vsftp manual
Introduction
FTP is a widely used and old an Internet file transfer protocol
- Mainly for the Internet
文件的双向传输
(upload / download), File Sharing - Cross-platform Linux, Windows
- FTP is a C / S architecture has a client and server, using the TCP protocol as the underlying transport protocol to provide reliable data transmission
- 21 FTP default port number (the port command) 20 (data port, active mode) by default passive mode
FTP service client tools
Linux: ftp, lftp (client)
lftp: The default is the anonymous user access
lftp can bulk up and download directory
lftp localhost:~> mirror remote local #下载整个目录到本地 lftp localhost:~> mirror -R local remote rename #上传整个目录到远程同时可以重命名
ftp: default is username / password access
Windows: FileZilla、IE、Chrome、Firefox
FTP the two modes of operation
Active mode
Active mode schematic
- Client Open command is greater than the random port 1023 and port 1023 is greater than the random data request to the originating port number of 21 Server
- Server's
21号命令端口
random command response Client port - Server port 20 is
主动
requesting a connection to Client随机数据端口
- Client port random data confirm successful connection
Passive mode
Passive mode schematic
- Client Open command is greater than the random port 1023 and port 1023 is greater than the random data request to the originating port number of 21 Server
- Server's
21号命令端口
random command response Client port - Client
主动连接Server
Open大于1023的随机数据端口
- Server confirmation, the connection is successful
About Software
Software File List
/etc/logrotate.d/vsftpd //日志轮转的文件
/etc/pam.d/vsftpd //安全认证
/etc/rc.d/init.d/vsftpd //启动脚本
/etc/vsftpd //配置文件的主目录
/etc/vsftpd/ftpusers //用户列表(黑名单)
/etc/vsftpd/user_list //用户列表(默认黑名单|可黑可白)
/etc/vsftpd/vsftpd.conf //主配置文件
/usr/sbin/vsftpd //二进制命令
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS/README //虚拟主机
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/README //虚拟用户
/usr/share/man/man5/vsftpd.conf.5.gz //man文档
/var/ftp //匿名用户的默认数据的根目录
/var/ftp/pub //匿名用户的默认数据目录的扩展目录
The basic configuration file
NOTE: The main configuration file: man 5 vsftpd.conf
[root@ftp-server ~]# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES //支持匿名用户访问
anon_mkdir_write_enable=YES //支持匿名用户创建,修改文件
anon_other_write_enable=YES // 同上
anon_upload_enable=YES //支持匿名用户上传, (默认不支持)
local_enable=YES //非匿名用户
write_enable=YES //写总开关
local_umask=022 //反掩码 file:644 rw- r-- r-- dir:755
anon_umask=022
dirmessage_enable=YES //启用消息功能
xferlog_enable=YES //开启或启用xferlog日志
connect_from_port_20=YES //支持主动模式(默认被动模式)
xferlog_std_format=YES //xferlog日志格式
listen=YES //ftp服务独立模式下的监听
pam_service_name=vsftpd //指定认证文件
userlist_enable=YES //启用用户列表
tcp_wrappers=YES //支持tcp_wrappers功能
chroot_local_user=YES //禁锢所有的本地用户的家目录
# 禁锢大部分本地用户允许小部分人可以切换跳转:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# 禁锢小部分用户允许大部分用户:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
echo zhangsan >> /etc/vsftpd/chroot_list
#网络访问控制:
/etc/hosts.deny
vsftpd:all 全部拒绝
vsftpd:all EXCEPT 192.168.0.2 拒绝所有除了192.168.0.2
vsftpd:192.168.0.254 拒绝单个ip地址=hosts.allow文件里增加vsftpd:192.168.0.254:deny
vsftpd:192.168.0.0/255.255.255.0 拒绝某个网段
vsftpd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254 拒绝某个网段,但是除了某个ip地址
注意:子网掩码不支持192.168.0.0/24这种写法
#固定服务器端被动模式下的端口号范围为2000~2050
pasv_max_port=2050
pasv_min_port=2000
#限制匿名用户下载文件的速率为500kbps, 最大连接数为10
anon_max_rate=500000
max_clients=10
FTP access control services
/etc/vsftpd/ftpusers //用户列表(黑名单)
/etc/vsftpd/user_list //用户列表(默认黑名单|可黑可白)
