Linux remote FTP

Source: Internet
Author: User
Tags ftp site rfc822 syslog


Wu-ftpd is easy to install. Most Linux distributions include an rpm package of wu-ftpd, which you can select when installing the system. If you would rather compile it yourself, the latest source package can be downloaded from ftp://ftp.wu-ftpd.org.
After installation, run the ckconfig command to check that the installation is correct. The login directory of the ftp user is specified in /etc/passwd.
Wu-ftpd has the following six configuration files:
ftpaccess (main configuration file; controls access permissions)
ftpconversions (configures compression/decompression conversions)
ftpgroups (defines groups used by ftp)
ftphosts (sets per-user access permissions)
ftpservers (maps different IP addresses/domain names to different virtual hosts)
ftpusers (lists the accounts that may not connect using ftp)
Next we introduce them one by one.
/etc/ftpaccess (main configuration file of wu-ftpd)
class -- defines a class of users. Usage:
class <classname> <typelist> <addrglob> [<addrglob>...]
Only users who fall into a defined class can connect. Several class lines can be used to control where the users of each class may come from. There are three user types: real, anonymous and guest. If real is not listed in any class definition, no real user on this machine can connect with their own account. If anonymous is not listed, nobody without an account can connect. If guest is listed, members of the guest group can connect. <addrglob> is the address pattern the ftp client connects from; you choose it yourself. Some examples:
class all real,guest,anonymous *
Defines a class named all that contains all three user types from any IP address (that is, everyone).
class local real localhost loopback
The local class contains only real users connecting from the local machine.
class remote guest,anonymous *
The remote class contains guest and anonymous users from anywhere, but no real users.
class rmtuser real !*.example.com
The rmtuser class contains real users from outside (anywhere except example.com).
autogroup -- automatically maps a class to a group. Usage:
autogroup <groupname> <class> [<class>...]
When users of the listed classes connect, they are mapped to the given group, so Unix file permissions can be used to restrict that group of people.
deny -- rejects connections from certain addresses. Usage:
deny <addrglob> <message file>
Connections from matching machines are refused and <message file> is displayed. For example:
deny 210.62.146.* /etc/reject.msg
guestgroup -- defines a guest group
guestuser -- defines guest accounts
realgroup -- defines a real-user group
realuser -- defines real accounts
nice -- sets the scheduling priority for a class. Usage:
nice <nice-delta> [<class>]
In Linux, nice values run from -20 (highest priority) to 19 (lowest). A negative value here raises the priority of the class.
defumask -- sets the umask for a class. Usage:
defumask <umask> [<class>]
The umask is the permission mask applied to files when they are created.
tcpwindow -- sets the TCP window size
keepalive -- sets whether TCP SO_KEEPALIVE is used to detect dropped connections
timeout -- sets connection timeouts. Usage:
timeout accept <sec>
Timeout for accepting a connection; the default is 120 seconds.
timeout connect <sec>
Timeout for establishing a connection; the default is 120 seconds.
timeout data <sec>
Timeout for data transfer; the default is 1200 seconds.
timeout idle <sec>
Timeout for an idle user; the default is 900 seconds.
file-limit -- restricts a class to a number of files. Usage:
file-limit [raw] <in | out | total> <count> [<class>]
Limits the number of files a class may transfer: in (upload), out (download) or total. raw counts the whole transfer, not just data files. For example:
file-limit out 20 lvfour
Users of the lvfour class may download at most 20 files.
byte-limit -- restricts a class to a number of bytes. Its usage is similar to file-limit.
limit-time -- limits how long a connection may last. Usage:
limit-time {* | anonymous | guest} <min>
To stop one user from keeping others off the site, you can limit the user's online time this way. For example:
limit-time guest 5
A user of the guest account gets only 5 minutes.
limit -- limits how many users of a class may be connected at the same time. Usage:
limit <class> <n> <times> <message file>
Sets the maximum number of concurrent users of a class during a time period, followed by the message displayed when the limit is exceeded. For example:
limit all 32 Any /home/ftp/etc/toomanyuser.msg
At most 32 users of the all class may be connected at any time; beyond that, the connection is refused and the message is shown.
limit levelone 5 Any2300-0600 /home/ftp/etc/toomanyuser.msg
Users of the levelone class may have only five connections between 23:00 and 06:00.
noretrieve -- sets which files cannot be downloaded
noretrieve [absolute | relative] [class=<classname>]... [-] <filename> [<filename>...]
absolute or relative states whether the file name is an absolute or a relative path.
allow-retrieve -- sets which files can be downloaded
allow-retrieve [absolute | relative] [class=<classname>]... [-] <filename> [<filename>...]
loginfails -- sets the number of failed login attempts
A connected user may type a wrong ID or password. This setting disconnects the user after the given number of attempts, so that nobody can guess passwords by brute force.
private -- sets whether SITE GROUP / SITE GPASS may be used during a session
When the SITE GROUP and SITE GPASS commands are enabled, they can be used to switch to a group defined in /etc/ftpgroups. This function is generally left disabled to avoid security vulnerabilities.
greeting -- sets how much server information is displayed. Usage:
greeting <full | brief | terse>
full, the default, shows the version number and the hostname on the login screen; brief shows only the hostname; terse shows only "FTP server ready".
banner -- sets the text the user sees before the login prompt. Usage:
banner <file path>
This message appears before the ID/password is entered at login. The file path is relative to the real filesystem root, not to the ftp root directory.
hostname -- sets the ftp host name
email -- specifies the ftp administrator's email address
message -- sets message files. Usage:
message <file> [<when> [<class>...]]
The file path here is relative to the ftp root directory. <when> is the event after which the message is shown; the options are:
login (at login)
cwd=<directory> (when entering a directory)
<class> is a class name defined earlier, so the message is sent only to the people you choose.
Besides plain text, the message file may use the following predefined codes:
%T (local time)
%F (free space in the current partition)
%C (current directory)
%E (administrator's email)
%R (client host name)
%L (local host name)
%U (user name)
%M (how many users of my class are allowed to connect)
%N (how many users of my class are connected right now)
%B (absolute disk limit in the current partition, in blocks)
%b (preferred disk limit in the current partition, in blocks)
%Q (blocks currently used)
%I (maximum number of inodes (+1))
%i (preferred inode limit)
%q (inodes currently used)
%H (time limit for exceeding the disk quota)
%h (time limit for exceeding the file quota)
readme -- notifies users of README files that have been updated
log commands -- records the commands used by users. Usage:
log commands <typelist>
log transfers -- records the files transferred by users. Usage:
log transfers <typelist> <directions>
Sets which user types' transfers are recorded, and in which directions: inbound (user upload) and outbound (user download). For example:
log transfers anonymous,guest inbound,outbound
log security -- records security events. Usage:
log security <typelist>
Records security-related events for the given user types, such as noretrieve and notar violations.
log syslog -- sends log records to the system syslog
alias -- sets a directory alias. Usage:
alias <alias string> <directory>
cdpath -- sets the list of directories searched when cd is given a name that is not found
compress, tar -- sets whether on-the-fly compression and tar are available. Usage:
compress <yes | no> <class> [<class>...]
tar <yes | no> <class> [<class>...]
These define which classes may use compression and tar.
shutdown -- notifies users that the site is shutting down. Usage:
shutdown <message file>
If the message file exists, new connections are refused and existing connections are cut off at the specified time. The file begins with the fields:
<year> <month> <day>
daemon address -- listens on only one IP address. Usage:
daemon address <IP address>
When the machine has many IP addresses, this option overrides any other virtual FTP host settings. If it is not set, the daemon listens on all IP addresses.
virtual -- sets up virtual FTP sites
Wu-ftpd provides a virtual host function: different FTP sites are served from the same machine, distinguished by host name or IP address. To distinguish by name you also need matching DNS records. virtual has several settings:
virtual <address> <root | banner | logfile> <path>
<address> can be a host name or an IP address.
root is the ftp root directory of the virtual site, banner its welcome message, and logfile the log file of that virtual site.
Some examples:
virtual virtual.com.bj root /home/ftp2
virtual virtual.com.bj banner /etc/vftpbanner.2
virtual virtual.com.bj logfile /etc/viftplog.2
virtual <address> <hostname | email> <string>
These set the hostname and administrator email of the virtual site. Some examples:
virtual 210.62.146.50 hostname virtual.site.com.bj
virtual virtual.site.com.bj email ftpown@virtual.site.com.bj
virtual <address> allow <user> [<user>...]
virtual <address> deny <user> [<user>...]
These two options decide which users may connect to the virtual site. Some examples:
virtual virtual.site.com.bj allow *
virtual virtual.site.com.bj deny badman
virtual <address> private
This virtual site rejects anonymous users.
defaultserver deny <user> [<user>...]
defaultserver allow <user> [<user>...]
When virtual hosts are in use, the plain deny and allow settings no longer know which server they apply to and have no effect; defaultserver stands for the original (main) host.
defaultserver private
The main host rejects anonymous users.
passive address -- maps the address given in PASV replies. Usage:
passive address <external IP> <cidr>
passive ports -- sets the range of passive ports. Usage:
passive ports <cidr> <min> <max>
pasv-allow -- allows PASV data connections from the listed addresses
pasv-allow <class> [<addrglob>...]
port-allow -- allows PORT data connections to the listed addresses
port-allow <class> [<addrglob>...]
mailserver -- specifies the mail server used for upload notifications
incmail -- specifies the notification address for anonymous uploads
virtual incmail -- specifies the notification address for anonymous uploads to a virtual host
defaultserver incmail -- specifies the notification address for anonymous uploads to the default host
mailfrom -- sets the sender of upload notifications
virtual mailfrom -- sets the sender of a virtual host's upload notifications
defaultserver mailfrom -- sets the sender of the default host's upload notifications
chmod -- sets whether file permissions may be changed
delete -- sets whether files may be deleted
overwrite -- sets whether files may be overwritten
rename -- sets whether files may be renamed
umask -- sets whether the umask may be changed
passwd-check -- sets how strictly anonymous FTP passwords are checked. Usage:
passwd-check <none | trivial | rfc822> [<enforce | warn>]
none means no check; trivial means any password containing @ is accepted; rfc822 means the password must be an RFC 822 address. enforce means a login that fails the check is refused; warn means only a warning is printed.
deny-email -- rejects a specific email address used as a password
path-filter -- decides which file names are not acceptable. Usage:
path-filter <typelist> <error message file> <allowed regexp> [<disallowed regexp>...]
upload -- sets upload permissions. Usage:
upload [absolute | relative] [class=<classname>]... [-] <root-dir> <dirglob> <yes | no> <owner> <group> <mode> [dirs | nodirs] [<d_mode>]
This sets the permissions for the directory we want to control:
absolute/relative: use absolute or relative paths
class=: apply only to the given class
root-dir: the user's root directory, that is, the chroot login directory
dirglob: the directory we want to restrict
yes/no: whether new files may be created in this directory
owner and group: the owner and group given to uploaded files
mode: the permission bits given to uploaded files
dirs/nodirs: whether new directories may be created
d_mode: the permission bits given to newly created directories; if omitted, mode is used
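The directives covered so far (class and deny, loginfails, private, log, passwd-check, the per-command yes/no switches and upload) are the ones most worth checking on an anonymous site. The following Python script is an added example, not code from the article or from the wu-ftpd project: it parses an ftpaccess file in the format described above and flags the weak settings, using two constructed configurations, a typical "it works" file and the same file with the problems corrected. The loginfails threshold of 5, the 0600 upload mode and the rule that anonymous sessions must be logged are the example's own choices, not wu-ftpd defaults.

```python
# Added example (not from the article or the wu-ftpd project): parse an
# ftpaccess file and flag settings that weaken an anonymous-FTP site.
from typing import Dict, List, Set

WEAK_FTPACCESS = """\
# constructed sample: a typical "it works" configuration
class      all  real,guest,anonymous  *
loginfails 10
private    yes
passwd-check none
log commands  real
log transfers anonymous,guest inbound,outbound
upload     /home/ftp  *          no
upload     /home/ftp  /incoming  yes  ftp  daemon  0666  dirs  0777
delete     yes  guest,anonymous
overwrite  no   guest,anonymous
"""

HARDENED_FTPACCESS = """\
# constructed sample: the same site with the weak settings corrected
class      all  real,guest,anonymous  *
loginfails 3
private    no
passwd-check rfc822 enforce
log commands  anonymous,guest,real
log transfers anonymous,guest,real inbound,outbound
upload     /home/ftp  *          no
upload     /home/ftp  /incoming  yes  ftp  daemon  0600  nodirs
chmod      no   guest,anonymous
delete     no   guest,anonymous
overwrite  no   guest,anonymous
rename     no   guest,anonymous
umask      no   guest,anonymous
"""

LOGINFAILS_MAX = 5            # the example's own threshold, not a wu-ftpd default
ANON_TYPES = {"anonymous", "guest"}


def parse_ftpaccess(text: str) -> Dict[str, List[List[str]]]:
    """Group argument lists by directive name; '#' starts a comment."""
    table: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            table.setdefault(name.lower(), []).append(args)
    return table


def typelist(field: str) -> Set[str]:
    """Split a wu-ftpd typelist such as 'anonymous,guest' into a set."""
    return set(field.lower().split(","))


def audit_ftpaccess(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    cfg = parse_ftpaccess(text)
    findings: List[str] = []
    # loginfails bounds password guessing per connection; keep it small
    lf = cfg.get("loginfails")
    if not lf or not lf[0]:
        findings.append("loginfails: not set")
    elif int(lf[0][0]) > LOGINFAILS_MAX:
        findings.append(f"loginfails: {lf[0][0]} attempts is high")
    # private yes enables SITE GROUP / SITE GPASS, which the article advises against
    if any(a and a[0].lower() == "yes" for a in cfg.get("private", [])):
        findings.append("private: yes enables SITE GROUP/GPASS")
    # passwd-check none accepts any string as the anonymous password
    if any(a and a[0].lower() == "none" for a in cfg.get("passwd-check", [])):
        findings.append("passwd-check: none disables anonymous password checks")
    # anonymous/guest users should not modify or remove existing files
    for cmd in ("chmod", "delete", "overwrite", "rename", "umask"):
        for a in cfg.get(cmd, []):
            if len(a) >= 2 and a[0].lower() == "yes" and typelist(a[1]) & ANON_TYPES:
                findings.append(f"{cmd}: yes granted to {a[1]}")
    # upload: skip the optional [absolute|relative] [class=...] [-] prefix, then
    # <root-dir> <dirglob> <yes|no> [<owner> <group> <mode> [dirs|nodirs [<d_mode>]]]
    for a in cfg.get("upload", []):
        while a and (a[0] in ("absolute", "relative", "-") or a[0].startswith("class=")):
            a = a[1:]
        if len(a) < 6 or a[2].lower() != "yes":
            continue
        dirglob, mode = a[1], int(a[5], 8)
        if mode & 0o066:  # group/other read or write on uploaded files
            findings.append(f"upload {dirglob}: mode {a[5]} exposes uploads to other users")
        if len(a) >= 7 and a[6].lower() == "dirs":
            findings.append(f"upload {dirglob}: dirs lets anonymous users create directories")
    # logging: commands and both transfer directions should cover anonymous users
    logs = cfg.get("log", [])
    if not any(len(a) >= 2 and a[0] == "commands" and "anonymous" in typelist(a[1]) for a in logs):
        findings.append("log commands: anonymous sessions are not recorded")
    if not any(len(a) >= 3 and a[0] == "transfers" and "anonymous" in typelist(a[1])
               and {"inbound", "outbound"} <= typelist(a[2]) for a in logs):
        findings.append("log transfers: anonymous uploads and downloads are not both recorded")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_FTPACCESS), ("hardened", HARDENED_FTPACCESS)):
        found = audit_ftpaccess(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run directly, the script prints seven findings for the weak file and none for the hardened one; audit_ftpaccess returns the list, so the same check can be reused from a configuration-management test. The parser is deliberately simple (whitespace-separated fields, # comments) because that is all ftpaccess needs.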
throughput -- controls download speed. Usage:
throughput <root-dir> <subdir-glob-list> <file-glob-list> <bytes/sec> <multiplier> <remote-glob-list>
Controls how fast a remote address can fetch certain files from a subdirectory. For example:
throughput /e/ftp * * oo - *
throughput /e/ftp sw* * 1024 0.5 *
throughput /e/ftp sw* readme oo - *
throughput /e/ftp sw* * oo - *.foo.com
Do you follow the settings above? "oo" means no limit on bytes/sec, and "-" or "1.0" is the multiplier (unchanged). The first line places no speed limit on files under /e/ftp. The second line limits any file under sw* to 1024 bytes/sec with a multiplier of 0.5 (1024 * 0.5 = 512 bytes/sec). The third line removes the limit for files named readme. The last line gives *.foo.com full speed.
anonymous-root -- sets the root directory for anonymous users of a class
anonymous-root <root-dir> [<class>...]
guest-root -- sets the root directory for guest users
guest-root <root-dir> [<uid-range>...]
The uid range specifies which guest users it applies to.
deny-uid, deny-gid -- reject a range of UIDs (GIDs)
allow-uid, allow-gid -- allow a range of UIDs (GIDs)
restricted-uid, restricted-gid -- restrict the user to their login directory
unrestricted-uid, unrestricted-gid -- allow the user to leave their login directory
dns refuse_mismatch -- refuses connections whose forward and reverse DNS lookups disagree. Usage:
dns refuse_mismatch <message file> [override]
When the client's host name does not resolve back to its IP address, the connection is refused and the message file is shown to the user. With override, the message is shown but the connection is allowed anyway.
dns refuse_no_reverse -- refuses connections that have no reverse DNS record. Usage:
dns refuse_no_reverse <message file> [override]
When the client's IP address has no reverse record, the connection is refused.
dns resolveoptions -- sets DNS resolver options. Usage:
dns resolveoptions [options]
DNS resolver options can be set here.
/etc/ftphosts
The ftphosts file works like the allow and deny settings in ftpaccess, but is used to control the connections of particular user IDs. It has no class definitions, so the user must be a real user.
allow | deny <user> <addrglob> [<addrglob>...]
Some examples:
allow rose 140.0.0.0/8
deny jack 140.123.0.0:255.255.0.0
rose is allowed in from 140.*.*.*; jack is refused from 140.123.*.*.
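To see which ftphosts rule applies to a login, the following Python script is an added example, not code from the article or from the wu-ftpd project. It handles the three address forms shown on this page (addr/prefix, addr:netmask and a dotted wildcard) and evaluates a constructed rule file whose first two lines are the article's own examples. The decision logic is the example's reading of ftphosts(5): a matching deny line always refuses; allow lines restrict a user to the listed addresses, so a user who has allow lines but matches none of them is refused; a user named in no line is left to ftpaccess.

```python
# Added example (not from the article or the wu-ftpd project): decide whether an
# /etc/ftphosts file lets a given user log in from a given address.
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_FTPHOSTS = """\
# constructed sample ftphosts; first two rules are the article's examples
allow rose 140.0.0.0/8
deny  jack 140.123.0.0:255.255.0.0
allow jack 10.*.*.*
"""


def address_matches(pattern: str, addr: str) -> bool:
    """Match one ftphosts address pattern: addr/prefix, addr:netmask or a dotted wildcard."""
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:                                   # 140.0.0.0/8
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(":") == 1 and "." in pattern:       # 140.123.0.0:255.255.0.0
        base, mask = pattern.split(":")
        return ip in ipaddress.ip_network(f"{base}/{mask}", strict=False)
    if "*" in pattern:                                   # 10.*.*.*  (or a bare *)
        if pattern == "*":
            return True
        parts, octets = pattern.split("."), addr.split(".")
        return len(parts) == len(octets) and all(p in ("*", o) for p, o in zip(parts, octets))
    return ipaddress.ip_address(pattern) == ip           # exact address


def parse_ftphosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (action, user, patterns) per rule line; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            action, user, *patterns = line.split()
            rules.append((action.lower(), user, patterns))
    return rules


def ftphosts_decision(text: str, user: str, addr: str) -> Optional[str]:
    """'deny' if a deny rule matches; 'allow' if the user has allow rules and one
    matches; 'deny' if the user has allow rules but none matches; None when no
    rule names the user (the decision then falls to ftpaccess)."""
    rules = [r for r in parse_ftphosts(text) if r[1] == user]
    if any(act == "deny" and any(address_matches(p, addr) for p in pats) for act, _, pats in rules):
        return "deny"
    allows = [pats for act, _, pats in rules if act == "allow"]
    if not allows:
        return None
    return "allow" if any(address_matches(p, addr) for pats in allows for p in pats) else "deny"


if __name__ == "__main__":
    for user, addr in (("rose", "140.10.1.1"), ("rose", "150.1.1.1"),
                       ("jack", "140.123.5.5"), ("jack", "10.2.3.4"), ("bob", "140.1.1.1")):
        print(f"{user:5} from {addr:12} -> {ftphosts_decision(SAMPLE_FTPHOSTS, user, addr)}")
```

The netmask form is handed to ipaddress.ip_network as address/netmask, which the standard library accepts directly, so there is no hand-written mask arithmetic to get wrong; the dotted wildcard is compared octet by octet and never matches an IPv6 client.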
/etc/ftpservers
This file chooses which configuration directory is used for incoming connections when the machine has several IP addresses/host names. For example:
10.196.145.10   /etc/ftpd/ftpaccess.somedomain/
10.196.145.200  /etc/ftpd/ftpaccess.someotherdomain/
some.domain     INTERNAL
10.196.145.20   /etc/ftpd/config/faqs.org/
ftp.some.domain /etc/ftpd/config/faqs.org/
/etc/ftpusers
Accounts listed in this file may not use FTP.
/etc/ftpgroups
Used with the SITE GROUP command to switch group during a session. SITE EXEC is prone to security vulnerabilities and is generally not made available to users.
/etc/ftpconversions
Configures the commands for tar, compress, gzip and similar conversions. The defaults are normally sufficient; if on-the-fly compression and packaging are not enabled, the file can also be emptied.
