
Linux vsftpd virtual user configuration

火星人 @ 2014-03-08, reply: 0
1. Overall steps

Step 1. Install the vsftpd package and the DB (Berkeley DB) utilities.
Step 2. Create a system account to serve as the host account that the virtual users are attached to (the author calls it the "virtual account").
Step 3. Edit vsftpd.conf and add the directives for virtual users.
Step 4. Create the virtual user data file.
Step 5. Hash the data file with the DB4 tools; vsftpd can only use the hashed form.
Step 6. Edit the vsftpd PAM file: comment out the existing entries and add the lines that point at the user database.
Step 7. Create a virtual user config directory holding one config file per virtual user. You can cp the original vsftpd.conf into that directory and trim it down to serve as a per-user config.
Step 8. Create the virtual users' root directories, where uploaded and downloaded data is kept.

2. Hands-on configuration

Step 1. Install the two packages:

    yum install vsftpd.i686 -y
    yum install db4-utils-4.7.25-16.el6.i686 -y

Now the detailed configuration. First create the host account. All virtual users hang off it: virtual users do not exist in the system, so they have to be attached to a real system user, and that association is what lets them log in.

Step 2. Create the host account:

    useradd virtuser -s /sbin/nologin

For safety, virtuser is given no login shell: system accounts are never allowed to log in directly.

Step 3. Configure vsftpd.conf. Back the file up first, then go through it and append the virtual user settings at the end.

    cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
    vi /etc/vsftpd/vsftpd.conf

The file as used, with the author's note after each directive (marked "<-"):

    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO                  <- no anonymous logins
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES                     <- local users may log in
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES                     <- allow writes
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022                      <- umask applied to uploaded files
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    anon_upload_enable=NO                <- anonymous accounts may not upload
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    anon_mkdir_write_enable=NO           <- anonymous accounts may not create directories
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES                <- enable per-directory messages
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES                   <- enable transfer logging
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES             <- data connections use port 20
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    chown_uploads=NO                     <- do not change the owner of uploaded files
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    xferlog_file=/var/log/vsftpd.log     <- where the log file is kept
    #
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    xferlog_std_format=YES               <- log in the standard xferlog format
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=600             <- idle session timeout, in seconds
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=120          <- data connection timeout, in seconds
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=vsfptd                  <- the account the vsftpd service runs as; can be left alone here
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    async_abor_enable=YES                <- enable asynchronous (ABOR) transfer handling
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    ascii_upload_enable=YES              <- allow ASCII mode uploads
    ascii_download_enable=YES            <- allow ASCII mode downloads
    #
    # You may fully customise the login banner string:
    ftpd_banner=Welcome to blah FTP service.   <- banner shown to clients at login
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=YES                <- users cannot leave their own root directory
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    ls_recurse_enable=NO                 <- disable ls -R; it can put heavy load on the server
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES                           <- standalone mode, so vsftpd runs as its own daemon
    #
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES
    pam_service_name=vsftpd              <- authenticate through the PAM file /etc/pam.d/vsftpd
    userlist_enable=YES                  <- enable the user list; users in /etc/vsftpd/user_list may not use FTP
    tcp_wrappers=YES                     <- enable tcp_wrappers control via /etc/hosts.allow and /etc/hosts.deny
    #### new content below ####
    guest_enable=YES                     <- enable virtual users
    guest_username=virtuser              <- the host account the virtual users map to
    user_config_dir=/etc/vsftpd/vconf    <- directory of per-user config files; every virtual user needs its own
    virtual_use_local_privs=YES          <- virtual users get the host account's privileges

On virtual_use_local_privs: the host account's privileges are the ones set in /etc/vsftpd/vsftpd.conf. If a feature is switched off there, virtual users cannot use it; if it is switched on there, each virtual user's own config file may enable or disable it.

The main config file is now done. Step 4. Create the virtual user data file:

    touch /etc/vsftpd/virtuser.txt
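The directives above are easy to get wrong in a long hand-edited file, and vsftpd keeps the last assignment of a repeated key, so an `anonymous_enable=YES` pasted in below the `NO` silently wins. The following POSIX shell audit is an added example, not code from the post or from the vsftpd project. It checks a vsftpd.conf for the virtual-user directives listed above and for the hardening the post keeps (no anonymous logins, chroot, no recursive listing, umask 022); the expected values guest_username=virtuser and user_config_dir=/etc/vsftpd/vconf are the post's. `write_sample_conf` produces constructed sample files for trying it out, and `check_host_user` assumes `getent` is available.

```shell
#!/bin/sh
# Added example (not from the original post or the vsftpd project): audit a
# vsftpd.conf for the virtual-user directives the post adds and for the
# hardening it relies on. Exit status 0 = clean, 1 = findings were printed.

# conf_get FILE KEY -> effective value of KEY. vsftpd reads the file top to
# bottom and keeps the last assignment, so a repeated key is resolved the same
# way here; comment lines are ignored.
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# expect FILE KEY VALUE -> prints a finding and returns 1 unless KEY is VALUE.
expect() {
    local actual
    actual=$(conf_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    printf 'FINDING: %s should be %s (found: %s)\n' "$2" "$3" "${actual:-<unset>}"
    return 1
}

# audit_vsftpd_conf FILE -> runs every check, returns 1 if any failed.
audit_vsftpd_conf() {
    local f="$1" rc=0
    [ -r "$f" ] || { printf 'cannot read %s\n' "$f"; return 1; }
    # The block the post appends to enable virtual users.
    expect "$f" guest_enable YES || rc=1
    expect "$f" guest_username virtuser || rc=1
    expect "$f" user_config_dir /etc/vsftpd/vconf || rc=1
    expect "$f" virtual_use_local_privs YES || rc=1
    expect "$f" pam_service_name vsftpd || rc=1
    # Hardening the post keeps: no anonymous logins, users jailed in their own
    # root, no recursive listings, a sane umask for uploads.
    expect "$f" anonymous_enable NO || rc=1
    expect "$f" chroot_local_user YES || rc=1
    expect "$f" ls_recurse_enable NO || rc=1
    expect "$f" local_umask 022 || rc=1
    return $rc
}

# check_host_user NAME -> the guest account must exist and must not have a
# usable login shell (the post creates it with -s /sbin/nologin).
check_host_user() {
    local shell
    shell=$(getent passwd "$1" 2>/dev/null | cut -d: -f7)
    case "$shell" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
    "") printf 'FINDING: guest account %s does not exist\n' "$1"; return 1 ;;
    *)  printf 'FINDING: guest account %s has login shell %s\n' "$1" "$shell"; return 1 ;;
    esac
}

# write_sample_conf PATH weak|fixed -> constructed sample configs for trying the
# audit out. "weak" lacks the virtual-user block and repeats anonymous_enable
# with a later YES that overrides the NO above it; "fixed" mirrors the post.
write_sample_conf() {
    case "$2" in
    weak)
        cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
# pasted in later; silently overrides the NO above
anonymous_enable=YES
chroot_local_user=YES
ls_recurse_enable=YES
pam_service_name=vsftpd
EOF
        ;;
    fixed)
        cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
ls_recurse_enable=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=virtuser
user_config_dir=/etc/vsftpd/vconf
virtual_use_local_privs=YES
EOF
        ;;
    esac
}

# With a path argument, audit that file (e.g. sh audit.sh /etc/vsftpd/vsftpd.conf);
# with none, only define the functions so the file can be sourced.
if [ $# -gt 0 ]; then
    audit_vsftpd_conf "$1"
fi
```

Run it as `sh audit.sh /etc/vsftpd/vsftpd.conf` after editing the file and again after every later change; `check_host_user virtuser` is a separate call because it needs the account to exist on the box being audited.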

    vi /etc/vsftpd/virtuser.txt

    user01          <- virtual user 1
    123456          <- password of virtual user 1
    user02          <- virtual user 2
    123456          <- password of virtual user 2

Save and exit. Step 5. Hash the data file with DB so that vsftpd can use it:

    db_load -T -t hash -f /etc/vsftpd/virtuser.txt /etc/vsftpd/virtuser.db

Remember: the data file alternates one line for the user name and one line for the password. `db_load -T -t hash -f` must be used exactly like this; otherwise the user names and passwords in the data file cannot be used.

Step 6. Edit the PAM file:

    vi /etc/pam.d/vsftpd

The default contents are:

    #%PAM-1.0
    session    optional     pam_keyinit.so    force revoke
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    auth       required     pam_shells.so
    auth       include      password-auth
    account    include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth

Comment all of them out, then add two lines:

    #%PAM-1.0
    #session    optional     pam_keyinit.so    force revoke
    #auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    #auth       required     pam_shells.so
    #auth       include      password-auth
    #account    include      password-auth
    #session    required     pam_loginuid.so
    #session    include      password-auth
    auth       required     /lib/security/pam_userdb.so db=/etc/vsftpd/virtuser
    account    required     /lib/security/pam_userdb.so db=/etc/vsftpd/virtuser

The last two lines are the addition. Note: /etc/vsftpd/virtuser refers to the hashed user data file; do not append .db to it.

Step 7. Create the virtual user config directory. Each file in it is a small config much like vsftpd.conf; anything not set there falls back to /etc/vsftpd/vsftpd.conf. Remember that the config file name must be exactly the virtual user's login name.

    mkdir /etc/vsftpd/vconf
    vi /etc/vsftpd/vconf/user01

    local_root=/opt/vsftp/user01      <- user01's root directory
    download_enable=YES               <- user01 may download files
    anon_upload_enable=YES            <- user01 may upload files
    anon_mkdir_write_enable=YES       <- user01 may create and delete directories
    anon_max_rate=500000              <- maximum transfer rate, 50000 bit/s (sic; anon_max_rate is in bytes per second)

user02 is handled the same way: copy user01's config and change the root directory.

Step 8. Create the virtual users' root directories, plus an entry in one of them for testing:

    mkdir -p /opt/vsftp/user01 /opt/vsftp/user02
    mkdir /opt/vsftp/user01/ll

Then assign ownership for each user and restart the vsftpd service:

    chown virtuser:virtuser -R /etc/vsftpd/vconf
    chown virtuser:virtuser -R /opt/vsftp/
    service vsftpd restart

3. Testing

    [[email protected] vsftpd]# ftp
    ftp> open 192.168.0.1
    Connected to 192.168.0.1 (192.168.0.1).
    220 Welcome to blah FTP service.
    Name (192.168.0.1:root): user02
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    227 Entering Passive Mode (192,168,0,1,83,74).
    150 Here comes the directory listing.
    drwxr-xr-x    2 503      503          4096 Jan 04 04:29 11
    226 Directory send OK.
    ftp>

Testing on Windows:



Uploads and downloads both work. If you spot a problem, please point it out. Thanks.

This article is from the blog "只為更好!"; please keep this attribution: http://donex.blog.51cto.com/2005970/757907



http://coctec.com/docs/linux/show-post-46755.html