vfstp服务

Posted fyjpeng

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了vfstp服务相关的知识,希望对你有一定的参考价值。

运行环境

  • linux服务端(172.16.104.132)
## vsftpd安装
[root@vm3 etc]# yum -y install vsftpd 

## 关闭防火墙
[root@vm3 etc]# systemctl stop firewalld

## 修改selinux
[root@vm3 etc]# setenforce 0
[root@vm3 etc]# getenforce 
Permissive
  • linux客户端
## samba软件安装
## cifs文件系统挂载工具
[root@vm1 mnt]# yum -y install ftp

## 关闭防火墙
[root@vm1 etc]# systemctl stop firewalld

## 修改selinux
[root@vm1 mnt]# setenforce 0
[root@vm1 mnt]# getenforce 
Permissive

1.搭建匿名访问vsftp服务

1.1 linux服务端

  • 1.配置/etc/vsftpd/vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
anonymous_enable=YES                    //启用匿名访问
local_enable=NO                         //关闭本地访问
write_enable=YES                        //允许写操作
local_umask=022                         //设定上传文件遮罩码
anon_upload_enable=YES                  //允许匿名上传文件
anon_mkdir_write_enable=YES             //允许匿名创建文件
anon_other_write_enable=YES              //允许匿名删除文件

dirmessage_enable=YES                   //设置目录标语功能
xferlog_enable=YES                      //设置日志记录功能
connect_from_port_20=YES                //开启端口20进行数据连接(主动模)
xferlog_std_format=YES                  //设置日志标准格式
listen=YES                              //修改为YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES                     //是否启用控制用户登录的列表文件
  • 2./var/vsftpd/pub提供匿名访问的目录
[root@vm3 ftp]# pwd
/var/ftp
[root@vm3 ftp]# chmod o+w pub/        //便于测试,给予other写权限
[root@vm3 ftp]# ll -d pub/
drwxr-xrwx. 3 root root 26 Oct 14 21:25 pub/
[root@vm3 ftp]# ll pub/
total 0
drwxr-xr-x. 2 root root 6 Oct 14 21:25 a
-rw-r--r--. 1 root root 0 Oct 14 20:50 abc
  • 3.启动加载vsftpd服务
[root@vm3 vsftpd]# systemctl start vsftpd
[root@vm3 vsftpd]# systemctl reload vsftpd

1.2 linux客户端测试

  • 测试ftp 172.16.104.132
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): anonymous             //账户为anonymous
331 Please specify the password.
Password:                                         //直接回车,不需要密码
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd                                          //查询当前目录在/下
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,46,198).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              17 Oct 14 12:50 pub
226 Directory send OK.
ftp> cd pub && ls                                //允许访问服务端/var/ftp/pub目录
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,16,104,132,132,14).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Oct 14 12:50 abc
226 Directory send OK.
ftp> get abc                        //下载pub/abc文件到当前目录,可以通过lcd指定下载路径
local: abc remote: abc
227 Entering Passive Mode (172,16,104,132,201,161).
150 Opening BINARY mode data connection for abc (0 bytes).
226 Transfer complete.
ftp> put anaconda-ks.cfg           //上传当前目录下anaconda-ks.cfg文件
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,134,130).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000779 secs (1544.29 Kbytes/sec)
ftp> delete abc                                 //删除文件abc
250 Delete operation successful.
ftp> rmdir a                                    //删除目录a
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (172,16,104,132,54,32).
150 Here comes the directory listing.
-rw-------    1 14       50           1203 Oct 14 13:29 anaconda-ks.cfg

  • 查看服务端/var/ftp/pub目录
[root@vm3 pub]# ll
total 4
-rw-------. 1 ftp ftp 1203 Oct 14 21:29 anaconda-ks.cfg
## 上传文件的权限被改变,,,可以在配置中加anon_umask=022,设置上传文件的遮罩码
## 同时原来的a目录,abc文件被删除

2. 搭建本地用户访问vsftpd服务

  • 这种方式不是很安全,可能会泄露本地账户和密码

  • 添加本地用户

## ftptest没有家目录
[root@vm3 pub]# useradd -M ftptest
[root@vm3 pub]# echo "123456" | passwd --stdin ftptest
[root@vm3 pub]# cat /etc/passwd | grep ftptest
ftptest:x:1003:1003::/home/ftptest:/bin/bash

## ftp1有家目录/opt/ftp1
[root@vm3 pub]# useradd -d /opt/ftp1 ftp1
[root@vm3 pub]# echo "123456" | passwd --stdin ftp1
Changing password for user ftp1.
passwd: all authentication tokens updated successfully.
[root@vm3 pub]# id ftp1
uid=1004(ftp1) gid=1004(ftp1) groups=1004(ftp1)

