
维金病毒的最新处理方法!

2007-01-12 07:52 302 查看
一.FTP 基本配置。

1. [root@michael ~]# rpm -qa | grep vsftpd

vsftpd-2.0.1-5.EL4.5

[root@michael ~]# rpm -qa | grep vsftpd*

vsftpd-2.0.1-5.EL4.5

2. [root@michael ~]# vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf

#

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

#

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's

# capabilities.

#

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).

anonymous_enable=YES

#

# Uncomment this to allow local users to log in.

local_enable=YES

#

# Uncomment this to enable any form of FTP write command.

write_enable=YES

#

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

local_umask=022

3. [root@michael ~]# grep -v "#" /etc/vsftpd/vsftpd.conf

anonymous_enable=YES

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES

connect_from_port_20=YES

xferlog_std_format=YES

pam_service_name=vsftpd

userlist_enable=YES

listen=YES

tcp_wrappers=YES

4. [root@michael ~]# head -5 /etc/vsftpd.ftpusers <users listed in this file are denied login to the vsftpd server>

# Users that are not allowed to login via ftp

root

bin

daemon

adm

5. [root@michael ~]# head /etc/vsftpd.user_list <users listed in this file are also denied login to the vsftpd server>

# vsftpd userlist

# If userlist_deny=NO, only allow users in this file

# If userlist_deny=YES (default), never allow users in this file, and

# do not even prompt for a password.

# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers

# for users that are denied.

root

bin

daemon

adm

注意:要是想让这两个文件中列出的某个用户能够 login vsftpd server,就必须从这两个文件中都 del 该用户;只从其中一个文件中 del,该用户仍然 nologin vsftpd server。(root 和系统账号默认就列在这两个文件里,应保持 deny。)

重点:file “/etc/vsftpd/vsftpd.conf” and “/etc/vsftpd.user_list” 是配合起来使用的。

One: relevant vsftpd.conf settings.

“userlist_enable=YES”: users listed in the user_list file cannot login to the vsftpd server; users NOT listed in user_list can login.

“userlist_enable=NO”: users listed in the user_list file can login to the vsftpd server, but (但是) the same (一样) users must also be deleted from the vsftpd.ftpusers file; users NOT listed in user_list cannot login to the vsftpd server.

6. [root@michael ~]# ls -l /var/ftp <the root directory that anonymous users see after login to vsftpd>

total 8

drwxr-xr-x 2 root root 4096 May 24 2006 pub

7. [root@michael ~]# chkconfig --list vsftpd

vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@michael ~]# chkconfig --level 35 vsftpd on

[root@michael ~]# chkconfig --level 35 vsftpd on

[root@michael ~]# chkconfig --list vsftpd

vsftpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

[root@michael ~]# service vsftpd status

vsftpd (pid 3643) is running...

8. Test user logins to the ftp server.

“Anonymous user login”

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): ftp/anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,5,1,201,214)

150 Here comes the directory listing.

drwxr-xr-x 2 0 0 4096 May 24 2006 pub

226 Directory send OK.

ftp>

“local user login ftp server”

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,5,1,186,149)

150 Here comes the directory listing.

226 Directory send OK.

ftp> ll

?Invalid command

ftp> ls -al

227 Entering Passive Mode (192,168,5,1,66,115)

150 Here comes the directory listing.

drwx------ 3 500 500 4096 Jul 30 10:13 .

drwxr-xr-x 5 0 0 4096 Jul 30 14:50 ..

-rw------- 1 500 500 10 Jul 30 10:13 .bash_history

-rw-r--r-- 1 500 500 24 Jul 30 10:10 .bash_logout

-rw-r--r-- 1 500 500 191 Jul 30 10:10 .bash_profile

-rw-r--r-- 1 500 500 124 Jul 30 10:10 .bashrc

-rw-r--r-- 1 500 500 383 Jul 30 10:10 .emacs

-rw-r--r-- 1 500 500 120 Jul 30 10:10 .gtkrc

drwxr-xr-x 3 500 500 4096 Jul 30 10:10 .kde

-rw-r--r-- 1 500 500 658 Jul 30 10:10 .zshrc

226 Directory send OK.

ftp> pwd

257 "/home/abc"

ftp> quit

221 Goodbye.

9. Config ftp local user login ftp server 锁定在自己的目录中。

方法1

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/home/abc"

ftp> cd /

250 Directory successfully changed.

ftp> pwd'^H

?Invalid command

ftp> pwd

257 "/"

ftp>

[root@michael ~]# vi /etc/vsftpd/vsftpd.conf

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

#chroot_list_enable=YES

# (default follows)

#chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

chroot_local_user=YES <added to the config file>

"/etc/vsftpd/vsftpd.conf" 111L, 4166C written

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [FAILED]

Starting vsftpd for vsftpd: [ OK ]

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,5,1,144,252)

150 Here comes the directory listing.

226 Directory send OK.

ftp> pwd

257 "/"

ftp> cd /home

550 Failed to change directory.

ftp> pwd

257 "/"

ftp>

方法2

[root@michael etc]# vi /etc/vsftpd/vsftpd.conf

#ftpd_banner=Welcome to blah FTP service.

