FTP服务器配置
FTP协议简介
FTP(File Transfer Protocol,文件传输协议) 是 TCP/IP 协议组中的协议之一。FTP协议包括两个组成部分,其一为FTP服务器,其二为FTP客户端。其中FTP服务器用来存储文件,用户可以使用FTP客户端通过FTP协议访问位于FTP服务器上的资源。在开发网站的时候,通常利用FTP协议把网页或程序传到Web服务器上。此外,由于FTP传输效率非常高,在网络上传输大的文件时,一般也采用该协议。
默认情况下FTP协议使用TCP端口中的 20和21这两个端口,其中20用于传输数据,21用于传输控制信息。但是,是否使用20作为传输数据的端口与FTP使用的传输模式有关,如果采用主动模式,那么数据传输端口就是20;如果采用被动模式,则具体最终使用哪个端口要服务器端和客户端协商决定。
工作方式
FTP支持两种模式,一种方式叫做Standard (也就是 PORT方式,主动方式),一种是 Passive(也就是PASV,被动方式)。 Standard模式 FTP的客户端发送 PORT 命令到FTP服务器。Passive模式FTP的客户端发送 PASV命令到 FTP Server。
下面介绍一下这两种方式的工作原理:
Port
FTP 客户端首先和FTP服务器的TCP 21端口建立连接,通过这个通道发送命令,客户端需要接收数据的时候在这个通道上发送PORT命令。 PORT命令包含了客户端用什么端口接收数据。在传送数据的时候,服务器端通过自己的TCP 20端口连接至客户端的指定端口发送数据。 FTP server必须和客户端建立一个新的连接用来传送数据。
Passive
在建立控制通道的时候和Standard模式类似,但建立连接后发送的不是Port命令,而是Pasv命令。FTP服务器收到Pasv命令后,随机打开一个高端端口(端口号大于1024)并且通知客户端在这个端口上传送数据的请求,客户端连接FTP服务器此端口,通过三次握手建立通道,然后FTP服务器将通过这个端口进行数据的传送。
很多防火墙在设置的时候都是不允许接受外部发起的连接的,所以许多位于防火墙后或内网的FTP服务器不支持PASV模式,因为客户端无法穿过防火墙打开FTP服务器的高端端口;而许多内网的客户端不能用PORT模式登陆FTP服务器,因为从服务器的TCP 20无法和内部网络的客户端建立一个新的连接,造成无法工作。
搭建服务器具体步骤
步骤一
关闭防火墙 和selinux
步骤二
yum -y install vsftpd
步骤三
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#匿名用户访问,YES是允许,NO是拒绝
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# 本地用户登录,YES是允许,NO是拒绝.默认访问的是本地用户家目录,如果你开启了selinux
# 请设置开启布尔值ftp_home_dir为ON
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#:q
#允许本地用户上传
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# 上传的权限是022,使用的是umask权限。对应的目录是755,文件是644
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
# 开启匿名用户上传功能,默认是拒绝的
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# 开启匿名用户创建文件或文件夹权限
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 开启目录欢迎消息,一般对命令行登陆有效
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 开启上传和下载日志记录功能
xferlog_enable=YES
#
#使用标准模式
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# 声明匿名用户上传文件的所有者
# 允许更改匿名用户上传文件的所有者
#chown_uploads=YES
#所有者为whoever
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# 日志文件路径
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件采用标准格式
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# 会话超时时间
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# 数据传输超时时间
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# FTP子进程管理用户
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# 是否允许客户端发起“async ABOR”请求,该操作是不安全的默认禁止。
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# 该选项用于指定是否允许上传时以ASCII模式传输数据
#ascii_upload_enable=YES
#该选项用于指定是否允许下载时以ASCII模式传输数据
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# FTP文本界面登陆欢迎词
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# 是否开启拒绝的Email功能
#deny_email_enable=YES
# (default follows)
# 指定保存被拒接的Email地址的文件
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# 是否开启对本地用户chroot的限制,YES为默认所有用户都不能切出家目录,NO代表默认用户都可以切出家目录
# 设置方法类似于:YES拒绝所有,允许个别 NO 允许所有拒绝个别
#chroot_local_user=YES
#开启特例列表
#chroot_list_enable=YES
# (default follows)
# 如果chroot_local_user的值是YES则该文件中的用户是可以切出家目录,如果是NO,该文件中的用户则不能切出家目录
# 一行一个用户。
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# 是否开启ls 递归查询功能 ls -R
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# 是否开启ftp独立模式在IPV4
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 是否开启ftp独立模式在ipv6
listen_ipv6=YES
#启用pam模块验证
pam_service_name=vsftpd
#是否开启userlist功能.
#对列表中的用户做定义
userlist_deny=NO
#NO拒绝所有人访问,对应列表中的用户可以访问,YES允许所有人访问,列表中的用户无法访问。
#只有userlist_file=/etc/vsftpd/user_list定义的用户才可以访问或拒绝访问
userlist_enable=YES
#是否开启tcp_wrappers管理,TCP_Wrappers是一个工作在第四层(传输层)的的安全工具,
#对有状态连接的特定服务进行安全检测并实现访问控制
tcp_wrappers=YES
启动 FTP服务
1. 设置开机启动
2. [root@baism ~]# systemctl enable vsftpd
3. Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
4.
5. 启动vsftp服务
6. [root@baism ~]# systemctl start vsftpd
7.
8. 验证启动
9. [root@baism ~]# lsof -i :21
10. COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
11. vsftpd 1951 root 4u IPv6 32837 0t0 TCP *:ftp (LISTEN)
12.
