Contos/Linux 安装FTP详解

发表于   |   分类于   |     |   阅读次数

安装FTP

使用yum安装

1
yum -yinstall ftp vsftpd

使用RPM安装

需要安装一下两个包

1
2
3
ftp-0.17-66.el7.x86_64
vsftpd-3.0.2-9.el7.x86_64

另外需要安装db包,用来加密虚拟用户的账户信息(这个包在centos7中默认已经安装了)

1
rpm -qf/usr/bin/db_load libdb-utils-5.3.21-17.el7_0.1.x86_64

配置

创建Ftp文件保存路径

1
mkdir/ftp/open

添加测试文件

1
2
3
echo opentest > /ftp/open/open.txt
touch /ftp/open/anontest.txt

查看配置文件所在路径

1
2
3
4
5
6
7
rpm -qc vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf

备份原有配置文件

1
cp vsftpd.conf vsftpd.conf.origin

创建密码明文文件

1
vi /etc/vsftpd/vftpuser.txt

添加如下类容

1
2
3
4
javen
javen123
test
test123

说明:基数行是用户名;偶数行是密码

根据明文创建密码DB文件

1
db_load -T -t hash -f /etc/vsftpd/vftpuser.txt  /etc/vsftpd/vftpuser.db

查看密码数据文件

1
file /etc/vsftpd/vftpuser.db

输出结果如下

1
/etc/vsftpd/vftpuser.db: Berkeley DB (Hash, version 9, native byte-order)

创建vftpd的guest账户

1
useradd -d /ftp/private -s /sbin/nologin vftpuser

编辑生成虚拟用户所需的PAM 配置文件

1
vi /etc/pam.d/vsftpd

再将auth及account的所有配置行行均注释掉,添加如下内容:

1
2
3
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vftpuser
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vftpuser

如果你是64位系统则添加如下内容:

1
2
3
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser

如何查询系统的版本?

1
getconf LONG_BIT

如果没有填写出错将会出现以下异常:

530 Login incorrect错误

查看日志
tail -f /var/log/secure

发现 PAM unable to dlopen(/lib/security/pam_userdb.so): /lib/security/pam_userdb.so: cannot open shared object file: No such file or directory

原来pam_userdb.so在/lib64/security/pam_userdb.so

最终的配置

1
2
3
4
5
6
7
8
9
10
#%PAM-1.0
#session    optional     pam_keyinit.so    force revoke
#auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth       required    pam_shells.so
#auth       include     password-auth
#account    include     password-auth
#session    required     pam_loginuid.so
#session    include     password-auth
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vftpuser

修改vsftpd.conf配置文件

在最后添加

1
2
3
4
5
6
anon_root=/ftp/open
virtual_use_local_privs=YES
guest_enable=YES
guest_username=vftpuser
chroot_local_user=YES
allow_writeable_chroot=YES

详细配置如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
anon_root=/home/ftp/open
virtual_use_local_privs=YES
guest_enable=YES
guest_username=vftpuser
chroot_local_user=YES
allow_writeable_chroot=YES

启动

1
systemctl start vsftpd

查看目前的状态

1
systemctl status vsftpd

测试

1
ftp localhost

输入用户名以及密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@iZ94hjirr10Z vsftpd]# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 Welcome to blah FTP service.
Name (localhost:root): javen
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,38,217).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000        11641 Jul 13 07:22 00_1.jpg
-rw-r--r--    1 1000     1000        13024 Jul 13 07:23 00_2.jpg
-rw-r--r--    1 1000     1000        10989 Jul 13 07:23 00_3.jpg
-rwxrwxrwx    1 1000     1000           10 Jul 05 06:14 ftptest.txt
drwxrwxrwx    2 1000     1000        20480 Jul 16 06:15 images
-rw-r--r--    1 0        0              12 Jul 05 06:13 ss
226 Directory send OK.
ftp> bye
221 Goodbye.

以上是配置的详细教程,有问题请在评论区留言。

Javen wechat
欢迎您扫一扫上面的微信公众号,订阅我的博客!
坚持原创技术分享,您的支持将鼓励我继续创作!