1、sudo apt-get install proftpd 和 sudo apt-get install vsftpd
安
装
1、安装vsftpd
sudo apt-get install vsftpd
安装了之后会在/srv/下建立一个ftp目录,这时候你可以试着访问下ftp://IP地址,应该可以看到一个空白内容的ftp空间。
说明:
(1)网上很多都说是在/home目录下产生ftp目录,可我的机子不是;
(2)/srv/ftp 目录为默认匿名用户的登陆目录
2、设置 vsftpd.conf文件
sudo gedit /etc/vsftpd.conf
服务器的配置
1. 匿名服务器的连接(独立的服务器)
在/etc/vsftpd/vsftpd.conf配置文件中添加如下几项:
Anonymous_enable=yes (允许匿名登陆)
Dirmessage_enable=yes (切换目录时,显示目录下.message的内容)
Local_umask=022 (FTP上本地的文件权限,默认是077)
Connect_form_port_20=yes (启用FTP数据端口的数据连接)*
Xferlog_enable=yes (激活上传和下传的日志)
Xferlog_std_format=yes (使用标准的日志格式)
Ftpd_banner=Moonlight Ftp Server (欢迎信息)
Pam_service_name=vsftpd (验证方式)*
Listen=yes (独立的VSFTPD服务器)*
功能:只能连接FTP服务器,不能上传和下传
注:其中所有和日志欢迎信息相关连的都是可选项,打了星号的无论什么帐户都要添加,是属于FTP的基本选项
2. 开启匿名FTP服务器上传权限
在配置文件中添加以下的信息即可:
Anon_upload_enable=yes (开放上传权限)
Anon_mkdir_write_enable=yes (可创建目录的同时可以在此目录中上传文件)
Write_enable=yes (开放本地用户写的权限)
Anon_other_write_enable=yes (匿名帐号可以有删除的权限)
3. 开启匿名服务器下传的权限
在配置文件中添加如下信息即可:
Anon_world_readable_only=no
注:要注意文件夹的属性,匿名帐户是其它(other)用户要开启它的读写执行的权限
(R)读-----下传 (W)写----上传 (X)执行----如果不开FTP的目录都进不去
4.普通用户FTP服务器的连接(独立服务器)
在配置文件中添加如下信息即可:
Local_enble=yes (本地帐户能够登陆)
Write_enable=no (本地帐户登陆后无权删除和修改文件)
功能:可以用本地帐户登陆vsftpd服务器,有下载上传的权限
注:在禁止匿名登陆的信息后匿名服务器照样可以登陆但不可以上传下传
5. 用户登陆限制进其它的目录,只能进它的主目录
设置所有的本地用户都执行chroot
Chroot_local_user=yes (本地所有帐户都只能在自家目录)
设置指定用户执行chroot
Chroot_list_enable=yes (文件中的名单可以调用)
local_root=/var/www/web (路径自定义)
Chroot_list_file=/任意指定的路径/vsftpd.chroot_list
注意:vsftpd.chroot_list 是没有创建的需要自己添加,要想控制帐号就直接在文件中加帐号即可
6. 限制本地用户访问FTP
Userlist_enable=yes (用userlistlai 来限制用户访问)
Userlist_deny=no (名单中的人不允许访问)
Userlist_file=/指定文件存放的路径/ (文件放置的路径)
注:开启userlist_enable=yes匿名帐号不能登陆
7. 安全选项
Idle_session_timeout=600(秒) (用户会话空闲后10分钟)
Data_connection_timeout=120(秒) (将数据连接空闲2分钟断)
Accept_timeout=60(秒) (将客户端空闲1分钟后断)
Connect_timeout=60(秒) (中断1分钟后又重新连接)
Local_max_rate=50000(bite) (本地用户传输率50K)
Anon_max_rate=30000(bite) (匿名用户传输率30K)
Pasv_min_port=50000 (将客户端的数据连接端口改在
Pasv_max_port=60000 50000—60000之间)
Max_clients=200 (FTP的最大连接数)
Max_per_ip=4 (每IP的最大连接数)
Listen_port=5555 (从5555端口进行数据连接)
8. 查看谁登陆了FTP,并杀死它的进程
ps –xf |grep ftp
kill 进程号
=============================================
最后重启动服务
sudo /etc/init.d/vsftpd restart ==========================================
出现问题:
500 OOPS: vsftpd: refusing to run with writable anonymous root
解决方案一、
已解决,我说一下我解决的过程,也许大多数知,但我还是想说出来,与大家共享一下/如有不对的地方,欢迎大家指出/
谢谢.
