Complete vsftpd explanation


vsftpd stands for "very secure FTP daemon"; it is an FTP server program. Everyone has their own way of installing software, but most of them are similar. The following is my own method for installing vsftpd:

1. Download:
Download the software from the network. The file is vsftpd-2.0.5.tar.gz.

2. Compile the source code:
tar xvzf vsftpd-2.0.5.tar.gz   (unpack the archive and cd into the unpacked directory vsftpd-2.0.5)
make
make install

3. Installation and configuration:
cp vsftpd.conf /etc

To let vsftpd accept local user logins, copy the PAM authentication module file into the system:
cp RedHat/vsftpd.pam /etc/pam.d/ftp   (user identification)

4. Edit the configuration:
Open vsftpd.conf with vi. The defaults can be left alone for now.
Add listen=YES as the last line (standalone vsftpd server).

5. Start the service:
/usr/local/bin/vsftpd &
Use netstat -tnl to check whether port 21 is listening, which shows the installation succeeded.
At this point FTP works, but anonymous access is not yet allowed.

6. Anonymous access:
mkdir /var/ftp
chown root.root /var/ftp
chmod og-w /var/ftp
This enables anonymous access. If anything is unclear, read the INSTALL file shipped with the source (more INSTALL).

7. Automatic start:
Open /etc/rc.local with vi and add the line /usr/local/bin/vsftpd & to it.

The following are the parameters of vsftpd.conf:
anonymous_enable=YES             allow anonymous logins
dirmessage_enable=YES            when changing into a directory, display the contents of its .message file
local_umask=022                  umask for files created by local users; the default is 077
connect_from_port_20=YES         make data connections from the FTP data port (20)
xferlog_enable=YES               log uploads and downloads
xferlog_std_format=YES           use the standard xferlog format
ftpd_banner=XXXXX                greeting string shown at login
pam_service_name=vsftpd          PAM service name used for authentication
listen=YES                       standalone vsftpd server
anon_upload_enable=YES           anonymous users may upload
anon_mkdir_write_enable=YES      anonymous users may create directories and upload into them
write_enable=YES                 local users may write
anon_other_write_enable=YES      anonymous users may delete (and rename) files
anon_world_readable_only=NO      controls whether anonymous users may only see world-readable files
ascii_upload_enable=YES          allow ASCII transfer mode for uploads
ascii_download_enable=YES        allow ASCII transfer mode for downloads
banner_file=/var/vsftpd_banner_file   after connecting, the user sees the text in this file
idle_session_timeout=600         (seconds) disconnect a session that has been idle for 10 minutes
data_connection_timeout=120      (seconds) drop a stalled data connection after 2 minutes
accept_timeout=60                (seconds) disconnect a client that is idle for 1 minute
connect_timeout=60               (seconds) give up a data connection that has not responded for 1 minute
local_max_rate=50000             (bytes/s) local user transfer rate, 50 K
anon_max_rate=30000              (bytes/s) anonymous user transfer rate, 30 K
pasv_min_port=5000               passive-mode data connections use ports between
pasv_max_port=6000               5000 and 6000
max_clients=200                  maximum number of concurrent FTP connections
max_per_ip=4                     maximum number of connections per IP address
listen_port=5555                 accept connections on port 5555 instead of the default 21
local_enable=YES                 local accounts may log in
write_enable=NO                  local accounts may not delete or modify files after logging in
chroot_local_user=YES            all local accounts are confined to their own directories
chroot_list_enable=YES           the users listed in chroot_list_file are confined to their directories
chroot_list_file=/etc/vsftpd.chroot_list   the list file; prerequisite: chroot_local_user=NO
userlist_enable=YES              users named in the specified file are denied access
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
banner_fail=/path/filename       show this file's contents when the connection is refused
ls_recurse_enable=NO
async_abor_enable=YES
one_process_model=YES
listen_address=10.2.2.2          bind the service to this address (IP-based virtual server)
guest_enable=YES                 virtual users may log in
guest_username=                  the local user that virtual users are mapped to
chown_uploads=YES                change the owner of uploaded files to root
chown_username=root
deny_email_enable=YES            whether anonymous logins using certain e-mail addresses as password are refused
banned_email_file=/any/specified/path/xx   file listing those addresses
pasv_enable=YES                  the server allows passive mode
user_config_dir=/any/specified/path   directory where per-user (virtual user) configuration files are stored

========================================================== ========================================================== =

 

1. Introduction to vsftpd
vsftpd is a GPL-licensed FTP server for Unix-like systems. Its full name is "very secure FTP daemon", and it stands out in security, speed and stability. On the security side, vsftpd was designed around process privileges: it runs its services under an unprivileged identity and needs very few Linux privileges. On Gigabit Ethernet, vsftpd can reach 86 Mb/s; its stability is even better: published figures show 2.6 TB of data transferred in 24 hours with 1500 concurrent connections on average and 4000 users at peak, all on a single machine. In addition, vsftpd offers the following features:
IP-based virtual servers
Virtual users, with user verification against a database
A separate configuration file for each user
Bandwidth limiting
IPv6 support
SSL-encrypted transfers
......
Which sites use vsftpd?
vsftpd is used by the following sites (only a small selection):

ftp.redhat.com
ftp.suse.com
ftp.debian.org
ftp.openbsd.org
ftp.freebsd.org
ftp.gnu.org
ftp.gnome.org
ftp.kde.org
ftp.kernel.org
rpmfind.net
ftp.linux.org.uk
ftp.gimp.org
ftp-stud.fht-esslingen.de
gd.tuwien.ac.
ftp.sunet.se
ftp.ximian.com
ftp.engardelinux.org
ftp.sunsite.org.uk
ftp.isc.org
The list above is taken from the official vsftpd website:
http://vsftpd.beasts.org/
2. Installing and uninstalling the software
Obtaining the software
The latest version of vsftpd is 2.0.5:
ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.5.tar.gz
Installing the software
Unpack the software and edit the builddefs.h file:
# tar zxvf vsftpd-2.0.5.tar.gz
# cd vsftpd-2.0.5
# vi builddefs.h
Find the following three lines; their meanings are shown on the right.
#undef VSF_BUILD_TCPWRAPPERS    // whether TCP Wrappers support is built in
#define VSF_BUILD_PAM           // whether PAM authentication is built in
#undef VSF_BUILD_SSL            // whether SSL support is built in
To enable one of these features, change its #undef to #define. Note that the "#" at the start of each line is not a comment marker and must not be removed (C programmers will recognise it as a preprocessor directive). TCP Wrappers checks whether a client IP address is allowed to connect, PAM authentication lets local system users log in to the server, and SSL makes encrypted transfers possible. Here we enable all three.
Compile and install. If an older version of vsftpd is installed on the system, uninstall it first. By default the executables are installed in /usr/local/sbin, and the man pages in /usr/local/man/man5 and /usr/local/man/man8.
# make
# make install
Copy the default configuration file to /etc/vsftpd/:
# mkdir /etc/vsftpd/
# cp vsftpd.conf /etc/vsftpd/
To let vsftpd accept local user logins, copy the PAM authentication module file into the system:
# cp RedHat/vsftpd.pam /etc/pam.d/vsftpd
Create the FTP user and its home directory:
# mkdir /var/ftp
# useradd -d /var/ftp ftp

If an FTP user already exists, run the following two commands instead:
# chown root:root /var/ftp
# chmod 755 /var/ftp
Create the special empty directory that vsftpd needs:
# mkdir /usr/share/empty/
Uninstalling the software
To uninstall the software, run the following commands:
# rm /usr/local/sbin/vsftpd
# rm /usr/local/man/man5/vsftpd.conf.5
# rm /usr/local/man/man8/vsftpd.8
# rm /etc/xinetd.d/vsftpd
# rm -rf /etc/vsftpd
3. Configuring the vsftpd service
Starting and stopping the service
Before starting the service, edit the configuration file /etc/vsftpd.conf. When you open it you will see many lines starting with "#"; these are comments, mostly help text, and are worth reading carefully. Every setting in vsftpd.conf has the form "parameter=value". The format is strict: it is case sensitive, no space is allowed on either side of the equal sign, and there must be no trailing spaces at the end of a line. Every parameter has a default value, which is used whenever the parameter is not explicitly set in the file. We will ignore the original contents of the file, delete or comment out everything, and add the following four lines. The text to the right of each line is a description; do not type it into the file:
listen=YES                // vsftpd works in standalone mode
anonymous_enable=YES      // allow anonymous users to log in
local_enable=YES          // allow local users to log in
pam_service_name=vsftpd   // use PAM for authentication
vsftpd has two working modes: standalone mode and xinetd daemon mode. The first line makes it work in standalone mode; in this mode the vsftpd service must be restarted after every change to the configuration file for the change to take effect. Both modes are described in detail later. During installation we also copied the vsftpd.pam file from the RedHat directory to /etc/pam.d/vsftpd. That file is the PAM configuration used when local users log in and is covered in detail later; for now, note that it must exist and that pam_service_name=vsftpd must be set in the main configuration file for local users to be able to log in. Run the following command to start the service:
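Because vsftpd rejects a file that breaks the format rules above, it is worth checking the file before starting the service. The following POSIX sh linter is an added example, not code from the original article: KNOWN_KEYS is a constructed subset of the parameters that appear on this page (not vsftpd's full list), the sample file is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Lint a vsftpd.conf against the format rules stated above: one parameter=value
# per line, case-sensitive keys, no space on either side of "=", no trailing
# whitespace. Keys are checked against the parameters listed on this page, so a
# misspelt key such as pam_server_name (which makes vsftpd abort with "500 OOPS:
# unrecognised variable in config file") is reported before the service starts.
# Hypothetical helper; KNOWN_KEYS is a constructed subset, not vsftpd's full list.

KNOWN_KEYS="listen listen_port listen_address anonymous_enable local_enable \
pam_service_name write_enable download_enable dirlist_enable ftpd_banner \
banner_file dirmessage_enable message_file local_root local_umask local_max_rate \
chmod_enable user_config_dir connect_from_port_20 xferlog_enable \
xferlog_std_format anon_upload_enable anon_mkdir_write_enable \
anon_other_write_enable chroot_local_user chroot_list_enable chroot_list_file \
userlist_enable userlist_deny userlist_file idle_session_timeout \
data_connection_timeout pasv_enable pasv_min_port pasv_max_port max_clients max_per_ip"
TAB=$(printf '\t')

# vsftpd_conf_lint FILE -> prints one "line N: problem" per defect;
# the return status is the number of defects (0 = file is clean)
vsftpd_conf_lint() {
    file=$1; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '#'*|'') continue ;;                  # comment or blank line is fine
            *' '|*"$TAB") echo "line $n: trailing whitespace"; bad=$((bad + 1)); continue ;;
            *=*) ;;
            *) echo "line $n: not of the form parameter=value"; bad=$((bad + 1)); continue ;;
        esac
        key=${line%%=*}; value=${line#*=}
        case "$key" in
            *' '|*"$TAB") echo "line $n: whitespace before '='"; bad=$((bad + 1)); continue ;;
        esac
        case "$value" in
            ' '*|"$TAB"*) echo "line $n: whitespace after '='"; bad=$((bad + 1)); continue ;;
        esac
        # vsftpd compares keys case-sensitively, so "Listen" is unknown as well
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) echo "line $n: unrecognised variable '$key'"; bad=$((bad + 1)) ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample: the four lines the text adds, plus three deliberate mistakes
SAMPLE=$(mktemp)
printf '%s\n' '# minimal vsftpd.conf' 'listen=YES' 'anonymous_enable=YES' \
    'local_enable = YES' 'pam_server_name=vsftpd' 'write_enable=NO ' > "$SAMPLE"

# sample_defect_count -> number of defects the linter finds in SAMPLE (3)
sample_defect_count() {
    vsftpd_conf_lint "$SAMPLE" | wc -l | tr -d ' '
}

vsftpd_conf_lint "$SAMPLE" || echo "$? defect(s) found"
```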
# /usr/local/sbin/vsftpd /etc/vsftpd.conf &
To confirm that the service has started, run:
# netstat -an | grep 21
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN
Port 21/tcp is now open on the server, which shows the FTP service is up. Now log in to the server:
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
We are now logged in as the anonymous user (user name ftp or anonymous, with any password); a local user can log in the same way. While testing, we recommend the ftp command shown above (Windows, Linux and Unix all ship it, and its usage is the same everywhere), because it shows the full server responses, which is very helpful when debugging the server. The simplest possible FTP server is now running. Run the following command to stop it:
# killall vsftpd
Creating a service startup script
In standalone mode, starting and stopping the service with the commands above is inconvenient, so we create a startup script.
Create a new file /etc/rc.d/init.d/vsftpd and copy the following content into it:
#!/bin/bash
#
# vsftpd        This shell script takes care of starting and stopping
#               standalone vsftpd.
#
# chkconfig: - 60 50
# description: vsftpd is a ftp daemon, which is the program \
#              that answers incoming ftp service requests.
# processname: vsftpd
# config: /etc/vsftpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Do nothing if the binary is missing.
[ -x /usr/local/sbin/vsftpd ] || exit 0

RETVAL=0
prog="vsftpd"

start() {
        # Start daemons: one vsftpd instance per *.conf file in /etc/vsftpd.
        if [ -d /etc/vsftpd ] ; then
                for i in `ls /etc/vsftpd/*.conf`; do
                        site=`basename $i .conf`
                        echo -n $"Starting $prog for $site: "
                        /usr/local/sbin/vsftpd $i &
                        RETVAL=$?
                        [ $RETVAL -eq 0 ] && {
                           touch /var/lock/subsys/$prog
                           success $"$prog $site"
                        }
                        echo
                done
        else
                RETVAL=1
        fi
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        # Restart only if the service is currently running.
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL
Save the file and make it executable:
# chmod 755 /etc/rc.d/init.d/vsftpd
Now the service can be managed with:
# service vsftpd {start|stop|restart|condrestart|status}
For example, to restart the service:
# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
4. Configuration file details
vsftpd has only one configuration file, /etc/vsftpd.conf. We added a few parameters to it in the previous section. After the file is modified, the service must be restarted for the change to take effect. The parameters are described in detail below.
1. Common parameters for anonymous and local users
write_enable=YES/NO       // whether writing is allowed at all (global)
download_enable=YES/NO    // whether any user may download
dirlist_enable=YES/NO     // whether any user may browse (list files)
We add write_enable=NO and download_enable=YES to the configuration file, then test:
# ftp 127.0.0.1
......
ftp> ls
227 Entering Passive Mode (230,192, 0)
150 Here comes the directory listing.
-rw-r--r--    1 0        0               4 May 13 11:43 ioo_file
226 Directory send OK.
ftp> get ioo_file
local: ioo_file remote: ioo_file
227 Entering Passive Mode )
150 Opening BINARY mode data connection for ioo_file (4 bytes).
226 File send OK.
4 bytes received in 0.062 secs (0.063 Kbytes/sec)
ftp> put scsrun.log
local: scsrun.log remote: scsrun.log
227 Entering Passive Mode (, 0)
550 Permission denied.
As shown above, the files on the FTP server can be listed and downloaded but not uploaded. If dirlist_enable=NO is added, the files on the server can no longer be listed; however, anyone who knows the exact file name and path can still download the file. Those results are not reproduced here.
Now the next group:
ftpd_banner=welcome string
banner_file=file
dirmessage_enable=YES/NO
message_file=file
The greeting string set by ftpd_banner is shown at login. For a multi-line greeting, save the text in a separate file and point banner_file at it. Use one of the two parameters, not both. dirmessage_enable and message_file control the message shown when a user enters a directory, and they work in the same way as the first two parameters.
2. Local user management
2.1 General configuration parameters for local users
local_root=/path          // directory the local user lands in after logging in to the server
local_umask=octal value   // umask applied to files the local user uploads
local_max_rate=number     // local user transfer rate limit in bytes per second
chmod_enable=YES/NO       // whether local users may change the permissions of files on the FTP server
Normally a local user lands in their home directory after logging in to FTP. The local_root parameter sends the user straight to another directory instead; this is very convenient for updating and uploading website content together with Apache's userdir module. Every file in Linux carries permissions, and uploaded files are no exception. The permissions of uploaded files are set through local_umask, and they are calculated as follows:
permission of a newly created file + local_umask = 0666
permission of a newly created directory + local_umask = 0777
So an uploaded file can never be executable, whatever the umask. This is another aspect of vsftpd's security!
The local_max_rate parameter limits the transfer rate in both directions, upload and download. The chmod_enable parameter controls whether the user may change file permissions (with the SITE CHMOD command).
We may want different permissions for each user, or special permissions for a few users. To do that, configure a separate file for each local user. These files must all live in one directory, which is set with:
user_config_dir=/path     // directory holding the per-user configuration files
Add the following lines to the main configuration file:
local_umask=077
local_max_rate=20000
user_config_dir=/etc/vsftpd/vsftpd_user_dir
Grant local users upload permission:
write_enable=YES
Create an ordinary user ioo, create the directory /etc/vsftpd/vsftpd_user_dir, and in it create a file named ioo containing:
local_root=/var/www/html
local_umask=022
local_max_rate=50000
Change the owner of /var/www/html to ioo:
chown ioo:ioo /var/www/html
Testing shows that after logging in, user ioo lands directly in /var/www/html, uploaded files (directories) get permission 644 (755), and the transfer rate is 50 K: the per-user settings override those in the main configuration file.
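The override rule and the umask relation from section 2.1 can be checked without a live server. The POSIX sh helper below is an added example, not code from the original article: conf_get, effective_value, perms_for_umask and show_user are hypothetical names, the files it builds are a constructed copy of the ioo setup, and vsftpd itself reads the per-user file only after the user has logged in.

```shell
#!/bin/sh
# Resolve the effective value of a vsftpd parameter for a local user: the main
# file is read first, and if user_config_dir names a directory containing a
# file called after the user, a parameter set there overrides the main value.
# Hypothetical helpers, not part of vsftpd.

# conf_get FILE KEY -> value of KEY in FILE (last occurrence wins), or nothing
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# effective_value MAIN_CONF USER KEY -> per-user value if present, else main value
effective_value() {
    main=$1; user=$2; key=$3
    dir=$(conf_get "$main" user_config_dir)
    if [ -n "$dir" ] && [ -f "$dir/$user" ]; then
        v=$(conf_get "$dir/$user" "$key")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    fi
    conf_get "$main" "$key"
}

# perms_for_umask UMASK -> "FILE DIR" octal modes of uploads under that umask,
# following the text's relation: created mode + local_umask = 0666 / 0777
perms_for_umask() {
    u=$((0$1))                         # leading 0: parse the umask as octal
    printf '%03o %03o\n' $((0666 & ~u)) $((0777 & ~u))
}

# Constructed copy of the setup in the text: a main file with defaults for every
# local user, and a per-user file for ioo that overrides three of them.
WORK=$(mktemp -d)
MAIN="$WORK/vsftpd.conf"
mkdir -p "$WORK/vsftpd_user_dir"
printf '%s\n' 'listen=YES' 'local_enable=YES' 'write_enable=YES' \
    'local_umask=077' 'local_max_rate=20000' \
    "user_config_dir=$WORK/vsftpd_user_dir" > "$MAIN"
printf '%s\n' 'local_root=/var/www/html' 'local_umask=022' \
    'local_max_rate=50000' > "$WORK/vsftpd_user_dir/ioo"

# show_user USER -> one line per parameter of interest, as vsftpd would apply them
show_user() {
    for key in local_root local_umask local_max_rate write_enable; do
        printf '%s %s=%s\n' "$1" "$key" "$(effective_value "$MAIN" "$1" "$key")"
    done
    printf '%s upload modes (file dir): %s\n' "$1" \
        "$(perms_for_umask "$(effective_value "$MAIN" "$1" local_umask)")"
}

show_user ioo     # lands in /var/www/html, umask 022 -> 644 755, rate 50000
show_user alice   # no per-user file: main values apply, umask 077 -> 600 700
```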
2.2 Local user login restriction parameters
There are already many local users on our servers, and they should be able to log in to the FTP server. However, FTP transmits everything in plain text, so letting the administrator log in this way is clearly a bad idea. Or we want some local users to log in to 0.

 

This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/octobereva/archive/2009/04/27/4128269.aspx


========================================================== ========================================================== ===

 

vsftpd 500 OOPS explained

[root@192 pam.d]# 500 OOPS: could not bind listening IPv4 socket 500 OOPS: unrecognised variable in config file: pam_server_name

You need to cancel the xinetd run mode (the /etc/xinetd.d entry with disable = no, socket_type = stream, wait = no), even if xinetd is not running.

Like other daemons, vsftpd can run either standalone or under inetd (inetd or xinetd).

Briefly: a standalone server is started once and stays in memory while running. Its advantage is that it reacts quickly to incoming connections; its disadvantage is that it permanently consumes some system resources, so it is usually chosen for professional FTP servers that need fast response.

inetd mode is the opposite: the FTP process is started only when an outside connection arrives, so it is not suited to systems with many simultaneous connections.

On the other hand, inetd mode does not tie up system resources while idle. Beyond response time and resource use, the modes also differ in advanced features: inetd mode supports per_ip (per single IP) limits, while standalone mode works better with PAM authentication.

1. xinetd run mode. Most newer systems use the xinetd super-server daemon. Run vi /etc/xinetd.d/vsftpd and set: disable = no, socket_type = stream, wait = no. This activates the service using standard TCP sockets. If /etc/vsftpd.conf contains the option listen=YES, comment it out, then restart xinetd with the command: $ /etc/rc.d/init.d/xinetd restart. Note that only one FTP service may be enabled in the /etc/xinetd.d directory.

2. standalone mode works better with PAM authentication. In this mode you must first disable vsftpd in xinetd by setting disable = yes, or comment out the corresponding line in /etc/inetd.conf. Then set the option listen=YES in /etc/vsftpd.conf.

 
