Time: 2023-02-20 11:06:01 | Source: 建站知识
FTP file server

Earlier we studied the DHCP and DNS services; in this chapter we look at a file server together: FTP.

Install vsftp

```
[root@localhost ~]# dnf -y install vsftpd ftp
```

Enable vsftp at boot

```
[root@localhost ~]# systemctl enable vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
```

Start the vsftp service

```
[root@localhost ~]# systemctl start vsftpd
```

Verify that it is running

```
[root@localhost ~]# lsof -i :21
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vsftpd  1951 root    4u  IPv6  32837      0t0  TCP *:ftp (LISTEN)
```
The configuration file /etc/vsftpd/vsftpd.conf, with annotations:

```
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Anonymous access: YES allows it, NO denies it
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# Local user login: YES allows it, NO denies it. By default the user lands in their home directory;
# if SELinux is enabled, set the boolean ftp_home_dir to on
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Allow local users to upload
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# Uploads use umask 022, so new directories are 755 and new files are 644
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
# Enable anonymous uploads; disabled by default
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# Allow anonymous users to create files or directories
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Enable directory welcome messages; generally only visible to command-line logins
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# Enable logging of uploads and downloads
xferlog_enable=YES
#
# Use standard (active) mode
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# Declare the owner of files uploaded by anonymous users
# Allow changing the owner of files uploaded by anonymous users
#chown_uploads=YES
# The owner becomes whoever
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# Log file path
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# Write the log file in the standard format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# Idle session timeout
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# Data transfer timeout
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# User that owns the FTP child processes
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# Whether clients may issue "async ABOR" requests; this is unsafe and disabled by default.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# Whether uploads may transfer data in ASCII mode
#ascii_upload_enable=YES
# Whether downloads may transfer data in ASCII mode
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# Welcome banner shown on the FTP text interface
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# Whether to enable the denied e-mail feature
#deny_email_enable=YES
# (default follows)
# File holding the denied e-mail addresses
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# Whether to chroot local users: YES means by default no user may leave their home directory,
# NO means by default every user may. The logic is: YES denies all and allows exceptions,
# NO allows all and denies exceptions
#chroot_local_user=YES
# Enable the exception list
#chroot_list_enable=YES
# (default follows)
# If chroot_local_user is YES, the users in this file may leave their home directory;
# if it is NO, the users in this file may not. One user per line.
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# Whether to allow recursive listings (ls -R)
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# Whether to run FTP in standalone mode on IPv4
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# Whether to run FTP in standalone mode on IPv6
listen_ipv6=YES
# Authenticate through the PAM module
pam_service_name=vsftpd
# Whether to enable the userlist feature
userlist_enable=YES
```
From the configuration file we can see that vsftp does not allow anonymous access, and local users can download and upload. To allow anonymous users to log in, set anonymous_enable=YES and restart the service.

Anonymous login from the text interface

```
[root@localhost ~]# ftp 192.168.11.16
Connected to 192.168.11.16 (192.168.11.16).
220 (vsFTPd 3.0.3)
Name (192.168.11.16:root): ftp        # the user name can be ftp or anonymous
331 Please specify the password.
Password:                             # the password is empty
230 Login successful.                 # login succeeded
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,11,16,90,35).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 May 14  2019 pub
226 Directory send OK.
```

ls lists the contents of the current directory; there is one directory, called pub.

```
ftp> pwd
257 "/"
```

pwd shows the current path; note that this is the FTP root directory.

```
ftp> bye
221 Goodbye.
```

Exit with the bye command.

Local user login from the text interface

```
[root@localhost ~]# ftp 192.168.11.16
Connected to 192.168.11.16 (192.168.11.16).
220 (vsFTPd 3.0.3)
Name (192.168.11.16:root): hello
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,11,16,130,240).
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 下载
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 公共
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 图片
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 文档
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 桌面
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 模板
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 视频
drwxr-xr-x    2 1001     1001            6 Jan 15 08:56 音乐
226 Directory send OK.
ftp> pwd
257 "/home/hello" is the current directory
```
Type help to see all available commands

```
ftp> help
Commands may be abbreviated.  Commands are:

!               debug           mdir            sendport        site
$               dir             mget            put             size
account         disconnect      mkdir           pwd             status
append          exit            mls             quit            struct
ascii           form            mode            quote           system
bell            get             modtime         recv            sunique
binary          glob            mput            reget           tenex
bye             hash            newer           rstatus         tick
case            help            nmap            rhelp           trace
cd              idle            nlist           rename          type
cdup            image           ntrans          reset           user
chmod           lcd             open            restart         umask
close           ls              prompt          rmdir           verbose
cr              macdef          passive         runique         ?
delete          mdelete         proxy           send
```

!<linux command> runs a command on the local system. !ls /opt shows the contents of /opt on the Linux system

```
ftp> !ls /opt
dhcp  dns  rhl
```

lcd changes the current directory on the Linux side. lcd /root switches the local current directory to /root

```
ftp> lcd /root
Local directory now /root
```

put uploads a file; mput uploads several at once. Upload initial-setup-ks.cfg to hello's home directory

```
ftp> put initial-setup-ks.cfg
local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
227 Entering Passive Mode (192,168,11,16,96,132).
150 Ok to send data.
226 Transfer complete.
1803 bytes sent in 0.00135 secs (1333.58 Kbytes/sec)
```

The upload succeeded. Verify the result:

```
ftp> ls
227 Entering Passive Mode (192,168,11,16,173,142).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1803 Feb 26 07:01 initial-setup-ks.cfg
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 下载
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 公共
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 图片
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 文档
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 桌面
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 模板
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 视频
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 音乐
226 Directory send OK.
```

There it is. Switch the Linux current directory to /tmp

```
ftp> lcd /tmp
Local directory now /tmp
```

get downloads a file; mget downloads several at once. Download initial-setup-ks.cfg into the Linux current directory /tmp

```
ftp> get initial-setup-ks.cfg
local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
227 Entering Passive Mode (192,168,11,16,229,134).
150 Opening BINARY mode data connection for initial-setup-ks.cfg (1803 bytes).
226 Transfer complete.
1803 bytes received in 2.9e-05 secs (62172.41 Kbytes/sec)
```

List the Linux directory /tmp; the downloaded file initial-setup-ks.cfg is there

```
ftp> !ls /tmp/
dhcp                                                                   tracker-extract-files.0
initial-setup-ks.cfg                                                   VMwareDnD
systemd-private-8e7a99ea89c14ab396d66116970fe04d-chronyd.service-sghHHs       vmware-root
systemd-private-8e7a99ea89c14ab396d66116970fe04d-colord.service-wK7h08        yum_save_tx.2019-02-20.16-10.Z6uXqR.yumtx
systemd-private-8e7a99ea89c14ab396d66116970fe04d-cups.service-cokBro          yum_save_tx.2019-02-21.09-03.08zIbU.yumtx
systemd-private-8e7a99ea89c14ab396d66116970fe04d-rtkit-daemon.service-6wt1S0  yum_save_tx.2019-02-22.11-10.prawAT.yumtx
ftp> close
221 Goodbye.
ftp> ls
Not connected.
```

close disconnects from the server; to connect again after disconnecting, simply use the open command

```
ftp> open 192.168.11.16
Connected to 192.168.11.16 (192.168.11.16).
220 (vsFTPd 3.0.2)
Name (192.168.11.16:root): hello
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,11,16,192,88).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1803 Feb 26 07:01 initial-setup-ks.cfg
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 下载
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 公共
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 图片
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 文档
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 桌面
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 模板
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 视频
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 音乐
226 Directory send OK.
```

The delete command removes files you own. Delete the initial-setup-ks.cfg file

```
ftp> delete initial-setup-ks.cfg
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,11,16,168,142).
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 下载
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 公共
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 图片
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 文档
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 桌面
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 模板
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 视频
drwxr-xr-x    2 1000     1000            6 Jan 11 01:37 音乐
226 Directory send OK.
```
Configuring virtual users

a. Modify the configuration file

```
[root@hello pam.d]# egrep -v "^#" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
# Virtual user options
# PAM service used for login authentication
pam_service_name=vftp
# Enable the virtual user feature
guest_enable=YES
# Map virtual users to the local user hello
guest_username=hello
# Here I changed the default setting with this directive, allowing virtual users to write
allow_writeable_chroot=YES
# Root directory for local users
# This defines the virtual users' home directory; its user and group must be the host user hello
local_root=/home/hello
# Give virtual users the same permissions as local users
virtual_use_local_privs=YES
# If virtual users need different permissions from local users, set them with the following directive;
# each per-user configuration file must be named after the login name.
#user_config_dir=/etc/vsftpd/vconf.d/
```

b. Generate the virtual user account/password file: odd lines are accounts, even lines are passwords

```
[root@hello ~]# cat /etc/vsftpd/vuser
vuser01
123456
vuser02
123456
```

Convert it to db format with db_load

```
[root@hello ~]# db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db
```

The permissions must be 600

```
[root@hello ~]# chmod 600 /etc/vsftpd/vuser.db
```

c. Configure PAM authentication; note the order of the entries

```
[root@hello ~]# cat /etc/pam.d/vftp
# Virtual user login
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
# Local login
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
```

d. Restart the service for the changes to take effect

```
[root@hello ~]# systemctl restart vsftpd
[root@hello ~]# cat /etc/vsftpd/chroot_list
vuser01
vuser02
```

e. Verify login

```
[root@hello ~]# ftp 192.168.11.16
Connected to 192.168.11.16 (192.168.11.16).
220 Welcome to ayitula FTP service.
Name (192.168.11.16:root): vuser01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,11,16,82,91).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
```

Login succeeded.
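As an added example (not code from the original post), the following Python applies the rules the annotated configuration file and the virtual-user setup above describe: it parses a vsftpd.conf, decides whether a given login is confined to its home directory under the chroot_local_user / chroot_list_enable logic, and flags the settings a reviewer would check first (anonymous access, anonymous writes, a writable chroot root, a chroot list that is never consulted). The embedded configuration and chroot list are constructed to mirror steps a and d; nothing is read from a real server.

```python
"""Added example (not from the original post): audit a vsftpd.conf for the settings discussed above."""
from typing import Dict, Iterable, List


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; '#' lines are comments and a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def enabled(conf: Dict[str, str], key: str, default: str = "NO") -> bool:
    """vsftpd booleans are YES/NO; most default to NO unless the compiled-in default says otherwise."""
    return conf.get(key, default).upper() == "YES"


def is_chrooted(conf: Dict[str, str], user: str, chroot_list: Iterable[str]) -> bool:
    """chroot_local_user=YES confines everyone except listed users; NO confines only listed users.
    The list is consulted only when chroot_list_enable=YES."""
    listed = enabled(conf, "chroot_list_enable") and user in set(chroot_list)
    return enabled(conf, "chroot_local_user") != listed


def audit(conf: Dict[str, str]) -> List[str]:
    """Return the settings a reviewer would flag before exposing the server."""
    findings = []
    # anonymous_enable is compiled in as YES; the sample file itself warns about commenting it out.
    if enabled(conf, "anonymous_enable", default="YES"):
        findings.append("anonymous_enable: unauthenticated logins are accepted")
        if enabled(conf, "anon_upload_enable") or enabled(conf, "anon_mkdir_write_enable"):
            findings.append("anonymous write access: anonymous users can upload or mkdir")
    if enabled(conf, "write_enable") and not enabled(conf, "chroot_local_user"):
        findings.append("write_enable with chroot_local_user=NO: unlisted users can browse the whole filesystem")
    if enabled(conf, "allow_writeable_chroot"):
        findings.append("allow_writeable_chroot: writable chroot root, which vsftpd refuses by default")
    if "chroot_list_file" in conf and not enabled(conf, "chroot_list_enable"):
        findings.append("chroot_list_file is set but chroot_list_enable is not YES, so the list is ignored")
    return findings


# Constructed sample mirroring step a of the virtual-user setup (annotations omitted).
SAMPLE_CONF = ("anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\n"
               "guest_enable=YES\nguest_username=hello\nallow_writeable_chroot=YES\n")
SAMPLE_CHROOT_LIST = ["vuser01", "vuser02"]  # constructed, as in step d

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    print("\n".join(audit(conf)))
    print({u: is_chrooted(conf, u, SAMPLE_CHROOT_LIST) for u in ("vuser01", "hello")})
```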