vsftpd安装，以及配置ssl

转载请注明出处：http://www.cnblogs.com/blazer/p/4969711.html

环境：CentOs6.4 64bit

 

安装非常容易，麻烦在配置与创建用户，该博文主要用于记录增加和删除虚拟帐户的shell脚本以及记录安装时的配置参数，以供之后方便于管理与使用。

 

1.先检查是否安装了vsftpd，如果有安装则删除

rpm -qa|grep vsftpd
rpm -e --nodeps xxx

 

2.安装vsftpd

yum -y install vsftpd

 

3.启动测试

service vsftpd start
service vsftpd status
service vsftpd stop

 

4.进入vsftpd的配置目录

whereis vsftpd
cd /etc/vsftpd/

 

5.修改默认的配置文件

先备份

mv vsftpd.conf vsftpd.conf.bak

再修改

vi /etc/vsftpd/vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120

max_clients=20
max_per_ip=5

#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

# append

pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/upload_user_config

 

 

重要配置说明：

1.

#是否可以浏览非主目录的内容，NO表示不可以

chroot_local_user＝NO

#这行必须要有, 否则文件vsftpd.chroot_list不会起作用

chroot_list_enable=YES 

chroot_list_file=/etc/vsftpd/chroot_list

2.

当创建虚拟帐户时，需要给每个帐号都配置好权限，因此这些配置文件与帐号同名，生成在user_config_dir=/etc/vsftpd/upload_user_config（vsftpd.conf中）这个目录下。

此处只是配置指向该目录，并没有创建，在之后的步骤中会创建该目录。

 

 

6.修改pam.d

mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

vi /etc/pam.d/vsftpd

#%PAM-1.0
# 32-bit
#auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
#account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
# 64-bit
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/login

 

7.增加帐户

mkdir -p /etc/vsftpd/upload/hyy
adduser -d /etc/vsftpd/upload/hyy -g ftp -s /sbin/nologin hyy
chown -R hyy:ftp /etc/vsftpd/upload/hyy
chmod -R 700 /etc/vsftpd/upload/hyy

 

8.配置帐号密码文件 设置权限只有root读写

touch /etc/vsftpd/vuser
chmod 600 /etc/vsftpd/vuser

vi /etc/vsftpd/vuser

hyy
hyy
hd_user
hd_user

奇数行是账户名

偶数行是密码

需要新增则往下增加

 

9.生成pam校验数据库文件

db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/login.db

 

10.配置用户权限

mkdir -p /etc/vsftpd/upload_user_config

vi /etc/vsftpd/upload_user_config/hyy

#有上传/下载/修改权限
anon_world_readable_only=NO
write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
local_root=/etc/vsftpd/upload/hyy

 

注意：此处配置的local_root，是配置该帐户访问的根路径，每个帐户访问自己的目录，如果需要交叉访问，请自行修改目录权限以及根目录，不在本文体现。

 

从第6步之后增加新的ftp帐户，已经封装好2个shell，一个是新增，一个是删除

 

1.公共函数

vi common.sh 

function delLineByStr(){
    path=$1
    str=$2

    count=1
    row=-1
    for line in `cat $path`
    do
        if [[ "$line" == "$str" ]];then
            row=$count
            break
        fi
        ((count+=1))
    done

    if [[ "$row" == "-1" ]];then
        return
    fi
    sed -i "${row}d" $path
}

function delLineByStr2Count(){
    path=$1
    str=$2

    count=1
    row=-1
    for line in `cat $path`
    do
        if [[ "$line" == "$str" && $(($count % 2)) != 0 ]];then
            row=$count
            break
        fi
        ((count+=1))
    done

    if [[ "$row" == "-1" ]];then
        return
    fi
    sed -i "${row}d" $path
    sed -i "${row}d" $path
}

2.新增ftp帐户

vi adduser.sh

# 2015-11-16 BlazerHe

if [[ "" == "$1" || "" == "$2" ]];then
    echo "参数不正确，必须有2个参数，第一个参数是帐户名，第二个参数是密码"
    echo "执行示例 : sh adduser.sh \$username \$password"
    exit -1
fi

echo "=======================================开始执行======================================="

###################################### 定义变量
vsftpHome=/etc/vsftpd
vsftpData=/bigdata1/ftp
uName=$1
uPass=$2

echo "=====系统参数1:vsftpHome:${vsftpHome}"
echo "=====系统参数2:vsftpData:${vsftpData}"
echo ""