2.1 本地用户访问-----越界

服务端配置

  • 1.配置vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES            //开启本地用户访问
write_enable=YES            //可写
local_umask=022             //上传文件遮罩码022

dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
  • 2.加载配置,重启服务
[root@vm3 vsftpd]# systemctl restart vsftpd

客户端测试

  • 1.访问测试
## 本地用户ftptest访问失败,原因是该用户没有家目录
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftptest
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/ftptest
Login failed.
421 Service not available, remote server has closed connection
ftp> ls
Not connected.
ftp> 

##本地用户ftp1访问成功,默认工作路径是其家目录
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/opt/ftp1" is the current directory
  • 2.权限测试
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
....................
ftp> pwd
257 "/opt/ftp1" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,182,149).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Oct 14 14:42 hello
226 Directory send OK.
ftp> mkdir 123                                     //有写权限
257 "/opt/ftp1/123" created
ftp> get hello                                      //可下载
local: hello remote: hello
227 Entering Passive Mode (172,16,104,132,126,9).
150 Opening BINARY mode data connection for hello (0 bytes).
226 Transfer complete.
ftp> put anaconda-ks.cfg                             //可上传
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,109,100).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000146 secs (8239.73 Kbytes/sec)
ftp> delete hello                                   //可删除
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (172,16,104,132,167,162).
150 Here comes the directory listing.
drwxr-xr-x    2 1004     1004            6 Oct 14 14:44 123
-rw-r--r--    1 1004     1004         1203 Oct 14 14:44 anaconda-ks.cfg
226 Directory send OK.


##服务端ftp1家目录,上传文件遮罩码022
[root@vm3 opt]# ll ftp1/
total 4
drwxr-xr-x. 2 ftp1 ftp1    6 Oct 14 22:44 123
-rw-r--r--. 1 ftp1 ftp1 1203 Oct 14 22:44 anaconda-ks.cfg
[root@vm3 opt]# ll -d ftp1
drwx------. 3 ftp1 ftp1 96 Oct 14 22:44 ftp1      //默认600
  • 3.越界测试
## 可以从工作目录越界到根目录并查看,虽然说没有操作权限但正常来说这是不可取的
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd                                        
257 "/opt/ftp1" is the current directory
ftp> cd /                           //可以从工作目录切换到/目录
250 Directory successfully changed. 
ftp> ls
227 Entering Passive Mode (172,16,104,132,216,86).
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 May 11  2019 bin -> usr/bin
dr-xr-xr-x    6 0        0            4096 Sep 10 11:02 boot
drwxr-xr-x   20 0        0            3120 Oct 14 10:48 dev
drwxr-xr-x   81 0        0            8192 Oct 14 14:34 etc
ftp> delete abc                                     //但是没有操作权限
550 Delete operation failed.
ftp> mkdir 123
550 Create directory operation failed.
ftp> put anaconda-ks.cfg 
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,98,103).
553 Could not create file.

2.2 本地用户访问--束缚在工作目录

服务端配置

    1. vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES     //禁锢所有的ftp本地用户于其家目录中
## chroot_list_enable=YES    //开启禁锢文件列表,与chroot_list_file一起使用
## chroot_list_file=/etc/vsftpd/chroot_list    //指定禁锢列表文件路径,在此文件里面的用户将被禁锢在其家目录中
## allow_writeable_chroot=NO    //允许被禁锢的用户家目录有写权限

dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES

  • 2.加载配置,重启服务
[root@vm3 vsftpd]# systemctl restart vsftpd

客户端测试

-500 OOPS: vsftpd: refusing to run with writable root inside chroot()。
报错原因为,受到chroot限制的用户家目录有w权限
解决方法: 1.去除W权限 或者2.设置allow_writeable_chroot=YES

  • 1.越界测试
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
ftp> 

##设置allow_writeable_chroot=YES 后
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory     //实际上是在家目录,只不过显示的/
ftp> cd /mnt                         //不能越界,只能在工作目录
550 Failed to change directory.
ftp> ls
227 Entering Passive Mode (172,16,104,132,241,179).
150 Here comes the directory listing.
226 Directory send OK.
  • 2.权限设置
##权限没有发生变化
ftp> mkdir test
257 "/test" created
ftp> put anaconda-ks.cfg 
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,189,111).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000274 secs (4390.51 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,16,104,132,44,176).
150 Here comes the directory listing.
-rw-r--r--    1 1004     1004         1203 Oct 14 15:47 anaconda-ks.cfg
drwxr-xr-x    2 1004     1004            6 Oct 14 15:46 test
226 Directory send OK.

