- 论坛徽章:
- 1
|
基于FreeBSD5.4全能服务器安装v1.01(dns,ftp,apache,qmail)
版权声明:本着开源的思想,大家尽可以转载也希望大家不要垄断技术
作者:曹海波(b.s.d)
联系方式:
QQ:76091090
电邮:b.s.d@163.com
强烈建议:安装系统时安装src和ports
理由:经过试验可以提升同步src和ports的速度
2005-10-18给FTP服务器后台管理增加二级登陆密码以增强安全性
2005-10-8 暂停Qmail服务器的公布(一是:需要改进,二是:篇幅太长装不下)
2005-9-13 增加了相应的说明文字特别是在ftp服务器方面
2005-7-18 发表
2005-4-20 成搞
###################################基本设置####################################
setenv PACKAGEROOT "ftp://ftp.jp.freebsd.org"
设置环境变量使pkg_add –r 源代码安装方式选择较快的服务器下载二进制软件安装
pkg_add -r cvsup-without-gui
下载并安装二进制代码程序cvsup-without-gui(cvsup-without-gui无图形支持在文本方式下工作的软件,用来同步代码及ports用。)
编辑/etc/rc.conf
ee /etc/rc.conf
增加以下(用来停止sendmail)
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
mkdir /usr/home/chb/pkg_info
reboot
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_cvsup-without-gui.txt
(主要是记录安装的软件,用来以后分析软件包的关联性)
################################同步系统代码###################################
cvsup -g -L 2 -h cvsup.jp.FreeBSD.org /usr/share/examples/cvsup/standard-supfile
(注意:standard-supfile这个文件同步前一定要查看里面内容是否正确!即:[*default release=cvs tag= ] 默认的情况下可能会把代码同步到当前的最新版本,当然这个最新版本可能是current版!所以一定要指定!
我的写法是:
*default release=cvs tag=RELENG_5_4 意思是同步到FreeBSD5.4的当前稳定版代码
还有就是值得注意的是:
目前同步代码可以选择两个文件
一是:stable-supfile
二是:standard-supfile
stable-supfile 一般已经指定了同步代码的版本,一般也不需要设定!但是用FreeBSD5.2.1的朋友们就需要注意了因为FreeBSD5.2.1会把代码同步到4系的最新版,我一直没明白FreeBSD开发小组为什么会这么做!一旦没有修改就同步的话,轻则造成部分软件无法使用重则造成内核错误根本就无法进入系统!我可亲身经历过
standard-supfile 我认为同步前最好核对一下里面关于同步代码版本的部分。
至于为什么选择standard-supfile而不选择stable-supfile我可是经过N次的重做才确定用standard-supfile
登陆系统后运行uname –v查看系统版本号你会发现
以standard-supfile同步的系统显示的是FreeBSD 5.4-RELEASE-p4 #0: Sat Jul 16 09:29:22 CST 2005 chb@ns1.tjhaina.net:/usr/obj/usr/src/sys/GENERIC
注意这里的5.4-RELEASE-p4用stable-supfile是不会出现p4的!
当然这只是我个人的做法!
)
reboot
################################编译系统内核###################################
cd /usr/src
make -j4 buildworld
多线程支持加快编译速度(注意:cpu的占用率会升高)
cd /usr/src/sys/i386/conf
cp GENERIC /root/GENERIC.OLD
ee NS1
编辑内核
cd /usr/src
make buildkernel
建立内核
make installkernel
安装内核
shutdown -r now
mergemaster -p
更新系统配置文件。这个命令后会跟随多个提示问题建议仔细阅读后做出选择,如果是安装系统后第一次同步代码,并是在没有安装任何软件的情况下,可以考虑执行mergemaster –ai
跳过询问信息选择全部跟新
cd /usr/src
make installworld
mergemaster
shutdown -r now
delete
删除/usr/obj(以防影响下一次编译内核)
/usr/obj
cd /usr/obj
chflags -R noschg *
rm -rf *
##############################同步ports软件包##################################
cvsup -g -L 2 -h cvsup.jp.FreeBSD.org /usr/share/examples/cvsup/ports-supfile
reboot
DNS服务器
################################设置bind9.3.1##################################
%%%%%%%%%%%%%%%%%建立正反向解析目录%%%%%%%%%%%%%%
mkdir /etc/namedb/rev
mkdir /etc/namedb/hosts
%%%%%%%%%%%%%%%改变正反向解析目录属性%%%%%%%%%%%%%%
chown bind:bind /etc/namedb/rev
chown bind:bind /etc/namedb/hosts
chmod 750 /etc/namedb/rev
chmod 750 /etc/namedb/hosts
%%%%%%%%%%%%%生成正反向解析文件的例子文件%%%%%%%%%%%%
cd /etc/namedb
sh make-localhost
%%%%%%%%%%%%%%%%生成这正反向解析文件%%%%%%%%%%%%%%
cp /etc/namedb/master/localhost.rev /etc/namedb/rev/192.168.0.rev
cp /etc/namedb/master/localhost.rev /etc/namedb/hosts/tjhaina.net.hosts
%%%%%%%%%%%%%%%%设置DNS服务器的主域%%%%%%%%%%%%%%%
ee /etc/namedb/named.conf
zone "0.168.192.IN-ADDR.ARPA" {
type master;
file "/etc/namedb/rev/192.168.0.rev";
};
zone "tjhaina.net" {
type master;
file "/etc/namedb/hosts/tjhaina.net.hosts";
};
%%%%%%%%%%%%%设置DNS服务器反向解析文件%%%%%%%
ee /etc/namedb/rev/192.168.0.rev
$TTL 3600
@ IN SOA ns1.tjhaina.net. root.ns1.tjhaina.net. (
20050430 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
IN NS ns1.tjhaina.net.
