My blog has moved to xdoujiang.com; please come and discuss with me there.
I. Basic environment
1. Version
cat /etc/debian_version
7.8
2. Kernel
uname -r
3.2.0-4-amd64
3. vsftpd version
vsftpd: version 2.3.5
4. IP address (eth0)
192.168.1.124
5. vsftpd official site
vsftpd.beasts.org
6. Requirements
Only the fileftp user may connect to and log in to the FTP service, and it is jailed in a custom home directory; all other system users and anonymous users must be refused; the service listens only on this host's eth0 address.
II. Install and configure the vsftpd server
1. Install with apt
apt-get -y install vsftpd
2. Create the ftp directory
mkdir /opt/ftp -p
3. Create the ftp account and set its password
1) Add the fileftp user (no login shell, home directory /opt/ftp)
useradd -s /bin/false -d /opt/ftp fileftp
2) Set the password
echo fileftp:redhat|chpasswd
4. Modify the configuration
1) Back up the configuration files first
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
cp /etc/ftpusers /etc/ftpusers.bak
cp /etc/shells /etc/shells.bak
2) Contents of /etc/vsftpd.conf (cat /etc/vsftpd.conf)
listen_port=21
listen_address=192.168.1.124
listen=YES
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
pam_service_name=vsftpd
anonymous_enable=NO
local_root=/opt/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
3) Allow only fileftp to log in: write every other account name into /etc/ftpusers, the deny list that vsftpd's PAM configuration consults (matching on the account field exactly, so a name that merely contains "fileftp" is not skipped)
awk -F: '$1 != "fileftp" {print $1}' /etc/passwd > /etc/ftpusers
4) Check the result
cat /etc/ftpusers
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
sshd
jimmy
messagebus
ftp
5) vsftpd's PAM configuration checks the login shell against /etc/shells (pam_shells), and the user above was created with /bin/false as its shell, so that shell has to be added to the list. Note that every other service using pam_shells will then also treat /bin/false as a valid login shell.
echo "/bin/false" >> /etc/shells
6) Check the result
cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/bin/false
7) If /etc/vsftpd.user_list does not exist yet, create it containing the one allowed user
echo "fileftp" > /etc/vsftpd.user_list
5. Configuration notes
listen_port=21 #listening port
listen_address=192.168.1.124 #listening address (the eth0 address only, not every interface)
listen=YES #run as a standalone daemon
local_enable=YES #allow system (local) users to log in
write_enable=YES #allow uploads
local_umask=022 #umask applied to files created by local users
xferlog_enable=YES #enable transfer logging
xferlog_file=/var/log/xferlog.log #where the transfer log is written
xferlog_std_format=YES #write the transfer log in standard xferlog format
vsftpd_log_file=/var/log/vsftpd.log #where the vsftpd log is written
dual_log_enable=YES #keep both logs
chroot_local_user=YES #jail local users in their home directory
pam_service_name=vsftpd #authenticate through PAM; the actual rules are in /etc/pam.d/vsftpd
anonymous_enable=NO #do not allow anonymous logins
local_root=/opt/ftp #the home (chroot) directory of ftp accounts after login is /opt/ftp
userlist_enable=YES #enable the vsftpd.user_list file
userlist_file=/etc/vsftpd.user_list #path of that file
userlist_deny=NO #only users listed in vsftpd.user_list may connect to the ftp service
6. Restart the vsftpd service
/etc/init.d/vsftpd restart
Stopping FTP server: vsftpd.
Starting FTP server: vsftpd.
7. Check the listening port
netstat -tupnl|grep 21
tcp 0 0 192.168.1.124:21 0.0.0.0:* LISTEN 5713/vsftpd
8. Check the process
ps -ef |grep vsftpd
root 5713 1 0 10:09 ? 00:00:00 /usr/sbin/vsftpd
III. Testing
1. Install the lftp client
apt-get -y install lftp
2. Create the fileftp transfer directory (the chroot root /opt/ftp stays owned by root; only the subdirectory is writable by fileftp)
mkdir -p /opt/ftp/fileftp && chown -R fileftp:fileftp /opt/ftp/fileftp
3. Test logging in (from Linux): as fileftp, as jimmy, as root, and anonymously
lftp fileftp:'redhat'@192.168.1.124
lftp jimmy:'redhat'@192.168.1.124
lftp root:'redhat'@192.168.1.124
lftp 192.168.1.124
4. Check the log (the tests were run from a host with IP 192.168.1.120)
Sat Aug 1 12:33:38 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug 1 12:33:38 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
PS: the log shows that only fileftp logged in successfully; root, jimmy and the anonymous user all failed to log in.
5. Tool test
IV. Configure SSL
1. Install the package
apt-get -y install openssl
2. Create a self-signed certificate (valid for 365 days) and fill in the requested details; the command below writes the certificate and the private key into the same PEM file
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out /etc/ssl/certs/vsftpd.pem -keyout /etc/ssl/certs/vsftpd.pem
Generating a 2048 bit RSA private key
..........+++
.............+++
writing new private key to '/etc/ssl/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
Organizational Unit Name (eg, section) []:aaa
Common Name (e.g. server FQDN or YOUR name) []:aaa
Email Address []:
3. Restrict the permissions (the file also holds the private key)
chmod 0400 /etc/ssl/certs/vsftpd.pem
4. SSL configuration: append the following to the end of /etc/vsftpd.conf
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
5. Configuration notes
ssl_enable=YES #enable SSL/TLS support in vsftpd
ssl_sslv2=YES #allow the SSL v2 protocol (obsolete and insecure; NO is the safer value on current systems)
ssl_sslv3=YES #allow the SSL v3 protocol (likewise obsolete; NO unless a legacy client requires it)
ssl_tlsv1=YES #allow TLS v1
rsa_cert_file=/etc/ssl/certs/vsftpd.pem #where the certificate (and, here, the private key) is stored
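The two configuration-notes sections above (the main directives and the SSL directives) describe what each value is for; as an added example that is not part of the original post, the sh script below reads a vsftpd.conf and flags values that depart from this write-up's policy, including the SSLv2/SSLv3 lines. The directive names and their built-in defaults are vsftpd's own; the sample config the script builds is constructed, not the author's live file.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf against the
# policy of this write-up (no anonymous logins, local users jailed, allow-list
# only, bound to one address, no SSLv2/SSLv3). The sample file is constructed.

# Effective value of a directive: last occurrence wins, inline comments and
# whitespace stripped. Prints nothing if the directive is absent.
conf_get() {   # $1 = file, $2 = directive
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | sed 's/#.*//' | tr -d '[:space:]'
}

# Report a finding unless the directive has the expected value; an absent
# directive takes vsftpd's built-in default ($4), which is what the daemon does.
expect() {     # $1 = file, $2 = directive, $3 = expected, $4 = vsftpd default
    got=$(conf_get "$1" "$2"); got=${got:-$4}
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2=$got (expected $3)"
    return 1
}

# Returns the number of findings; 0 means the file meets the policy.
vsftpd_audit() {
    f=$1; n=0
    expect "$f" anonymous_enable NO YES   || n=$((n+1))   # anonymous is on by default
    expect "$f" local_enable YES NO       || n=$((n+1))   # fileftp is a local user
    expect "$f" chroot_local_user YES NO  || n=$((n+1))   # jail fileftp in local_root
    expect "$f" userlist_enable YES NO    || n=$((n+1))   # /etc/vsftpd.user_list in use...
    expect "$f" userlist_deny NO YES      || n=$((n+1))   # ...as an allow-list, not a deny-list
    expect "$f" ssl_sslv2 NO NO           || n=$((n+1))   # obsolete, cryptographically broken
    expect "$f" ssl_sslv3 NO NO           || n=$((n+1))   # obsolete (POODLE); TLS only
    if [ -z "$(conf_get "$f" listen_address)" ]; then    # absent = every interface
        echo "FINDING: listen_address unset (expected the eth0 address)"; n=$((n+1))
    fi
    return "$n"
}

# Demo on a constructed copy of the post's config with SSLv2/SSLv3 still enabled:
sample=$(mktemp)
printf '%s\n' listen=YES listen_address=192.168.1.124 local_enable=YES write_enable=YES \
    chroot_local_user=YES anonymous_enable=NO userlist_enable=YES userlist_deny=NO \
    ssl_enable=YES ssl_sslv2=YES ssl_sslv3=YES ssl_tlsv1=YES > "$sample"
vsftpd_audit "$sample"; echo "findings: $?"   # two FINDING lines, then "findings: 2"
rm -f "$sample"
```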
6. Restart the service
/etc/init.d/vsftpd restart
Stopping FTP server: vsftpd.
Starting FTP server: vsftpd.
7. Test
1) lftp fileftp:'redhat'@192.168.1.124
ls: Fatal error: Certificate verification: Not trusted
Fix: append the following line to the end of /etc/lftp.conf
set ssl:verify-certificate no
Log in again and it works. This turns off certificate verification in lftp because the certificate is self-signed, so the client no longer authenticates the server; outside a test setup, point ssl:ca-file at the server certificate instead.
2) Check the log
Sat Aug 1 13:52:23 2015 [pid 2] CONNECT: Client "192.168.1.124"
Sat Aug 1 13:52:23 2015 [pid 2] DEBUG: Client "192.168.1.124", "Connection terminated without SSL shutdown - buggy client?"
Sat Aug 1 13:56:25 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug 1 13:56:25 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
8. Tool test (FlashFXP)
V. References
http://rajaseelan.com/2011/12/18/lftp-fatal-error-certificate-verification-not-trusted/