为什么vsftpd改成xinetd后登录慢30秒左右（已解决）

wlacf

如题，安装最新的vsftpd tar包2.1.0后，standalone运行登录5秒内就登录成功，如果改成xinetd后就变成30秒左右。有什么办法吗，日志没什么有用的信息。下面是我的vsftpd.conf，麻烦帮忙看看。

1. 
   
2. [root@www ~]# cat /etc/vsftpd.conf
   
3. # Example config file /etc/vsftpd.conf
   
4. #
   
5. # The default compiled in settings are fairly paranoid. This sample file
   
6. # loosens things up a bit, to make the ftp daemon more usable.
   
7. # Please see vsftpd.conf.5 for all compiled in defaults.
   
8. #
   
9. # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
   
10. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    
11. # capabilities.
    
12. #
    
13. # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    
14. #anonymous_enable=YES
    
15. anonymous_enable=NO
    
16. #
    
17. # Uncomment this to allow local users to log in.
    
18. #local_enable=YES
    
19. local_enable=NO
    
20. #
    
21. # Uncomment this to enable any form of FTP write command.
    
22. #write_enable=YES
    
23. write_enable=YES
    
24. #
    
25. # Default umask for local users is 077. You may wish to change this to 022,
    
26. # if your users expect that (022 is used by most other ftpd's)
    
27. #local_umask=022
    
28. local_umask=022
    
29. #
    
30. # Uncomment this to allow the anonymous FTP user to upload files. This only
    
31. # has an effect if the above global write enable is activated. Also, you will
    
32. # obviously need to create a directory writable by the FTP user.
    
33. #anon_upload_enable=YES
    
34. #
    
35. # Uncomment this if you want the anonymous FTP user to be able to create
    
36. # new directories.
    
37. #anon_mkdir_write_enable=YES
    
38. #
    
39. # Activate directory messages - messages given to remote users when they
    
40. # go into a certain directory.
    
41. dirmessage_enable=YES
    
42. #
    
43. # Activate logging of uploads/downloads.
    
44. xferlog_enable=YES
    
45. #
    
46. # Make sure PORT transfer connections originate from port 20 (ftp-data).
    
47. connect_from_port_20=YES
    
48. #
    
49. # If you want, you can arrange for uploaded anonymous files to be owned by
    
50. # a different user. Note! Using "root" for uploaded files is not
    
51. # recommended!
    
52. #chown_uploads=YES
    
53. #chown_username=whoever
    
54. #
    
55. # You may override where the log file goes if you like. The default is shown
    
56. # below.
    
57. #xferlog_file=/var/log/vsftpd.log
    
58. xferlog_file=/var/log/vsftpd.log
    
59. #
    
60. # If you want, you can have your log file in standard ftpd xferlog format.
    
61. # Note that the default log file location is /var/log/xferlog in this case.
    
62. #xferlog_std_format=YES
    
63. xferlog_std_format=YES
    
64. #
    
65. # You may change the default value for timing out an idle session.
    
66. #idle_session_timeout=600
    
67. idle_session_timeout=600
    
68. #
    
69. # You may change the default value for timing out a data connection.
    
70. #data_connection_timeout=120
    
71. data_connection_timeout=12000
    
72. #
    
73. # It is recommended that you define on your system a unique user which the
    
74. # ftp server can use as a totally isolated and unprivileged user.
    
75. #nopriv_user=ftpsecure
    
76. #
    
77. # Enable this and the server will recognise asynchronous ABOR requests. Not
    
78. # recommended for security (the code is non-trivial). Not enabling it,
    
79. # however, may confuse older FTP clients.
    
80. #async_abor_enable=YES
    
81. #
    
82. # By default the server will pretend to allow ASCII mode but in fact ignore
    
83. # the request. Turn on the below options to have the server actually do ASCII
    
84. # mangling on files when in ASCII mode.
    
85. # Beware that on some FTP servers, ASCII support allows a denial of service
    
86. # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    
87. # predicted this attack and has always been safe, reporting the size of the
    
88. # raw file.
    
89. # ASCII mangling is a horrible feature of the protocol.
    
90. #ascii_upload_enable=YES
    
91. #ascii_download_enable=YES
    
92. #
    
93. # You may fully customise the login banner string:
    
94. #ftpd_banner=Welcome to blah FTP service.
    
95. ftpd_banner=Welcome to  FTP service.
    
96. #
    
97. # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    
98. # useful for combatting certain DoS attacks.
    
99. #deny_email_enable=YES
    
100. # (default follows)
     
101. #banned_email_file=/etc/vsftpd.banned_emails
     
102. #
     
103. # You may specify an explicit list of local users to chroot() to their home
     
104. # directory. If chroot_local_user is YES, then this list becomes a list of
     
105. # users to NOT chroot().
     
