Configuring an FTP Server on Linux
2009-07-05 11:03:39
Copyright notice: this is an original work. Reposting is permitted, but when reposting you must indicate the original source (as a hyperlink), the author information and this notice; otherwise legal action will be pursued. http://wqmsl.blog.51cto.com/847418/174246
Software package needed for the FTP server: vsftpd-2.0.1-5.i386.rpm
FTP server configuration file: /etc/vsftpd/vsftpd.conf
FTP daemon:

1. Install the package:

    [root@cisco RPMS]# rpm -ivh vsftpd-2.0.1-5.i386.rpm
    warning: vsftpd-2.0.1-5.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
    Preparing...                ########################################### [100%]
       1:vsftpd                 ########################################### [100%]

2. Look at the default server configuration (comment lines filtered out):

    [root@cisco pub]# grep -v "^#" /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    listen=YES
    tcp_wrappers=YES
    [root@cisco pub]#

3. By default FTP allows anonymous users to log in. Demonstration of anonymous login: all anonymous users land in the same directory, /var/ftp.

4. Users listed in /etc/vsftpd.ftpusers cannot log in to the FTP server. If you want the users in that file to be the ones who can log in, edit /etc/pam.d/vsftpd and change sense=deny to sense=allow.

5. /etc/vsftpd.user_list can also restrict users, and is more flexible. If it conflicts with /etc/vsftpd.ftpusers, /etc/vsftpd.ftpusers wins. How this file is applied is controlled by settings in the configuration file:

    userlist_enable=YES
    userlist_deny=YES

   means the users in the file cannot log in to the FTP server, while

    userlist_enable=YES
    userlist_deny=NO

   means only the users in vsftpd.user_list may log in.

6. Lock local users into their home directory after they log in to the FTP server: add the setting chroot_local_user=YES to vsftpd.conf.

   Demonstration. Before the setting is added:

    [root@localhost ~]# ftp 192.168.20.1
    Connected to 192.168.20.1.
    220 (vsFTPd 2.0.1)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.20.1:root): cisco
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/home/cisco"
    ftp> cd /etc
    250 Directory successfully changed.
    ftp> get passwd
    local: passwd remote: passwd
    227 Entering Passive Mode (192,168,20,1,194,117)
    150 Opening BINARY mode data connection for passwd (1458 bytes).
    226 File send OK.
    1458 bytes received in 0.0032 seconds (4.4e+02 Kbytes/s)
    ftp> bye
    221 Goodbye.
    [root@localhost ~]# cd /root
    [root@localhost ~]# ls
    aa  anaconda-ks.cfg  file1  files  install.log  install.log.syslog  passwd

   This is clearly insecure: a local account could read /etc/passwd off the server. After the setting is added, the user can no longer change directory:

    [root@localhost ~]# ftp 192.168.20.1
    Connected to 192.168.20.1.
    220 (vsFTPd 2.0.1)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.20.1:root): cisco
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp> cd /etc
    550 Failed to change directory.
    ftp> bye
    221 Goodbye.

7. Steps for setting up vsftpd virtual user accounts:

   1) Create the virtual user password list file (user name on one line, password on the next):

    [root@cisco ~]# vi login.txt
    [root@cisco ~]# cat login.txt
    mike
    123
    john
    456

   2) Generate vsftpd's authentication database (the db4 utilities must be installed):

    [root@cisco ~]# rpm -qa |grep db4
    db4-4.2.52-7.1
    db4-utils-4.2.52-7.1
    db4-tcl-4.2.52-7.1
    db4-java-4.2.52-7.1
    [root@cisco ~]# db_load -T -t hash -f /root/login.txt /etc/vsftpd/vsftpd_login.db

   3) Create the PAM configuration file the virtual users need:

    [root@cisco ~]# vi /etc/pam.d/vsftpd.vu
    auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
    account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

   4) Create the directory the virtual users will access and set its permissions:

    [root@cisco ~]# useradd vuser
    [root@cisco ~]# passwd vuser
    Changing password for user vuser.
    New UNIX password:
    BAD PASSWORD: it is too simplistic/systematic
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    [root@cisco ~]# ls -l /home/vuser/
    total 0
    [root@cisco ~]# cd /home
    [root@cisco home]# ls -l
    total 16
    drwx------  2 cisco cisco 4096 Jun  9 11:49 cisco
    drwx------  2 vuser vuser 4096 Jun 10 17:03 vuser

   5) Configure vsftpd.conf:

    pam_service_name=vsftpd.vu
    guest_enable=YES
    guest_username=vuser

   6) Set up per-user configuration files to grant different permissions. Add to the main vsftpd configuration file:

    user_config_dir=/etc/vsftpd_user_conf

   Create that directory and one file per virtual user:

    [root@cisco home]# mkdir /etc/vsftpd_user_conf
    [root@cisco home]# cd /etc/vsftpd_user_conf/
    [root@cisco vsftpd_user_conf]# vi mike
    [root@cisco vsftpd_user_conf]# cat mike
    anon_world_readable_only=NO
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    [root@cisco vsftpd_user_conf]# cat john
    anon_world_readable_only=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

   Demonstration. mike, whose file has anon_upload_enable=YES, can upload:

    [root@cisco vsftpd_user_conf]# ftp 192.168.20.1
    Connected to 192.168.20.1.
    220 (vsFTPd 2.0.1)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.20.1:root): mike
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (192,168,20,1,161,93)
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               4 Jun 10 09:12 1
    226 Directory send OK.
    ftp> put mike
    local: mike remote: mike
    227 Entering Passive Mode (192,168,20,1,240,52)
    150 Ok to send data.
    226 File receive OK.
    107 bytes sent in 7.9e-05 seconds (1.3e+03 Kbytes/s)
    ftp> ls
    227 Entering Passive Mode (192,168,20,1,172,142)
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               4 Jun 10 09:12 1
    -rw-------    1 501      501           107 Jun 10 09:29 mike
    226 Directory send OK.
    ftp> bye
    221 Goodbye.

   john, whose file has anon_upload_enable=NO, is refused:

    [root@cisco vsftpd_user_conf]# ftp 192.168.20.1
    Connected to 192.168.20.1.
    220 (vsFTPd 2.0.1)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.20.1:root): john
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (192,168,20,1,91,149)
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               4 Jun 10 09:12 1
    -rw-------    1 501      501           107 Jun 10 09:29 mike
    226 Directory send OK.
    ftp> put john
    local: john remote: john
    227 Entering Passive Mode (192,168,20,1,96,249)
    550 Permission denied.
    ftp> bye
    221 Goodbye.
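The interaction between /etc/vsftpd.ftpusers and /etc/vsftpd.user_list in steps 4 and 5 is easy to get backwards, so here is an added example (my own script, not from the original post) that models the combined login decision the post describes: a name in ftpusers is always refused, and otherwise userlist_enable/userlist_deny decide whether user_list is a deny-list or an allow-list. The list files, the two config fragments and the user names are constructed in a temporary directory, so nothing under /etc is touched. Real vsftpd consults user_list before asking for a password and ftpusers afterwards through PAM; only the final outcome is modelled here.

```shell
#!/bin/sh
# Added example, not part of the original post. It models the combined login
# decision the post describes in steps 4 and 5: a user in /etc/vsftpd.ftpusers
# (enforced by PAM with sense=deny) is always refused; otherwise
# userlist_enable/userlist_deny decide how /etc/vsftpd.user_list is read.
# All files are constructed in a temporary directory, so nothing touches /etc.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample lists (root appears in both to show which one wins).
printf 'root\nbin\ndaemon\n' > "$WORK/ftpusers"
printf 'root\nnews\ncisco\n' > "$WORK/user_list"

# Constructed configs: the two combinations from step 5 of the post.
printf 'userlist_enable=YES\nuserlist_deny=YES\n' > "$WORK/denylist.conf"
printf 'userlist_enable=YES\nuserlist_deny=NO\n'  > "$WORK/allowlist.conf"

# in_file USER FILE: true if USER appears as a whole line in FILE.
in_file() {
    grep -qx -- "$1" "$2"
}

# conf_get FILE KEY: last uncommented KEY=value in FILE, or "unset".
conf_get() {
    v=$(grep -v '^#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-)
    if [ -n "$v" ]; then printf '%s' "$v"; else printf 'unset'; fi
}

# ftp_login_allowed CONF USER: prints "ALLOW" or "DENY: <reason>".
ftp_login_allowed() {
    conf=$1; user=$2
    # 1. ftpusers is checked by PAM (pam_listfile, sense=deny) and wins on conflict.
    if in_file "$user" "$WORK/ftpusers"; then
        echo "DENY: $user is in ftpusers"
        return 0
    fi
    # 2. user_list only matters when userlist_enable=YES.
    if [ "$(conf_get "$conf" userlist_enable)" = "YES" ]; then
        if [ "$(conf_get "$conf" userlist_deny)" = "NO" ]; then
            # allow-list: only names in user_list may log in
            if ! in_file "$user" "$WORK/user_list"; then
                echo "DENY: $user is not in user_list (allow-list mode)"
                return 0
            fi
        else
            # deny-list (also vsftpd's default when userlist_deny is unset)
            if in_file "$user" "$WORK/user_list"; then
                echo "DENY: $user is in user_list (deny-list mode)"
                return 0
            fi
        fi
    fi
    echo "ALLOW"
}

# Walk a few users through both configurations.
for c in denylist allowlist; do
    for u in root cisco mike; do
        printf '%-9s %-6s -> %s\n' "$c" "$u" "$(ftp_login_allowed "$WORK/$c.conf" "$u")"
    done
done
```

Running it shows root refused under both configurations even though it is in user_list, cisco refused only in deny-list mode, and mike refused only in allow-list mode. The practical lesson for a server like the one in the post: put service accounts such as root in ftpusers, which no vsftpd.conf change can override, and use userlist_deny=NO when you want an explicit allow-list.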
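Step 2 prints the stock configuration and step 6 shows what it allows: a local user browsing /etc and downloading passwd. The following added example (my own script, not part of the post or of vsftpd) audits a vsftpd.conf for exactly those two exposures and writes a hardened copy beside it. The input is the default configuration from step 2, embedded as a constructed file in a temporary directory; the FINDING/NOTE messages and the .hardened file name are this script's own. It relies on two vsftpd defaults I am confident of: anonymous_enable defaults to YES and userlist_deny defaults to YES.

```shell
#!/bin/sh
# Added example, not part of the original post. It audits a vsftpd.conf for
# the two exposures the post demonstrates (anonymous login left on, local
# users able to leave their home directory) and writes a hardened copy.
# The input below is the default configuration printed in step 2; the output
# path and the audit messages are this script's own, not vsftpd's.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
EOF

# conf_get FILE KEY: last uncommented KEY=value in FILE, or "unset".
conf_get() {
    v=$(grep -v '^#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-)
    if [ -n "$v" ]; then printf '%s' "$v"; else printf 'unset'; fi
}

# audit_vsftpd_conf FILE: one FINDING/NOTE line per problem; always returns 0.
audit_vsftpd_conf() {
    f=$1
    # vsftpd's compiled-in default for anonymous_enable is YES, so "unset"
    # is treated the same as YES.
    if [ "$(conf_get "$f" anonymous_enable)" != "NO" ]; then
        echo "FINDING: anonymous login is enabled (everyone lands in /var/ftp); set anonymous_enable=NO unless this is a public download server"
    fi
    if [ "$(conf_get "$f" local_enable)" = "YES" ] && [ "$(conf_get "$f" chroot_local_user)" != "YES" ]; then
        echo "FINDING: local users are not chrooted, so 'cd /etc' and 'get passwd' work as in step 6; add chroot_local_user=YES"
    fi
    if [ "$(conf_get "$f" userlist_enable)" = "YES" ] && [ "$(conf_get "$f" userlist_deny)" = "unset" ]; then
        echo "NOTE: userlist_deny is not set; vsftpd defaults it to YES, so user_list is a deny-list, not an allow-list"
    fi
    return 0
}

# count_findings FILE: number of FINDING lines (NOTE lines are informational).
count_findings() {
    audit_vsftpd_conf "$1" | grep -c '^FINDING:'
}

# harden_vsftpd_conf IN OUT: copy IN to OUT with anonymous login off, local
# users chrooted and the user_list mode written out explicitly.
harden_vsftpd_conf() {
    in=$1; out=$2
    sed -e 's/^anonymous_enable=.*/anonymous_enable=NO/' "$in" > "$out"
    [ "$(conf_get "$out" anonymous_enable)" = "NO" ] || echo "anonymous_enable=NO" >> "$out"
    [ "$(conf_get "$out" chroot_local_user)" = "YES" ] || echo "chroot_local_user=YES" >> "$out"
    if [ "$(conf_get "$out" userlist_enable)" = "YES" ] && [ "$(conf_get "$out" userlist_deny)" = "unset" ]; then
        echo "userlist_deny=YES" >> "$out"
    fi
}

echo "== before =="
audit_vsftpd_conf "$WORK/vsftpd.conf"
harden_vsftpd_conf "$WORK/vsftpd.conf" "$WORK/vsftpd.conf.hardened"
echo "== after =="
audit_vsftpd_conf "$WORK/vsftpd.conf.hardened"
diff "$WORK/vsftpd.conf" "$WORK/vsftpd.conf.hardened" || true
```

The diff at the end is the whole change set: one edited line and two appended ones. Keeping the audit separate from the rewrite means the same check can be run against the live /etc/vsftpd/vsftpd.conf after every change, which is how a mis-edit like the chroot setting being dropped again would be caught.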
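Two details of the virtual-user setup in step 7 are worth checking mechanically. First, the file fed to db_load -T -t hash is read as alternating user/password lines, so a stray blank line or an odd line count silently shifts every later pair. Second, db_load stores the passwords exactly as they are typed in login.txt, so login.txt and vsftpd_login.db hold cleartext credentials and should be root-only. This added example (my own script, not from the post) wraps steps 7.1 to 7.6 in helpers that validate the list, build the database only when db_load is installed, tighten the file modes, and generate the user_config_dir files. Everything is written to a temporary directory; the "rw"/"ro" profile names are this script's shorthand, not vsftpd options, and "ro" is stricter than the post's john file, turning all three anon_*write* settings off.

```shell
#!/bin/sh
# Added example, not part of the original post. It wraps steps 7.1-7.6 of the
# virtual-user setup into checked helpers: it validates the login.txt layout
# that "db_load -T -t hash" expects (alternating user/password lines), builds
# the database only if db_load is installed, keeps the cleartext password
# files root-only, and generates the per-user files for user_config_dir.
# Everything is written under a temporary directory; the "rw"/"ro" profiles
# are this script's own shorthand, not vsftpd options.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the post's login.txt: user on one line, password on the next.
printf 'mike\n123\njohn\n456\n' > "$WORK/login.txt"

# check_login_txt FILE: prints "OK: N virtual users" or an ERROR line.
# An empty line or an odd line count shifts every later pair, so a password
# silently becomes a user name and the next user's login fails.
check_login_txt() {
    if grep -q '^$' "$1"; then
        echo "ERROR: empty line in $1"
        return 0
    fi
    n=$(grep -c '' "$1")
    if [ $((n % 2)) -ne 0 ]; then
        echo "ERROR: $n lines in $1, expected user/password pairs"
        return 0
    fi
    echo "OK: $((n / 2)) virtual users"
}

# build_login_db TXT DB: step 7.2, only when db4-utils is present.
# db_load stores the passwords exactly as written, so both files are chmod 600.
build_login_db() {
    chmod 600 "$1"
    if command -v db_load >/dev/null 2>&1; then
        db_load -T -t hash -f "$1" "$2"
        chmod 600 "$2"
    else
        echo "db_load not installed; skipping database build"
    fi
}

# make_user_conf DIR USER PROFILE: step 7.6. "rw" matches the post's mike
# (uploads allowed); "ro" turns all three anon_*write* options off, so the
# user can only download.
make_user_conf() {
    dir=$1; user=$2; profile=$3
    mkdir -p "$dir"
    case "$profile" in
        rw) w=YES ;;
        ro) w=NO ;;
        *)  echo "unknown profile: $profile"; return 1 ;;
    esac
    {
        echo "anon_world_readable_only=NO"
        echo "anon_upload_enable=$w"
        echo "anon_mkdir_write_enable=$w"
        echo "anon_other_write_enable=$w"
    } > "$dir/$user"
}

check_login_txt "$WORK/login.txt"
build_login_db "$WORK/login.txt" "$WORK/vsftpd_login.db"
make_user_conf "$WORK/vsftpd_user_conf" mike rw
make_user_conf "$WORK/vsftpd_user_conf" john ro
ls -l "$WORK/login.txt" "$WORK/vsftpd_user_conf"
```

On a real server the same helpers would be pointed at /root/login.txt, /etc/vsftpd/vsftpd_login.db and /etc/vsftpd_user_conf from the post. Because every virtual user is mapped to the single system account guest_username=vuser, the per-user file is the only thing separating an upload-capable user from a download-only one, so generating those files from a fixed profile rather than editing them by hand keeps a forgotten anon_upload_enable=YES from turning a read-only account into a writable one.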

Author: wqmsl