13. 重启vsftpd
14. [root@baism dhcp]# systemctl restart vsftpd
FTP客户端访问
l 浏览器:可以通过浏览器中输入 ftp://ip或者ftp://域名的方式来访问FTP
实现:匿名用户登录:下载文件
本地用户登录:上传下载文件
l 自带客户端:命令行下可以使用ftp命令去连接
(1)软件包安装
yum -y install lrzsz //安装上传下载命令 rz sz
yum -y remove lrzsz
下载ftp-0.17-51.1.el6.x86_64.rpm,下载地址:http://rpm.pbone.net/index.php3/stat/4/idpl/15988817/dir/scientific_linux_6/com/ftp-0.17-51.1.el6.x86_64.rpm.html;
rz –E //从windows上传到linux
也可使用wget命令下载:
wget http://rpm.pbone.net/index.php3/stat/4/idpl/15988817/dir/scientific_linux_6/com/ftp-0.17-51.1.el6.x86_64.rpm.html;
cp ftp-0.17-51.1.el6.x86_64.rpm /usr/local/src
rpm -ivh /usr/local/src/ftp-0.17-51.1.el6.x86_64.rpm
(2)yum -y install ftp
文本登录界面
1. 文本界面匿名登录
2. [root@baism ~]# ftp 10.0.0.200
3. Connected to 10.0.0.200 (10.0.0.200).
4. 220 (vsFTPd 3.0.2)
5. Name (10.0.0.200:root): ftp #账号选ftp或者anonymous都可以
6. 331 Please specify the password.
7. Password: #密码随便输入一个email地址即可
8. 230 Login successful. #显示登陆成功
9. Remote system type is UNIX.
10. Using binary mode to transfer files.
11.
12. ftp> ls
13. 227 Entering Passive Mode (10,0,0,200,217,135).
14. 150 Here comes the directory listing.
15. drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
16. 226 Directory send OK.
17. 通过ls可以列出当前目录下有哪些内容 看到有一个目录叫pub
18.
19. ftp> pwd
20. 257 "/"
21. 通过pwd命令查看当前路径 注意这里显示的是FTP的根目录
22.
23. ftp> bye
24. 221 Goodbye.
25. 退出使用bye命令
26.
27. 文本界面本地用户登录(服务器端用户)
28. [root@baism ~]# ftp 10.0.0.200
29. Connected to 10.0.0.200 (10.0.0.200).
30. 220 (vsFTPd 3.0.2)
31. Name (192.168.11.16:root): baism
32. 331 Please specify the password.
33. Password:
34. 230 Login successful.
35. Remote system type is UNIX.
36. Using binary mode to transfer files.
37.
38. ftp> pwd
39. 257 "/home/baism"
40. 默认登陆的是用户的家目录
FTP客户端使用
1. 键入help命令可以查看所有可使用的命令
2. ftp> help
3. Commands may be abbreviated. Commands are:
4.
5. ! debug mdir sendport site
6. $ dir mget put size
7. account disconnect mkdir pwd status
8. append exit mls quit struct
9. ascii form mode quote system
10. bell get modtime recv sunique
11. binary glob mput reget tenex
12. bye hash newer rstatus tick
13. case help nmap rhelp trace
14. cd idle nlist rename type
15. cdup image ntrans reset user
16. chmod lcd open restart umask
17. close ls prompt rmdir verbose
18. cr macdef passive runique ?
19. delete mdelete proxy send
20.
21.
22. !+linux命令 执行系统命令
23. !ls /opt 显示linux系统中/opt目录下的内容
24. ftp> !ls /opt
25. dhcp dns rh
26.
27.
28. lcd 切换linux系统中的当前目录
29. lcd /root 将linux系统中的当前目录切换到/root下
30. ftp> lcd /root
31. Local directory now /root
32.
33.
34. put 上传命令,mput批量上传命令
35. 上传initial-setup-ks.cfg文件到biasm家目录下
36. ftp> put initial-setup-ks.cfg
37. local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
38. 227 Entering Passive Mode (10,0,0,200,122,242).
39. 150 Ok to send data.
40. 226 Transfer complete.
41. 1803 bytes sent in 0.00135 secs (1333.58 Kbytes/sec)
42. 可以看到上传成功了
43.
44. 验证一下上传结果
45. ftp> ls
46. 227 Entering Passive Mode (10,0,0,200,122,242).
47. 150 Here comes the directory listing.
48. -rw-r--r-- 1 1000 1000 1803 Feb 26 07:01 initial-setup-ks.cfg
49. 226 Directory send OK.
50.
51. 切换linux当前目录到/tmp
52. ftp> lcd /tmp
53. Local directory now /tmp
54.
55. get下载命令,mget批量下载
56. 下载initial-setup-ks.cfg到linux系统当前目录/tmp
57. ftp> get initial-setup-ks.cfg
58. local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
59. 227 Entering Passive Mode (10,0,0,200,122,242).
60. 150 Opening BINARY mode data connection for initial-setup-ks.cfg (1803 bytes).
61. 226 Transfer complete.
62. 1803 bytes received in 2.9e-05 secs (62172.41 Kbytes/sec)
63.
64. ftp> ls
65. Not connected.
66. 当连接断开希望再次连接直接使用open命令即可
67. ftp> open 10.0.0.200
68. Connected to 10.0.0.200 (10.0.0.200).
69. 220 (vsFTPd 3.0.2)
70. Name (10.0.0.200:root): baism
71. 331 Please specify the password.
72. Password:
73. 230 Login successful.
74. Remote system type is UNIX.
75. Using binary mode to transfer files.
76.
77.
78. delete命令可以删除属于自己的文件
79. 删除initial-setup-ks.cfg文件
80. ftp> delete initial-setup-ks.cfg
81. 250 Delete operation successful.
82. ftp> ls
275
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
