vsftpd

The two FTP operating modes

Active mode: the FTP server initiates the data connection to the client.

Passive mode: the FTP server waits for the client to initiate the data connection (FTP's default operating mode).

    [root@linuxprobe ~]# yum install vsftpd
    Loaded plugins: langpacks, product-id, subscription-manager
    ………………(part of the output omitted)………………
    ===============================================================================
     Package          Arch           Version              Repository        Size
    ===============================================================================
    Installing:
     vsftpd           x86_64         3.0.2-9.el7          rhel             166 k

    Transaction Summary
    ===============================================================================
    Install  1 Package

    Total download size: 166 k
    Installed size: 343 k
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : vsftpd-3.0.2-9.el7.x86_64                                   1/1
      Verifying  : vsftpd-3.0.2-9.el7.x86_64                                   1/1

    Installed:
      vsftpd.x86_64 0:3.0.2-9.el7

    Complete!
    # flush and save the firewall rules so the FTP ports are reachable
    [root@linuxprobe ~]# iptables -F
    [root@linuxprobe ~]# service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    # keep a backup of the shipped config and strip its comment lines
    [root@linuxprobe ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
    [root@linuxprobe ~]# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
    [root@linuxprobe ~]# cat /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

vsftpd service parameters

    Parameter                                        Purpose
    -----------------------------------------------  -------------------------------------------------------------------
    listen=[YES|NO]                                  Whether to listen as a standalone daemon
    listen_address=IP address                        The IP address to listen on
    listen_port=21                                   The FTP service listening port
    download_enable=[YES|NO]                         Whether file downloads are allowed
    userlist_enable=[YES|NO], userlist_deny=[YES|NO] Whether the user list acts as an "allow" list or a "deny" list
    max_clients=0                                    Maximum number of client connections; 0 means unlimited
    max_per_ip=0                                     Maximum number of connections from one IP address; 0 means unlimited
    anonymous_enable=[YES|NO]                        Whether anonymous users may log in
    anon_upload_enable=[YES|NO]                      Whether anonymous users may upload files
    anon_umask=022                                   umask applied to files uploaded by anonymous users
    anon_root=/var/ftp                               FTP root directory for anonymous users
    anon_mkdir_write_enable=[YES|NO]                 Whether anonymous users may create directories
    anon_other_write_enable=[YES|NO]                 Whether anonymous users get other write permissions (rename, delete, and so on)
    anon_max_rate=0                                  Maximum transfer rate for anonymous users (bytes/second); 0 means unlimited
    local_enable=[YES|NO]                            Whether local users may log in
    local_umask=022                                  umask applied to files uploaded by local users
    local_root=/var/ftp                              FTP root directory for local users
    chroot_local_user=[YES|NO]                       Whether to confine users to the FTP directory for security
    local_max_rate=0                                 Maximum transfer rate for local users (bytes/second); 0 means unlimited

    [root@linuxprobe ~]# yum install ftp
    Loaded plugins: langpacks, product-id, subscription-manager
    ………………(part of the output omitted)………………
    Installing:
     ftp              x86_64         0.17-66.el7          rhel              61 k

    Transaction Summary
    ===============================================================================
    Install  1 Package

    Total download size: 61 k
    Installed size: 96 k
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : ftp-0.17-66.el7.x86_64                                      1/1
      Verifying  : ftp-0.17-66.el7.x86_64                                      1/1

    Installed:
      ftp.x86_64 0:0.17-66.el7

    Complete!

Permissions that can be granted to anonymous users

    Parameter                        Purpose
    -------------------------------  ---------------------------------------------------
    anonymous_enable=YES             Allow anonymous access
    anon_umask=022                   umask applied to files uploaded by anonymous users
    anon_upload_enable=YES           Allow anonymous users to upload files
    anon_mkdir_write_enable=YES      Allow anonymous users to create directories
    anon_other_write_enable=YES      Allow anonymous users to rename or delete directories

    [root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    anon_umask=022
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    [root@linuxprobe ~]# systemctl restart vsftpd
    [root@linuxprobe ~]# systemctl enable vsftpd
    ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
    # first attempt: the anonymous user cannot write to /var/ftp/pub
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    550 Permission denied.
    # the directory is owned by root; hand it to the ftp user
    [root@linuxprobe ~]# ls -ld /var/ftp/pub
    drwxr-xr-x. 3 root root 16 Jul 13 14:38 /var/ftp/pub
    [root@linuxprobe ~]# chown -Rf ftp /var/ftp/pub
    [root@linuxprobe ~]# ls -ld /var/ftp/pub
    drwxr-xr-x. 3 ftp root 16 Jul 13 14:38 /var/ftp/pub
    # second attempt: file permissions are fine now, but SELinux still blocks the write
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    550 Create directory operation failed.
    [root@linuxprobe ~]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off
    [root@linuxprobe ~]# setsebool -P ftpd_full_access=on
    # third attempt: create, rename and remove a directory as the anonymous user
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    257 "/pub/files" created
    ftp> rename files database
    350 Ready for RNTO.
    250 Rename successful.
    ftp> rmdir database
    250 Remove directory operation successful.
    ftp> exit
    221 Goodbye.
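The parameter table above and the anonymous-upload walkthrough together list the knobs that decide who may write to the server. The script below is an added example, not code from the page or from the vsftpd project: it audits a vsftpd.conf for the combinations a security reviewer would flag. Both configurations it reads are constructed here (the first copies the page's anonymous-upload config, the second is a hypothetical hardened variant), and the names vsftpd_audit, vsftpd_audit_count and conf_get are this example's own.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for risky settings.
# Constructed sample 1: the page's anonymous-upload configuration.
ANON_CONF=$(mktemp)
cat > "$ANON_CONF" <<'EOF'
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF

# Constructed sample 2: a hypothetical local-user-only configuration.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=YES
ssl_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
EOF

# conf_get FILE KEY: effective value of KEY (the last assignment wins,
# which is how vsftpd applies a repeated key); prints nothing if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_audit FILE: print one finding per line; exit status 0 when clean.
vsftpd_audit() {
    conf=$1
    found=0
    if [ "$(conf_get "$conf" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: unauthenticated logins are accepted"
        found=1
        # the anon_* write keys only take effect together with write_enable=YES
        if [ "$(conf_get "$conf" write_enable)" = "YES" ]; then
            for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
                if [ "$(conf_get "$conf" "$key")" = "YES" ]; then
                    echo "$key=YES with write_enable=YES: anonymous users can write"
                    found=1
                fi
            done
        fi
    fi
    if [ "$(conf_get "$conf" local_enable)" = "YES" ] \
       && [ "$(conf_get "$conf" chroot_local_user)" != "YES" ]; then
        echo "chroot_local_user is not YES: local users can browse outside their home"
        found=1
    fi
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "allow_writeable_chroot=YES: the chroot root itself is writable"
        found=1
    fi
    if [ "$(conf_get "$conf" userlist_enable)" != "YES" ]; then
        echo "userlist_enable is not YES: the user_list deny list is not consulted"
        found=1
    fi
    if [ "$(conf_get "$conf" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: credentials and data travel in cleartext"
        found=1
    fi
    return $found
}

# vsftpd_audit_count FILE: number of findings, handy for scripting.
vsftpd_audit_count() {
    vsftpd_audit "$1" | wc -l | tr -d ' '
}

vsftpd_audit "$ANON_CONF" || echo "-> anonymous config: $(vsftpd_audit_count "$ANON_CONF") findings"
vsftpd_audit "$HARDENED_CONF" && echo "-> hardened config: clean"
```

Two of the findings deserve a word. With chroot_local_user=YES, vsftpd 3.x refuses a login when the chroot root is writable; the page's allow_writeable_chroot=YES lifts that refusal, but the audit still flags it because the safer fix is to keep the home directory non-writable and give the user a writable subdirectory. SELinux is outside the file: the page switches on ftpd_full_access, which lets the daemon read and write across the whole file system, whereas ftpd_anon_write, visible in the same getsebool output, is the narrower boolean meant for anonymous upload directories.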

Local user mode

    Parameter                Purpose
    -----------------------  -------------------------------------------------------------------------
    anonymous_enable=NO      Disable anonymous access
    local_enable=YES         Allow local user mode
    write_enable=YES         Grant write permission
    local_umask=022          umask applied to files created in local user mode
    userlist_enable=YES      Enable the "denied user list"; the list files are ftpusers and user_list
    userlist_deny=YES        Turn on enforcement of the user list file
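The user_list and ftpusers semantics in the table above are easy to invert by accident. The script below is an added example, not code from the page or from vsftpd: it reproduces the login decision for a local user from the two list files and the userlist_enable / userlist_deny settings. The list files and the two vsftpd.conf fragments are constructed here from the entries the page shows; ftp_login_decision, setting and listed are this example's own names. It assumes the RHEL PAM stack that the page's user_list comment refers to, where ftpusers is consulted through pam_listfile after the password prompt.

```shell
#!/bin/sh
# Added example: decide whether a local user gets past vsftpd's list checks.
# Constructed list files with the entries the page shows.
USER_LIST=$(mktemp)
FTPUSERS=$(mktemp)
printf '%s\n' '# vsftpd userlist' root bin daemon adm nobody > "$USER_LIST"
printf '%s\n' '# Users that are not allowed to login via ftp' root bin daemon adm nobody > "$FTPUSERS"

# Constructed vsftpd.conf fragments: the page's deny-list mode and the
# inverted allow-list mode (userlist_deny=NO).
DENY_CONF=$(mktemp)
printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES userlist_deny=YES > "$DENY_CONF"
ALLOW_CONF=$(mktemp)
printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES userlist_deny=NO > "$ALLOW_CONF"

# setting FILE KEY: effective value of KEY in a vsftpd.conf (last one wins).
setting() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# listed FILE NAME: true when NAME appears as a whole line in FILE.
listed() { grep -qx -- "$2" "$1"; }

# ftp_login_decision CONF USER: prints one of
#   deny-userlist  rejected by user_list before any password prompt
#   deny-pam       rejected by pam_listfile (ftpusers) after the password
#   allow          reaches the normal password check
ftp_login_decision() {
    conf=$1
    user=$2
    if [ "$(setting "$conf" userlist_enable)" = "YES" ]; then
        deny=$(setting "$conf" userlist_deny)
        [ -n "$deny" ] || deny=YES          # vsftpd's default is userlist_deny=YES
        if [ "$deny" = "YES" ] && listed "$USER_LIST" "$user"; then
            echo deny-userlist
            return 0
        fi
        if [ "$deny" = "NO" ] && ! listed "$USER_LIST" "$user"; then
            echo deny-userlist
            return 0
        fi
    fi
    # the PAM stack checks ftpusers regardless of the userlist_* settings
    if listed "$FTPUSERS" "$user"; then
        echo deny-pam
        return 0
    fi
    echo allow
}

for u in root linuxprobe; do
    echo "deny-list mode,  $u: $(ftp_login_decision "$DENY_CONF" "$u")"
    echo "allow-list mode, $u: $(ftp_login_decision "$ALLOW_CONF" "$u")"
done
```

The interesting case is the allow-list mode: root is in user_list, so userlist_deny=NO admits it past the first check, and only the ftpusers entry in the PAM stack still stops it. That is why the page's table lists both files as part of the deny mechanism.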

    [root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    [root@linuxprobe ~]# systemctl restart vsftpd
    [root@linuxprobe ~]# systemctl enable vsftpd
    ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
    # root is on the deny list, so the login is refused before a password is asked for
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): root
    530 Permission denied.
    Login failed.
    ftp>
    [root@linuxprobe ~]# cat /etc/vsftpd/user_list
    # vsftpd userlist
    # If userlist_deny=NO, only allow users in this file
    # If userlist_deny=YES (default), never allow users in this file, and
    # do not even prompt for a password.
    # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
    # for users that are denied.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    [root@linuxprobe ~]# cat /etc/vsftpd/ftpusers
    # Users that are not allowed to login via ftp
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    # an ordinary local user logs in, but SELinux still blocks writes to the home directory
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): linuxprobe
    331 Please specify the password.
    Password: (enter this user's password)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> mkdir files
    550 Create directory operation failed.
    [root@linuxprobe ~]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off
    [root@linuxprobe ~]# setsebool -P ftpd_full_access=on
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): linuxprobe
    331 Please specify the password.
    Password: (enter this user's password)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> mkdir files
    257 "/home/linuxprobe/files" created
    ftp> rename files database
    350 Ready for RNTO.
    250 Rename successful.
    ftp> rmdir database
    250 Remove directory operation successful.
    ftp> exit
    221 Goodbye.

Virtual user mode

    # the list alternates user name and password, one per line
    [root@linuxprobe ~]# cd /etc/vsftpd/
    [root@linuxprobe vsftpd]# vim vuser.list
    zhangsan
    redhat
    lisi
    redhat
    # build the hashed Berkeley DB from the list, then protect it and remove the plaintext
    [root@linuxprobe vsftpd]# db_load -T -t hash -f vuser.list vuser.db
    [root@linuxprobe vsftpd]# file vuser.db
    vuser.db: Berkeley DB (Hash, version 9, native byte-order)
    [root@linuxprobe vsftpd]# chmod 600 vuser.db
    [root@linuxprobe vsftpd]# rm -f vuser.list
    # the system account that all virtual users are mapped to; it gets no shell
    [root@linuxprobe vsftpd]# useradd -d /var/ftproot -s /sbin/nologin virtual
    [root@linuxprobe vsftpd]# ls -ld /var/ftproot/
    drwx------. 3 virtual virtual 74 Jul 14 17:50 /var/ftproot/
    [root@linuxprobe vsftpd]# chmod -Rf 755 /var/ftproot/
    # PAM service that authenticates against the database (the .db suffix is implied)
    [root@linuxprobe vsftpd]# vim /etc/pam.d/vsftpd.vu
    auth       required     pam_userdb.so  db=/etc/vsftpd/vuser
    account    required     pam_userdb.so  db=/etc/vsftpd/vuser

Authenticating through the PAM file

    Parameter                    Purpose
    ---------------------------  --------------------------------------------------------------------------------
    anonymous_enable=NO          Disable anonymous access
    local_enable=YES             Allow local user mode
    guest_enable=YES             Enable virtual user mode
    guest_username=virtual       Specify the system account the virtual users are mapped to
    pam_service_name=vsftpd.vu   Specify the PAM file
    allow_writeable_chroot=YES   Allow writes to the confined FTP root directory without rejecting the user's login

    [root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    guest_enable=YES
    guest_username=virtual
    allow_writeable_chroot=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd.vu
    userlist_enable=YES
    tcp_wrappers=YES
    # per-user configuration files: an empty file for lisi, write permissions for zhangsan
    [root@linuxprobe ~]# mkdir /etc/vsftpd/vusers_dir/
    [root@linuxprobe ~]# cd /etc/vsftpd/vusers_dir/
    [root@linuxprobe vusers_dir]# touch lisi
    [root@linuxprobe vusers_dir]# vim zhangsan
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    # point vsftpd at the per-user directory
    [root@linuxprobe vusers_dir]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    guest_enable=YES
    guest_username=virtual
    allow_writeable_chroot=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd.vu
    userlist_enable=YES
    tcp_wrappers=YES
    user_config_dir=/etc/vsftpd/vusers_dir
    [root@linuxprobe vusers_dir]# systemctl restart vsftpd
    [root@linuxprobe vusers_dir]# systemctl enable vsftpd
    ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
    [root@linuxprobe vusers_dir]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off
    [root@linuxprobe vusers_dir]# setsebool -P ftpd_full_access=on
    # lisi has an empty per-user file, so no write permission
    [root@linuxprobe vusers_dir]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): lisi
    331 Please specify the password.
    Password: (enter the virtual user's password)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> mkdir files
    550 Permission denied.
    ftp> exit
    221 Goodbye.
    # zhangsan's per-user file grants the anon_* write permissions
    [root@linuxprobe vusers_dir]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): zhangsan
    331 Please specify the password.
    Password: (enter the virtual user's password)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> mkdir files
    257 "/files" created
    ftp> rename files database
    350 Ready for RNTO.
    250 Rename successful.
    ftp> rmdir database
    250 Remove directory operation successful.
    ftp> exit
    221 Goodbye.

tftp

    [root@linuxprobe ~]# yum install tftp-server tftp
    Loaded plugins: langpacks, product-id, subscription-manager
    ………………(part of the output omitted)………………
    Installing:
     tftp             x86_64         5.2-11.el7           rhel              35 k
     tftp-server      x86_64         5.2-11.el7           rhel              44 k
    Installing for dependencies:
     xinetd           x86_64         2:2.3.15-12.el7      rhel             128 k

    Transaction Summary
    ===============================================================================
    Install  2 Packages (+1 Dependent package)

    Total download size: 207 k
    Installed size: 373 k
    Is this ok [y/d/N]: y
    Downloading packages:
    ………………(part of the output omitted)………………
    Installed:
      tftp.x86_64 0:5.2-11.el7              tftp-server.x86_64 0:5.2-11.el7

    Dependency Installed:
      xinetd.x86_64 2:2.3.15-12.el7

    Complete!
    # tftp runs under xinetd; disable = no switches the service on
    [root@linuxprobe ~]# vim /etc/xinetd.d/tftp
    service tftp
    {
            socket_type             = dgram
            protocol                = udp
            wait                    = yes
            user                    = root
            server                  = /usr/sbin/in.tftpd
            server_args             = -s /var/lib/tftpboot
            disable                 = no
            per_source              = 11
            cps                     = 100 2
            flags                   = IPv4
    }
    [root@linuxprobe ~]# systemctl restart xinetd
    [root@linuxprobe ~]# systemctl enable xinetd
    [root@linuxprobe ~]# firewall-cmd --permanent --add-port=69/udp
    success
    [root@linuxprobe ~]# firewall-cmd --reload
    success
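TFTP has no authentication at all, so the xinetd stanza above is the whole access policy: server_args decides whether clients are confined to /var/lib/tftpboot and whether they may create files. The script below is an added example, not code from the page or from the tftp-hpa or xinetd projects: it parses such a stanza and flags the two server_args conditions a reviewer looks for. The first stanza copies the page's configuration; the second is a hypothetical variant with the in.tftpd -c (--create) flag added, which would let any client on the network write new files into the boot directory. The names tftp_check, tftp_check_count and xinetd_attr are this example's own.

```shell
#!/bin/sh
# Added example: review an xinetd tftp stanza for unsafe server_args.
# Constructed sample 1: the stanza the page shows.
PAGE_STANZA=$(mktemp)
cat > "$PAGE_STANZA" <<'EOF'
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
EOF

# Constructed sample 2: same stanza, but with -c (allow file creation) added.
WRITABLE_STANZA=$(mktemp)
sed 's|server_args.*|server_args = -c -s /var/lib/tftpboot|' "$PAGE_STANZA" > "$WRITABLE_STANZA"

# xinetd_attr FILE NAME: value of "NAME = value" inside the stanza
# (tabs or spaces around the '=' are accepted; the last occurrence wins).
xinetd_attr() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# tftp_check FILE: print one finding per line; exit status 0 when clean.
tftp_check() {
    f=$1
    found=0
    if [ "$(xinetd_attr "$f" disable)" != "no" ]; then
        # a disabled service exposes nothing, so there is nothing to flag
        return 0
    fi
    args=$(xinetd_attr "$f" server_args)
    # -s / --secure chroots in.tftpd into the boot directory before serving
    case " $args " in
        *" -s "*|*" --secure "*) ;;
        *) echo "server_args lacks -s: in.tftpd is not confined to the boot directory"
           found=1 ;;
    esac
    # -c / --create lets clients create files that do not exist yet
    case " $args " in
        *" -c "*|*" --create "*)
           echo "server_args has -c: any client can create files without authentication"
           found=1 ;;
    esac
    return $found
}

# tftp_check_count FILE: number of findings, for scripting.
tftp_check_count() {
    tftp_check "$1" | wc -l | tr -d ' '
}

tftp_check "$PAGE_STANZA" && echo "-> page stanza: clean"
tftp_check "$WRITABLE_STANZA" || echo "-> writable stanza: $(tftp_check_count "$WRITABLE_STANZA") finding(s)"
```

The page's stanza passes: -s keeps the daemon inside /var/lib/tftpboot and no create flag is present, so the server only hands out files that already exist there. Because the protocol has no credentials, the remaining controls are the firewall rule the page adds (port 69/udp) and which files are placed in the boot directory.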

tftp command parameters

    Command     Purpose
    ----------  ---------------------------------------
    ?           Show help
    put         Upload a file
    get         Download a file
    verbose     Show detailed processing information
    status      Show the current status information
    binary      Transfer in binary mode
    ascii       Transfer in ASCII mode
    timeout     Set the retransmission timeout
    quit        Exit

    # on the server, a test file exists at /var/lib/tftpboot/readme.txt (the command that created it is not shown)
    [root@linuxprobe ~]# tftp 192.168.10.10
    tftp> get readme.txt
    tftp> quit
    [root@linuxprobe ~]# ls
    anaconda-ks.cfg  Documents  initial-setup-ks.cfg  Pictures  readme.txt  Videos
    Desktop          Downloads  Music                 Public    Templates
    [root@linuxprobe ~]# cat readme.txt
    i love linux
