Shulou(Shulou.com)06/01 Report--

Editor to share with you the FTP software VSFTP configuration file example analysis, I believe that most people do not know much about it, so share this article for your reference, I hope you will learn a lot after reading this article, let's go to know it!

Vsftpd.conf is the configuration file of vsftpd, which is used to control the functions of vsftpd. By default, its location is / etc/vsftpd.conf or / etc/vsftpd/vsftpd.conf.

However, you can also specify to another directory by modifying the configuration line. This is useful because you may want to use some advanced inetd features, such as xinetd, to invoke different configuration files on a machine with multiple virtual hosts.

Format

The format of vsftpd.conf is very simple, with each line either a comment or an instruction. The comment line starts with # and is ignored. The format of the instruction line is as follows:

Configuration item = parameter valu

It is important that there are no spaces in this format.

By default, each configuration item occupies an edit line in the configuration file and can be modified.

Boolean option

The Boolean option for the parameter value can be: YES or NO

Allow_anon_ssl

This can only be enabled if ss1_enable is activated. If set to YES, anonymous users will allow secure SSL connections to the server.

Default value: NO

Anon_mkdir_write_enable

If set to YES, anonymous users will allow new directories to be created in the specified environment. For this to take effect, the configuration write_enable must be activated and anonymous users must have write permission in their parent directory.

Default value: NO

Anon_other_write_enable

If set to YES, anonymous users are granted greater write permissions, such as deletion and renaming. This is generally not recommended unless you want to fully authorize it. You can also cooperate with cmds_allowed to achieve control, so that you can achieve the function of file continuation.

Default value: NO

Anon_upload_enable

If set to YES, anonymous users are allowed to upload files in the specified environment. If this is to take effect, the configuration write_enable must be activated. And anonymous users must have write permission in the relevant directory.

Default value: NO

Anon_world_readable_only

When enabled, anonymous users are only allowed to download fully readable files, which allows ftp users to have ownership of the files, especially in the case of uploads.

Default value: YES

Anonymous_enable

Controls whether anonymous users are allowed to log in. If allowed, both "ftp" and "anonymous" will be treated as "anonymous" and will be allowed to log in.

Default value: YES

Ascii_download_enable

When enabled, the user will transfer the file in ASCII mode when downloading.

Default value: NO

Ascii_upload_enable

When enabled, the user will transfer the file in ASCII mode when uploading.

Default value: NO

Async_abor_enable

When enabled, a special FTP command "async ABOR" will be allowed. Only abnormal FTP clients need to use this. Moreover, this feature is difficult to operate, so

The default is to turn it off. However, some clients hang up when they cancel a transfer, so you have to enable this feature to avoid this situation.

Default value: NO

Background

When enabled, and VSFTPD is started in "listen" mode (note: standalone mode), VSFTPD will put the listening process in the background. However, when you access VSFTPD, the console is immediately returned to SHELL.

Default value: NO

Check_shell

Note: this option is only valid for VSFTPD with non-PAM structures. If turned off, VSFTPD will not check / etc/shells to determine if a locally logged-in user has an available SHELL.

Default value: YES

Chmod_enable

When enabled, the SITE CHMOD command is allowed. Note that this can only be used for local users. Anonymous users must never use SITE CHMOD.

Default value: YES

Chown_uploads

If enabled, the owner of the file uploaded by an anonymous user will become the user specified in chown_username. This is useful for managing FTP and may also be good for security.

Default value: NO

Chroot_list_enable

If activated, you need to provide a list of users, and the users in the table will be placed in their home directory and locked under the virtual root after logging in. (note: after entering FTP, PWD, you can see that the current directory is "/", which is the virtual root. Is the root of the FTP, not the root of the FTP server system. If chroot_local_user is set to YES, its meaning will change a little.

In this case, the users in this list will not be locked under the virtual root.

By default, the list file is / etc/vsftpd.chroot_list, but you can also change the default value by modifying chroot_list_file.

Default value: NO

Chroot_local_user

If set to YES, the local user will be locked (by default) under the virtual root and placed in his home directory after login.

Warning:

This configuration item has a sense of security, especially if the user has upload permission or can use SHELL. Under the premise that you are sure, then enable it.

