安装vsftpd
yum -y install vsftpd添加FTP用户
方式1、添加只允许通过ftp访问的用户
useradd -d /home/ftp ftp_user #-d指定用户登录时的启始目录方式2、允许用户登录操作系统
usermod -d /home/ftp -s /bin/bash ftp_user #-s指定用户登入后所使用的shell设置用户登录密码
passwd ftp_pwd修改配置文件(文件位置/etc/vsftpd/vsftpd.conf,修改时注意用户权限)
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO #是否允许匿名登录
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES #是否允许本地用户登录
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES #是有有写权限
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# 多数情况下,希望限制ftp用户只能在其主目录下活动,需要配置如下三个属性
chroot_local_user=YES #默认值NO,是否将所有用户限制在主目录,当为NO时,ftp用户可以向上切换目录
chroot_list_enable=YES #是否启用例外用户名单
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list #例外用户名单,限制主目录属性跟chroot_local_user相反
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!#IPv4和IPv6只能监听其中之一
listen_ipv6=NO
userlist_enable=YES # 开启“名单列表”限制功能
userlist_deny=NO # 设置“名单列表”为“白名单”,仅指定列表中的用户允许使用FTP登录
userlist_file=/etc/vsftpd/user_list # “名单列表”对应的文件
pasv_min_port=30001 #传输端口
pasv_max_port=31000 #传输端口主动模式与被动模式
主动模式-连接过程
客户端与服务器的21端口建立连接
客户端开放一个随机高位端口端口(1024以上),用于接收数据
客户端发送PORT主动模式命令给服务器21端口,其中PORT命令包括客户端用于接收数据的端口号
服务器通过20端口和客户端的新开放端口进行连接,并给客户端发送数据
被动模式-连接过程
客户端与服务器的21端口建立连接
客户端发送PASV被动模式命令给服务器21端口
服务器打开一个随机高位端口用于传输数据(1024以上),并通知客户端
客户端连接到服务器新开放的端口进行数据传输
由于linux服务器有防火墙限制,被动模式时,传输端口不确定,导致防火墙开放端口不确定,所以在配置中指定被动模式时端口上下限,然后配置防火墙规则
iptables -I INPUT -p tcp --dport 30001:31000 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 30001:31000 -j ACCEPT配置被动模式,可以直接方便通过ftp客户端软件连接。
好用的linux问题网站:https://unix.stackexchange.com/
补充问题:
2023-03-25:ftp时报错:421 Service not available
解决方案:/etc/hosts.allow中添加允许访问的vsftpd:xxx.xxx.xxx.xxx
