Category: LINUX

2006-10-10 10:08:37

 
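1. Installation
First, download the latest stable release of vsftpd from here:
The latest version is: Jul 2006 - vsftpd-2.0.5 released
If your distribution already ships with vsftp installed by default, uninstall it.
Download the tarball; it is small, just over 150 KB.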
tar zxvf vsftpd-2.0.5.tar.gz
cd vsftpd-2.0.5
This directory contains an EXAMPLE directory with many documents that explain in detail how to configure vsftp for various scenarios. It is worth reading.
make
make install
 
The vsftpd binary is installed at
/usr/local/sbin/vsftpd
--------------------------------------------------------------------------------
Configuration:
 
Below is the content of the /EXAMPLE/INTERNET_SITE/README file.
-------------------------------------------------------------------------------
Running in XINETD mode
--------------------------------------------------------------------------------
$less README
This example shows how you might set up a (possibly large) internet facing
FTP site.
The emphasis will be on security and performance.
We will see how by integrating vsftpd with xinetd, we get a powerful
combination.
Step 1) Set up your xinetd configuration file.
An example xinetd configuration file "vsftpd.xinetd" is supplied.
To install it:
cp vsftpd.xinetd /etc/xinetd.d/vsftpd
Let's look at the important content in this file and see what it does:
disable                 = no
socket_type             = stream
wait                    = no
This says that the service is active, and it is using standard TCP sockets.
user                    = root
server                  = /usr/local/sbin/vsftpd
The server program /usr/local/sbin/vsftpd is used to handle incoming FTP
requests, and the program is started as root (vsftpd will of course quickly
drop as much privilege as possible). NOTE! Make sure that you have the vsftpd
binary installed in /usr/local/sbin (or change the file path in the xinetd
file).
per_source              = 5
instances               = 200
For security, the maximum allowed connections from a single IP address is 5.
The total maximum concurrent connections is 200.
no_access               = 192.168.1.3
As an example of how to ban certain sites from connecting, 192.168.1.3 will
be denied access.
banner_fail             = /etc/vsftpd.busy_banner
This is the file to display to users if the connection is refused for whatever
reason (too many users, IP banned).
Example of how to populate it:
echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner
log_on_success          += PID HOST DURATION
log_on_failure          += HOST
This will log the IP address of all connection attempts - successful or not,
along with the time. If an FTP server is launched for the connection, its
process ID and usage duration will be logged too. If you are using RedHat
like me, this log information will appear in /var/log/secure.

Step 2) Set up your vsftpd configuration file.
An example file is supplied. Install it like this:
cp vsftpd.conf /etc
Let's examine the contents of the file:
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
This makes sure the FTP server is in anonymous-only mode and that all write
and upload permissions are disabled. Note that most of these settings are
the same as the default values anyway - but where security is concerned, it
is good to be clear.
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
These settings, in order
- Make sure only world-readable files and directories are served.
- Originates FTP port connections from a secure port - so users on the FTP
server cannot try and fake file content.
- Hide the FTP server user IDs and just display "ftp" in directory listings.
This is also a performance boost.
- Set a 50000-60000 port range for passive connections - may enable easier
firewall setup!
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
In order,
- Enables recording of transfer stats to /var/log/vsftpd.log
- Disables "ls -R", to prevent it being used as a DoS attack. Note - sites
wanting to be copied via the "mirror" program might need to enable this.
- Disables downloading in ASCII mode, to prevent it being used as a DoS
attack (ASCII downloads are CPU heavy).
- Enables older FTP clients to cancel in-progress transfers.
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
In order,
- Activates a faster "one process per connection" model. Note! To maintain
security, this feature is only available on systems with capabilities - e.g.
Linux kernel 2.4.
- Boots off idle users after 2 minutes.
- Boots off idle downloads after 5 minutes.
- Boots off hung passive connects after 1 minute.
- Boots off hung active connects after 1 minute.
- Limits a single client to ~50kbytes / sec download speed.

Step 3) Restart xinetd.
(on RedHat)
/etc/rc.d/init.d/xinetd restart
If you run into problems, check:
1) Your /etc/xinetd.d directory only has one FTP service.
 
---------------------------------------------------------------
$cat vsftpd.conf
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
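One way to check a deployed /etc/vsftpd.conf against the access, security and feature settings the README walks through, as an added example (not part of the vsftpd distribution or the original post). The names parse_conf, audit, EXPECTED and both sample strings are constructed for illustration, and the 1024 floor on the passive range is this example's assumption.

```python
# Added example: audit a vsftpd.conf against the INTERNET_SITE README values.
# parse_conf(), audit() and the samples are illustrative names, not vsftpd code.
EXPECTED = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
    "connect_from_port_20": "YES", "hide_ids": "YES", "xferlog_enable": "YES",
    "ls_recurse_enable": "NO", "ascii_download_enable": "NO",
}

def parse_conf(text):
    """Return (settings, errors); vsftpd treats spaces around '=' as an error."""
    settings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            errors.append(f"line {n}: malformed setting {line!r}")
            continue
        settings[key] = value
    return settings, errors

def audit(text):
    """Return findings (parse errors first, then checklist order); [] means no drift."""
    settings, findings = parse_conf(text)
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (README sets {want})")
        elif got.upper() != want:
            findings.append(f"{key}={got}: README sets {want}")
    # A firewall rule needs a bounded passive range (1024 floor: example's assumption).
    lo, hi = (settings.get(k, "") for k in ("pasv_min_port", "pasv_max_port"))
    if not (lo.isdigit() and hi.isdigit() and 1024 <= int(lo) <= int(hi) <= 65535):
        findings.append(f"pasv range unusable: min={lo!r} max={hi!r}")
    return findings

# Constructed sample: the README's access, security and feature settings.
README_CONF = """\
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
"""

# Constructed sample: the same file after three careless edits.
DRIFTED = (README_CONF.replace("\nwrite_enable=NO", "\nwrite_enable=YES")
           .replace("anon_upload_enable=NO", "anon_upload_enable = YES")
           .replace("hide_ids=YES\n", ""))
if __name__ == "__main__":
    for name, conf in (("README_CONF", README_CONF), ("DRIFTED", DRIFTED)):
        print(name, audit(conf) or "matches the README")
```

The malformed line is reported twice on purpose: once as a syntax error and once as a setting that is no longer explicitly pinned.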
------------------------------------------------------
$cat vsftpd.xinetd
# vsftpd is the secure FTP server.
service ftp
{
        disable                 = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/local/sbin/vsftpd
        per_source              = 5
        instances               = 200
        no_access               = 192.168.1.3
        banner_fail             = /etc/vsftpd.busy_banner
        log_on_success          += PID HOST DURATION
        log_on_failure          += HOST
}
-------------------------------------------------------------------------------
STANDALONE mode
-------------------------------------------------------------------------------
The files under ./EXAMPLE/INTERNET_SITE_NOINETD describe in detail how to configure vsftpd in standalone mode.
$less README
This example shows how to run vsftpd in "standalone" mode - i.e. without
needing to run an inetd of some kind (inetd, xinetd, tcpserver etc).
vsftpd has supported standalone mode since v1.1.0.
With the release of v1.1.3, the feature list of standalone mode has grown so
that large internet sites no longer need to use an inetd.
Previously, large internet sites were forced to use xinetd for the important
feature of "limit number of concurrent connections from a single IP address".
Unfortunately, there seem to be xinetd stability issues - various larger
sites are reporting that xinetd's session counting can go wrong and incorrectly
kick off users because it thinks the FTP site is full when it is not.
vsftpd now natively handles maximum session counts and maximum session per IP
counts. It can also do native access control via tcp_wrappers integration and
even per-connect-IP configurability.
To use this example config:
1) Copy the vsftpd.conf file in this directory to /etc/vsftpd.conf.
2) Start up vsftpd, e.g.
vsftpd &
3) That should be it!
The example vsftpd.conf is based on the vsftpd.conf from the INTERNET_SITE
example. Let's look at the differences (at the top):
# Standalone mode
listen=YES
This tells vsftpd to run in standalone mode. Do NOT try and run vsftpd from
an inetd with this option set - it won't work, you may well get 500 OOPS:
could not bind listening socket.
max_clients=200
max_per_ip=4
The maximum number of sessions is 200 (new clients will get refused with a
busy message). The maximum number of sessions from a single IP is 4 (the
5th connect will get refused with a suitable message).

One further note on standalone mode, regarding virtual IPs. This is very
easy - just run one copy of vsftpd per virtual IP (remembering to give each
a separate config file on the command line).
Distinguish which vsftpd is for which virtual IP with a setting like this
in the vsftpd.conf:
listen_address=192.168.1.2
And launch vsftpd with a specific config file like this:
vsftpd /etc/vsftpd.conf.site1 &
-----------------------------------------------------------------------------
Configuration file
$cat vsftpd.conf
# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
-----------------------------------------------------------------------------
Per-IP configuration (enabling this feature requires editing a file before running make, but it is very useful and definitely worth adding)
-----------------------------------------------------------------------------
Under ./EXAMPLE/PER_IP_CONFIG
$less README
This example should quickly show you the possibilities of per-IP configuration
with vsftpd's tcp_wrappers integration. This is new with v1.1.3.
To use this, you need vsftpd built with tcp_wrappers! This is accomplished
by editing "builddefs.h" and changing
#undef VSF_BUILD_TCPWRAPPERS
to
#define VSF_BUILD_TCPWRAPPERS
And then rebuild. If you are lucky your vendor will have shipped the vsftpd
binary with this already done for you.
Next, to enable tcp_wrappers integration, you need this in your vsftpd.conf:
tcp_wrappers=YES
And you'll need a tcp_wrappers config file. An example one is supplied in this
directory: hosts.allow. It lives at /etc/hosts.allow.
Let's have a look at the example:
vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf
vsftpd: 192.168.1.4: DENY
The first line:
If a client connects from 192.168.1.3, then vsftpd will apply the vsftpd
config file /etc/vsftpd_tcp_wrap.conf to the session! These settings are
applied ON TOP of the default vsftpd.conf.
This is obviously very powerful. You might use this to apply different
access restrictions for some IPs (e.g. the ability to upload).
Or you could give certain classes of IPs the ability to skip connection
limits (max_clients=0).
Or you could increase / decrease the bandwidth limiter for certain classes
of IPs.
You get the point :-)
The second line:
Denies the ability of 192.168.1.4 to connect. Very useful to take care of
troublemakers. And now you don't need xinetd to do it - hurrah.
-----------------------------------------------------------------------------
Sample configuration for the README above
$cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf
vsftpd: 192.168.1.4: DENY
-----------------------------------------------------------------------------
Virtual host configuration (VIRTUAL_HOSTS)
Under ./EXAMPLE/VIRTUAL_HOSTS
$less README
This example shows how you might set up virtual hosts. Virtual hosting is
where different clients access your machine on different IP addresses (virtual
IPs) and get redirected to different ftp sites.
For example, if your machine responds to two IPs - 127.0.0.1 and 127.0.0.2,
you could have the two different IPs represent two totally different FTP sites.
For this example, we are going to build on the "INTERNET_SITE" example.
Step 1) Set up a virtual IP address.
ifconfig eth0:1 192.168.1.10 up
(the standard IP address is 192.168.1.2)
(note - this isn't quite complete, the route for local connects hasn't been
added, but it will do for now)

Step 2) Create a user / location for the new virtual site.
useradd -d /var/ftp_site2 ftp_site2
chown root.root /var/ftp_site2
chmod a+rx /var/ftp_site2
umask 022
mkdir /var/ftp_site2/pub
echo "test" > /var/ftp_site2/pub/content

Step 3) Modify the existing site to respond to the primary IP.
Edit /etc/xinetd.d/vsftpd, and add the config line:
bind = 192.168.1.2

Step 4) Create the new site, responding on the virtual IP.
cp /etc/xinetd.d/vsftpd /etc/xinetd.d/vsftpd2
Edit vsftpd2, and change
- The bind line to refer to the IP address 192.168.1.10
- Add the line
server_args = /etc/vsftpd_site2.conf
This launches this FTP site with a different vsftpd configuration file.
cp /etc/vsftpd.conf /etc/vsftpd_site2.conf
Add two lines:
ftp_username=ftp_site2
ftpd_banner=This is the alternative FTP site.

Step 5) Restart xinetd and test!
/etc/rc.d/init.d/xinetd restart
[chris@localhost vsftpd]$ ftp 192.168.1.2
Connected to 192.168.1.2 (192.168.1.2).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.2:chris): [chris@localhost vsftpd]$
[chris@localhost vsftpd]$ ftp 192.168.1.2
Connected to 192.168.1.2 (192.168.1.2).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.2:chris):
530 This FTP server is anonymous only.
Login failed.
ftp> quit
221 Goodbye.
[chris@localhost vsftpd]$ ftp 192.168.1.10
Connected to 192.168.1.10 (192.168.1.10).
220 This is the alternative FTP site.
Name (192.168.1.10:chris):
530 This FTP server is anonymous only.
Login failed.
ftp>
-------------------------------------------------------------------------
Virtual user configuration (VIRTUAL_USERS), under ./EXAMPLE/VIRTUAL_USERS
 
$less README
This example shows how to set up vsftpd / PAM with "virtual users".
A virtual user is a user login which does not exist as a real login on the
system. Virtual users can therefore be more secure than real users, because
a compromised account can only use the FTP server.
Virtual users are often used to serve content that should be accessible to
untrusted users, but not generally accessible to the public.
Step 1) Create the virtual users database.
We are going to use pam_userdb to authenticate the virtual users. This needs
a username / password file in "db" format - a common database format.
To create a "db" format file, first create a plain text file with the
usernames and passwords on alternating lines.
See example file "logins.txt" - this specifies "tom" with password "foo" and
"fred" with password "bar".
Whilst logged in as root, create the actual database file like this:
db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
(Requires the Berkeley db program installed).
NOTE: Many systems have multiple versions of "db" installed, so you may
need to use e.g. db3_load for correct operation. This is known to affect
some Debian systems. The core issue is that pam_userdb expects its login
database to be a specific db version (often db3, whereas db4 may be installed
on your system).
This will create /etc/vsftpd_login.db. Obviously, you may want to make sure
the permissions are restricted:
chmod 600 /etc/vsftpd_login.db
For more information on maintaining your login database, look around for
documentation on "Berkeley DB", e.g.

Step 2) Create a PAM file which uses your new database.
See the example file vsftpd.pam. It contains two lines:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
This tells PAM to authenticate users using our new database. Copy this PAM
file to the PAM directory - typically /etc/pam.d/
cp vsftpd.pam /etc/pam.d/ftp
(Note - if you set pam_service_name to e.g. vsftpd instead, you'll need to copy
to /etc/pam.d/vsftpd).

Step 3) Set up the location of the files for the virtual users.
useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite
We have created a user called "virtual" with a home directory "/home/ftpsite".
Let's add some content to this download area:
cp /etc/hosts /home/ftpsite
chown virtual.virtual /home/ftpsite/hosts

Step 4) Create your vsftpd.conf config file.
See the example in this directory. Let's go through it line by line:
anonymous_enable=NO
local_enable=YES
This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
These ensure that for security purposes, no write commands are allowed.
chroot_local_user=YES
This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above.
guest_enable=YES
guest_username=virtual
The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.
listen=YES
listen_port=10021
This puts vsftpd in "standalone" mode - i.e. not running from an inetd. This
means you just run the vsftpd executable and it will start up. This also
makes vsftpd listen for FTP requests on the non-standard port of 10021 (FTP
is usually 21).
pasv_min_port=30000
pasv_max_port=30999
These put a port range on passive FTP incoming requests - very useful if
you are configuring a firewall.
Copy the example vsftpd.conf file to /etc:
cp vsftpd.conf /etc/

Step 5) Start up vsftpd.
Go to the directory with the vsftpd binary in it, and:
./vsftpd
If all is well, the command will sit there. If all is not well, you will
likely see some error message.

Step 6) Test.
Launch another shell session (or background vsftpd with CTRL-Z and then "bg").
Here is an example of an FTP session:
ftp localhost 10021
Connected to localhost (127.0.0.1).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (localhost:chris): tom
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,117,135)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> size hosts
213 147
ftp>
Comments:
The password we gave was "foo".
Do not be alarmed by the "failed to open directory". That is because the
directory /home/ftpsite is not world readable (we could change this
behaviour if we wanted using anon_world_readable_only=NO but maybe we want
it this way for security).
We can see that we have access to the "hosts" file we copied into the virtual
FTP area, via the size command.
------------------------------------------------------------------------------
Configuration file for the virtual users' accounts and passwords: one line is the username, the next line is the password
$less logins.txt
tom  ----username
foo  ----passwd
fred ----username
bar  ----passwd
------------------------------------------------------------------------------
Configuration file for virtual users
$cat vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
listen_port=10021
pasv_min_port=30000
pasv_max_port=30999
-------------------------------------------------------------------------------
$cat vsftpd.pam
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
-------------------------------------------------------------------------------
Advanced virtual user settings
-------------------------------------------------------------------------------
$less README
This example shows how to extend the "VIRTUAL_USERS" example to reflect
a slightly more complex setup.
Let's assume that we want two types of virtual user - one that can only browse
and download content, and another that can upload new content as well as
download existing content.
To achieve this setup, we can make use of vsftpd's powerful per-user
configurability (new in v1.1.0).
In the previous virtual user example, we created two users - tom and fred.
Let's say that we want fred to have write access to upload new files whilst
tom can only download.
Step 1) Activate per-user configurability.
To activate this powerful vsftpd feature, add the following to
/etc/vsftpd.conf:
user_config_dir=/etc/vsftpd_user_conf
And, create this directory:
mkdir /etc/vsftpd_user_conf

Step 2) Give tom the ability to read all files / directories.
At the end of the last example, we noted that the virtual users can only
see world-readable files and directories. We could make the /home/ftpsite
directory world readable, and upload files with world-read permission. But
another way of doing this is giving tom the ability to download files which
are not world-readable.
For the tom user, supply a config setting override for
anon_world_readable_only:
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom
Check it out - login as tom and now "ls" will return a directory listing!
Log in as fred and it won't.
NOTE - restart vsftpd to pick up the config setting changes to
/etc/vsftpd.conf. (Advanced users can send SIGHUP to the vsftpd listener
process).

Step 3) Give fred the ability to read all files / directories and create
new ones but not interfere with existing files.
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/fred
echo "write_enable=YES" >> /etc/vsftpd_user_conf/fred
echo "anon_upload_enable=YES" >> /etc/vsftpd_user_conf/fred
Check it out - login as tom and you can't upload. Log in as fred and you can!
Try and delete a file as both tom and fred - you can't.
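The per-user overlay from Steps 1-3, worked through as an added example (not vsftpd's own code or part of the original post): it layers a user_config_dir file over the base virtual-user config and reports which rights the override adds. It relies on two facts from vsftpd.conf(5): virtual users get anonymous privileges unless virtual_use_local_privs is set, and every anon_* write option also needs write_enable=YES. The names rights(), escalations() and the sample strings are constructed for illustration.

```python
# Added example: which rights does a user_config_dir file add for a virtual user?
# rights(), escalations() and the sample strings are illustrative, not vsftpd code.
DEFAULTS = {"anon_world_readable_only": "YES"}  # default per vsftpd.conf(5)

def load(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    return dict(l.split("=", 1) for l in text.splitlines()
                if "=" in l and not l.startswith("#"))

def rights(base_text, user_text=""):
    """Effective rights once the per-user file is applied on top of the base."""
    conf = {**DEFAULTS, **load(base_text), **load(user_text)}

    def on(key):
        return conf.get(key, "NO").upper() == "YES"

    writable = on("write_enable")  # gate for every anon_* write option
    return {
        "read_non_world_readable": not on("anon_world_readable_only"),
        "upload": writable and on("anon_upload_enable"),
        "mkdir": writable and on("anon_mkdir_write_enable"),
        "delete_rename": writable and on("anon_other_write_enable"),
    }

def escalations(base_text, user_text):
    """Rights the per-user file grants that the base config does not."""
    before, after = rights(base_text), rights(base_text, user_text)
    return sorted(k for k in after if after[k] and not before[k])

# Base config from the VIRTUAL_USERS example plus Step 1's user_config_dir.
BASE = """\
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd_user_conf
"""
TOM = "anon_world_readable_only=NO\n"                      # Step 2
FRED = TOM + "write_enable=YES\nanon_upload_enable=YES\n"  # Step 3
# Constructed variant: fred's file with the write_enable line forgotten.
FRED_NO_GATE = TOM + "anon_upload_enable=YES\n"

if __name__ == "__main__":
    for name, text in (("tom", TOM), ("fred", FRED), ("no gate", FRED_NO_GATE)):
        print(name, escalations(BASE, text))
```

Running escalations() over every file in /etc/vsftpd_user_conf is a quick review of which virtual accounts hold more than download rights.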
--------------------------------------------------------------------------------