CentOS 6.9: how to install vsftpd and configure multiple users
- 2020-06-19 12:20:41
- OfStack
This article describes how to install vsftpd on CentOS 6.9 and configure it for multiple users. The steps are as follows:
1. Install vsftpd
# Install vsftpd
yum -y install vsftpd
# Start it at boot
chkconfig vsftpd on
# Check the service status
service vsftpd status
# It is stopped by default; the output looks like this:
# vsftpd is stopped
2. Create the system users for FTP
# Add the group
groupadd -g 1002 vsftpd
# Create the parent directory for the users' home directories
mkdir -p /home/vsftpd
# Add the users
useradd -c "FTP User" -d /home/vsftpd/vsftpd -g vsftpd -s /sbin/nologin -u 1002 vsftpd
useradd -c "FTP User" -d /home/vsftpd/test -g vsftpd -s /sbin/nologin test
# Set the password (format: passwd <username>). Type the password and press Enter, then type it again to confirm.
passwd vsftpd
# The test user needs a password as well, otherwise it cannot log in
passwd test
# Create the shared directory the users will access
mkdir -p /data/vsftpd
# Change the ownership and permissions
chown vsftpd:vsftpd /data/vsftpd
chmod -R 775 /data/vsftpd
You can check that the new users have been added:
cat /etc/passwd
# The output ends with lines like these
# vsftpd:x:1002:1002:FTP User:/home/vsftpd/vsftpd:/sbin/nologin
# test:x:1003:1002:FTP User:/home/vsftpd/test:/sbin/nologin
The difference between /bin/false and /sbin/nologin:
1. /bin/false does nothing except return an error status and exit immediately. With the shell set to /bin/false the user cannot log in and gets no message explaining why.
2. /sbin/nologin politely shows the user a message and refuses the login: "This account is currently not available."
3. Some software, such as FTP server software, only lets a local (non-virtual) account use the service if the account has a valid shell. In that case /sbin/nologin lets a user who cannot log in to the system still use certain services such as FTP, whereas /bin/false does not; that is one of the important differences between the two. (On CentOS this is enforced by the line "auth required pam_shells.so" in /etc/pam.d/vsftpd, which only accepts shells listed in /etc/shells; /sbin/nologin is listed there and /bin/false is not.)
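The check described in point 3 can be reproduced offline. The shell functions below are an added example, not part of the original article: they apply the pam_shells.so rule to sample /etc/passwd and /etc/shells contents, which are constructed here rather than taken from a real system, and list the accounts whose shell would stop them from using FTP.

```shell
# Added example (not part of the original article): reproduce the check that
# decides whether a local account may use FTP on CentOS 6. /etc/pam.d/vsftpd
# contains "auth required pam_shells.so", which accepts a login only when the
# account's shell is listed in /etc/shells. /sbin/nologin is listed there on
# CentOS, /bin/false is not. The passwd and shells contents below are
# constructed sample data.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vsftpd:x:1002:1002:FTP User:/home/vsftpd/vsftpd:/sbin/nologin
test:x:1003:1002:FTP User:/home/vsftpd/test:/sbin/nologin
backup:x:1004:1002:FTP User:/home/vsftpd/backup:/bin/false'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh'

# ftp_shell_ok USER PASSWD_TEXT SHELLS_TEXT
# Prints "allow" when the user's login shell is listed in the shells file
# (what pam_shells.so requires), "deny" otherwise; returns 1 for an unknown user.
ftp_shell_ok() {
    user=$1; passwd_text=$2; shells_text=$3
    # Field 7 of a passwd entry is the login shell.
    shell=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$user" '$1 == u { print $7 }')
    [ -n "$shell" ] || return 1
    # -x: the whole line must equal the shell path; -F: compare literally.
    if printf '%s\n' "$shells_text" | grep -qxF -- "$shell"; then
        echo allow
    else
        echo deny
    fi
}

# ftp_shell_audit PASSWD_TEXT SHELLS_TEXT
# Lists every account whose shell would fail pam_shells.so, which is how you
# find FTP-only accounts that were mistakenly created with /bin/false.
ftp_shell_audit() {
    passwd_text=$1; shells_text=$2
    printf '%s\n' "$passwd_text" | awk -F: '{ print $1 }' | while read -r u; do
        if [ "$(ftp_shell_ok "$u" "$passwd_text" "$shells_text")" = deny ]; then
            echo "$u"
        fi
    done
}
```

On a real host you would feed the functions the contents of /etc/passwd and /etc/shells; with the sample data only the backup account, created with /bin/false, is reported.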
3. Edit the configuration file
# Back up the original file
mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.txt
# Create a fresh, empty configuration file
touch /etc/vsftpd/vsftpd.conf
# Edit the configuration file
vim /etc/vsftpd/vsftpd.conf
Paste in the following configuration:
# Example config file /etc/vsftpd/vsftpd.conf
#
# When vsftpd runs in standalone mode, this is the port it listens on for incoming FTP connections.
listen_port=21
#
# Directory that local users land in after logging in
local_root=/data/vsftpd
#
# Whether anonymous users may log in
anonymous_enable=NO
#
# Allow local users to log in. Note: if virtual users are used, setting this to NO locks out all virtual users as well.
local_enable=YES
#
# Allow write operations (upload and delete). Default: YES
write_enable=YES
#
# Whether to show local time in directory listings
#use_localtime=YES
#
# Only meaningful when vsftpd runs in standalone mode. Maximum number of concurrent client connections; beyond this the server refuses new clients. Default: 0 (unlimited)
#max_clients=5
#
# Only meaningful when vsftpd runs in standalone mode. Maximum number of concurrent connections from a single IP address; beyond this the connection is refused. This affects download managers that open several connections at once. Default: 0 (unlimited)
#max_per_ip=3
#
# umask applied to files created by local users
local_umask=002
#
# Whether anonymous FTP users may upload files
#anon_upload_enable=NO
#
# Whether anonymous FTP users may create directories
#anon_mkdir_write_enable=NO
#
# Enable directory messages: a message shown when a remote user enters a directory
dirmessage_enable=YES
#
# YES records uploads and downloads; the log file is set with xferlog_file=/var/log/vsftpd/xferlog
xferlog_enable=YES
#
# Chooses between vsftpd_log_file and xferlog_file for transfer logging: NO writes to vsftpd_log_file, YES writes to xferlog_file
xferlog_std_format=YES
#
# Also keep a second vsftpd log (optional)
dual_log_enable=YES
xferlog_file=/var/log/vsftpd/xferlog
#
# Path of the vsftpd log file
vsftpd_log_file=/var/log/vsftpd/vsftpd.log
#
# Make PORT-style (active) data connections originate from port 20 (the default for ftp_data_port)
connect_from_port_20=YES
#
# Whether to change the owner of files uploaded by anonymous users. With YES, uploaded files become owned by the user named in chown_username. Default: NO
#chown_uploads=YES
#
# The user who is given ownership of files uploaded by anonymous users
#chown_username=whoever
#
# Timeout in seconds for a remote client to establish a PASV-style data connection. Default: 60
#accept_timeout=60
#
# Timeout in seconds for a remote client to respond to our PORT-style data connection. Default: 60
#connect_timeout=60
#
# Maximum time in seconds a remote client may spend between FTP commands; when it expires the client is disconnected. Default: 300
#idle_session_timeout=300
#
# Maximum time in seconds a data transfer may stall without progress; when it expires the client is disconnected. Default: 300
#data_connection_timeout=300
#
# Permissions used when creating uploaded files; the umask is applied on top. If uploaded files need to be executable, change this to 0777. Default: 0666
#file_open_mode=002
#
# Maximum data transfer rate (bytes per second) for authenticated local users. Default: 0 (unlimited)
#local_max_rate=0
#
# It is recommended to define a dedicated, unprivileged user on the system that the FTP server can run as.
#nopriv_user=ftpsecure
#
# Whether to enable asynchronous ABOR (abort transfer) handling
#async_abor_enable=YES
#
# Whether to allow ASCII-mode transfers
ascii_upload_enable=YES
ascii_download_enable=YES
#
# Custom banner string shown at login
#ftpd_banner=Welcome to blah FTP service.
#
# Plain-text file shown as the welcome message at login, e.g. to tell users about the directory layout of this FTP server
#banner_file=/etc/vsftpd/welcome.txt
#
# A file of e-mail addresses that anonymous users are not allowed to log in with. Helps against some DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# Lock users into their own directories: after logging in they cannot move to other directories on the system, only within their own directory (and its subdirectories).
# With chroot_local_user=YES and chroot_list_enable=YES, the users listed in chroot_list_file are the exception: they are NOT chrooted to their home directory.
# With chroot_local_user=YES and chroot_list_enable=NO, every local user is chrooted to their home directory.
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# Defaults to NO, in which case only the users in the ftpusers file are kept off the FTP server. With YES, user_list is consulted as well: combined with userlist_deny=YES, the users in user_list are refused by the FTP server before they even get a password prompt.
userlist_enable=YES
#
# Defaults to YES, which blocks the users in user_list from logging in to the FTP server. Set to NO, only the users in user_list may use FTP, so every newly created user who should use FTP must be added to that file.
userlist_deny=NO
#
# With userlist_enable=YES: when userlist_deny=YES the users in this file cannot log in; when userlist_deny=NO only the users in this file can log in to FTP.
userlist_file=/etc/vsftpd/user_list
#
# When "listen" is enabled, vsftpd runs in standalone mode and listens on an IPv4 socket. This directive cannot be used together with listen_ipv6.
listen=YES
#
# This directive makes vsftpd listen on an IPv6 socket instead. To listen on both IPv4 and IPv6 you must run two copies of vsftpd with two configuration files. Make sure that one of the two listen options is commented out!
#listen_ipv6=YES
#
# Name of the PAM service used for authentication, i.e. the file /etc/pam.d/vsftpd
pam_service_name=vsftpd
#
# Whether to enable virtual users
#guest_enable=YES
#
# Host (system) user that virtual users are mapped to; CentOS already ships the ftp user
#guest_username=ftp
#
# Maximum data transfer rate (bytes per second) for anonymous clients. Default: 0 (unlimited)
#anon_max_rate=0
#
# umask for files created by anonymous users. Note: to give an octal value, keep the leading "0", otherwise the value is read as a base-10 integer! Default: 077
#anon_umask=002
#
# Directory holding per-user vsftpd configuration files for virtual users (file name = virtual user name)
#user_config_dir=/etc/vsftpd/virtual_conf
#
# Set to NO to forbid PASV-mode data connections.
pasv_enable=YES
#
# Lower and upper bound of the port range used for PASV-mode data connections; 0 means any port. Default: 0. Choose a high range and open it on the firewall.
pasv_min_port=20000
pasv_max_port=30000
#
# Default NO. YES turns off the PASV security check that the data connection and the control connection come from the same IP address. Enable with care: the only reasonable use is in some secure-tunnel setups.
#pasv_promiscuous=YES
#
# Set to NO to forbid PORT-mode data connections.
#port_enable=YES
#
# Default NO. Set to YES to turn off the PORT security check that outgoing data connections only go back to the client.
#port_promiscuous=YES
#
# Use tcp_wrappers for host-based access control. tcp_wrappers lets Linux network services restrict access by host address through the files hosts.allow and hosts.deny in /etc: the former lists hosts that are allowed, the latter hosts that are denied. For example, to keep certain hosts away from the FTP server at 12.36.126.141, edit /etc/hosts.allow and add two lines such as vsftpd:192.168.2.1:DENY and vsftpd:192.168.2.20:DENY; the hosts 192.168.2.1 and 192.168.2.20 can then still ping the FTP server at 12.36.126.141 but cannot connect to it.
tcp_wrappers=YES
#
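Before restarting vsftpd it is worth checking the security-relevant settings of the file just pasted. The script below is an added example, not part of the original article or of vsftpd itself: conf_get reads a key from vsftpd.conf text the way vsftpd does (comment lines ignored, last occurrence wins), and vsftpd_lint reports the settings a reviewer would flag: anonymous logins, missing chroot, pasv_promiscuous, and an unpinned passive port range. ARTICLE_CONF, WEAK_CONF and MINIMAL_CONF are constructed sample configurations; the defaults quoted in the comments are vsftpd's documented defaults.

```shell
# Added example (not part of the original article): lint the security-relevant
# settings in a vsftpd.conf. The three configurations below are constructed
# samples: ARTICLE_CONF mirrors the keys the article's file actually sets,
# WEAK_CONF loosens them, MINIMAL_CONF relies on vsftpd's built-in defaults.

ARTICLE_CONF='listen_port=21
local_root=/data/vsftpd
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
userlist_enable=YES
userlist_deny=NO
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=30000
#pasv_promiscuous=YES'

WEAK_CONF='anonymous_enable=YES
write_enable=YES
chroot_local_user=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=0
pasv_max_port=0'

MINIMAL_CONF='listen=YES
local_enable=YES'

# conf_get KEY CONF_TEXT: print the value of KEY as vsftpd would read it:
# comment lines are ignored and the last occurrence of a key wins.
conf_get() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '/^[ \t]*#/ { next } $1 == k { v = $2 } END { print v }'
}

# vsftpd_lint CONF_TEXT: print one "WARN:" line per risky setting.
vsftpd_lint() {
    conf=$1
    anon=$(conf_get anonymous_enable "$conf")
    chroot=$(conf_get chroot_local_user "$conf")
    promisc=$(conf_get pasv_promiscuous "$conf")
    pmin=$(conf_get pasv_min_port "$conf")
    pmax=$(conf_get pasv_max_port "$conf")

    # anonymous_enable defaults to YES in vsftpd, so a missing key is also a finding.
    if [ "${anon:-YES}" != NO ]; then
        echo "WARN: anonymous logins are enabled (anonymous_enable=${anon:-unset})"
    fi
    # Without chroot an authenticated local user can browse the whole filesystem.
    if [ "${chroot:-NO}" != YES ]; then
        echo "WARN: local users are not chrooted (chroot_local_user=${chroot:-unset})"
    fi
    # pasv_promiscuous=YES drops the check that the data connection comes from
    # the same address as the control connection.
    if [ "$promisc" = YES ]; then
        echo "WARN: pasv_promiscuous=YES disables the PASV source-address check"
    fi
    # A fixed passive range is what lets the firewall rule in step 5 stay narrow;
    # 0 (the default) means any port.
    if [ "${pmin:-0}" -eq 0 ] || [ "${pmax:-0}" -eq 0 ] || [ "$pmin" -gt "$pmax" ]; then
        echo "WARN: passive port range is not pinned (pasv_min_port=${pmin:-0}, pasv_max_port=${pmax:-0})"
    fi
}
```

Run it on the live file with `vsftpd_lint "$(cat /etc/vsftpd/vsftpd.conf)"`; the article's configuration produces no warnings, WEAK_CONF produces four, and MINIMAL_CONF shows that leaving keys out is not the same as turning them off.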
4. Set up the FTP user information
# Create the chroot exception list (empty, so every user stays locked in their own directory)
touch /etc/vsftpd/chroot_list
# Add the FTP users to user_list
vim /etc/vsftpd/user_list
# Comment out the existing entries and append the FTP users; with userlist_deny=NO this file is the list of users allowed to log in
vsftpd
test
# Create the log files
mkdir -p /var/log/vsftpd
touch /var/log/vsftpd/xferlog
touch /var/log/vsftpd/vsftpd.log
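How userlist_enable and userlist_deny decide who reaches the password prompt is easy to get wrong, and the reason the stock entries have to be commented out is that with userlist_deny=NO the file becomes an allow list. The function below is an added example, not part of the original article: it reproduces that decision over constructed user_list and vsftpd.conf snippets (the stock list is abbreviated). It covers only the user_list stage; /etc/vsftpd/ftpusers, checked separately by PAM, can still refuse an account that passes here.

```shell
# Added example (not part of the original article): reproduce how vsftpd's
# user_list decides whether a login attempt reaches the password prompt.
# The lists and config snippets are constructed samples; the stock CentOS 6
# user_list is abbreviated to its first entries.

# user_list as step 4 leaves it: stock entries commented out, FTP users appended.
USER_LIST_EDITED='# root
# bin
# daemon
vsftpd
test'

# Stock user_list, untouched (abbreviated).
USER_LIST_STOCK='root
bin
daemon'

ALLOWLIST_CONF='userlist_enable=YES
userlist_deny=NO'

DENYLIST_CONF='userlist_enable=YES
userlist_deny=YES'

# conf_get KEY CONF_TEXT: value of KEY, comment lines ignored, last occurrence wins.
conf_get() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '/^[ \t]*#/ { next } $1 == k { v = $2 } END { print v }'
}

# userlist_decision USER CONF_TEXT USERLIST_TEXT
# Prints "allow" if the user_list stage lets USER proceed to the password
# prompt, "deny" if vsftpd refuses the login outright.
userlist_decision() {
    user=$1; conf=$2; ulist=$3
    enable=$(conf_get userlist_enable "$conf")
    deny=$(conf_get userlist_deny "$conf")
    # With userlist_enable unset or NO the file is never consulted.
    if [ "${enable:-NO}" != YES ]; then
        echo allow
        return 0
    fi
    # Is the user named in the list? vsftpd compares whole lines, so a
    # commented-out entry such as "# root" never matches the user "root".
    if printf '%s\n' "$ulist" | grep -qxF -- "$user"; then
        listed=yes
    else
        listed=no
    fi
    # userlist_deny defaults to YES: listed users are refused. With NO the
    # list is an allow list: only listed users get through.
    case "${deny:-YES}:$listed" in
        YES:yes|NO:no) echo deny ;;
        *)             echo allow ;;
    esac
}
```

The interesting case is root with ALLOWLIST_CONF and the untouched stock list: switching userlist_deny to NO without editing the file turns the stock deny list into an allow list, which is exactly what commenting out the existing entries prevents.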
5. Open firewall ports 20000 to 30000
# Check whether the firewall already has a rule for these ports; if it does, quit the editor, otherwise run the next command
vim /etc/sysconfig/iptables
# Add the port range
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT
# Save
/etc/init.d/iptables save
# Note: on Alibaba Cloud (Aliyun) you also need to log in to the console and add inbound rules to the security group
# Restart the iptables service
service iptables restart
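After saving the rule it pays to verify, rather than assume, which ports the INPUT chain really accepts. The shell functions below are an added example, not part of the original article: fw_tcp_verdict walks a rule listing in the form printed by "iptables -S INPUT" in order, the way the kernel does, and reports whether a new inbound TCP connection to a port would be accepted; ftp_fw_check applies it to the ports FTP needs. The two rule listings are constructed samples modelled on the default CentOS 6 /etc/sysconfig/iptables. They make two things visible: the control port 21 is not opened by step 5 at all, and because the default chain ends with a catch-all REJECT, a rule appended with "iptables -A" lands after it and never matches, whereas the same rule inserted with "iptables -I INPUT ..." (an assumption of this example, not the article's command) does.

```shell
# Added example (not part of the original article): decide, from the rule list
# that "iptables -S INPUT" prints, whether a NEW inbound TCP connection to a
# given port would be accepted. iptables evaluates rules in order and the first
# match decides. The rule listings below are constructed samples modelled on
# the default CentOS 6 INPUT chain.

# Chain as it looks when the article's "iptables -A ..." is run on the default
# CentOS 6 firewall: the new rule lands after the catch-all REJECT.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT'

# Same chain when the rule is inserted at the top with "iptables -I INPUT ...".
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# fw_tcp_verdict PORT RULES_TEXT: prints "open" or "closed" for a new TCP
# connection from a remote host to PORT, walking the INPUT chain in order.
fw_tcp_verdict() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / {
            # Rules limited to loopback or to already-established flows do not
            # decide a fresh connection arriving from outside.
            if ($0 ~ /-i lo/ || $0 ~ /--state [A-Z,]*ESTABLISHED/) next
            # Protocol filter: a rule without -p applies to every protocol.
            if ($0 ~ /-p / && $0 !~ /-p tcp/) next
            # Port filter: no --dport means every port; "a:b" is a range.
            lo = 0; hi = 65535
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            }
            if (p + 0 < lo || p + 0 > hi) next
            if ($0 ~ /-j ACCEPT/)        { verdict = "open";   exit }
            if ($0 ~ /-j (REJECT|DROP)/) { verdict = "closed"; exit }
        }
        END {
            # Nothing matched: the chain policy decides.
            if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "closed"
            print verdict
        }'
}

# ftp_fw_check RULES_TEXT: prints the FTP-relevant ports that are still closed,
# i.e. the control port 21 and both ends of the passive range from step 5.
ftp_fw_check() {
    closed=""
    for port in 21 20000 30000; do
        if [ "$(fw_tcp_verdict "$port" "$1")" = closed ]; then
            closed="$closed $port"
        fi
    done
    echo "${closed# }"
}
```

On the server itself, `ftp_fw_check "$(iptables -S INPUT)"` gives the live answer; with RULES_APPENDED it reports 21, 20000 and 30000 as closed, with RULES_INSERTED only 21 remains.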
Restart the vsftpd service
# Stop the vsftpd service
service vsftpd stop
# Start the vsftpd service
service vsftpd start
# Restart the vsftpd service
service vsftpd restart
You can check whether the FTP port is now listening; by default it is port 21:
netstat -lnp | grep ':21 '