I've seen the best vsftpd configuration tutorial (GO)

Source: Internet
Author: User
Tags: hosting

Environment: CentOS 5.0
One. Installation:
1. Install the vsftpd service and its related packages:
# yum install vsftpd*
Dependencies Resolved
=============================================================================
 Package          Arch      Version              Repository    Size
=============================================================================
Installing:
 vsftpd           i386      2.0.5-10.el5         base         137 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
2. Confirm that the PAM components are installed:
# yum install pam*
Dependencies Resolved
=============================================================================
 Package          Arch      Version              Repository    Size
=============================================================================
Installing:
 pam-devel        i386      0.99.6.2-3.14.el5    base         186 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
The devel package is not actually needed; the purpose of this step is just to confirm that PAM itself is present.
3. Install the db4 packages:
The db4 packages are installed here for the db_load tool (from db4-utils), which builds the Berkeley DB file that holds the virtual users.
# yum install db4*
Dependencies Resolved
=============================================================================
 Package          Arch      Version              Repository    Size
=============================================================================
Installing:
 db4-devel        i386      4.3.29-9.fc6         base         2.0 M
 db4-java         i386      4.3.29-9.fc6         base         1.7 M
 db4-tcl          i386      4.3.29-9.fc6         base         1.0 M
 db4-utils        i386      4.3.29-9.fc6         base         119 k

Transaction Summary
=============================================================================
Install      4 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Two. System accounts
1. Create a service user for vsftpd:
# useradd vsftpd -s /sbin/nologin
By default the vsftpd service runs as root, which does not meet the security requirement. This creates a user named vsftpd to run the service under. Since that user exists only to support the vsftpd service, it has no need to log in to the system, so it is given /sbin/nologin as its shell.

2. Create the host user for the vsftpd virtual users:
# useradd overlord -s /sbin/nologin
This article is mainly about vsftpd virtual users. Virtual users are not system users; they do not exist in the system at all. Their effective permissions are all mapped onto one particular system user, the so-called virtual host user, which backs all of the virtual users. Because this one user backs every FTP virtual user, its own permissions determine theirs, so for security its rights must be controlled carefully. It also has no need to log in to the system, so it too is created with a nologin shell. (A side note: when creating the two users above I originally did not even want to give them a home directory, and intended to add -d /home/nowhere. According to the useradd man page:

-d, --home HOME_DIR
    The new user will be created using HOME_DIR as the value for the user's login directory. The default is to append the LOGIN name to BASE_DIR and use that as the login directory name. The directory HOME_DIR does not have to exist but will not be created if it is missing.

That is, -d specifies the user's home directory, which does not have to exist; if the specified directory is not present, it will not be created.)

Three. Adjust the vsftpd configuration file:
1. Back up the configuration file before editing it:
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
2. Edit the main configuration file vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf
Here I have reproduced the original configuration file in full. Wherever I changed something I kept the original setting as a comment, and I have added an explanation under each directive; for the more important ones I give my own opinion. The original English comments are left in place for comparison.
------------------------------------------------------------------------------
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
anonymous_enable=NO
Disallow anonymous access.
#
# Uncomment this to allow local users to log in.
local_enable=YES
Allow local users to log in. Note: this is what the virtual users depend on; if it is set to NO, no virtual user can log in either.
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
Allow write commands.
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
Sets the permission mask applied to uploaded files.
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
anon_upload_enable=NO
Forbid anonymous uploads.
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
anon_mkdir_write_enable=NO
Forbid anonymous users from creating directories.
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
Enable per-directory messages.
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
Enable transfer logging.
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
Use port 20 as the source port for active-mode data connections.
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
chown_uploads=NO
Do not change the owner of uploaded files.
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
Sets the path of the vsftpd log file. Note that the file does not exist by default; you have to touch it by hand. Also, because of the nopriv_user change below, the service user is the manually created vsftpd user, so make sure that user can write to the log file, or the service will fail to start.
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
Write the log in the standard xferlog format.
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
The idle-connection timeout; the default (600 seconds) is kept here. Each virtual user can be given a specific value in their own configuration file; users without one fall back to this default.
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
The data-connection timeout, i.e. how long a stalled transfer is allowed to last; the default (120 seconds) is kept here. As above, a per-user value can be set in each user's own configuration file.
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
nopriv_user=vsftpd
Sets the unprivileged user that the vsftpd service runs under to the manually created vsftpd user. Note that once you change this user you must check the read and write permissions on every file the service touches: for example, the log file must be writable by this user.
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
Support asynchronous ABOR (transfer abort) requests.
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
Support ASCII-mode uploads and downloads.
#
# You may fully customise the login banner string:
ftpd_banner=This VSFTP Server supports virtual users ^_^
Sets the vsftpd login banner.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
chroot_list_enable=NO
Keeps users from leaving their own FTP home directory. Note that this directive only controls the exception list: whether users are actually confined to their home directory is governed by chroot_local_user, which is not set in this file and therefore keeps its default of NO, so confirm with a test login that a user cannot cd above their local_root.
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
ls_recurse_enable=NO
Forbids the "ls -R" command after login. A recursive listing is expensive for the server; if it were allowed, several users issuing it at the same time would be a threat to the server's availability.
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
Runs the vsftpd service in standalone mode. In standalone mode the service has its own daemon, which you can see as a vsftpd process with ps -A. If you do not want standalone mode, the alternative is to run under the super-daemon xinetd, in which case vsftpd has no daemon of its own and is fully proxied by xinetd; several vsftpd features are then unavailable.
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that one of the listen options is commented out!
#listen_ipv6=YES

pam_service_name=vsftpd
Sets the name of the PAM service vsftpd authenticates with, so PAM will consult the vsftpd file under /etc/pam.d/.
userlist_enable=YES
Users listed in userlist_file are not allowed to use FTP.
tcp_wrappers=YES
Enables TCP Wrappers support.

#KC: The following entries are added for supporting virtual FTP users.
The following are the important directives for virtual user support. They are not present in the default vsftpd.conf and must be added by hand.
guest_enable=YES
Enables the virtual user feature.
guest_username=overlord
Specifies the host user for the virtual users.
virtual_use_local_privs=YES
Gives virtual users the same privileges as local users, i.e. those of their host user, rather than anonymous privileges.
user_config_dir=/etc/vsftpd/vconf
Sets the directory holding each virtual user's own vsftpd configuration file. One file per virtual user is stored there, and each file must be named exactly after the virtual user.
-------------------------------------------------------------------------
Save and exit.
3. Create the vsftpd log file and make the vsftpd service user its owner:
# touch /var/log/vsftpd.log
# chown vsftpd.vsftpd /var/log/vsftpd.log
4. Create the directory that will hold the virtual users' configuration files:
# mkdir /etc/vsftpd/vconf/
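As an added example (not from the original tutorial), the following POSIX shell script checks a vsftpd.conf for the problems this tutorial's settings and its troubleshooting notes revolve around: directive names that are not the exact lowercase names vsftpd expects, whitespace after a value (which makes vsftpd refuse to start with a 500 OOPS error, as described in the addendum at the end), and the virtual-user-critical values (anonymous_enable=NO, local_enable=YES alongside guest_enable=YES, guest_username set). The two sample configuration files are constructed for the demonstration; the function names and messages are the example's own, not vsftpd's.

```shell
#!/bin/sh
# Added example: lint a vsftpd.conf before restarting the service.
# Not part of the original tutorial; the sample files below are constructed.

# vsftpd_conf_check FILE
# Prints one line per problem found; returns 1 if any, 0 if the file is clean.
vsftpd_conf_check() {
    awk '
    /^#/ || /^$/ { next }                      # comments and empty lines are fine
    /^[ \t]+$/ {                               # whitespace-only line: vsftpd does not treat it as blank
        bad = 1; printf "line %d: whitespace-only line\n", NR; next
    }
    /[ \t]$/ {                                 # trailing blank becomes part of the value ("YES " is not YES)
        bad = 1; printf "line %d: trailing whitespace after the value\n", NR; next
    }
    !/^[a-z0-9_]+=/ {                          # names are lowercase, no spaces around "="
        bad = 1; printf "line %d: not a lowercase name=value directive: %s\n", NR, $0; next
    }
    {
        eq = index($0, "=")
        v[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (toupper(v["anonymous_enable"]) != "NO") {
            bad = 1; print "anonymous_enable must be NO on a virtual-user server"
        }
        if (toupper(v["guest_enable"]) == "YES") {
            if (toupper(v["local_enable"]) != "YES") {
                bad = 1; print "guest_enable=YES needs local_enable=YES, or logins fail with \"both local and anonymous access disabled\""
            }
            if (v["guest_username"] == "") {
                bad = 1; print "guest_enable=YES needs guest_username"
            }
            if (v["user_config_dir"] == "") {
                print "note: no user_config_dir, so there are no per-user local_root or limits"
            }
        }
        if (toupper(v["chroot_local_user"]) != "YES") {
            print "note: chroot_local_user is not YES; users are not confined to their home directory"
        }
        exit bad
    }' "$1"
}

# Constructed sample that mirrors the tutorial's virtual-user settings.
sample_good_conf() {
    printf '%s\n' \
        '# constructed sample' \
        'anonymous_enable=NO' \
        'local_enable=YES' \
        'write_enable=YES' \
        'local_umask=022' \
        'listen=YES' \
        'pam_service_name=vsftpd' \
        'guest_enable=YES' \
        'guest_username=overlord' \
        'virtual_use_local_privs=YES' \
        'user_config_dir=/etc/vsftpd/vconf'
}

# Constructed sample with the mistakes the tutorial warns about:
# a capitalised directive name, a trailing space, and local_enable=NO.
sample_bad_conf() {
    printf '%s\n' \
        'Anonymous_enable=NO' \
        'local_enable=NO' \
        'write_enable=YES ' \
        'guest_enable=YES' \
        'guest_username=overlord'
}

# Demo when run directly: lint both samples.
demo_dir=$(mktemp -d)
sample_good_conf > "$demo_dir/good.conf"
sample_bad_conf  > "$demo_dir/bad.conf"
for f in good bad; do
    if vsftpd_conf_check "$demo_dir/$f.conf"; then
        echo "$f.conf: clean"
    else
        echo "$f.conf: rejected"
    fi
done
rm -rf "$demo_dir"
```

Run it against /etc/vsftpd/vsftpd.conf before each service restart; the "note:" lines do not affect the exit status, so the function can be used as a gate in a deployment script.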
Three. Create the virtual user database file
1. First create the virtual user list file:
# touch /etc/vsftpd/virtusers
This list file records the user names and passwords of the vsftpd virtual users; I named it virtusers. To keep the files together, I put it under /etc/vsftpd/.

2. Edit the virtual user list file:
# vi /etc/vsftpd/virtusers
----------------------------
kanecruise
123456
near
123456near
mello
123456mello
----------------------------
The file holds each user's name and password. The format is simple: one line with the user name, then one line with the password.

3. Generate the virtual user database file:
# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
A brief explanation of this command:
----------------------------------------------------------------------
db_load's own usage text (from db4):
# db_load
usage: db_load [-nTV] [-c name=value] [-f file]
        [-h home] [-P password] [-t btree | hash | recno | queue] db_file
usage: db_load -r lsn | fileid [-h home] [-P password] db_file
The options relevant here are -T and -t.
-T
    The -T option allows non-Berkeley DB applications to easily load text files into databases. If the database to be created is of type Btree or Hash, or the keyword keys is specified as set, the input must be paired lines of text, where the first line of the pair is the key item, and the second line of the pair is its corresponding data item. If the database to be created is of type Queue or Recno and the keyword keys is not set, the input must be lines of text, where each line is a new data item for the database.
-T tells db_load to load a plain text file into the database. Since the virtual users are kept in a text file, this option is required so that vsftpd can get its user data from that text. If -T is given, the underlying access method must be specified with -t.
-t
    Specify the underlying access method. If no -t option is specified, the database will be loaded into a database of the same type as was dumped; for example, a Hash database will be created if a Hash database was dumped. Btree and Hash databases may be converted from one to the other. Queue and Recno databases may be converted from one to the other. If the -k option was specified on the call to db_dump then Queue and Recno databases may be converted to Btree or Hash, with the key being the integer record number.
-t, used together with -T, specifies the type of database the text is loaded into; the possible types are Btree, Hash, Queue and Recno. Here we need the hash type.
----------------------------------------------------------------------------

4. View the generated virtual user database file:
# ll /etc/vsftpd/virtusers.db
-rw-r--r-- 1 root root 12288 Sep 03:51 /etc/vsftpd/virtusers.db
Note that whenever you add a virtual user in the future, you only need to append the new user name and password to the list file in the same "one line user name, one line password" format. But that alone is not enough: the change does not take effect until you rerun "db_load -T -t hash -f <virtual user list file> <virtual user database file>.db".
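As an added example (not from the original tutorial), this POSIX shell script validates a virtual user list file before it is fed to db_load and then rebuilds the database with the same db_load command as above. Because both the list and the .db file hold the passwords in clear text, the build step also restricts them to root; the listing above shows the generated file as world-readable, which is worth tightening. The sample lists are constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example: validate a vsftpd virtual user list ("one line user name,
# one line password") before building the Berkeley DB from it.
# Not part of the original tutorial; the sample lists are constructed.

# virtusers_check FILE
# Prints one line per problem; returns 1 if any were found, 0 otherwise.
virtusers_check() {
    awk '
    /[ \t]$/ {                   # a trailing blank would become part of the name or password
        bad = 1; printf "line %d: trailing whitespace\n", NR
    }
    /^$/ {                       # an empty line shifts every later name/password pair
        bad = 1; printf "line %d: empty line breaks the name/password pairing\n", NR; next
    }
    NR % 2 == 1 {                # odd lines are user names; they also name the per-user config files
        if ($0 !~ /^[a-z_][a-z0-9_.-]*$/) {
            bad = 1; printf "line %d: user name %s is outside the safe character set\n", NR, $0
        }
        if ($0 in seen) {
            bad = 1; printf "line %d: duplicate user %s\n", NR, $0
        }
        seen[$0] = 1
    }
    END {
        if (NR % 2 == 1) { bad = 1; print "odd number of lines: the last user has no password" }
        exit bad
    }' "$1"
}

# virtusers_build LIST DB
# Rebuilds DB from LIST (the same db_load call the tutorial uses) once the
# checks pass, then keeps both files readable by root only, since each holds
# the passwords in clear text.
virtusers_build() {
    list=$1; db=$2
    virtusers_check "$list" || return 1
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not installed (db4-utils); skipping build" >&2
        return 2
    fi
    db_load -T -t hash -f "$list" "$db" || return 1
    chmod 600 "$list" "$db"
}

# Constructed list matching the tutorial's three test users.
sample_good_list() {
    printf '%s\n' kanecruise 123456 near 123456near mello 123456mello
}

# Constructed list with the mistakes the checker catches: a trailing space
# after a password, a duplicate user name, and a missing final password.
sample_bad_list() {
    printf '%s\n' kanecruise '123456 ' near 123456near kanecruise
}

# Demo when run directly.
demo=$(mktemp -d)
sample_good_list > "$demo/virtusers"
sample_bad_list > "$demo/virtusers.bad"
for f in virtusers virtusers.bad; do
    if virtusers_check "$demo/$f"; then echo "$f: ok"; else echo "$f: rejected"; fi
done
virtusers_build "$demo/virtusers" "$demo/virtusers.db" || echo "build skipped or failed (status $?)"
rm -rf "$demo"
```

The user-name pattern is the example's own policy: because vsftpd later opens user_config_dir/<login name>, keeping names to a plain character set prevents a list entry from ever naming a file outside that directory.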

Four. Set up the PAM authentication file and point it at the virtual user database
1. Look at the original PAM configuration for vsftpd:
# cat /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
----------------------------------------------------------------

2. Back it up before editing:
# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup
3. Edit the PAM configuration file for vsftpd:
# vi /etc/pam.d/vsftpd
----------------------------------------------------------------
#%PAM-1.0
auth       sufficient   /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
account    sufficient   /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
The two lines above are added by hand to authenticate the virtual users and check their account permissions.
"auth" here means verifying the user's name and password.
"account" here means checking the restrictions on what the user's account is permitted to do.
The "sufficient" that follows means a sufficient condition: once this check passes, none of the remaining checks need to run. Conversely, if it fails the user is not immediately shut out, because a failed sufficient module does not by itself fail the whole stack; the user still has to go through the remaining checks.
The /lib/security/pam_userdb.so that follows names the module library the check is performed with.
The final db=/etc/vsftpd/virtusers tells the module which database to look the user up in (the .db suffix is added by the module, so it is left off here).
#KC: The entries for vsftpd-pam are added above.
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
----------------------------------------------------------------
Five. Configure the virtual users
1. Plan the top-level directory for the virtual users:
# mkdir /opt/vsftp/

2. Create the FTP directory for each test user:
# mkdir /opt/vsftp/kanecruise/ /opt/vsftp/mello/ /opt/vsftp/near/

3. Create the virtual user configuration template:
# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp

4. Trim the template down to the per-user settings:
# vi /etc/vsftpd/vconf/vconf.tmp
--------------------------------
local_root=/opt/vsftp/virtuser
The virtual user's own top-level directory.
anonymous_enable=NO
Disallow anonymous access.
write_enable=YES
Allow write operations.
local_umask=022
The permission mask for uploaded files.
anon_upload_enable=NO
Disallow anonymous uploads.
anon_mkdir_write_enable=NO
Disallow anonymous users from creating directories.
idle_session_timeout=600
The idle-connection timeout.
data_connection_timeout=120
The data-connection timeout (how long a stalled transfer may last).
max_clients=10
The number of clients allowed to connect at the same time.
max_per_ip=5
The maximum number of connections from a single client; this mainly accommodates multi-connection download tools such as FlashGet and Thunder.
local_max_rate=50000
The user's maximum transfer rate, in bytes per second.
--------------------------------
The original vsftpd.conf is cut down and saved as the template for the virtual user configuration files. It does not need many directives: the overall framework and restrictions belong in vsftpd's main file vsftpd.conf, and any directive not mentioned in a virtual user's file falls back to the setting in the main file. As a template, it only needs to keep the directives that control a user's traffic and access. The key one is local_root, which sets this virtual user's FTP top-level directory. Note that vsftpd applies only some directives per user: settings such as max_clients and max_per_ip are evaluated before the user's session starts and have no effect in a per-user file (the user_config_dir entry in the vsftpd.conf man page lists them), so if they are meant to apply they must be set in the main file.
5. Change the owner of the virtual users' directories to the virtual host user:
# chown -R overlord.overlord /opt/vsftp/
6. Check the permissions:
# ll /opt/vsftp/
total 24
drwxr-xr-x 2 overlord overlord 4096 Sep 05:14 kanecruise
drwxr-xr-x 2 overlord overlord 4096 Sep 05:00 mello
drwxr-xr-x 2 overlord overlord 4096 Sep 05:00 near
Six. Customise the settings for a test user:
1. Copy the template:
# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/kanecruise

2. Adjust it for the specific user:
# vi /etc/vsftpd/vconf/kanecruise
---------------------------------
local_root=/opt/vsftp/kanecruise
anonymous_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=300
data_connection_timeout=90
max_clients=1
max_per_ip=1
local_max_rate=25000
---------------------------------
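As an added example (not part of the tutorial), this POSIX shell script generates the per-user configuration files that steps 1 and 2 above create by hand: for each user name in the virtual user list it copies the template, sets local_root to that user's directory and creates the directory. Since vsftpd looks the file up by the login name, the script refuses any name that is not a plain file name under user_config_dir. All paths are taken as arguments so it can be run against a scratch directory first; the function names are the example's own.

```shell
#!/bin/sh
# Added example: render per-user vsftpd config files from the template.
# Not part of the original tutorial; run against scratch paths first.

# vconf_render TEMPLATE VCONF_DIR HOME_BASE USER
# Writes VCONF_DIR/USER from TEMPLATE with local_root=HOME_BASE/USER and
# creates that directory. Returns 1 for a user name that is not safe to use
# as a file name (vsftpd opens VCONF_DIR/<login name> after a successful login).
vconf_render() {
    tmpl=$1; dir=$2; base=$3; user=$4
    case $user in
        ''|.*|*[!a-z0-9_.-]*)
            echo "refusing user name '$user': not a plain name" >&2
            return 1 ;;
    esac
    if grep -q '^local_root=' "$tmpl"; then
        # replace the template's placeholder local_root line (paths must not contain '|' or '&')
        sed "s|^local_root=.*|local_root=$base/$user|" "$tmpl" > "$dir/$user"
    else
        { cat "$tmpl"; echo "local_root=$base/$user"; } > "$dir/$user"
    fi
    mkdir -p "$base/$user"
    # the tutorial then runs, as root: chown -R overlord.overlord "$base"
}

# vconf_render_all LIST TEMPLATE VCONF_DIR HOME_BASE
# Renders a file for every user name (the odd lines) in the virtual user list.
vconf_render_all() {
    list=$1; shift
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        [ $((n % 2)) -eq 1 ] || continue      # even lines are passwords
        vconf_render "$@" "$line" || return 1
    done < "$list"
}

# Constructed template mirroring the tutorial's trimmed vconf.tmp.
sample_template() {
    printf '%s\n' \
        'local_root=/opt/vsftp/virtuser' \
        'anonymous_enable=NO' \
        'write_enable=YES' \
        'local_umask=022' \
        'idle_session_timeout=600' \
        'data_connection_timeout=120' \
        'local_max_rate=50000'
}

# Demo when run directly, entirely inside a scratch directory.
demo=$(mktemp -d)
sample_template > "$demo/vconf.tmp"
printf '%s\n' kanecruise 123456 near 123456near mello 123456mello > "$demo/virtusers"
mkdir "$demo/vconf"
vconf_render_all "$demo/virtusers" "$demo/vconf.tmp" "$demo/vconf" "$demo/ftp" && ls "$demo/vconf"
cat "$demo/vconf/kanecruise"
rm -rf "$demo"
```

For the real layout the call is vconf_render_all /etc/vsftpd/virtusers /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf /opt/vsftp, followed by the chown from step 5 above; per-user limits such as the lower timeouts shown for kanecruise can then be edited into the generated file.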
Seven. Start the service:
# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
Eight. Test:
1. Place a file in the virtual user's directory beforehand:
# touch /opt/vsftp/kanecruise/kc.test

2. Log in to the FTP server from another machine as a client:
# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
220 This VSFTP Server supports virtual users ^_^
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.22:root): kanecruise
331 Please specify the password.
Password: 123456
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

3. Test listing:
ftp> ls
227 Entering Passive Mode (192,168,1,22,220,24)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Sep 21:14 kc.test
226 Directory send OK. (directory listing succeeded)

4. Test uploading:
ftp> put
(local-file) kc.repo
(remote-file) kc.repo
local: kc.repo remote: kc.repo
227 Entering Passive Mode (192,168,1,22,230,1)
150 Ok to send data.
226 File receive OK. (upload succeeded)
699 bytes sent in 0.024 seconds (Kbytes/s)
ftp>

5. Test creating a directory:
ftp> mkdir test
257 "/opt/vsftp/kanecruise/test" created (directory created successfully)

6. Test downloading:
ftp> get kc.test
local: kc.test remote: kc.test
227 Entering Passive Mode (192,168,1,22,164,178)
150 Opening BINARY mode data connection for kc.test (0 bytes).
226 File send OK. (download succeeded)

7. Test the timeout:
ftp> dir
421 Timeout. (the timeout is in effect)
ftp> user
Not connected.
Note:
In /etc/vsftpd/vsftpd.conf the local_enable option must be set to YES for virtual users to be able to log in; otherwise the following happens:
----------------------------------
# ftp
ftp> open 192.168.1.22
Connected to 192.168.1.22.
500 OOPS: vsftpd: both local and anonymous access disabled!
----------------------------------
Reason: however the virtual users themselves are configured, they still rest on their host user overlord; if the host user's access is restricted, the virtual users are restricted with it.
Addendum:

OOPS errors

It may be that a directive is missing from your vsftpd.conf, or that a directive has a space after its yes/no value.

What I ran into was a space after the value, because I was using gedit to edit the configuration file.

550 permission errors: cannot create directories or files

Workaround: turn off SELinux

# vi /etc/selinux/config

SELINUX=xxx (xxx is the enforcement level)

Change it to

SELINUX=disabled

and reboot.

Disabling SELinux removes a protection layer from the whole system. The narrower fix is to keep it enforcing, find the exact denial in /var/log/audit/audit.log, and then allow only what vsftpd needs: for example the ftp_home_dir (or allow_ftpd_full_access) boolean set with setsebool -P, plus a file context on /opt/vsftp that permits writes.

Http://www.cnblogs.com/hhuai/archive/2011/02/12/1952647.html
