Linux Network Services: the complete FTP guide (vsftpd)

Source: Internet
Author: User
Tags chmod mkdir file permissions webdisk

The options of /etc/vsftpd/vsftpd.conf explained in detail, grouped into categories so that they are easy to find and learn.


################ Anonymous user permission control ###############

anonymous_enable=yes # whether anonymous users may log in
no_anon_password=yes # do not ask anonymous users for a password at login

The following four directives control anonymous upload, download, creation, deletion and renaming of files and directories.
anon_upload_enable=(yes/no) # controls anonymous upload of files (not directories)
anon_world_readable_only=(yes/no) # controls anonymous download: when yes, only world-readable files can be downloaded
anon_mkdir_write_enable=(yes/no) # controls anonymous creation of directories
anon_other_write_enable=(yes/no) # controls anonymous deletion and renaming of files and directories

Note: anonymous downloads are performed as the user nobody, so the "other" permission bits of a file must include r for it to be downloadable. To give anonymous users upload and delete permissions you must also set:

write_enable=yes # global switch for write access (anonymous and local); it must be on for any upload to work
anon_root=(None) # home directory for anonymous users
anon_max_rate=(0) # transfer rate limit for anonymous users
anon_umask=(077) # umask applied to files uploaded by anonymous users (use 073 if uploaded files should be downloadable by anonymous users right away)
chown_uploads=yes # all anonymously uploaded files are chowned to chown_username
chown_username=whoever # user who becomes the owner of anonymously uploaded files


################ Local user permission control ###############

write_enable=yes # allow upload, delete and rename (global control)
local_umask=022 # umask for files uploaded by local users
userlist_enable=yes # users listed in the user list file are denied access
local_root # directory a local user is placed in after login
user_config_dir # directory of per-user configuration files, each file named after the account it applies to
download_enable # restricts download permission

chroot_list_enable=yes # when enabled, every user listed in chroot_list_file is locked into their root directory
chroot_list_file=/etc/vsftpd/chroot_list # file listing the restricted users

user_config_dir= # followed by the directory that holds the per-user configuration files; used to give different users different permissions.
# Add this line to vsftpd.conf, then create a configuration file for each user in that directory to give each user its own permissions.


Whether users can change out of their directory is controlled by the following three options.
chroot_list_enable=yes/no # whether to use the user list file named by chroot_list_file.
# When enabled, all users listed in chroot_list_file cannot leave their root directory. The default value is yes.

chroot_list_file=/etc/vsftpd/chroot_list # file listing the users locked into their home directories.

chroot_list_enable=yes
Combined with chroot_local_user=yes/no, this gives the following results:
1. chroot_list_enable=yes, chroot_local_user=yes: users listed in /etc/vsftpd.chroot_list can change to other directories; users not listed in the file cannot.
2. chroot_list_enable=yes, chroot_local_user=no: users listed in /etc/vsftpd.chroot_list cannot change to other directories; users not listed in the file can.
3. chroot_list_enable=no, chroot_local_user=yes: no user can change to other directories.
4. chroot_list_enable=no, chroot_local_user=no: every user can change to other directories.
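As an added example (not part of the original article), the following shell script applies these four combinations to a vsftpd.conf and chroot list and reports whether a given local user is confined; the configuration files it writes under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether a local user is chrooted under a given vsftpd.conf,
# following the four chroot_local_user / chroot_list_enable combinations.

# conf_get FILE KEY: print the value of KEY (vsftpd allows no spaces around '=').
conf_get() {
    grep -i "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# is_yes VALUE: vsftpd accepts YES, TRUE or 1 (any case) for boolean options.
is_yes() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_status CONF USER: print "confined" if USER cannot leave the chroot,
# "free" if USER may change to directories outside it.
chroot_status() {
    local_user=$(conf_get "$1" chroot_local_user)    # default NO
    list_enable=$(conf_get "$1" chroot_list_enable)  # default NO
    list_file=$(conf_get "$1" chroot_list_file)
    [ -n "$list_file" ] || list_file=/etc/vsftpd.chroot_list  # compiled-in default
    listed=no
    if is_yes "$list_enable" && [ -r "$list_file" ] && grep -qx "$2" "$list_file"; then
        listed=yes
    fi
    if is_yes "$list_enable"; then
        # The list holds the exceptions to whatever chroot_local_user says.
        if is_yes "$local_user"; then
            [ "$listed" = yes ] && echo free || echo confined
        else
            [ "$listed" = yes ] && echo confined || echo free
        fi
    else
        is_yes "$local_user" && echo confined || echo free
    fi
}

# Constructed sample files: alice is on the chroot list, bob is not.
demo_dir=$(mktemp -d)
printf 'alice\n' > "$demo_dir/chroot_list"
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
    "$demo_dir" > "$demo_dir/both_yes.conf"
printf 'chroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' "$demo_dir" > "$demo_dir/list_only.conf"
printf 'chroot_local_user=YES\n' > "$demo_dir/all_confined.conf"

for u in alice bob; do
    echo "both_yes:     $u -> $(chroot_status "$demo_dir/both_yes.conf" "$u")"
    echo "list_only:    $u -> $(chroot_status "$demo_dir/list_only.conf" "$u")"
    echo "all_confined: $u -> $(chroot_status "$demo_dir/all_confined.conf" "$u")"
done
```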


Here are some examples that I hope will be useful to you:

1. Upload only: no download, delete or rename.
cmds_allowed=FEAT,REST,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RMD,SIZE,STOR,TYPE,USER,ACCT,APPE,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST

For reference, the complete list of commands and what each one does:
cmds_allowed=ABOR,ACCT,APPE,CWD,CDUP,DELE,HELP,LIST,MODE,MDTM,MKD,NOOP,NLST,PASS,PASV,PORT,PWD,QUIT,REIN,RETR,RMD,RNFR,RNTO,SITE,SIZE,STOR,STAT,STOU,STRU,SYST,TYPE,USER

CWD  - change working directory
DELE - delete a remote file
LIST - list remote files (directory listing)
MKD  - make a remote directory
NLST - name list of remote directory
PWD  - print working directory
RETR - retrieve a remote file (download)
RMD  - remove a remote directory
RNFR - rename from
RNTO - rename to
STOR - store a file on the remote host (upload)


# ABOR - abort a file transfer
# CWD  - change working directory
# DELE - delete a remote file
# LIST - list remote files
# MDTM - return the modification time of a file
# MKD  - make a remote directory
# NLST - name list of remote directory
# PASS - send password
# PASV - enter passive mode
# PORT - open a data port
# PWD  - print working directory
# QUIT - terminate the connection
# RETR - retrieve a remote file (download)
# RMD  - remove a remote directory
# RNFR - rename from
# RNTO - rename to
# SITE - site-specific commands
# SIZE - return the size of a file
# STOR - store a file on the remote host (upload)
# TYPE - set transfer type
# USER - send username

# Less common commands:

# ACCT* - send account information
# APPE  - append to a remote file
# CDUP  - CWD to the parent of the current directory
# HELP  - return help on using the server
# MODE  - set transfer mode
# NOOP  - do nothing
# REIN* - reinitialize the connection
# STAT  - return server status
# STOU  - store a file uniquely
# STRU  - set file transfer structure
# SYST  - return system type

2. Download only: no upload, delete or rename. write_enable=no
3. Upload, delete and rename only: no download. download_enable=no

4. Download, delete and rename only: no upload.
cmds_allowed=FEAT,REST,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RMD,RNFR,RNTO,RETR,DELE,SIZE,TYPE,USER,ACCT,CDUP,HELP,MODE,NOOP,REIN,STAT,STRU,SYST
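Command lists like these are easy to get wrong, so here is an added shell helper (not from the original article) that reports which capabilities a cmds_allowed value grants; it is run against profile 1 above and against a constructed download-only list that mistakenly keeps APPE.

```shell
#!/bin/sh
# Added example: summarise which capabilities a vsftpd cmds_allowed value grants.
# vsftpd upper-cases received commands; the list is normalised to upper case here
# too so either spelling of an entry can be checked.

# has_cmd LIST CMD: true if CMD appears in the comma-separated LIST (stray spaces ignored).
has_cmd() {
    printf ',%s,' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' ')" | grep -q ",$2,"
}

# any_of LIST CMD...: true if at least one of the commands is allowed.
any_of() {
    list=$1; shift
    for c in "$@"; do
        has_cmd "$list" "$c" && return 0
    done
    return 1
}

# profile_caps LIST: print the granted capabilities, space separated, in a fixed order.
# RMD counts as delete (it removes directories) and SITE enables SITE CHMOD.
profile_caps() {
    caps=""
    any_of "$1" RETR           && caps="$caps download"
    any_of "$1" STOR APPE STOU && caps="$caps upload"
    any_of "$1" DELE RMD       && caps="$caps delete"
    any_of "$1" RNFR RNTO      && caps="$caps rename"
    any_of "$1" SITE           && caps="$caps chmod"
    any_of "$1" MKD            && caps="$caps mkdir"
    printf '%s\n' "${caps# }"
}

# Profile 1 from the article ("upload only"), exactly as listed.
UPLOAD_ONLY="feat,rest,cwd,list,mdtm,mkd,nlst,pass,pasv,port,pwd,quit,rmd,size,stor,type,user,acct,appe,cdup,help,mode,noop,rein,stat,stou,stru,syst"
# Constructed download-only list in which APPE was left in by mistake.
LEAKY_DOWNLOAD="CWD,LIST,PASS,PASV,PWD,QUIT,RETR,SIZE,TYPE,USER,APPE"

echo "upload only:    $(profile_caps "$UPLOAD_ONLY")"    # upload delete mkdir
echo "leaky download: $(profile_caps "$LEAKY_DOWNLOAD")" # download upload
```

Note that profile 1 still reports "delete" because RMD, which removes directories, is in the list.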


################## Virtual user settings ###################

Virtual users are authenticated through PAM.
pam_service_name=vsftpd # name of the PAM service to use; the default is vsftpd, i.e. /etc/pam.d/vsftpd.

check_shell=yes # (note: only meaningful in builds without PAM; checks that the user has a valid shell before allowing login)
guest_enable=yes/no # enable virtual users. The default value is no.
guest_username=ftp # local account that virtual users are mapped to. The default value is ftp.
virtual_use_local_privs=yes/no # when yes, virtual users get the same permissions as local users;
# when no, virtual users get the same permissions as anonymous users. The default is no.


################## Access control settings ###################

There are two kinds of control: host-based access control and user-based access control.

1. Host access control:
tcp_wrappers=yes/no

Sets whether vsftpd uses TCP wrappers for host access control. The default value is yes. When enabled, the vsftpd server checks /etc/hosts.allow and /etc/hosts.deny to decide whether the host requesting the connection may access the FTP server. These two files can act as a simple firewall.

For example, to allow only 192.168.10.1-192.168.10.254 to connect to the FTP server, add entries to the files

/etc/hosts.allow
/etc/hosts.deny

in the following format:

restricted service: IP (or network segment)
vsftpd:192.168.1.
vsftpd:192.168.1.12
vsftpd:192.168.1.0/255.255.255.0 (192.168.1.0/24 cannot be written here)
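As an added example (not from the original article), the following shell functions model how tcp_wrappers evaluates such entries: hosts.allow first, then hosts.deny, with an unmatched host allowed. They handle only the client forms shown above (trailing-dot prefix, exact address, net/mask) plus ALL, not hostnames, EXCEPT or hosts_options, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: simplified model of the tcp_wrappers decision for hosts.allow and
# hosts.deny. Only the client forms shown above are understood: ALL, a trailing-dot
# prefix, an exact address, and net/mask with a dotted mask.

# ip2int ADDR: dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_client PATTERN ADDR: true if ADDR matches one client pattern.
match_client() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        */*) net=$(ip2int "${1%/*}"); mask=$(ip2int "${1#*/}")
             [ $(( $(ip2int "$2") & mask )) -eq $(( net & mask )) ] && return 0 ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE SERVICE ADDR: true if a "daemons: clients" line in FILE matches.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        hit=no
        for d in $daemons; do [ "$d" = "$2" ] || [ "$d" = ALL ] && hit=yes; done
        [ "$hit" = yes ] || continue
        for c in $clients; do match_client "$c" "$3" && return 0; done
    done < "$1"
    return 1
}

# tcpw_decision ALLOW_FILE DENY_FILE SERVICE ADDR: hosts.allow is checked first,
# then hosts.deny; a host matched by neither is allowed.
tcpw_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed sample files using the entry forms shown above.
demo_dir=$(mktemp -d)
printf 'vsftpd: 192.168.1.0/255.255.255.0\n' > "$demo_dir/hosts.allow"
printf 'vsftpd: ALL\n' > "$demo_dir/hosts.deny"

for ip in 192.168.1.12 192.168.2.7; do
    echo "$ip -> $(tcpw_decision "$demo_dir/hosts.allow" "$demo_dir/hosts.deny" vsftpd "$ip")"
done
```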

2. User access control:

vsftpd.ftpusers # holds the local accounts that are not allowed to log in over FTP; this is the vsftpd blacklist.

vsftpd.user_list

(1) To deny login to the users in vsftpd.user_list, set the following two options in the main configuration file vsftpd.conf:
userlist_enable=yes
userlist_deny=yes
Result: all other FTP users can log in, but the users listed in vsftpd.ftpusers and vsftpd.user_list cannot log in to the vsftpd service.

(2) To allow only the users in vsftpd.user_list to log in, set the same two options in the main configuration file vsftpd.conf as follows:
userlist_enable=yes
userlist_deny=no
Result: only the FTP users listed in vsftpd.user_list can log in to the vsftpd service; no other FTP user can log in.

################## Timeout settings ##################

idle_session_timeout=600 # idle connection timeout
data_connection_timeout=120 # data transfer timeout
accept_timeout=60 # PASV request timeout
connect_timeout=60 # PORT mode connection timeout


############### Server feature options ###############

xferlog_enable=yes # enable logging
xferlog_std_format=yes # use the standard log format
log_ftp_protocol=no # when xferlog_std_format is off and this is on, log every FTP request and reply; useful for debugging
pasv_enable=yes # allow PASV mode
pasv_promiscuous=no # yes would turn off the PASV security check (the data connection must come from the same client address); be careful
port_enable=yes # allow PORT mode
port_promiscuous # yes turns off the PORT security check
tcp_wrappers=yes # enable tcp_wrappers support
pam_service_name=vsftpd # name of the PAM service used; the default is vsftpd
nopriv_user=nobody # user the server runs as when it needs no privileges
pasv_address=(None) # IP address that vsftpd returns in replies to the PASV command

################ Server performance options ##############
ls_recurse_enable=yes # whether the ls -R command may be used; disabling it prevents large server resource consumption
one_process_model # whether to use single-process mode
listen=yes # bind to the port given by listen_port; this is standalone mode
text_userdb_names=no # when a logged-in user runs ls -al, the file owner is shown as a UID by default rather than a name; turn this on to show owner names

use_localtime=no # whether directory listings show local time or GMT; the MDTM command is affected in the same way
#use_sendfile=yes # platform optimisation for testing

############### Information settings ################

ftpd_banner=Welcome to FTP. # welcome message shown at login; it has no effect if banner_file is set
dirmessage_enable=yes # show per-directory messages: the contents of the message_file in each directory
setproctitle_enable=yes # show session status information in the process title; turn it off


############## File definitions ##################

chroot_list_file=/etc/vsftpd/vsftpd.chroot_list # file listing users who cannot leave their home directory
userlist_file=/etc/vsftpd/vsftpd.user_list # file of users who are denied, or allowed, to log in
banner_file=/etc/vsftpd/banner # location of the login banner file
banned_email_file=/etc/vsftpd.banned_emails # e-mail addresses that anonymous users may not use as passwords
xferlog_file=/var/log/vsftpd.log # log file location
message_file=.message # per-directory message file


############## Directory definitions #################

user_config_dir=/etc/vsftpd/userconf # directory holding the per-user configuration files
local_root=webdisk # with this setting, each user's root directory after login is /home/username/webdisk
# defines the root directory for local users; it may be a relative or an absolute path. A relative path is relative to the user's home directory.
anon_root=/var/ftp # root directory for anonymous users after login

############ User connection options #################


max_clients=100 # maximum number of clients accepted
max_per_ip=5 # maximum number of clients per IP
connect_from_port_20=yes # use the standard port 20 for data connections
listen_address=192.168.0.2 # bind to one IP; the other IPs cannot be used to connect
listen_port=2121 # bind to a port
ftp_data_port=2020 # data transfer port
pasv_max_port=0 # upper bound of the port range usable in PASV mode; 0 means any. The default value is 0.
pasv_min_port=0 # lower bound of the port range usable in PASV mode; 0 means any. The default value is 0.


############# Data transfer options #################

anon_max_rate=51200 # transfer rate for anonymous users (bytes/s)
local_max_rate=5120000 # transfer rate for local users (bytes/s)


############# Security options #################

idle_session_timeout=600 # (disconnect after the user session has been idle for 10 minutes)
data_connection_timeout=120 # (disconnect a data connection after 2 minutes)
accept_timeout=60 # (disconnect after the client has been idle for 1 minute)
connect_timeout=60 # (a PORT-mode connection attempt times out after 1 minute)
local_max_rate=50000 # (local user transfer rate 50K)
anon_max_rate=30000 # (anonymous user transfer rate 30K)

pasv_min_port=50000 # (move the client's data connection ports to
pasv_max_port=60000 # the range 50000-60000)

max_clients=200 # (maximum number of FTP connections)
max_per_ip=4 # (maximum number of connections per IP)
listen_port=5555 # (listen on port 5555)

If anything is incomplete or wrong, please contact me and I will correct it promptly. Thank you.


Case 1: set up an FTP server with a virtual user and configure it to the following requirements.

(1) Set the home directory of the anonymous FTP user to /var/ftp/anon, with the download bandwidth limited to 100kb/s.

(2) Create an FTP account named abc with password xyz, with the download bandwidth limited to 500kb/s.

(3) Set the maximum number of simultaneous connections to the FTP server to 100, the maximum number of connections per IP to 3, and the user idle time limit to 5 minutes.

mkdir /var/ftp/anon

useradd abc
passwd abc

vim /etc/vsftpd/vsftpd.conf

The main contents are as follows

anonymous_enable=yes
anon_root=/var/ftp/anon
# rates are in bytes per second, so 100kb/s is 102400
anon_max_rate=102400
# Uncomment this to allow local users to log in.
local_enable=yes
# 500kb/s in bytes per second
local_max_rate=512000
max_clients=100
max_per_ip=3
# the user idle limit is idle_session_timeout; connect_timeout only covers PORT-mode connects
idle_session_timeout=300

The above uses local users.

The following is implemented with virtual users.

vim /etc/vsftpd/vuser

The contents are as follows

tom
123

Generate the database file:
db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db
chmod 600 /etc/vsftpd/vuser.db

vim /etc/pam.d/vsftpd


Comment out the original content

Then add

auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser

Finally, edit vsftpd.conf and add the following two lines

guest_enable=yes
guest_username=abc

You can test it yourself.

With this, the case is complete.


"Case 2"
1. Create a new 10G partition with an ext3 file system, mounted at /ftp, as the FTP server's data storage.

2. Four departments, dep1, dep2, dep3 and dep4, correspond to the directories /ftp/dep1, /ftp/dep2, /ftp/dep3 and /ftp/dep4. In addition, set up a public directory /ftp/public.

3. Five users: admin, user1, user2, user3 and user4. user1/2/3/4 belong to dep1/2/3/4 respectively and may only access their own department's directory and the public directory. For example, user1 can access only the dep1 and public directories and no others. admin is the administrator and can access any directory on the FTP server.

4. Access restrictions: in the directories they may access, user1/2/3/4 can upload and download files but cannot delete files, change file permissions, and so on. The admin user can upload, download, delete, change permissions, and so on, in all directories.

5. Set a quota for each department: a file quota of 1000 and a disk quota of 2G for the account.

6. Anonymous users cannot access the server.


First, add a hard disk, partition it, and record the mount in /etc/fstab

# fdisk /dev/hdb
# mkfs.ext3 /dev/hdb1
# mkdir /ftp
# mount /dev/hdb1 /ftp -o usrquota,grpquota

# vim /etc/fstab
Add the following line

/dev/hdb1 /ftp ext3 defaults,usrquota,grpquota 0 0


Second, create the groups, users and corresponding directories, and set the permissions to meet the requirements

# groupadd dep1
# groupadd dep2
# groupadd dep3
# groupadd dep4
# groupadd boobooke

# useradd -G dep1,boobooke user1
# useradd -G dep2,boobooke user2
# useradd -G dep3,boobooke user3
# useradd -G dep4,boobooke user4
# useradd -G dep1,dep2,dep3,dep4,boobooke admin

# passwd user1
# passwd user2
# passwd user3
# passwd user4
# passwd admin

# mkdir /ftp/dep1
# mkdir /ftp/dep2
# mkdir /ftp/dep3
# mkdir /ftp/dep4
# mkdir /ftp/public

# chown user1:dep1 /ftp/dep1
# chown user2:dep2 /ftp/dep2
# chown user3:dep3 /ftp/dep3
# chown user4:dep4 /ftp/dep4
# chown admin:boobooke /ftp/public

# chmod 770 /ftp/dep1
# chmod 770 /ftp/dep2
# chmod 770 /ftp/dep3
# chmod 770 /ftp/dep4
# chmod 770 /ftp/public


The final result is as follows

-rw------- 1 root  root      8192 11:46 aquota.group
-rw------- 1 root  root      7168 11:46 aquota.user
drwxrwx--- 2 user1 dep1      4096 Jun 20:47 dep1
drwxrwx--- 2 user2 dep2      4096 Jun 20:47 dep2
drwxrwx--- 2 user3 dep3      4096 Jun 20:47 dep3
drwxrwx--- 2 user4 dep4      4096 Jun 20:47 dep4
drwx------ 2 root  root     16384 20:44 lost+found
drwxrwx--- 2 admin boobooke  4096 Jun 20:48 public

Third, create and configure the disk quotas

# mount /dev/hdb1 /ftp -o usrquota,grpquota
# quotacheck -cuvg /dev/hdb1
# quotaon -a
# edquota -g dep1

Disk quotas for group dep1 (gid 503):
  Filesystem   blocks     soft     hard   inodes   soft   hard
  /dev/hdb1         0  1024000  2048000        0    500   1000

# edquota -g -p dep1 dep2 dep3 dep4 (with -u or -g, -p copies the quota settings of the source user or group to the other users or groups.)


Fourth, edit vsftpd.conf

# vim /etc/vsftpd/vsftpd.conf

anonymous_enable=no

Add
local_root=/ftp
user_config_dir=/etc/vsftpd/ftp_config_dir


Enable chroot

chroot_list_enable=yes
chroot_list_file=/etc/vsftpd/chroot_list


Fifth, create the per-user configuration files

# mkdir /etc/vsftpd/ftp_config_dir
# vim /etc/vsftpd/ftp_config_dir/user1

# DELE, RMD, RNFR and RNTO are left out so the user cannot delete or rename; SITE is left out so SITE CHMOD cannot change permissions
cmds_allowed=ABOR,ACCT,APPE,CWD,CDUP,HELP,LIST,MODE,MDTM,NOOP,NLST,PASS,PASV,PORT,PWD,QUIT,REIN,RETR,SIZE,STOR,STAT,STOU,STRU,SYST,TYPE,USER


# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user2
# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user3
# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user4

Sixth, test
