一、LINUX最小安装


Linux 版本


CentOS 7 VSFTPD 安装与配置(虚拟用户)_CenOS


二、禁用防火墙


禁用firewall也可以,更彻底:


systemctl disable firewalld


@其他关于防火墙的命令


启动: systemctl start firewalld


关闭: systemctl stop firewalld


查看状态: systemctl status firewalld


开机禁用 : systemctl disable firewalld


开机启用 : systemctl enable firewalld


三、关闭selinux


关闭selinux,不关闭ftp工具应该可以连接,但是传输文件的时候,会发现文件上传和下载都会出现500、503 、200等报错


通过配置文件修改禁用


#打开SELINUX配置文件


vi /etc/selinux/config


#修改配置参数


#注释


SELINUX=enforcing


#增加


SELINUX=disabled


四、安装VSFTPD


#安装


yum install -y vsftpd


#设置开机启动


systemctl enable vsftpd.service


#启动


service vsftpd start


#停止


service vsftpd stop


#查看状态


service vsftpd status


五、虚拟用户配置


首先需要我们新建一个虚拟宿主用户,也就是上边说的要映射的真实用户:


useradd virtualhost -s /sbin/nologin


这里设置宿主用户也不允许登录系统


修改配置文件如下(红色字体为修改处):


# Example config file /etc/vsftpd/vsftpd.conf


#


# The default compiled in settings are fairly paranoid. This sample file


# loosens things up a bit, to make the ftp daemon more usable.


# Please see vsftpd.conf.5 for all compiled in defaults.


#


# READ THIS: This example file is NOT an exhaustive list of vsftpd options.


# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's


# capabilities.


#


# Allow anonymous FTP? (Beware - allowed by default if you comment this out).


anonymous_enable=NO


#


# Uncomment this to allow local users to log in.


# When SELinux is enforcing check for SE bool ftp_home_dir


local_enable=YES


#


# Uncomment this to enable any form of FTP write command.


write_enable=YES


#


# Default umask for local users is 077. You may wish to change this to 022,


# if your users expect that (022 is used by most other ftpd's)


local_umask=022


#


# Uncomment this to allow the anonymous FTP user to upload files. This only


# has an effect if the above global write enable is activated. Also, you will


# obviously need to create a directory writable by the FTP user.


# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access


anon_upload_enable=NO


#


# Uncomment this if you want the anonymous FTP user to be able to create


# new directories.


anon_mkdir_write_enable=NO


#


# Activate directory messages - messages given to remote users when they


# go into a certain directory.


dirmessage_enable=YES


#


# Activate logging of uploads/downloads.


xferlog_enable=YES


#


# Make sure PORT transfer connections originate from port 20 (ftp-data).


connect_from_port_20=YES


#


# If you want, you can arrange for uploaded anonymous files to be owned by


# a different user. Note! Using "root" for uploaded files is not


# recommended!


chown_uploads=NO


#chown_username=whoever


#


# You may override where the log file goes if you like. The default is shown


# below.


xferlog_file=/var/log/xferlog


#


# If you want, you can have your log file in standard ftpd xferlog format.


# Note that the default log file location is /var/log/xferlog in this case.


xferlog_std_format=YES


#


# You may change the default value for timing out an idle session.


#idle_session_timeout=600


#


# You may change the default value for timing out a data connection.


#data_connection_timeout=120


#


# It is recommended that you define on your system a unique user which the


# ftp server can use as a totally isolated and unprivileged user.


#nopriv_user=ftpsecure


#


# Enable this and the server will recognise asynchronous ABOR requests. Not


# recommended for security (the code is non-trivial). Not enabling it,


# however, may confuse older FTP clients.


async_abor_enable=YES


#


# By default the server will pretend to allow ASCII mode but in fact ignore


# the request. Turn on the below options to have the server actually do ASCII


# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains


# the behaviour when these options are disabled.


# Beware that on some FTP servers, ASCII support allows a denial of service


# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd


# predicted this attack and has always been safe, reporting the size of the


# raw file.


# ASCII mangling is a horrible feature of the protocol.


ascii_upload_enable=YES


ascii_download_enable=YES


#


# You may fully customise the login banner string:


ftpd_banner=Welcome to blah FTP service.


#


# You may specify a file of disallowed anonymous e-mail addresses. Apparently


# useful for combatting certain DoS attacks.


#deny_email_enable=YES


# (default follows)


#banned_email_file=/etc/vsftpd/banned_emails


#


# You may specify an explicit list of local users to chroot() to their home


# directory. If chroot_local_user is YES, then this list becomes a list of


# users to NOT chroot().


# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that


# the user does not have write access to the top level directory within the


# chroot)


chroot_local_user=YES


chroot_list_enable=NO


# (default follows)


# chroot_list_file=/etc/vsftpd/chroot_list


allow_writeable_chroot=YES


#


# You may activate the "-R" option to the builtin ls. This is disabled by


# default to avoid remote users being able to cause excessive I/O on large


# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume


# the presence of the "-R" option, so there is a strong case for enabling it.


ls_recurse_enable=NO


#


# When "listen" directive is enabled, vsftpd runs in standalone mode and


# listens on IPv4 sockets. This directive cannot be used in conjunction


# with the listen_ipv6 directive.


listen=YES


#


# This directive enables listening on IPv6 sockets. By default, listening


# on the IPv6 "any" address (::) will accept connections from both IPv6


# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6


# sockets. If you want that (perhaps because you want to listen on specific


# addresses) then you must run two copies of vsftpd with two configuration


# files.


# Make sure, that one of the listen options is commented !!


# listen_ipv6=YES


pam_service_name=vsftpd


userlist_enable=YES


tcp_wrappers=YES


guest_enable=YES


guest_username=virtualhost


virtual_use_local_privs=YES


user_config_dir=/etc/vsftpd/virtualconf


listen_port=9021


pasv_max_port=9025


pasv_min_port=9022


pasv_promiscuous=YES


注意:


1、开启所有用户限定不能登出其主目录


对于chroot_local_user与chroot_list_enable的组合效果,可以参考下表:

CentOS 7 VSFTPD 安装与配置(虚拟用户)_CenOS_02



参考:vsftpd 配置:chroot_local_user与chroot_list_enable详解_Laurence的技术博客-CSDN博客


2、如果主目录可写就需要开启以下,否则报500错误


allow_writeable_chroot=YES    可以写入用户的主目录权限


当我们限定了用户不能跳出其主目录之后,使用该用户登录FTP时往往会遇到这个错误:


500 OOPS: vsftpd: refusing to run with writable root inside chroot ()


从2.3.5之后,vsftpd增强了安全检查,如果用户被限定在了其主目录下,则该用户的主目录不能再具有写权限了!如果检查发现还有写权限,就会报该错误。


要修复这个错误,可以用命令chmod a-w /home/user去除用户主目录的写权限,注意把目录替换成你自己的。或者你可以在vsftpd的配置文件中增加下列两项中的一项:


allow_writeable_chroot=YES


参考:vsftpd:500 OOPS: vsftpd: refusing to run with writable root inside chroot ()错误的解决方法_Laurence的技术博客-CSDN博客


3、Vsftpd的日志文件不存在,建立Vsftpd的日志文件,并更该属主为Vsftpd的服务宿主用户。


touch /var/log/vsftpd.log


chown virtualhost.virtualhost /var/log/vsftpd.log


4、建立虚拟用户配置文件存放路径:


mkdir /etc/vsftpd/virtualconf


这里是跟配置文件中的user_config_dir这一项是对应的!


六、建立了一个虚拟用户名单文件,把这个名单文件就放置在/etc/vsftpd/下。


接着编辑这个文件,将虚拟用户信息写入这个文件vi /etc/vsftpd/virtusers


virtual1


123456


virtual2


123456


类似上边的格式,一行用户名,一行密码!


接着生成虚拟用户数据文件:


db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db


七、设定PAM验证文件,并指定虚拟用户数据库文件进行读取


这里需要我们安装pam服务,一般系统都会有安装:


yum install pam


Vsftp的PAM验证配置文件:/etc/pam.d/vsftpd


这里对应的就是核心配置文件中的pam_service_name,它会去找/etc/pam.d/vsftpd这个文件!


那么我们需要编辑这个文件,同样的编辑前先备份一下:


cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak


然后编辑文件:vi /etc/pam.d/vsftpd


#%PAM-1.0


auth    sufficient      /lib64/security/pam_userdb.so     db=/etc/vsftpd/virtusers


account sufficient      /lib64/security/pam_userdb.so     db=/etc/vsftpd/virtusers

CentOS 7 VSFTPD 安装与配置(虚拟用户)_VSFTPD_03



这里有一个问题需要注意一下:


如果你的系统是32位的,那么这里要改成:


/lib/security/pam_userdb.so


否则会验证失败!不能登录!


八、配置虚拟用户


1.规划好虚拟用户的主路径:mkdir /data/vsftp/


2.建立测试用户的FTP用户目录:


mkdir /data/vsftp/virtual1/  /data/vsftp/virtual2/


3、更改虚拟用户的主目录的属主为虚拟宿主用户(否则会出去500错误,ftp用户没有权限修改):


chown -R virtualhost.virtualhost /data/vsftp/


4、针对具体用户进行定制:


vi /etc/vsftpd/virtualconf/virtual1


#所有权限用户:


local_root=/data/vsftp/ virtual1


chroot_local_user=YES


anonymous_enable=NO


write_enable=YES


local_umask=022


anon_upload_enable=YES


anon_mkdir_write_enable=YES


anon_other_write_enable=YES


download_enable=YES


#idle_session_timeout=600


#data_connection_timeout=120


#max_clients=10


#max_per_ip=5


#local_max_rate=50000


#只有上传权限用户:


ocal_root=/data/vsftp/ virtual1


chroot_local_user=YES


anonymous_enable=NO


local_umask=022


write_enable=YES


anon_world_readable_only=NO


anon_upload_enable=YES


anon_mkdir_write_enable=YES


anon_other_write_enable=YES


download_enable=NO


#只有下载权限


ocal_root=/data/vsftp/ virtual1


chroot_local_user=YES


anonymous_enable=NO


local_umask=022


write_enable=NO


anon_world_readable_only=NO


anon_upload_enable=NO


anon_mkdir_write_enable=NO


anon_other_write_enable=NO


download_enable=YES


最后测试是否可用……


关于映射到公网使用注意事项:


1、上述是基于被动模式配置,需要把以下端口全部映射9022--9025


listen_port=9021


pasv_max_port=9025


pasv_min_port=9022


2、使用WinSCP 连接时提示如下:Security: Bad IP connecting.错误


需要添加以下配置:


pasv_promiscuous=YES      #代表关闭PASV模式的安全检查


参考:https://blog.csdn.net/aiynmimi/article/details/77012507

————————————————

版权声明:本文为CSDN博主「pimg2005」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。

原文链接:https://blog.csdn.net/pimg2005/article/details/120127279