Operating system: CentOS 7.2
# yum -y install vsftpd
Installed:
vsftpd.x86_64 0:3.0.2-11.el7_2
Dependency Installed:
logrotate.x86_64 0:3.8.6-7.el7_2
Complete!
# vsftpd -v
vsftpd: version 3.0.2
The default path of the vsftpd configuration file is /etc/vsftpd/vsftpd.conf.
For the complete list of FTP configuration options, see here: all configuration options
Full configuration
#############################
##### Authentication (virtual user mode) ####
#############################
#
# Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins. Default: YES
anonymous_enable=NO
#
# Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in. This must be enabled for any non-anonymous login to work, including virtual users. Default: NO
local_enable=YES
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny. Default: NO
userlist_enable=YES
#
# This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password. Default: YES
userlist_deny=NO
#
# This option is the name of the file loaded when the userlist_enable option is active.
# Default: /etc/vsftpd.user_list
userlist_file=/etc/vsftpd/user_list
#############################
########## User permissions ##########
#############################
#
# This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. Default: NO
write_enable=YES
#
# The value that the umask for file creation is set to for local users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the value will be treated as a base 10 integer! Default: 077
# 022 is used by most other ftpd's
local_umask=022
#
# This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page! PLEASE NOTE that not all settings are effective on a per-user basis. For example, many settings are only examined prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
user_config_dir=/etc/vsftpd/virtual_user
#
# If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. Default: NO
anon_upload_enable=YES
#
# If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory. Default: NO
anon_mkdir_write_enable=YES
#
# If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness. Default: NO
anon_other_write_enable=YES
#
#############################
########## Logging ##########
#############################
#
# If enabled, a log file will be maintained detailing uploads and downloads. By default, this file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file.
# Default: NO (but the sample config file enables it)
xferlog_enable=YES
#
# If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you may change it with the setting xferlog_file. Default: NO
xferlog_std_format=NO
#
# This option is the name of the file to which we write the wu-ftpd style transfer log. The transfer log is only written if the option xferlog_enable is set, along with xferlog_std_format. Alternatively, it is written if you have set the option dual_log_enable. Default: /var/log/xferlog
xferlog_file=/var/log/xferlog
#
# If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, parseable by standard tools. The latter is vsftpd's own style log. Default: NO
dual_log_enable=YES
#
# When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging. Default: NO
log_ftp_protocol=YES
#
# This option is the name of the file to which we write the vsftpd style log file. This log is only written if the option xferlog_enable is set, and xferlog_std_format is NOT set. Alternatively, it is written if you have set the option dual_log_enable. One further complication - if you have set syslog_enable, then this file is not written and output is sent to the system log instead.
# Default: /var/log/vsftpd.log
vsftpd_log_file=/export/Logs/vsftpd/vsftpd.log
#
#############################
########## Interaction settings ##########
#############################
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
#
# If enabled, users of the FTP server can be shown messages when they first enter a new directory. By default, a directory is scanned for the file .message, but that may be overridden with the configuration setting message_file.
# Default: NO (but the sample config file enables it)
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option. Default: NO
use_localtime=YES
#
# If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails. Default: NO
# chroot_local_user=NO
#
# If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting. Default: NO
chroot_list_enable=YES
#
# The option is the name of a file containing a list of local users which will be placed in a chroot() jail in their home directory. This option is only relevant if the option chroot_list_enable is enabled. If the option chroot_local_user is enabled, then the list file becomes a list of users to NOT place in a chroot() jail. Default: /etc/vsftpd.chroot_list
chroot_list_file=/etc/vsftpd/chroot_list
#
# Have no idea if still available!
allow_writeable_chroot=YES
#
#############################
########## Connection settings ##########
#############################
#
## Control connection
#
# If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections. Default: YES
listen=YES
#
# If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.
listen_port=21
#
# If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections will be fed through tcp_wrappers access control. Furthermore, there is a mechanism for per-IP based configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try and load the vsftpd configuration file specified in this variable.
tcp_wrappers=YES
#
# If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.
max_clients=0
#
# If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if they go over this limit.
max_per_ip=0
#
# The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. If the timeout triggers, the remote client is kicked off.
idle_session_timeout=300
#
## Data connection
### PORT mode (active mode)
# The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).
ftp_data_port=20
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# The timeout, in seconds, for a remote client to respond to our PORT style data connection.
connect_timeout=60
#
### Passive mode
#
# Set to NO if you want to disallow the PASV method of obtaining a data connection. Default: YES
pasv_enable=YES
#
# The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
pasv_max_port=61000
#
# The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
pasv_min_port=60000
#
# The timeout, in seconds, for a remote client to establish connection with a PASV style data connection.
accept_timeout=60
#
# The timeout, in seconds, which is roughly the maximum time we permit data transfers to stall for with no progress. If the timeout triggers, the remote client is kicked off.
data_connection_timeout=300
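The option descriptions above spell out the settings that matter most for safety: anonymous write access, chroot jails with a writable root, an explicit PASV port range for the firewall, and transfer logging. As an added example (not code from the original post or from the vsftpd project), the following shell script reads a vsftpd.conf the way vsftpd does (only lines beginning with # are comments, a later line overrides an earlier one) and flags those four conditions. The function names and the two sample configuration files are constructed for this example; the "hardened" sample reproduces the virtual-user layout of this post with allow_writeable_chroot turned off.

```shell
#!/bin/sh
# Added example (not from the original post or the vsftpd project): a small
# audit of a vsftpd.conf against the points made in the option descriptions
# above. Function names and both sample configs are constructed here.

# vsftpd_conf_get FILE KEY: print the value of KEY from FILE.
# Comment lines (#...) and blank lines are skipped; vsftpd has no trailing
# comments, so nothing after '=' is stripped. If a key appears more than once
# the last occurrence wins, as in vsftpd's own top-to-bottom processing.
# Prints nothing when the key is absent.
vsftpd_conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            if (key == k) v = substr($0, index($0, "=") + 1)
        }
        END { if (v != "") print v }
    ' "$1"
}

# vsftpd_conf_audit FILE: print one FINDING line per problem and return the
# number of findings as the exit status (0 = nothing flagged).
vsftpd_conf_audit() {
    file=$1; n=0
    anon=$(vsftpd_conf_get "$file" anonymous_enable)
    write=$(vsftpd_conf_get "$file" write_enable)
    up=$(vsftpd_conf_get "$file" anon_upload_enable)
    other=$(vsftpd_conf_get "$file" anon_other_write_enable)
    chroot_all=$(vsftpd_conf_get "$file" chroot_local_user)
    chroot_list=$(vsftpd_conf_get "$file" chroot_list_enable)
    wchroot=$(vsftpd_conf_get "$file" allow_writeable_chroot)
    pmin=$(vsftpd_conf_get "$file" pasv_min_port)
    pmax=$(vsftpd_conf_get "$file" pasv_max_port)
    xfer=$(vsftpd_conf_get "$file" xferlog_enable)

    # 1. anon_*_write options are what give virtual users write access, but
    #    together with anonymous_enable=YES they give it to anyone.
    if [ "$anon" = YES ] && [ "$write" = YES ] && { [ "$up" = YES ] || [ "$other" = YES ]; }; then
        echo "FINDING: anonymous_enable=YES together with anonymous write access"
        n=$((n + 1))
    fi
    # 2. Users are jailed, but the jail root itself is allowed to be writable.
    if { [ "$chroot_all" = YES ] || [ "$chroot_list" = YES ]; } && [ "$wchroot" = YES ]; then
        echo "FINDING: allow_writeable_chroot=YES disables the writable-root guard; keep the chroot root read-only and upload into a subdirectory"
        n=$((n + 1))
    fi
    # 3. Without an explicit, sane PASV range a firewall rule such as
    #    --dport 60000:61000 cannot match the data connections.
    if ! [ "$pmin" -gt 0 ] 2>/dev/null || ! [ "$pmax" -ge "$pmin" ] 2>/dev/null; then
        echo "FINDING: pasv_min_port/pasv_max_port do not define a usable range"
        n=$((n + 1))
    fi
    # 4. Without a transfer log there is nothing to reconstruct an incident from.
    if [ "$xfer" != YES ]; then
        echo "FINDING: xferlog_enable is not YES; uploads and downloads are not logged"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configs for the demo below.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF=$SAMPLE_DIR/weak.conf
HARDENED_CONF=$SAMPLE_DIR/hardened.conf
cat >"$WEAK_CONF" <<'EOF'
# constructed: anonymous write, writable chroot root, no PASV range, no log
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_enable=YES
xferlog_enable=NO
EOF
cat >"$HARDENED_CONF" <<'EOF'
# constructed: the virtual-user layout of this post, read-only chroot root
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
chroot_list_enable=YES
allow_writeable_chroot=NO
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=61000
xferlog_enable=YES
dual_log_enable=YES
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    vsftpd_conf_audit "$f" || echo "$? finding(s)"
done
```

Run it against /etc/vsftpd/vsftpd.conf on the server to get the same report for the live file; the exit status is the number of findings, so it can gate a configuration-management run.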
The directories and files referenced in the configuration file have to be created by hand.
Create the edi group and an edi user in it (note that this edi user is a Linux account and is different from the FTP virtual user edi); give the edi user the home directory /home/vftpsite.
# groupadd edi
# useradd -d /home/vftpsite -s /sbin/nologin -g edi edi
# usermod -G edi edi
Create the chroot_list file (chroot_list_file=/etc/vsftpd/chroot_list above) and add the user edi to it.
# vi chroot_list
edi
# vi vftpuser.txt
# Odd lines are usernames, even lines are passwords. The file must contain only those lines (no comments or blank lines), because db_load stores each line verbatim. Here the username is edi and the password is edi.
edi
edi
Convert the vftpuser.txt virtual user password file just written into the password database that the system authenticates against (it must end up at /etc/vsftpd/vftpuser.db, which is the path the PAM configuration below refers to without the .db suffix).
db_load -T -t hash -f vftpuser.txt vftpuser.db
# vi /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include password-auth
#account include password-auth
session required pam_loginuid.so
session include password-auth
# Add the following two lines
auth required pam_userdb.so db=/etc/vsftpd/vftpuser
account required pam_userdb.so db=/etc/vsftpd/vftpuser
Create the virtual_user directory under /etc/vsftpd/ (the user_config_dir set above) and in it a file named edi (the same name as the virtual user) for the per-user settings.
# vi /etc/vsftpd/virtual_user/edi
guest_enable=YES
# the edi here is the local Linux user (vsftpd has no inline comments, so keep the note on its own line)
guest_username=edi
anon_world_readable_only=NO
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
Only users added to user_list may access the FTP server (userlist_enable=YES with userlist_deny=NO above).
# vi user_list
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
edi
test
# service vsftpd restart
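A virtual user in this setup has to exist in three places at once: the vftpuser.txt file fed to db_load, the user_list allow-list (with userlist_deny=NO a name missing there is refused before the password prompt), and the per-user file under user_config_dir whose guest_username must name a local account that cannot log in interactively. As an added example (not code from the original post), the following shell script checks those three places against each other and also catches the formatting traps of the db_load input file: an odd number of lines, blank lines, or "# annotation" text that db_load would store as part of a name or password. Function names and the sample files are constructed here; on the real server the fourth argument would be /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original post): consistency check across the
# three places a virtual user must exist in this setup. Function names and all
# sample files below are constructed for this example.

# vftp_userfile_names FILE: print the usernames (odd lines) of a db_load
# "-T -t hash" input file.
vftp_userfile_names() {
    awk 'NR % 2 == 1' "$1"
}

# vftp_check USERFILE USERLIST CONFDIR PASSWD: print one PROBLEM line per
# issue and return the number of problems (0 = consistent). PASSWD is the
# passwd file guest_username is resolved against (/etc/passwd on the server).
vftp_check() {
    userfile=$1; userlist=$2; confdir=$3; passwd=$4; n=0
    # db_load stores every line verbatim: even line count, no blank lines,
    # no "# note" text. '#' is flagged conservatively, although a password
    # could legitimately contain it.
    lines=$(wc -l <"$userfile")
    if [ $((lines % 2)) -ne 0 ]; then
        echo "PROBLEM: $userfile has $lines lines; usernames and passwords must alternate"
        n=$((n + 1))
    fi
    if grep -qE '^[[:space:]]*$|#' "$userfile"; then
        echo "PROBLEM: $userfile contains blank lines or '#' text that would become part of a name or password"
        n=$((n + 1))
    fi
    for u in $(vftp_userfile_names "$userfile"); do
        # userlist_deny=NO: a name missing from user_list is refused before PASS
        if ! grep -qx "$u" "$userlist"; then
            echo "PROBLEM: $u is not in $userlist; login is denied before the password prompt"
            n=$((n + 1))
        fi
        cfg=$confdir/$u
        if [ ! -f "$cfg" ]; then
            echo "PROBLEM: no per-user file $cfg; guest_enable/guest_username are not set for $u"
            n=$((n + 1))
            continue
        fi
        g=$(sed -n 's/^guest_username=//p' "$cfg" | tail -n 1)
        if [ -z "$g" ]; then
            echo "PROBLEM: $cfg does not set guest_username"
            n=$((n + 1))
            continue
        fi
        # the mapped local account must exist and must not have a login shell
        entry=$(grep "^$g:" "$passwd") || {
            echo "PROBLEM: guest_username=$g in $cfg is not a local account"
            n=$((n + 1))
            continue
        }
        case $entry in
            *:/sbin/nologin | *:/usr/sbin/nologin | *:/bin/false) ;;
            *) echo "PROBLEM: local account $g has a login shell: $entry"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed sample layout mirroring the files created in this post.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/virtual_user"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'edi:x:1002:1002::/home/vftpsite:/sbin/nologin' >"$SAMPLE/passwd"
printf '%s\n' guest_enable=YES guest_username=edi anon_world_readable_only=NO \
    >"$SAMPLE/virtual_user/edi"
printf '%s\n' edi >"$SAMPLE/user_list"
# consistent: one virtual user, present everywhere
printf '%s\n' edi edi-secret >"$SAMPLE/good.txt"
# inconsistent: an annotated line, an odd line count, and two users
# (test, other) that exist only in the password file
printf '%s\n' edi edi-secret test 'test # password' other >"$SAMPLE/bad.txt"

vftp_check "$SAMPLE/good.txt" "$SAMPLE/user_list" "$SAMPLE/virtual_user" "$SAMPLE/passwd" \
    && echo "good.txt: consistent"
vftp_check "$SAMPLE/bad.txt" "$SAMPLE/user_list" "$SAMPLE/virtual_user" "$SAMPLE/passwd" \
    || echo "bad.txt: $? problem(s)"
```

Running the check before db_load and the service restart turns a silent "530 Login incorrect" into a named cause.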
If the FTP service is to be reachable from the public Internet, the corresponding network configuration is needed; the nat-table rules below forward the control port and the PASV port range to the FTP server (pub_ip and ftp-server-ip are placeholders).
-A PREROUTING -d pub_ip -p tcp -m multiport --dport 60000:61000 -i eth0 -j DNAT --to-destination ftp-server-ip
-A PREROUTING -d pub_ip -p tcp --dport 21 -j DNAT --to-destination ftp-server-ip:21
-A PREROUTING -d pub_ip -p tcp --dport 20 -j DNAT --to-destination ftp-server-ip:20
-A POSTROUTING -s ftp-server-ip -o eth0 -j SNAT --to-source pub_ip
The FTP client used here runs on a Mac.
The FTP service can be accessed with an FTP client application or with the ftp command.
$ ftp
ftp> open ftp-server-ip
Connected to ftp-server-ip.
220 Hello...
Name (ftp-server-ip:local-user): edi
331 Please specify the password.
Password:
230 Login successful.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
The ls command above used PORT mode (active mode), the default; to switch to passive mode, run the passive command (it toggles the mode).
ftp> passive
Passive mode on.
ftp> passive
Passive mode off.
Listing in passive mode:
ftp> ls
227 Entering Passive Mode (10,170,143,242,237,175)
150 Here comes the directory listing.
226 Directory send OK.
ftp> put /export/x509-certificate.der /x509-certificate.der
227 Entering Passive Mode (10,170,143,242,235,205)
553 Could not create file.
553 Could not create file: check whether the user has write permission on the target directory.
On the FTP server the /home/vftpsite directory was created as root, but when we access FTP through the client we are actually acting as the local Linux user edi. Run the following command on the server to change the owner of the directory.
chown edi.edi /home/vftpsite/
Run the upload command again:
ftp> put /export/x509-certificate.der /x509-certificate.der
227 Entering Passive Mode (10,170,143,242,237,227)
150 Ok to send data.
226 Transfer complete.
874 bytes sent in 0.00547 seconds (156 kbytes/s)
ftp> ls
227 Entering Passive Mode (10,170,143,242,237,89)
150 Here comes the directory listing.
-rw------- 1 1002 1002 874 Sep 30 16:53 x509-certificate.der
226 Directory send OK.
ftp>
FTP supports two transfer modes, character (ASCII) mode and binary mode. The client defaults to ASCII mode, and non-text files must be transferred in binary mode; because the server has not enabled ASCII mode, all uploads and downloads are performed in binary mode.
ftp> get /x509-certificate.der /export/x509-certificate-local.der
227 Entering Passive Mode (10,170,143,242,234,175)
150 Opening BINARY mode data connection for /x509-certificate.der (874 bytes).
226 Transfer complete.
874 bytes received in 0.000287 seconds (2.9 Mbytes/s)
ftp>
ftp> !ls /export
x509-certificate-local.der
x509-certificate.der
#!/bin/bash
# Add a new vsftpd virtual user with its own data directory (run as root on the FTP server).
# Arguments
# dir: new directory; username: user name; password: password
if [ $# -lt 3 ]; then
    echo "error, need 3 arguments: dir, username and password."
    exit 1
fi
# variable definition
# arguments
dir=$1
username=$2
password=$3
# linux local virtual user (owner of the data directory)
local_vuser='edi.edi'
# ftp virtual user store file (absolute path, so the script does not depend on the current directory)
user_file='/etc/vsftpd/vftpuser.txt'
# ftp virtual user store database; pam_userdb refers to it without the .db suffix
user_db='/etc/vsftpd/vftpuser.db'
# data storage base directory
dir_base='/home/vftpsite'
# user-specific configuration store directory (user_config_dir in vsftpd.conf)
dir_vuser='/etc/vsftpd/virtual_user'
# write ftp virtual user/pass to the user file and rebuild the db
echo "$username" >>"$user_file"
echo "$password" >>"$user_file"
db_load -T -t hash -f "$user_file" "$user_db"
# create directory - change owner to local virtual user
mkdir -p "$dir_base/$dir"
chown -R "$local_vuser" "$dir_base/$dir"
# add ftp virtual user configuration
cat >"$dir_vuser/$username" <<EOF
local_root=$dir_base/$dir
guest_enable=YES
guest_username=edi
anon_world_readable_only=NO
EOF
# add user to user_list file
echo "$username" >>/etc/vsftpd/user_list
# create default sub-directories
cd "$dir_base/$dir" || exit 1
mkdir -p po ro sc share
chown -R "$local_vuser" "$dir_base/$dir"
echo "Configuration successful."