"Go" Ubuntu Install FTP server

Source: Internet
Author: User
Tags crypt

Original URL: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon_(%e7%ae%80%e4%bd%93%e4%b8%ad%e6%96%87)

vsftpd (Very Secure FTP Daemon) is a lightweight, stable, and secure FTP server developed for UNIX-like systems.

Contents
  • 1 Installation
  • 2 Configuration
    • 2.1 Allow upload
    • 2.2 Local user login
    • 2.3 Anonymous user login
    • 2.4 chroot restrictions
    • 2.5 Restrict user login
    • 2.6 Limit number of connections
    • 2.7 Using xinetd
  • 3 Tips
    • 3.1 PAM authentication for virtual users
      • 3.1.1 Creating a private directory for a virtual user
  • 4 Problem Solving
    • 4.1 vsftpd: refusing to run with writable root inside chroot()
  • 5 More Resources

Installation

vsftpd is available in the official repositories and can be installed with pacman:

# pacman -S vsftpd

Editing /etc/hosts.allow restricts which hosts may connect to vsftpd:

# Allow all connections
vsftpd: ALL
# Allow only users in a fixed IP range to log in
vsftpd: 10.0.0.0/255.255.255.0

The server can be started with the following command:

# systemctl start vsftpd.service

To have vsftpd start automatically at boot:

# systemctl enable vsftpd.service

Configuration

Most vsftpd settings are made by editing /etc/vsftpd.conf. The file itself is well commented, so this section only explains some important settings. For all options and their documentation, see the vsftpd.conf(5) man page.

Allow upload

To allow changes to the filesystem, such as uploads, set write_enable to YES in /etc/vsftpd.conf:

write_enable=YES

Local User Login

To allow users listed in /etc/passwd to log in, set the following value in /etc/vsftpd.conf:

local_enable=YES

Anonymous User Login

The following lines in /etc/vsftpd.conf control anonymous user login:

# Allow anonymous users to log in
anonymous_enable=YES
# Anonymous login no longer requires a password
no_anon_password=YES
# Maximum download speed per anonymous user (in bytes per second)
anon_max_rate=30000

chroot Restrictions

To prevent users from leaving their home directory, you can set up a chroot environment. Add the following lines to /etc/vsftpd.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

chroot_list_file defines the list of users who are confined by chroot.

If you want a stricter chroot environment, set the following:

chroot_local_user=YES

With this setting, the chroot environment is enabled for all users by default, and chroot_list_file instead defines the list of users who are not chrooted.

Restrict User Login

Add the following two lines to /etc/vsftpd.conf:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

userlist_file lists the users who are not allowed to log in.

If you only want to allow specific users to log in, add this line:

userlist_deny=NO

userlist_file then lists the users who are allowed to log in.

Limit number of connections

You can limit the data transfer rate for local users, the maximum number of clients, and the number of connections per IP by adding the following lines to /etc/vsftpd.conf:

# Maximum data transfer rate (in bytes per second)
local_max_rate=1000000
# Maximum number of clients online at the same time
max_clients=50
# Number of connections allowed per IP
max_per_ip=2

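
A check for the vsftpd.conf settings covered in the sections above, as an added example that is not part of the original page: it flags directive lines that break the option=value format described in vsftpd.conf(5) and reports three of the login and chroot settings discussed here. Assumptions: the function name audit_vsftpd_conf and the sample file are made up for illustration, option names are taken to be case-sensitive, and only options set explicitly in the file are considered.

```sh
#!/bin/sh
# Added example (not from the original page). Only options set explicitly in
# the file are considered; option names are assumed to be case-sensitive.
# audit_vsftpd_conf FILE: prints one finding per line, nothing for a clean file.
audit_vsftpd_conf() {
    awk '
    /^[ \t]*$/ || /^#/ { next }    # blank lines and comment lines are ignored
    {
        eq = index($0, "=")
        if (eq == 0) { printf "line %d: not an option=value directive\n", NR; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key ~ /[ \t]/ || val ~ /^[ \t]/) {
            printf "line %d: whitespace in the option name or before the value\n", NR; next }
        if (key ~ /[A-Z]/) {
            printf "line %d: option name %s is not lowercase\n", NR, key; next }
        if (val ~ /[ \t]+#/) {
            printf "line %d: trailing comment is read as part of the value\n", NR; next }
        opt[key] = toupper(val)
    }
    END {
        if (opt["local_enable"] == "YES" && opt["chroot_local_user"] != "YES" &&
            opt["chroot_list_enable"] != "YES")
            print "policy: local users can log in but no chroot option is set"
        if (opt["userlist_enable"] == "YES" && opt["userlist_deny"] != "NO")
            print "policy: userlist_file is a deny list, not an allow list"
        if (opt["anonymous_enable"] == "YES" && opt["no_anon_password"] == "YES")
            print "policy: anonymous login is enabled with no password prompt"
    }' "$1"
}

# Constructed sample input, not a real server configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Write_enable=yes
local_enable=YES
max_clients=50   # trailing comment
userlist_enable=YES
EOF
audit_vsftpd_conf "$sample"
rm -f "$sample"
```
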
Using xinetd

If you want to start vsftpd through xinetd, create the file /etc/xinetd.d/vsftpd with the following content:

service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/vsftpd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable                 = no
}

and enable the following option in /etc/vsftpd.conf:

pam_service_name=ftp

Finally, add xinetd to the daemon list in /etc/rc.conf; vsftpd no longer needs to be added there, because it will be started by xinetd.

If you get the following error message when connecting to the server:

OOPS: cap_set_proc

you need to add capability to the MODULES= line in /etc/rc.conf.

After upgrading to version 2.1.0, the following error may occur when connecting to the server:

OOPS: could not bind listening IPv4 socket

In previous versions, it was sufficient to comment out the following lines:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
# listen=YES

However, in the new and future versions, the daemon startup mode must be specified explicitly:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
listen=NO

Tips

PAM authentication for virtual users

The biggest benefit of using virtual users is that there is no need to create many real users on the system, and confining the whole environment to one fixed container provides better security.

A virtual user database can be created from a simple text file like the following:

user1
password1
user2
password2

It contains all the virtual users that you want to enable. Save it as logins.txt; the file name has no special meaning. The next step uses the Berkeley DB tools, which are included in the Arch core system. Run the following command to generate the database:

# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

It is strongly recommended that you give the vsftpd_login.db file more restrictive permissions:

# chmod 600 /etc/vsftpd_login.db

Warning: It is not safe to keep passwords in clear text. Do not forget to delete the temporary file: rm logins.txt.
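
The database steps above as one script, as an added example that is not part of the original page: it validates the user/password line pairs before calling db_load, creates the database under a restrictive umask, and deletes the clear-text list afterwards. The function names check_logins and build_login_db are hypothetical, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the original page).
# check_logins FILE: succeeds only if FILE holds user/password line pairs
# with no empty lines and no repeated user name; prints what is wrong.
check_logins() {
    awk '
    $0 == ""    { printf "line %d: empty line\n", NR; bad = 1; next }
    NR % 2 == 1 {
        if ($0 in seen) { printf "line %d: duplicate user %s\n", NR, $0; bad = 1 }
        seen[$0] = 1
    }
    END {
        if (NR == 0) { print "file is empty"; bad = 1 }
        if (NR % 2 == 1) { printf "line %d: user without a password line\n", NR; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# build_login_db TXT DB: the db_load, chmod and rm steps from the text.
build_login_db() {
    check_logins "$1" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not found" >&2; return 2; }
    (
        umask 077    # the database never exists with group or other access
        db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
    ) || return 3
    rm -f "$1"       # delete the clear-text password list
}

# Constructed sample: user2 has no password line, so the file is rejected.
sample=$(mktemp)
printf '%s\n' user1 password1 user2 > "$sample"
check_logins "$sample" || echo "logins file rejected"
rm -f "$sample"
```

As root, the call matching the commands in the text would be build_login_db logins.txt /etc/vsftpd_login.db.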

Make PAM use the vsftpd_login.db database: create the file ftp in /etc/pam.d/ and add the following content:

auth required pam_userdb.so db=/etc/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd_login crypt=hash

Note: /etc/vsftpd_login is written here without the .db suffix.

Now create a home directory for the virtual users, in this case /srv/ftp. First create a real user named virtual and set /srv/ftp as its home directory:

# useradd -d /srv/ftp virtual
# chown virtual:virtual /srv/ftp

Modify /etc/vsftpd.conf and add the following lines. They map all virtual users to the real user virtual and restrict them to /srv/ftp:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES

If the vsftpd service is started through xinetd, only the users listed in the database will now be allowed to log in.

Create a private directory for a virtual user

First create the directories and set their owner to the user virtual:

# mkdir /srv/ftp/user1
# mkdir /srv/ftp/user2
# chown virtual:virtual /srv/ftp/user?/

Then add the following lines to /etc/vsftpd.conf:

local_root=/srv/ftp/$USER
user_sub_token=$USER

Problem Solving

vsftpd: refusing to run with writable root inside chroot()

To avoid a security vulnerability, starting with vsftpd 2.3.5 the chroot directory must not be writable. Use the command:

# chmod a-w /home/user

For virtual users, use the command:

# chmod a-w /srv/ftp/user1