以下就是解决的三个步骤,其中第一步,是我一直没有搞明白的,也是其中的重点:
1当时我在服务器上用命令ftp时,出现了以下的提示500 OOPS: vsftpd: refusing to run with writable anonymous root
所以在网上找到了这一篇文章:
"如果我们已经把vsFTPd服务器启动好了,但登录测试是会出现类似下面的提示;
500 OOPS: vsftpd: refusing to run with writable anonymous root
这表示ftp用户的家目录的权限不对,应该改过才对;
[root@localhost ~]# more /etc/passwd |grep ftp
ftp:x:1000:1000:FTP User:/var/ftp:/sbin/nologin
我们发现ftp用户的家目录在/var/ftp,就是这个/var/ftp的权限不对所致,这个目录的权限是不能打开所有权限的;是您运行了chmod 777 /var/ftp所致;如果没有ftp用户这个家目录,当然您要自己建一个;
如下FTP用户的家目录是不能针对所有用户、用户组、其它用户组完全开放;
[root@localhost ~]# ls -ld /var/ftp
drwxrwxrwx 3 root root 4096 2005-03-23 /var/ftp
修正这个错误,应该用下面的办法;
[root@localhost ~]# chown root:root /var/ftp
[root@localhost ~]# chmod 755 /var/ftp
有的弟兄可能会说,那匿名用户的可读、可下载、可上传怎么办呢?这也简单,在/var/ftp下再建一个目录,权限是777的就行了,再改一改vsftpd.conf就OK了;没有什么难的;
vsFTPd出于安全考虑,是不准让ftp用户的家目录的权限是完全没有限制的,您可以去读一下vsFTPd的文档就明白的了;否则也不能称为最安全的FTP服务器了,对不对?"
2:防火墙的打开相应的端口21,20
3:因为我是adsl双网卡上网的形式,所以还要加载ip_conntrack_ftp这个模块/这个不要忘了.
对老夫的没用,最后只能直接删除/home/ftp目录
# mkdir /home/ftp
# chmod 755 /home/ftp
- # Example config file /etc/vsftpd.conf
- #
- # The default compiled in settings are fairly paranoid. This sample file
- # loosens things up a bit, to make the ftp daemon more usable.
- # Please see vsftpd.conf.5 for all compiled in defaults.
- #
- # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
- # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
- # capabilities.
- #
- #
- # Run standalone? vsftpd can run either from an inetd or as a standalone
- # daemon started from an initscript.
- listen=YES
- #
- # Run standalone with IPv6?
- # Like the listen parameter, except vsftpd will listen on an IPv6 socket
- # instead of an IPv4 one. This parameter and the listen parameter are mutually
- # exclusive.
- #listen_ipv6=YES
- #
- # Allow anonymous FTP? (Disabled by default)
- anonymous_enable=YES
- anon_root=/home/ftp
- #
- # Uncomment this to allow local users to log in.
- local_enable=YES
- #
- # Uncomment this to enable any form of FTP write command.
- write_enable=YES
- #
- # Default umask for local users is 077. You may wish to change this to 022,
- # if your users expect that (022 is used by most other ftpd's)
- local_umask=022
- #
- # Uncomment this to allow the anonymous FTP user to upload files. This only
- # has an effect if the above global write enable is activated. Also, you will
- # obviously need to create a directory writable by the FTP user.
- anon_upload_enable=YES
- #
- # Uncomment this if you want the anonymous FTP user to be able to create
- # new directories.
