VSFTPD configuration file _ftp Server

Source: Internet
Author: User
Tags anonymous ftp connection parent directory file permissions

1. Default configuration:

1> allows anonymous users and local users to log on.
Anonymous_enable=yes
Local_enable=yes
2> Anonymous users use the login name is FTP or anonymous, the password is empty, anonymous users can not leave the anonymous user home directory/var/ftp, and can only download can not upload.
3> Local user's login name is local username, password is the local user's password, local users can read and write in their home directory, Local users can leave their own directory to access other directories, and upload/download with permission.
Write_enable=yes
The local user 4> written in the file/etc/vsftpd.ftpusers is prohibited from landing.

2. Configuration file Format:

The content of vsftpd.conf is very simple, each line is a set. A blank line or a line that starts with a # will be ignored. The content has only one format, as shown below
Option=value
Note that there is no white space on either side of the equals sign.

3. Anonymous user (anonymous) settings

Anonymous_enable=yes/no (YES)
Controls whether anonymous users are allowed to log in, YES to allow anonymous login, no is not allowed. The default value is yes.
Write_enable=yes/no (YES)
Whether to allow logon user to have write permission. is a global setting, and the default value is yes.
No_anon_password=yes/no (NO)
If you start this feature, you will not be asked for a password by using anonymous login. The default value is No.
Ftp_username=ftp
Defines the name of the user who entered the anonymous login. The default value is FTP.
Anon_root=/var/ftp
The directory that is logged in using anonymous login. The default value is/var/ftp. Note The FTP directory cannot be a 777 permission attribute, that is, the anonymous user's home directory cannot have 777 permissions.
Anon_upload_enable=yes/no (NO)
If set to Yes, allows anonymous login to have permission to upload files (not directories), which is valid only when Write_enable=yes. Of course, anonymous users must have write rights to the upper directory. The default value is No.
Anon_world_readable_only=yes/no (YES)
If set to Yes, anonymous users are allowed to download readable files (which can be downloaded to native reading and cannot be read directly from the FTP server). The default value is yes.
Anon_mkdir_write_enable=yes/no (NO)
If set to Yes, the anonymous login is allowed to have new directory permissions, and this entry is valid only when Write_enable=yes. Of course, anonymous users must have write rights to the upper directory. The default value is No.
Anon_other_write_enable=yes/no (NO)
If set to Yes, allow anonymous login to more than upload or create permissions outside the directory, such as delete or rename. (If anon_upload_enable=no, anonymous users cannot upload files, but you can delete or rename files that already exist; if anon_mkdir_write_enable=no, anonymous users cannot upload or create a new folder. However, you can delete or rename a folder that already exists. The default value is No.
Chown_uploads=yes/no (NO)
Sets whether to change the owner of an anonymous user upload file (not a directory). The default value is No.
Chown_username=username
Sets the owner name of an anonymous user upload file (not a directory). It is not recommended to set to root.
anon_umask=077
Sets the Umask value when an anonymous login adds or uploads a file. The default value is 077, then the corresponding permission for the new file is 700.
Deny_email_enable=yes/no (NO)
If you start this function, you must provide a file/etc/vsftpd/banner_emails, the content is email address. If you use anonymous login, you will be required to enter the email address, if the input email address in this file, it is not allowed to enter. The default value is No.
Banned_email_file=/etc/vsftpd/banner_emails
This file is used to enter an email address and will only be used when deny_email_enable=yes. If you use anonymous login, you will be required to enter the email address, if the input email address in this file, it is not allowed to enter.

4. Local User Settings

Local_enable=yes/no (YES)
Controls whether local users are allowed to log in, YES to allow local users to log in, no is not allowed. The default value is yes.
Local_root=/home/username
When local users log in, they are replaced to the defined directory. The default value is the home directory for each user.
Write_enable=yes/no (YES)
Whether to allow logon user to have write permission. is a global setting, and the default value is yes.
local_umask=022
Umask value when a local user adds a file. The default value is 077.
file_open_mode=0755
The file permissions for local users to upload files are the same as the values used by chmod. The default value is 0666.

5. Welcome Language Settings

Dirmessage_enable=yes/no (YES)
If you start this option, the first time a user enters a directory, it checks to see if there is a. message file, and if so, the contents of the file, usually with a welcome speech or a description of the directory. The default value is open.
Message_file=.message
Set up a catalog message file that you can write to the file you want to display. The default value is. message.
Banner_file=/etc/vsftpd/banner
When the user is logged in, the content of the file is displayed, usually as a welcome word or description. The default value is None. If more information is welcome, use this configuration item.
Ftpd_banner=welcome to BOB ' s FTP server
The string used here to define the welcome discourse, Banner_file is the form of the file, while the Ftpd_banner is the form of a string. Default is None.

