yum install vsftpd* vsftpd主程序
yum install pam* 认证程序
yum install db4* 写数据库db4工具
默认安装后,vsftpd就能正常启动,查看基本配置
vi /etc/vsftpd/vsftpd.conf
anonymous_enable=YES 匿名用户登录
local_enable=YES 本地用户登录
write_enable=YES 写权限,上传
local_umask=022 去掉其它用户对本用户的写权限
anon_upload_enable=NO 禁止匿名用户上传
anon_mkdir_write_enable=NO 禁止匿名用户建目录
dirmessage_enable=YES 开启目录标语,当进该目录时显示.message信息
xferlog_enable=YES 开启日志记录功能
xferlog_file=/var/log/vsftpd.log 该文件必须事先 touch 出来,并赋予写权限
connect_from_port_20=YES 主动模式
xferlog_std_format=YES 日志文件格式
listen=YES standalone模式
ascii_upload_enable=YES 允许ASCII上传
ascii_download_enable=YES 允许 ASCII下载
ftpd_banner=Welcome to blah FTP service.设定vsftpd的登录标语
pam_service_name=vsftpd PAM认证服务
userlist_enable=YES 启用 user_list 名单(默认 userlist_deny=YES 时,该名单为黑名单)
tcp_wrappers=YES 启用wrapper保护
chroot_local_user=YES 用户登进的目录为根目录,不允许随便更换目录
基本测试:
增加用户:vsftpd(无系统登录权限,shell 为 /sbin/nologin),以及 aa、aaa 两个普通系统用户作为测试用
[root@hding vsftpd]# useradd vsftpd -s /sbin/nologin
[root@hding vsftpd]# passwd vsftpd
Changing password for user vsftpd.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@hding vsftpd]# useradd aa
[root@hding vsftpd]# passwd aa
Changing password for user aa.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@hding vsftpd]# useradd aaa
[root@hding vsftpd]# passwd aaa
Changing password for user aaa.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ding ~]# ftp 192.168.0.114 匿名用户可以登录,但不能在默认/var/ftp/pub目录下建文件,没有写权限
Connected to 192.168.0.114.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.114:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,114,94,225)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Dec 06 14:14 pub
226 Directory send OK.
ftp> mkdir ftp
550 Create directory operation failed.
ftp> bye
221 Goodbye.
[root@ding ~]# ftp 192.168.0.111 vsftpd可以登录并写文件到自己的家目录
Connected to 192.168.0.111.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): vsftpd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir vsftpd
257 "/home/vsftpd/vsftpd" created
ftp> bye
221 Goodbye.
[root@ding ~]# ftp 192.168.0.111 aa用户可以登录并可以在自己的家目录建文件
Connected to 192.168.0.111.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): aa
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir aa
257 "/home/aa/aa" created
ftp> ^[[A
?Invalid command
ftp> bye
221 Goodbye.
[root@ding ~]# ftp 192.168.0.111 aaa用户可以正常登录,并在自己的家目录建文件
Connected to 192.168.0.111.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): aaa
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir aaa
257 "/home/aaa/aaa" created
ftp> ls
227 Entering Passive Mode (192,168,0,111,207,64)
150 Here comes the directory listing.
drwxr-xr-x 2 504 505 4096 Jan 14 12:01 aaa
226 Directory send OK.
ftp> bye
在 vsftpd、aa、aaa、ftp 这几个用户中,最安全的应该是 vsftpd:它的登录 shell 是 /sbin/nologin,即使口令被破解,也不能直接登录系统。vsftpd 还提供了限制用户登录 FTP 的功能,ftpusers 和 user_list 这两个文件都可以达到这样的效果。
[root@hding vsftpd]# vi ftpusers
1 # Users that are not allowed to login via ftp
2 root
3 bin
4 daemon
5 adm
6 lp
7 sync
8 shutdown
9 halt
10 mail
11 news
12 uucp
13 operator
14 games
15 nobody
16 aa
service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
client aa test:
[root@ding ~]# ftp 192.168.0.114
Connected to 192.168.0.114.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.114:root): aa
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
[root@hding vsftpd]# vi user_list
1 # vsftpd userlist
2 # If userlist_deny=NO, only allow users in this file
3 # If userlist_deny=YES (default), never allow users in this file, and
4 # do not even prompt for a password.
5 # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
6 # for users that are denied.
7 root
8 bin
9 daemon
10 adm
11 lp
12 sync
13 shutdown
14 halt
15 mail
16 news
17 uucp
18 operator
19 games
20 nobody
21 aaa
vi /etc/vsftpd/vsftpd.conf
117 userlist_enable=YES
ftp> open 192.168.0.111
Connected to 192.168.0.111.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): aaa
530 Permission denied.
Login failed.
vsftpd 家目录显示欢迎信息(.message)功能
[root@hding vsftpd]# vi /etc/vsftpd/vsftpd.conf
35 dirmessage_enable=YES
85 ftpd_banner=Welcome to blah FTP service.
[root@hding vsftpd]# vi /home/vsftpd/.message
1 hi, here is vsftpd's home
vsftpd 用户测试:
ftp> open 192.168.0.111
Connected to 192.168.0.111.
220 Welcome to blah FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): vsftpd
331 Please specify the password.
Password:
230-hi, here is vsftpd's home
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
默认情况下,本地用户登录 FTP 后可以 cd 到家目录之外,看到其他用户的目录甚至文件,这样不安全。为了把用户限制(chroot)在自己的家目录中,在配置文件中添加以下两行(注意:只有当 chroot_local_user=NO 时,chroot_list 中列出的用户才是被限制的用户;若 chroot_local_user=YES,该名单的含义相反,变成不受限制的例外名单)
[root@hding vsftpd]# vi /etc/vsftpd/vsftpd.conf
96 chroot_list_enable=YES
98 chroot_list_file=/etc/vsftpd/chroot_list
[root@hding vsftpd]# vi /etc/vsftpd/chroot_list
1 vsftpd
配置前:
ftp> open 192.168.0.111
Connected to 192.168.0.111.
ftp> ls
227 Entering Passive Mode (192,168,0,111,80,58)
150 Here comes the directory listing.
drwxr-xr-x 2 502 503 4096 Jan 14 12:00 vsftpd
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,111,112,100)
150 Here comes the directory listing.
drwx------ 4 503 504 4096 Jan 14 12:00 aa
drwx------ 4 504 505 4096 Jan 14 12:01 aaa
drwx------ 4 501 501 4096 Nov 14 06:57 dh
drwxrwxrwx 6 0 0 4096 Dec 05 14:07 share
drwx------ 3 500 500 4096 Aug 24 07:08 terry
drwx------ 4 502 503 4096 Jan 14 12:33 vsftpd
226 Directory send OK.
配置后:
ftp> open 192.168.0.111
Connected to 192.168.0.111.
ftp> ls
227 Entering Passive Mode (192,168,0,111,252,39)
150 Here comes the directory listing.
drwxr-xr-x 2 502 503 4096 Jan 14 12:00 vsftpd
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,111,20,136)
150 Here comes the directory listing.
drwxr-xr-x 2 502 503 4096 Jan 14 12:00 vsftpd
226 Directory send OK.
基于虚拟用户的登录:
设置虚拟用户(文件格式为一行用户名、下一行口令,交替排列):
[root@hding vsftpd]# vi login_list
1 Alicia
2 password
3 Samsun
4 password
5 Laffan
6 password
生成数据库(注意:login_list 以及生成的 vsftpd_login.db 都以明文保存口令,应限制为仅 root 可读,login_list 用完后最好删除)
[root@hding vsftpd]# db_load -T -t hash -f login_list vsftpd_login.db
修改PAM认证
[root@hding vsftpd]# vi /etc/pam.d/vsftpd.vu
1 auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
2 account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
修改之前最好先确认本机 pam_userdb.so 的实际路径;在 64 位系统上它通常位于 /lib64/security/pam_userdb.so,应相应改写上面两行中的路径
修改配置文件
启用虚拟用户,设定虚拟用户的统一用户名,改变原始认证文件,为虚拟用户定义目录
[root@hding vsftpd]# vi /etc/vsftpd/vsftpd.conf
120 guest_enable=YES
121 guest_username=virtual 虚拟用户统一用户
122 pam_service_name=vsftpd.vu 认证文件
123 user_config_dir=/etc/vsftpd/vsftpd_user_conf/ 用户权限文件
定义各用户权限
anon_world_readable_only 可以浏览和下载
anon_upload_enable 上传
anon_mkdir_write_enable 具有建立和删除目录
anon_other_write_enable 用户具有文件改名和删除文件的权限
为各用户建立相应的权限文件
[root@hding vsftpd]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@hding vsftpd]# vi vsftpd_user_conf/Alicia 只有可读权限
1 anon_world_readable_only=YES
2 anon_upload_enable=NO
3 anon_mkdir_write_enable=NO
4 anon_other_write_enable=NO
[root@hding vsftpd]# vi vsftpd_user_conf/Samsun 不仅可读还可以上传
1 anon_world_readable_only=YES
2 anon_upload_enable=YES
3 anon_mkdir_write_enable=NO
4 anon_other_write_enable=NO
[root@hding vsftpd]# vi vsftpd_user_conf/Laffan 拥有全部权限
1 anon_world_readable_only=YES
2 anon_upload_enable=YES
3 anon_mkdir_write_enable=YES
4 anon_other_write_enable=YES
为虚拟用户建立统一映射的系统账号 virtual 及其家目录 /home/ftpsite
[root@hding vsftpd_user_conf]# useradd -d /home/ftpsite virtual
测试:
Alicia
ftp> open 192.168.0.111
Connected to 192.168.0.111.
Name (192.168.0.111:root): Alicia 只读
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !pwd
/root
ftp> !cd /root
ftp> !ls
anaconda-ks.cfg install.log.syslog python setup web06.db
Desktop jpg python-tab.sh vu_list.txt
ftp> put vu_list.txt
local: vu_list.txt remote: vu_list.txt
227 Entering Passive Mode (192,168,0,111,182,227)
550 Permission denied.
ftp> mkdir Alicia
550 Permission denied.
ftp> close
221 Goodbye.
Samsun
ftp> open 192.168.0.111
Connected to 192.168.0.111.
Name (192.168.0.111:root): Samsun 只读和上传
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !cd /root
ftp> put vu_list.txt
local: vu_list.txt remote: vu_list.txt
227 Entering Passive Mode (192,168,0,111,52,71)
150 Ok to send data.
226 File receive OK.
44 bytes sent in 0.026 seconds (1.6 Kbytes/s)
ftp> mkdir Samsun
550 Permission denied.
ftp> close
221 Goodbye.
Laffan
ftp> open 192.168.0.111
Connected to 192.168.0.111.
Name (192.168.0.111:root): Laffan 拥有全部权限
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !cd /root
ftp> put vu_list.txt
local: vu_list.txt remote: vu_list.txt
227 Entering Passive Mode (192,168,0,111,115,207)
150 Ok to send data.
226 File receive OK.
44 bytes sent in 0.00035 seconds (1.2e+02 Kbytes/s)
ftp> mkdir Laffan
257 "/Laffan" created
ftp> bye
221 Goodbye.
基于IP的虚拟服务器,一个服务器可以有多个IP,因此它也支持开启多个FTP服务给不同的用户
增加子接口:[root@hding ]# ifconfig eth0:0 192.168.0.112
增加配置文件
[root@hding vsftpd]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd2.conf
[root@hding vsftpd]# vi /etc/vsftpd/vsftpd2.conf
109 listen=YES
110 listen_address=192.168.0.112
116 ftp_username=ftp2
117 pam_service_name=vsftpd
118 userlist_enable=YES
119 tcp_wrappers=YES
120 #guest_enable=YES
121 #guest_username=virtual
122 #pam_service_name=vsftpd.vu
123 #user_config_dir=/etc/vsftpd/vsftpd_user_conf/
修改原先配置
[root@hding vsftpd]# vi /etc/vsftpd/vsftpd.conf 单独监听
110 listen_address=192.168.0.111
增加用户和目录
[root@hding vsftpd]# mkdir -p /var/ftp2/pub
[root@hding vsftpd]# useradd -d /var/ftp2 -M ftp2
[root@hding vsftpd]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd2: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
测试:
ftp> open 192.168.0.112 112服务器是原本的FTP
Connected to 192.168.0.112.
220 Welcome to blah FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.112:root): Alicia Alicia虚拟用户不支持
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> close
221 Goodbye.
ftp> open 192.168.0.112 原本FTP支持vsftpd用户
Connected to 192.168.0.112.
220 Welcome to blah FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.112:root): vsftpd
331 Please specify the password.
Password:
230-hi, here is vsftpd's home
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> close
221 Goodbye.
ftp> open 192.168.0.111 111是FTP虚拟服务器,vsftpd用户不存在
Connected to 192.168.0.111.
220 Welcome to blah FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.111:root): vsftpd
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
FTPS:
生成证书[root@hding vsftpd]# cd /etc/pki/tls/certs/
[root@hding certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > vsftpd.pem ; \
echo "" >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.....................................................................................................................................+++
.+++
writing new private key to '/tmp/openssl.ke9778'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:delar
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:192.168.0.111
Email Address []:
增加 SSL 配置(注意:下面启用的 SSLv2/SSLv3 协议早已被证明不安全,生产环境应将 ssl_sslv2 和 ssl_sslv3 设为 NO,只保留 TLS)
[root@hding certs]# vi /etc/vsftpd/vsftpd.conf
126 #SSL configure
127 ssl_enable=YES
128 ssl_tlsv1=YES
129 ssl_sslv2=YES
130 ssl_sslv3=YES
131 rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
132 rsa_private_key_file=/etc/pki/tls/certs/vsftpd.pem
此时用支持 FTPS 的客户端连接服务器,会提示确认服务器证书(因为上面生成的是自签名证书,客户端无法通过 CA 验证它)
至此,vsftpd的实验就做完了~