Study notes: installing a vsftpd server on CentOS 7.9

This article describes in detail how to install and configure a vsftpd server on CentOS 7, including disabling anonymous logins, allowing local users write access, setting the service to start with the system, and configuring the firewall. It then strengthens the FTP service by enabling SSL and configuring the related certificate. Finally, it explains how to integrate vsftpd with Active Directory so that AD accounts are used for authentication, and how to create a client account for secure login.

I. Basic installation

Reference: How to Install and Configure vsftpd on CentOS 7 - Liquid Web

1. Install vsftpd

yum -y update

yum -y install vsftpd

2. Configure vsftpd

# vim /etc/vsftpd/vsftpd.conf

  • Disallow anonymous logins, which would let unidentified users access files via FTP. Ensure the anonymous_enable setting is set to NO:

anonymous_enable=NO

  • Enable local users to log in; this allows your regular user accounts to function as FTP accounts. Change the local_enable setting to YES:

local_enable=YES

  • If you want local users to be able to write to a directory, change the write_enable setting to YES:

write_enable=YES

  • Local users will be 'chroot jailed' into their home directory and denied access to any other part of the server:

chroot_local_user=YES

3. Configure the vsftpd service to start with the system

systemctl restart vsftpd

systemctl enable vsftpd --now

4. Configure the firewall

firewall-cmd --permanent --add-port=21/tcp

firewall-cmd --reload
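Steps 1 to 4 as one script that applies the four vsftpd.conf settings idempotently and verifies them before touching the service and firewall. This is an added example, not code from the notes or the Liquid Web article; set_opt, get_opt, apply_basic_hardening and verify_basic_hardening are hypothetical helper names, and the default config path is the /etc/vsftpd/vsftpd.conf used in the notes.

```bash
#!/bin/bash
# Added example (not from the notes): idempotent editing and verification of vsftpd.conf.

# Set KEY=VALUE in FILE: replace an existing uncommented KEY line, otherwise append it.
# Commented-out lines such as "#chroot_local_user=YES" are left alone as documentation.
set_opt() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^${key}=" "$file"; then
    sed -i -E "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Effective value of KEY in FILE: the last uncommented "KEY=..." line wins.
get_opt() {
  grep -E "^$2=" "$1" | tail -n1 | cut -d= -f2-
}

# The four settings from step 2 of the notes.
apply_basic_hardening() {
  local conf=${1:-/etc/vsftpd/vsftpd.conf}
  set_opt "$conf" anonymous_enable NO
  set_opt "$conf" local_enable YES
  set_opt "$conf" write_enable YES
  set_opt "$conf" chroot_local_user YES
}

# Returns non-zero and names every setting whose effective value differs from step 2.
verify_basic_hardening() {
  local conf=${1:-/etc/vsftpd/vsftpd.conf} rc=0 kv key want got
  for kv in anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(get_opt "$conf" "$key")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $key is '${got:-unset}', expected $want"; rc=1
    fi
  done
  return "$rc"
}

# Steps 3 and 4 of the notes, run only when explicitly requested as root on the real host.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
  apply_basic_hardening && verify_basic_hardening
  systemctl enable --now vsftpd
  firewall-cmd --permanent --add-port=21/tcp && firewall-cmd --reload
fi
```

Run it as `bash harden-vsftpd.sh --apply` on the server; without `--apply` it only defines the functions, so it can be sourced and used to audit a copied config. One caveat to check before relying on chroot_local_user=YES: vsftpd 3.x, the version CentOS 7 ships, refuses a login whose chroot root (the user's home directory) is writable and answers `500 OOPS: vsftpd: refusing to run with writable root inside chroot()`. Either keep the home directory non-writable and give the user a writable subdirectory, or add allow_writeable_chroot=YES and accept the weaker jail.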

II. Configure vsftpd to use SSL

Reference: Configure VSFTPD with an SSL - Liquid Web

5. First decide where the SSL key will be stored.

For example:

mkdir /etc/ssl/private

A self-signed certificate is used here:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt

Note: for a purchased SSL certificate, simply place the key at /etc/ssl/private/vsftpd.key and the certificate at /etc/ssl/certs/vsftpd.crt.

6. Configure vsftpd to use the certificate

# vim /etc/vsftpd/vsftpd.conf

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1_1=YES

ssl_tlsv1_2=YES

ssl_tlsv1=NO

ssl_sslv2=NO

ssl_sslv3=NO

require_ssl_reuse=YES

ssl_ciphers=HIGH

rsa_cert_file=/etc/ssl/certs/vsftpd.crt

rsa_private_key_file=/etc/ssl/private/vsftpd.key

Notes on some of the SSL settings:

  • This option enables our SSL support for vsftpd.

ssl_enable=YES

  • Prevent anonymous SSL/TLS encrypted login, in essence, the guest user.

allow_anon_ssl=NO

  • We’re going to force SSL/TLS encryption of both your username/password and your data to keep it safe.

force_local_data_ssl=YES

force_local_logins_ssl=YES

  • Use the stronger encryption offered by TLS 1.1 and 1.2.

ssl_tlsv1_1=YES

ssl_tlsv1_2=YES

  • TLS 1.0 is getting a little more insecure than we would like, so we are going to disable it.

Please note that some older FTP clients are not compatible with newer TLS versions and may require this option to be set to “YES”.

ssl_tlsv1=NO

  • To keep the FTP connections safe against the BEAST and POODLE vulnerabilities we are going to disable SSLv2 and SSLv3.

ssl_sslv2=NO

ssl_sslv3=NO

  • Continuing our security improvements we are going to add some additional protection against Man In The Middle (MITM) attacks by enabling the following. This may not be compatible with some older FTP clients. If you experience connection loss try setting this option to “NO”.

require_ssl_reuse=YES

  • This will require the server to use stronger cipher suites.

ssl_ciphers=HIGH

7. Restart the vsftpd service

systemctl restart vsftpd
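An audit that checks a vsftpd.conf against every TLS setting from step 6, so a drifted or mistyped value (for instance `ssl_sslv3=YES`, or a client-compatibility change to `ssl_tlsv1` that was never reverted) is caught before the service is restarted. This is an added example, not code from the notes or the Liquid Web article; audit_vsftpd_tls and conf_value are hypothetical helper names. It goes one step beyond the notes by also checking that the private key named in rsa_private_key_file is not readable by group or others.

```bash
#!/bin/bash
# Added example (not from the notes): audit vsftpd.conf against the TLS settings of step 6.

# Expected values, exactly as listed in step 6.
VSFTPD_TLS_EXPECTED="
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
"

# Effective value of KEY in FILE: the last uncommented "KEY=..." line wins.
conf_value() {
  grep -E "^$2=" "$1" | tail -n1 | cut -d= -f2-
}

# Prints one DEVIATION line per problem; returns 0 only when the file fully matches step 6.
audit_vsftpd_tls() {
  local conf=${1:-/etc/vsftpd/vsftpd.conf} rc=0 kv key want got keyf mode
  for kv in $VSFTPD_TLS_EXPECTED; do
    key=${kv%%=*}; want=${kv#*=}
    # vsftpd accepts booleans case-insensitively (yes/YES), so normalise before comparing.
    got=$(conf_value "$conf" "$key" | tr '[:lower:]' '[:upper:]')
    if [ "$got" != "$want" ]; then
      echo "DEVIATION: $key=${got:-<unset>} (expected $want)"; rc=1
    fi
  done
  # Beyond the notes: the private key must not be readable by group or others.
  keyf=$(conf_value "$conf" rsa_private_key_file)
  if [ -n "$keyf" ] && [ -f "$keyf" ]; then
    mode=$(stat -c %a "$keyf")
    case $mode in
      *00) ;;
      *) echo "DEVIATION: $keyf has mode $mode, expected 600 (group/others can read the key)"; rc=1 ;;
    esac
  fi
  return "$rc"
}
```

Run `audit_vsftpd_tls /etc/vsftpd/vsftpd.conf` after editing and before `systemctl restart vsftpd`. The file audit only proves what was configured; to confirm what the running server actually negotiates, connect with `openssl s_client -connect ftp.example.com:21 -starttls ftp` (hostname is a placeholder) and check the reported protocol and cipher, and repeat with `-tls1` or `-ssl3` to confirm those handshakes are refused.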

III. Use AD accounts as vsftpd users

Reference: Configuring an FTP server and pam.d to authenticate users with AD (CentOS/RHEL 7/8) - IGI

8. Configure /etc/pam.d/vsftpd

The main file for authenticating users against Active Directory is /etc/pam.d/vsftpd.

After configuration it looks like this:

# cat /etc/pam.d/vsftpd

session optional pam_keyinit.so force revoke

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

auth required pam_shells.so

auth include password-auth

account include password-auth

session required pam_loginuid.so

session include password-auth

auth required pam_env.so

auth sufficient pam_sss.so

account sufficient pam_sss.so

IV. Configure the FTP client account

9. Create the client account and configure a valid home directory.

    Then log in to the server once with the newly created account, and that is all.
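A pre-flight check that walks an account through the conditions the /etc/pam.d/vsftpd stack in step 8 and the home-directory requirement in step 9 impose, so a failed FTP login can be traced to the responsible line (pam_listfile, pam_shells, NSS resolution via sssd, or a missing home) instead of being debugged from the client side. This is an added example, not code from the notes or the IGI article; vsftpd_login_precheck is a hypothetical helper, and the default paths are the /etc/vsftpd/ftpusers from the PAM file above and the system's /etc/shells.

```bash
#!/bin/bash
# Added example (not from the notes): pre-flight check against the /etc/pam.d/vsftpd stack.
# Usage: vsftpd_login_precheck USER [FTPUSERS_FILE] [SHELLS_FILE] [PASSWD_FILE]
#   Without PASSWD_FILE the user is resolved through NSS (getent), i.e. sssd for AD accounts;
#   PASSWD_FILE exists so the check can be run offline against a constructed passwd file.
vsftpd_login_precheck() {
  local user=$1
  local ftpusers=${2:-/etc/vsftpd/ftpusers}
  local shells=${3:-/etc/shells}
  local passwd_file=$4
  local entry home shell rc=0

  # 1. The account must resolve at all; "auth include password-auth" and pam_sss rely on it.
  if [ -n "$passwd_file" ]; then
    entry=$(grep -- "^${user}:" "$passwd_file" || true)
  else
    entry=$(getent passwd "$user" || true)
  fi
  if [ -z "$entry" ]; then
    echo "FAIL: $user does not resolve via NSS (is sssd running and the host joined to AD?)"
    return 1
  fi
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)

  # 2. "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers"
  if [ -r "$ftpusers" ] && grep -qxF -- "$user" "$ftpusers"; then
    echo "FAIL: $user is listed in $ftpusers, pam_listfile will deny the login"; rc=1
  fi

  # 3. "auth required pam_shells.so": the login shell must be listed in /etc/shells
  if ! grep -qxF -- "$shell" "$shells"; then
    echo "FAIL: shell '$shell' is not in $shells, pam_shells will deny the login"; rc=1
  fi

  # 4. Step 9: the home directory, which becomes the chroot root, has to exist
  if [ ! -d "$home" ]; then
    echo "FAIL: home directory '$home' does not exist"; rc=1
  fi

  if [ "$rc" -eq 0 ]; then echo "OK: $user passes the vsftpd PAM pre-checks"; fi
  return "$rc"
}
```

On the real host run `vsftpd_login_precheck 'svc_ftp@example.com'` (a placeholder AD user) with the default paths. The shell check is the one most often tripped by AD accounts: whatever default shell sssd assigns must appear in /etc/shells, or pam_shells rejects the login even though the password was correct.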
