virage 2012-4-23 18:24
Setting up vsftpd virtual users on CentOS
<p class="MsoNormal">Virtual users are used mainly for easier administration and better server security. Without them, if there are too many ftp users, the server inevitably ends up carrying a major security liability.</p><p class="MsoNormal"><br></p><p class="MsoNormal">With virtual users, vsftpd can flexibly set the permissions of each FTP virtual user, reducing the security problems caused by having too many users.</p><p class="MsoNormal"><br></p><p class="MsoNormal">Here we use vsftpd's virtual-user support, meaning that these vsftpd users no longer have to be system users, and each user's path definition and configuration can be individualised, which makes vsftpd considerably more powerful. In all of this, PAM once again plays the key role.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><b>Environment:</b></p>
<p class="MsoNormal">CentOS 5.6</p>
<p class="MsoNormal">vsftpd-2.0.5-21.el5</p><p class="MsoNormal"><br></p><p class="MsoNormal">I. Installation:<br>1. Install the vsftpd service packages:<br><font color="#006400"># yum -y install vsftpd*</font></p><p class="MsoNormal"><br></p><p class="MsoNormal">2. Make sure the PAM packages are installed:<br><font color="#006400"># yum -y install pam pam-devel</font></p><p class="MsoNormal"><br></p><p class="MsoNormal">3. Install the db4 packages:<br>A db4 package must be installed here specifically to support the file-based user database.<br><font color="#006400"># yum -y install db4*</font></p><p class="MsoNormal"><br>Dependencies Resolved<br>=============================================================================<br>Package Arch Version Repository Size<br>=============================================================================<br>Installing:<br>db4-devel i386 4.3.29-10.el5 base 2.0 M<br>db4-java i386 4.3.29-10.el5 base 1.7 M<br>db4-tcl i386 4.3.29-10.el5 base 1.0 M<br>db4-utils i386 4.3.29-10.el5 base 119 k<br><br>Transaction Summary<br>=============================================================================<br>Install 4 Package(s)<br>Update 0 Package(s)<br>Remove 0 Package(s)</p><p class="MsoNormal"><br></p><p class="MsoNormal">II. System accounts<br>1. Create the host user for the vsftpd service:</p><p class="MsoNormal">The default host account of vsftpd is root, but for security reasons the default account is not used here.</p><p class="MsoNormal">Instead a new host account named vsftpd is created to serve as vsftpd's host account. Since there is no need for this account to log in, it is created as a system account that cannot log in.</p><p class="MsoNormal"><font color="#006400"># useradd vsftpd -s /sbin/nologin</font></p><p class="MsoNormal"><br></p><p class="MsoNormal">2. Create the virtual-user host account for vsftpd:</p><p class="MsoNormal">Virtual accounts are not system accounts; that is, they do not exist on the system at all. The so-called virtual host account of vsftpd is a single host account that backs all of the virtual accounts. Precisely because it backs every virtual ftp account, the permissions of this host account also apply to all of those virtual accounts.</p><p class="MsoNormal"><font color="#006400"># useradd vsftpduser -s /sbin/nologin</font></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span style="font-size:14px;color:#f00;">Note: the account names created above can be changed to suit your needs. If you do not want to set them up, root privileges can be used directly.</span></p><p class="MsoNormal"><br></p><p class="MsoNormal">III. Adjust the vsftpd configuration file:<br>1. Back up the configuration file before editing it</p><p class="MsoNormal"># cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak</p><p class="MsoNormal"><br></p><p class="MsoNormal">2. Edit the main configuration file vsftpd.conf</p><p class="MsoNormal">The following configuration file is provided for reference.</p><p class="MsoNormal">[quote]</p><p class="MsoNormal">[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf</p>
<p class="MsoNormal"># Example config file /etc/vsftpd/vsftpd.conf</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># The default compiled in settings are fairly paranoid. This sample file</p>
<p class="MsoNormal"># loosens things up a bit, to make the ftp daemon more usable.</p>
<p class="MsoNormal"># Please see vsftpd.conf.5 for all compiled in defaults.</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># READ THIS: This example file is NOT an exhaustive list of vsftpd options.</p>
<p class="MsoNormal"># Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's</p>
<p class="MsoNormal"># capabilities.</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Allow anonymous FTP? (Beware - allowed by default if you comment this out).</p>
<p class="MsoNormal"># Disallow anonymous access</p>
<p class="MsoNormal"><font color="#0000ff">anonymous_enable=NO</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Uncomment this to allow local users to log in.</p>
<p class="MsoNormal"># Allow local users to log in.</p>
<p class="MsoNormal"># Note: this mainly matters for the virtual-user host account; if it is set to NO, no virtual user can log in.</p>
<p class="MsoNormal"><font color="#0000ff">local_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Uncomment this to enable any form of FTP write command.</p>
<p class="MsoNormal"># Allow write operations.</p>
<p class="MsoNormal"><font color="#0000ff">write_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Default umask for local users is 077. You may wish to change this to 022,</p>
<p class="MsoNormal"># if your users expect that (022 is used by most other ftpd's)</p>
<p class="MsoNormal"># Permission mask applied to uploaded files.</p>
<p class="MsoNormal"><font color="#0000ff">local_umask=022</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Uncomment this to allow the anonymous FTP user to upload files. This only</p>
<p class="MsoNormal"># has an effect if the above global write enable is activated. Also, you will</p>
<p class="MsoNormal"># obviously need to create a directory writable by the FTP user.</p>
<p class="MsoNormal"># Forbid anonymous uploads</p>
<p class="MsoNormal"><font color="#0000ff">anon_upload_enable=NO</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Uncomment this if you want the anonymous FTP user to be able to create</p>
<p class="MsoNormal"># new directories.</p>
<p class="MsoNormal"># Anonymous users may not create directories</p>
<p class="MsoNormal"><font color="#0000ff">anon_mkdir_write_enable=NO</font></p>
<p class="MsoNormal"># Anonymous users may not write</p>
<p class="MsoNormal"><font color="#0000ff">anon_other_write_enable=NO</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Activate directory messages - messages given to remote users when they</p>
<p class="MsoNormal"># go into a certain directory.</p>
<p class="MsoNormal"># Enable directory messages</p>
<p class="MsoNormal"><font color="#0000ff">dirmessage_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># The target log file can be vsftpd_log_file or xferlog_file.</p>
<p class="MsoNormal"># This depends on setting xferlog_std_format parameter</p>
<p class="MsoNormal"># Enable logging</p>
<p class="MsoNormal"><font color="#0000ff">xferlog_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Make sure PORT transfer connections originate from port 20 (ftp-data).</p>
<p class="MsoNormal"># Data connections originate from port 20</p>
<p class="MsoNormal"><font color="#0000ff">connect_from_port_20=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># If you want, you can arrange for uploaded anonymous files to be owned by</p>
<p class="MsoNormal"># a different user. Note! Using "root" for uploaded files is not</p>
<p class="MsoNormal"># recommended!</p>
<p class="MsoNormal"># Do not change the owner of uploaded files</p>
<p class="MsoNormal"><font color="#0000ff">chown_uploads=NO</font></p>
<p class="MsoNormal">#chown_username=whoever</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># The name of log file when xferlog_enable=YES and xferlog_std_format=YES</p>
<p class="MsoNormal"># WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log</p>
<p class="MsoNormal"># Path where the vsftpd service log is kept.</p>
<p class="MsoNormal"># Note: this file does not exist by default and must be created by hand. Because the vsftpd host account was changed to the manually created vsftpd user,</p>
<p class="MsoNormal"># the log file must be made writable by that account, otherwise the service will fail to start</p>
<p class="MsoNormal"><font color="#0000ff">xferlog_file=/var/log/vsftpd.log</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Switches between logging into vsftpd_log_file and xferlog_file files.</p>
<p class="MsoNormal"># NO writes to vsftpd_log_file, YES to xferlog_file</p>
<p class="MsoNormal"># Use the standard log format</p>
<p class="MsoNormal"><font color="#0000ff">xferlog_std_format=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may change the default value for timing out an idle session.</p>
<p class="MsoNormal"># Once the data connection between server and client has been established (whether active or passive),</p>
<p class="MsoNormal"># a client that issues no command within this time is forcibly disconnected; the default is 600 seconds</p>
<p class="MsoNormal">#idle_session_timeout=600</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may change the default value for timing out a data connection.</p>
<p class="MsoNormal"># Simply put, the maximum duration of a single continuous transfer; a data connection with no activity beyond this time is forcibly closed. The default is 120 seconds</p>
<p class="MsoNormal">#data_connection_timeout=120</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># It is recommended that you define on your system a unique user which the</p>
<p class="MsoNormal"># ftp server can use as a totally isolated and unprivileged user.</p>
<p class="MsoNormal"># Set the host account of the vsftpd service to the manually created vsftpd user.</p>
<p class="MsoNormal"><font color="#0000ff">nopriv_user=vsftpd</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># Enable this and the server will recognise asynchronous ABOR requests. Not</p>
<p class="MsoNormal"># recommended for security (the code is non-trivial). Not enabling it,</p>
<p class="MsoNormal"># however, may confuse older FTP clients.</p>
<p class="MsoNormal"># Enable support for asynchronous ABOR</p>
<p class="MsoNormal"><font color="#0000ff">async_abor_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># By default the server will pretend to allow ASCII mode but in fact ignore</p>
<p class="MsoNormal"># the request. Turn on the below options to have the server actually do ASCII</p>
<p class="MsoNormal"># mangling on files when in ASCII mode.</p>
<p class="MsoNormal"># Beware that on some FTP servers, ASCII support allows a denial of service</p>
<p class="MsoNormal"># attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd</p>
<p class="MsoNormal"># predicted this attack and has always been safe, reporting the size of the</p>
<p class="MsoNormal"># raw file.</p>
<p class="MsoNormal"># ASCII mangling is a horrible feature of the protocol.</p>
<p class="MsoNormal"># Enable ASCII-mode upload and download</p>
<p class="MsoNormal"><font color="#0000ff">ascii_upload_enable=YES</font></p>
<p class="MsoNormal"><font color="#0000ff">ascii_download_enable=YES</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may fully customise the login banner string:</p>
<p class="MsoNormal"># vsftpd login banner</p>
<p class="MsoNormal"><font color="#0000ff">ftpd_banner=Welcome the Login ADJ of the FTP SERVER.</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may specify a file of disallowed anonymous e-mail addresses. Apparently</p>
<p class="MsoNormal"># useful for combatting certain DoS attacks.</p>
<p class="MsoNormal">#deny_email_enable=YES</p>
<p class="MsoNormal"># (default follows)</p>
<p class="MsoNormal">#banned_email_file=/etc/vsftpd/banned_emails</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may specify an explicit list of local users to chroot() to their home</p>
<p class="MsoNormal"># directory. If chroot_local_user is YES, then this list becomes a list of</p>
<p class="MsoNormal"># users to NOT chroot().</p>
<p class="MsoNormal"># Do not let users leave their own FTP home directory (no chroot exception list)</p>
<p class="MsoNormal"><font color="#0000ff">chroot_list_enable=NO</font></p>
<p class="MsoNormal"># (default follows)</p>
<p class="MsoNormal">#chroot_list_file=/etc/vsftpd/chroot_list</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># You may activate the "-R" option to the builtin ls. This is disabled by</p>
<p class="MsoNormal"># default to avoid remote users being able to cause excessive I/O on large</p>
<p class="MsoNormal"># sites. However, some broken FTP clients such as "ncftp" and "mirror" assume</p>
<p class="MsoNormal"># the presence of the "-R" option, so there is a strong case for enabling it.</p>
<p class="MsoNormal"># Forbid users from running "ls -R" after logging in to FTP; the command puts a heavy load on the server.</p>
<p class="MsoNormal"><font color="#0000ff">ls_recurse_enable=NO</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># When "listen" directive is enabled, vsftpd runs in standalone mode and</p>
<p class="MsoNormal"># listens on IPv4 sockets. This directive cannot be used in conjunction</p>
<p class="MsoNormal"># with the listen_ipv6 directive.</p>
<p class="MsoNormal"># YES means vsftpd is started stand-alone; NO means it is started by the super daemon</p>
<p class="MsoNormal"># In stand-alone mode the service has its own process; in super-daemon mode xinetd runs it instead,</p>
<p class="MsoNormal"># and many vsftpd features become unavailable.</p>
<p class="MsoNormal"><font color="#0000ff">listen=YES</font></p>
<p class="MsoNormal"># The command-channel port vsftpd listens on. It can be changed to suit your needs.</p>
<p class="MsoNormal"><font color="#0000ff">listen_port=21</font></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6</p>
<p class="MsoNormal"># sockets, you must run two copies of vsftpd with two configuration files.</p>
<p class="MsoNormal"># Make sure, that one of the listen options is commented !!</p>
<p class="MsoNormal"># Do not listen on IPv6</p>
<p class="MsoNormal"><font color="#0000ff">listen_ipv6=NO</font></p>
<p class="MsoNormal"># The name of the PAM service; PAM authentication will use the vsftpd file under /etc/pam.d/</p>
<p class="MsoNormal"><font color="#0000ff">pam_service_name=vsftpd</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Users listed in userlist_file may not use FTP</p>
<p class="MsoNormal"><font color="#0000ff">userlist_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Enable TCP Wrappers support</p>
<p class="MsoNormal"><font color="#0000ff">tcp_wrappers=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Users may not leave their home directory</p>
<p class="MsoNormal"><font color="#0000ff">chroot_local_user=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Enable the virtual-user feature</p>
<p class="MsoNormal"><font color="#0000ff">guest_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># The host account for virtual users</p>
<p class="MsoNormal"><font color="#0000ff">guest_username=vsftpduser</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Give virtual users the same permissions as the host account</p>
<p class="MsoNormal"><font color="#0000ff">virtual_use_local_privs=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Directory holding the per-user vsftpd configuration files for virtual users.</p>
<p class="MsoNormal"># Note: each configuration file must be named exactly like the virtual user it applies to.</p>
<p class="MsoNormal"><font color="#0000ff">user_config_dir=/etc/vsftpd/vconf</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Restrict the passive-mode PORT range so the ports do not jump around, which would make the firewall hard to configure</p><p class="MsoNormal"><font color="#0000ff">pasv_enable=YES</font></p><p class="MsoNormal"><font color="#0000ff">pasv_min_port=65400</font></p>
<p class="MsoNormal"><font color="#0000ff">pasv_max_port=65410</font></p><p class="MsoNormal"><br></p><p class="MsoNormal"># Use local time</p><p class="MsoNormal"><span style="color: rgb(0, 0, 255);">use_localtime=YES</span></p><p class="MsoNormal">[/quote]</p><p class="MsoNormal"><br></p><p class="MsoNormal">3. Create the vsftpd log file and change its owner to the vsftpd service host user:<br><font color="#0000ff"># chown vsftpd.vsftpd /var/log/vsftpd.log</font></p><p class="MsoNormal"><br></p><p class="MsoNormal"><br>IV. Build the virtual-user database file<br>1. First create the virtual-user list file:<br><font color="#0000ff"># touch /etc/vsftpd/ftp-userlist</font></p><p class="MsoNormal"><br>This creates the virtual-user list file, the data file that records the user names and passwords of the vsftpd virtual users; I have named it ftp-userlist here.</p><p class="MsoNormal">To keep the files from getting scattered, I put this list file under /etc/vsftpd/.</p><p class="MsoNormal"><br></p><p class="MsoNormal">2. Edit the virtual-user list file:<br><font color="#0000ff"># vi /etc/vsftpd/ftp-userlist</font><br>----------------------------<br>adj</p><p class="MsoNormal">111111</p><p class="MsoNormal">allen</p><p class="MsoNormal">111111<br>----------------------------<br>Edit this virtual-user list file and add the users' names and passwords. The format is simple: one line with the user name, the next line with the password.</p><p class="MsoNormal"><br></p><p class="MsoNormal">3. Generate the virtual-user data file:</p><p class="MsoNormal"><font color="#0000ff"># db_load -T -t hash -f /etc/vsftpd/ftp-userlist /etc/vsftpd/ftp-userlist.db</font></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span style="font-size:14px;color:#f00;">Note: whenever accounts are added or removed later, remember to run "db_load -T -t hash -f" again, otherwise the change will not take effect.</span></p><p class="MsoNormal"><br></p><p class="MsoNormal">V. Set up the PAM authentication file and point it at the virtual-user database file<br>1. Make a backup before editing:</p><p class="MsoNormal"><font color="#0000ff"># cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak</font></p><p class="MsoNormal"><br></p><p class="MsoNormal">2. Edit vsftpd's PAM authentication configuration file</p><p class="MsoNormal"><br></p><p class="MsoNormal">The changes below are given separately for 32-bit and 64-bit systems; apply the one that matches the architecture you installed.</p>
<p class="MsoNormal">Whether 32-bit or 64-bit, comment out every existing line except the two newly added ones.</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">32-bit:</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">[quote]</p>
<p class="MsoNormal">[root@localhost ~]# vi /etc/pam.d/vsftpd</p>
<p class="MsoNormal"><font color="Blue">#</font>%PAM-1.0</p>
<p class="MsoNormal"><font color="Blue">#</font>session optional pam_keyinit.so force revoke</p>
<p class="MsoNormal"><font color="Blue">#</font>auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed</p>
<p class="MsoNormal"><font color="Blue">#</font>auth required pam_shells.so</p>
<p class="MsoNormal"><font color="Blue">#</font>auth include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>account include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>session include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>session required pam_loginuid.so</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"><font color="#0000ff">auth required /lib/security/pam_userdb.so db=/etc/vsftpd/ftp-userlist</font></p>
<p class="MsoNormal"><font color="#0000ff">account required /lib/security/pam_userdb.so db=/etc/vsftpd/ftp-userlist</font></p>
<p class="MsoNormal">[/quote]</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">64-bit:</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">[quote]</p>
<p class="MsoNormal">[root@localhost ~]# vi /etc/pam.d/vsftpd</p>
<p class="MsoNormal"><font color="Blue">#</font>%PAM-1.0</p>
<p class="MsoNormal"><font color="Blue">#</font>session optional pam_keyinit.so force revoke</p>
<p class="MsoNormal"><font color="Blue">#</font>auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed</p>
<p class="MsoNormal"><font color="Blue">#</font>auth required pam_shells.so</p>
<p class="MsoNormal"><font color="Blue">#</font>auth include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>account include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>session include system-auth</p>
<p class="MsoNormal"><font color="Blue">#</font>session required pam_loginuid.so</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"><font color="#0000ff">auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/ftp-userlist</font></p>
<p class="MsoNormal"><font color="#0000ff">account required /lib64/security/pam_userdb.so db=/etc/vsftpd/ftp-userlist</font></p>
<p class="MsoNormal">[/quote]</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">V. Configuring the virtual users</p>
<p class="MsoNormal">1. Create the directory that holds the virtual accounts' vsftpd.conf files:</p>
<p class="MsoNormal"><font color="#006400"># mkdir /etc/vsftpd/vconf/</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">2. Create the FTP user configuration file for the test user adj:</p>
<p class="MsoNormal"><font color="#006400"># vi /etc/vsftpd/vconf/adj</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">[quote]</p>
<p class="MsoNormal"># Ordinary user permissions: can download, upload and delete</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># File storage path (if the directory does not exist under this path, create it yourself)</p>
<p class="MsoNormal"><font color="#0000ff">local_root=/home/upload/</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Do not allow anonymous access.</p>
<p class="MsoNormal"><font color="#0000ff">anonymous_enable=NO</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Run the vsftpd service as the manually created vsftpd account.</p>
<p class="MsoNormal"><font color="#0000ff">nopriv_user=vsftpd</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># The local account that the virtual users are mapped to</p>
<p class="MsoNormal"><font color="#0000ff">guest_username=vsftpduser</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Allow write operations</p>
<p class="MsoNormal"><font color="#0000ff">write_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Allow downloads</p>
<p class="MsoNormal"><font color="#0000ff">download_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># umask applied to uploaded files</p>
<p class="MsoNormal"><font color="#0000ff">local_umask=022</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Show the directory's message when a user enters it</p>
<p class="MsoNormal"><font color="#0000ff">dirmessage_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># When YES, every upload and download is logged</p>
<p class="MsoNormal"><font color="#0000ff">xferlog_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Use port 20 (ftp-data) as the source port of active-mode data connections</p>
<p class="MsoNormal"><font color="#0000ff">connect_from_port_20=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Standard transfer log format</p>
<p class="MsoNormal"><font color="#0000ff">xferlog_std_format=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># YES means vsftpd is started in standalone mode</p>
<p class="MsoNormal"><font color="#0000ff">listen=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Name of the PAM service; its configuration is the file /etc/pam.d/vsftpd</p>
<p class="MsoNormal"><font color="#0000ff">pam_service_name=vsftpd</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Use vsftpd's own user list to block unwanted accounts</p>
<p class="MsoNormal"><font color="#0000ff">userlist_enable=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># TCP Wrappers support</p>
<p class="MsoNormal"><font color="#0000ff">tcp_wrappers=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Idle session timeout</p>
<p class="MsoNormal"><font color="#0000ff">idle_session_timeout=600</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Maximum time for one continuous transfer</p>
<p class="MsoNormal"><font color="#0000ff">data_connection_timeout=120</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Maximum number of simultaneous clients</p>
<p class="MsoNormal"><font color="#0000ff">max_clients=5</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Maximum number of connections from a single client IP</p>
<p class="MsoNormal"><font color="#0000ff">max_per_ip=10</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Maximum transfer rate for this user, in bytes per second</p>
<p class="MsoNormal"><font color="#0000ff">local_max_rate=600000</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Confine the user to its own home directory (chroot)</p>
<p class="MsoNormal"><font color="#0000ff">chroot_local_user=YES</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Whether anonymous users are limited to world-readable files</p>
<p class="MsoNormal"><font color="#0000ff">anon_world_readable_only=NO</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Whether anonymous users may upload files; the default is NO</p>
<p class="MsoNormal"><font color="#0000ff">anon_upload_enable=NO</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Whether anonymous users may create directories; the default is NO</p>
<p class="MsoNormal"><font color="#0000ff">anon_mkdir_write_enable=NO</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"># Whether anonymous users get other write permissions; the default is NO</p>
<p class="MsoNormal"><font color="#0000ff">anon_other_write_enable=NO</font></p>
<p class="MsoNormal">[/quote]</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">3. Change the owner of the virtual users' home directory to the virtual users' host account:</p>
<p class="MsoNormal"><font color="#006400"># chown -R vsftpduser.vsftpduser /home/upload</font></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">4. Start the vsftpd service</p>
<p class="MsoNormal"># service vsftpd start</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">5. Firewall settings</p>
<p class="MsoNormal">First enable the firewall and disable SELinux, then add the firewall rules.</p>
<p class="MsoNormal">Add the following rules:</p>
<p class="MsoNormal">The first two lines allow FTP connections (control port 21 and data port 20).</p>
<p class="MsoNormal">The third line is needed because vsftpd.conf limits the passive port range, so the same range of ports has to be opened here as well.</p>
<p class="MsoNormal">[quote]</p>
<p class="MsoNormal"><font color="#0000ff"># Allow FTP</font></p>
<p class="MsoNormal"><font color="#0000ff">iptables -A INPUT -p tcp --dport 20 -j ACCEPT</font></p>
<p class="MsoNormal"><font color="#0000ff">iptables -A INPUT -p tcp --dport 21 -j ACCEPT</font></p>
<p class="MsoNormal"><font color="#0000ff">iptables -A INPUT -p tcp --dport 65400:65410 -j ACCEPT</font></p>
<p class="MsoNormal">[/quote]</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">6. Testing</p>
<p class="MsoNormal">Connect with an FTP client such as FileZilla Client and check whether you can log in and use the server normally. If both the login and the file operations work, the setup is complete.</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">References:</p>
<p class="MsoNormal"><a href="http://blog.faq-book.com/?p=4549" target="_blank">http://blog.faq-book.com/?p=4549</a></p>
<p class="MsoNormal"><a href="http://www.guan8.net/Java/278735.html" target="_blank">http://www.guan8.net/Java/278735.html</a></p>
<p class="MsoNormal"><a href="http://hi.baidu.com/xc_hai/blog/item/bef536133a0b9ac3c2fd7888.html" target="_blank">http://hi.baidu.com/xc_hai/blog/item/bef536133a0b9ac3c2fd7888.html</a></p>
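<p class="MsoNormal">The list file from section III holds every password in clear text, and its "user name line, password line" layout is easy to break with a stray blank line or a name typed twice. The following shell script is an added example, not part of the original post: it validates the list before running the post's db_load command, builds the database into a fresh file so that accounts removed from the list also vanish from the database, and restricts both files to root. The paths are the post's own; the function names and the constructed sample list are mine.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: validate the vsftpd virtual
# user list (alternating user name / password lines, as in section III) and
# rebuild the Berkeley DB file from it. The list holds clear-text passwords,
# so both files are restricted to root afterwards. Paths follow the post;
# the function names are mine.

# check_userlist FILE
#   Exit 0 if FILE is well formed. Prints one line per problem: an empty line,
#   a user name listed twice, or a trailing user name with no password line.
check_userlist() {
    awk '
        NF == 0 { printf "line %d: empty line\n", NR; bad = 1; next }
        NR % 2 == 1 {                       # odd lines carry user names
            user = $0
            if (user in seen) { printf "line %d: duplicate user %s\n", NR, user; bad = 1 }
            seen[user] = 1
        }
        END {
            if (NR % 2 == 1) { printf "line %d: user %s has no password\n", NR, user; bad = 1 }
            exit bad + 0
        }' "$1"
}

# count_users FILE -> number of user/password pairs in FILE
count_users() {
    awk 'END { print int(NR / 2) }' "$1"
}

# rebuild_userdb LIST DB
#   Validates LIST, loads it into a fresh database with the post's db_load
#   command, then renames it over DB. Building a new file instead of loading
#   into the existing one guarantees that accounts deleted from LIST are gone
#   from DB too. Run this after every edit of LIST.
rebuild_userdb() {
    list=$1
    db=$2
    tmp="$db.tmp.$$"
    check_userlist "$list" || { echo "refusing to load $list" >&2; return 1; }
    chmod 600 "$list" || return 1                   # passwords: root only
    rm -f "$tmp"
    # -T: text input, -t hash: hash table database, -f: source list
    db_load -T -t hash -f "$list" "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$db"
}

# demo: run the format check on a constructed copy of the post's example list
demo() {
    f=$(mktemp)
    printf 'adj\n111111\nallen\n111111\n' > "$f"     # constructed sample
    check_userlist "$f" && echo "$(count_users "$f") user(s) in $f are well formed"
    rm -f "$f"
}

# Usage: sh rebuild_userdb.sh /etc/vsftpd/ftp-userlist /etc/vsftpd/ftp-userlist.db
if [ "$#" -eq 2 ]; then
    rebuild_userdb "$1" "$2"
else
    demo
fi
```

<p class="MsoNormal">Without arguments the script only checks the constructed sample; with the list and database paths it performs the full rebuild, which is the step the red note above asks you to repeat after every account change.</p>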
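<p class="MsoNormal">Section V writes one configuration file per virtual user, and step 5 opens a passive port range in iptables that must match the range in vsftpd.conf. The shell script below is an added example, not part of the original post: it audits a per-user file for the settings the post keeps restrictive (anonymous_enable=NO, chroot_local_user=YES, local_root set, the anon_*_enable options at NO) and derives the passive-range iptables line from the pasv_min_port/pasv_max_port values in vsftpd.conf instead of typing the range by hand. Function names and the constructed sample files are mine; pasv_min_port=65400 in the sample is an assumption taken from the post's firewall rule, since the post itself shows only pasv_max_port=65410.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a per-user
# configuration from /etc/vsftpd/vconf/ (section V) against the settings the
# post relies on, and derive the iptables rule for the passive port range from
# vsftpd.conf (step 5) so the firewall opens exactly the range vsftpd uses.
# Function names are mine; the option names are vsftpd's own.

# get_opt FILE KEY -> value of the last "KEY=value" line in FILE, or nothing
get_opt() {
    sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_vconf FILE
#   Exit 0 if FILE keeps the post's safety settings; otherwise prints each
#   deviation on its own line and exits 1.
audit_vconf() {
    f=$1
    rc=0
    [ "$(get_opt "$f" anonymous_enable)" = NO ] ||
        { echo "$f: anonymous_enable must be NO"; rc=1; }
    [ "$(get_opt "$f" chroot_local_user)" = YES ] ||
        { echo "$f: chroot_local_user=YES missing; user is not confined to local_root"; rc=1; }
    [ -n "$(get_opt "$f" local_root)" ] ||
        { echo "$f: local_root is not set"; rc=1; }
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        [ "$(get_opt "$f" "$key")" != YES ] ||
            { echo "$f: $key=YES (the post keeps it at NO)"; rc=1; }
    done
    return $rc
}

# pasv_rule CONF -> the iptables line matching pasv_min_port..pasv_max_port
pasv_rule() {
    min=$(get_opt "$1" pasv_min_port)
    max=$(get_opt "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] ||
        { echo "$1: pasv_min_port/pasv_max_port missing or inverted" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport $min:$max -j ACCEPT"
}

# demo: audit a constructed copy of the post's adj file and print the passive
# range rule for a constructed vsftpd.conf (pasv_min_port=65400 is assumed;
# the post shows only pasv_max_port=65410 and the 65400:65410 firewall rule).
demo() {
    d=$(mktemp -d)
    printf 'local_root=/home/upload/\nanonymous_enable=NO\nwrite_enable=YES\n' > "$d/adj"
    printf 'chroot_local_user=YES\nanon_upload_enable=NO\n' >> "$d/adj"
    printf 'anon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n' >> "$d/adj"
    printf 'listen=YES\npasv_min_port=65400\npasv_max_port=65410\n' > "$d/vsftpd.conf"
    audit_vconf "$d/adj" && echo "$d/adj: OK"
    pasv_rule "$d/vsftpd.conf"
    rm -rf "$d"
}

# Usage: sh check_vsftpd.sh /etc/vsftpd/vconf/adj /etc/vsftpd/vsftpd.conf
if [ "$#" -eq 2 ]; then
    audit_vconf "$1" && pasv_rule "$2"
else
    demo
fi
```

<p class="MsoNormal">The audit reads only the options it checks, so a file that sets anonymous_enable=YES or drops chroot_local_user is reported before the user is ever allowed to connect; the generated iptables line is the one to paste into the firewall rules of step 5, which keeps the opened range and the configured range from drifting apart.</p>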