转载请注明出处:http://www.cnblogs.com/blazer/p/4969711.html
环境:CentOs6.4 64bit
安装非常容易,麻烦在配置与创建用户,该博文主要用于记录增加和删除虚拟帐户的shell脚本以及记录安装时的配置参数,以供之后方便于管理与使用。
1.先检查是否安装了vsftpd,如果有安装则删除
rpm -qa|grep vsftpd rpm -e --nodeps xxx
2.安装vsftpd
yum -y install vsftpd
3.启动测试
service vsftpd start
service vsftpd status
service vsftpd stop
4.进入vsftpd的配置目录
whereis vsftpd cd /etc/vsftpd/
5.修改默认的配置文件
先备份
mv vsftpd.conf vsftpd.conf.bak
再修改
vi /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). #anonymous_enable=YES anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # The target log file can be vsftpd_log_file or xferlog_file. # This depends on setting xferlog_std_format parameter xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # The name of log file when xferlog_enable=YES and xferlog_std_format=YES # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log #xferlog_file=/var/log/xferlog # # Switches between logging into vsftpd_log_file and xferlog_file files. # NO writes to vsftpd_log_file, YES to xferlog_file xferlog_std_format=YES # # You may change the default value for timing out an idle session. idle_session_timeout=600 # # You may change the default value for timing out a data connection. data_connection_timeout=120 max_clients=20 max_per_ip=5 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_local_user=NO chroot_list_enable=YES # (default follows) chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! #listen_ipv6=YES # append pam_service_name=vsftpd userlist_enable=NO tcp_wrappers=YES user_config_dir=/etc/vsftpd/upload_user_config
重要配置说明:
1.
#是否可以浏览非主目录的内容,NO表示不可以
chroot_local_user=NO
#这行必须要有, 否则文件vsftpd.chroot_list不会起作用
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
2.
当创建虚拟帐户时,需要给每个帐号都配置好权限,因此这些配置文件与帐号同名,生成在user_config_dir=/etc/vsftpd/upload_user_config(vsftpd.conf中)这个目录下。
此处只是配置指向该目录,并没有创建,在之后的步骤中会创建该目录。
6.修改pam.d
mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak
vi /etc/pam.d/vsftpd
#%PAM-1.0 # 32-bit #auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login #account required /lib/security/pam_userdb.so db=/etc/vsftpd/login # 64-bit auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login
7.增加帐户
mkdir -p /etc/vsftpd/upload/hyy adduser -d /etc/vsftpd/upload/hyy -g ftp -s /sbin/nologin hyy chown -R hyy:ftp /etc/vsftpd/upload/hyy chmod -R 700 /etc/vsftpd/upload/hyy
8.配置帐号密码文件 设置权限只有root读写
touch /etc/vsftpd/vuser chmod 600 /etc/vsftpd/vuser
vi /etc/vsftpd/vuser
hyy
hyy
hd_user
hd_user
奇数行是账户名
偶数行是密码
需要新增则往下增加
9.生成pam校验数据库文件
db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/login.db
10.配置用户权限
mkdir -p /etc/vsftpd/upload_user_config
vi /etc/vsftpd/upload_user_config/hyy
#有上传/下载/修改权限 anon_world_readable_only=NO write_enable=YES anon_mkdir_write_enable=YES anon_upload_enable=YES anon_other_write_enable=YES local_root=/etc/vsftpd/upload/hyy
注意:此处配置的local_root,是配置该帐户访问的根路径,每个帐户访问自己的目录,如果需要交叉访问,请自行修改目录权限以及根目录,不在本文体现。
从第6步之后增加新的ftp帐户,已经封装好2个shell,一个是新增,一个是删除
1.公共函数
vi common.sh
function delLineByStr(){ path=$1 str=$2 count=1 row=-1 for line in `cat $path` do if [[ "$line" == "$str" ]];then row=$count break fi ((count+=1)) done if [[ "$row" == "-1" ]];then return fi sed -i "${row}d" $path } function delLineByStr2Count(){ path=$1 str=$2 count=1 row=-1 for line in `cat $path` do if [[ "$line" == "$str" && $(($count % 2)) != 0 ]];then row=$count break fi ((count+=1)) done if [[ "$row" == "-1" ]];then return fi sed -i "${row}d" $path sed -i "${row}d" $path }
2.新增ftp帐户
vi adduser.sh
