
Detailed explanation of vsftp server configuration file

2025-10-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

1. Default configuration:

1 > Allow anonymous and local users to log in.

anonymous_enable=YES

local_enable=YES

2 > The login name used by anonymous users is ftp or anonymous, and the password is empty. Anonymous users cannot leave the anonymous home directory /var/ftp and can only download, not upload.

3 > The login name of a local user is the local user name, and the password is that user's system password. Local users can read and write in their own home directory. They can also leave their home directory and switch to any other directory they have permission to access, and upload or download there if permissions allow.

write_enable=YES

4 > Local users listed in the file /etc/vsftpd.ftpusers are prohibited from logging in.

2. Anonymous user (anonymous) settings

anonymous_enable=YES/NO (YES)

Controls whether anonymous users are allowed to log in. YES allows anonymous login and NO disallows it. The default is YES.

write_enable=YES/NO (YES)

Whether logged-in users are allowed write permission. It is a global setting, and the default value is YES.

no_anon_password=YES/NO (NO)

If enabled, anonymous logins are not asked for a password. The default is NO.

ftp_username=ftp

Defines the user name used for anonymous login. The default is ftp.

anon_root=/var/ftp

The directory an anonymous login lands in. The default is /var/ftp. Note that this directory must not have permission mode 777, that is, the home directory of the anonymous user cannot be world-writable (777).

anon_upload_enable=YES/NO (NO)

If set to YES, anonymous logins are allowed to upload files (not directories); this is effective only when write_enable=YES. Of course, the anonymous user must also have write permission on the target directory. The default is NO.

anon_world_readable_only=YES/NO (YES)

If set to YES, anonymous logins are allowed to download only world-readable files (they can be downloaded to the local machine but not opened directly on the FTP server). The default is YES.

anon_mkdir_write_enable=YES/NO (NO)

If set to YES, anonymous logins are allowed to create directories; this is effective only when write_enable=YES. Of course, the anonymous user must also have write permission on the parent directory. The default is NO.

anon_other_write_enable=YES/NO (NO)

If set to YES, anonymous logins are granted write permissions beyond uploading and creating directories, such as deleting or renaming. (If anon_upload_enable=NO, anonymous users cannot upload files but can still delete or rename existing files; if anon_mkdir_write_enable=NO, anonymous users cannot create new folders but can still delete or rename existing folders.) The default value is NO.

chown_uploads=YES/NO (NO)

Sets whether to change the owner of files (not directories) uploaded by anonymous users. The default is NO.

chown_username=username

Sets the owner name given to files (not directories) uploaded by anonymous users. It is not recommended to set it to root.

anon_umask=077

Sets the umask value applied when anonymous logins create or upload files. With the default value of 077, the corresponding permission for a new file is 700.

deny_email_enable=YES/NO (NO)

To enable this feature, you must provide the file /etc/vsftpd/banner_emails containing email addresses. When logging in anonymously, the user is asked to enter an email address; if the entered address is in this file, login is refused. The default is NO.

banned_email_file=/etc/vsftpd/banner_emails

The file of email addresses to ban; it is used only when deny_email_enable=YES. When logging in anonymously, the user is asked to enter an email address; if the entered address is in this file, login is refused.
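As an added example that is not part of the original article, the following shell script reads a vsftpd.conf and reports the anonymous-access combinations this section warns about (anonymous write options, no password prompt, uploads owned by root, a 777 anon_root). The function names and the sample configuration are constructed for the example; the root default for chown_username is vsftpd's documented default, not a value from the article.

```shell
#!/bin/sh
# Added example, not from the original article: reports the anonymous-access
# settings this section warns about, read from a vsftpd.conf. Defaults follow
# the article (anonymous_enable=YES, write_enable=YES, the anon_* write options
# NO); chown_username defaults to root, as in vsftpd's own documentation.
# Assumes POSIX sh plus sed and GNU stat (for the anon_root mode check).

# Read a key's value from the config; fall back to the given default if absent.
conf_get() {                       # conf_get <conf> <key> <default>
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Prints one finding per line; prints nothing when anonymous login is off.
vsftpd_anon_findings() {           # vsftpd_anon_findings <conf>
    c=$1
    if [ "$(conf_get "$c" anonymous_enable YES)" != YES ]; then return 0; fi
    echo "anonymous login is enabled (anonymous_enable=YES)"
    if [ "$(conf_get "$c" write_enable YES)" = YES ]; then    # anon_* only matter with write_enable=YES
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_get "$c" "$k" NO)" = YES ]; then echo "anonymous write path open: $k=YES"; fi
        done
    fi
    if [ "$(conf_get "$c" no_anon_password NO)" = YES ]; then
        echo "anonymous logins are not prompted for a password (no_anon_password=YES)"
    fi
    if [ "$(conf_get "$c" chown_uploads NO)" = YES ] && [ "$(conf_get "$c" chown_username root)" = root ]; then
        echo "anonymous uploads would become owned by root (chown_uploads=YES, chown_username=root)"
    fi
    root=$(conf_get "$c" anon_root /var/ftp)                   # must not be mode 777
    if [ -d "$root" ] && [ "$(stat -c %a "$root")" = 777 ]; then echo "anon_root $root is mode 777"; fi
    return 0
}

# Constructed sample config (not a real server's): anonymous upload left open.
sample=$(mktemp)
printf 'anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nchown_uploads=YES\n' > "$sample"
vsftpd_anon_findings "$sample"
rm -f "$sample"
```

Run it against a real configuration with vsftpd_anon_findings /etc/vsftpd/vsftpd.conf; an empty result means anonymous access is either off or download-only.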

3. Local user settings

local_enable=YES/NO (YES)

Controls whether local users are allowed to log in. YES allows local users to log in, NO disallows it. The default is YES.

local_root=/home/username

When a local user logs in, the session is changed to the directory defined here. The default is each user's own home directory.

write_enable=YES/NO (YES)

Whether logged-in users are allowed write permission. It is a global setting, and the default value is YES.

local_umask=022

The umask value applied when a local user creates files. The default value is 077.

file_open_mode=0755

The permissions given to files uploaded by local users, in the same form used by chmod. The default value is 0666.

4. Welcome message settings

dirmessage_enable=YES/NO (YES)

If this option is enabled, the first time a user enters a directory vsftpd checks whether the directory contains a .message file; if so, the contents of that file are shown, usually a welcome message or a description of the directory. The default is on.

message_file=.message

Sets the name of the directory message file, which can hold the information to be displayed. The default value is .message.

banner_file=/etc/vsftpd/banner

When a user logs in, the contents of the file named here are displayed, usually a welcome message or description. The default is none. If you have a longer welcome message, use this configuration item.

ftpd_banner=Welcome to BOB's FTP server

The string given here defines the welcome message: banner_file takes the message from a file, while ftpd_banner takes it as a string. The default is none.

5. Controlling whether users may switch to the parent directory

In the default configuration, local users can use the cd command to change to other directories after logging in to FTP, which brings security risks to the system. Users can be restricted from switching directories through the following three configuration items.

chroot_list_enable=YES/NO (NO)

Sets whether to enable the user list file specified by the chroot_list_file configuration item. The default is NO.

chroot_list_file=/etc/vsftpd.chroot_list

Lets you specify a user list file that controls which users can switch to the parent directory of their home directory.

chroot_local_user=YES/NO (NO)

Lets you specify whether users in the user list file are allowed to switch to the parent directory. The default is NO.

The following effects can be achieved by combining them:

① When chroot_list_enable=YES and chroot_local_user=YES, users listed in the /etc/vsftpd.chroot_list file can change to other directories; users not listed in the file cannot.

② When chroot_list_enable=YES and chroot_local_user=NO, users listed in the /etc/vsftpd.chroot_list file cannot change to other directories; users not listed in the file can.

③ When chroot_list_enable=NO and chroot_local_user=YES, no user can change to other directories.

④ When chroot_list_enable=NO and chroot_local_user=NO, all users can change to other directories.

6. Data transfer mode settings

When FTP transmits data, it can use binary mode or ASCII mode to upload or download data.

ascii_upload_enable=YES/NO (NO)

Sets whether to enable ASCII mode for uploads. The default is NO.

ascii_download_enable=YES/NO (NO)

Sets whether to enable ASCII mode for downloads. The default is NO.

7. Access control settings

There are two control modes: one controls host access and the other controls user access.

① Controlling host access:

tcp_wrappers=YES/NO (YES)

Sets whether vsftpd is combined with TCP wrappers for host access control. The default is YES. If enabled, the vsftpd server checks the settings in /etc/hosts.allow and /etc/hosts.deny to determine whether the host requesting the connection is allowed to access the FTP server. These two files can act as a simple firewall.

For example, to allow only hosts in 192.168.0.1-192.168.0.254 to connect to the FTP server, add the following to the /etc/hosts.allow file:

vsftpd: 192.168.0. : allow

ALL: ALL : deny

② Controlling user access:

Access control for users can be achieved through the vsftpd.user_list and ftpusers files in the /etc directory.

userlist_file=/etc/vsftpd.user_list

A file that controls user access to FTP, containing user names, one per line.

userlist_enable=YES/NO (NO)

Whether to enable the vsftpd.user_list file.

userlist_deny=YES/NO (YES)

Determines whether the users in the vsftpd.user_list file may access the FTP server. If set to YES, users in vsftpd.user_list are not allowed to access FTP; if set to NO, only users in vsftpd.user_list may access FTP.

The /etc/vsftpd/ftpusers file is specifically used to define the list of users who are not allowed to access the FTP server. (Note: if userlist_enable=YES and userlist_deny=NO, and a user appears in both vsftpd.user_list and ftpusers, that user cannot access FTP; that is, ftpusers has the higher priority.) By default, vsftpd.user_list and ftpusers are preset with the internal system accounts that are not allowed to access the FTP server. If the system does not have these two files, create them and add users to them.
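The user-list rules above and the four chroot combinations in section 5, as an added example that is not from the original article: a shell script that reads a vsftpd.conf and, for a given user, prints the login decision and whether the user is confined to the home directory. The function names, file paths and sample user lists are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: given a vsftpd.conf, decide whether a
# local user may log in (userlist_enable / userlist_deny / ftpusers, ftpusers winning as
# noted above) and whether the user is confined to the home directory (the four chroot
# combinations in section 5). Assumes POSIX sh plus sed, grep and mktemp.

# Read a key's value from the config; fall back to the given default if the key is absent.
conf_get() {                       # conf_get <conf> <key> <default>
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# True if <user> appears (one name per line) in <file>; a missing file lists nobody.
in_list() { [ -f "$2" ] && grep -qx "$1" "$2"; }

# Prints ALLOW or DENY.   vsftpd_login_allowed <conf> <user> <ftpusers_file>
vsftpd_login_allowed() {
    if in_list "$2" "$3"; then echo DENY; return 0; fi              # ftpusers has priority
    if [ "$(conf_get "$1" userlist_enable NO)" != YES ]; then echo ALLOW; return 0; fi
    deny=$(conf_get "$1" userlist_deny YES)
    if in_list "$2" "$(conf_get "$1" userlist_file /etc/vsftpd.user_list)"; then
        if [ "$deny" = YES ]; then echo DENY; else echo ALLOW; fi   # listed user
    else
        if [ "$deny" = YES ]; then echo ALLOW; else echo DENY; fi   # unlisted user
    fi
}

# Prints CONFINED (cannot leave home) or FREE.   vsftpd_chrooted <conf> <user>
vsftpd_chrooted() {
    all=$(conf_get "$1" chroot_local_user NO)
    if [ "$(conf_get "$1" chroot_list_enable NO)" != YES ]; then    # combinations 3 and 4
        if [ "$all" = YES ]; then echo CONFINED; else echo FREE; fi; return 0
    fi
    if in_list "$2" "$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)"; then
        if [ "$all" = YES ]; then echo FREE; else echo CONFINED; fi # listed: combinations 1 and 2
    else
        if [ "$all" = YES ]; then echo CONFINED; else echo FREE; fi # unlisted
    fi
}

# Constructed sample files (not a real server's) so the script runs stand-alone.
d=$(mktemp -d)
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' "$d" > "$d/vsftpd.conf"
printf 'userlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s/user_list\n' "$d" >> "$d/vsftpd.conf"
printf 'alice\nbob\n' > "$d/user_list"; printf 'bob\n' > "$d/ftpusers"; printf 'alice\n' > "$d/chroot_list"
for u in alice bob carol; do
    echo "$u: login=$(vsftpd_login_allowed "$d/vsftpd.conf" "$u" "$d/ftpusers") chroot=$(vsftpd_chrooted "$d/vsftpd.conf" "$u")"
done
rm -rf "$d"
```

With the sample files, alice is allowed in and may leave her home directory, bob is refused by ftpusers even though he is in user_list, and carol is refused because userlist_deny=NO admits only listed users.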

8. Access rate settings

anon_max_rate=0

Sets the maximum transfer speed for anonymous logins; 0 means there is no speed limit. The default value is 0.

local_max_rate=0

Sets the maximum transfer speed for local users; 0 means there is no speed limit. The default value is 0.

9. Timeout settings

accept_timeout=60

Sets the timeout, in seconds, for establishing an FTP connection. The default value is 60.

connect_timeout=60

The timeout, in seconds, for establishing a data connection in PORT mode. The default value is 60.

data_connection_timeout=120

Sets the timeout, in seconds, for an FTP data connection. The default value is 120.

idle_session_timeout=300

Sets how long, in seconds, a session may remain idle with no command from the client before the FTP connection is closed. The default value is 300.

10. Log file settings

xferlog_enable=YES/NO (YES)

Whether to enable upload/download logging. If enabled, upload and download activity is fully recorded in the file defined by xferlog_file. It is on by default.

xferlog_file=/var/log/vsftpd.log

Sets the log file name and path. The default value is /var/log/vsftpd.log.

xferlog_std_format=YES/NO (NO)

If enabled, the log file is written in the standard xferlog format, as used by wu-ftpd. The default value is off.

log_ftp_protocol=YES/NO (NO)

If this option is enabled, all FTP requests and responses are logged; the default log file is /var/log/vsftpd.log. xferlog_std_format cannot be active when this option is enabled. This option is useful for debugging. The default is NO.

11. Defining user profiles

In vsftpd, you can define per-user profiles so that different users use different configurations.

user_config_dir=/etc/vsftpd/userconf

Sets the directory where the user profiles are located. When this item is set, after a user logs in the server looks in the /etc/vsftpd/userconf directory for a file with the same name as the current user and applies the configuration commands in that file to the current session.

For example, if user_config_dir=/etc/vsftpd/userconf is defined and the host has users test1 and test2, add two files named test1 and test2 to the user_config_dir directory. When test1 logs in, the settings in the test1 file under user_config_dir are read. The default value is none. Using user profiles, the access speed of different users can be controlled by defining local_max_rate=XX in each user's profile.

12. FTP working mode and port settings

FTP works in two modes: PORT FTP (active mode) and PASV FTP (passive mode).

listen_port=21

Sets the port on which the FTP server listens for incoming connections; the default value is 21.

connect_from_port_20=YES/NO

Specifies that FTP uses port 20 for data transfers; the default value is YES.

ftp_data_port=20

Sets the port used for FTP data connections in PORT mode. The default value is 20.

pasv_enable=YES/NO (YES)

If set to YES, PASV mode is used; if set to NO, PORT mode is used. The default value is YES, that is, PASV mode is used.

pasv_max_port=0

In PASV mode, the highest port in the range that data connections may use; 0 means any port. The default value is 0.

pasv_min_port=0

In PASV mode, the lowest port in the range that data connections may use; 0 means any port. The default value is 0.

13. Connection-related settings

listen=YES/NO (YES)

Sets whether the vsftpd server runs in standalone mode. Running in standalone mode is the better choice, and listen must then be set to YES, which is the default. Changing it is not recommended: many configuration commands related to server operation are only effective in this mode. If set to NO, vsftpd does not run as a separate service but is controlled by the xinetd service, and its functionality is limited.

max_clients=0

Sets the maximum number of connections vsftpd allows. The default value is 0, which means no limit. If set to 100, 100 simultaneous connections are allowed and any beyond that are rejected. It works only when running in standalone mode.

max_per_ip=0

Sets the number of simultaneous connections each IP address may establish with the FTP server. The default value is 0, which means no restriction. It works only when running in standalone mode.

listen_address=IP address

Makes the FTP server listen for FTP requests on the specified IP address only. If not set, all IP addresses bound to the server are listened on. It works only when running in standalone mode.

setproctitle_enable=YES/NO (NO)

Sets whether each connection to the FTP server is represented by a different process. The default value is NO, in which case ps aux | grep ftp shows only one vsftpd process. If set to YES, each connection shows its own vsftpd process.

14. Virtual user settings

Virtual users use PAM authentication.

pam_service_name=vsftpd

Sets the PAM service name used; the default value is vsftpd, which corresponds to /etc/pam.d/vsftpd.

guest_enable=YES/NO (NO)

Enables virtual users. The default is NO.

guest_username=ftp

The local user that virtual users are mapped to. The default is ftp.

virtual_use_local_privs=YES/NO (NO)

When this parameter is on (YES), virtual users have the same permissions as local users. When it is off (NO), virtual users have the same permissions as anonymous users. It is off by default (NO).

15. Other settings

text_userdb_names=YES/NO (NO)

Sets whether commands such as ls -la display numeric UIDs and GIDs or actual user and group names. The default value is NO, which displays UIDs and GIDs. To display user and group names, set it to YES.

ls_recurse_enable=YES/NO (NO)

If enabled, logged-in users may use the ls -R command (which lists the files in subdirectories of the current directory). The default is NO.

hide_ids=YES/NO (NO)

If enabled, the owner and group of every file are shown as ftp; that is, when users run commands such as ls -al, the file owners and groups they see are all ftp. The default value is off.

download_enable=YES/NO (YES)

If set to NO, no files can be downloaded; directories are not affected. The default is YES.
