一、安裝並啟動服務
1 [root@node01 ~]# systemctl status vsftpd.service 2 ● vsftpd.service - Vsftpd ftp daemon 3 Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled) 4 Active: active (running) since Sat 2018-07-21 05:39:53 CST; 13s ago 5 Process: 2958 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS) 6 Main PID: 2959 (vsftpd) 7 CGroup: /system.slice/vsftpd.service 8 └─2959 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf 9 10 Jul 21 05:39:53 node01 systemd[1]: Starting Vsftpd ftp daemon... 11 Jul 21 05:39:53 node01 systemd[1]: Started Vsftpd ftp daemon. 12 [root@node01 ~]# ss -tnlp|grep 21 13 LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=2959,fd=3)) 14 [root@node01 ~]#
二、匿名用戶訪問
默認情況下,啟動服務可以通過匿名用戶直接登錄,但是不允許上傳文件
1 [root@node02 ~]# lftp 192.168.0.10 2 lftp 192.168.0.10:~> dir 3 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 4 lftp 192.168.0.10:/> cd pub/ 5 lftp 192.168.0.10:/pub> dir 6 lftp 192.168.0.10:/pub> put /etc/passwd 7 put: Access failed: 550 Permission denied. (passwd) 8 lftp 192.168.0.10:/pub> put /etc/fstab 9 put: Access failed: 550 Permission denied. (fstab) 10 lftp 192.168.0.10:/pub>
默認情況下vsftpd中允許匿名上傳的配置是關閉狀態,將以下兩項設置為YES(被注釋的先去掉注釋),另外保證write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
[root@node01 vsftpd]# grep -E "anonymous_enable|anon_upload_enable|write_enable" vsftpd.conf anonymous_enable=YES write_enable=YES anon_upload_enable=YES [root@node01 vsftpd]# systemctl restart vsftpd.service [root@node01 vsftpd]#
接下來再次測試:
1 [root@node02 ~]# lftp 192.168.0.10 2 lftp 192.168.0.10:~> ls 3 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 4 drwxr-xr-x 2 0 0 6 Jul 20 23:05 upload 5 lftp 192.168.0.10:/> lcd 6 lcd ok, local cwd=/root 7 lftp 192.168.0.10:/> lcd /etc/ 8 lcd ok, local cwd=/etc 9 lftp 192.168.0.10:/> cd pub/ 10 lftp 192.168.0.10:/pub> put passwd 11 put: Access failed: 553 Could not create file. (passwd) 12 lftp 192.168.0.10:/pub> cd .. 13 lftp 192.168.0.10:/> dir 14 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 15 drwxr-xr-x 2 0 0 6 Jul 20 23:05 upload 16 lftp 192.168.0.10:/> cd upload/ 17 lftp 192.168.0.10:/upload> put fstab 18 put: Access failed: 553 Could not create file. (fstab) 19 lftp 192.168.0.10:/upload>
發現仍然無法上傳文件,為什麼修改了對應項目還是無法上傳呢?這裡我們來看一下vsftpd的上傳目錄的權限
1 [root@node01 ~]# ls -ld /var/ftp/ 2 drwxr-xr-x 4 root root 29 Jul 21 07:05 /var/ftp/ 3 [root@node01 ~]# cd /var/ftp/ 4 [root@node01 ftp]# ls -ald 5 drwxr-xr-x 4 root root 29 Jul 21 07:05 . 6 [root@node01 ftp]# ls -al 7 total 4 8 drwxr-xr-x 4 root root 29 Jul 21 07:05 . 9 drwxr-xr-x. 20 root root 4096 Jul 21 05:35 .. 10 drwxr-xr-x 2 root root 6 Aug 3 2017 pub 11 drwxr-xr-x 2 root root 6 Jul 21 07:05 upload 12 [root@node01 ftp]#
發現上傳目錄和目錄下的子目錄屬主和屬組都是root,而匿名用戶被映射成ftp用戶,pub、upload目錄對於ftp用戶都沒有任何寫入權限,所以上傳文件會報錯,這裡修改upload目錄的屬主
