VSFTPD.CONF Configuration Detailed


This article is reposted from http://my.oschina.net/u/2344008/blog/470096

################ Anonymous permission control ###############

anonymous_enable=yes # whether anonymous users may log in
no_anon_password=yes # do not prompt anonymous users for a password at login

The following four directives control whether anonymous users may upload, download, create, delete and rename files and folders.
anon_upload_enable=(yes/no) # controls whether anonymous users may upload files (not directories)
anon_world_readable_only=(yes/no) # controls whether anonymous users may download files (when yes, only world-readable files can be downloaded)
anon_mkdir_write_enable=(yes/no) # controls whether anonymous users may create directories
anon_other_write_enable=(yes/no) # controls whether anonymous users may delete and rename files and directories

Note: anonymous downloads are performed as the user nobody, so a file must carry read (r) permission in the "other" (o) position to be downloadable. To give anonymous users upload and delete permissions you must also set:

write_enable=yes # global switch for writing; whether anonymous or local, no user can upload until this is enabled
anon_root=(none) # home (root) directory of anonymous users
anon_max_rate=(0) # transfer rate limit for anonymous users (0 = unlimited)
anon_umask=(077) # umask applied to files uploaded by anonymous users (set to 073 if you want anonymously uploaded files to be directly downloadable by anonymous users)
chown_uploads=yes # every anonymously uploaded file has its owner changed to chown_username
chown_username=whoever # the user that anonymously uploaded files are assigned to


################ Local user permission control ###############

write_enable=yes # global control: allow upload, delete and rename
local_umask=022 # umask for files uploaded by local users
userlist_enable=yes # the users listed in the user list file are denied access
local_root # the directory a local user is placed in after logging in
user_config_dir # directory of per-user configuration files, each named after the login account
download_enable # restricts users' permission to download

chroot_list_enable=yes # when enabled, every user listed in chroot_list_file is confined to its root (home) directory
chroot_list_file=/etc/vsftpd/chroot_list # the file listing the restricted users

user_config_dir= # followed by the directory holding the per-user configuration files; used to give different users different permissions.
# Add this line to vsftpd.conf, then create a configuration file for each user in that directory to implement the per-user permissions.


You can control whether users may switch out of their home directory with the following three directives.
chroot_list_enable=yes/no # whether to use the user list file specified by chroot_list_file.
# When enabled, every user listed in chroot_list_file is confined to its root directory. The default value is yes.

chroot_list_file=/etc/vsftpd/chroot_list # the file listing the users who are locked into their home directory.

chroot_list_enable=yes
Combined with chroot_local_user=yes/no, the following effects can be achieved:
1. chroot_list_enable=yes, chroot_local_user=yes: users listed in the /etc/vsftpd.chroot_list file can switch to other directories; users not listed in the file cannot.
2. chroot_list_enable=yes, chroot_local_user=no: users listed in the /etc/vsftpd.chroot_list file cannot switch to other directories; users not listed in the file can.
3. chroot_list_enable=no, chroot_local_user=yes: no user can switch to other directories.
4. chroot_list_enable=no, chroot_local_user=no: every user can switch to other directories.
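As an added example (not part of the original post), the following Python encodes the four combinations above so a configuration can be checked mechanically rather than by hand; the configuration text and chroot list it reads are constructed samples.

```python
# Added example (not from the original post): decides whether a local user is
# chrooted under the four chroot_list_enable / chroot_local_user combinations
# described above. The config text and user list are constructed sample input.

def parse_vsftpd_conf(text):
    """Parse vsftpd.conf-style 'key=value' lines into a dict.

    Option names are lower-cased; '#' comments and blank lines are skipped
    (vsftpd itself only allows whole-line comments, so inline ones are
    tolerated here purely for convenience).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def as_bool(conf, key, default=False):
    """vsftpd accepts YES/TRUE/1 (case-insensitive) as true values."""
    value = conf.get(key)
    if value is None:
        return default
    return value.upper() in ("YES", "TRUE", "1")

def is_chrooted(conf, user, chroot_list):
    """Return True if `user` is confined to its home directory.

    chroot_local_user=yes confines everyone; chroot_local_user=no confines
    nobody. When chroot_list_enable=yes the listed users get the opposite
    treatment, which yields exactly the four cases listed in the text.
    """
    chroot_all = as_bool(conf, "chroot_local_user")
    use_list = as_bool(conf, "chroot_list_enable")
    if use_list:
        return chroot_all != (user in chroot_list)
    return chroot_all

# Constructed sample matching case 2 above: list enabled, chroot_local_user=no.
SAMPLE_CONF = """
chroot_list_enable=YES
chroot_local_user=NO
chroot_list_file=/etc/vsftpd.chroot_list
"""
SAMPLE_LIST = {"alice", "bob"}  # constructed contents of chroot_list_file

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for name in ("alice", "carol"):
        status = "chrooted" if is_chrooted(conf, name, SAMPLE_LIST) else "may cd anywhere"
        print(f"{name}: {status}")
```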


Here are some examples that may be useful:

1. Upload only: no download, delete or rename.
cmds_allowed=feat,rest,cwd,list,mdtm,mkd,nlst,pass,pasv,port,pwd,quit,rmd,size,stor,type,user,acct,appe,cdup,help,mode,noop,rein,stat,stou,stru,syst

Explanation of the commands (the full list of commonly allowed commands, for reference):
cmds_allowed=ABOR,ACCT,APPE,CWD,CDUP,DELE,HELP,LIST,MODE,MDTM,MKD,NOOP,NLST,PASS,PASV,PORT,PWD,QUIT,REIN,RETR,RMD,RNFR,RNTO,SITE,SIZE,STOR,STAT,STOU,STRU,SYST,TYPE,USER

The commands that matter for permissions:
CWD - change working directory
DELE - delete a remote file
LIST - list remote files (directory listing)
MKD - make a remote directory (create a folder)
NLST - name list of remote directory
PWD - print working directory
RETR - retrieve a remote file (download)
RMD - remove a remote directory
RNFR - rename from (first half of a rename)
RNTO - rename to (second half of a rename)
STOR - store a file on the remote host (upload)


# ABOR - abort a file transfer
# CWD - change working directory
# DELE - delete a remote file
# LIST - list remote files (directory listing)
# MDTM - return the modification time of a file
# MKD - make a remote directory (new folder)
# NLST - name list of remote directory
# PASS - send password
# PASV - enter passive mode
# PORT - open a data port
# PWD - print working directory
# QUIT - terminate the connection
# RETR - retrieve a remote file (download)
# RMD - remove a remote directory
# RNFR - rename from
# RNTO - rename to
# SITE - site-specific commands
# SIZE - return the size of a file
# STOR - store a file on the remote host (upload)
# TYPE - set transfer type
# USER - send username

# Less common commands:

# ACCT* - send account information
# APPE - append to a remote file
# CDUP - CWD to the parent of the current directory
# HELP - return help on using the server
# MODE - set transfer mode
# NOOP - do nothing
# REIN* - reinitialize the connection
# STAT - return server status
# STOU - store a file uniquely
# STRU - set file transfer structure
# SYST - return system type

2. Download only: no upload, delete or rename. write_enable=no
3. Upload, delete and rename only: no download. download_enable=no

4. Download, delete and rename only: no upload.
cmds_allowed=feat,rest,cwd,list,mdtm,mkd,nlst,pass,pasv,port,pwd,quit,rmd,rnfr,rnto,retr,dele,size,type,user,acct,appe,cdup,help,mode,noop,rein,stat,stou,stru,syst
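The following Python is an added example, not part of the original post: it classifies a cmds_allowed value by the capabilities it grants, using the command meanings from the table above, which is easier to audit than reading a long comma list. The scenario-4 list is the constructed input; APPE and STOU are still present in it, so by the table's own definitions uploads remain possible even though STOR was removed.

```python
# Added example (not from the original post): classifies a cmds_allowed value
# by the capabilities it grants, using the command meanings listed above, so a
# restricted profile can be checked instead of eyeballing a long comma list.

# Commands grouped by the effect described in the command table above.
CAPABILITIES = {
    "upload":      {"STOR", "APPE", "STOU"},   # store / append / store unique
    "download":    {"RETR"},
    "delete_file": {"DELE"},
    "delete_dir":  {"RMD"},
    "mkdir":       {"MKD"},
    "rename":      {"RNFR", "RNTO"},           # both are needed for a rename
    "site_cmds":   {"SITE"},                   # SITE CHMOD etc.
}

def parse_cmds_allowed(value):
    """Split a cmds_allowed value into a set of upper-case command names.

    Whitespace around commas is tolerated and case is normalised, so the
    loosely formatted lists on this page can be fed in unchanged.
    """
    return {cmd.strip().upper() for cmd in value.split(",") if cmd.strip()}

def audit_cmds_allowed(value):
    """Return {capability: granted?} for a cmds_allowed value.

    A rename needs both RNFR and RNTO; every other capability is granted as
    soon as any one of its commands is allowed.
    """
    allowed = parse_cmds_allowed(value)
    report = {}
    for cap, cmds in CAPABILITIES.items():
        if cap == "rename":
            report[cap] = cmds <= allowed
        else:
            report[cap] = bool(cmds & allowed)
    return report

# Constructed check: the page's scenario 4 list ("download only, no upload").
SCENARIO_4 = ("feat,rest,cwd,list,mdtm,mkd,nlst,pass,pasv,port,pwd,quit,rmd,"
              "rnfr,rnto,retr,dele,size,type,user,acct,appe,cdup,help,mode,"
              "noop,rein,stat,stou,stru,syst")

if __name__ == "__main__":
    for cap, granted in sorted(audit_cmds_allowed(SCENARIO_4).items()):
        print(f"{cap:12s} {'yes' if granted else 'no'}")
```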


################## Virtual user settings ###################

Virtual users are authenticated through PAM.
pam_service_name=vsftpd # the PAM service name to use; the default is vsftpd, i.e. /etc/pam.d/vsftpd.

check_shell=yes # (note: only meaningful for builds without PAM; checks that the user has a valid shell before allowing login)
guest_enable=yes/no # enable virtual users. The default is no.
guest_username=ftp # the local user that virtual users are mapped to. The default is ftp.
virtual_use_local_privs=yes/no # when enabled (yes), virtual users get the same permissions as local users;
# when disabled (no), virtual users get the same permissions as anonymous users. The default is no.


################## Access control settings ###################

There are two kinds of control: host access control and user access control.

1. Controlling host access:
tcp_wrappers=yes/no

Sets whether vsftpd uses TCP wrappers for host access control. The default value is yes. When enabled, the vsftpd server checks the entries in /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server. These two files can act as a simple firewall.

For example, to allow only hosts 192.168.10.1-192.168.10.254 to connect to the FTP server, add entries to

/etc/hosts.allow
/etc/hosts.deny

in the following format:

service: IP (or network segment)
vsftpd:192.168.1.
vsftpd:192.168.1.12
vsftpd:192.168.1.0/255.255.255.0 (it cannot be written as 192.168.1.0/24 here)

2. Controlling user access:

vsftpd.ftpusers # holds the local accounts that are not allowed to log in over FTP; this is the vsftpd user blacklist.

vsftpd.user_list

(1) To deny login to the users in vsftpd.user_list, set the following two items in the main configuration file vsftpd.conf:
userlist_enable=yes
userlist_deny=yes
Result: except for the FTP users listed in vsftpd.ftpusers and vsftpd.user_list, who cannot log in to the vsftpd service, all other FTP users can log in.

(2) To allow only the users in vsftpd.user_list to log in, likewise set the following two items in vsftpd.conf:
userlist_enable=yes
userlist_deny=no
Result: only the FTP users listed in vsftpd.user_list may log in to the vsftpd service; no other FTP user can log in.
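As an added example (not part of the original post), the following Python models the two settings above together with the ftpusers blacklist, so the effective decision for a given account can be checked; the user list contents are constructed samples.

```python
# Added example (not from the original post): models the login decision made by
# userlist_enable / userlist_deny together with the ftpusers blacklist, for the
# two configurations shown above. The user lists below are constructed samples.

def login_allowed(user, user_list, ftpusers, userlist_enable=False, userlist_deny=True):
    """Return (allowed, reason) for a local user's FTP login attempt.

    ftpusers is the blacklist described above; on Red Hat-style setups it is
    enforced by pam_listfile in /etc/pam.d/vsftpd and always wins. With
    userlist_enable the user_list file is consulted as well:
      userlist_deny=True  -> listed users are refused (blacklist), case (1)
      userlist_deny=False -> only listed users are accepted (whitelist), case (2)
    The keyword defaults are vsftpd's own defaults (userlist_enable=NO,
    userlist_deny=YES).
    """
    if user in ftpusers:
        return False, "listed in ftpusers"
    if userlist_enable:
        listed = user in user_list
        if userlist_deny and listed:
            return False, "listed in user_list (userlist_deny=yes)"
        if not userlist_deny and not listed:
            return False, "not listed in user_list (userlist_deny=no)"
    return True, "allowed"

def load_user_file(text):
    """Read a vsftpd.user_list / ftpusers style file: one name per line,
    blank lines and '#' comments ignored."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names

# Constructed samples standing in for vsftpd.user_list and vsftpd.ftpusers.
USER_LIST = load_user_file("""
# accounts handled by userlist_deny
alice
root
""")
FTPUSERS = load_user_file("root\nbin\ndaemon\n")

if __name__ == "__main__":
    # configuration (2): userlist_enable=yes, userlist_deny=no (whitelist)
    for name in ("alice", "bob", "root"):
        print(name, login_allowed(name, USER_LIST, FTPUSERS,
                                  userlist_enable=True, userlist_deny=False))
```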

################## Timeout settings ##################

idle_session_timeout=600 # idle session timeout
data_connection_timeout=120 # data transfer timeout
accept_timeout=60 # PASV connection timeout (waiting for the client to connect)
connect_timeout=60 # PORT mode connection timeout


############### Server feature options ###############

xferlog_enable=yes # enable logging
xferlog_std_format=yes # use the standard xferlog format
log_ftp_protocol=no # when xferlog_std_format is off and this option is on, every FTP request and reply is logged; useful when debugging.
pasv_enable=yes # allow PASV mode
pasv_promiscuous=no # setting this to yes disables the PASV security check; be careful.
port_enable=yes # allow PORT mode
port_promiscuous # disables the PORT security check
tcp_wrappers=yes # enable tcp_wrappers support
pam_service_name=vsftpd # the PAM service name; defaults to vsftpd.
nopriv_user=nobody # the unprivileged user the server runs as when it drops privileges
pasv_address=(none) # the IP address vsftpd advertises in its reply to the PASV command (for redirecting to another server address?)

################ Server performance options ##############
ls_recurse_enable=yes # whether the ls -R command may be used; disabling it prevents clients from wasting large amounts of server resources
one_process_model # whether to use the single-process model
listen=yes # bind to the port specified by listen_port; since the port is kept open at all times, this is standalone mode
text_userdb_names=no # when a logged-in user runs ls -al to look at files, the owner's UID is shown by default rather than the owner's name. Enable this option to show the owner's name instead.

use_localtime=no # whether directory listings use local time or GMT; the same effect can be achieved with the MDTM command
#use_sendfile=yes # platform optimisation; test it

############### Message settings ################

ftpd_banner=welcome to FTP. # welcome message shown at login. If banner_file is set, this setting has no effect
dirmessage_enable=yes # allow per-directory messages: displays the contents of the message_file found in each directory
setproctitle_enable=yes # show session status information in the process title; turn it off!


############## File definitions ##################

chroot_list_file=/etc/vsftpd/vsftpd.chroot_list # the file listing users who cannot leave their home directory
userlist_file=/etc/vsftpd/vsftpd.user_list # the file listing users who are denied / allowed to log in
banner_file=/etc/vsftpd/banner # location of the login banner file
banned_email_file=/etc/vsftpd.banned_emails # e-mail addresses that anonymous users may not use as a password at login
xferlog_file=/var/log/vsftpd.log # location of the log file
message_file=.message # per-directory message file


############## Directory definitions #################

user_config_dir=/etc/vsftpd/userconf # directory holding the per-user configuration files
local_root=webdisk # makes each user's root directory after login /home/username/webdisk
# defines the root directory for local user logins; note that it may be a relative or an absolute path, and a relative path is relative to the user's home directory.
anon_root=/var/ftp # root directory for anonymous users after login

############ User connection options #################


max_clients=100 # maximum number of clients accepted
max_per_ip=5 # maximum number of clients per IP
connect_from_port_20=yes # use the standard port 20 for data connections
listen_address=192.168.0.2 # bind to one IP address; the server cannot be reached through other IPs
listen_port=2121 # bind to a specific port
ftp_data_port=2020 # data transfer port
pasv_max_port=0 # upper bound of the port range used for PASV connections; 0 means any port. The default value is 0.
pasv_min_port=0 # lower bound of the port range used for PASV connections; 0 means any port. The default value is 0.


############# Data transfer options #################

anon_max_rate=51200 # transfer rate for anonymous users (bytes/s)
local_max_rate=5120000 # transfer rate for local users (bytes/s)


############# Security options #################

idle_session_timeout=600 # (disconnect after a user session has been idle for 10 minutes)
data_connection_timeout=120 # (disconnect after a data connection has been idle for 2 minutes)
accept_timeout=60 # (drop the client after 1 minute of inactivity)
connect_timeout=60 # (a connection attempt times out after 1 minute)
local_max_rate=50000 # (local user transfer rate 50K)
anon_max_rate=30000 # (anonymous user transfer rate 30K)

pasv_min_port=50000 # (restrict the client's data connection ports to
pasv_max_port=60000 # 50000-60000)

max_clients=200 # (maximum number of connections to the FTP server)
max_per_ip=4 # (maximum number of connections per IP)
listen_port=5555 # (accept connections on port 5555)

If anything above is incomplete or wrong, please contact me and I will correct it promptly. Thank you.


Case 1: build an FTP server based on virtual users and configure it to the following requirements.

(1) Set the anonymous users' home directory to /var/ftp/anon, with a download bandwidth limit of 100 kb/s.

(2) Create an FTP account abc with the password xyz, with a download bandwidth limit of 500 kb/s.

(3) Set the maximum number of connections to the FTP server to 100 and the maximum number of connections per IP to 3, and disconnect users who stay idle for more than 5 minutes.

mkdir /var/ftp/anon

useradd abc
passwd abc

vim /etc/vsftpd/vsftpd.conf

The main contents are as follows:

anonymous_enable=yes
anon_root=/var/ftp/anon
anon_max_rate=100000
# Uncomment this to allow local users to log in.
local_enable=yes
local_max_rate=500000
max_clients=100
max_per_ip=3
idle_session_timeout=300 # idle users are disconnected after 5 minutes

The above uses a local user.

The following implements the same thing with a virtual user:

vim /etc/vsftpd/vuser

The contents are as follows (one line with the user name, the next with the password):

tom
123

Generate the database file:
db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db
chmod 600 /etc/vsftpd/vuser.db

vim /etc/pam.d/vsftpd


Comment out the original contents, then add:

auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser

Finally edit vsftpd.conf and add the following two lines:

guest_enable=yes
guest_username=abc

You can test it yourself.

This completes the case.


Case 2
1. Add a new 10G partition with an ext3 file system, mounted at /ftp, as the FTP server's data storage.

2. Four departments, dep1, dep2, dep3 and dep4, correspond to the directories /ftp/dep1, /ftp/dep2, /ftp/dep3 and /ftp/dep4. Also set up a shared directory /ftp/public.

3. Five users: admin, user1, user2, user3, user4. user1/2/3/4 belong to dep1/2/3/4 respectively and may only access their own department's directory and the public directory. For example, user1 can access only the dep1 and public directories and nothing else. admin is the administrator and can access any directory on the FTP server.

4. Access restrictions: in the directories they may access, user1/2/3/4 can upload and download files but cannot delete files, change file permissions or the like. The admin user can upload, download, delete, change permissions and so on in all directories.

5. Set a quota for each department: the file (inode) quota for the account is 1000 and the disk quota is 2G.

6. Anonymous users may not access the server.


First, add a hard disk, partition it, create the file system and mount it, then record the mount in /etc/fstab

# fdisk /dev/hdb
# mkfs.ext3 /dev/hdb1
# mkdir /ftp
# mount /dev/hdb1 /ftp -o usrquota,grpquota

# vim /etc/fstab
Add the following line:

/dev/hdb1 /ftp ext3 defaults,usrquota,grpquota 0 0


Second, create the groups, users and corresponding directories and set permissions to meet the requirements

# groupadd dep1
# groupadd dep2
# groupadd dep3
# groupadd dep4
# groupadd boobooke

# useradd -G dep1,boobooke user1
# useradd -G dep2,boobooke user2
# useradd -G dep3,boobooke user3
# useradd -G dep4,boobooke user4
# useradd -G dep1,dep2,dep3,dep4,boobooke admin

# passwd user1
# passwd user2
# passwd user3
# passwd user4
# passwd admin

# mkdir /ftp/dep1
# mkdir /ftp/dep2
# mkdir /ftp/dep3
# mkdir /ftp/dep4
# mkdir /ftp/public

# chown user1:dep1 /ftp/dep1
# chown user2:dep2 /ftp/dep2
# chown user3:dep3 /ftp/dep3
# chown user4:dep4 /ftp/dep4
# chown admin:boobooke /ftp/public

# chmod 770 /ftp/dep1
# chmod 770 /ftp/dep2
# chmod 770 /ftp/dep3
# chmod 770 /ftp/dep4
# chmod 770 /ftp/public


The final result is as follows:

-rw------- 1 root  root      8192 Jul 11:46 aquota.group
-rw------- 1 root  root      7168 Jul 11:46 aquota.user
drwxrwx--- 2 user1 dep1      4096 Jul 20:47 dep1
drwxrwx--- 2 user2 dep2      4096 Jul 20:47 dep2
drwxrwx--- 2 user3 dep3      4096 Jul 20:47 dep3
drwxrwx--- 2 user4 dep4      4096 Jul 20:47 dep4
drwx------ 2 root  root     16384 Jul 20:44 lost+found
drwxrwx--- 2 admin boobooke  4096 Jul 20:48 public

Third, create the quota files and configure the disk quotas

# mount /dev/hdb1 /ftp -o usrquota,grpquota
# quotacheck -cuvg /dev/hdb1
# quotaon -a
# edquota -g dep1

Disk quotas for group dep1 (gid 503):
Filesystem   blocks   soft      hard      inodes   soft   hard
/dev/hdb1    0        1024000   2048000   0        500    1000

# edquota -g -p dep1 dep2 dep3 dep4 (-p copies the quota settings of the prototype user (-u) or group (-g) to the other users or groups.)


Fourth, edit vsftpd.conf

# vim /etc/vsftpd/vsftpd.conf

anonymous_enable=no

Add:
local_root=/ftp
user_config_dir=/etc/vsftpd/ftp_config_dir


Enable chroot:

chroot_list_enable=yes
chroot_list_file=/etc/vsftpd/chroot_list


Create a separate configuration file for each user:

# mkdir /etc/vsftpd/ftp_config_dir
# vim /etc/vsftpd/ftp_config_dir/user1

cmds_allowed=abor,acct,appe,cwd,cdup,help,list,mode,mdtm,noop,nlst,pass,pasv,port,pwd,quit,rein,retr,site,size,stor,stat,stou,stru,syst,type,user


# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user2
# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user3
# cp /etc/vsftpd/ftp_config_dir/user1 /etc/vsftpd/ftp_config_dir/user4
