Recently a client needed an FTP service protected with SSL. The steps are written up below.
1. Install the required software

yum install httpd -y
yum install vsftpd* -y
yum install pam* -y
yum install mod_ssl* -y

(Only vsftpd and pam are needed for the FTP service itself; httpd and mod_ssl are not used by vsftpd, and the certificate in step 7 is generated with openssl.)

3. Create the host user for the vsftpd service

useradd vsftpd -s /sbin/nologin

4. Create the host user that virtual users are mapped onto

useradd virtusers -s /sbin/nologin
5. vsftpd configuration

1) Edit the vsftpd.conf configuration file

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak    (back up the original file)
vi /etc/vsftpd/vsftpd.conf

The resulting file is listed below. vsftpd only accepts comments on a line of their own, so each note sits above the setting it describes.

# no anonymous access
anonymous_enable=NO
# local users may log in. Keep this YES: virtual users are mapped onto a local
# account (guest_username), so NO locks every virtual user out as well.
local_enable=YES
# allow writes (upload, mkdir, delete, rename)
write_enable=YES
# umask applied to uploaded files
local_umask=022
# anonymous users may neither upload nor create directories
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# show the directory message (.message) on entering a directory
dirmessage_enable=YES
# transfer logging in the standard xferlog format
xferlog_enable=YES
xferlog_std_format=YES
#xferlog_file=/var/log/xferlog
# active-mode data connections originate from port 20
connect_from_port_20=YES
# uploaded files keep their owner, no chown to another user
chown_uploads=NO
#chown_username=whoever
# idle-session timeout and maximum duration of a single transfer, in seconds.
# These are the global values; a per-user file under user_config_dir may
# override them, otherwise the value here applies.
idle_session_timeout=1200
data_connection_timeout=7200
# unprivileged account the daemon drops to: the vsftpd user created in step 3.
# Once the host user is changed, anything the service must write (for example
# the log file) has to be writable by that user.
nopriv_user=vsftpd
# asynchronous ABOR and ASCII-mode uploads/downloads
async_abor_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
# login banner
ftpd_banner=welcome to airmate ftp service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
# recursive "ls -R" is expensive; several clients running it at the same time
# can exhaust the server, so leave it disabled
ls_recurse_enable=NO
#ls_recurse_enable=YES
# jail local users in their root directory, with no exception list
chroot_local_user=YES
chroot_list_enable=NO
# stand-alone daemon on IPv4
listen=YES
#listen_ipv6=YES
# name of the PAM service file, /etc/pam.d/vsftpd
pam_service_name=vsftpd
# user list (deny list, default /etc/vsftpd/user_list) and tcp_wrappers
userlist_enable=YES
userlist_deny=YES
#userlist_file=/etc/vsftpd/chroot_list
tcp_wrappers=YES
# virtual users: map them onto the virtusers account from step 4, give them
# local-user privileges, and read per-user settings from user_config_dir
guest_enable=YES
guest_username=virtusers
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/virtualuser_conf
local_root=/
# SSL/TLS: PEM file holding the certificate and key generated in step 7
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd1.pem
# the three protocol versions this setup enables (see the note below)
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
syslog_enable=YES
# passive mode, data connections on ports 30000-30010
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30010

Notes on this file. ssl_sslv2=YES and ssl_sslv3=YES should be NO on any current deployment: both protocol versions are broken (SSLv2 outright, SSLv3 by POODLE), and FTPS clients speak TLS. With ssl_enable=YES vsftpd also defaults force_local_logins_ssl and force_local_data_ssl to YES; do not set them to NO, or logins and data fall back to cleartext. rsa_private_key_file defaults to rsa_cert_file, which is why a single PEM holding both key and certificate works. The passive range 30000-30010 allows only eleven concurrent data connections; widen it if more simultaneous transfers are expected, and open the same range in the firewall (step 8). Finally, the vsftpd 2.2.x shipped with CentOS 6.5 will chroot a user into a writable directory such as /home/ftpfile (step 3), but later releases refuse to do so unless allow_writeable_chroot=YES is set or the chroot root itself is made non-writable with writable subdirectories.
2) Create the directory for the per-user (virtual user) configuration files

mkdir /etc/vsftpd/virtualuser_conf
Configure virtual users

For example, to add a user named tang (the FTP client will log in with this name and the password set below), create a file in /etc/vsftpd/virtualuser_conf named exactly like the login name, touch tang, with the following contents. The file name is matched case-sensitively against the login name, so it must be spelled the same way as in the password list below.

local_root=/home/ftpfile
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
pam_service_name=vsftpd
chroot_local_user=YES

Parameter description:

local_root=/home/ftpfile    root directory the virtual user uploads to and downloads from (created in step 3 below)
write_enable=YES            writable, i.e. uploads are allowed
anon_umask=022              umask for files this user creates (virtual users are governed by the anon_* settings)
Next, in the /etc/vsftpd/ directory create a text file that records the user name and password of every client (virtual) user:

touch virtualuser_passwd.txt

Its contents are as follows, one line for the user name and the next line for the password:

tang
passwd1
tony
passwd2

The file holds passwords in cleartext, so restrict it to root (mode 600).

Next, generate the DB file that virtual user authentication reads:

db_load -T -t hash -f /etc/vsftpd/virtualuser_passwd.txt /etc/vsftpd/virtualuser_passwd.db

(db_load comes from the db4-utils package on CentOS 6. The .db file contains the same cleartext passwords and should be mode 600 as well.)

Then edit the PAM authentication file /etc/pam.d/vsftpd: comment out every existing line and add the following two:

auth    required /lib64/security/pam_userdb.so db=/etc/vsftpd/virtualuser_passwd
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/virtualuser_passwd

The db= argument is given without the .db suffix; pam_userdb appends it. /lib64/security is the module directory on x86_64; 32-bit systems use /lib/security, and the bare module name pam_userdb.so also works because PAM searches its own module directory.
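As an added example that is not part of the original post, the shell script below performs the virtual-user steps above repeatably: it appends a name/password pair to the list in the alternating-line layout db_load -T expects, writes the per-user file with the same name as the login, refuses duplicates and names that could not serve as a file name, and rebuilds the .db when db_load is installed. The paths are the page's own; VSFTPD_ETC defaults to a scratch directory so the script can be tried without root, and the function names are my own, not vsftpd's.

```shell
#!/bin/sh
# Added example (not from the original post): provision vsftpd virtual users
# the way the steps above describe. Paths follow the page; VSFTPD_ETC defaults
# to a scratch directory so this runs without root (set VSFTPD_ETC=/etc/vsftpd
# and FTP_ROOT=/home/ftpfile for the real thing). Function names are my own.
VSFTPD_ETC=${VSFTPD_ETC:-$(mktemp -d)}
FTP_ROOT=${FTP_ROOT:-/home/ftpfile}
PASSWD_LIST=$VSFTPD_ETC/virtualuser_passwd.txt
CONF_DIR=$VSFTPD_ETC/virtualuser_conf

# vuser_exists NAME: status 0 if NAME appears on an odd (user-name) line.
vuser_exists() {
    [ -f "$PASSWD_LIST" ] &&
        awk -v u="$1" 'NR % 2 == 1 && $0 == u { found = 1 } END { exit !found }' "$PASSWD_LIST"
}

# add_vuser NAME PASSWORD: append the pair (name on one line, password on the
# next, as db_load -T expects) and write the per-user config. The config file
# must be named exactly like the login, so the name is limited to characters
# that are safe in a file name; duplicates are refused rather than appended.
add_vuser() {
    local name pw
    name=$1; pw=$2
    case $name in
        ''|*[!a-z0-9_.-]*) echo "add_vuser: bad user name '$name'" >&2; return 1 ;;
    esac
    case $pw in
        ''|*[[:space:]]*) echo "add_vuser: password must be non-empty, no whitespace" >&2; return 1 ;;
    esac
    if vuser_exists "$name"; then
        echo "add_vuser: user '$name' already exists" >&2; return 1
    fi
    mkdir -p "$CONF_DIR"
    printf '%s\n%s\n' "$name" "$pw" >>"$PASSWD_LIST"
    chmod 600 "$PASSWD_LIST"          # cleartext passwords: root only
    cat >"$CONF_DIR/$name" <<EOF
local_root=$FTP_ROOT
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

# vuser_count: number of users in the list (two lines per user).
vuser_count() {
    if [ -f "$PASSWD_LIST" ]; then
        echo $(( $(wc -l <"$PASSWD_LIST") / 2 ))
    else
        echo 0
    fi
}

# build_vuser_db: rebuild the Berkeley DB that pam_userdb reads. The PAM line
# refers to it without the .db suffix (db=/etc/vsftpd/virtualuser_passwd).
build_vuser_db() {
    db_load -T -t hash -f "$PASSWD_LIST" "$VSFTPD_ETC/virtualuser_passwd.db" &&
        chmod 600 "$VSFTPD_ETC/virtualuser_passwd.db"
}

# Demo with the page's two users.
add_vuser tang passwd1
add_vuser tony passwd2
echo "users provisioned: $(vuser_count) (list: $PASSWD_LIST)"
if command -v db_load >/dev/null 2>&1; then
    build_vuser_db
else
    echo "db_load not installed here (package db4-utils on CentOS 6); skipping DB build"
fi
```

Run it once per user to add; because the list is append-only, the .db has to be rebuilt after every change, which is why build_vuser_db is a separate step.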
3) Set up the FTP user file storage location

mkdir /home/ftpfile
chown -R virtusers.virtusers /home/ftpfile
chmod u=rwx /home/ftpfile
4) Turn off SELinux to simplify configuration

If SELinux is installed and has not been configured for vsftpd, the simplest route is to turn it off by changing the following line in /etc/selinux/config:

SELINUX=disabled

This takes effect after a reboot, and the key must be written in upper case. The better alternative is to leave SELinux enforcing and instead grant vsftpd write access under the home tree with the ftp_home_dir and allow_ftpd_full_access booleans (setsebool -P).
7. Configure SSL encryption. Change into /etc/vsftpd/ and generate a self-signed certificate with:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -subj "/C=CN/ST=GD/L=SZ/O=lvzunhai/CN=lvzunhai" -keyout /etc/vsftpd/vsftpd1.pem -out /etc/vsftpd/vsftpd1.pem

Key and certificate land in the same PEM file, which is what rsa_cert_file in vsftpd.conf points at. Two caveats: a 1024-bit RSA key is below current minimums, so use rsa:2048 or larger, and the file contains the private key, so restrict it to root (mode 600). The certificate is self-signed, so clients will warn about it until they are told to trust it or it is replaced by one from a CA.
8. Open the firewall for vsftpd

Allow TCP port 21 for the control connection and the passive range 30000-30010 configured above for data connections. Because the control channel is now encrypted, the iptables FTP connection-tracking helper (ip_conntrack_ftp / nf_conntrack_ftp) can no longer read the PASV replies and open data ports on demand, so the passive range has to be allowed explicitly.
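As an added example that is not part of the original post, the following shell script ties step 5 and step 8 together: it reads settings out of a vsftpd.conf, reports the values that would be unsafe (anonymous access, the SSLv2/SSLv3 versions the original file enables, an explicit cleartext fallback), and derives the iptables rules for port 21 and the passive range from pasv_min_port/pasv_max_port instead of hard-coding them. The two sample configs are constructed in the script (the page's settings, and the same file with SSLv2/SSLv3 off), the rules are printed rather than applied, and the check list and helper names are my own, not an official vsftpd tool.

```shell
#!/bin/sh
# Added example (not from the original post): audit the security-relevant
# settings of a vsftpd.conf and derive the step 8 firewall rules from the
# passive port range. The check list and helper names are my own.

# conf_get FILE KEY: value of KEY (last non-comment assignment wins, trailing
# whitespace stripped); empty output if the key is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# conf_get_upper FILE KEY: same, upper-cased so YES/yes compare equal.
conf_get_upper() { conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]'; }

# expect_setting FILE KEY VALUE: print a FAIL line and return 1 unless KEY is VALUE.
expect_setting() {
    local actual
    actual=$(conf_get_upper "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FAIL: $2=${actual:-<unset>} (expected $3)"
        return 1
    fi
}

# audit_vsftpd_conf FILE: 0 only if every check passes; one FAIL line per problem.
audit_vsftpd_conf() {
    local f rc k
    f=$1; rc=0
    expect_setting "$f" anonymous_enable NO   || rc=1   # no anonymous logins
    expect_setting "$f" chroot_local_user YES || rc=1   # users jailed in local_root
    expect_setting "$f" ssl_enable YES        || rc=1   # encryption on at all
    expect_setting "$f" ssl_sslv2 NO          || rc=1   # SSLv2 is broken outright
    expect_setting "$f" ssl_sslv3 NO          || rc=1   # SSLv3 is broken (POODLE)
    expect_setting "$f" ssl_tlsv1 YES         || rc=1   # a usable version must stay on
    expect_setting "$f" pasv_enable YES       || rc=1   # needed for the PASV range below
    # With ssl_enable=YES these two default to YES, so only an explicit NO
    # (cleartext login / data fallback) is a finding.
    for k in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get_upper "$f" "$k")" = "NO" ]; then
            echo "FAIL: $k=NO permits cleartext sessions"; rc=1
        fi
    done
    return $rc
}

# pasv_iptables_rules FILE: print (not run) the iptables commands for the control
# port and the configured passive range. Once the control channel is encrypted
# the ip_conntrack_ftp helper cannot read PASV replies, so the range must be
# opened explicitly.
pasv_iptables_rules() {
    local lo hi
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port missing or inverted" >&2
        return 1
    fi
    printf 'iptables -I INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -I INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$lo" "$hi"
    printf 'service iptables save\n'
}

# Constructed sample: the settings from the page (SSLv2 and SSLv3 still on).
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd1.pem
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30010
EOF
# Constructed sample: the same file with the two legacy versions switched off.
HARDENED_CONF=$(mktemp)
sed 's/^\(ssl_sslv[23]\)=YES/\1=NO/' "$WEAK_CONF" >"$HARDENED_CONF"
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

echo "== page settings =="
audit_vsftpd_conf "$WEAK_CONF" || echo "audit failed, as expected"
echo "== hardened settings =="
audit_vsftpd_conf "$HARDENED_CONF" && echo "audit passed"
echo "== firewall rules for step 8 =="
pasv_iptables_rules "$HARDENED_CONF"
```

Point audit_vsftpd_conf at the real /etc/vsftpd/vsftpd.conf after editing it, and pipe pasv_iptables_rules into sh only once the printed range matches what the config actually uses; changing pasv_min_port/pasv_max_port later means re-running both.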
VSFTP+SSL Login Settings under centos6.5