FTP client through which users access the resources on the server. In web development, FTP is commonly used to upload pages or programs to a web server, and because of its transfer efficiency it is also often used to move large files across a network. Note that plain FTP sends user names, passwords and file contents in cleartext, so anyone who can observe the traffic can read them; restrict which addresses may reach the server (see Step 3) and never reuse a password from elsewhere for an FTP account.

By default FTP uses two TCP ports: 21 carries the control connection (commands and replies) and 20 carries data. Whether port 20 is actually used depends on the transfer mode. In active mode the server opens the data connection from its port 20 to a port the client announced with the PORT command. In passive mode the client sends PASV, the server picks a listening port (in vsftpd, one between pasv_min_port and pasv_max_port) and returns its address and that port in a 227 reply, and the client connects to it. Because most clients sit behind NAT and cannot accept inbound connections, passive mode is what usually works across the internet, which is why the server's public address and port range matter in the configuration below.
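As an added example (not part of the Alibaba Cloud tutorial), the following POSIX shell functions decode the 227 reply a client receives in passive mode and flag the two misconfigurations this setup is most exposed to: the server advertising its private NIC address because pasv_address was not set, and a data port outside the range the security group opens. The reply lines, the port range 50000 to 50100 and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): decode the server's passive-mode reply
# and check it against what the server should be advertising. A client that
# receives "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" connects its data
# channel to h1.h2.h3.h4 on port p1*256+p2, so an ECS instance behind a NAT'd
# elastic IP must advertise its public address (pasv_address) and a port
# inside the range the security group opens (pasv_min_port..pasv_max_port).

# pasv_endpoint REPLY: print "host:port" decoded from a 227 reply, or fail.
pasv_endpoint() {
    pe_nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$pe_nums" ] || return 1
    set -- $(printf '%s\n' "$pe_nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private_ip ADDR: true for RFC 1918 and loopback addresses, which a
# remote client can never reach; seeing one here means pasv_address is unset.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pasv_reply REPLY PASV_MIN PASV_MAX: print a one-word verdict followed
# by the decoded endpoint; always returns 0 so it composes under "set -e".
check_pasv_reply() {
    cp_ep=$(pasv_endpoint "$1") || { echo "unparseable"; return 0; }
    cp_ip=${cp_ep%:*}
    cp_port=${cp_ep#*:}
    if is_private_ip "$cp_ip"; then
        echo "private-address $cp_ep"
    elif [ "$cp_port" -lt "$2" ] || [ "$cp_port" -gt "$3" ]; then
        echo "port-out-of-range $cp_ep"
    else
        echo "ok $cp_ep"
    fi
}

# Constructed sample replies (not captured from a real server). The second one
# is what a client sees when pasv_address is missing on a NAT'd ECS instance.
if [ "${1:-}" = "demo" ]; then
    check_pasv_reply '227 Entering Passive Mode (139,0,0,1,195,80).' 50000 50100
    check_pasv_reply '227 Entering Passive Mode (172,16,0,5,195,80).' 50000 50100
fi
```

To check a live server, use any FTP client that shows the raw server replies, send PASV on the control connection, and pass the 227 line to check_pasv_reply together with the pasv_min_port and pasv_max_port values from your configuration. A "private-address" verdict means the instance is advertising its NIC address instead of the elastic IP; "port-out-of-range" means the security group rule and the configured range disagree.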

vsftpd
vsftpd (very secure FTP daemon) is the most widely respected FTP server among Linux distributions. It runs on Linux, BSD, Solaris, HP-UX and other systems, is free and open source, and offers features that many other FTP servers lack: a security-focused design, bandwidth limiting, good scalability, virtual users, IPv6 support and high throughput.

Scenario experience

The address below is an ECS instance running CentOS 7.7, provided by Alibaba Cloud Experience Lab and configured with an elastic public IP. Follow this tutorial on it to build an FTP service quickly.
Alibaba Cloud scenario resources:
https://developer.aliyun.com/adc/scenario/74b64efe414c47fbaf305957a7fb458b

Step 1: Install vsftpd

1. Run the following command to install vsftpd.

yum install -y vsftpd

The installation has succeeded when yum finishes with Complete!.

2. Run the following command to set the FTP service to start automatically.

systemctl enable vsftpd.service

3. Start the FTP service.

systemctl start vsftpd.service

4. Run the following command to view the port the FTP service is listening on (netstat is provided by the net-tools package on CentOS 7).

netstat -antup | grep ftp

The output should show vsftpd listening on TCP port 21, which means the service is running. At this point the stock configuration allows anonymous access: you can log in as user anonymous (or ftp) with any password, but anonymous users can only read and download; they cannot upload or modify files.

Step 2: Configure vsftpd

vsftpd supports two access modes: anonymous access, where anyone can log in to the FTP service, and local user mode, where only Linux users you have created on the instance can log in.

Note: The two procedures below are alternatives; follow one or the other. vsftpd itself can serve anonymous and local users at the same time, but the local user mode steps below explicitly turn anonymous login off.

  • Anonymous user mode

a. Edit the configuration file vsftpd.conf.

vim /etc/vsftpd/vsftpd.conf

Press i to enter insert mode and uncomment the line anon_upload_enable=YES to allow anonymous uploads.

b. Press ESC to leave insert mode, then type :wq to save and exit vim.
c. Give FTP users write permission on /var/ftp/pub. vsftpd maps anonymous logins to the local ftp user, so this makes the directory writable by every anonymous client on the internet; only do this where the security group in Step 3 limits the source addresses. Keep /var/ftp itself non-writable: vsftpd refuses to run with a writable chroot root unless allow_writeable_chroot is set.

chmod o+w /var/ftp/pub/

d. Restart the FTP service.

systemctl restart vsftpd.service


  • Local user mode

a. Create a Linux user for the FTP service.

adduser ftptest

Set a password for the user.

passwd ftptest

b. Create a file directory for FTP service.

mkdir /var/ftp/test

c. Change the owner of the /var/ftp/test directory to ftptest.

chown -R ftptest:ftptest /var/ftp/test

d. Edit the vsftpd.conf configuration file. The settings below are shared by both transfer modes; the commands rewrite the stock CentOS vsftpd.conf in place.

sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf #disable anonymous login
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf                     #listen on IPv4 sockets
sed -i 's/listen_ipv6=YES/#listen_ipv6=YES/' /etc/vsftpd/vsftpd.conf         #stop listening on IPv6 sockets
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf #confine all users to their home directory
sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd/vsftpd.conf #enable the exception list
sed -i 's/#chroot_list_file=/chroot_list_file=/' /etc/vsftpd/vsftpd.conf #file listing users that are not confined to their home directory
echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf #local_root is owned by ftptest and therefore writable; vsftpd refuses such a chroot root without this
echo "local_root=/var/ftp/test" >> /etc/vsftpd/vsftpd.conf #directory local users land in after login

For active mode, stop here. For passive mode, additionally append the following:

echo "pasv_enable=YES" >> /etc/vsftpd/vsftpd.conf #enable passive mode
echo "pasv_address=<FTP server public IP address>" >> /etc/vsftpd/vsftpd.conf #in this tutorial, the public IP of the Linux instance
echo "pasv_min_port=20" >> /etc/vsftpd/vsftpd.conf #lowest port usable for passive-mode data connections
echo "pasv_max_port=1000" >> /etc/vsftpd/vsftpd.conf #highest port usable for passive-mode data connections

Three caveats. First, pasv_address must be the instance's public (elastic) IP, not the address shown by ifconfig: on ECS the public IP is NAT'd and does not appear on the NIC, and without pasv_address vsftpd advertises the private address, which clients on the internet cannot connect to. vsftpd's built-in default is pasv_enable=YES, so the "active mode" block alone does not turn passive mode off; it only leaves the advertised address and port range unset. Second, the port range 20 to 1000 used above overlaps the control port 21 and other well-known ports; a dedicated high range (for example 50000 to 50100) is the usual choice, and whatever range you pick must also be opened in the security group in Step 3. Third, allow_writeable_chroot=YES disables a safety check: vsftpd refuses to chroot a user into a directory that user can write to. A more conservative layout keeps /var/ftp/test owned by root and gives ftptest a writable subdirectory, which removes the need for this option.

e. Create a chroot_list file in /etc/vsftpd and list the exception users in it, one per line.

# Users listed in chroot_list are not confined to their home directory and can browse other directories.
vim /etc/vsftpd/chroot_list

Note: The file must exist even when there are no exception users; an empty file is fine. If it is missing, vsftpd rejects logins with an OOPS error about the chroot() list file.
f. Restart the FTP service.

systemctl restart vsftpd.service
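The settings from steps d and e, collected into one idempotent script as an added example (not from the original tutorial). Instead of one sed pattern per key, a set_opt helper rewrites a key whether it is currently commented out or not and appends it otherwise, so running the script twice never duplicates a line, and get_opt reads back the value vsftpd will actually use. The file paths, the passive port range 50000 to 50100 and the sample public IP are parameters and assumptions of this example; the stock CentOS 7 vsftpd.conf already sets local_enable and write_enable to YES, and the script sets them explicitly only so that the result does not depend on the distribution's defaults.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud tutorial): apply the local-user-mode
# settings from the steps above to a vsftpd.conf in one idempotent pass and read
# them back for verification. Paths and the passive port range are parameters so
# the functions can be exercised against a copy of the file before touching
# /etc/vsftpd/vsftpd.conf.

# set_opt FILE KEY VALUE
# Replace an existing "KEY=" line, commented out or not, so that a key is never
# duplicated; append it when the file has no such line at all.
set_opt() {
    if grep -q "^#\{0,1\}$2=" "$1"; then
        sed -i "s|^#\{0,1\}$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# get_opt FILE KEY: print the value vsftpd will use (last uncommented assignment).
get_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_local_user_mode CONF CHROOT_LIST PUBLIC_IP PASV_MIN PASV_MAX
configure_local_user_mode() {
    conf=$1 list=$2 pub_ip=$3 pmin=$4 pmax=$5
    set_opt "$conf" anonymous_enable NO          # no anonymous logins
    set_opt "$conf" local_enable YES             # CentOS default, made explicit
    set_opt "$conf" write_enable YES             # CentOS default, made explicit
    set_opt "$conf" listen YES                   # listen on IPv4 sockets
    set_opt "$conf" listen_ipv6 NO               # do not also listen on IPv6
    set_opt "$conf" chroot_local_user YES        # confine every local user to its root
    set_opt "$conf" chroot_list_enable YES       # ...except the names in chroot_list
    set_opt "$conf" chroot_list_file "$list"
    set_opt "$conf" allow_writeable_chroot YES   # needed because local_root is user-writable
    set_opt "$conf" local_root /var/ftp/test
    set_opt "$conf" pasv_enable YES
    set_opt "$conf" pasv_address "$pub_ip"       # the NAT'd elastic IP, not the NIC address
    set_opt "$conf" pasv_min_port "$pmin"
    set_opt "$conf" pasv_max_port "$pmax"
    # vsftpd rejects logins if chroot_list_file is missing, even when it would be empty.
    [ -e "$list" ] || : > "$list"
}

# Usage on the instance (as root), after the user and directory steps above:
#   sh configure-vsftpd.sh apply <FTP server public IP>
#   systemctl restart vsftpd.service
if [ "${1:-}" = "apply" ]; then
    configure_local_user_mode /etc/vsftpd/vsftpd.conf /etc/vsftpd/chroot_list "$2" 50000 50100
fi
```

Because set_opt matches the key at the start of the line with an optional leading #, it handles both the keys CentOS ships commented out (chroot_local_user, chroot_list_enable, chroot_list_file) and the ones it ships active (anonymous_enable, listen, listen_ipv6) without a separate pattern for each, and a second run changes nothing. After applying, restart vsftpd and open the same 50000 to 50100 range in the security group.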

Step 3: Configure Security Group

After the FTP service is set up, add inbound rules to the ECS instance's security group that allow the FTP ports: TCP 21 for the control connection and, for passive mode, the pasv_min_port to pasv_max_port range configured above (in active mode the server initiates data connections from its port 20, which the default outbound rules already allow). Use the client's public IP address as the authorized source rather than 0.0.0.0/0 wherever you can.

Note: Most clients sit in a local network behind address translation, so the IP shown by ipconfig or ifconfig on the client may not be its real public IP. If a client cannot log in later, re-check its public IP address.
1. On the experience platform page, click the one-click copy login URL and log in to the ECS console with the user name and password of the created sub-account.

2. In the left navigation bar, click Network and Security > Security Group.

3. Select the security group to configure and click Configure Rules in the Actions column.

4. Select the inbound direction and click Add Security Group Rule, then enter the ports and authorized source described above.

Step 4: Client test

An FTP client, the Windows command-line ftp tool or a browser can be used to test the FTP server.

Note: If a browser reports an error, clear the browser cache and try again. Current versions of Chrome and Firefox have removed ftp:// support entirely, so on an up-to-date machine use the command-line ftp tool or a dedicated FTP client instead.
1. Open the Chrome browser and enter ftp://<FTP server public IP address>:<FTP port> in the address bar; in this tutorial this is the public IP of the Linux instance, for example ftp://139.0.0.1:21.
2. In the dialog that pops up, enter the user name and password; you can then operate on FTP files with the corresponding permissions.
Note: Anonymous mode requires no login.

Excerpt from the original text of Alibaba Cloud Experience Lab:
https://developer.aliyun.com/adc/scenario/74b64efe414c47fbaf305957a7fb458b


Origin: blog.51cto.com/14827683/2539317