Note that this security implication is not limited to VSFTPD, but is widely used in all FTP software that wants to lock users under virtual roots.

Default value: NO

Connect_from_port_20

This is used to control whether the server uses the 20 port number for data transmission. For security reasons, some customers insist on enabling. On the contrary, turning off this item will make VSFTPD more popular.

Default: NO (but in the sample configuration file, enabled, that is, YES)

Deny_email_enable

If activated, you need to provide an E-MAIL table of passwords for anonymous users (note: we all know that anonymous users use email addresses as passwords) to block anonymous users logging in with these passwords.

By default, the list file is / etc/vsftpd.banner_emails, but you can also change the default value by setting banned_email_file.

Default value: NO

Dirlist_enable

If set to NO, all list commands (such as ls) will be returned with a "permission denied" prompt.

Default value: YES

Dirmessage_enable

If enabled, users of the FTP server will display a message when they enter a new directory for the first time. By default, the .message file is found in this directory, but you can also

Change the default value by changing the message_file.

Default: NO (but it is enabled in the configuration sample file)

Download_enable

If set to NO, the download request will return "permission denied".

Default value: YES

Dual_log_enable

If enabled, the two LOG files are generated separately, and the default is / var/log/xferlog and / var/log/vsftpd.log. The former is LOG in wu-ftpd format, which can be analyzed by general tools.

The latter is VSFTPD's proprietary LOG format.

Default value: NO

Force_dot_files

If activated, even if the client does not use the "a" flag, (in FTP) to. The initial files and directories are displayed in the list of directory resources. But put "." And ".." It won't show. (note: under LINUX

The current directory and parent directory will not be'.' Or'.' Mode display).

Default value: NO

Force_local_data_ssl

It can only be enabled after ssl_enable is activated. If enabled, all non-anonymous users will be forced to log in using secure SSL to send and receive data on the data line.

Default value: YES

Force_local_logins_ssl

It can only be enabled after ssl_enable is activated. If enabled, all non-anonymous users will be forced to log in using secure SSL to send passwords.

Default value: YES

Guest_enable

If enabled, all non-anonymous users will be treated as "tourists" when they log in, and their names will be mapped to the names specified in guest_username.

Default value: NO

Hide_ids

If enabled, information for all users and groups in the directory resource list will be displayed as "ftp".

Default value: NO

Listen

If enabled, VSFTPD will run in stand-alone mode (standalone), which means that it can be started without relying on inetd or something like that. Run VSFTPD directly

Once, and then VSFTPD listens and handles connection requests on its own.

Default value: NO

Listen_ipv6

Similar to the function of the listen parameter, but with one difference, when enabled, VSFTPD listens for IPV6 sockets instead of IPV4. This setting and the listen setting are mutually exclusive.

Default value: NO

Local_enable

Used to control whether local users are allowed to log in. If enabled, the accounts of normal users in / etc/passwd will be used to log in.

Default value: NO

Log_ftp_protocol

When enabled, if xferlog_std_format is not activated, all FTP requests and feedback will be recorded. This is often used for debugging.

Default value: NO

Ls_recurse_enable

If enabled, "ls-R" will be allowed. This is to avoid a little bit of security risk. Because within a large site, using this command at the top of the directory consumes a lot of resources.

Default value: NO

No_anon_password

If enabled, VSFTPD will not ask anonymous users for passwords. Anonymous users will log in directly.

Default value: NO

No_log_lock

When enabled, VSFTPD will not lock the LOG file when it is written. This item is generally not enabled. It is useful for some workspace operating system problems, such as when Solaris / Veritas file systems coexist.

Because it sometimes looks dead (unresponsive) when trying to lock the LOG file. (note: I don't quite understand this either. Therefore, the translation may not be close to the original intention. The original text is as follows: It exists to workaround

Operating system bugs such as the Solaris / Veritas filesystem combination

Which has been observed to sometimes exhibit hangs trying to lock log files.)

Default value: NO

One_process_model

If your LINUX core is 2.4, you may be able to use a different security mode, that is, only one process is used for a connection. It's just a gimmick, but it can improve the performance of FTP. Please make sure you need it before you enable it, and please also make sure your

Whether there will be a large number of people visiting the site at the same time.

