Installing and configuring the FTP service on Linux

1. First check whether vsftpd is already installed with rpm -qa | grep vsftpd. If it is not installed, install it with yum -y install vsftpd (on Ubuntu, use apt-get install vsftpd).

2. service vsftpd start / service vsftpd restart

To have FTP start automatically at boot, run the command: chkconfig --level 35 vsftpd on

3. Set FTP permissions

vi /etc/vsftpd/vsftpd.conf

Change anonymous_enable=YES to anonymous_enable=NO.
Press ESC, then enter ":wq" to save and exit.

Flush the firewall rules (this removes every iptables rule on the host, not only the ones that affect FTP):

#iptables -F

The vsftpd master configuration file is:

 /etc/vsftpd/vsftpd.conf

Experiment one:

If I do not want to allow anonymous FTP logins, I can modify the vsftpd master configuration file to accomplish this:

#vi /etc/vsftpd/vsftpd.conf

Change anonymous_enable=YES to anonymous_enable=NO

Experiment two:

A Windows FTP server lets you set a welcome message and a maximum number of connections. Can an FTP server set up on Linux do the same? My answer is: yes, and again the vsftpd master configuration file is where it is done:

# vi /etc/vsftpd/vsftpd.conf

At the end, add:

ftpd_banner=welcome to here! // this is the greeting
max_clients=100 // up to 100 users can access the server at the same time

Then restart vsftpd and you are done!

Experiment three:

If a colleague (lilei) borrowed money from me and has not paid it back, and I do not want him to log in to our FTP site, I can add the user lilei to the file /etc/vsftpd.ftpusers:

# vi /etc/vsftpd.ftpusers

Experiment four:

This morning the company promoted a new general manager. A few people who heard the news moved quickly, so I want only the general manager to be able to access the FTP server; nobody else should get the chance to flatter the manager, and everyone else is locked out. I can do this:

# vi /etc/vsftpd/vsftpd.conf

Add these two lines at the end:

userlist_deny=NO // people in the list are not refused; everyone else (including anonymous) is rejected

userlist_file=/etc/mp/ // path of the specified list

The vsftpd configuration file uses "#" as the comment character. Lines beginning with "#" and blank lines are ignored when the file is parsed; every other line is treated as a configuration directive. Do not leave spaces on either side of the "=" in a directive. The configuration file also carries explanatory notes for each directive, and the file can be edited with the vi editor, as follows:
     #vi /etc/vsftpd/vsftpd.conf

1. Login settings and anonymous users

write_enable=YES // whether to grant write access to logged-in users. This is a global setting. Default NO
local_enable=YES // whether to allow local users to log in to the FTP server. Default NO
anonymous_enable=YES // whether to allow anonymous users to log in to the FTP server. Default YES
ftp_username= // defines the account name of the FTP anonymous user. The default value is ftp.
no_anon_password=YES // whether to skip the password prompt when an anonymous user logs in. If set to YES, no password is asked. Default NO
anon_world_readable_only=YES // whether anonymous users are allowed to download readable documents. Default YES.
anon_upload_enable=YES // whether to allow anonymous users to upload files. Only effective when write_enable is set to YES, and the anonymous user must have write access to the target directory. Default NO.
anon_mkdir_write_enable=YES // whether to allow anonymous users to create directories. Only effective when write_enable is YES, and the anonymous user must have write access to the parent directory. Default NO.
anon_other_write_enable=NO // if set to YES, anonymous users get, in addition to permission to upload and create directories, permission to delete and rename. Default NO.

2. Banner

After a user logs in to the FTP server successfully, the server can send a preset greeting message to the logged-in user.
ftpd_banner=Welcome to My FTP Server.
// This item sets a relatively brief welcome message. For a longer welcome message, use the banner_file item.
banner_file=/etc/vsftpd/banner
// The contents of this file are displayed when a user logs in. This setting overrides ftpd_banner.
dirmessage_enable=YES
// Enables the display of directory messages. If set to YES, when the user enters a particular directory (such as /var/ftp/linux), the contents of the file named by the message_file item (.message) in that directory are displayed.
message_file=.message // sets the directory message file. The message to display is stored in this file, which must be placed in the corresponding directory (such as /var/ftp/linux).

3. Set the directory users land in after login
local_root=/var/ftp
// Sets the directory local users land in after login. This item is not set in the default configuration file; in that case a user lands in their own home directory after logging in to the FTP server, which for the root user is /root.
anon_root=/var/ftp
// Sets the directory anonymous users land in after login. If not specified, the default is /var/ftp.

4. Controlling whether users may switch to the parent directory
In the default configuration, a user can use the "cd .." command to switch to the parent directory. For example, if the directory the user lands in after login is /var/ftp, then running "cd .." at the "ftp>" prompt switches the user to the parent directory /var. Running the command again takes the user to the root directory of the Linux system, from where the entire Linux file system can be reached.

If write_enable=YES is also set, the user can even modify files under the root directory, which is a serious security risk to the system. Users must therefore be prevented from switching to the Linux root directory. The related configuration items are:
chroot_list_enable=YES
// Sets whether the user list file specified by the chroot_list_file item is enabled. When set to YES, all users except the accounts listed in the /etc/vsftpd/chroot_list file can enter directories outside the FTP root directory. Default NO
chroot_list_file=/etc/vsftpd/chroot_list
// Specifies the user list file, which controls which users can switch to the parent directory of the FTP site's root directory.
chroot_local_user=YES
// Sets whether the users listed in the user list file are allowed to switch to the parent directory. Default NO
NOTE: To see the effect for local users, first set local_root=/var/ftp

There are several cases:
1) When chroot_list_enable=YES and chroot_local_user=YES, users listed in the /etc/vsftpd/chroot_list file can switch to the parent directory; users not listed in the file cannot switch to the parent directory of the site's root directory.
2) When chroot_list_enable=YES and chroot_local_user=NO, users listed in the /etc/vsftpd/chroot_list file cannot switch to the parent directory of the site's root directory; users not listed in the file can switch to the parent directory.
3) When chroot_list_enable=NO and chroot_local_user=YES, no user can switch to the parent directory.
4) When chroot_list_enable=NO and chroot_local_user=NO, all users can switch to the parent directory.
5) When a user is not allowed to switch to the parent directory, the root directory "/" seen after logging in to the FTP site is the home directory of the FTP account, i.e. the /var/ftp directory of the file system.
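The four chroot cases above, together with the "no spaces around =" rule stated earlier, can be checked mechanically before a configuration is deployed. The following is an added example, not code from the original page or from the vsftpd project; the function names and the sample configuration are constructed for illustration, and only the YES/NO values used on this page are handled.

```python
def parse_vsftpd_conf(text):
    """Return (settings, problems) for vsftpd.conf text.

    '#' lines and blank lines are skipped; a directive with a space on
    either side of '=' is reported instead of being accepted.
    """
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append((lineno, "no '=' in directive"))
        elif key != key.strip() or value != value.lstrip():
            problems.append((lineno, "space around '='"))
        else:
            settings[key] = value
    return settings, problems


def is_yes(settings, key, default="NO"):
    return settings.get(key, default).upper() == "YES"


def chrooted(user, settings, chroot_list):
    """True if `user` cannot leave the login directory (cases 1 to 4)."""
    listed = user in chroot_list
    if is_yes(settings, "chroot_list_enable"):
        # With chroot_local_user=YES the list names the exceptions;
        # with chroot_local_user=NO it names the confined users.
        return not listed if is_yes(settings, "chroot_local_user") else listed
    return is_yes(settings, "chroot_local_user")


# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """\
# constructed sample
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
write_enable = YES
"""
SAMPLE_CHROOT_LIST = {"admin"}  # contents of the chroot_list file


def report(conf_text, chroot_list, users):
    settings, problems = parse_vsftpd_conf(conf_text)
    return {u: chrooted(u, settings, chroot_list) for u in users}, problems


if __name__ == "__main__":
    print(report(SAMPLE_CONF, SAMPLE_CHROOT_LIST, ["admin", "lilei"]))
```

With the sample input this is case 1: the listed account admin is the only one that can leave the login directory, and the last line is flagged because of the spaces around "=".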

5. Set access control
(1) Allow or disallow access by host (see TBP14)
tcp_wrappers=YES sets whether the vsftpd server works together with tcp wrappers for host access control. The default is YES: the vsftpd server checks /etc/hosts.allow and /etc/hosts.deny to decide whether a connection request from a host is allowed to access the FTP server. These two files can act as a simple firewall.
For example, to allow only hosts 192.168.168.1 ~ 192.168.168.254 to connect to the vsftpd server, add the following to the /etc/hosts.allow file:
vsftpd: 192.168.168.0/255.255.255.0: allow
all: all: deny

(2) Allow or disallow access by user
User access control is implemented with the /etc/vsftpd/user_list and /etc/vsftpd/ftpusers files. The configuration items are as follows:
userlist_enable=YES
// Decides whether the /etc/vsftpd/user_list file takes effect. YES: it takes effect; NO: it does not.
userlist_deny=YES
// Decides whether the users in the /etc/vsftpd/user_list file are allowed or denied access. If set to YES, users in the /etc/vsftpd/user_list file are not allowed to access the FTP server; if set to NO, only users in the vsftpd.user_list file can access the FTP server.
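How userlist_enable, userlist_deny and the ftpusers file combine is easy to get wrong, in particular when only userlist_deny=NO is added as in Experiment four. The following is an added example, not code from the original page or from vsftpd; the account names and list contents are constructed, ftpusers is modelled as an unconditional deny list, and the defaults userlist_enable=NO and userlist_deny=YES are vsftpd's documented defaults rather than values stated on this page.

```python
# Constructed sample data for illustration.
FTPUSERS = {"root", "lilei"}       # accounts that are always refused
USER_LIST = {"manager", "lilei"}   # meaning depends on userlist_deny


def _yes(settings, key, default):
    return settings.get(key, default).upper() == "YES"


def may_login(user, settings, user_list=USER_LIST, ftpusers=FTPUSERS):
    """True if neither list blocks `user` (the password is still checked)."""
    if user in ftpusers:
        return False                       # refused whatever user_list says
    if not _yes(settings, "userlist_enable", "NO"):
        return True                        # user_list is not consulted at all
    listed = user in user_list
    if _yes(settings, "userlist_deny", "YES"):
        return not listed                  # user_list acts as a deny list
    return listed                          # user_list acts as an allow list


def access_matrix(users=("manager", "lilei", "alice")):
    """Evaluate three configurations against the same accounts."""
    configs = {
        "deny list": {"userlist_enable": "YES", "userlist_deny": "YES"},
        "allow list": {"userlist_enable": "YES", "userlist_deny": "NO"},
        # userlist_deny=NO without userlist_enable=YES changes nothing
        "deny=NO only": {"userlist_deny": "NO"},
    }
    return {name: {u: may_login(u, s) for u in users}
            for name, s in configs.items()}


if __name__ == "__main__":
    for name, row in access_matrix().items():
        print(f"{name:13} {row}")
```

The "deny=NO only" row shows that restricting access to the listed accounts requires userlist_enable=YES to be in effect as well; otherwise every account not in ftpusers can still log in.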

6. Set the access speed
anon_max_rate=0
// Sets the maximum transfer speed available to anonymous users, in b/s. If set to 0, the speed is not limited; this is the default.
local_max_rate=0
// Sets the maximum transfer speed available to local users. The default is 0, not restricted.

7. Define per-user configuration files
On a vsftpd server, different users can be given different configurations; this is implemented with per-user configuration files.
user_config_dir=/etc/vsftpd/userconf // sets the directory where the user configuration files reside.
After this item is set, when a user logs in to the FTP server, the system looks in the /etc/vsftpd/userconf directory for a file with the same name as the current user and applies the directives in that file as further configuration for that user. For example, per-user configuration files can be used to control the access speed of different users: define local_max_rate in each user's file to set the access speed allowed for that user.

8. Connection-related settings
listen=YES
// Sets whether the vsftpd server runs in standalone mode. Running in standalone mode is a good approach, and listen must then be set to YES. This is the default and it is recommended not to change it. Many directives related to running the server take effect only in this mode. If set to NO, vsftpd does not run as a separate service; it is managed by the xinetd service and its functionality is restricted.

max_clients=0
// Sets the maximum number of connections vsftpd allows. The default is 0, which means unlimited. If set to 150, 150 simultaneous connections are allowed and any beyond that are refused. Valid only when running in standalone mode.

max_per_ip=0
// Sets the number of connections each IP address may hold to the FTP server at the same time. The default is 0, not restricted. This item is usually set to prevent the same user from opening too many connections. Valid only when running in standalone mode.

listen_address=IP address
// Sets the IP address on which the server listens for FTP requests. If not set, the server listens on all of its bound IP addresses. Valid only when running in standalone mode. A server with only one bound IP address does not need this item, and the default configuration file does not contain it. If the server has several IP addresses bound, use this item to specify the IP address on which the FTP service is provided.
Note: compare the output of netstat -tnl before and after changing this value to see the listening ports

accept_timeout=60
// Sets the timeout for establishing a passive (PASV) data connection, in seconds. The default value is 60.
connect_timeout=60
// Sets the timeout for establishing a data connection in PORT mode, in seconds.
data_connection_timeout=300
// Sets the timeout for an established FTP data connection. The default is 300 seconds.

idle_session_timeout=600
// Sets how long the FTP connection may go without any operation before the server disconnects it, in seconds. The default is 600 seconds. This is the idle timeout: if no command is entered and no data is transferred within this time, the connection is forcibly closed.
pam_service_name=vsftpd
// Sets the name of the PAM service used. The default value is vsftpd.

setproctitle_enable=NO|YES
// Sets whether each connection to the FTP server shows up as a distinct process. The default value is NO, in which case only a process named vsftpd is shown. If set to YES, each connection has its own vsftpd process, and the "ps -ef | grep ftp" command shows the details of the FTP connections. For security reasons, it is recommended to leave this off.

9. How FTP works and the port settings
(1) Introduction to how FTP works
      FTP works in two ways: one is PORT FTP, the other is PASV FTP. Here is how they work.
The difference is that in PORT FTP the data transfer port is designated by the FTP server, while in PASV FTP it is designated by the FTP client, and the port number used differs for each data connection. This is why FTP client software such as CuteFTP has a connection type setting with the two options PORT and PASV.

      When the FTP server is set to PASV mode, the client must also use the PASV connection type. If the client connection type is set to PORT, the FTP connection can be established, but when a command that needs a data transfer (such as ls or get) is run, there is no response, and eventually the client reports that a data connection cannot be established.

(2) Port-related configuration
listen_port=21
// Sets the port on which the FTP server listens for connections. The default value is 21.
Example of connecting to a non-standard port: ftp www.sunflower.org 7000
connect_from_port_20=YES
// The default is YES, which makes FTP use port 20 for data connections. If set to NO, data connections use the port specified by ftp_data_port.

ftp_data_port=20
// Sets the port used for FTP data connections in PORT mode. The default value is 20.
pasv_enable=YES|NO
// If set to YES, PASV mode is used; if set to NO, PORT mode is used. The default is YES, that is, PASV mode.
pasv_max_port=0
// Sets the upper bound of the port range that data connections may use in PASV mode. The default is 0, meaning any port.
pasv_min_port=0
// Sets the lower bound of the port range that data connections may use in PASV mode. The default is 0, meaning any port.

10. Set the transfer mode
When transferring data, FTP can use binary (Binary) mode, and ASCII mode can also be used to upload or download data.
ascii_download_enable=YES // whether to enable ASCII mode for downloads. The default is NO.
ascii_upload_enable=YES // whether to enable ASCII mode for uploads. The default is NO.

11. Set the owner and permissions of uploaded documents
(1) Set the owner of anonymously uploaded documents
chown_uploads=YES
// Sets whether to change the owner of documents uploaded by anonymous users. The default is NO. If set to YES, the owner of documents uploaded by anonymous users is set to the user name given in the chown_username item.
chown_username=whoever
// Sets the owner name for documents uploaded by anonymous users. Only effective if chown_uploads=YES. Setting it to the root user is not recommended, but the system default is root.

(2) Permissions of newly created documents
local_umask=022
// Sets the umask for documents added by local users. The default is 022, corresponding to permission 755. A umask of 022 corresponds to the binary number 000010010, whose inverse is 111101101; converted to a decimal number this gives the permission value 755, meaning the document owner has read, write and execute rights, the owning group has read and execute permission, and other users have read and execute permission. 022 suits most situations and generally does not need to be changed. If set to 077, the corresponding permission is 700.
anon_umask=022 // sets the umask for documents added by anonymous users. Default 077
file_open_mode=0755 // sets the permissions of uploaded documents, in numeric format. Default 0666

12. Log file
xferlog_enable=YES // whether upload/download logging is enabled. The default is NO
xferlog_file=/var/log/vsftpd.log // sets the log file name and path. The xferlog_enable option must be enabled
xferlog_std_format=YES // whether the log file uses the standard xferlog format (the same format used by wu-ftpd). The default is NO

13. Other settings
text_userdb_names=NO
// Sets whether the ls command shows UIDs and GIDs or the actual user and group names. The default is NO, which shows UIDs and GIDs; to display user and group names, set it to YES.
ls_recurse_enable=YES
// If set to YES, the "ls -R" command is allowed. The default is NO. In the shipped configuration file this item is commented out; some other items are like this too. When one is needed, uncomment it and set it to YES or NO.


Origin www.cnblogs.com/khstudy/p/11781253.html