Test environment: VMware Server 1.09, CentOS 5.3
vsftpd.conf official documentation: http://vsftpd.beasts.org/vsftpd_conf.html
or man vsftpd.conf
# yum install vsftpd
# updatedb
# locate vsftpd
locate shows the vsftpd documentation under /usr/share/doc/vsftpd-2.0.5/EXAMPLE/, which contains:
INTERNET_SITE            vsftpd run from xinetd (inetd mode)
INTERNET_SITE_NOINETD    vsftpd run as a standalone daemon
VIRTUAL_HOSTS            virtual host configuration
VIRTUAL_USERS            virtual user configuration
VIRTUAL_USERS_2          advanced virtual user configuration (per-user permissions)
I prefer standalone mode here, so I just take the config from INTERNET_SITE_NOINETD:
# cp /usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf /etc/vsftpd/
cp: overwrite `/etc/vsftpd/vsftpd.conf'? y
The configuration is as follows:
-------------------------------------
# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
------------------------------------
# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
# netstat -tnlp |grep :21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2243/vsftpd
That gives an FTP server that accepts only anonymous logins and only allows downloads (anonymous_enable=YES, local_enable=NO, write_enable=NO).
Next, add virtual-user logins.
# cd /usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS
# ls
logins.txt README README.dir vsftpd.conf vsftpd.pam vsftpd.pam.dir
# cat README | more      (just follow the README step by step)
Step 1) Create the virtual users database.
Edit logins.txt and add your users and passwords. The lines alternate: an odd line is a username and the even line after it is that user's password.
# cat logins.txt
tom
foo
fred
bar
Generate the database file:
# db_load -T -t hash -f logins.txt /etc/vsftpd/login.db
If db_load is not found, install the package that provides it: yum install db4-utils
Restrict the permissions of the database. It stores the passwords in plaintext (pam_userdb compares them as-is unless crypt= is set), as does logins.txt, so protect or delete that file too:
# chmod 600 /etc/vsftpd/login.db
Step 2) Create a PAM file which uses your new database.
Add the following two lines to /etc/pam.d/vsftpd. The db= argument is the path without the .db suffix. The module path is optional: without it PAM searches its own module directory (/lib64/security on x86_64), so a bare pam_userdb.so works on both 32- and 64-bit hosts.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
# vi /etc/pam.d/vsftpd
Comment out the following lines; they would reject users that do not exist in /etc/passwd or have no valid shell:
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
Alternatively, copy vsftpd.pam from the example directory over /etc/pam.d/vsftpd.
Step 3) Set up the location of the files for the virtual users.
# useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------ 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite
We have created a user called "virtual" with a home directory "/home/ftpsite".
Let's add some content to this download area:
# cp /etc/hosts /home/ftpsite
# chown virtual.virtual /home/ftpsite/hosts
With these permissions there is still a problem: after logging in over FTP you cannot see the contents. The cause is anon_world_readable_only=YES, under which vsftpd only lists and serves files and directories that are world-readable, and /home/ftpsite is mode 700. So you may need to change the directory permissions, e.g. chmod o+r /home/ftpsite:
drwx---r-- 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite
so that "other" can read it (files inside must be world-readable as well).
Alternatively, set anon_umask=073 so that files uploaded over FTP are created with mode 0604, i.e. world-readable; the default anon_umask of 077 creates 0600 files that virtual users then cannot download.
Step 4) Create your vsftpd.conf config file.
See the example in this directory. Let's go through it line by line:
anonymous_enable=NO
local_enable=YES
This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use).
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
These ensure that for security purposes, no write commands are allowed.
chroot_local_user=YES
This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above.
guest_enable=YES
guest_username=virtual
The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.
About pam_service_name:
This string is the name of the PAM service vsftpd will use.
Default: ftp
Because my PAM file is named vsftpd, the following setting is required (the stock CentOS vsftpd.conf sets it, but the example file we copied over it does not):
pam_service_name=vsftpd
Alternatively, rename /etc/pam.d/vsftpd to /etc/pam.d/ftp, and then pam_service_name need not be set at all.
Also comment out one_process_model=YES (the default is NO). vsftpd only permits it on anonymous-only servers; combined with local_enable=YES it aborts with 500 OOPS: vsftpd: security: 'one_process_model' is anonymous only
Restart the FTP service to test:
# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
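Putting steps 1, 2 and 4 together, here is an added helper script. It is not part of the original post or of the vsftpd package; the paths follow the post, while the user:password input format and the function names are my own. It builds logins.txt from a user list (refusing usernames that would shift the user/password pairing), runs db_load when it is installed, writes the PAM file, and checks a vsftpd.conf for the two mistakes this walkthrough runs into: one_process_model=YES together with local_enable=YES, and guest_enable=YES without local_enable=YES.

```shell
#!/bin/sh
# Added example (not from the original post or the vsftpd package):
# helpers for the virtual-user steps above. Paths follow the post; the
# "user:password" list format and the function names are my own.

# write_logins SRC DST
#   SRC: one "user:password" per line (constructed input, not real credentials).
#   DST: the alternating username/password layout db_load expects.
#   Usernames are limited to [A-Za-z0-9._-]; a stray ':' or space would
#   otherwise shift the pairs and turn a password into a username.
write_logins() {
    src=$1; dst=$2
    : > "$dst"
    chmod 600 "$dst"                      # plaintext passwords: owner-only
    while IFS=: read -r user pass; do
        [ -z "$user" ] && continue        # skip blank lines
        case $user in
            *[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;;
        esac
        [ -z "$pass" ] && { echo "empty password for $user" >&2; return 1; }
        printf '%s\n%s\n' "$user" "$pass" >> "$dst"
    done < "$src"
}

# build_db LOGINS DBBASE -> writes DBBASE.db (PAM refers to DBBASE without .db)
build_db() {
    logins=$1; dbbase=$2
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not found: yum install db4-utils" >&2
        return 2
    fi
    db_load -T -t hash -f "$logins" "$dbbase.db" && chmod 600 "$dbbase.db"
}

# write_pam PAMFILE DBBASE
#   No module path: PAM searches its own module directory (/lib64/security
#   on x86_64), so the same file works on 32- and 64-bit hosts.
write_pam() {
    pamfile=$1; dbbase=$2
    printf '#%%PAM-1.0\nauth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' \
        "$dbbase" "$dbbase" > "$pamfile"
}

# conf_yes CONF KEY -> true if KEY is set to a true value. vsftpd accepts
#   YES/TRUE/1 case-insensitively and does not strip trailing blanks.
conf_yes() {
    grep -Eiq "^$2=(YES|TRUE|1)$" "$1"
}

# check_conf CONF -> 0 if consistent, 1 with a diagnostic otherwise
check_conf() {
    conf=$1
    if conf_yes "$conf" one_process_model && conf_yes "$conf" local_enable; then
        echo "one_process_model=YES is anonymous-only: remove it for virtual users" >&2
        return 1
    fi
    if conf_yes "$conf" guest_enable && ! conf_yes "$conf" local_enable; then
        echo "guest_enable=YES needs local_enable=YES (virtual users take the local-login path)" >&2
        return 1
    fi
    return 0
}

# Usage, as in the post (run as root):
#   write_logins users.txt logins.txt && build_db logins.txt /etc/vsftpd/login
#   write_pam /etc/pam.d/vsftpd /etc/vsftpd/login
#   check_conf /etc/vsftpd/vsftpd.conf || exit 1
```

check_conf only reads the main file; an override in user_config_dir cannot flip local_enable, so the two rules above are the ones worth checking before a restart.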
That completes virtual-user authentication. To give different virtual users different permissions, continue with /usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2/README:
Step 1) Activate per-user configurability.
To activate this powerful vsftpd feature, add the following to
/etc/vsftpd.conf:
user_config_dir=/etc/vsftpd_user_conf
And, create this directory:
# mkdir /etc/vsftpd_user_conf
Step 2) Give tom the ability to read all files / directories.
The permissions already in vsftpd.conf are:
write_enable=NO               master switch for every FTP write command; NO overrides all the anon_*_write settings
anon_upload_enable=NO         uploading files (STOR)
anon_mkdir_write_enable=NO    creating directories (MKD)
anon_other_write_enable=NO    other writes, such as delete and rename (DELE, RNFR/RNTO)
anon_world_readable_only=YES  only world-readable files and directories may be listed and downloaded
At the end of the last example, we noted that the virtual users can only
see world-readable files and directories. We could make the /home/ftpsite
directory world readable, and upload files with world-read permission. But
another way of doing this is giving tom the ability to download files which
are not world-readable.
The README's override gives tom read access to every file and directory, including ones that are not world-readable; it grants no write permission of any kind.
For the tom user, supply a config setting override for
anon_world_readable_only:
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom
Step 3) Give fred the ability to read all files / directories and create
new ones but not interfere with existing files.
Give fred browse, download and upload rights, but not the right to create directories or delete files:
echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/fred
echo "write_enable=YES" >> /etc/vsftpd_user_conf/fred
echo "anon_upload_enable=YES" >> /etc/vsftpd_user_conf/fred
Check it out - login as tom and you can't upload. Log in as fred and you can!
Try and delete a file as both tom and fred - you can't.
If fred should also be allowed to create directories and delete or rename files, append these two lines to /etc/vsftpd_user_conf/fred as well:
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
How do you give each virtual user a directory of their own?
user_sub_token
This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.
First change the home directory of the virtual user. The literal string $USER must end up in /etc/passwd, so either edit the line there or, more safely, run usermod -d '/home/ftpsite/$USER' virtual (single quotes keep the shell from expanding $USER). The resulting passwd line:
virtual:x:501:501::/home/ftpsite/$USER:/bin/bash
Then add user_sub_token=$USER to vsftpd.conf (/etc/vsftpd/vsftpd.conf on CentOS; the README calls it /etc/vsftpd.conf).
Create a directory named after each user under /home/ftpsite (e.g. /home/ftpsite/tom, /home/ftpsite/fred), owned by virtual and readable by others like /home/ftpsite above; a user whose directory is missing cannot log in, because the chdir into the chroot fails. After restarting the service each virtual user lands in their own directory.
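The per-user overrides from VIRTUAL_USERS_2 and the per-user directories for user_sub_token, as one added helper script. It is not from the original post or from vsftpd; the role names readonly/download/upload/full are my own shorthand for the key combinations used above, and the directory layout follows the post (/etc/vsftpd_user_conf and /home/ftpsite/$USER).

```shell
#!/bin/sh
# Added example (not from the original post or from vsftpd): per-user
# override files for user_config_dir and the per-user directories that
# user_sub_token=$USER expects. Role names are my own shorthand.

# user_conf DIR USER ROLE
#   Writes DIR/USER, the override vsftpd loads for USER when user_config_dir=DIR.
#   Only the keys the post uses are emitted; anything else keeps the value
#   from the main vsftpd.conf.
user_conf() {
    dir=$1; user=$2; role=$3
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;;  # also blocks ../ paths
    esac
    f=$dir/$user
    case $role in
        readonly)  # main conf as-is: list and fetch world-readable files only
            : > "$f" ;;
        download)  # tom: read every file, even non world-readable ones
            printf 'anon_world_readable_only=NO\n' > "$f" ;;
        upload)    # fred: download + create new files; no mkdir/delete/rename
            printf 'anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n' > "$f" ;;
        full)      # upload + mkdir + delete/rename
            printf 'anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$f" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    chmod 644 "$f"
}

# user_home BASE USER [OWNER]
#   Creates BASE/USER (e.g. /home/ftpsite/fred), the directory the virtual
#   user is chroot()ed into when guest_username's home is BASE/$USER and
#   user_sub_token=$USER. OWNER (virtual in the post) is applied only when
#   given, so the function can also be exercised without root.
user_home() {
    base=$1; user=$2; owner=$3
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;;
    esac
    mkdir -p "$base/$user" || return 1
    chmod 755 "$base/$user"   # world-readable, so anon_world_readable_only=YES users can list it
    if [ -n "$owner" ]; then chown "$owner:$owner" "$base/$user" || return 1; fi
}

# can_write DIR USER -> true if USER's override file turns write_enable on
can_write() {
    grep -Eiq '^write_enable=(YES|TRUE|1)$' "$1/$2" 2>/dev/null
}

# Usage, as in the post (run as root):
#   user_conf /etc/vsftpd_user_conf tom download
#   user_conf /etc/vsftpd_user_conf fred upload
#   user_home /home/ftpsite tom virtual; user_home /home/ftpsite fred virtual
```

can_write inspects the override only; the effective value also depends on the main file (write_enable=NO there is what the readonly role relies on). One caveat that does not apply to the 2.0.5 in the post: from vsftpd 2.3.5 on, a chroot root that is writable by the FTP user (which the upload and full roles make /home/ftpsite/$USER) is refused at login unless allow_writeable_chroot=YES is set.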
How do you restrict which file types can be uploaded?
deny_file={*.mp3,*.avi}
Note the braces: vsftpd only splits a deny_file pattern list on the commas inside {...}, so a bare *.mp3,*.avi would match only a file literally named that. deny_file blocks every access to matching names (download and directory listing as well as upload), and it is a name-based filter rather than a content check: an MP3 uploaded as song.dat is not blocked.
[This post was last edited by tenhlf on 2009-9-16 23:13]