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

chroot_local_user=YES (“add”)

chroot_list_enable=YES (“del #”)

# (default follows)

chroot_list_file=/etc/vsftpd.chroot_list (“del #”; then create the file /etc/vsftpd.chroot_list and add the relevant users to it)

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

pam_service_name=vsftpd

"/etc/vsftpd/vsftpd.conf" 111L, 4164C 96,1 95%

[root@michael etc]# vi /etc/vsftpd.chroot_list

abc1

~

~

~"/etc/vsftpd.chroot_list" 1L, 5C

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> quit

221 Goodbye.

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/home/abc1"

ftp> quit

221 Goodbye.

[root@michael ~]#

[root@michael ~]# vi /etc/vsftpd/vsftpd.conf

#ftpd_banner=Welcome to blah FTP service.

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

#chroot_local_user=YES

chroot_list_enable=YES

# (default follows)

chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

pam_service_name=vsftpd

"/etc/vsftpd/vsftpd.conf" 111L, 4165C written

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/home/abc"

ftp> quit

221 Goodbye.

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> qui

重点讲说:方法2

“chroot_local_user=YES”

“chroot_list_enable=YES”

Users listed in vsftpd.chroot_list are NOT isolated (隔离) — they are not chrooted.

Users NOT listed in vsftpd.chroot_list are isolated (chrooted).

“#chroot_local_user=YES”

“chroot_list_enable=YES”

Users listed in vsftpd.chroot_list are isolated (chrooted).

Users NOT listed in vsftpd.chroot_list are not isolated.

二.FTP SERVER 虚拟用户配置。

1.建立虚拟用户口令库文件。

[root@michael ~]# vi logins.txt

aaa

422135Sa

bbb

422135Sa

~"logins.txt" [New] 5L, 27C written

[root@michael ~]# ls

Desktop anaconda-ks.cfg install.log install.log.syslog logins.txt

2.生成vsftpd的认证文件。

[root@michael ~]# db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db

[root@michael ~]# file /etc/vsftpd/vsftpd_login.db

/etc/vsftpd/vsftpd_login.db: Berkeley DB (Hash, version 8, native byte-order)

[root@michael ~]# rm logins.txt

rm: remove regular file `logins.txt'? y

[root@michael ~]# ls

Desktop anaconda-ks.cfg install.log install.log.syslog

[root@michael ~]# chmod 600 /etc/vsftpd/vsftpd_login.db

[root@michael ~]# ll /etc/vsftpd/vsftpd_login.db

-rw------- 1 root root 12288 Aug 4 02:56 /etc/vsftpd/vsftpd_login.db

3. 建立虚拟用户所需的PAM配置文件,名称为 vsftpd.vu。

[root@michael ~]# vi /etc/pam.d/vsftpd.vu

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

~

~"/etc/pam.d/vsftpd.vu" [New] 2L, 143C written

[root@michael ~]# cat /etc/pam.d/vsftpd.vu

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

4.建立虚拟用户及要访问的目录并设置相关的权限。

[root@michael ~]# useradd -d /home/ftpsite virtual

[root@michael ~]# chmod 700 /home/ftpsite

[root@michael ~]# cd

[root@michael ~]# cd /home

[root@michael home]# ls

abc abc1 ftpsite fung

[root@michael home]# ll

total 16

drwx------ 3 abc abc 4096 Jul 30 18:13 abc

drwx------ 3 abc1 abc1 4096 Jul 30 18:15 abc1

drwx------ 3 virtual virtual 4096 Aug 4 03:10 ftpsite

drwx------ 3 fung fung 4096 Jul 30 22:50 fung

5.设置vsftpd.conf config file

[root@michael ~]# vi /etc/vsftpd/vsftpd.conf

#ftpd_banner=Welcome to blah FTP service.