6. Control whether the user is allowed to switch to the parent directory

Under the default configuration, a local user can use the CD command to switch to a different directory after logging in FTP, which poses a security risk to the system. You can control the user Switching directory by using the following three configuration files.
Chroot_list_enable=yes/no (NO)
Sets whether the user list file specified by the Chroot_list_file configuration entry is enabled. The default value is No.
Chroot_list_file=/etc/vsftpd.chroot_list
Used to specify a user list file that controls which users can switch to the parent directory of the user's home directory.
Chroot_local_user=yes/no (NO)
Lets you specify whether users in the user list file are allowed to switch to a parent directory. The default value is No.
The following effects can be achieved by collocation:
① users listed in the/etc/vsftpd.chroot_list file can switch to other directories when Chroot_list_enable=yes,chroot_local_user=yes, and users that are not listed in the file. You cannot switch to a different directory.
② users listed in the/etc/vsftpd.chroot_list file cannot switch to another directory when Chroot_list_enable=yes,chroot_local_user=no, and users who are not listed in the file can switch to another directory.
③ when Chroot_list_enable=no,chroot_local_user=yes, all users cannot switch to a different directory.
④ when Chroot_list_enable=no,chroot_local_user=no, all users can switch to a different directory.

7. Data transfer Mode Setup

FTP can use binary when transferring data, or it can use ASCII mode to upload or download data.
Ascii_upload_enable=yes/no (NO)
Sets whether ASCII-mode upload data is enabled. The default value is No.
Ascii_download_enable=yes/no (NO)
Sets whether to enable ASCII mode download data. The default value is No.

8. Access Control Settings

Two kinds of control methods: one control host access, the other control user access.
① Control host Access:
Tcp_wrappers=yes/no (YES)
Sets whether the VSFTPD is combined with the TCP wrapper for host access control. The default value is yes. If enabled, the VSFTPD server checks the settings in/etc/hosts.allow and/etc/hosts.deny to determine whether the host requesting the connection is allowed to access the FTP server. These two files can play a simple firewall function.
For example, to allow only 192.168.0.1-192.168.0.254 users to connect to an FTP server, add the following in the/etc/hosts.allow file:
vsftpd:192.168.0. : Allow
All:all:d Eny
② Control user access:
Access control for users can be achieved through the vsftpd.user_list and ftpusers files in the/etc directory.
Userlist_file=/etc/vsftpd.user_list
Control user access to FTP files, which write the user name. One row for the user name.
Userlist_enable=yes/no (NO)
Whether to enable Vsftpd.user_list files.
Userlist_deny=yes/no (YES)
Determines whether users in the Vsftpd.user_list file can access the FTP server. If set to Yes, the user in the Vsftpd.user_list file is not allowed access to FTP, and if set to No, only users in the Vsftpd.user_list file can access FTP.
The/etc/vsftpd/ftpusers file is specifically designed to define a list of users who do not allow access to the FTP server (note: If userlist_enable=yes,userlist_deny=no, this time if the Vsftpd.user_ When there is a user in both list and ftpusers, the user is not able to access FTP, that is, the ftpusers priority is high. By default, Vsftpd.user_list and Ftpusers, these two files have preset some system internal accounts that do not allow access to the FTP server. If the system does not have these two files, then create the two files and add the user.

9. Access Rate Settings

Anon_max_rate=0
Sets the maximum transfer speed that is used by an anonymous login, in b/s,0, which indicates that the speed is not limited. The default value is 0.
Local_max_rate=0
The maximum transfer speed used by local users, in units of b/s,0, to express unlimited speed. The preset value is 0.

10. Timeout setting

Accept_timeout=60
Sets the timeout in seconds for establishing an FTP connection. The default value is 60.
Connect_timeout=60
The PORT method to establish a data connection timeout, in seconds. The default value is 60.
data_connection_timeout=120
Sets the timeout time, in seconds, to establish an FTP data connection. The default value is 120.
idle_session_timeout=300
Set how long to do nothing with the FTP server, then disconnect the FTP connection in seconds. The default value is 300.