205 IN PTR ns1.tjhaina.net.
205 IN PTR www.tjhaina.net.
205是你的IP地址
(增加反向解析PTR记录 注意:不建议全部的域名及二级域名增加PTR记录)
%%%%%%%%%%%%%设置DNS服务器的正向解析文件%%%%%%%
ee /etc/namedb/hosts/tjhaina.net.hosts
$TTL 3600
@ IN SOA ns1.tjhaina.net. root.ns1.tjhaina.net. (
20050621 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
IN NS ns1.tjhaina.net.
ns1 IN A 192.168.0.205
www IN A 192.168.0.205
mail IN A 192.168.0.205
tjhaina.net. IN MX 10 mail.tjhaina.net
(注意:MX记录的添加要先做一个mail的A记录再做MX记录。MX记录添加的原则是用你的域名指向你的mail的二级域名。不过还有其他的添加方法大家自己可以找一下相关资料)
%%%%%%%%%%%%%生成DNS服务器的key文件%%%%%%%%%%%%%%%
/usr/sbin/rndc-confgen >; /etc/namedb/rndc.conf
%%%%%%%%%%%%%将key文件导入named.conf文件%%%%%%%%%%%%%
cd /etc/namedb
tail -n10 rndc.conf | head -n9 | sed -e s/#\ //g >;>; named.conf
(这个命令我也不知道为什么这么写!希望大家一起讨论)
%%%%%%%%%%%%%启动DNS服务器%%%%%%%%%%%%%%%%%%%%%
/usr/sbin/named -gc /etc/namedb/named.conf &
(& 表示后台运行)
/usr/sbin/rndc status
(查看DNS的启动情况)
%%%%%%%%%%%%%设置本机DNS服务器地址%%%% %%%%%%%%%%%%
ee /etc/resolv.conf
添加
nameserver 127.0.0.1
nameserver 211.98.2.4
nameserver 202.99.104.68
nameserver 202.99.96.68
nameserver 202.102.128.68
nameserver 202.103.0.117
nameserver 202.103.44.5
(所以选这么多DNS是考虑到了冗余设计防止万一出错)
%%%%%%%%%%%%删除或注释掉DNS服务器的监听地址%%%%%%
ee /etc/namedb/named.conf
删除
20 listen-on { 127.0.0.1; };
注释掉
// listen-on { 127.0.0.1; };
rndc reload
(由于bind9在默认的情况下只是给自己,所以要去除监听地址listen-on { 127.0.0.1; };)
%%%%%%%%%%%%使DNS服务器和系统一起启动%%%%%%%%
ee /etc/rc.conf
添加
named_enable="YES"
###################安装perl5.8.X################
cd /usr/ports/lang/perl5.8
make WITH_DEBUGGING=yes \
WITH_GDBM=yes \
WITHOUT_PERL_MALLOC=yes \
WITHOUT_PERL_64BITINT=yes \
WITH_THREADS=yes \
ENABLE_SUIDPERL=yes
(注意:以上命令及参数是按行输入)
make test
make install
make clean
make rmconfig
shutdown -r now
perl -v
ps auwx|grep perl
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_perl5.8.txt
###############更改ports软件包的默认下载路径(因为只有安装了perl后才会有/etc/make.conf)#######
ee /etc/make.conf
添加
MASTER_SITE_OVERRIDE=ftp://ftp3.jp.freebsd.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}
(更改ports默认的下载路径,可以根据自己的实际情况进行设置)
################################安装openssl####################################
cd /usr/ports/security/openssl
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_openssl.txt
#################################安装web管理系统##############################
cd /usr/ports/sysutils/webmin
make
make install
make clean
make rmconfig
/usr/local/lib/webmin/setup.sh
ee /etc/rc.conf
添加
webmin_enable="YES"
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_webmin.txt
#################################安装数据库mysql4.0############################
cd /usr/ports/databases/mysql40-server
make WITH_CHARSET=gbk \
WITH_XCHARSET=all \