###################################### 创建帐号和目录并授权${vsftpData}/${uName}
mkdir -p ${vsftpData}/${uName}

echo "1.新增nologin帐户${uName}"
adduser -d ${vsftpData}/${uName} -g ftp -s /sbin/nologin ${uName}

echo "2.创建目录并授权${vsftpData}/${uName}"
chown -R ${uName}:ftp ${vsftpData}/${uName}
chmod -R 700 ${vsftpData}/${uName}


###################################### 增加到vuser，用于生成db
echo "3.将帐户${uName}写入vuser"
echo ${uName} >> ${vsftpHome}/vuser
echo ${uPass} >> ${vsftpHome}/vuser


###################################### 根据vuser里的账户密码生成db
echo "4.重新生成login.db"
db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db


###################################### 将帐户设置成只允许访问配置的目录，将账户名添加到chroot_list
echo "5.将帐户${uName}写入chroot_list"
echo ${uName} >> ${vsftpHome}/chroot_list


###################################### 创建配置文件并增加配置信息/etc/vsftpd/upload_user_config/${uName}
configDir=${vsftpHome}/upload_user_config/${uName}

echo "6.生成配置文件$configDir"
touch ${configDir}

echo "#只有下载权限" >> ${configDir}
echo "anon_world_readable_only=NO" >> ${configDir}
echo "local_root=${vsftpData}/${uName}" >> ${configDir}
echo "" >> ${configDir}


echo "7.重启服务"
service vsftpd restart 


echo "==================结果：创建帐号成功，账户名：${uName}，密码：${uPass}"
echo "=======================================执行结束======================================="

3.删除ftp帐户

vi deluser.sh

# 2015-11-16 BlazerHe

. ./common.sh

if [[ "" == "$1" ]];then
    echo "参数不正确，必须有1个参数，第一个参数是帐户名"
    echo "执行示例 : sh deluser.sh \$username \$password"
    exit -1
fi

echo "=======================================开始执行======================================="

#####################################
vsftpHome=/etc/vsftpd
vsftpData=/bigdata1/ftp
uName=$1
# uPass=$2

echo "=====系统参数1:vsftpHome:${vsftpHome}"
echo "=====系统参数2:vsftpData:${vsftpData}"
echo ""


echo "1.删除帐户${uName}"
userdel ${uName}


echo "2.删除帐户路径${vsftpData}/${uName}"
rm -rf ${vsftpData}/${uName}


echo "3.删除vuser里的信息"
# sed -i '/'"${uName}"'/d' ${vsftpHome}/vuser
# sed -i '/'"${uPass}"'/d' ${vsftpHome}/vuser
$(delLineByStr2Count ${vsftpHome}/vuser ${uName})


echo "4.重新生成login.db"
db_load -T -t hash -f ${vsftpHome}/vuser ${vsftpHome}/login.db


echo "5.删除chroot_list里的信息"
# sed -i '/'"${uName}"'/d' ${vsftpHome}/chroot_list
$(delLineByStr ${vsftpHome}/chroot_list ${uName})

configDir=${vsftpHome}/upload_user_config/${uName}
echo "6.删除文件$configDir"
rm -rf ${configDir}


echo "7.重启服务..."
service vsftpd restart


echo "==================结果：删除帐户${uName}成功"
echo "=======================================执行结束======================================="

说明：vsftpData变量为ftp配置该帐户访问的根路径

 

使用：

新增用户

sh adduser.sh test1 test1

删除用户

sh deluser.sh test1

 

题外话，ftp客户端使用

yum -y install ftp

ftp 127.0.0.1

然后输入配置的帐户密码即可。

具体的操作还需要贵客help一下！

 

常见错误：vsftpd登录，提示 vsftpd 500 OOPS: chroot

原因有可能是防火墙引起的，需要关闭防火墙

1. chkconfig iptables off

2. service iptables stop

3. setenforce 0 或者 修改/etc/sysconfig/selinux文件里面的SELINUX的值改为：SELINUX=disabled

 

 

后续深入：

为vsftpd配置ssl，这里选择openssl

 

1.查看是否支持ssl

ldd `which vsftpd`|grep ssl

 

2.省略安装openssl，centos自带了，直接生成ssl密钥文件并复制到/etc/ssl/certs目录下。

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

cp vsftpd.pem /etc/ssl/certs/vsftpd.pem

chmod 400 /etc/ssl/certs/vsftpd.pem

 

3.修改配置文件

vi vsftpd.conf

# ssl config
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
pasv_max_port=65535
pasv_min_port=64000

 

4.加入如上配置之后，重启服务

service vsftpd restart

 

完毕！linux的ftp工具不支持TSL，可以使用支持TSL的客户端工具，如FileZilla进行测试。

 

OK了！！！