0 About this document 1 vsftpd Brief 2 VSFTPD installation 2.1 RHL9 VSFTPD-1.1.3-8.I386.RPM package installation 2.2 vsftpd-1.2.0.tar.gz installation 3 VSFTPD file structure 4 vsftpd startup Settings with stop 5 VSFTPD 5.1 Connection options 5.1.1 Listening address and control port 5.1.2 FTP mode 5.2 Performance and Load Control 5.2.1 Timeout Option 5.2.2 Load Control 5.3 User Options 5.3 .1 Anonymous User 5.3.2 Local User 5.3.3 Virtual User 5.4 Security Measures 5.4.1 User Login Control 5.4.2 Directory Access Control 5.4.3 File Operation Control 5.4.4 Address Permissions Settings 5.5 Tips 5.6 Log Settings 5.7 Other Settings 6 VSFTPD Applications 6.1 Allow anonymous User Upload File 6.2 Restricting User At Home Directory 6.3 Configuring High Security Level Anonymous FTP Server 6.4 Based on IP Address Virtual FTP Server 6.5 Virtual User Configuration 6.5.1 VSFTPD Virtual User Description 6.5. 2 User creation and directory setting 6.5.3 Configuration file setting 6.5.3.1 Basic setting 6.5.3.2 Permissions Settings 6.5.3.3 Other Configuration of Virtual User 6.5.3.4 Virtual User Personal Directory Setting 6.5.4 Mysql Save Virtual User
-------------------------------------------
0, about this document
This document is a personal learning. Allow everyone to read, extracted, reference. More welcome to point out. The content of the document is mainly from vsftpd self documents, personal learning experience and network information. If there is a class, it is normal,:).
This document is based on Redhat Linux 9 and VSFTPD-1.1.3-8. If there are different versions, there is a special text description.
1, vsftpd brief description
If you ask which FTP server is the safest? Then in UNIX and Linux, the first pushed is VSFTP (Very Secure FTP Daemon, very secure FTP server). As the name suggests, the starting point of VSFTPD design is security. At the same time, with the continuous upgrade of the version, VSFTPD has also made great progress in performance and stability. Some large sites such as Redhat, SUSE, Debian, GNU, GNOME, KDE are VsFTPD as their FTP server. Everyone can go to http://vsftpd.beasts.org/ to understand its latest situation.
2, VSFTPD installation
2.1, rhl9 vsftpd-.1.1.3-8.i386.rpm package installation
The installation of VSFTPD is simple. In RHL9, "Main Menu" - "System Settings" - "Add / Remove Applications" - select FTP Server, or perform the following command in the character interface, or execute the following command in the character interface. RPM-IVH vSFTPD-1.1.3-8.i386.rpm
2.2, vsftpd-1.2.0.tar.gz installation
(1) Preparation conditions
"Nobody" users are required in the VSFTPD default configuration. Add this user in the system, if the user already exists, the userAdd command has the corresponding prompt. [Root @ hpe45 root] # UserAdd Nobody UserAdd: User NoBody Exists
The "/ usr / share / empty" directory is required in the VSFTPD default configuration. In the system this directory, if the directory already exists, the mkdir command has the corresponding prompt. [Root @ hpe45 root] # mkdir / usr / share / empty / mkdir: cannot Create Directory '/ usr / share / empty': File Existsvsftpd provides an anonymous FTP service, you need "FTP" users and a valid anonymous directory. [Root @ HPE45 root] # mkdir / var / ftp / [root @ hpe45 root] # UserAdd -d / var / ftp ftp Next action is useful for FTP users already exist. [Root @ hpe45 root] # chown root.root / var / ftp [root @ HPE45 root] # chmod og-w / var / ftp
(2) Compiling vsftpd
Download to the / root directory from the official site, do the following command: [root @ hpe45 root] # tar zxvf vsftpd-1.2.0.tar.gz [root @ hpe45 root] # cd vsftpd-1.2.0 [root @ HPE45 vsftpd- 1.2.0] # Make
(3) Installing the Compilation VSFTPD
Perform "make install" will compile the compiled binaries, the manual, etc. to the corresponding directory. On RHL9, you may need to manually perform the following copy: [Root @ hpe45 vsftpd-1.2.0] # cp vsftpd / usr / local / sbin / vsftpd [root @ HPE45 vsftpd-1.2.0] # cp vsftpd.conf.5 / USR / local / share / man / man5 [root @ hpe45 vsftpd-1.2.0] # cp vsftpd.8 / usr / local / share / man / man8 In addition, "make install" does not copy a simple configuration file, it is recommended to do the following Command: [root @ hpe45 vsftpd-1.2.0] # cp vsftpd.conf / etc / etc
⑷⑷ Set PAM for local users
If the local user is allowed to log in to VSFTPD, do the following: [Root @ HPE45 vSFTPD-1.2.0] # cp redhat / vsftpd.pam /etc/pam.dppp
3, VSFTPD file structure
The file structure of VSFTPD is very simple, mainly including: / usr / sbin / vsftpd --- vsftpd main program /etc/rc.d/init.d/vsftpd ---- Startup script / etc / vsftpd / vsftpd .conf ---- Main profile /etc/pam.d/vsftpd ---- PAM authentication file /etc/vsftpd.ftpusers ---- Disable users list files /etc/vsftpd.user_list in VSFTPD --- - Disable or allow users list file / var / ftp ---- Anonymous User Protory / VAR / FTP / PUB ---- Anonymous User Directory In addition, there are some documentation and manual files.
