Note: for low-level applications that are basically used as-is, I prefer packaged installs, i.e. installing directly with yum or rpm; for applications that need a lot of application-level control or have to be maintained at scale, I prefer the tar.gz release.
There are many FTP server implementations for Linux, but the one in widest use is vsftpd, a GPL-licensed FTP server for UNIX whose full name is "very secure FTP daemon"; its home page is https://security.appspot.com/vsftpd.html.
1. Install vsftpd: yum install vsftpd
After the install completes, run which vsftpd to verify that it succeeded. The install also creates three configuration files under /etc/vsftpd:
[root@elk1 vsftpd]# ll
總用量 20
-rw-------. 1 root root  125 8月   3 2017 ftpusers    # users who may not access the FTP server; this covers root and a number of other important accounts.
-rw-------. 1 root root  361 8月   3 2017 user_list   # whether the listed users may access the server is decided by userlist_deny in vsftpd.conf; the three settings userlist_enable=YES, userlist_deny=YES and userlist_file=/etc/vsftpd/user_list allow the users in this file to access FTP.
-rw-------. 1 root root 5135 6月   8 11:32 vsftpd.conf # main configuration file
Note: although vsftpd shares the Linux user database, it adds a finer-grained second layer of protection to avoid common weaknesses, so if you want root to be able to log in you have to comment root out of ftpusers.
2. Once installed, service vsftpd start brings the FTP service up with all defaults. That is the simplest possible way, but in practice we usually have to modify the configuration to meet specific management requirements, for example:
- specify the root directory instead of the default /pub;
- specify whether anonymous access is enabled, and which users may access which directories;
- set whether users may create directories that do not yet exist.
Generally, a public FTP server has to isolate the access rights of different users; inside one company or business unit, a single user with access partitioned by directory is usually enough, balancing manageability against convenience.
Here we assume the FTP directory is /usr/local/app/yidoo/ebs-k3c with a file subdirectory beneath it. The user ftpadmin/123456 may read and write every file under file but may not create new directories; anonymous users may read files under file but may not write.
- First create a dedicated FTP user, ftpadmin.
[root@elk1 vsftpd]# useradd ftpadmin -s /sbin/nologin
[root@elk1 vsftpd]# passwd ftpadmin
更改用戶 ftpadmin 的密碼 。
新的 密碼:
無效的密碼: 密碼少於 8 個字符
重新輸入新的 密碼:
passwd:所有的身份驗證令牌已經成功更新。
[root@elk1 vsftpd]#
Now ftpadmin can be used to access the FTP server, as shown below:
2. vsftpd's root directory is controlled by two parameters: local_root is the directory vsftpd enters when a non-anonymous user logs in, and anon_root is the directory it enters for anonymous logins. Neither has a default value, though in my tests it turned out to be /pub. So to change the FTP directory, set these two parameters:
vim /etc/vsftpd/vsftpd.conf
local_root=/usr/local/app/yidoo/ebs-k3c
anon_root=/usr/local/app/yidoo/ebs-k3c
3. Make the anonymous user read-only, and let logged-in users write but neither create directories nor access directories outside the designated FTP directory. By default an FTP user can cd into other directories after logging in; for example, the ftpadmin user we created above can switch to /etc.
- anonymous_enable=true # enable anonymous login; enabled by default
- anon_world_readable_only=true # allow anonymous downloads; enabled by default
- local_enable=true # defaults to false, which does not seem like a sensible default
- write_enable=true
- # the next three settings control fine-grained access
- chroot_list_enable=NO # whether to use the user list file named by chroot_list_file. YES enables it, NO disables it; the default is NO.
- chroot_local_user=YES # whether to confine every user to the home directory, i.e. stop them switching to sibling or unrelated directories such as /etc as described above. YES enables it, NO disables it. (The default is NO, so on an unconfigured fresh install FTP users can move up beyond the root directory.)
- chroot_list_file=/etc/vsftpd/chroot_list # the list of users to confine to the home directory. Whether it is a confine list or an exclusion list depends on chroot_local_user. A way to remember it: chroot_local_user is always the global setting; YES locks every user into the home directory, NO locks nobody in. Under any global setting we inevitably need some "fine adjustment", i.e. an "exception mechanism", so chroot_list_enable=YES means "we need exceptions". And an "exception" always has a context: when every user is locked in (chroot_local_user=YES) the exceptions are the users who are not locked in; when no user is locked in (chroot_local_user=NO) the exceptions are the users who are. Explained this way, the relationship between the two is clear.
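The following is an added example of my own, not code from the post or from the vsftpd project. It simulates, for a named local user, the per-user decisions the list files and directives above produce on a CentOS vsftpd: ftpusers is a deny list read through pam_listfile in /etc/pam.d/vsftpd; user_list is consulted only when userlist_enable=YES, and with userlist_deny=YES (the compiled default) the listed users are refused, while with userlist_deny=NO only the listed users are admitted; chroot_local_user is the global chroot default, which chroot_list_file inverts for the listed users when chroot_list_enable=YES. The sample files and the decide function are constructed for the demo; anonymous logins, which vsftpd always chroots, are not modelled.

```shell
#!/bin/sh
# Added example, not from the original post or from vsftpd: simulate the
# per-user decisions a CentOS vsftpd makes for a local login from the
# three list files and the directives discussed above. Sample files and
# the decide function are constructed for the demo.

# conf_get FILE KEY DEFAULT : last uncommented KEY=VALUE in FILE, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# vsftpd_bool VALUE : 1 for YES/true/1 (any case), 0 otherwise.
vsftpd_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# in_list FILE USER : whole-line match, skipping blank and comment lines.
in_list() {
    [ -n "$1" ] && [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -qx "$2"
}

# decide CONF FTPUSERS USER : prints one of denied:ftpusers,
# denied:user_list, allowed:chrooted, allowed:free; returns 1 if refused.
decide() {
    conf=$1; user=$3
    # 1. ftpusers: deny list enforced by pam_listfile in /etc/pam.d/vsftpd.
    if in_list "$2" "$user"; then echo denied:ftpusers; return 1; fi
    # 2. user_list: only consulted when userlist_enable=YES. userlist_deny=YES
    #    (the default) refuses listed users; NO admits only listed users.
    if [ "$(vsftpd_bool "$(conf_get "$conf" userlist_enable NO)")" = 1 ]; then
        deny=$(vsftpd_bool "$(conf_get "$conf" userlist_deny YES)")
        if in_list "$(conf_get "$conf" userlist_file '')" "$user"; then listed=1; else listed=0; fi
        if [ "$deny" = "$listed" ]; then echo denied:user_list; return 1; fi
    fi
    # 3. chroot: chroot_local_user is the global default; with
    #    chroot_list_enable=YES the users in chroot_list_file invert it.
    do_chroot=$(vsftpd_bool "$(conf_get "$conf" chroot_local_user NO)")
    if [ "$(vsftpd_bool "$(conf_get "$conf" chroot_list_enable NO)")" = 1 ] \
       && in_list "$(conf_get "$conf" chroot_list_file '')" "$user"; then
        do_chroot=$((1 - do_chroot))
    fi
    if [ "$do_chroot" = 1 ]; then echo allowed:chrooted; else echo allowed:free; fi
}

# Constructed demo files (not copied from any real server).
DIR=$(mktemp -d)
printf '# system accounts never get FTP\nroot\nbin\ndaemon\n' > "$DIR/ftpusers"
printf 'root\nnobody\n' > "$DIR/user_list"
printf 'backup\n' > "$DIR/chroot_list"
cat > "$DIR/vsftpd.conf" <<EOF
local_enable=YES
userlist_enable=YES
userlist_deny=YES
userlist_file=$DIR/user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$DIR/chroot_list
EOF

# root -> denied:ftpusers, nobody -> denied:user_list,
# ftpadmin -> allowed:chrooted, backup -> allowed:free
for u in root nobody ftpadmin backup; do
    printf '%-9s -> %s\n' "$u" "$(decide "$DIR/vsftpd.conf" "$DIR/ftpusers" "$u")"
done
rm -rf "$DIR"
```

On a real server, call decide with /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers and the user name; root stays at denied:ftpusers until it is commented out of ftpusers, which is the behaviour the note above describes. The script reads only the directives named in the post, so chroot_list handling is exactly the "exception" rule explained above.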
4. After changing the settings above, restart vsftpd: service vsftpd restart
When you now explicitly access the directory above again, the client reports that it cannot display the remote folder, i.e. the FTP client never learns which physical directory the current root corresponds to.
5. If SELinux is enabled it must be disabled, and the following must be run; otherwise uploads fail with vsftp 553 Could not create file.
[root@elk1 vsftpd]# vim /etc/selinux/config
[root@elk1 vsftpd]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled    # here
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@elk1 vsftpd]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@elk1 vsftpd]# setsebool allow_ftpd_full_access on    # here
[root@elk1 vsftpd]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
References:
Official reference for every vsftpd.conf option: https://security.appspot.com/vsftpd/vsftpd_conf.html (note: reaching it may require getting past the firewall).
After changing the configuration, startup failed with Job for vsftpd.service failed because the control process exited with error code. See "systemctl status vsftpd.service" and "journalctl -xe" for details. Post #19 at http://bbs.51cto.com/thread-1480655-1-1.html offers the ultimate fix, reinstalling, so I reverted every setting to its default and changed them back one at a time to see where the problem was.
VSFTPD kept reporting "user authentication failed": after the setup everything worked that day, but from the moment the server was rebooted the next day, both xftp and the Java client kept reporting "user authentication failed", whether logging in anonymously, as root or as ftpadmin. I searched quite a few posts, e.g. https://yq.aliyun.com/wenzhang/show_11618 (which only covers the Java client) and https://bbs.aliyun.com/read/252932.html?pos=6 (which is about logging in over SSH, not FTP), and none of them solved it. Logging in with the command-line ftp client gives:
用戶(192.168.230.128:(none)): ftpadmin
331 Please specify the password.
密碼:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
遠程主機關閉連接。
The full configuration:
[root@elk1 vsftpd]# cat vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
local_root=/usr/local/app/yidoo/ebs-k3c
chroot_local_user=YES
# chroot_list_enable=false
anon_root=/usr/local/app/yidoo/ebs-k3c
When I comment out chroot_local_user, i.e. stop confining users to the home directory, the error goes away. Once the specific error message is known, fixing it is easy; it turns out:
The problem occurs in the newest versions and is caused by the following update:
- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
Since 2.3.5, vsftpd has tightened its security checks: if a user is confined to the home directory, that home directory may no longer be writable. If the check finds it is still writable, this error is reported.
To fix it, remove write permission from the user's home directory with chmod a-w /home/user (substituting your own directory), or add one of the following two options to the vsftpd configuration file:
allow_writeable_chroot=YES
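As an added example of my own (not code from the post or from vsftpd), here is a pre-flight check that reproduces the condition behind this error before the daemon is restarted: vsftpd refuses the login when the user will be chrooted, allow_writeable_chroot is not set, and access(2) as the logged-in user reports the chroot root writable. The script approximates that access check from the mode bits and ownership printed by ls -ld. It also flags a configuration that leaves the anonymous user writable, which the full vsftpd.conf above does (anon_upload_enable=YES and anon_mkdir_write_enable=YES alongside write_enable=YES) even though the goal stated earlier was read-only anonymous access. The directory, config file and function names are constructed for the demo; the chroot_list exception mechanism is not modelled here.

```shell
#!/bin/sh
# Added example, not from the original post or from vsftpd: a pre-flight
# check for "refusing to run with writable root inside chroot()" plus a
# check that the anonymous user really is read-only. All file and
# function names here are constructed for the demo.

# conf_get FILE KEY DEFAULT : last uncommented KEY=VALUE in FILE, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# vsftpd_bool VALUE : 1 for YES/true/1 (any case), 0 otherwise.
vsftpd_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# dir_writable_by USER DIR : approximates access(DIR, W_OK) for USER from
# the mode string, owner and group printed by ls -ld. root gets no special
# treatment because vsftpd runs this check after dropping privileges.
dir_writable_by() {
    user=$1
    set -- $(ls -ld "$2")           # $1=mode $3=owner $4=group
    if [ "$3" = "$user" ]; then
        pos=3                       # owner write bit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$4"; then
        pos=6                       # group write bit
    else
        pos=9                       # other write bit
    fi
    [ "$(printf '%s' "$1" | cut -c"$pos")" = w ]
}

# check_chroot_root CONF USER : returns 1 (and says why) when vsftpd 2.3.5+
# would refuse USER's login with the given config.
check_chroot_root() {
    conf=$1; user=$2
    root=$(conf_get "$conf" local_root '')
    [ -n "$root" ] || root=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    if [ "$(vsftpd_bool "$(conf_get "$conf" chroot_local_user NO)")" = 1 ] \
       && [ "$(vsftpd_bool "$(conf_get "$conf" allow_writeable_chroot NO)")" = 0 ] \
       && dir_writable_by "$user" "$root"; then
        echo "REFUSE: $root is writable by $user; run 'chmod a-w $root' or set allow_writeable_chroot=YES"
        return 1
    fi
    echo "OK: $user may log in; chroot root is $root"
}

# check_anon_readonly CONF : returns 1 when anonymous users could write.
check_anon_readonly() {
    conf=$1
    anon=$(vsftpd_bool "$(conf_get "$conf" anonymous_enable YES)")
    write=$(vsftpd_bool "$(conf_get "$conf" write_enable NO)")
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$anon$write$(vsftpd_bool "$(conf_get "$conf" "$key" NO)")" = 111 ]; then
            echo "WARN: anonymous write path open via $key=YES"
            return 1
        fi
    done
    echo "OK: anonymous user is read-only"
}

# Constructed demo: a throwaway root directory and config owned by the
# current user, which stands in for ftpadmin.
ME=$(id -un)
ROOT=$(mktemp -d)
CONF=$(mktemp)
printf 'anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n' > "$CONF"
printf 'chroot_local_user=YES\nlocal_root=%s\n' "$ROOT" >> "$CONF"

chmod 755 "$ROOT"
if check_chroot_root "$CONF" "$ME"; then :; fi     # REFUSE: owner has the write bit
chmod a-w "$ROOT"
if check_chroot_root "$CONF" "$ME"; then :; fi     # OK after the chmod a-w fix
if check_anon_readonly "$CONF"; then :; fi         # WARN: anon_upload_enable=YES
echo 'anon_upload_enable=NO' >> "$CONF"
if check_anon_readonly "$CONF"; then :; fi         # OK
rm -rf "$ROOT" "$CONF"
```

Against a real server, run check_chroot_root /etc/vsftpd/vsftpd.conf ftpadmin as root before restarting the service. The mode-bit approximation ignores POSIX ACLs, so a directory that is writable only through an ACL would pass here and still trip vsftpd's own access(2) check.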
After adding the option above to the configuration file, both xftp and the native ftp client could access the server normally.