SKIP_DNS_CHECK=yes \
BUILD_OPTIMIZED=yes \
BUILD_STATIC=yes
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_mysql40-server.txt
%%%%%%%%%%%%安装mysql40组件%%%%%%%%%%%%%%
cd /usr/ports/databases/p5-DBD-mysql40
make
make install
make clean
make rmconfig
%%%%%%%%%%%使mysql40和系统一起启动%%%%%%%%%%%
ee /etc/rc.conf
mysql_enable="YES"
%%%%%%%%%%%设置mysql40的密码%%%%%%%%%%%%%%
/usr/local/bin/mysqladmin -u root password 'password'
mysql -u root -ppassword
%%%%%%%%%%启动mysql40%%%%%%%%%%%%%%%%%%%
start mysql
#/usr/local/share/mysql/mysql.server start
/usr/local/etc/rc.d/mysql-server.sh start
如果以上两条命令不能启动mysql
那么请reboot系统来启动mysql
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_mysql40.txt
###############################安装expat2#####################################
cd /usr/ports/textproc/expat2
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_expat2.txt
###############################安装web服务器apache1.33######################
cd /usr/ports/www/apache13
make
make install
make clean
make rmconfig
%%%%%%%%%%%使apache和系统一起启动%%%%%%%%%%%
ee /etc/rc.conf
添加
apache_enable="YES"
%%%%%%%%%%%%更改apache的相应设置%%%%%%%%%%%
ee /usr/local/etc/apache/httpd.conf
change 330
ServerAdmin you@your.address ==>;ServerAdmin b.s.d@163.com
change 348
#ServerName www.example.com==>;ServerName www.tjhaina.net
添加 794
添加Language zh-cn .zh-cn
添加 822
添加charset GB2312 .gb2312
添加 977
NameVirtualHost 192.168.0.205 (your hosts ip)
%%%%%%%%%%%%启动apache%%%%%%%%%%%%%%%%%
start apache
/usr/local/sbin/apachectl start
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_apache.txt
####################################安装php###################################
cd /usr/ports/lang/php4
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_php4.txt
###################################安装php扩展################################
cd /usr/ports/lang/php4-extensions
make (+ bz2)
make install
make clean
make rmconfig
cd /usr/local/etc
cp php.ini-recommended php.ini
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_php4-extensions.txt
########################安装phpSysInfo基于php的系统监测#######################
cd /usr/ports/www/phpSysInfo/
make
make install
make clean
make rmconfig
cd /usr/local/www/data/phpSysInfo/
cp config.php.new config.php
chown www:www config.php
(改变config.php的所属组和用户)
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_phpSysInfo.txt
####################安装phpmyadmin基于php的数据库web管理系统################
cd /usr/ports/databases/phpmyadmin/
make
make install
make clean
make rmconfig
%%%%%%%%%%%%%更改phpMyAdmin的配置%%%%%%%%%%%%
cd /usr/local/www/phpMyAdmin
chmod 755 config.inc.php
ee /usr/local/www/phpMyAdmin/config.inc.php
将84行
$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)?
