Directory
1. vsftpd, commonly used FTP server suite;
2. FTP user management explanation;
3. Install vsftpd;
4. Start and Stop vsftpd servers;
5. Relationship between vsftpd servers and firewalls and SELinux;
6. 500 Oops: vsftpd: refusing to run with writable Anonymous root
7. Description of the vsftpd configuration file;
8. Implementation of some common vsftpd server functions;
++ ++
Body
++ ++
1. vsftpd, commonly used FTP server suite;
Vsftpd is one of the most popular FTP server programs in the Linux release. It features little, light, and secure and easy to use. It can give full play to and master its own characteristics, however, the most important thing is to use it;
Currently, the ftpd suites commonly used in open-source operating systems mainly include ProFTPD, pureftpd and wuftpd. Which FTP server suite is better, which one is the most familiar to you, and which one is the best;
2. FTP user management explanation;
The FTP server manages users according to/etc/passwd and/etc/group by default.
So we must understand the management of Linux users and user groups. User and user group management is the foundation of all applications, I want to build a better architecture.
It turns out that this learning method is the most unwise for various servers. Although you may have started the FTP server in a few minutes, you may not be able to know what went wrong when you encounter problems; therefore, the foundation is extremely heavy.
Yes;
Recommended articles:Linux User and user group management overview
2.1 anonymous ftp users and user groups;
When we access various major FTP sites, we may not think about the identity of us to log on, if his FTP allows anonymous login; for example, we enter in the browser;
Ftp://mirrors.kernel.org
Or
FTP: // ftp: ftp@mirrors.kernel.org
We will find that the above two rows can finally be accessed, and the display results are exactly the same, eventually jump to the ftp://mirrors.kernel.org
Address; do we have a user and password when accessing this ftp? Yes, it is also necessary, but only on the server side to allow anonymous access, while the username and password for anonymous access are both FTP, But we
Because of anonymous access, he does not feel that he has a user name and password. The second address is accessed by an FTP user and the password is also FTP.
Ftp://mirrors.kernel.org;
If we use the FTP command to connect to mirrors.kernel.org, we will find that we need to enter the user FTP and password FTP to access;
On the FTP server, the anonymous user name and password are both FTP. This user can be found in/etc/passwd in your operating system. There may be a line similar to the following;
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
Note:
/Etc/passwd is the configuration file of the System user./etc/group is the configuration file of the System user group) management overview and related documents to learn some basic user management knowledge;
In the FTP user line, we can see seven fields, each of which is separated by a number;
FTP is the user name
X is the password field, which is hidden;
14 is the UID field of the user. You can set it by yourself. Do not use the same UID as other users. Otherwise, system security problems may occur;
50 use the GID of the user group, which can be set by yourself. Do not share the ftp gid with other user groups; otherwise, the system will be completely faulty;
FTP user is a user Description field;
/Var/FTP is the home directory of FTP users and can be defined by yourself;
/Sbin/nologin this is the user login shell, which can also be defined,/sbin/nologin
It indicates that you cannot log on to the system. The system virtual account (also known as a pseudo-user) is generally set in this way. For example, change/sbin/nologin of an FTP user to/bin/bash.
In this way, the FTP user logs on to the system as a real user through SSH or telnet, a local or remote tool. This is not safe for the system; if you think a user does not need to log on
After logging to the system, you can grant only the FTP account permissions, that is, only the FTP permissions to the user, rather than setting his shell to/bin/bash;
Understanding of the FTP user group:
When we look at/etc/group, we will find such a line;
ftp:x:50:
/Etc/group is the management configuration file of the user group. The above line indicates the user group FTP, X indicates the password segment, and 50 indicates the GID; we know from the ftp line in/etc/passwd that the FTP user belongs to the FTP user group, because the GID in the FTP user row is the same as the GID in the FTP user group;
2.2 can anonymous ftp users and FTP user groups be deleted?
In general, you cannot delete ftp users and user group rows in/etc/passwd and/etc/group, because the FTP server requires them to manage ftp users, by default.