Default value: NO

Passwd_chroot_enable (Note: this paragraph is speechless.)

If enabled, along with

.BR chroot_local_user

, then a chroot () jail location may be specified on a per-user basis. Each

User's jail is derived from their home directory string in / etc/passwd. The

Occurrence of /. / in the home directory string denotes that the jail is at that

Particular location in the path.

Default value: NO

Pasv_enable

If you don't want to get a data connection passively, please set it to NO.

Default value: YES

Pasv_promiscuous

If you want to turn off the passive mode security check, which ensures that the data connection originates from the same IP address, set it to YES. Use it only if you know what you are doing. )

Reasonable usage is in some secure tunnel configuration environment, or when FXP is better supported (only enabled).

Default value: NO

Port_enable

If you want to close the data connection through the port, please close it.

Default value: YES

Port_promiscuous

If you want to turn off the port security check (which ensures that the external (outgoing) data line only goes to the client), turn it off. Do it after confirmation!

Default value: NO

Run_as_launching_user

If you want a user to start VSFTPD, you can set it to YES. It is useful when the ROOT user cannot start VSFTPD. (note: it should not be said that the ROOT user does not have permission to start VSFTPD.

It is because of something else, such as security restrictions, that you cannot start VSFTPD directly as ROOT). Strong warning! Do not enable this item unless you know exactly what you are doing. Initiating this item at will will result in

Very serious security issues, especially when VSFTPD does not or cannot use virtual root technology to restrict file access (or even VSFTPD is started by ROOT). A stupid alternative is to enable deny_file and set it to {/ *, *.. *}, etc.

However, its reliability can not be compared with virtual roots, nor can it be relied upon.

If this is enabled, restrictions on other configuration items will also take effect. For example, non-anonymous login requests, transfer of ownership of uploaded files, ports 20 for connections and listening ports less than 1024 will not work. Other configuration items may also be affected.

Default value: NO

Secure_email_list_enable

Enable it if you want to accept only anonymous users who log in at the specified E-MAIL address. This is generally used to access resources with lower security levels with lower security restrictions when it is not necessary to use virtual users. If it is enabled, anonymous users unless

Use the E-MAIL specified in email_password_file as the password, otherwise you cannot log in. The format of this file is one password line, and there are no extra spaces. (note: whitespace, translated into spaces, I don't know if it's correct.)

The default file name is: / etc/vsftpd.email_passwords.

Default value: NO

Session_support

This will configure whether to let VSFTPD try to manage the login session. If VSFTPD manages the session, it tries and updates utmp and wtmp. It also opens a pam session (pam_session) and does not close it until LOGOUT, if PAM is used for authentication.

If you don't need session logging, or if you want VSFTPD to run fewer processes, or make it more popular, you can turn it off.

Note: utmp and wtmp are supported only in environments with PAM.

Default value: NO

Setproctitle_enable

If enabled, VSFTPD displays session state information in the list of system processes. In other words, the process name will become the action currently being performed by the VSFTPD session (wait, download, etc.). For security purposes, you can turn this off.

Default value: NO

Ssl_enable

If enabled, vsftpd enables openSSL to support secure connections through SSL. This setting is used to control connections (including login) and data lines. At the same time, your client should also support SSL.

Note: carefully enabling this .VSFTPD does not guarantee the security of the OpenSSL library. To enable this, you must make sure that the OpenSSL library you installed is secure.

Default value: NO

Ssl_sslv2

You need to activate ssl_enable to enable it. If enabled, connections to the SSL V2 protocol will be allowed. TLS V1 connections will be preferred.

Default value: NO

Ssl_sslv3

You need to activate ssl_enable to enable it. If enabled, connections to the SSL V3 protocol will be allowed. TLS V1 connections will be preferred.

Default value: NO

Ssl_tlsv1

You need to activate ssl_enable to enable it. If enabled, connections to the TLS V1 protocol will be allowed. TLS V1 connections will be preferred.

Default value: YES

Syslog_enable

If enabled, the log tool that the system log will output to / var/log/vsftpd.log.FTPD instead of vsftpd's log will not work.

Default value: NO

Tcp_wrappers

If enabled, vsftpd will be supported by tcp_wrappers. Incoming (incoming) connections will be fed back by tcp_wrappers access control. If tcp_wrappers is set

VSFTPD_LOAD_CONF environment variable, then vsftpd will attempt to call the configuration specified by this variable.

Default value: NO

Text_userdb_names

By default, the numeric ID is displayed in the user and group area in the file list. You can edit this parameter to change it to text using numeric ID. To ensure FTP performance, default

In this case, this item is turned off.

Default value: NO

Tilde_user_enable

If enabled, vsftpd will attempt to resolve a pathname similar to ~ chris/pics (a "~" (tilde) followed by a user name). Note that vsftpd sometimes parses the pathnames "~" and "~ /" all the time (in this case, ~ is resolved to the internal login directory).

~ the user path (~ user paths) is parsed only when the / etc/passwd file is found under the current virtual root.

Default value: NO

Use_localtime

If enabled, vsftpd displays your local time when displaying a list of directory resources. The default is to display GMT (Greenwich mean time). Displaying the time through the MDTM FTP command will also be affected by this setting.

Default value: NO

Use_sendfile

An internal setting to test the benefits of using sendfile () system calls on your platform (benefit).

Default: YES

Userlist_deny

This setting can be verified after userlist_enable is activated. If you set it to NO, only users explicitly listed in userlist_file can log in.

If the login is denied, the user will be rejected by the system before being asked for a password.

Default value: YES

Userlist_enable

If enabled, vsftpd will read the user list in userlist_file. If users try to log in with the user name in the file, they will be rejected by the system before they are asked for their password.

This will prevent plaintext passwords from being sent. See userlist_deny.

Default value: NO

Virtual_use_local_privs

If enabled, the virtual user will have the same permissions as the local user. By default, virtual users have the same permissions as anonymous users, who tend to have more restrictions (especially write permissions).

Default value: NO

Write_enable

This determines whether some FTP commands are allowed to change the file system. These commands are STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

Default value: NO

Xferlog_enable

If enabled, an log file will record the upload and download information in detail. By default, this file is / var/log/vsftpd.log, but you can also specify its default location by changing vsftpd_log_file.

Default: NO (but this is enabled in the sample configuration file)

Xferlog_std_format

If enabled, the log file will be written in the standard xferlog format (the format used by wu-ftpd) so that you can use existing statistical analysis tools for analysis. But the default format is more readable. By default, the log file is in / var/log/xferlog.

However, you can specify a new path by modifying the xferlog_file.

Default value: NO

Numeric option

The following are the digital configuration items. These items must be set to non-negative integers. To facilitate umask settings, octal numbers are allowed to be entered, in which case the number must start with 0.

Accept_timeout

Timeout, in seconds, sets the maximum time for a remote user to attempt to establish a connection when establishing a connection passively.

Default value: 60

Anon_max_rate

For anonymous users, set the maximum allowable transfer rate in bytes per second.

Default value: 0 (unlimited)

Anon_umask

Set permissions for files created by anonymous users. Note: if you want to enter an octal value, the 0 is different from the decimal 0.

Default value: 077

Connect_timeout

Time out. Unit: seconds. Is the maximum time that a remote user must respond to an PORT type data connection.

Default value: 60

Data_connection_timeout

Timeout, in seconds. Sets the maximum time for data transmission delay. When the time is up, the remote user will be disconnected.

Default value: 300

File_open_mode

Set permissions for uploaded files. If the file you want to upload can be executed, the umask should be changed to 0777.

Default value: 0666

Ftp_data_port

Set the connection port in PORT mode (as long as connect_from_port_20 is activated).

Default value: 20

Idle_session_timeout

Time out. Unit: seconds. Sets the maximum time a remote client can take between entering FTP commands. When the time is up, the remote customer will be disconnected.

Default value: 300

Listen_port

If vsftpd is in stand-alone mode, this port setting will listen for FTP connection requests.

Default value: 21

Local_max_rate

Set the maximum transmission speed for local authenticated users, in bytes per second.

Default value: 0 (unlimited)

Local_umask

Set permissions for files created by local users. Note: if you want to enter an octal value, the 0 is different from the decimal 0.