改成
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[#将39行
#$cfg['PmaAbsoluteUri'] = ' ';
#改成
#$cfg['PmaAbsoluteUri'] = 'http://192.168.0.205/phpMyAdmin/';
pkg_info
pkg_info | col -b >; /usr/home/chb/pkg_info/pkg_info_phpmyadmin.txt ]
(我现在不建议更改39行的内容虽然phpMyAdmin提示更改!但并没有发现39行对phpMyAdmin的运行有影响!改不好反而使phpMyAdmin不能正常显示)
安装FTP服务器
#############################安装ftp服务器pure-ftpd#############################
cd /usr/ports/ftp/pure-ftpd
ee /usr/ports/ftp/pure-ftpd/Makefile
添加
--with-everything \
--with-paranoidmsg \
--with-virtualchroot \
--with-tls \
--with-largefile \
--with-welcomemsg \
--with-uploadscript \
--with-cookie \
--with-virtualhosts \
--with-virtualroot \
--with-diraliases \
--with-quotas \
--with-sysquotas \
--with-ratios \
--with-ftpwho \
--with-throttling \
--sysconfdir=${PREFIX}/etc
make WITH_MYSQL=1 \
WITH_LANG=simplified-chinese
make install
make clean
make rmconfig
cd /usr/local/etc
cp pureftpd-mysql.conf.sample pureftpd-mysql.conf
cp pure-ftpd.conf.sample pure-ftpd.conf
ee /usr/local/etc/pure-ftpd.conf
安装参数详解
--with-everything: 编译一个几乎所有特性都开启的“大”服务器。
--with-paranoidmsg: 当该参数被开启,不论何种原因登录失败都将显示同样的信息给用户。不开启该参数是,密码问题将显示“验证失败”,被禁止用户将显示“对不起,我不信任你”。
--with-virtualchroot:通常一个用户使用chrooted(使用-A 和 -a 参数)命令不会转出他的home目录。开启该功能之后将使其成为可能:符号连接总是一起作用,甚至他们指向的目录不在用户的home目录内。这对于共享路径是一个非常拥有的功能(例如,每一个home目录下都有一个符号连接到/var/incoming)。该功能默认不开启。
--with-tls \
--with-largefile: 支持在32位架构下下载大于2 gigabytes 的文件。通过FTP传输一个如此之大的文件是一个较为奇怪的主意。并且你的文件系统,你的系统内核、你的FTP客户端也需要支持才行。并且当该功能被开启后,下载将会比不开启变慢(或需要耗费更多的CPU)。简单的说,不要应为好玩而开启该功能,除非你真的计划下载大于gigabytes的文件。
--with-welcomemsg: (为兼容)其它FTP服务器pure-ftp可以阅读 'welcome.msg' 。这是一个安全的缺陷(匿名用户可以上载'welcome.msg'文件到随机显示)。Pure-ftpd 默认使用 '.banner'文件。
--with-uploadscript: 自从0.98版开始, Pure-FTPd 开始关注上传。当一个上传成功完成之后,任何额外的程序或脚本可以被自动启动。该功能需要一个称为“pure-uploadscript”的程序安装在Pure-FTPd包内。
--with-cookie: 在用户登录的时候显示随机或定制的信息。
--with-virtualhosts: 支持虚拟主机。这意味着每个IP地址可以有不同的匿名FPT区域。如果服务器只有一个IP地址,就不需要该功能。但是如果有多个IP地址,并且需要一个客户端连接到IP xxx 去获得/etc/pure-ftpd/xxx/而不是~ftp/,就可以开启该功能。
--with-virtualroot \ //虚拟root支持
--with-diraliases: 支持路径的别名。
--with-quotas: 开启虚拟限额,可以限制一个用户可以在他的帐号下存储的最大数字,也可以限制总的大小。
--with-sysquotas: 支持系统限额(非Pure-ftpd的虚拟限额)。只有在计划使用系统限额的时候启用。
--with-ratios: 支持上传/下载比。
--with-ftpwho: 支持'pure-ftpwho' 命令。开启这个功能需要额外的内存。当pure-ftp运行在standalone模式时比较好,在inetd模式下启用较慢。
--with-throttling: 支持带宽限制。
其它参数
--with-altlog: 除了系统输出,还支持一些特殊的文件格式,目前已实现了:CLF, Stats, W3C 和 xferlog 格式
CLF (通用日志格式)是Apache, WebFS, Roxen以及其它最常用 web 服务器的基本格式;该日志文件仅仅记录文件传输,可以被web流量统计软件(Analog, Webalizer, etc.) 所分析。Stats格式是一种专门为日志文件分析软件设计的特殊输出格式。W3C格式是一种商业日志分析软件(所有支持IIS日志的分析器)的标准格式。Xferlog 是一种源于wu-ftpd的格式。
--with-brokenrealpath: 一些 Solaris 版本中realpath()运行不可靠。如果altlog和(或)pure-uploadscript没有很好的运行,请用这个参数重新编译。
--with-certfile=;: 该file用来做SSL认证,默认为 /etc/ssl/private/pure-ftpd.pem .
--with-extauth: 支持额外的校验模块。大多数用户不需要此参数。.
所支持语言
--with-language=english
--with-language=german
--with-language=romanian
--with-language=french
--with-language=polish
--with-language=spanish
--with-language=danish
--with-language=italian
--with-language=brazilian-portuguese
--with-language=slovak
--with-language=dutch
--with-language=korean
--with-language=swedish
--with-language=norwegian
--with-language=russian
--with-language=traditional-chinese
--with-language=simplified-chinese
--with-language=hungarian
--with-language=catalan
--with-language=czech: change the language of server messages.