Also vsftpd log files are located in /etc/logrotate.d/vsftpd.log.
4, VSFTPD start and stop
VSFTPD can operate separately, such as HTTPD, NAMED, running mode, which is the default manner in RHL9 in RHL9; you can also run in Xinetd, which is the default mode in RHL7.x, 8. The specific operation mode is determined by the parameter Listen. From the RHL's VSFTPD, you can also see the progressive development of VSFTPD. When the Listen parameter value is YES, the default value in RHL9, VSFTPD runs separately, we can use script /etc/rc.d/init.d/vsftpd to start, close, and restart VSFTPD. The command is as follows: /etc/rc.d/init.d/vsftpd start | stop | restart
If you say on RHL9, you also want to use Xinetd to start the way the VSFTPD is running, then you must first change the ListentEn parameter value in the vsftpd.conf configuration file to NO. Secondly, to generate a /etc/xinetd.d/vsftpd file, as follows: service vsftpd {disable = no socket_type = stream wait = no user = root server = / usr / sbin / vsftpd port = 21 log_on_success = PID HOST DURATION log_on_failure = Host} Start or stop VSFTPD by modifying the disable value as NO or YES and restarting xinetd.
Since the individual mode of VSFTPD has sufficient ability, the applications discussed in later 6 are run in separate mode, not xinetd.
Note: You can also perform the VSFTPD directly to start the FTP service, use the "kill" command when turning off. [Root @ HPE45 root] # / usr / local / sbin / vsftpd &
5, VSFTPD setting options
VSFTPD profile /etc/vsftpd/vsftpd.conf is a text file. The row starting with the "#" character is a comment line. Each option is set to a row, the format is "option = value", pay attention to the "=" number and cannot leave a blank character. In addition to this primary configuration file, you can set a personal configuration file to a particular user, and the details are specified. The VSFTPD.conf file configured in the VSFTPD package is relatively simple, and very mad (document claims :-)). We can make some settings according to the actual situation to make VSFTPD more available.
5.1, connection options
This section is mainly some options related to establishing an FTP link.
5.1.1 Listening Address and Control Port
Listen_address = IP Address This parameter is valid in the STANDALONE mode in VSFTPD. This parameter defines which IP address on the host, which provides an FTP service on which IP address is available. This parameter is not required for hosts with only one IP address. For multiple access hosts, this parameter is not set, listen to all IP addresses. The default is nothing.
Listen_Port = port_value Specifies the port number (control port) of the FTP server listening, the default is 21. This option takes effect in Standalone mode.
5.1.2, FTP mode and data port
FTP is divided into two categories, Port FTP and PASV FTP, Port FTP is a general form of FTP. These two FTPs are the same when establishing a control connection, which is the control link to the client first and the FTP server (default 21), and transmits the transfer operation command through this link. Their difference is to use the way of data transfer ports (FTP-DATA). Port FTP specifies the port used by the FTP server, the default value of 20. The PASV FTP determines the port of the data transfer by the FTP client. PASV FTP This approach is mainly to consider communication with the server with the server (the client has a data transfer port), which determines the data transfer port between the two. For convenience. Port_enable = YES | No If you want to cancel the PORT mode when a data connection is canceled, set this option to NO. The default is YES.
