Lab topology diagram (image not included on this page)

vsftpd blacklist and whitelist on RHEL 5.4

1. Configure a static IP
[root@ftp ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:ae:0f:02
IPADDR=192.168.1.10
NETMASK=255.255.255.0
[root@ftp ~]# service network restart
[root@ftp ~]# chkconfig network on
2. Install the vsftpd package
[root@ftp ~]# rpm -q vsftpd
vsftpd-2.0.5-16.el5
3. Adjust the permissions of the anonymous upload directory and prepare a test file for download
[root@ftp ~]# chown ftp /var/ftp/pub/
[root@ftp ~]# ls -ld /var/ftp/pub/
drwxr-xr-x 3 ftp root 4096 01-13 23:01 /var/ftp/pub/
[root@ftp ~]# tar jcf /var/ftp/ftpconfig.tar.bz2 /etc/vsftpd/
4. Create test users
[root@ftp ~]# useradd u1
[root@ftp ~]# useradd u2
[root@ftp ~]# useradd laya
[root@ftp ~]# passwd  u1
[root@ftp ~]# passwd  u2
[root@ftp ~]# passwd  laya
5. Edit vsftpd.conf to allow local users to log in
[root@ftp ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO      (with userlist_enable=NO the black/white list is not consulted, i.e. it has no effect on who may log in)
tcp_wrappers=YES
6. Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on
7. Test from the XP1 client

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u1
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
u1
226 Directory send OK.
ftp: 收到 4 字节,用时 0.00Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u2
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
u2
226 Directory send OK.
ftp: 收到 4 字节,用时 0.00Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): laya
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> bye
221 Goodbye.

Note that users placed in /etc/vsftpd/ftpusers are blacklisted by default (i.e. these users can never log in, whatever else is configured, although this file has no effect on virtual user names);
it does not affect the access of other users such as u1, u2 and laya.
[root@ftp ~]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
8. Edit /etc/vsftpd/user_list and add u1 and u2
[root@ftp ~]# vim /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied. This list also applies to virtual user names.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
u1
u2

a. Modify vsftpd.conf (whitelist mode)
[root@ftp ~]# cat /etc/vsftpd/vsftpd.conf |grep -v "^#" | grep -v "^$"
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES

Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on

Test from the XP1 client

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u1
331 Please specify the password.
Password:
230 Login successful.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u2
331 Please specify the password.
Password:
230 Login successful.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): laya
530 Permission denied.
Login failed.
ftp>

b. Modify vsftpd.conf (blacklist mode)

[root@ftp ~]# cat /etc/vsftpd/vsftpd.conf |grep -v "^#" | grep -v "^$"
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES                    //(this line may also be omitted here; the effect is the same)
tcp_wrappers=YES

Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on

Test from the XP1 client

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u1
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): u2
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

C:\>ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
User (192.168.1.10:(none)): laya
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/laya"
ftp> mkdir aa
257 "/home/laya/aa" created
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
aa
226 Directory send OK.
ftp: 收到 4 字节,用时 0.00Seconds 4000.00Kbytes/sec.
ftp>


Notes:

a. With userlist_enable=YES and userlist_deny=NO, only the users listed in /etc/vsftpd/user_list can log in, i.e. u1 and u2 can
(provided neither of them appears in /etc/vsftpd/ftpusers); other users such as laya cannot.

b. With only userlist_enable=YES set, the users listed in /etc/vsftpd/user_list are the ones denied, which is equivalent to userlist_enable=YES with userlist_deny=YES.
In that case u1 and u2 cannot log in, but laya can.
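The decision rules summarised in the notes above, checked by a small POSIX shell helper. This is an added example, not code from the original post; the user_list, ftpusers and vsftpd.conf it writes are constructed copies of the lab's files, and it assumes the stock RHEL PAM setup in which every user in ftpusers is denied.

```shell
#!/bin/sh
# Added example, not from the original post: an audit helper that reproduces
# vsftpd's user_list / ftpusers decision for one login name, so the effective
# policy can be checked before the service is restarted. Assumes the stock RHEL
# PAM config (every user in ftpusers is denied) and vsftpd's built-in defaults
# userlist_enable=NO, userlist_deny=YES.
# Read one key from vsftpd.conf, ignoring comments and trailing annotations.
vsftpd_opt() {                      # $1=config file  $2=key  $3=default value
    val=$(sed -n "s/^[[:space:]]*$2=\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1 | tr a-z A-Z)
    [ -n "$val" ] && echo "$val" || echo "$3"
}
# True when $2 appears as a whole line in list file $1 (comment lines skipped).
in_list() {
    grep -v '^#' "$1" 2>/dev/null | grep -qx "$2"
}
# Print allow or deny for user $4 under vsftpd.conf $1, user_list $2, ftpusers $3.
vsftpd_decide() {
    conf=$1; userlist=$2; ftpusers=$3; user=$4
    # PAM consults ftpusers before any userlist_* logic runs.
    if in_list "$ftpusers" "$user"; then echo deny; return; fi
    enable=$(vsftpd_opt "$conf" userlist_enable NO)
    deny=$(vsftpd_opt "$conf" userlist_deny YES)
    if [ "$enable" != "YES" ]; then echo allow; return; fi   # list not consulted
    if [ "$deny" = "NO" ]; then
        in_list "$userlist" "$user" && echo allow || echo deny   # whitelist mode
    else
        in_list "$userlist" "$user" && echo deny || echo allow   # blacklist mode
    fi
}
# Constructed copies of the lab's list files and a minimal vsftpd.conf in dir $1.
make_lab() {                        # $2=userlist_enable  $3=userlist_deny
    printf 'root\nbin\nnobody\nu1\nu2\n' > "$1/user_list"
    printf '# denied via pam\nroot\nbin\nnobody\n' > "$1/ftpusers"
    printf 'local_enable=YES\nuserlist_enable=%s\nuserlist_deny=%s\n' "$2" "$3" > "$1/vsftpd.conf"
}
# Walk the three configurations from the post and report each test user.
lab=$(mktemp -d)
for mode in "NO YES" "YES NO" "YES YES"; do
    set -- $mode
    make_lab "$lab" "$1" "$2"
    for u in u1 u2 laya root; do
        printf 'userlist_enable=%-3s userlist_deny=%-3s %-4s %s\n' "$1" "$2" "$u" \
            "$(vsftpd_decide "$lab/vsftpd.conf" "$lab/user_list" "$lab/ftpusers" "$u")"
    done
done
rm -rf "$lab"
```

Point vsftpd_decide at the real /etc/vsftpd files to see what a given account would get under the current configuration.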