默认为英语。
--with-ldap: 支持原始的LDAP路径。当该功能被开启,系统帐号将被忽略。你同时需要使用OpenLDAP。如果OpenLDAP被安装在一个特定的位置,你可以使用--with-ldap=; 的参数。
--with-minimal: 为了有效运用现代FTP客户端的功能,Pure-FTPd采用基本的FTP协议加扩展(SITE IDLE,SITE CHMOD, MLSD, ...)的方式 。使用 --with-minimal 参数,这些扩展间不会被编译。同样的,也就不会有standalone server, 不会有lookup for user/group names, 不会有 humor也不会有 ASCII 的支持。但是执行文件将会比默认安装更小。该参数你至少需要GCC 3.3 以上来编译。如果你还想减少(执行)文件大小,可以采用--without-globbing 关联--with-minimal参数。如果你建立一个嵌入系统,可以这样使用;在其它场合,为了避免客户的抱怨(特别是使用windows客户端的客户),请忘记它吧
--with-mysql: 使用MySQL来提供用户数据库。当开启该参数,系统帐号被忽略。使用该功能MySQL 客户端的库文件将被安装。如果MySQL安装在特殊位置,可以使用--with-mysql=; 语法。
--with-nonroot: 设置服务以非root特权用户启动。任何普通用户都可以运行服务。这对于在服务器上只有一个受限帐号的情况非常有用。但是一些特性将不能使用,而且密码只能通过LDAP,SQL或PureDB进行校验。当虚拟 chroot 被开启,用户将被限制在服务启动的目录。这是一种不安全的模式,一般用于普通(非root)用户建立临时性的服务器。在standalone模式下,2121端口将被侦听。如果想采用nonroot模式,需要编译并安装该软件(./configure --prefix=... && make install-strip) . /sbin, /bin and /man 目录需要被写入 prefix,同时还需要增加运行pure-ftpd用户在 /etc 目录的读写权限。
--with-pam: 使用紧密校验模式。Don't use this option if your login/passwd pairs are always refused (but the real fix would be to
fix your PAM configuration). 需要创建一个 /etc/pam.d/pure-ftpd 文件来运用PAM校验。'pam' 路径中包含该文件的一个样本。
--with-peruserlimits: 开启每用户同时在线限制,在繁忙的服务器上避免该参数。
--with-pgsql: 使用 Postgres 提供用户数据库。当开启该参数,系统帐号将被忽略,Postgres客户端库将被安装。如果Postgres安装与特殊位置,可以使用--with-pgsql=; 语法。
--with-probe-random-dev: Pure-FTPd 使用 /dev/arandom, /dev/urandom 或者/dev/random 设备来提供严格的随机数字。这些设备通常在编译时被探测。如果想编译一个二进制包在其它主机上运行,该参数将在运行时被探测。该参数在Linux和BSD系统上无效,但可以使用在Solaris 和 QNX上。
--with-puredb: 支持虚拟用户,一个本地的用户数据库,不用于系统帐号。
--with-boring: 显示 "professionnal-looking" 信息。
--with-privsep: 开启权限分离。
--withrendez-vous: 允许在MacOS X上支持Rendezvous。
--without-ascii: 不支持 7-bits 传输 (ASCII)。如果有客户使用windows客户端程序发送脚本和HTML文件,不要使用 该参数或让他们对你大叫。
--without-banner: 不使用初始标语,这是一种通过隐瞒获得的愚蠢的安全。
--without-capabilities: 如果性能库 (libcap) 被找到,Pure-FTPd 将使用其提供安全性。该参数不测试这个库是否存在。如果性能库没有正常工作,可以到ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/ 下载。
--without-globbing: 不包括全局代码。能够减少内存消耗但经常不能工作。大多数用户不需要使用--without-globbing。Globbing是一个不错的功能。
--without-humor: 如果你没有查看过源代码而使用这个参数,就只好祝你幸运了。
--without-inetd: 如果Pure-FTPd总是运行在standalone模式下,这个参数可以节约一些代码字节。不要同时使用 --without-inetd和
--without-standalone参数,可能会导致服务不能运行。这些参数在Pure-FTPd的二进制分发包上都没有使用,所以inetd和standalone都被支持。
--without-iplogging: 为了保守机密而不记录任何IP地址,除非是政治敏感的服务器。
--without-nonalnum: 非法文件名检查。只支持基本的字符。不要盲目的使用这个参数,或者接受用户的抱怨。
--without-unicode: 不接受非拉丁字符。如果服务器文件名不含特殊字符则推荐使用。
--without-sendfile: 在Linux, Solaris, HPUX 和 FreeBSD 内核, Pure-FTPd采用特殊系统调用(sendfile)尝试减少CPU和内存的使用。在大多数文件系统中该方式运行良好,但该优化并不能在所有文件系统中正常工作。用户曾经报告过SMBFS(Samba)在FreeBSD以及TmpFS和NTFS在Linux(服务器报告错误为“broken pipe”或“Error during write to data connection”)上通过Pure-FTPd下载文件失败。如果计划在上述文件系统中运行服务,就不得不使用
--without-sendfile 参数来定义一个工作区。同样来自PA-Risc Linux 的系统也需要这个参数。
--without-shadow: 忽略shadow密码,即使他们被自动探测到。这通常是一个坏主意,除非使用的是PAM, LDAP 或 SQL。Pure-FTPd 支持shadow密码有效期 (包括帐号和密码)。.
