# vi /etc/vsftpd-ano.conf ,将如下三行加入文件 listen=YES listen_port=21 tcp_wrappers=YES anon_root=/var/ftp //设置匿名用户本地目录,和ftp用户目录必须相同 listen=YES的意思是使用standalone启动vsftpd,而不是super daemon(xinetd)控制它 (vsftpd推荐使用standalone方式) # /usr/local/sbin/vsftpd-ano /etc/vsftpd-ano.conf & //以后台方式启动vsftpd 注意:每行的值都不要有空格,否则启动时会出现错误,举个例子,假如我在listen=YES后多了个空格,那我启动时就出现如下错误: 500 OOPS: bad bool value in config file for: listen
测试搭建好的匿名用户方式 # ftp 127.0.0.1 Connected to 127.0.0.1. 220 (vsFTPd 2.0.3) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): ftp 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/\" ftp> quit 221 Goodbye. # OK,已经完成了,very nice.
测试搭建好的匿名用户方式,先测试root用户吧 :) # ftp 127.0.0.1 Connected to 127.0.0.1. 220 (vsFTPd 2.0.3) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): root 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/root\" ftp> quit 221 Goodbye. 我们看到root用户可以登陆到ftp,他的登陆目录就是自己的主目录。 再测试一个系统用户,那我们先建立一个用户名叫xuchen的 # useradd xuchen # passwd xuchen Changing password for user xuchen. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. 建立好了,让我们开始测试吧!! # ftp 127.0.0.1 Connected to 127.0.0.1. 220 (vsFTPd 2.0.3) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): xuchen 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/home/xuchen\" ftp> quit 221 Goodbye. 我们看到xuchen用户可以登陆到ftp,他的登陆目录也是自己的主目录。哈哈,又完成了! 高级配置 细心的朋友可能已经看出来如果我们不支持PAM认证方式,那么本地用户就可以登陆,而默认编译的vsftpd支持PAM认证方式,所以是不支持本地用户登陆的。恩,从这点说,这也是vsftp安全的一个表现----禁止本地用户登陆。 我们登陆后进行测试,传一个文件上去,得,失败了,那下载个文件下来吧,恩,这是成功的(见图2),而且我们发现我们可以进入到系统根目录(见图3),这样很危险。
userlist_enable=YES userlist_deny=YES userlist_file=/etc/vsftpd.denyuser 以上三条设定不允许登陆的用户,用户列表存放在/etc/vsftpd.denyuser中,一行一个帐号如果我把xuchen这个用户加到vsftpd.denyuser里,那么登陆时会出现如下错误: # ftp 127.0.0.1 Connected to 127.0.0.1. 220 Welcome to d-1701.com FTP service. 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): xuchen 530 Permission denied. Login failed. 呵呵,有意思吧,自己测试吧,本地用户登陆方式就介绍到这里吧!
3、虚拟用户形式实现(db及mysql形式) # cd /home/xuchen/vsftpd-2.0.3 //进入vsftpd-2.0.3的源代码目录 # make clean //清除编译环境 # vi builddefs.h \\\\继续编辑builddefs.h 文件,文件内容如下: #ifndef VSF_BUILDDEFS_H
# ftp 127.0.0.1 Connected to 127.0.0.1. 220 (vsFTPd 2.0.3) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): xuchen 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/\" ftp> size test 213 11 ftp> quit 221 Goodbye. OK,用户名为xuchen,密码为12345可以连接到FTP服务器,看不到文件列表,但可以下载已知文件名的文件,不能上传文件,非常安全吧!!
(7)测试连通 # ftp 127.0.0.1 Connected to 127.0.0.1. 220 (vsFTPd 2.0.3) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (127.0.0.1:root): test1 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/\" ftp> quit 221 Goodbye. 看,成功了!!这样就实现了mysql的认证方式,很简单吧??
