安装 vsftpd 服务端和 ftp 客户端

[root@c7 ~]# yum install vsftpd ftp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 8.7 kB 00:00:00
* base: mirrors.aliyun.com
* epel: mirrors.neusoft.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
docker-ce-stable | 3.5 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(2/2): epel/x86_64/primary_db | 6.9 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package ftp.x86_64 0:0.17-67.el7 will be installed
---> Package vsftpd.x86_64 0:3.0.2-28.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================
Package Arch Version Repository Size
===================================================================================
Installing:
ftp x86_64 0.17-67.el7 base 61 k
vsftpd x86_64 3.0.2-28.el7 base 172 k

Transaction Summary
===================================================================================
Install 2 Packages

Total download size: 232 k
Installed size: 449 k
Is this ok [y/d/N]: y
Is this ok [y/d/N]: y
Downloading packages:
(1/2): ftp-0.17-67.el7.x86_64.rpm | 61 kB 00:00:00
(2/2): vsftpd-3.0.2-28.el7.x86_64.rpm | 172 kB 00:00:01
-----------------------------------------------------------------------------------
Total 209 kB/s | 232 kB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ftp-0.17-67.el7.x86_64 1/2
Installing : vsftpd-3.0.2-28.el7.x86_64 2/2
Verifying : vsftpd-3.0.2-28.el7.x86_64 1/2
Verifying : ftp-0.17-67.el7.x86_64 2/2

Installed:
ftp.x86_64 0:0.17-67.el7 vsftpd.x86_64 0:3.0.2-28.el7

Complete!

[root@c7 ~]# systemctl start vsftpd.service
[root@c7 ~]# ftp localhost # 使用 ftp 客户端连接本地 ftp 服务
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:root): ftp
331 Please specify the password.
Password: # 匿名登录(用户名 ftp 或 anonymous)时密码可以留空
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit # 退出
221 Goodbye.
[root@c7 ~]# ls /var/ftp/ # 匿名用户登录后的默认根目录
pub
[root@c7 ~]# echo 123456 | passwd --stdin user # 通过标准输入(--stdin)设置 user 的密码;123456 仅为演示用的弱口令,且会留在 shell 历史记录中
Changing password for user user.
passwd: all authentication tokens updated successfully.
[root@c7 ~]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:root): user # 既可以匿名登录 也可以用本地用户登录
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

配置文件: /etc/vsftpd/vsftpd.conf(下面每行开头的数字是行号;指令行末尾的中文说明是本文添加的注解,vsftpd 不支持行尾注释,实际配置文件中不要保留)

 

