Building an FTP server with vsftpd on an Aliyun CentOS server
- 2020-05-12 06:38:00
- OfStack
Recently, we needed to set up an FTP server on an Aliyun cloud server. In this blog post, we share the configuration we made to meet our actual requirements.
The FTP server uses vsftpd.
vsftpd is one of the most popular FTP server programs on Linux distributions. It is small, lightweight, secure and easy to use.
The name vsftpd stands for "very secure FTP daemon", and security was a top priority for its developer, Chris Evans. High security was a goal from the very beginning of the server's design and development.
Preparation
Install vsftpd
yum install vsftpd
Enable the vsftpd service so that it starts at boot
chkconfig vsftpd on
Open the vsftpd configuration file
vi /etc/vsftpd/vsftpd.conf
Requirements and configuration
1. Do not allow anonymous access
anonymous_enable=NO
2. Login verification for FTP users using a local account
2.1 Allow FTP user login verification using a local account
local_enable=YES
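2.2 Create a local account for the FTP login
Add the user ftpuser with the home directory /home/ftp and the shell /sbin/nologin, which disables SSH access. The -p option of useradd expects an already encrypted password rather than plain text, so set the password separately with passwd.
useradd -d /home/ftp -g ftp -s /sbin/nologin ftpuser
passwd ftpuser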
This command is referenced from the CentOS 6.2 ftp configuration.
useradd command reference documentation: useradd for Linux
2.3 Only the newly created ftpuser is allowed to log in to FTP
vi /etc/vsftpd/vsftpd.conf
userlist_enable=YES
userlist_deny=NO
vi /etc/vsftpd/user_list
Comment out all existing accounts and add ftpuser
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#root
#bin
#daemon
#adm
#lp
#sync
#shutdown
#halt
#mail
#news
#uucp
#operator
#games
#nobody
ftpuser
Once configured, you can log in remotely and upload files with an FTP client; the files are saved in the home directory of ftpuser, which is /home/ftp.
3. FTP downloads are not allowed
vi /etc/vsftpd/vsftpd.conf
download_enable=NO
4. Only the specified IP is allowed to connect
4.1 Install tcp_wrappers
yum -y install tcp_wrappers
4.2 Check that tcp_wrappers is set to YES
vi /etc/vsftpd/vsftpd.conf
tcp_wrappers=YES
4.3 Add the allowed IP
vi /etc/hosts.allow
vsftpd: allowed IP address
4.4 Reject all other IPs
vi /etc/hosts.deny
vsftpd:ALL
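One way to verify requirements 1 to 4 after editing, as an added example that is not part of the original post: a small shell audit of vsftpd.conf and user_list against the values set above. The helper names conf_get and audit_vsftpd are hypothetical, the sample files are constructed, and the sketch assumes the last occurrence of a directive is the effective one.

```shell
#!/bin/sh
# Added example: audit vsftpd settings against the values this post configures.
# conf_get and audit_vsftpd are hypothetical helper names, not vsftpd tools.

# Print the value of KEY ($2) in FILE ($1). Directives have the form
# option=value with no spaces; assumption: the last occurrence wins.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one FAIL line per problem; return 0 only if everything matches.
audit_vsftpd() {
    conf=$1; userlist=$2; rc=0
    for want in anonymous_enable=NO local_enable=YES userlist_enable=YES \
                userlist_deny=NO download_enable=NO tcp_wrappers=YES; do
        key=${want%%=*}
        got=$(conf_get "$conf" "$key")
        # An unset key fails too: every value required here is the
        # opposite of vsftpd's built-in default.
        if [ "$key=$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', expected ${want#*=}"
            rc=1
        fi
    done
    # Active user_list entries are lines that are neither blank nor comments.
    active=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$userlist" || true)
    extra=$(printf '%s\n' "$active" | grep -vx 'ftpuser' || true)
    printf '%s\n' "$active" | grep -qx 'ftpuser' ||
        { echo "FAIL ftpuser is not listed in user_list"; rc=1; }
    if [ -n "$extra" ]; then
        echo "FAIL user_list also allows:" $extra
        rc=1
    fi
    return $rc
}

# Constructed sample input: userlist_deny was forgotten (so the default YES
# turns user_list into a deny list) and root is still active in user_list.
demo=$(mktemp -d)
printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES \
    download_enable=NO tcp_wrappers=YES > "$demo/vsftpd.conf"
printf '%s\n' '# vsftpd userlist' root '#bin' ftpuser > "$demo/user_list"
audit_vsftpd "$demo/vsftpd.conf" "$demo/user_list" || echo "audit: not compliant"
```

On a real server the call would be audit_vsftpd /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list.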