1.本地用戶家目錄的修改
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
35 local_root=/ftp_westos/
[root@server pub]# systemctl restart vsftpd.service
客戶端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
修改後:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile1
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile2
-rw-r--r-- 1 0 0 0 Jan 23 06:15 westosfile3
lftp [email protected]:~> exit
2.更改本地用戶上傳文件的權限
##更改本地用戶上傳文件的權限
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
43 local_umask=077
[root@server pub]# systemctl restart vsftpd.service
客戶端
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> put /etc/passwd
2243 bytes transferred
lftp [email protected]:~> ls
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
修改後:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> put /etc/group
959 bytes transferred
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
3.限制本地用戶瀏覽根目錄
##限制本地用戶瀏覽根目錄:
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
[root@server pub]# systemctl restart vsftpd.service
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 07:11 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 162 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:16 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
##配置文件後
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> exit
##vsftpd 拒絕在用戶可寫的 chroot 根目錄(這裡即用戶家目錄)中運行,所以要去掉家目錄擁有者的寫權限;注意這同時會讓該用戶在 shell 登錄時也無法直接在家目錄頂層新建文件
[root@server pub]# chmod u-w /home/*
##再次測試
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
##可以看到,student用戶被鎖定在自己的家目錄中,不能切換到根目錄
4.限制是否可以切換家目錄的黑白名單
##限制是否可以切換家目錄的黑白名單
##黑名單
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
37 chroot_local_user=NO
38 chroot_list_enable=YES
39 chroot_list_file=/etc/vsftpd/chroot_list
[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# ls /etc/vsftpd/chroot_list
ls: cannot access /etc/vsftpd/chroot_list: No such file or directory
[root@server pub]# touch /etc/vsftpd/chroot_list ##本來沒有這個列表,需要新建
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list ##即改即生效
student
客戶端:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls ##student不可切換
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls ##westos可以切換
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 08:31 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 161 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:30 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
#設定白名單
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
37 chroot_local_user=YES
38 chroot_list_enable=YES
39 chroot_list_file=/etc/vsftpd/chroot_list
[root@server pub]# systemctl restart vsftpd.service
[root@server pub]# vim /etc/vsftpd/chroot_list
[root@server pub]# cat /etc/vsftpd/chroot_list
student
客戶端:
客戶端的student用戶在白名單中,可以正常切換根目錄:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot
drwxr-xr-x 18 0 0 2920 Jan 23 03:18 dev
drwxr-xr-x 134 0 0 8192 Jan 23 08:31 etc
drwxr-xr-x 2 0 0 60 Jan 23 06:15 ftp_westos
drwxr-xr-x 4 0 0 33 Jan 23 07:11 home
lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Mar 13 2014 media
drwxr-xr-x 2 0 0 6 Mar 13 2014 mnt
drwxr-xr-x 3 0 0 15 Jul 10 2014 opt
dr-xr-xr-x 162 0 0 0 Jan 23 03:01 proc
dr-xr-x--- 15 0 0 4096 Jan 23 08:40 root
drwxr-xr-x 35 0 0 1140 Jan 23 03:25 run
lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Mar 13 2014 srv
dr-xr-xr-x 13 0 0 0 Jan 23 03:01 sys
drwxrwxrwt 12 0 0 4096 Jan 23 08:04 tmp
drwxr-xr-x 13 0 0 4096 May 07 2014 usr
drwxr-xr-x 23 0 0 4096 Jan 23 03:25 var
lftp [email protected]:/> exit
##白名單之外的westos被限制
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lftp [email protected]:~> exit
5.用戶登陸黑白名單
##正常的:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
##永久黑名單
[root@server pub]# cd /etc/vsftpd/
[root@server vsftpd]# ls
chroot_list ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# vim ftpusers
[root@server vsftpd]# tail -n 1 ftpusers
student
配置永久黑名單後:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
##臨時黑名單:user_list(是否生效取決於 userlist_enable,見第6步;先去掉 ftpusers 中永久黑名單的student)
[root@server vsftpd]# vim user_list
[root@server vsftpd]# tail -n 1 user_list
student
修改後
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> exit
[kiosk@foundation22 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Permission denied.
