Vsftp, vsftpd

Source: Internet
Author: User
Tags: ftp connection

yum install vsftpd -y
iptables -I INPUT 1 -p tcp --dport 20:21 -j ACCEPT
service iptables save

vim /etc/vsftpd.conf
vsftpd reads each directive as key=value with no spaces around the "=", so the settings are listed in that form; the explanatory notes are given as "#" comment lines above each directive.

# anonymous accounts may log on
anonymous_enable=YES
# default logon directory for anonymous users (default /var/ftp/)
anon_root=/var/ftp
# local accounts may log on
local_enable=YES
# whether users have write permission on the server over FTP
write_enable=YES
# default permissions at creation: folder = 777-umask, file = 666-umask
local_umask=022
# allow anonymous accounts to upload
anon_upload_enable=YES
# allow anonymous accounts to create folders
anon_mkdir_write_enable=YES
# whether to show the .message file of a directory
dirmessage_enable=YES
# whether to enable the transfer log
xferlog_enable=YES
# default YES: use port 20 for the FTP data connection; if NO, the data port is the one set by ftp_data_port
connect_from_port_20=YES
# port used for the data connection in PORT mode, default 20
ftp_data_port=20
# automatically change the owner of files uploaded by anonymous accounts
chown_uploads=YES
# new owner of anonymously uploaded files
chown_username=bob
# log file location
xferlog_file=/var/log/xferlog
# idle session timeout (seconds)
idle_session_timeout=600
# FTP data connection timeout (seconds)
data_connection_timeout=120
# allow uploads in ASCII mode
ascii_upload_enable=YES
# welcome banner
ftpd_banner=Welcome to blah FTP service.
# enable the chroot list function; by default chroot is disabled
chroot_list_enable=YES
# every user listed in this file is chrooted
chroot_list_file=/etc/vsftpd/chroot_list
# allow anonymous accounts to delete and rename
anon_other_write_enable=YES
# change the root directory of anonymous accounts (default /var/ftp)
anon_root=/ftp
# change the root directory of local accounts to /local (default: the user's home directory)
local_root=/local
# enable the user list function
userlist_enable=YES
# YES: every account in the user list file is rejected; NO: only users in the list can log on
userlist_deny=YES
# restrict the file types users may upload
deny_file={*.xxx}
# user list file
userlist_file=/etc/vsftpd/user_list
# maximum transfer rate for anonymous users, 0 = unlimited
anon_max_rate=0
# maximum transfer rate for local users, 0 = unlimited
local_max_rate=0
# maximum number of client connections, 0 = unlimited
max_clients=0
# maximum number of connections per IP address
max_per_ip=5
# upper bound of the passive-mode port range, 0 = unrestricted
pasv_max_port=0
# lower bound of the passive-mode port range, 0 = unrestricted
pasv_min_port=0
# use the standard port 20 for the FTP data connection
connect_from_port_20=YES
# bind to one IP address; the other addresses of the host cannot be used to connect
listen_address=192.168.10.14
# allow upload
anon_upload_enable=YES
# allow download
anon_world_readable_only=YES
# allow creating directories
anon_mkdir_write_enable=YES
# have other permissions
bytes=YES
# the user's folder
local_root=/var/ftp/ziji
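As an added example (not code from the original page), the following shell script audits a vsftpd.conf for the risky combinations among the directives above: anonymous write access, anon_world_readable_only=NO, local users that are not chrooted, and a missing transfer log. The function names and both sample configuration files are constructed for this example; directives that are not set fall back to the upstream vsftpd defaults (anonymous_enable and anon_world_readable_only default to YES, the others to NO).

```shell
#!/bin/sh
# Added example, not part of the original page: audit a vsftpd.conf for the
# risky combinations of the directives discussed above. The helper names and
# the two sample configuration files below are constructed for this example.

# vsftpd_get FILE KEY DEFAULT: print the effective value of KEY. vsftpd only
# accepts the exact form KEY=VALUE (no spaces) and the last assignment wins;
# if KEY is absent, DEFAULT is printed instead.
vsftpd_get() {
    v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# vsftpd_finding TEXT: print one finding and count it.
vsftpd_finding() {
    echo "finding: $1"
    VSFTPD_FINDINGS=$((VSFTPD_FINDINGS + 1))
}

# vsftpd_audit FILE: print one line per finding and leave the number of
# findings in VSFTPD_FINDINGS (always returns 0 so it can run under set -e).
vsftpd_audit() {
    f="$1"
    VSFTPD_FINDINGS=0
    anon=$(vsftpd_get "$f" anonymous_enable YES)
    local_users=$(vsftpd_get "$f" local_enable NO)
    write=$(vsftpd_get "$f" write_enable NO)

    # The anon_* write switches are only live when anonymous_enable and
    # write_enable are both YES.
    if [ "$anon" = YES ] && [ "$write" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$f" "$k" NO)" = YES ]; then
                vsftpd_finding "anonymous users may write: $k=YES"
            fi
        done
    fi
    # With anon_world_readable_only=NO every file the ftp user can read is downloadable.
    if [ "$anon" = YES ] && [ "$(vsftpd_get "$f" anon_world_readable_only YES)" = NO ]; then
        vsftpd_finding "anon_world_readable_only=NO: any ftp-readable file can be downloaded"
    fi
    # Local users outside a chroot can browse everything their account can read.
    if [ "$local_users" = YES ] \
        && [ "$(vsftpd_get "$f" chroot_local_user NO)" != YES ] \
        && [ "$(vsftpd_get "$f" chroot_list_enable NO)" != YES ]; then
        vsftpd_finding "local users are not chrooted (chroot_local_user and chroot_list_enable unset)"
    fi
    # Without the transfer log there is no record of uploads and downloads.
    if [ "$(vsftpd_get "$f" xferlog_enable NO)" != YES ]; then
        vsftpd_finding "xferlog_enable is not YES: transfers are not logged"
    fi
    return 0
}

# --- constructed sample configurations ---
VSFTPD_DEMO_DIR=$(mktemp -d)
cat > "$VSFTPD_DEMO_DIR/weak.conf" <<'EOF'
# constructed sample: anonymous upload, no chroot, no transfer log
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
EOF
cat > "$VSFTPD_DEMO_DIR/hardened.conf" <<'EOF'
# constructed sample: local users only, chrooted, allow-listed, logged
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
userlist_enable=YES
userlist_deny=NO
EOF

for c in weak hardened; do
    echo "== $c.conf"
    vsftpd_audit "$VSFTPD_DEMO_DIR/$c.conf"
    echo "total findings: $VSFTPD_FINDINGS"
done
```

Run it against a real server's /etc/vsftpd.conf with vsftpd_audit; the weak sample produces five findings and the hardened sample none.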


anon_world_readable_only: by default anonymous users can both upload and download files. Anonymous sessions run with the permissions of the local ftp user: to upload, the ftp user needs write permission on the directory; to download, the ftp user needs read permission on the file, so any file the ftp user can read is downloadable. A file carries three sets of permission bits (owner, group and others). When anon_world_readable_only is set to YES, a file can be downloaded only if the "others" bits grant read; a file that is readable only by the ftp user (as owner or through its group) cannot be downloaded. This is a security measure. When it is NO, a file can be downloaded as long as the ftp user has read permission on it.

1. On CentOS 6.5, a local user that has been allowed to log on still cannot log on. Solution 1: setenforce 0. Solution 2: change the SELinux Boolean: setsebool -P ftp_home_dir on

2. File upload method. Binary mode is generally used for files that cannot be edited, ASCII mode for files that can be edited. The upload command is put <file path>. An anonymous user logs on to /var/ftp/ and cannot upload because it has no permission on that directory. Solution:
mkdir /var/ftp/ceshi    (create a directory)
chown ftp:ftp ceshi     (change the owner and group of the directory)
then change the SELinux Booleans:
setsebool -P allow_ftpd_anon_write on
setsebool -P allow_ftpd_full_access on

3. chroot for local users. If only chroot_local_user=YES is set, every local user is chrooted. If only chroot_list_enable=YES is set, only the users in the list file are chrooted. When both are set, every user except those in the list file is chrooted.

4. Method to restrict user logon: enable pam_service_name=vsftpd and userlist_enable=YES. Method 1: echo <user name> > ftpusers. Method 2: echo <user name> > user_list

5. Add a virtual user
① Create the virtual user password file: touch vsftpd_login.txt. Odd-numbered lines hold user names and even-numbered lines hold the corresponding passwords.
② Generate the vsftpd authentication file with db_load, giving the name of the database file to be generated, vsftpd_login.db, as the command's parameter; the database file and the password file must be placed in the same folder. Note: db_load ships with CentOS 6.5; on CentOS 5.5 it is only available after installing db4_utils. It is best to restrict the permissions of this file.
③ Create the PAM configuration required by the virtual user: edit /etc/pam.d/vsftpd and add
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
(the path of the .so file can be checked under that folder)
④ Create the local account corresponding to the virtual user: useradd -d /var/ftp/user1 user1
⑤ Add user_config_dir=<user configuration file directory> to the configuration file, create a file for the virtual user in that directory and configure the corresponding permissions. Note that local user logon must be enabled so that the virtual user can log on.

6. IP-based vsftpd service
① Add an IP address: ip addr add 192.168.10.141/24 dev eth0 label eth0:1
② Configuration file: cp -p ifcfg-eth0 ifcfg-eth0:1
③ Modify that configuration file and restart the NIC; then cp -p vsftpd.conf vsftpd2.conf and add listen_address=<IP address> to the new configuration file.
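The access rules in the notes above (anon_world_readable_only against a file's permission bits, the chroot_local_user/chroot_list_enable combination, and userlist_deny together with ftpusers) as an added shell example that is not part of the original page; the function names, the scratch files and the sample user lists are assumptions constructed for it, and the helpers assume the file is owned by the ftp user and that userlist_enable=YES and pam_service_name=vsftpd are set.

```shell
#!/bin/sh
# Added example, not taken from the original page: three small decision helpers
# that reproduce the access rules described in the notes above, so a setting
# can be checked against a file or user before it is rolled out. The function
# names, scratch files and sample user lists are constructed for this example.

# anon_download_allowed FILE SETTING
# SETTING is the value of anon_world_readable_only. Anonymous sessions run as
# the local ftp user, which is assumed here to own the file (as after
# "chown ftp:ftp"). With YES the "others" read bit is required; with NO the
# owner read bit is enough.
anon_download_allowed() {
    perm=$(ls -ld "$1" | cut -c1-10)        # e.g. -rw-r-----
    owner_r=$(echo "$perm" | cut -c2)
    others_r=$(echo "$perm" | cut -c8)
    if [ "$2" = YES ]; then
        [ "$others_r" = r ]
    else
        [ "$owner_r" = r ] || [ "$others_r" = r ]
    fi
}

# user_is_chrooted USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LISTFILE
# chroot_local_user=YES chroots everyone and the list (if enabled) holds the
# exceptions; chroot_local_user=NO chroots nobody and the list (if enabled)
# holds the only users who are chrooted. A user is therefore chrooted when
# exactly one of the two conditions applies.
user_is_chrooted() {
    in_list=NO
    if [ "$3" = YES ] && grep -qx "$1" "$4"; then in_list=YES; fi
    [ "${2:-NO}" != "$in_list" ]
}

# login_permitted USER USERLIST_DENY USERLIST_FILE FTPUSERS
# Assumes userlist_enable=YES and pam_service_name=vsftpd. Names in ftpusers
# are always refused by the PAM stack; userlist_deny=YES (the default) refuses
# the names in the user list, userlist_deny=NO admits only those names.
login_permitted() {
    if grep -qx "$1" "$4"; then return 1; fi
    if grep -qx "$1" "$3"; then
        [ "${2:-YES}" != YES ]
    else
        [ "${2:-YES}" = YES ]
    fi
}

# --- constructed sample data ---
DEMO=$(mktemp -d)
echo "public notes"  > "$DEMO/pub.txt";  chmod 644 "$DEMO/pub.txt"
echo "private notes" > "$DEMO/priv.txt"; chmod 640 "$DEMO/priv.txt"
printf 'alice\n' > "$DEMO/chroot_list"
printf 'bob\n'   > "$DEMO/user_list"
printf 'root\n'  > "$DEMO/ftpusers"

# show LABEL COMMAND...: print yes/no for a decision helper
show() { label=$1; shift; if "$@"; then echo "$label: yes"; else echo "$label: no"; fi; }
show "anonymous download of priv.txt (mode 640), setting YES" anon_download_allowed "$DEMO/priv.txt" YES
show "anonymous download of priv.txt (mode 640), setting NO"  anon_download_allowed "$DEMO/priv.txt" NO
show "alice chrooted (chroot_local_user=YES, listed)"          user_is_chrooted alice YES YES "$DEMO/chroot_list"
show "bob chrooted (chroot_local_user=YES, not listed)"        user_is_chrooted bob YES YES "$DEMO/chroot_list"
show "bob may log on (userlist_deny=YES, listed)"              login_permitted bob YES "$DEMO/user_list" "$DEMO/ftpusers"
show "root may log on (in ftpusers)"                           login_permitted root NO "$DEMO/user_list" "$DEMO/ftpusers"
```

Each helper returns 0 (yes) or 1 (no), so it can be used directly in an if statement or in a loop over the accounts of a server.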
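As an added example, not the page's own procedure text, the following script prepares the virtual-user artefacts from step 5 in a scratch directory instead of /etc/vsftpd, so the layout can be reviewed before it is copied to a real server: the odd/even-line password file with restricted permissions, the two PAM lines, and a per-user file for user_config_dir. The function names and the sample accounts are constructed; the db_load flags (-T -t hash -f) are the Berkeley DB ones and are assumed to match the db_load the page refers to, and the database is only built if db_load is installed.

```shell
#!/bin/sh
# Added example, not part of the original page: prepare the files needed by
# the virtual-user procedure above in a scratch directory. Function names and
# the sample accounts are constructed; db_load is only run if it is installed.

# make_login_file OUT "user1 pass1" "user2 pass2" ...
# Writes the layout expected by db_load: odd-numbered lines hold user names,
# even-numbered lines the matching passwords.
make_login_file() {
    out="$1"; shift
    : > "$out"
    chmod 600 "$out"               # clear-text passwords: owner-only from the start
    for pair in "$@"; do
        printf '%s\n%s\n' "${pair%% *}" "${pair#* }" >> "$out"
    done
}

# check_login_file FILE: returns 0 when the file has an even, non-zero number
# of lines, i.e. every user name line is followed by a password line.
check_login_file() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ]
}

# make_pam_snippet OUT DBPATH: the two lines to add to /etc/pam.d/vsftpd,
# written to OUT for review rather than into /etc/pam.d directly. DBPATH is
# given without the .db suffix, as in the notes above.
make_pam_snippet() {
    printf 'auth required /lib/security/pam_userdb.so db=%s\n' "$2" > "$1"
    printf 'account required /lib/security/pam_userdb.so db=%s\n' "$2" >> "$1"
}

# make_user_config DIR USER ROOT: per-user file read through user_config_dir=DIR;
# local_root confines the virtual user to ROOT and uploads stay disabled.
make_user_config() {
    mkdir -p "$1"
    printf 'local_root=%s\nwrite_enable=NO\n' "$3" > "$1/$2"
}

# --- constructed sample run ---
DEMO=$(mktemp -d)
make_login_file "$DEMO/vsftpd_login.txt" "user1 constructed-pass-1" "user2 constructed-pass-2"
if check_login_file "$DEMO/vsftpd_login.txt"; then
    echo "password file layout ok"
fi
if command -v db_load >/dev/null 2>&1; then
    # Berkeley DB: -T plain-text input, -t hash database type, -f input file
    db_load -T -t hash -f "$DEMO/vsftpd_login.txt" "$DEMO/vsftpd_login.db"
    chmod 600 "$DEMO/vsftpd_login.db"
else
    echo "db_load not installed; vsftpd_login.db not built (db4_utils on CentOS 5.5)"
fi
make_pam_snippet "$DEMO/pam_vsftpd.add" /etc/vsftpd/vsftpd_login
make_user_config "$DEMO/vsftpd_user_conf" user1 /var/ftp/user1
ls -l "$DEMO" "$DEMO/vsftpd_user_conf"
```

The remaining steps (useradd -d /var/ftp/user1 user1, adding user_config_dir=/etc/vsftpd/vsftpd_user_conf to vsftpd.conf and enabling local user logon) are done on the server itself once the generated files have been checked.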