- anon_mkdir_write_enable=YES
- #
- # Activate directory messages - messages given to remote users when they
- # go into a certain directory.
- dirmessage_enable=YES
- #
- # If enabled, vsftpd will display directory listings with the time
- # in your local time zone. The default is to display GMT. The
- # times returned by the MDTM FTP command are also affected by this
- # option.
- use_localtime=YES
- #
- # Activate logging of uploads/downloads.
- xferlog_enable=YES
- #
- # Make sure PORT transfer connections originate from port 20 (ftp-data).
- connect_from_port_20=YES
- #
- # If you want, you can arrange for uploaded anonymous files to be owned by
- # a different user. Using "root" for uploaded files is not
- #
- #chown_uploads=YES
- #chown_username=whoever
- #
- # You may override where the log file goes if you like. The default is shown
- # below.
- #xferlog_file=/var/log/vsftpd.log
- #
- # If you want, you can have your log file in standard ftpd xferlog format.
- # Note that the default log file location is /var/log/xferlog in this case.
- xferlog_std_format=YES
- #
- # You may change the default value for timing out an idle session.
- #idle_session_timeout=600
- #
- # You may change the default value for timing out a data connection.
- #data_connection_timeout=120
- #
- # It is recommended that you define on your system a unique user which the
- # ftp server can use as a totally isolated and unprivileged user.
- #nopriv_user=ftpsecure
- #
- # Enable this and the server will recognise asynchronous ABOR requests. Not
- # recommended for security (the code is non-trivial). Not enabling it,
- # however, may confuse older FTP clients.
- #async_abor_enable=YES
- #
- # By default the server will pretend to allow ASCII mode but in fact ignore
- # the request. Turn on the below options to have the server actually do ASCII
- # mangling on files when in ASCII mode.
- # Beware that on some FTP servers, ASCII support allows a denial of service
- # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
- # predicted this attack and has always been safe, reporting the size of the
- # raw file.
- # ASCII mangling is a horrible feature of the protocol.
- #ascii_upload_enable=YES
- #ascii_download_enable=YES
- #
- # You may fully customise the login banner string:
- ftpd_banner=Welcome to blah FTP service.
- #
- # You may specify a file of disallowed anonymous e-mail addresses. Apparently
- # useful for combatting certain DoS attacks.
- #deny_email_enable=YES
- # (default follows)
- #banned_email_file=/etc/vsftpd.banned_emails
- #
- # You may restrict local users to their home directories. See the FAQ for
- # the possible risks in this before using chroot_local_user or
- # chroot_list_enable below.
- #chroot_local_user=YES
- #
- # You may specify an explicit list of local users to chroot() to their home
- # directory. If chroot_local_user is YES, then this list becomes a list of
- # users to NOT chroot().
- #chroot_local_user=YES
- #chroot_list_enable=YES
- # (default follows)
- #chroot_list_file=/etc/vsftpd.chroot_list
- #
- # You may activate the "-R" option to the builtin ls. This is disabled by
- # default to avoid remote users being able to cause excessive I/O on large
- # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
- # the presence of the "-R" option, so there is a strong case for enabling it.
- #ls_recurse_enable=YES
- #
- # Debian customization
- #
- # Some of vsftpd's settings don't fit the Debian filesystem layout by
- # default. These settings are more Debian-friendly.
- #
- # This option should be the name of a directory which is empty. Also, the
- # directory should not be writable by the ftp user. This directory is used
- # as a secure chroot() jail at times vsftpd does not require filesystem
- # access.
- secure_chroot_dir=/var/run/vsftpd/empty
- #
- # This string is the name of the PAM service vsftpd will use.
- pam_service_name=vsftpd
- #
- # This option specifies the location of the RSA certificate to use for SSL
- # encrypted connections.
- rsa_cert_file=/etc/ssl/private/vsftpd.pem
- # allow user to delete
- anon_other_write_enable=yes
- #allow user download
- anon_world_readable_only=no