Installing FTP on Linux, vsftpd edition (server setup)

An FTP file server is very useful on a home or office LAN: it lets several people exchange files conveniently from different computers, phones and tablets. With FTP as the file server we no longer have to keep files on our own machines; we put them on the server, one person stores them, and every other user on the same LAN can fetch them immediately.

Although SSH-based SFTP gives exactly the same file exchange between the server and each person's computer without installing any FTP server software, in terms of server security, fine-grained control over file access permissions and flexibility it is still slightly less good than installing a dedicated FTP server yourself.

About FTP

An FTP server (File Transfer Protocol Server) is a computer on the Internet that provides file storage and access services according to the FTP protocol.
FTP (File Transfer Protocol)

Purpose: the protocol used to transfer files over the Internet

Common FTP servers:

  • Windows:
    • the built-in FTP server
  • Linux:
    • ProFTPD (Professional FTP daemon): an FTP server program for Unix and Unix-like platforms (Linux, FreeBSD, etc.).
    • vsftpd: an FTP server for Unix-like systems released under the GPL; the name stands for Very Secure FTP.

Installing vsftpd

Environment: RHEL/CentOS 7.x

Installation

# Install vsftpd with yum
[root@thinkcent thinktik]# yum install vsftpd
# Start the service
[root@thinkcent thinktik]# systemctl start vsftpd.service
# Start it on boot
[root@thinkcent thinktik]# systemctl enable vsftpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
# Check the status of vsftpd; "Active: active (running)" means it is running
[root@thinkcent thinktik]# systemctl status vsftpd.service
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-07-14 23:21:43 CST; 14s ago
Main PID: 9889 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─9889 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Jul 14 23:21:43 thinkcent systemd[1]: Starting Vsftpd ftp daemon...
Jul 14 23:21:43 thinkcent systemd[1]: Started Vsftpd ftp daemon.

Firewall settings

# Let FTP through the firewall
[root@thinkcent thinktik]# firewall-cmd --permanent --zone=public --add-service=ftp
success
[root@thinkcent thinktik]# firewall-cmd --reload
success
# Allow it in SELinux
[root@thinkcent thinktik]# setsebool -P ftpd_full_access on

Verification

You can verify the result with FileZilla or Xftp in anonymous mode; a successful login means it works.

At this point vsftpd is basically installed. If you want the more advanced features, keep reading.

Configuring vsftpd

Anonymous users and local users

Once vsftpd is installed, anonymous users and the ordinary Linux users on the box can log in straight away, and /etc/vsftpd/vsftpd.conf allows finer-grained configuration. Look up the details yourself; they are not the focus here. I am not fond of anonymous login: it is the most convenient but also the least secure, since no account or password is needed; on a LAN it is just about tolerable. I do not really recommend login with ordinary Linux users either. It is certainly much more secure than anonymous access, but managing file permissions becomes a nuisance once there are many Linux users, there is no reason N Linux users should mean N accounts that can log in to FTP, and the setup is unprofessional: after logging in, a user can reach many folders and files outside their own directory. In short, neither method is as good as the virtual-user approach described below; try it yourself if you don't believe me.

Virtual users

Our goal: no ordinary Linux user can log in to FTP at all; only virtual FTP users can, and they are confined to /ext_files/ftp_data/ and cannot access files under any other Linux path.

Create the virtual user credential file

# Go to the vsftpd configuration directory
[root@thinkcent /]# cd /etc/vsftpd/
# Create the file
[root@thinkcent vsftpd]# vim virtual_users

# Enter the virtual users and their passwords, then save
# The first line is the username, the second line its password (repeat the pair for each extra user)
thinkftp
Secure_123@ftp

# Generate the virtual-user credential database from virtual_users in the same directory
[root@thinkcent vsftpd]# db_load -T -t hash -f /etc/vsftpd/virtual_users /etc/vsftpd/virtual_users.db

# Restrict both files to root: the PAM lookup runs in vsftpd's privileged parent process,
# and the plaintext list must not be readable by other local users
[root@thinkcent vsftpd]# chmod 600 virtual_users virtual_users.db
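As an added example (not part of the original post), the following POSIX shell script checks a virtual_users file for the mistakes that make db_load produce a wrong database (blank lines, a user without a password line, duplicate usernames) before building it, and leaves both files readable only by root. The file format and the /etc/vsftpd paths are the ones used above; the function names and the temporary demo directory are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a vsftpd virtual-user
# credential file before handing it to db_load, then build the Berkeley DB with
# root-only permissions. The format (user on one line, password on the next)
# and the /etc/vsftpd paths are those used in the post; function names are mine.

# check_virtual_users FILE
# Exit 0 when FILE is well formed for "db_load -T -t hash":
#   - no blank lines (a blank key or value silently corrupts the mapping)
#   - an even number of lines (every user line has a password line)
#   - no duplicate usernames (db_load would keep only one password)
check_virtual_users() {
    file="$1"
    [ -f "$file" ] || { echo "check: $file not found" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$file"; then
        echo "check: blank line in $file" >&2; return 1
    fi
    lines=$(awk 'END { print NR }' "$file")
    if [ "$lines" -eq 0 ] || [ $((lines % 2)) -ne 0 ]; then
        echo "check: $file must hold alternating user/password lines (got $lines)" >&2
        return 1
    fi
    dup=$(awk 'NR % 2 == 1' "$file" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "check: duplicate user(s) in $file: $dup" >&2; return 1
    fi
    return 0
}

# list_virtual_users FILE
# Print the usernames (the odd lines), space separated, for a quick review.
list_virtual_users() {
    awk 'NR % 2 == 1 { printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }' "$1"
}

# build_virtual_users_db FILE
# Validate FILE, then create FILE.db next to it. Both files are restricted to
# root: vsftpd performs the PAM lookup in its privileged parent process, so
# nothing else needs to read them.
build_virtual_users_db() {
    file="$1"
    check_virtual_users "$file" || return 1
    chmod 600 "$file"
    db_load -T -t hash -f "$file" "$file.db" || return 1
    chmod 600 "$file.db"
}

# Demo on a constructed credential file in a temporary directory (the
# password is the placeholder from the post, not a real secret).
demo_dir=$(mktemp -d)
cat > "$demo_dir/virtual_users" <<'EOF'
thinkftp
Secure_123@ftp
EOF
if check_virtual_users "$demo_dir/virtual_users"; then
    echo "users: $(list_virtual_users "$demo_dir/virtual_users")"
    # Only build the DB where the Berkeley DB tools are installed.
    if command -v db_load >/dev/null 2>&1; then
        build_virtual_users_db "$demo_dir/virtual_users" && ls -l "$demo_dir"
    fi
fi
rm -rf "$demo_dir"
```

On the server itself, run build_virtual_users_db against /etc/vsftpd/virtual_users as root after editing the list; the validator refuses the file before db_load ever sees it if a password line is missing, which otherwise shows up only as a mysterious login failure for the next user in the list.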

Configure the PAM file so that clients are authenticated against this database

# Edit this file
[root@thinkcent vsftpd]# vim /etc/pam.d/vsftpd

# Comment out all of the default entries and add the two lines at the bottom
#%PAM-1.0
#session optional pam_keyinit.so force revoke
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth

# db= takes the database path without the .db extension
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtual_users
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtual_users


Create the host user and the virtual user

# Create the host user. Choose the directory as you like; the host user name "vsftp" is also up to you
[root@localhost vsftpd]# useradd -d /ext_files/ftp_data/ vsftp
# Set ownership of the data directory
[root@thinkcent vsftpd]# chown vsftp:vsftp /ext_files/ftp_data/
# Deny the host user a login shell, for safety
[root@thinkcent vsftpd]# usermod -s /sbin/nologin vsftp
# Create the directory that holds one configuration file per virtual user
[root@thinkcent vsftpd]# mkdir virtual_users_dir
[root@thinkcent vsftpd]# cd virtual_users_dir/
# Create one virtual user (you can create several; the file name must match the username in virtual_users)
[root@thinkcent virtual_users_dir]# touch thinkftp
[root@thinkcent virtual_users_dir]# ls
thinkftp
# Edit the file and enter the configuration
[root@thinkcent virtual_users_dir]# vim thinkftp

# Enter the following
virtual_use_local_privs=YES
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# Root directory for this virtual user
local_root=/ext_files/ftp_data/


Configure SSL

# Create the SSL directory
mkdir /etc/vsftpd/.sslkey
# Enter it
cd /etc/vsftpd/.sslkey
# Generate a self-signed certificate and its private key (both are written to vsftpd.pem)
openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem -days 3650

# The certificate details can be anything; once it is generated, move on to the configuration below

Configure vsftpd, using the configuration file below as a reference

...

listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


# Added by me: the virtual user section
guest_enable=YES
# The host user created above
guest_username=vsftp
# Directory holding the per-virtual-user configuration files
user_config_dir=/etc/vsftpd/virtual_users_dir
virtual_use_local_privs=YES
...

If vsftpd complains that the restricted root directory must not be writable, remove the write permission:
chmod 555 /ext_files/ftp_data/

OK!!

Create a folder with 777 permissions under the root directory and files can be saved there.
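The chroot check above is easy to break again with a later chmod, so here is an added shell example (not from the original post) that creates the data directory with a read-only root and a writable upload subdirectory and verifies the invariant vsftpd enforces. The /ext_files/ftp_data path and the vsftp host user come from the post; the function names, the "upload" subdirectory and its 775 mode are my choices, and the script only changes ownership when the host user exists. It goes one step beyond the text: because guest_enable=YES with virtual_use_local_privs=YES runs every virtual user's file operations as guest_username, a directory owned by that user does not need to be world-writable.

```shell
#!/bin/sh
# Added example, not from the original post: lay out an FTP data directory the
# way vsftpd's chroot check requires (root not writable, uploads go into a
# subdirectory) and verify the result. The /ext_files/ftp_data layout and the
# vsftp host user come from the post; the function names, the "upload"
# subdirectory and the 775 mode are my choices.

# perm_string PATH -> the ten-character mode field of ls, e.g. "dr-xr-xr-x"
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# chroot_root_ok ROOT
# Exit 0 when no write bit at all is set on ROOT. vsftpd refuses a chrooted
# session ("500 OOPS: vsftpd: refusing to run with writable root inside
# chroot()") when the chroot root is writable by the logged-in user.
chroot_root_ok() {
    case "$(perm_string "$1")" in
        d?-??-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# prepare_ftp_root ROOT [OWNER]
# Create ROOT read-only (so it passes the chroot check) and ROOT/upload, the
# directory clients write to. When OWNER exists both are handed to it: with
# guest_enable=YES and virtual_use_local_privs=YES every virtual user's file
# operations run as guest_username, so 775 on the upload directory is enough
# and a world-writable 777 directory is not needed.
prepare_ftp_root() {
    root="$1"; owner="${2:-vsftp}"
    mkdir -p "$root/upload" || return 1
    if id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$root" "$root/upload" || return 1
    else
        echo "prepare: user $owner does not exist, leaving ownership unchanged" >&2
    fi
    chmod 775 "$root/upload" || return 1
    chmod 555 "$root" || return 1
    chroot_root_ok "$root"
}

# Demo in a temporary directory standing in for /ext_files/ftp_data.
demo=$(mktemp -d)/ftp_data
if prepare_ftp_root "$demo"; then
    echo "root   : $(perm_string "$demo")"
    echo "upload : $(perm_string "$demo/upload")"
fi
chmod 755 "$demo" 2>/dev/null   # make it removable again before cleanup
rm -rf "$(dirname "$demo")"
```

On the real server call prepare_ftp_root /ext_files/ftp_data vsftp as root and point clients at the upload subdirectory; chroot_root_ok is worth re-running whenever a "refusing to run with writable root" error reappears after someone "fixed" permissions by hand.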

Now add the SSL configuration

# FTP over SSL, to strengthen security: the SSL section
# Passive mode off: pasv_enable=NO leaves only active mode (it does not disable active mode),
# and the pasv_min_port/pasv_max_port range below only takes effect with pasv_enable=YES
pasv_enable=NO
pasv_min_port=31000
pasv_max_port=31200
ssl_enable=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken protocol versions and must stay disabled
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=yes
force_local_data_ssl=yes
# Path to the certificate/key file
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
#ssl_ciphers=HIGH

If it fails to start, it is almost always an SELinux restriction: grant the SELinux permissions, trying the booleans one by one.


Fine-tune after configuring; some errors may come from file permission restrictions, nothing serious, please sort them out yourself. I will improve this further when I have time.

Speed is decent: 37M/s.

Another article sums this up well and I recommend reading it: "vsftpd 配置:chroot_local_user与chroot_list_enable详解" (a detailed explanation of chroot_local_user and chroot_list_enable in vsftpd).

Here is the complete configuration file:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Disable anonymous login
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


# Added by me: the virtual user section
guest_enable=YES
# The host user created above
guest_username=vsftp
# Directory holding the per-virtual-user configuration files
user_config_dir=/etc/vsftpd/virtual_users_dir
virtual_use_local_privs=YES


# FTP over SSL, to strengthen security: the SSL section
# Passive mode off: pasv_enable=NO leaves only active mode (it does not disable active mode),
# and the pasv_min_port/pasv_max_port range below only takes effect with pasv_enable=YES
pasv_enable=NO
pasv_min_port=31000
pasv_max_port=31200
ssl_enable=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken protocol versions and must stay disabled
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=yes
force_local_data_ssl=yes
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
#ssl_ciphers=HIGH
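To close, an added example (not from the original post) that audits a vsftpd.conf for the weak settings discussed in the SSL section and in the full configuration above, and prints the passive port range that firewalld must allow when passive mode is in use. The directive names are real vsftpd options; the two sample configurations embedded in the script are constructed for the demo (one mirrors the SSL block as first written, the other a corrected version) and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a small audit of a vsftpd.conf
# that flags the weak settings discussed in the post and prints the passive
# port range that has to be opened in firewalld. The directive names are real
# vsftpd options; the sample configurations below are constructed for the demo.

# conf_get FILE KEY -> value of the last uncommented KEY=value line, lowercased
# (later assignments override earlier ones in vsftpd, and boolean values are
# case-insensitive, so YES and yes compare equal here).
conf_get() {
    awk -F= -v k="$2" '
        $0 !~ /^[ \t]*#/ && $1 == k { v = $2 }
        END { print tolower(v) }' "$1"
}

AUDIT_WARNINGS=0
warn() { echo "WARN: $1"; AUDIT_WARNINGS=$((AUDIT_WARNINGS + 1)); }
note() { echo "NOTE: $1"; }

# audit_vsftpd_conf FILE
# Print one WARN line per weak setting and return 1 if any were found.
audit_vsftpd_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "audit: $conf not found" >&2; return 2; }
    AUDIT_WARNINGS=0

    if [ "$(conf_get "$conf" anonymous_enable)" != "no" ]; then
        warn "anonymous_enable is not NO (anonymous login is allowed when the line is missing)"
    fi
    if [ "$(conf_get "$conf" chroot_local_user)" != "yes" ]; then
        warn "chroot_local_user is not YES: virtual users could browse outside local_root"
    fi
    if [ "$(conf_get "$conf" ssl_enable)" != "yes" ]; then
        warn "ssl_enable is not YES: credentials and data travel in clear text"
    else
        for old in ssl_sslv2 ssl_sslv3; do
            if [ "$(conf_get "$conf" "$old")" = "yes" ]; then
                warn "$old=YES enables a broken protocol version; set it to NO"
            fi
        done
        for f in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(conf_get "$conf" "$f")" = "no" ]; then
                warn "$f=NO lets clients fall back to unencrypted logins or transfers"
            fi
        done
        if [ -z "$(conf_get "$conf" ssl_ciphers)" ]; then
            warn "ssl_ciphers is unset: vsftpd's compiled-in default is DES-CBC3-SHA; set ssl_ciphers=HIGH"
        fi
    fi

    lo=$(conf_get "$conf" pasv_min_port); hi=$(conf_get "$conf" pasv_max_port)
    if [ "$(conf_get "$conf" pasv_enable)" = "no" ]; then
        note "pasv_enable=NO: only active mode works, pasv_min_port/pasv_max_port are ignored, and the server must reach clients on their data ports"
    elif [ -n "$lo" ] && [ -n "$hi" ]; then
        note "passive range $lo-$hi must be allowed: firewall-cmd --permanent --add-port=$lo-$hi/tcp && firewall-cmd --reload"
    fi

    [ "$AUDIT_WARNINGS" -eq 0 ]
}

# Demo: the post's SSL block as first written (weak) next to a corrected version.
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
pasv_enable=NO
pasv_min_port=31000
pasv_max_port=31200
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
force_local_logins_ssl=yes
force_local_data_ssl=yes
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
#ssl_ciphers=HIGH
EOF
cat > "$demo/hardened.conf" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=31000
pasv_max_port=31200
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
EOF
for c in weak hardened; do
    echo "== $c.conf"
    audit_vsftpd_conf "$demo/$c.conf" || echo "$AUDIT_WARNINGS warning(s)"
done
rm -rf "$demo"
```

Run audit_vsftpd_conf /etc/vsftpd/vsftpd.conf before restarting the service: the weak sample yields three warnings (SSLv2, SSLv3 and the unset cipher list), the hardened one yields none and only the note about opening 31000-31200/tcp, which is the firewall step the post's firewall-cmd --add-service=ftp line does not cover.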