简介
FTP安装及配置,文档时间:2020-3-03-31.
1、redhat(centos)
- 安装软件
yum -y install vsftpd
- 启动服务
systemctl start vsftpd
- 查看相关文件
cd /etc/vsftpd
-rw------- 1 root root 125 Mar 22 2017 ftpusers 黑名单文件,此文件里的用户不允许访问 FTP 服务器
-rw------- 1 root root 361 Mar 22 2017 user_list 白名单文件,是允许访问 FTP 服务器的用户列表
-rw------- 1 root root 4599 Mar 22 2017 vsftpd.conf 核心配置文件
-rwxr--r-- 1 root root 338 Mar 22 2017 vsftpd_conf_migrate.sh FTP服务
- 创建chroot_list文件,后面锁定用户目录的时候会使用到
vi chroot_list
wq
- 配置文件:
# Example config file /etc/vsftpd/vsftpd.conf
ftpd_banner=welcome to login xxfy ftp service
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen=YES
listen_port=29999
# 启用pasv(被动)模式
pasv_enable=YES
# 设置pasv模式中的可用端口范围(开始)
pasv_min_port=30000
# 设置pasv模式中的可用端口范围(结束)
pasv_max_port=30100
# 设置pasv模式中的外网IP
pasv_address=你的服务器IP
# 关闭 seccomp 功能
seccomp_sandbox=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
一般情况下最好将原配置文件进行备份,避免配置出现错误导致无法恢复。
- 添加防火墙规则
开放端口(--permanent永久生效,没有此参数重启后失效)
firewall-cmd --zone=public --add-port=21/tcp --permanent
重新载入
firewall-cmd --reload
查看
firewall-cmd --zone= public --query-port=21/tcp
如果不愿意关闭防火墙,需要防火墙添加FTP服务:
firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload
若防火墙自身关闭,无需进行此操作
- 创建一般用户,这些用户只可以在自己的用户目录下进行文件的上传
# 创建ftpuser
useradd -d /var/ftp/0401 -g ftp mk0401
# 设置密码
passwd mk0401
# user_list文件中添加该账户
# 修改文件夹权限支持组内访问
chmod -R g+rwx 0401
注意此处授予的组内访问,之后我们创建的超管用户,必须归属于ftp用户组。
- 创建超级用户,这些用户可以访问所有的文件
useradd -d /var/ftp/ftpadmin -g ftp ftpadmin
passwd ftpadmin
# user_list文件中添加该账户
# chroot_list中添加该用户
但需要注意的是,ftpadmin虽然可以跨越文件夹,但是对于linux权限管控的文件还是不能直接访问,例如之前的ftp文件夹,可以对FTP文件进行授权,开启对ftp组的访问权限。
- 重启服务
systemctl restart vsftpd
- 将ftp设置为开机自启动
chkconfig vsftpd on
ubuntu版本
- 安装
apt-get install vsftpd
- 配置文件位置
/etc/vsftpd.conf
# 监听默认21端口
listen=YES
#listen_ipv6=YES
# 不允许匿名登录
anonymous_enable=NO
# 允许本地用户登录
local_enable=YES
# 允许上传文件到ftp服务器
write_enable=YES
#
dirmessage_enable=YES
#
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
#chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
# 配置ftp服务器的上传下载文件所在的目录。
local_root=/home/xxfyftp/ftp/
# 启用pasv(被动)模式
pasv_enable=YES
# 设置pasv模式中的可用端口范围(开始)
pasv_min_port=30000
# 设置pasv模式中的可用端口范围(结束)
pasv_max_port=30100
# 设置pasv模式中的外网IP
pasv_address=此处填写你的外网IP
# 关闭 seccomp 功能
seccomp_sandbox=NO
由于windows用户默认连接FTP服务器使用的是被动模式,而ubuntu上面默认是主动模式,因此需要在配置文件中显示的指定模式为被动模式。
- 配置用户
useradd xxfyftp -m
passwd xxfyftp
-
配置用户目录权限。
-
开启防火墙
ufw allow 21
ufw allow 30000:30010
- 若服务器是运营商管理,需要运行商的安全组策略开启我们需要的21、30000-30100/tcp.
附录
1、配置相关解释
anonymous_enable=NO #不允许匿名用户登陆
local_enable=YES #vsftpd所在系统的用户可以登录vsftpd
write_enable=YES #允许使用任何可以修改文件系统的FTP的指令
anon_upload_enable=NO #匿名用户不可以上传文件
anon_mkdir_write_enable=NO #匿名用户不可以修改文件
xferlog_enable=YES #启用一个日志文件,用于详细记录上传和下载。
use_localtime=YES #使用本地时间而不是GMT
vsftpd_log_file=/var/log/vsftpd.log #vsftpd日志存放位置
dual_log_enable=YES #用户登陆日志
connect_from_port_20=YES #开启20端口
xferlog_file=/var/log/xferlog #记录上传下载文件的日志
xferlog_std_format=YES #记录日志使用标准格式
idle_session_timeout=600 #登陆之后超时时间60秒,登陆之后,一分钟不操作,就会断开连接。
chroot_local_user=YES #用于指定用户列表文件中的用户,是否允许切换到上级目录
listen=YES #开启监听
pam_service_name=vsftpd.vu #验证文件的名字
userlist_enable=YES #允许由userlist_file指定文件中的用户登录FTP服务器
tcp_wrappers=YES #支持tcp_wrappers,限制访问(/etc/hosts.allow,/etc/hosts.deny)
guest_enable=YES #起用虚拟用户
guest_username=taokey #虚拟用户名
local_enable=YES:是否允许本地用户访问;
local_umask=022:设置本地用户所上传文件的默认权限掩码值(反掩码);
local_root=/var/ftp:设置本地用户的FTP根目录(默认为用户的宿主目录);
chroot_local_user=YES:是否将FTP本地用户禁锢在宿主目录中;
allow_writeable_chroot=YES:允许被限制用户的主目录具有写权限;
local_max_rate=0:限制本地用户的最大传输速率(0为无限制),单位为字节/秒(B/s)
2、FTP常用命令
3、文件解释
- ftpusers文件:此文件中列出的用户将禁止登录vsftpd服务器。默认包含root、bin、daemon等用于系统运行的特殊用户;
- user_list文件:此文件中包含的用户可能被禁止,可能被允许,具体取决于主配置文件vsftpd.conf中的设置,当存在“userlist——enable=YES”时,user_list列表文件方可生效,若继续指定“userlist_deny=YES”,则功能与ftpusers文件一样,表示禁止此列表中的用户登录;若指定“userlist_deny=NO”,则仅允许列表中的用户登录。
来源:oschina
链接:https://my.oschina.net/u/3091870/blog/3215460