Installing the FTP service on CentOS 7
yum install -y vsftpd
Start the service
systemctl start vsftpd
Start at boot
systemctl enable vsftpd
Check the listening port (vsftpd listens on TCP 21; active-mode data connections originate from port 20)
Pay attention to the local firewall and SELinux, otherwise the service will not work properly: the ftp service has to be allowed in firewalld, and with SELinux enforcing, reads and writes outside the default /var/ftp tree need the matching file contexts or the ftpd booleans (ftp_home_dir for home directories, ftpd_full_access for everything).
Important files
/var/ftp/pub default shared directory (the anonymous root is /var/ftp)
/etc/vsftpd/vsftpd.conf main configuration file
/etc/vsftpd/user_list blacklist by default; can be turned into a whitelist in the configuration file
/etc/vsftpd/ftpusers blacklist (enforced by PAM, cannot be turned into a whitelist)
FTP user types
Anonymous user
anonymous or ftp
Local users
Linux system users
Virtual users
Accounts defined by the administrator that exist only for FTP
Configuration file /etc/vsftpd/vsftpd.conf
The stock CentOS 7 file sets the following (one directive per line; the text after ### is an explanation added here, not valid syntax, since vsftpd does not accept trailing comments on a directive line):
anonymous_enable=YES ### allow anonymous logins; recommended to disable
local_enable=YES ### allow local (system) users to log in
write_enable=YES ### allow FTP commands that modify the filesystem (STOR, DELE, MKD, ...)
local_umask=022 ### umask applied to files created by local users
dirmessage_enable=YES ### show the directory's .message file when a user first enters it
xferlog_enable=YES ### log uploads and downloads
connect_from_port_20=YES ### use port 20 as the source of active-mode data connections
xferlog_std_format=YES ### use the standard (wu-ftpd style) xferlog format
listen=NO ### do not open a standalone IPv4 socket; the IPv6 socket below is the one listening
listen_ipv6=YES ### listen on an IPv6 socket; on Linux the :: wildcard also accepts IPv4 clients, so exactly one of listen/listen_ipv6 must be YES
pam_service_name=vsftpd ### PAM service name, i.e. the stack in /etc/pam.d/vsftpd
userlist_enable=YES ### consult /etc/vsftpd/user_list (a blacklist unless userlist_deny=NO)
tcp_wrappers=YES ### honour /etc/hosts.allow and /etc/hosts.deny
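As an added example (this is not code from the original post), the following bash script audits a vsftpd.conf against the recommendations in this guide: it reads directives the way vsftpd does (last uncommented assignment wins, no trailing comments) and reports anonymous access, anonymous write access, local users that are not jailed, system-account logins without virtual users, and a writable chroot root. The two configurations it checks are constructed inline: one mirrors the stock file with the anonymous upload lines switched on, the other is the virtual-user setup this guide ends with. The function names and the sample files are assumptions for illustration; on a real host pass /etc/vsftpd/vsftpd.conf.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Audits a vsftpd.conf for the
# settings this guide recommends against. The two sample configs are
# constructed here for illustration; on a real host pass /etc/vsftpd/vsftpd.conf.
set -u

# Effective value of a directive, upper-cased, empty if unset. vsftpd reads the
# file top to bottom, so the last uncommented assignment wins; lines starting
# with '#' are comments and vsftpd allows no trailing comments on a directive.
vsftpd_get() {  # vsftpd_get <conf> <directive>
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1) }
        $1 == k { v = $2 }
        END { gsub(/[[:space:]]/, "", v); print toupper(v) }' "$1"
}

# One finding per line on stdout; nothing printed means no finding.
vsftpd_audit() {  # vsftpd_audit <conf>
    local conf=$1 anon local_en up mk jail wjail guest
    anon=$(vsftpd_get "$conf" anonymous_enable)
    local_en=$(vsftpd_get "$conf" local_enable)
    up=$(vsftpd_get "$conf" anon_upload_enable)
    mk=$(vsftpd_get "$conf" anon_mkdir_write_enable)
    jail=$(vsftpd_get "$conf" chroot_local_user)
    wjail=$(vsftpd_get "$conf" allow_writeable_chroot)
    guest=$(vsftpd_get "$conf" guest_enable)

    [ "$anon" = YES ] &&
        echo "anonymous_enable=YES: anonymous logins allowed (guide recommends NO)"
    [ "$anon" = YES ] && { [ "$up" = YES ] || [ "$mk" = YES ]; } &&
        echo "anonymous clients may upload or create directories (anon_upload_enable/anon_mkdir_write_enable)"
    [ "$local_en" = YES ] && [ "$jail" != YES ] &&
        echo "chroot_local_user is not YES: local users can cd / and read the whole filesystem"
    [ "$local_en" = YES ] && [ "$guest" != YES ] &&
        echo "local_enable=YES without guest_enable: real system accounts log in with their Linux passwords over clear-text FTP"
    [ "$wjail" = YES ] &&
        echo "allow_writeable_chroot=YES: chroot root is writable, which weakens the jail"
    return 0
}

# Number of findings (0 when clean).
vsftpd_audit_count() {  # vsftpd_audit_count <conf>
    vsftpd_audit "$1" | awk 'END { print NR }'
}

# Constructed sample 1: the stock CentOS 7 settings with the two anonymous
# upload lines uncommented, as in the anonymous-login section of the guide.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
# anonymous upload enabled as in the guide
anon_upload_enable=YES
anon_mkdir_write_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
EOF

# Constructed sample 2: anonymous off, virtual users only, jailed, root not writable.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vuser_conf
userlist_enable=YES
userlist_deny=NO
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f: $(vsftpd_audit_count "$f") finding(s)"
    vsftpd_audit "$f"
done
```

The hardened sample keeps local_enable=YES on purpose: virtual users (guest_enable) are handled by vsftpd as local logins mapped to guest_username, so turning local_enable off would disable them too; what stops real system accounts is the PAM change in the virtual-user section, which a file-only audit cannot see.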
Anonymous user login
By default anonymous users can log in, and their login directory is /var/ftp/ (the home directory of the ftp system account).
The user name is anonymous or ftp; any password is accepted (leaving it blank works). Anonymous login is recommended to be disabled (anonymous_enable=NO).
By default anonymous users can only download files; they cannot upload into that directory.
The configuration file and the directory permissions can be changed so that anonymous users may upload files and create directories.
In /etc/vsftpd/vsftpd.conf, uncomment the following two lines (write_enable=YES must also be set, which it is by default):
anon_upload_enable=YES # allow uploading files
anon_mkdir_write_enable=YES # allow creating directories
Restart the service. The ftp user must also own /var/ftp/pub so it can write there; leave /var/ftp itself owned by root, because vsftpd refuses a login whose chroot root is writable:
chown ftp /var/ftp/pub
Log back in as the anonymous user: directories can now be created and files uploaded under pub/. Any client on the network can then fill the directory, so only enable this where a public drop box is intended.
System user login
Linux system accounts can log in to the FTP service as themselves, but because FTP sends credentials in clear text, anyone who captures the traffic obtains a valid Linux user name and password. Local login is therefore recommended to be disabled (local_enable=NO) unless the connection is protected otherwise.
By default a system user who logs in can upload and download, and the login directory is the user's home directory.
The login directory can be changed by adding local_root to /etc/vsftpd/vsftpd.conf:
local_root=/tmp/test_home/
Then create the directory with mkdir /tmp/test_home and restart the service.
Log in again: the directory is now /tmp/test_home, and every other Linux user who logs in to the FTP service lands in the same directory (mind the filesystem permissions on it).
Logging in with system users has a further flaw: the user can change out of the login directory to / and read any other directory the account has permission for, so system users need to be jailed (chrooted) in their home directory.
Uncomment the following lines in the configuration file and restart the service; all system users are then confined to their home directory:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
With chroot_local_user=YES the list is an exception list: adding a system user such as test2 to /etc/vsftpd/chroot_list means that user is not jailed and can still reach / and other directories after logging in.
Note that vsftpd 2.3.5 and later (CentOS 7 ships 3.0.x) refuses to log a user in when the chroot root is writable, which a normal home directory is ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either remove write permission on the home directory itself (chmod a-w on it, keeping a writable subdirectory for uploads) or set allow_writeable_chroot=YES, which weakens the jail.
Both /etc/vsftpd/ftpusers and /etc/vsftpd/user_list are blacklists by default, but /etc/vsftpd/user_list can be turned into a whitelist through the configuration file.
In /etc/vsftpd/vsftpd.conf:
userlist_enable=YES # add the following two lines below this one to invert user_list into a whitelist
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
Note that the blacklist outranks the whitelist: ftpusers is enforced separately, by the pam_listfile line in /etc/pam.d/vsftpd, so a user who appears both in ftpusers and in the user_list whitelist is still denied.
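As an added example (not code from the original post), the following bash function works out whether a user name gets past the two list checks just described, with the precedence vsftpd and PAM actually apply: ftpusers is checked by pam_listfile and always denies, while user_list is a blacklist with userlist_deny=YES (vsftpd's default) and a whitelist with userlist_deny=NO. The configuration and list files are constructed in a temporary directory; the function and file names are assumptions, and on a real host the inputs would be /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers and /etc/vsftpd/user_list.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Evaluates whether a user name
# gets past the ftpusers and user_list checks, with the precedence vsftpd and
# PAM apply. All inputs are constructed temp files.
set -u

in_list() {  # in_list <file> <user>: true if user is an exact, whole line
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# Last value of a directive in the conf (empty if unset).
conf_value() {  # conf_value <conf> <directive>
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Prints "allow: ..." or "deny: ...".
#  - ftpusers comes first: the stock /etc/pam.d/vsftpd carries
#    "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers",
#    so it is always a blacklist and user_list cannot override it.
#  - user_list is consulted when userlist_enable=YES: a blacklist with
#    userlist_deny=YES (the default), a whitelist with userlist_deny=NO.
ftp_login_check() {  # ftp_login_check <conf> <ftpusers> <user_list> <user>
    local conf=$1 ftpusers=$2 userlist=$3 user=$4 enable deny
    enable=$(conf_value "$conf" userlist_enable)
    deny=$(conf_value "$conf" userlist_deny)
    [ -n "$deny" ] || deny=YES   # vsftpd's default when the directive is absent

    if in_list "$ftpusers" "$user"; then
        echo "deny: $user is in ftpusers (PAM blacklist, outranks user_list)"
    elif [ "$enable" = YES ] && [ "$deny" = NO ] && ! in_list "$userlist" "$user"; then
        echo "deny: user_list is a whitelist and $user is not in it"
    elif [ "$enable" = YES ] && [ "$deny" = YES ] && in_list "$userlist" "$user"; then
        echo "deny: $user is in user_list (blacklist mode)"
    else
        echo "allow: $user passes ftpusers and user_list (the password check still follows)"
    fi
}

# Constructed inputs: test2 sits in both lists, the case the note above describes.
T=$(mktemp -d)
printf 'root\nbin\ntest2\n' > "$T/ftpusers"
printf 'test\ntest2\n'      > "$T/user_list"
printf 'userlist_enable=YES\nuserlist_deny=NO\nuserlist_file=/etc/vsftpd/user_list\n' > "$T/whitelist.conf"
printf 'userlist_enable=YES\n' > "$T/blacklist.conf"

for u in test test2 test3; do
    echo "whitelist mode: $(ftp_login_check "$T/whitelist.conf" "$T/ftpusers" "$T/user_list" "$u")"
    echo "blacklist mode: $(ftp_login_check "$T/blacklist.conf" "$T/ftpusers" "$T/user_list" "$u")"
done
```

Keep in mind that the ftpusers branch only holds while the pam_listfile line is present in /etc/pam.d/vsftpd; the virtual-user setup later in this guide replaces that PAM file, after which ftpusers is no longer consulted.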
Virtual user login
A safer and common way to log in is with virtual users, i.e. accounts that can only log in to the FTP server and do not exist on the Linux system.
1. Create a virtual user password file
vim /etc/vsftpd/vuser.txt
Enter the virtual users and their passwords, alternating one line for the account and one line for its password:
vtest #account
test #password
vtest2 #account
test2 #password
(The "#account"/"#password" notes are explanations only; the file itself must contain just the bare name and password lines, because db_load reads every line literally.)
2. Generate the authentication database
db_load -T -t hash -f /etc/vsftpd/vuser.txt /etc/vsftpd/vuser.db
If db_load is not installed, install it first. The original guide names the package db4-utils, which is the CentOS 6 name; on CentOS 7 db_load is provided by libdb-utils:
yum -y install libdb-utils
3. Edit the PAM authentication file
Edit /etc/pam.d/vsftpd and comment out its existing contents, because those lines authenticate against the system's own accounts (they are what lets Linux users log in, and also what enforces /etc/vsftpd/ftpusers); after this change real Linux accounts can no longer log in through FTP. Then append two lines:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
(db= is given without the .db suffix; pam_userdb appends it. On a 32-bit system the module lives under /lib/security/.)
4. Create the local mapping user
All virtual users run as one unprivileged system account, which owns their files:
useradd -d /home/vftproot -s /sbin/nologin vuser
chmod 755 /home/vftproot
5. Modify the configuration file
Add to /etc/vsftpd/vsftpd.conf:
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vuser_conf
local_enable=YES must stay set: vsftpd treats virtual users as local logins that are mapped to guest_username, and with the PAM file replaced in step 3 real system accounts cannot authenticate anyway.
Then restart the service; virtual users can now log in. Remember to delete the plaintext vuser.txt, and restrict the database with chmod 600 /etc/vsftpd/vuser.db, since it also holds the passwords in clear text.
Assigning directories to virtual users
mkdir /etc/vsftpd/vuser_conf
In this directory create one file per virtual user, named after the user, that sets that user's permissions and directory. Virtual users without a file fall back to the main configuration file. Because vsftpd applies the anonymous permission model to virtual users, their write rights are controlled by the anon_* directives:
vim /etc/vsftpd/vuser_conf/vtest2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_root=/tmp/vtest2
mkdir /tmp/vtest2
chown vuser /tmp/vtest2
And add to the main configuration file:
allow_writeable_chroot=YES
This is needed only because /tmp/vtest2, the chroot root, is now writable by vuser and vsftpd refuses such a jail. The tighter alternative is to leave /tmp/vtest2 owned by root and give vuser a writable subdirectory inside it, so allow_writeable_chroot can stay off. (/tmp is also cleaned periodically by systemd-tmpfiles on CentOS 7, so a path under /srv or /home is a better permanent location.)
Restart the service and log in again; the virtual user can now work normally.
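As an added example (not code from the original post), the following bash script carries out steps 1 to 5 and the per-user directory assignment above in one place, with the clean-ups the guide only mentions in passing: the list is validated before db_load turns it into credentials, the plaintext vuser.txt is destroyed afterwards, the database is readable by root only, and each chroot root is kept owned by root with a writable upload subdirectory, so allow_writeable_chroot=YES is never needed. The paths under /srv/ftp, the function names and the guest account name are assumptions; nothing touches the system unless the script is run as root with the "apply" argument, and the sample vuser.txt is constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Provisions vsftpd virtual
# users as the guide describes, plus the clean-ups it only mentions. Paths
# under /srv/ftp and the guest account name are assumptions. Nothing below
# changes the system unless run as "script.sh apply /etc/vsftpd/vuser.txt" by root.
set -u

# vuser.txt alternates a user line and a password line (the key/value layout
# db_load -T expects). Reject blank lines, duplicate users and an odd line
# count, which db_load would otherwise turn into wrong or overwritten credentials.
vuser_check_list() {  # vuser_check_list <vuser.txt>  -> exit 0 if well formed
    awk '
        NF == 0     { print "line " NR ": blank entry"; bad = 1; next }
        NR % 2 == 1 { if ($0 in seen) { print "line " NR ": duplicate user " $0; bad = 1 }
                      seen[$0] = 1 }
        END         { if (NR % 2) { print "odd line count: last user has no password"; bad = 1 }
                      exit bad }' "$1"
}

# Write the per-user override file for <user>. Virtual users are governed by
# the anon_* directives, so those decide write access; local_root is the jail.
vuser_write_conf() {  # vuser_write_conf <conf_dir> <user> <root_dir> <upload yes|no>  -> prints path
    local f="$1/$2"
    {
        echo "local_root=$3"
        if [ "$4" = yes ]; then
            echo "anon_upload_enable=YES"
            echo "anon_mkdir_write_enable=YES"
        else
            echo "write_enable=NO"
        fi
    } > "$f"
    chmod 600 "$f"
    echo "$f"
}

# The part that needs root on the server: directories, db, PAM-independent clean-up.
vuser_apply() {  # vuser_apply <vuser.txt>
    local list=$1 db=/etc/vsftpd/vuser.db guest=vuser confdir=/etc/vsftpd/vuser_conf
    local user pw root
    vuser_check_list "$list" || { echo "refusing to build db from malformed $list" >&2; return 1; }
    id "$guest" >/dev/null 2>&1 || useradd -d /home/vftproot -s /sbin/nologin "$guest"
    mkdir -p "$confdir"
    while read -r user && read -r pw; do
        root=/srv/ftp/$user
        mkdir -p "$root/upload"
        chown root:root "$root" && chmod 755 "$root"                      # chroot root stays read-only
        chown "$guest:$guest" "$root/upload" && chmod 755 "$root/upload"  # writable subdirectory
        vuser_write_conf "$confdir" "$user" "$root" yes >/dev/null
    done < "$list"
    db_load -T -t hash -f "$list" "$db"   # db_load comes from libdb-utils on CentOS 7
    chmod 600 "$db"                       # the db stores the passwords in clear text
    shred -u "$list" 2>/dev/null || rm -f "$list"   # never leave vuser.txt behind
    systemctl restart vsftpd
}

# Constructed sample list, checked offline so the script can run anywhere.
DEMO=$(mktemp -d)
printf 'vtest\ntest\nvtest2\ntest2\n' > "$DEMO/vuser.txt"
vuser_check_list "$DEMO/vuser.txt" && echo "sample vuser.txt is well formed"
vuser_write_conf "$DEMO" vtest2 /srv/ftp/vtest2 yes

if [ "${1:-}" = apply ]; then
    vuser_apply "${2:?usage: $0 apply <vuser.txt>}"
fi
```

With this layout the main configuration keeps chroot_local_user=YES and never sets allow_writeable_chroot: the virtual user is jailed in /srv/ftp/<user>, which only root can write, and uploads land in the upload subdirectory owned by the guest account.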