今天上午闲来没事,登录了很久没有登录过的Ubuntu,想找点事做做。玩啥呢?FTP吧。
首先查了一下资料,在linux下面比较流行、安全的FTP服务主要是vsftpd。
于是,不管了,直接终端输入
apt-get vsftpd
安装还挺快的,大概也就十几秒吧。
安装完以后,直接浏览器输入:
ftp://192.168.1.61
然后弹出来一个页面,让我输入一个用户名和密码。那我就输入一个系统里面有的用户呗,比如我就是用huangyiwei这个用户登录的,输入好了用户名和相应的密码后,就能浏览huangyiwei这个用户的home目录了。
到此,实现了FTP最简单的功能了。那何为“比较安全”呢?呵呵,这就要用到/etc/vsftp.conf文件了。废话不多说,现看看这个文件里面有什么东西把。
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # # Run standalone? vsftpd can run either from an inetd or as a standalone # daemon started from an initscript. listen=YES # # Run standalone with IPv6? # Like the listen parameter, except vsftpd will listen on an IPv6 socket # instead of an IPv4 one. This parameter and the listen parameter are mutually # exclusive. #listen_ipv6=YES # # Allow anonymous FTP? (Disabled by default) anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. #write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # If enabled, vsftpd will display directory listings with the time # in your local time zone. The default is to display GMT. The # times returned by the MDTM FTP command are also affected by this # option. use_localtime=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. #chroot_local_user=YES # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # Debian customization # # Some of vsftpd's settings don't fit the Debian filesystem layout by # default. These settings are more Debian-friendly. # # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. rsa_cert_file=/etc/ssl/private/vsftpd.pem
是不是看的很刺激,至少对我这个英语不好的人来说,至少是这样的。玩嘛,那就要好好的玩,玩的尽兴一点才是。于是,硬着头皮,慢慢的看看这个文件,其实有些地方还是挺好理解的。
结合一下实际,在结合以下Google,总结如下:
1.
匿名服务器的连接(独立的服务器)
Anonymous_enable=yes
(允许匿名登陆)
Dirmessage_enable=yes (切换目录时,显示目录下.message的内容)
Local_umask=022
(FTP上本地的文件权限,默认是077)
Connect_form_port_20=yes (启用FTP数据端口的数据连接)*
Xferlog_enable=yes
(激活上传和下传的日志)
Xferlog_std_format=yes (使用标准的日志格式)
Ftpd_banner=XXXXX
(欢迎信息)
Pam_service_name=vsftpd (验证方式)*
Listen=yes (独立的VSFTPD服务器)*
功
能:只能连接FTP服务器,不能上传和下传
注:其中所有和日志欢迎信息相关连的都是可选项,打了星号的无论什么帐户都要添加,是属于FTP的基本
选项
2. 开启匿名FTP服务器上传权限,在配置文件中添加以下的信息即可:
Anon_upload_enable=yes
(开放上传权限)
Anon_mkdir_write_enable=yes (可创建目录的同时可以在此目录中上传文件)
Write_enable=yes
(开放本地用户写的权限)
Anon_other_write_enable=yes (匿名帐号可以有删除的权限)
3. 开启匿名服务器下传的权限,在配置文件中添加如下信息即可:
Anon_world_readable_only=no
注:
要注意文件夹的属性,匿名帐户是其它(other)用户要开启它的读写执行的权限。(R)读-----下传 (W)写----上传
(X)执行----如果不开FTP的目录都进不去
4.普通用户FTP服务器的连接(独立服务器),在配置文件中添加如下信息即可:
Local_enble=yes
(本地帐户能够登陆)
Write_enable=no (本地帐户登陆后无权删除和修改文件)
功能:可以用本地帐户登陆vsftpd服务
器,有下载上传的权限
注:在禁止匿名登陆的信息后匿名服务器照样可以登陆但不可以上传下传
5. 用户登陆限制进其它的目录,只能进它的主目录。
设置所有的本地用户都执行chroot:
Chroot_local_user=yes
(本地所有帐户都只能在自家目录)
设置指定用户执行chroot:
Chroot_list_enable=yes
(文件中的名单可以调用)
Chroot_list_file=/任意指定的路径/vsftpd.chroot_list
注
意:vsftpd.chroot_list 是没有创建的需要自己添加,要想控制帐号就直接在文件中加帐号即可
6. 限制本地用户访问FTP
Userlist_enable=yes (用userlistlai 来限制用户访问)
Userlist_deny=no
(名单中的人不允许访问)
Userlist_file=/指定文件存放的路径/ (文件放置的路径)
注:开启
userlist_enable=yes匿名帐号不能登陆
7. 安全选项
Idle_session_timeout=600(秒) (用户会话空闲后10分钟)
Data_connection_timeout=120(秒)
(将数据连接空闲2分钟断)
Accept_timeout=60(秒) (将客户端空闲1分钟后断)
Connect_timeout=60(秒)
(中断1分钟后又重新连接)