ConnetC_From_Port_20 = YES | NO Control Whether to use 20 ports (FTP-DATA) when performing data transfer in Port mode. YES uses, NO is not used. The default is NO, but this parameter is set to YES in the vsftpd.conf file comes with RHL.
FTP_DATA_PORT = Port Number Sets the FTP Data Transfer Port (FTP-DATA) value. The default is 20. This parameter is used for Port FTP mode.
Port_promiscuous = yes | no default is NO. Cancel the Port security check when you are YES. This check ensures that the outgoing data can only be connected to the client. Carefully open this option.
PASV_ENABLE = YES | NO YES, allows data transfer to use PASV mode. NO, it is not allowed to use PASV mode. The default is YES.
PASV_MIN_PORT = Port Number PASV_MAX_PORT = Port Number Setting In PASV mode, establish a data transfer can use the lower bound and upper bound of the Port range, 0 represent any. The default is 0. Set the port range within a relatively high range, such as 50000-60000, will help improve security.
PASV_PROMISCUOSUS = YES | No This option is activated, the security check of the PASV mode will be turned off. This check ensures that the data connection and control connection are from the same IP address. Carefully open this option. The only reasonable usage of this option is to exist in an organization consisting of a secure tunnel scheme. The default is NO.
PASV_ADDRESS = This option is a digital IP address, which is a response to the PASV command. The default value is None, that is, the address is obtained from the incoming connection socket (Incoming Connectd Socket).
5.1.3 ASCII mode
By default, VSFTPD is prohibited from using ASCII transmission mode. Even if the FTP client uses the ASC command, specify the ASC command on the VSFTPD surface, and use binary mode when actually transferring files. The following option controls whether the VSFTPD uses the ASCII transfer mode.
ASCII_UPLOAD_ENABLE = YES | NO Control Whether to allow Upload files using ASCII mode, YES allows, NO is not allowed, default is NO.
ASCII_DOWNLOAD_ENABLE = YES | NO Control Allows download files using ASCII mode, YES allows, NO is not allowed, default is NO.
5.2, performance and load control
5.2.1, timeout option
iDle_session_timeout = Idle (in a daze) user session timeout, if it exceeds the transfer of data or instructions exceeds this time, it will force the line. The unit is second, the default is 300. Data_connection_timeout = timeout time of idle data connection. The default is 300 seconds.
Accept_timeout = NUMERICAL VALUE accepts the timeout setting for the establishment of an online unit in seconds. The default is 60.
Connect_timeout = Numeric Value The timeout setting of the data online response to the port mode, in seconds. The default is 60. The above two options for the client will automatically interrupt the connection after 1 minute, and automatically activate the connection after 1 minute.
5.2.2 Load Control
MAX_CLIENTS = Numeric Value This parameter is valid in the STANDALONE mode in VSFTPD. This parameter defines the maximum number of concurrent connections of the FTP server. When this connection is exceeded, the server rejects the client connection. The default is 0, indicating that the maximum number of connections is not limited. Max_per_ip = Numeric Value This parameter is valid in the STANDALONE mode in VSFTPD. This parameter defines the maximum number of concurrent connections per IP address. More than this number will refuse to connect. The settings for this option will affect multiple process download software like Internet Express. The default is 0, indicating that it is not limited.
Anon_max_rate = value Sets the maximum data transfer speed Value of anonymous users, in Bytes / S. By default.
Local_max_rate = value Sets the user's maximum data transfer speed Value, in Bytes / S. By default. This option takes effect on all users. In addition, this option can also be used in the user's personal profile to specify the maximum data transfer rate available to a particular user. The steps are as follows: 1 Specify the directory where the user personal profile is specified in vsftpd.conf, such as user_config_dir = / etc / vsftpd / userconf 2 Generate the / etc / vsftpd / userconf directory. 3 User Personal Profile is in this directory, files with the same name as a specific user, such as / etc / vsftpd / userconf / xiaowang 4 Set the local_max_rate parameter in the user's personal configuration file, such as: local_max_rate = 80000 above setting FTP User XIaowang's maximum data transfer speed is 80kBytes / s.
VSFTPD is about 80% to 120% for speed control. For example, we limit the maximum speed of 100kBytes / S, but the actual speed may be between 80kBytes / s to 120kBytes / s. Of course, if the line bandwidth is insufficient, the rate will naturally be lower than this limit.
