Linux overview-FTP server configuration and management

Source: Internet
Author: User
Tags: ftp, client, file transfer protocol
The full name of FTP is File Transfer Protocol, the protocol used to transfer files. It works at the seventh layer of the OSI model, the application layer, and runs over TCP rather than UDP, so the FTP client and server complete a TCP "three-way handshake" before a connection is established. Another important feature of FTP is that it is platform independent. Many programs implement an FTP service on Linux; the most common are vsftpd, wu-ftpd and ProFTPD. Red Hat Enterprise Linux installs vsftpd by default. Access to an FTP server generally requires authentication: only after the server has verified the user can files be accessed and transferred. vsftpd provides three FTP logon modes:


(1) Anonymous (anonymous account). Anonymous FTP servers are widely used. If you do not have an account on the FTP server, you can log on with "anonymous" as the user name and your email address as the password. After an anonymous user logs on, the logon directory is /var/ftp. To reduce the load on the FTP server, you should disable the upload function of the anonymous account.

(2) Real (real account). A real account, also called a local account, logs on with a real user name and password, which requires the user to have an account on the FTP server. After logging on with a real account, the user starts in the home directory that the system created automatically when the account was created.

(3) Guest (virtual account). If a user has an account on the FTP server but that account may only be used for file transfer, it is a guest account. A guest is a form of real account; the difference is that after logging on to the FTP server, a guest cannot access anything outside the home directory.


The following first describes how to install and start vsftpd.


Here vsftpd version 2.0.1 is installed. If it is not, choose "Applications" > "System Settings" > "Add/Remove Applications" on the desktop to install the FTP package. After vsftpd is installed and configured, the FTP server must be started before it can be used. There are two ways to start it: 1. Graphically: choose "Applications" > "System Settings" > "Server Settings" > "Services"; vsftpd appears in the list. Check it and start it. 2. From a terminal window, with commands.


You can also use the service command.


2. FTP-related configuration files

/etc/vsftpd.conf, /etc/vsftpd.ftpusers and /etc/vsftpd.user_list. Configuring the FTP server means modifying the statements in these files.


1. vsftpd.conf file description

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#   -> whether anonymous users may log on to the FTP server; the default is YES.
# Uncomment this to allow local users to log in.
local_enable=YES
#   -> whether local users may log on to the FTP server; the default is YES.
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#   -> whether users may execute write commands (upload, delete and so on) on the server.
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#   -> the file creation mask for local users is set to 022; the default is 077.
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#   -> whether anonymous accounts may create directories on the FTP server.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#   -> activates directory messages: when a remote user changes directory, a message is shown.
# Activate logging of uploads/downloads.
xferlog_enable=YES
#   -> enables logging of uploads and downloads.
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#   -> enables connection requests from the FTP data port.
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#   -> sets the log file name and path; this is the default.
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#   -> whether the standard ftpd xferlog log file format is used.
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#   -> sets the idle session timeout; the default is 10 minutes.
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#   -> sets the data connection timeout; the default is 120 seconds.
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#   -> whether files may be uploaded and downloaded in ASCII mode.
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#   -> sets the welcome message shown on logon to the FTP server.
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combating certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
#   -> set this to control which users may move outside their home directory: with
#      chroot_list_enable=YES, the users listed in /etc/vsftpd.chroot_list are the
#      ones affected (with chroot_local_user=YES the list becomes the users who are
#      NOT chrooted). To chroot all local users, add the line chroot_local_user=YES.
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
pam_service_name=vsftpd
#   -> the name of the PAM service configuration file used for authentication, stored under /etc/pam.d/.
userlist_enable=YES
#   -> enables the user list check: with the default userlist_deny=YES, the users named in the
#      user list file are refused before a password is asked.
# Enable for standalone mode
listen=YES
#   -> runs vsftpd in standalone mode.
tcp_wrappers=YES
#   -> uses tcp_wrappers (/etc/hosts.allow and /etc/hosts.deny) for host access control.

2. vsftpd.ftpusers file description


This file records the users who are not allowed to log on to the FTP server, usually some default system accounts. Below is the default list of users in this file who are not allowed to log on:


# Users that are not allowed to login via FTP
root

By default root (and the system accounts that follow it in the file) are not allowed to log on to the FTP server. Users who should not be able to log on can be added here, one user per line.
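The settings annotated in vsftpd.conf above can be checked mechanically rather than by eye. The script below is an added example, not part of the original article and not a tool shipped with vsftpd: it reads the effective value of each option from a vsftpd.conf and reports the combinations the annotations warn about: anonymous users able to write (anon_upload_enable or anon_mkdir_write_enable together with write_enable), local users not confined by chroot_local_user, a local_umask weaker than 022, transfer logging or tcp_wrappers switched off, and directive lines with spaces around "=", which vsftpd does not accept. The two configuration files it writes for the demonstration are constructed.

```bash
#!/bin/bash
# Added example: audit a vsftpd.conf for the risk points discussed in the text.
# The sample configurations written below are constructed, not taken from the page.

# vsftpd_get FILE OPTION: print the effective value of OPTION (the last
# uncommented "option=value" line wins), upper-cased so YES/yes compare equal.
# Prints nothing when the option is not set.
vsftpd_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }        # comment line
        $1 == key        { val = $2 }    # later assignments override earlier ones
        END { if (val != "") print toupper(val) }
    ' "$1"
}

# vsftpd_bad_syntax FILE: print directive lines with whitespace around "=".
# vsftpd takes everything before "=" as the option name and everything after it
# as the value, so "option = YES" is rejected and the daemon refuses to start.
vsftpd_bad_syntax() {
    grep -nE '^[^#=]*[[:space:]]=|^[^#=]*=[[:space:]]' "$1"
}

# audit_vsftpd_conf FILE: print one finding per line (nothing when clean).
audit_vsftpd_conf() {
    local f="$1" anon write anon_up anon_mkdir local_users chroot lumask
    anon=$(vsftpd_get "$f" anonymous_enable)
    write=$(vsftpd_get "$f" write_enable)
    anon_up=$(vsftpd_get "$f" anon_upload_enable)
    anon_mkdir=$(vsftpd_get "$f" anon_mkdir_write_enable)
    local_users=$(vsftpd_get "$f" local_enable)
    chroot=$(vsftpd_get "$f" chroot_local_user)
    lumask=$(vsftpd_get "$f" local_umask)

    # Anonymous writes need the global write switch plus one of the anon switches
    # ("This only has an effect if the above global write enable is activated").
    if [ "$anon" = YES ] && [ "$write" = YES ] &&
       { [ "$anon_up" = YES ] || [ "$anon_mkdir" = YES ]; }; then
        echo "anonymous users can upload or create directories (anon_upload_enable/anon_mkdir_write_enable with write_enable=YES)"
    fi
    # Without chroot_local_user=YES a local user may browse outside the home directory.
    if [ "$local_users" = YES ] && [ "$chroot" != YES ]; then
        echo "local users are not confined to their home directory (chroot_local_user is not YES)"
    fi
    # local_umask must clear at least the group/other write bits (022); a leading 0 makes
    # the arithmetic read the value as octal, the way umask values are written.
    if [ -n "$lumask" ] && [ $(( 0$lumask & 022 )) -ne $(( 022 )) ]; then
        echo "local_umask=$lumask lets group or other write to files local users create"
    fi
    [ "$(vsftpd_get "$f" xferlog_enable)" = YES ] || echo "upload/download logging is off (xferlog_enable)"
    [ "$(vsftpd_get "$f" tcp_wrappers)" = YES ]   || echo "tcp_wrappers host access control is off"
    if [ -n "$(vsftpd_bad_syntax "$f")" ]; then
        echo "$(vsftpd_bad_syntax "$f" | wc -l | tr -d ' ') directive line(s) have spaces around '=' (vsftpd rejects them and will not start)"
    fi
}

# write_weak_conf FILE: a constructed configuration with the weak spots the audit looks for.
write_weak_conf() {
    cat > "$1" <<'EOF'
# constructed sample: the annotated file above with anonymous upload switched on
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
local_umask=022
xferlog_enable=YES
tcp_wrappers=YES
listen=YES
ls_recurse_enable = NO
EOF
}

# write_hardened_conf FILE: the same server with anonymous writes off and local users chrooted.
write_hardened_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
chroot_local_user=YES
local_umask=022
xferlog_enable=YES
tcp_wrappers=YES
listen=YES
EOF
}

# Demonstration: audit both constructed files.
for mk in write_weak_conf write_hardened_conf; do
    tmp=$(mktemp)
    "$mk" "$tmp"
    echo "== $mk"
    audit_vsftpd_conf "$tmp"
    rm -f "$tmp"
done
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd.conf; an empty result means none of the listed weak spots is present, not that the configuration is correct in every other respect.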

3. vsftpd.user_list file description


Its content is in fact the same as that of the file above, but since vsftpd.conf applies userlist_deny=YES (the default), this file must exist. Its content is as follows:


# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
nobody

3. Configure the FTP server


The following describes how to configure an FTP server for anonymous accounts and an FTP server for real accounts.

1. Anonymous account server

1> Configure a simple anonymous account server

To avoid problems during configuration, first copy the original configuration file /etc/vsftpd.conf to another directory; if the configuration fails, you can copy the original file back. Then modify /etc/vsftpd.conf as follows:



Allow anonymous logon to the FTP server, allow local accounts to log on, and give local accounts write permission.





Users in the user list are not allowed to log on to the FTP server. After configuring, you need to restart vsftpd. The anonymous account can log on as ftp or anonymous, with an email address as the password.



Here you can see that there is a default FTP directory. Now perform the test below.



You can see that the anonymous account cannot log on when a wrong value is entered, even with an email address as the password.



Change the user name and enter an email address as the password; the logon succeeds.



Check the directory of the ftp account on the FTP server and log out.



Log on with the anonymous account and enter an email address as the password; the logon succeeds.



List the directories of the anonymous account on the FTP server and change to the pub directory.



This is the content of the pub directory.



You can see that an anonymous account can download files.



You can also download



We can see the two files just downloaded. I tested on the local machine, so this is the content of the root directory.



You can see that the anonymous account cannot upload files, which verifies that the configuration file is correct.



A directory cannot be created with the anonymous account either.



Logon by a user in the user list fails.



Now log on with the local account yang; the logon succeeds.

2> Configure the upload function for an anonymous account

Only the following needs to be modified:



Remove the leading # from those lines. The other settings are the same as for the simple anonymous server. Note that the upload directory must be given write permission, because uploading files and directories means creating them in the local directory of the FTP server. (1) Under /var/ftp, create a new directory "ding".



(2) Change the permissions of the directory "ding".



Because an anonymous server is being set up, the owner of the directory is set to "ftp - FTP User" and the group to "ftp". (3) Create the upload directory, restart the FTP server and test as follows:



Anonymous logon.



You can see the created directory ding.



Change to the directory ding and create a directory yangming in it.



Now upload a file to the directory ding; you can see that the upload succeeds.
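Once anonymous uploads are switched on, the transfer log enabled earlier (xferlog_enable=YES with xferlog_std_format=YES, written to /var/log/vsftpd.log by default) is the record of who put what into the upload directory. The script below is an added example, not part of the original article: it scans log lines in the standard xferlog format, lists every incoming transfer made by an anonymous session and totals the uploaded bytes per client address. The log lines it writes for the demonstration are constructed; it assumes file names without spaces, since a space in the ninth field would shift the columns.

```bash
#!/bin/bash
# Added example: review a vsftpd transfer log (standard xferlog format) for anonymous uploads.
# The sample log written below is constructed for the demonstration.
#
# A standard-format xferlog line is whitespace separated:
#   <5 date/time fields> transfer-time remote-host file-size filename transfer-type
#   special-action direction access-mode username service-name auth-method auth-uid status
# direction is "o" (download from the server) or "i" (upload to it); access-mode is
# "a" anonymous, "g" guest or "r" real account; status is "c" complete or "i" incomplete.
# File names are assumed to contain no spaces (field 9).

# anon_uploads LOGFILE: print "host username file bytes status" for every anonymous upload.
anon_uploads() {
    awk '$12 == "i" && $13 == "a" { print $7, $14, $9, $8, $18 }' "$1"
}

# anon_upload_bytes_by_host LOGFILE: total bytes uploaded anonymously, per client address.
anon_upload_bytes_by_host() {
    awk '$12 == "i" && $13 == "a" { bytes[$7] += $8 }
         END { for (h in bytes) printf "%s %d\n", h, bytes[h] }' "$1"
}

# write_sample_xferlog FILE: six constructed entries, two downloads and four uploads
# (three anonymous, one of them incomplete, and one by the real account yang).
write_sample_xferlog() {
    cat > "$1" <<'EOF'
Mon Oct  8 09:00:01 2012 1 192.168.1.20 4096 /pub/readme.txt b _ o a anon@example.com ftp 0 * c
Mon Oct  8 09:00:09 2012 3 192.168.1.20 1048576 /ding/tool.bin b _ i a anon@example.com ftp 0 * c
Mon Oct  8 09:01:15 2012 1 192.168.1.33 20480 /ding/notes.txt a _ i a guest@example.net ftp 0 * c
Mon Oct  8 09:02:40 2012 2 192.168.1.33 5242880 /ding/big.iso b _ i a guest@example.net ftp 0 * i
Mon Oct  8 09:03:00 2012 1 192.168.1.50 2048 /home/yang/report.txt b _ i r yang ftp 0 * c
Mon Oct  8 09:04:12 2012 1 192.168.1.20 8192 /pub/list.txt b _ o a anon@example.com ftp 0 * c
EOF
}

# Demonstration against the constructed log.
log=$(mktemp)
write_sample_xferlog "$log"
echo "anonymous uploads:"
anon_uploads "$log"
echo "bytes uploaded anonymously per host:"
anon_upload_bytes_by_host "$log"
rm -f "$log"
```

On a server that is supposed to run with anon_upload_enable commented out, anon_uploads /var/log/vsftpd.log should print nothing; any line it does print is either a configuration drift or a transfer worth looking at.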



Now upload a file to the directory ftp; you can see that it fails, because the anonymous account has no write permission on the ftp directory (we did not set any).



Switch to the newly created directory yangming. At first it cannot be opened, because it has no write permission.



Then set the write permission (755) and look at the result.



The file is uploaded successfully.

3> Set the maximum number of concurrent connections to the server and the maximum number of threads per user

An FTP server must serve many users. If too many users log on during the same period, or too much data is downloaded, the performance of the server suffers. So when creating an FTP server you should set the maximum number of users connected concurrently and the maximum number of threads each user may use to download files concurrently. Modify the configuration file /etc/vsftpd.conf and add the following statements:



The last two lines set 100 concurrent users and 2 threads, that is, only two files can be downloaded at the same time.

4> Set the maximum transfer rate for anonymous users

Download speed has a great impact on the performance of the FTP server. By limiting the maximum transfer rate you can share network bandwidth evenly, improve the smoothness of the network and avoid congestion. Add the following statements to /etc/vsftpd.conf:



The last two lines set the maximum transfer rate of anonymous users to 20 kbps and that of local users to 1 Mbps.

5> Prohibit anonymous users from some IP segments from accessing the FTP server

Sometimes an FTP server should not be open to certain hosts that are nevertheless in the same network or VLAN. In this case you can restrict those hosts from accessing the FTP server, as follows: (1) Confirm that the configuration file /etc/vsftpd.conf contains the following statement:



That is, the tcp_wrappers line at the end of the configuration file. (2) Modify the file /etc/hosts.allow as follows:



This denies the hosts with the listed IP addresses access to the FTP server. (3) Perform the following tests:
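The expected result of this test can be worked out from the rule files before a client is turned away. The script below is an added example, not code from the article or from tcp_wrappers: it reads /etc/hosts.allow and /etc/hosts.deny (or the files named in the HOSTS_ALLOW and HOSTS_DENY variables, an assumption of this script) and answers ALLOW or DENY for a daemon name and client address in the order the library uses: the first matching hosts.allow rule decides, honouring an explicit : DENY or : ALLOW option; otherwise the first matching hosts.deny rule denies; otherwise access is granted. It understands the client patterns ALL, an exact IPv4 address, a network prefix ending in a dot such as 192.168.1., and "list EXCEPT list"; host names, netmasks, IPv6 and netgroups are not handled. The rule files used in the demonstration are constructed.

```bash
#!/bin/bash
# Added example: predict tcp_wrappers decisions for vsftpd from hosts.allow/hosts.deny.
# Supports: ALL, exact IPv4 address, "192.168.1." style prefixes, "A EXCEPT B", and the
# ": ALLOW" / ": DENY" option. Host names, netmasks, IPv6 and @netgroups are NOT handled.
# The rule files used in the demonstration are constructed.

# match_token PATTERN IP: does one client pattern match the address?
match_token() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # trailing dot = network prefix
        *)   [ "$1" = "$2" ] ;;
    esac
}

# match_list "CLIENT LIST" IP: comma/space separated patterns; "A EXCEPT B" means
# A but not B, and nests to the right as in hosts_access(5).
match_list() {
    local list="$1" ip="$2" tok
    case " $list " in
        *" EXCEPT "*)
            match_list "${list%% EXCEPT *}" "$ip" && ! match_list "${list#* EXCEPT }" "$ip"
            return ;;
    esac
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        match_token "$tok" "$ip" && return 0
    done
    return 1
}

# match_daemon "DAEMON LIST" NAME: ALL or the daemon's own name.
match_daemon() {
    local tok
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        { [ "$tok" = ALL ] || [ "$tok" = "$2" ]; } && return 0
    done
    return 1
}

# first_match FILE DAEMON IP: print the option of the first matching rule ("ALLOW",
# "DENY", or "MATCH" when the rule carries no option); print nothing if none matches.
first_match() {
    local file="$1" daemon="$2" ip="$3" line dlist rest clist opt
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                 # strip comments
        case "$line" in *:*) ;; *) continue ;; esac        # skip blank/non-rule lines
        dlist="${line%%:*}"
        rest="${line#*:}"
        clist="${rest%%:*}"
        case "$rest" in *:*) opt="${rest#*:}" ;; *) opt="" ;; esac
        opt=$(printf '%s' "$opt" | tr -d '[:space:]' | tr 'a-z' 'A-Z')
        if match_daemon "$dlist" "$daemon" && match_list "$clist" "$ip"; then
            echo "${opt:-MATCH}"
            return 0
        fi
    done < "$file"
}

# tcpwrap_decide DAEMON IP: print ALLOW or DENY, applying hosts.allow then hosts.deny.
tcpwrap_decide() {
    local daemon="$1" ip="$2" r
    r=$(first_match "${HOSTS_ALLOW:-/etc/hosts.allow}" "$daemon" "$ip")
    case "$r" in
        DENY) echo DENY; return 0 ;;
        "")   ;;                       # nothing matched in hosts.allow; consult hosts.deny
        *)    echo ALLOW; return 0 ;;  # matched, with or without an explicit ALLOW
    esac
    r=$(first_match "${HOSTS_DENY:-/etc/hosts.deny}" "$daemon" "$ip")
    case "$r" in
        ""|ALLOW) echo ALLOW ;;        # no deny rule matched (or it carried ": ALLOW")
        *)        echo DENY ;;
    esac
}

# write_sample_rules ALLOW_FILE DENY_FILE: constructed stand-ins for the two system files.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed: two LAN hosts are turned away, the rest of 192.168.1.0/24 is admitted,
# 192.168.2.0/24 is admitted except one host; sshd is open to everyone
vsftpd : 192.168.1.5, 192.168.1.6 : DENY
vsftpd : 192.168.1. : ALLOW
vsftpd : 192.168.2. EXCEPT 192.168.2.9
sshd : ALL
EOF
    cat > "$2" <<'EOF'
ALL : ALL
EOF
}

# Demonstration.
HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
write_sample_rules "$HOSTS_ALLOW" "$HOSTS_DENY"
for ip in 192.168.1.5 192.168.1.77 192.168.2.9 192.168.2.10 10.0.0.9; do
    printf '%-14s %s\n' "$ip" "$(tcpwrap_decide vsftpd "$ip")"
done
rm -f "$HOSTS_ALLOW" "$HOSTS_DENY"
```

With HOSTS_ALLOW and HOSTS_DENY left unset the functions read the real /etc/hosts.allow and /etc/hosts.deny, so tcpwrap_decide vsftpd 192.168.1.5 on the server itself shows what the client in the test above should see, provided its rules only use the patterns listed in the header comment.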



You can see that the server can be pinged, but the logon is rejected. (4) Allow only anonymous users. If only anonymous accounts may access the FTP server, restrict access by local accounts: modify the configuration file /etc/vsftpd.conf and comment out the following two statements:



The test is as follows:



The anonymous logon is successful.


Logon with a local account fails, and the error message shows that only anonymous logon is allowed.


Accounts in the list are not allowed to log on.

6> Set data transmission in ASCII mode

Generally the ASCII transmission mode is used when data is transmitted by the FTP server, so it is necessary to set the format in which the FTP server transmits data, in /etc/vsftpd.conf.



7> Set the various welcome messages

Setting a welcome message for accessing the FTP server makes users feel welcome when they access it. Set it in /etc/vsftpd.conf.



The test is as follows:



You can see the logon message.

8> Set the time interval for interrupting a data transfer

If data transfer between the user and the FTP server has stopped but the user remains connected, network bandwidth and one of the FTP server's maximum user slots remain occupied. Modify the configuration file /etc/vsftpd.conf.



2. Real account server

(1) Users in the user list cannot access the FTP server; other users not in the list can. Modify the configuration file /etc/vsftpd.conf.



Add the user accounts that are not allowed to access the FTP server to the file vsftpd.user_list.



Here pudding is added. The test results are as follows:



The root account is not allowed.


pudding is not allowed either. It can be seen that the configuration is successful.


Another account on the local machine can access it. (2) Change the default port number of the FTP server. The default port of the FTP server is 21, and all users connect to it by default when logging on, so specifying a particular port number for the FTP server makes it, to a certain extent, harder for attackers to attack the server. Add the following statement to the configuration file /etc/vsftpd.conf:



The test results are as follows:



Access fails if no port is specified.



Enter the port number and access succeeds. (3) Set up a group to access the FTP server. To provide different security levels and ease management, you can use user groups to access the FTP server, so that different users have different access permissions on the same directory. For example, three users are created for the test, test1, test2 and test3. User test1 must have read, write and execute permission on the directory /home/test (that is, browsing, downloading, uploading and creating directories and files); users test2 and test3 have only read and execute permission on /home/test (that is, browsing and downloading). 1) Create the directory /home/test in graphical mode.



Create the users test2 and test3 and clear the default check box.



We can see that three users have been created.



Enter the path in the home directory field. The same applies to the other two users.



And add the user to the group test, which was created earlier. Do the same for the other two users.



3) Set the permissions of the directory /home/test.



In this way each user's access permission is satisfied: test1 can read and write, test2 and test3 can read and execute the directory. Perform the following test:



Log on as test1; the logon succeeds.



Display the content of the directory test, which is currently empty, then create a directory successfully.



Upload a file to the directory test.



Log on as user test2.
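What each test user may do in /home/test can be computed from the directory's owner, group and mode before logging on as that user. The script below is an added example, not part of the article: it implements the owner/group/other selection the kernel applies and maps the resulting bits to the FTP operations the text associates with them. The values it runs against (directory owned by test1, group test, test2 and test3 as members of group test) reproduce this section's setup; the mode 750 is an assumption, since the article does not show the mode that was set. live_dir_perms does the same computation against a real directory and account with stat and id and is meant for use on the server itself.

```bash
#!/bin/bash
# Added example: work out which rwx bits a user gets on a directory and what that means for FTP.
# The owner/group/mode values used below are constructed to match the section's setup;
# the directory mode (750) is an assumption, the article does not show it.

# effective_perms OWNER GROUP MODE USER "GROUPS": print r/w/x as the kernel selects them:
# owner bits if USER is the owner, else group bits if any of USER's groups is the
# directory's group, else the "other" bits. MODE is octal (e.g. 750); the leading 0 added
# in the arithmetic makes it read as octal. root gets everything.
effective_perms() {
    local owner="$1" group="$2" mode="$3" user="$4" groups="$5" bits g out
    if [ "$user" = root ]; then printf '%s\n' rwx; return 0; fi
    if [ "$user" = "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
        for g in $groups; do
            if [ "$g" = "$group" ]; then bits=$(( (0$mode >> 3) & 7 )); break; fi
        done
    fi
    out=""
    [ $(( bits & 4 )) -ne 0 ] && out="r" || out="-"
    [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s\n' "$out"
}

# ftp_operations PERMS: the FTP operations a directory with these bits allows, in the
# article's terms: r+x lets a user browse and download, w+x additionally lets the user
# upload and create directories and files.
ftp_operations() {
    case "$1" in
        rwx) echo "browse, download, upload, create directories and files" ;;
        r-x) echo "browse and download" ;;
        -wx) echo "enter and create, but not list" ;;
        --x) echo "enter the directory only" ;;
        *)   echo "no useful access" ;;
    esac
}

# live_dir_perms DIR USER: the same computation against a real directory and account on
# the server (GNU stat and id). Not exercised by the constructed demonstration.
live_dir_perms() {
    local user="$2"
    set -- $(stat -c '%U %G %a' "$1")     # owner group mode, split on whitespace
    effective_perms "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}

# Demonstration: /home/test owned by test1, group test, mode 750; test1..test3 belong to
# group test, the local account yang does not.
for u in test1 test2 test3 yang; do
    case "$u" in yang) grps="yang" ;; *) grps="$u test" ;; esac
    p=$(effective_perms test1 test 750 "$u" "$grps")
    printf '%-6s %s  %s\n' "$u" "$p" "$(ftp_operations "$p")"
done
```

With mode 750 the output gives test1 rwx, test2 and test3 r-x and yang ---, which is exactly the split the section asks for; a 755 directory would instead give every local account r-x, that is browsing and downloading.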



Creating a directory and uploading a file fail.

4) Restrict the directories a user can access

By default, after logging on to the FTP server a user can access files outside the home directory on the server. To increase security, it is necessary to restrict users to their own directories. Add the following statement to the configuration file /etc/vsftpd.conf.



Perform the following tests:



Logon succeeds. Check that the home directory is normal.



The directory change succeeds, but the files in yang's directory are still displayed; it is not the real root directory. OK, that completes the FTP introduction.











