Install the FTP service vsftpd script in CentOS

Source: Internet
Author: User
Tags: anonymous, auth, chmod, ftp, ftp file, parent directory, file permissions, pkill

Install and configure vsftpd

# Check whether vsftpd is already installed
rpm -q vsftpd
# Install vsftpd with yum
yum install vsftpd

# Allow root login: root is listed in both of these files, which blocks it
vi /etc/vsftpd/user_list
vi /etc/vsftpd/ftpusers
# Shield root: comment out the root line in each file so that it reads
#root
# If SELinux is enabled:
setsebool -P ftpd_disable_trans 1
# Create a user [used only for FTP; it cannot log on to the system]
adduser -d /home/www.111cn.net -g ftp -s /sbin/nologin tianya
# Set the password:
passwd tianya

# Prohibit switching to the parent directory (in vsftpd.conf)
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# Add the user to the list [create the file if it does not exist]
vi /etc/vsftpd/chroot_list
tianya
# If chkconfig does not know vsftpd yet, add it
chkconfig --add vsftpd
# Start vsftpd at boot
chkconfig vsftpd on

Appendix 1: vsftpd configuration for anonymous, local and virtual users

1. Download vsftpd.tar.gz
Program download address: ftp://vsftpd.beasts.org/users/cevans/
2. Check and create accounts and directories
1. The nobody user
[root@main vsftpd-2.1.0]# cat /etc/passwd | grep nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
If it does not exist, create the account.
2. The /usr/share/empty directory. If the directory does not exist, create it.
3. If anonymous access is allowed, an ftp user is needed. Its home directory is /var/ftp (the ftp user usually exists, but the home directory does not).
[root@main vsftpd-2.1.0]# mkdir /var/ftp/
[root@main vsftpd-2.1.0]# chown root.root /var/ftp
[root@main vsftpd-2.1.0]# chmod 755 /var/ftp

3. Decompress, compile, and install the program (vsftpd can be installed either from the rpm or from source; compiling from source is inconvenient, so installing the rpm is recommended)
[root@main ~]# tar xzfv vsftpd-2.1.0.tar.gz
[root@main ~]# cd vsftpd-2.1.0
[root@main vsftpd-2.1.0]# make && make install
4. Copy related files
If the rpm is used, file paths differ slightly from the source installation: for example, /etc/vsftpd.conf becomes /etc/vsftpd/vsftpd.conf. Look up the corresponding file for such changes.
Main configuration file
[root@main vsftpd-2.1.0]# cp vsftpd.conf /etc/vsftpd.conf
PAM authentication file
[root@main vsftpd-2.1.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp
5. Configure vsftpd.conf
Enable or disable anonymous user access:
anonymous_enable=YES/NO
Allow local users to log on and upload files:
local_enable=YES
write_enable=YES
Lock local users in their home directory so they cannot switch to the parent directory:
chroot_local_user=YES
Speed limits for anonymous and local users (unit: bytes):
anon_max_rate=number
local_max_rate=number
Some users must be prohibited from logging on through FTP. If local_enable=YES is set, all users, including root, can log on through FTP. For security reasons, some users must be restricted. Three options in vsftpd.conf control this:
userlist_deny=YES/NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
If userlist_deny=YES, the user names listed in /etc/vsftpd.user_list are not allowed to log on to the FTP server. If userlist_deny=NO, only the user names listed in /etc/vsftpd.user_list are allowed to log on. Create the vsftpd.user_list file in /etc; it contains the user names to allow or deny, one per line.
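As an added example (not part of the original page), the following POSIX shell script applies the userlist_enable / userlist_deny rules just described, together with the ftpusers file from the first section, to decide whether a given local user would be allowed to log on; the vsftpd.conf, user_list and ftpusers files it reads are constructed inside the script for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate whether a local user
# gets past vsftpd's user_list check (userlist_enable / userlist_deny as
# described above) and the PAM ftpusers deny file. The config, user_list
# and ftpusers files are constructed below for the demo.

# get_opt FILE KEY -> value of KEY in a vsftpd.conf (last definition wins)
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# in_list FILE USER -> succeeds if USER appears as a whole line in FILE
in_list() {
    grep -qx -e "$2" "$1" 2>/dev/null
}

# ftp_login_allowed CONF FTPUSERS USER -> prints the verdict; status 1 on deny
ftp_login_allowed() {
    conf=$1; ftpusers=$2; user=$3
    # ftpusers is enforced by PAM (pam_listfile in /etc/pam.d/vsftpd on
    # CentOS): anyone listed there is refused, whatever user_list says.
    if in_list "$ftpusers" "$user"; then
        echo "deny: $user is in $ftpusers"; return 1
    fi
    if [ "$(get_opt "$conf" userlist_enable)" = "YES" ]; then
        list=$(get_opt "$conf" userlist_file)
        deny=$(get_opt "$conf" userlist_deny)
        [ -n "$deny" ] || deny=YES        # vsftpd default when unset
        if [ "$deny" = "YES" ] && in_list "$list" "$user"; then
            echo "deny: $user listed in $list (userlist_deny=YES)"; return 1
        fi
        if [ "$deny" = "NO" ] && ! in_list "$list" "$user"; then
            echo "deny: $user not in $list (userlist_deny=NO)"; return 1
        fi
    fi
    echo "allow: $user"
}

# Constructed demo files: only tianya and ftpuser are on the allow list.
DEMO=$(mktemp -d)
printf 'root\nbin\n' > "$DEMO/ftpusers"
printf 'tianya\nftpuser\n' > "$DEMO/user_list"
printf 'local_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s\n' \
    "$DEMO/user_list" > "$DEMO/vsftpd.conf"

for u in tianya bob root; do
    ftp_login_allowed "$DEMO/vsftpd.conf" "$DEMO/ftpusers" "$u" || :
done
```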
Prohibit users from modifying file or folder permissions through FTP:
chmod_enable=NO
Set the umask for files or folders uploaded by local users (default: 077):
local_umask=022
Up to 100 clients may be connected at the same time:
max_clients=100
Each IP address may open at most three connections:
max_per_ip=3
Only listen for FTP requests addressed to 192.168.0.2 (for hosts with several NICs or IP addresses):
listen_address=192.168.0.2
6. Run the vsftpd command to start the vsftpd service. Make sure the firewall opens the relevant ports, then try to log on anonymously. Note that all anonymous users land in the same directory, /var/ftp.
Use pgrep vsftpd to check whether vsftpd is running, and pkill vsftpd to kill the vsftpd process and stop the service. This is another reason to install from rpm, so that service vsftpd start | stop | restart can be used to control it.
[root@main ~]# pgrep vsftpd
2745
[root@main ~]# pkill vsftpd
7. Set up the pub directory so that anonymous users can upload and download files.
Change the configuration file to make sure it contains the following items:
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=022
Create the folder and change its permissions.
[root@main ~]# mkdir /var/ftp/pub
[root@main ~]# chmod 777 /var/ftp/pub
Try uploading and downloading anonymously; it should work.
8. Log on to the FTP server with a local user and set permissions.
Add a user that can only log on through FTP and not from a local shell: create the user ftpuser with no login shell.
[root@localhost root]# useradd -g ftp -s /sbin/nologin ftpuser
After creating the account and password, change vsftpd.conf to ensure that local users have read and write permissions:
local_enable=YES
write_enable=YES
local_umask=022
Use the local user to upload and download files. (PS: I don't know why I could not upload or download at first, but it worked after I restarted the system.)
You can also control which users may log on with these options:
userlist_deny=YES/NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
9. Try accessing the FTP service with a virtual user.
Create a password source file in the format: first line user name, second line password, third line user name, fourth line password, and so on.
[root@main ~]# cat temp_pass.txt
caocao
caomengde
xiaocaocao
xiaocaomengde
Use the db_load command to generate the authentication file. The problem I encountered was that the local machine did not have the db_load command. The answer I found on the internet was that the DB4 rpm package was missing. I thought it too troublesome to install every rpm package starting with db4 from the disc, so I used the yum -y install db4* command, after which db_load was installed.
[root@main ~]# db_load -T -t hash -f temp_pass.txt /etc/vuser.db
Set the database file permissions and delete the password file.
[root@main ~]# chmod 600 /etc/vuser.db
[root@main ~]# rm temp_pass.txt
Create the PAM configuration file required by the virtual user.
[root@main ~]# vi /etc/pam.d/ftpuser.vu
# Add the following content
auth required /lib/security/pam_userdb.so db=/etc/vuser
account required /lib/security/pam_userdb.so db=/etc/vuser
Add a new system user for the virtual users to map to; consider giving it nologin.
[root@main home]# useradd vuserftp
Modify the vsftpd.conf configuration file: change these items if they are present, add them if not.
guest_enable=YES
guest_username=vuserftp
pam_service_name=ftpuser.vu
Restart vsftpd and check whether you can log on as caocao with the password caomengde (ftp://caocao:caomengde@ftp). If there are minor issues at this point, consider the directory permissions below.
10. Try assigning permissions to virtual users.
Modify the vsftpd configuration file, then create and enter this folder.
user_config_dir=/etc/vuserftp/
[root@main vuserftp]# mkdir /etc/vuserftp/
[root@main vuserftp]# cd /etc/vuserftp/
Create a per-user configuration file for the virtual user's permissions.
[root@main vuserftp]# vi caocao
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/home/vuserftp/caocao
Create the virtual user's directory and set its ownership.
[root@localhost ~]# mkdir /home/vuserftp/caocao
[root@localhost ~]# chown vuserftp /home/vuserftp/caocao/
11. I followed this tutorial to review the FTP logon process for virtual users. The configuration files and permissions shown are rough because they were only used in experiments; you can optimize and streamline them yourself.
[root@localhost ~]# ll /home/vuserftp/
total 4
drwxr-xr-x 2 root 4096 Mar 30 09:47 caocao
[root@localhost ~]# grep -v '#' /etc/vsftpd.conf
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen=YES
guest_enable=YES
guest_username=vuserftp
pam_service_name=ftpuser.vu
user_config_dir=/etc/vuserftp/
[root@localhost ~]# rpm -qa | grep db4-
db4-java-4.3.29-9.fc6
db4-devel-4.3.29-9.fc6
db4-tcl-4.3.29-9.fc6
db4-4.3.29-9.fc6
db4-utils-4.3.29-9.fc6

[root@localhost ~]# cat /etc/passwd | grep vuserftp
vuserftp:x:500:500::/home/vuserftp:/bin/bash (can be changed to nologin)
[root@localhost ~]# cat /etc/pam.d/ftpuser.vu
auth required /lib/security/pam_userdb.so db=/etc/vuser
account required /lib/security/pam_userdb.so db=/etc/vuser

vsftpd configuration file /etc/vsftpd.conf explained:

anonymous_enable=YES
Whether anonymous users may access the system. An anonymous user is mapped to the ftp user, whose home directory is /var/ftp, so anonymous sessions land in /var/ftp. (Do not change the permissions of this directory; if they are changed, the directory may become inaccessible.)
 
local_enable=YES
Whether local users may log on to FTP. After logon the user's home directory is used, but users with a uid below 500 are not allowed to log on.
 
write_enable=YES
Whether local users have upload permission.
 
local_umask=022
The reverse mask applied to files uploaded by local users. The effective permission an FTP user has on a file is the intersection of the permissions on the directory being accessed and the permissions on the file itself.
 
anon_upload_enable=YES
Allow anonymous users to upload files.
 
anon_mkdir_write_enable=NO
Whether anonymous users may create directories.
 
anon_other_write_enable=NO
Whether anonymous users may delete and rename files.
 
anon_world_readable_only=NO
Anonymous users can only download world-readable files, that is, files on which other users (not only the owner and group) have read permission.
 
dirmessage_enable=YES
Show a welcome message when the user changes directory. The message is defined in a .message file in the home directory.
 
xferlog_enable=YES
Enable the transfer log?
 
connect_from_port_20=YES
Whether to use port 20 for data transfers, which works in active mode.
 
chown_uploads=YES
chown_username=whoever
Whether to change the owner of uploaded files, and to which user.
 
xferlog_file=/var/log/xferlog
Defines the location of the transfer log. The default is /var/log/messages.
 
xferlog_std_format=YES
Defines the log format.
 
idle_session_timeout=600
Session timeout.
 
data_connection_timeout=120
Data connection timeout.
 
nopriv_user=ftpsecure
Specify an unprivileged account for the FTP server to run as, fully isolated and without privileges. Generally not enabled.
 
async_abor_enable=YES
Whether to honour the special FTP command "async ABOR"; generally not enabled.
 
ascii_upload_enable=YES
ascii_download_enable=YES
Transfer in ASCII mode; generally not enabled.
 
ftpd_banner=Welcome to blah FTP service.
Welcome message shown at FTP logon.
 
deny_email_enable=YES
banned_email_file=/etc/vsftpd/banned_emails
Whether anonymous users are prohibited from using certain e-mail addresses. If the path and file name of the banned e-mail addresses are given, DoS attacks can be prevented.
 
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Users listed in this file are locked into their directory after logon and cannot switch out of it. This is important for system security.
 
chroot_local_user=YES
All logged-on users are locked into their home directories and cannot switch out of them.
 
ls_recurse_enable=YES
Recursive listing is supported when viewing directories on the FTP server.
 
listen=YES
Run as an independent (standalone) daemon.
 
listen_ipv6=YES
Enable listening on IPv6 addresses?
 
pam_service_name=vsftpd
Define PAM authentication for FTP users; authentication follows the definitions in /etc/pam.d/vsftpd.
 
userlist_enable=YES
Whether to enable the user list and only allow logon by the users in /etc/vsftpd/user_list.
 
userlist_deny=YES
Enable the user list and deny logon to the users defined in /etc/vsftpd/user_list.
 
tcp_wrappers=YES
Whether vsftpd access is controlled by tcp_wrappers.
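As an added example (not from the original page), the following POSIX shell script reads a vsftpd.conf and flags the option combinations described above that a reviewer would question: anonymous write access, local users without chroot, chmod_enable left on, no user_list restriction, and transfer logging off. The sample configuration it audits is constructed inline, and the defaults it assumes for unset keys are vsftpd's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf against
# the option semantics described above and print one finding per line;
# the function's exit status is the number of findings. The sample
# config is constructed inline for the demo.

# get_opt FILE KEY -> value of KEY, or "" if unset (last definition wins)
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# opt_is FILE KEY DEFAULT EXPECTED -> true if KEY (DEFAULT if unset) equals EXPECTED
opt_is() {
    v=$(get_opt "$1" "$2"); [ -n "$v" ] || v=$3
    [ "$v" = "$4" ]
}

# audit_vsftpd_conf FILE -> prints findings, returns their count
audit_vsftpd_conf() {
    f=$1; n=0
    # Defaults are vsftpd's own (anonymous_enable=YES, chmod_enable=YES,
    # xferlog_enable=NO, the rest NO); distro configs often override them.
    if opt_is "$f" anonymous_enable YES YES; then
        opt_is "$f" anon_upload_enable NO YES && { echo "anonymous upload enabled"; n=$((n+1)); }
        opt_is "$f" anon_mkdir_write_enable NO YES && { echo "anonymous mkdir enabled"; n=$((n+1)); }
        opt_is "$f" anon_other_write_enable NO YES && { echo "anonymous delete/rename enabled"; n=$((n+1)); }
    fi
    if opt_is "$f" local_enable NO YES; then
        opt_is "$f" chroot_local_user NO NO && ! opt_is "$f" chroot_list_enable NO YES &&
            { echo "local users are not chrooted to their home"; n=$((n+1)); }
        opt_is "$f" chmod_enable YES YES && { echo "clients may chmod files (chmod_enable)"; n=$((n+1)); }
        opt_is "$f" userlist_enable NO NO && { echo "no user_list restriction on local logins"; n=$((n+1)); }
    fi
    opt_is "$f" xferlog_enable NO NO && { echo "transfer logging disabled"; n=$((n+1)); }
    return $n
}

# Constructed sample config with the risky defaults left in place.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
EOF
audit_vsftpd_conf "$CONF" || echo "$? finding(s)"
```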
 
6. Use tcp_wrappers to control vsftpd:
First, make sure "tcp_wrappers=YES" is enabled in the vsftpd main configuration file.
 
Allow access from the 192.168.0 network segment:
# vim /etc/hosts.allow
Add:
vsftpd: 192.168.0.
Deny access from the 172.16.30 network segment:
# vim /etc/hosts.deny
Add:
vsftpd: 172.16.30.
