Linux CentOS 6.5: FTP service principles and vsftpd


Author: _palm | Source: published 2016-03-31 13:11, read 369 times

    Today was my first time really working with CentOS. Although they are all Linux distributions there are still differences, and while working through it I got a lot out of the article below, so I am recording and backing it up here for future reference.

    Thanks to the author for the detailed notes!

    source: http://www.cnblogs.com/itjiandan/p/3495183.html

    This post explains how the FTP service works and how to install and configure vsftpd, the most commonly used FTP server program...

    1. How FTP works
    FTP (File Transfer Protocol) is a very old and very widely used file transfer protocol. It is still one of the most common network file-sharing protocols and we use it all the time to move files around; FTP gives us a reliable way to share files over a network. One caveat the protocol never addressed: user names, passwords and file contents all travel in cleartext, so anyone on the network path can read them unless the session is wrapped in TLS (FTPS) or an encrypted alternative such as SFTP is used instead.
    FTP is a client/server service, with a server side and a client side. It uses TCP as its transport, so transfers are reliable. The server uses two well-known ports: 21 is the command (control) port, over which commands and replies travel, and 20 is the data port, from which the server opens data connections in active mode.
    There are two modes for connecting an FTP client to the server: active mode (Active Mode) and passive mode (Passive Mode).
    The principle of active mode is shown in the figure below:

    (figure: active mode)

    In active mode the client first connects to port 21 on the server to set up the control connection. The client then tells the server (with the PORT command) which of its own ports, a number above 1023, it has opened for the data transfer, and the server actively opens a connection from its port 20 to that client port; the data is then transferred over that connection.
    The principle of passive mode is shown in the figure below:

    (figure: passive mode)

    Passive mode also begins with the client connecting to port 21 on the server. The difference is that the server then opens a data port above 1023 of its own and tells the client its number (in the reply to the PASV command); the client opens a port above 1023 as well and actively connects to the server's data port, and the data is transferred over that connection.
    So the difference between active and passive mode is whether it is the server's port 20 that actively connects to the client, or the server that opens a random port and waits for the client to connect to it. In production, passive mode is what is normally used. Almost every network today sits behind a firewall or NAT that lets inside hosts connect out but restricts connections coming in to arbitrary ports; in active mode it is the server that must connect in to the client's data port, so that connection is likely to be blocked and the FTP service fails. Passive mode turns the data connection around so the client connects out, and the only thing left to open is a port range on the server side, which vsftpd lets you pin down with pasv_min_port and pasv_max_port.
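The PASV reply and the PORT command that carry the data endpoint in the two modes, as an added example in Python (not code from the original post or from vsftpd). The replies, addresses and ports are constructed samples, and the helper names parse_pasv_reply, build_port_command and parse_port_command are this example's own. Besides decoding the h1,h2,h3,h4,p1,p2 form, it shows the one check a passive-mode client should make: connect to the host the control connection is already talking to, not to whatever address the server advertises.

```python
"""Negotiating the FTP data connection in active and passive mode.

Added example, not part of the original post. The replies and commands below
are constructed samples in the RFC 959 formats: a 227 reply to PASV carries
the server's data endpoint as six decimal byte values, and the PORT command
the client sends in active mode carries the client's endpoint the same way.
"""
import re

_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_endpoint(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    m = _ENDPOINT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 endpoint in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range in %r" % text)
    host = "%d.%d.%d.%d" % tuple(nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 in %r" % text)
    return host, port


def parse_pasv_reply(reply, control_host, trust_server_address=False):
    """Return (host, port) the client should connect to after PASV.

    By default the host is taken from the control connection, not from the
    reply: the address a server advertises is unauthenticated, and a hostile
    or misconfigured server can point the client at any third-party machine
    (the classic FTP bounce). Set trust_server_address=True only when the
    server is known to be behind NAT and the advertised address is required.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    advertised_host, port = _decode_endpoint(reply)
    host = advertised_host if trust_server_address else control_host
    return host, port


def build_port_command(client_host, client_port):
    """Build the PORT command for active mode; the server (vsftpd with
    connect_from_port_20=YES) then connects from its port 20 to this endpoint."""
    octets = client_host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("PORT needs a dotted IPv4 address")
    if not 1 <= client_port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (",".join(octets), client_port // 256, client_port % 256)


def parse_port_command(command):
    """Server-side view: decode the client endpoint from a PORT command."""
    if not command.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % command)
    return _decode_endpoint(command)


if __name__ == "__main__":
    # Constructed passive-mode exchange: control connection goes to 192.0.2.10.
    reply = "227 Entering Passive Mode (10,0,0,99,117,48)."
    print(parse_pasv_reply(reply, "192.0.2.10"))  # ('192.0.2.10', 30000)
    # Constructed active-mode exchange: client listens on 192.0.2.20:50000.
    cmd = build_port_command("192.0.2.20", 50000)
    print(cmd, "->", parse_port_command(cmd))
```

Python's own ftplib makes the same choice in current releases (FTP.trust_server_pasv_ipv4_address defaults to False), and a server-side firewall only needs the control port plus the pinned passive range, instead of having to let the server connect out to arbitrary client ports.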
    2. Installing vsftpd
    On Linux the most widely used FTP server program is vsftpd (Very Secure FTP Daemon); as the name suggests, it aims to provide a very secure FTP service. vsftpd runs on UNIX-like operating systems such as Linux, BSD, Solaris, HP-UX and IRIX, and it supports features that many other FTP servers lack, for example:
    ① very strict security requirements  ② bandwidth limiting  ③ the option of creating virtual users  ④ high speed  ...
    In short, vsftpd gives us a fast, stable and fairly secure FTP service.
    vsftpd is not installed by default on CentOS; we install it with yum install vsftpd

    [root@xiaoluo ~]# yum install -y vsftpd
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Loading mirror speeds from cached hostfile
     * base: ftp.nsysu.edu.tw
     * extras: ftp.nsysu.edu.tw
     * updates: ftp.twaren.net
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package vsftpd.x86_64 0:2.2.2-11.el6_4.1 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package        Arch           Version                    Repository       Size
    ================================================================================
    Installing:
     vsftpd         x86_64         2.2.2-11.el6_4.1           updates         151 k
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 151 k
    Installed size: 331 k
    Downloading Packages:
    vsftpd-2.2.2-11.el6_4.1.x86_64.rpm                       | 151 kB     00:01     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : vsftpd-2.2.2-11.el6_4.1.x86_64                               1/1 
      Verifying  : vsftpd-2.2.2-11.el6_4.1.x86_64                               1/1 
    
    Installed:
      vsftpd.x86_64 0:2.2.2-11.el6_4.1                                              
    
    Complete!
    

    That installs the vsftpd service. After installation we can look at its configuration files, which all live under /etc/vsftpd/

    [root@xiaoluo ~]# cd /etc/vsftpd/
    [root@xiaoluo vsftpd]# ls -l
    total 20
    -rw-------. 1 root root  125 Mar  1 18:16 ftpusers
    -rw-------. 1 root root  361 Mar  1 18:16 user_list
    -rw-------. 1 root root 4599 Mar  1 18:16 vsftpd.conf
    -rwxr--r--. 1 root root  338 Mar  1 18:16 vsftpd_conf_migrate.sh
    

    There are four files in total. vsftpd.conf is the main configuration file. ftpusers is a deny list: the system accounts, root included, are listed there by default, because those accounts are powerful and letting them log in over FTP (which sends the password in cleartext) could cause real damage; vsftpd does not read this file itself, it is enforced by pam_listfile through /etc/pam.d/vsftpd. user_list is the second user list, and whether it acts as a deny list or an allow list is decided in the main configuration file (userlist_deny=YES, the default, rejects the listed users before they are even asked for a password; userlist_deny=NO allows only the listed users). The last file is a script for migrating an older FTP configuration.
    Once vsftpd is installed there is also an ftp directory under /var; this is the FTP shared directory
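How the two lists combine for a local login, as an added example in Python (not the page's own code and not vsftpd's). FTPUSERS and USER_LIST are constructed samples in the files' one-name-per-line format, with a made-up user bob added to the user_list to show the effect on an ordinary account; the function names are this example's own. The rules encoded are the ones documented in vsftpd.conf(5) and the pam_listfile line in /etc/pam.d/vsftpd.

```python
"""Which list blocks a local FTP login in vsftpd, and at which stage.

Added example, not part of the original post. FTPUSERS and USER_LIST are
constructed samples in the one-name-per-line format of /etc/vsftpd/ftpusers
and /etc/vsftpd/user_list (the real CentOS 6 files list the system accounts;
'bob' is added here only to show the effect of the lists on a normal user).
"""

FTPUSERS = """\
# Users that are not allowed to login via ftp
root
bin
daemon
"""

USER_LIST = """\
# vsftpd userlist
root
bin
daemon
bob
"""


def load_user_list(text):
    """One user name per line. A comment line can never equal a user name,
    so skipping '#' lines and blanks gives the same matches the daemon gets."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def local_login_decision(user, ftpusers, user_list,
                         userlist_enable=True, userlist_deny=True):
    """Return (allowed, reason) for a local-user login attempt.

    Stage 1: with userlist_enable=YES vsftpd reads user_list itself and,
    when userlist_deny=YES (the default), rejects a listed user before the
    password is even requested, so the password never crosses the wire.
    With userlist_deny=NO the same file becomes an allow list instead.

    Stage 2: ftpusers is not read by vsftpd; /etc/pam.d/vsftpd applies it
    through pam_listfile with sense=deny, so a listed user is rejected at
    password-check time. A deny at either stage is final; an 'allowed'
    result only means PAM goes on to verify the password.
    """
    if userlist_enable:
        if userlist_deny and user in user_list:
            return False, "user_list deny list: refused before password prompt"
        if not userlist_deny and user not in user_list:
            return False, "user_list allow list: user not listed"
    if user in ftpusers:
        return False, "ftpusers via pam_listfile: refused after password"
    return True, "password handed to PAM for verification"


if __name__ == "__main__":
    ftpusers = load_user_list(FTPUSERS)
    user_list = load_user_list(USER_LIST)
    for u in ("root", "bob", "alice"):
        print(u, local_login_decision(u, ftpusers, user_list))
```

The practical consequence: if a user must be kept off FTP, put the name in user_list (with userlist_enable=YES and the default userlist_deny=YES), because that refusal happens before the client has transmitted a cleartext password; ftpusers alone only rejects after the password has already been sent.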

    [root@xiaoluo vsftpd]# cd /var/ftp/
    [root@xiaoluo ftp]# ls
    pub
    

    3. FTP users and how files are shared
    vsftpd manages access by user: to reach a shared FTP directory you must log in as some specific user. The following kinds of user can be configured:
    ① Normal users (system users)
    Normal users are the operating system's own accounts; most of the services we install can be used by logging in with a system account
    First we start the vsftpd service. Here we begin with the graphical client that CentOS ships with and log in to our FTP server with the current system user

    [root@xiaoluo ftp]# service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    
        

    Enter the current system user name and password and you are logged in. After logging in as a system user the directory opened by default is that user's home directory, and the user can reach every file and directory it has permission to access


    ② Anonymous user (anonymous)
    This is a login method supported by virtually every FTP server: you can log in without supplying any credentials at all



    As we can see, we logged in to the FTP server without entering anything; that is an anonymous login.
    A system user named ftp exists by default (on CentOS it is part of the base install), and vsftpd runs anonymous sessions as this user. The anonymous login lands in /var/ftp/, and every file there that this user is allowed to read is shared with anonymous clients

    [root@xiaoluo ftp]# cat /etc/passwd | grep ftp
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    

    So why does our FTP server accept anonymous logins? Because of what is set in the vsftpd.conf configuration file

    [root@xiaoluo ftp]# cat /etc/vsftpd/vsftpd.conf 
    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=YES
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # The target log file can be vsftpd_log_file or xferlog_file.
    # This depends on setting xferlog_std_format parameter
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # The name of log file when xferlog_enable=YES and xferlog_std_format=YES
    # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
    #xferlog_file=/var/log/xferlog
    #
    # Switches between logging into vsftpd_log_file and xferlog_file files.
    # NO writes to vsftpd_log_file, YES to xferlog_file
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES
    #
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES
    
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    

    As we can see, anonymous_enable=YES in the configuration file is what permits anonymous logins; set it to NO and anonymous users can no longer log in. Two things to keep in mind: as the comment above the option warns, vsftpd treats a missing anonymous_enable as YES, so set it explicitly, and a trailing annotation on the same line (anything after YES or NO) is not a comment to vsftpd and makes it refuse to start with a bad bool value error
    ③ Virtual users (ftp-only)
    These are accounts created solely for FTP use; they are less commonly used

    Apart from the GUI client CentOS provides, we can also log in to FTP with a command-line tool; here we use lftp, which likewise has to be installed first

    [root@xiaoluo ~]# yum install -y lftp
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Loading mirror speeds from cached hostfile
     * base: ftp.nsysu.edu.tw
     * extras: ftp.nsysu.edu.tw
     * updates: ftp.twaren.net
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package lftp.x86_64 0:4.0.9-1.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package         Arch              Version                Repository       Size
    ================================================================================
    Installing:
     lftp            x86_64            4.0.9-1.el6            base            753 k
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 753 k
    Installed size: 2.5 M
    Downloading Packages:
    lftp-4.0.9-1.el6.x86_64.rpm                              | 753 kB     00:10     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : lftp-4.0.9-1.el6.x86_64                                      1/1 
      Verifying  : lftp-4.0.9-1.el6.x86_64                                      1/1 
    
    Installed:
      lftp.x86_64 0:4.0.9-1.el6                                                     
    
    Complete!
    

    Now we can use lftp to log in to the FTP server
    ① Log in directly with lftp 127.0.0.1

    [root@xiaoluo ~]# lftp 127.0.0.1
    lftp 127.0.0.1:~> pwd 
    ftp://127.0.0.1
    lftp 127.0.0.1:~> ls
    drwxr-xr-x 2 0 0 4096 Mar 01 10:16 pub
    

    This logs in as the anonymous user; after login we land in the shared directory /var/ftp, and pub is its subdirectory /var/ftp/pub
    ② Log in with lftp -u xiaoluo 127.0.0.1

    [root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
    Password: 
    lftp xiaoluo@127.0.0.1:~> pwd     
    ftp://xiaoluo@127.0.0.1
    lftp xiaoluo@127.0.0.1:~> ls
    drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
    drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
    

    PS: if the login succeeds but operations on the home directory are refused, SELinux is the usual cause (it is enforcing by default on newer distributions; this is SELinux, not the firewall). The author's fix is to turn SELinux off: as root, edit /etc/selinux/config with vim, change "SELINUX=enforcing" to "SELINUX=disabled", and then run the following (or reboot for the change to take effect):

    [root@xiaoluo ~]# setenforce 0

    A less drastic fix that keeps SELinux enforcing is to enable the FTP booleans instead, for example setsebool -P ftp_home_dir on so that local users can reach their home directories (and allow_ftpd_anon_write for an anonymous upload directory).
    

    With -u we can log in as a system user; after login the default directory is the user's home directory
    4. Uploading and downloading files over FTP
    ① Uploads and downloads as a normal user
    With lftp we can also upload and download files, using the put and get commands respectively
    For example, create a file xiaoluo.txt in user xiaoluo's home directory, then download it from the FTP server with get

    [xiaoluo@xiaoluo ~]$ touch xiaoluo.txt
    [xiaoluo@xiaoluo ~]$ ls
    Desktop    Downloads  Pictures  Templates  xiaoluo.txt
    Documents  Music      Public    Videos
    [xiaoluo@xiaoluo ~]$ su -
    Password: 
    [root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
    Password: 
    lftp xiaoluo@127.0.0.1:~> ls      
    drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
    drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
    -rw-rw-r--    1 500      500             0 Jun 08 16:20 xiaoluo.txt
    lftp xiaoluo@127.0.0.1:~> get xiaoluo.txt 
    lftp xiaoluo@127.0.0.1:~> exit                     
    [root@xiaoluo ~]# ls
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
    

    As we can see, we logged in as user xiaoluo and created xiaoluo.txt in that user's home directory, then switched to root, logged in with lftp and downloaded the file with get; the downloaded xiaoluo.txt now sits in root's home directory
    Note: whatever directory root was in when lftp was started is where downloaded files end up
    We can also upload files to the FTP server with the put command

    [root@xiaoluo ~]# touch root.txt
    [root@xiaoluo ~]# ls
    anaconda-ks.cfg  install.log         root.txt
    Desktop          install.log.syslog  xiaoluo.txt
    [root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
    Password: 
    lftp xiaoluo@127.0.0.1:~> put root.txt 
    lftp xiaoluo@127.0.0.1:~> ls                
    drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
    drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
    drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
    -rw-r--r--    1 500      500             0 Jun 08 16:26 root.txt
    -rw-rw-r--    1 500      500             0 Jun 08 16:20 xiaoluo.txt
    lftp xiaoluo@127.0.0.1:~> exit
    [root@xiaoluo ~]# cd /home/xiaoluo/
    [root@xiaoluo xiaoluo]# ls
    Desktop    Downloads  Pictures  root.txt   Videos
    Documents  Music      Public    Templates  xiaoluo.txt
    

    We created root.txt in root's home directory and uploaded it through user xiaoluo; switching to xiaoluo's home directory shows the file has been uploaded
    Note: when uploading or downloading over FTP, make sure the user has read and write permission on the directory!!!
    ② Uploads and downloads as the anonymous user
    After an anonymous login the shared directory is read-only by default, i.e. files can only be downloaded from it

    [root@xiaoluo ~]# cd /var/ftp/pub/
    [root@xiaoluo pub]# touch xiaoluo.txt
    [root@xiaoluo pub]# ls
    xiaoluo.txt
    [root@xiaoluo pub]# cd
    [root@xiaoluo ~]# lftp 127.0.0.1
    lftp 127.0.0.1:~> cd pub/
    lftp 127.0.0.1:/pub> ls
    -rw-r--r--    1 0        0               0 Jun 08 16:39 xiaoluo.txt
    lftp 127.0.0.1:/pub> get xiaoluo.txt 
    lftp 127.0.0.1:/pub> exit
    [root@xiaoluo ~]# ls
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
    

    So how do we configure anonymous uploads?
    (1) Edit the main vsftpd configuration file to enable anonymous uploads
    anonymous_enable=YES  --allow anonymous access (default)
    anon_upload_enable=YES  --allow anonymous users to upload files
    anon_mkdir_write_enable=YES  --allow anonymous users to create directories

    [root@xiaoluo ~]# vim /etc/vsftpd/vsftpd.conf 
    
    ...
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    anon_mkdir_write_enable=YES
    ...
    
    (only these two lines change; the rest of the file is exactly as in the listing in section 3)

    (2) Give the directory anonymous users upload into write permission

    [root@xiaoluo ~]# chmod 2777 /var/ftp/pub/
    [root@xiaoluo ~]# ls -ld /var/ftp/pub/
    drwxrwsrwx. 2 root root 4096 Jun 9 00:42 /var/ftp/pub/

    Mode 2777 makes pub world-writable (the leading 2 is setgid, so new entries inherit the directory's group). Anyone who can reach port 21 can now fill the disk, and since the directory is also world-readable they can list what others uploaded. The usual drop-box pattern is a separate subdirectory owned by the ftp user with mode 733 (write and search, no read), so anonymous clients can neither list nor fetch each other's uploads; vsftpd's default anon_world_readable_only=YES already stops anonymous downloads of the uploaded files, and chown_uploads can hand them to a different owner.
    

    Now restart the vsftpd service and anonymous users can upload files

    [root@xiaoluo ~]# service vsftpd restart
    Shutting down vsftpd:                                      [  OK  ]
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@xiaoluo ~]# ls
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog
    [root@xiaoluo ~]# touch xiaoluo.txt
    [root@xiaoluo ~]# ls
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
    [root@xiaoluo ~]# lftp 127.0.0.1
    lftp 127.0.0.1:~> cd pub/         
    lftp 127.0.0.1:/pub> ls
    lftp 127.0.0.1:/pub> put xiaoluo.txt 
    lftp 127.0.0.1:/pub> exit
    [root@xiaoluo ~]# cd /var/ftp/pub/
    [root@xiaoluo pub]# ls
    xiaoluo.txt
    

    We can see that the xiaoluo.txt created in root's home directory was uploaded through the anonymous login
    Note: do not set the anonymous user's home directory itself, /var/ftp, to 777; only a subdirectory may be made writable. vsftpd considers a writable anonymous root unsafe and refuses anonymous access if it is set up that way
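A small audit of the write-related switches in vsftpd.conf, as an added example in Python (not from the original post or from vsftpd). SAMPLE_CONF is a constructed excerpt of the effective lines of the configuration the post ends with, HARDENED_CONF a constructed alternative for comparison, and the finding codes and function names are this example's own; the option names and compiled-in defaults are the ones documented in vsftpd.conf(5).

```python
"""Audit the switches in a vsftpd.conf that decide who can write what.

Added example, not part of the original post or of vsftpd. SAMPLE_CONF is a
constructed excerpt of the effective lines of the configuration the post ends
with; HARDENED_CONF is a constructed alternative for comparison.
"""

SAMPLE_CONF = """\
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
connect_from_port_20=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""

HARDENED_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30100
listen=YES
userlist_enable=YES
"""

# Compiled-in defaults (vsftpd.conf(5)) of the booleans the audit consults.
DEFAULTS = {
    "anonymous_enable": True, "local_enable": False, "write_enable": False,
    "anon_upload_enable": False, "anon_mkdir_write_enable": False,
    "anon_world_readable_only": True, "chroot_local_user": False,
    "ssl_enable": False, "pasv_enable": True, "listen": False,
    "listen_ipv6": False,
}
BOOL_TOKENS = {"yes": True, "true": True, "1": True,
               "no": False, "false": False, "0": False}


def parse_conf(text):
    """option=value per line; '#' lines and blank lines are ignored."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected option=value" % lineno)
        key, _, value = line.partition("=")
        options[key.strip()] = value
    return options


def get_bool(options, key):
    """vsftpd accepts only YES/NO-style tokens: a trailing annotation such as
    'YES  // allow anonymous' makes it refuse to start with
    '500 OOPS: bad bool value in config file', so mirror that strictness."""
    value = options.get(key)
    if value is None:
        return DEFAULTS[key]
    try:
        return BOOL_TOKENS[value.strip().lower()]
    except KeyError:
        raise ValueError("bad bool value for %s: %r" % (key, value))


def audit(text):
    """Return the finding codes for one configuration text."""
    opts = parse_conf(text)
    on = lambda key: get_bool(opts, key)
    findings = []
    if on("anonymous_enable") and on("write_enable"):
        if on("anon_upload_enable"):
            findings.append("ANON_UPLOAD")
        if on("anon_mkdir_write_enable"):
            findings.append("ANON_MKDIR")
        if not on("anon_world_readable_only"):
            findings.append("ANON_DOWNLOADS_UPLOADS")
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("LOCAL_USERS_NOT_CHROOTED")  # can browse the whole filesystem
    if not on("ssl_enable"):
        findings.append("PLAINTEXT_CREDENTIALS")
    if on("pasv_enable") and not ("pasv_min_port" in opts and "pasv_max_port" in opts):
        findings.append("PASV_RANGE_UNBOUNDED")  # firewall cannot pin the data ports
    if on("listen") and on("listen_ipv6"):
        findings.append("LISTEN_CONFLICT")  # vsftpd rejects both at once
    return findings


if __name__ == "__main__":
    print("post's config :", audit(SAMPLE_CONF))
    print("hardened      :", audit(HARDENED_CONF))
```

HARDENED_CONF is only a sketch: ssl_enable=YES also needs rsa_cert_file and rsa_private_key_file pointing at a certificate, and from vsftpd 2.3.5 onwards chroot_local_user=YES refuses logins into a writable home directory unless allow_writeable_chroot=YES (vsftpd 3.0 and later) is set; the 2.2.2 build installed on this page does not have that check.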

    Original link: https://www.haomeiwen.com/subject/svmelttx.html