Local_max_rate=50000(bite) (本地用户传输率50K)
Anon_max_rate=30000(bite)
(匿名用户传输率30K)
Pasv_min_port=50000 (将客户端的数据连接端口改在
Pasv_max_port=60000
50000—60000之间)
Max_clients=200 (FTP的最大连接数)
Max_per_ip=4
(每IP的最大连接数)
Listen_port=5555 (从5555端口进行数据连接)
8. 查看谁登陆了FTP,并杀死它的进程
ps –xf |grep ftp
kill 进程号
Google真是个好东西,真不知道要是没她该怎么办。废话不多说,言归正题。看了上面那些解释,可能有人还是没什么感觉。那好,我就说说我做这个FTP服务器的流程吧。虽然我是菜鸟(可能菜鸟都算不上),但是如果能抛砖引玉,那还是很好的。
流程如下:
1、安装vsftpd服务(貌似这是一句废话)。
2、在vsftp.conf文件末尾加上如下内容:
anon_world_readable_only=No#匿名用户对他的默认文件夹具有只读权限 anon_root=/home/ftp#匿名用户的默认文件夹 user_config_dir=/etc/vsftpd.userconfig#正常登录的用户的配置 rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key#这个是什么意思我也不是很清楚,还望高人指点……
还是附上我自己的完整的配置吧,如下:
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # # Run standalone? vsftpd can run either from an inetd or as a standalone # daemon started from an initscript. listen=YES # # Run standalone with IPv6? # Like the listen parameter, except vsftpd will listen on an IPv6 socket # instead of an IPv4 one. This parameter and the listen parameter are mutually # exclusive. #listen_ipv6=YES # # Allow anonymous FTP? (Disabled by default) anonymous_enable=YES # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # If enabled, vsftpd will display directory listings with the time # in your local time zone. The default is to display GMT. The # times returned by the MDTM FTP command are also affected by this # option. use_localtime=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: ftpd_banner=Welcome to HuangYiwei FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. #chroot_local_user=YES # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_local_user=YES chroot_list_enable=YES # (default follows) chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # Debian customization # # Some of vsftpd's settings don't fit the Debian filesystem layout by # default. These settings are more Debian-friendly. # # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. rsa_cert_file=/etc/ssl/private/vsftpd.pem # # This option specifies the location of the RSA key to use for SSL # encrypted connections. anon_world_readable_only=No anon_root=/home/ftp user_config_dir=/etc/vsftpd.userconfig rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
3、建立配置文件中需要的文件夹vsftpd.userconfig,此文件夹内存放用户的配置文件。比如huangyiwei用户,就用vi建立一个huangyiwei的文件,然后里面写上一些配置。这样做的好处是可以细化对用户的管理。比如在文件里面输入
local_root=/var/huangyiweidir
这样,我用huangyiwei这个用户登录FTP的时候就自动跳转的/var/huangyiweidir这个文件夹里面来了(前提是/var/huangyiweidir必须存在)。到此,有人可能会问,如果我cd到其他目录呢(如果浏览器访问的话,可以使用“回到上一级目录”)?如此一来,引出了下一个问题,怎样不让用户乱飘。
4、是否限定用户只在给他指定的目录下面。
# You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_local_user=YES chroot_list_enable=YES # (default follows) chroot_list_file=/etc/vsftpd.chroot_list
此段配置所要表达的意思(从上往下):允许用户改变他的根目录,允许改变根目录的用户列表启用,允许改变根目录的用户列表文件。在这个文件中,只用每行记录一个用户的登录名即可。
用户1 用户2 用户3 用户4
有一点需要注意,如果chroot_list_enable=NO,那么这个列表文件中存在的用户将不能改变自己的根目录。
5、还有一个过滤访问用户的功能,它用到了/etc/vsftpd.user_list这个文件。具体如何实现,大家Google去吧,困了,洗澡,睡了。
相关推荐
标题 "PJBlog2 浅浅的黄" 指的是一款基于PJBlog平台的博客主题,这个主题以黄色为主色调,旨在为用户带来明亮、轻松的视觉体验。PJBlog是一个开源的个人博客系统,它允许用户自定义博客的外观和功能,而"浅浅的黄"则...
