Original URL: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon_(%e7%ae%80%e4%bd%93%e4%b8%ad%e6%96%87)
vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server developed for UNIX-like systems.
Installation
vsftpd is included in the official repositories and can be installed with pacman:
# pacman -S vsftpd
Editing /etc/hosts.allow lets you restrict which hosts may connect to vsftpd:
# Allow all connections
vsftpd: ALL
# Allow only clients from a fixed IP range to log in
vsftpd: 10.0.0.0/255.255.255.0
Start the server with:
# systemctl start vsftpd.service
To start vsftpd automatically at boot:
# systemctl enable vsftpd.service
Configuration
Most of vsftpd's configuration is done by editing /etc/vsftpd.conf. The file itself is well commented, so this section only covers the most important options. For the full list of options and their documentation, see man vsftpd.conf(5).
Allow uploads
To allow modifications to the filesystem, such as uploads, set write_enable in /etc/vsftpd.conf to YES:
write_enable=YES
Local user login
To allow the users listed in /etc/passwd to log in, set the following in /etc/vsftpd.conf:
local_enable=YES
Anonymous user login
The following options in /etc/vsftpd.conf control anonymous logins. vsftpd does not accept trailing comments on option lines, so keep comments on lines of their own:
# Allow anonymous users to log in
anonymous_enable=YES
# Anonymous logins no longer require a password
no_anon_password=YES
# Maximum download rate per anonymous user (bytes per second)
anon_max_rate=30000
chroot restrictions
To prevent users from leaving their home directory, you can set up a chroot environment. Add the following lines to /etc/vsftpd.conf:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
chroot_list_file then defines the list of users that are confined by chroot.
For a stricter chroot setup, set instead:
chroot_local_user=YES
With this option, chroot is enabled for all local users by default, and chroot_list_file defines the list of users who are not chrooted.
Restrict user login
Add the following two lines to /etc/vsftpd.conf:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_file then lists the users who are not allowed to log in.
If you only want to allow specific users to log in, add this line as well:
userlist_deny=NO
userlist_file then lists the users who are allowed to log in.
Limit number of connections
You can set the data transfer rate, the maximum number of clients, and the number of connections per IP address for local users by adding the following lines to /etc/vsftpd.conf:
# Maximum data transfer rate (bytes per second)
local_max_rate=1000000
# Maximum number of simultaneously connected clients
max_clients=50
# Number of connections allowed per IP address
max_per_ip=2
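The sections above each set one or two options, but the security posture comes from how they combine (anonymous access versus uploads, chroot versus a writable root, deny list versus allow list, a per-IP limit or none). The following script is an added example, not part of the Arch Wiki page: it reads the effective value of an option from a vsftpd.conf and reports those combinations. It assumes the vsftpd.conf format (one key=value per line, # lines are comments, last assignment wins) and vsftpd's documented defaults (anonymous_enable=YES, userlist_deny=YES, max_per_ip=0 meaning unlimited); allow_writeable_chroot is a vsftpd 3.x option that this page does not mention.

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): audit the vsftpd.conf options
# discussed above. Assumes one "key=value" per line, '#' comment lines only,
# and that the last assignment of a key wins.

# Print the effective value of option $2 in config $1; $3 is the vsftpd
# default used when the option is absent.
vsftpd_opt() {
    val=$(grep "^$2=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# vsftpd accepts YES/yes/true/1 (and NO/no/false/0) for boolean options.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one WARN:/INFO: line per finding plus a SUMMARY line; always returns 0.
vsftpd_audit() {
    conf=$1; warns=0
    # Heuristic: an option line with a trailing "# comment" makes vsftpd
    # refuse to start ("bad bool value"), so flag it first.
    if grep -q '^[a-z_]*=.*#' "$conf"; then
        echo "WARN: trailing comments on option lines are not allowed by vsftpd"
        warns=$((warns + 1))
    fi
    if is_yes "$(vsftpd_opt "$conf" anonymous_enable YES)"; then
        echo "WARN: anonymous logins are enabled (anonymous_enable defaults to YES)"
        warns=$((warns + 1))
        if is_yes "$(vsftpd_opt "$conf" write_enable NO)" &&
           is_yes "$(vsftpd_opt "$conf" anon_upload_enable NO)"; then
            echo "WARN: anonymous users may upload files"
            warns=$((warns + 1))
        fi
    fi
    if is_yes "$(vsftpd_opt "$conf" local_enable NO)"; then
        if is_yes "$(vsftpd_opt "$conf" chroot_local_user NO)"; then
            echo "INFO: all local users are chrooted; chroot_list_file names the exceptions"
            # vsftpd 2.3.5+ refuses a chrooted login whose root is writable
            # unless allow_writeable_chroot=YES (a vsftpd 3.x option).
            if is_yes "$(vsftpd_opt "$conf" write_enable NO)" &&
               ! is_yes "$(vsftpd_opt "$conf" allow_writeable_chroot NO)"; then
                echo "INFO: each chroot root must be non-writable (chmod a-w)"
            fi
        elif is_yes "$(vsftpd_opt "$conf" chroot_list_enable NO)"; then
            echo "INFO: only the users in chroot_list_file are chrooted"
        else
            echo "WARN: local users are not chrooted (chroot_local_user=NO)"
            warns=$((warns + 1))
        fi
    fi
    if is_yes "$(vsftpd_opt "$conf" userlist_enable NO)"; then
        if is_yes "$(vsftpd_opt "$conf" userlist_deny YES)"; then
            echo "INFO: userlist_file is a deny list: listed users cannot log in"
        else
            echo "INFO: userlist_file is an allow list: only listed users can log in"
        fi
    fi
    if [ "$(vsftpd_opt "$conf" max_per_ip 0)" = "0" ]; then
        echo "INFO: no per-IP connection limit (max_per_ip=0 means unlimited)"
    fi
    echo "SUMMARY: $warns warning(s)"
    return 0
}

# Usage: sh audit.sh /etc/vsftpd.conf
if [ -n "${1:-}" ]; then vsftpd_audit "$1"; fi
```

The trailing-comment check matters on this page in particular: the option listings above were extracted with comments glued onto the option lines, and copying them in that form makes vsftpd refuse to start.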
Using xinetd
If you want xinetd to start vsftpd, create the file /etc/xinetd.d/vsftpd with the following content:
service ftp
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/vsftpd
    log_on_success += HOST DURATION
    log_on_failure += HOST
    disable        = no
}
and enable the following option in /etc/vsftpd.conf:
pam_service_name=ftp
Finally, add xinetd to the daemon list in /etc/rc.conf; vsftpd itself no longer needs to be added there because it will be started by xinetd.
If you get the following error message when connecting to the server:
OOPS: cap_set_proc
add capability to the MODULES= line in /etc/rc.conf.
After upgrading to version 2.1.0, the following error may occur when connecting to the server:
OOPS: could not bind listening IPv4 socket
In previous versions it was enough to leave the following line commented out:
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
#listen=YES
In the new and future versions, however, the daemon startup mode must be stated explicitly:
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
listen=NO
Tips
PAM authentication for virtual users
The biggest benefit of virtual users is that there is no need to create many real users on the system; confining the whole environment to a fixed container also provides more security.
A virtual user database can be created from a simple text file:
user1
password1
user2
password2
It contains all the virtual users you want to enable. Save it as logins.txt; the file name has no special meaning. The next step uses the Berkeley DB tools, which are included in the Arch core system. Run the following command to generate the database:
# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
It is strongly recommended to give the vsftpd_login.db file more restrictive permissions:
# chmod 600 /etc/vsftpd_login.db
Warning: keeping passwords in clear text is not safe. Do not forget to delete the temporary file:
# rm logins.txt
Make PAM use the vsftpd_login.db database. Create the file ftp in /etc/pam.d/ with the following content:
auth    required pam_userdb.so db=/etc/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd_login crypt=hash
Note: /etc/vsftpd_login is given without the .db suffix.
Now create a home directory for the virtual users, in this case /srv/ftp. First create a real user named virtual and make /srv/ftp its home directory:
# useradd -d /srv/ftp virtual
# chown virtual:virtual /srv/ftp
Edit /etc/vsftpd.conf and add the following lines. They map all virtual users to the user virtual and restrict them to /srv/ftp:
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES
If vsftpd is started via xinetd, only the users listed in the database are now allowed to log in.
Creating a private directory for a virtual user
First create the folders and set their owner to the user virtual:
# mkdir /srv/ftp/user1
# mkdir /srv/ftp/user2
# chown virtual:virtual /srv/ftp/user?/
Then add the following lines to /etc/vsftpd.conf:
local_root=/srv/ftp/$USER
user_sub_token=$USER
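The virtual-user steps above (write logins.txt as user/password line pairs, run db_load, chmod 600 the database, delete the clear-text file) are easy to get subtly wrong: db_load -T reads alternating key and data lines, so one missing or blank line shifts every following user onto the wrong password. The script below is an added example, not from the Arch Wiki page, that wraps those steps with that check; it assumes the db_load tool from Berkeley DB and the /etc/vsftpd_login.db path used above.

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): build the vsftpd virtual-user
# database from a user/password line-pair file with the checks the steps
# above leave implicit. Assumes Berkeley DB's db_load is installed.

# Return 0 if $1 is a well-formed logins file: non-empty lines in
# user/password pairs. An odd line count or a blank line would silently
# pair users with the wrong passwords in db_load -T.
validate_logins() {
    lines=$(grep -c '' "$1")      # counts every line, even one without a final newline
    if [ "$lines" -eq 0 ] || grep -q '^$' "$1" || [ $((lines % 2)) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Print the user names (the odd-numbered lines) of a logins file, so the set
# of accounts about to be enabled can be reviewed before the database is built.
logins_users() {
    awk 'NR % 2 == 1' "$1"
}

# Build database $2 (default /etc/vsftpd_login.db) from logins file $1,
# restrict its permissions, and remove the clear-text source file.
build_vsftpd_login_db() {
    src=$1; db=${2:-/etc/vsftpd_login.db}
    validate_logins "$src" || { echo "malformed logins file: $src" >&2; return 1; }
    command -v db_load >/dev/null 2>&1 || { echo "db_load is not installed" >&2; return 1; }
    echo "enabling virtual users:"; logins_users "$src"
    db_load -T -t hash -f "$src" "$db" || return 1
    chmod 600 "$db"          # the database holds the credentials
    rm -f "$src"             # never leave the clear-text passwords behind
}

# Usage: sh build_db.sh logins.txt [/etc/vsftpd_login.db]
if [ "$#" -gt 0 ]; then build_vsftpd_login_db "$@"; fi
```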
Troubleshooting
vsftpd: refusing to run with writable root inside chroot()
To avoid a security vulnerability, starting with vsftpd 2.3.5 the chroot directory must not be writable. Use the command:
# chmod a-w /home/user
For virtual users, use:
# chmod a-w /srv/ftp/user1
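vsftpd applies this check to every write bit of the chroot root, so a directory with the usual 755 mode (owner-writable) already triggers the refusal, not only a world-writable one. The script below is an added example, not from the Arch Wiki page: it reports which chroot roots would be refused and can apply the chmod a-w fix from the text. It assumes only POSIX ls, cut and chmod.

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): find chroot roots that would
# trigger "refusing to run with writable root inside chroot()" (vsftpd 2.3.5+)
# and optionally fix them with chmod a-w. Uses only POSIX ls/cut/chmod.

# Return 0 if directory $1 has any write bit (owner, group or other) set.
chroot_root_is_writable() {
    perms=$(ls -ld "$1" | cut -c2-10)   # e.g. "rwxr-xr-x"; drops the type char and any ACL '+'
    case "$perms" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_chroot_roots [-f] DIR...
# Report every writable chroot root; with -f, apply chmod a-w instead.
# Returns 1 if any directory was left writable.
check_chroot_roots() {
    fix=0
    if [ "$1" = "-f" ]; then fix=1; shift; fi
    bad=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "SKIP: $dir is not a directory"
            continue
        fi
        if chroot_root_is_writable "$dir"; then
            if [ "$fix" -eq 1 ]; then
                chmod a-w "$dir" && echo "FIXED: $dir (chmod a-w)"
            else
                echo "WRITABLE: $dir (vsftpd will refuse chrooted logins here)"
                bad=$((bad + 1))
            fi
        else
            echo "OK: $dir"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check_chroot.sh [-f] /home/user /srv/ftp/user1 ...
if [ "$#" -gt 0 ]; then check_chroot_roots "$@"; fi
```

Once the root itself is read-only, users need a writable subdirectory below it to upload into; removing the write bits from the root does not remove them from its children.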