| 源代码包安装配置高可用性vsftp Vsftp(Very Secure FTP)是一种在Unix/Linux中非常安全且快速稳定的FTP服务器,目前已经被许多大型站点所采用,如ftp.redhat.com, ftp.kde.org, ftp.gnome.org.等。 Vsftpd的实现有三种方式: 1、匿名用户形式:在默认安装的情况下,系统只提供匿名用户访问 2、本地用户形式:以/etc/passwd中的用户名为认证方式 3、虚拟用户形式:支持将用户名和口令保存在数据库文件或数据库服务器中。相对于FTP的本地用户形式来说,虚拟用户只是FTP服务器的专有用户,虚拟用户只能访问FTP服务器所提供的资源,这大大增强系统本身的安全性。相对于匿名用户而言,虚拟用户需要用户名和密码才能获取FTP服务器中的文件,增加了对用户和下载的可管理性。对于需要提供下载服务,但又不希望所有人都可以匿名下载;既需要对下载用户进行管理,又考虑到主机安全和管理方便的FTP站点来说,虚拟用户是一种极好的解决方案。 一、安装 1.下载最新的稳定版vsftpd- 2.0.3.tar.gz 2.卸载原有的rpm的vsftpd rpm -e vsftpd 3.tar xvzf vsftpd- 2.0.3.tar.gz 4.cd vsftpd- 2.0.3 # vi builddefs.h \\编辑builddefs.h 文件,文件内容如下: #ifndef VSF_BUILDDEFS_H #define VSF_BUILDDEFS_H #undef VSF_BUILD_TCPWRAPPERS #define VSF_BUILD_PAM #undef VSF_BUILD_SSL #endif /* VSF_BUILDDEFS_H */ 将以上undef的都改为define,支持tcp_wrappers,支持PAM认证方式,支持SSL 5.make 6.useradd -s /sbin/nologin nobody 7.mkdir /usr/share/empty 8.mkdir /var/ftp 9.useradd -d /var/ftp -s /sbin/nologin ftp 10.chown root.root /var/ftp 11.chmod og-w /var/ftp 说明:如果你象我一样原来有rpm的vsftp,只是卸载了,可以省略6-11步,如果原来没有安装vsftp,请按部就班。请记住,如果你不想让用户 在本地登陆,那么你需要把他的登陆SHELL设置成/sbin/nologin,比如以上的nobody和ftp我就设置成/sbin/nologin 12.make install 13.vi /etc/xinetd.d/vsftpd 把disable=yes改成no,保存退出。然后service xinetd restart,OK!新装的vsftp已经可以工作了! 说明:默认安装的vsftpd是以xinetd的方式启动的。你需要上述操作,一会儿,我们再来讲把它改成独立启动的服务。 14.ftp 127.0.0.1 输入用户名ftp,密码直接回车,OK!已经可以连接了!输入quit退出。然后重新ftp 127.0.0.1,输入本地用户和密码,却提示login faild!why?原来少一个本地用户认证的pam文件。 15.cp RedHat/vsftpd.pam /etc/pam.d/ftp(注意,没有这一步将不能使用本地用户登录!) 16.cp vsftpd.conf /etc/vsftpd.conf(现在,默认还是只能匿名用户登录)17.vi /etc/vsftpd.conf 把anonmous_enable=YES改成NO(禁掉匿名链接,不安全) 把local_enable=YES前的注释去掉(打开本地用户连接的权限) 把write_enable=YES前的注释去掉(打开本地用户的写权限) 把local_umask=022前的注释去掉 service xinetd restart 18.再次测试 ftp 127.0.0.1 使用ftp用户空密码登录,将出现login faild 使用本地用户登录,OK!已经成功了!上传文件,也OK! 二、高级配置 1.使用独立服务 a.vi /etc/xinetd.d/vsftpd把disable=no还改成yes,不再需要它了! b.vi /etc/vsftpd.conf在结尾加上listen=YES c.service xinetd restart d./usr/local/sbin/vsftpd /etc/vsftpd.conf & OK!现在vsftp已经是独立启动的服务了! 2.使用非常规的端口(2121) a.vi /etc/vsftpd.conf 添加listen_port=2121,保存退出 b.killall -9 vsftpd c./usr/local/sbin/vsftpd /etc/vsftpd.conf & OK!现在用ftp 127.0.0.1将提示你连接被拒绝了(ftp:connect:Connetion refuesd)!然后ftp 127.0.0.1 2121输入用户名和密码,OK!可以登录! 3.实现不同用户不同权限(虚拟用户) 现在我们就来实现三个用户的不同权限: (a).upload用户,可以上传下载,可以新建文件夹,但不能删除文件和文件夹,不能重命名原有文件和文件夹; (b).download用户,只能下载; (c).admin用户,管理员,可以上传,可以下载,可以新建文件夹,可以删除和更改文件和文件夹名。这些用户都不能登录系统,并且用ftp连接时锁定在自己的家目录中不能进入系统文件夹。 a.vi logins.txt upload ******* #upload用户的密码 download ******* admin **************** :wq //保存退出 说明,此文本文件的格式是:单数行为用户名,偶数行为密码 b.db_load -T -t hash -f logins.txt /etc/vsftpd_login.db c.chmod 600 /etc/vsftpd_login.db d.cd vsftpd-2.0.3/EXAMPLE;cp VIRYUAL_USERS/vsftpd.pam /etc/pam.d/ftp.vu (进入你的解包的源码目录,把虚拟用户的认证文件拷贝到/etc/pam.d/下) e.#useradd -d /home/ftpsite virtual #chmod 700 /home/ftpsite #su - virtual #vi /homt/ftpsite/test.file(建立虚拟用户所要访问的ftp目录并设置仅virtual用户访问的权限和创建一个供下载实验的文件) f.vi /etc/vsftpd.conf在此文件中插入下面的配置语句 guest_enable=YES(启用虚拟用户) guest_username=virtual(将虚拟用户映射为本地virtual用户) pam_service_name=ftp.vu(指定PAM配置文件为ftp.vu) user_config_dir=/etc/vsftpd_user_conf(指定不同虚拟用户配置文件的存放路径) 保存退出 g.mkdir /etc/vsftpd_user_conf h.