Although it cannot be deleted, some related ftp users and FTP user groups in/etc/passwd and/etc/group can be modified. For example, we can
Change the user's home directory, or change the FTP user's uid ......
The premise is that you understand user management. system user management is one of the foundations of all applications. Maybe new Linux beginners do not understand the importance of user management, but you will find this truth slowly;
3. Install vsftpd;
Vsftpd software packages are included in the latest installation disks of various major release editions. you can install them using the software package management tools provided by the corresponding release editions; of course, you can go to the FTP images of various major releases
Find the vsftpd software package. Of course, you can also use the software package management tool to install it online. The vsftpd software package is not large, and it will not take long. It will take two minutes. This is because this article is taught by beginners.
, I strongly recommend that you use the software provided by the release to install it. We do not recommend you compile the source code package by yourself;
If you are using a fedora or RedHat system, you can use the following command to install it online;
[root@localhost ~]# yum install vsftpd
For Debian systems, you can use apt for online installation;
[root@localhost ~]# apt-get install vsftpd
If you are an RPM system, you can also find the vsftpd-xxxx.rpm package to install through the RPM command;
[root@localhost ~]# rpm -ivh vsftpd*.rpm
You can download the source package to install
For example, we download the vsftpd-2.0.3.tar.gz;
[root@localhost ~]# tar zxvf vsftpd-2.0.3.tar.gz
[root@localhost ~]# cd vsftpd-2.0.3
[root@localhost ~]# make ;make install
[root@localhost ~]# cp vsftpd.conf /etc
Modify/etc/vsftpd. conf and add the following line to the last line of the configuration file;
listen=yes
If your system is an RPM package-managed system, you can delete the/etc/xinetd. d/vsftpd file and start the xinetd server;
[Root @ localhost ~] #/Etc/init. d/xinetd restart
Stop xinetd: [OK]
Start xinetd: [OK]
Vsftpd runs in two modes. In RPM package management, most of the systems are retried by fedora/RedHat.
After development, there is an xinted server for such a system; for systems with non-RPM package management, there is generally no xinted. We do not use this document to ensure consistency.
In xinetd mode, the initd running mode is used to start and manage the server, that is, the independent running mode. What is the xinted and inted modes, you can refer to "use vsftpd to install a server on a Linux Network"
4. Start and Stop vsftpd servers;
It is very easy to start and shut down vsftpd servers. We can directly transfer the server operation to the backend for running. This is the operation mode managed by almost all servers;
4.1. Common vsftpd server startup and shutdown Methods;
To run the vsftpd command, you must use the root permission. If you are not the root user, you can use Su to switch to the root permission, one is Su and the other is sudo;See:Control of super permissions in Linux
Run the vsftpd server;
[root@localhost ~]# /usr/sbin/vsftpd &
[root@localhost ~]# /usr/local/sbin/vsftpd &
Whether the vsftpd server is running;
We can use pgrep vsftpd to check whether vsftpd is running;
[root@localhost ~]# pgrep vsftpd
4248
The above shows that the vsftpd server is running. You can test the connection by using FTP commands, lftp tools, gftp, or other FTP clients;
Disable the vsftpd Server:
We use pkill vsftpd to kill the vsftpd process. In this way, we disable vsftpd and use psgrep vsftpd to view the process. If no process exists, it indicates that vsftpd has been disabled. Of course, we also need to use the root permission.
