vsftp问题,已经严究了一天了,请高手支招

hljwxdn

原帖由 hiwoody 于 2008-7-11 10:40 发表
setup
一下然后把 20 21端口给开上去

不太明白你说的意思高手．　　请详细指教

acmilanwin

是不是selinux的原因

hljwxdn

不是那个东西没开

hljwxdn

看来这回是真没有人回答我了

hljwxdn

这是我的配制文件
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

#pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
#tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40080
pasv_promiscuous=YES


anonymous_enable=NO
local_enable=YES
write_enable=YES

listen_port=21

local_root=/var/ftp

pam_service_name=/etc/pam.d/vsftpd

guest_enable=YES
guest_username=virtual

virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf

chroot_local_user=YES
local_umask=033

hljwxdn

这是我的防火墙配制文件
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

cuci

sestatus看看selinux是否关掉了

hljwxdn

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Mode from config file:  error (Success)
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_syslog_to_console inactive
allow_ypbind            inactive
dhcpd_disable_trans     inactive
httpd_builtin_scripting active
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
pegasus_disable_trans   inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

zhoushile

应该考虑两个方面的问题
1、对于FTP虚拟用户的安全控制
2、SELinux

Dreamhat

这是关了？。。。。。。。。。。。。。