4、为FTP增加磁盘配额,从而避免恶意用户用垃圾数据塞满你的硬盘 我首先要说的是这个功能是系统自带的,而不是vsftp 的功能之一,千万别搞混了。好了,我们先假设我们的系统用户ftpd的主目录是/home/ftpd,它是建立在/home分区中,那么如果我们要对ftpd用户进行磁盘限额,那我们需要修改/etc/fstab中根分区的记录,将/home分区的第4个字段改成defaults,usrquota,如下: LABEL=/home /home ext3 defaults,usrquota 1 2 # reboot //重新启动系统使设置生效 也可以用 # mount -o remount /dev/sda6 ///dev/sda6的挂接点就是/home,这样可以不用启动系统。 这里我还要说明一下,如果我们对一个组进行磁配额,那我们需要增加参数grpquota,例如 LABEL=/home /home ext3 defaults,grpquota 1 2 也可以 LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2 你想怎么限制都可以,自己组合参数吧。 # quotacheck -avu 说明:a-自动开启挂载文件系统的配额,v-显示信息,u-启用用户配额or g-启用组配额 # edquota ftpd //为用户ftpd设置磁盘配额 OR # edquota -g grp //为组grp设置磁盘配额 系统会自动打开配额文件,如下: Disk quotas for user ftpd (uid 502): Filesystem blocks soft hard inodes soft hard /dev/sda6 424 0 0 13 0 0 第一列是启用了配额的文件系统的名称。第二列显示了用户当前使用的块数,单位为KB。随后的两列用来设置用户在该文件系统上的软硬块限度。inodes 列显示了用户当前使用的i节点数量。最后两列用来设置用户在该文件系统上的软硬i节点限度.硬限是用户或组群可以使用的磁盘空间的绝对最大值。达到了该限度后,磁盘空间就不能再被用户或组群使用了。软限定义可被使用的最大磁盘空间量。和硬限不同的是,软限可以在一段时期内被超过。这段时期被称为过渡期(grace period),默认七天的超越。过渡期可以用秒钟、分钟、小时、天数、周数、或月数表示。如果以上值中的任何一个被设置为 0,那个限度就不会被设置。我设置了硬块限度为1KB,是为了测试方便。 # quotaon -avu //打开磁盘配额监控进程,u是用户g是组,这里我没设置g参数 要校验用户的配额是否被设置,我们可以使用以下命令: # quota ftpd Disk quotas for user ftpd (uid 502): Filesystem blocks quota limit grace files quota limit grace /dev/sda6 424* 0 1 13 0 0 # edquota –t(-g)来设置过渡期(grace period) //当然只针对软限制而言 和另一个 edquota 命令相似,这个命令也会在文本编辑器中打开当前的文件系统配额: Grace period before enforcing soft limits for users: Time units may be: days, hours, minutes, or seconds Filesystem Block grace period Inode grace period /dev/sda6 7days 7days 按你的需要修改后存盘退出 用以下命令显示磁盘配额使用状态 # repquota -a 或 repquota /dev/sda6(用户配额) # repquota -g -a 或 repquota -a /dev/sda6 (组的配额) 如果一切按照你的意思实施了,那么我们就进行测试了!如下图4
其它 =================== 测试平台 (已通过) -流行的,功能完善的平台都能测试通过。在以下平台的较新版本,VSFTPD工作得很好。在其大部分较早的版本下,也运行正常。 - RedHat Linux - RedHat Enterprise Linux - Solaris / GNU tools (Solaris 8 or newer) - SuSE Linux - Debian Linux - OpenBSD - FreeBSD - NetBSD - HP-UX / GNU tools - IRIX / GNU tools - Mac OS X (note; older versions have setgroups() problem. 10.3.4 reported OK) 虚拟用户1 ============= 这个例子示范了如何为虚拟用户设置VSFTPD/PAM。 虚拟用户是一个在系统中并不作为一个登录实体而存在的用户。使用虚拟用户比使用真实的用户更安全,因为这个账号只能用于FTP服务器。
ftp localhost 10021 Connected to localhost (127.0.0.1). 220 ready, dude (vsFTPd 1.1.0: beat me, break me) Name (localhost:chris): tom 331 Please specify the password. Password: 230 Login successful. Have fun. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 \"/\" ftp> ls 227 Entering Passive Mode (127,0,0,1,117,135) 150 Here comes the directory listing. 226 Transfer done (but failed to open directory). ftp> size hosts 213 147 ftp>
注释: 密码是\"foo\" 出现”failed to open directory“的话,别担心。这是因为/home/ftpsite目录不容许被任意浏览。 (我们可以更改anon_world_readable_only=NO以消除告警,但为了安全,还是保留这个配置)。 我们能通过size命令看到我们已经访问了被我们拷贝到这里的\"hosts\"文件。
no_log_lock 启用时,VSFTPD在写入LOG文件时将不会把文件锁住。这一项一般不启用。它对一些工作区操作系统问题,如Solaris / Veritas文件系统共存时有用。 因为那在试图锁定LOG文件时,有时候看上去象被挂死(无响应)了。(daidong注:这我也不是很理解。所以翻译未必近乎原意。原文如下:It exists to workaround operating system bugs such as the Solaris / Veritas filesystem combination which has been observed to sometimes exhibit hangs trying to lock log files.) 默认值:NO
passwd_chroot_enable (daidong注:这段自己看,无语...) if enabled, along with .BR chroot_local_user , then a chroot() jail location may be specified on a per-user basis. Each user\'s jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path. 默认值:NO
3、未完成的实验 his example should quickly show you the possibilites of per-IP configuration with vsftpd\'s tcp_wrappers integration. This is new with v1.1.3.
