1. Basic information

vsftpd
Official website: http://vsftpd.beasts.org/
Author: Chris Evans
Latest version: vsftpd-2.0.3 (the version shipped with FC3 is vsftpd-2.0.1-5, which is fairly recent :P)
FAQ: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-1.2.2/FAQ and ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/FAQ
Online documentation / source code: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/

vsftpd is a GPL-licensed FTP server for Unix-like systems, Linux included. Compared with other FTP servers it does well on security, reliability and speed. Well-known sites running it include ftp.redhat.com, ftp.openbsd.org (chosen mainly for its speed requirements) and ftp.suse.com.

Typical features of vsftpd:
· Virtual IP configuration
· Virtual users
· Standalone or inetd operation
· Powerful per-user configurability
· Bandwidth throttling
· Per-source-IP configurability
· Per-source-IP limits
· IPv6
· Integrated SSL encryption

If you want an FTP server that puts security, high performance and reliability first, vsftpd is the right choice. In fact vsftpd suits most deployments; if it lacks some feature you need, that feature is usually available from an external component such as PAM, xinetd or tcp_wrappers. In this respect vsftpd follows the Unix idea of small, composable components. Migrating to vsftpd may mean giving up some exotic and superfluous features of whatever server you run now, but that trade is well worth making. The SAC team, IBM and Red Hat all recommend vsftpd; if you do not believe me, ask yourself why they would. And do you know where the name comes from? It stands for Very Secure FTP Daemon; you can read its character off its name, though of course a name alone is not proof.
2. Downloading and installing vsftpd

OK, suppose you have taken the words above on faith and are about to fetch a vsftpd RPM from the official website... Actually, the Fedora Core 3 installation discs already carry a vsftpd RPM, so it takes no more time than finding the disc. Of course, if vsftpd was already installed when you installed the system, this is all a little moot. Checking is easy; run:

[root@mmpire ~]# rpm -qa | grep vsftpd

If vsftpd is installed the version string is printed, otherwise nothing is.
Two sites worth recommending for vsftpd installation and configuration: http://www.vsftpdrocks.org/ (if your English is up to it, go straight there and save yourself some time), and a page written in Taiwan that is a bit older but still useful: http://linux.vbird.org/linux_server/0410vsftpd.php. Enough chatter, let's install.

vsftpd can be installed in three ways:
√ From source
√ From the FreeBSD package
√ From an RPM

Because the RPM is on the FC3 installation disc, can just as easily be fetched from the official site, and above all because an RPM is trivial to install, I chose the third method.

1. Download vsftpd. Sites providing the RPM package:
Official website: ftp://vsftpd.beasts.org/users/cevans/
Red Hat's RPM collection: http://rhn.redhat.com/
rpmfind.net: http://www.rpmfind.net/

2. Install vsftpd:
[root@mmpire ~]# rpm -ivh vsftpd-2.0.1-5.i386.rpm

If the RPM comes from a mirror rather than the installation disc, check its signature first (rpm --checksig vsftpd-2.0.1-5.i386.rpm); a daemon that is started as root is not something to install from an unverified download.
3. Optional detour (you can skip this): for this installation I used the RPM on the FC3 disc, and to save copying the RPM off the server I mounted the server's ISO image directly over NFS (amusingly, the server side is itself running vsftpd).

Create two directories under root's home, named arbitrarily TMP and ISOTMP, to hold the FTP server's export and the ISO:

[root@mmpire ~]# mount -t nfs 202.118.239.46:/ftp /root/TMP

Then enter the TMP directory, go to ISO/FC3 and loop-mount the image:

[root@mmpire ~]# mount -o loop FC3-i386-DVD.iso /root/ISOTMP

Enter /root/ISOTMP, find the vsftpd RPM and install it:

[root@mmpire ~]# rpm -ivh vsftpd-2.0.1-5.i386.rpm
3. Running vsftpd

Installation is done; now it has to run. Starting it is trivial; the real skill in running an FTP server is tuning its configuration file so that the server is as efficient, secure and stable as it can be.
Before running it, understand the two modes a daemon can run in: standalone and (x)inetd. vsftpd supports both: standalone, and inetd (inetd or xinetd). Briefly, in standalone mode the server is started once and stays resident in memory for as long as it runs; the advantage is that it answers connections quickly, the disadvantage is that it permanently ties up some system resources, so it suits busy, professional FTP servers that need fast response. inetd mode is the opposite: the FTP process is only spawned when a request arrives, so it suits systems that do not get many simultaneous connections. Early versions of vsftpd recommended xinetd mode, because it made it easy for large servers to limit connections from a single IP, but since version 1.1.3 the author recommends standalone mode, for two reasons:
→ xinetd mode is not stable enough: many sites have reported that it sometimes miscounts connections and refuses legitimate ones.
→ Standalone mode has been extended: it counts connections per IP itself, it can control access by integrating tcp_wrappers, and it even supports per-IP configuration.
1. Here I run vsftpd in standalone mode. The steps:

(1) Open the configuration file vsftpd.conf and switch to standalone mode:
[root@mmpire ~]# vi /etc/vsftpd/vsftpd.conf
Find the line listen=YES; by default it is commented out, so remove the comment character. If the line is not there, add it. The option name is lowercase and there are no spaces around the equals sign; vsftpd refuses to start on a line such as Listen = yes.
(2) Start the FTP server:
[root@mmpire ~]# /usr/sbin/vsftpd &

(Starting the binary by hand like this is fine for a quick test. vsftpd must be started as root, and the FC3 RPM installs an init script, so for normal use prefer service vsftpd start and chkconfig vsftpd on, which also restart it cleanly after configuration changes.)

Then try to log in:

[root@mmpire ~]# ftp localhost
Connected to mmpire.
220 Welcome to mmpire FTP service.:P:P:P
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,220,137)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Oct 04  2004 pub
drwxr-xr-x    2 0        0            4096 Apr 02 10:43 sadf
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@mmpire ~]#

If you get output like this, your vsftpd installation works. (The two 530 lines appear because the Kerberos-aware ftp client tries AUTH before sending USER and vsftpd refuses; they are harmless.)
2. If you want xinetd mode instead, I will give only one link: http://www.vsftpdrocks.org/rpm/ . You may not have noticed this sentence there, so make your choice accordingly: "I recommend running vsftpd in standalone mode."

4. Configuring vsftpd

This is where it gets serious: the real capability of the server depends on its configuration. I do not dare to claim completeness; what follows is the basic content of the configuration file plus a few configuration examples recommended by the software author.

Before going into the configuration file, a word about local users. Local users are all users other than the anonymous user, that is, accounts whose information (username and password) is kept on the server. Under /etc on FC3 there are two files, /etc/vsftpd.ftpusers and /etc/vsftpd.user_list, each containing a list of usernames. What are they for?
→ vsftpd.ftpusers: the FTP blacklist; users on this list cannot log in. It is enforced by PAM (a pam_listfile line in /etc/pam.d/vsftpd), not by vsftpd itself, which is why it applies only to local users and why the refusal comes after the password has already been sent.
→ vsftpd.user_list: its meaning depends on userlist_deny in vsftpd.conf. If userlist_deny=YES (which is also the default when the line is absent or commented out), the list is another blacklist and the users on it cannot log in. If userlist_deny=NO, the list is a whitelist: only the users on it can log in and everyone else is refused (whether the anonymous user is exempt should be checked on your version; if anonymous logins stop working after you switch to a whitelist, add anonymous to the list). In both cases vsftpd checks the list as soon as the USER command arrives, before asking for a password, which is the safer place to refuse, since FTP passwords travel in clear text. The list only has any effect if userlist_enable=YES.
Note: when the second list is a whitelist, consider a user whose name is on both lists. The result is simple: like a BBS account whose permissions cancel each other out, the user cannot log in, because the ftpusers check still refuses them.

1. The configuration file vsftpd.conf is usually in /etc/vsftpd/, or possibly directly under /etc. It has many entries, each with a detailed English comment. If the English is a problem you can find translations online; here is my own understanding:
Example configuration file /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
The compiled-in defaults are quite strict; this sample file relaxes them somewhat just so that FTP works at all, which means you will need to add restrictions of your own to meet your security, performance and stability requirements. Every compiled-in default is documented in vsftpd.conf.5.

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
Note: this sample file does not contain every vsftpd option. If needed, consult the vsftpd.conf.5 manual page, available at ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/vsftpd.conf.5

# Allow anonymous FTP?
anonymous_enable=YES
Allow anonymous access: YES. Note: commenting this line out is also equivalent to allowing anonymous access, because the compiled-in default is YES; to forbid it you must write anonymous_enable=NO explicitly. Note on syntax: the value may be written YES, yes or Yes (vsftpd compares boolean values case-insensitively), but the option name must be lowercase and there must be no spaces on either side of the equals sign, otherwise vsftpd refuses to start. Wrong usage: anonymous_enable = YES (spaces are not allowed).

# Uncomment this to allow local users to log in.
local_enable=YES
Allow local users to log in: YES; to forbid, set NO or comment the line out (the default is NO). Note: "local user" means an account whose information (username and password) is kept on the system, i.e. every user other than the anonymous user.

# Uncomment this to enable any form of FTP write command.
write_enable=YES
Enable write operations: YES. Note that this is a global switch for all users: if it is NO or commented out (the default is NO), no user at all can write.
Note 1: setting this to YES does not by itself let every user write; each class of user has its own settings. But if it is NO here, nothing you set elsewhere matters: nobody can write.
Note 2: write operations include uploading, modifying, deleting, creating directories and so on.
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
The default umask for local users is 077; here it is set to 022, the value most FTP servers use. A lot could be written about umask; briefly: umask roughly means user mask, and every user logged in to the server has one. It decides the default permissions of the directories and files that user creates. For instance, if user mmpire has umask 022, the directories and files he creates get permissions 755 and 644 respectively (directories and files are treated differently). The conversion rule is simple; apply the following table one octal digit at a time:

umask digit   file permission digit   directory permission digit
0             6                       7
1             6                       6
2             4                       5
3             4                       4
4             2                       3
5             2                       2
6             0                       1
7             0                       0

In other words, each file digit is 6 with the mask digit's bits cleared and each directory digit is 7 with the mask digit's bits cleared; a mask bit of 1 has no effect on files because files are never created executable. Linux itself has a umask too; check it with the umask command:

[root@mmpire vsftpd]# umask
0022
[root@mmpire vsftpd]# su mmpire
[mmpire@mmpire vsftpd]$ umask
0002

Note that root and mmpire have different umask values, so the default permissions of the directories and files they create differ; what yours is, only you can say.

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
Allow anonymous uploads: YES; to forbid, set NO or comment the line out. Note: this only takes effect if write_enable above is YES; otherwise nobody has write permission, anonymous users least of all. If you do enable it, keep anon_world_readable_only at its default of YES and leave anon_umask at its default of 077, so that files uploaded by one anonymous client (created mode 600) cannot be downloaded by the next one and the server does not become an anonymous file exchange.

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
Allow anonymous users to create directories: YES; to forbid, set NO or comment the line out.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
Show a message when the user enters a particular directory. To use it:
(1) set this value to YES as above, save vsftpd.conf and restart the FTP server;
(2) to give, say, the pub directory a message, put a file named .message in pub containing "Hi! Here is pub!";
(3) when a user logs in and changes into pub, the server displays "Hi! Here is pub!".

# Activate logging of uploads/downloads.
xferlog_enable=YES
Log uploads and downloads: YES. The log file location is set by the xferlog_file option below; the default is /var/log/vsftpd.log.

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
Make active-mode (PORT) data connections originate from port 20: YES. Note: an FTP server normally uses port 21 for commands and port 20 for data. Binding port 20 needs root, which is one reason vsftpd keeps a small privileged helper process after dropping privileges; with this set to NO it uses an unprivileged source port instead.

# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
These two options go together, and the second only matters when the first is YES. With chown_uploads=YES and chown_username=root, every file uploaded by an anonymous user would be handed to root; files uploaded by local users are not affected. Take the warning seriously: the ftp system account created by the RPM (the account anonymous logins are mapped to, with /var/ftp as its home) is a locked account with no usable password, and giving its uploads to root invites trouble. If you use this, name a dedicated unprivileged account as chown_username.

# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
This is the location of the log file, which records all user activity. Note: as far as I can see it only records local users; anonymous users do not appear in it.

# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
Set to YES if you need the standard wu-ftpd xferlog format, which records transfers only. vsftpd's own format, used when this is NO, also records connections and logins and, with log_ftp_protocol=YES, every FTP command, which is more useful when investigating an incident.
# You may change the default value for timing out an idle session.
idle_session_timeout=60
Disconnect a user who has been inactive for 60 seconds (the compiled-in default is 300). Note: activity includes uploading, downloading, operating on files, changing directory and so on.

# You may change the default value for timing out a data connection.
data_connection_timeout=120
Drop a data connection that has stalled for more than 120 seconds (the default is 300). Note: this differs from the timeout above. That one fires when the user does nothing at all; this one fires while the user is uploading or downloading and the data connection stalls, typically because of network trouble, at which point the server closes it.
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
It is best to create a separate, unprivileged account for the FTP server's unprivileged work; it keeps the system safer, because a compromise of the server then does not compromise the whole system. vsftpd itself still has to be started as root (to bind ports 21 and 20 and to chroot); nopriv_user only names the account its unprivileged helper switches to, and the default is nobody. I tried changing this option without success: after creating the user mmpire on the system I could not start the FTP server as mmpire, which may be because I installed vsftpd as root.

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
Enable support for the "async ABOR" that old FTP clients send. I do not know the exact meaning of this command; it seems to be an asynchronous abort request. The software author does not recommend YES because the code that handles it is non-trivial and may bring security problems, but leaving it off may confuse users on old FTP clients; weigh it yourself. (Protocol background: an async ABOR is an abort sent as TCP urgent data on the control connection while a transfer is in progress, which is why it needs special parsing.)

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
These two values control ASCII-mode uploads and downloads. ASCII mode is off by default because it makes the server easy to attack: answering SIZE for a large file in ASCII mode means reading the whole file to count line endings. Enabling ASCII uploads only, without ASCII downloads, is the safer compromise.
Note 1: files transferred by FTP fall into two classes, text (ASCII) and binary. A text file consists of characters defined by ASCII and can be displayed and edited; every other file format is binary.
Text file formats differ somewhat between operating systems, for instance the newline in Linux differs from Windows, so when FTP transfers a file in ASCII mode it may convert the format automatically, while binary files are transferred unchanged. Transferring a text file in binary mode therefore does no harm: nothing is substituted and the content is still correct (7-bit ASCII is universal), and an editor such as UltraEdit converts line endings on its own. But never transfer a binary file in ASCII mode: binary files are often executables, and the slightest change to their content makes them unusable. By default vsftpd appears to accept the client's request for ASCII mode but actually ignores it and still transfers in binary, which, as explained, does not break text files beyond a minor line-ending nuisance.
Note 2: on DoS attacks, see the China IT Certification Laboratory: http://www.chinaitlab.com/www/special/ciwddos.asp

# You may fully customise the login banner string:
ftpd_banner=Welcome to mmpire FTP service.:P:P:P
Set the welcome text of your FTP server here; use your imagination and draw with characters. (From a hardening point of view the banner is also where you stop advertising the software version: the default banner "(vsFTPd 2.0.1)" tells every scanner exactly what you run.)

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
This enables a list of forbidden e-mail addresses, which according to the author helps against certain DoS attacks. When an anonymous user logs in they are asked to give their e-mail address as the password, and if the address given is on this list the server refuses the connection.
Note 1: if this is YES, banned_email_file below must point to a file containing all the banned addresses.
Note 2: I do not know how vsftpd implements this check; according to my tests, although anonymous users are supposedly required to give their e-mail address as the password, any password is accepted as long as the login itself is not refused.
Note 3: wu-ftpd and Serv-U can check whether the password an anonymous user enters looks like a mail address, i.e. whether it contains an @ character. The more advanced vsftpd should support this too; I will add it when I find out, and if you know, please tell me: mmpire@gmail.com
(What vsftpd actually does is simpler than a format check: the anonymous password is compared, as a whole line, against the entries of banned_email_file, and nothing else about it is validated, which is why any string works. Since this "password" is never authenticated, the list is a nuisance filter, not access control.)

# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
This option is only meaningful when the one above is YES; it names the file listing banned e-mail addresses. If the password an anonymous user enters appears in this file, the server refuses the login.
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
These two options work together with chroot_local_user:
(1) with chroot_local_user=NO, the users named in /etc/vsftpd.chroot_list are confined to their own directory and cannot see anything outside it; a local user's directory is normally /home/username/;
(2) with chroot_local_user=YES, every local user is confined except those named in /etc/vsftpd.chroot_list.
Note: anonymous users are always confined to /var/ftp/ regardless of these settings.
Note: vsftpd.chroot_list does not exist by default; create it and add usernames one per line.
Note: vsftpd confines the user by calling the chroot() system call, as root, before dropping privileges, rather than by filtering paths in its own code, which is what makes the confinement robust. It is still not a full sandbox: a chroot whose root directory is writable by the confined user is a known escape hazard (later vsftpd releases, from 2.3.5 on, refuse to run in that configuration), so keep the user's home owned by root and give the user a writable subdirectory instead.

# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
Let users list directories recursively. Note: this is convenient; with ls -R a user sees the files and subdirectories of the current directory together with the files and subdirectories of each subdirectory, and so on down. Obviously on a big FTP server this can take a long time and a lot of resources, so it is only recommended on small servers.

pam_service_name=vsftpd
Names the PAM service configuration used for authentication: the file /etc/pam.d/vsftpd.
Note: PAM is an authentication framework originally proposed by Sun and widely used on Unix-like systems; it can authenticate users of telnet, login, FTP and other services. For details see: http://blog.chinaunix.net/Article.php?ArticleID=12239&blogid=60

#userlist_enable=YES
This option is tied to userlist_deny and userlist_file; the relationship looks complicated but is simple:
(1) userlist_file names a file containing usernames, one per line (the default is /etc/vsftpd.user_list);
(2) if userlist_enable=NO or the line is commented out, the other two have no effect;
(3) otherwise userlist_deny is consulted: if it is YES (the default), the file is a blacklist; if it is NO, the file is a whitelist, and usernames not in the file cannot log in.
Note: this applies to local users, and the check is made when the USER command arrives, before any password is sent.

# Enable for standalone mode
listen=YES
Set to YES for standalone mode; the two modes were discussed above and are not repeated here.

#tcp_wrappers=YES
tcp_wrappers (libwrap) is a host-based access control library: it grants or refuses a connection according to the client address, using the rules in /etc/hosts.allow and /etc/hosts.deny, and can log the request. Traditionally it wraps services launched by inetd (tcpd in /etc/inetd.conf), but I do not recommend running the FTP server from inetd. Note: newer vsftpd versions consult tcp_wrappers directly in standalone mode when this option is YES; see "Configuration for a single IP" below.

2. Recommended configuration examples
(1) vsftpd.conf for an Internet site in standalone mode:

# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

This is the author's own EXAMPLE/INTERNET_SITE configuration: read-only anonymous access only, no local accounts, recursive ls and ASCII downloads off, the passive port range pinned to 50000-60000 so a firewall can allow it, and hide_ids so that listings show "ftp" instead of real uid/gid values. The one setting that contradicts the warning in the sample file is async_abor_enable=YES; drop that line (the default is NO) unless you must support old clients. one_process_model=YES trades vsftpd's privilege-separated process model for speed and is only accepted for anonymous-only servers; do not copy it onto a server with local_enable=YES.
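To make the rules from the configuration walkthrough and from the ftpusers/user_list discussion above concrete, here is an added example (my own code, not from the original page or from the vsftpd project) that re-implements the small piece of vsftpd behaviour those rules depend on and checks a constructed config against it. Everything it reads is written to a temporary directory in place of /etc/vsftpd/vsftpd.conf, /etc/vsftpd.user_list and /etc/vsftpd.ftpusers; the usernames alice, bob, carol and dave are made up, and the defaults are those of vsftpd 2.0.x.

```shell
#!/bin/sh
# Added example; not code from the original page or the vsftpd project. It
# re-implements the vsftpd behaviour the walkthrough and the ftpusers/user_list
# discussion above turn on: key=value lines split at the first '=' with nothing
# trimmed (so "write_enable = YES" and "Listen=YES" are unknown variables),
# case-insensitive boolean values, compiled-in defaults for commented-out
# options, and the two stages at which a local login can be refused.
# Assumptions: vsftpd 2.0.x defaults; paths are constructed under a temporary
# directory in place of /etc/vsftpd/vsftpd.conf, /etc/vsftpd.user_list and
# /etc/vsftpd.ftpusers; usernames are made up.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CONF=$WORK/vsftpd.conf; FTPUSERS=$WORK/ftpusers   # ftpusers = the PAM deny list
# Constructed lists: bob only in ftpusers, alice only in user_list, carol in both.
printf 'root\nbob\ncarol\n' > "$FTPUSERS"
printf 'alice\ncarol\n' > "$WORK/user_list"
# Constructed config: anonymous_enable is only commented out (default YES stays);
# user_list is a whitelist because userlist_deny=NO.
cat > "$CONF" <<EOF
# anonymous_enable=NO
local_enable=YES
write_enable=yes
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=$WORK/user_list
EOF
# Constructed broken config: two lines vsftpd refuses to start with.
printf 'write_enable = YES\nListen=YES\n' > "$WORK/bad.conf"

# Compiled-in defaults (vsftpd 2.0.x) of the options used on this page.
default_of() {
  case "$1" in
    anonymous_enable|userlist_deny) echo YES ;;
    userlist_file) echo /etc/vsftpd.user_list ;;
    *) echo NO ;;   # the other *_enable options, chroot_local_user, listen
  esac
}

# conf_lint FILE: print each line vsftpd would reject; return 1 if there are any.
conf_lint() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in
      *=*) case "${line%%=*}" in       # the key exactly as vsftpd sees it
             *[!_abcdefghijklmnopqrstuvwxyz0123456789]*)
               echo "unrecognised variable: $line"; rc=1 ;;
           esac ;;
      *) echo "missing '=': $line"; rc=1 ;;
    esac
  done < "$1"
  return "$rc"
}

# conf_get FILE KEY: last value assigned to KEY; empty if absent or commented out.
conf_get() {
  val=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    [ "${line%%=*}" = "$2" ] && val=${line#*=}
  done < "$1"
  printf '%s\n' "$val"
}

# bool_norm VALUE: vsftpd upper-cases booleans before comparing, so
# yes/Yes/true/1 are YES; anything else is a fatal "bad bool value".
bool_norm() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    YES|TRUE|1) echo YES ;;
    NO|FALSE|0) echo NO ;;
    *) return 1 ;;
  esac
}

# effective KEY: what the running server uses (configured value or default).
effective() {
  v=$(conf_get "$CONF" "$1")
  [ -n "$v" ] || v=$(default_of "$1")
  case "$1" in
    *_enable|*_deny|listen|chroot_local_user)
      v=$(bool_norm "$v") || { echo "bad bool value for $1" >&2; return 1; } ;;
  esac
  printf '%s\n' "$v"
}

# login_stage USER: userlist-deny (refused at USER, before a password is sent),
# pam-deny (in ftpusers, refused by pam_listfile after PASS) or allowed.
login_stage() {
  if [ "$(effective userlist_enable)" = YES ]; then
    listed=NO
    grep -qxF -- "$1" "$(effective userlist_file)" && listed=YES
    # listed with deny=YES is a blacklist hit; unlisted with deny=NO a whitelist miss
    [ "$listed" = "$(effective userlist_deny)" ] && { echo userlist-deny; return 0; }
  fi
  grep -qxF -- "$1" "$FTPUSERS" && { echo pam-deny; return 0; }
  echo allowed
}

conf_lint "$WORK/bad.conf" || true
echo "anonymous_enable in effect: $(effective anonymous_enable)"
for u in alice bob carol dave; do echo "$u: $(login_stage "$u")"; done
```

Run as a plain script it reports the two lines of bad.conf that vsftpd would refuse, shows that anonymous_enable is still YES although the only mention of it is commented out, and prints alice: allowed, bob: userlist-deny, carol: pam-deny, dave: userlist-deny. The point of the two different deny stages is the one the vsftpd manual makes: a name that user_list refuses never gets to send a password, whereas a name that only ftpusers refuses has already sent its clear-text password before PAM rejects it.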
(2) Configuration for a single IP:
Setup procedure:
1. Add tcp_wrappers=YES to vsftpd.conf.
2. Restart the FTP server; the per-IP configuration feature is now actually active. Try it.
3. Add this line to /etc/hosts.allow:
vsftpd: 173.26.100.36: deny
That is MSMouse's IP address, heh, so he cannot get on the FTP server.
4. This does not yet use the full power of per-IP configuration; add the following too:
vsftpd: 173.26.100.31: setenv VSFTPD_LOAD_CONF /etc/vsftpd_mmpire.conf
It means: for connections from 173.26.100.31, load a specific configuration file, here /etc/vsftpd_mmpire.conf, on top of the normal vsftpd.conf, so that any option it sets overrides the main file for that client only. Can you foresee what this is good for?
Note: it is tcp_wrappers doing the filtering here. When a client connects, the server first consults tcp_wrappers, which can apply a client-specific configuration according to the address; the rules live in /etc/hosts.allow (and /etc/hosts.deny), and it is tcp_wrappers, not vsftpd, that interprets them. Two things bite in practice: the environment variable name must be exactly VSFTPD_LOAD_CONF, and hosts.allow is consulted before hosts.deny with the first matching line winning, so a broad "vsftpd: ALL" line placed above the deny line silently neutralises it. Since newer vsftpd versions support tcp_wrappers in standalone mode, xinetd mode has lost this advantage too.
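Because the rule order in hosts.allow and hosts.deny decides who gets in, it is worth checking the rules before relying on them. The following added example (my own code, not from the original page, from vsftpd or from tcp_wrappers) emulates how libwrap resolves a connection to the vsftpd daemon against the two rules from the procedure above plus a catch-all deny in hosts.deny. It handles only the subset of the hosts_access syntax used here (one daemon and one client pattern per line, exact IPs, dotted prefixes and ALL, and the options deny/allow/setenv VSFTPD_LOAD_CONF); the IPs and file names are the page's examples and the rule files are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example; not code from the original page, from vsftpd or from
# tcp_wrappers. Emulates libwrap's lookup for the "vsftpd" daemon so the
# hosts.allow rules above can be checked without a live server:
# hosts.allow is consulted first, then hosts.deny; within a file the first
# matching line wins; a line is "daemon : client [: option]"; a match in
# hosts.allow allows unless its option says deny; no match anywhere allows.
# Assumptions: one daemon and one client pattern per line (exact IP, dotted
# prefix such as "173.26.100." or ALL); only the options deny, allow and
# setenv VSFTPD_LOAD_CONF; rule files constructed under a temporary directory.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ALLOW=$WORK/hosts.allow   # stands in for /etc/hosts.allow
DENY=$WORK/hosts.deny     # stands in for /etc/hosts.deny
cat > "$ALLOW" <<'EOF'
# daemon : client : option
vsftpd: 173.26.100.36: deny
vsftpd: 173.26.100.31: setenv VSFTPD_LOAD_CONF /etc/vsftpd_mmpire.conf
sshd: ALL
EOF
cat > "$DENY" <<'EOF'
vsftpd: 173.26.100.
EOF

# trim: collapse leading, trailing and repeated whitespace of the arguments.
trim() { set -- $*; printf '%s' "$*"; }

# client_match PATTERN IP: ALL, a dotted prefix, or an exact address.
client_match() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# wrap_lookup FILE IP: print the option field of the first line matching the
# vsftpd daemon and IP ("-" if the line has none); return 1 if none matches.
wrap_lookup() {
  while IFS=: read -r d c o || [ -n "$d" ]; do
    d=$(trim "$d"); c=$(trim "$c"); o=$(trim "$o")
    case "$d" in ''|'#'*) continue ;; esac
    [ "$d" = vsftpd ] || [ "$d" = ALL ] || continue
    client_match "$c" "$2" || continue
    printf '%s\n' "${o:--}"
    return 0
  done < "$1"
  return 1
}

# wrap_decide IP: deny | allow | allow conf=<file>, the last meaning the named
# per-client config is loaded on top of vsftpd.conf for this connection.
wrap_decide() {
  if o=$(wrap_lookup "$ALLOW" "$1"); then
    case "$o" in
      deny|DENY) echo deny ;;
      "setenv VSFTPD_LOAD_CONF "*) echo "allow conf=${o#setenv VSFTPD_LOAD_CONF }" ;;
      *) echo allow ;;
    esac
  elif wrap_lookup "$DENY" "$1" >/dev/null; then
    echo deny
  else
    echo allow
  fi
}

for ip in 173.26.100.36 173.26.100.31 173.26.100.99 10.0.0.5; do
  echo "$ip -> $(wrap_decide "$ip")"
done
```

With these rules MSMouse's address is refused, 173.26.100.31 is admitted with /etc/vsftpd_mmpire.conf layered over the main configuration, the rest of 173.26.100.x is refused by hosts.deny, and every other address is admitted. The sshd line shows why the daemon field matters: it matches nothing for vsftpd, so it neither allows nor blocks FTP clients. On a real system the same questions can be asked of the real files with tcpdmatch from the tcp_wrappers package, and the emulation above only covers the syntax subset named in its header.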
There are several more configuration examples which I will not describe here; you can download them from:
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/example/
5. This is by no means a complete account of a useful FTP server; corrections of errors and omissions are welcome!