How to configure vsftpd virtual users in CentOS (complete)

Source: Internet
Author: User

The basic configuration environment is as follows:

1. home directory of the ftp host user: /data/ftp
2. the local_root directory of every virtual user lives under /data/wwwroot/; for convenience each directory is named after its virtual user, but the names may differ.
3. chroot user list file: /etc/vsftpd/chroot_list

===========================================================

1. install vsftpd

# yum -y install vsftpd

Run "service vsftpd start" to check that the installation succeeded.

Make vsftpd start automatically on CentOS:

# chkconfig --level 35 vsftpd on

2. configure the vsftpd.conf file

# vi /etc/vsftpd.conf

# whether anonymous users are allowed to log in
anonymous_enable=NO
# users in the chroot list cannot leave their home directory
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list

# for convenience, lock all users into their own directory by default. If this
# line is omitted, the two lines above must be enabled instead, and every
# account added later must be appended to chroot_list_file to lock it into its
# own directory; see http://blog.haohtml.com/archives/857
chroot_local_user=YES

# whether local users may log in (YES/NO). Note: if this is NO, no virtual
# user can log in either, because virtual users access the host through a
# local user.
local_enable=YES
# name of the PAM service file, i.e. /etc/pam.d/vsftpd
pam_service_name=vsftpd

# enable the virtual user function
guest_enable=YES
# the local host user that virtual users are mapped to. CentOS already has a
# built-in ftp user; here we use a newly created one (note: this is the user
# written into chroot_list_file=/etc/vsftpd/chroot_list)
guest_username=ftpadmin

# directory holding each virtual user's own vsftpd configuration file
user_config_dir=/etc/vsftpd/vuser_conf

Without the next two lines a virtual user has no way to change file permissions (chmod); see http://blog.haohtml.com/archives/7852

virtual_use_local_privs=YES
chmod_enable=YES

Create the virtual user configuration directory and the (initially empty) chroot list file:

# mkdir /etc/vsftpd/vuser_conf
# touch /etc/vsftpd/chroot_list

4. add the local system user that the virtual users map to, and put it in the chroot_list file.

Create the user ftpadmin that vsftpd runs virtual users as. Before creating it, check whether the /data directory exists; if not, create it now (or at the end) and set its permissions. The default ftp:ftp user is not used here because the directory is shared with the web server.

# /usr/sbin/useradd -d /data/ftp -g www -s /sbin/nologin ftpadmin
# passwd ftpadmin

If you set chroot_local_user=YES in vsftpd.conf above, you can skip the following step. Otherwise, write ftpadmin into the chroot_list file.

Add ftpadmin to /etc/vsftpd/chroot_list:

# vi /etc/vsftpd/chroot_list
ftpadmin

5. create virtual users and generate the virtual user db file

Install the required library:

# yum -y install db4-utils

Add virtual users (odd lines are usernames, even lines are the corresponding passwords):

# vi /etc/vsftpd/vftpuser.txt
zz
aaaaa
ftp1
zzzzz

Generate the db file:

# db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db

6. generate the PAM authentication file

# vi /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/vftpuser
account required pam_userdb.so db=/etc/vsftpd/vftpuser

On a 64-bit system, add the following two lines:

auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser

Note: the vftpuser in db=/etc/vsftpd/vftpuser refers to the virtual user db file you generated (pam_userdb adds the .db suffix itself).

The default content of /etc/pam.d/vsftpd can be commented out first; then add the two lines above.

7. create a configuration file for each virtual user (the files live in /etc/vsftpd/vuser_conf and are named after the usernames in vftpuser.txt)

Assuming the virtual user is zz, the file is named after that user:

# vi /etc/vsftpd/vuser_conf/zz
# root directory of this virtual user; adjust it to your actual layout
local_root=/data/wwwroot/zzftp
# writable
write_enable=YES
download_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_umask=022
listen_port=21

Create the virtual user's directory and set its ownership and permissions:

# mkdir -p /data/wwwroot/zzftp
# chown -R ftpadmin:www /data/wwwroot/zzftp
# chmod -R 775 /data/wwwroot/zzftp

Note that the directory permission above is 775: because the directory is shared with the web server and ftpadmin is also a member of the www group, group members must have write permission.

7. restart vsftpd

# service vsftpd restart

# setsebool ftpd_disable_trans 1

8. test virtual users

# ftp 192.168.1.107
Connected to 192.168.1.107.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.107:root): zz
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/data/wwwroot/zzftp
Login failed.
ftp>

Check the SELinux mode:

# getenforce
Enforcing

Turn it off:

# setenforce 0    (0 turns enforcement off, 1 turns it on)

or run the command

# setsebool ftpd_disable_trans 1

At this point you can also test with the FlashFXP client: changing file and folder permissions, uploading and deleting, the RENAME command, and so on.

Note: there are currently only two virtual users. To add a new one, first add it to /etc/vsftpd/vftpuser.txt, then rerun "# db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db" to regenerate the database. This can be automated with a shell script.
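The shell script suggested in the note above, as an added example rather than code from the article: it validates the user/password list, regenerates the db, writes the per-user configuration file owned by root, and creates the local_root directory with the article's ftpadmin:www ownership and 775 mode. The function names, the script name vuser.sh, and the convention that a user's directory is named after the user are assumptions of this example; paths are parameters so the functions can be tried against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not part of the original article): helper functions that
# automate the virtual-user steps above. Assumed layout, as in the article:
# username/password pairs on odd/even lines of /etc/vsftpd/vftpuser.txt,
# per-user configs in /etc/vsftpd/vuser_conf, local_root under /data/wwwroot,
# the host user ftpadmin in group www. All paths are parameters so the
# functions can be exercised against a scratch directory without root.

# Print the usernames (odd lines) of a vftpuser.txt-style list after checking
# that it holds complete pairs and that every username is a plain lowercase
# token (it becomes a file name under user_config_dir). Returns 1 on error.
vuser_list_names() {
    list="$1"
    n=$(grep -c . "$list" || true)          # number of non-empty lines
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$list: expected an even number of lines (user, password)" >&2
        return 1
    fi
    grep . "$list" | awk '
        BEGIN { bad = 0 }
        NR % 2 == 1 {
            if ($0 ~ /^[a-z_][a-z0-9_-]*$/) print
            else { print "invalid username: " $0 > "/dev/stderr"; bad = 1 }
        }
        END { exit bad }'
}

# Rebuild the Berkeley DB that pam_userdb reads (the db= path in
# /etc/pam.d/vsftpd is given without the .db suffix). Needs db4-utils.
vuser_rebuild_db() {
    list="$1"; db="$2"
    command -v db_load >/dev/null 2>&1 \
        || { echo "db_load not installed (yum -y install db4-utils)" >&2; return 1; }
    db_load -T -t hash -f "$list" "$db" && chmod 600 "$db"
}

# Write the per-user config for $1 into $2/$1 with local_root=$3/$1.
# vsftpd refuses user_config_dir files not owned by root ("500 OOPS: reading
# non-root config file"), so the file is chowned when we run as root.
vuser_write_conf() {
    name="$1"; confdir="$2"; wwwroot="$3"
    conf="$confdir/$name"
    mkdir -p "$confdir"
    cat > "$conf" <<EOF
local_root=$wwwroot/$name
write_enable=YES
download_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_umask=022
EOF
    chmod 600 "$conf"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$conf"; fi
    printf '%s\n' "$conf"
}

# Create the user's local_root, owned by the host user and group-writable
# (775) so that the web server's group can also write, as the article does.
vuser_make_root() {
    name="$1"; wwwroot="$2"; owner="$3"; group="$4"
    dir="$wwwroot/$name"
    mkdir -p "$dir"
    chmod 775 "$dir"
    if [ "$(id -u)" -eq 0 ]; then chown "$owner:$group" "$dir"; fi
    printf '%s\n' "$dir"
}

# Script usage (runs only when invoked with arguments):
#   sh vuser.sh add <user>   # after appending the user/password pair to the list
case "${1:-}" in
    add)
        vuser_list_names /etc/vsftpd/vftpuser.txt | grep -qxF "$2" \
            || { echo "$2 is not in /etc/vsftpd/vftpuser.txt" >&2; exit 1; }
        vuser_rebuild_db /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db
        vuser_write_conf "$2" /etc/vsftpd/vuser_conf /data/wwwroot
        vuser_make_root "$2" /data/wwwroot ftpadmin www
        ;;
esac
```

The 775 mode on the chroot root is what the article uses with vsftpd 2.0.5. vsftpd 2.3.5 and later refuse such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"; from 3.0.0 the check can be overridden with allow_writeable_chroot=YES, but the cleaner layout is a non-writable local_root with writable subdirectories underneath it.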

If the error "500 OOPS: reading non-root config file" occurs at login, you only need to change the owner of the configuration files in vuser_conf/ to root. I ran into this once after reinstalling vsftpd: I had downloaded the previous configuration files to my local machine, installed vsftpd, and copied the configuration back over, and the problem appeared. Keep it in mind.
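A pre-login check for the two failures described above, as an added example and not code from the article: it reports a per-user configuration file that root does not own ("500 OOPS: reading non-root config file") and a local_root that does not exist ("500 OOPS: cannot change directory"), and it notes the SELinux mode rather than switching enforcement off. The function name vuser_check and the default user_config_dir of /etc/vsftpd/vuser_conf are assumptions taken from the article's layout.

```shell
#!/bin/sh
# Added example (not from the article): a pre-login check for one virtual
# user that looks for the two failure modes described above, a per-user
# config not owned by root ("500 OOPS: reading non-root config file") and a
# local_root that does not exist ("500 OOPS: cannot change directory").
# user_config_dir defaults to /etc/vsftpd/vuser_conf as in the article.
# One line per finding on stdout; the return value is the number of findings.
vuser_check() {
    name="$1"
    confdir="${2:-/etc/vsftpd/vuser_conf}"
    conf="$confdir/$name"
    problems=0

    if [ ! -f "$conf" ]; then
        echo "missing per-user config: $conf"
        return 1
    fi
    # vsftpd reads a user_config_dir file only when root owns it
    if [ -z "$(find "$conf" -maxdepth 0 -user root)" ]; then
        echo "config not owned by root: $conf (fix: chown root $conf)"
        problems=$((problems + 1))
    fi
    # vsftpd chdir()s into local_root right after authentication
    lroot=$(sed -n 's/^local_root=//p' "$conf" | tail -n 1)
    if [ -z "$lroot" ]; then
        echo "no local_root= line in $conf"
        problems=$((problems + 1))
    elif [ ! -d "$lroot" ]; then
        echo "local_root does not exist: $lroot (fix: mkdir -p $lroot; chown ftpadmin:www $lroot)"
        problems=$((problems + 1))
    fi
    # With SELinux enforcing, the same "cannot change directory" error can
    # come from the ftp policy; report the mode instead of switching it off.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "note: SELinux is enforcing; if login still fails, check the ftp booleans and the file context of $lroot"
    fi
    return "$problems"
}

# Usage: vuser_check zz            (checks /etc/vsftpd/vuser_conf/zz)
#        vuser_check zz /some/dir  (checks /some/dir/zz)
```

Run it once per virtual user after regenerating the db; a zero return value means the config is readable by vsftpd and the chroot target exists, so a remaining login failure is down to the password in the db or to the SELinux policy.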

For the next test we will upload the WordPress blog program.

9. test the web site

So far vsftpd is essentially done. Next we use this ftp directory as the root directory of a website and test it. I use Nginx here; if you use Apache or another server, adapt the steps accordingly.

I use the nginx include directive to add the virtual host configuration, which is more flexible; see: http://blog.haohtml.com/archives/6203

In /usr/local/nginx/conf/nginx.conf add the line include /usr/local/nginx/conf/vhost/*.conf; (do not forget the trailing semicolon). To add a virtual host site you then only need to create a file with the .conf extension in the /usr/local/nginx/conf/vhost/ directory.

vi /usr/local/nginx/conf/vhost/www.haohtml.com.conf

server {

    listen 80 default;
    server_name www.haohtml.com;
    root /data/wwwroot/zzftp;

    location / {
        index index.php index.html index.shtml;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/zzftp$fastcgi_script_name;
        include fastcgi_params;
    }

    # log ...

}


10. test the site

# /usr/local/php/sbin/php-fpm start
# /usr/local/nginx/sbin/nginx -t    // test whether the configuration is correct
# killall nginx
# /usr/local/nginx/sbin/nginx

Open http://www.haohtml.com in the browser and you will see the page.


For how to install Nginx + MySQL + PHP + Memcache on CentOS 5.5, see: http://blog.haohtml.com/archives/6051

/etc/vsftpd.conf file:

# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
guest_enable=YES
guest_username=ftpadmin
user_config_dir=/etc/vsftpd/vuser_conf
virtual_use_local_privs=YES
chmod_enable=YES

For my vsftpd configuration file, see vsftpd.conf.
