vsftpd configuration file in Linux


vsftpd.conf is the configuration file of vsftpd and controls how the daemon behaves. By default it is located at /etc/vsftpd.conf.
However, you can point vsftpd at a different file by passing its path on the command line. This is useful when you want to use advanced inetd features such as xinetd to launch vsftpd with different configuration files on a machine with multiple virtual hosts.
Format
The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with # and are ignored. A directive line has the form:
option=value
It is important that there are no spaces between the option name, the = and the value.
Each configuration item occupies its own line, and every option has a built-in default that the configuration file may override.
Boolean options
The value of a boolean option is either YES or NO.
allow_anon_ssl
Only applies if ssl_enable is activated. If set to YES, anonymous users are allowed to use secure SSL connections.
Default Value: NO
anon_mkdir_write_enable
If set to YES, anonymous users are allowed to create new directories under certain conditions. For this to take effect, write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.
Default Value: NO
anon_other_write_enable
If set to YES, anonymous users are granted broader write permissions such as deleting and renaming. This is generally not recommended unless you really want to grant full write access. You can also narrow it with cmds_allowed, for example to permit only the commands needed for resumed transfers.
Default Value: NO
anon_upload_enable
If set to YES, anonymous users are allowed to upload files under certain conditions. For this to take effect, write_enable must be activated, and the anonymous ftp user must have write permission on the target directory.
Default Value: NO
anon_world_readable_only
When enabled, anonymous users may only download files that are world-readable. This recognises that the ftp user may own files, especially where uploads are allowed.
Default Value: YES
anonymous_enable
Controls whether anonymous logins are permitted. If YES, both "ftp" and "anonymous" are recognised as anonymous logins and allowed in.
Default Value: YES
ascii_download_enable
When enabled, ASCII mode transfers are honoured on downloads.
Default Value: NO
ascii_upload_enable
When enabled, ASCII mode transfers are honoured on uploads.
Default Value: NO
async_abor_enable
When enabled, a special FTP command known as "async ABOR" is allowed. Only ill-advised FTP clients use this, and the feature is awkward to handle, so it is disabled by default. However, some clients hang when cancelling a transfer unless this feature is available (daidong note: presumably the client stops responding), so you may need to enable it to avoid that.
Default Value: NO
background
When enabled, and vsftpd is started in "listen" mode (daidong note: standalone mode), vsftpd puts the listener process in the background, so control returns immediately to the shell that launched it.
Default Value: NO
check_shell
Note: this option only applies to non-PAM builds of vsftpd. If disabled, vsftpd does not check /etc/shells to determine whether a local login user has a valid shell.
Default Value: YES
chmod_enable
When enabled, the SITE CHMOD command is allowed. Note: this only applies to local users; anonymous users cannot use SITE CHMOD.
Default Value: YES
chown_uploads
If enabled, all files uploaded by anonymous users are given the owner specified in chown_username. This is useful for administration and may also help security.
Default Value: NO
chroot_list_enable
If activated, you must supply a list of local users who are placed in a chroot() jail in their home directory after login (daidong note: after logging in, PWD shows the current directory as "/", which is the virtual root, that is the FTP root directory, not the root of the server's file system). The meaning changes slightly if chroot_local_user is set to YES:
in that case the users in the list are NOT placed in the chroot() jail.
By default the list file is /etc/vsftpd.chroot_list, but you can change this with chroot_list_file.
Default Value: NO
chroot_local_user
If set to YES, local users are (by default) placed in a chroot() jail in their home directory after login.
Warning:
This option has security implications, especially if the users have upload permission or shell access. Only enable it if you know what you are doing.
Note: this security concern is not specific to vsftpd; it applies to all FTP daemons that offer to chroot users into their home directory.
Default Value: NO


connect_from_port_20
This controls whether PORT-style data connections use port 20 (ftp-data) on the server. For security reasons, some clients may insist on this. Conversely, disabling this option lets vsftpd run with slightly less privilege.
Default Value: NO (but the sample configuration file enables it, i.e. YES)
deny_email_enable
If activated, you can supply a list of anonymous password responses (daidong note: anonymous users conventionally give an e-mail address as the password) that cause the login to be denied.
By default the list file is /etc/vsftpd.banned_emails, but you can change this with banned_email_file.
Default Value: NO
dirlist_enable
If set to NO, all directory list commands (daidong note: such as LS) get a "Permission denied" response.
Default Value: YES
dirmessage_enable
If enabled, users of the FTP server are shown a message when they first enter a new directory. By default a file named .message in that directory is searched for, but you can
change this with message_file.
Default Value: NO (but the sample configuration file enables it)
download_enable
If set to NO, all download requests get a "Permission denied" response.
Default Value: YES
dual_log_enable
If enabled, two log files are generated in parallel, by default /var/log/xferlog and /var/log/vsftpd.log. The former is in wu-ftpd format and can be parsed by standard tools;
the latter is vsftpd's own log format.
Default Value: NO
force_dot_files
If activated, files and directories starting with . are shown in directory listings even when the client does not use the "a" flag. However, "." and ".." are not shown (daidong note: in Linux,
"." and ".." are the current and parent directory, which are not displayed).
Default Value: NO
force_local_data_ssl
Only applies if ssl_enable is activated. If enabled, all non-anonymous logins are forced to use a secure SSL connection to send and receive data on data connections.
Default Value: YES
force_local_logins_ssl
Only applies if ssl_enable is activated. If enabled, all non-anonymous logins are forced to use a secure SSL connection to send the password.
Default Value: YES
guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins and are mapped to the user specified in guest_username.
Default Value: NO
hide_ids
If enabled, all user and group information in directory listings is displayed as "ftp".
Default Value: NO
listen
If enabled, vsftpd runs in standalone mode, that is, it is started directly rather than by inetd or a similar launcher,
and vsftpd itself listens for and handles incoming connections.
Default Value: NO
listen_ipv6
Like the listen parameter, except that when enabled vsftpd listens on an IPv6 socket instead of an IPv4 one. This setting and the listen setting are mutually exclusive.
Default Value: NO
local_enable
Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd may be used to log in.
Default Value: NO
log_ftp_protocol
When enabled, all FTP requests and responses are logged, provided that xferlog_std_format is not enabled. This is useful for debugging.
Default Value: NO
ls_recurse_enable
When enabled, "ls -R" is allowed. This is a minor security risk, because on a large site the command used at the top level of the tree consumes a lot of resources.
Default Value: NO
no_anon_password
If enabled, vsftpd does not ask anonymous users for a password; they are logged in directly.
Default Value: NO
no_log_lock
When enabled, vsftpd does not take a file lock when writing to log files. This option is not generally recommended. It exists to work around operating system bugs in some environments, such as the Solaris/Veritas filesystem combination,
where attempts to lock the log file have sometimes been observed to hang (no response). (daidong note: I am not very familiar with this, so the translation may not be close to the original intention. Original text: it exists to workaround
operating system bugs such as the Solaris/Veritas filesystem combination
which has been observed to sometimes exhibit hangs trying to lock log files.)
Default Value: NO
one_process_model
If you have a Linux 2.4 kernel, it is possible to use a different security model that uses only one process per connection. It is a less strict security model, but it gains performance. Only enable it if you know what you are doing, and
your site must support a very large number of simultaneously connected users.
Default Value: NO


passwd_chroot_enable (daidong note: read this section yourself, speechless ...)
If enabled, together with chroot_local_user, a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. An occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.
Default Value: NO
pasv_enable
Set to NO if you want to disallow the PASV method of obtaining a data connection.
Default Value: YES
pasv_promiscuous
Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable it if you know what you are doing (daidong note: the original says exactly that: only enable it when you know what you are doing!).
The only reasonable uses are in some secure tunnelling setups, or perhaps for better FXP support.
Default Value: NO
port_enable
Set to NO if you want to disallow the PORT method of obtaining a data connection.
Default Value: YES
port_promiscuous
Set to YES if you want to disable the PORT security check that ensures outgoing data connections can only connect to the client. Only enable it if you know what you are doing!
Default Value: NO
run_as_launching_user
Set to YES if you want vsftpd to run as the user that launched it. This is useful where root access is not available (daidong note: not that root has no permission to start vsftpd,
but that, for example because of security restrictions, vsftpd cannot be started directly as root). Strong warning!! Do not enable this option unless you fully understand what you are doing (daidong note: speechless ....)!!! Enabling it carelessly leads to
very serious security problems, especially because vsftpd then does not or cannot use chroot() to restrict file access (even if vsftpd is started as root). A poor alternative is to set deny_file to something like {/*, *... *},
but its robustness cannot compare to chroot().
If this option is enabled, restrictions apply to other options. For example, changing the ownership of uploaded files for non-anonymous logins will not work, and neither will connecting from port 20 or listening on ports below 1024. Other options may also be affected.
Default Value: NO
secure_email_list_enable
Enable this if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is useful as a low-security way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are denied unless
the password provided is listed in the file specified by email_password_file. The file format is one password per line, with no extra whitespace (daidong note: "whitespace", translated as space, I am not sure whether that is correct).
The default file name is /etc/vsftpd.email_passwords.
Default Value: NO
session_support
This controls whether vsftpd attempts to maintain sessions for logins. If vsftpd maintains sessions, it tries to update utmp and wtmp. It also opens a PAM session (pam_session) and does not close it until logout, if PAM is used for authentication.
If you do not need session logging, or want vsftpd to run with fewer processes and/or less privilege, you can disable this option.
Note: utmp and wtmp support is only provided with PAM-enabled builds.
Default Value: NO
setproctitle_enable
If enabled, vsftpd displays session status information in the system process listing; in other words, the process name is changed to reflect what the vsftpd session is doing (idle, downloading, and so on). You may want to disable this for security purposes.
Default Value: NO
ssl_enable
If enabled, and vsftpd was compiled against OpenSSL, vsftpd supports secure connections via SSL. This applies to the control connection (including login) and also to data connections. Your client must have SSL support too.
Note: enable this option with caution; vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are stating that you trust the security of your installed OpenSSL library.
Default Value: NO
ssl_sslv2
Only applies if ssl_enable is activated. If enabled, this option permits SSL v2 protocol connections. TLS v1 connections are preferred.
Default Value: NO
ssl_sslv3
Only applies if ssl_enable is activated. If enabled, this option permits SSL v3 protocol connections. TLS v1 connections are preferred.
Default Value: NO
ssl_tlsv1
Only applies if ssl_enable is activated. If enabled, this option permits TLS v1 protocol connections. TLS v1 connections are preferred.
Default Value: YES
syslog_enable
If enabled, any log output that would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.
Default Value: NO
tcp_wrappers
If enabled, and vsftpd was compiled with tcp_wrappers support, incoming connections are fed through tcp_wrappers access control. Furthermore, if tcp_wrappers sets
the VSFTPD_LOAD_CONF environment variable, vsftpd tries to load the configuration file specified by that variable.
Default Value: NO
text_userdb_names
By default, numeric IDs are shown in the user and group fields of directory listings. You can enable this parameter to have text names shown instead. It is disabled by default
for performance reasons.
Default Value: NO
tilde_user_enable
If enabled, vsftpd tries to resolve pathnames such as ~chris/pics, i.e. a "~" (tilde) followed by a username. Note that vsftpd always resolves the pathnames "~" and "~/something" (here ~ resolves to the initial login directory).
~user paths are only resolved if the file /etc/passwd can be found inside the current chroot() jail.
Default Value: NO
use_localtime
If enabled, vsftpd displays directory listings with the time in your local time zone. The default is to display GMT (Greenwich Mean Time). The times returned by the MDTM FTP command are also affected by this option.
Default Value: NO
use_sendfile
An internal setting used for testing the relative benefit of using the sendfile() system call on your platform.
Default Value: YES


userlist_deny
This option is only examined if userlist_enable is activated. If you set it to NO, only users explicitly listed in userlist_file may log in.
If a login is denied, the user is rejected before being asked for a password.
Default Value: YES
userlist_enable
If enabled, vsftpd loads the list of usernames from userlist_file. If a user tries to log in with a name in that file, they are rejected before being asked for a password.
This prevents a cleartext password from being transmitted. See also userlist_deny.
Default Value: NO
virtual_use_local_privs
If enabled, virtual users have the same privileges as local users. By default, virtual users have the same privileges as anonymous users, which tend to be more restrictive (especially for write access).
Default Value: NO
write_enable
This controls whether any FTP commands that change the file system are allowed. These commands are STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
Default Value: NO
xferlog_enable
If enabled, a log file is maintained detailing uploads and downloads. By default this file is /var/log/vsftpd.log, but you can change the location with vsftpd_log_file.
Default Value: NO (but the sample configuration file enables it)
xferlog_std_format
If enabled, the transfer log is written in standard xferlog format (as used by wu-ftpd), so that existing statistics tools can analyse it. The default format is more readable, however. By default the log file is /var/log/xferlog,
but you can change this with xferlog_file.
Default Value: NO
Numeric options
The following are numeric configuration items. They must be set to non-negative integers. To facilitate umask settings, octal values are accepted; in that case the number must start with 0.
accept_timeout
The timeout, in seconds, for a remote client to establish a PASV-style data connection.
Default Value: 60
anon_max_rate
The maximum data transfer rate permitted for anonymous users, in bytes per second.
Default Value: 0 (unlimited)
anon_umask
The umask applied to files created by anonymous users. Note: if you want to specify an octal value, remember the leading 0, otherwise the value is treated as decimal.
Default Value: 077
connect_timeout
The timeout, in seconds, for a remote client to respond to a PORT-style data connection.
Default Value: 60
data_connection_timeout
The timeout, in seconds, which is roughly the maximum time a data transfer may stall. Once the timeout expires, the remote client is disconnected.
Default Value: 300
file_open_mode
The permissions with which uploaded files are created. The umask is applied on top of this value. You may want to change it to 0777 if uploaded files should be executable.
Default Value: 0666
ftp_data_port
The port from which PORT-style data connections originate (as long as connect_from_port_20 is activated).
Default Value: 20
idle_session_timeout
The timeout, in seconds, which is the maximum time a remote client may spend between FTP commands. Once the timeout expires, the remote client is disconnected.
Default Value: 300
listen_port
If vsftpd is in standalone mode, this is the port on which it listens for incoming FTP connections.
Default Value: 21
local_max_rate
The maximum data transfer rate permitted for local authenticated users, in bytes per second.
Default Value: 0 (unlimited)
local_umask
The umask applied to files created by local users. Note: if you want to specify an octal value, remember the leading 0, otherwise the value is treated as decimal.
Default Value: 077
max_clients
If vsftpd is in standalone mode, this is the maximum number of clients that may connect. Any additional clients get an error message.
Default Value: 0 (unlimited)
max_per_ip
If vsftpd is in standalone mode, this is the maximum number of clients that may connect from the same source IP address. A client exceeding this limit gets an error message.
Default Value: 0 (unlimited)
pasv_max_port
The maximum port to allocate for PASV-style data connections. Can be used to specify a narrow port range to assist firewalling.
Default Value: 0 (use any port)
pasv_min_port
The minimum port to allocate for PASV-style data connections. Can be used to specify a narrow port range to assist firewalling.
Default Value: 0 (use any port)
trans_chunk_size
You generally do not need to change this setting, but you can try 8192 for a much smoother bandwidth limiter.
Default Value: 0 (let vsftpd pick a sensible value)
String options
The following are string configuration items.
anon_root
A directory which vsftpd tries to change into after an anonymous login. Failure is silently ignored.
Default Value: None
banned_email_file
If deny_email_enable is active, this file lists the anonymous e-mail passwords that are not permitted to log in.
Default Value: /etc/vsftpd.banned_emails
banner_file
A file containing text to display when a user connects. If set, it overrides ftpd_banner.
Default Value: None
chown_username
The user to whom ownership of anonymously uploaded files is given. See chown_uploads.
Default Value: root


chroot_list_file
The file containing the list of local users who are placed in a chroot() jail in their home directory after login. This requires chroot_list_enable to be activated.
If chroot_local_user is also enabled, the list instead becomes a list of users who are NOT placed in a chroot() jail.
Default Value: /etc/vsftpd.chroot_list
cmds_allowed
A comma-separated list of FTP commands that are allowed after login (USER, PASS and QUIT are always allowed).
All other commands are rejected. This is a powerful way to lock down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT (only file retrieval is allowed)
cmds_allowed=ABOR,APPE,CWD,CDUP,FEAT,LIST,MKD,MDTM,PASS,PASV,PWD,QUIT,RETR,REST,STOR,STRU,TYPE,USER (supports resumable uploads and downloads).
Reference for the raw FTP commands: http://www.nsftools.com/tips/RawFTP.htm
Default Value: None
deny_file
This option lets you specify file names or directory names that are denied access under all circumstances. The files are not hidden; any operation on them (download, changing into the directory,
and other affected operations) is refused. This option is very simple and should not be used for serious access control: file system permissions should be used in preference. However, it is useful for certain virtual user setups.
In particular, if a file is accessible under multiple names (possibly through symbolic or hard links), all of those names must be denied.
We recommend that you rely on file system permissions for important security policy. Example: deny_file={*.mp3,*.mov,.private}
Default Value: None
dsa_cert_file
This option specifies the location of the DSA certificate to use for SSL encrypted connections.
Default Value: None (an RSA certificate suffices)
email_password_file
If secure_email_list_enable is set, this option provides an alternative file for the list of accepted e-mail passwords.
Default Value: /etc/vsftpd.email_passwords
ftp_username
The name of the user used for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area.
Default Value: ftp
ftpd_banner
The greeting banner displayed when a connection first arrives.
Default Value: None (the default vsftpd banner is displayed)
guest_username
See the description of guest_enable. This option sets the real username that guest logins are mapped to.
Default Value: ftp
hide_file
A list of file names or directory names to hide from directory listings regardless of any hidden attribute. However, if a user knows such a file exists,
it can still be accessed fully. Items named in hide_file, and items matching the pattern expressions in hide_file, are hidden. vsftpd's
pattern expressions are simple, for example hide_file={*.mp3,.hidden,hide*,h?}
Default Value: None
listen_address
If vsftpd is in standalone mode, the default listening address (of all local interfaces) may be overridden by this setting.
A numeric IP address is required.
Default Value: None
listen_address6
If vsftpd is in standalone mode, this specifies the address to listen on for IPv6 (if listen_ipv6 is enabled).
A numeric IPv6 address is required.
Default Value: None
local_root
A directory which vsftpd tries to change into after a local (non-anonymous) login. Failure is silently ignored.
Default Value: None
message_file
The name of the file looked for when a new directory is entered; its contents are displayed to the remote user. dirmessage_enable must be activated.
Default Value: .message
nopriv_user
The name of the user vsftpd runs as when it wants to be totally unprivileged. This should be a dedicated user rather than nobody, because nobody tends to be used for a lot of important things on most machines.
Default Value: nobody
pam_service_name
The name of the PAM service vsftpd uses.
Default Value: ftp
pasv_address
The address vsftpd advertises in response to the PASV command. A numeric IP address is required.
Default Value: None (the address is taken from the incoming connected socket)
rsa_cert_file
This option specifies the location of the RSA certificate to use for SSL encrypted connections.
Default Value: /usr/share/ssl/certs/vsftpd.pem
secure_chroot_dir
This option specifies an empty directory that is not writable by the ftp user. It is used as a secure chroot() jail when vsftpd does not need file system access.
Default Value: /usr/share/empty
ssl_ciphers
This option selects the SSL cipher suites vsftpd allows for encrypted SSL connections. See the ciphers documentation for details.
Default Value: DES-CBC3-SHA


user_config_dir
This powerful option lets you override any of the configuration options described here on a per-user basis. It is easiest to explain with an example: if you set user_config_dir
to /etc/vsftpd_user_conf and then log in as chris, vsftpd applies the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session.
Default Value: None
user_sub_token
This option lets you generate home directories for virtual users based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER,
and user_sub_token is set to $USER, then the virtual user fred is locked in /home/virtual/fred after login.
Default Value: None
userlist_file
The file loaded when userlist_enable is activated.
Default Value: /etc/vsftpd.user_list
vsftpd_log_file
This option only applies if xferlog_enable is set and xferlog_std_format is NOT set. It is the name of the file to which the vsftpd-format log is written.
Alternatively, it is the vsftpd-format log file used when dual_log_enable is set. If syslog_enable is set, this file is not written and output goes to the system log instead.
Default Value: /var/log/vsftpd.log
xferlog_file
This option sets the name of the file to which the wu-ftpd-style transfer log is written. It only applies if xferlog_enable and xferlog_std_format are both set,
or alternatively if dual_log_enable is set.
Default Value: /var/log/xferlog
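The format rule and the option warnings above, as an added audit script (not vsftpd's own code): it parses a vsftpd.conf, checks the boolean and numeric value types, applies the built-in defaults for absent options, and flags the risky combinations this reference warns about. Both sample configurations embedded in it are constructed for the example.

```python
"""Audit a vsftpd.conf for the risky settings this reference warns about.
Added example, not vsftpd project code; both sample configs are constructed."""
import re

DEFAULTS = {  # built-in defaults (from the reference) for the options consulted
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "ssl_enable": "NO", "ssl_sslv2": "NO",
    "ssl_sslv3": "NO", "ssl_tlsv1": "YES", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "run_as_launching_user": "NO",
    "chroot_local_user": "NO",
}
BOOL_KEYS = set(DEFAULTS)
NUM_KEYS = {"anon_umask", "local_umask", "max_clients", "max_per_ip",
            "listen_port", "pasv_min_port", "pasv_max_port"}
LINE_RE = re.compile(r"^([a-z0-9_]+)=(.*)$")  # key=value, no spaces around '='


def parse(text):
    """Parse vsftpd.conf text into (settings, errors): '#' lines are comments,
    every other line must be key=value with no spaces and a lowercase key."""
    settings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {n}: not 'key=value' without spaces: {line!r}")
            continue
        key, val = m.groups()
        if key in BOOL_KEYS and val.upper() not in ("YES", "NO"):
            errors.append(f"line {n}: {key} must be YES or NO, got {val!r}")
        elif key in NUM_KEYS and not val.isdigit():
            errors.append(f"line {n}: {key} must be a non-negative integer")
        settings[key] = val
    return settings, errors


def audit(text):
    """Return the findings for one config as a list of strings; [] = clean."""
    settings, findings = parse(text)[0], []

    def on(key):  # value in force: explicit setting, else the built-in default
        return settings.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"

    if "anonymous_enable" not in settings:
        findings.append("anonymous_enable is unset and defaults to YES")
    if on("anonymous_enable") and on("write_enable") and any(on(k) for k in (
            "anon_upload_enable", "anon_mkdir_write_enable",
            "anon_other_write_enable")):
        findings.append("anonymous users are granted write access")
    if on("run_as_launching_user"):
        findings.append("run_as_launching_user=YES defeats chroot() protection")
    if on("pasv_promiscuous") or on("port_promiscuous"):
        findings.append("data-connection address checks are disabled")
    if on("ssl_enable") and (on("ssl_sslv2") or on("ssl_sslv3")):
        findings.append("obsolete SSLv2/SSLv3 accepted alongside TLSv1")
    if on("local_enable") and not on("ssl_enable"):
        findings.append("local logins send passwords in cleartext (ssl_enable=NO)")
    if on("chroot_local_user") and on("write_enable"):
        findings.append("chroot_local_user with write_enable: see the chroot warning")
    for key in ("anon_umask", "local_umask"):  # 22 is decimal, 022 is octal
        if key in settings and not settings[key].startswith("0"):
            findings.append(f"{key}={settings[key]} lacks the leading 0 for octal")
    return findings


WEAK_CONF = """\
# constructed example of a weak vsftpd.conf
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
ssl_enable=YES
ssl_sslv3=YES
pasv_promiscuous=YES
run_as_launching_user=YES
local_umask=22
"""

HARDENED_CONF = """\
# constructed: the same server with the weak settings corrected
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
ssl_enable=YES
ssl_sslv3=NO
force_local_logins_ssl=YES
"""
```

Running audit(WEAK_CONF) reports five findings, while audit(HARDENED_CONF) reports none.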
==========================================
Meaning of FTP reply codes
110 Restart marker reply.
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type.
220 Service ready for new user.
221 Service closing control connection; logged out if appropriate.
225 Data connection open; no transfer in progress.
226 Closing data connection; requested file action successful.
227 Entering passive mode.
230 User logged in, proceed.
250 Requested file action okay, completed.
257 Pathname created (the current path name is displayed).
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Service not available, closing control connection.
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken.
451 Requested action aborted: local error in processing.
452 Requested action not taken: insufficient storage space.
500 Syntax error, command unrecognised.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken.
551 Requested action aborted: page type unknown.
552 Requested file action aborted: exceeded storage allocation.
553 Requested action not taken: file name not allowed.

 

For a detailed walkthrough, see the original post: http://club.topsage.com/thread-1241382-1-2.html
