ftp 配置

http://www.cnblogs.com/zhenmingliu/archive/2012/04/25/2470646.html

参考：http://coffeelet.blog.163.com/blog/static/1351574532011434453515/

什么是vsftpd

vsftpd是一款在Linux发行版中最受推崇的FTP服务器程序。特点是小巧轻快，安全易用。

vsftpd 的名字代表”very secure FTP daemon”, 安全是它的开发者 Chris Evans 考虑的首要问题之一。在这个 FTP 服务器设计开发的最开始的时候，高安全性就是一个目标。

安装vsftpd

1、以管理员（root）身份执行以下命令

1. yum install vsftpd

2、设置开机启动vsftpd ftp服务

1. chkconfig vsftpd on

3、启动vsftpd服务

1. service vsftpd start

管理vsftpd相关命令：

停止vsftpd:  service vsftpd stop

重启vsftpd:  service vsftpd restart

配置防火墙

打开/etc/sysconfig/iptables文件

1. vi /etc/sysconfig/iptables

在REJECT行之前添加如下代码

1. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

保存和关闭文件，重启防火墙

1. service iptables start

配置vsftpd服务器

默认的配置文件是/etc/vsftpd/vsftpd.conf，你可以用文本编辑器打开。

1. vi /etc/vsftpd/vsftpd.conf

添加ftp用户

下面是添加ftpuser用户，设置根目录为/home/wwwroot/ftpuser,禁止此用户登录SSH的权限，并限制其访问其它目录。

１、修改/etc/vsftpd/vsftpd.conf

将底下三行

1. #chroot_list_enable=YES
2. # (default follows)
3. #chroot_list_file=/etc/vsftpd/chroot_list

改为

1. chroot_list_enable=YES
2. # (default follows)
3. chroot_list_file=/etc/vsftpd/chroot_list

禁止匿名用户访问：

1. anonymous_enable=YES,将YES改为NO

在文件末尾加如下的设置：

1. pasv_enable=YES ;允许被动模式
2. pasv_min_port=10000 ；被动模式使用端口范围
3. pasv_max_port=10010
4. local_max_rate=200000 ；用户宽带限制 （未测试）
5. chroot_local_user=YES ；禁用户离开主目录（未测试）
6. 注意：设置pasv端口后，需要修改防火墙，如在centOs里，修改如下：
   iptables -A RH-Firewall-1-INPUT -p tcp --dport 10000:10010 -j ACCEPT

3、增加用户ftpuser，指向目录/home/wwwroot/ftpuser,禁止登录SSH权限。

1. useradd -d /home/wwwroot/ftpuser -g ftp -s /sbin/nologin ftpuser

4、设置用户口令

1. passwd ftpuser

5、编辑文件chroot_list:

1. vi /etc/vsftpd/chroot_list

内容为ftp用户名,每个用户占一行,如：

peter
john

6、重新启动vsftpd

1. service vsftpd restart

 

但客户端访问提示如下错误：

500 OOPS: cannot change directory:/home/ftp

原因是他的CentOS系统安装了SELinux，因为默认下是没有开启FTP的支持，所以访问时都被阻止了。

//查看SELinux设置

 

# getsebool -a|grep ftp

ftp_home_dir-->off

 

//使用setsebool命令开启

 

 

# setsebool ftp_home_dir 1

 

由于操作系统一旦重启后，这种设置需要重新设置，这里使用-P参数实现.

 

//setsebool使用-P参数，无需每次开机都输入这个命令

 

# setsebool -P ftp_home_dir 1

---------------------------------------------------------------------------------------------------分隔线----------------------------------------------------------------------------------------------------

我的配置：

vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf## The default compiled in settings are fairly paranoid. This sample file# loosens things up a bit, to make the ftp daemon more usable.# Please see vsftpd.conf.5 for all compiled in defaults.## READ THIS: This example file is NOT an exhaustive list of vsftpd options.# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's# capabilities.## Allow anonymous FTP? (Beware - allowed by default if you comment this out).anonymous_enable=NO## Uncomment this to allow local users to log in.# When SELinux is enforcing check for SE bool ftp_home_dirlocal_enable=YES## Uncomment this to enable any form of FTP write command.write_enable=YES## Default umask for local users is 077. You may wish to change this to 022,# if your users expect that (022 is used by most other ftpd's)local_umask=022## Uncomment this to allow the anonymous FTP user to upload files. This only# has an effect if the above global write enable is activated. Also, you will# obviously need to create a directory writable by the FTP user.# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access#anon_upload_enable=YES## Uncomment this if you want the anonymous FTP user to be able to create# new directories.#anon_mkdir_write_enable=YES## Activate directory messages - messages given to remote users when they# go into a certain directory.dirmessage_enable=YES## Activate logging of uploads/downloads.xferlog_enable=YES## Make sure PORT transfer connections originate from port 20 (ftp-data).connect_from_port_20=YES## If you want, you can arrange for uploaded anonymous files to be owned by# a different user. Note! Using "root" for uploaded files is not# recommended!#chown_uploads=YES#chown_username=whoever## You may override where the log file goes if you like. The default is shown# below.#xferlog_file=/var/log/xferlog## If you want, you can have your log file in standard ftpd xferlog format.# Note that the default log file location is /var/log/xferlog in this case.xferlog_std_format=YES## You may change the default value for timing out an idle session.#idle_session_timeout=600## You may change the default value for timing out a data connection.#data_connection_timeout=120## It is recommended that you define on your system a unique user which the# ftp server can use as a totally isolated and unprivileged user.#nopriv_user=ftpsecure## Enable this and the server will recognise asynchronous ABOR requests. Not# recommended for security (the code is non-trivial). Not enabling it,# however, may confuse older FTP clients.#async_abor_enable=YES## By default the server will pretend to allow ASCII mode but in fact ignore# the request. Turn on the below options to have the server actually do ASCII# mangling on files when in ASCII mode.# Beware that on some FTP servers, ASCII support allows a denial of service# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd# predicted this attack and has always been safe, reporting the size of the# raw file.# ASCII mangling is a horrible feature of the protocol.#ascii_upload_enable=YES#ascii_download_enable=YES## You may fully customise the login banner string:#ftpd_banner=Welcome to blah FTP service.## You may specify a file of disallowed anonymous e-mail addresses. Apparently# useful for combatting certain DoS attacks.#deny_email_enable=YES# (default follows)#banned_email_file=/etc/vsftpd/banned_emails## You may specify an explicit list of local users to chroot() to their home# directory. If chroot_local_user is YES, then this list becomes a list of# users to NOT chroot().# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that# the user does not have write access to the top level directory within the# chroot)#chroot_local_user=YESchroot_list_enable=YES# (default follows)chroot_list_file=/etc/vsftpd/chroot_list## You may activate the "-R" option to the builtin ls. This is disabled by# default to avoid remote users being able to cause excessive I/O on large# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume# the presence of the "-R" option, so there is a strong case for enabling it.#ls_recurse_enable=YES## When "listen" directive is enabled, vsftpd runs in standalone mode and# listens on IPv4 sockets. This directive cannot be used in conjunction# with the listen_ipv6 directive.listen=NO## This directive enables listening on IPv6 sockets. By default, listening# on the IPv6 "any" address (::) will accept connections from both IPv6# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6# sockets. If you want that (perhaps because you want to listen on specific# addresses) then you must run two copies of vsftpd with two configuration# files.# Make sure, that one of the listen options is commented !!listen_ipv6=YESpam_service_name=vsftpd#userlist_enable=YEStcp_wrappers=YESpasv_enable=YESpasv_min_port=10000pasv_max_port=10010local_max_rate=200000chroot_local_user=NOallow_writeable_chroot=YES

这2句是禁止访问上级目录，但允许打开当前目录(具体看最下方说明)

chroot_local_user=NO
allow_writeable_chroot=YES

#frederru 是用户名，下面的2个是密码和密码确认

useradd -d /home/wwwroot -g ftp -s /sbin/nologin frederru

passwd frederru

xxxxx

xxxxx

[root@localhost vsftpd]# vi /etc/vsftpd/chroot_list
frederru

（如果多用户就多行）
重启ftp

systemctl restart vsftpd.service

防火墙配置：

[root@localhost vsftpd]# vi /etc/sysconfig/iptables# sample configuration for iptables service# you can edit this manually or use system-config-firewall# please do not ask us to add additional ports/services to this default configuration*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"/etc/sysconfig/iptables" 25L, 1291C# sample configuration for iptables service# you can edit this manually or use system-config-firewall# please do not ask us to add additional ports/services to this default configuration*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 8091 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 4369 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 21101 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 3690 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 27017 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 28017 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000:10010 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibitedCOMMIT~

如果设置为

chroot_local_user＝YES

chroot_list_enable=YES(这行可以没有, 也可以有)

chroot_list_file=/etc/vsftpd.chroot_list

那么, 凡是加在文件vsftpd.chroot_list中的用户都是不受限止的用户，即, 可以浏览其主目录的上级目录.

如果不希望某用户能够浏览其主目录上级目录中的内容,可以如上设置,然后在文件vsftpd.chroot_list中去掉或不添加该用户即可。

也可以如下配置

chroot_local_user＝NO

chroot_list_enable=YES(这行必须要有, 否则文件vsftpd.chroot_list不会起作用)

chroot_list_file=/etc/vsftpd.chroot_list

然后把所有不希望有这种浏览其主目录之上的各目录权限的用户添加到文件vsftpd.chroot_list中即可(一行一个用户名，此时, 在该文件中的用户都是不可以浏览其主目录之外的目录的)