VSFTPD installation and configuration--study TCP and firewalls

Source: Internet
Author: User
Tags: ftp login, ftp client

Configuration file for vsftpd

/etc/vsftpd/vsftpd.conf

Master configuration file

/usr/sbin/vsftpd

VSFTPD's main program

/etc/rc.d/init.d/vsftpd

Startup scripts

/etc/pam.d/vsftpd

PAM authentication file. The line file=/etc/vsftpd/ftpusers in this file means that PAM denies login to every user listed in /etc/vsftpd/ftpusers.

/etc/pam.d is the directory that holds the PAM configuration for services that require login authentication; the ftpusers file named in the vsftpd entry is the list of users to restrict.

/etc/vsftpd/ftpusers

List of users prohibited from using vsftpd. It records the users who are not allowed to access the FTP server; the administrator can add accounts that would threaten system security here, so that such a user cannot log in over FTP, gain rights beyond upload and download, and damage the system. (Note: in linux-4 this file is in the /etc/ directory.)

/etc/vsftpd/user_list

List of users prohibited from, or allowed to, use vsftpd. By default (userlist_deny=YES in /etc/vsftpd/vsftpd.conf) the users listed in this file cannot access the FTP server; when userlist_deny=NO is set, only the users listed in this file may access the FTP server. (Note: in linux-4 this file is in the /etc/ directory.)

/var/ftp

Anonymous user home directory. A local user's home directory is /home/<user>, and the user lands there after login.

/var/ftp/pub

Anonymous users' download directory. As root, run chmod 1777 pub: the leading 1 sets the sticky bit, so that files cannot be deleted by other users after upload.

/etc/logrotate.d/vsftpd.log

Log files for vsftpd

vsftpd.conf File Contents

# Whether to allow anonymous logins to the FTP server; the default is YES (allowed).
# Anonymous users log in with the user name ftp or anonymous and give their e-mail address as the password.
# Set to NO if anonymous access is not allowed.
anonymous_enable=YES
# Whether to allow local users (user accounts in the Linux system) to log on; the default is YES (allowed).
# Local users log on to their home directory; anonymous users enter the anonymous download directory /var/ftp/pub.
# If only anonymous access is wanted, comment this line out to keep local users off the FTP server.
local_enable=YES
# Allow local users to have write access to FTP server files; the default is YES (allowed).
write_enable=YES
# File mask for local users; the default is 077. It can be set to 022 or any other value you prefer.
#local_umask=022
# Whether anonymous users may upload files; the global write_enable must be YES.
#anon_upload_enable=YES
# Whether anonymous users may create new directories.
#anon_mkdir_write_enable=YES
# Activate directory welcome messages. When a user first enters a directory on the server in CMD mode,
# the FTP server displays a welcome message, taken by default from the .message file in that directory.
# That file holds the custom welcome text and is created by the administrator.
dirmessage_enable=YES
# Let the system maintain a log of uploads and downloads. By default the log file is /var/log/vsftpd.log;
# it can also be set with the xferlog_file option below. The default is NO.
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Port 20 carries FTP data; port 21 is the control connection.
connect_from_port_20=YES
# Whether the owner of uploaded files is changed; use together with chown_username.
# Note that using the root user as the owner of uploaded files is not recommended.
#chown_uploads=YES
# The user that uploaded files are changed to; give a system user name if needed.
#chown_username=whoever
# Log file for uploads and downloads; /var/log/vsftpd.log is the default, another path can be set.
#xferlog_file=/var/log/vsftpd.log
# Whether to write the transfer log in the standard xferlog format. The default file is /var/log/xferlog;
# it can also be set with xferlog_file. The default is NO.
#xferlog_std_format=YES
# The following are additional options; adding the option enables the corresponding setting.
# Generate two similar log files, by default /var/log/xferlog and /var/log/vsftpd.log. The former is a
# wu-ftpd style transfer log that standard log tools can analyse; the latter is the vsftpd style log.
#dual_log_enable=YES
# Send what would otherwise be written to /var/log/vsftpd.log to the system log instead.
#syslog_enable=YES
# Idle session timeout. This setting interrupts an idle user session after 600 seconds, i.e. once a data
# transfer ends, a user who stays idle for more than 600 seconds is disconnected. Adjust as required.
#idle_session_timeout=600
# Data connection timeout. This setting makes a data connection time out after 120 seconds. Adjust as required.
#data_connection_timeout=120
# Non-privileged system user that vsftpd runs as; the default is nobody.
#nopriv_user=ftpsecure
# Whether the asynchronous ABOR request is recognised. Needed if an FTP client sends the "async ABOR" command.
# This setting is generally considered insecure, so it is usually left disabled.
#async_abor_enable=YES
# Whether data is transferred in ASCII mode. By default the server ignores ASCII mode requests.
# Enabling these options allows ASCII transfers, but they open the door to the "SIZE /big/file" denial-of-service attack.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# Welcome banner shown when logging on to the FTP server. To change the welcome message of a particular
# directory instead, create a file named .message in that directory and write the message into it.
#ftpd_banner=Welcome to blah FTP service.
# Blacklist setting. If certain e-mail addresses are unwelcome, this setting cancels their anonymous login privilege.
#deny_email_enable=YES
# When deny_email_enable=YES, this file lists the e-mail addresses that may not log on to the vsftpd server,
# one address per line. The file must be created by the administrator.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether users may access files outside their own directory after logging on. When set to YES, users are
# locked into their home directory and vsftpd looks for the chroot list at the path given by chroot_list_file.
# Must be used together with the following option.
#chroot_list_enable=YES
# Users listed in this file cannot change to a directory outside their own after logging in, which helps the
# security management and privacy protection of the FTP server. The file must be created by the administrator.
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether recursive directory listings are allowed. Off by default, to prevent remote users from causing excessive I/O.
#ls_recurse_enable=YES
# Whether to listen. If set to YES, vsftpd runs in stand-alone mode and listens on the IPv4 port and handles
# connection requests itself.
listen=YES
# Whether to support IPv6. To listen on both the IPv4 and the IPv6 port you must run two vsftpd instances
# with two configuration files, making sure that one of the two listen options is commented out in each.
#listen_ipv6=YES
# Name of the profile used by the PAM authentication service, i.e. the file /etc/pam.d/vsftpd. In that file
# the field file=/etc/vsftpd/ftpusers tells the PAM module to reject the accounts listed in /etc/vsftpd/ftpusers.
#pam_service_name=vsftpd
# Whether the user_list file is consulted; the default is NO. If set to YES and userlist_deny=NO, only the users
# in user_list may log on. If set to YES and userlist_deny=YES, the users in user_list are refused before they
# are even prompted for a password.
#userlist_enable=YES
# Whether the users in user_list are denied (YES) or allowed (NO); the default is YES.
#userlist_deny=YES
# Whether to use tcp_wrappers as the host access control method. tcp_wrappers implements host-address-based
# access control for network services on Linux; the rules are set in the two files /etc/hosts.allow and
# /etc/hosts.deny. The former holds allow records, the latter deny records.
# For example, to keep some hosts from anonymous access to the FTP server 192.168.57.2, edit /etc/hosts.allow
# and add the two lines below:
#   vsftpd:192.168.57.1:DENY
#   vsftpd:192.168.57.9:DENY
# This restricts the hosts 192.168.57.1 and 192.168.57.9 from reaching the FTP server at 192.168.57.2:
# they can still ping the server but cannot connect to it.
tcp_wrappers=YES
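The interaction between /etc/vsftpd/ftpusers (a PAM hard deny), user_list, userlist_enable and userlist_deny is the part of this configuration that is easiest to get backwards. The following Python model, added here as an example and not vsftpd's own code, parses the relevant key=value lines and decides whether a given user name gets past the login gate; SAMPLE_CONF, the sets passed for ftpusers and user_list, and the simplification that user_list is only applied to local accounts are all assumptions of the example.

```python
ANON_NAMES = {"ftp", "anonymous"}

# Constructed sample of the relevant vsftpd.conf lines (userlist_deny=NO makes user_list an allow list).
SAMPLE_CONF = """
# comment lines and blanks are ignored
anonymous_enable=YES
local_enable=YES
userlist_enable=YES
userlist_deny=NO
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blanks are skipped, values normalised to upper case."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def login_allowed(settings, user, ftpusers, user_list):
    """Return (allowed, reason) for a login attempt by `user`.

    ftpusers models /etc/vsftpd/ftpusers (denied by PAM whatever else is set);
    user_list models /etc/vsftpd/user_list, whose meaning flips with userlist_deny.
    Simplification: user_list is only applied to local accounts here."""
    if user in ANON_NAMES:
        if settings.get("anonymous_enable", "YES") != "YES":
            return False, "anonymous_enable is not YES"
        return True, "anonymous login to /var/ftp"
    if user in ftpusers:
        return False, "listed in /etc/vsftpd/ftpusers (denied by PAM)"
    if settings.get("userlist_enable", "NO") == "YES":
        deny_list = settings.get("userlist_deny", "YES") == "YES"
        listed = user in user_list
        if deny_list and listed:
            return False, "userlist_deny=YES and user in user_list (refused before password prompt)"
        if not deny_list and not listed:
            return False, "userlist_deny=NO and user not in user_list"
    if settings.get("local_enable", "NO") != "YES":
        return False, "local_enable is not YES"
    return True, "local login to home directory"
```

With SAMPLE_CONF, ftpusers={"root"} and user_list={"alice"}: anonymous and alice get in, root is stopped by PAM, and bob is refused because the allow list does not name him.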