[root@localhost ~]# pkill vsftpd
[root@localhost ~]# pgrep vsftpd
4.2 enable or disable the vsftpd server in fedora/RedHat/centos:
In fedora/RedHat/centos, you can also use the following method to start vsftpd; of course, you also need to use the root permission;
[Root @ localhost beinan] #/etc/init. d/vsftpd start
Start vsftpd For vsftpd: [OK]
Restart vsftpd with the following command;
[Root @ localhost beinan] #/etc/init. d/vsftpd restart
Disable vsftpd: [OK]
Start vsftpd For vsftpd: [OK]
To disable the vsftpd server, run the following command;
[Root @ localhost beinan] #/etc/init. d/vsftpd stop
Disable vsftpd: [OK]
5. Relationship between vsftpd servers and firewalls and SELinux (important)
On the forum, I saw some brothers say that the vsftpd server is normal, but it cannot be accessed or the user cannot upload files. I think it should be a firewall or SELinux thing; maybe FTPD server
The server is protected by the firewall or SELinux security mechanism. Therefore, you must have the firewall over FTP, and SELinux over the FTP server;
In fedora/RedHat/centos, you need to set up a firewall, you can turn off the firewall, or in the custom, let the ftp "through" firewall;
[root@localhost ~]# system-config-securitylevel-tui
Or run the following command to clear firewall rules (common );
[root@localhost beinan]# iptables -F
The explanation of SELinux server may be difficult for veteran or novice users. We recommend that you use SELinux or allow the vsftpd server to skip SELinux startup.4.1. Common vsftpd server startup and shutdown Methods;This is effective when the vsftpd server is started in fedora/RedHat/centos;
Of course, you can also disable SELinux. The configuration file in/etc/SELinux/config is as follows;
/Etc/SELinux/config
# This file controls the state of SELinux on the system.
# SELinux = can take one of these three values:
# Enforcing-SELinux security policy is enforced.
# Permissive-SELinux prints warnings instead of enforcing.
# Disabled-SELinux is fully disabled.
SELinux = disabled # in this way, The SELinux server is turned off. restart the system;
# Selinuxtype = type of policy in use. Possible values are:
# Targeted-only targeted network daemons are protected.
# Strict-full SELinux protection.
Selinuxtype = targeted
6. 500 Oops: vsftpd: refusing to run with writable Anonymous root
If we have started the vsftpd server, but the logon test will show a message similar to the following;
500 Oops: vsftpd: refusing to run with writable Anonymous root
This indicates that the permissions on the home directory of the FTP user are incorrect and should be changed;
[root@localhost ~]# more /etc/passwd |grep ftp
ftp:x:1000:1000:FTP User:/var/ftp:/sbin/nologin
We found that the FTP user's home directory is in/var/FTP, which is caused by incorrect/var/FTP permissions. the permissions of this directory cannot be opened; it is because you have run chmod 777/var/ftp. If you do not have an FTP user's home directory, you must create one by yourself;
The Home Directory of the following ftp users cannot be fully open to all users, user groups, and other user groups;
[root@localhost ~]# ls -ld /var/ftp
drwxrwxrwx 3 root root 4096 2005-03-23 /var/ftp
The following method should be used to correct this error;
[root@localhost ~]# chown root:root /var/ftp
[root@localhost ~]# chmod 755 /var/ftp
Some may say, What should I do if anonymous users are readable, downloadable, and uploadable? This is also simple. You can create a directory under/var/FTP and set the permission to 777. Then you can change vsftpd. conf to OK. There is no difficulty;
For security considerations, vsftpd does not allow ftp users' home directory permissions to be completely unrestricted. You can read the vsftpd documentation to understand it; otherwise, it cannot be called the safest FTP server, right?
7. Description of the vsftpd configuration file;
Vsftpd. conf is the configuration file of the vsftpd server. This file is generally/etc/vsftpd. conf or/etc/vsftpd. conf. Refer to the system ..
Vsftpd. the conf configuration file is the global control file of the vsftpd server. In this configuration file, each line should be regarded as a rule. The server with the # sign above will not explain it, which is similar to the Apache configuration file; # The subsequent content is generally descriptive, or the option to turn off some features;
Vsftpd. conf
This configuration file does not include all the functions you want to implement. For some functions, we need to do it by ourselves. We need to learn to check vsftpd documents and FAQs, although in English, but both are compared
Simple. Why should we get used to reading foreign documents? Because Linux is already a great foreigner, and most important software is foreign. Don't complain, bro. who left us behind?