--without-standalone: FTP 服务器能够正常地以 standalone 模式运行(没有任何超级服务)。如果不需要该功能并且想要节省一些代码字节的话,就可以开启该参数。一个类似于g2s, xinetd或tcpserver 的超级服务将强制运行该服务,但是推荐使用standalone模式。
--without-usernames: 从不在在路径列表里输出用户和组名,而代之以UIDs和GIDs。这将提高安全和性能,但会有用户觉得不够友好。
--without-capabilities: 如果性能库 (libcap) 被找到,Pure-FTPd 将使用其提供安全性。该参数不测试这个库是否存在。如果性能库没有正常工作,可以到ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/ 下载。
--without-usernames: 从不在在路径列表里输出用户和组名,而代之以UIDs和GIDs。这将提高安全和性能,但会有用户觉得不够友好。
"--prefix=" 改变安装路径,默认为 "/usr/local/".
配置文件详解
pure-ftpd.conf
ChrootEveryone yes
chroot每一个用户,等同于Proftpd 中的DefaultRoot~ , 可以限制用户在某个地方活动,增强服务器的安全性。使用户不能通过cd命令进入上一级目录。
TrustedGID 50
#以上两者要一起用
BrokenClientsCompatibility no
MaxClientsNumber 50
#最大链接数
Daemonize yes
#Fork in background 以守护进程方式在后台运行
MaxClientsPerIP 5
#每个ip最多链接数,最好设小点。
VerboseLog no
#是否要把所有client端的指令都log下来
DisplayDotFiles no
#显示开头的文件
AnonymousOnly no
#是否只让匿名登录
NoAnonymous no
#不开放匿名登入
SyslogFacility ftp
#应该是对日志做一下过滤 (auth, authpriv, daemon, ftp, security, user, local*)可以让日志只记录想要的信息
DontResolve yes
#不反向解释客户端的ip
MaxIdleTime 5
#最大闲置時間
#LDAPConfigFile /usr/local/pureftpd/etc/pureftpd-ldap.conf
#使用LDAP认证,
MySQLConfigFile /usr/local/pureftpd/etc/pureftpd-mysql.conf
#使用MySQL认证
#PGSQLConfigFile /usr/local/pureftpd/etc/pureftpd-pgsql.conf
#使用PGSQL认证
#PureDB /ftp/etc/pureftpd.pdb
#使用者资料的DB存放地点 [由于我是用PureFTPD的內建DB.固有此选项]
#ExtAuth /var/run/ftpd.sock
#pure-authd socket 路径 (详细请看 README.Authentication-Modules)
#PAMAuthentication yes
#开启PAM认证
#UnixAuthentication yes
#如果你想要有简单的Unix(/etc/passwd)的认证的話
FortunesFile /usr/local/pureftpd/etc/.welcome
#显示的欢迎信息文件,你可以创建该文件,输入一些文字,然后你重启你的FTP服务,就会有意外的发现。
LimitRecursion 2000 8
#ls最多列出3000个文件.最深8层
AnonymousCanCreateDirs no
#匿名用户可以创建目录
MaxLoad 4
#当system load超过4時.使用者将不能再下载
PassivePortRange 30000 50000
#被动连接应答范围
ForcePassiveIP 192.168.0.1
#
AnonymousRatio 1 10
#Anonymous连接上传/下载比率
UserRatio 1 10
#用户上传/下载比率(注:如果使用ldap,mysql,pgsql,pam不要启用该功能,否则你在ldap等中设置的Ratio无校)
AntiWarez no
#上传的文件不能被下载(owner is ftp).等到local admin确认
Bind 127.0.0.1,8021
#要绑定和ip/port,在你的系统中有两个FTP Server这样你其中一个FTP就要使用其它端口。
#格式->; 127.0.0.1,21 如果只写port表All ip,port
AnonymousBandwidth 8
#Anonymous 带宽,单位KB/s
UserBandwidth 8
#用户带宽,单位KB/s
Umask 133:022
#上传文件的Umask.(;:; )
MinUID 1000
# UID至少多少才能登录
AllowUserFXP yes
#支不支持FXP
AllowAnonymousFXP no
#Anonymous支不支持FXP
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
#(”.”)开头的文件能不能被读/写,UNIX Like下以点开头的文件是隐藏文件ls –a才能列出
#Pureftpd Quota模式下做产生” .ftpquota”文件。
AutoRename no
#上传文件若有相同文件名自动改名(file.1,file.2...)
