The most detailed vsftpd configuration file ever

  • 2020-05-15 03:15:38
  • OfStack

vsftpd is a security-focused FTP server with a great many options. Below is a list of vsftpd's files, all of which revolve around the vsftpd.conf configuration file, followed by a complete, annotated description of vsftpd.conf (originally written in Chinese). Working through this article will give you a feel for the vsftpd configuration file; the specific configuration for each deployment still has to be worked out case by case.

Configuration files for vsftpd

/etc/vsftpd/vsftpd.conf
    The main configuration file.

/usr/sbin/vsftpd
    The vsftpd main program.

/etc/rc.d/init.d/vsftpd
    The startup script.

/etc/pam.d/vsftpd
    The PAM authentication file. Its file=/etc/vsftpd/ftpusers field states that the users to be blocked come from the file /etc/vsftpd/ftpusers.

/etc/vsftpd/ftpusers
    The list of users forbidden to use vsftpd. It records the user names that may not access the FTP server; an administrator can add accounts that pose a threat to system security here, so that such users cannot log in over FTP, obtain rights beyond uploading and downloading, and damage the system. (Note: on linux-4 this file lives in /etc/.)

/etc/vsftpd/user_list
    The list of users forbidden or allowed to use vsftpd. By default (userlist_deny=YES in /etc/vsftpd/vsftpd.conf) the users named in this file cannot access the FTP server either; with userlist_deny=NO, only the users named in user_list may access the FTP server. (Note: on linux-4 this file lives in /etc/.)

/var/ftp
    The anonymous user's home directory. A local user's home directory is /home/<user>, i.e. after login a local user enters their own home directory.

/var/ftp/pub
    The anonymous download directory. It must be given the permissions chmod 1777 pub (the leading 1 is the sticky bit, so uploaded files cannot be deleted by other users).

/etc/logrotate.d/vsftpd.log
    vsftpd's log file (its logrotate configuration).

The main vsftpd configuration file, /etc/vsftpd/vsftpd.conf (back it up before modifying it)

Like most configuration files on a Linux system, the vsftpd configuration file uses # to begin a comment.


# Whether anonymous logins are allowed. YES allows them:
# clients can log in with the user name ftp or anonymous, giving an e-mail address as the password.
# Set to NO to refuse anonymous access.
anonymous_enable=YES
# Whether local users (accounts of the Linux system) may log in. YES allows them.
# A local user lands in their home directory; an anonymous user lands in the anonymous download directory /var/ftp/pub.
# To allow anonymous users only, comment this line out with a leading # to block local user access to the server.
local_enable=YES
# Whether local users get write permission on the server's files. YES allows writing.
write_enable=YES
# Umask for files created by local users; the default is 077.
# It can be set to the more common 022, or to any other value you prefer.
#local_umask=022
# Whether anonymous users may upload files; this also requires the global write_enable=YES.
# (Disabled unless explicitly enabled.)
#anon_upload_enable=YES
# Whether anonymous users may create new directories.
#anon_mkdir_write_enable=YES
# Whether directory welcome messages are enabled.
# When a user in command-line mode first enters a directory on the server, the server displays that directory's message.
# By default the message is read from a file named .message in the directory;
# that file holds the custom welcome message written by the administrator.
#dirmessage_enable=YES
# Whether the system keeps a log of uploads and downloads.
# By default the log file is /var/log/vsftpd.log; it can be changed with the xferlog_file option below.
# The default value is NO.
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# Whether the server uses port 20 (ftp-data) as the source port of active-mode data connections;
# port 21 is the control connection.
connect_from_port_20=YES
# Whether the owner of uploaded files is changed; used together with the next setting.
# Note: making root the owner of uploaded files is not recommended.
#chown_uploads=YES
# The system user that uploaded files are reassigned to; enter a system user name if needed.
# (You could even make root the owner of every uploaded file; "whoever" is a placeholder for any user name.)
#chown_username=whoever
# The file in which the system records FTP uploads and downloads.
# /var/log/vsftpd.log is the default, but another path may be set.
#xferlog_file=/var/log/vsftpd.log
# Whether the transfer log is written in the standard xferlog format.
# The default file is /var/log/xferlog, which can also be changed via the xferlog_file option.
# The default value is NO.
#xferlog_std_format=YES
# The following are additional options; adding one enables the corresponding setting.
# Whether to write two similar log files in parallel,
# by default /var/log/xferlog and /var/log/vsftpd.log.
# The former is a wu-ftpd style transfer log that standard log analysis tools can read; the latter is vsftpd's own log format.
#dual_log_enable=YES
# Whether to send the messages that would go to /var/log/vsftpd.log to the system log instead.
#syslog_enable=YES
# Idle session timeout. The example value disconnects a user session after 600 seconds of inactivity,
# i.e. once a transfer ends, a client may stay connected to the server without activity for at most 600 seconds.
# Adjust to the actual situation.
#idle_session_timeout=600
# Data connection timeout: 120 means a stalled data connection is dropped after 120 seconds. Adjust to the actual situation.
#data_connection_timeout=120
# The unprivileged system user that vsftpd runs as; the default is nobody.
#nopriv_user=ftpsecure
# Whether asynchronous ABOR requests are recognised.
# This must be enabled if FTP clients send the "async ABOR" command;
# it is usually considered unsafe, so it is normally left disabled.
#async_abor_enable=YES
# Whether ASCII-mode transfers are honoured. By default the server ignores ASCII mode requests.
# Enabling these options lets the server transfer data in ASCII mode,
# but this makes the denial-of-service attack via "SIZE /big/file" possible.
#ascii_upload_enable=YES
#ascii_download_enable=YES
# The welcome banner shown when logging in to the FTP server.
# To change the welcome message of a particular directory, create a file named .message in that directory,
# write the message into it and save.
#ftpd_banner=Welcome to blah FTP service.
# Blacklist: if you dislike certain e-mail addresses, this setting lets you refuse their (anonymous) logins.
# Specific e-mail addresses can be blocked this way.
#deny_email_enable=YES
# When deny_email_enable=YES, this file lists the e-mail addresses that may not log in to the vsftpd server.
# The file must be created by the administrator, one e-mail address per line.
#banned_email_file=/etc/vsftpd/banned_emails
# Whether a logged-in user may access files outside their own home directory.
# When set to YES, users are locked into their home directory, and vsftpd reads the chroot_list file
# from the location given by the chroot_list_file option below. Must be used together with the next setting.
#chroot_list_enable=YES
# Users listed in this file cannot switch to a directory other than their own after logging in,
# which helps security management and privacy protection on the server. Create this file yourself.
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether recursive directory listings are allowed. Off by default, so remote users cannot cause excessive I/O.
#ls_recurse_enable=YES
# Whether vsftpd listens for connections itself.
# If set to YES, vsftpd runs in standalone mode and accepts and handles IPv4 connection requests on its own.
listen=YES
# Whether IPv6 is supported. To listen on both IPv4 and IPv6 ports,
# two vsftpd instances must be run with two sets of configuration files,
# and in each file one of the two listen options must be commented out.
#listen_ipv6=YES
# The name of the PAM service (profile) used by the PAM authentication module, i.e. the file /etc/pam.d/vsftpd.
# Its file=/etc/vsftpd/ftpusers field says that the accounts the PAM module blocks come from the file /etc/vsftpd/ftpusers.
#pam_service_name=vsftpd
# Whether the user_list file is consulted at login; the default is NO.
# When set to YES, the users in the user_list file are allowed to log in to the FTP server;
# if userlist_deny=YES is also set, the users in user_list are refused before any password prompt.
#userlist_enable=YES/NO
# Whether the users in the user_list file are refused (YES) or are the only ones admitted (NO); the default is YES.
#userlist_deny=YES/NO
# Whether tcp_wrappers is used for host access control.
# tcp_wrappers provides host-address based access control for network services on a Linux system.
# The files hosts.allow and hosts.deny in the /etc directory configure tcp_wrappers access control:
# the former holds the allow records, the latter the deny records.
# For example, to stop certain hosts from accessing the FTP server 192.168.57.2 anonymously, edit /etc/hosts.allow and add these two lines:
#   vsftpd:192.168.57.1:DENY
#   vsftpd:192.168.57.9:DENY
# This blocks the hosts 192.168.57.1 and 192.168.57.9 from the FTP server at 192.168.57.2;
# they can still PING the server but cannot connect to it.
tcp_wrappers=YES

The following sections go a step further in explaining some of the restrictions and permission control options.

In addition to the basic settings above, further security options can be added to the vsftpd.conf file. Some of the most commonly used are as follows:

Limit the maximum number of connections and transfer rate

When managing an FTP server it is necessary to control how much of the server's resources local and anonymous users consume. To keep the server from misbehaving under excessive load, the following options limit the FTP clients' use of server resources:

max_clients sets the maximum number of client connections the FTP server accepts; 0 means unlimited. For example, max_clients=100 means that all clients together may hold at most 100 connections to the server.
max_per_ip sets the maximum number of client connections allowed from a single IP address; 0 means unlimited. For example, max_per_ip=5 means that clients at one IP address may hold at most 5 connections to the server.
local_max_rate sets the maximum transfer rate for local users, in bytes per second; 0 means unlimited. For example, local_max_rate=500000 caps local users at 500 KB/s.
anon_max_rate sets the maximum transfer rate for anonymous users, in bytes per second; 0 means unlimited. For example, anon_max_rate=200000 caps anonymous users at 200 KB/s.
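To tie the options above together, here is an added Python example (not from the article and not part of vsftpd) that parses a vsftpd.conf body the way vsftpd does (strict option=value lines, lines starting with # are comments), overlays vsftpd's documented defaults for options left unset, and reports the risky combinations this article discusses: anonymous uploads, ASCII mode, missing chroot, unlimited connections and rates, and logging switched off. The default table is my reading of vsftpd.conf(5) and the sample configuration is constructed; check both against the manual of the version you run.

```python
"""Parse a vsftpd.conf body and flag risky settings.

Added example, not part of the original article or of vsftpd itself.
"""

# vsftpd's own defaults for the options this checker looks at (assumption: taken from
# vsftpd.conf(5); vsftpd applies these when the option is absent from the file).
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "xferlog_enable": "NO",
    "local_umask": "077",
    "max_clients": "0",
    "max_per_ip": "0",
    "local_max_rate": "0",
    "anon_max_rate": "0",
}

# Constructed sample configuration: the article's active settings plus two options
# (anonymous upload, ASCII download) switched on so the checker has something to report.
SAMPLE_CONF = """\
# comment lines and blank lines are ignored by vsftpd

anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
ascii_download_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen=YES
tcp_wrappers=YES
max_clients=100
local_max_rate=500000
"""


def parse_vsftpd_conf(text):
    """Return {option: value} for a vsftpd.conf body.

    vsftpd's parser is strict: one option=value per line, no space between the
    option name and the '=', and a line whose first character is '#' is a comment.
    Anything else makes vsftpd refuse to start ("500 OOPS: bad config"), so raise.
    """
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if "=" not in raw or " " in raw.split("=", 1)[0]:
            raise ValueError(f"line {lineno}: not an option=value line: {raw!r}")
        key, value = raw.split("=", 1)
        options[key] = value
    return options


def effective(options):
    """Overlay the file's options on vsftpd's documented defaults."""
    merged = dict(VSFTPD_DEFAULTS)
    merged.update(options)
    return merged


def audit(options):
    """Return a list of findings for the risky combinations the article describes."""
    eff = effective(options)

    def on(key):
        return eff[key].upper() == "YES"

    findings = []
    if on("anonymous_enable") and on("write_enable") and on("anon_upload_enable"):
        findings.append("anonymous users can upload files (anon_upload_enable with write_enable)")
    if on("anonymous_enable") and on("write_enable") and on("anon_mkdir_write_enable"):
        findings.append("anonymous users can create directories (anon_mkdir_write_enable)")
    if on("ascii_upload_enable") or on("ascii_download_enable"):
        findings.append("ASCII mode transfers enabled; the article warns of the 'SIZE /big/file' DoS")
    if on("local_enable") and not on("chroot_local_user") and not on("chroot_list_enable"):
        findings.append("local users are not confined to their home directories (no chroot option set)")
    if eff["max_clients"] == "0" or eff["max_per_ip"] == "0":
        findings.append("no connection limit: max_clients/max_per_ip is 0 (unlimited)")
    if on("local_enable") and eff["local_max_rate"] == "0":
        findings.append("no rate limit for local users (local_max_rate=0)")
    if not on("xferlog_enable"):
        findings.append("transfer logging is disabled (xferlog_enable=NO)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample, the checker reports the anonymous upload, the ASCII mode, the missing chroot and the missing max_per_ip, while the explicit local_max_rate=500000 and xferlog_enable=YES produce no finding.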
Specifying user permissions

The vsftpd.user_list file (/etc/vsftpd/user_list) must be combined with options in the vsftpd.conf file to control access for the user accounts it names:

(1) Setting the user accounts that are not allowed to log in

When the vsftpd.conf configuration file contains the following settings, the user accounts in the vsftpd.user_list file are not allowed to log in to FTP:


userlist_enable=YES
userlist_deny=YES 

userlist_enable=YES enables use of the vsftpd.user_list file, and userlist_deny=YES makes vsftpd.user_list the list of banned user accounts.

(2) Setting the only user accounts that are allowed to log in

When the vsftpd.conf configuration file contains the following settings, only the user accounts in the vsftpd.user_list file can log in to FTP:


userlist_enable=YES
userlist_deny=NO 

userlist_enable=YES enables use of the vsftpd.user_list file, and userlist_deny=NO makes vsftpd.user_list the list of the only accounts allowed to log in; user accounts not included in the file may not log in to FTP.

The userlist_deny and userlist_enable options restrict which users may log in to the FTP server (the userlist_deny option together with the user_list file effectively keeps system accounts such as root, apache and www from logging in over FTP, which supports a layered security model for the server). The specific forms of the two options, and the effect of combining them, are as follows:

userlist_enable=YES
    Users in ftpusers: access allowed
    Users in user_list: access allowed

userlist_enable=NO
    Users in ftpusers: access denied
    Users in user_list: access allowed

userlist_deny=YES
    Users in ftpusers: access denied (a password prompt is shown at login, but access is still refused)
    Users in user_list: access denied

userlist_deny=NO
    Users in ftpusers: access denied
    Users in user_list: access allowed

userlist_enable=YES and userlist_deny=YES
    Users in ftpusers: access denied
    Users in user_list: access denied (no password prompt appears; the server refuses the login outright)

userlist_enable=YES and userlist_deny=NO
    Users in ftpusers: access denied
    Users in user_list: access allowed
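As an added example (not from the article and not vsftpd's code), the following Python models the admission rules of this section: the user_list check driven by userlist_enable/userlist_deny is applied before the password prompt, and the ftpusers check is applied afterwards by PAM through /etc/pam.d/vsftpd, as the file list at the top of the article describes, so a listed user sees the prompt but is still refused. The FTPUSERS and USER_LIST sets are constructed stand-ins for /etc/vsftpd/ftpusers and /etc/vsftpd/user_list.

```python
"""Model vsftpd's login admission order: user_list check, then PAM ftpusers check.

Added example, not part of the original article or of vsftpd.
"""

# Constructed sample lists (the real files hold one user name per line).
FTPUSERS = {"root", "bin", "daemon", "apache"}
USER_LIST = {"root", "student"}


def read_user_file(text):
    """Parse a ftpusers/user_list style file: one name per line; blanks and '#' comments ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def login_decision(user, userlist_enable="NO", userlist_deny="YES",
                   ftpusers=FTPUSERS, user_list=USER_LIST):
    """Return one of:
    'denied-before-password'  refused by the user_list check, no password prompt shown
    'denied-after-password'   password prompt shown, then refused by PAM because of ftpusers
    'allowed'
    The defaults (userlist_enable=NO, userlist_deny=YES) are vsftpd's documented defaults.
    """
    if userlist_enable.upper() == "YES":
        listed = user in user_list
        if userlist_deny.upper() == "YES" and listed:
            return "denied-before-password"      # user_list is a deny list
        if userlist_deny.upper() == "NO" and not listed:
            return "denied-before-password"      # user_list is the only allow list
    if user in ftpusers:
        return "denied-after-password"           # pam_listfile rejects after the prompt
    return "allowed"


def decision_table(users=("root", "student", "try1")):
    """Evaluate every userlist_enable/userlist_deny combination for a few sample users."""
    rows = {}
    for enable in ("NO", "YES"):
        for deny in ("YES", "NO"):
            for user in users:
                rows[(enable, deny, user)] = login_decision(user, enable, deny)
    return rows


if __name__ == "__main__":
    for (enable, deny, user), verdict in sorted(decision_table().items()):
        print(f"userlist_enable={enable} userlist_deny={deny} user={user:8} -> {verdict}")
```

The table it prints reproduces the two combined rows above: with userlist_enable=YES and userlist_deny=YES, root (in user_list) is refused before any password prompt; with userlist_deny=NO, only student and root pass the first check, and root is then still stopped by ftpusers.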
 

Modify the default port

The default FTP server port is 21. For security reasons it is sometimes necessary to change it: edit /etc/vsftpd/vsftpd.conf and add a line such as:

listen_port=4449

This line sets the new port number of the FTP server, which should be greater than 4000. After the change, connect with:

# ftp 192.168.57.2 4449

Note that the correct port number must be given, otherwise the connection will fail.

Set up user groups

The importance of FTP users and user groups was mentioned earlier when vsftpd was introduced. Here only the technical implementation of a user group is explained briefly; how it is applied depends on the concrete requirements.


# mkdir -p /home/try                 # create the shared directory (and any missing parents)
# groupadd try                       # create the group try
# useradd -g try -d /home/try try1   # create user try1 with /home/try as home directory and try as primary group
# useradd -g try -d /home/try try2   # create user try2 with the same home directory and group
# useradd -g try -d /home/try try3   # create user try3 with the same home directory and group
# passwd try1                        # set the password of each new user
# passwd try2
# passwd try3
# chown try1 /home/try               # make try1 the owner of the directory
# chown .try /home/try               # make try the group owner (GNU chown also accepts :try)
# chmod 750 /home/try                # try1 (owner): read, write, execute; try2 and try3 (group): read, execute

Since a local user enters their home directory after logging in to the FTP server, and try1, try2 and try3 have been given different permissions on the home directory /home/try, their access rights over FTP differ too: try2 and try3 can download and browse, but cannot create directories or upload. This gives the users in the group different access levels and strengthens the layered security management of the FTP server.

Connection timeouts (this section was contributed by Li Yang)

Idle session timeout: with the following setting, a user session that has been idle for 5 minutes is disconnected to free the server's resources.

idle_session_timeout=300

Idle data connection timeout: with the following setting, a data connection that has been idle for 1 minute is dropped, again to free the server's resources.

data_connection_timeout=60

Timeouts for setting up data connections: with the following settings, the server waits 1 minute for a client to establish a passive-mode data connection and 30 seconds for a client to respond to an active-mode (PORT) data connection before giving up.

accept_timeout=60
connect_timeout=30

Next, we'll take a look at vsftpd's logs.

The common vsftpd logging solution

In vsftpd.conf, the following defines how to log:


# Record uploads and downloads on the FTP server
xferlog_enable=YES
# Write the upload/download records in the standard xferlog format, to the file named by the xferlog_file option
xferlog_std_format=YES
xferlog_file=/var/log/xferlog
# Enable dual logging: while the xferlog file records the server's uploads and downloads,
# the file named by vsftpd_log_file, i.e. /var/log/vsftpd.log, also records server transfers
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

The two log files of vsftpd are analyzed as follows:

/var/log/xferlog

Example of record content

Tue Sep 11 14:59:03 2007 [pid 3460] CONNECT: Client "127.0.0.1"
Tue Sep 11 14:59:24 2007 [pid 3459] [ftp] OK LOGIN; Client "127.0.0.1",anon password "?"

Analysis and parameter description of the data in the log file /var/log/xferlog

Logged value | Field | Meaning
Thu Sep 6 09:07:48 2007 | Current time | The server's local time, in the format DDD MMM dd hh:mm:ss YYYY
7 | Transfer time | Time taken to transfer the file, in seconds
192.168.57.1 | Remote host name/IP | Name or IP address of the remote host
4323279 | File size | Size of the transferred file, in bytes
/home/student/phpMyadmin-2.11.0-all-languages.tar.gz | File name | Name of the transferred file, including its path
b | Transfer type | a: ASCII transfer; b: binary transfer
(blank in the sample) | Special action flag | _: no special action; C: file was compressed; U: file was uncompressed; T: file was tar'ed
i | Direction | o: from the FTP server to the client; i: from the client to the FTP server
r | Access mode | a: anonymous user; g: guest user; r: real user, i.e. a system account
student | User name | The user's name
ftp | Service name | The service used, normally ftp
0 | Authentication method | 0: none; 1: RFC 931 authentication
* | Authenticated user id | The authenticated user's id; * means it could not be obtained
c | Completion status | c: transfer completed; i: transfer incomplete
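As an added example (not from the article and not vsftpd's code), the following Python parses xferlog records into the fields of the table above and pulls out the records a defender usually wants to review on a server with anonymous uploads enabled. The field order and codes follow the table; the sample lines are constructed from the table's example values (the special action flag, blank in the table, is given as "_", meaning none), plus one made-up anonymous upload.

```python
"""Parse wu-ftpd style xferlog records (as written by vsftpd with xferlog_std_format=YES).

Added example, not part of the original article or of vsftpd.
"""
import datetime

# Constructed records: the first is built from the table's sample values,
# the second is a made-up anonymous upload into /var/ftp/pub/incoming.
SAMPLE_XFERLOG = (
    "Thu Sep  6 09:07:48 2007 7 192.168.57.1 4323279 "
    "/home/student/phpMyadmin-2.11.0-all-languages.tar.gz b _ i r student ftp 0 * c"
)
SAMPLE_ANON_UPLOAD = (
    "Thu Sep  6 09:10:02 2007 2 192.168.57.9 1048576 "
    "/var/ftp/pub/incoming/tool.bin b _ i a ftp ftp 0 * c"
)

TRANSFER_TYPE = {"a": "ascii", "b": "binary"}
SPECIAL_ACTION = {"_": "none", "C": "compressed", "U": "uncompressed", "T": "tar"}
DIRECTION = {"o": "outgoing (server to client)", "i": "incoming (client to server)"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real user"}
AUTH_METHOD = {"0": "none", "1": "RFC 931"}
COMPLETION = {"c": "complete", "i": "incomplete"}


def parse_xferlog_line(line):
    """Split one xferlog record into a dict with decoded field values.

    Fields are separated by whitespace; the format writes spaces inside file names
    as '_', so a plain split is safe. The time stamp is the first five tokens
    (DDD MMM dd hh:mm:ss YYYY), followed by exactly 13 fields.
    """
    tokens = line.split()
    if len(tokens) != 18:
        raise ValueError(f"expected 18 tokens, got {len(tokens)}: {line!r}")
    stamp = " ".join(tokens[:5])
    (xfer_time, host, size, name, ttype, special, direction,
     mode, user, service, auth, auth_uid, status) = tokens[5:]
    return {
        "time": datetime.datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        "transfer_seconds": int(xfer_time),
        "remote_host": host,
        "size": int(size),
        "filename": name,
        "transfer_type": TRANSFER_TYPE[ttype],
        "special_action": SPECIAL_ACTION[special],
        "direction": DIRECTION[direction],
        "access_mode": ACCESS_MODE[mode],
        "user": user,
        "service": service,
        "auth_method": AUTH_METHOD[auth],
        "auth_user_id": None if auth_uid == "*" else auth_uid,
        "status": COMPLETION[status],
    }


def anonymous_uploads(lines):
    """Return the file names that anonymous users uploaded (direction i, access mode a)."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec["access_mode"] == "anonymous" and rec["direction"].startswith("incoming"):
            hits.append(rec["filename"])
    return hits


if __name__ == "__main__":
    for key, value in parse_xferlog_line(SAMPLE_XFERLOG).items():
        print(f"{key:18} {value}")
    print("anonymous uploads:", anonymous_uploads([SAMPLE_XFERLOG, SAMPLE_ANON_UPLOAD]))
```

Reading a real file is a matter of passing `open("/var/log/xferlog")` to anonymous_uploads; the strict token count makes truncated or foreign-format lines (such as the vsftpd.log style lines shown earlier) raise instead of being silently misread.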

Finally, the common FTP command is introduced, along with the meaning of the FTP numeric code.

Common FTP commands and their functions

ls                                    List the directory on the server
ls [remote-dir] [local-file]          List the remote directory remote-dir and save the listing to the local file local-file
get remote-file [local-file]          Download the given file from the server to the client
mget remote-files                     Download several remote files (mget accepts wildcards)
put local-file [remote-file]          Upload the given file from the client to the server
mput local-files                      Upload several files to the remote host (mput accepts wildcards)
open                                  Connect to an FTP server
mdelete [remote-files]                Delete files on the remote host
close                                 End the FTP session with the remote server (the counterpart of open)
mkdir dir-name                        Create a directory on the remote host
open host [port]                      Connect to the given FTP server, optionally on a given port
newer file-name                       Re-download file-name if the remote copy is newer than the local file of the same name
cd directory                          Change the working directory on the server
rename [from] [to]                    Rename a file on the remote host
lcd directory                         Change the working directory on the client (locally)
pwd                                   Show the current working directory on the remote host
bye                                   Leave FTP command mode
quit                                  Same as bye: end the ftp session
ascii                                 Set the transfer mode to ASCII
reget remote-file [local-file]        Like get, but if local-file exists, resume from where the previous transfer stopped
binary                                Set the transfer mode to binary
rhelp [cmd-name]                      Request help from the remote host
![cmd [args]]                         Run a shell command on the local host and return to ftp, e.g. !ls *.zip
rstatus [file-name]                   Show the remote host's status, or the status of file-name if one is given
account [password]                    Supply the password needed to access system resources after a successful login to the remote system
hash                                  Print a hash mark (#) for every 1024 bytes transferred
append local-file [remote-file]       Append a local file to a file on the remote host; the local name is used if no remote name is given
restart marker                        Restart get or put from the given marker, e.g. restart 130
bye                                   End the ftp session
rmdir dir-name                        Delete a directory on the remote host
case                                  During mget, convert upper-case letters in remote file names to lower case
size file-name                        Show the size of a file on the remote host, e.g. size idle 7200
cd remote-dir                         Enter a directory on the remote host
status                                Show the current ftp status
cdup                                  Go to the parent of the current remote directory
system                                Show the remote host's operating system
delete remote-file                    Delete a file on the remote host
user user-name [password] [account]   Identify yourself to the remote host, entering the password when required, e.g. user anonymous my@email
dir [remote-dir] [local-file]         List the remote directory and save the result to a local file
help [cmd]                            Show help for the ftp internal command cmd, e.g. help get

The meaning of FTP numeric code


110  Restart marker reply.
120  Service ready in a stated number of minutes.
125  Data connection already open; transfer starting.
150  File status okay; about to open the data connection.
200  Command okay.
202  Command not implemented, superfluous at this site.
211  System status, or system help reply.
212  Directory status.
213  File status.
214  Help message.
215  NAME system type.
220  Service ready for new user.
221  Service closing control connection; logged out.
225  Data connection open; no transfer in progress.
226  Closing data connection; requested file action successful.
227  Entering passive mode.
230  User logged in.
250  Requested file action okay, completed.
257  Path name created (the current path name is displayed).
331  User name okay, need password.
332  Need account for login.
350  Requested file action pending further information.
421  Service not available, closing control connection.
425  Can't open data connection.
426  Connection closed; transfer aborted.
450  Requested file action not taken.
451  Requested action aborted: local error in processing.
452  Requested action not taken: insufficient storage space.
500  Syntax error, command unrecognized.
501  Syntax error in parameters or arguments.
502  Command not implemented.
503  Bad sequence of commands.
504  Command not implemented for that parameter.
530  Not logged in.
532  Need account for storing files.
550  Requested action not taken (file unavailable).
551  Requested action aborted: page type unknown.
552  Requested file action aborted: exceeded storage allocation.
553  Requested action not taken: file name not allowed.