5.3 User Options
VSFTPD users are divided into three categories: anonymous users, local users (LOCAL users), and virtual users (GUEST).
5.3.1, anonymous users
Anonymous_enable = yes | no control allows anonymous user to log in, YES allows, NO is not allowed, the default value is YES.
FTP_USERNAME = The system user name used by anonymous users. By default, this parameter does not appear in the configuration file, the value is FTP.
NO_ANON_PASSWORD = YES | NO Controls if you need a password when you log in, Yes does not need, NO needs. The default is NO. DENY_EMAIL_ENABLE = YES | NO This parameter default value is NO. When the value is YES, the anonymous user who is registered using the E-mail address listed in the file in the file. That is, when an anonymous user is logged in using the E-mail listed in the BANNED_EMAIL_FILE file, it is rejected. Obviously, this is valid for some DOS attacks. When this parameter takes effect, you need to add BANNED_EMAIL_FILE parameters banned_email_file = / etc / vsftpd.banned_emails Specify files that contain the rejected E-mail address, the default file is /etc/vsftpd. partned_emails.
Anon_root = Set the root directory of anonymous users, that is, after anonymous user logins, is positioned to this directory. There is no such thing in the main configuration file, the default value is / var / ftp /.
Anon_world_readable_only = yes | No control only allows anonymous users to download read documents. YES, only allows an anonymous user to download readable files. NO allows anonymous users to browse the file system of the entire server. The default is YES.
Anon_upload_enable = YES | NO Control Whether to allow anonymous users to upload files, YES allows, NO is not allowed, the default is no value, that is, NO. In addition to this parameter, anonymous users have to upload files, requiring two conditions: 1. Write_enable parameter is YES; II. On the file system, FTP anonymous users have write permissions to a directory.
Anon_mkdir_write_enable = YES | NO Control Whether to allow anonymous users to create a new directory, YES allows, NO is not allowed, the default is no value, that is, NO. Of course, on the file system, FTP anonymous users must have write permissions to the upper part of the new directory.
Anon_other_write_enable = yes | NO Control An anonymous user has other privileges except for uploading and creating a new directory, such as deletion, rename, and so on. YES has, no no, the default is NO.
Chown_uploads = YES | No modifies the ownership of the file uploaded by anonymous users. YES, the ownership of the file uploaded by anonymous users will be changed to another different user, and the user is specified by the chown_username parameter. This option defaults to NO.
Chown_username = Whoever Specifies users who have an anonymous user upload file ownership. This parameter is in connection with Chown_uploads. Root users are not recommended.
5.3.2, local users
In users using FTP services, in addition to an anonymous users, there is a user who has an account on the host of the FTP server. Such users are local users (Local users), which is equivalent to REAL users in other FTP servers.
Local_enable = YES | NO The user of the system where the VSFTPD is located can log in to VSFTPD. The default is YES.
Local_root = Defines the root directory of all local users. When local users log in, they will be replaced to this directory. The default is nothing.
User_config_dir = Defines the directory where the user's personal profile is located. The user's personal profile is the same name file in this directory. The format of a personal profile is the same as the vsftpd.conf format. For example, user_config_dir = / etc / vsftpd / userconf is defined, and there is user XIAowang, Lisi on the host, and we can add two files for xiaowang, Lisi in user_config_dir. When the user Lisi login, VSFTPD reads the set value in the file in the file in User_Config_Dir, and is applied to the user LISI. The default is nothing. 5.3.3, virtual users
Guest_enable = YES | No is started with this feature, all non-anonymous login people are treated as guest. The default is turned off.
Guest_username = Defines the username of the guest user of VSFTPD in the system. The default is FTP.
5.4, safety measures
5.4.1, user login control
PAM_SERVICE_NAME = VSFTPD indicates that the PAM configuration file name used when VSFTPD performs PAM authentication, the default value is VSFTPD, the default PAM configuration file is /etc/pam.d/vsftpd.
/etc/vsftpd.ftpusers vsftpd disables the user who lists the user in this file to log in to the FTP server. This mechanism is set by default in /etc/pam.d/vsftpd.