1 # Example config file /etc/vsftpd/vsftpd.conf
2 #
3 # The default compiled in settings are fairly paranoid. This sample file
4 # loosens things up a bit, to make the ftp daemon more usable.
5 # Please see vsftpd.conf.5 for all compiled in defaults.
6 #
7 # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
8 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
9 # capabilities.
10 #
11 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
12 anonymous_enable=YES # 允许匿名登录ftp YES 必须大写;注释掉此行仍默认允许匿名,不需要匿名访问时应显式设为 NO
13 #
14 # Uncomment this to allow local users to log in.
15 # When SELinux is enforcing check for SE bool ftp_home_dir
16 local_enable=YES # 是否支持本地用户
17 #
18 # Uncomment this to enable any form of FTP write command.
19 write_enable=YES # 全局写入开关:是否允许任何形式的 FTP 写入命令(不仅限于本地用户)
20 #
21 # Default umask for local users is 077. You may wish to change this to 022,
22 # if your users expect that (022 is used by most other ftpd's)
23 local_umask=022
24 #
25 # Uncomment this to allow the anonymous FTP user to upload files. This only
26 # has an effect if the above global write enable is activated. Also, you will
27 # obviously need to create a directory writable by the FTP user.
28 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
29 #anon_upload_enable=YES
30 #
31 # Uncomment this if you want the anonymous FTP user to be able to create
32 # new directories.
33 #anon_mkdir_write_enable=YES
34 #
35 # Activate directory messages - messages given to remote users when they
36 # go into a certain directory.
37 dirmessage_enable=YES
38 #
39 # Activate logging of uploads/downloads.
40 xferlog_enable=YES
41 #
42 # Make sure PORT transfer connections originate from port 20 (ftp-data).
43 connect_from_port_20=YES
45 # If you want, you can arrange for uploaded anonymous files to be owned by
46 # a different user. Note! Using "root" for uploaded files is not
47 # recommended!
48 #chown_uploads=YES
49 #chown_username=whoever
50 #
51 # You may override where the log file goes if you like. The default is shown
52 # below.
53 #xferlog_file=/var/log/xferlog
54 #
55 # If you want, you can have your log file in standard ftpd xferlog format.
56 # Note that the default log file location is /var/log/xferlog in this case.
57 xferlog_std_format=YES
58 #
59 # You may change the default value for timing out an idle session.
60 #idle_session_timeout=600
61 #
62 # You may change the default value for timing out a data connection.
63 #data_connection_timeout=120
64 #
65 # It is recommended that you define on your system a unique user which the
66 # ftp server can use as a totally isolated and unprivileged user.
67 #nopriv_user=ftpsecure
68 #
69 # Enable this and the server will recognise asynchronous ABOR requests. Not
70 # recommended for security (the code is non-trivial). Not enabling it,
71 # however, may confuse older FTP clients.
72 #async_abor_enable=YES
73 #
74 # By default the server will pretend to allow ASCII mode but in fact ignore
75 # the request. Turn on the below options to have the server actually do ASCII
76 # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
77 # the behaviour when these options are disabled.
78 # Beware that on some FTP servers, ASCII support allows a denial of service
79 # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
80 # predicted this attack and has always been safe, reporting the size of the
81 # raw file.
82 # ASCII mangling is a horrible feature of the protocol.
83 #ascii_upload_enable=YES
84 #ascii_download_enable=YES
85 #
86 # You may fully customise the login banner string:
87 #ftpd_banner=Welcome to blah FTP service.
88 #
89 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
90 # useful for combatting certain DoS attacks.
91 #deny_email_enable=YES
92 # (default follows)
93 #banned_email_file=/etc/vsftpd/banned_emails
94 #
95 # You may specify an explicit list of local users to chroot() to their home
96 # directory. If chroot_local_user is YES, then this list becomes a list of
97 # users to NOT chroot().
98 # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
99 # the user does not have write access to the top level directory within the
100 # chroot)
101 #chroot_local_user=YES
102 #chroot_list_enable=YES
103 # (default follows)
104 #chroot_list_file=/etc/vsftpd/chroot_list
105 #
106 # You may activate the "-R" option to the builtin ls. This is disabled by
107 # default to avoid remote users being able to cause excessive I/O on large
108 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
109 # the presence of the "-R" option, so there is a strong case for enabling it.
110 #ls_recurse_enable=YES
111 #
112 # When "listen" directive is enabled, vsftpd runs in standalone mode and
113 # listens on IPv4 sockets. This directive cannot be used in conjunction
114 # with the listen_ipv6 directive.
115 listen=NO
116 #
117 # This directive enables listening on IPv6 sockets. By default, listening
118 # on the IPv6 "any" address (::) will accept connections from both IPv6
119 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
120 # sockets. If you want that (perhaps because you want to listen on specific
121 # addresses) then you must run two copies of vsftpd with two configuration
122 # files.
123 # Make sure, that one of the listen options is commented !!
124 listen_ipv6=YES
125
126 pam_service_name=vsftpd
127 userlist_enable=YES # 是否启用用户名单(黑/白名单);默认 userlist_deny=YES,即名单中的用户被拒绝登录
128 tcp_wrappers=YES

 查看SELinux的参数配置:

[root@c7 ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
condor_tcp_network_connect --> off
conman_can_network --> off
conman_use_nfs --> off
container_connect_any --> off
container_manage_cgroup --> off
container_use_cephfs --> off
cron_can_relabel --> off
cron_system_cronjob_use_shares --> off
cron_userdomain_transition --> on
cups_execmem --> off
cvs_read_shadow --> off
daemons_dump_core --> off
daemons_enable_cluster_mode --> off
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
dbadm_exec_content --> on
dbadm_manage_user_files --> off
dbadm_read_user_files --> off
deny_execmem --> off
deny_ptrace --> off
dhcpc_exec_iptables --> off
dhcpd_use_ldap --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
entropyd_use_audio --> on
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
fips_mode --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
ganesha_use_fusefs --> off
git_cgi_enable_homedirs --> off
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
git_session_bind_all_unreserved_ports --> off
git_session_users --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
gitosis_can_sendmail --> off
glance_api_can_network --> off
glance_use_execmem --> off
glance_use_fusefs --> off
global_ssp --> off
gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> off
gpg_web_anon_write --> off
gssd_read_tmp --> on
guest_exec_content --> on
haproxy_connect_any --> off
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
icecast_use_any_tcp_ports --> off
irc_use_any_tcp_ports --> off
irssi_use_full_network --> off
kdumpgui_run_bootloader --> off
keepalived_connect_any --> off
kerberos_enabled --> on
ksmtuned_use_cifs --> off
ksmtuned_use_nfs --> off
logadm_exec_content --> on
logging_syslogd_can_sendmail --> off
logging_syslogd_run_nagios_plugins --> off
logging_syslogd_use_tty --> on
login_console_enabled --> on
logrotate_read_inside_containers --> off
logrotate_use_nfs --> off
logwatch_can_network_connect_mail --> off
lsmd_plugin_connect_any --> off
mailman_use_fusefs --> off
mcelog_client --> off
mcelog_exec_scripts --> on
mcelog_foreground --> off
mcelog_server --> off
minidlna_read_generic_user_content --> off
mmap_low_allowed --> off
mock_enable_homedirs --> off
mount_anyfile --> on
mozilla_plugin_bind_unreserved_ports --> off
mozilla_plugin_can_network_connect --> off
mozilla_plugin_use_bluejeans --> off
mozilla_plugin_use_gps --> off
mozilla_plugin_use_spice --> off
mozilla_read_content --> off
mpd_enable_homedirs --> off
mpd_use_cifs --> off
mpd_use_nfs --> off
mplayer_execstack --> off
mysql_connect_any --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> off
nagios_use_nfs --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> off
neutron_can_network --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
nis_enabled --> off
nscd_use_shm --> on
openshift_use_nfs --> off
openvpn_can_network_connect --> on
openvpn_enable_homedirs --> on
openvpn_run_unconfined --> off
pcp_bind_all_unreserved_ports --> off
pcp_read_generic_logs --> off
piranha_lvs_can_network_connect --> off
polipo_connect_all_unreserved --> off
polipo_session_bind_all_unreserved_ports --> off
polipo_session_users --> off
polipo_use_cifs --> off
polipo_use_nfs --> off
polyinstantiation_enabled --> off
postfix_local_write_mail_spool --> on
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
prosody_bind_http_port --> off
puppetagent_manage_all_files --> off
puppetmaster_use_db --> off
racoon_read_shadow --> off
radius_use_jit --> off
redis_enable_notify --> off
rpcd_use_fusefs --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_enable_home_dirs --> off
sanlock_use_fusefs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
saslauthd_read_shadow --> off
secadm_exec_content --> on
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
selinuxuser_direct_dri_enabled --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> off
selinuxuser_ping --> on
selinuxuser_postgresql_connect_enabled --> off
selinuxuser_rw_noexattrfile --> on
selinuxuser_share_music --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
selinuxuser_use_ssh_chroot --> off
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
smbd_anon_write --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
spamd_update_can_network --> off
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
staff_exec_content --> on
staff_use_svirt --> off
swift_can_network --> off
sysadm_exec_content --> on
telepathy_connect_all_ports --> off
telepathy_tcp_connect_generic_network_ports --> on
tftp_anon_write --> off
tftp_home_dir --> off
tmpreaper_use_cifs --> off
tmpreaper_use_nfs --> off
tmpreaper_use_samba --> off
tomcat_can_network_connect_db --> off
tomcat_read_rpm_db --> off
tomcat_use_execmem --> off
tor_bind_all_unreserved_ports --> off
tor_can_network_relay --> off
unconfined_chrome_sandbox_transition --> on
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
unprivuser_use_svirt --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_exec_content --> on
varnishd_connect_any --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_audit --> on
virt_sandbox_use_fusefs --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_glusterd --> off
virt_use_nfs --> on
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_bind_vnc_tcp_port --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xdm_write_home --> off
xen_use_nfs --> off
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zabbix_run_sudo --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off

对于 SELinux的一些设置

[root@c7 ~]# getsebool -a | grep ftpd
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off

[root@c7 ~]# setsebool -P ftpd_use_nfs 1 # 允许 ftpd 访问 NFS 挂载的文件系统(并非启动 nfs 服务);-P 表示重启后仍然生效
[root@c7 ~]# getsebool -a | grep ftpd # 查看是否设置成功
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> on
ftpd_use_passive_mode --> off

 

[root@c7 ~]# vim /etc/vsftpd/vsftpd.conf
[root@c7 ~]# systemctl restart vsftpd.service
[root@c7 ~]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !ls # 在本地(客户端)执行 ls,列出本地当前目录下的文件
1 anaconda-ks.cfg original-ks.cfg
ftp> put anaconda-ks.cfg # 上传
local: anaconda-ks.cfg remote: anaconda-ks.cfg
229 Entering Extended Passive Mode (|||51760|).
550 Permission denied. # 没有权限(可能的原因:目标目录的文件权限,或 SELinux 为 enforcing 时未放行写入,可检查上面的 ftpd_full_access 等布尔值)
ftp> get original-ks.cfg # 下载(get 取的是服务器端的文件;远端目录下若没有该文件,就会返回下面的 550)
local: original-ks.cfg remote: original-ks.cfg
229 Entering Extended Passive Mode (|||10988|).
550 Failed to open file.
ftp> quit
221 Goodbye.

[root@c7 ~]# man 5 vsftpd.conf # 查看该配置文件各选项的详细说明

[