lftp [email protected]:~> exit
6.把臨時黑名單變成白名單
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
148 userlist_enable=YES
149 userlist_deny=NO
[root@server vsftpd]#systemctl restart vsftpd.service
更改後:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u student
Password:
lftp [email protected]:~> ls
-rw------- 1 1000 1000 959 Jan 23 08:17 group
-rw-r--r-- 1 1000 1000 2243 Jan 23 08:16 passwd
lftp [email protected]:~> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Permission denied.
lftp [email protected]:~> exit
7.虛擬用戶的設定
##虛擬用戶不需要真實的系統帳號,FTP 憑據與系統登錄憑據分離,因此更安全##
#服務端配置
[root@server ~]# cd /etc/vsftpd/ ##切換目錄到vsftpd服務配置文件夾
[root@server vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# vim userfile ##新建文件,文件名任意
[root@server vsftpd]# cat userfile ##可以看到文件中設定的用戶和密碼的內容
westos1
123
westos2
123
westos3 ##注意不要亂加空格
123
##用 db_load 把剛纔新建的文件轉成 Berkeley DB 的 hash 格式數據庫(-t hash 指的是數據庫索引類型,並不是加密;從下面 cat 的結果可以看到用戶名和密碼仍以明文保存,因此 userfile 與 userfile.db 都應只允許 root 讀取)
[root@server vsftpd]# db_load -T -t hash -f /etc/vsftpd/userfile /etc/vsftpd/userfile.db
[root@server vsftpd]# ls ##可以看到生成的數據庫文件userfile.db
ftpusers userfile userfile.db user_list vsftpd.conf vsftpd_conf_migrate.sh
[root@server vsftpd]# cat userfile.db
^Aa^U^F ^B�L4^A^A�L�G��
��^B�L4^A^A�L�G��s3^A123^Awestos1^A^B^B�
^A^Aэh^^A^A^A123^Awestos2 ##可以看到文件被哈希加密的結果
[root@server vsftpd]# vim /etc/pam.d/userauth ##在pam認證配置目錄下新建一個文件,文件名任意
[root@server vsftpd]# cat /etc/pam.d/userauth ##可以看到新建文件的內容
account required pam_userdb.so db=/etc/vsftpd/userfile
auth required pam_userdb.so db=/etc/vsftpd/userfile
#userfile 中用戶名與密碼逐行交替存放;account 與 auth 兩行都需要,並指定 pam_userdb.so 作為認證模組;db= 後的文件名不加後綴 .db,pam_userdb 會自行補齊
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf ##編輯vsftpd主配置文件
147 pam_service_name=userauth ##指定 vsftpd 使用的 PAM 服務名,即 /etc/pam.d/ 下剛新建的 userauth 文件
##改用上面的 PAM 服務後,認證只查 userfile.db,原來真實存在的本地用戶就不能登陸了;解決辦法是把本地用戶也加到 userfile 中並重新生成數據庫(注意這樣他們的密碼同樣會以明文保存在該文件中)
148 guest_enable=YES ##開啓虛擬用戶可以登陸服務
149 guest_username=ftp ##指定虛擬用戶登錄後映射到的本地系統帳號,之後的文件讀寫權限都按該帳號(ftp)計算
[root@server vsftpd]# systemctl restart vsftpd.service ##重啓服務,使配置生效
#客戶端(配置生效前的測試):
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
ls: Login failed: 530 Login incorrect.
