vsftpd installation and SSL configuration


    Please credit the source when reposting: http://www.cnblogs.com/blazer/p/4969711.html

    Environment: CentOS 6.4, 64-bit

    Installation is easy; the work is in the configuration and in creating users. This post records the shell scripts for adding and deleting virtual accounts together with the configuration parameters used during installation, so that the setup can be managed and reproduced later.

    1. First check whether vsftpd is already installed; if it is, remove it (xxx below stands for the package name printed by the first command)

    rpm -qa|grep vsftpd
    rpm -e --nodeps xxx

    2. Install vsftpd

    yum -y install vsftpd

    3. Start it and check that it runs

    service vsftpd start
    service vsftpd status
    service vsftpd stop

    4. Go to the vsftpd configuration directory

    whereis vsftpd
    cd /etc/vsftpd/

    5. Edit the default configuration file

    Back it up first

    mv vsftpd.conf vsftpd.conf.bak

    Then edit (the file is recreated from scratch with the contents below)

    vi /etc/vsftpd/vsftpd.conf
    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    #anonymous_enable=YES
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # The target log file can be vsftpd_log_file or xferlog_file.
    # This depends on setting xferlog_std_format parameter
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # The name of log file when xferlog_enable=YES and xferlog_std_format=YES
    # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
    #xferlog_file=/var/log/xferlog
    #
    # Switches between logging into vsftpd_log_file and xferlog_file files.
    # NO writes to vsftpd_log_file, YES to xferlog_file
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=120
    
    max_clients=20
    max_per_ip=5
    
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=NO
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES
    #
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES
    
    # append
    
    pam_service_name=vsftpd
    userlist_enable=NO
    tcp_wrappers=YES
    user_config_dir=/etc/vsftpd/upload_user_config
    

    Notes on the important settings:

    1.

    # chroot_local_user=NO means local users are NOT confined to their home directory by default.
    # Combined with chroot_list_enable=YES, the list file names the users who ARE chrooted.
    # (With chroot_local_user=YES the meaning flips: the list then names the exceptions that are not chrooted.)

    chroot_local_user=NO

    # This line is required; without it /etc/vsftpd/chroot_list is ignored

    chroot_list_enable=YES 

    chroot_list_file=/etc/vsftpd/chroot_list

    Under this combination every account the scripts below create is appended to chroot_list and is therefore confined to its local_root. Any local user that is not listed can browse the whole filesystem, limited only by ordinary Unix permissions, so an account that is forgotten in the list is the main risk of this setup.

    2.

    Every virtual account needs its own permissions, so a per-account configuration file named after the account is placed in the directory given by user_config_dir=/etc/vsftpd/upload_user_config (set in vsftpd.conf).

    This only points vsftpd at the directory; it is not created here. A later step creates it.
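    Because the two chroot options invert each other's meaning, it is easy to end up with the opposite of what was intended. The following is an added example, not code from the original post: a small POSIX sh resolver that reads a vsftpd.conf, applies the rule from vsftpd.conf(5) and reports whether a given login is confined. The configuration files it runs against are constructed inline; the fallback list path /etc/vsftpd/chroot_list is taken from this post's configuration.

```shell
#!/bin/sh
# Added example, not code from the original post: work out whether a login is
# chroot()ed under the chroot_local_user / chroot_list_enable combination.
# Rule from vsftpd.conf(5):
#   chroot_local_user=NO  + chroot_list_enable=YES : chroot_list names users who ARE chrooted
#   chroot_local_user=YES + chroot_list_enable=YES : chroot_list names users who are NOT chrooted
#   chroot_list_enable=NO                          : the list is ignored

# conf_get FILE KEY -> value of KEY (last occurrence wins, comments ignored), empty if unset
conf_get() {
    awk -F= -v k="$2" '!/^[[:space:]]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# is_yes FILE KEY DEFAULT -> exit 0 when the option is on (vsftpd accepts YES/TRUE/1)
is_yes() {
    v=$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$v" ] || v=$3
    case "$v" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# is_chrooted CONF USER -> prints "chrooted" or "unrestricted"
is_chrooted() {
    conf=$1; user=$2
    listfile=$(conf_get "$conf" chroot_list_file)
    [ -n "$listfile" ] || listfile=/etc/vsftpd/chroot_list   # path used in this post (assumption)
    listed=0
    if is_yes "$conf" chroot_list_enable NO && grep -qxF -- "$user" "$listfile" 2>/dev/null; then
        listed=1
    fi
    if is_yes "$conf" chroot_local_user NO; then
        [ "$listed" -eq 1 ] && echo unrestricted || echo chrooted
    else
        [ "$listed" -eq 1 ] && echo chrooted || echo unrestricted
    fi
}

# write_fixture DIR CHROOT_LOCAL_USER -> constructed conf + list (only user hyy listed); prints conf path
write_fixture() {
    printf 'hyy\n' > "$1/chroot_list"
    printf 'chroot_local_user=%s\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
        "$2" "$1" > "$1/vsftpd.conf"
    echo "$1/vsftpd.conf"
}

# demo: the post's setting (NO) confines the listed user only; YES confines everyone else
tmp=$(mktemp -d)
c=$(write_fixture "$tmp" NO)
echo "chroot_local_user=NO : hyy -> $(is_chrooted "$c" hyy), bob -> $(is_chrooted "$c" bob)"
c=$(write_fixture "$tmp" YES)
echo "chroot_local_user=YES: hyy -> $(is_chrooted "$c" hyy), bob -> $(is_chrooted "$c" bob)"
rm -rf "$tmp"
```

    With the post's setting the demo reports hyy as chrooted and bob as unrestricted; flipping chroot_local_user to YES reverses both, which is the case to watch for if the list was meant as a list of confined users.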

    6. Edit the PAM configuration

    mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak
    vi /etc/pam.d/vsftpd
    #%PAM-1.0
    # 32-bit
    #auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
    #account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
    # 64-bit (db= names /etc/vsftpd/login.db without the .db suffix)
    auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login
    account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login

    The stock file (now vsftpd.bak) checked the system password and, via pam_shells and /etc/vsftpd/ftpusers, the login shell; this replacement consults only the Berkeley DB, which is what lets the /sbin/nologin accounts created in step 7 log in over FTP. vsftpd's own virtual-user example writes both lines with "required"; "sufficient" behaves the same here only because no other module follows it, so prefer "required" if you ever add lines to this stack.
    

    7. Add an account

    mkdir -p /etc/vsftpd/upload/hyy
    adduser -d /etc/vsftpd/upload/hyy -g ftp -s /sbin/nologin hyy
    chown -R hyy:ftp /etc/vsftpd/upload/hyy
    chmod -R 700 /etc/vsftpd/upload/hyy

    So the "virtual" account is really a system account with /sbin/nologin as its shell: it cannot log in over SSH or on a console, vsftpd can still map it to a uid and home directory, and the password check goes through the Berkeley DB from the next steps instead of /etc/shadow.

    8. Create the account/password file, readable and writable only by root

    touch /etc/vsftpd/vuser
    chmod 600 /etc/vsftpd/vuser
    vi /etc/vsftpd/vuser
    hyy
    hyy
    hd_user
    hd_user

    Odd lines are account names

    Even lines are passwords

    To add more, append further name/password pairs at the end

    The passwords sit in this file in clear text, which is why the mode is 600; the sample above, with each password equal to its username, is a placeholder and not a usable choice. pam_userdb can instead compare against crypt(3) hashes when the PAM line carries crypt=crypt, in which case the even lines hold hashes rather than passwords.

    9. Generate the PAM database file

    db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/login.db

    db_load -T reads the text file as alternating key and value lines, which is why the layout in step 8 matters. The resulting login.db holds the same clear-text passwords as vuser but is created with the current umask (typically mode 644, readable by every local account), so tighten it to mode 600 just like vuser.
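    A blank line, an odd number of lines or a repeated username in vuser does not make db_load fail; it silently shifts every following key/value pair, and the delete helper later in this post depends on the same odd/even layout. The following POSIX sh check is an added example, not part of the original post: it validates a vuser file before db_load and wraps the rebuild so that login.db is locked down afterwards. The sample files are constructed inline, and the minimum password length of 8 is this example's own assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: validate the vuser file before
# db_load turns it into login.db. db_load -T reads alternating key/value lines, so a
# blank line, an odd line count or a repeated username silently shifts every pair
# after it. The minimum password length (8) is an assumption of this example.

# check_vuser FILE -> prints "ok", or the first problem found (and returns 1)
check_vuser() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # the file holds clear-text passwords: only root may read it
    perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perm" in 600|400) ;; *) echo "mode $perm (want 600)"; return 1 ;; esac
    n=$(awk 'END { print NR }' "$f")            # also counts a last line without newline
    [ $((n % 2)) -eq 0 ] || { echo "odd line count ($n)"; return 1; }
    blank=$(awk '/^[[:space:]]*$/ { print NR; exit }' "$f")
    [ -z "$blank" ] || { echo "blank line at $blank"; return 1; }
    # odd lines are usernames: the charset useradd accepts, and no duplicates
    bad=$(awk 'NR % 2 == 1 && $0 !~ /^[a-z_][a-z0-9_-]*$/ { print NR; exit }' "$f")
    [ -z "$bad" ] || { echo "bad username at line $bad"; return 1; }
    dup=$(awk 'NR % 2 == 1 { if (seen[$0]++) { print $0; exit } }' "$f")
    [ -z "$dup" ] || { echo "duplicate username: $dup"; return 1; }
    # even lines are passwords
    short=$(awk 'NR % 2 == 0 && length($0) < 8 { print NR; exit }' "$f")
    [ -z "$short" ] || { echo "password shorter than 8 chars at line $short"; return 1; }
    same=$(awk 'NR % 2 == 1 { u = $0; next } $0 == u { print NR; exit }' "$f")
    [ -z "$same" ] || { echo "password equals username at line $same"; return 1; }
    echo ok
}

# build_login_db VUSER DB -> runs the check, then the post's db_load command, then
# restricts the db (db_load creates it with the current umask, usually 0644)
build_login_db() {
    check_vuser "$1" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed"; return 2; }
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# demo on constructed input: the post's own sample (hyy/hyy) fails on purpose
tmp=$(mktemp -d)
printf 'hyy\nhyy\nhd_user\nhd_user\n' > "$tmp/vuser"; chmod 600 "$tmp/vuser"
echo "post sample : $(check_vuser "$tmp/vuser")"
printf 'hyy\nS3cret-pass-1\nhd_user\nAn0ther-pass\n' > "$tmp/vuser"
echo "fixed sample: $(check_vuser "$tmp/vuser")"
rm -rf "$tmp"
```

    Run check_vuser /etc/vsftpd/vuser before every db_load, or call build_login_db /etc/vsftpd/vuser /etc/vsftpd/login.db in its place; the post's sample file is rejected for its three-character passwords, the corrected sample passes.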

    10. Configure per-account permissions

    mkdir -p /etc/vsftpd/upload_user_config
    vi /etc/vsftpd/upload_user_config/hyy
    # upload/download/modify allowed
    anon_world_readable_only=NO
    write_enable=YES
    anon_mkdir_write_enable=YES
    anon_upload_enable=YES
    anon_other_write_enable=YES
    local_root=/etc/vsftpd/upload/hyy
    

    Note: local_root sets the root path the account sees; each account gets its own directory. If accounts need to reach each other's directories, adjust the directory permissions and root paths yourself; that is outside this post.

    One caveat on the file above: this setup does not use guest_enable, so hyy logs in as an ordinary local user, and for local users vsftpd decides writes by write_enable alone. The anon_* lines are consulted only for anonymous or guest sessions and have no effect here; they are harmless, but a download-only account needs write_enable=NO in its file, not anon_world_readable_only=YES.

    From step 6 onward, adding and removing FTP accounts is wrapped in two shell scripts, one to add and one to delete.

    1. Shared functions

    vi common.sh 
    # delLineByStr FILE STR : delete the first line that is exactly STR.
    # (The original looped over `cat $path` with a counter; word splitting skips
    #  blank lines, so the counted row no longer matched the real line number
    #  and the wrong line could be deleted.)
    function delLineByStr(){
        local path=$1 str=$2 row
        row=$(awk -v s="$str" '$0 == s { print NR; exit }' "$path")
        [[ -z "$row" ]] && return
        sed -i "${row}d" "$path"
    }
    
    # delLineByStr2Count FILE STR : in the vuser file (odd lines = user, even lines =
    # password) delete the username line equal to STR together with the password
    # line that follows it. Only odd lines are compared, so a password that happens
    # to equal some username is never mistaken for the account.
    function delLineByStr2Count(){
        local path=$1 str=$2 row
        row=$(awk -v s="$str" 'NR % 2 == 1 && $0 == s { print NR; exit }' "$path")
        [[ -z "$row" ]] && return
        sed -i "${row},$((row + 1))d" "$path"
    }

    2. Add an FTP account

    vi adduser.sh
    #!/bin/bash
    # 2015-11-16 BlazerHe
    
    if [[ "" == "$1" || "" == "$2" ]];then
        echo "Wrong arguments: two are required, the account name and the password"
        echo "Example: sh adduser.sh \$username \$password"
        exit 1
    fi
    
    ###################################### variables
    vsftpHome=/etc/vsftpd
    vsftpData=/bigdata1/ftp
    uName=$1
    uPass=$2
    
    # the name ends up in paths, in sed/awk patterns and as a system account:
    # accept only the characters useradd itself accepts
    if [[ ! "$uName" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]];then
        echo "invalid account name: ${uName}"
        exit 1
    fi
    if id "${uName}" &>/dev/null;then
        echo "account ${uName} already exists; refusing to append a second entry to vuser"
        exit 1
    fi
    
    echo "=======================================start======================================="
    echo "=====parameter 1: vsftpHome:${vsftpHome}"
    echo "=====parameter 2: vsftpData:${vsftpData}"
    echo ""
    
    ###################################### create the account and its directory ${vsftpData}/${uName}
    mkdir -p "${vsftpData}/${uName}"
    
    echo "1. create nologin account ${uName}"
    adduser -d "${vsftpData}/${uName}" -g ftp -s /sbin/nologin "${uName}"
    
    echo "2. own and lock down ${vsftpData}/${uName}"
    chown -R "${uName}:ftp" "${vsftpData}/${uName}"
    chmod -R 700 "${vsftpData}/${uName}"
    # note: vsftpd 2.3.5 and later refuse a chroot whose root is writable by the user
    # ("refusing to run with writable root inside chroot()"); CentOS 6's 2.2.2 accepts it
    
    ###################################### append to vuser, the source for the db
    echo "3. write account ${uName} to vuser"
    echo "${uName}" >> "${vsftpHome}/vuser"
    echo "${uPass}" >> "${vsftpHome}/vuser"
    
    ###################################### rebuild the db from vuser
    echo "4. regenerate login.db"
    db_load -T -t hash -f "${vsftpHome}/vuser" "${vsftpHome}/login.db"
    # db_load creates the file with the current umask; it holds clear-text passwords
    chmod 600 "${vsftpHome}/login.db"
    
    ###################################### confine the account to its directory: add it to chroot_list
    # (chroot_local_user=NO + chroot_list_enable=YES, so the listed users are the chrooted ones)
    echo "5. write account ${uName} to chroot_list"
    echo "${uName}" >> "${vsftpHome}/chroot_list"
    
    ###################################### per-account config /etc/vsftpd/upload_user_config/${uName}
    configDir=${vsftpHome}/upload_user_config/${uName}
    
    echo "6. generate config file ${configDir}"
    touch "${configDir}"
    
    # download only. For a local (non-guest) login vsftpd decides writes by write_enable;
    # the anon_* options do not apply, so the original anon_world_readable_only=NO line
    # left the account writable through the global write_enable=YES.
    echo "# download only" >> "${configDir}"
    echo "write_enable=NO" >> "${configDir}"
    echo "local_root=${vsftpData}/${uName}" >> "${configDir}"
    echo "" >> "${configDir}"
    
    # not strictly needed: vsftpd reads login.db, chroot_list and user_config_dir at each
    # login, and a restart drops every active session
    echo "7. restart service"
    service vsftpd restart 
    
    echo "==================result: account created, name: ${uName} (password not echoed)"
    echo "=======================================done======================================="

    3. Delete an FTP account

    vi deluser.sh
    #!/bin/bash
    # 2015-11-16 BlazerHe
    
    . ./common.sh
    
    if [[ "" == "$1" ]];then
        echo "Wrong arguments: one is required, the account name"
        echo "Example: sh deluser.sh \$username"
        exit 1
    fi
    
    #####################################
    vsftpHome=/etc/vsftpd
    vsftpData=/bigdata1/ftp
    uName=$1
    
    # the name feeds userdel and rm -rf below: reject anything but a plain account name
    if [[ ! "$uName" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]];then
        echo "invalid account name: ${uName}"
        exit 1
    fi
    
    echo "=======================================start======================================="
    echo "=====parameter 1: vsftpHome:${vsftpHome}"
    echo "=====parameter 2: vsftpData:${vsftpData}"
    echo ""
    
    echo "1. delete account ${uName}"
    userdel "${uName}"
    
    echo "2. delete account directory ${vsftpData}/${uName}"
    rm -rf "${vsftpData:?}/${uName}"
    
    echo "3. remove the entry from vuser"
    # a plain sed '/name/d' would also delete any other line containing the name
    # (a password, or a longer username), hence the exact-match helper
    delLineByStr2Count "${vsftpHome}/vuser" "${uName}"
    
    echo "4. regenerate login.db"
    db_load -T -t hash -f "${vsftpHome}/vuser" "${vsftpHome}/login.db"
    chmod 600 "${vsftpHome}/login.db"
    
    echo "5. remove the entry from chroot_list"
    delLineByStr "${vsftpHome}/chroot_list" "${uName}"
    
    configDir=${vsftpHome}/upload_user_config/${uName}
    echo "6. delete file ${configDir}"
    rm -f "${configDir}"
    
    # here the restart matters: it ends any session the deleted account still has open
    echo "7. restart service..."
    service vsftpd restart
    
    echo "==================result: account ${uName} deleted"
    echo "=======================================done======================================="
    
    

    Note: the vsftpData variable is the root path the account is confined to; it differs from the /etc/vsftpd/upload directory used in the manual steps above.

    Usage:

    Add a user

    sh adduser.sh test1 test1

    Delete a user

    sh deluser.sh test1

    Aside: using the ftp command-line client

    yum -y install ftp
    ftp 127.0.0.1

    Then enter the configured account name and password.

    For the individual commands, type help at the ftp> prompt.

    Common error: logging in to vsftpd fails with "500 OOPS: chroot"

    The post attributed this to the firewall and disabled iptables and SELinux:

    1. chkconfig iptables off

    2. service iptables stop

    3. setenforce 0, or set SELINUX=disabled in /etc/sysconfig/selinux

    Keep the two causes apart. The message comes from vsftpd's chroot() call failing after the connection is already established, so steps 1 and 2 cannot be the cure; a firewall that blocks tcp/21 or the passive data ports makes the connection hang or the listing fail instead. If step 3 makes the error disappear, SELinux was the cause, and the narrow fix is the boolean that allows FTP access to home directories (setsebool -P ftp_home_dir on) rather than disabling SELinux for the whole host. Likewise, open tcp/21 and the passive port range in iptables rather than switching it off. One further cause on newer builds: vsftpd 2.3.5 and later refuse a chroot whose root is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). The directories in this post are mode 700 and owned by the user, which CentOS 6's vsftpd 2.2.2 accepts; on vsftpd 3.x either make local_root non-writable and upload into a writable subdirectory, or set allow_writeable_chroot=YES where the build supports it.

    Going further:

    Configuring SSL (TLS) for vsftpd, here with OpenSSL

    1. Check that the binary is linked against OpenSSL

    ldd `which vsftpd`|grep ssl

    2. OpenSSL itself ships with CentOS, so skip its installation. Generate a self-signed certificate and private key in one PEM file and copy it to /etc/ssl/certs. Two flags are added to the post's command: without -days, openssl req -x509 issues a certificate valid for only 30 days, and -newkey rsa:2048 avoids depending on the default_bits value in openssl.cnf.

    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -out vsftpd.pem -keyout vsftpd.pem
    cp vsftpd.pem /etc/ssl/certs/vsftpd.pem
    chmod 400 /etc/ssl/certs/vsftpd.pem

    3. Edit the configuration file

    vi vsftpd.conf
    # ssl config
    ssl_enable=YES
    # anonymous access is already disabled above
    allow_anon_ssl=NO
    # refuse clear-text logins and clear-text data transfers for local users
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    force_anon_logins_ssl=YES
    force_anon_data_ssl=YES
    # TLS only: SSLv2 and SSLv3 are broken
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    # NO lets a data connection open a fresh TLS session instead of resuming the
    # control session; that weakens the binding between the two, but many clients need it
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    # the PEM file contains both the certificate and the key
    rsa_cert_file=/etc/ssl/certs/vsftpd.pem
    rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
    # pin the passive range: once the control channel is encrypted the kernel's FTP
    # connection tracking can no longer read PASV replies, so 64000-65535/tcp must be
    # opened in the firewall explicitly
    pasv_max_port=65535
    pasv_min_port=64000
    

    4. With the above added, restart the service

    service vsftpd restart
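    A quick way to catch a regression in this block (someone re-enabling SSLv3, dropping force_local_logins_ssl, or losing the passive range) is to lint the TLS-related options rather than reread the whole file. The following POSIX sh linter is an added example, not code from the original post or from vsftpd; the defaults it assumes for unset options are the ones documented in vsftpd.conf(5), and it runs against three configurations constructed inline: a deliberately weak one, the block from this post, and one with SSL left off.

```shell
#!/bin/sh
# Added example, not code from the original post: lint the TLS-related options of a
# vsftpd.conf. Defaults for unset options follow vsftpd.conf(5) (assumption of this example).

# conf_get FILE KEY -> value of KEY (last occurrence wins, comments ignored), empty if unset
conf_get() {
    awk -F= -v k="$2" '!/^[[:space:]]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# optval FILE KEY DEFAULT -> upper-cased value, DEFAULT when unset
optval() {
    v=$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# bool FILE KEY DEFAULT -> YES or NO (vsftpd also accepts TRUE/1 and FALSE/0)
bool() {
    case "$(optval "$1" "$2" "$3")" in YES|TRUE|1) echo YES ;; *) echo NO ;; esac
}

# tls_findings CONF -> one finding per line, nothing when clean
tls_findings() {
    c=$1
    if [ "$(bool "$c" ssl_enable NO)" != YES ]; then
        echo "ssl_enable=NO: logins and data travel in clear text"
        return
    fi
    [ "$(bool "$c" ssl_sslv2 NO)" = NO ] || echo "ssl_sslv2=YES: SSLv2 is broken, disable it"
    [ "$(bool "$c" ssl_sslv3 NO)" = NO ] || echo "ssl_sslv3=YES: SSLv3 is broken (POODLE), disable it"
    [ "$(bool "$c" ssl_tlsv1 YES)" = YES ] || echo "ssl_tlsv1=NO: no TLS version left enabled"
    [ "$(bool "$c" force_local_logins_ssl YES)" = YES ] || echo "force_local_logins_ssl=NO: passwords may be sent in clear text"
    [ "$(bool "$c" force_local_data_ssl YES)" = YES ] || echo "force_local_data_ssl=NO: file contents may be sent in clear text"
    [ "$(bool "$c" require_ssl_reuse YES)" = YES ] || echo "require_ssl_reuse=NO: data connections are not bound to the control session (keep only if clients need it)"
    # cipher string: drop exclusions (!X), then look for weak families; the old
    # compiled-in default DES-CBC3-SHA is itself flagged
    weak=$(optval "$c" ssl_ciphers DES-CBC3-SHA | tr ':' '\n' | grep -v '^!' | grep -E 'DES|RC4|NULL|EXP|LOW|MD5' | head -1)
    [ -z "$weak" ] || echo "ssl_ciphers includes weak suite '$weak'"
    # with TLS the firewall cannot read PASV replies, so the range must be pinned and opened
    if [ -z "$(conf_get "$c" pasv_min_port)" ] || [ -z "$(conf_get "$c" pasv_max_port)" ]; then
        echo "pasv_min_port/pasv_max_port unset: passive ports cannot be opened in the firewall"
    fi
}

# write_tls_fixture DIR KIND -> constructed DIR/KIND.conf (KIND: weak | post | none); prints its path
write_tls_fixture() {
    f=$1/$2.conf
    case "$2" in
        weak) printf '%s\n' ssl_enable=YES ssl_sslv2=YES ssl_sslv3=YES force_local_logins_ssl=NO \
                  force_local_data_ssl=NO require_ssl_reuse=NO ssl_ciphers=DES-CBC3-SHA > "$f" ;;
        post) printf '%s\n' ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
                  force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
                  require_ssl_reuse=NO ssl_ciphers=HIGH pasv_max_port=65535 pasv_min_port=64000 > "$f" ;;
        none) printf '%s\n' '# no ssl block' listen=YES > "$f" ;;
    esac
    echo "$f"
}

# demo
tmp=$(mktemp -d)
for kind in weak post none; do
    echo "== $kind"
    tls_findings "$(write_tls_fixture "$tmp" "$kind")"
done
rm -rf "$tmp"
```

    Against the weak file the demo lists seven findings; against this post's block it lists exactly one, the require_ssl_reuse=NO note, which is the trade-off to decide on deliberately rather than inherit. On a real host run tls_findings /etc/vsftpd/vsftpd.conf, and verify the handshake from the outside with openssl s_client -connect <host>:21 -starttls ftp.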

    Done. The stock Linux ftp client does not support TLS; test with a TLS-capable client such as FileZilla (lftp and curl also speak FTPS). To inspect the handshake and the certificate the server presents, openssl s_client -connect <host>:21 -starttls ftp works from any machine with OpenSSL installed.