11. log File Settings

xferlog_enable= yes/no (YES)
Whether to enable upload/download log records. If enabled, the uploaded and downloaded information will be fully recorded in the file defined by Xferlog_file. Preset to open.
Xferlog_file=/var/log/vsftpd.log
Sets the log file name and path, and the default value is/var/log/vsftpd.log.
Xferlog_std_format=yes/no (NO)
If enabled, the log file will be written as a Xferlog standard format, as in WU-FTPD General. The default value is off.
log_ftp_protocol=yes| No (NO)
If this option is enabled, all FTP requests and responses are logged to the log, and the default log file is/var/log/vsftpd.log. When this option is enabled, Xferlog_std_format cannot be activated. This option is useful for debugging. The default value is No.

12. Define User Profiles

In vsftpd, you can define user profiles to enable different users to use different configurations.
User_config_dir=/etc/vsftpd/userconf
Sets the directory where the user profile resides. When the configuration item is set, after the user logs on to the server, the system goes to the/etc/vsftpd/userconf directory, reads the same file as the current user name, and makes a further configuration of the current user according to the configuration commands in the file.
For example: Define USER_CONFIG_DIR=/ETC/VSFTPD/USERCONF, and there is a user test1,test2 on the host, then we will add the file name Test1 and test2 two files in the User_config_dir directory. If the test1 login, it will read the User_config_dir under the Test1 in this file settings. The default value is None. Using user profiles, you can control the speed of access to different users, and define LOCAL_MAX_RATE=XX in each user profile.

13.FTP working mode and port setting

FTP works in two ways: PORT FTP (Active mode) and PASV FTP (passive mode)
Listen_port=21
Sets the port on which the FTP server is listening to establish a connection, with the default value of 21.
Connect_from_port_20=yes/no
Specifies that FTP uses port 20 for data transfer, and the default value is yes.
Ftp_data_port=20
Sets the port to use for FTP data connections, with a default value of 20.
Pasv_enable=yes/no (YES)
If set to Yes, the PASV work mode is used, and port mode is used if set to No. The default value is Yes, that is, the PASV mode of work is used.
Pasv_max_port=0
In PASV mode, the maximum port range that a data connection can use, 0 represents any port. The default value is 0.
Pasv_min_port=0
In PASV mode, the minimum port range for a data connection to use, and 0 represents any port. The default value is 0.

14. Connection-Related Settings

Listen=yes/no (YES)
Sets whether the VSFTPD server runs in standalone mode. It is a good way to run in standalone mode, at which point listen must be set to Yes, which is the default value. It is recommended that you do not change, there are many configuration commands that are related to the operation of the server and need to be valid in this mode. If set to No, then VSFTPD is not run as an independent service, to be subject to the XINETD service control, the function will be limited.
Max_clients=0
Sets the maximum number of connections allowed for VSFTPD, the default value is 0, which means unrestricted. When set to 100, 100 connections are allowed at the same time, and the excess is denied. Only works in standalone mode.
Max_per_ip=0
Sets the number of connections that each IP allows to establish with the FTP server. The default value is 0, which means unrestricted. Only works in standalone mode.
Listen_address=ip Address
Sets the FTP server to listen for user's FTP requests on the specified IP address. If not set, all IP addresses that are bound by the server are listened to. Only works in standalone mode.
Setproctitle_enable=yes/no (NO)
Sets each connection to the FTP server, and whether it is represented by a different process. The default value is no, this time using PS aux |grep ftp will only have a vsftpd process. If set to Yes, each connection will have a vsftpd process.
 
15. Virtual User Settings

The virtual user uses the PAM authentication method.
Pam_service_name=vsftpd
Set the name that Pam uses, and the default value is/ETC/PAM.D/VSFTPD.
guest_enable= yes/no (NO)
Enable virtual users. The default value is No.
Guest_username=ftp
This is used to map virtual users. The default value is FTP.
Virtual_use_local_privs=yes/no (NO)
When this parameter is activated (YES), the virtual user uses the same permissions as the local user. When this parameter is turned off (NO), the virtual user uses the same permissions as the anonymous user. This parameter is off by default (NO).

16. Other Settings

text_userdb_names= yes/no (NO)
Sets whether the UID, GID, or specific user and group names are displayed when executing commands such as Ls–la. The default value is no, which is displayed in UID and GID mode. Set to Yes if you want to display the user name and group name.
Ls_recurse_enable=yes/no (NO)
Enabling this feature allows the login to use Ls–r, which allows you to view files in the directory below the current directory. The default value is No.
Hide_ids=yes/no (NO)
If this feature is enabled, the owner and group of all files are FTP, that is, users log in using Ls-al, and so on, the file owner and group are all FTP. The default value is off.
Download_enable=yes/no (YES)
If set to No, all files cannot be downloaded to the local folder and the folders are unaffected. The default value is yes.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.