1 [root@node01 ftp]# chown ftp upload 2 [root@node01 ftp]# ll 3 total 0 4 drwxr-xr-x 2 root root 6 Aug 3 2017 pub 5 drwxr-xr-x 2 ftp root 6 Jul 21 07:05 upload 6 [root@node01 ftp]#
再測試上傳文件
1 lftp 192.168.0.10:/upload> bye 2 [root@node02 ~]# lftp 192.168.0.10 3 lftp 192.168.0.10:~> ls 4 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 5 drwxr-xr-x 2 14 0 6 Jul 20 23:05 upload 6 lftp 192.168.0.10:/> cd upload 7 lftp 192.168.0.10:/upload> lcd /etc/ 8 lcd ok, local cwd=/etc 9 lftp 192.168.0.10:/upload> put passwd 10 1080 bytes transferred 11 lftp 192.168.0.10:/upload> put fstab 12 501 bytes transferred 13 lftp 192.168.0.10:/upload> exit 14 [root@node02 ~]# lftp 192.168.0.10 15 lftp 192.168.0.10:~> lcd /etc 16 lcd ok, local cwd=/etc 17 lftp 192.168.0.10:~> cd pub/ 18 lftp 192.168.0.10:/pub> put passwd 19 put: Access failed: 553 Could not create file. (passwd) 20 lftp 192.168.0.10:/pub> put fstab 21 put: Access failed: 553 Could not create file. (fstab) 22 lftp 192.168.0.10:/pub> exit 23 [root@node02 ~]#
發現upload可以上傳,pub目錄仍然無法上傳
1 [root@node01 ~]# cd /var/ftp/ 2 [root@node01 ftp]# ls -la 3 total 4 4 drwxr-xr-x 4 root root 29 Jul 21 07:05 . 5 drwxr-xr-x. 20 root root 4096 Jul 21 05:35 .. 6 drwxr-xr-x 2 root root 6 Aug 3 2017 pub 7 drwxr-xr-x 2 ftp root 31 Jul 21 07:22 upload 8 [root@node01 ftp]# cd upload/ 9 [root@node01 upload]# ls -lh 10 total 8.0K 11 -rw------- 1 ftp ftp 501 Jul 21 07:22 fstab 12 -rw------- 1 ftp ftp 1.1K Jul 21 07:22 passwd 13 [root@node01 upload]#
上傳之後的文件fstab、passwd權限為600,進一步驗證創建目錄和文件
1 [root@node02 ~]# lftp 192.168.0.10 2 lftp 192.168.0.10:~> ls 3 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 4 drwxr-xr-x 2 14 0 31 Jul 20 23:22 upload 5 lftp 192.168.0.10:/> cd upload/ 6 lftp 192.168.0.10:/upload> ls -l 7 -rw------- 1 14 50 501 Jul 20 23:22 fstab 8 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 9 lftp 192.168.0.10:/upload> mkdir ftpdir 10 mkdir: Access failed: 550 Permission denied. (ftpdir) 11 lftp 192.168.0.10:/upload> touch ftpfile 12 Unknown command `touch'. 13 lftp 192.168.0.10:/upload> ls -lh 14 -rw------- 1 14 50 501 Jul 20 23:22 fstab 15 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 16 lftp 192.168.0.10:/upload>
發現在upload目錄下無法創建文件和目錄,提示沒有權限,接下來解決無法創建目錄(文件)的問題,在vsftp中有一個配置選項 "anon_mkdir_write_enable=YES",默認是注釋,去掉注釋重啟vsftp服務,重新測試創建目錄
