一、LINUX最小安装 Linux 版本 二、禁用防火墙 禁用firewall也可以,更彻底: systemctl disable firewalld @其他关于防火墙的命令 启动: systemctl start firewalld 关闭: systemctl stop firewalld 查看状态: systemctl status firewalld 开机禁用 : systemctl disable firewalld 开机启用 : systemctl enable firewalld 三、关闭selinux 关闭selinux,不关闭ftp工具应该可以连接,但是传输文件的时候,会发现文件上传和下载都会出现500、503 、200等报错 通过配置文件修改禁用 #打开SELINUX配置文件 vi /etc/selinux/config #修改配置参数 #注释 SELINUX=enforcing #增加 SELINUX=disabled 四、安装VSFTPD #安装 yum install -y vsftpd #设置开机启动 systemctl enable vsftpd.service #启动 service vsftpd start #停止 service vsftpd stop #查看状态 service vsftpd status 五、虚拟用户配置 首先需要我们新建一个虚拟宿主用户,也就是上边说的要映射的真实用户: useradd virtualhost -s /sbin/nologin 这里设置宿主用户也不允许登录系统 修改配置文件如下(红色字体为修改处): # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO # # Uncomment this to allow local users to log in. # When SELinux is enforcing check for SE bool ftp_home_dir local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access anon_upload_enable=NO # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=NO # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! chown_uploads=NO #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. xferlog_file=/var/log/xferlog # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains # the behaviour when these options are disabled. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. ascii_upload_enable=YES ascii_download_enable=YES # # You may fully customise the login banner string: ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) chroot_local_user=YES chroot_list_enable=NO # (default follows) # chroot_list_file=/etc/vsftpd/chroot_list allow_writeable_chroot=YES # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. ls_recurse_enable=NO # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! # listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES guest_enable=YES guest_username=virtualhost virtual_use_local_privs=YES user_config_dir=/etc/vsftpd/virtualconf listen_port=9021 pasv_max_port=9025 pasv_min_port=9022 pasv_promiscuous=YES 注意: 1、开启所有用户限定不能登出其主目录 对于chroot_local_user与chroot_list_enable的组合效果,可以参考下表: 参考:vsftpd 配置:chroot_local_user与chroot_list_enable详解_Laurence的技术博客-CSDN博客 2、如果主目录可写就需要开启以下,否则报500错误 allow_writeable_chroot=YES 可以写入用户的主目录权限 当我们限定了用户不能跳出其主目录之后,使用该用户登录FTP时往往会遇到这个错误: 500 OOPS: vsftpd: refusing to run with writable root inside chroot () 从2.3.5之后,vsftpd增强了安全检查,如果用户被限定在了其主目录下,则该用户的主目录不能再具有写权限了!如果检查发现还有写权限,就会报该错误。 要修复这个错误,可以用命令chmod a-w /home/user去除用户主目录的写权限,注意把目录替换成你自己的。或者你可以在vsftpd的配置文件中增加下列两项中的一项: allow_writeable_chroot=YES 参考:vsftpd:500 OOPS: vsftpd: refusing to run with writable root inside chroot ()错误的解决方法_Laurence的技术博客-CSDN博客 3、Vsftpd的日志文件不存在,建立Vsftpd的日志文件,并更该属主为Vsftpd的服务宿主用户。 touch /var/log/vsftpd.log chown virtualhost.virtualhost /var/log/vsftpd.log 4、建立虚拟用户配置文件存放路径: mkdir /etc/vsftpd/virtualconf 这里是跟配置文件中的user_config_dir这一项是对应的! 六、建立了一个虚拟用户名单文件,把这个名单文件就放置在/etc/vsftpd/下。 接着编辑这个文件,将虚拟用户信息写入这个文件vi /etc/vsftpd/virtusers virtual1 123456 virtual2 123456 类似上边的格式,一行用户名,一行密码! 接着生成虚拟用户数据文件: db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db 七、设定PAM验证文件,并指定虚拟用户数据库文件进行读取 这里需要我们安装pam服务,一般系统都会有安装: yum install pam Vsftp的PAM验证配置文件:/etc/pam.d/vsftpd 这里对应的就是核心配置文件中的pam_service_name,它会去找/etc/pam.d/vsftpd这个文件! 那么我们需要编辑这个文件,同样的编辑前先备份一下: cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak 然后编辑文件:vi /etc/pam.d/vsftpd #%PAM-1.0 auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers 这里有一个问题需要注意一下: 如果你的系统是32位的,那么这里要改成: /lib/security/pam_userdb.so 否则会验证失败!不能登录! 八、配置虚拟用户 1.规划好虚拟用户的主路径:mkdir /data/vsftp/ 2.建立测试用户的FTP用户目录: mkdir /data/vsftp/virtual1/ /data/vsftp/virtual2/ 3、更改虚拟用户的主目录的属主为虚拟宿主用户(否则会出去500错误,ftp用户没有权限修改): chown -R virtualhost.virtualhost /data/vsftp/ 4、针对具体用户进行定制: vi /etc/vsftpd/virtualconf/virtual1 #所有权限用户: local_root=/data/vsftp/ virtual1 chroot_local_user=YES anonymous_enable=NO write_enable=YES local_umask=022 anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES download_enable=YES #idle_session_timeout=600 #data_connection_timeout=120 #max_clients=10 #max_per_ip=5 #local_max_rate=50000 #只有上传权限用户: ocal_root=/data/vsftp/ virtual1 chroot_local_user=YES anonymous_enable=NO local_umask=022 write_enable=YES anon_world_readable_only=NO anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES download_enable=NO #只有下载权限 ocal_root=/data/vsftp/ virtual1 chroot_local_user=YES anonymous_enable=NO local_umask=022 write_enable=NO anon_world_readable_only=NO anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO download_enable=YES 最后测试是否可用…… 关于映射到公网使用注意事项: 1、上述是基于被动模式配置,需要把以下端口全部映射9022--9025 listen_port=9021 pasv_max_port=9025 pasv_min_port=9022 2、使用WinSCP 连接时提示如下:Security: Bad IP connecting.错误 需要添加以下配置: pasv_promiscuous=YES #代表关闭PASV模式的安全检查 参考:https://blog.csdn.net/aiynmimi/article/details/77012507 ———————————————— 版权声明:本文为CSDN博主「pimg2005」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/pimg2005/article/details/120127279
CentOS 7 VSFTPD 安装与配置(虚拟用户)
