Linux vsftpd服务

vsftpd服务

由vsftpd包提供

不再由xinetd管理

用户认证配置文件:/etc/pam.d/vsftpd

服务脚本： /usr/lib/systemd/system/vsftpd.service

/etc/rc.d/init.d/vsftpd

配置文件:/etc/vsftpd/vsftpd.conf

man 5 vsftpd.conf

格式：option=value

注意：= 前后不要有空格

匿名用户（映射为系统用户ftp ）共享文件位置：/var/ftp

系统用户共享文件位置：用户家目录

虚拟用户共享文件位置：为其映射的系统用户的家目录

[root@234c17 ~]# vim /etc/vsftpd/vsftpd.conf
 
# ftp server can use as a totally isolated and unprivileged user.
 
#nopriv_user=ftpsecure
 
#
 
# Enable this and the server will recognise asynchronous ABOR requests. Not
 
# recommended for security (the code is non-trivial). Not enabling it,
 
# however, may confuse older FTP clients.
 
#async_abor_enable=YES
 
#
 
# By default the server will pretend to allow ASCII mode but in fact ignore
 
# the request. Turn on the below options to have the server actually do ASCII
 
# mangling on files when in ASCII mode.
 
# Beware that on some FTP servers, ASCII support allows a denial of service
 
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
 
# predicted this attack and has always been safe, reporting the size of the
 
# recommended!
 
#chown_uploads=YES
 
#chown_username=whoever
 
#
 
# You may override where the log file goes if you like. The default is shown
 
# below.
 
#xferlog_file=/var/log/xferlog
 
#
 
# If you want, you can have your log file in standard ftpd xferlog format.
 
# Note that the default log file location is /var/log/xferlog in this case.
 
xferlog_std_format=YES
 
#
 
# You may change the default value for timing out an idle session.
 
#idle_session_timeout=600
 
#
 
# You may change the default value for timing out a data connection.
 
#data_connection_timeout=120
 
#
 
# It is recommended that you define on your system a unique user which the
 
# ftp server can use as a totally isolated and unprivileged user.
 
#nopriv_user=ftpsecure
 
#
 
# Enable this and the server will recognise asynchronous ABOR requests. Not
 
# recommended for security (the code is non-trivial). Not enabling it,
 
# however, may confuse older FTP clients.
 
#async_abor_enable=YES
 
#
 
# By default the server will pretend to allow ASCII mode but in fact ignore
 
# the request. Turn on the below options to have the server actually do ASCII
 
# mangling on files when in ASCII mode.
 
# Beware that on some FTP servers, ASCII support allows a denial of service
 
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
 
# predicted this attack and has always been safe, reporting the size of the
 
# raw file.
 
# ASCII mangling is a horrible feature of the protocol.
 
#ascii_upload_enable=YES
 
#ascii_download_enable=YES
 
#
 
# You may fully customise the login banner string:
 
#ftpd_banner=Welcome to blah FTP service.
 
#
 
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
 
# useful for combatting certain DoS attacks.
 
#deny_email_enable=YES
 
# (default follows)
 
#banned_email_file=/etc/vsftpd/banned_emails
 
#
 
# You may specify an explicit list of local users to chroot() to their home
 
# directory. If chroot_local_user is YES, then this list becomes a list of
 
# users to NOT chroot().
 
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
 
# the user does not have write access to the top level directory within the
 
# chroot)
 
#chroot_local_user=YES
 
#chroot_list_enable=YES
 
# (default follows)
 
#chroot_list_file=/etc/vsftpd/chroot_list
 
#
 
# You may activate the "-R" option to the builtin ls. This is disabled by
 
# default to avoid remote users being able to cause excessive I/O on large
 
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 
# the presence of the "-R" option, so there is a strong case for enabling it.
 