Default value: 077

Max_clients

If vsftpd is running in stand-alone mode, the maximum number of clients allowed to connect is set here. Later, the client will get an error message.

Default value: 0 (unlimited)

Max_per_ip

If vsftpd is running in stand-alone mode, the maximum access client that allows one IP address is set here. If the maximum limit is exceeded, you will get an error message.

Default value: 0 (unlimited)

Pasv_max_port

Specifies the maximum port assigned to the passive mode data connection. Can be used to specify a smaller scope to match the firewall.

Default value: 0 (use any port)

Pasv_min_port

Specifies the minimum port assigned to a passive mode data connection. Can be used to specify a smaller scope to match the firewall.

Default value: 0 (use any port)

Trans_chunk_size

You don't usually need to change this setting. But you can also try to change to, for example, 8192 to reduce the impact of bandwidth restrictions.

Default value: 0 (let vsftpd choose)

STRING configuration item

The following are the STRING configuration items

Anon_root

Set up a directory that vsftpd will try to enter after anonymous users log in. Skip it if you fail.

Default value: none

Banned_email_file

After deny_email_enable starts, anonymous users who log in with the E-MAIL password specified in this file will be denied.

Default value: / etc/vsftpd.banned_emails

Banner_file

Set a text to display the text content after the user logs in. If you set ftpd_banner,ftpd_banner, it will not work.

Default value: none

Chown_username

Change the owner of files uploaded by anonymous users. Chown_uploads needs to be set.

Default value: ROOT

Chroot_list_file

This item provides a list of local users, and the users in the table will be placed under the virtual root and locked in the home directory after logging in. This requires the chroot_list_enable item to be enabled.

If the chroot_local_user item is enabled, the list becomes a list of users who do not lock the users in the list under the virtual root.

Default value: / etc/vsftpd.chroot_list

Cmds_allowed

Specify the available FTP commands (post login. Com) separated by commas. USER, PASS and QUIT is always available).

Other commands will be blocked. This is a powerful means of locking down a FTP server. For example: cmds_allowed=PASV,RETR,QUIT (only files can be retrieved)

Cmds_allowed=ABOR,APPE,CWD,CDUP,FEAT,LIST,MKD,MDTM,PASS,PASV,PWD,QUIT,RETR,REST

STOR,STRU,TYPE,USER (commands for resuming upload and downloading breakpoints are supported).

Detailed reference: http://www.nsftools.com/tips/RawFTP.htm

Default value: none

Deny_file

This can set a file name or directory name style to prevent access to them under any circumstances. Instead of hiding them, it rejects any attempt to do something about them (download, change the directory layer

And other influential operations). This setting is simple and will not be used for strict access control-file system permissions will take precedence. However, this setting is useful for determining virtual user settings.

In particular, if a file can be accessed by multiple user names (perhaps through a soft connection or a hard connection), all access names should be denied.

It is recommended that you set some important security policies for using file system permissions to achieve higher security. Such as deny_file= {* .mp3,*.mov,.private}

Default value: none

Dsa_cert_file

This setting specifies the location of the DSA certificate for SSL encrypted connections.

Default value: none (one RSA certificate is sufficient)

Email_password_file

After secure_email_list_enable is set, this setting can be used to provide an alternate file.

Default value: / etc/vsftpd.email_passwords

Ftp_username

This is the user name used to control anonymous FTP. The user's home directory is the root of the anonymous FTP area.

Default value: ftp

Ftpd_banner

There will be a welcome interface when a connection is accessed for the first time.

Default: none (the default interface will be displayed)

Guest_username

See related settings guest_enable. This setting sets the name that visitors will be mapped when they enter.

Default: ftp

Hide_file

Set a file name or directory name list, and the resources in this list will be hidden, regardless of whether there are hidden attributes or not. But if the user knows it exists,

Will be able to have full access to it. Resources in hide_file and resources that conform to the regular expressions specified by hide_file will be hidden. Vsftpd's

Regular expressions are simple, such as hide_file= {* .mp3, .hidden, hide*,h?}

Default value: none

Listen_address

If vsftpd is running in stand-alone mode, the default listening address of the local interface will be replaced by this setting.

