Setting up VSFTP on CentOS
Original read time: October 16, 2024

1. First, check whether it is already installed:

rpm -qa | grep vsftpd

If nothing is printed, it is not installed. Next, we install an FTP server.

2. Install vsftpd with yum:

yum -y install vsftpd

After installation, look at the configuration files that were generated:

[root@bxcsweb ~]# ll /etc/vsftpd/
总用量
-rw------- root root 10月 : ftpusers
-rw------- root root 10月 : user_list
-rw------- root root 10月 : vsftpd.conf
-rwxr--r-- root root 10月 : vsftpd_conf_migrate.sh

3. Configure vsftpd:

First, a public FTP server with anonymous browsing:

Edit vsftpd.conf:

vim /etc/vsftpd/vsftpd.conf

Append one line at the end:

anon_root=/path/to/vsftpd

This line sets the directory that vsftpd serves. If the FTP server is a public one on the internal network, this is all the configuration needed; restart the service:

[root@bxcsweb ftp]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]

Then you can browse it anonymously from a browser.

Now the FTP configuration with separate permissions per user:

Edit vsftpd.conf:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf. for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf. manual page to get a full idea of vsftpd's
# capabilities.

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

# Uncomment this to allow local users to log in.
local_enable=YES

# Uncomment this to enable any form of FTP write command.
write_enable=YES

# Default umask for local users is . You may wish to change this to ,
# if your users expect that ( is used by most other ftpd's)
local_umask=022

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
xferlog_file=/main/var/log/vsftpd.log

# Make sure PORT transfer connections originate from port (ftp-data).
connect_from_port_20=YES

# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever

# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog

# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES

# You may change the default value for timing out an idle session.
#idle_session_timeout=

# You may change the default value for timing out a data connection.
#data_connection_timeout=

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES

# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES

# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# The lines below were added by hand
#anon_root=/main/var/ftp  (once per-user permissions are configured, this directory no longer takes effect)
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftpd/vuser_conf

Explanation of the settings above:

anonymous_enable=NO  Disallow anonymous access.
local_enable=YES  Allow local users to log in. Note: when virtual users are used, setting this to NO prevents every virtual user from logging in.
chroot_list_enable=YES
xferlog_file=/var/log/vsftpd.log  Path of the vsftpd service log. Note that this file does not exist by default; it must be created by hand with touch.
ascii_upload_enable=YES
ascii_download_enable=YES  Enable ASCII-mode upload and download.
pam_service_name=vsftpd  Name of the PAM service; PAM authenticates according to /etc/pam.d/vsftpd.
The following are the important settings for vsftpd's virtual-user support. They are not present in the default vsftpd.conf and have to be added by hand.
guest_enable=YES  Enable the virtual-user feature.
guest_username=ftp  The host (system) user that virtual users are mapped to. CentOS already ships with a built-in ftp user.
user_config_dir=/etc/vsftpd/vuser_conf  Directory holding the per-virtual-user vsftpd configuration files (file name = virtual user name).

Then create the log file configured above by hand:

touch /main/var/log/vsftpd.log # create the vsftpd log file

Then set up chroot_list:

shell>touch /etc/vsftpd/chroot_list
shell>echo ftp >> /etc/vsftpd/chroot_list

If db4 and db4-utils are not installed, run:

yum install db4 db4-utils

Create the username/password text file /etc/vsftpd/vuser_passwd.txt:

The format is one line with the username followed by one line with the password (we will create two users: an admin user with read/write permission and a readUser user with read-only permission):

hjbFtpAdmin
password4Admin
hjbFtpReadUser
pswd4readUser

Use the db4-utils just installed to generate the db file used for virtual-user authentication:

db_load -T -t hash -f /etc/vsftpd/vuser_passwd.txt /etc/vsftpd/vuser_passwd.db

This produces a file:

-rw-r--r-- root root 11月 : vuser_passwd.db

Then edit the PAM authentication file /etc/pam.d/vsftpd:

Comment out all of the original lines (for security we no longer want local-user authentication; everything goes through virtual users), then add the following two lines:

auth required pam_userdb.so db=/etc/vsftpd/vuser_passwd
account required pam_userdb.so db=/etc/vsftpd/vuser_passwd

Create with touch, then edit with vim, the virtual user's per-user configuration file:

vim /etc/vsftpd/vuser_conf/hjbFtpAdmin

Contents:

# Per-user configuration file for the virtual user admin (may write, upload and create directories)
# Root directory of the virtual user
local_root=/main/var/path/to/FTP目录
write_enable=YES
anon_umask=
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Create another one for the read-only user:

vim /etc/vsftpd/vuser_conf/hjbFtpReadUser

Contents:

# Per-user configuration file for the virtual user readUser (read-only: may read, but not write, modify or delete)
# Root directory of the virtual user
local_root=/main/var/path/to/FTP目录
write_enable=NO
anon_umask=
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
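As an added example (not code from the original post), the following Python helper parses the vuser_passwd.txt layout used above, renders the two per-user vuser_conf files just described, and checks a vsftpd.conf for the settings the post says virtual users depend on (anonymous_enable=NO, local_enable=YES, user_config_dir). The role names rw/ro and the sample paths in the comments are my own assumptions.

```python
import re

def parse_conf(text):
    """Parse vsftpd key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_vuser_passwd(text):
    """vuser_passwd.txt layout: a username line, then its password line, repeated."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd line count: a username is missing its password")
    users = {}
    for name, pw in zip(lines[0::2], lines[1::2]):
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"bad username line: {name!r}")
        users[name] = pw
    return users

# Flag values copied from the post's two per-user files; key order matches them.
_FLAGS = ("write_enable", "anon_world_readable_only", "anon_upload_enable",
          "anon_mkdir_write_enable", "anon_other_write_enable")
ROLE_FLAGS = {"rw": dict(zip(_FLAGS, ("YES", "NO", "YES", "YES", "YES"))),
              "ro": dict(zip(_FLAGS, ("NO", "YES", "NO", "NO", "NO")))}

def render_user_conf(role, local_root):
    """Body of /etc/vsftpd/vuser_conf/<user> for a read-write ('rw') or read-only ('ro') user."""
    lines = [f"local_root={local_root}"]
    lines += [f"{k}={v}" for k, v in ROLE_FLAGS[role].items()]
    return "\n".join(lines) + "\n"

def audit(conf):
    """Checks from the post: anonymous access off, and what guest_enable=YES needs."""
    findings = []
    if conf.get("anonymous_enable", "YES") != "NO":  # vsftpd's compiled-in default is YES
        findings.append("anonymous_enable is not NO")
    if conf.get("guest_enable") == "YES":
        if conf.get("local_enable") != "YES":
            findings.append("local_enable=NO blocks all virtual users")
        if not conf.get("user_config_dir"):
            findings.append("user_config_dir unset: per-user permissions ignored")
    return findings
```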

Next, change the owner of the FTP directory to the ftp user:

chown -R ftp /main/var/path/to/FTP目录

Finally, restart the service:

service vsftpd start

Log in as each of the two users and you will see that their permissions differ.

Main reference:

http://www.cnblogs.com/xusion/articles/3421239.html

-------------------------------------------------- Addendum 2014.11.27:

If you get the error "500 can not open xfe…log" (the log file cannot be opened), comment out the log-file setting:

#xferlog_file=/main/var/log/vsftpd.log

The default log file is then used: xferlog_file=/var/log/xferlog

If an upload fails with "553 Could not create file xxxx",

one of the SELinux booleans below may be the cause:

[root@localhost main]# sestatus -b| grep ftp
allow_ftpd_anon_write off
allow_ftpd_full_access off
allow_ftpd_use_cifs off
allow_ftpd_use_nfs off
ftp_home_dir off
ftpd_connect_db off
ftpd_use_fusefs off
ftpd_use_passive_mode off
httpd_enable_ftp_server off
tftp_anon_write off
tftp_use_cifs off
tftp_use_nfs off

Change one of them:

setsebool allow_ftpd_full_access on

which gives:

[root@localhost main]# sestatus -b| grep ftp
allow_ftpd_anon_write off
allow_ftpd_full_access on
allow_ftpd_use_cifs off
allow_ftpd_use_nfs off
ftp_home_dir off
ftpd_connect_db off
ftpd_use_fusefs off
ftpd_use_passive_mode off
httpd_enable_ftp_server off
tftp_anon_write off
tftp_use_cifs off
tftp_use_nfs off

After that it works.

If it still does not work, consider chown'ing the FTP directory to ftp:

chown -R ftp ftpServerRoot

Or try 777 directly (not recommended!):

chmod 777 ftpServerRoot

The troubleshooting steps were taken from: http://www.ithov.com/linux/130713.shtml