vsftpd安裝，以及配置ssl

轉載請注明出處：http://www.cnblogs.com/blazer/p/4969711.html

環境：CentOs6.4 64bit

 

安裝非常容易，麻煩在配置與創建用戶，該博文主要用於記錄增加和刪除虛擬帳戶的shell腳本以及記錄安裝時的配置參數，以供之后方便於管理與使用。

 

1.先檢查是否安裝了vsftpd，如果有安裝則刪除

rpm -qa|grep vsftpd
rpm -e --nodeps xxx

 

2.安裝vsftpd

yum -y install vsftpd

 

3.啟動測試

service vsftpd start
service vsftpd status
service vsftpd stop

 

4.進入vsftpd的配置目錄

whereis vsftpd
cd /etc/vsftpd/

 

5.修改默認的配置文件

先備份

mv vsftpd.conf vsftpd.conf.bak

再修改

vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120

max_clients=20
max_per_ip=5

#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

# append

pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/upload_user_config

 

 

重要配置說明：

1.

#是否可以瀏覽非主目錄的內容，NO表示不可以

chroot_local_user＝NO

#這行必須要有, 否則文件vsftpd.chroot_list不會起作用

chroot_list_enable=YES 

chroot_list_file=/etc/vsftpd/chroot_list

2.

當創建虛擬帳戶時，需要給每個帳號都配置好權限，因此這些配置文件與帳號同名，生成在user_config_dir=/etc/vsftpd/upload_user_config（vsftpd.conf中）這個目錄下。

此處只是配置指向該目錄，並沒有創建，在之后的步驟中會創建該目錄。

 

 

6.修改pam.d

mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

vi /etc/pam.d/vsftpd

#%PAM-1.0
# 32-bit
#auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
#account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
# 64-bit
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login

 

7.增加帳戶

mkdir -p /etc/vsftpd/upload/hyy
adduser -d /etc/vsftpd/upload/hyy -g ftp -s /sbin/nologin hyy
chown -R hyy:ftp /etc/vsftpd/upload/hyy
chmod -R 700 /etc/vsftpd/upload/hyy

 

8.配置帳號密碼文件 設置權限只有root讀寫

touch /etc/vsftpd/vuser
chmod 600 /etc/vsftpd/vuser

vi /etc/vsftpd/vuser

hyy
hyy
hd_user
hd_user

奇數行是賬戶名

偶數行是密碼

需要新增則往下增加

 

9.生成pam校驗數據庫文件

db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/login.db

 

10.配置用戶權限

mkdir -p /etc/vsftpd/upload_user_config

vi /etc/vsftpd/upload_user_config/hyy

#有上傳/下載/修改權限
anon_world_readable_only=NO
write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
local_root=/etc/vsftpd/upload/hyy

 

注意：此處配置的local_root，是配置該帳戶訪問的根路徑，每個帳戶訪問自己的目錄，如果需要交叉訪問，請自行修改目錄權限以及根目錄，不在本文體現。

 

從第6步之后增加新的ftp帳戶，已經封裝好2個shell，一個是新增，一個是刪除

 

1.公共函數

vi common.sh 

function delLineByStr(){
    path=$1
    str=$2

    count=1
    row=-1
    for line in `cat $path`
    do
        if [[ "$line" == "$str" ]];then
            row=$count
            break
        fi
        ((count+=1))
    done

    if [[ "$row" == "-1" ]];then
        return
    fi
    sed -i "${row}d" $path
}

function delLineByStr2Count(){
    path=$1
    str=$2

    count=1
    row=-1
    for line in `cat $path`
    do
        if [[ "$line" == "$str" && $(($count % 2)) != 0 ]];then
            row=$count
            break
        fi
        ((count+=1))
    done

    if [[ "$row" == "-1" ]];then
        return
    fi
    sed -i "${row}d" $path
    sed -i "${row}d" $path
}

2.新增ftp帳戶

vi adduser.sh

# 2015-11-16 BlazerHe

if [[ "" == "$1" || "" == "$2" ]];then
    echo "參數不正確，必須有2個參數，第一個參數是帳戶名，第二個參數是密碼"
    echo "執行示例 : sh adduser.sh \$username \$password"
    exit -1
fi

echo "=======================================開始執行======================================="

###################################### 定義變量
vsftpHome=/etc/vsftpd
vsftpData=/bigdata1/ftp
uName=$1
uPass=$2

echo "=====系統參數1:vsftpHome:${vsftpHome}"
echo "=====系統參數2:vsftpData:${vsftpData}"
echo ""

