Adding users and restricting them to directories in vsftpd (confining each user to its assigned directory)

Source: Internet
Author: User

When the development side releases quickly, operations receives countless files and directories to publish every day. That is a burden, so the simplest fix is to set up FTP and let developers upload and modify files themselves. The catch is permissions: the company has five sites in five directories, each person is responsible for a different site, and everyone should be able to work on their own site without touching anyone else's directory. The steps below solve this.

I. Check that vsftpd is installed in Linux.

This is assumed to be installed already and is not covered here.

II. Disable SELinux and reboot (if you prefer to keep SELinux enabled, adjust its labels or booleans instead)

To disable SELinux:

In /etc/selinux/config, change the SELINUX= line to SELINUX=disabled, then reboot.

If you do not want to reboot, run the setenforce 0 command instead.

Note:

setenforce 1 puts SELinux in enforcing mode.

setenforce 0 puts SELinux in permissive mode.

Adding selinux=0 to the kernel parameters in LILO or GRUB also disables SELinux.

To keep SELinux on but exempt vsftpd from confinement, set the boolean instead:

setsebool ftpd_disable_trans 1

III. Create the users and their directories

Note: set the permissions on the directories before assigning them as FTP home directories.

Then change local_umask in vsftpd.conf to 000, so that new directories are created as 777 and new files as 666 by default.

# useradd -d /var/www -s /sbin/nologin ftp3

# passwd ftp3

This creates the user ftp3 with /var/www as its home directory and no shell login.

# useradd -d /var/Web -s /sbin/nologin ftp4

# passwd ftp4

This creates the user ftp4 with /var/Web as its home directory and no shell login.

ftp3 and ftp4 are now each tied to their own folder.

IV. Edit the vsftpd.conf configuration file

Set anonymous_enable to NO to prevent anonymous uploads.

Uncomment chroot_list_enable and chroot_list_file so that the listed users cannot move up into the parent directory.

V. Create the chroot_list file under /etc/vsftpd

Once the file exists, add the users ftp3 and ftp4 to it, one per line, so that each can only access its assigned directory.

VI. Start or restart the FTP service

# service vsftpd restart

Once the service is up, the FTP server can be accessed.

The following are some vsftpd.conf settings for reference.

1. Anonymous FTP server (standalone server)

Add the following to /etc/vsftpd.conf:

anonymous_enable=YES (allow anonymous login)

dirmessage_enable=YES (show the contents of .message in a directory when entering it)

local_umask=022 (umask for files created by local users; default 077)

connect_from_port_20=YES (make data connections from FTP data port 20) *

xferlog_enable=YES (log uploads and downloads)

xferlog_std_format=YES (use the standard xferlog format)

ftpd_banner=XXXXX (welcome banner)

pam_service_name=vsftpd (PAM service used for authentication) *

listen=YES (run vsftpd as a standalone server) *

Result: clients can connect to the FTP server but cannot upload or download files.

Note: the logging and banner options are optional. Options marked with an asterisk are required regardless of account type; these are the basic FTP options.

2. Allow uploads on the anonymous FTP server

Add the following to the configuration file:

anon_upload_enable=YES (allow anonymous uploads)

anon_mkdir_write_enable=YES (allow anonymous users to create directories and upload into them)

write_enable=YES (grant write permission to local users)

anon_other_write_enable=YES (allow anonymous accounts to delete files)

3. Allow downloads on the anonymous FTP server

Add the following to the configuration file:

anon_world_readable_only=NO

Note: watch the directory's permission bits. The anonymous account counts as "other", so the read and write bits for others must be set to give it access.

r (read) allows download, w (write) allows upload, and x (execute) is required to enter the directory; without it the FTP directory cannot be opened.

4. Connections by normal (local) users (standalone server)

Add the following to the configuration file:

local_enable=YES (local accounts can log on)

write_enable=NO (local accounts cannot delete or modify files after logging on)

Result: local accounts can log on to the vsftpd server and have permission to download and upload files.

Note: for the anonymous case (log on allowed, no upload or download) see section 1; to disable anonymous logon, set anonymous_enable=NO.

5. Confine users to their home directory and block access to other directories

To chroot all local users:

chroot_local_user=YES (every local account is confined to its own home directory)

To chroot only specific users:

chroot_list_enable=YES (read the user list from the file below)

chroot_list_file=/any/path/you/choose/vsftpd.chroot_list

Note: vsftpd.chroot_list does not exist by default; create it yourself and add the accounts to be confined, one per line.
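As an added example that is not part of the original article, the following Python parses a vsftpd.conf, decides whether a given local user ends up confined under the chroot_local_user / chroot_list_enable combinations described in this section and in steps IV and V above, and flags settings the setup depends on. The configuration text and user names are constructed samples, not files from a real host.

```python
# Added example, not from the original article: parse vsftpd.conf and check
# the per-user directory confinement described in the text.
# Constructed sample mirroring the article's settings (not a real file).
SAMPLE_CONF = """\
# vsftpd.conf (constructed sample)
anonymous_enable=NO
write_enable=YES
local_umask=000
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""
# Constructed contents of the chroot_list file, one user per line.
SAMPLE_CHROOT_LIST = ["ftp3", "ftp4"]

def parse_conf(text):
    """vsftpd.conf holds one 'option=value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def truthy(conf, key, default="NO"):
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0 for booleans, in any case."""
    return conf.get(key, default).upper() in ("YES", "TRUE", "1")

def is_chrooted(conf, user, chroot_list):
    """With chroot_local_user=NO the list names the users that ARE confined;
    with chroot_local_user=YES the same list names the exceptions."""
    listed = truthy(conf, "chroot_list_enable") and user in chroot_list
    return truthy(conf, "chroot_local_user") != listed

def audit(conf):
    """Flag settings that undo the confinement the article sets up."""
    findings = []
    if truthy(conf, "anonymous_enable", default="YES"):  # upstream default is YES
        findings.append("anonymous_enable is on: anonymous logins are allowed")
    if not (truthy(conf, "chroot_local_user") or truthy(conf, "chroot_list_enable")):
        findings.append("no chroot configured: users can browse outside their home")
    if conf.get("local_umask", "077") == "000":
        findings.append("local_umask=000: uploads are created world-writable (666/777)")
    return findings
```

Running audit(parse_conf(SAMPLE_CONF)) on the article's own settings reports only the local_umask=000 finding; a user not named in chroot_list is left unconfined, which is the gap the list file closes.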

6. Restrict which local users may access FTP

userlist_enable=YES (use a user list to restrict access)

userlist_deny=NO (users in the list are not allowed to access)

userlist_file=/path/where/the/list/is/stored (path to the list file)

Note: when userlist_enable=YES is set, anonymous accounts cannot log on.

7. Security options

idle_session_timeout=600 (seconds; disconnect a session idle for 10 minutes)

data_connection_timeout=120 (seconds; disconnect a data connection idle for 2 minutes)

accept_timeout=60 (seconds; disconnect the client after 1 minute)

connect_timeout=60 (seconds; disconnect after 1 minute)

local_max_rate=50000 (bytes per second; local users limited to about 50 K)

anon_max_rate=30000 (bytes per second; anonymous users limited to about 30 K)

pasv_min_port=50000
pasv_max_port=60000 (restrict passive-mode data connections to ports between 50000 and 60000)

max_clients=200 (maximum number of concurrent FTP connections)

max_per_ip=4 (maximum connections per client IP)

listen_port=5555 (listen for connections on port 5555)

8. See who is logged on to FTP and kill the process

ps -xf | grep ftp

kill <process number>