Note:After modifying the configuration file, you must restart the vsftpd server to take effect ~~
8. Implementation of some common vsftpd server functions;
8.1. Implementation of anonymous upload/download;
Anonymous upload is actually relatively simple. First, we need to modify vsftpd. conf, which is located in the/etc/directory. It may be/etc/vsftpd. conf, or/etc/vsftpd. CONF file. Your system environment shall prevail;
First, we need to change vsftpd. conf to make sure there are the following lines;
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=022
Second, create a folder under the FTP user's home directory and change its permissions to fully open;
Where is the home directory of an FTP user? As we have already said, you can view it through/etc/passwd; you can also view it through finger FTP;
[root@localhost beinan]# finger ftp
Login: ftp Name: FTP User
Directory: /var/ftp Shell: /sbin/nologin
This indicates that the FTP user's home directory is in/var/ftp
, We need to create a directory under this directory, and then set its permissions to readable, writable, and executable by any user. In general, in the release version, there is a/var/FTP/pub object
If not, you can create one by yourself. After modifying the configuration file, you only need to open the permission for any directory under/var/FTP, can be used for anonymous upload and download;
For example, if you want anonymous users to upload and download files in/var/FTP/pub, you can open the/var/FTP/pub permission. If you do not have this directory, you must create one by yourself;
[root@localhost ~]# mkdir /var/ftp/pub
[root@localhost ~]# chmod 777 /var/ftp/pub
In this way, it is OK to upload the data to the pub directory during the upload, right ??
8.2 examples of adding local users and enabling read/write permissions;
FTP users generally cannot log on to the system, which is also for security. In the system, users who do not have the permission to log on to the system are also known as virtual users. Virtual users also need to be written into/etc.
/Passwd; this is only a virtual user method, but it is not a real virtual user, but the permission to log on to the shell is removed, therefore, he cannot log on to the system;
If we want to locate the beinan user directory in the/opt/beinan directory and cannot log on to the system, we should perform the following operations:
[root@localhost ~]# adduser -d /opt/beinan -g ftp -s /sbin/nologin beinan
[root@localhost ~]# passwd beinan
Changing password for user beinan.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
In fact, this is not enough. We need to change the configuration file vsftpd. conf to ensure that the local virtual user has the read and write permissions;
local_enable=YES
write_enable=YES
local_umask=022
8.4. How to implement a virtual path?
For example:
/Home/A ing is FTP: // localhost/
/Home/B/C is set to FTP: // localhost/C
In fact, this cannot be said to be the content of vsftpd. In fact, we have been using it for a long time. We may not have noticed it. We can implement it through the following methods.
[Root @ localhost ~] # Mount -- bind [original directory] [new directory]
For example, if my default FTP directory is/var/FTP, I want to map the/mnt/ling/winsoft folder to the/var/FTP directory. I will perform the following operations:
Create a directory in the/var/FTP directory first.
[root@localhost ~]# mkdir /var/ftp/WinSoft
Run the mount command.
[root@localhost ~]# mount --bind /mnt/LinG/WinSoft /var/ftp/WinSoft
In this case, OK.
8.5 enable the log function of the vsftp server;
Correct # In Front Of xferlog_file below, that is, enable the log function of vsftp, so that we can view vsftpd. log in the/var/log directory. This is the log function of vsftp, which is extremely important for us.
xferlog_file=/var/log/vsftpd.log
8.6. How to customize the welcome information;
How to customize the welcome information, that is, after we log on to some FTP, there will be a similar: Welcome to linuxsir FTP, here, you will get the most sincere help, if you have any questions or suggestions, please send me a letter. Thank you.
It is not difficult to implement this. We can check whether this line exists in the vsftpd. conf file.
dirmessage_enable=YES
message_file=.message
If no, add it. If there is a # sign before dirmessage_enable = Yes, remove the # sign. In fact, the default FTP information is. Message, so it can be specified without message_file =. It doesn't matter if you specify it yourself;
Then, we create a. Message file and write what you want to write. For example, the content of. message is as follows:
-- Welcome to linuxsir FTP!