UserList_enable = YES | NO This option is activated, and VSFTPD reads the user list in the file specified by the userlist_file parameter. When the user in the list logs in to the FTP server, the user is disabled before prompting the password. That is, after the username is entered, VSFTPD finds the user name, and VSFTPD directly disables the user, and will no longer perform subsequent steps such as inquiry password. The default is NO.
UserList_file = / etc / vsftpd.user_list Indicates that the userList_enable option takes effect, and the file containing the user list is read. The default is /etc/vsftpd.user_list.
UserList_deny = yes | No Decide Prohibition or only allows users to log in to the FTP server in userList_file specified files. This option takes effect after the userlist_enable option is started. Yes, default, user login in the file, and no prompts for the input passwords to these users. NO, only allows users in the file to log in to the FTP server. TCP_WrapPERS = YES | NO Use the TCP_WrapPers remote access control mechanism in VSFTPD, the default value is YES.
5.4.2, directory access control
Chroot_list_enable = YES | No Locks some users in their own directory. That is, when these users are logged in, they cannot go to other directories of the system, and can only be under their own directory (and their subdirectory). The specific user is listed in the file specified by the chroot_list_file parameter. The default is NO.
Chroot_list_file = / etc / vsftpd / chroot_list points to the list file of the user locked in the own directory. The file format is a row of users. Usually the file is / etc / vsftpd / chroot_list. This option is not set by default.
Chroot_local_Users = YES | NO Locks local users in their own directory. When this is activated, the role of chroot_list_enable and chroot_local_users parameters will change, and the user in the file specified by chroot_list_file will not be locked in their own directory. After this parameter is activated, it may bring a secure conflict, especially when the user has uploaded, Shell Access, etc. Therefore, this parameter can only be opened if it is only understood. The default is NO. PASSWD_CHROOT_ENABLE When this option is activated, with the chroot_local_user option, the CHROOT () container location can be specified on the basis of each user. Each user's container is derived from the own directory field of each user in / etc / passwd. The default is NO.
5.4.3, file operation control
Hide_ids = yes | no hides the owner and group information of the file. YES, when the user uses instructions such as "ls -al", the owner and group information of all files in the directory list are displayed as FTP. The default is NO.
Ls_recurse_enable = yes | no yes, allowing the "LS -R" instruction to be used. This option has a small security risk because "LS -R" will consume a lot of system resources in a large FTP site. The default is NO.
Write_enable = YES | NO Control allows any of the FTPs that can modify the file system, such as Stor, Dele, RNFR, RNTO, MKD, RMD, APPE, and Site. The default is NO, but this option is opened in the coming simple configuration file.
Secure_chroot_dir = This option points to an empty directory, and FTP users have no write permissions for this directory. This directory will be restricted in this directory when VSFTPD does not need to access a file system. The default directory is / usr / share / empty.
5.4.4, new file permission setting
Anon_umask = UMASK value for anonymous user adds files. The default is 077.
FILE_OPEN_MODE = Permissions to upload files, the same value as CHMOD. If you want to upload the files can be executed, set this value to 0777. The default is 0666.
Local_umask = UMASK value when the local user added files. The default is 077. However, most of the other FTP servers use 022. If your user wants, you can modify it to 022. This item is set to 022 in the own configuration file.
5.5, prompt information
ftpd_banner = login banner string This parameter defines the login banner string. Users can modify themselves. The preset value is not. When the ftpd_banner is set, the original welcoming word will be replaced.
Banner_File = / Directory / vsftpd_banner_file This item specifies a text file that when the user logins, the content of this file is displayed, usually a welcome discourse or a description. The default is nothing. Compared to ftpd_banner, Banner_File is the form of a text file, while ftpd_banner is a string format. The banner_file option will replace the ftpd_banner option.
DirMessage_enable = YES | MO Control whether to enable the directory prompt information. YES is enabled, NO is not enabled, the default value is YES. After this feature is enabled, when the user enters a directory, check if the document specified in this directory is displayed. If there is, this document will appear, usually this file will place a welcome discourse, or Description of the directory. Message_file = This option is only active only in the DirMessage_enable option. The default is .Message.
5.6, log settings
Xferlog_enable = YES | NO Controls Do you enable a log file for detailed record upload and download. The log file is specified by the XFerLog_File option. The default is NO, but this option is activated in the simple profile.
XFerLog_File = This option sets the file name of the record transfer log. The default is /Var/log/vsftpd.log.
