知乎專欄 | 多維度架構 | 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者” |
$ sudo apt-get install vsftpd
test
[08:25:37 jobs:0] $ ncftp ftp://127.0.0.1 NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/). Connecting to 127.0.0.1... (vsFTPd 2.0.7) Logging in... Login successful. Logged in to 127.0.0.1. Current remote directory is /. ncftp / >
enable local user
$ sudo vim /etc/vsftpd.conf # Uncomment this to allow local users to log in. local_enable=YES chroot_local_user=YES $ sudo /etc/init.d/vsftpd reload
testing for local user
$ ncftp ftp://neo@127.0.0.1/ NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/). Connecting to 127.0.0.1... (vsFTPd 2.0.7) Logging in... Password requested by 127.0.0.1 for user "neo". Please specify the password. Password: ******* Login successful. Logged in to 127.0.0.1. Current remote directory is /home/neo. ncftp /home/neo >
yum install -y vsftpd systemctl enable vsftpd cp /etc/vsftpd/vsftpd.conf{,.original} sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd/vsftpd.conf sed -i 's/listen=NO/listen=YES/' /etc/vsftpd/vsftpd.conf sed -i 's/listen_ipv6=YES/listen_ipv6=NO/' /etc/vsftpd/vsftpd.conf echo "allow_writeable_chroot=YES" >> /etc/vsftpd/vsftpd.conf systemctl start vsftpd
firewalld 防火牆
# firewall-cmd --permanent --add-port=21/tcp
iptables
sed -i 's/IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp"/' /etc/sysconfig/iptables-config # vim /etc/sysconfig/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
我們不想讓FTP用戶通過shell登錄系統, 可以將用戶的Shell改為/sbin/nologin
neo:x:1000:1000:neo,,,:/home/neo:/sbin/nologin
# cat /etc/pam.d/vsftpd #%PAM-1.0 session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include system-auth account include system-auth session include system-auth session required pam_loginuid.so
/etc/vsftpd/ftpusers 列表中的用戶將不能登錄ftp伺服器
創建明文密碼檔案,一行用戶名後回車跟一行密碼
# cat virtual-users.txt user password neo 123456 jam 654321
轉為資料庫檔案
# sudo apt-get install db-util # db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db
創建插件認證配置檔案 /etc/pam.d/vsftpd-virtual
auth required pam_userdb.so db=/etc/vsftpd/virtual-users account required pam_userdb.so db=/etc/vsftpd/virtual-users
/etc/vsftpd/vsftpd.conf: # virtual users to use local privs, not anon privs virtual_use_local_privs=YES # the PAM file used by authentication of virtual uses pam_service_name=vsftpd-virtual # in conjunction with 'local_root', # specifies a home directory for each virtual user user_sub_token=$USER local_root=/var/www/virtual/$USER # the virtual user is restricted to the virtual FTP area chroot_local_user=YES # hides the FTP server user IDs and just display "ftp" in directory listings hide_ids=YES guest_enable=YES guest_username=nobody # the umask for file creation local_umask=022
guest_username=nobody 虛擬用戶將使用nobody用戶作為他的uid,gid.
# mkdir /var/www/virtual/mary # chown ftp:ftp /var/www/virtual/mary
vim /etc/vsftpd.conf user_config_dir=/etc/vsftpd/conf.d mkdir /etc/vsftpd/conf.d
neo 只能下載不能上傳
echo "anon_world_readable_only=NO" > /etc/vsftpd/conf.d/neo
jam 可以下上傳跟下載
echo "anon_world_readable_only=NO" > /etc/vsftpd/conf.d/jam echo "anon_upload_enable=YES" >> /etc/vsftpd/conf.d/jam echo "write_enable=YES" >> /etc/vsftpd/conf.d/jam
受限用戶用戶添加到檔案vsftpd.chroot_list
chroot_list_enable=YES chroot_list_file=/etc/vsftpd/chroot_list
注意:每行一個用戶名