-- Here, you will get the most sincere help;
-- If you have any questions or suggestions, please send me a letter. Thank you.
We can use the editor to write this. message. I don't need to talk about this process.
Then we copy the. Message file to the Home Directory of each user. For example, if one of my FTP users is beinan and the Home Directory of this user is/opt/beinan
We need to put. message in the/opt/beinan directory. If the system user FTP, his directory is/var/FTP, This is the default, when anonymous
The/var/FTP directory is accessed during user login. We want anonymous users to see the welcome information. Put. message in the/var/FTP directory. Other users are nothing more
Is a similar operation.
8.7 If hard disk space is limited, How can I change the default home directory of the FTP account to another place?
My hard disk space is limited. How can I change the default FTP path/var/FTP of my account to another place? Or, all my Linux directories are placed in the/root partition. Due to space shortage, can I put the default path of the FTP user to another partition ??
For FTP user management, we should check/etc/passwd and then modify the FTP user line;
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
For example, to change the Home Directory of an FTP user to/opt/FTP
ftp:x:14:50:FTP User:/opt/ftp:/sbin/nologin
Then we will create a new home directory for FTP users;
[root@localhost ~]# mkdir /opt/ftp
[root@localhost ~]# chmod 755 /opt/ftp
[root@localhost ~]# chown root:root /opt/ftp
If the default FTP disk space is insufficient, we can also use the virtual path ing method, that is, the Mount-bind method. Depending on the situation, which method is best;
8.8. How can I limit the number of connections on the vsftp server and the maximum number of connections per IP address?
Modify the vsftpd server configuration file vsftpd. conf and add the following two lines:
Max_clients = Number
Max_per_ip = Number
Example:I want my vsftp to support a maximum of 100 connections. Each IP Address can support up to five connections. Therefore, I should add the following two lines in vsftpd. conf:
max_clients=100
max_per_ip=5
After modifying the configuration file, do not forget to start the vsftp server.
8.9. How do I limit the transmission speed?
Anon_max_rate = Number
Note: This is an anonymous speed.
Local_max_rate = Number
Note: This is the speed of local users on the vsftp server.
Note: The unit of this number is byte, so we need to calculate it. For example, if I want Anonymous Users and vsftp users to download data at 80 KB, the number should be 1024x80 = 81920.
Therefore, we need to add the following two lines to vsftpd. conf:
anon_max_rate=81920
local_max_rate=81920
8.10. How can I restrict users to the home directory?
We need to create a file by ourselves in the/etc directory or in the/etc/vsftpd directory (If your vsftpd configuration files are all in this directory );
#touch /etc/vsftpd.chroot_list
Beinan and NanBei users are restricted to their home directories, while other ftp users do not.
In the vsftpd. chroot_list file, add beinan and NanBei. Note that each user occupies one row.
beinan
nanbei
Modify the/etc/vsftpd. conf file and find the following two lines:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
If there are no such two rows, you can add them by yourself.
After the configuration, restart the vsftpd server.
Supplement 1: How to restrict all ftp users in the system to the home directory ?? As prompted by juliaugong, I found the foreign description of vsftpd, proving that this option is a one-size-fits-all solution. All users can restrict access to the home directory.
You can add the following line by changing the vsftpd. conf file:
chroot_local_user=YES
After modifying the configuration file, do not forget to restart the vsftpd server;
8.11. How can I bind an IP address to vsftpd?
How can I bind an IP address to vsftpd? That is to say, how can users access FTP only through an IP address. In fact, this function is very interesting. If you are bound to an intranet IP address, there is no way to access the outside. If the IP address of the external service is bound, the Intranet can only access the FTP through the IP address of the external service.
Add a line in vsftpd. conf. Take my lan as an example. Please refer to the operating environment in the first post, so that the Internet cannot access my FTP, and the Intranet may also access FTP through 192.168.0.2;
listen_address=192.168.0.2Source: http://www.linuxsir.org/main? Q = node/152Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
