Setting up an FTP server on CentOS 7
1. Check whether vsftpd is installed
[root@ppl ~]# rpm -qa |grep vsftpd
vsftpd-3.0.2-22.el7.x86_64
[root@ppl ~]#
If it is not installed, install it from the yum repository:
yum install -y vsftpd
2. Uninstall
[root@ppl ~]# rpm -e vsftpd-3.0.2-22.el7.x86_64
warning: /etc/vsftpd/vsftpd.conf saved as /etc/vsftpd/vsftpd.conf.rpmsave
warning: /etc/vsftpd/user_list saved as /etc/vsftpd/user_list.rpmsave
[root@ppl ~]#
Find any remaining vsftpd files:
find / -name '*vsftpd*'
3. Configure
Go to vsftpd's configuration directory, which defaults to /etc/vsftpd/, and do the configuration there.
[root@ppl vsftpd]# pwd
/etc/vsftpd
[root@ppl vsftpd]# ll -h
total 24K
-rw-r--r--. 1 root root 9 Oct 30 06:50 chroot_list
-rw-------. 1 root root 125 Aug 3 2017 ftpusers
-rw-------. 1 root root 361 Aug 3 2017 user_list
-rw-------. 1 root root 5.0K Oct 30 06:50 vsftpd.conf
-rwxr--r--. 1 root root 338 Aug 3 2017 vsftpd_conf_migrate.sh
[root@ppl vsftpd]#
/etc/vsftpd/vsftpd.conf: vsftpd's main configuration file
/etc/vsftpd/ftpusers: users who are never allowed to log in to the FTP server (blacklist)
/etc/vsftpd/user_list: list of users allowed to use vsftpd (whitelist)
/etc/vsftpd/chroot_list: list of users subject to chroot control; decides whether the listed users can leave the FTP root directory
The full vsftpd.conf used here is as follows (vsftpd does not accept comments after a value on the same line, so every comment is on its own line):
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Anonymous access is switched off for safety.
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# Allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Allow write commands.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# umask applied to files uploaded by local users.
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# If YES, entering a directory displays the file named by message_file (default .message).
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# Enable transfer logging.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# Location of the FTP transfer log.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# Use the standard xferlog format.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# Idle time in seconds after which a client session is dropped.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# Timeout in seconds for a stalled data connection (uploads and downloads).
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
# chroot_list_enable=YES activates chroot_list_file (default /etc/vsftpd/chroot_list).
# With chroot_local_user=NO the users listed there are the ones that ARE chrooted
# (locked into the directory they land in after login); with chroot_local_user=YES
# the list is inverted and names the users that are NOT chrooted.
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
pam_service_name=vsftpd
# userlist_enable=YES activates userlist_file (default /etc/vsftpd/user_list).
# Whether the listed users are rejected or are the only ones accepted depends on
# userlist_deny (default YES: listed users are refused before they are asked for a password).
userlist_enable=YES
tcp_wrappers=YES
To begin with, make sure the following three settings are YES:
# change this back to NO later
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Once step 4 works without errors, refine the configuration:
# open the configuration file
vim /etc/vsftpd/vsftpd.conf
# show line numbers
:set number
# edit line 12
anonymous_enable=NO
# edit line 33
anon_mkdir_write_enable=YES
# edit line 48
chown_uploads=YES
# edit line 72
async_abor_enable=YES
# edit line 82
ascii_upload_enable=YES
# edit line 83
ascii_download_enable=YES
# edit line 86
ftpd_banner=Welcome to blah FTP service.
# edit line 100
chroot_local_user=YES
Append the following at the end of the file:
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
listen_port=21
idle_session_timeout=300
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd/vconf
data_connection_timeout=10
virtual_use_local_privs=YES
pasv_min_port=40000
pasv_max_port=40010
accept_timeout=15
connect_timeout=10
allow_writeable_chroot=YES
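Before restarting with a freshly edited vsftpd.conf it pays to lint it, because vsftpd parses every line literally: a trailing "#comment" after a value becomes part of the value and the daemon refuses to start. The script below is an added example (not code from the original post or from the vsftpd project). It reads a config on stdin, reports lines with trailing comments, and then flags the settings from this guide that widen exposure (anonymous uploads, a writable chroot root, local users outside chroot, no passive port range). SAMPLE_CONF is a constructed config that mirrors the guide's settings.

```shell
#!/bin/sh
# Added example: a small linter for vsftpd.conf. Pass the file on stdin.

# Print one finding per line; always exits 0 so it can be used in pipelines.
lint_vsftpd_conf() {
    awk '
    function val(k) { return (k in seen) ? seen[k] : "" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next            # blank or full-line comment: fine
        if (line ~ /#/) {                               # vsftpd keeps "#..." as part of the value
            printf "line %d: contains #, vsftpd has no trailing comments, value would include it: %s\n", NR, line
            sub(/[ \t]*#.*$/, "", line)                 # record what the author meant
        }
        if (line !~ /^[A-Za-z_]+=/) {
            printf "line %d: not a key=value directive: %s\n", NR, line
            next
        }
        eq = index(line, "=")
        key = substr(line, 1, eq - 1)
        seen[key] = substr(line, eq + 1)                # last occurrence wins, as in vsftpd
    }
    END {
        if (val("anonymous_enable") == "YES")
            print "anonymous_enable=YES: anonymous logins are accepted"
        if (val("anonymous_enable") == "YES" && val("anon_upload_enable") == "YES")
            print "anon_upload_enable=YES with anonymous logins: unauthenticated uploads possible"
        if (val("allow_writeable_chroot") == "YES")
            print "allow_writeable_chroot=YES: chroot root is writable, which vsftpd itself warns against"
        if (val("chroot_local_user") != "YES")
            print "chroot_local_user is not YES: local users can browse outside their home"
        if (val("pasv_min_port") == "" || val("pasv_max_port") == "")
            print "pasv_min_port/pasv_max_port unset: passive data ports are unbounded, firewall must open all high ports"
    }'
}

# Number of findings for a config passed as a string (used by the demo and the test).
count_findings() {
    printf '%s\n' "$1" | lint_vsftpd_conf | wc -l | tr -d ' '
}

# Constructed sample that mirrors the guide, including one inline comment.
SAMPLE_CONF='# constructed sample config
anonymous_enable=NO #off for safety
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=40000
pasv_max_port=40010'

printf '%s\n' "$SAMPLE_CONF" | lint_vsftpd_conf
```

On the server run it as `lint_vsftpd_conf < /etc/vsftpd/vsftpd.conf`; on the sample it reports the "#off for safety" line and the writable chroot root. Only the first class of finding is a hard error for vsftpd; the rest are review items, and allow_writeable_chroot=YES is something this guide deliberately sets because the virtual users' home directories are made writable.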
4. Start
Enable the service at boot:
systemctl enable vsftpd.service
Start the service and check its status. systemctl prints nothing when a start succeeds; a green "active" in the status output means the service is running.
systemctl start vsftpd.service
systemctl status vsftpd.service
systemctl stop vsftpd.service
Startup on CentOS 6
# enable at boot
chkconfig vsftpd on
# start
service vsftpd start
service vsftpd restart
======== Example ========
[root@localhost vsftpd]# chkconfig vsftpd on
[root@localhost vsftpd]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[root@localhost vsftpd]# service vsftpd status
vsftpd (pid 39872) 正在运行...
[root@localhost vsftpd]#
5. Create users
Create and edit the virtual user file:
vim /etc/vsftpd/virtusers
# line 1 is the user name, line 2 the password; root must not be used as a user name
leo
123456
Generate the user database (when adding further users, this command must be run again!!):
db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
# restrict the database file to root
chmod 600 /etc/vsftpd/virtusers.db
Set up the PAM service file so it authenticates against the virtual user database; edit /etc/pam.d/vsftpd
# back up first
cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak
vim /etc/pam.d/vsftpd
# comment out all existing auth and account lines in the file, then append:
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers
# on a 32-bit system use /lib instead of /lib64
Create the system user vsftpd with home directory /home/vsftpd
# set the login shell to /bin/false so the account cannot log in to the system
useradd vsftpd -d /home/vsftpd -s /bin/false
chown -R vsftpd:vsftpd /home/vsftpd
Create the per-user configuration files for the virtual users (several users can be added; each gets a directory under /home/vsftpd/):
mkdir /etc/vsftpd/vconf
cd /etc/vsftpd/vconf
# create the configuration file for virtual user leo
touch leo
===== Example =====
[root@localhost vsftpd]# mkdir /etc/vsftpd/vconf
[root@localhost vsftpd]# cd /etc/vsftpd/vconf
[root@localhost vconf]# ll -h
总用量 0
[root@localhost vconf]# pwd
/etc/vsftpd/vconf
[root@localhost vconf]# touch leo
[root@localhost vconf]# ll -h
总用量 0
-rw-r--r--. 1 root root 0 11月 10 09:22 leo
[root@localhost vconf]#
=======================
Continue:
# edit the configuration file for user leo as follows; other users are similar
vim leo
local_root=/home/vsftpd/leo/
write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# create leo's root directory
mkdir -p /home/vsftpd/leo/
chmod -R 777 /home/vsftpd/leo
When adding further users, always re-check and reset the permissions of /home/vsftpd/!!!
6. Firewall configuration
With firewalld:
firewall-cmd --zone=public --add-service=ftp --permanent
firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=40000-40010/tcp --permanent
Finally, reload the rules:
firewall-cmd --reload
Firewall configuration on CentOS 6
[root@localhost vconf]# chkconfig iptables on
[root@localhost vconf]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost vconf]# iptables -A INPUT -p tcp --dport 40000:40010 -j ACCEPT
[root@localhost vconf]# /etc/rc.d/init.d/iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定]
[root@localhost vconf]# /etc/init.d/iptables restart
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
iptables:应用防火墙规则: [确定]
[root@localhost vconf]#
Restart the vsftpd service:
systemctl restart vsftpd.service
# CentOS 6
service vsftpd restart
7. Adjust SELinux
Stop SELinux from restricting vsftpd:
setsebool -P ftpd_connect_all_unreserved 1
When transferring files you may find that both uploads and downloads fail with errors such as 500, 503 or 200. In that case, do the following:
# open the SELinux configuration file
vim /etc/selinux/config
# change the setting
# comment out
SELINUX=enforcing
# add
SELINUX=disabled
# a reboot is required after this change!
Check the SELinux state and turn it off
[root@ppl ftp]# sestatus -b | grep ftp
ftpd_anon_write off
ftpd_connect_all_unreserved off
ftpd_connect_db off
ftpd_full_access on
ftpd_use_cifs off
ftpd_use_fusefs off
ftpd_use_nfs off
ftpd_use_passive_mode off
httpd_can_connect_ftp off
httpd_enable_ftp_server off
tftp_anon_write off
tftp_home_dir on
[root@ppl ftp]#
8. Notes
Fixing vsftpd connection timeouts (passive mode)
CentOS 6 shows the following problem.
When connecting to vsftpd with FileZilla FTP Client without having configured a transfer mode (active or passive), the messages below appear. Setting the transfer mode to "active" by hand works around it, but because of client-side firewalls and similar factors that workaround does not always hold.
[T] 连接到 ftp://leo:***@110.137.111.134
[T] 连接到 110.137.111.134:21
[T] 220 Welcome to blah FTP service.
[T] USER leo
[T] 331 Please specify the password.
[T] PASS (隐藏)
[T] 230 Login successful.
[T] SYST
[T] 215 UNIX Type: L8
[T] TYPE A
[T] 200 Switching to ASCII mode.
[T] REST 1
[T] 350 Restart position accepted (1).
[T] REST 0
[T] 350 Restart position accepted (0).
[T] FEAT
[T] 211-Features:
[T] EPRT
[T] EPSV
[T] MDTM
[T] PASV
[T] REST STREAM
[T] SIZE
[T] TVFS
[T] UTF8
[T] 211 End
[T] OPTS UTF8 ON
[T] 200 Always in UTF8 mode.
[T] PWD
[T] 257 "/"
[T] TYPE I
[T] 200 Switching to Binary mode.
[T] PASV
[T] 227 Entering Passive Mode (110,137,111,134,156,72).
[T] 打开数据连接到主机: 110.137.111.134 端口: 40008
[T] REST 0
[T] 350 Restart position accepted (0).
[T] STOR ppl0111.png
[T] 150 Ok to send data.
[T] 226 Transfer complete.
[T] MDTM 20181027100512 ppl0111.png
[T] 213 File modification time set.
[i] ppl0111.png 283.8 k字节/0.08(s)/3,675.90KBps
[T] (用户断开FTP连接)
[i] 传输 1 个文件共 283.8 k 字节,使用0.08秒,速度3,675.90KBps
[T] ftp://leo:***@110.137.111.134 已断开
[1] PASV
[1] 227 Entering Passive Mode (110,137,111,134,156,66).
[1] 打开数据连接到主机: 110.137.111.134 端口: 40002
[1] LIST
Configuring passive mode on the server side fixes this at the root.
vi /etc/vsftpd/vsftpd.conf
# append the following at the bottom
# enable passive mode
pasv_enable=YES
# lowest port of the passive range
pasv_min_port=4000
# highest port of the passive range
pasv_max_port=5000
Load the kernel modules ip_conntrack_ftp and ip_nat_ftp (run in a terminal):
[root@localhost vsftpd]# modprobe ip_conntrack_ftp
[root@localhost vsftpd]# modprobe ip_nat_ftp
[root@localhost vsftpd]# service vsftpd restart
Open ports 4000 to 5000 in iptables
Edit /etc/sysconfig/iptables and add the following under *filter:
-A OUTPUT -p tcp --sport 4000:5000 -j ACCEPT
-A INPUT -p tcp --dport 4000:5000 -j ACCEPT
Load the iptables configuration:
iptables-restore < /etc/sysconfig/iptables
Restart vsftpd:
service vsftpd restart
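The FileZilla log above shows why the passive range and the firewall must agree: the server answers PASV with "227 Entering Passive Mode (110,137,111,134,156,72)", and the client derives the data port as 156*256+72 = 40008, which lies inside the 40000-40010 range opened in section 6. A port outside the opened range, or an advertised address that is not the one the client dialled (NAT without pasv_address), produces exactly the LIST/STOR hang described here. The following script is an added example, not code from the original post or from vsftpd; it decodes a 227 reply and checks it against the pasv_min_port/pasv_max_port values of a vsftpd.conf. SAMPLE_CONF is a constructed config using the guide's firewalld range, and the second reply is constructed to fall outside it.

```shell
#!/bin/sh
# Added example: check a PASV reply against the passive range in vsftpd.conf.

# Print the data port encoded in a 227 reply (p1*256+p2), or return 1 if there is no tuple.
pasv_port() {
    tuple=$(printf '%s' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    [ -n "$tuple" ] || return 1
    set -- $tuple
    echo $(( $1 * 256 + $2 ))
}

# Print the address advertised in the reply (h1.h2.h3.h4). If it differs from the address
# the client connected to, the server is behind NAT and needs pasv_address set.
pasv_addr() {
    printf '%s' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# Read the passive range from vsftpd.conf text on stdin; prints "min max" when both are set.
pasv_range() {
    awk -F= '/^pasv_min_port=/ {min=$2} /^pasv_max_port=/ {max=$2}
             END {if (min != "" && max != "") print min, max}'
}

# Check one reply against one config; prints a verdict and exits 0 only when the port is in range.
check_reply() {
    reply=$1; conf=$2
    port=$(pasv_port "$reply") || { echo "no PASV tuple in: $reply"; return 1; }
    set -- $(printf '%s\n' "$conf" | pasv_range)
    if [ $# -ne 2 ]; then
        echo "port $port: no pasv_min_port/pasv_max_port in config, firewall would have to open every high port"
        return 1
    fi
    if [ "$port" -ge "$1" ] && [ "$port" -le "$2" ]; then
        echo "port $port inside $1-$2: ok"
    else
        echo "port $port outside $1-$2: open it or align pasv_min_port/pasv_max_port with the firewall"
        return 1
    fi
}

# Constructed config using the range the guide opens in firewalld.
SAMPLE_CONF='pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40010'

# First the reply from the FileZilla log above, then a constructed reply that falls outside the range.
check_reply "227 Entering Passive Mode (110,137,111,134,156,72)." "$SAMPLE_CONF"
check_reply "227 Entering Passive Mode (110,137,111,134,19,136)." "$SAMPLE_CONF" || true
```

To check a live server, paste the 227 line from the client log into check_reply and feed it the real file with `pasv_range < /etc/vsftpd/vsftpd.conf`. Comparing pasv_addr's output with the address the client dialled catches the NAT case that a port check alone misses.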
Finally, as with ssh, vsftpd's configuration enables reverse DNS lookups by default, which can make logging in to the FTP server painfully slow; disabling reverse lookups in the configuration file fixes this.
Edit /etc/vsftpd/vsftpd.conf
and add:
reverse_lookup_enable=NO