How to Restrict/Limit FTP Commands on the vsftpd Service (CentOS/RHEL 6,7)

Learn how to restrict or limit the ftp commands a user can run against the vsftpd service,
for example how to deny users the ability to create or delete directories.

  1. The vsftpd service is installed and configured with the default options.
    Creating and removing directories works as expected:
# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir test
257 "/home/test/test" created
ftp> rmdir test
250 Remove directory operation successful.
ftp>
  2. Deny users the ability to create or delete directories.
    Add the following lines at the end of the file /etc/vsftpd/vsftpd.conf.
# tail /etc/vsftpd/vsftpd.conf
tcp_wrappers=YES
# Allowed commands
#cmds_allowed=ABOR,ACCT,ALLO,APPE,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PASS,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER,XCUP,XCWD,XPWD,XRMD
# Explicitly denied commands
cmds_denied=RMD,RMDIR,XRMD,MKD,MKDIR,XMKD
  3. Restart the vsftpd service:
# systemctl restart vsftpd

Note: on Oracle Linux 6 use

# service vsftpd restart
  4. The user can no longer create or delete directories:
# ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> mkdir test2
550 Permission denied.
ftp>
ftp> rmdir test
550 Permission denied.
ftp>

For more information, see the man page:

# man vsftpd.conf
cmds_allowed
This option specifies a comma-separated list of allowed FTP commands (post login. USER, PASS and QUIT and
others are always allowed pre-login). Other commands are rejected. This is a powerful method of really
locking down an FTP server. Example: cmds_allowed=PASV,RETR,QUIT
Default: (none)
cmds_denied
This option specifies a comma-separated list of denied FTP commands (post login. USER, PASS, QUIT and
others are always allowed pre-login). If a command appears on both this and cmds_allowed then the denial
takes precedence. (Added in v2.1.0).
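The decision rules quoted from the man page (denial wins over allowance; a non-empty cmds_allowed rejects everything not listed) can be checked against a vsftpd.conf before restarting the service. The script below is an added example, not part of the original article or of vsftpd itself: it parses a constructed config fragment mirroring the lines added in step 2 and reports, per FTP protocol verb, whether vsftpd would accept it post-login. The ftp client's mkdir and rmdir commands are sent as the protocol verbs MKD and RMD, so those are what the check evaluates; the helper and constant names are my own.

```python
"""Emulate vsftpd's cmds_allowed / cmds_denied decision for a post-login FTP verb.

Rules taken from the vsftpd.conf man page:
  - a verb in cmds_denied is rejected even if it also appears in cmds_allowed,
  - if cmds_allowed is non-empty, any verb not listed is rejected,
  - USER, PASS, QUIT are always accepted pre-login, so only post-login verbs are checked here.
"""

# Constructed sample (not a real host's file), mirroring the lines appended in step 2.
SAMPLE_CONF = """\
listen=YES
tcp_wrappers=YES
# Allowed commands
#cmds_allowed=ABOR,CWD,LIST,PASV,PWD,QUIT,RETR,STOR,TYPE
# Explicitly denied commands
cmds_denied=RMD,RMDIR,XRMD,MKD,MKDIR,XMKD
"""

# Protocol verbs the ftp client actually sends for its mkdir / rmdir commands.
CLIENT_TO_VERB = {"mkdir": "MKD", "rmdir": "RMD"}


def parse_conf(text):
    """Return {option: value} for active lines; '#' lines are comments and ignored.
    Assumption: when an option is repeated, the later line wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def cmd_list(opts, key):
    """Comma-separated option value -> set of upper-case verbs (empty set if unset)."""
    return {c.strip().upper() for c in opts.get(key, "").split(",") if c.strip()}


def is_allowed(opts, verb):
    """True if vsftpd would accept `verb` after login under these options."""
    verb = verb.upper()
    if verb in cmd_list(opts, "cmds_denied"):
        return False                      # explicit denial takes precedence
    allowed = cmd_list(opts, "cmds_allowed")
    return not allowed or verb in allowed  # empty cmds_allowed = no allow-list


def audit(text, verbs):
    """Map each verb to its allow/deny decision for the given config text."""
    opts = parse_conf(text)
    return {v: is_allowed(opts, v) for v in verbs}


if __name__ == "__main__":
    for verb, ok in audit(SAMPLE_CONF, ["MKD", "RMD", "RETR", "STOR"]).items():
        print(f"{verb}: {'allowed' if ok else 'denied (550 Permission denied.)'}")
```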
Date: 2020-09-17 00:13:41 Source: oir Author: oir