###################################### 創建帳號和目錄並授權${vsftpData}/${uName}
mkdir -p ${vsftpData}/${uName}

echo "1.新增nologin帳戶${uName}"
adduser -d ${vsftpData}/${uName} -g ftp -s /sbin/nologin ${uName}

echo "2.創建目錄並授權${vsftpData}/${uName}"
chown -R ${uName}:ftp ${vsftpData}/${uName}
chmod -R 700 ${vsftpData}/${uName}


###################################### 增加到vuser，用於生成db
echo "3.將帳戶${uName}寫入vuser"
echo ${uName} >> ${vsftpHome}/vuser
echo ${uPass} >> ${vsftpHome}/vuser


###################################### 根據vuser里的賬戶密碼生成db
echo "4.重新生成login.db"
db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db


###################################### 將帳戶設置成只允許訪問配置的目錄，將賬戶名添加到chroot_list
echo "5.將帳戶${uName}寫入chroot_list"
echo ${uName} >> ${vsftpHome}/chroot_list


###################################### 創建配置文件並增加配置信息/etc/vsftpd/upload_user_config/${uName}
configDir=${vsftpHome}/upload_user_config/${uName}

echo "6.生成配置文件$configDir"
touch ${configDir}

echo "#只有下載權限" >> ${configDir}
echo "anon_world_readable_only=NO" >> ${configDir}
echo "local_root=${vsftpData}/${uName}" >> ${configDir}
echo "" >> ${configDir}


echo "7.重啟服務"
service vsftpd restart 


echo "==================結果：創建帳號成功，賬戶名：${uName}，密碼：${uPass}"
echo "=======================================執行結束======================================="

3.刪除ftp帳戶

vi deluser.sh

# 2015-11-16 BlazerHe

. ./common.sh

if [[ "" == "$1" ]];then
    echo "參數不正確，必須有1個參數，第一個參數是帳戶名"
    echo "執行示例 : sh deluser.sh \$username \$password"
    exit -1
fi

echo "=======================================開始執行======================================="

#####################################
vsftpHome=/etc/vsftpd
vsftpData=/bigdata1/ftp
uName=$1
# uPass=$2

echo "=====系統參數1:vsftpHome:${vsftpHome}"
echo "=====系統參數2:vsftpData:${vsftpData}"
echo ""


echo "1.刪除帳戶${uName}"
userdel ${uName}


echo "2.刪除帳戶路徑${vsftpData}/${uName}"
rm -rf ${vsftpData}/${uName}


echo "3.刪除vuser里的信息"
# sed -i '/'"${uName}"'/d' ${vsftpHome}/vuser
# sed -i '/'"${uPass}"'/d' ${vsftpHome}/vuser
$(delLineByStr2Count ${vsftpHome}/vuser ${uName})


echo "4.重新生成login.db"
db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db


echo "5.刪除chroot_list里的信息"
# sed -i '/'"${uName}"'/d' ${vsftpHome}/chroot_list
$(delLineByStr ${vsftpHome}/chroot_list ${uName})

configDir=${vsftpHome}/upload_user_config/${uName}
echo "6.刪除文件$configDir"
rm -rf ${configDir}


echo "7.重啟服務..."
service vsftpd restart


echo "==================結果：刪除帳戶${uName}成功"
echo "=======================================執行結束======================================="

說明：vsftpData變量為ftp配置該帳戶訪問的根路徑

 

使用：

新增用戶

sh adduser.sh test1 test1

刪除用戶

sh deluser.sh test1

 

題外話，ftp客戶端使用

yum -y install ftp

ftp 127.0.0.1

然后輸入配置的帳戶密碼即可。

具體的操作還需要貴客help一下！

 

常見錯誤：vsftpd登錄，提示 vsftpd 500 OOPS: chroot

原因有可能是防火牆引起的，需要關閉防火牆

1. chkconfig iptables off

2. service iptables stop

3. setenforce 0 或者 修改/etc/sysconfig/selinux文件里面的SELINUX的值改為：SELINUX=disabled

 

 

后續深入：

為vsftpd配置ssl，這里選擇openssl

 

1.查看是否支持ssl

ldd `which vsftpd`|grep ssl

 

2.省略安裝openssl，centos自帶了，直接生成ssl密鑰文件並復制到/etc/ssl/certs目錄下。

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

cp vsftpd.pem /etc/ssl/certs/vsftpd.pem

chmod 400 /etc/ssl/certs/vsftpd.pem

 

3.修改配置文件

vi vsftpd.conf

# ssl config
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
pasv_max_port=65535
pasv_min_port=64000

 

4.加入如上配置之后，重啟服務

service vsftpd restart

 

完畢！linux的ftp工具不支持TSL，可以使用支持TSL的客戶端工具，如FileZilla進行測試。

 

OK了！！！