Build a vsftpd FTP server on CentOS 6.3

Source: Internet
Author: User

vsftpd is a well-known FTP server for the Linux platform. The name is short for "very secure FTP daemon".

1. Install vsftpd
First, check whether vsftpd is already installed on the system.
[root@localhost Packages]# rpm -qa | grep vsftpd
[root@localhost Packages]#

If it is not installed, continue with the following installation.

Insert the first CentOS installation disc into the optical drive, find the vsftpd package in the Packages directory of the disc, and install it.
[root@localhost Packages]# ls *vsftpd*
vsftpd-2.2.2-11.el6.x86_64.rpm
[root@localhost Packages]# rpm -ivh vsftpd-2.2.2-11.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]

2. Start the vsftpd service

[root@localhost Packages]# service vsftpd status
vsftpd is stopped
[root@localhost Packages]# service vsftpd start
Starting vsftpd for vsftpd: [OK]

The default home directory of the anonymous vsftpd user is /var/ftp, and the vsftpd configuration file is located in the /etc/vsftpd directory.

3. Test access to the vsftpd server's /var/ftp directory from a client

Enter "ftp://<IP address of the CentOS system>" in the address bar of Windows Explorer and press Enter to display the contents of the /var/ftp directory.

4. Configuring upload and download permissions for anonymous vsftpd users

Many users find that anonymous users cannot upload or download (or create directories, or delete or rename folders) after configuring vsftpd. This article mainly addresses the configuration of permissions for anonymous vsftpd users.

Pay attention to the following three parts of the configuration:

1. The vsftpd.conf file (vi /etc/vsftpd.conf)
# Allow anonymous users to log in to FTP (if anonymous access is not wanted, set this to NO; adding FTP users is described in detail later)
anonymous_enable=YES
# Enable upload permission for anonymous users
anon_upload_enable=YES
# Allow anonymous users to create directories
anon_mkdir_write_enable=YES

# Give anonymous users write permissions other than upload and directory creation, such as renaming and deletion
anon_other_write_enable=YES

2. FTP directory permission settings
The root directory of the FTP server is /var/ftp. For security reasons, this directory must not be set to 777, otherwise FTP will not be accessible. /var/ftp/pub is the default access directory for anonymous users, that is, the default directory when no anon_root setting is found in the vsftpd.conf file. For some reason, if you use anon_root to specify another directory, anonymous login with the ftp command in a terminal fails and the error "500 OOPS: vsftpd: refusing to run with writable anonymous root" is returned; no specific cause or solution has been found.

At this point, vsftpd generally allows anonymous users to upload and download files. If it does not, configure SELinux as described below.

3. SELinux configuration
SELinux (Security-Enhanced Linux) is the National Security Agency's (NSA) implementation of mandatory access control and the most outstanding new security subsystem in Linux. The NSA developed this access control system with the help of the Linux community. Under its restrictions, a process can access only the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and it can also be easily installed on other distributions.

The simplest way is to disable SELinux.
Method 1: Set SELINUX= in the /etc/selinux/config file to disabled, and then restart. (Verified)
Method 2: Run setenforce 0; no restart is needed. (setenforce format: setenforce [Enforcing | Permissive | 1 | 0])
Method 3: Add selinux=0 to the boot parameters in lilo or grub; this also disables SELinux. (I have not tried it)

Use getenforce to check whether SELinux is currently running.

If SELinux is not disabled, set the FTP permissions in SELinux. (I have not tried it)
(1) Use getsebool -a | grep ftp to view the status of the FTP-related settings. allow_ftpd_anon_write needs to be set to on.
(2) Use setsebool -P to change the setting. Example: setsebool -P allow_ftpd_anon_write=on
Or use togglesebool to flip the boolean value, for example: togglesebool allow_ftpd_anon_write
(3) Modify the SELinux security context. Two commands are involved:
Command 1: ls -Z, ps -Z, id -Z # display the SELinux attributes of files, processes, and users, respectively
Command 2: chcon # change the SELinux security context
chcon -u <user> <object>
      -r <role>
      -t <type>
      -R # recursive
      --reference <source file> <target file> # copy the security context
Usage:
Step 1: ls -Zd /var/ftp/upload/ usually shows:
drwxr-xr-x ftp root system_u:object_r:public_content_t /var/ftp/upload/
Step 2: chcon -R -t public_content_rw_t /var/ftp/upload/
Step 3: ls -Zd /var/ftp/upload/ is OK if it shows the following:
drwxr-xr-x ftp root system_u:object_r:public_content_rw_t /var/ftp/upload/
Restart SELinux and vsftpd (it does not matter if you do not restart SELinux). Log in to FTP again and the problem is solved.
In addition, the SELinux graphical interface can be opened with the system-config-selinux command.

-------------------------------------- Split line --------------------------------------

FTP servers need no introduction here; I believe everyone knows what they are. Google it if you don't! The FTP server software used here is the very well-known vsftpd.

1. Install the vsftpd software
Installation from source is not covered here (you can Google it), because online installation is very convenient.
On Fedora, install it with yum install vsftpd.

2. Start, restart, or shut down the vsftpd server
[root@localhost ftp]# /sbin/service vsftpd restart
Shutting down vsftpd: [OK]
Starting vsftpd for vsftpd: [OK]
OK indicates that the restart succeeded.
Replace restart with start or stop to start or stop the server.
If vsftpd was installed from source, find the start.sh and shutdown.sh files in the installation folder and run them.

3. Files and folders related to the vsftpd server
The configuration file of the vsftpd server is /etc/vsftpd.conf.

The root directory of the vsftpd server, that is, the home directory of the FTP server:
[root@localhost ftp]# more /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
This shows that the FTP server directory is /var/ftp.
To change the server directory, you only need to change /var/ftp to another location.

4. Add an FTP user
Some FTP servers require a user name and password to log in, because FTP users and permissions have been set up.
For security, FTP users generally cannot log in to the system and can only access their own directory on the FTP server. Such a user is called a virtual user. Strictly speaking it is not a true virtual user, just an account that cannot log in to a shell or to the system.

/usr/sbin/adduser -d /opt/test_ftp -g ftp -s /sbin/nologin test
This command means:
Use adduser to add the user test, who cannot log in to the system (-s /sbin/nologin), whose home folder is /opt/test_ftp (-d /opt/test_ftp), and who belongs to the group ftp (-g ftp).
Then set a password for the user: passwd test
An FTP user has now been added. The following example shows how to access the FTP server as this user.

[root@localhost ftp]# ftp
ftp> open 192.168.0.33
Connected to 192.168.0.33 (192.168.0.33).
220 (vsFTPd 2.0.5)
Name (192.168.0.33:gxl): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

In Windows, you only need to enter ftp://192.168.0.33 in the browser to reach the FTP server, then right-click, choose to log in, and enter the user name and password to access your directory.
Of course, to be able to read and write your own directory, the following must be set in the configuration file vsftpd.conf:
local_enable=yes
write_enable=yes
local_umask=022

5. Anonymous upload and download
Edit the configuration file vsftpd.conf and make sure it contains the following lines; add them yourself if they are missing.
anonymous_enable=yes
anon_upload_enable=yes
anon_mkdir_write_enable=yes
anon_umask=022

Then create a new folder and change its permissions to fully open. Any user can then log in to this folder and upload and download files:
mkdir /var/ftp/guest
chmod 777 /var/ftp/guest
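
An added example, not part of the original article: a check for the two permission situations this page describes, an anonymous root that the ftp account can write to (the condition named by the "refusing to run with writable anonymous root" message) and directories opened up with chmod 777. The function names are illustrative, and the default uid/gid of 14/50 are taken from the /etc/passwd line shown earlier.

```shell
#!/bin/sh
# Added example: find the directories of an anonymous FTP tree that the
# anonymous account can write to. Only owner/group/other mode bits are read;
# supplementary groups and ACLs are not evaluated.

# writable_by DIR UID GID: succeeds if a process with that uid/gid may write DIR.
writable_by() {
    ls -ldn "$1" | awk -v u="$2" -v g="$3" '{
        if ($3 == u)      bit = substr($1, 3, 1)   # owner class applies
        else if ($4 == g) bit = substr($1, 6, 1)   # group class applies
        else              bit = substr($1, 9, 1)   # other class applies
        exit (bit == "w" ? 0 : 1)
    }'
}

# check_anon_tree ROOT [UID] [GID]: the defaults are the ftp account from the
# article's /etc/passwd line (ftp:x:14:50).
check_anon_tree() {
    root=$1; uid=${2:-14}; gid=${3:-50}
    if writable_by "$root" "$uid" "$gid"; then
        echo "ROOT-WRITABLE $root: expect '500 OOPS: vsftpd: refusing to run with writable anonymous root'"
    fi
    find "$root" -type d | while IFS= read -r d; do
        if [ "$d" != "$root" ] && writable_by "$d" "$uid" "$gid"; then
            echo "ANON-WRITABLE $d"
        fi
    done
}

# Constructed sample tree: a root and pub directory at 755 plus one directory
# opened with chmod 777, checked for a uid/gid that does not own the tree.
demo() {
    t=$(mktemp -d) && mkdir "$t/pub" "$t/guest" &&
    chmod 755 "$t" "$t/pub" && chmod 777 "$t/guest" &&
    check_anon_tree "$t" "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))"
    rm -rf "$t"
}
demo
```

On a real server, run check_anon_tree /var/ftp and review every ANON-WRITABLE line: each one is a directory where any anonymous client can store files.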

6. Customize the welcome message shown when accessing the FTP server
Set the following in the vsftpd.conf file:
dirmessage_enable=yes
Then go to the user's directory and create a .message file containing the welcome message (here it reads: Welcome to gxlinux's FTP!):
[root@localhost test_ftp]# ftp 192.168.0.33
Connected to 192.168.0.33 (192.168.0.33).
220 (vsFTPd 2.0.5)
Name (192.168.0.33:gxl): test
331 Please specify the password.
Password:
230-Welcome to gxlinux's FTP!
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

7. Implement virtual paths
Mounting a directory into the FTP server for use there is called a virtual path.
For example, to mount the gxl user's directory into the FTP server for use by its users, run the following command:
[root@localhost opt]# mount --bind /home/gxl /var/ftp/pub # use the mount command
[root@localhost opt]# ls /var/ftp/pub
LumaQQ Screenshot.png Desktop

8. Enable vsftpd logging
Add the following line to the vsftpd.conf file. It usually already exists in the file, and you only need to remove the comment character #. If not, add or modify the line:
xferlog_file=/var/log/vsftpd.log

9. Limit the total number of connections and the maximum number of connections per IP address
Modify the configuration file. For example, to let vsftpd support at most 100 connections, with at most five connections per IP address:
max_clients=100
max_per_ip=5

10. Limit transfer speed
Modify the configuration file. For example, to let anonymous users and local vsftpd users (i.e. virtual users) download at 80 KB (1024*80 = 81920):
anon_max_rate=81920
local_max_rate=81920

11. Restrict users (generally virtual users) to their own directories
Modify the configuration file so that users can access only their own directories:
chroot_local_user=yes
If you want only some users to be restricted to their own directories, with no such restriction on other users, add those users to the chroot_list file (usually in /etc/vsftpd).
Edit this file. For example, to add a user named test, write the name in the file; generally each user occupies one line.
[root@localhost vsftpd]# cat chroot_list
test

12. Bind an IP address to vsftpd
Sometimes it is necessary to restrict which IP addresses can access the server and allow only some of them. For example, if only 192.168.0.33 is allowed to access the FTP server, modify the configuration file as well:
listen_address=192.168.0.33

==============================================================================================

Self-configured vsftpd.conf (both active and passive modes are supported (verified), and log files can be output)

[root@localhost vsftpd]# pwd
/etc/vsftpd
[root@localhost vsftpd]# cat vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
# Specify the log directory (the difference between this log and the later log has not been studied yet, haha):
xferlog_file=/ftptest/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#
# Other...

anon_other_write_enable=YES
#anon_root=/var/ftp/pub
dual_log_enable=YES
# Specify the log directory:
vsftpd_log_file=/ftptest/vsftpd.log
# Enable active mode:
port_enable=YES
# Enable passive mode (passive mode is enabled by default; to disable it, set NO):
pasv_enable=YES
# Specify the port range in passive mode:
pasv_min_port=50000
pasv_max_port=60000

[root@localhost vsftpd]#
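
An added example, not taken from the original article or from vsftpd itself: a small audit of the boolean options in a vsftpd.conf. In the file above, anonymous_enable=NO is the only thing keeping the three anon_* write options from taking effect, and the script reports that as DORMANT; it also flags local users left without chroot and lines with spaces around "=". Function names and report labels are illustrative, and the defaults used for unset options are the ones documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example: report what a vsftpd.conf permits, applying the defaults
# documented in vsftpd.conf(5) for options the file does not set.

# conf_get FILE OPTION DEFAULT: print YES or NO for a boolean option.
# Only exact "option=value" lines count and the last one wins;
# YES, TRUE and 1 are treated as enabled.
conf_get() {
    awk -F= -v opt="$2" -v val="$3" '
        $1 == opt { val = toupper($2) }
        END { if (val == "YES" || val == "TRUE" || val == "1") print "YES"; else print "NO" }
    ' "$1"
}

audit_vsftpd_conf() {
    f=$1
    anon=$(conf_get "$f" anonymous_enable YES)   # absent means enabled
    write=$(conf_get "$f" write_enable NO)
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(conf_get "$f" "$opt" NO)" = YES ]; then
            if [ "$anon" = YES ] && [ "$write" = YES ]; then
                echo "ACTIVE $opt: anonymous clients can change files on the server"
            else
                echo "DORMANT $opt: takes effect once anonymous_enable and write_enable are YES"
            fi
        fi
    done
    if [ "$(conf_get "$f" local_enable NO)" = YES ] &&
       [ "$(conf_get "$f" chroot_local_user NO)" = NO ]; then
        echo "NOCHROOT: local users are not confined to their home directories by default"
    fi
    # vsftpd.conf(5): no space is allowed between the option, "=" and the value.
    awk '/^[A-Za-z_0-9]+([ \t]+=|=[ \t])/ { print "SYNTAX line " NR ": " $0 }' "$f"
}

# Constructed sample: boolean settings from the self-configured file above.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#chroot_local_user=YES
anon_other_write_enable=YES
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd_conf "$tmp"
rm -f "$tmp"
```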