1 [root@node01 vsftpd]# grep "anon_mkdir_write_enable=YES" /etc/vsftpd/vsftpd.conf 2 anon_mkdir_write_enable=YES 3 [root@node01 vsftpd]# 4 [root@node01 vsftpd]# systemctl restart vsftpd.service 5 [root@node02 ~]# lftp 192.168.0.10 6 lftp 192.168.0.10:~> cd upload/ 7 lftp 192.168.0.10:/upload> ls -la 8 drwxr-xr-x 2 14 0 31 Jul 20 23:22 . 9 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 10 -rw------- 1 14 50 501 Jul 20 23:22 fstab 11 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 12 lftp 192.168.0.10:/upload> mkdir ftpdir 13 mkdir ok, `ftpdir' created 14 lftp 192.168.0.10:/upload> 15 lftp 192.168.0.10:/upload> ls -la 16 drwxr-xr-x 3 14 0 44 Jul 20 23:41 . 17 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 18 -rw------- 1 14 50 501 Jul 20 23:22 fstab 19 drwx------ 2 14 50 6 Jul 20 23:41 ftpdir 20 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 21 lftp 192.168.0.10:/upload>
調整參數之后可以創建目錄,接下來測試刪除目錄操作
1 lftp 192.168.0.10:/upload> ls -l 2 -rw------- 1 14 50 501 Jul 20 23:22 fstab 3 drwx------ 2 14 50 6 Jul 20 23:41 ftpdir 4 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 5 lftp 192.168.0.10:/upload> rm fstab 6 rm: Access failed: 550 Permission denied. (fstab) 7 lftp 192.168.0.10:/upload> rm passwd 8 rm: Access failed: 550 Permission denied. (passwd) 9 lftp 192.168.0.10:/upload>
在vsftpd中有一個參數"anon_other_write_enable"用來控制刪除和重命名權限,我們添加之後重啟vsftpd服務,再進行驗證
1 [root@node01 vsftpd]# grep "anon_other_write_enable=YES" /etc/vsftpd/vsftpd.conf 2 anon_other_write_enable=YES 3 [root@node01 vsftpd]# systemctl restart vsftpd.service 4 [root@node01 vsftpd]# 5 lftp 192.168.0.10:/upload> exit 6 [root@node02 ~]# lftp 192.168.0.10 7 lftp 192.168.0.10:~> cd upload/ 8 lftp 192.168.0.10:/upload> ls -la 9 drwxr-xr-x 3 14 0 44 Jul 20 23:41 . 10 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 11 -rw------- 1 14 50 501 Jul 20 23:22 fstab 12 drwx------ 2 14 50 6 Jul 20 23:41 ftpdir 13 -rw------- 1 14 50 1080 Jul 20 23:22 passwd 14 lftp 192.168.0.10:/upload> rm fstab 15 rm ok, `fstab' removed 16 lftp 192.168.0.10:/upload> rm passwd 17 rm ok, `passwd' removed 18 lftp 192.168.0.10:/upload> ls -la 19 drwxr-xr-x 3 14 0 19 Jul 20 23:52 . 20 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 21 drwx------ 2 14 50 6 Jul 20 23:41 ftpdir 22 lftp 192.168.0.10:/upload>
確實可以刪除文件,再演示重命名文件
1 lftp 192.168.0.10:/upload> ls -al 2 drwxr-xr-x 3 14 0 20 Jul 20 23:53 . 3 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 4 drwx------ 2 14 50 6 Jul 20 23:41 testdir 5 lftp 192.168.0.10:/upload> mv testdir ftpdir 6 rename successful 7 lftp 192.168.0.10:/upload> ls -al 8 drwxr-xr-x 3 14 0 19 Jul 20 23:54 . 9 drwxr-xr-x 4 0 0 29 Jul 20 23:05 .. 10 drwx------ 2 14 50 6 Jul 20 23:41 ftpdir 11 lftp 192.168.0.10:/upload>
三、本地用戶訪問vsftp