AnonymousCantUpload no
#匿名用户上传文件
TrustedIP 10.1.1.1
#锁IP.
LogPID
#Log文件添加PID
AltLog stats:/ftp/etc/log/pureftpd.log
#log存放地点,注日志有几种常用的格式
#clf 类似apache格式,stats UNIX log格式,w3c 标准W3C格式,可能是HTML格式
NoChmod yes
#不给Chmod指令的权限
KeepAllFiles no
#使用者可续传.但不可刪除文件
CreateHomeDir yes
#如果user的home不存在自动建立(我把这个设为YES)
Quota 1000:10
#Quota ;:;,FTP限制10M空间,可以上传1000个文件(注:如果使用ldap,mysql,pgsql,pam不要启用该功能,否则你在ldap等中设置的Quota无校)
PIDFile /ftp/etc/log/pure-ftpd.pid
#记录pure-ftpd的PID文件
CallUploadScript yes
#呼叫UploadScript
MaxDiskUsage 99
#当硬盘使用率到多少時将停止上传
NoRename yes
#用户不能重命名文件名
CustomerProof yes
PerUserLimits 3:20
#;
pureftpd-mysql.conf
MYSQLServer 127.0.0.1
#MYSQL服务器的 IP
MYSQLPort 3306
#MYSQL 端口号
MYSQLSocket /var/lib/mysql/mysql.sock
#使用UNIX.sock本地连接
注:MYSQLServer 与 MYSQLSocket 选择一种即可
MYSQLUser ftp
#MYSQLUser 数据用户名
MYSQLPassword 123456
#MYSQL数据库用户的密码
MYSQLDatabase ftpusers
#FTP数据数据库
MYSQLCrypt md5
#密码加密方式"cleartext", "crypt", "md5" and "password"
# cleartext 明文,crypt,md5,password是Backend password(‘your-passwd’)函数(MYSQL数据库所使用的password()函数)
MYSQLGetPW SELECT Password FROM users WHERE User="\L"
# 密码字段,我使用users表中的Password做为密码字段
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
#UID用户ID字段
MYSQLDefaultUID 1000
#默认的UID (注:如何开启该选项,MYSQLGetUID将失去作用)
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
#GID组ID字段
MYSQLDefaultGID 1000
#默认的GID (注:如何开启该选项,MYSQLGetGID将失去作用)
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
#FTP用户目录如/home/web/www-9812-net
MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L"
#磁盘限额,文件数限制。如1000,允许用户上传1千个文件
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"
#磁盘限额,FTP用户空间限制(单位为M),如:100M
MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"
#上传/下载比率。MySQLGetRatioUL为上传比,MySQLGetRatioDL下载比。如:1:5
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"
#下传/下载带宽(单位KB/s)。MySQLGetBandwidthUL上传带宽,MySQLGetBandwidthDL下载带宽。如上传500KB/s,下载50KB/s
MySQLForceTildeExpansion 1
MySQLTransactions On
配置文件实例
pure-ftpd.conf配置文件
###############################################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
###############################################################################
# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf
#
# RPM binary files use another configuration file by default :
# /etc/sysconfig/pure-ftpd
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.
# Cage in every user in his home directory
ChrootEveryone yes
# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# TrustedGID 100
# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility no
# Maximum number of simultaneous users
MaxClientsNumber 50
# Fork in background
Daemonize yes
# Maximum number of sim clients with the same IP address
MaxClientsPerIP 8
# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog no
# List dot-files even when the client doesn't send "-a".
DisplayDotFiles yes
# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly no
# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous no
# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
SyslogFacility ftp
# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy
# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve yes
# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime 15
# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pureftpd-ldap.conf
LDAPConfigFile /usr/local/pureftpd/etc/pureftpd-ldap.conf
# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pureftpd-mysql.conf
MySQLConfigFile /usr/local/pureftpd/etc/pureftpd-mysql.conf
# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pureftpd-pgsql.conf
PGSQLConfigFile /usr/local/pureftpd/etc/pureftpd-pgsql.conf
# PureDB user database (see README.Virtual-Users)
# PureDB /etc/pureftpd.pdb
PureDB /usr/local/pureftpd/etc/pureftpd.pdb
# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock
# If you want to enable PAM authentication, uncomment the following line
# PAMAuthentication yes
# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes
# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.
# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8
# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs no
# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad 4
# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1
# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10
# Upload/download ratio for all users.
# This directive superscedes the previous one.
# UserRatio 1 10
# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes
# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21
Bind 127.0.0.1,8021
# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8
# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8
# File creation mask. ;:; .
# 177:077 if you feel paranoid.
Umask 133:022
# Minimum UID for an authenticated user to log in.
MinUID 100
# Allow FXP transfers for authenticated users only.
AllowUserFXP yes
# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP no
# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite no
# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead no
# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
AutoRename no
# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload no
# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
#TrustedIP 10.1.1.1
# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID yes
# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log
#AltLog stats:/var/log/pureftpd.log
# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log
# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod yes
# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles yes
# Automatically create home directories if they are missing
#CreateHomeDir yes
# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota 1000:10
# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#PIDFile /var/run/pure-ftpd.pid
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript yes
# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
MaxDiskUsage 99
# Set to 'yes' if you don't want your users to rename files.
#NoRename yes
# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
CustomerProof yes
# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : ;:;
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20
pureftpd-mysql.conf配置文件
###############################################################################
# #
# Sample Pure-FTPd Mysql configuration file. #
# See README.MySQL for explanations. #
# #
###############################################################################
# Optional : MySQL server name or IP. Don't define this for unix sockets.
#MYSQLServer 127.0.0.1
# Optional : MySQL port. Don't define this if a local unix socket is used.
#MYSQLPort 3306
# Optional : define the location of mysql.sock if the server runs on this host.
MYSQLSocket /var/lib/mysql/mysql.sock
# Mandatory : user to bind the server as.
MYSQLUser pureftpd
# Mandatory : user password. You must have a password.
MYSQLPassword qKiscCbwbXAkWp.
# Mandatory : database to open.
MYSQLDatabase pureftpd
# Mandatory : how passwords are stored
# Valid values are : "cleartext", "crypt", "md5" and "password"
# ("password" = MySQL password() function)
# You can also use "any" to try "crypt", "md5" *and* "password"
#MYSQLCrypt leartext
MYSQLCrypt crypt
# In the following directives, parts of the strings are replaced at
# run-time before performing queries :
#
# \L is replaced by the login of the user trying to authenticate.
# \I is replaced by the IP address the user connected to.
# \P is replaced by the port number the user connected to.
# \R is replaced by the IP address the user connected from.
# \D is replaced by the remote IP address, as a long decimal number.
#
# Very complex queries can be performed using these substitution strings,
# especially for virtual hosting.
# Query to execute in order to fetch the password
MYSQLGetPW SELECT Password FROM users WHERE User="\L"
# Query to execute in order to fetch the system user name or uid
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
# Optional : default UID - if set this overrides MYSQLGetUID
#MYSQLDefaultUID 1000
# Query to execute in order to fetch the system user group or gid
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
# Optional : default GID - if set this overrides MYSQLGetGID
#MYSQLDefaultGID 1000
# Query to execute in order to fetch the home directory
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
# Optional : query to get the maximal number of files
# Pure-FTPd must have been compiled with virtual quotas support.
MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L"
# Optional : query to get the maximal disk usage (virtual quotas)
# The number should be in Megabytes.
# Pure-FTPd must have been compiled with virtual quotas support.
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"
# Optional : ratios. The server has to be compiled with ratio support.
# MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
# MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"
# Optional : bandwidth throttling.
# The server has to be compiled with throttling support.
# Values are in KB/s .
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"
# Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
# 1) You know what you are doing.
# 2) Real and virtual users match.
# MySQLForceTildeExpansion 1
# If you upgraded your tables to transactionnal tables (Gemini,
# BerkeleyDB, Innobase...), you can enable SQL transactions to
# avoid races. Leave this commented if you are using the
# traditionnal MyIsam databases or old (;
DocumentRoot "/home/chb/ftp"
ServerName www.chb.com
;
allow from all
Options +Indexes
;
;
#######################增加二级登陆密码以增强安全性############################
ee /web/ftp/.htaccess
添加以下内容
AuthType Basic
AuthUserFile /usr/local/etc/pureftpd.passwd
AuthName FTP服务器后台管理登陆界面
require valid-user
satisfy any
cd /web/chinaPHP_Manager/ftp
chown www .htaccess
chmod 644 .htaccess
touch pureftpd.passwd
htpasswd -bc /usr/local/etc/pureftpd.passwd 用户名 123456
chmod 644 /usr/local/etc/pureftpd.passwd
###################################增加ftp启动项###############################
ee /etc/rc.conf
添加
pureftpd_enable="YES"
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/19810/showart_118786.html |
|