|
|
用一天的时间研究了Linux下的ftp软件 vsftp,完完整整的搭建了一个完全简单的ftp服务器,做个总结。vsftpd 是一个很好的FTP服务器软件,vsftpd在安全性方面,主要针对程序的权限(privilege)来设计
两张安全措施:
1:通过降低登陆FTP服务器的pid的权限,使入侵者无法得到有效的管理权限,这样我们的系统就较为安全。
2: vsftpd利用了chroot软件,让用户仅能在一些不重要的目录活动,而无法使用LINUX的系统的全部功能,chroot主要是改变根目录的位置,例如你想让用户登陆A服务,且执行任何指令都是在/tmp/pub目录下,并限制用户使用A服务时只能在/tmp/pub目录下,那么使用chroot /tmp/pub commend就能让/tmp/pub变成A服务的根目录 /,这样用户不能退出/tmp/pub,用户只能在本目录活动。
vsftpd通过tar,make,make install 安装的话,默认会随xinetd(超级服务器)一起启动,就是非独立模式启动,需要修改才能独立模式启动。
#解压
tar -zxf vsftpd-2.0.5.tar.gz
cd ../vsftpd-2.0.5
#vsftpd需要使用nobody来作为运行者,一般已经存在,如果没有添加用户
useradd nobody
#安装时需要/usr/share/empty/
作为临时目录,一般已经存在,如果没有,通过下面命令创建
mkdir -pv /usr/share/empty/
#编译
make
make install
#如果make install没有安装文件,你可以手动执行下面的命令
cp vsftpd /usr/local/sbin/vsftpd
cp vsftpd.conf /etc/vsftpd.conf
cp vsftpd.conf.5 /usr/local/man/man5
cp vsftpd.8 /usr/local/man/man8
cp vsftpd.xinetd /etc/xinetd.d/vsftpd
#重启 xinetd 服务
/etc/rc.d/init.d/xinetd restart
因为是自己编译安装的,所以要在/etc/xinetd.d/vsftpd 里确认 disable=YES
如果改为 NO 再配合 vsftpd.conf里的 listen=YES vsftpd就可以单用户模式启动。
会出现的错误:
500 OOPS: could not bind listening IPv4 socket
1:xinetd 已经启动了,而VSFTPD设置成了单用户模式所以要先停掉xinetd的服务。
service xinetd stop 然后 /usr/local/sbin/vsftpd /etc/vsftpd &
2: vsftpd.conf里的监听端口错误,默认应该为21,如果该成其他的,如
listen_port=2121 登陆ftp就应该为 ftp 127.0.0.1 2121。
用tar命令安装初始安装步骤总结一下。
1.下vsftpd-2.0.5.tar.gz
2.卸载原有的rpm的vsftpd
rpm -e vsftpd
3.tar xvzf vsftpd-2.0.5.tar.gz
4.cd vsftpd-2.0.5
5.maka
6.useradd nobody
7.mkdir /usr/share/empty
8.mkdir /var/ftp
9.useradd -d /var/ftp ftp
10.chown root.root /var/ftp
11.chmod og-w /var/ftp
12. make install
13.vi /etc/xinetd.d/vsftpd
把disable=yes改成no,保存退出。然后service xinetd restart,OK!新装的vsftp已经可以工
作了!
####### 配置文件#########
以下是我配置文档里面的内容
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES #允许匿名登录
#
# Uncomment this to allow local users to log in.
local_enable=YES #允许本地用户登录
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES #允许任何形式的FTP写命令
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022 #默认本地用户的umask是077,你可能想改成022,如果你的用户期盼那样
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES #允许匿名用户上传文件
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES #允许匿名ftp用户有建立目录的权限
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES #远程用户登录某个特定目录时显示的信息
#
# Activate logging of uploads/downloads.
xferlog_enable=YES #激活记录上传/下载活动
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES #确定传输联接端口从20开始
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log #你可以随意指定log记录文件的位置和名字.下面的是默认的
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600 ##你可以设定默认的空闲超时时间
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120 ##你可以设定默认的数据连接超时时间
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES #可能会将一些老ftp客户端的请求拒之门外
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#你可以用一个列表限定哪些本地用户只能在自己目录下活动.如果chroot_local_user=YES,那么这个列表里指定的用户是不受限制的
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
#指定在自己目录活动的用户
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
|
|
简体中文
英语
日语
韩语
法语
西班牙语
越南语
泰语
阿拉伯语
俄语
葡萄牙语
德语
意大利语
希腊语
荷兰语
波兰语
保加利亚语
爱沙尼亚语
丹麦语
芬兰语
捷克语
罗马尼亚语
斯洛文尼亚语
瑞典语
匈牙利语
繁体中文
文言文
[复制链接]
发表于 2010-4-9 17:59:55
置顶卡
喧嚣卡
变色卡
千斤顶
发表于 2010-4-21 08:09:51
