Configure the FTP service with vsftpd In Debian

Source: Internet
Author: User
Tags: ftp commands, ftp client, ftp access

Original works may be reprinted. When reprinting, mark the original source, the author and this statement with a hyperlink; otherwise legal liability may be pursued. Original source: http://wushuaishuai.blog.51cto.com/3432229/753071

1. Install vsftpd:

    apt-get install vsftpd

2. Add an FTP user and, if needed, add it to a group:

    adduser username
    adduser username groupname

3. Create the FTP directory:

    mkdir /var/www

4. Set the permissions of the FTP directory:

    chmod -R 777 /var/www
    chgrp -R ftp /var/www

   The first command recursively gives every user read, write and execute permission on the directory and on all files and subdirectories in it; the second recursively sets their group to ftp. Caveat: 777 makes the whole tree writable by every local account, not only by FTP users, and vsftpd 2.3.5 and later refuse to chroot a user into a writable directory (the client sees "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). A safer layout is a root owned by root with mode 755 plus a group-writable upload subdirectory (mode 2775, group ftp). vsftpd 3.0 and later also accept allow_writeable_chroot=YES, which switches the check off.

5. Change the home directory of the FTP account. Edit /etc/passwd, find the line of the FTP account and replace the home directory field with the FTP directory. For example

    wss:x:1003:1003:wss,,,:/home/wss:/bin/bash

   becomes

    wss:x:1003:1003:wss,,,:/var/www:/bin/bash

6. Prevent the FTP account from logging on to the server console. In /etc/passwd, change the login shell of the FTP account to /usr/sbin/nologin, then check that /etc/shells contains a /usr/sbin/nologin line and add it if it is missing. Debian's /etc/pam.d/vsftpd includes pam_shells, which rejects any user whose shell is not listed in /etc/shells, so without that line the account cannot log in over FTP either.

7. Edit the configuration file:

    vi /etc/vsftpd.conf

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022

   Meaning of the four lines: (1) refuse anonymous users; (2) allow local users to log in; (3) allow write operations; (4) apply umask 022 to uploaded files, so they are created readable by everyone and writable only by their owner.

8. Restart vsftpd:

    /etc/init.d/vsftpd restart
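The directory and permission steps above, done the way a chrooted setup needs them. This is an added shell example and not part of the original article: instead of chmod -R 777 it builds a root that vsftpd accepts as a chroot root, with a group-writable upload subdirectory, checks the root the same way vsftpd's "writable root inside chroot()" test does, and prints the matching vsftpd.conf lines. The root path, the group name and the upload subdirectory name are assumptions chosen by the caller (the original used /var/www and group ftp); the function, file and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: build a local-user FTP tree
# that vsftpd accepts as a chroot root, and print the vsftpd.conf lines that
# go with it.  Root path, group and the "upload" name are the caller's choice.

# setup_ftp_tree ROOT GROUP
#   ROOT   the FTP account's home directory, i.e. its chroot root
#   GROUP  group allowed to write into ROOT/upload
# The root itself stays mode 755: vsftpd 2.3.5 and later refuse to chroot
# into a writable directory.  Uploads go to ROOT/upload, which is
# group-writable with the setgid bit so new files inherit GROUP instead of
# the uploader's primary group.
setup_ftp_tree() {
    root=$1
    group=$2
    mkdir -p "$root/upload" &&
    chmod 755 "$root" &&
    chgrp "$group" "$root/upload" &&
    chmod 2775 "$root/upload"
}

# mode_of PATH: permission bits in octal, e.g. 755 or 2775 (GNU/BusyBox stat)
mode_of() {
    stat -c '%a' "$1"
}

# chroot_root_ok ROOT: succeed only if ROOT is writable neither by its group
# nor by others, the condition vsftpd's chroot check enforces.
chroot_root_ok() {
    perm=$(stat -c '%A' "$1") || return 1        # e.g. drwxr-xr-x
    case $perm in
        ?????w*|????????w*) return 1 ;;          # 6th char = group write, 9th = other write
    esac
    return 0
}

# hardened_conf: vsftpd.conf lines that match this layout: no anonymous
# access, local users chrooted into their home, uploads created 644.
hardened_conf() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
EOF
}

# Usage (as root): sh ftp_tree.sh /var/www ftp >> /etc/vsftpd.conf
if [ $# -eq 2 ]; then
    setup_ftp_tree "$1" "$2" && chroot_root_ok "$1" && hardened_conf
fi
```

Point the FTP account's home directory at the root (usermod -d /var/www username) and put the account into the group passed as GROUP; it can then write only below upload/, and the chroot starts without the OOPS error.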

9. Common parameter meanings; configure as appropriate

anonymous_enable=YES
    Whether anonymous FTP logins are allowed; set NO to refuse them. Upstream's default is YES, Debian's packaged vsftpd.conf sets NO. All anonymous logins run as the ftp system user.
local_enable=YES
    Whether local users, that is accounts registered on the machine running vsftpd, may log in.
local_umask=022
    Umask for files created by local users. vsftpd's built-in default is 077 (owner-only access); 022 makes new files readable by everyone and writable only by the owner.
write_enable=YES
    Whether local users may modify the file system: upload, delete, rename, create directories.
anon_upload_enable=YES
    Whether anonymous users may upload files.
anon_mkdir_write_enable=YES
    Whether anonymous users may create directories.
dirmessage_enable=YES
    When a user enters a directory, show the contents of the hidden .message file in it, if present.
xferlog_enable=YES
    Enable the upload/download log.
connect_from_port_20=YES
    Use port 20 (ftp-data) as the source port of active-mode (PORT) data connections.
chown_uploads=YES
    Change the owner of anonymously uploaded files.
chown_username=whoever
    The user that uploaded files are chowned to (whoever is a placeholder).
xferlog_file=/var/log/vsftpd.log
    Default path of the upload/download log.
xferlog_std_format=YES
    Use the standard wu-ftpd xferlog log format.
idle_session_timeout=600
    Close a session that has been idle for 600 seconds (10 minutes).
data_connection_timeout=120
    Abort a data connection that has been stalled for 120 seconds (2 minutes).
nopriv_user=ftpsecure
    Unprivileged system user that vsftpd uses for work that needs no privileges; the default is nobody.
async_abor_enable=YES
    Recognise the asynchronous ABOR command that some clients send.
ascii_upload_enable=YES
ascii_download_enable=YES
    Honour ASCII transfer mode for uploads / downloads.
ftpd_banner=Welcome to blah FTP service.
    Banner shown to the client after it connects.
deny_email_enable=YES
    Refuse anonymous logins whose password (an e-mail address by convention) is listed in banned_email_file.
chroot_local_user=NO
    Whether every local user is confined (chrooted) to its home directory after login.
chroot_list_enable=YES
    Whether the users listed in chroot_list_file are treated as exceptions: they are chrooted when chroot_local_user=NO and not chrooted when chroot_local_user=YES.

The vsftpd file layout is simple:

/usr/sbin/vsftpd -- main program
/etc/init.d/vsftpd -- start script
/etc/vsftpd.conf -- main configuration file
/etc/pam.d/vsftpd -- PAM authentication file
/etc/ftpusers -- user names that are not allowed to log in to the FTP server
/home/ftp -- home directory of the ftp system user
/var/log/vsftpd.log -- log file

Service control:

/etc/init.d/vsftpd start   // start vsftpd
/etc/init.d/vsftpd stop    // stop vsftpd
/etc/init.d/vsftpd restart // restart vsftpd
/etc/init.d/vsftpd reload  // re-read the configuration

Reference: vsftpd files and the complete configuration file

The paths below follow the Red Hat layout, where vsftpd's files live under /etc/vsftpd/; on Debian the equivalents are /etc/vsftpd.conf, /etc/ftpusers and /etc/vsftpd.user_list.

/etc/vsftpd/vsftpd.conf -- main configuration file
/usr/sbin/vsftpd -- main program
/etc/rc.d/init.d/vsftpd -- startup script
/etc/pam.d/vsftpd -- PAM authentication file; its line file=/etc/vsftpd/ftpusers means that the users PAM refuses are read from /etc/vsftpd/ftpusers
/etc/vsftpd/ftpusers -- list of user names that may not log in over FTP. Record accounts that would endanger the system (root and other system accounts) here, so that they cannot obtain upload or download rights by logging in over FTP. (On older Red Hat releases this file sits directly in /etc/.)
/etc/vsftpd/user_list -- list of users denied or allowed FTP access. With userlist_deny=YES in vsftpd.conf the listed users cannot access the server; with userlist_deny=NO only the listed users can. (On older Red Hat releases this file sits directly in /etc/.)
/var/ftp -- home directory of the anonymous user; a local user lands in its own home directory, /home/user, after login
/var/ftp/pub -- download directory of the anonymous user. If it must accept uploads, run chmod 1777 pub as root: the sticky bit (the leading 1) means an uploaded file can be deleted only by its owner.
/etc/logrotate.d/vsftpd.log -- logrotate configuration for the log file

Main configuration file vsftpd.conf, explained (back it up before editing). Like most Linux configuration files, a line beginning with # is a comment; the sample file ships most options commented out.

# Whether anonymous login to the FTP server is allowed; vsftpd's default is YES.
# The user name ftp or anonymous is accepted, with an e-mail address as the password.
# Set NO to refuse anonymous access.
anonymous_enable=YES
# Whether local users (Linux accounts) may log in; enabled in the sample file.
# A local user sees its home directory after login; an anonymous user sees the download directory /var/ftp/pub.
# To admit anonymous users only, comment this line out.
local_enable=YES
# Whether local users may write to files on the server; enabled in the sample file.
write_enable=YES
# Umask for files created by local users. vsftpd's own default is 077; 022 is the usual choice, or set another value.
#local_umask=022
# Whether anonymous users may upload files. Requires write_enable=YES above. Off by default.
#anon_upload_enable=YES
# Whether anonymous users may create directories.

#anon_mkdir_write_enable=YES
# Whether to activate the directory welcome message. When a user enters a directory for the first time the server
# shows the text of the .message file in that directory, which the administrator writes by hand.
dirmessage_enable=YES
# Whether vsftpd keeps a log of uploads and downloads. By default the log is /var/log/vsftpd.log; the path can be
# changed with xferlog_file below. Off by default.
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data); port 21 is the control connection.
connect_from_port_20=YES
# Whether the owner of anonymously uploaded files is changed; used together with the next option.
# Note: using root here is not recommended.
#chown_uploads=YES
# The system user the uploaded files are changed to ("whoever" is only a placeholder).
#chown_username=whoever
# Log file for the transfers the server records. /var/log/vsftpd.log is the default; another path may be given.
#xferlog_file=/var/log/vsftpd.log
# Whether the transfer log is written in the standard xferlog format. Its default path is /var/log/xferlog, also
# overridable with xferlog_file. Off by default.
#xferlog_std_format=YES
#
# The options below are not in the sample file; add them to enable the corresponding settings.
#
# Whether two log files are kept: /var/log/xferlog in wu-ftpd format, which standard log analysers understand,
# and /var/log/vsftpd.log in vsftpd's own format.
#dual_log_enable=YES
# Whether the log goes to syslog instead of /var/log/vsftpd.log.
#syslog_enable=YES
# Idle session timeout in seconds: a control connection that sends no command for this long is closed.
# 600 = 10 minutes; adjust as needed.
#idle_session_timeout=600
# Data connection timeout in seconds: a stalled transfer is aborted after this long. 120 = 2 minutes.
#data_connection_timeout=120
# Unprivileged system user vsftpd runs its unprivileged parts as. Default nobody.
#nopriv_user=ftpsecure
# Whether asynchronous ABOR requests are recognised; needed if a client issues "async ABOR". Not recommended for
# security (the code path is non-trivial), so it is usually left off, although very old clients may then misbehave.
#async_abor_enable=YES
# Whether ASCII mode transfers are honoured. By default the server pretends to accept ASCII mode but ignores it.
# On some FTP servers ASCII support allows a denial of service through "SIZE /big/file" in ASCII mode; vsftpd
# reports the raw file size and is not affected, but the mode is still off unless you need it.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# Banner shown when a client connects. Per-directory text goes into a .message file instead.
#ftpd_banner=Welcome to blah FTP service.
# Blacklist of anonymous passwords (e-mail addresses): anonymous logins that present a listed address are refused.
#deny_email_enable=YES
# When deny_email_enable=YES, this file (created by the administrator, one address per line) holds the banned addresses.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether local users may leave their home directory after login. With chroot_local_user=YES every local user is
# locked into its home directory. chroot_list_enable=YES makes vsftpd read chroot_list_file, and the listed users are
# the exception: chrooted when chroot_local_user=NO, not chrooted when chroot_local_user=YES.
#chroot_list_enable=YES
# Users listed in this file (created by hand) cannot change to directories outside their own after login, which
# supports access management and privacy on the server.
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether recursive listing (ls -R) is allowed. Off by default so that remote users cannot cause excessive I/O.
#ls_recurse_enable=YES
# Whether vsftpd listens itself. If YES, vsftpd runs in standalone mode and accepts IPv4 connections.
listen=YES
# IPv6 support. Old versions needed two vsftpd instances with two configuration files to serve both protocols;
# make sure only one of the two listen options is enabled in a given file. Current Debian packages ship
# listen=NO and listen_ipv6=YES, which accepts IPv4 and IPv6 on one socket.
#listen_ipv6=YES
# Name of the PAM service, i.e. the file /etc/pam.d/vsftpd. Its line file=/etc/vsftpd/ftpusers means that the
# accounts PAM refuses are read from /etc/vsftpd/ftpusers.
#pam_service_name=vsftpd
# Whether user_list is consulted at all. Off by default. With userlist_enable=YES and userlist_deny=YES the users
# in user_list are refused before the password prompt appears; with userlist_deny=NO only the listed users may log in.
#userlist_enable=YES/NO
# Whether user_list denies (YES, the default) or allows (NO) the listed users.
#userlist_deny=YES/NO
# Whether tcp_wrappers host access control is used. tcp_wrappers implements host-address based access control for
# network services on Linux through /etc/hosts.allow (allowed records) and /etc/hosts.deny (denied records).
# For example, to keep hosts 192.168.57.1 and 192.168.57.9 off the FTP server 192.168.57.2, add to /etc/hosts.allow:
#
#   vsftpd: 192.168.57.1: deny
#   vsftpd: 192.168.57.9: deny
#
# Those two hosts can still ping 192.168.57.2 but cannot open an FTP connection to it.
tcp_wrappers=YES

Beyond these basic settings, further security options can be added to vsftpd.conf. The commonly used ones follow.

Limiting connections and transfer rates

Both local and anonymous users must be kept from exhausting the server's resources, otherwise excessive load makes the FTP service misbehave. These options limit what clients may consume:

max_clients     Maximum number of simultaneous client connections; 0 means unlimited. max_clients=100 caps all clients together at 100 connections.
max_per_ip      Maximum number of connections from one IP address; 0 means unlimited. max_per_ip=5 allows at most 5 connections from the same address.
local_max_rate  Maximum transfer rate for local users in bytes per second; 0 means unlimited. local_max_rate=500000 limits local users to 500000 bytes/s (about 500 kB/s).
anon_max_rate   Maximum transfer rate for anonymous users in bytes per second; 0 means unlimited. anon_max_rate=200000 limits anonymous users to 200000 bytes/s (about 200 kB/s).
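A quick audit of a vsftpd.conf against the settings discussed above, as an added shell example that is not part of the original article. The directive names and their built-in defaults are vsftpd's own (vsftpd.conf(5)); the two configuration files are constructed samples, one permissive and one hardened, and the function names are this example's own. vsftpd itself requires option=value with no spaces and takes the last occurrence of an option, which the parser mirrors.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# risky settings discussed in the text.  Directive names and defaults are
# vsftpd's own; weak_conf/good_conf are constructed samples.

# conf_get FILE OPTION: value of OPTION, or empty if unset.  vsftpd syntax is
# option=value with no spaces; the last occurrence wins.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comment or blank
        { i = index($0, "=") }
        i > 0 && substr($0, 1, i - 1) == key { val = substr($0, i + 1) }
        END { print val }
    ' "$1"
}

# conf_bool FILE OPTION DEFAULT: boolean option normalised to YES or NO
# (vsftpd accepts YES/NO, TRUE/FALSE and 1/0 in any letter case)
conf_bool() {
    v=$(conf_get "$1" "$2")
    [ -n "$v" ] || v=$3
    case $(printf '%s' "$v" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# audit_conf FILE: print one line per risky setting found
audit_conf() {
    f=$1
    [ "$(conf_bool "$f" anonymous_enable YES)" = YES ] &&
        echo "anonymous_enable=YES (upstream default): anonymous logins accepted"
    if [ "$(conf_bool "$f" write_enable NO)" = YES ] &&
       { [ "$(conf_bool "$f" anon_upload_enable NO)" = YES ] ||
         [ "$(conf_bool "$f" anon_mkdir_write_enable NO)" = YES ]; }; then
        echo "anonymous users may upload files or create directories"
    fi
    if [ "$(conf_bool "$f" local_enable NO)" = YES ] &&
       [ "$(conf_bool "$f" chroot_local_user NO)" = NO ] &&
       [ "$(conf_bool "$f" chroot_list_enable NO)" = NO ]; then
        echo "local users are not chrooted: the whole file system is browsable"
    fi
    [ "$(conf_bool "$f" xferlog_enable NO)" = NO ] &&
        echo "xferlog_enable=NO: uploads and downloads are not logged"
    if [ "$(conf_bool "$f" ascii_upload_enable NO)" = YES ] ||
       [ "$(conf_bool "$f" ascii_download_enable NO)" = YES ]; then
        echo "ASCII transfer mode enabled (off by default; only legacy clients need it)"
    fi
    [ "$(conf_bool "$f" ls_recurse_enable NO)" = YES ] &&
        echo "ls_recurse_enable=YES: recursive listings let clients cause heavy I/O"
    if [ "$(conf_bool "$f" chown_uploads NO)" = YES ] &&
       [ "$(conf_get "$f" chown_username)" = root ]; then
        echo "chown_username=root: anonymous uploads become root-owned files"
    fi
    mc=$(conf_get "$f" max_clients)
    [ "${mc:-0}" -gt 0 ] 2>/dev/null ||
        echo "max_clients unset or 0: no limit on simultaneous connections"
    return 0
}

# audit_count FILE: number of findings
audit_count() {
    audit_conf "$1" | wc -l | tr -d ' '
}

# Constructed samples: a permissive file and a hardened one.
weak_conf() {
    cat <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
ascii_download_enable=yes
ls_recurse_enable=YES
chown_uploads=YES
chown_username=root
EOF
}
good_conf() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
xferlog_enable=YES
max_clients=100
max_per_ip=5
EOF
}

# Usage: sh audit.sh /etc/vsftpd.conf
[ $# -eq 1 ] && audit_conf "$1"
```

The weak sample produces eight findings and the hardened one none. Run it against /etc/vsftpd.conf after every change; an absent option is judged by vsftpd's built-in default, which is how the daemon itself behaves, so a file that merely omits anonymous_enable is reported as anonymous-enabled.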
Access control for specific users

vsftpd.user_list only takes effect together with the userlist options in vsftpd.conf:

(1) To forbid the accounts listed in vsftpd.user_list from logging in:

    userlist_enable=YES
    userlist_deny=YES

userlist_enable=YES turns the list on; userlist_deny=YES makes it a list of forbidden accounts.

(2) To allow only the accounts listed in vsftpd.user_list to log in:

    userlist_enable=YES
    userlist_deny=NO

userlist_deny=NO makes vsftpd.user_list the list of the only accounts allowed; every account not in the file is refused.

userlist_deny and userlist_enable restrict who may log on to the FTP server. Used with user_list, userlist_deny reliably keeps root, apache, www and other system users off the FTP server, which supports layered security. The two options combine as follows; ftpusers is always enforced, through PAM, whatever the userlist options say:

userlist_enable   userlist_deny   users in ftpusers                      users in user_list
NO                (ignored)       denied (after the password prompt)     allowed
YES               YES             denied (after the password prompt)     denied before the password prompt; the server rejects the name outright
YES               NO              denied (after the password prompt)     allowed; every user not listed is denied before the password prompt

A user blocked only by ftpusers still sees the password prompt and is refused afterwards, because ftpusers is checked by pam_listfile during authentication; user_list is checked by vsftpd itself as soon as the user name arrives.

Changing the default port

The FTP server listens on port 21 by default. To listen elsewhere, add a line such as

    listen_port=4449

to /etc/vsftpd.conf. The client must then give the port explicitly: ftp 192.168.57.2 4449. Without the correct port number the connection fails. Choose an unused port; a non-standard port hides the service from casual scans but is not an access control, so the userlist, ftpusers and tcp_wrappers settings above still do the real work.

FTP users and user groups

User groups matter for FTP, as mentioned when vsftpd was introduced. The technical side is sketched here; how to apply groups depends on the site. The commands below create a group try with three members whose rights on the shared home directory /home/try differ:

    mkdir -p /home/try                   create the directory
    groupadd try                         create the group
    useradd -g try -d /home/try try1     create user try1 with this home directory and group
    useradd -g try -d /home/try try2     same for try2
    useradd -g try -d /home/try try3     same for try3
    passwd try1                          set the new users' passwords
    passwd try2
    passwd try3
    chown try1 /home/try                 make try1 the owner of the directory
    chgrp try /home/try                  make try the group of the directory
    chmod 750 /home/try                  owner: read, write, execute; group: read, execute; others: nothing

Because a local user lands in its home directory after login, and try1, try2 and try3 hold different permissions on /home/try, their FTP rights differ: try1 can upload, download and create directories; try2 and try3 can download and browse but cannot upload or create directories (write_enable=YES is still required for try1's uploads). Note that /home/try is writable by its owner, so if try1 is chrooted, vsftpd 2.3.5 and later refuse the login; give such a user a non-writable home with a writable subdirectory instead.
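The userlist_enable/userlist_deny table above, replayed in code, as an added shell example that is not part of the original article. ftp_login_decision reports at which stage vsftpd refuses a local user: user_list is evaluated by vsftpd itself on the USER command, while /etc/ftpusers is enforced by pam_listfile in /etc/pam.d/vsftpd and therefore only after the password has been sent. The list contents in demo() are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: replay vsftpd's login
# decision for a local user from userlist_enable / userlist_deny, a user_list
# file and the PAM-enforced ftpusers file.  demo() uses constructed lists.

# list_has FILE USER: succeed if USER is one complete line of FILE
# (vsftpd and pam_listfile match whole names, case-sensitively)
list_has() {
    grep -qxF -- "$2" "$1"
}

# ftp_login_decision USER USERLIST_ENABLE USERLIST_DENY USER_LIST FTPUSERS
# Prints one of:
#   denied-before-password  user_list refused the name; no password prompt
#   denied-by-pam           ftpusers refused it during authentication, i.e.
#                           after the client has sent a password
#   allowed                 name accepted; the password is checked as usual
ftp_login_decision() {
    user=$1 enable=$2 deny=$3 user_list=$4 ftpusers=$5
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ]; then
            # user_list is a blacklist
            if list_has "$user_list" "$user"; then
                echo denied-before-password; return 0
            fi
        else
            # user_list is a whitelist
            if ! list_has "$user_list" "$user"; then
                echo denied-before-password; return 0
            fi
        fi
    fi
    # /etc/ftpusers is applied by pam_listfile, which runs only once USER
    # and PASS have been received, so the prompt is always shown first.
    if list_has "$ftpusers" "$user"; then
        echo denied-by-pam; return 0
    fi
    echo allowed
}

# demo: constructed lists.  root is in both files to show that ftpusers still
# blocks it even when user_list is a whitelist that names it.
demo() {
    d=$(mktemp -d)
    printf 'root\ndaemon\nwww-data\n' > "$d/ftpusers"
    printf 'alice\nroot\n' > "$d/user_list"
    for u in alice bob root; do
        for deny in YES NO; do
            printf '%-5s userlist_deny=%-3s %s\n' "$u" "$deny" \
                "$(ftp_login_decision "$u" YES "$deny" "$d/user_list" "$d/ftpusers")"
        done
    done
    rm -rf "$d"
}

case ${1:-} in demo) demo ;; esac
```

Run it with the argument demo to print the six combinations. The practical lesson is the last line of the table: a whitelist in user_list does not override ftpusers, so root stays out even when an administrator lists it by mistake, and conversely ftpusers alone still lets an attacker confirm that a name exists by watching whether the server rejects before or after the password.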
Connection timeouts (this part was provided by Li Yang)

idle_session_timeout=300      close a session that has sent no command for five minutes, freeing server resources
data_connection_timeout=60    abort a data connection that has been stalled for one minute, freeing server resources
accept_timeout=60             in passive (PASV) mode, wait at most 60 seconds for the client to connect to the data port
connect_timeout=30            in active (PORT) mode, wait at most 30 seconds for the client to accept the server's data connection

vsftpd logging

The usual logging setup is defined in vsftpd.conf:

    # record uploads and downloads
    xferlog_enable=YES
    # write them in the standard xferlog format to the file named by xferlog_file
    xferlog_std_format=YES
    xferlog_file=/var/log/xferlog
    # dual logging: besides the xferlog, which records the server's uploads and downloads,
    # the file named by vsftpd_log_file (/var/log/vsftpd.log) records the server's activity
    dual_log_enable=YES
    vsftpd_log_file=/var/log/vsftpd.log

The two log files are analysed below. Example record from /var/log/xferlog:

Thu Sep 6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpMyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c

Example records from /var/log/vsftpd.log:

Tue Sep 11 14:59:03 2007 [pid 3460] CONNECT: Client "127.0.0.1"
Tue Sep 11 14:59:24 2007 [pid 3459] [ftp] OK LOGIN: Client "127.0.0.1", anon password "?"

Fields of a /var/log/xferlog record, using the example above:

Value                                                  Field                  Meaning
Thu Sep 6 09:07:48 2007                                current time           local server time when the transfer finished, format ddd Mmm dd hh:mm:ss yyyy
7                                                      transfer time          seconds the transfer took
192.168.57.1                                           remote host            host name or IP address of the client
4323279                                                file size              bytes transferred
/home/student/phpMyadmin-2.11.0-all-languages.tar.gz   file name              path of the transferred file (spaces in names are written as _)
b                                                      transfer type          a = ASCII, b = binary
_                                                      special action flag    _ = none, C = file was compressed, U = file was uncompressed, T = file was tar'ed
i                                                      direction              o = outgoing, server to client (download); i = incoming, client to server (upload)
r                                                      access mode            a = anonymous, g = guest, r = real (local) user
student                                                user name              the account used
ftp                                                    service name           name of the service, normally ftp
0                                                      authentication method  0 = none, 1 = RFC 931 (ident)
*                                                      authenticated user id  user id returned by the authentication method; * when not available
c                                                      completion status      c = complete, i = incomplete

Finally, the common FTP client commands and the meaning of the FTP reply codes.

Common FTP client commands

ls [remote-dir] [local-file]          list the remote directory remote-dir, optionally saving the listing to local-file
dir [remote-dir] [local-file]         list the remote directory in long format, optionally saving the result to local-file
get remote-file [local-file]          download remote-file from the server, optionally under the name local-file
mget remote-files                     download several files; wildcards are allowed
put local-file [remote-file]          upload local-file to the server, optionally under the name remote-file
mput local-files                      upload several files; wildcards are allowed
open host [port]                      connect to the FTP server host, optionally on the given port
close                                 end the FTP session with the remote server (the counterpart of open)
mdelete [remote-files]                delete files on the remote host
delete remote-file                    delete one file on the remote host
mkdir dir-name                        create a directory on the remote host
rmdir dir-name                        delete a directory on the remote host
newer file-name                       download file-name again if the remote copy is newer than the local file of the same name
cd directory                          change the working directory on the server
cdup                                  change to the parent directory on the server
lcd directory                         change the working directory on the client (local side)
pwd                                   show the current working directory on the remote host
rename [from] [to]                    rename a file on the remote host
ascii                                 set the transfer mode to ASCII
binary                                set the transfer mode to binary
reget remote-file [local-file]        like get, but if local-file exists the transfer resumes where it was interrupted
restart marker                        resume the next get or put from the given byte offset, for example restart 130
rhelp [cmd-name]                      request help from the remote host
rstatus [file-name]                   show the status of the remote host, or of the named file
status                                show the current state of the ftp client
system                                show the operating system of the remote host
size file-name                        show the size of a remote file
idle [seconds]                        show or set the server's idle timeout, for example idle 7200
! [cmd [args]]                        run a command in a local shell and return to ftp, for example ! ls *.zip
account [password]                    supply the additional password the remote system needs for access to its resources after login
hash                                  print a # for every 1024 bytes transferred
append local-file [remote-file]       append local-file to a file on the remote host; without remote-file the local name is used
case                                  with mget, convert uppercase letters in remote file names to lowercase
user user-name [password] [account]   identify yourself to the remote host, for example user anonymous my@email
help [cmd]                            show help for the internal command cmd, for example help get
bye, quit                             end the FTP session and exit

Meaning of FTP reply codes

110 Restart marker reply.
120 Service ready in the stated number of minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type.
220 Service ready for new user.
221 Service closing control connection; logged out.
225 Data connection open; no transfer in progress.
226 Closing data connection; requested file action successful.
227 Entering passive mode.
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created; also the reply to PWD, giving the current directory.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Service not available, closing control connection.
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken; file unavailable (for example busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken: insufficient storage space.
500 Syntax error, command unrecognised.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken; file unavailable.
551 Requested action aborted: page type unknown.
552 Requested file action aborted; exceeded storage allocation.
553 Requested action not taken; file name not allowed.
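The xferlog field layout described above, put to work: an added shell example, not part of the original article, that summarises per user how many bytes went up and down, how many transfers ended incomplete and how many uploads came from anonymous sessions, the kind of roll-up one wants after enabling xferlog_std_format. The log lines in SAMPLE_XFERLOG are constructed (the first is the article's own example line), and the function names are this example's own; point xferlog_summary at /var/log/xferlog on a real server.

```shell
#!/bin/sh
# Added example, not from the original article: summarise xferlog records
# (one record per line, 18 whitespace-separated fields; spaces in file names
# are logged as "_").  SAMPLE_XFERLOG is a constructed sample.

SAMPLE_XFERLOG='Thu Sep  6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpMyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c
Thu Sep  6 09:12:10 2007 1 192.168.57.1 2048 /home/student/notes.txt a _ o r student ftp 0 * c
Thu Sep  6 10:01:02 2007 30 192.168.57.9 104857600 /var/ftp/pub/incoming/dump.bin b _ i a guest@ ftp 0 * i
Thu Sep  6 10:05:44 2007 2 192.168.57.9 512 /var/ftp/pub/README a _ o a guest@ ftp 0 * c'

# xferlog_summary [FILE]: one line per user with bytes uploaded (direction i),
# bytes downloaded (direction o), incomplete transfers (status i) and
# anonymous uploads (access mode a together with direction i).
# Reads stdin when FILE is omitted.
# Fields: 1-5 timestamp, 6 seconds, 7 host, 8 bytes, 9 path, 10 type,
# 11 special flag, 12 direction, 13 access mode, 14 user, 15 service,
# 16 auth method, 17 auth id, 18 completion status.
xferlog_summary() {
    awk '
        NF != 18 { next }                       # not an xferlog record
        {
            u = $14
            seen[u] = 1
            if ($12 == "i") up[u] += $8; else down[u] += $8
            if ($18 == "i") incomplete[u]++
            if ($12 == "i" && $13 == "a") anon_up[u]++
        }
        END {
            for (u in seen)
                printf "%s up=%d down=%d incomplete=%d anon_uploads=%d\n",
                       u, up[u], down[u], incomplete[u], anon_up[u]
        }
    ' "${1:-/dev/stdin}"
}

# user_summary USER [FILE]: the summary line for one user (empty if none)
user_summary() {
    xferlog_summary "${2:-/dev/stdin}" | awk -v u="$1" '$1 == u'
}

# Usage: sh xferlog_summary.sh /var/log/xferlog
[ $# -eq 1 ] && xferlog_summary "$1"
```

For the anonymous user the user field holds whatever password string the client sent, so anonymous activity groups by that string rather than by a real account; an "anon_uploads" count above zero on a server that is supposed to be download-only, or a large "incomplete" count from one host, is what to look at first.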