标题 "PJBlog2 浅浅的蓝" 指的是一款基于PJBlog2平台的网页模板,名为“浅浅的蓝”。PJBlog2是一个开源的博客系统,它为个人或小型团队提供了一个易于使用、功能丰富的发布平台。这款模板以其淡雅的蓝色调为主题,...
浅浅分析浏览器运行原理
【标题】:“七年级道德与法治上册 4.2 深深浅浅话友谊教案 新人教版 教案.doc” 【描述】:“七年级道德与法治上册 4.2 深深浅浅话友谊教案 新人教版 教案.doc” 【标签】:“中学教案” 在中学阶段的道德与法治...
目前已经浅浅学习了的技能知识
今天,我们要探讨的主题是“深深浅浅话友谊”,通过本教案的学习,七年级的学生们将能够更深入地理解友谊的意义,学习如何在现实生活中和网络空间中正确建立和维系友谊。 首先,我们需要明确友谊的特质。友谊是一种...
浅浅蓝调模板" 是一套专门为 Discuz! 论坛系统设计的界面主题,旨在为用户提供清新、简洁且舒适的浏览体验。Discuz! 是一个非常流行的开源社区论坛软件,它提供了强大的用户管理和交互功能,广泛应用于各种类型的...
Mybatis 知识点浅浅笔记 Mybatis 是一个半自动的 ORM 框架,实现数据库的数据与程序对象的映射。它支持 XML 配置和 SQL 映射文件配置,提供了灵活的持久层框架。 XML 配置 Mybatis 的 XML 配置文件用于定义数据库...
【知识点详解】 1. 友谊的特质:在教学活动中提到了友谊的多个重要特质,如忠诚、信任、帮助、亲密无间、关心等。这些特质是构成深厚友谊的基础,表明真正的朋友会在你需要时给予支持,共享快乐和痛苦。...
【知识点一:友谊的特质】 1. 真正的友谊是基于真诚、尊重和信任。在选择朋友时,我们应该倾向于那些品学兼优、待人真诚、尊敬师长、团结同学的人,如题目中的①李林。友谊的基础是诚实、善良,而不是互相欺骗或者...
七年级道德与法治深深浅浅话友谊.pptx
Vue 相关知识点浅浅笔记 一、 Vue 概述 Vue.js 是一个渐进式 JavaScript 前端框架,用于构建用户界面。它具有声明式、响应式的数据绑定和组件化的开发特点。 Vue 基于 MVVM 模式,使用数据驱动的方式,将数据和 ...
《深深浅浅话友谊》这堂课,通过PPT精品课件的形式,为我们深入探讨了友谊的内涵、影响、以及如何在成长的道路上维护和发展这种美好关系。 首先,我们必须认识到朋友对个人成长的巨大影响。从言谈举止到兴趣爱好,...
42深深浅浅话友谊课件-兰山学校-杨峻.ppt
《深深浅浅话友谊》道德与法治七年级上册教案.pdf
最新4.2深深浅浅话友谊_精美学习课件ppt
七年级道德与法治上册《深深浅浅话友谊》教学设计.docx
人教道德与法治七年级上册深深浅浅话友谊PPT教案.pptx