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

#chroot_local_user=YES

chroot_list_enable=YES

# (default follows)

chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

guest_enable=YES “add”

guest_username=virtual “add”

pam_service_name=vsftpd.vu “在vsftpd 后面加上 .vu”

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

"/etc/vsftpd/vsftpd.conf" 115L, 4248C written

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

6. Test vsftpd login with the 虚拟用户账号。

[root@michael ~]# touch /home/ftpsite/file

[root@michael ~]# chown virtual:virtual /home/ftpsite/file

[root@michael ~]# cd /home

[root@michael home]# ll

total 16

drwx------ 3 abc abc 4096 Jul 30 18:13 abc

drwx------ 3 abc1 abc1 4096 Jul 30 18:15 abc1

drwx------ 3 virtual virtual 4096 Aug 4 03:18 ftpsite

drwx------ 3 fung fung 4096 Jul 30 22:50 fung

[root@michael home]# cd ftpsite/

[root@michael ftpsite]# ls

file

[root@michael ftpsite]# ll

total 0

-rw-r--r-- 1 virtual virtual 0 Aug 4 03:18 file

[root@michael ftpsite]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root):aaa

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

7.为虚拟用户设置不同的权限。

[root@michael ~]# vi /etc/vsftpd/vsftpd.conf

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

chroot_local_user=YES

chroot_list_enable=YES

# (default follows)

chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

guest_enable=YES

guest_username=feng

pam_service_name=vsftpd.vu

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

user_config_dir=/etc/vsftpd_user_conf (“add” 此项)

"/etc/vsftpd/vsftpd.conf" 115L, 4243C written

[root@michael ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

注意: the “/etc/vsftpd_user_conf” directory holds the per-user config files for the virtual users.

[root@michael ~]# mkdir /etc/vsftpd_user_conf

[root@michael ~]# ls /etc/vsftpd_user_conf/

[root@michael ~]# ll /etc/vsftpd_user_conf/

total 0

[root@michael ~]#

[root@michael ~]# vi /etc/vsftpd_user_conf/aaa

anon_world_readable_only=NO (表示用户可以浏览FTP目录和下载文件)

anon_upload_enable=YES (表示用户能上传文件)

anon_mkdir_write_enable=YES (表示用户可以建立和DEL目录的)

anon_other_write_enable=YES (表示用户可以为文件改名和DEL文件)

~

~

"/etc/vsftpd_user_conf/mike" [New] 4L, 107C written

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): aaa

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,5,1,47,245)

150 Here comes the directory listing.

-rwx------ 1 503 503 0 Aug 03 19:45 file

226 Directory send OK.

ftp> ll

?Invalid command

ftp> ls -al

227 Entering Passive Mode (192,168,5,1,226,99)

150 Here comes the directory listing.

drwx------ 3 503 503 4096 Aug 03 19:45 .

drwx------ 3 503 503 4096 Aug 03 19:45 ..

-rwx------ 1 503 503 24 Aug 03 19:42 .bash_logout

-rwx------ 1 503 503 191 Aug 03 19:42 .bash_profile

-rwx------ 1 503 503 124 Aug 03 19:42 .bashrc

-rwx------ 1 503 503 383 Aug 03 19:42 .emacs

-rwx------ 1 503 503 120 Aug 03 19:42 .gtkrc

drwx------ 3 503 503 4096 Aug 03 19:42 .kde

-rwx------ 1 503 503 658 Aug 03 19:42 .zshrc

-rwx------ 1 503 503 0 Aug 03 19:45 file

226 Directory send OK.

ftp> quit

221 Goodbye.

重点: in the “/etc/vsftpd_user_conf” directory each virtual user can have his own (自己的) config file; the config file name is the user's name.

例如:aaa bbb

Vi /etc/vsftpd_user_conf/aaa……….

Vi /etc/vsftpd_user_conf/bbb……..

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): abc

331 Please specify the password.

Password:

530 Login incorrect.

Login failed.

ftp> quit

221 Goodbye.

[root@michael ~]# ftp 192.168.5.1

Connected to 192.168.5.1.

220 (vsFTPd 2.0.1)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.5.1:root): ftp

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,5,1,55,75)

150 Here comes the directory listing.

drwxr-xr-x 2 0 0 4096 May 24 2006 pub

226 Directory send OK.

ftp> quit

221 Goodbye.

注意:启用了虚拟用户以后,只有虚拟用户和匿名用户可以 LOGIN FTP SERVER,其它用户都不能 LOGIN FTP SERVER。

8. 一些典型的 FTP SERVER 设置

max_clients=0 “FTP 允许客户端的最大连接数,0 表示不限制”

max_per_ip=0 “同一IP地址允许客户端的最大连接数,0 表示不限制”

local_max_rate=0 “本地用户最大的传输速率,0 表示不限制”

anon_max_rate=0 “匿名用户最大的传输速率,0 表示不限制”
本文出自 “michaelfung_专栏” 博客,转载请与作者联系!