在本文中,将演示如何安装vsftpd服务,配置为ftps,并为ftp用户配置chroot,将ftp会话限制在各自的/var/www/html/[username]目录中。 |
centos8
需要创建用于访问FTP服务器的用户。执行以下 来创建用户并设置各自的密码,创建用户时使用 -s
选项,让这两个用户禁止 登录:
[root@localhost ~]# useradd -s /sbin/nologin user01 [root@localhost ~]# useradd -s /sbin/nologin user02 [root@localhost ~]# echo '123'|passwd --stdin user01 Changing password for user user01. passwd: all authentication tokens updated successfully. [root@localhost ~]# echo '123'|passwd --stdin user02 Changing password for user user02. passwd: all authentication tokens updated successfully.
上面的用户的shell设置为 /sbin/nologin
之后,需要在 /etc/shells
文件中添加 /sbin/nologin
,否则后面ftp用户登录时提示 Login failed: 530 Login incorrect.
[root@localhost ~]# echo "/sbin/nologin" >> /etc/shells [root@localhost ~]# cat /etc/shells /bin/sh /bin/bash /usr/bin/sh /usr/bin/bash /sbin/nologin
使用下面 安装vsftpd:
[root@localhost ~]# yum -y install vsftpd
为FTP服务器创建一个自签名证书。使用 openssl
命令,执行以下命令来生成自签名证书和私钥:
[root@localhost ~]# openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048 Generating a RSA private key ..+++++ ..............................................+++++ writing new private key to '/etc/vsftpd/vsftpd.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shandong Locality Name (eg, city) [Default City]:QD Organization Name (eg, company) [Default Company Ltd]:Linuxprobe Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:ftp.linuxprobe.com Email Address []:
将上面创建的用户user01和user02添加到 /etc/vsftpd/user_list
文件中,只允许该文件中的用户ftp登录。
[root@localhost vsftpd]# vim /etc/vsftpd/user_list # vsftpd userlist # If userlist_deny=NO, only allow users in this file # If userlist_deny=YES (default), never allow users in this file, and # do not even prompt for a password. # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers # for users that are denied. root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody user01 user02
下面编辑 /etc/vsftpd/vsftpd.conf
,编辑前需要备份一下配置文件:
[root@localhost vsftpd]# cd /etc/vsftpd/ [root@localhost vsftpd]# cp -p vsftpd.conf vsftpd.conf.back
编辑vsftpd.conf文件,配置文件内容如下:
[root@localhost vsftpd]# vim vsftpd.conf [root@localhost vsftpd]# cat vsftpd.conf | grep -Ev '(^$|^#)' anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES listen=NO listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES userlist_deny=NO ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1_2=YES rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.key allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES require_ssl_reuse=NO ssl_ciphers=HIGH pasv_min_port=30000 pasv_max_port=31000 debug_ssl=YES chroot_local_user=YES local_root=/var/www/html/$USER allow_writeable_chroot=YES
下面启用服务,并启动服务:
[root@localhost ~]# systemctl enable vsftpd Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service ¡ú /usr/lib/systemd/system/vsftpd.service. [root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# firewall-cmd --permanent --add-service=ftp success [root@localhost ~]# firewall-cmd --reload success
下面需要设置一下selinux的boolean值,默认情况下 /var/www/html
目录的安全上下文为 httpd_sys_content_t
,用户使用ftp上传下载可能会出现权限问题,所以下面设置一下和ftp相关的selinux设置:
[root@localhost ~]# setsebool -P ftpd_full_access 1 [root@localhost ~]# getsebool ftpd_full_access ftpd_full_access --> on
在 /var/www/html
目录中创建用户的目录,并设置权限。
[root@localhost ~]# mkdir /var/www/html/user0{1..2} [root@localhost ~]# chown -R user01:apache /var/www/html/user01/ [root@localhost ~]# chown -R user02:apache /var/www/html/user02/
在每个目录中创建一个空文件。你在登录后可以区分用户家目录:
[root@localhost ~]# touch /var/www/html/user01/user01_files [root@localhost ~]# touch /var/www/html/user02/user02_files
下载 lftp
命令行客户端进行连接测试:
[root@localhost ~]# yum -y install lftp
下面使用user01登录:
[root@localhost ~]# lftp user01@localhost Password: lftp user01@localhost:~> ls ls: Fatal error: Certificate verification: Not trusted (01:3E:A2:1B:39:E9:BE:DB:55:1F:C3:71:34:6F:B6:8E:E2:D0:2C:8C)
上面提示错误,因为是自签名证书。可以通过执行以下命令不检查证书:
[root@localhost ~]# echo "set ssl:verify-certificate no" >> /etc/lftp.conf
下面再执行一下lftp命令使用user01登录:
[root@localhost ~]# lftp user01@localhost Password: lftp user01@localhost:~> ls -rw-r--r-- 1 0 0 0 Apr 07 09:42 user01_files
再使用user02登录看一下:
[root@localhost ~]# lftp user02@localhost Password: lftp user02@localhost:~> ls -rw-r--r-- 1 0 0 0 Apr 07 09:42 user02_files
本文介绍了如何设置更安全的ftp - “FTPs”、将ftp用户的主目录限制在/var/www/html目录中、如何使用轻量化ftp命令行工具 - “lftp”。
文章评论 本文章有个评论