vsftpd bills itself as a secure FTP server, and most of that security comes down to the options set in its configuration file. This article (originally written in Chinese) lists the files vsftpd uses and walks through vsftpd.conf option by option. It is meant as an orientation to the configuration, not a drop-in hardened config: the right values depend on what the server is for, who may log in, and whether writes are needed at all.
vsftpd files
/etc/vsftpd/vsftpd.conf | Main configuration file
/usr/sbin/vsftpd | The vsftpd daemon itself
/etc/rc.d/init.d/vsftpd | SysV init script (systemd-based distributions use vsftpd.service instead)
/etc/pam.d/vsftpd | PAM configuration. The pam_listfile.so line in this file, with file=/etc/vsftpd/ftpusers, is what makes every account listed in /etc/vsftpd/ftpusers unable to log in over FTP
/etc/vsftpd/ftpusers | Accounts that may never log in over FTP. Put system and privileged accounts here (root, bin, daemon, ...) so that a weak or stolen password on such an account cannot be used to read or write the filesystem as that account. On some older releases (e.g. RHEL 4) this file is /etc/ftpusers
/etc/vsftpd/user_list | Deny list or allow list, depending on vsftpd.conf: with userlist_enable=YES and userlist_deny=YES (the default) the listed accounts are refused; with userlist_deny=NO only the listed accounts are accepted. On some older releases this file is /etc/vsftpd.user_list
/var/ftp | Root directory for anonymous users. Local users land in their own home directory (/home/<user>) after login
/var/ftp/pub | Anonymous download directory. If anonymous uploads are wanted here the directory must be writable by the ftp user; chmod 1777 pub does that and the sticky bit (the leading 1) stops uploaders deleting each other's files, but a world-writable directory is broad. A dedicated upload subdirectory owned by ftp with mode 730 (writable but not listable) is the tighter choice. /var/ftp itself must stay non-writable by the ftp user, or vsftpd refuses anonymous logins ("refusing to run with writable anonymous root")
/etc/logrotate.d/vsftpd.log | logrotate rule for vsftpd's logs (not a log file itself; the logs are /var/log/vsftpd.log and /var/log/xferlog, see below)
The main configuration file /etc/vsftpd/vsftpd.conf (back it up before editing)
As in most Linux configuration files, comment lines start with #. Option names are case-sensitive and must be written in lower case exactly as below (vsftpd refuses to start on an unrecognised option); boolean values are YES or NO, compared case-insensitively.
# Whether anonymous logins are accepted. Upstream default is YES; distribution configs usually ship NO.
# Anonymous clients log in as "ftp" or "anonymous" and, by convention, give an e-mail address as the password.
# Set to NO unless the server is meant to be a public mirror.
anonymous_enable=YES
# Whether local users (accounts on the Linux system) may log in. Default NO.
# A local user lands in their home directory; an anonymous user lands in /var/ftp, whose pub subdirectory is the customary download area.
# For an anonymous-only server set this to NO (commenting it out has the same effect, since the default is NO).
# Local logins send the system password in clear text unless TLS is enabled with ssl_enable.
local_enable=YES
# Whether FTP commands that change the filesystem (STOR, DELE, RNFR/RNTO, MKD, RMD, APPE) are permitted at all. Default NO.
# Every other write-related option below depends on this one.
write_enable=YES
# umask applied to files created by local users. Default 077, i.e. new files are readable only by their owner.
# 022 makes uploads world-readable; pick the value that matches the sensitivity of the data.
#local_umask=022
# Whether anonymous users may upload (STOR). Default NO. Also requires write_enable=YES and an upload directory the ftp user can write to.
#anon_upload_enable=YES
# Whether anonymous users may create directories (MKD). Default NO. Also requires write_enable=YES.
#anon_mkdir_write_enable=YES
# Whether per-directory messages are shown. Default YES.
# When a user first enters a directory, vsftpd prints the .message file found there (the file name can be changed with message_file).
# The file is written by whoever manages the directory; treat it as untrusted content if users can write there.
#dirmessage_enable=YES
# Whether transfers (and, in vsftpd's own log format, connections and logins) are logged. Default NO.
# Where the log goes depends on xferlog_std_format, xferlog_file and vsftpd_log_file, explained below.
xferlog_enable=YES
# Whether active-mode (PORT) data connections originate from the server's port 20 (ftp-data). Default NO.
# Port 21 carries the control connection; port 20 is the classic source port for active-mode data connections, which some clients and firewalls expect.
connect_from_port_20=YES
# Whether anonymous uploads are chown'ed to another user. Default NO. Needs chown_username.
#chown_uploads=YES
# User that takes ownership of anonymous uploads. "whoever" is only the placeholder from the sample config; name a dedicated unprivileged account.
# Do not use root here: anonymous uploads would then create root-owned files.
#chown_username=whoever
# Path of the wu-ftpd style transfer log. Default /var/log/xferlog.
# It is only written when xferlog_std_format=YES (or dual_log_enable=YES); vsftpd's own log goes to vsftpd_log_file, default /var/log/vsftpd.log.
#xferlog_file=/var/log/xferlog
# Whether the transfer log uses the standard wu-ftpd xferlog format instead of vsftpd's own format. Default NO.
# Many log-analysis tools read the xferlog format, but vsftpd's format also records connections and logins, which matters for incident response.
#xferlog_std_format=YES
# Write both logs: the wu-ftpd style log to xferlog_file (/var/log/xferlog) and the vsftpd style log to vsftpd_log_file (/var/log/vsftpd.log). Default NO.
#dual_log_enable=YES
# Send the vsftpd style log to syslog (facility FTPD) instead of vsftpd_log_file, so a central log collector can pick it up. Default NO.
#syslog_enable=YES
# Seconds an idle control connection may sit without a command before vsftpd drops it. Default 300; the example allows 600.
# Idle sessions each hold a process and a max_clients slot, so tune this to the workload.
#idle_session_timeout=600
# Seconds a data transfer may stall before vsftpd drops it. Default 300; the example allows 120.
#data_connection_timeout=120
# Unprivileged system account vsftpd uses for the parts of itself that need no privilege. Default nobody.
# A dedicated account such as ftpsecure is preferable to nobody, which other services share.
#nopriv_user=ftpsecure
# Whether asynchronous ABOR (abort) requests are recognised. Default NO.
# Enable only if a client you must support hangs when aborting a transfer; the man page recommends leaving it off.
#async_abor_enable=YES
# Whether ASCII transfer mode (TYPE A) is honoured for uploads and downloads. Default NO: vsftpd accepts the command but transfers in binary.
# Honouring ASCII mode costs CPU per byte and, as the man page warns, "SIZE /big/file" in ASCII mode can be used for a denial of service; leave both off unless a client truly needs them.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# Banner shown when a client connects, before login. The default is vsftpd's own banner including the version number; a neutral banner avoids advertising it.
# (Per-directory welcome text is the .message file handled by dirmessage_enable above.)
#ftpd_banner=Welcome to blah FTP service.
# Deny list for anonymous "passwords" (e-mail addresses). Default NO.
#deny_email_enable=YES
# File of e-mail addresses, one per line, to refuse when deny_email_enable=YES. Create it yourself.
# This is a weak control: the client picks its own address, so it only stops well-behaved clients.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether local users are confined (chroot) to their home directory after login, so they cannot browse the rest of the filesystem.
# chroot_local_user=YES confines every local user; with chroot_list_enable=YES the file named by chroot_list_file then lists the exceptions.
# With chroot_local_user left at its default of NO, chroot_list_enable=YES means the opposite: only the users listed in chroot_list_file are confined.
#chroot_list_enable=YES
# One user name per line; create the file yourself.
# vsftpd 2.3.5 and later refuse a chroot whose root is writable by the user ("refusing to run with writable root inside chroot()").
# Keep the home directory non-writable and give the user a writable subdirectory rather than setting allow_writeable_chroot=YES.
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether "ls -R" is honoured. Default NO: a recursive listing of a large tree is an easy way for a remote user to burn server I/O.
#ls_recurse_enable=YES
# Whether vsftpd runs standalone and listens on an IPv4 socket itself, instead of being started per connection by inetd/xinetd.
listen=YES
# Listen on an IPv6 socket instead. listen and listen_ipv6 are mutually exclusive.
# To serve both IPv4 and IPv6, run two vsftpd instances with two configuration files, one with listen=YES and one with listen_ipv6=YES,
# and make sure the other option is commented out in each.
#listen_ipv6=YES
# Name of the PAM service vsftpd authenticates local users against, i.e. the file /etc/pam.d/<name>. Upstream default is ftp; distributions usually set vsftpd.
# The pam_listfile.so line in that file, with file=/etc/vsftpd/ftpusers, is what rejects the accounts listed in ftpusers.
#pam_service_name=vsftpd
# Whether /etc/vsftpd/user_list is consulted. Default NO. The check runs on the USER command, before any password prompt, so a refused account never gets to send a password.
# With userlist_deny=YES (the default) the listed accounts are refused; with userlist_deny=NO only the listed accounts are accepted.
# ftpusers is independent of both options: PAM refuses those accounts after the password has been entered.
#userlist_enable=YES
#userlist_deny=YES
# Whether TCP Wrappers (hosts_access) host-based access control is applied. Needs a vsftpd built with tcp_wrappers support and listen=YES;
# several current distributions have dropped libwrap, in which case filter with the firewall instead.
# /etc/hosts.allow and /etc/hosts.deny hold the allow and deny rules. For example, to keep two hosts off this FTP server (192.168.57.2)
# while allowing everyone else, add to /etc/hosts.allow:
# vsftpd: 192.168.57.1 : deny
# vsftpd: 192.168.57.9 : deny
# Hosts not matched by any rule are allowed unless /etc/hosts.deny says otherwise. The two blocked hosts can still ping the server, but their control connection is refused.
tcp_wrappers=YES
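Reading the annotated file above is one thing; checking a real vsftpd.conf against it is another. The following script is an added example (it is not part of the original article and not vsftpd's own code): it parses a vsftpd.conf and flags the combinations discussed above that weaken the server. The defaults it assumes are the upstream ones from vsftpd.conf(5); the two configurations embedded in it are constructed samples, one weak and one hardened, and the audit rules are this example's own choices.

```python
"""Audit a vsftpd.conf for the weak settings discussed in the option walk-through."""

# Constructed sample: anonymous-writable server, no chroot, no TLS, no transfer log.
SAMPLE_CONF = """\
# vsftpd.conf - constructed sample for the audit below
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=root
ascii_download_enable=yes
listen=YES
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
xferlog_enable=YES
listen=YES
"""

# Upstream defaults for the options the audit looks at (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "chroot_local_user": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
    "xferlog_enable": "NO",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "ls_recurse_enable": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {option: value}. Lines are option=value; '#' starts a comment line.
    Option names are case-sensitive in vsftpd, so they are kept as written."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        key, value = line.split("=", 1)
        options[key.strip()] = value.strip()
    return options


def is_yes(options, key):
    """vsftpd boolean: YES/TRUE/1 are true, compared case-insensitively."""
    return options.get(key, DEFAULTS.get(key, "NO")).upper() in ("YES", "TRUE", "1")


def audit_vsftpd_conf(text):
    """Return a list of (option, finding) pairs in a fixed order."""
    o = parse_vsftpd_conf(text)
    findings = []
    anon_write = any(is_yes(o, k) for k in
                     ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"))
    if is_yes(o, "anonymous_enable") and is_yes(o, "write_enable") and anon_write:
        findings.append(("anonymous_enable", "anonymous users can modify the filesystem"))
    elif is_yes(o, "anonymous_enable"):
        findings.append(("anonymous_enable", "anonymous (unauthenticated) logins are accepted"))
    if is_yes(o, "local_enable") and not is_yes(o, "chroot_local_user"):
        findings.append(("chroot_local_user", "local users are not confined to their home directory"))
    if is_yes(o, "local_enable") and not is_yes(o, "ssl_enable"):
        findings.append(("ssl_enable", "local passwords cross the network in clear text"))
    if is_yes(o, "chown_uploads") and o.get("chown_username", DEFAULTS["chown_username"]) == "root":
        findings.append(("chown_username", "anonymous uploads become root-owned files"))
    if not is_yes(o, "xferlog_enable"):
        findings.append(("xferlog_enable", "transfers are not logged"))
    for key in ("ascii_upload_enable", "ascii_download_enable"):
        if is_yes(o, key):
            findings.append((key, "ASCII mode honoured (SIZE /big/file denial of service, see the man page)"))
    if is_yes(o, "ls_recurse_enable"):
        findings.append(("ls_recurse_enable", "recursive listings let a client burn server I/O"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit_vsftpd_conf(conf))} finding(s)")
        for option, finding in audit_vsftpd_conf(conf):
            print(f"  {option}: {finding}")
```

Run it against the real file with `audit_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read())`. The rules are deliberately conservative (a missing option is judged by its upstream default, not a distribution's sample file), so review each finding rather than treating the list as a verdict.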
The following sections cover options that restrict and control access further.
Beyond the basic settings above, several options in vsftpd.conf are commonly used to harden a server:
Limit the number of connections and the transfer rate
Whether clients are local or anonymous users, the resources they consume should be capped so that a flood of connections or a few bulk downloads cannot push the server into an abnormal state. These options apply only in standalone mode (listen=YES or listen_ipv6=YES):
1. max_clients sets the maximum number of simultaneous clients; 0 means no limit. For example, max_clients=100 allows at most 100 concurrent client connections.
2. max_per_ip sets the maximum number of simultaneous connections from one source IP address; 0 means no limit. For example, max_per_ip=5 allows at most 5 connections from the same address, which stops a single host exhausting the max_clients budget.
3. local_max_rate sets the maximum transfer rate for local users, in bytes per second; 0 means no limit. For example, local_max_rate=500000 caps local users at about 500 KB/s.
4. anon_max_rate sets the maximum transfer rate for anonymous users, in bytes per second; 0 means no limit. For example, anon_max_rate=200000 caps anonymous users at about 200 KB/s.
Specifying permissions for particular users
The user_list file (/etc/vsftpd/user_list; /etc/vsftpd.user_list on some older releases) only takes effect together with the userlist options in vsftpd.conf:
(1) Denying a set of accounts
With the following settings in vsftpd.conf, the accounts listed in user_list cannot log in over FTP:
userlist_enable=YES
userlist_deny=YES
userlist_enable=YES turns on the use of user_list; userlist_deny=YES (the default) makes the file a deny list.
(2) Allowing only a set of accounts
With the following settings in vsftpd.conf, only the accounts listed in user_list can log in over FTP:
userlist_enable=YES
userlist_deny=NO
userlist_enable=YES turns on the use of user_list; userlist_deny=NO makes the file an allow list, and every account not in it is refused.
In both modes the check happens when the client sends USER, before any password prompt. Together with user_list, userlist_deny is an effective way to keep system accounts such as root, apache and www off the FTP server (ftpusers does the same through PAM, but only after the password has been sent). The table below lists what each combination does:
Setting | Account listed in ftpusers | Account listed in user_list | Account in neither file
userlist_enable=NO (default) | Refused by PAM after the password prompt | user_list is ignored; allowed | Allowed
userlist_enable=YES, userlist_deny=YES (default) | Refused by PAM after the password prompt | Refused on USER, before any password prompt | Allowed
userlist_enable=YES, userlist_deny=NO | Refused by PAM after the password prompt | Allowed (password still checked) | Refused on USER, before any password prompt
An account present in both files is refused in every combination: user_list is checked first and ftpusers (through PAM) last. "Allowed" always means allowed to attempt a password login.
Changing the default port
The FTP control port is 21. Moving it, for example to keep the service out of casual scans, is done in /etc/vsftpd/vsftpd.conf with a line such as:
listen_port=4449
The value is any free TCP port (the example uses 4449); choose one that does not clash with another service and open it in the firewall. Clients then have to give the port explicitly:
# ftp 192.168.57.2 4449
Without the correct port the connection fails. Note that this only obscures the service: it changes nothing about authentication, and passive-mode data connections still use the range set by pasv_min_port and pasv_max_port.
Setting up a user group
This is only a sketch of the technical side of a shared group directory; how it is applied depends on the actual requirements.
# mkdir -p /home/try                      create the shared directory (-p creates parents as needed)
# groupadd try                            create the group
# useradd -g try -d /home/try -M try1     create try1 with try as primary group and /home/try as home (-M: do not create the directory again)
# useradd -g try -d /home/try -M try2     same for try2
# useradd -g try -d /home/try -M try3     same for try3
# passwd try1                             set a password for each new user
# passwd try2
# passwd try3
# chown try1:try /home/try                owner try1, group try
# chmod 750 /home/try                     try1: read, write, execute; try2 and try3 (group): read and execute; others: nothing
Because a local user lands in their home directory after login, and try1, try2 and try3 hold different permissions on /home/try, their FTP rights differ: try1 can upload, download and create directories; try2 and try3 can only browse and download, not upload or create directories. That gives different access levels within one group, which supports tiered management of the FTP server. Two caveats: the original commands used -G, which adds a supplementary group while leaving each user with a private primary group, so use -g as above if files created by try1 are meant to belong to group try; and if chroot_local_user=YES is set, vsftpd 2.3.5 and later will refuse try1's login because the chroot root /home/try is writable by try1, so in that case keep /home/try read-only and give try1 a writable subdirectory instead.
Connection timeouts. Idle control sessions: the following setting drops a session after 5 minutes without a command, freeing the server's resources:
idle_session_timeout=300
Stalled data connections: the following setting drops a data connection after 1 minute without progress, for the same reason:
data_connection_timeout=60
Data-connection setup: accept_timeout is how long (in seconds) vsftpd waits for the client to connect to a passive-mode (PASV) data port, and connect_timeout how long it waits for the client to accept an active-mode (PORT) data connection; both default to 60. With the values below a client that never completes the PASV connection is cut off after 60 seconds, and one that does not answer the PORT connection after 30:
accept_timeout=60
connect_timeout=30
Next, vsftpd's logging.
Common vsftpd logging setups
In vsftpd.conf the following options define how logs are written:
# Log transfers at all (required for any of the settings below to do anything)
xferlog_enable=YES
# Use the standard wu-ftpd xferlog format and write it to the file named by xferlog_file (default /var/log/xferlog)
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
# Dual logging: keep the xferlog above and also write vsftpd's own, more detailed log (connections, logins, commands)
# to the file named by vsftpd_log_file, default /var/log/vsftpd.log
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
The two log files look like this:
/var/log/xferlog
Example record
Thu Sep  6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpmyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c
/var/log/vsftpd.log
Example records
Tue Sep 14:59:03 [pid 3460] CONNECT: Client "127.0.0.1"
Tue Sep 14:59:24 [pid 3459] [ftp] OK LOGIN: Client "127.0.0.1", anon password "?"
Fields of a /var/log/xferlog record
Record data | Field | Description
Thu Sep  6 09:07:48 2007 | Current time | Server local time when the transfer finished, format DDD MMM DD HH:MM:SS YYYY
7 | Transfer time | Duration of the transfer in seconds
192.168.57.1 | Remote host | Client host name or IP address
4323279 | File size | Size of the transferred file in bytes
/home/student/phpmyadmin-2.11.0-all-languages.tar.gz | File name | Path of the transferred file
b | Transfer type | a = ASCII, b = binary
_ | Special action flag | _ = none, C = compressed, U = uncompressed, T = tar archive
i | Direction | o = outgoing (download from the server), i = incoming (upload to the server)
r | Access mode | a = anonymous, g = guest, r = real (a system account)
student | User name | Account used for the session
ftp | Service name | Name of the service, normally ftp
0 | Authentication method | 0 = none, 1 = RFC 931 (ident)
* | Authenticated user ID | User ID returned by the authentication method; * if none could be obtained
c | Completion status | c = complete, i = incomplete
The two fields to watch when triaging are direction and access mode: an i (upload) combined with a (anonymous) is the pattern for dropped malware or abuse of a writable anonymous directory.
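The two formats above are simple enough to parse in a few lines, which is all that is needed to turn them into something an incident responder can query. The following script is an added example (it is not from the original article and not part of vsftpd): it parses wu-ftpd style xferlog records and vsftpd.log lines into dicts and applies a few triage rules. The log lines embedded in it are constructed to match the formats shown above, and the rules (anonymous uploads, script-like uploads, downloads above a size threshold, failed logins per client) are this example's own assumptions, not anything vsftpd defines.

```python
"""Parse xferlog and vsftpd.log lines and pick out the events worth looking at first."""
import re
from collections import defaultdict

# Constructed xferlog records (wu-ftpd format): one normal upload, one anonymous
# upload of a PHP file, one large download that did not complete.
XFERLOG_SAMPLE = """\
Thu Sep  6 09:07:48 2007 7 192.168.57.1 4323279 /home/student/phpmyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c
Thu Sep  6 09:12:03 2007 1 192.168.57.9 2048 /pub/upload/cmd.php b _ i a ftp ftp 0 * c
Thu Sep  6 09:15:30 2007 42 192.168.57.1 734003200 /home/student/backup.tar b _ o r student ftp 0 * i
"""

# Constructed vsftpd.log lines (vsftpd's own format).
VSFTPD_LOG_SAMPLE = """\
Thu Sep  6 09:07:40 2007 [pid 3460] CONNECT: Client "192.168.57.1"
Thu Sep  6 09:07:41 2007 [pid 3459] [student] OK LOGIN: Client "192.168.57.1"
Thu Sep  6 09:07:45 2007 [pid 3461] [root] FAIL LOGIN: Client "192.168.57.9"
Thu Sep  6 09:11:55 2007 [pid 3470] [ftp] OK LOGIN: Client "192.168.57.9", anon password "?"
"""

# The 13 fields that follow the five date tokens in an xferlog record.
XFER_FIELDS = ("transfer_time", "remote_host", "file_size", "filename", "transfer_type",
               "special_action", "direction", "access_mode", "username", "service",
               "auth_method", "auth_user_id", "completion")

VSFTPD_LOG_RE = re.compile(
    r'^(?P<time>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>[^:]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$')


def parse_xferlog_line(line):
    """Split one xferlog record into a dict. Servers write spaces in file names as
    underscores, so whitespace splitting is safe; any other field count is an error."""
    tokens = line.split()
    if len(tokens) != 5 + len(XFER_FIELDS):
        raise ValueError(f"unexpected field count {len(tokens)}: {line!r}")
    record = {"time": " ".join(tokens[:5])}
    record.update(zip(XFER_FIELDS, tokens[5:]))
    record["transfer_time"] = int(record["transfer_time"])
    record["file_size"] = int(record["file_size"])
    return record


def parse_vsftpd_log_line(line):
    """Split one vsftpd.log line; 'user' is None for lines logged before login."""
    m = VSFTPD_LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised vsftpd.log line: {line!r}")
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event


def suspicious_transfers(records, big_download_bytes=500_000_000):
    """Assumed triage rules; returns (host, user, filename, [reasons]) per hit."""
    hits = []
    for r in records:
        reasons = []
        if r["direction"] == "i" and r["access_mode"] == "a":
            reasons.append("anonymous upload")
        if r["direction"] == "i" and r["filename"].lower().endswith((".php", ".sh", ".pl", ".py", ".exe")):
            reasons.append("executable/script uploaded")
        if r["direction"] == "o" and r["file_size"] >= big_download_bytes:
            reasons.append("large download")
        if reasons:
            hits.append((r["remote_host"], r["username"], r["filename"], reasons))
    return hits


def failed_logins_by_client(events):
    """Count FAIL LOGIN events per client address (password guessing shows up here)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "FAIL LOGIN":
            counts[e["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    records = [parse_xferlog_line(l) for l in XFERLOG_SAMPLE.splitlines()]
    for host, user, name, reasons in suspicious_transfers(records):
        print(f"{host} {user} {name}: {', '.join(reasons)}")
    events = [parse_vsftpd_log_line(l) for l in VSFTPD_LOG_SAMPLE.splitlines()]
    print("failed logins:", failed_logins_by_client(events))
```

On a real server replace the samples with `open("/var/log/xferlog")` and `open("/var/log/vsftpd.log")`. The xferlog alone cannot tell you about failed logins or sessions that transferred nothing, which is why dual_log_enable=YES (or syslog_enable=YES) is worth the extra file.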
Finally, the common FTP client commands and the meaning of the FTP reply codes.
Common FTP client commands and their functions
FTP command | Function
ls | List the current remote directory
ls [remote-dir] [local-file] | List remote-dir, writing the listing to local-file if one is given
dir [remote-dir] [local-file] | Long listing of remote-dir, optionally saved to local-file
get remote-file [local-file] | Download one file from the server
mget remote-files | Download several files; wildcards are allowed
put local-file [remote-file] | Upload one file to the server
mput local-files | Upload several files; wildcards are allowed
reget remote-file [local-file] | Like get, but if local-file exists the transfer resumes where it was interrupted
append local-file [remote-file] | Append a local file to a remote one (the remote name defaults to the local name)
newer file-name | Download file-name only if the remote copy is newer than the local file of the same name
restart marker | Restart the next get or put at the given byte offset, e.g. restart 130
open host [port] | Connect to an FTP server, optionally on a non-default port
close | End the session with the server (the counterpart of open) but stay in the ftp client
bye / quit | End the session and exit the ftp client
user user-name [password] [account] | Identify yourself to the server, supplying the password when asked; for anonymous access the user is anonymous and the password an e-mail address
account [password] | Supply the extra account password some systems require after login
cd directory | Change the remote working directory
cdup | Go to the parent of the remote working directory
lcd directory | Change the local (client) working directory
pwd | Print the remote working directory
mkdir dir-name | Create a directory on the server
rmdir dir-name | Remove a directory on the server
delete remote-file | Delete a file on the server
mdelete remote-files | Delete several files on the server; wildcards are allowed
rename from to | Rename a file on the server
ascii | Set the transfer mode to ASCII
binary | Set the transfer mode to binary (image)
case | With mget, convert upper-case remote file names to lower case
hash | Print a # for every block (1024 bytes) transferred
size file-name | Show the size of a remote file
status | Show the current status of the ftp client
rstatus [file-name] | Show the server's status, or the status of file-name if given
system | Show the operating system type of the server
rhelp [cmd-name] | Ask the server for help on one of its commands
help [cmd] | Show help for the client's internal command cmd, e.g. help get
! [cmd [args]] | Run cmd in a local shell and return to ftp, e.g. !ls *.zip; with no argument, start an interactive shell
Everything these commands send, including user and the password, travels in clear text on plain FTP; use ssl_enable in vsftpd (FTPS) or SFTP where credentials matter.
Meaning of the FTP reply codes
110 Restart marker reply.
120 Service ready in a stated number of minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open the data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type (reply to SYST).
220 Service ready for a new user.
221 Service closing the control connection (logged out).
225 Data connection open; no transfer in progress.
226 Closing the data connection; the requested file action succeeded.
227 Entering passive mode.
230 User logged in.
250 Requested file action okay, completed.
257 Path name created (also the reply to PWD, giving the current directory).
331 User name okay, need password.
332 Need an account for login.
350 Requested file action pending further information (e.g. RNFR waiting for RNTO).
421 Service not available, closing the control connection.
425 Cannot open the data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken (file unavailable, e.g. busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken: insufficient storage space.
500 Syntax error, command unrecognised.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need an account for storing files.
550 Requested action not taken (file unavailable, not found, or no access).
551 Requested action aborted: page type unknown.
552 Requested file action aborted: exceeded storage allocation.
553 Requested action not taken: file name not allowed.
When debugging the access-control settings above, note that vsftpd answers "530 Permission denied." to an account refused through user_list (before any password), and "530 Login incorrect." when PAM rejects the password or the account is in ftpusers (after the password).
For questions, join the discussion group 347742514.
---- light rain
VSFTPD most detailed configuration file