Setting options for VSFTPD
The vsftpd settings file /etc/vsftpd/vsftpd.conf is a plain text file. Lines beginning with the "#" character are comments. Each option occupies one line, in the form "option=value"; note that there must be no blank characters on either side of the "=". In addition to this main settings file, you can also create personal settings files for specific users; these are introduced later.
The vsftpd.conf file shipped in the vsftpd package is simple and very paranoid (as the file itself claims :-)). We can adjust it according to the actual situation to make vsftpd more usable.
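As an added example (not code from the original article or from the vsftpd project), the following parser applies the format rules just described: "#" comment lines, one "option=value" per line, no blanks around "=", and lowercase option names as vsftpd expects them. The sample configuration embedded in it is constructed for the demonstration; the function names are the example's own.

```python
# Added example: validate a vsftpd.conf-style file before deploying it.
# vsftpd refuses to start on a line it cannot parse, so a deploy script
# should treat every entry in the "errors" list as fatal.

import re

# vsftpd option names are lowercase identifiers; the name is matched
# exactly, so "Pasv_min_port" or "write_enable " (trailing blank) is an
# unrecognised option, not an alias.
_OPTION_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def parse_vsftpd_conf(text):
    """Return (settings, errors, warnings).

    settings: dict option -> value for well-formed lines (later value wins).
    errors:   list of (line_number, line, reason) for lines vsftpd rejects.
    warnings: list of (line_number, line, reason) for accepted but suspicious
              lines, currently only repeated options.
    """
    settings, errors, warnings = {}, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank line
        if line.startswith("#"):
            continue  # comment line; "#" must be the first character
        if "=" not in line:
            errors.append((lineno, line, "no '=' separator"))
            continue
        name, value = line.split("=", 1)
        if name != name.strip() or value != value.strip():
            errors.append((lineno, line, "blank characters around '='"))
            continue
        if not _OPTION_RE.match(name):
            errors.append((lineno, line, "option name must be a lowercase identifier"))
            continue
        if name in settings:
            warnings.append((lineno, line, "option repeated; this later value wins"))
        settings[name] = value
    return settings, errors, warnings


# Constructed sample: two malformed lines and one repeated option.
SAMPLE_CONF = """\
# constructed sample vsftpd.conf for the demonstration
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable = YES
Pasv_min_port=50000
pasv_max_port=60000
pasv_max_port=60010
"""


def check_sample():
    """Parse SAMPLE_CONF and return the three result lists."""
    return parse_vsftpd_conf(SAMPLE_CONF)


if __name__ == "__main__":
    settings, errors, warnings = check_sample()
    for lineno, line, reason in errors:
        print("line %d: %s  <- %s" % (lineno, line, reason))
    for lineno, line, reason in warnings:
        print("line %d: %s  <- warning: %s" % (lineno, line, reason))
    print(settings)
```

Run it against a real file with `parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read())`; an empty `errors` list means every line is in the shape the text above requires.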
Connection options
This section covers the options associated with establishing an FTP connection.
Listening address and control port
listen_address=IP address
This parameter is valid when vsftpd runs in standalone mode. It defines which IP address on the host listens for FTP requests, that is, which IP address provides the FTP service. A host with only one IP address does not need this parameter. On a multi-homed host, if this parameter is not set, all IP addresses are listened on. The default value is none.
listen_port=port number
Specifies the port number (control port) on which the FTP server listens; the default value is 21. This option takes effect in standalone mode.
FTP modes and data port
FTP comes in two forms, PORT FTP and PASV FTP. PORT FTP is the ordinary form of FTP. Both forms establish the control connection the same way: the client initiates a connection to the control port of the FTP server (default 21), and the transfer commands are issued over this connection. They differ in how they use the data transfer port (ftp-data). In PORT FTP, the FTP server's data transfer port is fixed, with a default value of 20. In PASV FTP, the data connection is set up at the client's request: the client sends the PASV command and the data port is negotiated between the two sides. PASV FTP exists mainly for environments with firewalls, where it is more convenient for the client and server to agree on the data port during the session.
port_enable=yes|no
If you want to disable PORT mode for data connections, set this option to no. The default value is yes.
connect_from_port_20=yes|no
Controls whether port 20 (ftp-data) is used as the source port for data transfers in PORT mode: yes uses it, no does not. The default value is no, but this parameter is set to yes in the vsftpd.conf file shipped with RHL.
ftp_data_port=port number
Sets the FTP data transfer port (ftp-data). The default value is 20. This parameter is used in PORT FTP mode.
port_promiscuous=yes|no
The default value is no. When set to yes, the PORT security check is disabled. This check ensures that outgoing data connections only go to the client. Be careful when enabling this option.
pasv_enable=yes|no
yes allows PASV mode when transferring data; no disallows PASV mode. The default value is yes.
pasv_min_port=port number
pasv_max_port=port number
Set the lower and upper bounds of the port range that may be used to establish data connections in PASV mode; 0 means any port. The default value is 0. Setting the port range in a relatively high range, such as 50000-60000, helps improve security. When you restrict the range, make sure the firewall in front of the server allows inbound connections to the same range, otherwise PASV transfers will hang.
pasv_promiscuous=yes|no
When this option is enabled, the security check for PASV mode is turned off. This check ensures that the data connection and the control connection originate from the same IP address. Be careful when enabling this option. The only reasonable use of this option is in an environment built on some form of secure tunneling scheme. The default value is no.
pasv_address=
This option is a numeric IP address to be used in the response to the PASV command. The default value is none, in which case the address is taken from the incoming connection socket.
ASCII mode
By default, vsftpd does not use ASCII transfer mode. Even if the FTP client issues the ASCII command (TYPE A) to request ASCII mode, vsftpd accepts the command on the surface but actually transfers the file in binary. The following options control whether vsftpd uses ASCII transfer mode.
ascii_upload_enable=yes|no
Controls whether uploading files in ASCII mode is allowed: yes allows it, no does not. The default is no.
ascii_download_enable=yes|no
Controls whether downloading files in ASCII mode is allowed: yes allows it, no does not. The default is no.
Performance and load control
Timeout options
idle_session_timeout=
Idle user session timeout: if no data transfer or command input occurs for longer than this time, the session is forcibly disconnected. The unit is seconds, and the default value is 300.
data_connection_timeout=
Timeout for an idle data connection. The default value is 300 seconds.
accept_timeout=value
Timeout for the client to establish a PASV data connection, in seconds. The default value is 60.
connect_timeout=value
Timeout for the data connection made in response to PORT, in seconds. The default value is 60. The two options above concern the client side: the client is disconnected automatically after 1 minute of inactivity and reconnects automatically after 1 minute of interruption.
Load control
max_clients=value
This parameter is valid when vsftpd runs in standalone mode. It defines the maximum number of concurrent connections to the FTP server; when this number is exceeded, the server rejects new client connections. The default value is 0, meaning the number of connections is unlimited.
max_per_ip=value
This parameter is valid when vsftpd runs in standalone mode. It defines the maximum number of concurrent connections per IP address; connections beyond this number are rejected. This setting affects multi-connection download tools. The default value is 0, meaning no limit.
anon_max_rate=value
Sets the maximum data transfer rate for anonymous users, in bytes/s. The default is none (no limit).
local_max_rate=value
Sets the maximum data transfer rate for local users, in bytes/s. The default is none. This option applies to all local users. In addition, you can use this option in a user's personal settings file to specify the maximum data transfer rate that particular user can get.
The steps are as follows:
① Specify in vsftpd.conf the directory where the users' personal settings files are located, for example:
user_config_dir=/etc/vsftpd/userconf
② Create the /etc/vsftpd/userconf directory.
③ Put the user's personal settings file in this directory, with the same name as the user, for example:
/etc/vsftpd/userconf/xiaowang
④ Set the local_max_rate parameter in the user's personal settings file, for example:
local_max_rate=80000
The above steps set the maximum data transfer rate of the FTP user xiaowang to 80 Kbytes/s.
vsftpd's rate control is accurate to roughly 80% to 120%. For example, if we limit the maximum rate to 100 Kbytes/s, the actual rate may fall anywhere between 80 Kbytes/s and 120 Kbytes/s. Of course, if the line bandwidth is insufficient, the rate will naturally be lower than this limit.
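As an added example (not part of the original article and not vsftpd's own tooling), the following script carries out steps ① to ④ for one user and then reads the result back. The directory and the user name are parameters, so it can be run against a scratch directory; the defaults and the rate band check mirror the example above. The function names are the example's own.

```python
# Added example: create a per-user vsftpd settings file with a rate limit.
# Assumes vsftpd.conf already contains user_config_dir=<user_config_dir>.

import os
import re
import tempfile

# Only plain login names: vsftpd looks the file up by the login name, and a
# name containing "/" or ".." could never match a real login anyway.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def write_user_config(user_config_dir, username, local_max_rate):
    """Write <user_config_dir>/<username> containing local_max_rate=<n>.

    Returns the path written. The file uses the same format as vsftpd.conf:
    one option per line and no blank characters around '='."""
    if not _USERNAME_RE.match(username):
        raise ValueError("invalid user name: %r" % username)
    rate = int(local_max_rate)
    if rate < 0:
        raise ValueError("local_max_rate must be non-negative")
    os.makedirs(user_config_dir, mode=0o755, exist_ok=True)
    path = os.path.join(user_config_dir, username)
    with open(path, "w") as fh:
        fh.write("# per-user settings for %s (generated)\n" % username)
        fh.write("local_max_rate=%d\n" % rate)
    os.chmod(path, 0o644)  # readable by vsftpd, writable only by the owner
    return path


def read_user_rate(user_config_dir, username):
    """Return the local_max_rate set in the user's file, or None if unset."""
    path = os.path.join(user_config_dir, username)
    try:
        with open(path) as fh:
            for line in fh:
                if line.startswith("local_max_rate="):
                    return int(line.split("=", 1)[1])
    except FileNotFoundError:
        return None
    return None


def expected_throughput_range(limit_bytes_per_s):
    """Band the article gives for vsftpd's limiter: about 80% to 120%."""
    return (round(limit_bytes_per_s * 0.8), round(limit_bytes_per_s * 1.2))


def make_scratch_dir():
    """A throwaway directory standing in for /etc/vsftpd/userconf."""
    return tempfile.mkdtemp(prefix="userconf-")


if __name__ == "__main__":
    scratch = make_scratch_dir()
    path = write_user_config(scratch, "xiaowang", 80000)
    print(path, read_user_rate(scratch, "xiaowang"), expected_throughput_range(80000))
```

On a real server run it as root with `write_user_config("/etc/vsftpd/userconf", "xiaowang", 80000)`; the measured rate for that user should then land inside `expected_throughput_range(80000)`.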
User options
vsftpd users fall into three categories: anonymous, local, and virtual.
Anonymous user
anonymous_enable=yes|no
Controls whether anonymous users are allowed to log in: yes allows it, no does not. The default is yes.
ftp_username=
The system user name used for the anonymous user. By default this parameter does not appear in the settings file, and its value is ftp.
no_anon_password=yes|no
Controls whether anonymous users are asked for a password when logging in: yes means no password is requested, no means one is. The default value is no.
deny_email_enable=yes|no
The default value for this parameter is no. When it is yes, anonymous users who log in with an e-mail address listed in the file specified by the banned_email_file parameter are denied. That is, an anonymous user is rejected when logging in with one of the e-mail addresses listed in the banned_email_file file. This is clearly useful for blocking certain DoS attacks. When this parameter is in effect, the banned_email_file parameter needs to be added as well.
banned_email_file=/etc/vsftpd.banned_emails
Specifies the file containing the rejected e-mail addresses; the default file is /etc/vsftpd.banned_emails.
anon_root=
Sets the root directory of anonymous users, that is, the directory anonymous users are placed in after logging in. This is not set in the main settings file by default; the default value is /var/ftp/.
anon_world_readable_only=yes|no
Controls whether anonymous users may only download world-readable files. yes: anonymous users may only download world-readable files. no: anonymous users may browse the entire file system of the server. The default value is yes.
anon_upload_enable=yes|no
Controls whether anonymous users are allowed to upload files: yes allows it, no does not. The default is no. Besides this parameter, two more conditions must hold for anonymous users to upload: first, the write_enable parameter must be yes; second, on the file system, the FTP anonymous user must have write permission on the target directory.
anon_mkdir_write_enable=yes|no
Controls whether anonymous users are allowed to create new directories: yes allows it, no does not. The default is no. Of course, on the file system the FTP anonymous user must have write permission on the parent directory of the new directory.
anon_other_write_enable=yes|no
Controls whether anonymous users have write permissions other than uploading and creating directories, such as deleting and renaming: yes grants them, no does not. The default value is no.
chown_uploads=yes|no
Whether to change the ownership of files uploaded by anonymous users. yes: the ownership of files uploaded by anonymous users is changed to another user, specified by the chown_username parameter. The default value is no.
chown_username=whoever
Specifies the user who takes ownership of files uploaded by anonymous users. This parameter works together with chown_uploads. Using the root user is not recommended.
Local user
Among users of the FTP service, besides anonymous users there is a class of users who have an account on the FTP server host. vsftpd calls these local users; they correspond to real users in other FTP servers.
local_enable=yes|no
Controls whether users with accounts on the system where vsftpd resides can log on to vsftpd. The default value is yes.
local_root=
Defines the root directory for all local users. When local users log in, they are placed in this directory. The default value is none.
user_config_dir=
Defines the directory where users' personal settings files reside. A user's personal settings file is the file with the same name as the user under that directory; its format is the same as that of vsftpd.conf. For example, if user_config_dir=/etc/vsftpd/userconf is defined and the host has users xiaowang and lisi, we can add two files named xiaowang and lisi to the user_config_dir directory. When user lisi logs in, vsftpd reads the values set in the file lisi under user_config_dir and applies them to user lisi. The default value is none.
Virtual user
guest_enable=yes|no
If this feature is enabled, all non-anonymous logins are treated as guest logins. The default value is off.
guest_username=
Defines the system user name that vsftpd's guest users are mapped to. The default value is ftp.
Security
User Login Control
pam_service_name=vsftpd
Specifies the PAM service name used by vsftpd for PAM authentication; the default is vsftpd, and the corresponding PAM settings file is /etc/pam.d/vsftpd.
/etc/vsftpd.ftpusers
vsftpd prevents the users listed in this file from logging on to the FTP server. This mechanism is set up by default in /etc/pam.d/vsftpd.
userlist_enable=yes|no
When this option is enabled, vsftpd reads the list of users in the file specified by the userlist_file parameter. When a user in the list attempts to log on to the FTP server, the user is refused before any password is requested. That is, once the username is entered and vsftpd finds it in the list, vsftpd refuses the user directly without asking for a password, so no password is ever sent over the connection. The default value is no.
userlist_file=/etc/vsftpd.user_list
Specifies the file containing the list of users that is read when the userlist_enable option is in effect. The default value is /etc/vsftpd.user_list.
userlist_deny=yes|no
Decides whether the users in the file specified by userlist_file are denied, or are the only ones allowed, to log on to the FTP server. This option only takes effect when the userlist_enable option is enabled. yes (the default) prevents the users in the file from logging in, and does not even prompt those users for a password. no allows only the users in the file to log on to the FTP server.
tcp_wrappers=yes|no
Whether vsftpd uses the tcp_wrappers remote access control mechanism; the default value is yes.
Directory Access control
chroot_list_enable=yes|no
Locks some users into their own directories. That is, after these users log in, they cannot go to other directories on the system, only to their own directory (and its subdirectories). The specific users are listed in the file specified by the chroot_list_file parameter. The default value is no.
chroot_list_file=/etc/vsftpd/chroot_list
The file listing which users are locked in their own directories. The format is one user per line. The file is usually /etc/vsftpd/chroot_list. This option is not set by default.
chroot_local_user=yes|no
Locks local users in their own directories. When this item is enabled, the meaning of the chroot_list_enable and chroot_list_file parameters is reversed: the users listed in the file specified by chroot_list_file are the ones that are NOT locked in their own directories. Enabling this parameter can create security problems, especially if users have upload, shell access or other permissions. Therefore, enable it only if you know what you are doing. The default value is no.
passwd_chroot_enable=yes|no
When this option is enabled together with chroot_local_user, the location of the chroot() jail can be specified per user. Each user's jail is derived from the home directory field of that user's entry in /etc/passwd. The default value is no.
File Manipulation Control
hide_ids=yes|no
Whether to hide file owner and group information. yes: when the user runs commands such as "ls -al", the owner and group of all files in the directory listing appear as ftp. The default value is no.
ls_recurse_enable=yes|no
yes allows the "ls -R" command. This option carries a small security risk, because running "ls -R" at the root of a large FTP site consumes a large amount of system resources. The default value is no.
write_enable=yes|no
Controls whether any FTP commands that modify the file system are allowed, such as STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. The default value is no, but this option is turned on in the simple settings file shipped with the package.
secure_chroot_dir=
This option points to an empty directory to which the FTP user has no write permission. When vsftpd does not need to access the file system, this directory is used as a secure jail to confine the process. The default directory is /usr/share/empty.
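The connection, anonymous-user, chroot and file-manipulation sections above each carry a warning ("be careful to open this option", "it is not recommended to use the root user", "this option has a small security risk"). As an added example (not code from the article or from vsftpd), the following read-only audit turns those warnings into checks over a settings dictionary of the kind a vsftpd.conf parser would produce. The SAMPLE_SETTINGS dictionary and the function names are constructed for the demonstration; defaults follow the values the text above states.

```python
# Added example: flag the vsftpd settings the article warns about.
# Input is a dict of option -> value, as parsed from vsftpd.conf.


def _on(settings, name, default="NO"):
    """True when an option is set to YES (vsftpd values are case-insensitive)."""
    return settings.get(name, default).strip().upper() == "YES"


def _int(settings, name, default=0):
    try:
        return int(settings.get(name, default))
    except ValueError:
        return default


def audit_vsftpd(settings):
    """Return a list of (severity, option, message) findings."""
    findings = []
    anon = _on(settings, "anonymous_enable", default="YES")
    write = _on(settings, "write_enable")

    if _on(settings, "port_promiscuous"):
        findings.append(("high", "port_promiscuous",
                         "PORT check disabled: data connections may go to hosts other than the client"))
    if _on(settings, "pasv_promiscuous"):
        findings.append(("high", "pasv_promiscuous",
                         "PASV check disabled: data and control connections need not share an IP address"))
    if _on(settings, "pasv_enable", default="YES"):
        lo, hi = _int(settings, "pasv_min_port"), _int(settings, "pasv_max_port")
        if lo == 0 or hi == 0 or lo > hi:
            findings.append(("low", "pasv_min_port/pasv_max_port",
                             "PASV port range unrestricted or invalid; set a high range and open it in the firewall"))

    anon_writes = _on(settings, "anon_upload_enable") or _on(settings, "anon_mkdir_write_enable")
    if anon and write and anon_writes:
        findings.append(("medium", "anon_upload_enable",
                         "anonymous users may write; confirm only the intended directory is writable by the ftp user"))
    if anon and write and _on(settings, "anon_other_write_enable"):
        findings.append(("high", "anon_other_write_enable",
                         "anonymous users may delete and rename files"))
    if anon_writes and not write:
        findings.append(("info", "write_enable",
                         "anonymous write options have no effect while write_enable=NO"))
    if _on(settings, "chown_uploads") and settings.get("chown_username", "").strip() == "root":
        findings.append(("high", "chown_username",
                         "anonymous uploads would become root-owned files"))

    confined = _on(settings, "chroot_local_user") or _on(settings, "chroot_list_enable")
    if _on(settings, "local_enable", default="YES") and not confined:
        findings.append(("medium", "chroot_local_user",
                         "local users are not locked into their directories and can browse the whole file system"))
    if _on(settings, "chroot_local_user") and write:
        findings.append(("medium", "chroot_local_user",
                         "chroot with write access: review users with upload or shell access and who is exempted via chroot_list_file"))
    if _on(settings, "ls_recurse_enable"):
        findings.append(("low", "ls_recurse_enable",
                         "'ls -R' allowed; can consume a lot of resources on a large site"))
    return findings


# Constructed sample: an anonymous upload server with several risky choices.
SAMPLE_SETTINGS = {
    "anonymous_enable": "YES",
    "write_enable": "YES",
    "anon_upload_enable": "YES",
    "anon_other_write_enable": "YES",
    "chown_uploads": "YES",
    "chown_username": "root",
    "pasv_promiscuous": "YES",
    "pasv_min_port": "0",
    "pasv_max_port": "0",
    "local_enable": "YES",
}


if __name__ == "__main__":
    for severity, option, message in audit_vsftpd(SAMPLE_SETTINGS):
        print("[%s] %s: %s" % (severity, option, message))
```

The audit is deliberately conservative: it reports what the text above calls out and nothing that would require knowledge of the file system layout, so a medium finding on anonymous uploads is a prompt to check directory permissions by hand, not a verdict.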
New File permission settings
anon_umask=
The umask applied to files created by anonymous users. The default value is 077.
file_open_mode=
The permissions used for uploaded files, given as a chmod-style value. If you want uploaded files to be executable, set this value to 0777. The default value is 0666.
local_umask=
The umask applied when a local user creates a file. The default value is 077. However, most other FTP servers use 022; if your users prefer that, you can change it to 022. The settings file shipped with the package sets it to 022.
Banner and message settings
ftpd_banner=login banner string
This parameter defines the login banner string (the welcome message shown at login). Users can change it as they wish. The default value is none. When ftpd_banner is set, it replaces the system's original welcome message.
banner_file=/directory/vsftpd_banner_file
This item specifies a text file whose contents are displayed when a user logs in, usually a welcome message or a description. The default value is none. Compared with ftpd_banner, banner_file takes the form of a text file while ftpd_banner is a string. The banner_file option overrides the ftpd_banner option.
dirmessage_enable=yes|no
Controls whether the directory message feature is enabled: yes enables it, no does not, and the default value is yes. When the feature is enabled, each time a user enters a directory vsftpd checks whether the directory contains the file named by the message_file option; if so, its contents are displayed, usually a welcome message or a description of the directory.
message_file=
This option only takes effect when dirmessage_enable is enabled. The default value is .message.
Log Settings
xferlog_enable=yes|no
Controls whether a log file records uploads and downloads in detail. The log file is specified by the xferlog_file option. The default value is no, but this option is enabled in the simple settings file shipped with the package.
xferlog_file=
Sets the file name of the transfer log. The default value is /var/log/vsftpd.log.
xferlog_std_format=yes|no
Controls whether the log file uses the standard xferlog format, as used by wu-ftpd. With the xferlog format you can reuse existing transfer statistics generators. However, the default log format is more readable. The default value is no, but this option is enabled in the settings file shipped with the package.
log_ftp_protocol=yes|no
When this option is enabled, all FTP requests and responses are written to the log. When it is enabled, xferlog_std_format must not be enabled. This option is useful for debugging. The default value is no.
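As an added example (not part of the original article and not vsftpd's own code), the following parser reads the wu-ftpd style xferlog lines that vsftpd writes when xferlog_std_format is enabled, and summarises them the way a transfer statistics generator would. The three log lines are constructed for the demonstration; the field layout is the standard xferlog one, with nine fixed fields after the file name.

```python
# Added example: parse xferlog-format lines (xferlog_std_format=YES) and
# summarise completed uploads and downloads per user.

from collections import Counter

# Fields after the file name, in order, as defined by the xferlog format.
XFERLOG_TAIL = ("transfer_type", "special_action", "direction", "access_mode",
                "username", "service", "auth_method", "auth_user_id", "completion")


def parse_xferlog_line(line):
    """Parse one xferlog line into a dict.

    Layout: five date tokens, transfer time in seconds, remote host, file
    size, file name, then the nine fixed trailing fields. vsftpd writes
    spaces in file names as underscores, so splitting on whitespace is safe;
    the file name is nonetheless taken as everything between the fixed
    head and the fixed tail."""
    tokens = line.split()
    if len(tokens) < 9 + len(XFERLOG_TAIL):
        raise ValueError("malformed xferlog line: %r" % line)
    rec = {
        "timestamp": " ".join(tokens[0:5]),
        "transfer_seconds": int(tokens[5]),
        "remote_host": tokens[6],
        "size": int(tokens[7]),
        "filename": " ".join(tokens[8:-len(XFERLOG_TAIL)]),
    }
    rec.update(zip(XFERLOG_TAIL, tokens[-len(XFERLOG_TAIL):]))
    return rec


def summarise(log_text):
    """Count completed transfers per user; direction 'i' is an upload to the
    server, 'o' a download from it; completion 'c' is complete, 'i' not."""
    uploads, downloads, incomplete = Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec["completion"] != "c":
            incomplete.append(rec["filename"])
        elif rec["direction"] == "i":
            uploads[rec["username"]] += 1
        elif rec["direction"] == "o":
            downloads[rec["username"]] += 1
    return {"uploads": dict(uploads), "downloads": dict(downloads), "incomplete": incomplete}


def anonymous_uploads(log_text):
    """File names uploaded in anonymous sessions (access mode 'a'), a useful
    list to review on any server with anon_upload_enable=YES."""
    names = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_xferlog_line(line)
            if rec["direction"] == "i" and rec["access_mode"] == "a":
                names.append(rec["filename"])
    return names


# Constructed sample log (addresses from documentation ranges).
SAMPLE_XFERLOG = """\
Mon Mar  4 09:15:02 2024 1 203.0.113.7 1048576 /pub/readme.txt b _ o a anon@example.com ftp 0 * c
Mon Mar  4 09:16:40 2024 3 203.0.113.7 20480 /incoming/photo.jpg b _ i a anon@example.com ftp 0 * c
Mon Mar  4 09:20:11 2024 0 198.51.100.9 512 /home/alice/notes.txt a _ o r alice ftp 0 * i
"""


if __name__ == "__main__":
    print(summarise(SAMPLE_XFERLOG))
    print(anonymous_uploads(SAMPLE_XFERLOG))
```

Point `summarise` at the contents of the file named by xferlog_file to get the same counts for a live server; the default (non-xferlog) vsftpd log format is different and is not handled here.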
Other settings
setproctitle_enable=yes|no
yes: vsftpd shows the state of each session in the system process list. In other words, a process report shows what each vsftpd session is doing (idle, downloading, and so on), for example with "ps -ef | grep ftp". For security reasons, consider turning this option off. no: the process report shows only one vsftpd process running. The default value is no.
text_userdb_names=yes|no
By default, the user and group fields of a directory listing (shown when a logged-in user runs commands such as "ls -al") contain the numeric UID of the owner rather than the owner's name. If you want the owner's name shown instead, turn this feature on. The default value is no.
user_localtime=yes|no
The default is no. yes: vsftpd uses your local time zone when displaying directory listings. The default is to show GMT time. The time value returned by the FTP command "MDTM" is also affected by this option.
check_shell=yes|no
This option only applies to vsftpd builds that do not use PAM. When it is turned off, vsftpd does not check /etc/shells for a valid user shell when a local user logs in. The default is yes.
nopriv_user=
Specifies the user whose identity vsftpd assumes when it wants to run without any privileges. This is best a dedicated user rather than nobody, because on most machines the nobody user is already used for a number of important things. The default value is nobody.
pam_service_name=
Specifies the PAM service name vsftpd uses when authenticating through PAM. The default value is ftp.