FTP installation and configuration under CentOS 7.0

  1. 1. Run the yum install vsftpd command 

      [root@localhost ~]# yum install vsftpd 

    2. After the FTP installation is complete, comment out the root line in the /etc/vsftpd/user_list file and the /etc/vsftpd/ftpusers file 

      # root 

    3. Execute the following command 

      # setsebool -P ftpd_disable_trans=1 

      Modify /etc/vsftpd/vsftpd.conf and add local_root=/ at the last line 

    4. Restart the ftp process #service vsftpd restart 

    Note: Every time you modify the ftp-related configuration files, you need to restart the ftp process to take effect.

  2.   vsftpd.ftpusers: located in the /etc directory. It specifies which user accounts cannot access the FTP server, such as root, etc. 

      vsftpd.user_list: located in the /etc directory. User accounts in this file also cannot access the FTP server by default, and are only allowed when the userlist_enable=NO option is enabled in the vsftpd.conf configuration file. 

      vsftpd.conf: located in the /etc/vsftpd directory. It is used to customize the configuration of the FTP server, such as user login control, user authority control, timeout settings, server function options, server performance options, and server response messages. 

      (1) User login control 

      anonymous_enable=YES, allows anonymous users to log in. 

      no_anon_password=YES, an anonymous user does not need to enter a password when logging in. 

      local_enable=YES, allows local users to log in. 

      deny_email_enable=YES, you can create a file that keeps a blacklist of certain anonymous e-mail addresses, to prevent these people from carrying out DoS attacks. 

        banned_email_file=/etc/vsftpd.banned_emails, when deny_email_enable is enabled, the desired email blacklist save path (default is /etc/vsftpd.banned_emails). 

      (2) User permission control 

      write_enable=YES, enable global upload permission. 

      local_umask=022, the umask of the uploaded file of the local user is set to 022 (the system default is 077, generally it can be changed to 022). 

      anon_upload_enable=YES, allows anonymous users to have upload permissions. Obviously, write_enable=YES must be enabled to use this item. At the same time, we must also create a directory that allows ftp users to read and write (as mentioned earlier, ftp is a mapped user account for anonymous users). 

      anon_mkdir_write_enable=YES, allows anonymous users to have the right to create directories. 

      chown_uploads=YES, enable this item, the owner user of anonymous upload files will be changed to another user account, note that it is recommended not to specify the root account as the owner user of anonymous upload files! 

      chown_username=whoever, when chown_uploads=YES is enabled, the specified owner user account, the whoever here is naturally replaced by a suitable user account. 

      chroot_list_enable=YES, you can use a list to limit which local users can only be active in their own directory. If chroot_local_user=YES, then the users specified in this list are not restricted. 

        chroot_list_file=/etc/vsftpd.chroot_list, if chroot_local_user=YES, specify the save path of the list (chroot_local_user) (default is /etc/vsftpd.chroot_list). 

      nopriv_user=ftpsecure, specifies a secure user account for the FTP server to use as a fully isolated and unprivileged individual user. This is the recommended option for the vsftpd system. 

      async_abor_enable=YES, it is strongly recommended not to enable this option, otherwise it may cause errors! 

      ascii_upload_enable=YES; ascii_download_enable=YES, by default the server will pretend to accept ASCII mode requests but actually ignore such requests. Enabling the above two options allows the server to truly implement ASCII mode transmission. 

      Note: Enabling the ascii_download_enable option will allow malicious remote users to consume a lot of I/O resources of the FTP server with commands like "SIZE /big/file" in ASCII mode. 

      These ASCII mode setting options are divided into upload and download, so that we can allow ASCII mode upload (which can prevent the upload of malicious files such as scripts and cause crashes) without suffering the danger of denial of service attacks. 

      (3) User connection and timeout options 

      idle_session_timeout=600, you can set the default idle timeout time, the user will be kicked out of the server if the user does not act after this time. 

      data_connection_timeout=120, set the default data connection timeout. 

      (4) Server log and welcome message 

      dirmessage_enable=YES, allows to configure the display information for the directory, showing the contents of the message_file file under each directory. 

      ftpd_banner=Welcome to blah FTP service, you can customize the welcome message that FTP users see when they log in to the server. 

      xferlog_enable=YES, enable logging of upload/download activity logs. 

      xferlog_file=/var/log/vsftpd.log, you can customize the save path and file name of the log file, the default is /var/log/vsftpd.log. 

      anonymous_enable=YES to allow anonymous login 

      local_enable=YES to allow local user to login 

      write_enable=YES Open local user write permission 

      local_umask=022 Set the mask of local user generated files to 022 

      #anon_upload_enable=YES This setting allows anonymous users to upload files 

      #anon_mkdir_write_enable=YES Enable write and create directory permissions for anonymous users 

      dirmessage_enable=YES When switching to a directory, display the contents of the .message hidden files in the directory 

      xferlog_enable=YES to activate upload and download logs 

      connect_from_port_20=YES Enable connection request for FTP data port 

      #chown_uploads=YES Whether to have upload permission. The user is specified by the chown_username parameter. 

      #chown_username=whoever Specifies the user who has permission to upload files. This parameter is used in conjunction with chown_uploads. 

      #xferlog_file=/var/log/vsftpd.log 

      xferlog_std_format=YES use standard ftpd xferlog log format 

      #idle_session_timeout=600 A user session is disconnected after it has been idle for 10 minutes 

      #data_connection_timeout=120 A data connection is dropped after it has been idle for 2 minutes 

      #ascii_upload_enable=YES Enable ASCII transport for upload 

      #ascii_download_enable=YES Enable ASCII transport for download 

      #ftpd_banner=Welcome to blah FTP service Set the message to be displayed after the user connects to the server 

      #deny_email_enable=NO This parameter defaults to NO. When the value is YES, users with the e-mail addresses listed in the file specified by the banned_email_file parameter are denied login. 

      #banned_email_file=/etc/vsftpd.banned_emails Specifies the file containing rejected e-mail addresses. 

      #chroot_list_enable=YES Set that local users cannot switch to other directories other than their own directory after logging in 

      #chroot_list_file=/etc/vsftpd.chroot_list 

      #ls_recurse_enable=YES 

      pam_service_name=vsftpd Set the configuration file name of the PAM authentication service, which is stored in /etc/pam.d/ 

      userlist_enable=YES Users listed in /etc/vsftpd.user_list cannot access the server. If userlist_deny=NO is added, only the users in the /etc/vsftpd.user_list file can access the server, and no other users can access the server. If userlist_enable=NO, userlist_deny=YES, it is specified that the users listed in the file /etc/vsftpd.user_list cannot access the server, and other local users can access the server. 

      listen=YES indicates that VSFTPD starts in standalone mode 

      tcp_wrappers=YES Use the TCP_Wrappers remote access control mechanism in VSFTPD, the default value is YES
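
The risky options described above can be checked mechanically. This is an added example, not part of the original article or of vsftpd: it lints a vsftpd.conf against those options, falling back to vsftpd's built-in defaults when an option is unset. The function names conf_get, on and vsftpd_audit and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): lint a vsftpd.conf.

# conf_get FILE KEY DEFAULT: effective value of KEY. The last assignment
# wins and "#" lines never match (vsftpd allows no spaces around "=").
conf_get() {
    v=$(awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); val = $0 }
                           END { print val }' "$1")
    echo "${v:-$3}"
}

# on FILE KEY DEFAULT: true when the option is effectively YES.
on() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }

# vsftpd_audit FILE: print one "option: finding" line per risky setting.
vsftpd_audit() {
    f=$1
    if on "$f" anonymous_enable YES; then
        echo "anonymous_enable: anonymous logins are accepted"
        if on "$f" no_anon_password NO; then
            echo "no_anon_password: anonymous logins skip the password prompt"
        fi
        if on "$f" write_enable NO && on "$f" anon_upload_enable NO; then
            echo "anon_upload_enable: anonymous users can upload files"
        fi
        if on "$f" write_enable NO && on "$f" anon_mkdir_write_enable NO; then
            echo "anon_mkdir_write_enable: anonymous users can create directories"
        fi
    fi
    if on "$f" chown_uploads NO && [ "$(conf_get "$f" chown_username root)" = root ]; then
        echo "chown_username: anonymous uploads are chowned to root"
    fi
    if on "$f" ascii_download_enable NO; then
        echo "ascii_download_enable: ASCII-mode SIZE requests can exhaust server I/O"
    fi
    if [ "$(conf_get "$f" local_root "")" = / ]; then
        echo "local_root: local users are placed in / after login"
    fi
    if ! on "$f" xferlog_enable NO; then
        echo "xferlog_enable: uploads and downloads are not logged"
    fi
    return 0
}

# Constructed sample: the active settings this page ends up with.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' \
    '#anon_upload_enable=YES' 'xferlog_enable=YES' 'local_root=/' > "$sample"
vsftpd_audit "$sample"
```

Run it against /etc/vsftpd/vsftpd.conf after each change and before restarting the service.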

  3. After configuring the FTP according to the actual situation, the following example introduces the establishment of an FTP account and a simple configuration:

    1. Create an account with the account test:

    #mkdir /tmp/test //First create the directory

    #adduser -d /tmp/test -g ftp -s /sbin/nologin test //-s /sbin/nologin prevents the account from logging in to the system, -d specifies the user directory (/tmp/test in this command); that is, the account can only log in to FTP and cannot be used to log in to the system.

    If it shows:

    useradd: warning: the home directory already exists.

    Not copying any file from skel directory into it.

    You can ignore this; it only tells you that the directory you specified already exists, this does not affect

    Set the grouping of the directory and its files, you can also use other grouping methods

    #passwd test

    Changing password for user beinan.//Next will appear to let you set a new password

    New password: 

    Retype new password: 

    passwd: all authentication tokens updated successfully

    Account created successfully!

    2. Restrict the user to their own directory so that they cannot change to the parent directory

    Modify /etc/vsftpd/vsftpd.conf 

    Find these two lines

    #chroot_list_enable=YES

    #chroot_list_file=/etc/vsftpd.chroot_list

    and change them to

    chroot_list_enable=YES

    chroot_list_file=/etc/vsftpd/chroot_list

    Add a new file: /etc/vsftpd/chroot_list 

    Write the user name that needs to be restricted:

    test

    restart vsftpd

    #service vsftpd restart

    3. Finally, in order to prevent the ftp process from not starting after the server is powered on due to power failure, restart, etc., add it to the boot file:

    (1) Find the /etc/rc.local file

    (2) Open the file and add in the last line: service vsftpd start

    (3) save, exit
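
How chroot_local_user, chroot_list_enable and local_root combine for the test account, as an added example that is not part of the original article. The names jail_for and conf_get and the sample passwd lines are hypothetical, and the example assumes vsftpd chroots into the directory it enters after login (local_root when set, otherwise the home directory).

```shell
#!/bin/sh
# Added example (not from the original page): which directory, if any, a
# local user is chrooted into under a given vsftpd.conf.

# conf_get FILE KEY DEFAULT: effective value of KEY (last assignment wins).
conf_get() {
    v=$(awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); val = $0 }
                           END { print val }' "$1")
    echo "${v:-$3}"
}

# jail_for USER CONF PASSWD: print the chroot directory, or "none".
jail_for() {
    user=$1 conf=$2 passwd=$3
    all=$(conf_get "$conf" chroot_local_user NO)
    list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    listed=NO
    if [ "$(conf_get "$conf" chroot_list_enable NO)" = YES ] &&
       grep -qxF "$user" "$list" 2>/dev/null; then
        listed=YES
    fi
    # chroot_local_user=NO : only listed users are jailed.
    # chroot_local_user=YES: everyone is jailed except listed users.
    if [ "$all" = "$listed" ]; then
        echo none
        return 0
    fi
    # Assumption: the jail is the directory entered after login, which is
    # local_root when set and the passwd home directory otherwise.
    root=$(conf_get "$conf" local_root "")
    if [ -z "$root" ]; then
        root=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
    fi
    echo "$root"
}

# Constructed sample combining step 1.3 (local_root=/) with the chroot list.
d=$(mktemp -d)
printf '%s\n' 'test:x:1001:50::/tmp/test:/sbin/nologin' \
    'other:x:1002:1002::/home/other:/bin/bash' > "$d/passwd"
echo test > "$d/chroot_list"
printf '%s\n' 'local_root=/' 'chroot_list_enable=YES' \
    "chroot_list_file=$d/chroot_list" > "$d/vsftpd.conf"
jail_for test "$d/vsftpd.conf" "$d/passwd"    # prints "/"
```

With local_root=/ still in the file, the jail for test is the filesystem root, so the chroot list only confines the account to /tmp/test once that line is removed.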
