Setting up a vsftpd server quickly using the official documentation
Test environment: VMware Server 1.09, CentOS 5.3
vsftpd.conf official documentation: http://vsftpd.beasts.org/vsftpd_conf.html
or: man vsftpd.conf
# yum install vsftpd
# updatedb
# locate vsftpd
This finds the vsftpd documentation directory: /usr/share/doc/vsftpd-2.0.5/EXAMPLE/
INTERNET_SITE: configures vsftpd to run as an xinetd-mode service
INTERNET_SITE_NOINETD: configures vsftpd to run in standalone mode
VIRTUAL_HOSTS: virtual host configuration
VIRTUAL_USERS: virtual user configuration
VIRTUAL_USERS_2: advanced virtual user configuration
I prefer standalone mode here, so I just use the configuration from INTERNET_SITE_NOINETD.
# cp /usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf /etc/vsftpd/
cp:是否覆蓋「/etc/vsftpd/vsftpd.conf」? y
The configuration is as follows:
-------------------------------------
# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
------------------------------------
# /etc/init.d/vsftpd start
為 vsftpd 啟動 vsftpd: [確定]
# netstat -tnlp |grep :21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2243/vsftpd
Now a download-only FTP server that allows only anonymous users is set up.
Next, add the configuration for virtual user logins.
# cd /usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS
# ls
logins.txt README README.dir vsftpd.conf vsftpd.pam vsftpd.pam.dir
# cat README | more
Just follow the README step by step.
Step 1) Create the virtual users database.
Edit logins.txt and add your users and passwords: in the file, the first line is a username and the second line is that user's password.
# cat logins.txt
tom
foo
fred
bar
Generate the database file:
# db_load -T -t hash -f logins.txt /etc/vsftpd/login.db
If db_load is not found, install the corresponding package: yum install db4-utils
Change the permissions of the database file:
# chmod 600 /etc/vsftpd/login.db
Step 2) Create a PAM file which uses your new database.
Use vi /etc/pam.d/vsftpd and add the following two lines:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
# vi /etc/pam.d/vsftpd
Comment out the following lines:
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
Or simply copy vsftpd.pam to /etc/pam.d/vsftpd.
Step 3) Set up the location of the files for the virtual users.
# useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------ 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite
We have created a user called "virtual" with a home directory "/home/ftpsite".
Let's add some content to this download area:
# cp /etc/hosts /home/ftpsite
# chown virtual.virtual /home/ftpsite/hosts
However, these permissions still cause a problem: after logging in to FTP you cannot see the contents, so you may need to change the directory permissions:
drwx---r-- 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite
so that "other" users can read it.
Or set anon_umask=073 to control the permissions of files uploaded via FTP.
Step 4) Create your vsftpd.conf config file.
See the example in this directory. Let's go through it line by line:
anonymous_enable=NO
local_enable=YES
This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
These ensure that for security purposes, no write commands are allowed.
chroot_local_user=YES
This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above.
guest_enable=YES
guest_username=virtual
The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.
About pam_service_name:
This string is the name of the PAM service vsftpd will use.
Default: ftp
Because my file in pam.d is named vsftpd, the following setting must be added:
pam_service_name=vsftpd
Of course, you can also rename /etc/pam.d/vsftpd to /etc/pam.d/ftp, and then you do not need to define the pam_service name.
Comment out one_process_model=YES (the default for this value is NO); otherwise you get: 500 OOPS: vsftpd: security: 'one_process_model' is anonymous only
Restart the FTP service to test:
# /etc/init.d/vsftpd restart
關閉 vsftpd: [確定]
為 vsftpd 啟動 vsftpd: [確定]
That completes the virtual user authentication part. What if you want different virtual users to have different permissions? Next, let's continue with /usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2/README
Step 1) Activate per-user configurability.
To activate this powerful vsftpd feature, add the following to
/etc/vsftpd.conf:
user_config_dir=/etc/vsftpd_user_conf
And, create this directory:
# mkdir /etc/vsftpd_user_conf
Step 2) Give tom the ability to read all files / directories.
The permissions already in vsftpd.conf are as follows:
write_enable=NO (allows users to upload data)
anon_upload_enable=NO (upload)
anon_mkdir_write_enable=NO (create directories)
anon_other_write_enable=NO (write/delete)
anon_world_readable_only=YES (allow download)
At the end of the last example, we noted that the virtual users can only
see world-readable files and directories. We could make the /home/ftpsite
directory world readable, and upload files with world-read permission. But
another way of doing this is giving tom the ability to download files which
are not world-readable.
Configure the tom account with permission only to browse the FTP site, not to download.
For the tom user, supply a config setting override for
anon_world_readable_only:
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom
Step 3) Give fred the ability to read all files / directories and create
new ones but not interfere with existing files.
Give the fred user browse, download and upload permissions, but not the ability to create directories or delete.
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/fred
echo "write_enable=YES" >> /etc/vsftpd_user_conf/fred
echo "anon_upload_enable=YES" >> /etc/vsftpd_user_conf/fred
Check it out - login as tom and you can't upload. Log in as fred and you can!
Try and delete a file as both tom and fred - you can't.
If you want fred to be able to create directories and delete, add the following configuration:
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
How to give each virtual user their own directory?
user_sub_token
This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.
First, change the home directory of the virtual user:
# vi /etc/passwd
virtual:x:501:501::/home/ftpsite/$USER:/bin/bash
Then add user_sub_token=$USER to /etc/vsftpd.conf
Create a directory with the same name as each user under /home/virtual. After restarting the service, virtual users will land in their own home directories.
How to restrict the types of files users can upload?
deny_file=*.mp3,*.avi
[ This post was last edited by tenhlf on 2009-9-16 23:13 ]
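As an added example (not code from the post or from vsftpd itself) for the per-user configuration steps above: the script below re-implements the way vsftpd layers a user_config_dir file over vsftpd.conf, reports what the tom and fred overrides from the README actually let each user do, and flags the one_process_model/local_enable combination that produced the 500 OOPS earlier. The parser, the defaults table (values taken from vsftpd.conf(5)) and the sample configs are my own construction for this illustration.

```python
# Constructed sample: the permission-related lines of the post's vsftpd.conf.
MAIN_CONF = """\
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
chroot_local_user=YES
"""
# Constructed per-user overrides, equal to the README's echo commands for tom and fred.
USER_CONF = {"tom": "anon_world_readable_only=NO\n",
             "fred": "anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n"}
# vsftpd's built-in defaults for the options inspected below (see vsftpd.conf(5)).
DEFAULTS = {"local_enable": "NO", "write_enable": "NO", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
            "anon_world_readable_only": "YES", "chroot_local_user": "NO", "one_process_model": "NO"}

def parse_conf(text: str) -> dict:
    """Parse vsftpd's key=value format; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def effective_conf(main: str, user_override: str = "") -> dict:
    """Defaults, then the main file, then the user's file, as user_config_dir does."""
    merged = dict(DEFAULTS)
    merged.update(parse_conf(main))
    merged.update(parse_conf(user_override))
    return merged

def capabilities(conf: dict) -> dict:
    """What a guest (virtual) user may do; each write command also needs write_enable."""
    on = lambda k: conf[k].upper() == "YES"
    return {"download_any": not on("anon_world_readable_only"),
            "upload": on("write_enable") and on("anon_upload_enable"),
            "mkdir": on("write_enable") and on("anon_mkdir_write_enable"),
            "delete_rename": on("write_enable") and on("anon_other_write_enable"),
            "chrooted": on("chroot_local_user")}

def lint(conf: dict) -> list:
    """Flag the startup failure the post hit and an override that lets a user delete files."""
    checks = [(conf["one_process_model"].upper() == "YES" and conf["local_enable"].upper() == "YES",
               "one_process_model=YES is anonymous-only: vsftpd fails with 500 OOPS"),
              (capabilities(conf)["delete_rename"],
               "anon_other_write_enable=YES: user may delete or rename existing files")]
    return [msg for hit, msg in checks if hit]
```

Run `capabilities(effective_conf(MAIN_CONF, USER_CONF["fred"]))` to see fred's effective rights before restarting the service; on a real host, replace the embedded strings with the contents of /etc/vsftpd/vsftpd.conf and /etc/vsftpd_user_conf/<user>.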
《Solution》
Bookmarked for later use.
《Solution》
Very detailed~~
Going to try it right away.
《Solution》
Reply to post #1 by tenhlf
That's right; by default, the several example files in the documentation contain examples of all kinds of configuration parameters.