Configuring the FTP server (vsftpd) in Linux
1. Run rpm -qa | grep vsftpd to check whether vsftpd is installed. If it is not installed, run yum -y install vsftpd to install it (on Ubuntu use apt-get install vsftpd).
2. Start or restart the service: service vsftpd start / service vsftpd restart
To make vsftpd start automatically at boot, run chkconfig --level 35 vsftpd on.
3. Set FTP permissions
vi /etc/vsftpd.conf
Change anonymous_enable=YES to anonymous_enable=NO
Press ESC, then type ":wq" to save and exit.
Flush the firewall rules:
# iptables -F
Note that iptables -F removes every rule in the filter table, not only the ones blocking FTP; on a production host, open port 21 and the data ports explicitly instead.
The main configuration file of vsftpd is:
/etc/vsftpd.conf
Lab 1:
To forbid anonymous FTP logins, modify the main vsftpd configuration file:
# vi /etc/vsftpd.conf, and change anonymous_enable=YES to anonymous_enable=NO
Lab 2:
On Windows, the FTP server lets you set a welcome message and a maximum number of connections. How do we set these on the Linux FTP server? Again through the main vsftpd configuration file: # vi /etc/vsftpd.conf
Add ftpd_banner=welcome to here at the end (this is the welcome message) and max_clients=100 (at most 100 users may be connected at the same time), then restart vsftpd.
Lab 3:
If my colleague lilei is leaving the company and I no longer want him to log on to our FTP site, I can add lilei to /etc/vsftpd.ftpusers (vi /etc/vsftpd.ftpusers).
Lab 4:
In the morning the General Manager said that a few people in the company would be promoted. As soon as I heard the news I acted: only the General Manager may log on to the FTP server, so that nobody else can get ideas and start flattering the managers. I can do this with: # vi /etc/vsftpd.conf
Add two lines at the end:
userlist_deny=NO // users in this list are accepted, everyone else (including anonymous) is rejected
userlist_file=/etc/mp/ // specifies the path of the list file
The list is only consulted when userlist_enable=YES is also set (see section 5 below).
The vsftpd configuration file uses "#" as the comment character. Lines starting with "#" and blank lines are ignored during parsing; every other line is treated as a configuration command of the form option=value, and there must be no space on either side of the "=". The configuration file also carries a comment explaining each command. You can edit the file with the vi editor, as follows:
# vi /etc/vsftpd.conf
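Editing by hand in vi works for a lab, but the format rules just described (comment lines ignored, option=value, no spaces around "=") are easy to encode. The following shell script is an added example, not code from the page or from the vsftpd project: it replaces or appends one option in a copy of the file, applying the Lab 1 and Lab 2 settings to a constructed sample configuration.

```shell
#!/bin/sh
# Added example (not from the page): change one vsftpd option without editing by hand.
# Rules from the text: "#" lines and blank lines are ignored, everything else is
# key=value, and there must be no space on either side of "=".
# Usage: vsftpd_set <conf-file> <key> <value>
vsftpd_set() {
    conf=$1; key=$2; value=$3
    case "$key" in ''|*[!A-Za-z0-9_]*) echo "bad option name: $key" >&2; return 1 ;; esac
    case "$value" in ' '*|*' ') echo "no space allowed next to '='" >&2; return 1 ;; esac
    tmp=$(mktemp) || return 1
    # An active "key=..." line is replaced; a commented-out "#key=..." line
    # (as shipped in the default file) is replaced too; otherwise the line is appended.
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop leading blanks and a "#"
            split(line, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            if (kv[1] == k) {
                if (!done) { print k "=" v; done = 1 }   # emit once, drop duplicates
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# Effective value of an option: the last active (uncommented) definition wins.
vsftpd_get() {
    awk -F= -v k="$2" '/^[ \t]*#/ || /^[ \t]*$/ { next } $1 == k { val = $2 } END { print val }' "$1"
}

# Constructed sample configuration for the demo, not a real server's file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Example config file /etc/vsftpd.conf
anonymous_enable=YES
#chroot_local_user=YES
write_enable=YES
EOF
vsftpd_set "$demo_conf" anonymous_enable NO                 # Lab 1: no anonymous login
vsftpd_set "$demo_conf" ftpd_banner "Welcome to here"       # Lab 2: welcome message
vsftpd_set "$demo_conf" max_clients 100                     # Lab 2: connection limit
vsftpd_set "$demo_conf" chroot_local_user YES               # enables a commented-out default
cat "$demo_conf"
```

Point it at /etc/vsftpd.conf on a real host only after checking the result on a copy, and restart vsftpd afterwards as the labs do.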
1. Logon and anonymous user settings
write_enable=YES // whether logged-on users get write permission. Global setting; the default is NO.
local_enable=YES // whether local users are allowed to log on to the FTP server. The default value is NO.
anonymous_enable=YES // whether anonymous users are allowed to log on to the FTP server. The default value is YES.
ftp_username=ftp // the system account used for anonymous users. The default value is ftp.
no_anon_password=YES // whether an anonymous user is asked for a password. If set to YES, no password is requested. The default value is NO.
anon_world_readable_only=YES // whether anonymous users may only download world-readable files. The default value is YES.
anon_upload_enable=YES // whether anonymous users are allowed to upload files. Only valid when write_enable=YES, and the anonymous user must also have write permission on the target directory. The default value is NO.
anon_mkdir_write_enable=YES // whether anonymous users are allowed to create directories. Only valid when write_enable=YES, and the anonymous user must have write permission on the parent directory. The default value is NO.
anon_other_write_enable=NO // if set to YES, anonymous users get more than upload and mkdir rights: they may also delete and rename. The default value is NO.
2. Set welcome information
After a user logs on to the FTP server successfully, the server can show the user a pre-set welcome message.
ftpd_banner=Welcome to my FTP server.
// This item sets a short welcome message. For a longer message, use the banner_file item instead.
banner_file=/etc/vsftpd/banner
// The file whose contents are shown when a user logs on. This setting overrides ftpd_banner.
dirmessage_enable=YES
// Whether to show directory messages. If set to YES, when the user enters a directory (such as /var/ftp/Linux) the contents of the file named by message_file in that directory (.message) are shown.
message_file=.message // sets the name of the directory message file. Put the text to display in this file, placed in the directory concerned (such as /var/ftp/linux).
3. Set the directory the user lands in after logon
local_root=/var/ftp
// The directory a local user lands in after logon. This item is not present in the default configuration file; without it the user lands in their home directory (for root, the /root directory).
anon_root=/var/ftp
// The directory anonymous users land in after logon. If not specified, the default is /var/ftp.
4. Control whether the user can switch to the parent directory
By default a user can run "cd .." to move to the parent directory. For example, if the user logs on into /var/ftp, running "cd .." moves the user to its parent /var, and repeating the command reaches the root of the Linux system, from where the whole Linux file system can be browsed.
If write_enable=YES is also set, the user could rewrite files under the system root directory, which is a serious security risk, so users must be prevented from climbing out to the Linux root directory. The configuration items are:
chroot_list_enable=YES
// Whether the user list named by chroot_list_file is used. If set to YES, all logged-on users may leave the FTP root directory except the accounts listed in /etc/vsftpd/chroot_list. The default value is NO.
chroot_list_file=/etc/vsftpd/chroot_list
// The user list file that controls which users may switch to the parent directory of the FTP site root.
chroot_local_user=YES
// Whether the users in the list file may switch to the parent directory. The default value is NO.
Note: to see the effect for local users, first set local_root=/var/ftp
The specific cases are:
1) chroot_list_enable=YES and chroot_local_user=YES: users listed in /etc/vsftpd/chroot_list can switch to the parent directory; users not listed cannot leave the site root directory.
2) chroot_list_enable=YES and chroot_local_user=NO: users listed in /etc/vsftpd/chroot_list cannot leave the site root directory; users not listed can switch to the parent directory.
3) chroot_list_enable=NO and chroot_local_user=YES: no user can switch to the parent directory.
4) chroot_list_enable=NO and chroot_local_user=NO: every user can switch to the parent directory.
5) When a user is not allowed to switch to the parent directory, the root directory "/" of the FTP site after logon is the home directory of the FTP account, that is, the /var/ftp directory of the file system.
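The four cases reduce to one rule: chroot_local_user sets the default for everybody, and being listed in chroot_list (when chroot_list_enable=YES) flips it. The shell function below is an added example, not part of the page or of vsftpd itself; it encodes that rule and prints the whole matrix for a constructed list file in which only lilei (a name taken from Lab 3) is listed.

```shell
#!/bin/sh
# Added example (not from the page): the four chroot cases above as one rule.
# Exit status 0 means the user stays confined to the FTP root, 1 means the user
# may "cd .." above it. Arguments: chroot_list_enable chroot_local_user user list-file
vsftpd_user_confined() {
    list_enable=$1; local_user=$2; user=$3; listfile=$4
    listed=NO
    # The list only counts when chroot_list_enable=YES (cases 1 and 2).
    if [ "$list_enable" = YES ] && grep -qx "$user" "$listfile" 2>/dev/null; then
        listed=YES
    fi
    # chroot_local_user sets the default for everybody; being listed flips it.
    if [ "$local_user" = YES ]; then
        [ "$listed" = NO ]       # case 1: listed users escape; case 3: all confined
    else
        [ "$listed" = YES ]      # case 2: listed users confined; case 4: none confined
    fi
}

# Print the matrix for one user so the effect of each pair of settings is visible.
chroot_matrix() {
    user=$1; listfile=$2
    for le in YES NO; do
        for lu in YES NO; do
            if vsftpd_user_confined "$le" "$lu" "$user" "$listfile"; then r=confined; else r="may cd .."; fi
            printf 'chroot_list_enable=%s chroot_local_user=%s %s: %s\n' "$le" "$lu" "$user" "$r"
        done
    done
}

# Constructed list file standing in for /etc/vsftpd/chroot_list: only lilei is listed.
chroot_list=$(mktemp)
printf 'lilei\n' > "$chroot_list"
chroot_matrix lilei "$chroot_list"
chroot_matrix tom "$chroot_list"
```

Before enabling write_enable=YES on a real server, check with this rule that every writable account ends up confined.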
5. Set access control
(1) Set hosts that are allowed or not allowed to connect (see TBP14)
tcp_wrappers=YES sets whether the vsftpd server works together with tcp wrappers for host access control. The default value is YES. The vsftpd server then checks the entries in /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server. These two files provide a simple firewall function.
For example, to allow only hosts 192.168.168.1 through 192.168.168.254 to access the vsftpd server, add the following lines to /etc/hosts.allow (tcp wrappers uses the first matching line, so the allow line must come first):
vsftpd: 192.168.168.0/255.255.255.0: allow
vsftpd: ALL: deny
(2) Set users that are allowed or not allowed to log on
User access control is implemented through the files /etc/vsftpd/user_list and /etc/vsftpd/ftpusers. The related configuration commands are:
userlist_enable=YES
// Whether the /etc/vsftpd/user_list file is enabled. Values: YES or NO.
userlist_deny=YES
// Whether the users in /etc/vsftpd/user_list are denied or allowed. If set to YES, users in /etc/vsftpd/user_list are refused access to the FTP server. If set to NO, only the users in /etc/vsftpd/user_list may access the FTP server.
6. Set the transfer speed
anon_max_rate=0
// Maximum transfer rate for anonymous users, in bytes per second. 0 means unlimited, which is the default.
local_max_rate=0
// Maximum transfer rate for local users. The default value is 0, unlimited.
7. Per-user configuration files
Different users can get different settings on the vsftpd server; this is done with per-user configuration files.
user_config_dir=/etc/vsftpd/userconf // the directory holding the per-user configuration files.
Once this item is set, when a user logs on to the FTP server the system reads the file in /etc/vsftpd/userconf that has the same name as the user and applies the configuration commands in it to that user. For example, per-user files can give different users different transfer speeds: each user's file sets local_max_rate to the rate that user is allowed.
8. Connection-related settings
listen=YES
// Whether vsftpd runs in standalone mode. Standalone is the recommended way to run it; listen must then be YES, which is the default, so do not change it. Many of the server-related commands below only take effect in this mode. If set to NO, vsftpd does not run on its own but is started and controlled by the xinetd service, with reduced functionality.
max_clients=0
// The maximum number of simultaneous connections vsftpd accepts. The default value is 0, meaning no limit. If set to 150, 150 connections are allowed at the same time and further connections are refused. Only valid in standalone mode.
max_per_ip=0
// The number of connections allowed from a single IP address. The default value is 0, unlimited. Use it to stop one client from opening too many connections. Only valid in standalone mode.
listen_address=IP address
// Listen for FTP requests only on the given IP address. If not set, vsftpd listens on every IP address bound to the server. Only valid in standalone mode. A server with a single IP address does not need it, and by default it is not present in the configuration file. If the server has several IP addresses, use this item to choose the one on which the FTP service is provided.
Note: run netstat -tnl before and after setting this value to compare the listening ports.
accept_timeout=60
// Timeout for establishing a passive (PASV) data connection, in seconds. The default value is 60.
connect_timeout=60
// Timeout for establishing a data connection in PORT mode, in seconds.
data_connection_timeout=300
// Timeout for FTP data connections. The default value is 300 seconds.
idle_session_timeout=600
// If the client performs no operation on the FTP server for this long, the connection is closed. The unit is seconds and the default is 600. In other words, this is the idle timeout: if no data transfer or command occurs within the period, the connection is forcibly closed.
pam_service_name=vsftpd
// The PAM service name used. The default value is vsftpd.
setproctitle_enable=NO | YES
// Whether each connection to the FTP server is shown as a separately named process. The default is NO, in which case there is only one process named vsftpd. With YES, each connection gets its own vsftpd process whose title shows the connection details, visible with "ps -ef | grep ftp". For security reasons, we recommend leaving it disabled.
9. FTP working modes and port settings
(1) Introduction to FTP
FTP can work in two ways: PORT mode and PASV mode. They work as follows.
The difference between the two is that in PORT mode the data connection is opened by the FTP server, while in PASV mode it is opened by the FTP client, and each data connection uses a different port number. This is why FTP client software such as CuteFTP offers PORT and PASV options in its connection type settings.
When the FTP server is set to PASV mode, the client must also use the PASV connection type. If the client is set to PORT, the FTP connection can still be established, but commands that need a data connection, such as ls or get, get no response and eventually fail with an error that the data connection could not be established.
(2) Port-related configuration
listen_port=21
// The port on which the FTP server accepts connections. The default value is 21.
Example of connecting to a non-standard port: ftp www.sunflower.org 7000
connect_from_port_20=YES
// The default is YES: port 20 is used for FTP data connections. If set to NO, the port used for data connections is the one given by ftp_data_port.
ftp_data_port=20
// The port used for FTP data connections in PORT mode. The default value is 20.
pasv_enable=YES | NO
// If set to YES, PASV mode is used; if set to NO, PORT mode is used. The default value is YES, that is, PASV mode.
pasv_max_port=0
// Upper limit of the port range usable for data connections in PASV mode. The default value is 0, meaning any port.
pasv_min_port=0
// Lower limit of the port range usable for data connections in PASV mode. The default value is 0, meaning any port. Setting a fixed range here lets the firewall open only those ports for passive data connections instead of every high port.
10. Set the transfer mode
FTP can transfer data in binary or ASCII mode when uploading or downloading.
ascii_download_enable=YES // whether ASCII mode may be used for downloads. The default value is NO.
ascii_upload_enable=YES // whether ASCII mode may be used for uploads. The default value is NO.
11. Set the ownership and permissions of uploaded documents
(1) Set the owner of anonymously uploaded documents
chown_uploads=YES
// Whether to change the owner of documents uploaded by anonymous users. The default value is NO. If YES, the owner of anonymously uploaded documents becomes the user named by chown_username.
chown_username=whoever
// The owner of documents uploaded by anonymous users. Only valid when chown_uploads=YES. We recommend that you do not set it to root, even though the system does not forbid it.
(2) Permission settings for new documents
local_umask=022
// The umask for documents created by local users. The default value is 022, which corresponds to permission 755. Umask 022 in binary is 000 010 010; inverting each bit gives 111 101 101, which is 755 in octal: the owner has read, write and execute permission, the group has read and execute permission, and other users have read and execute permission. 022 suits most situations and need not be changed. If it is set to 077, the corresponding permission is 700.
anon_umask=022 // the umask for documents created by anonymous users. The default value is 077.
file_open_mode=0755 // the permission of uploaded documents, in numeric form. The default value is 0666.
12. Log files
xferlog_enable=YES // whether upload/download logging is enabled. The default value is NO.
xferlog_file=/var/log/vsftpd.log // the log file name and path. xferlog_enable must be on.
xferlog_std_format=YES // whether the log uses the standard xferlog format (the same as wu-ftpd). The default value is NO.
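Once xferlog_std_format=YES is on, the log is a fixed whitespace-separated record that awk can read directly. The script below is an added example, not from the page or from vsftpd: it pulls out anonymous uploads and users with incomplete transfers from a constructed log (the 192.168.168.x addresses and the user lilei come from earlier in the page; the log lines themselves are made up).

```shell
#!/bin/sh
# Added example (not from the page): reading the standard xferlog format that
# xferlog_std_format=YES produces. Field positions (whitespace separated):
#  1-5 date, 6 transfer time (s), 7 remote host, 8 size, 9 path, 10 type (a/b),
# 11 special flag, 12 direction (i=upload, o=download), 13 access mode
# (a=anonymous, r=real user), 14 user name, 15 service, 16 auth method,
# 17 auth user id, 18 completion status (c=complete, i=incomplete).

# Print "host path size" for every upload made through the anonymous account:
# with anon_upload_enable=YES this is the list an administrator should review.
xferlog_anon_uploads() {
    awk '$12 == "i" && $13 == "a" { print $7, $9, $8 }' "$1"
}

# Print "user count" for every user with at least one incomplete transfer,
# a cheap signal for dropped connections or a misbehaving client.
xferlog_incomplete_by_user() {
    awk '$18 == "i" { n[$14]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample log (not real traffic) in the format described above.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mon Mar 11 10:15:02 2024 2 192.168.168.20 15360 /var/ftp/pub/readme.txt b _ o a anonymous ftp 0 * c
Mon Mar 11 10:16:45 2024 1 192.168.168.77 524288 /var/ftp/upload/tool.bin b _ i a anonymous ftp 0 * c
Mon Mar 11 10:18:03 2024 30 10.0.0.5 2048 /home/lilei/report.doc b _ o r lilei ftp 0 * i
Mon Mar 11 10:19:10 2024 5 10.0.0.5 4096 /home/lilei/notes.txt a _ i r lilei ftp 0 * i
EOF
echo "anonymous uploads:";    xferlog_anon_uploads "$sample_log"
echo "incomplete transfers:"; xferlog_incomplete_by_user "$sample_log"
```

Run the same functions against /var/log/vsftpd.log on a server where xferlog_std_format=YES is set.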
13. Other settings
text_userdb_names=NO
// Whether the ls command shows user and group names instead of numeric UIDs and GIDs. The default value is NO, which shows the UID and GID. Set it to YES to show names.
ls_recurse_enable=YES
// If set to YES, the "ls -R" command is allowed. The default value is NO. This item is commented out in the shipped configuration file, like several others; to enable one, remove the "#" and set YES or NO.