vsftpd.conf

Reprint, source: http://blog.sina.com.cn/u/48dd4b84010002pv
vsftpd.conf - configuration file for vsftpd
Description: vsftpd.conf can be used to control various aspects of vsftpd's behaviour. By default, vsftpd looks for this file at /etc/vsftpd.conf. You can also specify a configuration file on the command line: the single command-line parameter vsftpd accepts is the path of its configuration file. This is useful for users who manage vsftpd through an advanced inetd such as xinetd, since a different configuration file can be used to start each service, for example one per virtual host.
Format: the format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with # and are ignored. A directive line has the form option=value. Note that an error is reported if there are spaces between option, = and value (no spaces are allowed between the three). Each setting has a default value, which can be changed in the configuration file.
Boolean Options
The following is a list of Boolean options. The value of a Boolean option can be set to yes or no.

allow_anon_ssl
Only useful when ssl_enable is activated. If set to yes, anonymous users are allowed to use secure SSL connections.
Default Value: No

anon_mkdir_write_enable
If set to yes, anonymous users are allowed to create directories under certain conditions. This requires the write_enable option to be activated, and the anonymous ftp user must have write permission on the parent directory.
Default Value: No

anon_other_write_enable
If set to yes, anonymous users are granted write permissions beyond upload and directory creation, such as delete and rename. This is generally not recommended, but it is included so that the configuration is complete.
Default Value: No

anon_upload_enable
If set to yes, anonymous users are allowed to upload files under certain conditions. This requires the write_enable option to be activated, and the anonymous ftp user must have write permission on the target directory.
Default Value: No

anon_world_readable_only
When enabled, anonymous users are only allowed to download files that are world readable. This means the ftp user can own files, in particular uploaded files, that anonymous users cannot download.
Default Value: Yes

anonymous_enable
Controls whether anonymous logins are permitted. If enabled, both the usernames ftp and anonymous are treated as anonymous logins.
Default Value: Yes

ascii_download_enable
If activated, data is transferred in ASCII mode during downloads.
Default Value: No

ascii_upload_enable
If activated, data is transferred in ASCII mode during uploads.
Default Value: No

async_abor_enable
If activated, a special FTP command known as "async ABOR" is enabled. Only a few FTP clients need this feature. Moreover, the feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients hang when cancelling a transfer unless this feature is available, so you may want to enable it.
Default Value: No

background
If activated, and vsftpd is started in "listen" mode, vsftpd will place the listener process in the background. That is, control returns immediately to the shell which launched vsftpd.
Default Value: No

check_shell
Note! This option only takes effect for builds of vsftpd compiled without PAM support. If disabled, vsftpd will not check /etc/shells for valid user shells for local logins.
Default Value: Yes

chmod_enable
If activated, the SITE CHMOD command is allowed. Note! This only applies to local users. Anonymous users are never allowed to use SITE CHMOD.
Default Value: Yes

chown_uploads
If activated, all anonymously uploaded files have their ownership changed to the user specified in chown_username. This is useful for administration, and especially for security.
Default Value: No

chroot_list_enable
If activated, you must supply a list of local users who are placed in a chroot jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to yes: in that case, the list becomes a list of users who are NOT to be placed in a chroot jail. By default the list file is /etc/vsftpd.chroot_list, but it can be set with the chroot_list_file option.
Default Value: No

chroot_local_user
If set to yes, local users will (by default) be placed in a chroot jail in their home directory after login. Warning: this option has security implications, especially if users have upload permission or shell access. Do not enable it unless you know the consequences. Note that these security implications are not specific to vsftpd; they apply to all FTP daemons that offer to put local users in chroot jails.
Default Value: No

connect_from_port_20
Controls whether the server uses port 20 (ftp-data) on the server side for PORT-style data connections. For security reasons, some clients insist on this. Conversely, disabling this option allows vsftpd to run with slightly less privilege.
Default Value: No (but the example configuration file enables it)

deny_email_enable
If activated, you must supply a list of anonymous password e-mail responses which cause login to be denied. By default the list file is /etc/vsftpd.banned_emails, but you can specify a different file with the banned_email_file option.
Default Value: No

dirlist_enable
If set to no, all directory listing commands are disabled.
Default Value: Yes

dirmessage_enable
If enabled, the FTP server displays a message when users first enter a new directory. By default, the directory is scanned for a file named .message, but you can change this with the message_file option.
Default Value: No (but the example configuration file enables it)

download_enable
If set to no, all download requests are refused.
Default Value: Yes

dual_log_enable
If enabled, two log files are generated in parallel, by default /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style transfer log, which can be analysed by standard tools; the latter is vsftpd's own style of log.
Default Value: No

force_dot_files
If activated, files and directories starting with . are shown in directory listings even if the client did not use the "a" flag. This does not include the "." and ".." directories.
Default Value: No

force_local_data_ssl
Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection for sending and receiving data on data connections.
Default Value: Yes

force_local_logins_ssl
Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection to send the password.
Default Value: Yes

guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is mapped to the real user specified by the guest_username setting.
Default Value: No

hide_ids
If enabled, all user and group information in directory listings is displayed as "ftp".
Default Value: No

listen
If enabled, vsftpd runs in standalone mode. This means vsftpd must not be started by an inetd of some kind; instead the vsftpd executable is run directly, and vsftpd itself listens for and handles incoming connections.
Default Value: No

listen_ipv6
Like the listen parameter, except that vsftpd listens on IPv6 interfaces instead of IPv4 ones. This parameter is independent of the listen parameter.
Default Value: No

local_enable
Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd can be used to log in.
Default Value: No

log_ftp_protocol
If xferlog_std_format is enabled, all FTP requests and responses are logged. This option is useful for debugging.
Default Value: No

ls_recurse_enable
If enabled, users may use "ls -R". This is a minor security risk, because an ls -R at the top level of a large site may consume a lot of resources.
Default Value: No

no_anon_password
If enabled, anonymous users are not asked for a password; they can log in directly.
Default Value: No

no_log_lock
If enabled, vsftpd does not take a file lock when writing to log files. This option is not usually enabled. It exists to work around operating system bugs, such as on the Solaris/Veritas filesystem combination, which has sometimes been observed to hang when trying to lock a log file.
Default Value: No

one_process_model
If you have a Linux 2.4 kernel, you may use a different security model which uses only one process per connection. It is a slightly weaker security model, but it gives better performance. Do not enable this option unless you understand the consequences, or your site must handle a very large number of simultaneous user connections.
Default Value: No

passwd_chroot_enable
If enabled, together with chroot_local_user, a chroot jail location is set up on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd: the home directory path contains /./, which marks the point in the path where the jail is located.

pasv_enable
Set to no if you want to disallow the PASV method of obtaining a data connection.
Default Value: Yes

pasv_promiscuous
Set to yes if you want to disable the PASV security check. This check ensures that the data connection originates from the same IP address as the control connection. Do not enable this unless you understand the consequences! The only legitimate uses are in some form of secure tunnelling scheme, or perhaps to support FXP.
Default Value: No

port_enable
Set to no if you want to disallow the PORT method of obtaining a data connection.
Default Value: Yes

port_promiscuous
Set to yes if you want to disable the PORT security check. This check ensures that outgoing data connections can only connect to the client. Do not enable this unless you understand the consequences!
Default Value: No

run_as_launching_user
Set to yes if you want vsftpd to run as the user which launched it. This is usually useful where root access is not available. Severe warning: do not enable this option unless you totally understand the consequences, as naive use of this option can create massive security problems. Specifically, vsftpd does not (cannot) use chroot technology to restrict file access in this mode, even if vsftpd is launched by root. A poor substitute is to use a deny_file setting such as {/*,*..*}, but its reliability cannot compare with a chroot jail and is not in the same league. If this option is enabled, many other options are restricted. For example, options for non-anonymous logins, changing the ownership of uploaded files, connecting from port 20 and listening on ports lower than 1024 are not expected to work. Other options may be affected too.
Default Value: No

secure_email_list_enable
Set to yes if you want only a specified list of e-mail passwords to be accepted for anonymous logins. This is useful as a low-security way of restricting access to content without having to create virtual users. When enabled, anonymous logins are permitted only if the password provided is listed in the file specified by email_password_file. The file format is one password per line, with no extra whitespace. The default filename is /etc/vsftpd.email_passwords.
Default Value: No

session_support
Controls whether vsftpd attempts to maintain sessions for logins. If vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will also open a pam_session if using PAM to authenticate, and only close it upon logout. You may wish to disable this if you do not need session logging, so that vsftpd has more opportunity to run with fewer processes and/or less privilege. Note: utmp and wtmp support is only provided in PAM-enabled builds.
Default Value: No

setproctitle_enable
If enabled, vsftpd attempts to show session status information in the system process listing. In other words, the reported name of each vsftpd process will change to reflect what that session is doing (idle, downloading, etc.). You may want to leave this off for security reasons.
Default Value: No

ssl_enable
If enabled, and vsftpd was compiled with OpenSSL support, vsftpd supports secure connections via SSL. This applies to the control connection (including login) and also to data connections. You will need a client with SSL support too. Note!! Be careful when enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL library. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.
Default Value: No

ssl_sslv2
Only applies if ssl_enable is activated. If enabled, this option permits SSL v2 protocol connections. TLS v1 connections are preferred.
Default Value: No

ssl_sslv3
Only applies if ssl_enable is activated. If enabled, this option permits SSL v3 protocol connections. TLS v1 connections are preferred.
Default Value: No

ssl_tlsv1
Only applies if ssl_enable is activated. If enabled, this option permits TLS v1 protocol connections. TLS v1 connections are preferred.
Default Value: Yes

syslog_enable
If enabled, any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.
Default Value: No

tcp_wrappers
If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections are fed through tcp_wrappers access control. In addition, there is a mechanism for per-IP configuration: if tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, the vsftpd session will try and load the vsftpd configuration file specified in that variable.
Default Value: No

text_userdb_names
By default, numeric IDs are shown in the user and group fields of directory listings. You can get textual names by enabling this option. It is off by default for performance reasons.
Default Value: No

tilde_user_enable
If enabled, vsftpd will try and resolve pathnames such as ~Chris/pics, i.e. a tilde followed by a username. Note that vsftpd always resolves the pathnames ~ and ~/ (here, ~ is resolved to the initial login directory). ~user paths are only resolved if an /etc/passwd file can be found within the current chroot jail.
Default Value: No

use_localtime
If enabled, vsftpd displays directory listings with times in your local time zone. The default is to display GMT. The times returned by the MDTM FTP command are also affected by this option.
Default Value: No

use_sendfile
An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.
Default Value: Yes

userlist_deny
This option is examined only if userlist_enable is activated. If you set this option to no, users are denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.
Default Value: Yes

userlist_enable
If enabled, vsftpd will load a list of usernames from the file specified by the userlist_file option. If a user tries to log in using a name in this list, they are denied before they are asked for a password. This may be useful in preventing cleartext passwords from being transmitted. See also userlist_deny.
Default Value: No

virtual_use_local_privs
If enabled, virtual users have the same privileges as local users. By default, virtual users have the same privileges as anonymous users, which tend to be more restrictive (especially in terms of write access).
Default Value: No

write_enable
Controls whether any FTP commands which change the filesystem are allowed. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
Default Value: No

xferlog_enable
If enabled, a log file is maintained detailing uploads and downloads. By default, this file is /var/log/vsftpd.log, but it can be changed with the vsftpd_log_file option in the configuration file.
Default Value: No (but the example configuration file enables it)

xferlog_std_format
If enabled, the transfer log file is written in standard xferlog format, as used by wu-ftpd. This is useful because you can reuse existing transfer statistics generators. The default format is more readable, however. The default location for this style of log file is /var/log/xferlog, but you can change it with the xferlog_file option.
Default Value: No

Numeric Options
The following is a list of numeric options. A numeric option must be set to a non-negative integer. Octal numbers are supported for convenience with the umask options: to specify an octal number, the first digit must be 0.

accept_timeout
The timeout, in seconds, for a remote client to establish a connection with a PASV style data connection.
Default Value: 60

anon_max_rate
The maximum data transfer rate permitted, in bytes per second, for anonymous clients.
Default Value: 0 (unlimited)

anon_umask
The value that the umask for file creation is set to for anonymous users. Note! If you want to specify an octal value, remember the "0" prefix, otherwise the value will be treated as a base 10 integer.
Default Value: 077

connect_timeout
The timeout, in seconds, for a remote client to respond to our PORT style data connection.
Default Value: 60

data_connection_timeout
The timeout, in seconds, which sets the maximum time a data connection may remain idle. If the timeout triggers, the remote client is disconnected.
Default Value: 300

file_open_mode
The permissions with which uploaded files are created. Umasks are applied on top of this value. If you want uploaded files to be executable, change this value to 0777.
Default Value: 0666

ftp_data_port
The port from which PORT style data connections originate (as long as the connect_from_port_20 option is activated).
Default Value: 20

idle_session_timeout
The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. If the timeout triggers, the remote client is disconnected.
Default Value: 300

listen_port
If vsftpd is in standalone mode, this is the port it listens on for incoming FTP connections.
Default Value: 21

local_max_rate
The maximum data transfer rate permitted, in bytes per second, for local authenticated users.
Default Value: 0 (unlimited)

local_umask
The value that the umask for file creation is set to for local users. Note! If you want to specify an octal value, remember the "0" prefix, otherwise the value will be treated as a base 10 integer.
Default Value: 077

max_clients
If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.
Default Value: 0 (unlimited)

max_per_ip
If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if it goes over this limit.
Default Value: 0 (unlimited)

pasv_max_port
The maximum port to allocate for PASV style data connections. For security reasons, this can be used to confine PASV data connections to a small port range.
Default Value: 0 (use any port)

pasv_min_port
The minimum port to allocate for PASV style data connections. For security reasons, this can be used to confine PASV data connections to a small port range.
Default Value: 0 (use any port)

trans_chunk_size
You probably do not want to change this, but if you use bandwidth limiting you can try setting it to 8192.
Default Value: 0 (let vsftpd pick a sensible setting)
String Options
The following is a list of string options.

anon_root
This option specifies a directory which vsftpd will try to change into after an anonymous login (translator's note: the anonymous root directory). Failure is silently ignored.
Default Value: (none)

banned_email_file
This option is the name of a file containing a list of e-mail addresses which are not permitted as anonymous login passwords. This file is consulted only if the deny_email_enable option is enabled.
Default Value: /etc/vsftpd.banned_emails

banner_file
This option is the name of a file containing the text to display when someone connects to the server. If set, it overrides the banner string provided by the ftpd_banner option.
Default Value: (none)

chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if the chown_uploads option is set.
Default Value: root

chroot_list_file
This option is the name of a file containing a list of local users which will be placed in a chroot jail in their home directory. This option is only relevant if chroot_list_enable is enabled. If the option chroot_local_user is enabled, then the list file instead becomes a list of users NOT to place in a chroot jail.
Default Value: /etc/vsftpd.chroot_list

cmds_allowed
This option specifies a comma separated list of allowed FTP commands (post login; USER, PASS and QUIT are always allowed before login). Any other command is rejected. This is a powerful way of really locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT
Default Value: (none)

deny_file
This option can be used to set a pattern for filenames (and directory names etc.) to which access is denied. The affected items are not hidden, but any attempt to do anything with them (download, change into the directory, affect something within the directory, etc.) is denied. This option is very simple and should not be used for strict access control; the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular, be aware that if a file is accessible under a variety of names (perhaps through symbolic links or hard links), then care must be taken to deny access to all of those names. Access is also denied to items whose name matches the hide_file pattern. Note that vsftpd's regular-expression matching is a simple implementation supporting only a subset of full regular expressions; because of this, you should test the setting of this option as thoroughly as possible. The filesystem's own access control is recommended on security grounds. Example: deny_file={*.mp3,*.mov,.private}
Default Value: (none)

dsa_cert_file
This option specifies the location of the DSA certificate to use for SSL encrypted connections.
Default Value: (none - an RSA certificate is used)

email_password_file
This option can be used to provide an alternative file for use by the secure_email_list_enable setting.
Default Value: /etc/vsftpd.email_passwords

ftp_username
This is the name of the user used to handle anonymous FTP. The home directory of this user is the root of the anonymous FTP area.
Default Value: ftp

ftpd_banner
This string option allows you to override the greeting banner displayed by vsftpd when a connection first comes in.
Default Value: (none - the default vsftpd banner is displayed)

guest_username
See the Boolean option guest_enable for a description of what constitutes a guest login. This setting is the real user to which guest users are mapped.
Default Value: ftp

hide_file
This option can be used to set a pattern for filenames (and directory names etc.) which should be hidden from directory listings. Despite being hidden, a client which knows the name of the file or directory can still access it fully. Items whose names match the hide_file pattern are hidden. Note that vsftpd's regular-expression matching is a simple implementation supporting only a subset of full regular expressions. Example: hide_file={*.mp3,.hidden,hide*,h?}
Default Value: (none)

listen_address
If vsftpd is in standalone mode, this setting overrides the default listen address (all local interfaces). Provide a numeric IP address.
Default Value: (none)

listen_address6
Like listen_address, but specifies the default listen address for the IPv6 listener. The format is the standard IPv6 address format.
Default Value: (none)

local_root
This option specifies a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.
Default Value: (none)

message_file
This option specifies the name of the file to look for when a new directory is entered. The contents of this file are displayed to the remote user as the welcome message. This option is only relevant if dirmessage_enable is enabled.
Default Value: .message

nopriv_user
This is the name of the user that vsftpd switches to when it wants to be totally unprivileged. Note that this should be a dedicated user, rather than nobody. On most machines the user nobody is used for a large number of important tasks.
Default Value: nobody

pam_service_name
This string is the name of the PAM service vsftpd will use.
Default Value: ftp

pasv_address
This option specifies the IP address that vsftpd advertises in response to the PASV command. Provide a numeric IP address.
Default Value: (none - the address is taken from the incoming connected socket)

rsa_cert_file
This option specifies the location of the RSA certificate to use for SSL encrypted connections.
Default Value: /usr/share/ssl/certs/vsftpd.pem

secure_chroot_dir
This option should be the name of an empty directory. In addition, the directory should not be writable by the ftp user. This directory is used as a secure chroot jail at times when vsftpd does not require filesystem access.
Default Value: /usr/share/empty

ssl_ciphers
This option can be used to select which SSL ciphers vsftpd allows for SSL encrypted connections. See the ciphers man page for further details. Note that restricting the ciphers can be a useful security precaution, as it prevents malicious remote parties from forcing a cipher in which they have found weaknesses.
Default Value: DES-CBC3-SHA

user_config_dir
This option defines the directory in which per-user configuration files are located. Usage is simple, and is best illustrated with an example. If you set user_config_dir to /etc/vsftpd_user_conf and then log in as the user "Chris", vsftpd will apply the settings in the file /etc/vsftpd_user_conf/Chris for the duration of the session. The format of this file is as described in the manual page. Note that not every setting is effective on a per-user basis. For example, many settings only take effect before the user's session starts; these include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, and so on.
Default Value: (none)

user_sub_token
This option is used together with virtual users. It automatically generates a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$user, and user_sub_token is set to $user, then when the virtual user Fred logs in, he ends up in the directory /home/virtual/Fred. This option also takes effect if local_root contains user_sub_token.
Default Value: (none)

userlist_file
This option is the name of the file loaded when the userlist_enable option is active.
Default Value: /etc/vsftpd.user_list

vsftpd_log_file
This option is the name of the file to which the vsftpd style log is written. This log is only written if xferlog_enable is set and xferlog_std_format is NOT set. Alternatively, it is written if you have set the dual_log_enable option. One further complication: if you have set syslog_enable, then this file is not written and the output goes to the system log instead.
Default Value: /var/log/vsftpd.log

xferlog_file
This option is the name of the file to which the wu-ftpd style transfer log is written. This transfer log is only written if both xferlog_enable and xferlog_std_format are set. Alternatively, it is written if you have set the dual_log_enable option.
Default Value: /var/log/xferlog
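As an added example (not code from the page or from the vsftpd project), the following parser applies the option=value format rules described at the top of this page and then lints the parsed settings against the Boolean, numeric and umask types and the settings whose descriptions above warn against enabling them; the option tables and the sample configuration are constructed for the example and are not exhaustive.

```python
"""Added example (not from the page or the vsftpd project): parse a vsftpd.conf in
the format described above and lint it against the option types and warnings on this page."""
import re

# Option tables drawn from the lists on this page; deliberately not exhaustive.
BOOLEAN = {"anonymous_enable", "anon_upload_enable", "anon_mkdir_write_enable",
           "anon_other_write_enable", "write_enable", "chroot_local_user",
           "pasv_promiscuous", "port_promiscuous", "run_as_launching_user",
           "ssl_enable", "ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "local_enable"}
NUMERIC = {"max_clients", "max_per_ip", "pasv_min_port", "pasv_max_port",
           "idle_session_timeout", "data_connection_timeout", "listen_port"}
UMASK = {"anon_umask", "local_umask"}  # octal, must start with 0
# Defaults stated on the page, for the options the cross-checks below consult.
DEFAULTS = {"anonymous_enable": "yes", "write_enable": "no", "anon_upload_enable": "no",
            "anon_mkdir_write_enable": "no", "chroot_local_user": "no",
            "pasv_min_port": "0", "pasv_max_port": "0"}
# Options whose description on the page warns against setting them to yes.
RISKY_YES = {
    "pasv_promiscuous": "disables the PASV same-address check",
    "port_promiscuous": "disables the check that PORT data flows only to the client",
    "run_as_launching_user": "vsftpd cannot use a chroot jail in this mode",
    "anon_other_write_enable": "anonymous users may delete and rename files",
    "ssl_sslv2": "permits SSL v2 connections",
    "ssl_sslv3": "permits SSL v3 connections",
}
DIRECTIVE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")


def parse(text):
    """Return (settings, errors). Lines starting with '#' are comments; every other
    non-blank line must be option=value with no spaces around the '='."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if match is None:
            errors.append(f"line {lineno}: not option=value (spaces around '='?): {raw!r}")
            continue
        settings[match.group(1)] = match.group(2)
    return settings, errors


def lint(settings):
    """Type-check each value, then apply the cross-option checks the page warns about."""
    findings = []
    for opt, val in settings.items():
        if opt in BOOLEAN and val.lower() not in ("yes", "no"):
            findings.append(f"{opt}: boolean option must be yes or no, got {val!r}")
        elif opt in NUMERIC and not val.isdigit():
            findings.append(f"{opt}: numeric option must be a non-negative integer, got {val!r}")
        elif opt in UMASK and not re.fullmatch(r"0[0-7]{1,3}", val):
            findings.append(f"{opt}: umask must be octal with a leading 0, got {val!r}")
        if opt in RISKY_YES and val.lower() == "yes":
            findings.append(f"{opt}=YES: {RISKY_YES[opt]}")

    def get(opt):  # effective value: the configured one, else the page's default
        return settings.get(opt, DEFAULTS.get(opt, "")).lower()

    if get("anonymous_enable") == "yes" and get("write_enable") == "yes" and (
            get("anon_upload_enable") == "yes" or get("anon_mkdir_write_enable") == "yes"):
        findings.append("anonymous users can write: anonymous_enable, write_enable and "
                        "anon_upload_enable/anon_mkdir_write_enable are all yes")
    if get("chroot_local_user") == "yes" and get("write_enable") == "yes":
        findings.append("chroot_local_user=YES with write_enable=YES: the page warns the jail "
                        "is risky when users can upload")
    lo, hi = get("pasv_min_port"), get("pasv_max_port")
    if lo.isdigit() and hi.isdigit() and int(hi) and int(lo) > int(hi):
        findings.append(f"pasv_min_port ({lo}) is greater than pasv_max_port ({hi})")
    return findings


# Constructed sample with deliberate mistakes; not a real deployment.
SAMPLE = """# comment lines are ignored
listen = YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
pasv_promiscuous=YES
pasv_min_port=40000
pasv_max_port=39000
anon_umask=77
"""
```

Running `lint(*parse(SAMPLE)[:1])` on the sample reports the `listen = YES` line as a format error (spaces around `=`) and flags the promiscuous PASV check, the non-octal umask, the anonymous write combination and the inverted PASV port range.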

 