1 lftp 192.168.0.10:/upload> exit 2 [root@node02 ~]# lftp -u ftpuser,ftp123 192.168.0.10 3 lftp ftpuser@192.168.0.10:~> pwd 4 ftp://ftpuser:ftp123@192.168.0.10 5 lftp ftpuser@192.168.0.10:~> ls -l 6 lftp ftpuser@192.168.0.10:~> mkdir ftpuser 7 mkdir ok, `ftpuser' created 8 lftp ftpuser@192.168.0.10:~> ls -lh 9 drwxr-xr-x 2 1000 1000 6 Jul 21 01:12 ftpuser 10 lftp ftpuser@192.168.0.10:~> lcd /etc/ 11 lcd ok, local cwd=/etc 12 lftp ftpuser@192.168.0.10:~> put passwd 13 1080 bytes transferred 14 lftp ftpuser@192.168.0.10:~> put issu 15 put: /etc/issu: No such file or directory 16 lftp ftpuser@192.168.0.10:~> put issue 17 23 bytes transferred 18 lftp ftpuser@192.168.0.10:~> ls -lh 19 drwxr-xr-x 2 1000 1000 6 Jul 21 01:12 ftpuser 20 -rw-r--r-- 1 1000 1000 23 Jul 21 01:13 issue 21 -rw-r--r-- 1 1000 1000 1080 Jul 21 01:12 passwd 22 lftp ftpuser@192.168.0.10:~>
本地用戶上傳文件默認權限為644(-rw-r--r--),目錄為755(drwxr-xr-x),控制本地用戶訪問和上傳文件(目錄)的參數為:(注意:上面示例把密碼直接寫在lftp命令行上,密碼會出現在shell歷史和pwd輸出中,實際使用時建議交互式輸入密碼)
local_enable=YES (控制所有非匿名用戶訪問)
local_umask=022 (控制上傳文件和目錄之后的權限的掩碼)
一般登錄vsftpd之後進入某個目錄時,可以設置一個提示信息,對該目錄進行相關說明,這裡可以通過dirmessage_enable參數實現。
這裡我們在upload目錄中創建一個.message文件,寫入提示內容
1 [root@node01 upload]# pwd 2 /var/ftp/upload 3 [root@node01 upload]# cat .message 4 this is upload dir,pls do not delete files or dir on operation 5 [root@node01 upload]#
重新登錄進行測試:
1 [root@node02 ~]# ftp 192.168.0.10 2 Connected to 192.168.0.10 (192.168.0.10). 3 220 (vsFTPd 3.0.2) 4 Name (192.168.0.10:root): anonymous 5 331 Please specify the password. 6 Password: 7 230 Login successful. 8 Remote system type is UNIX. 9 Using binary mode to transfer files. 10 ftp> dir 11 227 Entering Passive Mode (192,168,0,10,45,41). 12 150 Here comes the directory listing. 13 drwxr-xr-x 2 0 0 6 Aug 03 2017 pub 14 drwxr-xr-x 3 14 0 34 Jul 21 01:33 upload 15 226 Directory send OK. 16 ftp> cd upload 17 250-this is upload dir,pls do not delete files or dir on operation 18 250 Directory successfully changed. 19 ftp> pwd 20 257 "/upload" 21 ftp>
所以,dirmessage_enable=YES
用戶第一次進入目錄時,vsftp會查看.message文件,並將其內容顯示給用戶
也可以使用message_file指定文件路徑,而不是使用默認的.message
上面是對某個目錄進行說明,也可以在登錄vsftp服務器時給出提示信息。
這里給出的參數是“ftpd_banner=Welcome to blah FTP service”,默認是注釋掉,直接去掉注釋,然后重啟vsftpd服務
1 [root@node02 ~]# ftp 192.168.0.10 2 Connected to 192.168.0.10 (192.168.0.10). 3 220 Welcome to blah FTP service. 4 Name (192.168.0.10:root):
上面第3行"220"後面的提示信息即為設置的banner
四、控制用戶登錄后鎖定在自己家目錄下
鎖定所有登錄的本地用戶在自己家目錄下,定義參數"chroot_local_user=YES ",為了可以上傳確保參數 “allow_writeable_chroot=YES”;
[root@node01 vsftpd]# grep "chroot_local_user=YES" /etc/vsftpd/vsftpd.conf chroot_local_user=YES [root@node01 vsftpd]# systemctl restart vsftpd [root@node01 vsftpd]#
測試登錄
[root@node02 ~]# ftp 192.168.0.10 Connected to 192.168.0.10 (192.168.0.10). 220 (vsFTPd 3.0.2) Name (192.168.0.10:root): ftpuser 331 Please specify the password. Password: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() Login failed. 421 Service not available, remote server has closed connection ftp>
發現登錄失敗,原因是vsftpd拒絕在根目錄可寫的chroot中運行:被鎖定的本地用戶家目錄必須沒有寫(w)權限;如果確實需要家目錄可寫,則要設置allow_writeable_chroot=YES來放寬這項限制(去掉寫權限是更安全的做法)
