Installing and configuring vsftpd with virtual-user access on CentOS 6 & 7, including directory permission configuration


Installing and configuring vsftpd virtual-user access on CentOS 6 (guaranteed to work), including directory permission configuration
Step 1: install vsftpd, pam and db4

yum install vsftpd pam* db4* -y

On CentOS 7 only vsftpd needs to be installed:

yum install vsftpd -y

Register vsftpd as a system service with:

chkconfig vsftpd on

Step 2: create the host user for the vsftpd service

useradd vsftpdadmin -s /sbin/nologin

This vsftpdadmin user only stands in for root; it does not need to log in.
Step 3: create the host account for the FTP virtual users

useradd ftpuser -s /sbin/nologin

This ftpuser is only the host (owner) of the virtual accounts and does not itself log in.
// If you use the system's default ftp user you can skip this step
Step 4: configure vsftpd.conf
It is best to back up the configuration before changing it:

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bakup
vim /etc/vsftpd/vsftpd.conf

The full configuration file:


# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Do not allow anonymous access
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# Allow local users to log in. Note: when using a virtual host user, setting this to NO makes every virtual user unable to log in.
# Note: with SELinux enabled, run setsebool -P ftp_home_dir 1 to allow home directory access
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Allow writes
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# New directories get mode 755 and new files 644
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Enable directory messages
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# Enable logging
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Use port 20 for data connections
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
# Log file path
xferlog_file=/var/log/xferlog
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# Path of the vsftpd service log
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# Support asynchronous ABOR
async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# ASCII mode support
ascii_upload_enable=NO
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# Keep local users from leaving their FTP home directory
chroot_local_user=YES
# Users cannot leave the home directory
chroot_list_enable=NO
# (default follows)
# List of users locked to their home directory
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO

# PAM service name. PAM authenticates against /etc/pam.d/vsftpd
pam_service_name=vsftpd
# User list: local users cannot log in, only virtual users can
userlist_enable=YES
# Restrict which hosts may access the vsftpd server
tcp_wrappers=YES

# Custom settings
# Only users listed in the file may log in to the FTP server
userlist_deny=NO
# User list
userlist_file=/etc/vsftpd/chroot_list
# Enable virtual users
guest_enable=YES
# Host user for the virtual users; if you followed the steps above, set guest_username=ftpuser
guest_username=ftpuser
# Give virtual users the same privileges as their host user
virtual_use_local_privs=YES
# Directory holding each virtual user's own vsftpd configuration file
user_config_dir=/etc/vsftpd/vuser_conf/users
# Enable PASV mode
pasv_enable=YES
# Lowest PASV port
pasv_min_port=40000
# Highest PASV port
pasv_max_port=40080
pasv_promiscuous=YES
# Change the FTP port to 10021
listen_port=10021
allow_writeable_chroot=YES

:wq to save

Explanation: chroot_local_user=YES confines all users to their home directories. chroot_list_enable=YES means chroot_list_file is in effect, and because chroot_local_user=YES already confines everyone, chroot_list_file, which always acts as the exception list, then lists the users who are NOT confined to their home directory.
In other words, the chroot_list file works in whitelist mode.
For a detailed discussion of chroot_local_user and chroot_list_enable see:
vsftpd configuration: chroot_local_user and chroot_list_enable explained

Step 5: create the log file
// log file

touch /var/log/vsftpd.log

// owned by the host user vsftpdadmin

chown vsftpdadmin.vsftpdadmin /var/log/vsftpd.log

Step 6: create the virtual user files

mkdir /etc/vsftpd/vuser_conf
mkdir /etc/vsftpd/vuser_conf/passwdb/
touch /etc/vsftpd/vuser_conf/passwdb/user_passwd.txt

Step 7: create the virtual users

vim /etc/vsftpd/vuser_conf/passwdb/user_passwd.txt
Pandausr // username
12345678 // password

Note: the first line is a username and the second line is the password for the username on the line above; further users follow the same pattern.

vim /etc/vsftpd/chroot_list
# Add the accounts that should be locked into their home directory, one per line, then save
Pandausr // username

Step 8: generate the database

db_load -T -t hash -f /etc/vsftpd/vuser_conf/passwdb/user_passwd.txt /etc/vsftpd/vuser_conf/passwdb/user_passwd.db

Note: regenerate the database every time you add or remove a user, otherwise logins will fail.
// back up the old database

mv /etc/vsftpd/vuser_conf/passwdb/user_passwd.db /etc/vsftpd/vuser_conf/passwdb/user_passwd.db.bak

// regenerate the database

db_load -T -t hash -f /etc/vsftpd/vuser_conf/passwdb/user_passwd.txt /etc/vsftpd/vuser_conf/passwdb/user_passwd.db

Step 9: set the permissions of the database files

chmod 600 /etc/vsftpd/vuser_conf/passwdb/user_passwd.db
chmod 600 /etc/vsftpd/vuser_conf/passwdb/user_passwd.txt
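Steps 7 to 9 are easy to get wrong: an odd number of lines in user_passwd.txt, a duplicated name, a user with no file in user_config_dir, or a database left readable by everyone. The script below is an added example, not part of the original post: it validates the text file, warns about users lacking a per-user configuration file, then rebuilds and locks down the database with the same db_load and chmod commands as above. Paths are the ones used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the vsftpd virtual
# user text file, then rebuild the Berkeley DB as steps 8 and 9 do.
PASSWD_TXT=/etc/vsftpd/vuser_conf/passwdb/user_passwd.txt
PASSWD_DB=/etc/vsftpd/vuser_conf/passwdb/user_passwd.db
USER_CONF_DIR=/etc/vsftpd/vuser_conf/users

# check_passwd_file FILE: lines alternate username, password, so the count
# must be even, with no blank lines (an empty password would be accepted)
# and no duplicate user names. Prints the user names; returns 1 on a problem.
check_passwd_file() {
    f=$1
    lines=$(awk 'END { print NR }' "$f")
    [ "$lines" -gt 0 ] || { echo "$f: empty" >&2; return 1; }
    [ $((lines % 2)) -eq 0 ] || { echo "$f: odd line count, a user has no password" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line found (empty user or password)" >&2
        return 1
    fi
    users=$(awk 'NR % 2 == 1' "$f")
    dups=$(printf '%s\n' "$users" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$f: duplicate user(s): $dups" >&2
        return 1
    fi
    printf '%s\n' "$users"
}

# missing_user_configs "USER ..." DIR: print users with no file in
# user_config_dir; such a user silently gets the global settings instead
# of its own local_root and limits.
missing_user_configs() {
    for u in $1; do
        [ -f "$2/$u" ] || echo "$u"
    done
}

# rebuild_db: back up the old DB, regenerate it and restrict both files to
# root only, since the text file holds plaintext passwords.
rebuild_db() {
    users=$(check_passwd_file "$PASSWD_TXT") || return 1
    missing=$(missing_user_configs "$users" "$USER_CONF_DIR")
    [ -z "$missing" ] || echo "warning: no per-user config for: $missing" >&2
    [ ! -f "$PASSWD_DB" ] || mv "$PASSWD_DB" "$PASSWD_DB.bak"
    db_load -T -t hash -f "$PASSWD_TXT" "$PASSWD_DB" || return 1
    chmod 600 "$PASSWD_TXT" "$PASSWD_DB"
}
```

Source the file and run rebuild_db as root after every change to user_passwd.txt.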

Step 10: edit /etc/pam.d/vsftpd

vim /etc/pam.d/vsftpd

// add the following immediately below %PAM-1.0

#%PAM-1.0
auth sufficient pam_userdb.so db=/etc/vsftpd/vuser_conf/passwdb/user_passwd
account sufficient pam_userdb.so db=/etc/vsftpd/vuser_conf/passwdb/user_passwd

The two lines above are added by hand; they verify the virtual users' credentials and account permissions.
auth here means verifying the user's username and password.
account here means verifying which permissions and restrictions the user's account has.
The following sufficient means a sufficient condition: once verification passes here, the remaining verification steps below are skipped. Conversely, if it does not pass, the user is not immediately rejected, because a failed sufficient rule does not by itself fail the whole verification; the user still has to go through the remaining checks.
pam_userdb.so next means that this check is carried out by calling the pam_userdb.so module.
Finally, db=/etc/vsftpd/vconf/vuser_passwd tells the module which database to read for verification.

session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth

Step 11: create the per-user configuration file
Note: the configuration file name must match the name of the virtual user you created

mkdir /etc/vsftpd/vuser_conf/users
touch /etc/vsftpd/vuser_conf/users/Pandausr
vim /etc/vsftpd/vuser_conf/users/Pandausr

Enter:

# The virtual user's home directory; the host user ftpuser must be able to read and write it.
local_root=/home/share
anonymous_enable=NO
# For a site installed with the LNMP one-click installer, to give the website FTP access
#guest_username=www
guest_username=ftpuser
write_enable=YES
# umask applied to files created by local users
local_umask=022
# umask applied to files created by guest (virtual) users
anon_umask=022
# mode used when creating uploaded files
file_open_mode=0644
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
idle_session_timeout=600
data_connection_timeout=300
max_clients=10
max_per_ip=5
# Maximum transfer rate for local users, in bytes/s; I set 10M
local_max_rate=1048576

Note: /home/share should have permission 755. After pasting, check that no characters were lost from the first and last lines; if some are missing you will get errors later.
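The configuration above makes /home/share the chroot root, leaves it writable by the host user, and relies on allow_writeable_chroot=YES to silence vsftpd's "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" check listed under the common errors below. A layout that keeps that protection is a root-owned, non-writable chroot root with a writable upload subdirectory. The following added example (not from the original post) checks a directory for that property from owner and mode bits; it assumes GNU stat and that the guest user belongs to no additional groups, so group write bits are ignored.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a virtual
# user's chroot root (local_root) is writable by the guest user, which is the
# condition that makes vsftpd refuse the session unless allow_writeable_chroot
# is set. Uses GNU stat; group write bits are ignored (assumption: the guest
# user ftpuser has no additional group memberships).

# dir_writable_by DIR USER: status 0 if USER may write DIR, judged from the
# owner and the owner/other write bits.
dir_writable_by() {
    owner=$(stat -c '%U' "$1")
    mode=$(stat -c '%a' "$1" | sed 's/^0*//')   # e.g. 755 or 1777
    user_bits=$(( mode / 100 % 10 ))
    other_bits=$(( mode % 10 ))
    if [ "$owner" = "$2" ] && [ $((user_bits & 2)) -ne 0 ]; then
        return 0
    fi
    [ $((other_bits & 2)) -ne 0 ]
}

# check_chroot_layout ROOT GUEST: the chroot root must not be writable by
# GUEST, while ROOT/upload must exist and be writable by GUEST.
check_chroot_layout() {
    if dir_writable_by "$1" "$2"; then
        echo "$1 is writable by $2: vsftpd will refuse the login" >&2
        return 1
    fi
    if [ ! -d "$1/upload" ] || ! dir_writable_by "$1/upload" "$2"; then
        echo "$1/upload missing or not writable by $2: uploads will fail" >&2
        return 1
    fi
}

# make_chroot_layout ROOT GUEST: create that layout (run as root), e.g.
# make_chroot_layout /home/share ftpuser
make_chroot_layout() {
    mkdir -p "$1/upload"
    chown root:root "$1" && chmod 755 "$1"
    chown "$2" "$1/upload" && chmod 755 "$1/upload"
}
```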

Appendix: common errors

  • Error: 500 OOPS: vsftpd: refusing to run with writable root inside chroot () Solution:

Run in a terminal:

chmod a-w /home/share

Or add the following as the last line of /etc/vsftpd/vsftpd.conf:

allow_writeable_chroot=YES

  • Error: 500 OOPS: cannot change directory:/ Solution:

Run in a terminal:

setsebool ftp_home_dir 1 // this boolean no longer exists from CentOS 7.2 on
service vsftpd restart

  • Error: 530 Permission denied.

Add the ftp user to /etc/vsftpd/chroot_list,
and check whether /home contains a directory named after the host user.

  • Error: 500 OOPS: unrecognised variable in config file: cal_root

This is the problem mentioned above: characters were lost while copying. Open the file with vim /etc/vsftpd/vconf/Pandausr and compare it with the listing above; usually the first two characters are missing. If that does not help, check that the directory exists, because a missing directory produces the same error. If you run into other errors, raise them in the comments below.

  • centos6.5 vsftp 500 OOPS: cannot change directory:/home/ftp

CentOS 6.5 belongs to the RH family. I had installed and configured vsftpd and thought I was done, but the client reported the following error: 500 OOPS: cannot change directory:/home/ftp. The cause is that the CentOS system has SELinux installed, and since FTP support is not enabled by default, access was blocked.
// check the SELinux settings

getsebool -a |grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

Solution:
// enable them with setsebool
// turn on the booleans that are off, as needed
// with the -P parameter the change persists, so the command need not be repeated at every boot

setsebool -P ftp_home_dir 1
setsebool -P allow_ftpd_full_access 1
setsebool -P ftpd_use_passive_mode 1

// check again that the state is now on

getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on // now on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> on
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

SELinux configuration on CentOS 7

setsebool -P ftp_home_dir 1 // this boolean no longer exists from CentOS 7.2 on
setsebool -P ftpd_full_access 1
setsebool -P ftpd_use_passive_mode 1
getsebool -a|grep ftp
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> on
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
service vsftpd restart

SELinux configuration
To disable SELinux, or set it to warn only (permissive), enforce, and so on, edit /etc/sysconfig/selinux. The default is enforcing.

vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# To disable SELinux, replace enforcing with disabled
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Temporarily disable SELinux:

setenforce 0

Personally, I recommend not disabling SELinux.

CentOS 7 firewall settings

vim /lib/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="20"/>
<!-- <port protocol="tcp" port="20"/> -->
<port protocol="tcp" port="10021"/>
<port protocol="tcp" port="40000"/>
<module name="nf_conntrack_ftp"/>
</service>

firewall-cmd --rel
firewall-cmd --permanent --add-service=ftp 
