3.2 vsftpd: an FTP server that is both secure and efficient
3.2.1 vsftpd overview
FTP (File Transfer Protocol) is the protocol for transferring files between hosts and is still the most common way to move files around. Readers using RedHat 9 will notice two changes to the FTP server. First, only vsftpd is shipped; the earlier wu-ftpd is no longer included. Second, vsftpd has been separated from xinetd, and its configuration file has moved from /etc/vsftpd.conf to /etc/vsftpd/vsftpd.conf.
Why make such a change? vsftpd is now able to run on its own and no longer needs xinetd to control it, and, like sendmail, httpd, ssh and samba, it keeps its configuration in its own directory under /etc.
FTP comes in two flavours: PORT (active) FTP, the traditional form, and PASV (passive) FTP. They work as follows:
PORT FTP
This is the traditional form of FTP. First a control channel is established; its default port is 21, so the client connects to port 21 and sends its commands over this connection. Second, the FTP server establishes a data channel back to the client; its default port is 20, so the server connects from port 20 and the data are transferred over that connection.
PASV FTP
As with PORT FTP, the control channel is established first, by default on port 21, and commands are sent over it. Second, the client asks for the data connection with a PASV request, and the server answers with the port number the client should connect to for the data transfer.
What is the difference? In PORT FTP the server opens the data connection, from a port it chooses (20 by default); in PASV FTP the client opens the data connection, to a port the server announces. PASV FTP is what we usually use when a firewall is involved: the two sides agree on the data port over the control channel, and the client initiates the data connection.
3.2.2 Examples
3.2.1. Starting the vsftpd service directly
This example uses the RedHat default configuration and simply starts vsftpd.
[root@relay vsftpd]# /sbin/service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
3.2.2. Changing the service port: replace the default port 21 with 2121
For security reasons, or to run a separate FTP service on another port, we may want to move FTP from port 21 to port 2121. Refer to the following steps.
Step1. Modify /etc/vsftpd/vsftpd.conf
Add the line below:
listen_port=2121
Step2. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
3.2.3. Preventing specific users (peter, john) from leaving their home directory
A user's default directory is /home/username. If we do not want these users to be able to change to the parent directory /home, refer to the following steps.
Step1. Modify /etc/vsftpd/vsftpd.conf
Change the three lines below
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
to
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
Step2. Create the file /etc/vsftpd/chroot_list
with the following two lines (one user per line, spelled exactly as the login name):
peter
john
Step3. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
If peter then tries to change to a directory outside his home directory, which is now his root, the following error appears:
ftp> cd /home
Failed to change directory.
3.2.4. Disabling anonymous login
If the host should not accept anonymous logins, refer to the following steps.
Step1. Modify /etc/vsftpd/vsftpd.conf
Change
anonymous_enable=YES
to
anonymous_enable=NO
Step2. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
3.2.5. Setting up welcome messages
If we want users to see a welcome message when they log in, perhaps describing the host or the contents of a directory, refer to the following steps.
First confirm that /etc/vsftpd/vsftpd.conf contains the line
dirmessage_enable=YES
This is the RedHat 9 default.
Next, place a file named .message in each directory that should show a message. Assume there is a user test1 whose home directory contains a directory named ABC. First we create /home/test1/.message with the following content:
Hello~ Welcome to the home directory
This is to test only ...
Next, add /home/test1/ABC/.message, which reads:
Welcome to ABC's directory
This is subdir ...
Then, when user test1 logs in, he sees the following message:
230-Hello~ Welcome to the home directory
230-
230-This is to test only ...
230-
If he changes to the ABC directory, he receives the following message:
250-Welcome to ABC's directory
250-
250-This is subdir ...
3.2.6. Showing each connection as a separate, labelled process
When vsftpd starts we only see a single process named vsftpd. If the reader wants each connection to appear as its own labelled process, perform the following steps.
Step1. Modify /etc/vsftpd/vsftpd.conf
Add the line below:
setproctitle_enable=YES
Step2. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
With ps -ef you can now see which users are connected and what they are doing, as in the following listing:
[root@home vsftpd]# ps -ef | grep ftp
root      2090     1  0 16:41 pts/0    00:00:00 vsftpd: LISTENER
nobody    2120  2090  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244: connected
test1     2122  2120  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244/test1: IDLE
nobody    2124  2090  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244: connected
test2     2126  2124  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244/test2: IDLE
root      2129  1343  0 17:20 pts/0    00:00:00 grep ftp
[root@home vsftpd]#
3.2.7. Limiting the transfer speed:
The maximum speed for local users of this machine is 200 kbytes/s, and the maximum speed for anonymous logins is 50 kbytes/s.
Step1. Modify /etc/vsftpd/vsftpd.conf
Add the two lines below:
anon_max_rate=50000
local_max_rate=200000
Step2. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
The unit here is bytes/s; anon_max_rate limits anonymous logins and local_max_rate limits the local users of this machine. vsftpd's rate limiting is approximate, with a tolerance of roughly 80% to 120%: if we limit the maximum speed to 100 kbytes/s, the actual speed may fall anywhere between 80 kbytes/s and 120 kbytes/s. Naturally, if the available bandwidth is insufficient, the actual speed stays below the limit.
3.2.8. Limiting different users to different speeds:
Assume the maximum speed test1 may use is 250 kbytes/s and the maximum speed test2 may use is 500 kbytes/s.
Step1. Modify /etc/vsftpd/vsftpd.conf
Add the line below:
user_config_dir=/etc/vsftpd/userconf
Step2. Create the directory /etc/vsftpd/userconf
mkdir /etc/vsftpd/userconf
Step3. Under /etc/vsftpd/userconf, create a file named test1 (the file name must be exactly the login name).
Add one line to it:
local_max_rate=250000
Step4. Under /etc/vsftpd/userconf, create a file named test2.
Add one line to it:
local_max_rate=500000
Step5. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
3.2.9-1. Building an FTP server behind a firewall in PORT FTP mode:
Default FTP port 21 and FTP data port 20
After vsftpd is started, execute the following two lines. Only ports 21 and 20 are accepted; every other inbound TCP connection is rejected with a reset.
iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
Note that the second rule rejects every other TCP service on the host, including ssh; any port you still need to reach must be added to the ACCEPT list before the rules are applied.
3.2.9-2. Building an FTP server behind a firewall in PORT FTP mode:
FTP port 2121 and FTP data port 2020
Step1. Execute the following two lines. Only ports 2121 and 2020 are accepted; every other inbound TCP connection is rejected with a reset.
iptables -A INPUT -p tcp -m multiport --dports 2121,2020 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
Step2. Modify /etc/vsftpd/vsftpd.conf
Add the two lines below:
listen_port=2121
ftp_data_port=2020
Step3. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Note that in examples 3.2.9-1 and 3.2.9-2 the FTP client (CuteFTP, for example) must not use passive mode, otherwise the data connection cannot be established: the reader can connect to the FTP server, but commands such as ls and get will not work.
3.2.10. Building an FTP server behind a firewall in PASV FTP mode:
FTP port 2121 and FTP data ports 9981 to 9986.
Step1. Execute the following two lines. Only port 2121 and ports 9981-9990 are accepted; every other inbound TCP connection is rejected with a reset. (The firewall range is wider than the 9981-9986 that vsftpd is told to use below; ports 9987-9990 are opened but never handed out.)
iptables -A INPUT -p tcp -m multiport --dports 2121,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
Step2. Modify /etc/vsftpd/vsftpd.conf
Add the four lines below:
listen_port=2121
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986
Step3. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Note that in example 3.2.10 the FTP client (CuteFTP, for example) must use passive mode, otherwise the data connection cannot be established: the reader can connect to the FTP server, but commands such as ls and get will not work.
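The two firewall examples above tie vsftpd's port settings to the iptables rules by hand. The following Python script is an added example, not part of the original tutorial: it derives the two-rule ruleset from listen_port, ftp_data_port and the PASV range, checks that a given ACCEPT list covers every PASV port vsftpd may announce, and flags administrative ports (ssh, assumed here to be on port 22) that the trailing REJECT would cut off. The configurations inside it are constructed from examples 3.2.9-2 and 3.2.10.

```python
"""Derive the INPUT rules used in 3.2.9 and 3.2.10 from vsftpd's port settings."""

MULTIPORT_MAX = 15   # the iptables multiport match takes at most 15 ports


def inbound_ports(cfg):
    """Ports the firewall must accept for the configured FTP mode (cfg: option -> value)."""
    ports = [int(cfg.get("listen_port", "21"))]            # control channel
    if cfg.get("pasv_enable", "YES") == "YES":
        lo, hi = int(cfg.get("pasv_min_port", "0")), int(cfg.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0 or lo > hi:
            raise ValueError("PASV needs a bounded pasv_min_port <= pasv_max_port")
        ports += range(lo, hi + 1)                         # ports the server announces to clients
    else:
        # PORT mode: the server opens the data connection from ftp_data_port; with these
        # stateless rules the client's replies to it arrive as inbound packets to that port
        ports.append(int(cfg.get("ftp_data_port", "20")))
    return ports


def iptables_rules(cfg):
    """The two-line ruleset from the examples: accept the FTP ports, reset everything else."""
    ports = inbound_ports(cfg)
    if len(ports) > MULTIPORT_MAX:
        raise ValueError(f"{len(ports)} ports exceed the multiport limit of {MULTIPORT_MAX}")
    return [
        "iptables -A INPUT -p tcp -m multiport --dports %s -j ACCEPT" % ",".join(map(str, ports)),
        "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset",
    ]


def uncovered_pasv_ports(cfg, accepted):
    """PASV ports vsftpd may hand out that a given ACCEPT list does not cover."""
    if cfg.get("pasv_enable", "YES") != "YES":
        return []
    lo, hi = int(cfg["pasv_min_port"]), int(cfg["pasv_max_port"])
    return [p for p in range(lo, hi + 1) if p not in set(accepted)]


def locked_out(accepted, admin_ports=(22,)):
    """Administrative ports the trailing REJECT rule would cut off (ssh assumed on 22)."""
    return [p for p in admin_ports if p not in set(accepted)]


# Constructed configurations matching examples 3.2.9-2 (PORT mode) and 3.2.10 (PASV mode).
PORT_CFG = {"listen_port": "2121", "ftp_data_port": "2020", "pasv_enable": "NO"}
PASV_CFG = {"listen_port": "2121", "pasv_enable": "YES",
            "pasv_min_port": "9981", "pasv_max_port": "9986"}

if __name__ == "__main__":
    for cfg in (PORT_CFG, PASV_CFG):
        print("\n".join(iptables_rules(cfg)))
    # the page's 3.2.10 list (9981-9990) is wider than the PASV range; this shows the
    # opposite mistake, an ACCEPT list that stops short of pasv_max_port
    print(uncovered_pasv_ports(PASV_CFG, [2121, 9981, 9982, 9983, 9984]))
    print(locked_out(inbound_ports(PASV_CFG)))
```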
3.2.11. Combining vsftpd with tcp_wrappers
If the reader wishes to allow or deny source addresses directly in /etc/hosts.allow, perform the following steps. This is a simple firewall setting.
Step1. Confirm that tcp_wrappers in /etc/vsftpd/vsftpd.conf is set to YES, as shown below:
tcp_wrappers=YES
This is the RedHat 9 default and normally needs no change.
Step2. Restart vsftpd
[root@home vsftpd]# /sbin/service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Step3. Edit /etc/hosts.allow. For example, to allow 111.22.33.4 and the company's range 10.1.1.1 to 10.1.1.254 to connect, use the following setting (a pattern ending in a dot, such as 10.1.1., matches every address that begins with it):
vsftpd : 111.22.33.4 10.1.1. : allow
ALL : ALL : deny
Note that the last line denies every other tcp_wrappers-aware service on the host, not only FTP.
3.2.12. Running vsftpd under xinetd
If the reader wants to run vsftpd under xinetd, which was the default arrangement in the 7.x versions, perform the following steps.
Step1. Modify /etc/vsftpd/vsftpd.conf
Change
listen=YES
to
listen=NO
Step2. Create the file /etc/xinetd.d/vsftpd
with the following contents (the service name must be one listed in /etc/services, hence ftp):
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        port            = 21
        log_on_success  += PID HOST DURATION
        log_on_failure  += HOST
}
Step3. Restart xinetd
[root@home vsftpd]# /sbin/service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
3.2.3 Configuration file reference
Settings left out of the examples can be found here, such as the total number of connections, the number of connections from one address, showing the file owner's name, and so on. I hope that, having read them, the reader can build the configuration that suits them best.
Format
The contents of vsftpd.conf are very simple: each line is one setting. Blank lines and lines beginning with # are ignored. There is only one form of setting, shown below:
option=value
Note that no whitespace may surround the equals sign; vsftpd does not accept the setting otherwise. Option names are written in lowercase exactly as listed here, and boolean values are YES or NO.
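The examples in 3.2.2 and the format rules above are easy to get wrong when copied (a capitalised option name or a space around '=' stops vsftpd from starting). The following Python script is an added example, not part of the original tutorial: it parses a vsftpd.conf under those rules and reports the security-relevant settings the examples touch. The option list and the two sample configurations inside it are constructed for the illustration.

```python
"""Parse a vsftpd.conf under the format rules above and audit the settings the examples use."""
import re

# Option names discussed on this page. vsftpd compares names case-sensitively and refuses
# to start on anything it does not know ("unrecognised variable in config file").
KNOWN = {
    "anonymous_enable", "anon_upload_enable", "anon_mkdir_write_enable",
    "anon_other_write_enable", "chown_uploads", "chroot_local_user",
    "chroot_list_enable", "chroot_list_file", "write_enable", "listen",
    "listen_port", "ftp_data_port", "pasv_enable", "pasv_min_port",
    "pasv_max_port", "anon_max_rate", "local_max_rate", "tcp_wrappers",
    "xferlog_enable", "user_config_dir", "setproctitle_enable", "local_enable",
    "dirmessage_enable", "hide_ids", "ls_recurse_enable",
}
SETTING = re.compile(r"^([^=]*)=(.*)$")


def parse_vsftpd_conf(text):
    """Return (settings, errors); a later line overrides an earlier one, as in vsftpd."""
    settings, errors = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue                                   # blank lines and comments are ignored
        m = SETTING.match(raw)
        if not m:
            errors.append(f"line {no}: not of the form option=value")
            continue
        key, value = m.groups()
        if key != key.strip() or value != value.strip():
            errors.append(f"line {no}: whitespace around '=' is not accepted")
        elif key not in KNOWN:
            errors.append(f"line {no}: unrecognised variable {key!r} (names are lowercase)")
        else:                                          # YES/NO values are case-insensitive
            settings[key] = value.upper() if value.upper() in ("YES", "NO") else value
    return settings, errors


def audit(settings):
    """Findings a reviewer would raise; when a key is absent, vsftpd's default applies."""
    get, findings = settings.get, []
    if get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous login enabled; set anonymous_enable=NO unless required")
        if get("anon_max_rate", "0") == "0":
            findings.append("no anonymous rate limit (anon_max_rate=0)")
        if get("anon_upload_enable", "NO") == "YES" and get("chown_uploads", "NO") != "YES":
            findings.append("anonymous uploads stay owned by ftp; consider chown_uploads=YES")
    confined = "YES" in (get("chroot_local_user", "NO"), get("chroot_list_enable", "NO"))
    if get("local_enable", "YES") == "YES" and not confined:
        findings.append("local users may cd above their home; use chroot_local_user or chroot_list_enable")
    if get("pasv_enable", "YES") == "YES":
        lo, hi = int(get("pasv_min_port", "0")), int(get("pasv_max_port", "0"))
        if lo == 0 or hi == 0:
            findings.append("PASV data ports unbounded (0 = any); set pasv_min_port/pasv_max_port")
        elif lo > hi:
            findings.append("pasv_min_port is greater than pasv_max_port")
    return findings


# Constructed samples: the first shows the two format mistakes that creep in when the
# examples are copied (capitalised name, spaces around '='); the second is the clean form.
SAMPLE_BAD = "# constructed\nAnonymous_enable=no\nlisten_port = 2121\nchroot_list_enable=yes\n"
SAMPLE_GOOD = ("anonymous_enable=NO\nlisten_port=2121\nchroot_list_enable=YES\n"
               "chroot_list_file=/etc/vsftpd/chroot_list\npasv_enable=YES\n"
               "pasv_min_port=9981\npasv_max_port=9986\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_GOOD):
        settings, errors = parse_vsftpd_conf(sample)
        print(errors, audit(settings))
```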
=== ASCII settings =====================
ascii_download_enable
Controls whether ASCII mode may be used for downloads. The default value is NO.
ascii_upload_enable
Controls whether ASCII mode may be used for uploads. The default value is NO.
=== Individual user settings ===================
chroot_list_enable
If enabled, the local users listed in /etc/vsftpd.chroot_list are confined (chroot) to their home directory after login and cannot change to directories above it. If chroot_local_user is also YES, the list instead names the users who are exempt from the confinement. The default value is NO.
userlist_enable
Usage: YES/NO
If enabled, the user names in /etc/vsftpd.user_list are read and checked at login, and a refused user receives the failure message before the password is requested, so the password is never checked. The default value is NO.
userlist_deny
Usage: YES/NO
This option is only checked when userlist_enable is YES. If set to YES, the users in /etc/vsftpd.user_list are not allowed to log in; if set to NO, only the users in /etc/vsftpd.user_list may log in. In either case the refusal is issued before the password is requested, so the password is never checked.
user_config_dir
Defines the directory holding per-user settings. For example, with user_config_dir=/etc/vsftpd/userconf and users test1 and test2 on the host, we create files named test1 and test2 in that directory; when test1 logs in, the settings in the file test1 under user_config_dir are read. The default value is none.
=== Welcome message settings =====================
dirmessage_enable
If enabled, the first time a user enters a directory vsftpd checks for a .message file there and, if present, displays its contents, usually a welcome message or a description of the directory. The default value is YES.
banner_file
The contents of this file are displayed when the user logs in, usually a welcome message or a description. The default value is none.
ftpd_banner
Here the welcome message can be given directly as a string, whereas banner_file takes it from a file. The default is none.
=== Special security settings ====================
chroot_local_user
If set to YES, all local users are confined to their home directory after login and cannot change to directories above it. The default value is NO.
hide_ids
If enabled, every file is shown as owned by user ftp and group ftp; that is, when a logged-in user runs ls -al or similar commands, the owner and group displayed are ftp. The default value is NO.
ls_recurse_enable
If enabled, logged-in users may use the ls -R command. The default value is NO.
write_enable
Usage: YES/NO
This option controls whether the FTP commands that change the file system are allowed, such as STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. The default is NO.
setproctitle_enable
Usage: YES/NO
If enabled, vsftpd labels each connection's process with its state, so that commands such as ps -ef show who is connected and what they are doing. The default value is NO.
tcp_wrappers
Usage: YES/NO
If enabled, vsftpd is combined with the TCP wrapper, which means the source addresses that may or may not connect can be defined in /etc/hosts.allow and /etc/hosts.deny.
pam_service_name
Defines the PAM service name used; the default is vsftpd.
secure_chroot_dir
This option must name an empty directory that no login user may write to; vsftpd confines itself to this directory whenever it does not need access to the file system. The default value is /usr/share/empty.
=== Log file settings =====================
xferlog_enable
Usage: YES/NO
If enabled, all uploads and downloads are recorded in the file defined by xferlog_file below. The default is YES.
xferlog_file
Sets the location of the log file; the default value is /var/log/vsftpd.log.
xferlog_std_format
If enabled, the log file is written in the standard xferlog format used by wu-ftpd. The default value is NO.
=== Timeout settings ======================
accept_timeout
Timeout, in seconds, for accepting an incoming data connection. The default value is 60.
connect_timeout
Timeout, in seconds, for a PORT-mode client to respond to the data connection. The default value is 60.
data_connection_timeout
Maximum time, in seconds, that a data transfer may stall before it is dropped. The default value is 300.
idle_session_timeout
Idle timeout, in seconds: if no data transfer or command is seen for longer than this, the client is forcibly disconnected. The default value is 300.
=== Rate limits ======================
anon_max_rate
The maximum transfer rate for anonymous logins, in bytes per second; 0 means unlimited. The default value is 0.
local_max_rate
The maximum transfer rate for local users, in bytes per second; 0 means unlimited. The default value is 0.
=== New file permission settings ==================
anon_umask
The umask applied to files created by anonymous logins. The default value is 077.
file_open_mode
The permissions given to uploaded files, in the same form as used by chmod. The default value is 0666.
local_umask
The umask applied to files created by local users. The default value is 077.
=== Port settings ======================
connect_from_port_20
Usage: YES/NO
If set to YES, PORT-mode data connections are forced to originate from port 20 (ftp-data). The default value is YES.
ftp_data_port
Sets the port used for the FTP data connection. The default value is 20.
listen_port
The port the FTP server listens on. The default value is 21.
pasv_max_port
The upper bound of the port range that may be used for PASV data connections; 0 means any port. The default value is 0.
pasv_min_port
The lower bound of the port range that may be used for PASV data connections; 0 means any port. The default value is 0.
=== Other ========================
anon_root
The directory that anonymous logins are placed in. The default value is none.
local_enable
Usage: YES/NO
Enabling this allows local users to log in. The default value is YES.
local_root
Local users are placed in the defined directory after login instead of their home directory. The default value is none.
text_userdb_names
Usage: YES/NO
When a logged-in user queries file ownership with a command such as ls -al, the owner is shown by default as a numeric UID rather than a name. Enable this option to show the owner's name instead. The default value is NO.
pasv_enable
If set to NO, PASV mode may not be used to establish data connections. The default value is YES.
=== Changing file ownership ===================
chown_uploads
Usage: YES/NO
If enabled, the owner of every anonymously uploaded file is changed to the user set in chown_username. This option is useful for security and administration. The default value is NO.
chown_username
Defines the user who becomes the owner of files uploaded by anonymous logins. The default value is root.
=== Guest settings =====================
guest_enable
Usage: YES/NO
If enabled, all non-anonymous logins are treated as guests. The default value is NO.
guest_username
Defines the local user name that guests are mapped to. The default value is ftp.
=== Anonymous settings ==================
anonymous_enable
Usage: YES/NO
Controls whether anonymous login is allowed: YES allows it, NO forbids it. The default value is YES.
no_anon_password
If enabled, anonymous logins are not asked for a password. The default value is NO.
anon_mkdir_write_enable
Usage: YES/NO
If set to YES, anonymous users may create new directories; of course the anonymous user must also have write permission on the parent directory. The default value is NO.
anon_other_write_enable
Usage: YES/NO
If set to YES, anonymous users are allowed write operations other than uploading and creating directories, such as deleting or renaming. The default value is NO.
anon_upload_enable
Usage: YES/NO
If set to YES, anonymous users may upload files; of course the anonymous user must also have write permission on the target directory. The default value is NO.
anon_world_readable_only
Usage: YES/NO
If set to YES, anonymous users may only download files that are world-readable. The default value is YES.
ftp_username
Defines the local user that anonymous logins run as. The default value is ftp.
deny_email_enable
If enabled, you must provide the file /etc/vsftpd.banned_emails containing e-mail addresses, one per line. Anonymous logins are asked for an e-mail address as the password; if the address given appears in this file, the login is refused. The default value is NO.
=== Standalone options ==================
listen
Usage: YES/NO
If enabled, vsftpd runs standalone. It must be YES when vsftpd runs on its own, as RedHat 9 does by default, and must be NO when vsftpd is run from xinetd, as in RedHat 8. The RedHat 9 default is YES.
listen_address
When vsftpd runs standalone, this defines the IP address on which the service is provided. If the host has a single IP address the option is unnecessary; with several addresses it selects the one that offers FTP. If unset, the service is offered on all addresses. The default value is none.
max_clients
When vsftpd runs standalone, this defines the maximum total number of simultaneous connections; further connections are refused. 0 means unlimited. The default value is 0.
max_per_ip
When vsftpd runs standalone, this defines the maximum number of simultaneous connections from a single IP address; further connections from that address are refused. 0 means unlimited. The default value is 0.
=============================
3.2.4 Meaning of the FTP reply codes
110 Restart marker reply.
120 Service ready in the stated number of minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open the data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 System type.
220 Service ready for new user.
221 Service closing the control connection; the user may log off.
225 Data connection open; no transfer in progress.
226 Closing the data connection; the requested file action was successful.
227 Entering passive mode.
230 User logged in, proceed.
250 Requested file action okay, completed.
257 Pathname created (also used to report the current path name).
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Service not available, closing the control connection.
425 Can't open the data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken.
451 Requested action aborted: local error in processing.
452 Requested action not taken: insufficient storage space.
500 Syntax error, command unrecognized.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken (file unavailable).
551 Requested action aborted: page type unknown.
552 Requested file action aborted: exceeded storage allocation.
553 Requested action not taken: file name not allowed.
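The 230- and 250- prefixes in 3.2.5 and the table above are the two halves of the FTP reply format: a three-digit code, then a hyphen on the opening and intermediate lines of a multi-line reply, or a space on the single line, or final line, that ends it. The following Python parser is an added example, not part of the original tutorial; the trace it works on is constructed from the 3.2.5 output, completed with closing lines and a failed login so that it can be classified with the code table.

```python
"""Group FTP control-channel lines into replies and classify them by code."""
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Meaning of the first digit (RFC 959): what the client may do next.
CLASS = {"1": "positive preliminary", "2": "positive completion",
         "3": "positive intermediate", "4": "transient negative",
         "5": "permanent negative"}

# A few entries from the code table above, enough to label the sample.
MEANING = {"220": "service ready", "230": "user logged in", "250": "file action completed",
           "227": "entering passive mode", "331": "password required",
           "530": "not logged in", "550": "action not taken"}


def parse_replies(lines):
    """Return [(code, [text...])]. A reply is one 'NNN text' line, or 'NNN-text' lines
    (plus free-form continuation lines) ending with a line 'NNN text' of the same code."""
    replies, code, text = [], None, []
    for raw in lines:
        m = REPLY_LINE.match(raw)
        if m and (code is None or m.group(1) == code):
            this, sep, body = m.groups()
            code = this
            text.append(body)
            if sep == " ":                       # 'NNN ' terminates the reply
                replies.append((code, text))
                code, text = None, []
        elif code is None:
            raise ValueError(f"line outside any reply: {raw!r}")
        else:
            text.append(raw)                     # continuation line inside a multi-line reply
    if code is not None:
        raise ValueError(f"reply {code} was never closed by a '{code} ' line")
    return replies


def describe(code):
    """For example '230 positive completion: user logged in'."""
    return f"{code} {CLASS.get(code[0], 'unknown class')}: {MEANING.get(code, 'see code table')}"


def failed_logins(replies):
    """Count 530 replies, the signal to alert on when watching a control-channel trace."""
    return sum(1 for code, _ in replies if code == "530")


# Constructed trace: the 230-/250- .message output shown in 3.2.5, completed with the
# closing lines a server sends, followed by a failed login attempt.
SAMPLE = [
    "230-Hello~ Welcome to the home directory", "230-", "230-This is to test only ...", "230-",
    "230 Login successful.",
    "250-Welcome to ABC's directory", "250-", "250-This is subdir ...",
    "250 Directory successfully changed.",
    "530 Login incorrect.",
]

if __name__ == "__main__":
    for code, text in parse_replies(SAMPLE):
        print(describe(code), text)
    print("failed logins:", failed_logins(parse_replies(SAMPLE)))
```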