开放不同用户的不同权限 echo "anon_world_readable_only=NO">/etc/vsftpd_user_conf/download(开放 download用户的下载权限——只能下载;注意这个不地方不要写成YES,否则将不能列出文件和目录) cp /etc/vsftpd_user_conf/download /etc/vsftpd_user_conf/upload vi /etc/vsftpd_user_conf/upload,添加下列行 write_enable=YES (增加写权限) anon_upload_enable=YES(增加上传权限) anon_mkdir_write_enable=YES (增加创建目录的权限) cp /etc/vsftpd_user_conf/upload /etc/vsftpd_user_conf/admin 增加一行: anno_other_writer_enable=YES(增加管理员用户的删除/重命名的权限) i.测试 killall -9 vsftpd;/usr/local/sbin/vsftpd /etc/vsftpd.conf & ftp 127.0.0.1 2121 以用户名download和你设置的密码登录,ls,可以看到文件,下载,成功!put一个文件,提示 Permission denied。rename test.file同样权限被拒绝;delete test.file同样不成功! 输入quit退出,以upload用户登录,OK!可以上传,下载,mkdir lsf,提示“/lsf" created;rename lsf lsf1提示Permission denied,删除文件同样不成功! 输入quit退出,以admin用户登录,可以有上述所有权限,然后rmdir lsf,提示Remove directory o[eration successful;delete test.file提示Delete operation successful!OK,大功告成了! 三、附配制文件 注意:每行的等号前后都不要有空格,否则启动时会出现错误,举个例子,假如我在listen=YES后多了个空格,那我启动时就出现如下错误: 500 OOPS: bad bool value in config file for: listen /etc/vsftpd.conf文件的内容 # Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. anon_upload_enable=NO # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=NO # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format #xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that turning on ascii_download_enable enables malicious remote parties # to consume your I/O resources, by issuing the command "SIZE /big/file" in # ASCII mode. # These ASCII options are split into upload and download because you may wish # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking), # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be # on the client anyway.. ascii_upload_enable=YES ascii_download_enable=YES # # You may fully customise the login banner string: ftpd_banner=Welcome to Serv-U FTP serser. #(一个真实的慌言:em02:) # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_list_enable=YES # (default follows) chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES chroot_local_user=YES listen_port=2121 listen=yes guest_enable=YES guest_username=virtual pasv_min_port=30000 pasv_max_port=30999 pam_service_name=ftp.vu anon_world_readable_only=NO user_config_dir=/etc/vsftpd_user_conf /etc/vsftpd_user_conf/download的内容 anon_world_readable_only=NO /etc/vsftpd_user_conf/upload的内容 anon_world_readable_only=NO write_enable=YES anon_upload_enable=YES anon_mkdir_write_enable=YES /etc/vsftpd_user_conf/admin的内容 anon_world_readable_only=NO write_enable=YES anon_upload_enable=YES anon_other_write_enable=YES anon_mkdir_write_enable=YES 自启动脚本,在/etc/rc.local中加入/usr/local/sbin/vsftpd /etc/vsftpd.conf & |
|小黑屋|最新主题|手机版|微赢网络技术论坛
( 苏ICP备08020429号 )
GMT+8, 2024-9-30 03:29 , Processed in 0.152366 second(s), 12 queries , Gzip On, MemCache On.
Powered by Discuz! X3.5
© 2001-2023 Discuz! Team.