lftp [email protected]:~> exit
##可以看到,虛擬用戶登陸不成功
##配置ftp虛擬用戶之後
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 60 Jan 23 07:28 pub
drwxr-xr-x 2 0 0 6 Jan 23 03:32 qwert
lftp [email protected]:/> exit
8.虛擬用戶個人家目錄
##服務端配置
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3} -p
##新建每個用戶的家目錄,家目錄名與用戶名一致(後面$USER可用),-p使不存在的目錄遞歸創建
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf ##配置vsftpd主文件
150 local_root=/var/ftpuserdir/$USER ##指定用戶的家目錄爲上述創建的與用戶名一致的目錄
151 user_sub_token=$USER ##定義 local_root 中的替換標記:vsftpd 會把 $USER 換成登錄的用戶名;它只是 vsftpd 自己的標記,並非讀取 shell 的 $USER 變量,下面的 echo 只是類比說明
[root@server vsftpd]# echo $USER ##可以看到$USER代指當前用戶
root
[root@server vsftpd]# su - student
[student@server ~]$ echo $USER
student
[student@server ~]$ logout
[root@server vsftpd]# systemctl restart vsftpd.service ##重啓服務
[root@server vsftpd]# mkdir /var/ftpuserdir/westos{1..3}/pub ##在家目錄中新建目錄
[root@server vsftpd]# mkdir /var/ftpuserdir/westos1/westos1file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos2/westos2file
[root@server vsftpd]# mkdir /var/ftpuserdir/westos3/westos3file
##客戶端
##配置後在客戶端可以看到每個虛擬用戶都在自己的家目錄中
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos1file
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos2file
lftp [email protected]:/> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos3
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos3file
lftp [email protected]:/> exit
9.虛擬用戶配置獨立
##服務端配置
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
31 local_enable=YES
34 #write_enable=YES ##註釋影響配置結果的參數
51 #anon_upload_enable=YES
154 user_config_dir=/etc/vsftpd/userconf ##指定獨立用戶配置目錄
[root@server vsftpd]# systemctl restart vsftpd.service
[root@server vsftpd]# mkdir -p /etc/vsftpd/userconf ##目錄本來沒有,需要新建
[root@server vsftpd]# vim /etc/vsftpd/userconf/westos1 ##在目錄下新建文件(與用戶名相同)
1 anon_upload_enable=YES #配置允許該用戶上傳文件
[root@server vsftpd]# systemctl restart vsftpd.service ##重啓服務
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxr-xr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chmod 775 /var/ftpuserdir/westos*/pub ##給所屬組寫權限(配合下面的 chgrp ftp:虛擬用戶以 ftp 帳號身份訪問,需要 ftp 組可寫才能上傳)
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root root 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
[root@server vsftpd]# chgrp ftp /var/ftpuserdir/westos*/pub ##更改用戶組爲ftp
[root@server vsftpd]# ls -ld /var/ftpuserdir/westos*/*
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos1/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos1/westos1file
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos2/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos2/westos2file
drwxrwxr-x 2 root ftp 6 Jan 23 21:29 /var/ftpuserdir/westos3/pub
drwxr-xr-x 2 root root 6 Jan 23 21:30 /var/ftpuserdir/westos3/westos3file
##客戶端;
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> ls
drwxr-xr-x 2 0 0 6 Jan 24 02:29 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos1file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos2
Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:/pub> exit
##配置後:
[kiosk@foundation68 ~]$ lftp 172.25.68.100 -u westos1
Password:
lftp [email protected]:~> cd pub/
lftp [email protected]:/pub> put /etc/passwd
2243 bytes transferred
lftp [email protected]:/pub> exit
[kiosk@foundation68 ~]$ lftp 172.25.254.222 -u westos2
Password:
lftp [email protected]:~> ls
drwxrwxr-x 2 0 50 19 Jan 24 03:16 pub
drwxr-xr-x 2 0 0 6 Jan 24 02:30 westos2file
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> put /etc/passwd
put: Access failed: 550 Permission denied. (passwd)
lftp [email protected]:/pub> exit
可以看到只有在配置目錄 /etc/vsftpd/userconf/ 下為 westos1 新建了獨立配置文件並開啓 anon_upload_enable=YES,所以只有 westos1 能上傳,westos2 仍被拒絕