# user_list要成为白名单, 需要再配置文件里增加:
# userlist_deny=NO
# 注意: 如果user_list是白名单, 那么必须在该文件里的用户才可以访问ftp服务
# 默认情况下, vsftpd服务支持本地用户(/etc/passwd)访问
# 默认情况下, vsftpd服务允许匿名用户下载文件,但是不允许匿名用户上传文件
# 允许本地用户上传和下载文件, 本地用户是ftp服务端的普通用户
note
# ftp-server端的数据目录要有写权限
# 匿名用户的数据根目录权限不能太大可以在数据目录下创建一个新目录解决
CentOS build vsftpd
The installation of the vsftpd default 被动模式
, it is recommended to use passive mode in a production environment
installation
yum install vsftpd db4 db4-utils ftp
Modify the configuration file
# 修改/etc/vsftpd/vsftpd.conf文件名 为 /etc/vsftpd/vsftpd.conf.old
mv /etc/vsftpd/vsftpd.conf{,.old}
man vsftpd.conf
# man vsftpd.conf 查看选项说明
# Allow anonymous FTP
anonymous_enable=NO
# allow local users to log in.
local_enable=YES
# enable any form of FTP write command.
write_enable=YES
# Default umask for local users
local_umask=022
# allow the anonymous FTP user to upload files.
anon_upload_enable=NO
# allow anonymous FTP user to be able to create new directories.
anon_mkdir_write_enable=YES
# Activate directory messages - messages given to remote users when they go into a certain directory.
dirmessage_enable=YES
# Disable logging of uploads/downloads.
xferlog_enable=NO
# xferlog_file=/var/log/xferlog
# xferlog_std_format=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# If you want, you can arrange for uploaded anonymous files to be owned by a different user. Note! Using "root" for uploaded files is not recommended!
chown_uploads=NO
#chown_username=whoever
# Enable this and the server will recognise asynchronous ABOR requests. Not recommended for security (the code is non-trivial). Not enabling it, however, may confuse older FTP clients.
async_abor_enable=YES
# 设定支持ASCII模式的上传和下载功能
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
# You may specify an explicit list of local users to chroot() to their home directory. If chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
# Warning! chroot'ing can be very dangerous. If using chroot, make sure that the user does not have write access to the top level directory within the chroot
chroot_local_user=YES
#chroot_list_enable=YES
# default follows
#chroot_list_file=/etc/vsftpd/chroot_list
# listen on 21
listen_port=21
# listen on ipv4
listen=YES
# listen on ipv6
listen_ipv6=NO
# 不使用vsftpd包的'/etc/pam.d/vsftpd'
pam_service_name=vsftpd.vu
# 禁止指定文件中的用户登录(高危用户)
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
tcp_wrappers=YES
use_localtime=YES
# 启用非匿名用户的映射
guest_enable=YES
# 非匿名用户登录后被映射的用户,OS中必须存在此用户不然及时用户名密码正确也登录不进来
guest_username=ftp
# 定义每用户的设置
user_config_dir=/etc/vsftpd/vconf
virtual_use_local_privs=YES
pasv_min_port=10060
pasv_max_port=10090
Establish an independent pam authentication module
# /etc/vsftpd/vuser.db (去掉.db)
cat >/etc/pam.d/vsftpd.vu <<'EOF'
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
EOF
anonymous ftp account and directory
mkdir -p /data/ftp
usermod -d /data/ftp ftp #修改ftp用户家目录
chown -R ftp:ftp /data/ftp
Add ftp virtual users
To ftpuser for example, this file is used only to generate certification documentation by db_load
# 准备固定格式的文本用于生成认证文件(用户名,密码分别一行)
cat >/etc/vsftpd/ftpuser.list <<'EOF'
ftpuser
123123
EOF
# 生成认证文件
db_load -T -t hash -f /etc/vsftpd/ftpuser.list /etc/vsftpd/vuser.db
# 配置虚拟用户,一个用户一个配置文件,用户必须存在
mkdir -p /etc/vsftpd/vconf
cat >/etc/vsftpd/vconf/ftpuser<<'EOF'
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
allow_writeable_chroot=YES
local_root=/data/ftp
EOF
Restart
systemctl restart vsftpd
systemctl enable vsftpd
test
用ftp localhost正常登陆成功即可
Iptables configuration
vim /etc/sysconfig/iptables
添加如下规则:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10060:10090 -j ACCEPT