The most detailed vsftpd configuration file guide: the FTP server

Source: Internet
Author: User
Tags anonymous chmod ftp commands ftp login hash parent directory port number server port

vsftpd is the leading security-oriented FTP server, and it has a large number of options. What follows is a list of those options, all of them keys in the vsftpd.conf configuration file, with a full description of each. Reading it will give you a first overview of the vsftpd configuration file; the settings you actually deploy must still be worked out for your own situation.

VSFTPD configuration file

/etc/vsftpd/vsftpd.conf

Primary configuration file

/usr/sbin/vsftpd

VSFTPD's main program

/etc/rc.d/init.d/vsftpd

Startup script

/etc/pam.d/vsftpd

PAM authentication file. Its pam_listfile line (file=/etc/vsftpd/ftpusers) is what rejects the accounts listed in /etc/vsftpd/ftpusers; the refusal happens inside PAM, i.e. after the client has sent a password.

/etc/vsftpd/ftpusers

List of accounts forbidden to use vsftpd. Accounts that would endanger the system if they could log in over FTP (root, bin, daemon and other service accounts) are recorded here so that an FTP login cannot give them upload and download rights beyond what they should have. (Note: on older releases this file lives directly under /etc.)

/etc/vsftpd/user_list

List of accounts either forbidden or exclusively allowed to use vsftpd. By default (userlist_enable=YES with userlist_deny=YES in /etc/vsftpd/vsftpd.conf) the accounts named here are refused; with userlist_deny=NO only the accounts named here may log in. Unlike ftpusers, this list is checked by vsftpd itself before any password prompt. (Note: on older releases this file lives directly under /etc.)

/var/ftp

Home directory of the anonymous user. Local users land in their own home directory (/home/user) after logging in.

/var/ftp/pub

Download directory for anonymous users. If anonymous uploads are allowed it is normally given mode 1777 as root (chmod 1777 pub): the leading 1 is the sticky bit, so a file can only be deleted or renamed by its owner after upload. Keep /var/ftp itself owned by root and not writable by the ftp user.

/etc/logrotate.d/vsftpd.log

Log rotation rules for vsftpd. The log files themselves are /var/log/vsftpd.log and, with xferlog_std_format=YES, /var/log/xferlog.

vsftpd master configuration file /etc/vsftpd/vsftpd.conf, option by option (back up the file before modifying it)

As with most configuration files on Linux, lines beginning with # in vsftpd.conf are comments. Options are written as option=value with no spaces around the equals sign; vsftpd refuses to start on a line it cannot parse.

# Allow anonymous logins. Anonymous clients log in with the user name "ftp" or
# "anonymous" and, by convention, their e-mail address as the password.
# Older releases defaulted this to YES; since vsftpd 3.0 the default is NO.
# Set it to NO unless you really run a public server.
anonymous_enable=YES
# Allow local users (accounts on the Linux system) to log in. A local user lands
# in their home directory; anonymous users land in /var/ftp.
# Comment this out (or set NO) for an anonymous-only server. Default: NO.
local_enable=YES
# Allow any write command (STOR, DELE, RNFR, MKD, ...). Default: NO.
write_enable=YES
# umask applied to files created by local users. The default is 077 (owner
# only); 022 makes uploads world-readable, so choose this deliberately.
#local_umask=022
# Allow anonymous uploads; only effective when write_enable=YES. Default: NO.
#anon_upload_enable=YES
# Allow anonymous users to create directories. Default: NO.
#anon_mkdir_write_enable=YES
# Show a per-directory message: when a client first enters a directory, the
# contents of the file named by message_file (default .message, created by
# you) are displayed. Default: NO.
#dirmessage_enable=YES
# Record uploads and downloads. The log goes to /var/log/vsftpd.log unless
# xferlog_file says otherwise. Default: NO.
xferlog_enable=YES
# Make active-mode (PORT) data connections originate from port 20 (ftp-data);
# port 21 remains the control connection. Default: NO.
connect_from_port_20=YES
# Change the owner of anonymously uploaded files to chown_username. Do not pick
# root, the uploads would become root-owned. Defaults: NO / root.
#chown_uploads=YES
#chown_username=whoever
# Path of the transfer log. Default: /var/log/vsftpd.log.
#xferlog_file=/var/log/vsftpd.log
# Write the transfer log in the wu-ftpd "xferlog" format (to /var/log/xferlog
# by default), which standard log analysers understand. Default: NO.
#xferlog_std_format=YES
# The following are additional options; uncomment the ones you need.
# Keep two logs: /var/log/xferlog in wu-ftpd format, for standard analysers,
# and /var/log/vsftpd.log in vsftpd's own, more detailed format. Default: NO.
#dual_log_enable=YES
# Send the log to syslog instead of /var/log/vsftpd.log. Default: NO.
#syslog_enable=YES
# Drop a control session that has sent no command for this many seconds
# (the sample value is 600; vsftpd's default is 300). Adjust to your situation.
#idle_session_timeout=600
# Drop a data connection that has made no progress for this many seconds
# (sample value 120; default 300).
#data_connection_timeout=120
# Unprivileged account vsftpd uses for its least-privileged helper process.
# Default: nobody.
#nopriv_user=ftpsecure
# Recognise asynchronous ABOR requests. Some clients send "async ABOR" and
# hang without this, but it is considered less safe and is normally left off.
#async_abor_enable=YES
# ASCII-mode transfers. By default vsftpd ignores ASCII requests; enabling
# them lets a client issue "SIZE /big/file" in ASCII mode, which makes the
# server scan the whole file and is a denial-of-service vector.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# Banner shown at login (per-directory text is handled by .message files).
#ftpd_banner=Welcome to blah FTP service.
# Refuse anonymous logins whose password (e-mail address) is listed in
# banned_email_file, one address per line; create that file yourself.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
# Chroot: lock users into their home directory so they cannot browse the rest
# of the filesystem. With chroot_local_user=NO (the default), the users named
# in chroot_list_file are chrooted; with chroot_local_user=YES the list is
# inverted and names the users who are NOT chrooted. Create the file yourself.
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
# Allow recursive "ls -R". Off by default because a remote user can use it to
# cause a great deal of I/O.
#ls_recurse_enable=YES
# Run standalone (vsftpd accepts connections itself) instead of from
# inetd/xinetd.
listen=YES
# Listen on IPv6 instead of IPv4. To serve both, run two vsftpd instances with
# two configuration files, each with only one of listen / listen_ipv6 enabled.
#listen_ipv6=YES
# Name of the PAM service, i.e. the file /etc/pam.d/vsftpd. That file's
# pam_listfile line (file=/etc/vsftpd/ftpusers) is what rejects the accounts
# listed in ftpusers, after the password has been entered.
#pam_service_name=vsftpd
# Consult the user_list file (/etc/vsftpd/user_list). Default: NO. With
# userlist_deny=YES (the default) the listed accounts are refused; with
# userlist_deny=NO only the listed accounts are accepted. A refused account
# gets "530 Permission denied" at the USER command, before any password prompt.
userlist_enable=YES
#userlist_deny=YES
# Use tcp_wrappers for host-based access control. /etc/hosts.allow and
# /etc/hosts.deny hold the allow and deny rules. To keep 192.168.57.1 and
# 192.168.57.9 away from the FTP server 192.168.57.2, add two lines to
# /etc/hosts.allow:
#   vsftpd : 192.168.57.1 : DENY
#   vsftpd : 192.168.57.9 : DENY
# Those hosts can still ping the server, but their FTP connections are
# dropped.
tcp_wrappers=YES

The following sections describe the options for restrictions and permissions control further.

In addition to the basic settings above, we can add more security options to the vsftpd.conf file. Several of them are commonly used as follows:

Limit maximum number of connections and transfer rates

When managing an FTP server, the resources consumed by local and anonymous users both need to be kept under control so that an overloaded server does not misbehave. The following options limit what FTP clients can use:

The max_clients option sets the maximum number of simultaneous client connections the server accepts; 0 means no limit. For example, max_clients=100 caps all clients together at 100 connections.
The max_per_ip option sets the maximum number of simultaneous connections from one IP address; 0 means no limit. For example, max_per_ip=5 allows at most 5 connections from the same address, which stops a single client from using up the max_clients budget.
The local_max_rate option sets the maximum transfer rate for local users, in bytes per second; 0 means no limit. For example, local_max_rate=500000 caps local users at about 500 KB/s.
The anon_max_rate option sets the maximum transfer rate for anonymous users, in bytes per second; 0 means no limit. For example, anon_max_rate=200000 caps anonymous users at about 200 KB/s.
Note that max_clients and max_per_ip only take effect in standalone mode (listen=YES); when vsftpd is started from xinetd the equivalent limits belong in the xinetd configuration.
Specify permissions settings for a user

The user_list file (/etc/vsftpd/user_list; its path is set by userlist_file, whose compiled-in default is /etc/vsftpd.user_list) works together with options in vsftpd.conf to control access for the accounts named in it, one user name per line:

(1) Accounts that are forbidden to log in

With the following settings in vsftpd.conf, the accounts in user_list are refused FTP logins:

userlist_enable=YES
userlist_deny=YES

userlist_enable=YES turns the user_list file on, and userlist_deny=YES (its default) makes the file a list of forbidden accounts.

(2) Accounts that are the only ones allowed to log in

With the following settings in vsftpd.conf, only the accounts in user_list can log in over FTP:

userlist_enable=YES
userlist_deny=NO

userlist_enable=YES turns the user_list file on, and userlist_deny=NO makes it a list of the only accounts allowed to log in; every account not in the file is refused. This allow-list form is the safer choice for a server with a known set of users.

The userlist_enable and userlist_deny options restrict who may log on to the FTP server; together with the ftpusers file they keep system accounts such as root, apache or www off the server and give it layered access control. The two lists are enforced at different points: user_list is checked by vsftpd itself when the client sends USER, so a refused name gets a 530 reply before any password prompt; ftpusers is enforced by the pam_listfile rule in /etc/pam.d/vsftpd, so the client is asked for a password and is refused only after sending it. The effect of each combination:

userlist_enable=NO (the default)
    Users in ftpusers: refused, after the password prompt
    Users in user_list: the file is not consulted, they log in normally

userlist_deny on its own (userlist_enable=NO)
    Users in ftpusers: refused, after the password prompt
    Users in user_list: no effect, the file is not consulted

userlist_enable=YES and userlist_deny=YES (userlist_enable=YES alone has the same effect, since userlist_deny defaults to YES)
    Users in ftpusers: refused, after the password prompt
    Users in user_list: refused at the USER command, no password prompt, rejected directly by the server

userlist_enable=YES and userlist_deny=NO
    Users in ftpusers: refused, after the password prompt, even if they are also in user_list
    Users in user_list: the only accounts allowed; every other name is rejected before the password prompt
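As an added example (not code from this article or from vsftpd), the following Python script models the user_list / ftpusers decision just described and also audits a vsftpd.conf for the weak settings discussed in the configuration listing above (anonymous upload, ASCII mode, missing chroot, lax umask, root-owned uploads, no connection cap). The configuration text and the two user lists in it are constructed for the example. Two assumptions are the example's own: vsftpd's real parser is stricter than this one (it accepts no whitespace around "="), and the model applies user_list to anonymous names as well, with "anonymous" normalised to "ftp".

```python
"""Model vsftpd's user_list / ftpusers login decision and audit a vsftpd.conf.

Added example for this article, not vsftpd code. The configuration and user
lists below are constructed; vsftpd's own parser is stricter (no whitespace
around '=').
"""

# Compiled-in defaults of the options this example reasons about.
# (anonymous_enable defaulted to YES in vsftpd 2.x; it is NO since 3.0.)
DEFAULTS = {
    "anonymous_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
    "local_umask": "077",
    "max_clients": "0",
}


def parse_conf(text):
    """Return option -> value (keys lower-cased), starting from DEFAULTS."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed vsftpd.conf line: %r" % raw)
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def is_yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def read_list(text):
    """user_list and ftpusers hold one user name per line; '#' lines are ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def login_decision(conf, user, user_list, ftpusers):
    """Return 'allowed', 'denied_before_password' or 'denied_after_password'.

    user_list is checked by vsftpd at the USER command, so a refused name never
    gets a password prompt. ftpusers is enforced by pam_listfile in
    /etc/pam.d/vsftpd, so that refusal comes only after the password was sent.
    Assumption of this model: user_list is applied to anonymous names too,
    with "anonymous" normalised to "ftp".
    """
    anon = user.lower() in ("ftp", "anonymous") and is_yes(conf, "anonymous_enable")
    name = "ftp" if anon else user
    if not anon and not is_yes(conf, "local_enable"):
        return "denied_before_password"          # "This FTP server is anonymous only."
    if is_yes(conf, "userlist_enable"):
        listed = name in user_list
        if listed == is_yes(conf, "userlist_deny"):  # listed+deny list, or unlisted+allow list
            return "denied_before_password"      # "Permission denied."
    if not anon and name in ftpusers:            # anonymous logins do not go through PAM
        return "denied_after_password"
    return "allowed"


def audit(conf):
    """Findings for the weak settings the article warns about."""
    findings = []
    if is_yes(conf, "anonymous_enable") and is_yes(conf, "anon_upload_enable"):
        findings.append("anonymous upload enabled (anon_upload_enable=YES)")
    if is_yes(conf, "ascii_upload_enable") or is_yes(conf, "ascii_download_enable"):
        findings.append("ASCII mode enabled: 'SIZE /big/file' lets a client burn server CPU")
    if is_yes(conf, "local_enable") and not (
            is_yes(conf, "chroot_local_user") or is_yes(conf, "chroot_list_enable")):
        findings.append("local users not chrooted: they can browse outside their home")
    if is_yes(conf, "local_enable") and not is_yes(conf, "userlist_enable"):
        findings.append("userlist_enable=NO: only PAM/ftpusers keeps system accounts out")
    if is_yes(conf, "local_enable") and conf["local_umask"] != "077":
        findings.append("local_umask=%s: uploads readable by group/others" % conf["local_umask"])
    if is_yes(conf, "chown_uploads") and conf["chown_username"] == "root":
        findings.append("chown_uploads=YES with chown_username=root: uploads become root-owned")
    if conf["max_clients"] == "0":
        findings.append("max_clients=0: no cap on simultaneous connections")
    return findings


# Constructed sample: an "everything on" vsftpd.conf and the two user lists.
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=YES
xferlog_enable=YES
"""
SAMPLE_USER_LIST = "root\nbin\napache\n"
SAMPLE_FTPUSERS = "root\nbin\ndaemon\nwww\n"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    users, banned = read_list(SAMPLE_USER_LIST), read_list(SAMPLE_FTPUSERS)
    for u in ("root", "www", "student", "anonymous"):
        print("%-10s %s" % (u, login_decision(conf, u, users, banned)))
    for f in audit(conf):
        print("WARNING:", f)
```

Run against a real /etc/vsftpd/vsftpd.conf by reading the three files instead of the constructed strings; the "before password" versus "after password" distinction is what you see on the wire when you test a blocked account with an ftp client (530 straight after USER, or 530 only after PASS).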

Modify Default port

The FTP server listens on port 21 by default. For security reasons it is sometimes useful to move the control port; edit /etc/vsftpd/vsftpd.conf and add a line such as:

listen_port=4449

listen_port sets the port the server listens on; pick an unused port, normally an unprivileged high port as in this example. Moving the port only works in standalone mode (listen=YES), and it only hides the service from casual scans; it is not a substitute for authentication. After the change, clients must name the port when connecting:

# ftp 192.168.57.2 4449

Note that the client has to give the correct port number, otherwise it cannot connect. Remember to open the new port in the firewall, and note that with connect_from_port_20=YES active-mode data connections still come from port 20 unless ftp_data_port is changed as well.

Set up user groups

The importance of FTP users and groups was already mentioned when vsftpd was introduced. What follows is a simple illustration of using a Unix group to give the members of one group different levels of access to a shared directory; how you apply it depends on your own requirements.

# mkdir -p /home/try                 create the shared directory
# groupadd try                       create the group try
# useradd -g try -d /home/try try1   create user try1 with home directory /home/try and primary group try
# useradd -g try -d /home/try try2   the same for try2
# useradd -g try -d /home/try try3   the same for try3
# passwd try1                        set a password for each new user
# passwd try2
# passwd try3
# chown try1 /home/try               owner of the directory: try1
# chgrp try /home/try                group of the directory: try
# chmod 750 /home/try                try1 may read, write and execute; try2 and try3 may only read and execute

Because a local user lands in their home directory after logging in, and try1, try2 and try3 have different permissions on the shared home /home/try, what they can do over FTP differs: try1 can upload, download and create directories; try2 and try3 can download and browse but cannot upload or create directories. This gives users in one group different access levels and strengthens tiered security management of the FTP server. Two caveats: the directory mode is only the first line of defence, so also chroot these users (chroot_local_user=YES or a chroot_list) so that the group cannot browse the rest of the filesystem; and vsftpd 2.3.5 and later refuse a chrooted session whose root directory is writable, as /home/try is for try1, unless allow_writeable_chroot=YES is set, so it is cleaner to keep the chroot root read-only and give try1 write access to a subdirectory instead.

Connection timeout (This section is provided by Li Yang)

Idle control-session timeout: with the setting below, a session that sends no command for 5 minutes is dropped to free the server's resources.

idle_session_timeout=300

Stalled data-connection timeout: with the setting below, a data transfer that makes no progress for 1 minute is dropped, again to free the server's resources.

data_connection_timeout=60

Data-connection set-up timeouts: accept_timeout is how long (in seconds) vsftpd waits for a client to connect to the passive-mode (PASV) data port it has opened, and connect_timeout is how long it waits for a client to accept the active-mode (PORT) data connection the server initiates. Both default to 60. The values below give a passive-mode client 60 seconds to connect and an active-mode client 30 seconds to respond; keep them short, since every half-open data connection ties up a process.

accept_timeout=60
connect_timeout=30

Next, we will introduce the VSFTPD log.

Common VSFTPD Log Solutions

The following entries in vsftpd.conf control logging:

# record uploads and downloads
xferlog_enable=YES
# write the transfer records in the standard wu-ftpd xferlog format,
# to the file named by xferlog_file
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
# enable dual logging: besides the xferlog file, vsftpd's own detailed log
# goes to the file named by vsftpd_log_file, /var/log/vsftpd.log
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

Keep both files readable only by root and rotate them (/etc/logrotate.d/vsftpd.log). vsftpd.log records every connection, login and failed login with the client address, so it is the file to watch for password-guessing attempts; xferlog records one line per transfer in a format that standard analysers understand.

vsftpd's two log files are analysed below.

/var/log/vsftpd.log (vsftpd's own format)

Example records. The first is a new connection, the second a successful anonymous login; the "?" is the password the client sent in place of an e-mail address:

Tue Sep 11 14:59:03 2007 [pid 3460] CONNECT: Client "127.0.0.1"
Tue Sep 11 14:59:24 2007 [pid 3459] [ftp] OK LOGIN: Client "127.0.0.1", anon password "?"

Failed logins appear as FAIL LOGIN lines in the same format, and transfers as OK UPLOAD / OK DOWNLOAD lines giving the file name, size and rate.

/var/log/xferlog (wu-ftpd format, one record per transfer)

Analysis of a record in the /var/log/xferlog file, field by field. The fields are separated by spaces; the example record is:

Thu Sep 6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpmyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c

Record data | Field | Description
Thu Sep 6 09:07:48 2007 | Current time | Server local time when the transfer finished, in the form DDD MMM DD hh:mm:ss YYYY
7 | Transfer time | Time the transfer took, in seconds
192.168.57.1 | Remote host | Remote host name or IP address
4323279 | File size | Size of the transferred file, in bytes
/home/student/phpmyadmin-2.11.0-all-languages.tar.gz | File name | Transferred file, including its path
b | Transfer type | a: ASCII transfer; b: binary transfer
_ | Special processing flags | _: no special processing; C: file was compressed; U: file was uncompressed; T: file was tar'ed
i | Direction | o: outgoing, from the FTP server to the client (download); i: incoming, from the client to the FTP server (upload)
r | Access mode | a: anonymous user; g: guest user; r: real user, i.e. a system account
student | User name | Name the user logged in with
ftp | Service name | Name of the service, normally ftp
0 | Authentication method | 0: none; 1: RFC 931 (ident) authentication
* | Authenticated user id | Identity returned by RFC 931 authentication; * means it could not be obtained
c | Completion status | c: transfer completed; i: transfer incomplete (interrupted)
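As an added example (not code from this article or from vsftpd), the following Python script parses xferlog records of the format described in the table above, as vsftpd writes them with xferlog_std_format=YES, and extracts the two things a reviewer looks for first: anonymous uploads (the records that matter on a server with anon_upload_enable=YES) and bytes moved per user. The log lines are constructed for the example, not taken from a real server. Because the file name is the only field that can contain spaces, the parser splits each record from both ends rather than by position; the third sample line exercises that case.

```python
"""Parse wu-ftpd style xferlog records (vsftpd with xferlog_std_format=YES).

Added example for this article, not vsftpd code. The log lines below are
constructed.
"""
from datetime import datetime

# Meaning of the single-letter fields, as in the table above.
TRANSFER_TYPE = {"a": "ascii", "b": "binary"}
DIRECTION = {"o": "download", "i": "upload"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}
COMPLETION = {"c": "complete", "i": "incomplete"}


def parse_xferlog_line(line):
    """Split one xferlog record into a dict.

    The file name may contain spaces, so the record is split from both ends:
    five date tokens, transfer time, host and size from the left; the nine
    fixed trailing fields from the right; whatever is in between is the name.
    """
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError("short xferlog record: %r" % line)
    head, tail = tokens[:8], tokens[-9:]
    return {
        "time": datetime.strptime(" ".join(head[:5]), "%a %b %d %H:%M:%S %Y"),
        "seconds": int(head[5]),
        "host": head[6],
        "size": int(head[7]),
        "filename": " ".join(tokens[8:-9]),
        "type": TRANSFER_TYPE.get(tail[0], tail[0]),
        "flags": tail[1],
        "direction": DIRECTION.get(tail[2], tail[2]),
        "mode": ACCESS_MODE.get(tail[3], tail[3]),
        "user": tail[4],
        "service": tail[5],
        "auth": "rfc931" if tail[6] == "1" else "none",
        "auth_uid": None if tail[7] == "*" else tail[7],
        "status": COMPLETION.get(tail[8], tail[8]),
    }


def parse_xferlog(text):
    """Parse every non-empty line of an xferlog file."""
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(records):
    """(host, filename, size, status) for every upload by an anonymous user."""
    return [(r["host"], r["filename"], r["size"], r["status"])
            for r in records
            if r["mode"] == "anonymous" and r["direction"] == "upload"]


def bytes_by_user(records):
    """Total bytes moved per user name, uploads and downloads together."""
    totals = {}
    for r in records:
        totals[r["user"]] = totals.get(r["user"], 0) + r["size"]
    return totals


# Constructed sample log: one real-user upload, one interrupted anonymous
# upload into the incoming area, one anonymous ASCII download of a file whose
# name contains a space.
SAMPLE_XFERLOG = """\
Thu Sep  6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpmyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c
Thu Sep  6 09:12:01 2007 3 10.0.0.5 1048576 /pub/incoming/tool.bin b _ i a ftp ftp 0 * i
Thu Sep  6 09:15:30 2007 1 10.0.0.6 2048 /pub/read me.txt a _ o a ftp ftp 0 * c
"""

if __name__ == "__main__":
    records = parse_xferlog(SAMPLE_XFERLOG)
    for host, name, size, status in anonymous_uploads(records):
        print("anonymous upload from %s: %s (%d bytes, %s)" % (host, name, size, status))
    for user, total in sorted(bytes_by_user(records).items()):
        print("%-10s %d bytes" % (user, total))
```

Feed it a real file with parse_xferlog(open("/var/log/xferlog").read()); a sudden run of incomplete anonymous uploads from one host, or one user's byte total far above the rest, is the kind of pattern worth following up in /var/log/vsftpd.log, which carries the matching connection and login lines.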

Finally, we introduce the common FTP commands, and the meaning of the FTP digital code.

Common FTP commands and their functions

Command: function

ls: display the directory listing on the server
ls [remote-dir] [local-file]: list the remote directory remote-dir and save the listing in the local file local-file
get remote-file [local-file]: download the given file from the server to the client
mget remote-files: download several remote files (wildcards are allowed)
put local-file [remote-file]: upload the given file from the client to the server
mput local-files: upload several files to the remote host (wildcards are allowed)
open host [port]: connect to an FTP server, optionally on the given port
close: end the FTP session with the remote server (the counterpart of open)
mdelete [remote-files]: delete several files on the remote host
mkdir dir-name: create a directory on the remote host
newer file-name: transfer file-name only if the copy on the remote host is newer than the local file of the same name
cd remote-dir: change the working directory on the server
rename [from] [to]: rename a file on the remote host
lcd directory: change the working directory on the client (local) side
pwd: display the current working directory on the remote host
bye, quit: end the FTP session and leave the ftp client
ascii: set the transfer mode to ASCII
binary: set the transfer mode to binary (use this for anything that is not plain text)
reget remote-file [local-file]: like get, but if local-file already exists the transfer resumes from where it was interrupted
rhelp [cmd-name] (remotehelp): ask the remote host for help
! [cmd [args]]: run a command in a local shell and return to the FTP prompt, e.g. !ls *.zip
rstatus [file-name]: with no file name, show the status of the remote host; otherwise show the status of the file
account [password]: supply the extra password some systems require for access to resources after a successful login
hash: print a hash sign (#) for every 1024 bytes transferred
append local-file [remote-file]: append the local file to a file on the remote host; if no remote file name is given, the local name is used
restart marker: restart the following get or put from the given offset, e.g. restart 130
rmdir dir-name: delete a directory on the remote host
case: when on, convert upper-case remote file names to lower case during mget
size file-name: show the size of a file on the remote host
cdup: move to the parent of the current remote directory
status: show the current status of the FTP client
system: show the operating system type of the remote host
delete remote-file: delete a file on the remote host
user user-name [password] [account]: identify yourself to the remote host; if a password is required it must be given, e.g. user anonymous my@email
dir [remote-dir] [local-file]: list the remote directory in long format and optionally save the listing in a local file
help [cmd]: show help for the ftp client's internal command cmd, e.g. help get

The meaning of FTP digital code

110 Restart marker reply.
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open the data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type (reply to SYST).
220 Service ready for new user.
221 Service closing control connection (logged out).
225 Data connection open; no transfer in progress.
226 Closing data connection; requested file action successful.
227 Entering passive mode.
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created (also the reply to PWD).
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information (e.g. RNFR waiting for RNTO).
421 Service not available, closing control connection.
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken (file unavailable, e.g. busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken: insufficient storage space.
500 Syntax error, command unrecognised.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken (file unavailable, e.g. not found or no access).
551 Requested action aborted: page type unknown.
552 Requested file action aborted: exceeded storage allocation.
553 Requested action not taken: file name not allowed.

Contact Us

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud. If anything on the page is confusing, please write to us by e-mail and we will handle the problem within 5 days of receiving it.
