Build FTP on Linux
Key points for building FTP:
- Restrict a specified user to its root directory
- Fix FTP connection timeouts
- Fix the FTP active-mode / passive-mode connection problem
1. Install FTP
Stop the firewall before installing FTP (very important):
service iptables stop
After installation, add the ports FTP needs back to iptables.
- Install vsftpd directly with yum
1. Run the installation command:
yum install -y vsftpd
2. Enable the service at boot:
chkconfig vsftpd on
3. Start the service:
service vsftpd start
- Configure the FTP configuration file
Only the necessary settings are covered here; tune the rest to your own environment. Note that vsftpd does not accept a trailing comment after a value ("key=value # note" fails to parse), so the explanatory notes below are placed on their own lines.
# The default configuration file is /etc/vsftpd/vsftpd.conf
vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Whether anonymous login is allowed
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#pasv_enable=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Active mode
# Whether active (PORT) transfers are allowed; the data port is 20, so the
# firewall must open port 20. (Fixes "access FTP timeout connection".)
connect_from_port_20=YES
# Whether passive mode is on; passive mode is turned off here.
# (Fixes "FTP active connection / passive connection problem".)
pasv_enable=NO
#
# Passive mode
# To use passive mode instead, comment out the two settings above and add:
#connect_from_port_20=NO
#pasv_enable=YES
#pasv_min_port=50000
#pasv_max_port=60000
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# Log file
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# Whether users are allowed to access directories other than their own.
# With NO, only the users named in chroot_list are confined to their root
# directory. (Fixes "user-specified access to its root directory".)
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
# The users whose access is restricted to their directory are listed in the
# chroot_list file
chroot_list_file=/etc/vsftpd/chroot_list
# (Key addition) allow read and write access inside the chroot
allow_writeable_chroot=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Directory the local users land in
local_root=/mnt/ftp_user
- Add the user user001, pointing at the directory /mnt/ftp, with SSH login disabled.
# Add the user; its root directory (the directory it lands in over FTP) is /mnt/ftp
useradd -d /mnt/ftp -s /sbin/nologin user001
# Set the password
passwd user001
# Adjust the permissions of the /mnt/ftp directory
chmod -R 755 /mnt/ftp
# Change the owner and group of the directory (check the current owner first;
# only needed if it is not already user001)
chown user001:user001 /mnt/ftp
- Edit /etc/vsftpd/chroot_list and add the user name to it
vi /etc/vsftpd/chroot_list
# Adding user001 is enough
user001
The setup is now complete; restart the service and you can log in and test.
service vsftpd restart
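The three settings this guide turns on interact in ways that are easy to get backwards: chroot_list means "users to chroot" when chroot_local_user=NO but "users NOT to chroot" when it is YES, and the firewall ports to reopen after "service iptables stop" depend on whether active or passive mode was chosen. The helpers below are an added example, not code from the original post or from the vsftpd project: they read a vsftpd.conf, report which users actually end up confined and which TCP ports the server-side firewall must accept, and rewrite key=value lines without leaving duplicates behind. They work on constructed scratch files, never on /etc, and the defaults they assume when a key is absent (chroot_list_file=/etc/vsftpd/chroot_list, pasv_enable=YES, pasv_min_port/pasv_max_port=0, connect_from_port_20=NO) are the documented vsftpd defaults.

```shell
#!/bin/sh
# Added example (not from the original post): checkable helpers for the
# chroot-list semantics, transfer-mode firewall ports and vsftpd.conf editing.
# All paths are constructed scratch files; nothing here touches /etc.

# Normalise a vsftpd boolean: YES/TRUE/1 are true, anything else is false.
vsftpd_bool() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) echo yes ;;
        *) echo no ;;
    esac
}

# Effective value of KEY ($2) in CONF ($1): the last uncommented assignment
# wins, which is how vsftpd treats a duplicated key. Empty when unset.
vsftpd_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# Set KEY=VALUE ($2=$3) in CONF ($1): rewrite an existing uncommented line,
# otherwise append. "#key=..." lines stay as documentation. The value is
# written bare because vsftpd rejects trailing "# comments" after a value.
vsftpd_set() {
    if grep -qE "^[[:space:]]*$2=" "$1"; then
        sed -i "s|^[[:space:]]*$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Is USER confined to its home directory? Rule from vsftpd.conf(5):
#   chroot_local_user=YES -> everyone chrooted, the list holds exceptions
#   chroot_local_user=NO  -> nobody chrooted, the list holds users to chroot
# The list is consulted only when chroot_list_enable=YES. Prints yes or no.
vsftpd_is_chrooted() {
    conf=$1; user=$2
    listfile=$(vsftpd_get "$conf" chroot_list_file)
    [ -n "$listfile" ] || listfile=/etc/vsftpd/chroot_list   # vsftpd default
    in_list=no
    if [ "$(vsftpd_bool "$(vsftpd_get "$conf" chroot_list_enable)")" = yes ] \
       && [ -r "$listfile" ] && grep -qxF "$user" "$listfile"; then
        in_list=yes
    fi
    if [ "$(vsftpd_bool "$(vsftpd_get "$conf" chroot_local_user)")" = yes ]; then
        if [ "$in_list" = yes ]; then echo no; else echo yes; fi
    else
        echo "$in_list"
    fi
}

# Ports the server-side firewall must accept for the configured transfer mode.
# Active (PORT): the server connects back to the client from port 20.
# Passive (PASV): the client connects to a server port in the pasv range; with
# no pasv_min_port/pasv_max_port that is any ephemeral port (shown as 0-0),
# which is why the post pins 50000-60000.
vsftpd_ports() {
    ports=21
    if [ "$(vsftpd_bool "$(vsftpd_get "$1" connect_from_port_20)")" = yes ]; then
        ports="$ports 20"
    fi
    pasv=$(vsftpd_get "$1" pasv_enable)
    [ -n "$pasv" ] || pasv=YES          # vsftpd default when the key is absent
    if [ "$(vsftpd_bool "$pasv")" = yes ]; then
        lo=$(vsftpd_get "$1" pasv_min_port); hi=$(vsftpd_get "$1" pasv_max_port)
        ports="$ports ${lo:-0}-${hi:-0}"
    fi
    echo "$ports"
}

# Print (do not run) the iptables INPUT rules for those ports, i.e. what to
# add back after the install-time "service iptables stop".
vsftpd_iptables_rules() {
    for p in $(vsftpd_ports "$1"); do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$(printf '%s' "$p" | tr '-' ':')"
    done
}

# Constructed copy of the post's settings in a scratch directory.
demo_setup() {
    dir=$(mktemp -d)
    cat > "$dir/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=NO
chroot_list_enable=YES
allow_writeable_chroot=YES
connect_from_port_20=YES
pasv_enable=NO
EOF
    vsftpd_set "$dir/vsftpd.conf" chroot_list_file "$dir/chroot_list"
    printf 'user001\n' > "$dir/chroot_list"
    echo "$dir/vsftpd.conf"
}

conf=$(demo_setup)
echo "user001 chrooted: $(vsftpd_is_chrooted "$conf" user001)"   # yes
echo "user002 chrooted: $(vsftpd_is_chrooted "$conf" user002)"   # no
echo "active-mode ports: $(vsftpd_ports "$conf")"                 # 21 20
vsftpd_set "$conf" connect_from_port_20 NO
vsftpd_set "$conf" pasv_enable YES
vsftpd_set "$conf" pasv_min_port 50000
vsftpd_set "$conf" pasv_max_port 60000
echo "passive-mode ports: $(vsftpd_ports "$conf")"                # 21 50000-60000
vsftpd_iptables_rules "$conf"
```

Run it as-is to see the post's active-mode setup, then the same file switched to passive mode with the pinned range. Pointing vsftpd_is_chrooted at the real /etc/vsftpd/vsftpd.conf before "service vsftpd restart" confirms that flipping chroot_local_user to YES would silently turn user001 into the one user who is NOT confined.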
Summary: building FTP on Linux with vsftpd, fixing FTP connection timeouts, restricting a specified user to its root directory, and resolving the active-mode / passive-mode connection problem.