CentOS 6.9: how to install vsftpd and configure multiple users

  • 2020-06-19 12:20:41
  • OfStack

This article describes how to install vsftpd on CentOS 6.9 and configure it for multiple users, as follows:

1. Install vsftpd


# Install vsftpd
yum -y install vsftpd
# Start the service at boot
chkconfig vsftpd on
# Check the service status
service vsftpd status
# It is stopped by default; the output is:
# vsftpd is stopped

2. Add the FTP users to the system


# Add the group
groupadd -g 1002 vsftpd
# Create the directory that holds the users' home directories
mkdir -p /home/vsftpd
# Add the users (no login shell; see the note on /sbin/nologin below)
useradd -c "FTP User" -d /home/vsftpd/vsftpd -g vsftpd -s /sbin/nologin -u 1002 vsftpd
useradd -c "FTP User" -d /home/vsftpd/test -g vsftpd -s /sbin/nologin test
# Set the password (format: passwd <username>): enter the password, then enter it again to confirm
passwd vsftpd
# Every FTP account needs a password before it can log in, so run passwd for test in the same way
# Create the directory the users will access
mkdir -p /data/vsftpd
# Change the owner and permissions (group vsftpd gets write access, so both users can upload)
chown vsftpd:vsftpd /data/vsftpd
chmod -R 775 /data/vsftpd

You can check that the new users have been added:


cat /etc/passwd
# The output includes the following lines
# vsftpd:x:1002:1002:FTP User:/home/vsftpd/vsftpd:/sbin/nologin
# test:x:1003:1002:FTP User:/home/vsftpd/test:/sbin/nologin

The difference between /bin/false and /sbin/nologin

1. /bin/false does nothing but return an error status and exit immediately. If a user's shell is set to /bin/false, the user cannot log in and gets no message at all.

2. /sbin/nologin politely prints a message and refuses the login: "This account is currently not available."

3. Some software, such as FTP server software, only lets local (non-virtual) accounts use the service if their shell is valid, meaning listed in /etc/shells (vsftpd enforces this through pam_shells in /etc/pam.d/vsftpd). On CentOS /sbin/nologin is listed there and /bin/false is not, so /sbin/nologin lets a user use services such as FTP while still being unable to log in to the system; /bin/false does not, and this is one of the important differences between the two.

3. Modify the configuration file


# Back up the original file
mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.txt
# Create a new, empty configuration file
touch /etc/vsftpd/vsftpd.conf
# Edit it
vim /etc/vsftpd/vsftpd.conf

Paste in the following configuration:


# Example config file /etc/vsftpd/vsftpd.conf
#
# In standalone mode, the port on which vsftpd listens for incoming FTP connections
listen_port=21
#
# Directory local users are placed in after login
local_root=/data/vsftpd
#
# Allow anonymous logins
anonymous_enable=NO
#
# Allow local users to log in. Note: if virtual users are used, setting this to NO locks out all virtual users as well
local_enable=YES
#
# Allow write operations (upload and delete); the config shipped with CentOS sets this to YES
write_enable=YES
#
# Show times in local time
#use_localtime=YES
#
# Standalone mode only: maximum number of concurrent client connections; further clients are refused. Default: 0 (unlimited)
#max_clients=5
#
# Standalone mode only: maximum number of concurrent connections from one IP address; further connections from it are refused. This limits multi-connection download tools such as Internet Express. Default: 0 (unlimited)
#max_per_ip=3
#
# umask applied to files created by local users (002 makes new files group-writable)
local_umask=002
#
# Allow anonymous FTP users to upload files
#anon_upload_enable=NO
#
# Allow anonymous FTP users to create directories
#anon_mkdir_write_enable=NO
#
# Enable directory messages: a message is shown when a remote user enters a directory
dirmessage_enable=YES
#
# Log uploads and downloads to the file named by xferlog_file (here /var/log/vsftpd/xferlog)
xferlog_enable=YES
#
# Transfer log format: YES writes the standard wu-ftpd xferlog format to xferlog_file, NO writes vsftpd's own format to vsftpd_log_file
xferlog_std_format=YES
#
# Also keep vsftpd's own log alongside the xferlog (optional)
dual_log_enable=YES
xferlog_file=/var/log/vsftpd/xferlog
#
# Path of vsftpd's own log file
vsftpd_log_file=/var/log/vsftpd/vsftpd.log
#
# Use port 20 (the default data port) as the source port of PORT-style (active) data connections
connect_from_port_20=YES
#
# Change the ownership of files uploaded by anonymous users to the user named in chown_username. Default: NO
#chown_uploads=YES
#
# The user who becomes the owner of files uploaded by anonymous users
#chown_username=whoever
#
# Timeout in seconds for a remote client to establish a PASV-style data connection. Default: 60
#accept_timeout=60
#
# Timeout in seconds for a remote client to respond to a PORT-style data connection. Default: 60
#connect_timeout=60
#
# Maximum idle time in seconds between FTP commands; when it expires the client is disconnected. Default: 300
#idle_session_timeout=300
#
# Maximum time in seconds a data transfer may stall without progress; when it expires the client is disconnected. Default: 300
#data_connection_timeout=300
#
# Permissions for uploaded files; the umask is applied on top of this value. Change it to 0777 if uploads must be executable. Default: 0666
#file_open_mode=0666
#
# Maximum transfer rate in bytes per second for authenticated local users. Default: 0 (unlimited)
#local_max_rate=0
#
# It is recommended to define a dedicated unprivileged user that the FTP server can run as when it needs no privileges
#nopriv_user=ftpsecure
#
# Recognise asynchronous ABOR requests (some clients need this)
#async_abor_enable=YES
#
# Allow ASCII transfer mode for uploads and downloads
ascii_upload_enable=YES
ascii_download_enable=YES
#
# Customise the banner shown at login
#ftpd_banner=Welcome to blah FTP service.
#
# A plain-text file shown as the welcome message at login, for example to describe the server's directory layout
#banner_file=/etc/vsftpd/welcome.txt
#
# Reject anonymous logins whose e-mail password appears in a file of banned addresses; useful against some DoS attacks
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# Confine users to their own directory: after login they cannot leave it (or its subdirectories) for other parts of the system.
# With chroot_local_user=YES and chroot_list_enable=YES, the users in chroot_list_file are the exceptions and are NOT confined.
# With chroot_local_user=YES and chroot_list_enable=NO, all users are confined.
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# Default NO: only the users in /etc/vsftpd/ftpusers are blocked. YES: user_list is consulted as well; combined with userlist_deny=YES, the users in it are rejected before they are even asked for a password
userlist_enable=YES
#
# Default YES: the users in user_list are blocked. NO: only the users in user_list may use FTP, so every new FTP user must be added to the file
userlist_deny=NO
#
# The list file: with userlist_deny=YES its users cannot log in; with userlist_deny=NO only its users can
userlist_file=/etc/vsftpd/user_list
#
# Run in standalone mode listening on an IPv4 socket. Cannot be combined with listen_ipv6 in the same config
listen=YES
#
# Listen on an IPv6 socket instead. To serve both IPv4 and IPv6 you must run two copies of vsftpd with two config files; make sure only one of the two listen options is enabled
#listen_ipv6=YES
#
# Name of the PAM service used for authentication, i.e. the file /etc/pam.d/vsftpd
pam_service_name=vsftpd
#
# Enable virtual users
#guest_enable=YES
#
# The system user that virtual users are mapped to; CentOS ships a built-in ftp user
#guest_username=ftp
#
# Maximum transfer rate in bytes per second for anonymous clients. Default: 0 (unlimited)
#anon_max_rate=0
#
# umask for files created by anonymous users. Note: to give an octal value, keep the leading "0", otherwise it is read as decimal. Default: 077
#anon_umask=002
#
# Directory holding the per-user configuration files of virtual users (file name = user name)
#user_config_dir=/etc/vsftpd/virtual_conf
#
# Set to NO to forbid PASV-mode data connections
pasv_enable=YES
#
# Port range used for PASV-mode data transfers; 0 means any port. Default: 0. Choose a range in the high ports
pasv_min_port=20000
pasv_max_port=30000
#
# Default NO. YES disables the PASV security check that the data connection comes from the same IP address as the control connection. Enable with care: it is only reasonable inside a secure tunnelling setup
#pasv_promiscuous=YES
#
# Set to NO to forbid PORT-mode data connections
#port_enable=YES
#
# Default NO. Set to YES to disable the PORT security check that outgoing data connections go only to the client
#port_promiscuous=YES
#
# Use tcp_wrappers for host-based access control. tcp_wrappers lets Linux network services allow or deny hosts through /etc/hosts.allow (allowed hosts) and /etc/hosts.deny (denied hosts). For example, to keep certain hosts away from the FTP server at 12.36.126.141, add these two lines to /etc/hosts.allow: vsftpd:192.168.2.1:DENY and vsftpd:192.168.2.20:DENY. Afterwards 192.168.2.1 and 192.168.2.20 can still ping the server but cannot connect to FTP
tcp_wrappers=YES
#
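As an added check (example code, not from the original article), the following script audits a vsftpd.conf for settings that undo the protections chosen above: anonymous access, no chroot, the two "promiscuous" switches and an unbounded PASV range. Both configs are constructed samples in a temp directory, and conf_get and audit_vsftpd are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for settings that
# weaken the setup above. Both configs below are constructed samples (the "weak" one
# flips several of the article's values); conf_get and audit_vsftpd are names chosen here.
tmp=$(mktemp -d)
cat >"$tmp/weak.conf" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
pasv_enable=YES
pasv_promiscuous=YES
EOF
cat >"$tmp/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=30000
EOF

conf_get() { # conf_get FILE KEY DEFAULT: value of KEY, or DEFAULT if unset or commented out
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1); printf '%s\n' "${v:-$3}"
}
# audit_vsftpd CONF: prints one finding per line; the exit status is the number of findings
audit_vsftpd() {
    c=$1; n=0
    flag() { echo "$1"; n=$((n + 1)); }
    # the defaults passed below are vsftpd's built-in defaults, used when a key is absent
    [ "$(conf_get "$c" anonymous_enable YES)" = YES ] && flag "anonymous logins enabled"
    [ "$(conf_get "$c" anon_upload_enable NO)" = YES ] && flag "anonymous uploads enabled"
    [ "$(conf_get "$c" chroot_local_user NO)" = NO ] && flag "local users are not chrooted"
    [ "$(conf_get "$c" pasv_promiscuous NO)" = YES ] && flag "PASV same-source-IP check disabled"
    [ "$(conf_get "$c" port_promiscuous NO)" = YES ] && flag "PORT client-only check disabled"
    lo=$(conf_get "$c" pasv_min_port 0); hi=$(conf_get "$c" pasv_max_port 0)
    if [ "$(conf_get "$c" pasv_enable YES)" = YES ] && { [ "$lo" -eq 0 ] || [ "$hi" -lt "$lo" ]; }; then
        flag "PASV data ports unbounded: the firewall rule in step 5 cannot be scoped"
    fi
    return $n
}
```

Running `audit_vsftpd /etc/vsftpd/vsftpd.conf` against the configuration above reports nothing, while the weak sample yields five findings.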

4. Set FTP user information


# Create an empty chroot_list: with chroot_local_user=YES this file lists the users
# exempt from the chroot, so an empty file keeps every user confined to local_root
touch /etc/vsftpd/chroot_list

# Add the FTP users to user_list (with userlist_deny=NO this file is the allow-list)
vim /etc/vsftpd/user_list

# Comment out the users already in the file and append these at the end
vsftpd
test

# Create the log files
mkdir -p /var/log/vsftpd
touch /var/log/vsftpd/xferlog
touch /var/log/vsftpd/vsftpd.log
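To verify the list files from steps 2 to 4 before restarting the service, the following added example (not from the original article) reproduces for one user the three decisions vsftpd makes with this configuration: the user_list check, the PAM shell check described under /sbin/nologin, and the chroot_list exception. The config, passwd and shells files are constructed copies in a temp directory; ftp_access, conf_get and in_list are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original article: for one user, replay vsftpd's user_list,
# pam_shells and chroot_list decisions under the settings of steps 2 to 4. All input files
# are constructed copies in a temp dir; ftp_access, conf_get and in_list are names chosen here.
tmp=$(mktemp -d)
printf '# root (commented out, as in step 4)\nvsftpd\ntest\nbob\n' >"$tmp/user_list"
printf 'test\n' >"$tmp/chroot_list"          # constructed: exempt "test" from the chroot
printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' >"$tmp/shells"   # stand-in for /etc/shells
printf '%s\n' 'vsftpd:x:1002:1002:FTP User:/home/vsftpd/vsftpd:/sbin/nologin' \
    'test:x:1003:1002:FTP User:/home/vsftpd/test:/sbin/nologin' \
    'bob:x:1004:1002:FTP User:/home/vsftpd/bob:/bin/false' >"$tmp/passwd"
cat >"$tmp/vsftpd.conf" <<EOF
userlist_enable=YES
userlist_deny=NO
userlist_file=$tmp/user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
conf_get() { # conf_get FILE KEY DEFAULT: value of KEY, or DEFAULT if unset or commented out
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1); printf '%s\n' "${v:-$3}"
}
in_list() { # in_list FILE ENTRY: true if ENTRY is a whole line of FILE
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}
# ftp_access CONF USER: prints "denied", "allowed" or "allowed-chroot"
ftp_access() {
    c=$1; u=$2
    if [ "$(conf_get "$c" userlist_enable NO)" = YES ]; then
        listed=no
        in_list "$(conf_get "$c" userlist_file /etc/vsftpd/user_list)" "$u" && listed=yes
        deny=$(conf_get "$c" userlist_deny YES)
        # userlist_deny=YES: the file is a blocklist; NO: only listed users get past this point
        if [ "$deny" = YES ] && [ "$listed" = yes ]; then echo denied; return 0; fi
        if [ "$deny" = NO ] && [ "$listed" = no ]; then echo denied; return 0; fi
    fi
    # pam_shells (in /etc/pam.d/vsftpd on CentOS 6) rejects accounts whose shell is not in /etc/shells
    shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$tmp/passwd")
    in_list "$tmp/shells" "$shell" || { echo denied; return 0; }
    jail=$(conf_get "$c" chroot_local_user NO)
    if [ "$(conf_get "$c" chroot_list_enable NO)" = YES ] &&
       in_list "$(conf_get "$c" chroot_list_file /etc/vsftpd/chroot_list)" "$u"; then
        # with chroot_local_user=YES the list holds the exceptions; with NO, the users to jail
        if [ "$jail" = YES ]; then jail=NO; else jail=YES; fi
    fi
    if [ "$jail" = YES ]; then echo allowed-chroot; else echo allowed; fi
}
```

With these inputs, vsftpd is confined to local_root, test is allowed out of the chroot because it is listed in chroot_list, bob is refused by the shell check despite being in user_list, and root is refused before any password prompt.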

5. Open firewall ports 20000 to 30000


# Check whether the firewall already opens these ports; if it does, quit the editor,
# otherwise run the next command
vim /etc/sysconfig/iptables

# Add the PASV port range. Use -I (insert at the top of the chain) rather than -A: the stock
# CentOS 6 rule set ends with a REJECT rule, and a rule appended after it is never reached.
# Port 21 (the control connection) must be open as well.
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT

# Save the running rules to /etc/sysconfig/iptables
/etc/init.d/iptables save

# Note: on an Aliyun (Alibaba Cloud) instance you also have to log in to the Aliyun console and add inbound rules to the security group

# Restart the iptables service
service iptables restart

6. Restart the vsftpd service


# Stop the vsftpd service
service vsftpd stop

# Start the vsftpd service
service vsftpd start

# Restart the vsftpd service
service vsftpd restart

You can check that the FTP port is listening; by default this is port 21:

netstat -lntp | grep ':21 '