106. #chroot_list_enable=YES
     
107. # (default follows)
     
108. #chroot_list_file=/etc/vsftpd.chroot_list
     
109. #
     
110. # You may activate the "-R" option to the builtin ls. This is disabled by
     
111. # default to avoid remote users being able to cause excessive I/O on large
     
112. # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
     
113. # the presence of the "-R" option, so there is a strong case for enabling it.
     
114. #ls_recurse_enable=YES
     
115. #
     
116. # When "listen" directive is enabled, vsftpd runs in standalone mode and
     
117. # listens on IPv4 sockets. This directive cannot be used in conjunction
     
118. # with the listen_ipv6 directive.
     
119. #listen=YES
     
120. listen=NO
     
121. 
     
122. #
     
123. # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
     
124. # sockets, you must run two copies of vsftpd whith two configuration files.
     
125. # Make sure, that one of the listen options is commented !!
     
126. #listen_ipv6=YES
     
127. 
     
128. chroot_local_user=YES
     
129. pam_service_name=ftp
     
130. user_config_dir=/etc/vsftpd_user_conf/local_user_config
     
131. max_clients=5
     
132. max_per_ip=5
     
133. [root@www ~]#
     

复制代码

xinetd下面的

1. [root@www ~]# cat /etc/xinetd.d/vsftpd
   
2. # default: on
   
3. # description:
   
4. #   The vsftpd FTP server serves FTP connections. It uses
   
5. #   normal, unencrypted usernames and passwords for authentication.
   
6. # vsftpd is designed to be secure.
   
7. service ftp
   
8. {
   
9.         socket_type             = stream
   
10.         wait                    = no
    
11.         user                    = root
    
12.         server                  = /usr/local/sbin/vsftpd
    
13. #       server_args             =
    
14.         server_args             =/etc/vsftpd.conf
    
15. #       log_on_success          += DURATION USERID
    
16.        log_on_success          += DURATION USERID
    
17. #       log_on_failure          += USERID
    
18.         nice                    = 10
    
19.         disable                 = no
    
20.         port                    = 21
    
21. }
    
22. 
    
23. [root@www ~]#

复制代码

用CUTEFTP登录时显示卡在下面这个地方。

1. 状态:>          [2009-3-1 17:06:12] Socket 已连接。正在等候欢迎消息...
   
2.                 [2009-3-1 17:06:42] 220 Welcome to FTP service.
   
3. 状态:>          [2009-3-1 17:06:42] 已连接。正在验证...

复制代码

加了被动模式也还是这样，也添加了防火墙的端口。

[ 本帖最后由 wlacf 于 2009-3-4 13:15 编辑 ]

kenduest

1. log_on_success          += DURATION USERID

复制代码

拿掉 xinetd 配置內 USERID 該參數後測試看看.....

wlacf

没理由啊，真行了。厉害，万分感谢版主kenduest，感谢版主大大从一般平民到荣升版主之后一直以来对我的关怀！呵呵。

1. 状态:>          [2009-3-4 13:07:21] Socket 已连接。正在等候欢迎消息...
   
2.                 [2009-3-4 13:07:21] 220 Welcome to FTP service.
   
3. 状态:>          [2009-3-4 13:07:21] 已连接。正在验证...
   
4. 命令:>          [2009-3-4 13:07:21] USER downloadftp
   

复制代码

整个登录过程只用了5秒左右！

只是这是为什么呢？知其然，更想知其所以然。谢谢！

kns1024wh

xinetd下面的
log_on_success          += DURATION USERID参数的含义要清楚，在『成功登入』之后，需要记录的项目：PID为纪录该 server 启动时候的 process ID ，HOST 为远端主机的 IP、USERID 为登入者的帐号、EXTI 为离开的时候记录的项目、DURATION 为该使用者使用此服务多久
当然消耗时间

kenduest

主要是使用 USERID 的參數問題

這個 server 會連到 client 的 port 113 進行 auth ident 查詢動作，詢問對方是那個 id 連到 server 的。

早期許多 unix 系統會開 auth ident daemon 提供連線查詢，不過目前 client 不一定都是 unix/linux 系統，甚至可能是 windows，所以更別說有執行 ident daemon 提供連結存取。而目前許多 client 都用 firewall 禁止連結存取，所以當然就會卡在連線的問題需要等 timeout 後才會放棄。

所以您的問題就是這樣來的....

有興趣建議研究一下 port 113 該 ident dameon 等用途。

wlacf

非常感谢！看来真得要好好看看USERID的资料才行了。不然真对不起kenduest版主凌晨四点还爬起来回贴的热心帮助了。

结贴了

加油

qtdszws

最近也碰到这个问题，ftp老是要等好长时间才能连上，经过看源码和调试，才查出是这个搞鬼.

bobobian

学习！