
How to install vsftpd and configure multiple users in CentOS 6.9

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to install vsftpd and configure multiple users on CentOS 6.9. The steps are as follows:

I. Install vsftpd

# install vsftpd
yum -y install vsftpd
# start at boot
chkconfig vsftpd on
# check the service status
service vsftpd status
# it is stopped by default, as follows:
# vsftpd is stopped

II. Add the FTP system users

# add the group
groupadd -g 1002 vsftpd
# create the directory for the group's home directories
mkdir -p /home/vsftpd
# add the users (no login shell, see the note on /sbin/nologin below)
useradd -c "FTP User" -d /home/vsftpd/vsftpd -g vsftpd -s /sbin/nologin -u 1002 vsftpd
useradd -c "FTP User" -d /home/vsftpd/test -g vsftpd -s /sbin/nologin test
# set the password (format: passwd username): enter the password, press Enter, enter it again, press Enter
passwd vsftpd
# the second user needs a password too, otherwise it cannot log in
passwd test
# create the shared directory the users will access
mkdir -p /data/vsftpd
# change the ownership and permissions
chown vsftpd:vsftpd /data/vsftpd
chmod -R 775 /data/vsftpd

You can view the users that have just been added:

cat /etc/passwd
# the output contains the following lines:
# vsftpd:x:1002:1002:FTP User:/home/vsftpd/vsftpd:/sbin/nologin
# test:x:1003:1002:FTP User:/home/vsftpd/test:/sbin/nologin

The difference between /bin/false and /sbin/nologin

1. /bin/false does nothing except return an error status and exit immediately. If a user's shell is set to /bin/false, the user cannot log in and gets no message at all.

2. /sbin/nologin politely shows the user a message and refuses the login: This account is currently not available.

3. Some software, including some FTP server software, only lets a local (non-virtual) account use the FTP service if the account has a valid shell. In that case you can give the user /sbin/nologin: the user cannot log in to the system, but can still use some system services such as FTP. /bin/false does not allow this, which is one of the important differences between the two.

III. Modify the configuration file

# back up the original file
mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.txt
# generate a new configuration file
touch /etc/vsftpd/vsftpd.conf
# edit the configuration file
vim /etc/vsftpd/vsftpd.conf

Paste the following configuration into it:

# Example config file /etc/vsftpd/vsftpd.conf
#
## If vsftpd is in standalone mode, this is the port on which it listens for incoming FTP connections.
listen_port=21
## login directory
local_root=/data/vsftpd
## whether anonymous users are allowed to log in
anonymous_enable=NO
## allow local users to log in. Note: if virtual users are used, all virtual users are also unable to log in when this is NO
local_enable=YES
## whether write operations (upload and delete) are allowed; set to NO to forbid them. The default is YES
write_enable=YES
## use local time
# use_localtime=YES
## only valid when vsftpd runs in standalone mode. Defines the maximum number of concurrent connections to the FTP server; beyond this number the server rejects client connections. The default is 0 (unlimited).
# max_clients=5
## only valid when vsftpd runs in standalone mode. Defines the maximum number of concurrent connections per IP address; beyond this number connections are rejected. This option affects multi-threaded download tools such as Internet Express. The default is 0 (unlimited).
# max_per_ip=3
## umask for local users
local_umask=002
## whether anonymous FTP users may upload files
# anon_upload_enable=NO
## whether anonymous FTP users may create new directories
# anon_mkdir_write_enable=NO
## activate directory messages, which are shown when a remote user enters a directory
dirmessage_enable=YES
## when set to YES, both uploads and downloads are logged; the log file location is xferlog_file=/var/log/vsftpd/xferlog
xferlog_enable=YES
## chooses which log file the transfer records go to: NO writes vsftpd_log_file, YES writes xferlog_file
xferlog_std_format=YES
## set another vsftpd log file; the log directory can be set as well
vsftpd_log_file=/var/log/vsftpd/vsftpd.log
dual_log_enable=YES
xferlog_file=/var/log/vsftpd/xferlog
## PORT-style data connections originate from port 20 (as long as the poorly named connect_from_port_20 is enabled). Default: 20
connect_from_port_20=YES
## whether to change the ownership of files uploaded by anonymous users. If YES, uploaded files are owned by a different user, specified by chown_username. Defaults to NO.
# chown_uploads=YES
## the user who is given ownership of files uploaded by anonymous users
# chown_username=whoever
## timeout (in seconds) for a remote client to establish a PASV-style data connection. Default: 60
# accept_timeout=60
## timeout (in seconds) for a remote client to respond to our PORT-style data connection. Default: 60
# connect_timeout=60
## the maximum time (in seconds) a remote client may spend between FTP commands. If the timeout triggers, the remote client is kicked off. Default: 300
#idle_session_timeout=300
## timeout (in seconds) for the maximum time a data transfer may stall without progress. If the timeout triggers, the remote client is kicked off. Default: 300
#data_connection_timeout=300
## the permissions with which uploaded files are created. The umask is applied on top of this value. If you want uploaded files to be executable, change it to 0777. Default: 0666
#file_open_mode=002
## maximum data transfer rate (in bytes per second) allowed for locally authenticated users. Default: 0 (unlimited)
# local_max_rate=0
## it is recommended to define a unique user on the system that the FTP server can use as a totally isolated, unprivileged user
# nopriv_user=ftpsecure
## whether to enable asynchronous ABOR
# async_abor_enable=YES
## whether to enable ASCII mode transfers
ascii_upload_enable=YES
ascii_download_enable=YES
## custom login banner string
# ftpd_banner=Welcome to blah FTP service.
## a plain-text file shown as the welcome message when a user logs in; it can also describe the directory layout of this FTP server
# banner_file=/etc/vsftpd/welcome.txt
## a file of disallowed anonymous e-mail addresses can be specified; apparently useful for combating certain DoS attacks
# deny_email_enable=YES
# (default follows)
# banned_email_file=/etc/vsftpd/banned_emails
## lock users in their own directory: after logging in they cannot move to other directories on the system, only within their own directory (and its subdirectories)
# when chroot_local_user=YES and chroot_list_enable=YES, the users listed in chroot_list_file are NOT chrooted to their home directory
# when chroot_local_user=YES and chroot_list_enable=NO, all users are chrooted to their home directory
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
## defaults to NO, in which case users in the ftpusers file are prohibited from logging in. If set to YES, users in user_list are allowed to log in; but if userlist_deny=YES is set at the same time, users in user_list are not allowed to log in and are rejected directly, without even a password prompt
userlist_enable=YES
## defaults to YES. Sets whether users in user_list are prevented from logging in. When NO, only users in user_list may use FTP, which blocks new users; anyone who wants to use FTP must be added to the list file
userlist_deny=NO
## the list file used when userlist_enable=YES: with userlist_deny=YES the users in this file cannot log in; with userlist_deny=NO only the users in this file can log in
userlist_file=/etc/vsftpd/user_list
## when the listen directive is enabled, vsftpd runs in standalone mode and listens on IPv4 sockets. It cannot be used together with listen_ipv6
listen=YES
## this directive enables listening on IPv6 sockets. To listen on both IPv4 and IPv6 you must run two copies of vsftpd with two configuration files. Make sure one of the two listen options is commented out!
# listen_ipv6=YES
## the PAM service name used for authentication, i.e. the /etc/pam.d/vsftpd file
pam_service_name=vsftpd
## whether to enable the virtual user feature
# guest_enable=YES
## the host user for virtual users; CentOS already has a built-in ftp user
# guest_username=ftp
## maximum data transfer rate (in bytes per second) allowed for anonymous clients. Default: 0 (unlimited)
# anon_max_rate=0
## umask for files created by anonymous users. Careful! If you want an octal value, remember the "0" prefix, otherwise the value is treated as a base-10 integer! Default: 077
#anon_umask=002
## directory holding per-user configuration files for virtual users (configuration file name = virtual user name)
# user_config_dir=/etc/vsftpd/virtual_conf
## if you want to disable the PASV method of obtaining data connections, set this to NO
pasv_enable=YES
## lower and upper bounds of the port range used for PASV data connections; 0 means any port. The default is 0. Set a higher range
pasv_min_port=20000
pasv_max_port=30000
## defaults to NO. When YES, the PASV security check is disabled. That check ensures the data connection comes from the same IP address as the control connection. Enable this with care; its only reasonable use is in a setup involving secure tunnelling schemes
# pasv_promiscuous=YES
## if you do not want to use the PORT method of obtaining data connections, set this to NO
# port_enable=YES
## defaults to NO. Set to YES to disable the PORT security check, which ensures outgoing data connections can only connect to the client
# port_promiscuous=YES
## the server uses tcp_wrappers for host access control; tcp_wrappers implements host-address-based access control for network services on Linux. The hosts.allow and hosts.deny files in /etc configure it: the former records allowed access, the latter denied access. For example, to block some hosts from the FTP server 12.36.126.141, edit /etc/hosts.allow and add the two lines vsftpd:192.168.2.1:DENY and vsftpd:192.168.2.20:DENY, meaning the hosts 192.168.2.1 and 192.168.2.20 are barred from the FTP server at 12.36.126.141: they can still PING the server but cannot connect
tcp_wrappers=YES
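As an added check that is not part of the original article, the script below audits a vsftpd.conf for the settings this setup depends on (anonymous login off, chroot on, user_list used as an allow list, the promiscuous switches off, a usable PASV range) and shows the /etc/shells point behind the /sbin/nologin note: CentOS's /etc/pam.d/vsftpd uses pam_shells, which only accepts shells listed in /etc/shells. All files it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# settings this guide relies on, and show why /sbin/nologin passes the FTP
# shell check while /bin/false does not. Every file used below is constructed.

# Effective value of a key: the last uncommented "key=value" line wins.
vsftpd_get() {                       # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

vsftpd_expect() {                    # $1 = conf, $2 = key, $3 = wanted value
    actual=$(vsftpd_get "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FAIL: $2 is '${actual:-unset}', expected '$3'"; return 1
    fi
}

# Returns 0 only when the config matches the article's multi-user setup.
vsftpd_audit() {
    rc=0
    for kv in anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
              userlist_deny=NO pasv_enable=YES; do
        vsftpd_expect "$1" "${kv%=*}" "${kv#*=}" || rc=1
    done
    # The promiscuous switches turn off vsftpd's same-address data-connection checks.
    for key in pasv_promiscuous port_promiscuous; do
        if [ "$(vsftpd_get "$1" "$key")" = YES ]; then
            echo "FAIL: $key=YES disables a data-connection check"; rc=1
        fi
    done
    lo=$(vsftpd_get "$1" pasv_min_port); hi=$(vsftpd_get "$1" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -ge "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port is not a usable range"; rc=1
    fi
    return $rc
}

# pam_shells (used by /etc/pam.d/vsftpd) only accepts shells listed in /etc/shells.
shell_allowed() {                    # $1 = shells file, $2 = shell path
    grep -qx "$2" "$1"
}

# Constructed sample inputs so the script runs stand-alone.
SHELLS=$(mktemp); printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$SHELLS"
GOOD=$(mktemp); printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' \
    'chroot_local_user=YES' 'userlist_enable=YES' 'userlist_deny=NO' \
    '# pasv_promiscuous=YES' 'pasv_enable=YES' 'pasv_min_port=20000' \
    'pasv_max_port=30000' > "$GOOD"
WEAK=$(mktemp); printf '%s\n' 'anonymous_enable=YES' 'userlist_enable=YES' \
    'userlist_deny=YES' 'pasv_enable=YES' 'pasv_promiscuous=YES' > "$WEAK"
```

After writing the real file, run `vsftpd_audit /etc/vsftpd/vsftpd.conf`; every failed expectation is printed and the exit status is non-zero if any fails.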

IV. Set the FTP user information

# create the (empty) list of users that are exempt from the directory restriction
touch /etc/vsftpd/chroot_list
# add the ftp users
vim /etc/vsftpd/user_list
# comment out the users already listed there and add:
# vsftpd
# test
# create the log files
mkdir -p /var/log/vsftpd
touch /var/log/vsftpd/xferlog
touch /var/log/vsftpd/vsftpd.log

V. Open firewall ports 20000 to 30000

# check whether the firewall already allows the port range; if so, nothing to do. If not, add the rule
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT
# save it
/etc/init.d/iptables save
# or edit the rule into the file with: vim /etc/sysconfig/iptables
# if the server is on Aliyun, you also need to log in to Aliyun and add inbound rules to the security group
# restart the iptables service
service iptables restart

VI. Restart the vsftpd service

# stop the vsftpd service
service vsftpd stop
# start the vsftpd service
service vsftpd start
# restart the vsftpd service
service vsftpd restart
# check whether the ftp port is being listened on, usually port 21
netstat -lnp | grep 21

That is the whole content of this article. I hope it is helpful to your study, and I hope you will keep supporting us.
