Outline:
I. vsFTPd overview
II. A practical vsFTPd setup on Enterprise Linux
III. vsFTPd configuration options explained
I. Brief introduction to vsFTPd:
vsFTPd stands for Very Secure FTP Daemon. As the name suggests, security was the starting point of its design, and successive releases have also brought large gains in performance and stability, so it combines good security and performance with reasonable ease of use. Red Hat runs vsFTPd on its own FTP server (ftp.redhat.com).
II. A practical vsFTPd setup on Enterprise Linux
Requirements:
1. User: netseek_com; FTP host: ftp.netseek.com (192.168.0.21; the DNS records are already in place).
2. Anonymous logins are refused, and local users cannot leave their home directory.
3. Port 5021 is the command channel and port 5020 the data channel (these are only an example; change them to whatever ports you want).
4. Passive mode may use ports 10010 to 10020.
5. Each user is limited to 300 KB/s of bandwidth and 300 MB of disk space, with 10 MB of extra headroom allowed during the quota grace period.
Procedure:
To show the whole installation, I set this up on my other host (netseek): I bound 192.168.0.21 as an additional address on the server's interface (192.168.0.20) and configured the matching DNS records; for the details see "Linux all-around web server setup".
1. Configure the service
Start the service:
[root@netseek root]# rpm -qa | grep vsftpd    # check whether the vsftpd package is installed
# /etc/init.d/vsftpd start                    # start the service
# chkconfig vsftpd on                         # start it automatically at boot
Configuration file:
# vi /etc/vsftpd.conf
Refuse anonymous users:
anonymous_enable=YES, change YES to NO
Then append the following at the end of the file:
# New added by netseek
# command channel port; default 21
listen_port=5021
# source port of active-mode data connections; default 20
# (the original used listen_data_port, but vsftpd has no option of that
# name: the data port is ftp_data_port and only applies when
# connect_from_port_20=YES)
connect_from_port_20=YES
ftp_data_port=5020
# allow passive mode and confine its data ports to a small range
# (the requirement above asked for 10010-10020; use those numbers to match it)
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10010
# per-user bandwidth cap in bytes per second: 200000 is about 200 KB/s;
# the 300 KB/s from the requirement would be 300000
local_max_rate=200000
# jail local users inside their home directory
chroot_local_user=YES
# only answer on this address; works only in standalone mode (listen=YES
# in vsftpd.conf, not under xinetd)
listen_address=192.168.0.21
Note: in vsftpd.conf a comment must be on a line of its own beginning with #. A remark appended to a value after ";" becomes part of the value, and spaces around "=" are not tolerated either, so the daemon fails with "500 OOPS" at the next restart. The "# ..." remarks after the shell commands above are explanations for the reader, not part of the commands.
2. Add the FTP user
Add the user netseek_com with /var/www/netseek.com as its home directory and no login shell, so that it can use FTP but cannot log on to the system:
# mkdir -p /var/www/netseek.com
# useradd -s /sbin/nologin -d /var/www/netseek.com netseek_com
-s /sbin/nologin denies interactive logins, and -d sets the home directory to /var/www/netseek.com. FTP still works because vsftpd authenticates through PAM rather than by starting a shell; on Red Hat systems /etc/pam.d/vsftpd uses pam_shells, so check that /sbin/nologin is listed in /etc/shells (it is by default).
# passwd netseek_com
(I set the password to DnHm3ks, from "Do not Hack me 3ks".)
# chown -R netseek_com:netseek_com /var/www/netseek.com
This makes netseek_com the owner and group of the home directory and everything below it.
3. Configure disk quotas
When I installed the system I created several partitions: /home, /var, /, /www, /tmp, swap and /boot. Separate partitions are recommended so that corruption of one partition does not take the rest of the data with it. The quota goes on /var, because that is where the user's home directory lives.
[root@netseek root]# rpm -qa | grep quota
quota-3.06-9    # the quota tools are already installed on my system
# vi /etc/fstab
Find the line for /var, similar to
LABEL=/var    /var    ext3    defaults    1 2
and append ,usrquota to the mount options:
LABEL=/var    /var    ext3    defaults,usrquota    1 2
Remount /var so the new option takes effect:
# mount -o remount /var
# cd /var
# touch quota.user
# chmod 600 quota.user
# quotacheck -mf /var    # scan the partition and build the quota file even though it is mounted
[root@localhost var]# quotacheck -mf /var
quotacheck: WARNING - Quotafile /var/quota.user was probably truncated. Cannot save quota settings...
Restart the system.
This warning appears only on the first run, when quota.user is still empty; it does not come back afterwards.
Set the user's quota:
# edquota netseek_com    # edit the disk quota of user netseek_com
Disk quotas for user netseek_com (uid 501):
  Filesystem    blocks    soft    hard    inodes    soft    hard
  /dev/sda5       6616  307200       0        15       0       0
Notes on the columns:
Filesystem - the file system being configured; do not change or delete it.
blocks - disk space currently in use, in KB.
soft (first) - soft limit on disk space, in KB; 0 (the default) means no limit. I set it to 307200, i.e. 300 MB.
hard (first) - hard limit on disk space, in KB; 0 means no limit. With hard left at 0 the user can keep writing past the soft limit until the grace period (edquota -t) expires, after which the soft limit is enforced. For the 10 MB of headroom from requirement 5, set hard to 317440 (310 MB).
inodes - number of files currently in use.
soft (second) - soft limit on the number of files; 0 means no limit.
hard (second) - hard limit on the number of files; 0 means no limit.
Turn quotas on at boot:
# vi /etc/rc.d/rc.local, and add:
/etc/init.d/vsftpd start
/sbin/quotacheck -avug
/sbin/quotaon -avu
(The vsftpd line is redundant once chkconfig vsftpd on has been run; quotacheck needs -avug to scan every filesystem with quota options in /etc/fstab, since without arguments it only prints its usage.)
Check the space used by netseek_com:
[root@localhost ~]# quota -u netseek_com
Disk quotas for user netseek_com (uid 501):
  Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
  /dev/sda5     6616  307200       0              15       0       0
Note: see the man pages for the other quota commands. As VBird says, we should learn to read the man pages!
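The edquota screen above is interactive, and the requirement of 300 MB plus 10 MB of headroom has to be converted into 1 KB blocks by hand. The following shell functions are an added example, not part of the original article or of the quota tools: they compute the block values, print the equivalent non-interactive setquota command, and classify lines of quota -u output. The sample quota output is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): quota limits in KB blocks and a
# reader for `quota -u` output.

# Soft and hard limits in 1 KB blocks, as edquota/setquota expect them.
# $1 = soft limit in MB, $2 = headroom in MB allowed during the grace period.
quota_limits_kb() {
    soft=$(( $1 * 1024 ))
    hard=$(( ($1 + $2) * 1024 ))
    echo "$soft $hard"
}

# Non-interactive equivalent of the edquota session in the text:
#   setquota -u USER block-soft block-hard inode-soft inode-hard FILESYSTEM
# $1 = user, $2 = soft MB, $3 = headroom MB, $4 = filesystem (mount point or device).
# Inode limits stay at 0 (unlimited), as in the article.
setquota_cmd() {
    set -- "$1" $(quota_limits_kb "$2" "$3") "$4"
    echo "setquota -u $1 $2 $3 0 0 $4"
}

# Classify one filesystem line of `quota -u` output from its first fields:
# $1 = blocks used, $2 = soft limit, $3 = hard limit (0 = none).
# quota marks a blocks figure that is over the soft limit with a trailing '*'.
# Once the grace period expires the soft limit is enforced as well; quota
# shows that in the grace column, which is not inspected here.
quota_state() {
    used=${1%\*}
    if [ "$3" -gt 0 ] && [ "$used" -ge "$3" ]; then
        echo hard-limit-reached        # writes fail now
    elif [ "$2" -gt 0 ] && [ "$used" -gt "$2" ]; then
        echo over-soft-limit           # writes still succeed until the grace period ends
    else
        echo ok
    fi
}

# Read `quota -u USER` output on stdin and print
# "<filesystem> <state> <KB left before the hard limit>" per filesystem.
quota_report() {
    while read -r fs blocks soft hard rest; do
        case "$fs" in
            ''|Disk|Filesystem) continue ;;   # header lines
        esac
        used=${blocks%\*}
        if [ "$hard" -gt 0 ]; then left=$(( hard - used )); else left=unlimited; fi
        echo "$fs $(quota_state "$blocks" "$soft" "$hard") $left"
    done
}

# Constructed sample of `quota -u netseek_com` after the limits above were
# applied and the user went past the soft limit.
sample_quota_output() {
    cat <<'EOF'
Disk quotas for user netseek_com (uid 501):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda5 309000*  307200  317440   6days      15       0       0
EOF
}

# Demo: the command to run instead of edquota, and the state of the sample user.
setquota_cmd netseek_com 300 10 /var
sample_quota_output | quota_report
```

Run it as a script to see the setquota command line for the 300 MB + 10 MB requirement and the report "/dev/sda5 over-soft-limit 8440" for the sample output; the same functions can be fed the real output of quota -u on the server.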
4. Effect demonstration:
III. vsFTPd configuration options explained
1. Anonymous users
anonymous_enable=YES: change YES to NO to refuse anonymous logins.
#anon_mkdir_write_enable=YES: remove the leading # to let anonymous users create directories.
#anon_upload_enable=YES: remove the leading # to let anonymous users upload files. Both of these also need write_enable=YES and a directory that the ftp account can write to.
anon_world_readable_only=YES: anonymous users may only download files that are world-readable. This is already the default; set it to NO only if you deliberately want to serve files that are not world-readable.
anon_other_write_enable=YES: besides uploading and creating directories, anonymous users may rename and delete files. The default is NO, and it should stay NO on anything other than a deliberate drop box.
no_anon_password=NO: change it to YES and anonymous users are not asked for a password (normally their e-mail address) at all.
ftp_username=ftp: the system account that anonymous sessions run as; the default is ftp. Do not point it at a real user, because a misconfiguration here exposes that account's files to anonymous users.
2. FTP service ports
listen_port=8021: the command channel listens on 8021 instead of the default 21.
ftp_data_port=8020: active-mode data connections originate from port 8020 instead of the default 20. This only takes effect together with connect_from_port_20=YES; some tutorials call the option listen_data_port, but vsftpd has no option of that name.
3. Passive mode
pasv_enable=YES: whether passive mode is allowed; the default is YES.
pasv_min_port=10000: lowest port handed out for passive-mode data connections.
pasv_max_port=10004: highest port handed out for passive-mode data connections. Open exactly this range on the firewall, and since each concurrent transfer occupies one port, make the range at least as wide as the number of simultaneous transfers you expect.
4. Server IP address
listen_address=192.168.0.21: bind the FTP service to this address only.
Note: listen_address works only when vsftpd runs in standalone mode (listen=YES). If a vsftpd entry exists under /etc/xinetd.d, set disable = yes in that file so that xinetd does not also try to serve port 21.
5. Lock users into their home directory
chroot_local_user=YES: every local user is jailed in its home directory; with NO, users can change to any directory their permissions allow.
To jail only selected users, leave chroot_local_user=NO and enable the list:
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
Change these to:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Save the file and then create the list:
# touch /etc/vsftpd.chroot_list
# vi /etc/vsftpd.chroot_list: one user name per line, for example:
netseek_com
Note that the meaning of the list flips with chroot_local_user: when chroot_local_user=YES, the users in chroot_list_file are the ones who are NOT jailed. vsftpd releases from 2.3.5 on also refuse a session whose chroot root is writable by the user; either keep the home directory itself read-only and give the user a writable subdirectory, or set allow_writeable_chroot=YES (vsftpd 3.0 and later) and accept the risk.
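Both the configuration appended in section II and the chroot list above are easy to get wrong in ways that vsftpd only reports as "500 OOPS" at the next restart: a remark appended after ";", a capitalised option name, the non-existent listen_data_port, an inverted passive port range, or a chroot_local_user/chroot_list_enable combination that jails nobody. The following shell script is an added example, not part of the original article or of vsftpd itself; it lints a vsftpd.conf for exactly those mistakes before the service is restarted. The two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): lint a vsftpd.conf for the mistakes
# discussed in the text before restarting the daemon.

# Print the last value of option $2 in file $1, or the default $3 when unset.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Report problems in $1, one per line; return 0 when clean, 1 otherwise.
lint_vsftpd_conf() {
    conf=$1
    errors=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;    # blank line or comment line: fine
            *=*) ;;
            *) echo "line $n: not key=value: $line"; errors=$((errors + 1)); continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # vsftpd takes everything after '=' literally: no trailing comments,
        # and no whitespace anywhere on the line.
        case "$value" in
            *';'*|*'#'*)
                echo "line $n: trailing comment becomes part of the value: $line"
                errors=$((errors + 1)) ;;
            *)
                case "$line" in
                    *[[:space:]]*)
                        echo "line $n: whitespace in key=value line: $line"
                        errors=$((errors + 1)) ;;
                esac ;;
        esac
        case "$key" in
            *[A-Z]*) echo "line $n: option names are lowercase: $key"; errors=$((errors + 1)) ;;
        esac
        case "$key" in
            listen_data_port)
                echo "line $n: listen_data_port is not a vsftpd option; use ftp_data_port with connect_from_port_20=YES"
                errors=$((errors + 1)) ;;
        esac
    done < "$conf"

    # Cross-checks between options (defaults are vsftpd's own).
    if [ "$(conf_get "$conf" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable is YES (the default); set anonymous_enable=NO unless anonymous FTP is intended"
        errors=$((errors + 1))
    fi
    pmin=$(conf_get "$conf" pasv_min_port 0)
    pmax=$(conf_get "$conf" pasv_max_port 0)
    if [ "$pmin" -gt "$pmax" ] 2>/dev/null; then
        echo "pasv_min_port ($pmin) is above pasv_max_port ($pmax)"
        errors=$((errors + 1))
    fi
    jail_all=$(conf_get "$conf" chroot_local_user NO)
    use_list=$(conf_get "$conf" chroot_list_enable NO)
    if [ "$jail_all" = NO ] && [ "$use_list" = NO ]; then
        echo "no local user is chrooted: chroot_local_user=NO and chroot_list_enable=NO"
        errors=$((errors + 1))
    elif [ "$jail_all" = YES ] && [ "$use_list" = YES ]; then
        echo "note: with chroot_local_user=YES the users in chroot_list_file are the ones NOT jailed"
    fi
    [ "$errors" -eq 0 ]
}

# Constructed sample configurations: one with the article's pitfalls, one clean.
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
anonymous_enable=YES
Listen_port=5021
listen_data_port=5020
pasv_enable=YES; allow passive mode
pasv_min_port=10010
pasv_max_port=10000
local_max_rate = 200000
chroot_local_user=NO
EOF
    cat > "$1/good.conf" <<'EOF'
listen=YES
listen_address=192.168.0.21
anonymous_enable=NO
local_enable=YES
write_enable=YES
listen_port=5021
connect_from_port_20=YES
ftp_data_port=5020
pasv_enable=YES
pasv_min_port=10010
pasv_max_port=10020
local_max_rate=300000
chroot_local_user=YES
EOF
}

# Demo: lint both samples.
d=$(mktemp -d)
write_sample_confs "$d"
for f in good.conf bad.conf; do
    echo "== $f"
    if lint_vsftpd_conf "$d/$f"; then echo "clean"; else echo "fix these before restarting vsftpd"; fi
done
rm -rf "$d"
```

Point lint_vsftpd_conf at /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on newer Red Hat releases) before running service vsftpd restart; a clean pass is no guarantee that every option is valid, but it catches the syntax slips and the chroot inversion that this article warns about.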
6. Connection and bandwidth limits
max_clients=100: maximum number of simultaneous clients; the default 0 means no limit.
max_per_ip=5: maximum number of simultaneous connections from one IP address; 0 means no limit. Both limits apply only in standalone mode (listen=YES).
anon_max_rate=50000: maximum transfer rate for anonymous users, in bytes per second (not bits).
local_max_rate=200000: maximum transfer rate for local users, in bytes per second.
To give a single user a different limit, use per-user configuration files:
# vi /etc/vsftpd.conf, add one line:
user_config_dir=/etc/vsftpd/userconf
# mkdir -p /etc/vsftpd/userconf
# vi /etc/vsftpd/userconf/netseek_com    # a file named after the user, in vsftpd.conf syntax, containing:
local_max_rate=100000
Save and restart the service. Settings in the per-user file override the global ones for that user only.
7. Welcome messages
Per-directory messages:
# vi /etc/vsftpd.conf
#dirmessage_enable=YES: remove the leading #.
Then write a .message file containing whatever text you like and put a copy in each user's home directory; vsftpd shows the .message of a directory the first time the user enters it (the file name can be changed with message_file).
Login banner:
ftpd_banner=Welcome to ftp.netseek.com, Yeah!!!
Login banner from a file:
banner_file=/etc/vsftpd/welcome works like ftpd_banner, except that the text is read from the named file, which allows a multi-line banner. Setting either option also replaces the default greeting, which otherwise announces the vsftpd version to every client.