[转]centos6配置vsftp
yum -y install pam*
yum -y install db4*
yum -y install vsftpd*
创建虚拟用户文件:
touch /etc/vsftpd/vir_user
1. 创建virtusers,格式如下:
femart2011
4yR3WnoluSFTCB
2. 生成数据库:
db_load -T -t hash -f /etc/vsftpd/vir_user /etc/vsftpd/vir_user.db
3. 设置数据库文件的访问权限:
chmod 600 /etc/vsftpd/vir_user.db
chmod 600 /etc/vsftpd/vir_user
4. 修改/etc/pam.d/vsftpd内容:
echo "auth required pam_userdb.so db=/etc/vsftpd/vir_user" > /etc/pam.d/vsftpd
echo "account required pam_userdb.so db=/etc/vsftpd/vir_user" >> /etc/pam.d/vsftpd
5. 修改/etc/vsftpd/vsftpd.conf的内容 #主配置文件
touch /var/log/vsftpd.log
mkdir -p /etc/vsftpd/vconf
vim /etc/vsftpd/vsftpd.conf
listen=YES
listen_port=60017
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
nopriv_user=www
async_abor_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome to FTP servers
chroot_local_user=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=www
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vconf
pasv_enable=YES
pasv_min_port=10020
pasv_max_port=10040
6. 创建用户的配置文件
#用户配置文件的名字要和创建的“虚拟用户”名字对应
touch /etc/vsftpd/vconf/femart2011
vim /etc/vsftpd/vconf/femart2011
local_root=/data/httpd/b2c
anonymous_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
idle_session_timeout=600
data_connection_timeout=120
max_clients=10
max_per_ip=5
local_max_rate=50000
chown -R www:www /data/httpd/b2c
7、如要创建多个虚拟目录和帐号,需重复操作1、2、3、4、6
相关防火墙操作:
打开port模式使用的20端口和21端口
-A+INPUT+-p+tcp+--dport+21+-j+ACCEPT
-A+INPUT+-p+tcp+--dport+20+-j+ACCEPT
-A+OUTPUT+-p+tcp+--sport+21+-j+ACCEPT
-A+OUTPUT+-p+tcp+--sport+20+-j+ACCEPT
打开pasv模式使用的10020-10040端口(在vsftpd.conf中定义)
-A+INPUT+-p+tcp --dport+10020:10040 -j+ACCEPT
-A+OUTPUT+-p+tcp+--sport+10020:10040+-j+ACCEPT
或直接编辑iptables;
#vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Mar 5 17:20:53 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:63258]
-A INPUT -p tcp -m tcp --dport 10020:10040 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 10020:10040 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Mon Mar 5 17:20:53 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:63258]
-A INPUT -p tcp -m tcp --dport 10020:10040 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 10020:10040 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Mon Mar 5 17:20:53 2012
设置selinux的ftp权限
如:setsebool -P allow_ftpd_full_access=on
查看权限:getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
浙公网安备 33010602011771号