Install vsftpd on CentOS

Source: Internet
Author: User
Tags: ftp, login, ftp client

1. To test and understand vsftpd, install it from the RPM package.

Install vsftpd: rpm -qa | grep vsftpd (check whether it is already installed); rpm -ivh vsftpd-1.1.3-8.i386.rpm

Start/stop: service vsftpd start/stop/restart

Check the process: ps -A | grep vsftpd

 

First
rpm -qa | grep vsftpd --------- check whether it is installed. If not, install it. I use yum.
yum install vsftpd
See:
[root@FTP sbin]# yum install vsftpd
[root@FTP sbin]# service vsftpd status
vsftpd is stopped
[root@FTP sbin]# service vsftpd start
Starting vsftpd for vsftpd: [ OK ]

[root@FTP sbin]#

2. Start the service automatically at every boot, and start it manually now:
chkconfig vsftpd on
service vsftpd start
netstat -tl shows whether the FTP port is listening.

Related configuration file: /etc/vsftpd.conf

 

3. FTP now works with the default configuration.
4. To configure FTP further, refer to the following settings:

Host settings
connect_from_port_20=YES (NO)
Whether active-mode data connections are opened from server port 20.
listen_port=21
The port of the vsftpd command channel. Change this setting only if you want a non-standard FTP port.
dirmessage_enable=YES (NO)
When a user enters a directory, display the message file kept in that directory.
The file defaults to .message; the next setting changes the name.
message_file=.message
When dirmessage_enable=YES, this is the file vsftpd looks for in each directory and shows as the message. Any other file name can be set.
listen=YES (NO)
If YES, vsftpd runs in standalone mode.
pasv_enable=YES (NO)
Set to YES to allow passive mode.
use_localtime=YES (NO)
Whether to use the host's local time. The default is GMT (Greenwich Mean Time).
write_enable=YES (NO)
Whether users may write data at all. This covers deleting and modifying files as well.
connect_timeout=60
In seconds. If a client takes longer than 60 seconds to connect to the vsftpd command channel,
the connection is dropped instead of waiting.
accept_timeout=60
When passive (PASV) mode is used for data transfer, if the host has opened the passive
port and the client does not connect within 60 seconds, the connection is dropped.
data_connection_timeout=300
If a data transfer between client and server makes no progress for 300 seconds,
vsftpd drops the client.
idle_session_timeout=300
If the user issues no command for 300 seconds, the session is closed.
max_clients=0
When vsftpd runs in standalone mode, the maximum number of clients connected at the same time (0 means unlimited).
max_per_ip=0
The maximum number of simultaneous connections allowed from one IP address (0 means unlimited).
connect_from_port_20=YES
Use the standard port 20 for data connections.
listen_address=192.168.0.2
Bind to one IP address; the service cannot be reached on the host's other addresses.

Anonymous login settings
anonymous_enable=YES (NO)
Allow anonymous logins to the vsftpd host. The default is YES.
All of the anon_* settings below only take effect when anonymous_enable=YES.
anon_world_readable_only=YES (NO)
Anonymous users may only download files that are world-readable. The default is YES.
anon_other_write_enable=YES (NO)
Allow anonymous users to write data (delete, rename)? The default is NO. If you set it to
YES, you also need to adjust directory permissions so that the user the vsftpd
process runs as can write there.
anon_mkdir_write_enable=YES (NO)
Allow anonymous users to create directories? The default is NO. If you set it to
YES, anon_other_write_enable must also be YES.
anon_upload_enable=YES (NO)
Allow anonymous users to upload data? The default is NO. If you set it to
YES, anon_other_write_enable=YES must also be set.
no_anon_password=YES (NO)
If YES, anonymous users skip the password prompt and go straight into the vsftpd server.
For that reason the default is NO.
anon_max_rate=0
Limits the transfer speed of anonymous users, in bytes/second. 0 means no limit
(only the available bandwidth applies). To limit anonymous users to about 30 KB/s, set
anon_max_rate=30000
anon_umask=077
The umask applied to files uploaded by anonymous users. With 077, an uploaded file
gets the permissions -rw-------

Local user login settings
local_enable=YES # default NO
local_umask=022
When userlist_deny=NO, only the users listed in /etc/vsftpd/user_list can log in to FTP.
When userlist_deny=YES (the default), the users listed in /etc/vsftpd/user_list cannot log in to FTP.
/etc/vsftpd/ftpusers: the users listed in this file are always denied FTP login.

guest_enable=YES (NO)
If YES, every non-anonymous login is treated as a guest account.
local_enable=YES (NO)
This must be YES for the accounts in /etc/passwd to log in to the vsftpd host as real users.
local_max_rate=0
Transfer speed limit for real users, in bytes/second; 0 means unlimited.
chroot_local_user=YES (NO)
Confine all local users to their home directories (chroot). The vsftpd default is NO,
because the next two settings give finer control, so this one is usually left off.
chroot_list_enable=YES (NO)
Confine only some local users to their home directories? The default is NO.
If you want to keep certain users from leaving their home directories,
set this to YES and configure the next setting.
chroot_list_file=/etc/vsftpd.chroot_list
When chroot_list_enable=YES, this file lists the real users who are confined to
their home directories (chroot) and cannot leave them. One account per line.
userlist_deny=YES (NO)
If YES, accounts listed in the file named by the next setting cannot log in to
the vsftpd server.
userlist_file=/etc/vsftpd.user_list
When userlist_deny=YES, the accounts in this file cannot use vsftpd.

System security settings
ascii_download_enable=YES (NO)
If YES, clients can download files in ASCII mode.
Enabling this can be abused for denial of service, so set it to NO.
ascii_upload_enable=YES (NO)
Like the previous setting, but for uploads. The default is NO.
async_abor_enable=YES (NO)
Needed only if your FTP client issues the "async ABOR" command.
This setting is generally considered unsafe, so it is usually left disabled.
check_shell=YES (NO)
If you want users with an unusual shell (in the shell field of /etc/passwd) to use vsftpd, set this to NO.
xferlog_enable=YES (NO)
If YES, user uploads and downloads are logged. The log file is
set by the next setting:
xferlog_file=/var/log/vsftpd.log
When xferlog_enable=YES, this is the name of the log file.
xferlog_std_format=YES (NO)
Use the same log format as wu-ftpd? The default is NO, because vsftpd's own log format is
easier to read. Set YES if you have analysis software that expects wu-ftpd logs.
nopriv_user=nobody
vsftpd runs the service as the user nobody. Because nobody has very low
privileges, an attacker who compromises the service only gains nobody's permissions.
pam_service_name=vsftpd
The PAM service name; its configuration is in /etc/pam.d/vsftpd.

Example: enable real-user login only

1. Use local time instead of GMT;
2. All real accounts in /etc/passwd can log in to the vsftpd host;
3. However, system accounts (root and accounts with a UID below 500) cannot use vsftpd;
4. The users user1 and user2 are locked into their home directories (chroot);
5. Data transfer speed is limited to 100 Kbytes/second;
6. When a user enters the /home directory, "hello" is shown on the client screen;
7. Users can upload, download, and modify files.

1. [root@test root]# vi /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)
# Host and security settings
use_localtime=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
tcp_wrappers=YES
# Anonymous settings
anonymous_enable=NO
# Real user settings
local_enable=YES
write_enable=YES
local_umask=022
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
local_max_rate=100000
2. Restrict the listed real users to their home directories (chroot)
[root@test root]# vi /etc/vsftpd.chroot_list
user1
user2
# Users not listed in this file may leave their home directories
# and browse other directories.

3. Use the PAM module to block certain accounts from logging in to the host.
[root@test root]# vi /etc/pam.d/vsftpd
# You will find a line like the following:
auth ...... file=/etc/vsftpd.ftpusers ....
# The file=... names the file listing the accounts the PAM module blocks.
You can also use userlist_file to block login for certain accounts.
[root@test root]# vi /etc/vsftpd.user_list
# Give this file the same contents as /etc/vsftpd.ftpusers above.

4. Set the message displayed when entering the directory:
[root@test root]# vi /home/.message
hello

Example: enable anonymous login only
1. Use local time instead of GMT;
2. Only anonymous login is enabled;
3. File transfer speed is limited to 30 Kbytes/second;
4. Anonymous users may upload files to /var/ftp/upload and create directories;
5. If a data connection (not the command channel) gets no response within 60 seconds, the client is disconnected;
6. If an anonymous user is idle for more than ten minutes, the session is disconnected;
7. Passive connection ports range from 65400 to 65420;
8. At most 50 concurrent users, and at most 5 concurrent users from the same source IP address;
9. No uploads or downloads in ASCII mode.

1. [root@test root]# vi /etc/vsftpd.conf
# Host security settings
use_localtime=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
data_connection_timeout=60
idle_session_timeout=600
max_clients=50
max_per_ip=5
ascii_upload_enable=NO
ascii_download_enable=NO
connect_from_port_20=YES
pasv_min_port=65400
pasv_max_port=65420
pam_service_name=vsftpd
tcp_wrappers=YES
nopriv_user=ftp

# Anonymous settings
anonymous_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES
deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails
anon_max_rate=30000
# Real user settings
local_enable=NO

2. Create the upload directory

# Because nopriv_user is set to ftp, the upload directory must be owned by ftp
[root@test root]# mkdir -p /var/ftp/upload
[root@test root]# chown ftp /var/ftp/upload

Restricting logged-in users to their home directories only
To chroot all local users:
chroot_local_user=YES (every local account is confined to its own home directory)
To chroot only specified users:
chroot_list_enable=YES (the accounts in the list file are chrooted)
chroot_list_file=/any chosen path/vsftpd.chroot_list
Note: vsftpd.chroot_list does not exist by default and must be created by hand. To control an account, add it directly to the file.

Restricting which local users can access FTP
userlist_enable=YES (use user_list to restrict user access)
userlist_deny=NO (only the users in the list are allowed to access; with YES, the listed users are denied)
userlist_file=/path where the file is stored/ (the location of the list file)
Note: with userlist_enable=YES, anonymous accounts cannot log in.
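As an added example (not from the page or the vsftpd project), the following Python script parses a vsftpd.conf and flags the settings discussed above: ASCII transfer modes, anonymous write access together with anon_umask, chroot and user_list for local users, and connection limits in standalone mode. The option names are vsftpd's own; the checks, their messages and the SAMPLE config are this example's assumptions.

```python
# Added example, not from the page: lint a vsftpd.conf for the settings the
# page flags as risky. Option names are real vsftpd ones; checks are my own.

def parse_vsftpd_conf(text):
    """Return {option: value}; '#' lines and blank lines are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        option, _, value = line.partition("=")
        conf[option.strip().lower()] = value.strip()
    return conf

def is_yes(conf, option, default="NO"):
    return conf.get(option, default).upper() == "YES"  # YES/NO, any case

def audit_vsftpd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for opt in ("ascii_download_enable", "ascii_upload_enable"):  # DoS risk
        if is_yes(conf, opt):
            findings.append(f"{opt}=YES: ASCII mode should be NO")
    # Anonymous write access; vsftpd's default anon_umask is 077 (-rw-------).
    if is_yes(conf, "anonymous_enable", default="YES"):
        writers = [o for o in ("anon_upload_enable", "anon_mkdir_write_enable",
                               "anon_other_write_enable") if is_yes(conf, o)]
        if writers:
            findings.append("anonymous write access via " + ", ".join(writers))
            if conf.get("anon_umask", "077") != "077":
                findings.append(f"anon_umask={conf['anon_umask']}: uploads not owner-only")
    # Local users: confine them to their home directories and apply user_list.
    if is_yes(conf, "local_enable"):
        if not (is_yes(conf, "chroot_local_user") or is_yes(conf, "chroot_list_enable")):
            findings.append("local users not chrooted (chroot_local_user/chroot_list_enable)")
        if not is_yes(conf, "userlist_enable"):
            findings.append("userlist_enable is not YES: user_list is not applied")
    if is_yes(conf, "listen"):  # standalone mode: connection limits matter
        for opt in ("max_clients", "max_per_ip"):
            if conf.get(opt, "0") == "0":
                findings.append(f"{opt}=0: no connection limit")
    return findings

# Constructed sample modelled on the page's anonymous-only example.
SAMPLE = ("listen=YES\nanonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
          "anon_mkdir_write_enable=YES\nmax_clients=50\nmax_per_ip=5\nlocal_enable=NO\n")
```

Run audit_vsftpd_conf(open("/etc/vsftpd.conf").read()) on a real host to list the findings; an empty list means none of these checks fired.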