[root@node01 vsftpd]# ls -ld /home/ftpuser/ drwx------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/ [root@node01 vsftpd]#
去掉本地用戶寫權限
1 [root@node01 vsftpd]# ls -ld /home/ftpuser/ 2 drwx------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/ 3 [root@node01 vsftpd]# chmod -w /home/ftpuser/ 4 [root@node01 vsftpd]# ls -ld /home/ftpuser/ 5 dr-x------ 4 ftpuser ftpuser 113 Jul 21 09:13 /home/ftpuser/ 6 [root@node01 vsftpd]#
再進行測試
1 [root@node02 ~]# ftp 192.168.0.10 2 Connected to 192.168.0.10 (192.168.0.10). 3 220 (vsFTPd 3.0.2) 4 Name (192.168.0.10:root): ftpuser 5 331 Please specify the password. 6 Password: 7 230 Login successful. 8 Remote system type is UNIX. 9 Using binary mode to transfer files. 10 ftp> cd /etc/ 11 550 Failed to change directory. 12 ftp> pwd 13 257 "/" 14 ftp>
登錄成功,確實不能切換到其他目錄下,所以參數"chroot_local_user=YES"對所有本地用戶生效,有沒有辦法只對部分用戶進行設置呢?答案是肯定的
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
通過以上兩個參數可以指定用戶,只對chroot_list中設置的用戶生效,另外不能同時使用兩種方式。為了讓用戶可以上傳,需確保參數"allow_writeable_chroot=YES";
1 [root@node01 vsftpd]# pwd 2 /etc/vsftpd 3 [root@node01 vsftpd]# cat chroot_list 4 user001 5 [root@node01 vsftpd]# useradd user001 6 [root@node01 vsftpd]# passwd user001 7 Changing password for user user001. 8 New password: 9 BAD PASSWORD: The password is shorter than 8 characters 10 Retype new password: 11 passwd: all authentication tokens updated successfully. 12 [root@node01 vsftpd]# !systemc 13 systemctl restart vsftpd 14 [root@node01 vsftpd]# grep "chroot_list" vsftpd.conf 15 chroot_list_enable=YES 16 chroot_list_file=/etc/vsftpd/chroot_list 17 [root@node01 vsftpd]#
分別使用ftpuser 和user001進行測試
1 ftp> exit 2 [root@node02 ~]# ftp 192.168.0.10 3 Connected to 192.168.0.10 (192.168.0.10). 4 220 (vsFTPd 3.0.2) 5 Name (192.168.0.10:root): ftpuser 6 331 Please specify the password. 7 Password: 8 230 Login successful. 9 Remote system type is UNIX. 10 Using binary mode to transfer files. 11 ftp> pwd 12 257 "/home/ftpuser" 13 ftp> cd /etc 14 250 Directory successfully changed. 15 ftp> pwd 16 257 "/etc" 17 ftp> exit 18 221 Goodbye. 19 [root@node02 ~]# ftp 192.168.0.10 20 Connected to 192.168.0.10 (192.168.0.10). 21 220 (vsFTPd 3.0.2) 22 Name (192.168.0.10:root): user001 23 331 Please specify the password. 24 Password: 25 230 Login successful. 26 Remote system type is UNIX. 27 Using binary mode to transfer files. 28 ftp> pwd 29 257 "/" 30 ftp> cd /etc/ 31 550 Failed to change directory. 32 ftp>
user001的家目錄必須沒有寫權限。從以上可以發現通過chroot_list定義的用戶user001確實不能切換到其他目錄,ftpuser不在chroot_list文件中,則可以隨意切換到其他目錄
控制用戶是否可以登錄vsftpd,通過黑白名單來實現,而名單是黑名單還是白名單由指令userlist_deny=YES|NO決定
userlist_enable
啟用時,vsftpd將加載一個由userlist_file指令指定的用戶列表文件(user_list),此文件中的用戶是否能訪問vsftpd服務取決於userlist_deny指令:
userlist_deny=YES:表示此列表為黑名單
userlist_deny=NO:表示此列表為白名單