Xferlog_std_format = yes | no control log file uses XFerlog's standard format, just like WU-FTPD. Using the XFerlog format, you can reuse the existing transmission statistics generators. However, the default log format is more readable. This option is activated in the default value of NO, but this option is activated in the profile.
LOG_FTP_PROTOCOL = YES | NO When this option is activated, all FTP requests and responses are recorded in the log. When this option is provided, XferLog_STD_FORMAT cannot be activated. This option helps debugging. The default is NO.
5.7, other settings
SetPROCTITE_ENABLE = YES | NO YES, VSFTPD will display the status of each session (session) in the system process list. That is, the process report will display what each VSFTPD session is doing (hang, download, etc.), such as using PS-EF | GREP FTP. For security purposes, you can consider closing this option. NO, the process report only shows a vsftpd process in operation. The default is NO.
TEXT_USERDB_NAMES = YES | NO When the user logs in, the user and group information field of the directory list, the user's UID is the owner's UID, not the name of the file owner. This feature is turned on if you want the owner's name. The default is NO.
User_localtime = yes | No defaults to NO. YES, VSFTPD Displays the time when the directory list is used. The default is to display the GMT time. Similarly, the time value returned by the ftp command "MDTM" is also affected by this option.
Check_shell = yes | no This option takes effect only for VSFTPDs that do not use the PAM. When this option is turned off, VSFTPD does not check the / etc / shells file to find a valid user shell when logging in. Default is YES.
NOPRIV_USER = Specify a user when VSFTPD does not want any permissions, use this user identity. This user is preferably a dedicated user, not user Nobody. In most machines, Nobody users are used in a lot of important things. The default is Nobody.
PAM_SERVICE_NAME = Indicates that VSFTPD uses the PAM configuration file name when verifying the service with the PAM. The default is FTP.
6, VSFTPD application
This section describes the specific application methods of VSFTPD.
6.1, allow anonymous user upload files
Vsftpd.conf modify file or add the following options: write_enable = YES anon_world_readable_only = NO anon_upload_enable = YES anon_mkdir_write_enable = YES then created for anonymous users to upload files directory, and set permissions: # mkdir / var / ftp / incoming # chmod o w / var / ftp / incoming Due to an anonymous user (FTP) upload file, you need to operate the incoming directory, and INCOMING is all, anonymous users (FTP) are other users for incoming, so add other users (O The write authority.
6.2, restrict users in their own directory
In the default configuration, local users can switch to the directory other than their own directory for browsing, and upload and download within the permission range, which is undoubtedly an unsafe factor. We can set Chroot, allowing local users to log in to access their own directory, and cannot access other directories. The related options have three: chroot_local_user, chroot_list_enable, chroot_list_file. Limit users have two practices in their own directory: 1. Limit all local users in their own directory chroot_local_user = YES this approach, may cause some security conflicts. See the previous chroot_local_user option description. 2, restriction part of the local user in your own directory chroot_local_user = no chroot_list_enable = yes chroot_list_file = / etc / vsftpd.chroot_list to add the local username to be restricted in the /etc/vsftpd.chroot_list file. Pay attention to a username.
6.3, configure the anonymous FTP server of high security level
The simple profile comes with the vsftpd has claimed that it is paranoid. Here, see if it is more paranoid, :). Some options have used security settings by default, and it will not be written here.
# Only anonymous access is allowed, do not allow local users to access anonymous_enable = yes local_enable = no
# Use ftpd_banner to replace vsftpd default welcome words, leak-free information FTPD_BANNER = Welcome to this ftp server # only let the anonymous user browse readable files, can not browse the entire system Anon_World_Readable_only = YES # owner and group information of the file, The owner and group of the files seen by anonymous users have all changed to ftp hide_ids = yes
# 取 写 权 权 限 = = _
# Use a separate mode and specify the listening IP address listen_address = IP address # to control the connection, there is timeout, then, according to the specific situation. Connect_From_Port_20 = YES PASV_MIN_PORT = 50000 PASV_MAX_PORT = 60000 # Control and miss the number of concurrently, this is, which is determined according to the user. MAX_CLIENTS = Numeric value max_per_ip = numerical value # Limited download speed, how much is the specific limit, is determined by the user, 80kb / s, is also very fast. Anon_max_rate = 80000 # Enable detailed logging format Xferlog_enable = YES
6.4, virtual FTP server based on IP address
Assume that the server has two IP addresses, 192.168.0.1 and 192.168.0.2. VSFTPD is built on 192.168.0.1, now we provide a virtual FTP server on 192.168.0.2. How to use multiple IP addresses on one server, please refer to the relevant documentation.
