Setting up vsftpd on CentOS 6.3 (using virtual users)
Original post read on: 2024-06-07  Views: 1

If every option was ticked when installing CentOS 6.3, the packages needed to set up vsftpd are already present: vsftpd, pam*, db4*.

Check whether they are installed:

[root@centos6 ~]# rpm -qa | grep vsftpd
vsftpd-2.2.-.el6_4..x86_64

[root@centos6 ~]# rpm -qa | grep db4
db4-4.7.-.el6_4.x86_64
db4-java-4.7.-.el6_4.x86_64
db4-utils-4.7.-.el6_4.x86_64
db4-devel-static-4.7.-.el6_4.x86_64
db4-cxx-4.7.-.el6_4.x86_64
compat-db43-4.3.-.el6.x86_64
db4-devel-4.7.-.el6_4.x86_64
compat-db42-4.2.-.el6.x86_64
db4-tcl-4.7.-.el6_4.x86_64
[root@centos6 ~]# rpm -qa | grep pam
pam_krb5-2.3.-.el6.x86_64
pam-devel-1.1.-.el6.x86_64
nss-pam-ldapd-0.7.-.el6.x86_64
pam_passwdqc-1.0.-.el6.x86_64
gnome-keyring-pam-2.28.-.el6_3.x86_64
pam_pkcs11-0.6.-12.1.el6.x86_64
pam_ssh_agent_auth-0.9.-.el6.x86_64
pam-1.1.-.el6.x86_64
fprintd-pam-0.1-.git04fd09cfa.el6.x86_64
pam_ldap--.el6.x86_64

If they are not installed, run: yum install vsftpd pam* db4* -y

Now let's configure our FTP server:

I. Create the system accounts

1. Create the host user for the vsftpd service:

[root@centos6 ~]# useradd vsftpd -s /sbin/nologin

2. Create the virtual-user host (guest) user for vsftpd:

[root@centos6 ~]# useradd ftp -s /sbin/nologin

II. Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf

1. Back up the configuration file

[root@centos6 ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup

2. Edit the configuration file

[root@centos6 ~]# vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf. for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf. manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is . You may wish to change this to ,
# if your users expect that ( is used by most other ftpd's)
local_umask=
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=NO
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/vsftpd.log
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=NO
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
pasv_enable=YES
pasv_min_port=
pasv_max_port=
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=ftp
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vconf
use_localtime=YES

3. Create the vsftpd log file and change its owner to the vsftpd service host user:

[root@centos6 ~]# touch /var/log/vsftpd.log
[root@centos6 ~]# chown vsftpd.vsftpd /var/log/vsftpd.log
[root@centos6 ~]#

4. Create the directory that will hold the virtual users' configuration files:

[root@centos6 ~]# mkdir /etc/vsftpd/vconf/

III. Create and generate the virtual user database file

1. First create the virtual user list file:

[root@centos6 ~]# touch /etc/vsftpd/virtusers

Create the virtual user list file. This file records the usernames and passwords of the vsftpd virtual users; here it is named virtusers. To keep things tidy, I place this list file under /etc/vsftpd/.

2. Edit the virtual user list file:

[root@centos6 ~]# vi /etc/vsftpd/virtusers
admin
admin123456

Edit this virtual user list file and add the users' usernames and passwords. The format is simple: one line with the username, the next line with the password.

3. Generate the virtual user database file:

[root@centos6 ~]# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
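The list file above is easy to get subtly wrong (an odd number of lines, or a blank line, silently shifts every following username onto a password line). The following is an added example, not part of the original post: a small shell helper that checks the "username line, password line" layout, lists the usernames without echoing the passwords, and then runs the same db_load command as the post. Because pam_userdb compares the passwords in clear text, the helper also restricts both the list and the generated .db to root; the file paths are parameters so it can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a vsftpd
# virtual-user list in "username line, password line" format, then build
# the Berkeley DB file with db_load exactly as the post does.

# check_virtusers FILE
# Returns 0 when FILE has an even, non-zero number of lines and no blank
# lines (a blank line would become an empty username or password).
check_virtusers() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    total=$(awk 'END { print NR }' "$file")
    blanks=$(awk '/^[ \t]*$/ { n++ } END { print n+0 }' "$file")
    if [ "$total" -eq 0 ] || [ "$blanks" -ne 0 ] || [ $((total % 2)) -ne 0 ]; then
        echo "bad format in $file: $total lines, $blanks blank" >&2
        return 1
    fi
    return 0
}

# list_virtusers FILE
# Prints only the usernames (odd-numbered lines), never the passwords.
list_virtusers() {
    awk 'NR % 2 == 1' "$1"
}

# build_virtusers_db FILE
# Runs the post's db_load invocation (FILE -> FILE.db) and then locks both
# files down to root, since they hold clear-text passwords.
build_virtusers_db() {
    file=$1
    check_virtusers "$file" || return 1
    db_load -T -t hash -f "$file" "$file.db" || return 1
    chmod 600 "$file" "$file.db"
}

# Usage on the post's paths (run as root):
#   build_virtusers_db /etc/vsftpd/virtusers && list_virtusers /etc/vsftpd/virtusers
```

Whenever a user is added or a password changed, rerun db_load: pam_userdb reads only the .db file, not the text list.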

IV. Set up the PAM authentication file and point it at the virtual user database file

1. Back up /etc/pam.d/vsftpd

[root@centos6 ~]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.backup

2. Edit vsftpd's PAM authentication configuration file and add the following two lines

#%PAM-1.0
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers    # on a 32-bit machine this is lib
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers

V. Virtual user configuration

1. Create the virtual users' root directory:

[root@centos6 ~]# mkdir /opt/vsftp/

2. Create the FTP directory for the admin user:

[root@centos6 ~]# mkdir /opt/vsftp/admin/

3. Create the virtual user configuration template:

[root@centos6 ~]# cp /etc/vsftpd/vsftpd.conf.backup /etc/vsftpd/vconf/vconf.tmp

4. Customize the virtual user template configuration file:

[root@centos6 ~]# vi /etc/vsftpd/vconf/vconf.tmp

The following is for reference only:

local_root=/opt/vsftp/virtuser
# Specifies the virtual user's home path.
anonymous_enable=NO
# Disallow anonymous access.
write_enable=YES
# Allow write operations.
local_umask=
# Permission mask for uploaded files.
anon_upload_enable=NO
# Disallow anonymous uploads.
anon_mkdir_write_enable=NO
# Disallow anonymous users from creating directories.
idle_session_timeout=
# Idle connection timeout.
data_connection_timeout=
# Maximum duration of a single continuous transfer.
max_clients=
# Number of concurrent clients allowed.
max_per_ip=
# Maximum number of connections from a single client; this mainly accommodates multi-threaded download tools such as FlashGet and Thunder (Xunlei).
local_max_rate=
# Maximum transfer rate for this user, in b/s.

Here the original vsftpd.conf, simplified, is saved as the template for the virtual user configuration files. The template does not need to specify much: the overall framework and restrictions are defined by vsftpd's main configuration file vsftpd.conf, so any option not mentioned in a virtual user's configuration file falls back to the setting in the main configuration file. The template therefore only needs to keep the options for per-user traffic control and access control. The key item is local_root, which specifies this virtual user's FTP home path.

5. Change the owner of the virtual users' home directory to the virtual host (guest) user:

[root@centos6 ~]# chown -R ftp.ftp /opt/vsftp/

6. Check the permissions:

[root@centos6 ~]# ll /opt/vsftp/
total
drwxrwxrwx. ftp ftp Apr : admin

VI. Customize for the test user:

1. Copy from the virtual user template configuration file:

[root@centos6 ~]# cp /etc/vsftpd/vconf/vconf.tmp /etc/vsftpd/vconf/admin

2. Customize for the specific user:

[root@centos6 ~]# vi /etc/vsftpd/vconf/admin

local_root=/opt/vsftp/kanecruise
anonymous_enable=NO
write_enable=YES
local_umask=
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=
data_connection_timeout=
max_clients=
max_per_ip=
local_max_rate=
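Steps V and VI each touch two places (the directory under /opt/vsftp and the per-user file under /etc/vsftpd/vconf), and the two must agree: local_root has to name a directory that exists and is owned by the guest user, otherwise the login succeeds but the session lands in a missing home. The following is an added example, not part of the original post: a helper that performs both halves of the provisioning in one step, deriving local_root from the username. BASE, VCONF, TEMPLATE and GUEST default to the post's paths (/opt/vsftp, /etc/vsftpd/vconf, vconf.tmp, the ftp user) and are assumptions you can override for a scratch run; the username check is an addition of mine.

```shell
#!/bin/sh
# Added example (not from the original post): create one virtual user's FTP
# directory and its per-user vsftpd config in a single, consistent step.

BASE=${BASE:-/opt/vsftp}                 # virtual users' root (post: /opt/vsftp)
VCONF=${VCONF:-/etc/vsftpd/vconf}        # user_config_dir in vsftpd.conf
TEMPLATE=${TEMPLATE:-$VCONF/vconf.tmp}   # template from step V.3
GUEST=${GUEST:-ftp}                      # must equal guest_username in vsftpd.conf

# provision_vuser NAME
# Creates $BASE/NAME, copies the template to $VCONF/NAME and rewrites
# local_root to point at that directory.
provision_vuser() {
    name=$1
    # Only plain names: the file $VCONF/$name is looked up by vsftpd from the
    # login name, so reject anything that could escape the directory.
    case $name in
        ''|.|..|*[!A-Za-z0-9_.-]*) echo "refusing username: $name" >&2; return 1 ;;
    esac
    home=$BASE/$name
    mkdir -p "$home" || return 1
    # Every template line is copied verbatim except local_root.
    sed "s#^local_root=.*#local_root=$home#" "$TEMPLATE" > "$VCONF/$name" || return 1
    # With virtual_use_local_privs=YES the session runs as $GUEST, so the
    # guest user owning the tree is what grants write access; 755 is enough.
    if id "$GUEST" >/dev/null 2>&1; then
        chown -R "$GUEST:$GUEST" "$home" || return 1
    fi
    chmod 755 "$home"
}

# local_root_of NAME
# Prints the local_root currently set in the user's config file.
local_root_of() {
    sed -n 's/^local_root=//p' "$VCONF/$1"
}

# Usage on the post's layout (run as root):
#   provision_vuser admin && local_root_of admin
```

The per-user file must be named exactly like the login name, because vsftpd looks up user_config_dir/<username> after authentication.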

VII. Turn off SELinux by setting it to disabled

VIII. Configure the firewall

1. First make sure the vsftpd configuration file contains:

pasv_enable=YES
pasv_min_port=
pasv_max_port=

2. Add to iptables:

-A INPUT -m state --state NEW -m tcp -p tcp --dport -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport : -j ACCEPT

3. Restart iptables

[root@centos6 ~]# /etc/init.d/iptables restart
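Before restarting the services it is worth checking that the main config, the PAM file, the guest user and the firewall rules all line up, since a mismatch (a pasv range that iptables does not open, a user_config_dir that does not exist, a pam_service_name with no matching file) only shows up as a failed login or a hanging directory listing. The following is an added example, not part of the original post: a preflight script that reads the settings from vsftpd.conf and prints the iptables rules the passive range needs, so the firewall section and the config cannot drift apart. One caveat it also reports: the main config above leaves chroot_local_user commented out, and vsftpd confines users (virtual ones included) to local_root only when that option is YES. CONF and PAMDIR default to the post's paths and are assumptions you can override.

```shell
#!/bin/sh
# Added example (not from the original post): check that vsftpd.conf, the PAM
# service file, the guest user and the passive port range agree, and print the
# matching iptables rules for the firewall step.

CONF=${CONF:-/etc/vsftpd/vsftpd.conf}
PAMDIR=${PAMDIR:-/etc/pam.d}

# conf_get FILE KEY : value of KEY in FILE (last uncommented occurrence wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# pasv_rules FILE : iptables rules for ports 21, 20 and the pasv range in FILE;
# fails when pasv_min_port/pasv_max_port are unset or inverted.
pasv_rules() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set or inverted in $1" >&2
        return 1
    fi
    printf -- '-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT\n'
    printf -- '-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT\n'
    printf -- '-A INPUT -m state --state NEW -m tcp -p tcp --dport %s:%s -j ACCEPT\n' "$min" "$max"
}

# preflight FILE : prints each problem found and returns their count (0 = ok)
preflight() {
    conf=$1
    problems=0
    [ "$(conf_get "$conf" anonymous_enable)" = NO ] ||
        { echo "anonymous_enable is not NO"; problems=$((problems + 1)); }
    [ "$(conf_get "$conf" guest_enable)" = YES ] ||
        { echo "guest_enable is not YES"; problems=$((problems + 1)); }
    guest=$(conf_get "$conf" guest_username)
    id "$guest" >/dev/null 2>&1 ||
        { echo "guest_username '$guest' is not a system user"; problems=$((problems + 1)); }
    vdir=$(conf_get "$conf" user_config_dir)
    [ -d "$vdir" ] ||
        { echo "user_config_dir '$vdir' does not exist"; problems=$((problems + 1)); }
    pam=$(conf_get "$conf" pam_service_name)
    [ -f "$PAMDIR/$pam" ] ||
        { echo "$PAMDIR/$pam does not exist"; problems=$((problems + 1)); }
    # chroot_local_user is what keeps a guest session inside local_root
    [ "$(conf_get "$conf" chroot_local_user)" = YES ] ||
        { echo "chroot_local_user is not YES: users are not confined to local_root"; problems=$((problems + 1)); }
    pasv_rules "$conf" >/dev/null || problems=$((problems + 1))
    return "$problems"
}

# Usage on the post's paths (run as root):
#   preflight "$CONF" && pasv_rules "$CONF"
```

The printed rules are the same three lines as in the firewall step, with the port numbers filled in from the config, so they can be pasted into /etc/sysconfig/iptables before the restart.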

IX. Restart the service

[root@centos6 ~]# /etc/init.d/vsftpd restart

X. Test connecting, downloading and uploading from Windows

1. Test from cmd

C:\Users\Richard>ftp
ftp> open 10.100.52.215
连接到 10.100.52.215。
Welcome to blah FTP service.
用户(10.100.52.215:(none)): admin
Please specify the password.
密码:
Login successful.
ftp> ls
PORT command successful. Consider using PASV.
Here comes the directory listing.
Android
Books
C#
Database
Java
ModelingTools
Office
VersionControl
Directory send OK.
ftp: 收到 字节,用时 .00秒 .00千字节/秒。
ftp>

2. Tested from Windows Explorer: success.
