FTP file service
1) Introduction to the FTP file server
vsftpd is short for "very secure FTP daemon". It is a completely free, open-source FTP server. Its features include a strong focus on security, bandwidth limiting, good scalability, and so on.
How it works:
vsftpd uses the FTP protocol, an application-layer protocol. It is a typical client/server architecture: the FTP server stores files, and an FTP client connects to the server over FTP to upload and download resources.
FTP uses TCP port 21 for command transmission and then TCP port 20 for data transmission (active mode). The default is passive mode.
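In passive mode the server does not use TCP/20 for data; it opens an ephemeral port and tells the client about it in a "227 Entering Passive Mode" reply, which is the line the ftp client prints on "ls" later in this tutorial. The added example below (not part of the original tutorial) decodes that reply so you can see which port a firewall in front of the server actually has to admit; vsftpd bounds that port with pasv_min_port/pasv_max_port.

```shell
#!/bin/sh
# Added example, not from the tutorial: decode a 227 reply into the address and
# port the client will connect to for the data channel. The reply used below is
# the one shown in the tutorial's own ftp session.
pasv_data_endpoint() {
    # $1 is the full 227 reply; the parenthesised list is h1,h2,h3,h4,p1,p2
    # and the data port is p1*256 + p2.
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
    [ -n "$nums" ] || return 1          # not a well-formed 227 reply
    oldifs=$IFS; IFS=,; set -- $nums; IFS=$oldifs
    [ "$5" -le 255 ] && [ "$6" -le 255 ] || return 1   # each octet fits a byte
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}
pasv_data_endpoint "227 Entering Passive Mode (192,168,136,131,108,22)"
```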
2) Installation and deployment
Server side:
[root@node6 ~]# yum install vsftpd -y # install the server
[root@node6 ~]# systemctl start vsftpd # start the service
[root@node6 ~]# netstat -tnl # check the listening ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
[root@node6 lib]# cd /var/ftp/ # FTP home directory
[root@node6 ftp]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 31 2018 pub
Client side:
[root@localhost yum.repos.d]# yum install ftp lftp -y # install the clients; lftp is recommended
[root@localhost yum.repos.d]# ftp 192.168.136.131 # connect with the ftp client (anonymous login: user name ftp, no password required)
Connected to 192.168.136.131 (192.168.136.131).
220 (vsFTPd 3.0.2)
Name (192.168.136.131:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,136,131,108,22).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Oct 30 2018 pub
226 Directory send OK.
ftp> pwd # show the path on the server
257 "/"
ftp> !pwd # show the local path
/etc/yum.repos.d
Logging in with lftp:
lftp 192.168.136.131 # connect with the lftp client
lftp 192.168.136.131:~> ls
-rw-r--r-- 1 0 0 465 Apr 15 01:47 fstab
drwxr-xrwx 3 0 0 141 Apr 15 03:29 pub
lftp 192.168.136.131:/> lcd /tmp/ # change the local directory
lcd ok, local cwd=/tmp
lftp 192.168.136.131:/> ls
-rw-r--r-- 1 0 0 465 Apr 15 01:47 fstab
drwxr-xrwx 3 0 0 141 Apr 15 03:29 pub
lftp 192.168.136.131:/> get fstab # download a single file
`fstab' at 0 (0%) [Delaying before reconnect: 17]
465 bytes transferred in 30 seconds (15b/s)
lftp 192.168.136.131:/>
lftp 192.168.136.131:/> ls
-rw-r--r-- 1 0 0 465 Apr 15 01:47 fstab
drwxr-xrwx 3 0 0 141 Apr 15 03:29 pub
lftp 192.168.136.131:/> cd test # change the directory on the server
cd ok, cwd=/test
lftp 192.168.136.131:/test> ls
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file1
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file10
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file2
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file3
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file4
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file5
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file6
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file7
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file8
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file9
lftp 192.168.136.131:/test> mget file* # download several files at once
Total 10 files transferred
lftp 192.168.136.131:/test>
With the default configuration, files can only be listed and downloaded; writing and uploading are not allowed:
lftp 192.168.136.131:/test> mkdir abc
mkdir: Access failed: 550 Permission denied. (abc)
lftp 192.168.136.131:/test> put file1
put: Access failed: 550 Permission denied. (file1)
lftp 192.168.136.131:/test>
As you can see, both the upload and the mkdir commands failed: the anonymous user has no permission to write.
Edit the configuration file on the server (vsftpd.conf takes one key=value per line and does not accept trailing comments, so the annotations below sit on their own lines):
[root@node6 test]# vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
# added: allow anonymous users to upload files
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# added: allow anonymous users to create directories
anon_mkdir_write_enable=YES
# added: allow anonymous users to delete files
anon_other_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
Restart the service and connect again. Creating a directory still fails, but the error message is now different:
lftp 192.168.136.131:/test> mkdir abc # creating a directory fails
mkdir: Access failed: 550 Create directory operation failed. (abc)
lftp 192.168.136.131:/test> put file1 # uploading a file fails
put: Access failed: 553 Could not create file. (file1)
lftp 192.168.136.131:/test> lcd
lcd ok, local cwd=/root
This is because the directory itself is not writable by the ftp user. Grant write permission on the test directory:
[root@node6 ftp]# ll
total 4
-rw-r--r--. 1 root root 465 Apr 15 09:47 fstab
drwxr-xrwx. 3 root root 141 Apr 15 11:29 pub
drwxr-xr-x. 2 root root 137 Apr 15 17:09 test
[root@node6 ftp]# chmod o+w test/
[root@node6 ftp]# ll test/ -d
drwxr-xrwx. 2 root root 137 Apr 15 17:09 test/
[root@node6 ftp]#
lftp 192.168.136.131:/test> mkdir abc # create a directory
mkdir ok, `abc' created
lftp 192.168.136.131:/test> ls
drwx------ 2 14 50 6 Apr 15 09:26 abc
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file1
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file10
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file2
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file3
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file4
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file5
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file6
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file7
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file8
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file9
lftp 192.168.136.131:/test> put /etc/fstab # upload a file
465 bytes transferred
lftp 192.168.136.131:/test> ls
drwx------ 2 14 50 6 Apr 15 09:26 abc
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file1
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file10
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file2
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file3
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file4
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file5
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file6
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file7
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file8
-rw-r--r-- 1 0 0 0 Apr 15 09:09 file9
-rw------- 1 14 50 465 Apr 15 09:27 fstab
lftp 192.168.136.131:/test> mput /tmp/file* # upload several files at once
3) Local-user access to FTP
Create a local user:
[root@localhost ~]# id lutixia
id: lutixia: no such user
[root@localhost ~]# useradd lutixia
[root@localhost ~]# id lutixia
uid=1001(lutixia) gid=1001(lutixia) groups=1001(lutixia)
[root@localhost ~]# cd /home/lutixia/
[root@localhost lutixia]# ll
total 0
[root@localhost lutixia]# echo "lutixia"|passwd --stdin lutixia
Changing password for user lutixia.
passwd: all authentication tokens updated successfully.
[root@localhost lutixia]#
Edit the configuration file so that anonymous users can no longer log in and only local users can:
[root@node6 ftp]# vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
port_enable=NO
Restart the service, then connect again:
[root@node6 ftp]# systemctl restart vsftpd
[root@localhost ~]# lftp 192.168.136.131
lftp 192.168.136.131:~> ls
`ls' at 0 [Sending commands...]
The session above shows that anonymous users can no longer log in.
[root@localhost ~]# lftp lutixia:lutixia@192.168.136.131
lftp lutixia@192.168.136.131:~> ls
lftp lutixia@192.168.136.131:/> lcd
lcd ok, local cwd=/root
Logging in as the local user then works.
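The two configurations above trade safety for convenience in several places: section 2 lets anonymous clients upload, create and delete in a world-writable directory, section 3 sets allow_writeable_chroot=YES, which the file's own warning advises against, and neither enables TLS, so the lutixia:lutixia login travels in clear text. The added example below (not part of the original tutorial) is a small audit of a vsftpd.conf for exactly those settings; it is constructed here and assumes the vsftpd option names shown on this page.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit a vsftpd.conf for the settings the
# tutorial turns on and report the ones that widen exposure. vsftpd reads one
# key=value per line with no inline comments, so a key's effective value is its
# last uncommented occurrence. The sample file below is constructed from the
# tutorial's section 2 settings.
vsftpd_get() {  # usage: vsftpd_get FILE KEY -> prints the effective value, if any
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}
audit_vsftpd() {  # usage: audit_vsftpd FILE -> one finding per line
    conf=$1
    if [ "$(vsftpd_get "$conf" anonymous_enable)" = YES ] &&
       [ "$(vsftpd_get "$conf" write_enable)" = YES ]; then
        for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$conf" "$key")" = YES ]; then
                echo "anonymous write: $key=YES (any client can change the share)"
            fi
        done
    fi
    if [ "$(vsftpd_get "$conf" allow_writeable_chroot)" = YES ]; then
        echo "allow_writeable_chroot=YES: the top directory of the chroot is writable"
    fi
    if [ "$(vsftpd_get "$conf" local_enable)" = YES ] &&
       [ "$(vsftpd_get "$conf" chroot_local_user)" != YES ]; then
        echo "chroot_local_user is not YES: local users can browse the whole filesystem"
    fi
    if [ "$(vsftpd_get "$conf" ssl_enable)" != YES ]; then
        echo "ssl_enable is not YES: logins and transfers cross the network in clear text"
    fi
}
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: the values set in section 2 of the tutorial
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#ssl_enable=YES
EOF
audit_vsftpd "$SAMPLE_CONF"
```

Point it at /etc/vsftpd/vsftpd.conf on the server after each change; an empty report means none of the flagged settings is in effect.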