#ls_recurse_enable=YES
 
#
 
# When "listen" directive is enabled, vsftpd runs in standalone mode and
 
# listens on IPv4 sockets. This directive cannot be used in conjunction
 
# with the listen_ipv6 directive.
 
listen=NO
 
#
 
# This directive enables listening on IPv6 sockets. By default, listening
 
# on the IPv6 "any" address (::) will accept connections from both IPv6
 
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
 
# sockets. If you want that (perhaps because you want to listen on specific
 
# addresses) then you must run two copies of vsftpd with two configuration
 
# files.
 
# Make sure, that one of the listen options is commented !!
 
listen_ipv6=YES

vsftpd服务配置

命令端口

listen_port=21

主动模式端口

connect_from_port_20=YES 主动模式端口为20

ftp_data_port=20 （默认） 指定主动模式的端口

被动模式端口范围

linux 客户端默认使用被动模式

windows 客户端默认使用主动模式

pasv_min_port=6000 //0为随机分配
 
pasv_max_port=6010

使用当地时间

use_localtime=YES 使用当地时间 //（默认为NO，使用GMT）

匿名用户

anonymous_enable=YES //支持匿名用户
 
no_anon_password=YES(默认NO) //匿名用户略过口令检查
 
anon_world_readable_only //(默认YES)只能下载全部读的文件
 
anon_upload_enable=YES //匿名上传，注意:文件系统权限
 
anon_mkdir_write_enable=YES //匿名建目录
 
anon_umask=077 //指定匿名上传文件的umask
 
anon_other_write_enable=YES //可删除和修改上传的文件
##指定上传文件的默认的所有者和权限
 
chown_uploads=YES //(默认NO)
 
chown_username=wang
 
chown_upload_mode=0644

Linux系统用户

guest_enable=YES //所有系统用户都映射成guest用户
 
guest_username=ftp //配合上面选项才生效，指定guest用户
 
local_enable=YES //是否允许linux用户登录
 
write_enable-YES //允许linux用户上传文件
 
local_umask=022 //指定系统用户上传文件的默认权限
 
local_root=/ftproot guest//用户登录所在目录

禁锢所有系统用户在家目录中

chroot_local_user=YES //（默认NO，不禁锢）禁锢系统用户

禁锢或不禁锢特定的系统用户在家目录中，与上面设置功能相反

chroot_list_enable=YES
 
chroot_list_file=/etc/vsftpd/chroot_list
 
当chroot_local_user=YES时，则chroot_list中用户不禁锢
 
当chroot_local_user=NO时，则chroot_list中用户禁锢

wu-ftp日志：默认启用

xferlog_enable=YES //（默认） 启用记录上传下载日志
 
xferlog_std_format=YES //（默认） 使用wu-ftp日志格式
 
xferlog_file=/var/log/xferlog //（默认）可自动生成

vsftpd日志：默认不启用

dual_log_enable=YES //使用vsftpd日志格式，默认不启用
 
vsftpd_log_file=/var/log/vsftpd.log //（默认）可自动生成

登录提示信息

ftpd_banner=“welcome to mage ftp server"
 
banner_file=/etc/vsftpd/ftpbanner.txt //优先上面项生效

目录访问提示信息

dirmessage_enable=YES //(默认)
 
message_file=.message //(默认) 信息存放在指定目录下.message

使用pam(Pluggable Authentication Modules)完成用户认证

pam_service_name=vsftpd

pam配置文件:/etc/pam.d/vsftpd

/etc/vsftpd/ftpusers //默认文件中用户拒绝登录

是否启用控制用户登录的列表文件

userlist_enable=YES //默认有此设置
 
userlist_deny=YES  //(默认值) 黑名单,不提示口令，NO为白名单
 
userlist_file=/etc/vsftpd/users_list //此为默认值

vsftpd服务指定用户身份运行

nopriv_user=nobody //(默认值)

连接数限制

max_clients=0 //最大并发连接数
 
max_per_ip=0 //每个IP同时发起的最大连接数

传输速率：字节/秒

anon_max_rate=0 //匿名用户的最大传输速率
 
local_max_rate=0 //本地用户的最大传输速率

连接时间：秒为单位

connect_timeout=60 //主动模式数据连接超时时长
 
accept_timeout=60 //被动模式数据连接超时时长
 
data_connection_timeout=300 //数据连接无数据输超时时长
 
idle_session_timeout=60 //无命令操作超时时长

优先以文本方式传输

ascii_upload_enable=YES
 
ascii_download_enable=YES

配置FTP服务以非独立服务方运行:listen=NO，默认为独立方式

cat /etc/xinetd.d/vsftpd
 
service ftp
 
{
 
flags = REUSE
 
socket_type = stream
 
wait = no
 
user = root
 
server = /usr/sbin/vsftpd
 
log_on_failure += USERID
 
disable = no
 
}