CentOS安装vsftpd并建立ftp服务
参考:http://blog.sina.com.cn/s/blog_4a55c0c50100i1ok.html
一、安装vdftpd
|
1 |
yum install vsftpd |
二、配置vsftpd
1、修改/etc/vsftpd/vsftpd.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 |
#【a】开启匿名登录 # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES #【b】允许修改root目录 # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_list_enable=YES #【c】与user_list文件的关联 userlist_enable=YES |
2、修改/etc/vsftpd/user_list文件
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# 全部注释(未注释的用户被拒绝访问,不给输密码的机会) # vsftpd userlist # If userlist_deny=NO, only allow users in this file # If userlist_deny=YES (default), never allow users in this file, and # do not even prompt for a password. # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers # for users that are denied. #root #bin #daemon #adm #lp #sync #shutdown #halt #mail #news #uucp #operator #games #nobody |
3、修改/etc/vsftpd/ftpusers文件
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# 全部注释(未注释的用户将无法登陆) # Users that are not allowed to login via ftp #root #bin #daemon #adm #lp #sync #shutdown #halt #mail #news #uucp #operator #games #nobody |
三、关闭selinux(否则无法列出目录)(有了新的未验证的解决办法,见五)
|
1 2 3 4 5 6 7 8 9 |
vim /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. #SELINUX=enforcing SELINUX=disabled |
四、重启服务并添加该服务到自动启动项
|
1 2 |
service vsftpd restart chkconfig --level 35 vsftpd on |
五、在开启selinux的情况下使用ftp(修改selinux中ftp相关bool值)
1.查看selinux关于ftp的bool值
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
[root@i Desktop]# getsebool -a|grep ftp allow_ftpd_anon_write --> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off ftp_home_dir --> off ftpd_connect_db --> off ftpd_use_fusefs --> off ftpd_use_passive_mode --> off httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_use_cifs --> off tftp_use_nfs --> off |
2.修改selinux bool
|
1 2 3 4 5 6 7 8 9 10 |
经过尝试发现,打开ftp_home_dir或者 ftpd_disable_trans。都可以达到在enforcing级别下,允许FTP正常登录的效果。 setsebool -P ftpd_disable_trans 1 或者 setsebool -P ftp_home_dir 1 #【确保!】 allow_ftpd_full_access on service vsftpd restart 加-P是保存选项,每次重启时不必重新执行这个命令了。最后别忘了在/etc/sysconfig/selinux中,修改SELINUX=enforcing。 |
六、限制ftp用户于自己的home目录
参见参考博客吧 好困,去睡觉
七、使用被动模式
当1024以上端口不可用时,需要采用被动模式连接ftp
因端口不可用产生的报错:
|
1 2 3 4 5 |
ftp> cd / 250 Directory successfully changed. ftp> dir 200 PORT command successful. Consider using PASV. 425 Failed to establish connection. |
使用被动模式:
|
1 2 3 4 5 6 7 8 9 10 |
ftp> dir 200 PORT command successful. Consider using PASV. 425 Failed to establish connection. ftp> passive Passive mode on. ftp> dir 227 Entering Passive Mode (). 150 Here comes the directory listing. drwxr-xr-x 4 0 0 4096 Mar 04 07:05 app …… |
打完收工