# 2015-11-16 BlazerHe if [[ "" == "$1" || "" == "$2" ]];then echo "参数不正确,必须有2个参数,第一个参数是帐户名,第二个参数是密码" echo "执行示例 : sh adduser.sh \$username \$password" exit -1 fi echo "=======================================开始执行=======================================" ###################################### 定义变量 vsftpHome=/etc/vsftpd vsftpData=/bigdata1/ftp uName=$1 uPass=$2 echo "=====系统参数1:vsftpHome:${vsftpHome}" echo "=====系统参数2:vsftpData:${vsftpData}" echo "" ###################################### 创建帐号和目录并授权${vsftpData}/${uName} mkdir -p ${vsftpData}/${uName} echo "1.新增nologin帐户${uName}" adduser -d ${vsftpData}/${uName} -g ftp -s /sbin/nologin ${uName} echo "2.创建目录并授权${vsftpData}/${uName}" chown -R ${uName}:ftp ${vsftpData}/${uName} chmod -R 700 ${vsftpData}/${uName} ###################################### 增加到vuser,用于生成db echo "3.将帐户${uName}写入vuser" echo ${uName} >> ${vsftpHome}/vuser echo ${uPass} >> ${vsftpHome}/vuser ###################################### 根据vuser里的账户密码生成db echo "4.重新生成login.db" db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db ###################################### 将帐户设置成只允许访问配置的目录,将账户名添加到chroot_list echo "5.将帐户${uName}写入chroot_list" echo ${uName} >> ${vsftpHome}/chroot_list ###################################### 创建配置文件并增加配置信息/etc/vsftpd/upload_user_config/${uName} configDir=${vsftpHome}/upload_user_config/${uName} echo "6.生成配置文件$configDir" touch ${configDir} echo "#只有下载权限" >> ${configDir} echo "anon_world_readable_only=NO" >> ${configDir} echo "local_root=${vsftpData}/${uName}" >> ${configDir} echo "" >> ${configDir} echo "7.重启服务" service vsftpd restart echo "==================结果:创建帐号成功,账户名:${uName},密码:${uPass}" echo "=======================================执行结束======================================="
3.删除ftp帐户
vi deluser.sh
# 2015-11-16 BlazerHe . ./common.sh if [[ "" == "$1" ]];then echo "参数不正确,必须有1个参数,第一个参数是帐户名" echo "执行示例 : sh deluser.sh \$username \$password" exit -1 fi echo "=======================================开始执行=======================================" ##################################### vsftpHome=/etc/vsftpd vsftpData=/bigdata1/ftp uName=$1 # uPass=$2 echo "=====系统参数1:vsftpHome:${vsftpHome}" echo "=====系统参数2:vsftpData:${vsftpData}" echo "" echo "1.删除帐户${uName}" userdel ${uName} echo "2.删除帐户路径${vsftpData}/${uName}" rm -rf ${vsftpData}/${uName} echo "3.删除vuser里的信息" # sed -i '/'"${uName}"'/d' ${vsftpHome}/vuser # sed -i '/'"${uPass}"'/d' ${vsftpHome}/vuser $(delLineByStr2Count ${vsftpHome}/vuser ${uName}) echo "4.重新生成login.db" db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db echo "5.删除chroot_list里的信息" # sed -i '/'"${uName}"'/d' ${vsftpHome}/chroot_list $(delLineByStr ${vsftpHome}/chroot_list ${uName}) configDir=${vsftpHome}/upload_user_config/${uName} echo "6.删除文件$configDir" rm -rf ${configDir} echo "7.重启服务..." service vsftpd restart echo "==================结果:删除帐户${uName}成功" echo "=======================================执行结束======================================="
说明:vsftpData变量为ftp配置该帐户访问的根路径
使用:
新增用户
sh adduser.sh test1 test1
删除用户
sh deluser.sh test1
题外话,ftp客户端使用
yum -y install ftp
ftp 127.0.0.1
然后输入配置的帐户密码即可。
具体的操作还需要贵客help一下!
常见错误:vsftpd登录,提示 vsftpd 500 OOPS: chroot
原因有可能是防火墙引起的,需要关闭防火墙
1. chkconfig iptables off
2. service iptables stop
3. setenforce 0 或者 修改/etc/sysconfig/selinux文件里面的SELINUX的值改为:SELINUX=disabled
后续深入:
为vsftpd配置ssl,这里选择openssl
1.查看是否支持ssl
ldd `which vsftpd`|grep ssl
2.省略安装openssl,centos自带了,直接生成ssl密钥文件并复制到/etc/ssl/certs目录下。
openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem
cp vsftpd.pem /etc/ssl/certs/vsftpd.pem
chmod 400 /etc/ssl/certs/vsftpd.pem
3.修改配置文件
vi vsftpd.conf
# ssl config ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES force_anon_logins_ssl=YES force_anon_data_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH rsa_cert_file=/etc/ssl/certs/vsftpd.pem rsa_private_key_file=/etc/ssl/certs/vsftpd.pem pasv_max_port=65535 pasv_min_port=64000
4.加入如上配置之后,重启服务
service vsftpd restart
完毕!linux的ftp工具不支持TSL,可以使用支持TSL的客户端工具,如FileZilla进行测试。
OK了!!!