Installation, starting/stopping
- # yum install vsftpd
- # /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
- # service vsftpd {start,stop,status,...} # vsftpd 2.2.2 (/etc/init.d/vsftpd)
- # systemctl {start,...} vsftpd[.service] # vsftpd 3.0.2 (/usr/lib/systemd/system/vsftpd*)
version:
- vsftpd-3.0.2-9.el7.x86_64
Create FTP users
There are 3 kinds of users in vsftpd:
1. anonymous
2. guest - virtual user
3. local user
PAM with virtual users
- # vim /etc/vsftpd/virtual_user_list.txt
- xxx
- xxx@xxx
-
- # db_load -T -t hash -f /etc/vsftpd/virtual_user_list.txt /etc/vsftpd/virtual_user_list.db
- # chmod 600 /etc/vsftpd/virtual_user_list.db
-
- # cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.default
- # vi /etc/pam.d/vsftpd
- auth required pam_userdb.so db=/etc/vsftpd/virtual_user_list
- account required pam_userdb.so db=/etc/vsftpd/virtual_user_list
- /etc/vsftpd/virtual_user_list.txt
is read by db_load to build the user/password database /etc/vsftpd/virtual_user_list.db; PAM then reads /etc/vsftpd/virtual_user_list.db
for access control. The file names are arbitrary, as long as the configuration refers to them correctly.
With the db_load options used above, /etc/vsftpd/virtual_user_list.txt
has the following format:
- <user1>
- <passwd1>
- <user2>
- <passwd2>
- ...
- /etc/pam.d/vsftpd
This is the file vsftpd reads when authenticating users; its file name must be given in the vsftpd configuration (see below).
Note: replace the previous contents of the file with the two lines above rather than appending them; otherwise the default pam_unix entries reject the virtual users, logins fail with 530 Login incorrect,
and /var/log/secure shows:
- pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxx rhost=...
Basic configuration
- # cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
- # vim /etc/vsftpd/vsftpd.conf
Note: no trailing whitespace is allowed at the end of any configuration line
- Run vsftpd in standalone mode
- listen=YES
- #listen_ipv6=YES
Note: only one of listen and listen_ipv6 may be enabled
- Disable anonymous login
- anonymous_enable=NO
- Specify the PAM service name for vsftpd
- pam_service_name=vsftpd
i.e. the /etc/pam.d/vsftpd file edited above
Note: give only the file name, not the directory
- Configure virtual user
- guest_enable=YES # enable virtual user
- guest_username=vsftpd # the local user that the virtual user is mapped to
- virtual_use_local_privs=YES # virtual users use the same privileges as local users.
- user_sub_token=$USER
- local_root=/data/ftp/$USER
Create local user vsftpd:
- # useradd -m -b /home -s /sbin/nologin vsftpd
- # chmod 700 /home/vsftpd
Create the “home” directory for virtual user xxx:
- # mkdir /data/ftp
- # mkdir /data/ftp/xxx
- # chown vsftpd:vsftpd /data/ftp/xxx
- Specify the listening address
- listen_address=10.105.87.168 # default: 0.0.0.0
- listen_port=10101 # default: 21
chroot
- ftp> pwd
- 257 "/data/ftp/xxx"
- ftp> cd ../../..
- 250 Directory successfully changed.
- ftp> pwd
- 257 "/"
Over FTP the user can walk straight up into parent directories, which is a serious security risk, so we use chroot to confine each virtual user's root directory to its own “home” directory:
- chroot_local_user=YES
- chroot_list_enable=YES
- chroot_list_file=/etc/vsftpd/chroot_list
Create the file chroot_list and make sure it stays empty, so that every user is confined:
- # cd /etc/vsftpd
- # touch chroot_list
- # chmod 600 chroot_list
On version 2.2.2 this already achieves the confinement:
- ftp> pwd
- 257 "/"
Version 3.0.2, however, returns the following error:
- 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
so the write permission on the root directory must be removed:
- # chmod a-w /data/ftp/xxx
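As an added example (not part of these notes), a small Python linter for the configuration pitfalls described in the basic configuration and chroot sections: trailing whitespace on a setting, listen and listen_ipv6 both enabled, a path instead of a bare name in pam_service_name, anonymous logins left enabled, chroot not enforced, and write bits on a chroot root (which vsftpd 3.0.2 refuses). The sample configuration is constructed for the example.

```python
import stat

# Constructed sample config (not from the notes) containing several pitfalls.
SAMPLE_CONF = "\n".join([
    "anonymous_enable=NO",
    "listen=YES ",                       # trailing space: vsftpd will not accept this
    "listen_ipv6=YES",
    "pam_service_name=/etc/pam.d/vsftpd",
    "chroot_local_user=YES",
    "guest_enable=YES",
    "local_root=/data/ftp/$USER",
])

def parse_vsftpd_conf(text):
    """Return (settings, findings). vsftpd does not strip trailing whitespace,
    so 'listen=YES ' is reported instead of being silently misread."""
    settings, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if line != line.rstrip():
            findings.append(f"line {lineno}: trailing whitespace on {line.strip()!r}")
            line = line.rstrip()
        key, _, value = line.partition("=")
        settings[key] = value
    return settings, findings

def lint_settings(settings):
    """Checks matching the warnings in the notes; returns a list of findings."""
    findings = []
    if settings.get("listen") == "YES" and settings.get("listen_ipv6") == "YES":
        findings.append("listen and listen_ipv6 are both YES; enable only one")
    if settings.get("anonymous_enable", "YES") == "YES":  # vsftpd's default is YES
        findings.append("anonymous_enable is YES: anonymous logins allowed")
    if "/" in settings.get("pam_service_name", ""):
        findings.append("pam_service_name must be a bare name under /etc/pam.d")
    if settings.get("chroot_local_user") != "YES":
        findings.append("chroot_local_user is not YES: users can cd above local_root")
    return findings

def writable_bits(mode):
    """Write bits set in a directory's st_mode; any of them makes vsftpd 3.0.2
    refuse the chroot root, which is why the notes run chmod a-w on it."""
    return mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)

if __name__ == "__main__":
    settings, findings = parse_vsftpd_conf(SAMPLE_CONF)
    for finding in findings + lint_settings(settings):
        print("WARN", finding)
```

Pass os.stat(local_root).st_mode to writable_bits to check a virtual user's root directory before restarting the service.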
Appendix: a full configuration example
- anonymous_enable=NO
- local_enable=YES
- write_enable=YES
- local_umask=022
-
- #anon_upload_enable=YES
- #anon_mkdir_write_enable=YES
-
- dirmessage_enable=YES
- xferlog_enable=YES
- connect_from_port_20=YES
-
- #chown_uploads=YES
- #chown_username=whoever
-
- #xferlog_file=/var/log/xferlog
- xferlog_std_format=YES
-
- #idle_session_timeout=600
- #data_connection_timeout=120
-
- #nopriv_user=ftpsecure
-
- #async_abor_enable=YES
-
- #ascii_upload_enable=YES
- #ascii_download_enable=YES
-
- #ftpd_banner=Welcome to blah FTP service.
-
- #deny_email_enable=YES
- #banned_email_file=/etc/vsftpd/banned_emails
-
-
- chroot_local_user=YES
- chroot_list_enable=YES
- chroot_list_file=/etc/vsftpd/chroot_list
-
- #ls_recurse_enable=YES
-
- listen=YES
- #listen_ipv6=YES
-
- pam_service_name=vsftpd
- userlist_enable=YES
- tcp_wrappers=YES
-
-
- guest_enable=YES
- guest_username=vsftpd
- virtual_use_local_privs=YES
- user_sub_token=$USER
- local_root=/data/ftp/$USER