Pitfalls encountered while setting up FTP with vsftpd


Requirement: access FTP in passive mode; each user may only access the contents of their own home directory and must not be able to change to any directory outside it.

Also, a few recommended FTP (SFTP) tools for Windows:

1. Freeftp (ftp + sftp; best for beginners, simple, suitable when there are no permission requirements)

2. FileZilla (ftp; allows detailed configuration of user permissions and directory permissions)

3. Titan FTP (ftp + sftp and more; very complete feature set, takes some time to learn)

1. Installing and starting vsftpd

1.1 Install vsftpd

yum install -y vsftpd

1.2 Start vsftpd

CentOS 6: service vsftpd start
CentOS 7: systemctl start vsftpd

1.3 Enable start on boot

CentOS 6: chkconfig vsftpd on

CentOS 7: systemctl enable vsftpd

2. Understanding the configuration file vsftpd.conf

Default location of the configuration file: /etc/vsftpd/vsftpd.conf (the trailing # notes below are annotations for this post; vsftpd does not accept a comment after a value on the same line, so do not copy them into the real file)

anonymous_enable=YES                         # allow anonymous logins
local_enable=YES                             # let system users of the vsftpd host log in
write_enable=YES                             # allow any FTP command that modifies the filesystem
local_umask=022                              # umask applied to files created by local users
#anon_upload_enable=YES                      # may anonymous users upload files
#anon_mkdir_write_enable=YES                 # may anonymous users create directories
dirmessage_enable=YES                        # show the directory message when a user enters a directory
xferlog_enable=YES                           # keep a log file recording every upload and download
connect_from_port_20=YES                     # active-mode data connections originate from port 20
#chown_uploads=YES                           # change the owner of anonymous uploads (default NO); with chown_uploads=YES but no chown_username set, anon_umask does not take effect
#chown_username=whoever                      # owner to assign to anonymous uploads
#xferlog_file=/var/log/xferlog               # log file location
xferlog_std_format=YES                       # write the log in standard xferlog format
#idle_session_timeout=600                    # disconnect after this many seconds without activity (600 = 10 minutes)
#data_connection_timeout=120                 # data transfer timeout in seconds
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
#chroot_local_user=YES                       # confine all local users to their home directory; YES = enabled (only that directory tree is reachable), default NO = users may cd anywhere
#chroot_list_enable=YES                      # enable the user list; with YES only the users in chroot_list cannot change directory, with NO chroot_list has no effect
#chroot_list_file=/etc/vsftpd/chroot_list
#ls_recurse_enable=YES
listen=NO                                    # no IPv4-only socket; with listen_ipv6=YES below the IPv6 socket also accepts IPv4 clients
listen_ipv6=YES

pam_service_name=vsftpd                      # name of the PAM service (file under /etc/pam.d/)
userlist_enable=YES                          # enable the user list named by userlist_file (its meaning depends on userlist_deny)
tcp_wrappers=YES                             # honour tcp_wrappers access control (/etc/hosts.allow, /etc/hosts.deny)

3. Configuration and debugging

3.1 Anonymous login

(1) With anonymous_enable=YES the default user is ftp with an empty password, and the default directory is /var/ftp. Local anonymous login test right after installation:

[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

(2) Local user login test, using the root user (reports a 530 error):

[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

(3) Temporarily disable the firewall

CentOS 6: service iptables stop
CentOS 7: systemctl stop firewalld

(4) When userlist_enable=YES (which turns the feature on), use userlist_deny to control users with either a whitelist or a blacklist: userlist_deny=YES (blacklist, the default) or userlist_deny=NO (whitelist).

userlist_enable=YES                 # enable list-based user control
userlist_deny=NO                    # use the file as a whitelist (YES: blacklist)
userlist_file=/etc/vsftpd/user_list # whitelist (or blacklist) file

(5) By default vsftpd listens on IPv6, which does not affect normal use; to switch to IPv4, change it as follows:

listen=YES       # enable IPv4 listening
#listen_ipv6=YES # disable IPv6 listening

(6) Note that with all of the above configured you would expect to be able to connect, yet it still reports a 530 error:

[root@bogon ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (127.0.0.1:root): root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

The cause is the following line in /etc/pam.d/vsftpd:

auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

That is, /etc/vsftpd/ftpusers is evaluated strictly by the rules of the pam_listfile.so module: if a user appears in the file the check returns false, i.e. the login is refused (in short, it is a blacklist file), so its effect is the same as userlist_deny=NO. The root user used for testing is in that list, so simply removing the user from this file lets it log in normally.

(7) If the user you created cannot log in to the system, for example: useradd -d /home/ftptest1 -m -s /bin/nologin ftpuser

then, if the authentication configuration /etc/pam.d/vsftpd contains the line auth required pam_shells.so, that module's check will also produce 530 Login incorrect. If you keep that module you need to add the FTP user's shell, /bin/nologin, to /etc/shells; here we skip that check instead and change the line to: auth required pam_nologin.so

Note: there is one more possible cause of 530 Login incorrect, and that is file permissions. This was discovered later: a colleague, for convenience, had changed the permissions of the vsftpd configuration files to 777, which caused this error; the files in question are those under /etc/vsftpd. The correct file permissions right after installation are:

[root@localhost ~]# ll /etc/vsftpd/
total 20
-rw-------. 1 root root  125 Mar 22  2017 ftpusers
-rw-------. 1 root root  361 Mar 22  2017 user_list
-rw-------. 1 root root 4599 Mar 22  2017 vsftpd.conf
-rwxr--r--. 1 root root  338 Mar 22  2017 vsftpd_conf_migrate.sh
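The three login gates discussed in (4), (6) and (7) interact, and it is easy to forget which one is answering 530. The following shell function is an added example, not part of the original post: it reads the relevant settings from a vsftpd.conf and the two list files, plus /etc/shells for the pam_shells case, and prints every gate that would refuse the given user. File paths are parameters so it can be run against copies; the fallback path /etc/vsftpd/user_list when userlist_file is unset is taken from the ll listing above and is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: predict which of the three
# login gates discussed above would answer "530 Login incorrect".
#   $1 user  $2 vsftpd.conf  $3 ftpusers (pam_listfile deny list)
#   $4 shells file (pam_shells)  $5 login shell (optional; default: getent)
# Prints one "deny:" line per gate that rejects; exit 0 = no gate rejects.

# Last uncommented value of key $2 in config file $1 (later lines win).
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Exact whole-line match of $1 in list file $2 ('#' lines never match).
in_list() { [ -f "$2" ] && grep -qxF -- "$1" "$2"; }

vsftpd_login_check() {
  user=$1 conf=$2 ftpusers=$3 shells=$4 status=0
  shell=${5:-$(getent passwd "$user" 2>/dev/null | cut -d: -f7)}

  # Gate 1: pam_listfile.so sense=deny, any user named in ftpusers is refused.
  if in_list "$user" "$ftpusers"; then
    echo "deny: $user is in $ftpusers (pam_listfile sense=deny)"; status=1
  fi

  # Gate 2: userlist_enable. userlist_deny=YES (default) makes the file a
  # deny list; userlist_deny=NO makes it the only users allowed in.
  if [ "$(conf_get "$conf" userlist_enable)" = YES ]; then
    list=$(conf_get "$conf" userlist_file)
    [ -n "$list" ] || list=/etc/vsftpd/user_list   # assumed: path from the post's ll listing
    deny=$(conf_get "$conf" userlist_deny)
    [ -n "$deny" ] || deny=YES                      # vsftpd's built-in default
    if [ "$deny" = YES ] && in_list "$user" "$list"; then
      echo "deny: $user is in deny list $list (userlist_deny=YES)"; status=1
    elif [ "$deny" = NO ] && ! in_list "$user" "$list"; then
      echo "deny: $user is not in allow list $list (userlist_deny=NO)"; status=1
    fi
  fi

  # Gate 3: pam_shells.so, the account's shell must be listed in /etc/shells.
  if [ -n "$shell" ] && ! in_list "$shell" "$shells"; then
    echo "deny: shell $shell is not in $shells (pam_shells)"; status=1
  fi
  return $status
}
```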

(8) Did you think everything was fine after the steps above? Not quite; there is still an error:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()
login failed.
421 Service not available, remote server has closed connection

The cause is not hard to find: the official explanation is that this was introduced by an update, and in plain terms it means the user has write permission on the FTP root directory, whereas by default vsftpd does not allow the FTP user to write to the FTP root.

- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.

The fix is equally simple: remove write permission from the FTP user's root directory

chmod a-w /var/ftp/ftptest1

Some posts online say to add allow_writeable_chroot=YES to vsftpd.conf?? At least that did not work for me; it caused vsftpd to fail to restart.

(9) Another nasty problem: after logging in, files and directories cannot be listed

ftp> ls
227 Entering Passive Mode (127,0,0,1,28,27).
150 Here comes the directory listing.
226 Directory send OK

The cause is that FTP is restricted by SELinux; it can be solved by disabling SELinux. (The sample configuration's own comment under local_enable points at the SELinux boolean ftp_home_dir, which is the narrower alternative to turning SELinux off.)

(10) Next, the settings that control whether a user may change directory

chroot_local_user=YES   # confine all local users to their home directory; YES = enabled (only that directory tree is reachable), default NO = users may cd anywhere; with YES the list below becomes the list of users that are NOT confined (see the comment in vsftpd.conf)
chroot_list_enable=YES  # enable the user list; with YES only the users in chroot_list cannot change directory (when chroot_local_user=NO), with NO chroot_list has no effect
chroot_list_file=/etc/vsftpd/chroot_list

The 500 OOPS error above is likewise caused by restricting that user's directory changes: chroot_list_enable=YES
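Whether a user ends up chrooted depends on the combination of chroot_local_user and the chroot list, and a chrooted user with a writable home is exactly what triggers the 500 OOPS in (8). The following shell functions are an added example, not part of the original post: they decide from a vsftpd.conf whether a user would be chrooted and, if so, whether the root directory still carries any write bit (the condition the post's chmod a-w clears). The fallback path /etc/vsftpd/chroot_list when chroot_list_file is unset is taken from the sample config above.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether vsftpd would
# chroot a local user under the settings above and, if so, whether the
# "500 OOPS: ... writable root inside chroot()" refusal would follow.
#   $1 user  $2 vsftpd.conf  $3 the user's home directory (the chroot root)

# Last uncommented value of key $2 in config file $1 (later lines win).
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }
# Exact whole-line match of $1 in list file $2.
in_list() { [ -f "$2" ] && grep -qxF -- "$1" "$2"; }

# Is user $2 chrooted under config $1?
# chroot_local_user=NO : only the users in chroot_list are confined.
# chroot_local_user=YES: everyone is confined EXCEPT the users in chroot_list
# (the list inverts, as the comment in vsftpd.conf says).
vsftpd_is_chrooted() {
  conf=$1 user=$2 listed=NO
  all=$(conf_get "$conf" chroot_local_user); [ -n "$all" ] || all=NO
  if [ "$(conf_get "$conf" chroot_list_enable)" = YES ]; then
    list=$(conf_get "$conf" chroot_list_file)
    [ -n "$list" ] || list=/etc/vsftpd/chroot_list   # default shown in the post's config
    in_list "$user" "$list" && listed=YES
  fi
  [ "$all" != "$listed" ]   # chrooted when exactly one of the two says YES
}

# Predict the writable-root refusal. Conservative check: any write bit on
# the root directory counts, which matches the post's fix (chmod a-w).
vsftpd_chroot_check() {
  user=$1 conf=$2 home=$3
  if ! vsftpd_is_chrooted "$conf" "$user"; then
    echo "ok: $user is not chrooted (can cd outside $home)"; return 0
  fi
  mode=$(ls -ld "$home" | cut -d' ' -f1)   # e.g. drwxr-xr-x
  case $mode in
    *w*) echo "500 OOPS predicted: chroot root $home is writable ($mode)"; return 1 ;;
  esac
  echo "ok: $user is chrooted to $home and the root is read-only ($mode)"; return 0
}
```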

4. Summary

That is about all I have to share; I will add more when I use more of the features. Please point out anything that is wrong!

Creating the FTP user, the configuration file and the error analysis are all covered above; finally, the user creation steps and the configuration file settings are listed here for reference.

4.1 Creating the FTP user

Create the user for FTP login (no system login), specify the home directory and set a password

[root@localhost ~]# useradd -d /home/ftptest1 -m -s /bin/nologin ftpuser     
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost ~]# passwd ftpuser
Changing password for user ftpuser.
New password: 
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

4.2 Configuration file contents

Configuration file: /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60010
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

4.3 Authentication module configuration

Configuration file: /etc/pam.d/vsftpd

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth       required    pam_shells.so
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth