阿里云ECS Centos7 搭建 FTP服务器 踩坑之旅，解决 ftp用户登录 服务器发回了不可路由的地址 等问题

在用阿里云ecs搭建ftp服务器的时候遇到了不少问题，现将完整的安装和踩坑过程记录下来，避免大家少走弯路。

1、安装vsftp

1.1 yum 安装 vsftp

sudo yum -y install vsftpd

1.2 修改vsftp的配置文件

vim /etc/vsftpd/vsftpd.conf

改配置文件是一个大坑，稍有不慎就无法启动，我也是改了好几次，现将自己修改过的配置文件贴出来：

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# 不允许匿名访问
anonymous_enable=NO
# anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# 这个设定值必须要为YES 时，在/etc/passwd内的账号才能以实体用户的方式登入我们的vsftpd主机
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# 具有写权限
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# 本地用户创建文件或目录的掩码
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 当dirmessage_enable=YES时，可以设定这个项目来让vsftpd寻找该档案来显示讯息，也可以设定其它档名
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 当设定为YES时，使用者上传与下载日志都会被纪录起来。记录日志与下一个xferlog_file设定选项有关
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# 开启20端口
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# 关于系统安全的设定值，如果设定为YES ，那么 client 就可以使用 ASCII 格式下载档案。
# 一般来说，由于启动了这个设定项目可能会导致DoS 的攻击，因此预设是NO。
ascii_upload_enable=NO
ascii_download_enable=NO
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# 限制是否只有本地用户可以切换目录
chroot_local_user=YES
# 在/etc/vsftpd.chroot_list文件中列出的用户，可以切换到其他目录；未在文件中列出的用户，不能切换到其他目录
chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# 当为YES时,vsftpd将以单独模式运行.这意味着vsftpd不必以某种inetd运行,而是可以直接执行
# .vsftpd执行后会自己侦听和操作进入的连接
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 类似listen选项,但该选项使vsftpd侦听的地址为IPv6格式的
listen_ipv6=NO
#
# pam_service_name=vsftpd
pam_service_name=vsftpd.vu
# 启动被动式联机(passivemode)
# pasv_enable=YES
# 上面两个是与passive mode 使用的 port number 有关，如果您想要使用52100 到52280 来进行被动式资料的连接，可以这样设定
pasv_min_port=52100
pasv_max_port=52280
pasv_address=
# 
# ftp数据端口
# ftp_data_port=10020
#
# 黑白名单控制
# 当userlist_enable=YES时，userlist_deny=YES时：user_list是一个黑名单，即：所有出现在名单中的用户都会被拒绝登入
# 当userlist_enable=YES时，userlist_deny=NO时：user_list是一个白名单，即：只有出现在名单中的用户才会被准许登入(user_list之外的用户都被拒绝登入)
# 另外需要特别提醒的是：使用白名单后，匿名用户将无法登入！除非显式在user_list中加入一行：anonymous
userlist_enable=YES
userlist_deny=NO
#
# 开启就对了
tcp_wrappers=YES
#
# 允许写目录
allow_writeable_chroot=YES
#
# ftp根目录
local_root=/home/www/ftp/
#
# ftp的端口号，默认为21
listen_port=3000
#

带中文的都是我修改的，要特别注意的是以下几点：

1、开启的相应端口要在阿里云的安全组中开启对外访问。
比如设置中的：

# 开启20端口
connect_from_port_20=YES
# ftp的端口号，默认为21
listen_port=3000

pasv_min_port=52100
pasv_max_port=52280

都要在安全组开启允许外部访问：

不然我在使用FileZilla连接的时候，能够登录，但是报 服务器发回了不可路由的地址 的错误。

2、黑白名单的设置

# 黑白名单控制
# 当userlist_enable=YES时，userlist_deny=YES时：user_list是一个黑名单，即：所有出现在名单中的用户都会被拒绝登入
# 当userlist_enable=YES时，userlist_deny=NO时：user_list是一个白名单，即：只有出现在名单中的用户才会被准许登入(user_list之外的用户都被拒绝登入)
# 另外需要特别提醒的是：使用白名单后，匿名用户将无法登入！除非显式在user_list中加入一行：anonymous
userlist_enable=YES
userlist_deny=NO

我在配置中关掉了匿名登录，并开启白名单，需要在 userlist 添加允许登录的用户并且保证该用户不在 ftpuser 文件中，默认的这两个文件都是没有配置好的，ftp登录就会出问题，当然这个会在第二步细说。

3、ipv4和ipv6的问题

# 默认监听ipv4是关闭的
listen=YES
# 默认监听ipv6是开启的
listen_ipv6=NO

使用默认的监听设置，启动时候可能会报错，所以要把默认的YES跟NO改过来。

---

2、添加ftp登录用户

2.1 创建ftp登录用户

useradd -d /home/ftp/ -s /sbin/nologin ftpuser

-d /home/ftp/ 表示设置ftpuser的根目录，
-s /sbin/nologin 表示设置ftpuser为禁止ssh登录，只能ftp登录

另外再说下，由于做了重新安装，用 userdel ftpuser 删除了用户新建，结果报错，邮箱什么的还在，需要用 userdel -r ftpuser 才能完全删除一个用户的信息和根目录。

2.2 设置用户密码

passwd ftpuser

两次输入你要设置的密码就行，密码是暗文看不见，不用担心，都有输入的。

2.3 设置ftp文件夹的权限

把ftp文件夹的权限加到ftpuser上

chown -R ftpuser /home/ftp

2.4 在白名单中添加新建的ftp用户

vim /etc/vsftpd/userlist
在最后一行加上 ftpuser，wq 保存退出即可

---

经过以上设置，ftp的简单配置就完成了，接下来启动服务

---

3、启动ftp服务

# 启动ftp服务
systemctl start vsftpd.service 

# 查看ftp状态，如果启动失败的话能够看到报错原因
systemctl status vsftpd.service 

# 打开开机启动
systemctl enable vsftpd.service

# 关闭开机启动
systemctl disable vsftpd.service

然后使用FileZilla进行远程连接就行了。
要注意的是，这个时候还只是完成简单的使用，连接方式是明文传输，我因为是临时使用所以无所谓，如果要确保安全，还需要在配置文件中再做修改，添加ssl加密传输。