Home | 簡體中文 | 繁體中文 | 雜文 | 知乎專欄 | Github | OSChina 博客 | 雲社區 | 雲棲社區 | Facebook | Linkedin | 視頻教程 | 打賞(Donations) | About
知乎專欄多維度架構 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者”

69.4. vsftpd - The Very Secure FTP Daemon

69.4.1. 安裝 vsftpd

69.4.1.1. Ubuntu 環境安裝

$ sudo apt-get install vsftpd
				

test

				
[08:25:37 jobs:0] $ ncftp ftp://127.0.0.1
NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...
(vsFTPd 2.0.7)
Logging in...
Login successful.
Logged in to 127.0.0.1.
Current remote directory is /.
ncftp / >
				
				

enable local user

$ sudo vim /etc/vsftpd.conf

# Uncomment this to allow local users to log in.
local_enable=YES
chroot_local_user=YES

$ sudo /etc/init.d/vsftpd reload
				

testing for local user

				
$ ncftp ftp://neo@127.0.0.1/
NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...
(vsFTPd 2.0.7)
Logging in...
Password requested by 127.0.0.1 for user "neo".

    Please specify the password.

Password: *******

Login successful.
Logged in to 127.0.0.1.
Current remote directory is /home/neo.
ncftp /home/neo >
				
				

69.4.1.2. CentOS 7 環境安裝

				
yum install -y vsftpd

systemctl enable vsftpd

cp /etc/vsftpd/vsftpd.conf{,.original}

sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf
sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf
sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf
sed -i 's/listen_ipv6=YES/listen_ipv6=NO/' /etc/vsftpd/vsftpd.conf

echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf

systemctl start vsftpd
				
				

firewalld 防火牆

# firewall-cmd --permanent --add-port=21/tcp				
				

iptables

sed -i 's/IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp"/' /etc/sysconfig/iptables-config

# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
				

69.4.2. ftp 帳號的shell權限

我們不想讓FTP用戶通過shell登錄系統, 可以將用戶的Shell改為/sbin/nologin

neo:x:1000:1000:neo,,,:/home/neo:/sbin/nologin
			

69.4.3. vsftpd 認證模組

69.4.3.1. pam_shells.so

# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required	pam_shells.so
auth       include	system-auth
account    include	system-auth
session    include	system-auth
session    required     pam_loginuid.so
				

/etc/vsftpd/ftpusers 列表中的用戶將不能登錄ftp伺服器

69.4.3.2. virtual user

創建明文密碼檔案,一行用戶名後回車跟一行密碼

# cat virtual-users.txt
user
password
neo
123456
jam
654321
				

轉為資料庫檔案

# sudo apt-get install db-util
# db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db
				

創建插件認證配置檔案 /etc/pam.d/vsftpd-virtual

auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users
				
/etc/vsftpd/vsftpd.conf:

# virtual users to use local privs, not anon privs
virtual_use_local_privs=YES

# the PAM file used by authentication of virtual uses
pam_service_name=vsftpd-virtual

# in conjunction with 'local_root',
# specifies a home directory for each virtual user
user_sub_token=$USER
local_root=/var/www/virtual/$USER
# the virtual user is restricted to the virtual FTP area

chroot_local_user=YES
# hides the FTP server user IDs and just display "ftp" in directory listings
hide_ids=YES

guest_enable=YES
guest_username=nobody

# the umask for file creation
local_umask=022
				

guest_username=nobody 虛擬用戶將使用nobody用戶作為他的uid,gid.

# mkdir /var/www/virtual/mary
# chown ftp:ftp /var/www/virtual/mary
				

69.4.3.3. 虛擬用戶權限

vim /etc/vsftpd.conf

user_config_dir=/etc/vsftpd/conf.d

mkdir /etc/vsftpd/conf.d
				

neo 只能下載不能上傳

				
echo "anon_world_readable_only=NO" > /etc/vsftpd/conf.d/neo
				
				

jam 可以下上傳跟下載

				
echo "anon_world_readable_only=NO" > /etc/vsftpd/conf.d/jam
echo "anon_upload_enable=YES" >> /etc/vsftpd/conf.d/jam
echo "write_enable=YES" >> /etc/vsftpd/conf.d/jam
				
				

69.4.4. chroot

69.4.4.1. local user

chroot 所有本地用戶

chroot_local_user=YES
				

69.4.4.2. /etc/vsftpd/chroot_list

受限用戶用戶添加到檔案vsftpd.chroot_list

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
				

注意:每行一個用戶名

69.4.4.3. test

adduser -o --home /www --shell /sbin/nologin --uid 99 --gid 99 --group nobody www
echo "www:chen" | chpasswd
echo www > /etc/vsftpd/chroot_list
ncftp ftp://www:chen@172.16.0.1
				

69.4.5. FAT

69.4.5.1. vsftpd: refusing to run with writable root inside chroot()

添加 allow_writeable_chroot=YES 項到 /etc/vsftpd/vsftpd.conf 配置檔案

echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf
				
重啟 vsftpd