1. Create the root directory of the virtual FTP server. MKDIR -P / VAR / FTP2 / PUB ensures that the owner and group of / var / ftp2 and / var / ftp2 / pub directory are root, the mask is 755.
2. Add an anonymous user account for the virtual FTP server. The original FTP server uses system user FTP as its anonymous user account. We have to add an FTP2 for virtual FTP servers. UserAdd -d / var / ftp2 -m ftp2
3. Create a configuration file for a virtual FTP server. Copy the original vsftpd.conf as the configuration file of the virtual FTP server and modify the relevant parameters. Cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd2.conf Add or modify the following parameters: listen = yes listen_address = 192.168.0.2 ftp_username = ftp2
Note: Because VSFTPD is listening to all IP addresses, when we set an IP-based virtual FTP server, in order to prevent the original FTP server and the virtual FTP server, the original FTP server needs to specify the IP address of the listener. Here, Listen_Address = 192.168.0.1 is set in the original profile.
4, start the virtual FTP server.
/etc/rc.d/init.d/vsftpd script At startup, scan all * .conf files in / etc / vsftpd / directory, follow the * .conf file, enable the vsftpd process in turn, each VSFTPD process corresponds A .conf file. That is, the order of the "LS / ETC / VSFTPD /" list is the same as the order in "ps -aux | grep vsftpd". Of course, "PS -AUX | GREP VSFTPD" also shows the configuration files used by VSFTPD, which can also see which FTP server corresponds to which of the VSFTPD processes. If the configuration file is not listed, it is the default vsftpd.conf, then the process is the original FTP server process. Since the configuration file of the virtual FTP server is named vsftpd2.conf file in step 3, we can start or close the original FTP server and the new virtual FTP server with the /etc/rc.d/init.d/vsftpd script simultaneously or closes the original FTP server and the new virtual FTP server. . The following command starts a virtual FTP server: / usr / sbin / vsftpd2.conf & Separate the virtual FTP server, use "PS -AUX | GREP VSFTPD" to detect the process number, then use the Kill instruction to kill the virtual FTP process. 6.5, the configuration of the virtual user
6.5.1 Virtual User Introduction to VSFTPD
The local user of VSFTPD itself is a system of users. In addition to logging in to the FTP server, you can also log in to the system to use other system resources, and VSFTPD virtual users are dedicated users of FTP services, virtual users can only access FTP server resources. It is very suitable for users or situations that only need to be read from the system through FTP, without requiring other system resources. VSFTPD virtual users use a separate username / password saving method, separated from the system account (passwd / shadow), which greatly enhances the system security. VSFTPD can use a database file to save the user / password, such as Hash; you can also save the user / password in the database server, such as MySQL, etc. VSFTPD verifies the virtual user, uses a PAM mode. Since the username / password of the virtual user is saved separately, VSFTPD needs to read the database file or database server with a system user to complete the verification, which is the guest user, which is like anonymous users. A system user FTP is the same. Of course, guest users can also be considered to be used to map virtual users. Configuring virtual users are divided into numbers: Guest users creation, user / password saving, PAM authentication configuration, vsftpd.conf file settings, etc. Specific configuration methods, refer to the following section. Note: In the following example, it is assumed that there is a virtual user xiaotong and xiaowang.
6.5.2 User Creation and Directory Settings
Add VSFTPDGUEST users to the system as the representative of the virtual user in the system.
UserAdd vsftpdguest
When the virtual user is logged in, the location is VSFTPDGUEST home directory / home / vsftpdguest. If you want to let the virtual user log in to other directories such as / var / ftp, modify the VSFTPDGUEST's own directory.
6.5.3, configuration file settings
6.5.3.1, basic settings.
Add the following parameters in the vsftpd.conf configuration file: guest_enable = yes guest_username = vsftpdguest
6.5.3.2, virtual users' permissions configuration.
