Red Hat Linux 9.0 VSFTP configuration compendium
2004-04-23 15:18
Author: unknown. Source: Linux knowledge base, http://www.linuxhero.com/docs
Original address: unknown. I came across this by chance on a website in Taiwan and converted the Traditional Chinese characters to Simplified.

3.2 VSFTP: a secure and efficient FTP server

3.2.1 VSFTP overview

FTP (File Transfer Protocol) is the communication protocol for transferring files and is the most commonly used way of moving files between hosts. Readers using Red Hat 9 will notice two changes to the FTP server. First, only vsftpd is shipped; the original wu-ftpd is no longer included. Second, vsftpd runs independently of xinetd, and its configuration file has moved from /etc/vsftpd.conf to /etc/vsftpd/vsftpd.conf. Why change this? vsftpd is capable of running on its own and no longer needs xinetd as an intermediate layer, and, like sendmail, httpd, ssh and Samba, it keeps its configuration files in a directory of its own under /etc.

FTP connections come in two kinds: PORT FTP, the ordinary kind, and PASV FTP. They work as follows.

PORT FTP: the usual form of FTP. First a control channel is established, by default to port 21; that is, the client connects to the server's port 21 and sends its commands over this connection. Second, the data channel is established by the FTP server: by default the server connects from its port 20 to the client, and the data is transmitted over port 20.

PASV FTP: similar to PORT FTP in that a control channel is first established, by default to port 21, and commands are sent over it. The difference is that the data connection is initiated from the client side, using the data-port number exchanged over the control channel.

What is the difference between them? In PORT FTP the data transfer port is specified by the FTP server; in PASV FTP the data connection is opened by the FTP client.
Usually we use PASV FTP: in an environment with a firewall, the client and server negotiate the data port between themselves.

3.2.2 Examples

Example 3.2.1. Starting the VSFTP service directly
This example uses Red Hat's default settings and simply starts vsftpd.

    [root@relay vsftpd]# /sbin/service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]

Example 3.2.2. Changing the service port: replace the default port 21 with 2121
For security, or to tell several FTP services apart by port, we may want to move the FTP port to something other than 21. Follow these steps.
Step 1. Modify /etc/vsftpd/vsftpd.conf and add the following line at the bottom:

    listen_port=2121

Step 2. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Example 3.2.3. Keeping specific users (peter, john) in their home directory
By default a user's directory is /home/username, but the user can still change to any other directory. If we do not want certain users to be able to leave their home directory, follow these steps.

Step 1. Modify the following three lines in /etc/vsftpd/vsftpd.conf, from

    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd.chroot_list

to

    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd/chroot_list

Step 2. Create a new file /etc/vsftpd/chroot_list containing the following two lines:

    peter
    john

Step 3. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

If peter now tries to change to a directory outside his root directory, the following warning appears:

    ftp> cd /home
    550 Failed to change directory.

Example 3.2.4. Disabling anonymous login
If you do not want users to log in to your host anonymously, follow these steps.

Step 1. In /etc/vsftpd/vsftpd.conf, change

    anonymous_enable=YES

to

    anonymous_enable=NO

Step 2. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Example 3.2.5. Setting up a welcome message
If we want users to see a welcome message, perhaps describing the host or a directory, follow these steps. First confirm that /etc/vsftpd/vsftpd.conf contains the following line (it does by default on Red Hat 9):

    dirmessage_enable=YES
Then create a file named .message in each directory concerned. Suppose there is a user test1 with a directory abc in his home directory. First we create /home/test1/.message with the following content:

    Hello ~ Welcome to the home directory

    this is for test only ...

Then we add /home/test1/abc/.message with the content:

    Welcome to abc's directory

    this is subdir ...

When user test1 logs in, he sees the following message:

    230-Hello ~ Welcome to the home directory
    230-
    230-this is for test only ...
    230-

and when he changes into the abc directory, the following appears:

    250-Welcome to abc's directory
    250-
    250-this is subdir ...

Example 3.2.6. Showing each connection as a separate process
Normally we only see a single process named vsftpd running. If readers want each connection to show up as a process of its own, follow these steps.
Step 1. Modify /etc/vsftpd/vsftpd.conf and add the following line at the bottom:

    setproctitle_enable=YES

Step 2. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Now the ps -ef command shows the state of each user's connection, as below:

    [root@home vsftpd]# ps -ef | grep ftp
    root      2090     1  0 16:41 pts/0    00:00:00 vsftpd: LISTENER
    nobody    2120  2090  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244: connection
    test1     2122  2120  0 17:18 ?        00:00:00 vsftpd: 192.168.10.244/test1: IDLE
    nobody    2124  2090  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244: connection
    test2     2126  2124  0 17:19 ?        00:00:00 vsftpd: 192.168.10.244/test2: IDLE
    root      2129  1343  0 17:20 pts/0    00:00:00 grep ftp
    [root@home vsftpd]#

Example 3.2.7. Limiting transfer speed: local users may use at most 200 kBytes/s, anonymous logins at most 50 kBytes/s

Step 1. Add the following two lines at the bottom of /etc/vsftpd/vsftpd.conf:

    anon_max_rate=50000
    local_max_rate=200000

Step 2. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

The unit here is bytes/s. anon_max_rate limits anonymous logins, local_max_rate limits local users. vsftpd's rate limiting is not exact: the actual speed lies between 80% and 120% of the limit, so with a limit of 100 kBytes/s the real speed may be anywhere from 80 kBytes/s to 120 kBytes/s; and of course if the link itself is slower than the limit, the speed will be lower still.

Example 3.2.8. Different speeds for different users: suppose test1 may use at most 250 kBytes/s and test2 at most 500 kBytes/s.
Step 1. Add the following line to /etc/vsftpd/vsftpd.conf:

    user_config_dir=/etc/vsftpd/userconf

Step 2. Create the directory /etc/vsftpd/userconf:

    mkdir /etc/vsftpd/userconf

Step 3. Under /etc/vsftpd/userconf, add a file named test1 containing the line:

    local_max_rate=250000

Step 4. Under /etc/vsftpd/userconf, add a file named test2 containing the line:

    local_max_rate=500000

Step 5. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Example 3.2.9-1. Running an FTP server behind a firewall in PORT FTP mode, with the default FTP port 21 and FTP data port 20
After starting vsftpd, run the following two commands: only port 21 and port 20 are then open, everything else is closed.

    iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Example 3.2.9-2. Running an FTP server behind a firewall in PORT FTP mode, with FTP port 2121 and FTP data port 2020
Step 1. Run the following two commands: only port 2121 and port 2020 are then open, everything else is closed.

    iptables -A INPUT -p tcp -m multiport --dports 2121,2020 -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Step 2. Add the following two lines to /etc/vsftpd/vsftpd.conf:

    listen_port=2121
    ftp_data_port=2020

Step 3. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Note that in the two firewall examples above the FTP client (CuteFTP, for instance) must not be set to passive mode, otherwise the data connection cannot be established: readers will be able to connect to the FTP server, but commands such as ls and get will not work.

Example 3.2.10. Running an FTP server behind a firewall in PASV FTP mode, with FTP port 2121 and FTP data ports 9981 to 9986
Step 1. Run the following two commands: only port 2121 and ports 9981-9990 are then open, everything else is closed.
    iptables -A INPUT -p tcp -m multiport --dports 2121,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Step 2. Add the following four lines to /etc/vsftpd/vsftpd.conf:

    listen_port=2121
    pasv_enable=YES
    pasv_min_port=9981
    pasv_max_port=9986

Step 3. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Be careful: in this example the FTP client (CuteFTP, for instance) must be set to passive mode, otherwise the data connection cannot be established: readers will be able to connect to the FTP server, but commands such as ls and get will not work.

Example 3.2.11. Combining vsftpd with TCP wrappers
If readers want to define the source addresses that are allowed or refused directly in /etc/hosts.allow, follow these steps. This is a simple firewall setting.

Step 1. Confirm the tcp_wrappers setting in /etc/vsftpd/vsftpd.conf, as below. This is the Red Hat 9 default and normally needs no change.

    tcp_wrappers=YES

Step 2. Restart vsftpd:

    [root@home vsftpd]# /sbin/service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]

Step 3. Edit /etc/hosts.allow. For example, to allow connections from 111.22.33.4 and from 10.1.1.1 to 10.1.1.254, write:

    vsftpd: 111.22.33.4 10.1.1. : allow
    ALL: ALL : deny

Example 3.2.12. Putting vsftpd under xinetd
If readers want vsftpd to run under xinetd, as in the default setup of Red Hat 7.x, follow these steps.
Step 1. In /etc/vsftpd/vsftpd.conf change listen=YES to listen=NO.

Step 2. Create the file /etc/xinetd.d/vsftpd with the following content:

    service vsftpd
    {
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        port            = 21
        log_on_success  = PID HOST DURATION
        log_on_failure  = HOST
    }

Step 3. Restart xinetd:

    [root@home vsftpd]# /sbin/service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]

3.2.3 Settings

Settings that the examples left out can be found here, such as the total number of connections, the number of connections from the same address, the file owner name that is displayed, and so on. I hope that after reading this, readers can choose the settings that suit them best.

The format of vsftpd.conf is very simple: each line is one setting. Blank lines and lines beginning with # are ignored. Every setting has the single form

    option=value

Note that there must be no spaces on either side of the equals sign, otherwise the setting is invalid.

=== ASCII settings ===
ascii_download_enable
    Controls whether downloads in ASCII mode are allowed. Default NO.
ascii_upload_enable
    Controls whether uploads in ASCII mode are allowed. Default NO.

=== Individual user settings ===
chroot_list_enable
    If enabled, local users may change to any directory (they are not confined to their home directory), except for the users listed in /etc/vsftpd.chroot_list, who are confined to their home. Default NO.
userlist_enable
    Usage: YES/NO. If enabled, the user names in /etc/vsftpd.user_list are read, and a user on the list can be refused before being asked for a password, so that the password is never transmitted. Default off.
userlist_deny
    Usage: YES/NO. Only checked when userlist_enable is on. If YES, the users in /etc/vsftpd.user_list cannot log in; if NO, only the users in /etc/vsftpd.user_list can log in.
    As with userlist_enable, the error message is given before the password is asked for, so the password is not transmitted.
user_config_dir
    Defines the directory holding per-user configuration files. For example, with user_config_dir=/etc/vsftpd/userconf and users test1 and test2 on the host, we can add files named test1 and test2 in that directory; when such a user logs in, the settings in his file are read. Default: none.

=== Welcome message settings ===
dirmessage_enable
    If enabled, when a user enters a directory vsftpd checks whether it contains a .message file and, if so, displays it. The file usually holds a welcome message or a description of the directory. Default on.
banner_file
    The content of this file is shown when a user logs in, usually a welcome message or a description. Default: none.
ftpd_banner
    Defines a welcome string. Compared with banner_file, which is a file, ftpd_banner is a plain string. Default: none.

=== Special security settings ===
chroot_local_user
    If set to YES, all local users are confined to their home directory, which becomes their root directory. Default NO.
hide_ids
    If enabled, all files are shown as owned by user and group ftp: when a logged-in user runs ls -al, every file's owner is ftp. Default off.
ls_recurse_enable
    If enabled, logged-in users may use the ls -R command. Default NO.
write_enable
    Usage: YES/NO. Controls whether FTP commands that change the file system are allowed: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. Default off.
setproctitle_enable
    Usage: YES/NO. If enabled, vsftpd shows the state of every connection in its process titles; in other words, ps -ef shows who is connected. Default off.
tcp_wrappers
    Usage: YES/NO. If enabled, vsftpd is combined with TCP wrappers, so the source addresses that may or may not connect can be defined in /etc/hosts.allow and /etc/hosts.deny.
pam_service_name
    Defines the PAM service name vsftpd uses. Default vsftpd.
secure_chroot_dir
    This option must name an empty directory that no logged-in user can write to. vsftpd confines itself to this directory at times when it does not need file system access.
    Default /usr/share/empty.

=== Log file settings ===
xferlog_enable
    Usage: YES/NO. If enabled, uploads and downloads are fully recorded in the file defined by xferlog_file. Default on.
xferlog_file
    Sets the location of the log file. Default /var/log/vsftpd.log.
xferlog_std_format
    If enabled, the log file is written in the standard xferlog format, as wu-ftpd does. Default off.

=== Timeout settings ===
accept_timeout
    Timeout, in seconds, for a PASV-mode data connection to be accepted. Default 60.
connect_timeout
    Timeout, in seconds, for a PORT-mode data connection to respond. Default 60.
data_connection_timeout
    Timeout for establishing a data connection. Default 300 seconds.
idle_session_timeout
    Idle timeout: if no data or command is transferred for longer than this, the connection is forcibly closed. Unit seconds. Default 300.

=== Rate limits ===
anon_max_rate
    Maximum transfer speed for anonymous users, in bytes per second; 0 means unlimited. Default 0.
local_max_rate
    Maximum transfer speed for local users, in bytes per second; 0 means unlimited. Default 0.

=== Permissions for new files ===
anon_umask
    umask value for files created by anonymous users. Default 077.
file_open_mode
    Permissions for uploaded files, using the same values as chmod. Default 0666.
local_umask
    umask value for files created by local users. Default 077.
=== Port settings ===
connect_from_port_20
    Whether the server makes PORT-mode data connections from port 20. Default YES.
ftp_data_port
    Sets the port used for FTP data. Default 20.
listen_port
    The port the FTP server listens on. Default 21.
pasv_max_port
    Upper bound of the port range that may be used for data connections; 0 means any. Default 0.
pasv_min_port
    Lower bound of the port range that may be used for data connections; 0 means any. Default 0.

=== Other ===
[option name lost from the source]
    Default: none.
local_enable
    Usage: YES/NO. Allows local users to log in. Default YES.
local_root
    After a local user logs in, he is placed in the directory defined here. Default: none.
text_userdb_names
    Usage: YES/NO. When a logged-in user lists files, by default the owner's UID is shown rather than the owner's name. Enable this if you want the owner's name. Default NO.
pasv_enable
    If set to NO, data connections in PASV mode are not allowed. Default on.

=== Changing file ownership ===
chown_uploads
    If enabled, files uploaded by anonymous users are changed to be owned by the user defined in chown_username. This option is useful for security and administration. Default NO.
chown_username
    Defines the user who becomes the owner of files uploaded by anonymous logins when chown_uploads is on. Default root.
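The firewall examples 3.2.9-1, 3.2.9-2 and 3.2.10 and the port settings above fit together in one script. The following is an added example, not code from the original article: it generates the iptables rules from the port numbers instead of typing them by hand, and it checks that the pasv_min_port/pasv_max_port range in vsftpd.conf lies inside the range the firewall accepts, which is exactly what goes wrong when passive-mode clients can log in but ls and get hang. The rules are only printed, never applied, and the vsftpd.conf used at the bottom is a constructed sample written to a temporary file, not the live /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original article). Generates the INPUT rules of
# examples 3.2.9/3.2.10 from port numbers and checks that the PASV range in a
# vsftpd.conf fits inside the range the firewall opens. Nothing here is applied
# to the system; review the printed rules and run them as root yourself.

# PORT mode (3.2.9): accept the control port and the data port, reject the rest.
ftp_port_mode_rules() {
    ctl=$1; data=$2
    echo "iptables -A INPUT -p tcp -m multiport --dports ${ctl},${data} -j ACCEPT"
    echo "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
}

# PASV mode (3.2.10): accept the control port and the whole passive range.
# A port range (lo:hi) stands in for the list of eleven individual ports.
ftp_pasv_mode_rules() {
    ctl=$1; lo=$2; hi=$3
    echo "iptables -A INPUT -p tcp --dport ${ctl} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${lo}:${hi} -j ACCEPT"
    echo "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
}

# Value of a key in a vsftpd.conf-style file (last occurrence wins), or a default.
conf_value() {
    v=$(sed -n "s/^${2}=//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# Return 0 when every port vsftpd may hand out in PASV mode lies inside the
# range the firewall accepts (open_lo..open_hi); otherwise say why and return 1.
pasv_fits_firewall() {
    conf=$1; open_lo=$2; open_hi=$3
    if [ "$(conf_value "$conf" pasv_enable YES)" = NO ]; then
        echo "pasv_enable=NO: passive-mode clients cannot open a data connection"
        return 1
    fi
    lo=$(conf_value "$conf" pasv_min_port 0)
    hi=$(conf_value "$conf" pasv_max_port 0)
    if [ "$lo" -eq 0 ] || [ "$hi" -eq 0 ]; then
        echo "pasv_min_port/pasv_max_port unset: vsftpd may pick any port, most of which the firewall rejects"
        return 1
    fi
    if [ "$lo" -lt "$open_lo" ] || [ "$hi" -gt "$open_hi" ]; then
        echo "PASV range ${lo}-${hi} is not inside the opened range ${open_lo}-${open_hi}"
        return 1
    fi
    echo "PASV range ${lo}-${hi} is inside the opened range ${open_lo}-${open_hi}"
}

# Demonstration with a constructed vsftpd.conf matching example 3.2.10.
demo=$(mktemp)
printf 'listen_port=2121\npasv_enable=YES\npasv_min_port=9981\npasv_max_port=9986\n' > "$demo"
ftp_port_mode_rules 21 20                                   # example 3.2.9-1
ftp_port_mode_rules 2121 2020                               # example 3.2.9-2
ftp_pasv_mode_rules "$(conf_value "$demo" listen_port 21)" 9981 9990   # example 3.2.10
pasv_fits_firewall "$demo" 9981 9990                        # 9981-9986 fits inside 9981-9990
printf 'pasv_max_port=9996\n' >> "$demo"                    # widen the range past the firewall
pasv_fits_firewall "$demo" 9981 9990 || echo "(fix the firewall rule or pasv_max_port)"
rm -f "$demo"
```

Keep in mind what the article's second rule does: it rejects every other TCP service on the host, ssh included, so add the rules for the services you still need before it.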
=== Guest settings ===
guest_enable
    Usage: YES/NO. If enabled, all non-anonymous logins are treated as guests. Default off.
guest_username
    Defines the user name used for guests. Default ftp.
=== Anonymous settings ===
anonymous_enable
    Whether anonymous login is allowed. Default YES.
no_anon_password
    If enabled, anonymous logins are not asked for a password. Default NO.
anon_mkdir_write_enable
    Usage: YES/NO. If YES, anonymous logins may create directories; of course the anonymous user must have write permission on the parent directory. Default NO.
anon_other_write_enable
    Usage: YES/NO. If YES, anonymous logins get write permissions beyond uploading and creating directories, such as deleting and renaming. Default NO.
anon_upload_enable
    Usage: YES/NO. If YES, anonymous logins may upload files into directories where they have permission; of course the anonymous user must have write permission on the directory. Default NO.
anon_world_readable_only
    Usage: YES/NO. If YES, anonymous logins may only download world-readable files. Default YES.
ftp_username
    Defines the user name for anonymous logins. Default ftp.
deny_email_enable
    If enabled, you must provide the file /etc/vsftpd.banned_emails, a list of e-mail addresses. Anonymous logins are asked for an e-mail address; if the address given is in that file, the login is refused. Default NO.

=== Standalone options ===
listen
    Usage: YES/NO. If enabled, vsftpd runs as an independent (standalone) daemon. If vsftpd runs standalone, as it does by default on Red Hat 9, this must be on; if vsftpd runs under xinetd, as on Red Hat 8, it must be off. The Red Hat 9 default is YES.
listen_address
    In standalone mode, defines the IP address on which the service is provided. If the host has only one IP address this option is not needed; if it has several, it defines on which address the FTP service is offered. If unset, the service is provided on all IP addresses. Default: none.
max_clients
    In standalone mode, defines the maximum total number of clients; beyond this number connections are refused. 0 means no limit. Default 0.
max_per_ip
    In standalone mode, defines the number of connections allowed from each IP address.
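Nearly every example in 3.2.2 is "add a line to /etc/vsftpd/vsftpd.conf, restart", and 3.2.3 warns that a space on either side of the equals sign makes the line invalid. The following is an added example, not code from the original article: a small set of shell helpers that edits a vsftpd.conf-style file in place without ever producing a malformed line (uncommenting a line such as #chroot_list_enable=YES or repairing a "key = value" line instead of appending a duplicate), checks the option=value rule before a restart, and flags the combinations the settings reference singles out: anonymous logins left on, anonymous write permissions, and local users not confined by chroot_local_user or chroot_list_enable. The defaults assumed when a key is absent are the ones stated in the reference above; the file edited at the bottom is a constructed sample in a temporary file, not the live configuration.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the "edit
# vsftpd.conf, add a line" steps above, a format check for the option=value
# rule, and a check for the security-relevant settings in the reference.
# Runs on a constructed copy (see bottom), never on /etc/vsftpd/vsftpd.conf.

# Set key=value in a vsftpd.conf-style file. An existing line for the key,
# even one commented out or written "key = value", is replaced in place;
# otherwise the line is appended. Output never has spaces around '='.
vsftpd_set_opt() {
    conf=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed "s|^#*[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the value of a key (last occurrence wins), or a default if unset.
vsftpd_get_opt() {
    v=$(sed -n "s/^${2}=//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# Report every line that is neither blank, a comment, nor strict option=value
# with no whitespace around '='. Returns 1 if any such line exists, since
# vsftpd rejects those lines at startup.
vsftpd_conf_lint() {
    bad=$(grep -n -v -E '^[[:space:]]*(#|$)' "$1" \
          | grep -v -E '^[0-9]+:[a-z0-9_]+=([^[:space:]].*)?$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed line(s) in %s:\n%s\n' "$1" "$bad"
        return 1
    fi
}

# One warning line per risky setting, using the defaults from the reference
# above when a key is absent. The caller counts the lines.
vsftpd_risk_check() {
    conf=$1
    if [ "$(vsftpd_get_opt "$conf" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable=YES: anonymous logins are accepted (example 3.2.4 turns them off)"
        if [ "$(vsftpd_get_opt "$conf" anon_upload_enable NO)" = YES ] \
           || [ "$(vsftpd_get_opt "$conf" anon_mkdir_write_enable NO)" = YES ] \
           || [ "$(vsftpd_get_opt "$conf" anon_other_write_enable NO)" = YES ]; then
            echo "anonymous users have write access (anon_upload/anon_mkdir_write/anon_other_write_enable=YES)"
        fi
        if [ "$(vsftpd_get_opt "$conf" anon_world_readable_only YES)" = NO ]; then
            echo "anon_world_readable_only=NO: anonymous users may download files that are not world-readable"
        fi
    fi
    if [ "$(vsftpd_get_opt "$conf" local_enable YES)" = YES ] \
       && [ "$(vsftpd_get_opt "$conf" chroot_local_user NO)" = NO ] \
       && [ "$(vsftpd_get_opt "$conf" chroot_list_enable NO)" = NO ]; then
        echo "local users are not confined to their home directory (see chroot_local_user, chroot_list_enable, example 3.2.3)"
    fi
    return 0
}

# Demonstration on a constructed sample file (not a real host's configuration).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_list_enable=YES
listen_port = 2121
EOF
vsftpd_conf_lint "$demo_conf" || echo "(vsftpd would refuse to start on this file)"
vsftpd_risk_check "$demo_conf"
vsftpd_set_opt "$demo_conf" listen_port 2121                     # repairs the malformed line (example 3.2.2)
vsftpd_set_opt "$demo_conf" anonymous_enable NO                  # example 3.2.4
vsftpd_set_opt "$demo_conf" chroot_list_enable YES               # uncomments the line (example 3.2.3)
vsftpd_set_opt "$demo_conf" user_config_dir /etc/vsftpd/userconf # example 3.2.8, step 1
vsftpd_conf_lint "$demo_conf" && echo "format ok after edits"
vsftpd_risk_check "$demo_conf"
rm -f "$demo_conf"
```

The same vsftpd_set_opt works for the per-user files of example 3.2.8 (for instance vsftpd_set_opt /etc/vsftpd/userconf/test1 local_max_rate 250000), and running vsftpd_conf_lint before every service vsftpd restart catches the "key = value" mistake before the daemon refuses to come back up.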