Talking about vsftpd settings
Author: A Water Speech
Time: 2004-05-14 12:13:25

These are notes written while I was learning vsftpd; corrections from everyone are welcome.

Contents

0 About this document
1 Brief description of vsftpd
2 vsftpd installation
  2.1 RHL9 vsftpd-1.1.3-8.i386.rpm installation
  2.2 vsftpd-1.2.0.tar.gz installation
3 vsftpd file structure
4 Starting and stopping vsftpd
5 vsftpd setting options
  5.1 Connection options
    5.1.1 Listening address and control port
    5.1.2 FTP mode and data port
    5.1.3 ASCII mode
  5.2 Performance and load control
    5.2.1 Timeout options
    5.2.2 Load control
  5.3 User options
    5.3.1 Anonymous users
    5.3.2 Local users
    5.3.3 Virtual users
  5.4 Security measures
    5.4.1 User login control
    5.4.2 Directory access control
    5.4.3 File operation control
    5.4.4 New file permission settings
  5.5 Prompt messages
  5.6 Log settings
  5.7 Other settings
6 vsftpd applications
  6.1 Allowing anonymous users to upload files
  6.2 Restricting users to their home directories
  6.3 Configuring a high-security anonymous FTP server
  6.4 IP-address-based virtual FTP server
  6.5 Virtual user configuration
    6.5.1 Introduction to vsftpd virtual users
    6.5.2 User creation and directory settings
    6.5.3 Settings
      6.5.3.1 Basic settings
      6.5.3.2 Permission settings
      6.5.3.3 Other configuration for virtual users
      6.5.3.4 Personal directory settings for virtual users
    6.5.4 Saving virtual users in MySQL

--------------------------------------------------

0. About this document

This document is a personal learning note. Everyone is welcome to read, excerpt and reference it, and even more welcome to point out mistakes. The content comes mainly from the documentation shipped with vsftpd, personal experience and material from the network, so any resemblance is perfectly normal :). This document is based on Red Hat Linux 9 and vsftpd-1.1.3-8; wherever a different version is used, the text says so explicitly.

1. Brief description of vsftpd

If you ask which FTP server is the most secure, then on UNIX and Linux the first one to recommend is vsftpd (Very Secure FTP Daemon).
As the name suggests, security is the starting point of vsftpd's design. At the same time, with successive version upgrades, vsftpd has also made great progress in performance and stability. Large sites such as Red Hat, SUSE, Debian, GNU, GNOME and KDE use vsftpd as their FTP server. Everyone can visit http://vsftpd.beasts.org/ to see its latest status.

2. vsftpd installation

2.1 RHL9 vsftpd-1.1.3-8.i386.rpm installation

Installing vsftpd is simple. In RHL9 choose "Main Menu" - "System Settings" - "Add/Remove Applications" and select FTP Server, or run the following command from the character interface:

rpm -ivh vsftpd-1.1.3-8.i386.rpm

2.2 vsftpd-1.2.0.tar.gz installation

(1) Preparation

The default vsftpd configuration requires the user "nobody". Add this user to the system; if the user already exists, useradd says so:

[root@hpe45 root]# useradd nobody
useradd: user nobody exists

The default configuration also requires the directory /usr/share/empty. Create it; if it already exists, mkdir says so:

[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory '/usr/share/empty': File exists

To provide anonymous FTP service, vsftpd needs the user "ftp" and a valid anonymous directory:

[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp

The next two commands are useful even when the ftp user already exists:

[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp

(2) Compiling vsftpd

Download the tarball from the official site into the /root directory and run:

[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make

(3) Installation

After compiling, "make install" copies the compiled binary, the manual pages and so on to the corresponding directories. On RHL9 you may need to perform the copies manually:

[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8

In addition, "make install" does not copy the simple sample configuration file, so it is recommended to run:

[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc

(4) Setting up PAM for local users

If local users are to be allowed to log in to vsftpd, run:

[root@hpe45 vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp

3. vsftpd file structure

/etc/rc.d/init.d/vsftpd ---- startup script
/etc/vsftpd/vsftpd.conf ---- main configuration file
/etc/pam.d/vsftpd ---- PAM authentication file
/etc/vsftpd.ftpusers ---- list of users forbidden to use vsftpd
/etc/vsftpd.user_list ---- list of users for whom vsftpd is disabled or allowed
/var/ftp ---- anonymous user home directory
/var/ftp/pub ---- anonymous user directory

In addition there are some documentation and manual files.
The vsftpd log file settings are in /etc/logrotate.d/vsftpd.log.

4. Starting and stopping vsftpd

vsftpd can run standalone, like the httpd or named servers (this is the default mode in RHL9), or it can run under xinetd (the default mode in RHL7.x and 8). The operating mode is determined by the listen parameter. The vsftpd shipped with each RHL release also shows vsftpd's gradual development.

When listen=YES (the default in RHL9), vsftpd runs standalone and can be started, stopped and restarted with the script /etc/rc.d/init.d/vsftpd:

/etc/rc.d/init.d/vsftpd start|stop|restart

If on RHL9 you want to run vsftpd under xinetd instead, you must first change the value of the listen parameter in vsftpd.conf to NO, and then create the file /etc/xinetd.d/vsftpd with the following content:

service vsftpd
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        port            = 21
        log_on_success  = PID HOST DURATION
        log_on_failure  = HOST
}

vsftpd is then started or stopped by setting disable to no or yes and restarting xinetd. Since the standalone mode of vsftpd is capable enough, the applications discussed in section 6 run in standalone mode, not under xinetd.

Note: you can also run the vsftpd binary directly to start the FTP service, and use the "kill" command to stop it:

[root@hpe45 root]# /usr/local/sbin/vsftpd &

5. vsftpd setting options

The vsftpd configuration file /etc/vsftpd/vsftpd.conf is a text file. Lines beginning with the "#" character are comments. Each option occupies one line in the form "option=value"; note that no blank characters may appear on either side of the "=". In addition to this main configuration file, a personal configuration file can be set up for a particular user, which is described later. The vsftpd.conf shipped with the vsftpd package is fairly simple and very paranoid (as its documentation claims :-)). We can adjust settings to the actual situation to make vsftpd more usable.

5.1 Connection options

This section covers options related to establishing an FTP connection.

5.1.1 Listening address and control port

listen_address=IP address
This parameter is valid in standalone mode.
It defines on which IP address of the host the FTP service is provided. Hosts with only one IP address do not need it; on a multi-homed host, if this parameter is not set, vsftpd listens on all IP addresses. The default is none.

listen_port=port number
The port number (control port) the FTP server listens on; the default is 21. This option takes effect in standalone mode.

5.1.2 FTP mode and data port

FTP comes in two kinds, PORT FTP and PASV FTP, of which PORT FTP is the usual form. Both establish the control connection the same way: the client first connects to the FTP server's control port (default 21) and sends the transfer commands over that connection. They differ in how the data transfer port (ftp-data) is used. In PORT FTP the data port is specified by the FTP server, with a default value of 20. In PASV FTP the data transfer port is determined by the FTP client. The PASV approach is mainly for cases where the client side needs to decide the data transfer port used between the two, for convenience of communication with the server.

port_enable=YES|NO
Set this option to NO to disable PORT mode for data connections. The default is YES.

connect_from_port_20=YES|NO
Controls whether port 20 (ftp-data) is used when transferring data in PORT mode: YES uses it, NO does not. The default is NO, but this parameter is set to YES in the vsftpd.conf shipped with RHL.

ftp_data_port=port number
Sets the FTP data transfer port (ftp-data). The default is 20. This parameter is used in PORT FTP mode.

port_promiscuous=YES|NO
The default is NO. YES disables the PORT security check, which ensures that outgoing data connections can only go to the client. Enable this option with care.

pasv_enable=YES|NO
YES allows data transfers in PASV mode; NO does not. The default is YES.

pasv_min_port=port number
pasv_max_port=port number
The lower and upper bounds of the port range that PASV-mode data connections may use; 0 means any port. The default is 0. Setting the range to relatively high ports, such as 50000-60000, helps security.

pasv_promiscuous=YES|NO
When this option is activated, the PASV security check is turned off. This check ensures that the data connection and the control connection come from the same IP address. Enable this option with care; its only reasonable use is within an organisation that employs a secure tunnelling scheme. The default is NO.

pasv_address=
A numeric IP address, used in the response to the PASV command. The default is none, i.e. the address is obtained from the incoming connection socket.
5.1.3 ASCII mode

By default vsftpd does not use ASCII transfer mode. Even if the FTP client issues the ASC command, vsftpd accepts it on the surface but actually transfers the file in binary mode. The following options control whether vsftpd uses ASCII transfer mode.

ascii_upload_enable=YES|NO
Controls whether uploads in ASCII mode are allowed: YES allows, NO does not. The default is NO.

ascii_download_enable=YES|NO
Controls whether downloads in ASCII mode are allowed: YES allows, NO does not. The default is NO.

5.2 Performance and load control

5.2.1 Timeout options

idle_session_timeout=numeric value
Timeout for an idle (no-operation) user session: if this time passes without data input or command input, the connection is forcibly closed. The unit is seconds; the default is 300.

data_connection_timeout=numeric value
Timeout for an idle data connection. The default is 300 seconds.

accept_timeout=numeric value
Timeout for accepting the establishment of a connection, in seconds. The default is 60.

connect_timeout=numeric value
Timeout for the response to a data connection in PORT mode, in seconds. The default is 60.

With the two options above, the client's connection is interrupted automatically after 1 minute and re-activated automatically after 1 minute.

5.2.2 Load control

max_clients=numeric value
This parameter is valid in standalone mode. It defines the maximum number of concurrent connections to the FTP server; when this number is exceeded, the server rejects client connections. The default is 0, meaning the number of connections is not limited.

max_per_ip=numeric value
This parameter is valid in standalone mode. It defines the maximum number of concurrent connections per IP address; beyond this number connections are refused. This setting affects multi-connection download tools such as Internet Express. The default is 0, meaning no limit.

anon_max_rate=value
Sets the maximum data transfer rate for anonymous users, in bytes/s. There is no default limit.

local_max_rate=value
Sets the maximum data transfer rate for local users, in bytes/s. There is no default limit. This option applies to all local users. It can also be used in a user's personal configuration file to specify the maximum rate for a particular user. The steps are:

1. In vsftpd.conf, specify the directory holding personal configuration files, for example user_config_dir=/etc/vsftpd/userconf
2. Create the /etc/vsftpd/userconf directory.
3. A user's personal configuration file is the file in that directory with the same name as the user, for example /etc/vsftpd/userconf/xiaowang
4. Set the local_max_rate parameter in the personal configuration file, for example local_max_rate=80000

The above sets the maximum data transfer rate for the FTP user xiaowang to 80 kbytes/s. vsftpd's rate control is accurate to about 80% to 120%: for example, with a limit of 100 kbytes/s the actual rate may be anywhere between 80 kbytes/s and 120 kbytes/s.
Of course, if the line bandwidth is insufficient, the rate will naturally be lower than this limit.

5.3 User options

vsftpd users fall into three categories: anonymous users, local users, and virtual users (guests).

5.3.1 Anonymous users

anonymous_enable=YES|NO
Controls whether anonymous users may log in: YES allows, NO does not. The default is YES.

ftp_username=
The system user name used by anonymous users. By default this parameter does not appear in the configuration file; its value is ftp.

no_anon_password=YES|NO
Controls whether a password is required at anonymous login: YES means no password is needed, NO means one is. The default is NO.

deny_email_enable=YES|NO
The default is NO. When the value is YES, anonymous logins that use an e-mail address listed in the file named by banned_email_file are rejected. Obviously this is effective against some DoS attacks. When this parameter is in effect, the banned_email_file parameter must be added as well.

banned_email_file=/etc/vsftpd.banned_emails
Specifies the file containing the rejected e-mail addresses. The default file is /etc/vsftpd.banned_emails.

anon_root=
Sets the root directory of anonymous users, i.e. the directory an anonymous user is placed in after login. This does not appear in the main configuration file; the default is /var/ftp/.

anon_world_readable_only=YES|NO
Controls whether anonymous users may only download world-readable files. YES only allows anonymous users to download readable files; NO allows anonymous users to browse the whole file system of the server. The default is YES.

anon_upload_enable=YES|NO
Controls whether anonymous users may upload files: YES allows, NO does not. The default is no value, i.e. NO. Besides this parameter, two further conditions must hold for anonymous uploads: (1) the write_enable parameter is YES; (2) on the file system, the ftp anonymous user has write permission on a directory.

anon_mkdir_write_enable=YES|NO
Controls whether anonymous users may create new directories: YES allows, NO does not. The default is no value, i.e. NO. Of course, on the file system the ftp anonymous user must have write permission on the parent of the new directory.

anon_other_write_enable=YES|NO
Controls whether anonymous users have write privileges other than uploading and creating directories, such as deleting and renaming. YES grants them, NO does not. The default is NO.

chown_uploads=YES|NO
Whether to change the ownership of files uploaded by anonymous users. With YES, the ownership of files uploaded by anonymous users is changed to a different user, specified by the chown_username parameter. The default is NO.

chown_username=whoever
Specifies the user who takes ownership of files uploaded by anonymous users. This parameter works together with chown_uploads. The root user is not recommended.

5.3.2 Local users

Among the users of the FTP service, besides anonymous users there are users who have accounts on the FTP server's host. Such users are local users, equivalent to the "real users" of other FTP servers.

local_enable=YES|NO
Controls whether users of the system on which vsftpd runs may log in to vsftpd. The default is YES.

local_root=
Defines the root directory of all local users; after login, local users are placed in this directory. The default is none.

user_config_dir=
Defines the directory holding users' personal configuration files. A user's personal configuration file is the file in this directory with the same name as the user, and its format is the same as that of vsftpd.conf. For example, with user_config_dir=/etc/vsftpd/userconf defined and users xiaowang and lisi on the host, we can add two files named xiaowang and lisi under user_config_dir. When user lisi logs in, vsftpd reads the values set in the file lisi under user_config_dir and applies them to the user lisi. The default is none.

5.3.3 Virtual users

guest_enable=YES|NO
If this feature is enabled, everyone who logs in non-anonymously is treated as a guest. The default is off.
guest_username=
Defines the system user name of vsftpd's guest user. The default is ftp.

5.4 Security measures

5.4.1 User login control

pam_service_name=vsftpd
Indicates the name of the PAM configuration file used when vsftpd authenticates via PAM. The default value is vsftpd, so the default PAM configuration file is /etc/pam.d/vsftpd.

/etc/vsftpd.ftpusers
vsftpd refuses FTP login to the users listed in this file. This mechanism is set up by default in /etc/pam.d/vsftpd.

userlist_enable=YES|NO
When this option is active, vsftpd reads the user list in the file specified by the userlist_file parameter. A user in the list is refused before the password prompt: after the user name is entered, vsftpd looks it up in the list and, if found, refuses the user directly without proceeding to ask for a password. The default is NO.

userlist_file=/etc/vsftpd.user_list
The file containing the user list that is read when the userlist_enable option is in effect. The default is /etc/vsftpd.user_list.

userlist_deny=YES|NO
Decides whether the users in the file given by userlist_file are forbidden to log in, or are the only ones allowed to. This option takes effect after userlist_enable is enabled. YES, the default: users in the file may not log in to the FTP server and are not prompted for a password. NO: only users in the file may log in to the FTP server.

tcp_wrappers=YES|NO
Whether vsftpd uses the tcp_wrappers remote access control mechanism. The default is YES.

5.4.2 Directory access control

chroot_list_enable=YES|NO
Locks certain users into their own directories: after login these users cannot move to other directories of the system, only to their own directory (and its subdirectories). The users concerned are listed in the file specified by the chroot_list_file parameter. The default is NO.

chroot_list_file=/etc/vsftpd/chroot_list
Points to the list file of users locked into their own directories, one user per line. Usually the file is /etc/vsftpd/chroot_list. This option is not set by default.

chroot_local_user=YES|NO
Locks local users into their own directories. When this is activated, the roles of the chroot_list_enable and chroot_list_file parameters change: the users in the file specified by chroot_list_file are the ones NOT locked into their own directories. Activating this parameter may create security conflicts, especially when users have upload rights, shell access, and so on; therefore it should only be enabled if you understand this. The default is NO.

passwd_chroot_enable
When this option is activated together with chroot_local_user, the chroot() jail location can be specified on a per-user basis: each user's jail is derived from the home directory field of that user in /etc/passwd. The default is NO.

5.4.3 File operation control

hide_ids=YES|NO
Hides the owner and group information of files. With YES, when the user runs a command such as "ls -al", the owner and group of all files in the directory listing are shown as ftp. The default is NO.

ls_recurse_enable=YES|NO
YES allows the "ls -R" command to be used.
This option carries a small security risk, because on a large FTP site "ls -R" consumes a lot of system resources. The default is NO.

write_enable=YES|NO
Controls whether any FTP command that modifies the file system is allowed, such as STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. The default is NO, but this option is turned on in the shipped simple configuration file.

secure_chroot_dir=
Points to an empty directory on which FTP users have no write permission. vsftpd is confined to this directory whenever it does not need access to the file system. The default directory is /usr/share/empty.

5.4.4 New file permission settings

anon_umask=
The umask value for files added by anonymous users. The default is 077.

file_open_mode=
The permissions of uploaded files, with the same values as chmod. If uploaded files should be executable, set this to 0777. The default is 0666.

local_umask=
The umask value for files added by local users. The default is 077, although most other FTP servers use 022; if your users want it, change it to 022. The shipped configuration file sets this to 022.

5.5 Prompt messages

ftpd_banner=login banner string
Defines the login banner string (login welcome string), which users can modify themselves. It is not set by default. When ftpd_banner is set, the original welcome text is replaced.

banner_file=/directory/vsftpd_banner_file
Specifies a text file whose content is displayed when a user logs in, usually a welcome message or a description. The default is none. Compared with ftpd_banner, banner_file takes the form of a text file while ftpd_banner is a string; the banner_file option takes precedence over the ftpd_banner option.

dirmessage_enable=YES|NO
Controls whether directory prompt messages are enabled: YES enables, NO disables. The default is YES. When enabled, whenever the user enters a directory vsftpd checks whether the file named by message_file exists there, and if so displays it; this file usually holds a welcome message or a description of the directory.

message_file=
Only active when the dirmessage_enable option is on. The default is .message.

5.6 Log settings

xferlog_enable=YES|NO
Controls whether a log file recording uploads and downloads in detail is enabled. The log file is specified by the xferlog_file option. The default is NO, but the option is activated in the simple configuration file.

xferlog_file=
Sets the file name of the transfer log. The default is /var/log/vsftpd.log.

xferlog_std_format=YES|NO
Controls whether the log file uses the standard xferlog format, like wu-ftpd. With the xferlog format, existing transfer statistics generators can be reused; the default log format, however, is more readable. The default is NO, but the option is activated in the configuration file.

log_ftp_protocol=YES|NO
When this option is activated, all FTP requests and responses are recorded in the log. xferlog_std_format must not be activated at the same time. This option helps with debugging. The default is NO.

5.7 Other settings

setproctitle_enable=YES|NO
With YES, vsftpd shows the state of each session in the system process list, i.e. the process report shows what each vsftpd session is doing (idle, downloading, etc.), for example with "ps -ef | grep ftp". For security reasons you may consider turning this option off. With NO, the process report only shows a running vsftpd process. The default is NO.

text_userdb_names=YES|NO
By default the user and group fields of directory listings show the owner's UID rather than the owner's name. Turn this option on if you want the owner's name. The default is NO.

use_localtime=YES|NO
The default is NO. With YES, vsftpd displays local time in directory listings; the default is to display GMT. Likewise, the time value returned by the FTP command "MDTM" is affected by this option.

check_shell=YES|NO
This option only applies to vsftpd builds that do not use PAM. When it is turned off, vsftpd does not check the /etc/shells file for a valid user shell at login. The default is YES.

nopriv_user=
Specifies the user identity vsftpd uses when it wants no privileges at all. This is best a dedicated user rather than nobody, since on most machines the nobody user is used for many important things. The default is nobody.

pam_service_name=
Indicates the name of the PAM configuration file vsftpd uses when authenticating via PAM. The default is ftp.

6. vsftpd applications

This section describes specific applications of vsftpd.
6.1 Allowing anonymous users to upload files

Modify or add the following options in the vsftpd.conf file:

write_enable=YES
anon_world_readable_only=NO
anon_upload_enable=YES

Then create a directory for anonymous uploads and set its permissions:

# mkdir /var/ftp/incoming
# chmod o+w /var/ftp/incoming

The anonymous user (ftp) needs to write into the incoming directory; since the anonymous user (ftp) is not the owner of incoming and counts as "other" for it, write permission is added for others (o).

6.2 Restricting users to their home directories

In the default configuration, local users may change to directories other than their own and browse, upload and download there within their permissions, which is undoubtedly an unsafe factor. We can set up chroot so that after login local users can access only their own directory and no other. Three options are involved: chroot_local_user, chroot_list_enable and chroot_list_file. There are two ways to restrict users to their own directories:

1. Restrict all local users to their own directories:

chroot_local_user=YES

This approach may cause some security conflicts; see the description of the chroot_local_user option above.
2. Restrict some of the local users to their own directories:

chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

and add the local user names to be restricted to the /etc/vsftpd.chroot_list file, one user name per line.

6.3 Configuring a high-security anonymous FTP server

The simple configuration file shipped with vsftpd already claims to be paranoid; let us see whether it can be made more paranoid :). Options that already use the secure setting by default are not written here.

# only anonymous access, no local user access
anonymous_enable=YES
local_enable=NO
# replace vsftpd's default welcome text with ftpd_banner, so that it does not leak related information
ftpd_banner=Welcome to this ftp server
# let anonymous users browse only world-readable files, not the whole system
anon_world_readable_only=YES
# hide owner and group information: anonymous users see the owner and group of all files as ftp
hide_ids=YES
# cancel write permission
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# use standalone mode and specify the listening IP address
listen_address=IP address
# control the connection; the timeouts depend on the specific situation
connect_from_port_20=YES
pasv_min_port=50000
pasv_max_port=60000
# control the number of concurrent connections; the values are up to the user
max_clients=numeric value
max_per_ip=numeric value
# limit the download rate; the exact limit is up to the user, 80 kB/s is already quite fast
anon_max_rate=80000
# enable detailed logging
xferlog_enable=YES

6.4 IP-address-based virtual FTP server

Suppose the host has two IP addresses, 192.168.0.1 and 192.168.0.2, and vsftpd is set up on 192.168.0.1; we now provide a virtual FTP server on 192.168.0.2. For how to use multiple IP addresses on one server, please refer to the relevant documentation.

1. Create the root directory of the virtual FTP server:

mkdir -p /var/ftp2/pub

Make sure the owner and group of the /var/ftp2 and /var/ftp2/pub directories are root and the mode is 755.

2. Add an anonymous user account for the virtual FTP server. The original FTP server uses the system user ftp as its anonymous user account; we add ftp2 for the virtual FTP server:

useradd -d /var/ftp2 -m ftp2

3. Create a configuration file for the virtual FTP server. Copy the original vsftpd.conf as the configuration file of the virtual FTP server and modify the relevant parameters:

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd2.conf

Add or modify the following parameters:

listen=YES
listen_address=192.168.0.2
ftp_username=ftp2

Note: because vsftpd listens on all IP addresses by default, when we set up IP-based virtual FTP servers the original FTP server must be given an explicit listening IP address, to prevent the original and the virtual FTP server from conflicting. Here listen_address=192.168.0.1 is set in the original configuration file.

4. Start the virtual FTP server. At startup the /etc/rc.d/init.d/vsftpd script scans all *.conf files in the /etc/vsftpd/ directory and starts one vsftpd process per .conf file, in turn; each vsftpd process corresponds to one .conf file. That is, the order of the "ls /etc/vsftpd/" listing is the same as the order in "ps -aux | grep vsftpd". "ps -aux | grep vsftpd" also shows the configuration file used by each vsftpd, so you can see which vsftpd process corresponds to which FTP server; a process with no configuration file listed uses the default vsftpd.conf and is the original FTP server's process. Since the configuration file of the virtual FTP server was named vsftpd2.conf in step 3, the /etc/rc.d/init.d/vsftpd script starts or stops the original FTP server and the new virtual FTP server together. The following command starts the virtual FTP server on its own:

/usr/sbin/vsftpd /etc/vsftpd/vsftpd2.conf &

To stop the virtual FTP server on its own, find its process number with "ps -aux | grep vsftpd" and then kill the virtual FTP process with the kill command.

6.5 Virtual user configuration

6.5.1 Introduction to vsftpd virtual users

vsftpd's local users are themselves system users: besides logging in to the FTP server, they can also log in to the system and use other system resources, whereas vsftpd virtual users are users dedicated to the FTP service.
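As an added example that is not part of the original document, the following shell script checks a vsftpd.conf against the "option=value" syntax rule from section 5 (one option per line, no blanks around "=", "#" starts a comment) and against the high-security anonymous checklist from section 6.3. Options that are absent are evaluated at the defaults the text states, and both configuration files the script writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original document): syntax check for the
# "option=value" format of vsftpd.conf (section 5) and an audit against the
# high-security anonymous settings of section 6.3. Absent options are taken
# at the defaults given in the text. Both conf files below are constructed.
set -eu

# Print lines that are neither blank, nor a "#" comment, nor "option=value"
# with no whitespace around "=" (so "listen = YES" is reported).
check_syntax() {
    awk '
        /^[ \t]*$/ { next }                                 # blank line
        /^#/       { next }                                 # comment line
        /^[A-Za-z_][A-Za-z0-9_]*=([^ \t].*)?$/ { next }     # well-formed option
        { printf "line %d: %s\n", NR, $0 }
    ' "$1"
}
count_bad_lines() { check_syntax "$1" | awk 'END { print NR }'; }

# Value of OPTION in CONF (a later line overrides an earlier one), or "".
get_opt() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# expect OPTION PAGE_DEFAULT REQUIRED CONF: report a boolean that deviates.
expect() {
    v=$(get_opt "$1" "$4" | tr 'a-z' 'A-Z')
    [ -n "$v" ] || v=$2
    if [ "$v" != "$3" ]; then
        printf 'MISSING %s=%s (effective: %s)\n' "$1" "$3" "$v"
    fi
}
# expect_set OPTION CONF: report an option that is unset or left at 0.
expect_set() {
    v=$(get_opt "$1" "$2")
    if [ -z "$v" ] || [ "$v" = 0 ]; then
        printf 'MISSING %s (unset or 0)\n' "$1"
    fi
}
# The PASV range only makes sense when the lower bound is not above the upper.
check_pasv_range() {
    lo=$(get_opt pasv_min_port "$1"); hi=$(get_opt pasv_max_port "$1")
    if [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -gt "$hi" ]; then
        printf 'MISSING pasv_min_port<=pasv_max_port (%s > %s)\n' "$lo" "$hi"
    fi
}

# The section 6.3 checklist: option, default stated in the text, required value.
audit_conf() {
    c=$1
    expect anonymous_enable         YES YES "$c"
    expect local_enable             YES NO  "$c"
    expect anon_world_readable_only YES YES "$c"
    expect hide_ids                 NO  YES "$c"
    expect write_enable             NO  NO  "$c"
    expect anon_upload_enable       NO  NO  "$c"
    expect anon_mkdir_write_enable  NO  NO  "$c"
    expect anon_other_write_enable  NO  NO  "$c"
    expect connect_from_port_20     NO  YES "$c"
    expect xferlog_enable           NO  YES "$c"
    for o in ftpd_banner listen_address pasv_min_port pasv_max_port \
             max_clients max_per_ip anon_max_rate; do
        expect_set "$o" "$c"
    done
    check_pasv_range "$c"
}
count_deviations() { audit_conf "$1" | awk '/^MISSING/ { n++ } END { print n + 0 }'; }

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
# Constructed: the permissive shape of a shipped default plus one syntax slip.
cat >"$WEAK_CONF" <<'EOF'
# constructed sample, not a real server's file
anonymous_enable=YES
local_enable=YES
write_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
listen = YES
EOF
# Constructed: the section 6.3 settings with concrete values filled in.
cat >"$HARD_CONF" <<'EOF'
anonymous_enable=YES
local_enable=NO
ftpd_banner=Welcome to this ftp server
anon_world_readable_only=YES
hide_ids=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
listen=YES
listen_address=192.168.0.1
connect_from_port_20=YES
pasv_min_port=50000
pasv_max_port=60000
max_clients=100
max_per_ip=5
anon_max_rate=80000
xferlog_enable=YES
EOF

printf '== syntax problems (weak) ==\n'; check_syntax "$WEAK_CONF"
printf '== deviations from 6.3 (weak): %s ==\n' "$(count_deviations "$WEAK_CONF")"
audit_conf "$WEAK_CONF"
printf '== deviations from 6.3 (hardened): %s ==\n' "$(count_deviations "$HARD_CONF")"
```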
Virtual users can only access the FTP server's resources, which suits users or situations that only need to read from the system through FTP and need no other system resources. vsftpd virtual users use a separate user name/password store, separated from the system accounts (passwd/shadow), which greatly improves system security. vsftpd can keep users and passwords in a database file, such as a hash (db) file, or in a database server such as MySQL. vsftpd authenticates virtual users through PAM. Because the virtual users' names and passwords are stored separately, vsftpd needs a system user to read the database file or database server in order to complete authentication: this is the guest user, which plays the same role for virtual users as the system user ftp plays for anonymous users. The guest user can also be thought of as the user that virtual users are mapped onto. Configuring virtual users involves several parts: creating the guest user, storing user names/passwords, configuring PAM authentication, setting vsftpd.conf, and so on. The specific methods are in the following sections.

Note: the examples below assume two virtual users, xiaotong and xiaowang.

6.5.2 User creation and directory settings

Add the user vsftpdguest to the system as the representative of the virtual users in the system:
useradd vsftpdguest

When a virtual user logs in, it is placed in vsftpdguest's own home directory, /home/vsftpdguest. If you want virtual users to log in to another directory, such as /var/ftp, change vsftpdguest's home directory.

6.5.3, Settings

6.5.3.1, Basic settings

In the vsftpd.conf configuration file, add the following parameters:

guest_enable=YES
guest_username=vsftpdguest

6.5.3.2, Permission settings for virtual users

vsftpd-1.2.0 adds the virtual_use_local_privs parameter. When this parameter is enabled (YES), virtual users have the same permissions as local users. When it is disabled (NO), virtual users have the same permissions as anonymous users, which is how virtual user permissions were handled before vsftpd-1.2.0. Of the two, the latter is stricter, especially for write access. By default this parameter is disabled (NO). With virtual_use_local_privs=NO, and in versions before vsftpd-1.2.0, virtual user permissions are configured as follows:

1. Controlling whether virtual users can browse the directory. If you do not want virtual users to be able to browse the directory, take the following two steps. First, in the configuration file, set anon_world_readable_only=YES. Second, set the permissions of the virtual user directory so that only vsftpdguest can operate on it:

[root@hpe45 vsftpd]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 vsftpd]# chmod 700 /home/vsftpdguest

2. Allowing virtual users to upload files:

write_enable=YES
anon_upload_enable=YES

3. Allowing virtual users to rename and delete files:

anon_other_write_enable=YES

Since the options above apply equally to anonymous users, they take effect for anonymous users as well. If you do not want anonymous users to have the same permissions, it is best to disable anonymous user login. In vsftpd-1.2.0, when virtual_use_local_privs=YES, write_enable=YES alone is enough for virtual users to have write permission.
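The two configuration pitfalls described above, the missing listen_address in section 6.4 and the anonymous-user exposure in section 6.5.3.2, are easy to check mechanically. The following script is an added example and is not part of the original document or of vsftpd itself; it reads a directory of vsftpd *.conf files and reports both problems. The sample configuration files it writes are constructed for the demonstration and reuse the addresses and user names from the text.

```shell
#!/bin/sh
# Added example, not from the original document: audit a directory of vsftpd
# *.conf files for two problems the text above warns about.
#   1. Section 6.4: when several standalone (listen=YES) servers run from one
#      directory, each needs its own listen_address, otherwise the original
#      server (which binds every address by default) collides with the virtual
#      server.
#   2. Section 6.5.3.2: with guest_enable=YES and virtual_use_local_privs left
#      off, anon_upload_enable / anon_other_write_enable also apply to real
#      anonymous logins unless anonymous_enable=NO.
# The files written by make_sample_dir are constructed for this demonstration.

# Print the effective value of option KEY in FILE (the last assignment wins);
# print nothing when the option is absent.
vsftpd_opt() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# vsftpd boolean options accept YES/yes/true/1; anything else counts as no.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 1: report listeners that share an address. A standalone listener with
# no listen_address binds all addresses, recorded here as 0.0.0.0, and so
# collides with every other listener in the directory. Returns 1 on conflict.
check_listen_conflicts() {
    dir=$1; pairs=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        is_yes "$(vsftpd_opt "$f" listen)" || continue    # inetd-style, skip
        addr=$(vsftpd_opt "$f" listen_address)
        [ -n "$addr" ] || addr=0.0.0.0
        pairs="$pairs$addr $(basename "$f")
"
    done
    printf '%s' "$pairs" | awk '
        { n[$1]++; files[$1] = files[$1] " " $2 }
        END {
            bad = 0; total = 0
            for (a in n) {
                total++
                if (n[a] > 1) { bad = 1; print "CONFLICT: " a " used by" files[a] }
            }
            if (("0.0.0.0" in n) && total > 1) {
                bad = 1
                print "CONFLICT: listener without listen_address binds all addresses:" files["0.0.0.0"]
            }
            exit bad
        }'
}

# Check 2: warn when anonymous-style write options meant for virtual users are
# also reachable by anonymous logins. anonymous_enable defaults to YES in vsftpd.
check_guest_anon_exposure() {
    f=$1
    is_yes "$(vsftpd_opt "$f" guest_enable)" || return 0
    if is_yes "$(vsftpd_opt "$f" virtual_use_local_privs)"; then return 0; fi
    anon=$(vsftpd_opt "$f" anonymous_enable)
    [ -n "$anon" ] || anon=YES
    is_yes "$anon" || return 0
    for opt in anon_upload_enable anon_other_write_enable; do
        if is_yes "$(vsftpd_opt "$f" "$opt")"; then
            echo "WARNING: $f: $opt=YES also applies to anonymous logins; set anonymous_enable=NO"
            return 1
        fi
    done
    return 0
}

# Constructed sample: the original server's vsftpd.conf (no listen_address,
# guest users with upload rights, anonymous login still on) and the virtual
# server's vsftpd2.conf from section 6.4.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=YES
guest_enable=YES
guest_username=vsftpdguest
write_enable=YES
anon_upload_enable=YES
EOF
    cat > "$d/vsftpd2.conf" <<'EOF'
listen=YES
listen_address=192.168.0.2
ftp_username=ftp2
EOF
    echo "$d"
}

sample=$(make_sample_dir)
check_listen_conflicts "$sample"
check_guest_anon_exposure "$sample/vsftpd.conf"
rm -rf "$sample"
```

Run against /etc/vsftpd to audit a real installation; both checks only print and return a non-zero status, so they can be used before restarting the service. Appending listen_address=192.168.0.1 and anonymous_enable=NO to the sample vsftpd.conf, as the text recommends, makes both checks pass.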
6.5.3.3, Other configurations for virtual users

1. Restricting virtual users to their own directory:

chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Add xiaotong and xiaowang to the /etc/vsftpd.chroot_list file. Alternatively, simply set:

chroot_local_user=YES

2. Personal configuration for virtual users. If you want individual virtual users to have their own special configuration, you can create personal configuration files for them.
Add the following to vsftpd.conf:

user_config_dir=/etc/vsftpd/vsftpd_user_conf

Create the /etc/vsftpd/vsftpd_user_conf directory and, in it, create a file named after each virtual user that needs its own settings:

[root@hpe45 vsftpd]# mkdir vsftpd_user_conf
[root@hpe45 vsftpd]# cd vsftpd_user_conf
[root@hpe45 vsftpd_user_conf]# touch xiaowang

Options added to the xiaowang file then apply to xiaowang only.

Note: chroot_local_user=YES has no effect when added to a personal configuration file.

6.5.3.4, Virtual user personal directory settings

You will notice that, whichever virtual user logs in, the directory it lands in is /home/vsftpdguest, that is, the home directory of the guest_username user. This section describes how to give each virtual user its own directory. One method is to specify the virtual user's own directory with the local_root option in the virtual user's personal configuration file. Taking xiaowang as an example, building on the personal configuration file created above, add to the /etc/vsftpd/vsftpd_user_conf/xiaowang file:

local_root=/home/xiaowang

Then create the /home/xiaowang directory and set its ownership to vsftpdguest:

[root@hpe45 home]# mkdir xiaowang
[root@hpe45 home]# chown vsftpdguest.vsftpdguest ./xiaowang

6.5.4, Saving virtual users in MySQL

This section describes how to save the usernames and passwords of virtual users in a MySQL database. This is divided into two parts: saving the users and passwords in the database, and setting up the corresponding PAM authentication. To simplify the discussion, the following assumptions are made: the database vsftpdvu, the table users, and the fields name and passwd are used to save the usernames and passwords of the virtual users; for security, only vsftpdguest may read the users table of the vsftpdvu database.

1. Saving the virtual users' usernames/passwords. This part is done in the MySQL database. First, create the database vsftpdvu and the table users, and insert the virtual users xiaotong and xiaowang.
Run the following commands:

[root@hpe45 vsftpd]# mysql -p
mysql> create database vsftpdvu;
mysql> use vsftpdvu;
mysql> create table users (name char(16) binary, passwd char(16) binary);
mysql> insert into users (name, passwd) values ('xiaotong', password('xiaotong-password-placeholder'));
mysql> insert into users (name, passwd) values ('xiaowang', password('ttmywife'));
mysql> quit

(The original gives no password for xiaotong; xiaotong-password-placeholder stands in for it.) Then, grant vsftpdguest read access only to the users table of the vsftpdvu database.