vsftpd服务

ftp是互联网中进行文件传输的一种协议，基于C/S模式，FTP默认有两个工作端口（20数据传输，21FTP服务端就收客户端发来的指令和）

安装FTP服务

[root@haha-main-130 ~]# yum -y install vsftpd 

配置文件位置及内容

[root@haha-main-130 ~]# cat /etc/vsftpd/vsftpd.conf  # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES # # Uncomment this to allow local users to log in. # When SELinux is enforcing check for SE bool ftp_home_dir local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains # the behaviour when these options are disabled. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=NO # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! listen_ipv6=YES  pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES  

主要配置项

[root@haha-main-130 ~]# cat /etc/vsftpd/vsftpd.conf | grep -vE '^$|^#' anonymous_enable=YES #是否允许匿名登录 local_enable=YES #是否允许本地用户登录 write_enable=YES #是否允许写入 local_umask=022 #掩码值 dirmessage_enable=YES #是否允许记录日志 xferlog_enable=YES #是否允许记录日志 connect_from_port_20=YES #允许20端口连接 xferlog_file=/var/log/xferlog #日志记录文件位置 xferlog_std_format=YES  listen=YES #是否打开本地监听 listen_ipv6=YES #ipv6监听 pam_service_name=vsftpd #守护名称 userlist_enable=YES #允许userlist文件内用户登录 tcp_wrappers=YES 

vsftp匿名用户模式

• 任何人不需要账号密码登录

配置文件

1.允许匿名用户登录 	anonymous_enable=YES 2.允许匿名用户上传文件 	anon_upload_enable=YES 3.允许匿名用户写入、创建文件夹 	anon_mkdir_write_enable=YES 4.允许匿名用户修改文件名，删除文件夹操作 	anon_other_witer_enable=YES 

vsftp本地用户模式

• 基于linux的本地账号密码进行验证，配置简单，但是存在安全隐患

配置文件

[root@haha-main-130 ~]# cat /etc/vsftpd/vsftpd.conf | grep -Ev '^$|^#' anonymous_enable=NO #关闭匿名用户验证模式 local_enable=YES write_enable=YES local_umask=022 #默认文件权限 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/xferlog xferlog_std_format=YES listen=YES pam_service_name=vsftpd userlist_enable=YES userlist_deny=YES tcp_wrappers=YES	 

此时/etc/vsftpd/ftpuser文件中的用户名不允许登录

vsftp虚拟用户模式

• 单独为FTP工具创建用户数据库，基于口令验证账号密码的信息

1. 安装DB工具，能够转化普通文件为vsftpd识别的数据库文件

yum -y install db4 db4-utils 

2. 创建用于验证的数据文件

[root@haha-main-130 vsftpd]# cat db.txt  name1 111 name2 222 

3. 加密文件

[root@haha-main-130 vsftpd]# db_load -T -t hash -f /etc/vsftpd/db.txt /etc/vsftpd/db.db [root@haha-main-130 vsftpd]# cat db.db  a      Gߊ???? ??Gߊ????e1? эh^?        эh^222name2[root@haha-main-130 vsftpd]#  

4. 创建虚拟用户登录后默认访问的文件夹路径，与linux中的本地用户创建一个映射关系，防止匿名用户登陆之后创建文件提示用户权限问题

# 创建一个本地用户，指定家目录，禁止登录bash [root@haha-main-130 vsftpd]# useradd -d /var/ftp/v_ftpfir -s /sbin/nologin v_user  # 修改/var/ftp/v_ftpfir目录属性为600 [root@haha-main-130 ftp]# chmod -Rf 755 v_ftpfir/  # 修改/etc/vsftpd/ftpuser文件，禁止v_user用户登录 [root@haha-main-130 vsftpd]# echo 'v_user' >> /etc/vsftpd/ftpusers  

5. 修改PAM文件/etc/pam.d/vsftpd

[root@haha-main-130 vsftpd]# cat /etc/pam.d/vsftpd  #%PAM-1.0 session    optional     pam_keyinit.so    force revoke auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth       required	pam_shells.so auth       include	password-auth account    include	password-auth session    required     pam_loginuid.so session    include	password-auth  # 添加如下两行，db之后的参数为db_load之后的文件路径，不需要添加后缀名 auth required pam_userdb.so db=/etc/vsftpd/db account required pam_userdb.so db=/etc/vsftpd/db 

6. 修改vsftpd主配置文件/etc/vsftpd/vsftpd.conf

[root@haha-main-130 vsftpd]# grep -Ev '^$|^#' vsftpd.conf  anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/xferlog xferlog_std_format=YES listen=YES pam_service_name=vsftpd userlist_enable=YES userlist_deny=YES tcp_wrappers=YES # 添加如下配置 guest_enable=YES # 开启虚拟用户 guest_username=v_user # 指定虚拟用户账号（关联的本地用户） allow_writeable_chroot=YES # 允许写入数据 

7. 针对不同用户设置不同的权限

• name1 允许上床，新建，修改，查看，删除
• name2 只读

# 设置关联权限文件夹 mkdir /etc/vsftpd/v_user_dir  # 创建文件，设置权限 [root@haha-main-130 v_user_dir]# pwd /etc/vsftpd/v_user_dir [root@haha-main-130 v_user_dir]# cat name1  anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES [root@haha-main-130 v_user_dir]# cat name2  anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO [root@haha-main-130 v_user_dir]#   # 编辑vsftpd主配置文件，添加如下配置 [root@haha-main-130 v_user_dir]# echo 'user_config_dir=/etc/vsftpd/v_user_dir' >> /etc/vsftpd/vsftpd.conf 

8. 重启服务

systemctl restart vsftpd 

问题记录

1. 创建文件失败

   ftp> mkdir data 550 Create directory operation failed. 

   解决方法：

   修改/var/ftp/pub文件夹所属用户以及所属用户组

   [root@haha-main-130 ftp]# pwd /var/ftp [root@haha-main-130 ftp]# chown -Rf ftp.ftp pub/ [root@haha-main-130 ftp]# ll 总用量 0 drwxr-xr-x 2 ftp ftp 6 6月   9 2021 pub