How to configure ftp server in Linux
1. First check whether vsftpd is already installed with rpm -qa | grep vsftpd. If it is not, install it with yum -y install vsftpd (on Ubuntu/Debian: apt-get install vsftpd). Note that vsftpd is the server; the ftp package is only the command-line client.
2. Start the service with service vsftpd start (use service vsftpd restart after changing the configuration).
To make vsftpd start automatically at every boot, run chkconfig --level 35 vsftpd on (on systemd-based systems, systemctl enable --now vsftpd starts it and enables it at boot in one step).
3. Set ftp permissions
vi /etc/vsftpd/vsftpd.conf
Change anonymous_enable=YES to anonymous_enable=NO
Press ESC, then type ":wq" to save and exit.
Open the firewall. Do not do this with iptables -F: that command flushes every rule in the filter table and leaves the host with no firewall at all. Allow port 21 instead (and, when passive mode is used, the port range set with pasv_min_port/pasv_max_port in section 9):
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
(on firewalld hosts: firewall-cmd --permanent --add-service=ftp; firewall-cmd --reload)
The main configuration file of vsftpd is:
/etc/vsftpd/vsftpd.conf (on Debian/Ubuntu it is /etc/vsftpd.conf)
Experiment 1:
If I do not want to allow anonymous FTP logins, I can do that by editing the main configuration file of vsftpd:
# vi /etc/vsftpd/vsftpd.conf and change anonymous_enable=YES to anonymous_enable=NO
Experiment 2:
The FTP server in Windows lets you set a welcome message and a maximum number of connections; can the Linux FTP server do the same? The answer is yes, again through the main configuration file of vsftpd: # vi /etc/vsftpd/vsftpd.conf
Add at the end:
ftpd_banner=welcome to here! This is the welcome message (it also replaces the default greeting, which announces the vsftpd version).
max_clients=100 This means that at most 100 users may be connected at the same time. Option names are lowercase and there must be no spaces around "=". Then just restart vsftpd!
Experiment 3:
If I want to stop my colleague lilei, who borrowed money from me and refuses to pay it back, from logging in to our FTP site, I add the user lilei to /etc/vsftpd/ftpusers (vi /etc/vsftpd/ftpusers). This file is a pure deny list enforced through PAM (pam_listfile), so a user listed there is refused no matter what the other lists say.
Experiment 4:
In the morning the general manager said he would promote a few people in the company. Hearing the news, I act quickly: I allow only the general manager to log in to the FTP server and nobody else can even think about it. To flatter the manager and lock everyone else out, I do this: #vi /etc/vsftpd/vsftpd.conf
Add (or set) these entries at the end:
userlist_enable=YES / The list is only consulted when this is YES
userlist_deny=NO / People in this list are not denied; everyone else is denied (including anonymous)
userlist_file=/etc/mp / Path of the list, one username per line
Then put the general manager's username into /etc/mp and restart vsftpd.
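The setup steps and Experiments 1 to 4 above, collected into one idempotent script. This is an added example written for this page, not code from the original article or from the vsftpd project: vsftpd_set rewrites a key without leaving duplicates (a commented-out "#key=..." line is reused), vsftpd_get reads the effective value (the last definition wins, as in vsftpd), and apply_hardening/open_firewall hold the settings discussed on this page in their safe form instead of "iptables -F". Paths assume an RHEL/CentOS layout (set VSFTPD_CONF for Debian/Ubuntu); the passive range 50000-50100 and max_per_ip=5 are this example's choices, not vsftpd defaults.

```shell
#!/bin/sh
# Added example, not part of the original article. Run as root with "apply"
# to install, configure, open the firewall and (re)start vsftpd; without
# arguments it only defines the helper functions.
set -eu

CONF=${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}
PASV_MIN=50000   # example's choice of passive range, see section 9
PASV_MAX=50100

# vsftpd_set FILE KEY VALUE: activate or rewrite "KEY=VALUE" (a commented-out
# "#KEY=..." line is reused), otherwise append it. No spaces around "=".
# VALUE must not contain "|" or "&" (sed replacement metacharacters).
vsftpd_set() {
    if grep -Eq "^#?[[:space:]]*$2=" "$1"; then
        sed "s|^#\{0,1\}[[:space:]]*$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        # make sure we append on a fresh line even if the file lacks a final newline
        if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# vsftpd_get FILE KEY: print the effective value, empty if unset
vsftpd_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# apply_hardening FILE: the options discussed on this page, in their safe form.
# Populate userlist_file with the allowed usernames first: with userlist_deny=NO
# an empty list locks everyone out.
apply_hardening() {
    vsftpd_set "$1" anonymous_enable NO              # Experiment 1
    vsftpd_set "$1" local_enable YES
    vsftpd_set "$1" write_enable YES
    vsftpd_set "$1" ftpd_banner "welcome to here!"   # Experiment 2; hides the version banner
    vsftpd_set "$1" max_clients 100
    vsftpd_set "$1" max_per_ip 5                      # example's choice
    vsftpd_set "$1" userlist_enable YES               # Experiment 4: allow-list mode
    vsftpd_set "$1" userlist_deny NO
    vsftpd_set "$1" userlist_file /etc/vsftpd/user_list
    vsftpd_set "$1" chroot_local_user YES             # keep users inside their FTP root
    vsftpd_set "$1" pasv_enable YES
    vsftpd_set "$1" pasv_min_port "$PASV_MIN"         # bounded range the firewall can open
    vsftpd_set "$1" pasv_max_port "$PASV_MAX"
    vsftpd_set "$1" xferlog_enable YES
    vsftpd_set "$1" xferlog_std_format YES
}

# open_firewall: permit the control port and exactly the passive range,
# instead of flushing every rule with "iptables -F"
open_firewall() {
    iptables -I INPUT -p tcp --dport 21 -j ACCEPT
    iptables -I INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" -j ACCEPT
    # firewalld equivalent:
    #   firewall-cmd --permanent --add-service=ftp
    #   firewall-cmd --permanent --add-port=$PASV_MIN-$PASV_MAX/tcp && firewall-cmd --reload
}

if [ "${1:-}" = apply ]; then
    rpm -q vsftpd >/dev/null 2>&1 || yum -y install vsftpd
    cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy before editing
    apply_hardening "$CONF"
    open_firewall
    if command -v systemctl >/dev/null 2>&1; then
        systemctl enable vsftpd && systemctl restart vsftpd
    else
        chkconfig --level 35 vsftpd on && service vsftpd restart
    fi
fi
```

vsftpd_set deliberately rewrites the key in place rather than appending a second definition: vsftpd accepts duplicates and lets the last one win, which makes a configuration hard to review, so a single authoritative line per key is the safer shape.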
The vsftpd configuration file uses "#" as the comment character: lines starting with "#" and blank lines are ignored when the file is parsed, and every other line is treated as a configuration directive. Do not leave spaces around the "=" of a directive. Each directive is accompanied by an explanatory comment in the shipped configuration file, which can be edited with the vi editor as follows:
#vi /etc/vsftpd/vsftpd.conf
1. Login and settings for anonymous users
2. Setting the welcome message
After a user logs in to the FTP server successfully, the server can send the user a preset welcome message.
ftpd_banner=Welcome to my FTP server.
// This item sets a short welcome message. For a longer message, use the banner_file item instead. Setting either one also replaces the default greeting, which otherwise announces the vsftpd version to every client.
banner_file=/etc/vsftpd/banner
// Sets a file whose contents are displayed when the user logs in. This item overrides ftpd_banner.
dirmessage_enable=YES
// Whether to show directory messages. If YES, when a user enters a particular directory (for example /var/ftp/Linux), the contents of the file named by message_file (.message) in that directory are displayed.
message_file=.message // Sets the directory message file. Put the text to display in this file, which must be placed in the directory concerned (for example /var/ftp/linux).
3. Setting the directory a user lands in after login
local_root=/var/ftp
// Sets the directory local users land in after login. The default configuration file does not set this item, in which case a user lands in his own home directory (for root that would be /root, although root is listed in /etc/vsftpd/ftpusers by default and is refused).
anon_root=/var/ftp
// Sets the directory anonymous users land in after login. If not set, it defaults to the home directory of the ftp system account, normally /var/ftp.
4. Controlling whether users may change to the parent directory
By default a user can run "cd .." to move to the parent directory. For example, if a user lands in /var/ftp after login, then running "cd .." at the "ftp>" prompt moves him to /var, and repeating it reaches the root directory of the Linux system, from where he can browse the entire file system.
If write_enable=YES is set as well, the user can also modify any file outside the FTP root that his Unix account has permission to write, which is a serious security hole. Users must therefore be prevented from escaping the FTP root. The relevant items are:
chroot_list_enable=YES
// Whether to use the user list file named by chroot_list_file. Default NO. What being on the list means depends on chroot_local_user (see the four cases below): with chroot_local_user=NO, the accounts listed in /etc/vsftpd/chroot_list are confined to the FTP root and everybody else may leave it.
chroot_list_file=/etc/vsftpd/chroot_list
// Names the user list file (one username per line) that controls which users are treated as exceptions to the chroot_local_user setting.
chroot_local_user=YES
// Whether local users are confined (chrooted) to their FTP root by default. Default NO. When chroot_list_enable=YES, the users on the list get the opposite treatment.
Note: to see the effect for local users, set local_root=/var/ftp first.
Specifically, there are the following cases:
1) chroot_list_enable=YES and chroot_local_user=YES: users listed in /etc/vsftpd/chroot_list may switch to the parent directory; users not listed cannot leave the FTP root.
2) chroot_list_enable=YES and chroot_local_user=NO: users listed in /etc/vsftpd/chroot_list cannot leave the FTP root; users not listed may switch to the parent directory.
3) chroot_list_enable=NO and chroot_local_user=YES: no user may switch to the parent directory.
4) chroot_list_enable=NO and chroot_local_user=NO: every user may switch to the parent directory.
5) When a user is not allowed to switch to the parent directory, the root "/" of the FTP site seen after login is that account's FTP home, i.e. /var/ftp on the file system.
Note also that since vsftpd 2.3.5 a confined user whose FTP root is writable by that user is refused with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Either make the root directory non-writable (chmod a-w /var/ftp and let users write into a subdirectory) or, less safely, set allow_writeable_chroot=YES.
5. Setting access control
(1) Allowing or denying hosts (see TBP14)
tcp_wrappers=YES sets whether vsftpd consults TCP Wrappers for host-based access control. The default is YES: vsftpd checks /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host may access the FTP server. The two files act as a simple firewall. This only works when vsftpd was built with TCP Wrappers support; on distributions that no longer ship TCP Wrappers (RHEL 8 and later, for example) the setting is silently ignored and the packet filter must do the job.
For example, to allow only hosts 192.168.168.1~192.168.168.254 to connect to the vsftpd server, add the following to /etc/hosts.allow:
vsftpd:192.168.168.0/255.255.255.0 :allow
all:all:deny
(2) Set users who are allowed or disallowed access
Access control for users is done through the /etc/vsftpd/user_list and /etc/vsftpd/ftpusers files. ftpusers is always a deny list (it is checked by PAM, before vsftpd's own list, and the default copy already contains root and the system accounts); user_list is governed by the following directives:
userlist_enable=YES
// Determines whether the /etc/vsftpd/user_list file is consulted. YES: it is; NO: it is not.
userlist_deny=YES // If YES, users in /etc/vsftpd/user_list are refused; if NO, only users in /etc/vsftpd/user_list may log in. In both cases the decision is made right after the USER command, before a password is requested, so a refused user never sends a password in clear text.
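The chroot rules of section 4 and the user lists of section 5 (2) are easy to get backwards, so here is an added example (written for this page, not code from the original article or from vsftpd) that reads a vsftpd.conf plus the list files it names and answers, for one username, whether the login is refused by ftpusers or user_list and whether the session is confined to its FTP root. Defaults used for absent keys are vsftpd's upstream defaults; the third argument of login_allowed overrides the ftpusers path so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not part of the original article: per-user decisions derived
# from a vsftpd configuration. Usage:
#   login_allowed /etc/vsftpd/vsftpd.conf lilei
#   chrooted      /etc/vsftpd/vsftpd.conf lilei
set -eu

# conf_get FILE KEY DEFAULT: effective value; vsftpd lets the last definition win
conf_get() {
    v=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-)
    printf '%s' "${v:-$3}"
}

# in_list FILE USER: succeeds if USER appears on its own line in FILE
in_list() {
    [ -f "$1" ] && grep -Fxq "$2" "$1"
}

# login_allowed CONF USER [FTPUSERS]: prints the decision and its reason
login_allowed() {
    conf=$1; user=$2; ftpusers=${3:-/etc/vsftpd/ftpusers}
    # ftpusers is enforced by PAM (pam_listfile, sense=deny) and always wins
    if in_list "$ftpusers" "$user"; then
        echo "denied (listed in ftpusers)"; return 0
    fi
    if [ "$(conf_get "$conf" userlist_enable NO)" = YES ]; then
        list=$(conf_get "$conf" userlist_file /etc/vsftpd/user_list)
        deny=$(conf_get "$conf" userlist_deny YES)
        if in_list "$list" "$user"; then
            if [ "$deny" = YES ]; then echo "denied (listed, userlist_deny=YES)"; return 0; fi
        elif [ "$deny" = NO ]; then
            echo "denied (not listed, userlist_deny=NO)"; return 0
        fi
    fi
    echo "allowed (still subject to password and PAM)"
}

# chrooted CONF USER: yes if the user cannot "cd .." above the FTP root
chrooted() {
    conf=$1; user=$2
    by_default=$(conf_get "$conf" chroot_local_user NO)
    listed=NO
    if [ "$(conf_get "$conf" chroot_list_enable NO)" = YES ]; then
        if in_list "$(conf_get "$conf" chroot_list_file /etc/vsftpd/chroot_list)" "$user"; then
            listed=YES
        fi
    fi
    # chroot_local_user is the rule; an enabled list names the exceptions.
    # This single comparison reproduces cases 1) to 4) of section 4.
    if [ "$by_default" = "$listed" ]; then echo no; else echo yes; fi
}
```

Run it before restarting vsftpd after every list change: a typo in user_list with userlist_deny=NO locks everyone out, and a name accidentally placed in chroot_list with chroot_local_user=YES silently hands that account the whole file system.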
6. Setting the transfer rate
anon_max_rate=0
// Maximum transfer rate for anonymous users, in bytes per second. 0 means no limit, which is the default.
local_max_rate=0
// Maximum transfer rate for local users, in bytes per second. Default 0, no limit.
7. Per-user configuration files
On a vsftpd server, different users can also be given different settings through per-user configuration files.
user_config_dir=/etc/vsftpd/userconf //Sets the directory that holds the per-user configuration files.
Once this item is set, when a user logs in to the FTP server vsftpd reads the file in /etc/vsftpd/userconf whose name equals the username and applies the directives in it on top of the main configuration. For example, per-user files can give different users different transfer rates: define local_max_rate in each user's file to set the rate that user is allowed. Only settings that take effect after login can be overridden this way; listen, ports and other pre-login settings cannot.
8. Connection-related settings
listen=YES
// Whether vsftpd runs in standalone mode. Standalone mode is preferable; listen must then be YES, which is the default and should normally be left alone, because many of the settings below only take effect in this mode. If set to NO, vsftpd does not run as an independent service but is started and controlled by xinetd, and its functionality is limited. listen=YES and listen_ipv6=YES must not both be set.
max_clients=0
// Maximum number of simultaneous connections vsftpd accepts. Default 0, no limit. If set to 150, 150 clients may be connected at once and further connection attempts are refused. Only valid in standalone mode.
max_per_ip=0
// Maximum number of simultaneous connections allowed from one IP address. Default 0, no limit. Set this to stop a single client from opening too many connections. Only valid in standalone mode.
Note: before and after changing these values you can compare the state of the port with netstat -tn (or ss -tn); netstat -tnl shows only the listening socket, not the established connections.
accept_timeout=60
// Timeout, in seconds, for a client to establish a data connection in PASV mode.
connect_timeout=60
// Timeout, in seconds, for the server to establish a data connection in PORT mode.
data_connection_timeout=300
// Maximum time, in seconds, a data transfer may stall before the connection is closed. Default 300.
idle_session_timeout=600
// Maximum idle time, in seconds, on the control connection between commands before the client is disconnected. Default 300.
pam_service_name=vsftpd
// Name of the PAM service (the file under /etc/pam.d) used for authentication. Default vsftpd.
setproctitle_enable=NO|YES
// If YES, vsftpd shows session status (such as the connected client) in the process title visible to ps. Default NO.
9. FTP working mode and port setting
(1) Introduction to FTP working modes
FTP has two working modes, PORT FTP (active) and PASV FTP (passive). They differ in who chooses the data connection port and who connects to whom.
In PORT mode the client chooses a port and announces it with the PORT command; the server then connects out to the client, from its own port 20, to transfer data. In PASV mode the server chooses a port and announces it in the reply to PASV; the client then connects in to the server, and a different port is used for each data connection. This is why FTP clients such as CuteFTP offer PORT and PASV as connection-type options.
A server normally supports both modes and the client picks one. If the server disables a mode (pasv_enable=NO or port_enable=NO), a client configured for that mode can still log in, but commands that need a data connection such as ls or get get no response and finally fail with a message that the data connection cannot be established.
(2) Port-related configuration
listen_port=21
// Sets the port on which the FTP server listens for control connections. The default is 21.
Example of connecting to a non-standard port: ftp www.sunflower.org 7000
connect_from_port_20=YES
// The default is YES: data connections in PORT mode originate from port 20 on the server. If set to NO, the source port is chosen by ftp_data_port.
ftp_data_port=20
// Sets the port used for data connections in PORT mode, default 20.
pasv_enable=YES|NO
// If YES, PASV mode is offered; if NO, PASV requests are refused and clients must use PORT mode. The default is YES.
pasv_max_port=0
// Upper bound of the port range used for data connections in PASV mode. The default value is 0, meaning any port. Set a bound so that the firewall only has to open that range.
pasv_min_port=0
// Lower bound of the port range used for data connections in PASV mode. The default value is 0, meaning any port. (Behind NAT, also set pasv_address to the public address the server should announce in its PASV replies.)
10. Setting the transfer mode
When FTP transfers data, it can use binary (Binary) mode or ASCII mode to upload or download.
ascii_download_enable=YES //Whether ASCII-mode downloads are honoured. The default is NO (the server then transfers in binary even if the client asks for ASCII).
ascii_upload_enable=YES //Whether ASCII-mode uploads are honoured. The default is NO.
11. Setting the ownership and permissions of uploaded files
(1) Setting the owner of anonymously uploaded files
chown_uploads=YES
// Whether to change the owner of files uploaded by anonymous users. The default is NO. If YES, files uploaded by anonymous users are chowned to the user named by chown_username.
chown_username=whoever
// Owner given to files uploaded by anonymous users. Only valid when chown_uploads=YES. The built-in default is root, which is not recommended: use a dedicated unprivileged account so that content anyone can upload never becomes root-owned.
(2) Permission setting for new files
local_umask=022
// The umask applied to files and directories created by local users. The upstream default is 077; the configuration file shipped by the distribution sets 022. A umask of 022 (binary 000 010 010) clears the write bits for group and others, so a directory created with the base mode 777 ends up 755 (owner: read, write, execute; group and others: read and execute) and a file created with the base mode file_open_mode=0666 ends up 644. 022 suits most situations and rarely needs changing; 077 gives 700 for directories and 600 for files.
anon_umask=022 // The umask for files created by anonymous users. Default 077.
file_open_mode=0755 //Base permission bits for uploaded files, in numeric form, before the umask is applied. Default 0666; only use a value with execute bits if uploaded files genuinely need to be executable.
12. Log file
xferlog_enable=YES //Whether to log uploads and downloads. The default is NO.
xferlog_file=/var/log/vsftpd.log //Sets the log file name and path (the built-in default is /var/log/xferlog). xferlog_enable must be YES for this to matter.
xferlog_std_format=YES // Whether the log file uses the standard xferlog format (the same format as wu-ftpd), which most log analysers expect. The default is NO.
13. Other settings
text_userdb_names=NO
// Whether the ls command shows user and group names instead of numeric UIDs and GIDs. The default is NO, which shows UIDs and GIDs. Set it to YES to show names.
ls_recurse_enable=YES
// If YES, the "ls -R" command is allowed; the default is NO, because a recursive listing of a large tree is expensive for the server and can be used to load it. This item is commented out in the shipped configuration file, as are several similar ones: to use one, remove the comment marker and set it to YES or NO.
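To tie sections 4 to 12 together, here is an added example (written for this page, not code from the original article or from vsftpd) that audits a vsftpd.conf read-only: it reports the settings discussed above when they are left in a risky state and computes the permission bits an uploaded file really gets, i.e. file_open_mode masked by local_umask or anon_umask, the same way the kernel applies a umask. Defaults used for absent keys are vsftpd's upstream defaults; which findings count as WARN rather than INFO is this example's judgement.

```shell
#!/bin/sh
# Added example, not part of the original article: read-only audit of a
# vsftpd configuration file. Usage: sh audit.sh /etc/vsftpd/vsftpd.conf
set -eu

# conf_get FILE KEY DEFAULT: effective value, last definition wins
conf_get() {
    v=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-)
    printf '%s' "${v:-$3}"
}

# effective_mode OPEN_MODE UMASK: octal mode of a file created with those
# values, e.g. effective_mode 0666 022 -> 0644; use 0777 for directories
effective_mode() {
    printf '%04o' $(( 0$1 & ~0$2 ))
}

# audit FILE: one "WARN ..." or "INFO ..." line per finding, nothing if clean
audit() {
    c=$1
    if [ "$(conf_get "$c" anonymous_enable YES)" = YES ]; then
        echo "WARN anonymous_enable=YES: anonymous logins are accepted (upstream default)"
        if [ "$(conf_get "$c" anon_upload_enable NO)" = YES ] || \
           [ "$(conf_get "$c" anon_mkdir_write_enable NO)" = YES ]; then
            echo "WARN anonymous users may create files or directories"
        fi
    fi
    if [ "$(conf_get "$c" chroot_local_user NO)" != YES ]; then
        echo "WARN chroot_local_user!=YES: local users can cd .. out of the FTP root"
    fi
    if [ "$(conf_get "$c" allow_writeable_chroot NO)" = YES ]; then
        echo "WARN allow_writeable_chroot=YES: confined users may write to their own root"
    fi
    if [ "$(conf_get "$c" pasv_enable YES)" = YES ]; then
        if [ "$(conf_get "$c" pasv_min_port 0)" -eq 0 ] || [ "$(conf_get "$c" pasv_max_port 0)" -eq 0 ]; then
            echo "WARN passive port range unbounded: the firewall would have to open all high ports"
        fi
    fi
    if [ "$(conf_get "$c" xferlog_enable NO)" != YES ]; then
        echo "WARN xferlog_enable!=YES: uploads and downloads are not logged"
    fi
    if [ "$(conf_get "$c" chown_uploads NO)" = YES ] && [ "$(conf_get "$c" chown_username root)" = root ]; then
        echo "WARN chown_uploads=YES with chown_username=root: anonymous uploads become root-owned"
    fi
    # permissions a new upload really gets, per user class
    open=$(conf_get "$c" file_open_mode 0666)
    for who in local anon; do
        if [ "$who" = local ]; then um=$(conf_get "$c" local_umask 077); else um=$(conf_get "$c" anon_umask 077); fi
        mode=$(effective_mode "$open" "$um")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WARN $who uploads are created with mode $mode (group or world writable)"
        fi
    done
    if [ "$(conf_get "$c" userlist_enable NO)" != YES ]; then
        echo "INFO userlist_enable!=YES: no per-user allow/deny list beyond ftpusers"
    fi
}

if [ $# -ge 1 ]; then audit "$1"; fi
```

The umask arithmetic is the part worth internalising: file_open_mode=0777 with local_umask=000 hands every uploaded file 0777, and the audit flags exactly that combination, whereas the distribution's local_umask=022 with the default file_open_mode=0666 yields 0644, which is what the page's "022 corresponds to 755" describes for directories.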