Category: LINUX

2011-03-23 14:47:14

1. sudo apt-get install proftpd and sudo apt-get install vsftpd


1. Install vsftpd

sudo apt-get install vsftpd

After installation an ftp directory is created under /srv/. At this point try browsing to ftp://<server IP address>; you should see an empty FTP space.

Notes:

(1) Many pages online say the ftp directory is created under /home, but that was not the case on my machine;

(2) /srv/ftp is the default login directory for anonymous users.

2. Edit the vsftpd.conf file

sudo gedit /etc/vsftpd.conf

Server configuration

1. Anonymous connections (standalone server)
Add the following entries to the /etc/vsftpd/vsftpd.conf configuration file:

anonymous_enable=yes (allow anonymous logins)

dirmessage_enable=yes (show the contents of .message when changing into a directory)

local_umask=022 (umask for files local users create over FTP; the default is 077)

connect_from_port_20=yes (PORT data connections originate from port 20) *

xferlog_enable=yes (enable logging of uploads and downloads)

xferlog_std_format=yes (use the standard xferlog format)

ftpd_banner=Moonlight Ftp Server (welcome banner)

pam_service_name=vsftpd (authentication method) *

listen=yes (standalone vsftpd server) *

Result: clients can connect to the FTP server but cannot upload or download.

Note: all of the logging and welcome-banner options are optional; the options marked with an asterisk are basic FTP settings that must be present whichever kind of account is used.

2. Enabling uploads on the anonymous FTP server
Add the following to the configuration file:

anon_upload_enable=yes (allow uploads)

anon_mkdir_write_enable=yes (allow creating directories and uploading files into them)

write_enable=yes (enable write permission for local users)

anon_other_write_enable=yes (give the anonymous account delete permission)


3. Enabling downloads on the anonymous server
Add the following to the configuration file:

anon_world_readable_only=no

Note: pay attention to the directory permissions. The anonymous account falls into the "other" class, so read, write and execute must be granted to others:
(R) read: download; (W) write: upload; (X) execute: without it the FTP directory cannot even be entered.

4. Local-user connections to the FTP server (standalone server)
Add the following to the configuration file:

local_enable=yes (local accounts can log in)

write_enable=no (local accounts cannot delete or modify files after logging in)

Result: local accounts can log in to the vsftpd server and have download and upload permission.
Note: after the entries that disable anonymous login are added, the anonymous account can still log in but cannot upload or download.

5. Restricting users to their own home directory
Make every local user chroot:

chroot_local_user=yes (all local accounts are confined to their own home directory)

Make only specified users chroot:

chroot_list_enable=yes (the names in the list file take effect)

local_root=/var/www/web (any path you choose)

chroot_list_file=/any/path/you/choose/vsftpd.chroot_list

Note: vsftpd.chroot_list is not created for you; create it yourself, and to control an account simply add its name to the file.

6. Restricting which local users may access FTP

userlist_enable=yes (use the user list to restrict access)

userlist_deny=no (users in the list are not allowed access)

userlist_file=/path/where/the/file/is/stored/ (location of the list file)

Note: with userlist_enable=yes the anonymous account cannot log in.

7. Security options

idle_session_timeout=600 (seconds; disconnect a user session after 10 minutes idle)

data_connection_timeout=120 (seconds; drop a data connection after 2 minutes idle)

accept_timeout=60 (seconds; drop a client after 1 minute idle)

connect_timeout=60 (seconds; a connection attempt is abandoned after 1 minute and must be retried)

local_max_rate=50000 (bytes/s; local user transfer rate 50K)

anon_max_rate=30000 (bytes/s; anonymous user transfer rate 30K)

pasv_min_port=50000 (restrict the ports used for client data connections
pasv_max_port=60000  to the range 50000 to 60000)

max_clients=200 (maximum number of FTP connections)

max_per_ip=4 (maximum number of connections per IP)

listen_port=5555 (accept connections on port 5555)


8. See who is logged in to FTP and kill their process

ps -xf | grep ftp

kill <PID>

Finally, restart the service:

sudo /etc/init.d/vsftpd restart

Problem encountered:
500 OOPS: vsftpd: refusing to run with writable anonymous root

Solution 1:
Solved. Let me describe how I went about it; most people probably know this already, but I still want to put it out there and share it. If anything is wrong, please point it out.
Thanks.
These are the three steps of the fix; the first is the one I had never understood, and it is the key point:
1. When I used the ftp command on the server I got the following message: 500 OOPS: vsftpd: refusing to run with writable anonymous root
so I found this article online:
"If the vsFTPd server has been started but a login test gives a message like the one below:
500 OOPS: vsftpd: refusing to run with writable anonymous root
this means the permissions on the ftp user's home directory are wrong and should be corrected;
[root@localhost ~]# more /etc/passwd |grep ftp
ftp:x:1000:1000:FTP User:/var/ftp:/sbin/nologin
We see that the ftp user's home directory is /var/ftp, and it is the permissions on this /var/ftp that cause the problem: this directory must not be opened up completely. It happens because you ran chmod 777 /var/ftp. If the ftp user's home directory does not exist, you will of course have to create it yourself.
As shown below, the FTP user's home directory must not be fully open to the owner, the group and others alike;
[root@localhost ~]# ls -ld /var/ftp
drwxrwxrwx 3 root root 4096 2005-03-23 /var/ftp
To correct this error, do the following;
[root@localhost ~]# chown root:root /var/ftp
[root@localhost ~]# chmod 755 /var/ftp
Some of you may ask: what about read, download and upload for anonymous users? That is simple too: create another directory under /var/ftp with permissions 777, then adjust vsftpd.conf and you are done; nothing difficult about it.
For security reasons vsFTPd does not allow the ftp user's home directory to be completely unrestricted; read the vsFTPd documentation and you will understand. Otherwise it could not be called the most secure FTP server, could it?"
2. Open ports 21 and 20 in the firewall.
3. Because I go online via ADSL with two network cards, the ip_conntrack_ftp module also has to be loaded; don't forget this.


None of that worked for me; in the end I just removed the /home/ftp directory outright:
# mkdir /home/ftp
# chmod 755 /home/ftp



# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=YES
anon_root=/home/ftp
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Using "root" for uploaded files is not
#
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# allow user to delete
anon_other_write_enable=yes

# allow user download
anon_world_readable_only=no
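As an added example (not code from the original post or from the vsftpd project), here is a small pre-flight check for a vsftpd.conf that catches the two things this post trips over: option names that are not all lowercase, which vsftpd rejects, and an anonymous root directory that is writable, which produces the 500 OOPS error above; it also reports the write permissions the configuration grants to anonymous users. The sample config and the directory modes are constructed, and anon_root_writable only approximates vsftpd's own access check.

```python
import stat

# Constructed sample: the post's final options plus one key written with a
# capital letter, which vsftpd rejects (option names are all lowercase and
# matched case-sensitively).
SAMPLE_CONF = """\
anonymous_enable=YES
anon_root=/home/ftp
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=yes
anon_world_readable_only=no
Local_umask=022
"""

def parse_vsftpd_conf(text):
    """Map key -> value for 'key=value' lines; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def is_yes(value):
    """vsftpd treats YES/yes/true/1 as true for boolean options."""
    return value[:1].lower() in ("y", "t", "1")

def anon_root_writable(mode, owned_by_ftp_user):
    """Approximate vsftpd's write-access test on the anonymous root: the ftp user
    can write if the directory is world-writable, or if it owns the directory
    and the owner write bit is set (group membership is not modelled)."""
    return bool(mode & stat.S_IWOTH) or (owned_by_ftp_user and bool(mode & stat.S_IWUSR))

def audit(conf, anon_root_mode, anon_root_owned_by_ftp=False):
    """Return findings for a parsed config plus the anonymous root's st_mode bits."""
    findings = [f"option {k!r} is not lowercase: vsftpd rejects it as an unrecognised variable"
                for k in conf if k != k.lower()]
    anon = is_yes(conf.get("anonymous_enable", "YES"))  # compiled-in default is YES
    if anon and anon_root_writable(anon_root_mode, anon_root_owned_by_ftp):
        findings.append("anonymous root is writable: login fails with "
                        "'500 OOPS: vsftpd: refusing to run with writable anonymous root'")
    if anon and is_yes(conf.get("write_enable", "NO")):
        if is_yes(conf.get("anon_upload_enable", "NO")):
            findings.append("anonymous users can upload files")
        if is_yes(conf.get("anon_other_write_enable", "NO")):
            findings.append("anonymous users can delete and rename files")
    return findings
```

On a live system, pass the result of os.stat(conf["anon_root"]).st_mode and compare st_uid with the ftp user's uid to fill in the two directory arguments.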