VSFTPD-1.2.0 adds a Virtual_USE_LOCAL_PRIVS parameter, when this parameter is activated (YES), the virtual user uses the same permissions as local users. When this parameter is turned off (NO), the virtual user uses the same permissions as anonymous users, which is the processing method for virtual user privileges before VSFTPD-1.2.0. Compared with the two practices, the latter is more strict, especially in the case of writing access. By default, this parameter is closed (NO). When you introduce Virtual_USE_LOCAL_PRIVS = NO, you can configure the virtual user priority before VSFTPD-1.2.0: 1 Control the virtual user browsing directory If you can't browse the directory, you can still do the following two Steps: First, in the configuration file, Anon_World_Readable_only = yes. Second, the permissions of the virtual user directory can only be operated by vsftpdguest: [root @ hpe45 vsftpd] # chown vsftpdguest.vsftpdguest / home / vsftpdguest [root @ hpe45 vsftpd] # chmod 700 / home / vsftpdguest 2 Allow virtual users to upload file Write_enable = YES Anon_upload_enable = yes 3 Allow virtual users to modify file name and delete file Anon_other_write_enable = YES Since the above option is equally valued, the anonymous user is active. If you don't want an anonymous user to have the same permissions, it is best to prohibit anonymous user login.
In VSFTPD-1.2.0 when Virtual_Use_local_privs = yes, only write_enable = yes, virtual users can have write permissions.
6.5.3.3, other configurations of virtual users
1 Limit the virtual user in their own directory.
Chroot_local_user = no chroot_list_enable = yes chroot_list_file = / etc / vsftpd.chroot_list Add xiaotong and XIaowang in the /etc/vsftpd.chroot_list file. Or, chroot_local_user = yes
2 Personal configuration of virtual users.
If you want individual virtual users to have their own special configuration, you can also create personal profiles for virtual users. Add: user_config_dir = / etc / vsftpd / vsftpd_user_conf Generate / etc / vsftpd / vsftpd_user_conf directory, establish files with specific virtual users with specific virtual users in this directory: [root @ hpe45 vsftpd] # mkdir vsftpd_user_conf [root @ HPE45 vsftpd] # cd vsftpd_user_inter_usef [root @ hpe45 vsftpd_user_conf] # touch xiaowang then you can add an option to set a specialized xiaowang effective in the xiaowang file. Note: If you add chroot_local_user = yes in your personal profile, it is invalid.
6.5.3.4, Virtual User Personal Directory Settings
Everyone can find that no matter which virtual user, the directory where the login is located is / home / vsftpdguest, ie the Guest_username user's own directory. Below, you describe how to build your own directory for each virtual user. One method is to specify a virtual user's own directory using the local_root option in the personal configuration file of the virtual user. Take xiaowang as an example, on the basis of the first step, add: local_root = / home / xiaowang, first / etc / xiaowang file, set the permissions to vsftpdguest: [root @ HPE45 Home] # Mkdir xiaowang [root @ hpe45 home] # chown vsftpdguest.vsftpdguest ./xiaowang6.5.4,mysql Save virtual users
This section describes how to save the username and password of the virtual user in the MySQL database. This is mainly divided into two parts, one is to save the user and password in the database, and the other is to set the corresponding PAM authentication. To facilitate discussion, do the following assumptions: Database VSFTPDVU, Table Users, Field Name, and Passwd are used to save user names and passwords for virtual users; for security, only VSFTPDGUEST read the users table of the vsftpdvu database.
1. Save the user name / password for the virtual user. This part is done in the MySQL database. First, create a database vsftpdvu as well as Table Users, and insert a virtual user xiaotong, xiaowang. Perform the following command: [Root @ hpe45 vsftpd] #mysql -p mysql> create database vsftpdvu; mysql> use vsftpdvu; mysql> create table users (name char (16) binary, passwd char (16) binary; mysql> Insert Into Users (name, passwd) ('xiaotong'); mysql> Insert Into Uses (Name, Passwd) Values ('xiaowang', Password ('TTMYWife')); mysql> quit
Then, authorize that vsftpdguest can only read the Users table of the vsftpdvu database. Perform the following command: [root @ hpe45 vsftpd] # mysql -u root mysql -p mysql> grant select on vsftpdvu.users to vsftpdguest @ localhost iDentified by 'i52serial0'; mysql> quit
If you want to verify that the operation just successfully can perform the following command: [root @ HPE45 vsftpd] #mysql -u vsftpdguest -pi52serial0 vsftpdvu mysql> select * from users; if success, XIaotong, XIaowang, and encrypted passwords will be listed.
