任何需要具有较高执行权限的 vsftpd 指令均以一支特殊的上层程序所控制
相关文件列表
? /etc/vsftpd/vsftpd.conf
? /etc/pam.d/vsftpd
? /etc/vsftpd/ftpusers
? /etc/vsftpd/user_list 这个档案是否能够生效与 vsftpd.conf 内的两个参数有关,分别是『 userlist_enable, userlist_deny 』。
? /etc/vsftpd/chroot_list 这个档案预设是不存在的,所以你必须要手动自行建立。这个档案要生效与 vsftpd.conf 内的『 chroot_list_enable, chroot_list_file 』两个参数有关
配置参数解析:
1 guest_enable=YES (NO) -- 若这个值设定为 YES 时,那么任何实体账号,均会被假设成为 guest 喔 (所以预设是不开放的)!
guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the
guest_username setting.
Default: NO
2 chroot_list_enable -- 注意,这个参数因 chroot_local_user 的设置而含义相反。
chroot_list_enable
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The
meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT
to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override
this with the chroot_list_file setting.
Default: NO
3.use_localtime=YES
场景模拟1:让匿名者仅具有上传权限,不可下载匿名者上传的东西
1、修改配置文件vsftpd.conf
chown_upload_mode=0600
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
效果:匿名用户上传的文件,其属主将变更为daemon,而匿名用户不能读取daemon用户的文件,所以无法下载。
附参数释义,摘自man vsftpd.conf
chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username.
This is useful from an administrative, and perhaps security, standpoint.
Default: NO
chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another
option, chown_uploads, is set.
Default: root
chown_upload_mode
The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6).
Default: 0600
2、重启vsftpd服务
场景模拟2:让 vsftpd 增加 SSL 的加密功能
1、建立专门给 vsftpd 使用的凭证数据:
cd /etc/pki/tls/certs
make vsftpd.pem
cp -a vsftpd.pem /etc/vsftpd/
ll /etc/vsftpd/vsftpd.pem
2、修改 vsftpd.conf 的配置文件
# 针对 SSL 所加入的特别参数!每个项目都很重要!
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
3、重启vsftpd服务
相关文件列表
? /etc/vsftpd/vsftpd.conf
? /etc/pam.d/vsftpd
? /etc/vsftpd/ftpusers
? /etc/vsftpd/user_list 这个档案是否能够生效与 vsftpd.conf 内的两个参数有关,分别是『 userlist_enable, userlist_deny 』。
? /etc/vsftpd/chroot_list 这个档案预设是不存在的,所以你必须要手动自行建立。这个档案要生效与 vsftpd.conf 内的『 chroot_list_enable, chroot_list_file 』两个参数有关
配置参数解析:
1 guest_enable=YES (NO) -- 若这个值设定为 YES 时,那么任何实体账号,均会被假设成为 guest 喔 (所以预设是不开放的)!
guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the
guest_username setting.
Default: NO
2 chroot_list_enable -- 注意,这个参数因 chroot_local_user 的设置而含义相反。
chroot_list_enable
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The
meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT
to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override
this with the chroot_list_file setting.
Default: NO
3.use_localtime=YES
场景模拟1:让匿名者仅具有上传权限,不可下载匿名者上传的东西
1、修改配置文件vsftpd.conf
chown_upload_mode=0600
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
效果:匿名用户上传的文件,其属主将变更为daemon,而匿名用户不能读取daemon用户的文件,所以无法下载。
附参数释义,摘自man vsftpd.conf
chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username.
This is useful from an administrative, and perhaps security, standpoint.
Default: NO
chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another
option, chown_uploads, is set.
Default: root
chown_upload_mode
The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6).
Default: 0600
2、重启vsftpd服务
场景模拟2:让 vsftpd 增加 SSL 的加密功能
1、建立专门给 vsftpd 使用的凭证数据:
cd /etc/pki/tls/certs
make vsftpd.pem
cp -a vsftpd.pem /etc/vsftpd/
ll /etc/vsftpd/vsftpd.pem
2、修改 vsftpd.conf 的配置文件
# 针对 SSL 所加入的特别参数!每个项目都很重要!
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
3、重启vsftpd服务
88
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