To use this, you need vsftpd built with tcp_wrappers! This is accomplished by editing \"builddefs.h\" and changing
#undef VSF_BUILD_TCPWRAPPERS to #define VSF_BUILD_TCPWRAPPERS
And then rebuild. If you are lucky your vendor will have shipped the vsftpd binary with this already done for you.
Next, to enable tcp_wrappers integration, you need this in your vsftpd.conf:
tcp_wrappers=YES
And you\'ll need a tcp_wrappers config file. An example one is supplied in this directory: hosts.allow. It lives at /etc/hosts.allow.
The first line: If a client connects from 192.168.1.3, then vsftpd will apply the vsftpd config file /etc/vsftpd_tcp_wrap.conf to the session! These settings are applied ON TOP of the default vsftpd.conf. This is obviously very powerful. You might use this to apply different access restrictions for some IPs (e.g. the ability to upload). Or you could give certain classes of IPs the ability to skip connection limits (max_clients=0). Or you could increase / decrease the bandwidth limiter for certain classes of IPs. You get the point
The second line: Denies the ability of 192.168.1.4 to connect. Very useful to take care of troublemakers. And now you don\'t need xinetd to do it - hurrah.
This example shows how you might set up virtual hosts. Virtual hosting is where different clients access your machine on different IP addresses (virtual IPs) and get redirected to different ftp sites.
For example, if your machine responds to two IPs - 127.0.0.1 and 127.0.0.2, you could have the two different IPs represent two totally different FTP sites.
For this example, we are going to build on the \"INTERNET_SITE\" example.
Step 1) Set up a virtual IP address.
ifconfig eth0:1 192.168.1.10 up (the standard IP address is 192.168.1.2) (note - this isn\'t quite complete, the route for local connects hasn\'t been added, but it will do for now)
Step 2) Create a user / location for the new virtual site.
Step 3) Modify the existing site to respond to the primary IP.
Edit /etc/xinetd.d/vsftpd, and add the config line: This example shows how you might set up virtual hosts. Virtual hosting is where different clients access your machine on different IP addresses (virtual IPs) and get redirected to different ftp sites.
For example, if your machine responds to two IPs - 127.0.0.1 and 127.0.0.2, you could have the two different IPs represent two totally different FTP sites.
For this example, we are going to build on the \"INTERNET_SITE\" example.
Step 1) Set up a virtual IP address.
ifconfig eth0:1 192.168.1.10 up (the standard IP address is 192.168.1.2) (note - this isn\'t quite complete, the route for local connects hasn\'t been added, but it will do for now)
Step 2) Create a user / location for the new virtual site.
Step 3) Modify the existing site to respond to the primary IP.
Edit /etc/xinetd.d/vsftpd, and add the config line:
bind = 192.168.1.2
Step 4) Create the new site, responding on the virtual IP.
cp /etc/xinetd.d/vsftpd /etc/xinetd.d/vsftpd2
Edit vsftpd2, and change - The bind line to refer to the IP address 192.168.1.10 - Add the line server_args = /etc/vsftpd_site2.conf
This launches this FTP site with a different vsftpd configuration file.
cp /etc/vsftpd.conf /etc/vsftpd_site2.conf
Add two lines: ftp_username=ftp_site2 ftpd_banner=This is the alternative FTP site.
Step 5) Restart xinetd and test!
/etc/rc.d/init.d/xinetd restart
[chris@localhost vsftpd] $ ftp 192.168.1.2 Connected to 192.168.1.2 (192.168.1.2). 220 ready, dude (vsFTPd 1.1.0: beat me, break me) Name (192.168.1.2:chris): [chris@localhost vsftpd] $ [chris@localhost vsftpd] $ ftp 192.168.1.2 Connected to 192.168.1.2 (192.168.1.2). 220 ready, dude (vsFTPd 1.1.0: beat me, break me) Name (192.168.1.2:chris): 530 This FTP server is anonymous only. Login failed. ftp> quit 221 Goodbye.
[chris@localhost vsftpd] $ ftp 192.168.1.10 Connected to 192.168.1.10 (192.168.1.10). 220 This is the alternative FTP site. Name (192.168.1.10:chris): 530 This FTP server is anonymous only. Login failed. ftp>