这两天在LINUX下架设了FTP服务器,具体步骤和大家分享一下

我的LINUX发行版本是fedora14, FTP采用vsftpd RPM包形式!

1、安装RPM包

#yum install vsftpd

这样安装比较方便,不用用户太多的配置

在安好该服务之后,用户可以通过修改/etc/rc.d来设置让其是否开机自动运行

也可以通过setup 设置系统服务

2、现在我们看一下vsftpd的配置文件,其存储在/etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#是否允许匿名用户登陆FTP 服务器
#
# Uncomment this to allow local users to log in.
local_enable=YES
#是否允许本地用户登陆FTP 服务器,其能正常登陆还需要看pam的配置情况
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#仅仅表示vsftpd接受写命令,能为操作成功还需要看权限设置情况,但设为NO之后,客户端将不能上传文件
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
#初始的权限值
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#匿名用户允许上传文件
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
#表示匿名用户可以创建子目录
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
#用户进入目录后的提示信息,保存在.messages方件中
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
#启用日志功能,其默认的存储路径为:/var/log/vsftpd.log,后面有专门的设置参数
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
#是否一值使用20,
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#此处就为设置日志存放位置
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#日志采用标准模式
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
#如果在600秒内没有请求,则断开,目的是为了减轻服务器的负担
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
#数据连接的超时值为120秒,无响应没断开
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#处于非特权状态,默认是nobody
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#支持异步命令
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#表示上传和下载允许ASCII模式,容易被DOS攻击,默认是NO
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#要显示的欢迎信息,可以隐藏服务器的相关信息,如果是文件后面可以根上信息文件的地址
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
#拒绝使用邮件帐号作为匿名用户的登陆密码,
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#目的是为了使自动工具失效
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#允许转到上及目录
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#ls -R 列出整个目录数的内容。是否充许,默认不允许,因为这样会加大服务器的负载,防止恶意攻击
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
#以独立方式启用,但ipv4,ipv6不能在同一设置中同时设为yes
#
pam_service_name=vsftpd
#pam 认证  /etc/pam.d/
userlist_enable=YES
#表示拒拒绝在以下文件中的用户
tcp_wrappers=YES
#
 

3、上面是vsftpd服务器的配置文件,下面我们来具体的操作

3.1首先是匿名用户的设置:

在安好之后,匿名用户默认是允许登陆的,其取决于配置文件中的:

#anonymous_enable=YES
但是匿名用户默认情况下没有上传功能的。下面修改配置文件中的

#write_enable=YES       //增加写功能
#anon_upload_enable =YES  //允许上传

这样在配置文件中已经是充许匿名用户上传文件了,为什么还是不能呢,则肯定是用户权限不足,所以需要修改用户权限,假如有一文件夹upload,我们用以下命令使其享有权限

#chown  ftp.ftp upload  //此时一般况下,就可以上传,但有些地方安全级别过高,由于SELINUX的阻止,不能上传,这时用户只需要修改自己的SELINUX的设置就可以了

匿名用户可以上传文件了,但是一般情况下,用户不能删除文件,如要开放其功能,则加入以下配置

#anon_other_write_enable=YES  充许另外的写命令,包括删除命令

#anon_mkdir_write_enable=YES 充许创建子目录(这些可以根据服务器具体的用途开放相应的功能)
 

3.2虚拟用户的配置

vsftpd的本地用户本身是操作系统的用户,除了可以登陆FTP服务器之处,还可以登陆操作系统。而虚拟用户则是FTP服务的专用用户,虚拟用户只能访问FTP服务器资源。对于只需要通过FTP对系统有读写权限,而不需要其他系统资源的用户或情况来说,采用虚拟用户是最合适的

vsftpd的虚拟用户彩用单独的用户名/口令保存方式,与操作系统帐号分开存放,可提高系统的安全性。vsftpd可以采用数据库文件来保存用户/口令。下面我们简单的配置一下

首先我们需要一个用户认证数据库我们可以使用如下命令

#vi ftpusr.txt

   其中的内容按行存储,单行为用户名,双行为密码

 如 lopn1 
       123456
       lopn2
       abcdef                               

     

# db_load -T -t hash -f ./ftpuser.txt /etc/vsftpd/ftpusr.db  生成ftpusr.db认证数据库

#chmod 600 /etc/vsftpd/ftpuser.db

 注:进行此操作之前必须要确保本机db环境以安装,可以使用

# rpm -qa | grep db4
或#yum install db4

之后建立pam认证文件

#vi /etc/pam.d/vsftpd_login

录入以下两行内容

auth required /lib/security/pam_userdb.so db = /etc/vsftpd/ftpusr.db
account required /lib/security/pam_userdb.so db = /etc/vsftpd/ftpusr.db
 

然后为虚拟用户新建一个本地帐号

# useradd -d /home/ftpsite =s /sbin/nologin ftp_virt  此含义为:新建一个ftp_virt帐号,主目录为/home/ftpsite 不能登陆系统


修改配置文件:
# guest_enable = YES   表示启用虚拟用户帐号
# guest_username = ftp_virt  表示虚拟用户账号对应的系统帐号
#pam_service_name=vsftpd_login
#此时系统用户不能登陆,因为认证文件只认证虚拟用户
 

此时虚拟用户就可以登陆了!

 3.3虚拟用户权限设置

#virtual_use_local_privs = YES  使虚拟用户的权限由本地用户的权限来决定

我们也可以为虚拟用户分别设置权限,此处只做简单的介绍,我们为每个虚拟设置不同的主目录

在配置文件中加入
  user_config_dir = /etc/vsftpd   用户的认证配置


#cd /home/ftpsite
#mkdir lopn1
#mkdir lopn2
#chown ftp_virt lopn1
#chown ftp_virt lopn2
#vi /etc/vsftpd/usr1  
录入: local_root = /home/ftpsite/lopn1
#vi /etc/vsftpd/usr2
录入:local_root = /home/ftpsite/lopn2
#

这样虚拟用户也就配置好了!

4、注:1、每一次修改都应该重新启动服务,才能使配置生效

             2、在使用的时候,在本机测试正常,但从其他电脑无法方法,也有可以是由于防火墙的阻止,可以用以下命令清除防火墙规则:
#iptables -F