A digital address is required.

Default value: none

Listen_address6

If vsftpd is running in stand-alone mode, specify a listening address for IPV6 (if listen_ipv6 is enabled).

An address in IPV6 format is required.

Default value: none

Local_root

After setting up a local (non-anonymous) user to log in, vsftpd tries to get him into a directory. If it fails, skip it.

Default value: none

Message_file

When entering a new directory, the file is looked up and the contents of the file are displayed to the remote user. Dirmessage_enable needs to be enabled.

Default value: .message

Nopriv_user

This is the name of vsftpd as a completely unprivileged user. This is a dedicated user, even more than nobody. User nobody is often used to do important things on some machines.

Default value: nobody

Pam_service_name

Set the name of the PAM service that vsftpd will use.

Default value: ftp

Pasv_address

When using the PASV command, vsftpd uses this address for feedback. A digital IP address is required.

Default value: none (the address will be taken from the socket of the incoming connection)

Rsa_cert_file

This setting specifies the location of the RSA certificate required for the SSL encrypted connection.

Default value: / usr/share/ssl/certs/vsftpd.pem

Secure_chroot_dir

This setting specifies an empty directory that does not allow ftp user to write. Directories are used by secure virtual roots when vsftpd does not want the file system to be accessed.

Default value: / usr/share/empty

Ssl_ciphers

This setting selects the SSL password used by vsftpd for encrypted SSL connections. See ciphers for more information.

Default value: DES-CBC3-SHA

User_config_dir

This powerful setting allows you to override some of the configuration items specified in the man page (based on individual users). The usage is very simple, it is best to combine with examples. If you put user_config_dir

Change to / etc/vsftpd_user_conf, then log in as chris and vsftpd will invoke the configuration file / etc/vsftpd_user_conf/chris.

Default value: none

User_sub_token

This setting will create a home directory for each virtual user based on a template. For example, if the real user's home directory is specified as / home/virtual/$USER via guest_username

And user_sub_token is set to $USER, then the virtual user fred will be locked under / home/virtual/fred after logging in.

Default value: none

Userlist_file

When userlist_enable is activated, the system will go here to call the file.

Default value: / etc/vsftpd.user_list

Vsftpd_log_file

This takes effect only if xferlog_enable is set and xferlog_std_format is not set. This is the name of the generated log file in vsftpd format.

Dual_log_enable and this setting cannot be enabled at the same time. If you enable syslog_enable, then this file will not be generated, but only a system log.

Default value: / var/log/vsftpd.log

Xferlog_file

This setting sets the file name of the generated log in wu-ftpd format. It will not take effect until xferlog_enable and xferlog_std_format are enabled.

However, it cannot be enabled at the same time as dual_log_enable.

Default value: / var/log/xferlog

= =

The meaning of FTP Digital Code

110 restart tag reply.

How long will the service be ready?

125 data link port is open, ready for transmission.

150 file status is normal, open the data connection port.

The 200 command was executed successfully.

202 command execution failed.

211 system status or system request response.

The status of the 212 directory.

The status of the 213 file.

214 message for help.

215 name system type.

The new online service ready.

221 the control port of the service is closed and can be logged out.

225 data link is on, but there is no transmission action.

226 the data connection port was closed and the requested file operation was successful.

Enter passive mode.

230 users log in.

250 the requested file operation is complete.

257 displays the current path name.

331 the user name is correct and a password is required.

332 account information is required when logging in.

350 the requested operation requires a further command.

421 unable to provide service, close the control link.

425 unable to open the data link.

426 shut down the online and terminate the transmission.

450 the requested operation was not performed.

451 command termination: there is a local error.

452 Command not executed: insufficient disk space.

The 500 format is incorrect and the command is not recognized.

501 parameter syntax error.

502 command execution failed.

503 commands in the wrong order.

The 504 command received incorrect parameters.

530 did not log in.

532 account login is required to store documents.

550 the requested operation was not performed.

551 the requested command is terminated with an unknown type.

552 the requested file terminates and the storage bit overflows.

553 the requested command was not executed and the name is incorrect.

The above is all the contents of the article "sample Analysis of FTP Software VSFTP configuration File". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.