Vsftpd basics
FTP active mode: PORT mode
The mode originally defined by the FTP protocol.
The client sends a PORT command to the server, telling the server the temporary port number the client will use for the data transfer.
When data needs to be transferred, the server opens the data channel from its own TCP port 20 to the client's temporary port and completes the transfer.
During data connection setup it is the server that actively initiates the connection.
FTP passive mode: PASV mode
The client sends a PASV command to the server, telling it to enter passive mode; the server picks a temporary port and reports it to the client.
When data needs to be transferred, the client actively connects to the server's temporary port to open the data channel and complete the transfer.
Throughout the process the server only passively accepts the client's data connection.
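The PORT and PASV exchange described above, as an added example (not code from the original page or from vsftpd). It shows the h1,h2,h3,h4,p1,p2 encoding both commands share and, from the server's side, the check that a PORT argument names the same host as the control connection; all function names are my own.

```python
import re
from typing import Tuple

def build_port_argument(ip: str, port: int) -> str:
    """Encode the client's listening endpoint for an active-mode PORT command.

    FTP sends it as h1,h2,h3,h4,p1,p2: four address octets, then the port
    split into a high byte and a low byte (port = p1*256 + p2)."""
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not an IPv4 address")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(octets + [str(port // 256), str(port % 256)])

_PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode the server's 227 reply to PASV into (ip, port) for the data channel.

    Only a 227 reply carries an endpoint; any other code (e.g. 425 "can't open
    data connection") means no data channel exists, so we refuse rather than guess."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 Entering Passive Mode reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def port_argument_matches_peer(port_arg: str, peer_ip: str) -> bool:
    """Server-side sanity check for active mode: the address in a PORT argument
    should be the control connection's own peer. vsftpd enforces this unless
    port_promiscuous=YES is set; shown here to make the trust direction clear."""
    try:
        ip, _ = parse_pasv_reply("227 (" + port_arg + ")")  # same h1..p2 encoding as PASV
    except ValueError:
        return False
    return ip == peer_ip
```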
FTP reply codes
125 Data connection already open; transfer starting
200 Command OK
226 Data transfer complete
331 Username OK
425 Can't open data connection
426 Data connection closed; transfer aborted
452 Error writing file
500 Syntax error, command unrecognized
The vsftpd package
Main program: /usr/sbin/vsftpd
Service name: vsftpd
User control lists:
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
Main configuration file:
/etc/vsftpd/vsftpd.conf
Installing and starting vsftpd
[[email protected] ~]# yum install -y vsftpd
[[email protected] ~]# rpm -qi vsftpd
Name : vsftpd
Version : 3.0.2
Release : 25.el7
Architecture: x86_64
Install Date: Wed 08 May 2019 08:01:07 AM EDT
Group : System Environment/Daemons
Size : 361335
License : GPLv2 with exceptions
Signature : RSA/SHA256, Mon 12 Nov 2018 09:48:54 AM EST, Key ID 24c6a8a7f4a80eb5
Source RPM : vsftpd-3.0.2-25.el7.src.rpm
Build Date : Tue 30 Oct 2018 03:45:10 PM EDT
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : https://security.appspot.com/vsftpd.html
Summary : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.
[[email protected] ~]# systemctl start vsftpd
[[email protected] ~]# netstat -tunlp | grep vsftpd
tcp6 0 0 :::21 :::* LISTEN 3557/vsftpd
[[email protected] ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.20.0.131 netmask 255.255.255.0 broadcast 172.20.0.255
inet6 fe80::3e66:b2a:5133:93d1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b0:6e:59 txqueuelen 1000 (Ethernet)
RX packets 13167 bytes 9232182 (8.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7360 bytes 724005 (707.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 69 bytes 6065 (5.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69 bytes 6065 (5.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Copy a file into the default directory
[[email protected] ~]# cd /var/ftp/pub
[[email protected] pub]# cp /etc/fstab ./
View the default configuration file
[[email protected] ~]# grep -v ^# /etc/vsftpd/vsftpd.conf | grep -v ^$
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Disable anonymous login
[[email protected] ~]# vim /etc/vsftpd/vsftpd.conf
[[email protected] ~]# grep ^anonymous /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
[[email protected] ~]# systemctl restart vsftpd
Test the FTP connection
[[email protected] ~]# useradd test01
[[email protected] ~]# echo "redhat" | passwd --stdin test01
Changing password for user test01.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# ftp 172.20.0.131
Connected to 172.20.0.131 (172.20.0.131).
220 (vsFTPd 3.0.2)
Name (172.20.0.131:root): test01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/test01"
ftp> help
Commands may be abbreviated. Commands are:
! debug mdir sendport site
$ dir mget put size
account disconnect mkdir pwd status
append exit mls quit struct
ascii form mode quote system
bell get modtime recv sunique
binary glob mput reget tenex
bye hash newer rstatus tick
case help nmap rhelp trace
cd idle nlist rename type
cdup image ntrans reset user
chmod lcd open restart umask
close ls prompt rmdir verbose
cr macdef passive runique ?
delete mdelete proxy send
ftp> status
Connected to 172.20.0.131.
No proxy connection.
Mode: stream; Type: binary; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off
ftp> exit
221 Goodbye.
Test an anonymous user connection
[[email protected] pub]# ftp 172.20.0.131
Connected to 172.20.0.131 (172.20.0.131).
220 (vsFTPd 3.0.2)
Name (172.20.0.131:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Adjust anonymous user permissions
[[email protected] pub]# ll
total 4
-rw-r--r-- 1 root root 465 May 8 08:08 fstab
[[email protected] pub]# grep ^anon /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[[email protected] ~]# vim /etc/vsftpd/vsftpd.conf
[[email protected] ~]# grep ^anon_ /etc/vsftpd/vsftpd.conf
anon_other_write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[[email protected] pub]# systemctl restart vsftpd
Set a banner displayed on connection
[[email protected] ~]# vim /etc/vsftpd/vsftpd.conf
[[email protected] ~]# grep ^banner /etc/vsftpd/vsftpd.conf
banner_file=/var/vsftpd_banner_file
[[email protected] ~]# systemctl start vsftpd
[[email protected] ~]# vim /var/vsftpd_banner_file
[[email protected] ~]# cat /var/vsftpd_banner_file
###################
hello world !
###################
[[email protected] ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220-###################
220-hello world !
220-###################
220
Name (127.0.0.1:root):
Configure access control based on local users
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
Local users named in the file /etc/vsftpd.user_list cannot access the FTP server, while all other local users can. (userlist_deny=YES makes the file a denylist; with userlist_deny=NO the same file becomes an allowlist and only the listed users may log in.)
chroot options
In the default configuration, local users can change into directories outside their home directory and browse, download and upload within whatever the filesystem permissions allow, which is rather insecure.
Relevant options
chroot_local_user
chroot_list_enable
chroot_list_file
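As an added example (not from the original page or from vsftpd), a small audit of the settings covered in the anonymous-permission, user-list and chroot sections above: it parses the vsftpd.conf format and reports what each combination allows. The option names and their defaults are the real ones from the vsftpd.conf man page; the sample configuration is constructed from this page's listings, and the function names are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample: the page's default listing plus the anonymous-write and
# user-list settings from the sections above (not a real server's file).
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
"""

DEFAULTS = {"anonymous_enable": "YES", "userlist_deny": "YES"}  # man-page defaults for absent keys; all others are NO

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf holds one option=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_yes(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"

def audit_vsftpd_conf(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for the settings this page discusses."""
    findings = []
    # Every anon_* write option only takes effect when write_enable is also YES.
    if is_yes(conf, "anonymous_enable") and is_yes(conf, "write_enable"):
        for opt, code in (("anon_upload_enable", "ANON_UPLOAD"),
                          ("anon_mkdir_write_enable", "ANON_MKDIR"),
                          ("anon_other_write_enable", "ANON_OTHER_WRITE")):
            if is_yes(conf, opt):
                findings.append((code, f"{opt}=YES lets anonymous users modify the server"))
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        findings.append(("NO_CHROOT", "local users may browse outside their home directory"))
    if is_yes(conf, "userlist_enable"):  # userlist_deny decides what the list means
        if is_yes(conf, "userlist_deny"):
            findings.append(("USERLIST_DENYLIST", "users in userlist_file are refused, others may log in"))
        else:
            findings.append(("USERLIST_ALLOWLIST", "only users in userlist_file may log in"))
    return findings
```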