vsftpd服务

vsftpd服务

1.ftp概念

FTP ( 文件传输协议 ) 是 INTERNET 上仍常用的最老的网络协议
之一 , 它为系统提供了通过网络与远程服务器进行传输的简单方法
在 RED HAT ENTREPRISE LINUX 7 中。 FTP 服务器包的名
称为 VSFTPD , 它代表 Very Secure File TransferProtocol
Damon 服务器名称也叫做 vsftpd
默认配置文件让 ANONYMOUS 用户只能下载位于 CHROOT 目
录中的内容。 /var/ftp/ 这意味着远程 FTP 客户端能以用户
anonymous 或 ftp 身份连接到服务器 ( 无需密码 ), 并从 ftp
服务器上的 /var/ftp/ 目录下载文件 ( 其本地 ftp 用户可以读取这
些文件 )

2.安装ftp

yum install vsftpd -y
systemctl start vsftpd
systemctl stop firewalld
systemctl enable vsftpd
lftp ip ##能登陆并且显示，表示安装成功

[root@localhost Desktop]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:0b:0b brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.111/24 brd 172.25.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:b0b/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost Desktop]# mkdir /iso
[root@localhost Desktop]# mv rhel-server-7.2-x86_64-dvd.iso /iso
[root@localhost Desktop]# 
[root@localhost Desktop]# mount /iso/rhel-server-7.2-x86_64-dvd.iso /mnt
mount: /dev/loop0 is write-protected, mounting read-only
[root@localhost Desktop]# rm -rf /etc/yum.repos.d/*
[root@localhost Desktop]# vim /etc/yum.repos.d/yum.repo
[root@localhost Desktop]# nm-connection-editor 
[root@localhost Desktop]# ping 172.25.254.11
PING 172.25.254.11 (172.25.254.11) 56(84) bytes of data.
64 bytes from 172.25.254.11: icmp_seq=1 ttl=64 time=0.199 ms
64 bytes from 172.25.254.11: icmp_seq=2 ttl=64 time=0.127 ms
^C
--- 172.25.254.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.127/0.163/0.199/0.036 ms
[root@localhost Desktop]# yum install vsftpd -y
Loaded plugins: langpacks
server                                                   | 4.1 kB     00:00     
(1/2): server/group_gz                                     | 136 kB   00:00     
(2/2): server/primary_db                                   | 3.6 MB   00:00     
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:3.0.2-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch            Version                  Repository       Size
================================================================================
Installing:
 vsftpd          x86_64          3.0.2-10.el7             server          167 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 167 k
Installed size: 347 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : vsftpd-3.0.2-10.el7.x86_64                                   1/1 
  Verifying  : vsftpd-3.0.2-10.el7.x86_64                                   1/1 

Installed:
  vsftpd.x86_64 0:3.0.2-10.el7                                                  

Complete!
[root@localhost Desktop]# systemctl start vsftpd
[root@localhost Desktop]# systemctl stop firewalld
[root@localhost Desktop]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@localhost Desktop]# 

3.vsftpd文件信息

/var/ftp ##默认发布目录
/etc/vsftpd ##配置目录

4.vsftpd服务的配置参数

1）匿名用户设定

anonymous_enable=YES|NO ##匿名用户登陆限制

匿名用户上传

vim /etc/vsftpd/vsftpd.conf
write_enable=YES

anon_upload_enable=YES

chgrp ftp /var/ftp/pub
chmod 775 /var/ftp/pub

匿名用户家目录修改

anon_root=/direcotry

匿名用户上传文件默认权限修改

anon_umask=xxx

匿名用户建立目录

anon_mkdir_write_enable=YES|NO

匿名用户下载

anon_world_readable_only=YES|NO ##设定参数值为no表示匿名用户可以下载

匿名用户删除

anon_other_write_enable=YES|NO

匿名用户使用的用户身份修改

chown_uploads=YES
chown_username=student
chown_uploads_mode=0644

最大上传速率

anon_max_rate=102400

最大链接数

max_clients=2

2)本地用户设定

local_enable=YES|NO ##本地用户登陆限制
write_enable=YES|NO ##本地用户写权限限制

本地用户家目录修改

local_root=/directory

本地用户上传文件权限

local_umask=xxx

限制本地用户浏览 / 目录

所有用户被锁定到自己的家目录中
chroot_local_user=YES
chmod u-w /home/*

用户黑名单建立

chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

用户白名单建立

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

限制本地用户登陆

vim /etc/vsftpd/ftpusers ##用户黑名单
vim /etc/vsftpd/user_list ##用户临时黑名单

用户白名单设定

userlist_deny=NO
/etc/vsftpd/user_list ##参数设定，此文件变成用户白名单，只在名单中出现的用户可以登陆ftp

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you wil
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

ftp虚拟用户的设定

创建虚拟帐号身份)
vim /etc/vsftpd/loginusers ##文件名称任意
ftpuser1
123
ftpuser2
123
ftpuser3
123

db_load -T -t hash -f /etc/vsftpd/loginusers loginusers.db

vim /etc/pam.d/ckvsftpd ##文件名称任意
account required pam_userdb.so db=/etc/vsftpd/loginusers
auth required pam_userdb.so db=/etc/vsftpd/loginusers

vim /etc/vsftpd/vsftpd.conf
pam_service_name=ckvsftpd
guest_enable=YES

虚拟帐号身份指定

guest_username=ftpuser
chmod u-w /home/ftpuser

虚拟帐号家目录独立设定

vim /etc/vsftpd/vsftpd.conf
local_root=/ftpuserhome/$USER user_sub_token=$USER

mkdir /ftpuserhome
chgrp ftpuser /ftpuserhome
chmod g+s /ftpuserhome
mkdir /ftpuserhome/ftpuser{1..3}mkdir /ftpuserhome
chgrp ftpuser /ftpuserhome
chmod g+s /ftpuserhome
mkdir /ftpuserhome/ftpuser{1..3}

总体的设定，配置文件如图

现在实验，user1身份进入后，进入了自己的家目录下，成功

虚拟帐号配置独立

vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/userconf
mkdir -p /etc/vsftpd/userconf

vim /etc/vsftpd/userconf/ftpuser1
在此文件中设定配置文件中的所有参数，此文件的优先级搞