How to Install an FTP Server on Debian 9 Linux

Installing VSFTPD

Install the VSFTPD server and an FTP client:

# apt install vsftpd ftp

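By default, the VSFTPD server is configured to give system users read-only access to their home directories.

The following is the default vsftpd configuration file, /etc/vsftpd.conf: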

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

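As noted above, this configuration grants only read-only access to any system user listed in the /etc/passwd file.

Use the ftp command and try to connect with the username and password of a local system user: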

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): onitroad
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put FILE.TXT
local: FILE.TXT remote: FILE.TXT
200 EPRT command successful. Consider using EPSV.
550 Permission denied.

Allowing user write access

To grant write access, add the following setting: write_enable=YES

An example of the new configuration file:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
write_enable=YES

Next, restart VSFTPD for the setting to take effect:

# systemctl restart vsftpd

Use the ftp command to test whether write access is now available:

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): onitroad
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put FILE.TXT
local: FILE.TXT remote: FILE.TXT
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
226 Transfer complete.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-------    1 1000     1000            0 Jun 07 12:45 FILE.TXT
226 Directory send OK.

Allowing only specific users to access the FTP server

Add the following settings to the configuration file:

userlist_file=/etc/vsftpd.userlist
userlist_enable=YES

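This enables a predefined user list. Because userlist_deny defaults to YES, the users listed in /etc/vsftpd.userlist (one username per line) are denied FTP access, while all other system users can still log in.

Let's create the user list /etc/vsftpd.userlist containing the user onitroad: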

# echo onitroad > /etc/vsftpd.userlist

Restart the vsftpd server:

# systemctl restart vsftpd

Log in as onitroad and you will see that access is denied:

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): onitroad
530 Permission denied.
Login failed.
ftp>

If we want to allow only the users defined in /etc/vsftpd.userlist to log in, add the option userlist_deny=NO to the VSFTPD configuration file /etc/vsftpd.conf:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
write_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_enable=YES
userlist_deny=NO
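
The userlist rules described above, written out as a small check (an added example, not part of the original article). The function names and sample files are constructed for illustration; it evaluates only the userlist stage, not PAM or passwords, and assumes upper-case YES/NO values as used on this page.

```shell
# conf_get FILE KEY DEFAULT: last KEY=value in FILE wins, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    echo "${v:-$3}"
}

# userlist_verdict CONF LIST USER: prints "allow" or "deny".
# LIST is passed explicitly so the check can run on copies of the files.
userlist_verdict() {
    enable=$(conf_get "$1" userlist_enable NO)
    deny=$(conf_get "$1" userlist_deny YES)
    # userlist_enable=NO: the list is never consulted.
    if [ "$enable" != YES ]; then echo allow; return 0; fi
    if grep -qxF -- "$3" "$2" 2>/dev/null; then listed=yes; else listed=no; fi
    # deny=YES: listed users are refused. deny=NO: only listed users get in.
    if [ "$deny" = YES ]; then
        if [ "$listed" = yes ]; then echo deny; else echo allow; fi
    else
        if [ "$listed" = yes ]; then echo allow; else echo deny; fi
    fi
}

# Constructed sample files mirroring the three configurations on this page.
demo=$(mktemp -d)
printf 'onitroad\n' > "$demo/userlist"
printf 'local_enable=YES\n' > "$demo/default.conf"
printf 'userlist_enable=YES\n' > "$demo/denylist.conf"
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$demo/allowlist.conf"

for conf in default denylist allowlist; do
    for user in onitroad anonymous; do
        echo "$conf $user: $(userlist_verdict "$demo/$conf.conf" "$demo/userlist" "$user")"
    done
done
```

With userlist_deny=NO, any name missing from the list is refused, which includes anonymous until it is added to the file.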

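Allowing anonymous access to the FTP server

Let's create a new directory, /var/ftp. This directory will serve as the root directory for anonymous users.
For testing, we place a test file in /var/ftp: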

# mkdir /var/ftp/
# chmod 555 /var/ftp/
# chown ftp:ftp /var/ftp/
# touch /var/ftp/ANONYMOUS.TXT

In the /etc/vsftpd.conf configuration file, define the anonymous root directory and allow anonymous access:

anon_root=/var/ftp
anonymous_enable=YES

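Optionally, you can also add the no_anon_password=YES option, which lets anonymous users log in automatically without being asked for a password.

Since we have already defined a user list, we must also add the anonymous user to that list: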

# echo anonymous >> /etc/vsftpd.userlist
# cat /etc/vsftpd.userlist 
onitroad
anonymous

Restart the FTP server for the current configuration to take effect:

# systemctl restart vsftpd

Test the anonymous login:

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Jun 07 13:29 ANONYMOUS.TXT
226 Directory send OK.
ftp>

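Enabling anonymous write access

Next, let's allow anonymous users to upload files, create new directories, and so on.
To do this, create a new directory named upload inside /var/ftp: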

# mkdir /var/ftp/upload
# chown ftp:ftp /var/ftp/upload/

Add the following lines to the VSFTPD configuration file:

anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES

Restart the server:

# systemctl restart vsftpd

After the restart, anonymous users will be able to upload files, create directories, and rename files:

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Jun 07 13:29 ANONYMOUS.TXT
drwxr-xr-x    2 108      112          4096 Jun 07 13:57 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put FILE.TXT
local: FILE.TXT remote: FILE.TXT
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
226 Transfer complete.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-------    1 108      112             0 Jun 07 13:57 FILE.TXT
226 Directory send OK.
ftp> rename FILE.TXT NEW.TXT
350 Ready for RNTO.
250 Rename successful.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-------    1 108      112             0 Jun 07 13:57 NEW.TXT
226 Directory send OK.
ftp>

Miscellaneous

Error message:

# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): anonymous
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
ftp>

This message indicates that the anon_root directory is writable.
The fix is to make it read-only.

Example:

# chmod 555 /var/ftp

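Alternatively, try adding the following line to the VSFTPD configuration file, which disables this check instead of fixing the directory permissions: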

allow_writeable_chroot=YES
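
A configuration audit for the settings this article turns on, as an added example that is not part of the original article. The function names, finding codes and sample file are constructed for illustration; it assumes upper-case YES/NO values and treats any write bit on anon_root as a finding.

```shell
# Added example: flag the risky vsftpd settings that appear on this page.

# conf_get FILE KEY DEFAULT: last KEY=value in FILE wins, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    echo "${v:-$3}"
}

# is_on FILE KEY DEFAULT: true when the effective value is YES.
is_on() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }

# audit_vsftpd CONF: prints one finding code per line, nothing if clean.
audit_vsftpd() {
    c=$1
    if is_on "$c" local_enable NO && ! is_on "$c" ssl_enable NO; then
        echo CLEARTEXT_LOGIN      # passwords cross the network unencrypted
    fi
    # Upstream default for anonymous_enable is YES, so a missing line counts.
    if is_on "$c" anonymous_enable YES && is_on "$c" write_enable NO; then
        if is_on "$c" anon_upload_enable NO; then echo ANON_UPLOAD; fi
        if is_on "$c" anon_mkdir_write_enable NO; then echo ANON_MKDIR; fi
        if is_on "$c" anon_other_write_enable NO; then echo ANON_DELETE_RENAME; fi
    fi
    if is_on "$c" allow_writeable_chroot NO; then echo WRITABLE_CHROOT_ALLOWED; fi
    # Conservative: any write bit on anon_root. vsftpd itself refuses only
    # when the session user can write to the chroot directory.
    root=$(conf_get "$c" anon_root "")
    if [ -n "$root" ] && [ -d "$root" ] && ls -ld "$root" | cut -c2-10 | grep -q w; then
        echo ANON_ROOT_HAS_WRITE_BIT
    fi
}

# Constructed sample: the page's final settings, with anon_root pointed at a
# temporary directory instead of /var/ftp so the check runs anywhere.
demo=$(mktemp -d)
mkdir "$demo/ftp" && chmod 555 "$demo/ftp"
cat > "$demo/vsftpd.conf" <<EOF
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
write_enable=YES
anon_root=$demo/ftp
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
EOF
audit_vsftpd "$demo/vsftpd.conf"
```

On a real host, run audit_vsftpd /etc/vsftpd.conf after each change and before restarting the service.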

Date: 2020-07-07 20:56:12  Source: oir  Author: oir