##服务端查看ftp1家名录
[root@vm3 wisan]# cd /opt/ftp1/
[root@vm3 ftp1]# pwd
/opt/ftp1
[root@vm3 ftp1]# ll
total 4
-rw-r--r--. 1 ftp1 ftp1 1203 Oct 14 23:47 anaconda-ks.cfg
drwxr-xr-x. 2 ftp1 ftp1    6 Oct 14 23:46 test

3. 搭建虚拟用户访问vsftp服务

3.1 服务端配置

  • 1.vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES                        //需要开启,虚拟用户要映射到本地用户
write_enable=YES
local_umask=022
chroot_local_user=YES                   //束缚在家名录
allow_writeable_chroot=YES 

anonymous_enable=YES                    //需要开启,允许虚拟用户访问
anon_umask=022
anon_upload_enable=NO                   
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

guest_enable=YES                        //开启虚拟用户
guest_username=ftp2                     //映射的本地账户
user_config_dir=/etc/vsftpd/user_dir    //设置虚拟用户权限文件的目录,该目录下是虚拟用户名文件,存放有虚拟用户各自权限

dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES

  • 2.创建映射的本地用户、虚拟用户列表
## 创建ftp2用户
[root@vm3 vsftpd]# useradd -d /opt/ftp2 -s /sbin/nologin ftp2
[root@vm3 vsftpd]# echo "123456" | passwd --stdin ftp2
[root@vm3 vsftpd]# ll -d /opt/ftp2/
drwx------. 2 ftp2 ftp2 62 Oct 15 00:19 /opt/ftp2/
[root@vm3 vsftpd]# chmod 755 /opt/ftp2
[root@vm3 vsftpd]# ll -d /opt/ftp2/
drwxr-xr-x. 2 ftp2 ftp2 62 Oct 15 00:19 /opt/ftp2/

## 创建虚拟用户列表/etc/vsftpd/vir_user.list
[root@vm3 vsftpd]# vim vir_user.list
cat
123456
mouse
123456
[root@vm3 vsftpd]# pwd
/etc/vsftpd
    1. 将虚拟用户列表加密并转为数据库文件(db_load命令)
[root@vm3 vsftpd]# db_load -T -t hash -f /etc/vsftpd/vir_user.list /etc/vsftpd/vir_user.db
[root@vm3 vsftpd]# chmod 600 /etc/vsftpd/vir_user.*     //保护文件
[root@vm3 vsftpd]# ll
total 40
-rw-------. 1 root root   125 Apr 24 11:01 ftpusers
-rw-------. 1 root root   361 Apr 24 11:01 user_list
-rw-------. 1 root root 12288 Oct 15 00:28 vir_user.db
-rw-------. 1 root root    24 Oct 15 00:24 vir_user.list
-rw-------. 1 root root   448 Oct 15 00:09 vsftpd.conf
-rw-------. 1 root root  5098 Oct 14 18:52 vsftpd.conf.bak
-rwxr--r--. 1 root root   348 Apr 24 11:01 vsftpd_conf_migrate.sh
  • 4.为虚拟用户建立PAM认证
[root@vm3 vsftpd]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak   //备份
[root@vm3 vsftpd]# vim /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vir_user        //vir_user.db路径(.db要去掉)
account required pam_userdb.so db=/etc/vsftpd/vir_user

  • 5.创建虚拟用户权限文件的目录文件
[root@vm3 vsftpd]# mkdir -p /etc/vsftpd/user_dir
[root@vm3 vsftpd]# ll
total 40
-rw-------. 1 root root   125 Apr 24 11:01 ftpusers
drwxr-xr-x. 2 root root     6 Oct 15 00:41 user_dir
-rw-------. 1 root root   361 Apr 24 11:01 user_list
-rw-------. 1 root root 12288 Oct 15 00:28 vir_user.db
-rw-------. 1 root root    24 Oct 15 00:24 vir_user.list
-rw-------. 1 root root   448 Oct 15 00:09 vsftpd.conf
-rw-------. 1 root root  5098 Oct 14 18:52 vsftpd.conf.bak
-rwxr--r--. 1 root root   348 Apr 24 11:01 vsftpd_conf_migrate.sh

  • 6.编辑虚拟用户的权限
[root@vm3 vsftpd]# cd user_dir/
[root@vm3 user_dir]# pwd
/etc/vsftpd/user_dir
[root@vm3 user_dir]# touch cat && echo "anon_upload_enable=YES" >> cat
[root@vm3 user_dir]#  echo "anon_mkdir_write_enable=YES" >> cat
[root@vm3 user_dir]# touch mouse
[root@vm3 user_dir]# ll
total 4
-rw-r--r--. 1 root root 51 Oct 15 00:46 cat
-rw-r--r--. 1 root root  0 Oct 15 00:46 mouse
[root@vm3 user_dir]# cat cat                  //虚拟用户cat拥有上传和创建目录权限
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@vm3 user_dir]# cat mouse                //虚拟用户mouse默认权限,仅下载
  • 7.重启加载配置
[root@vm3 vsftpd]# systemctl restart vsftpd

3.2 客户端测试

cat虚拟用户

[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): cat
331 Please specify the password.
Password:
230 Login successful.                         //cat 成功访问
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,75,120).
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /mnt                                //不能越界
550 Failed to change directory.
ftp> mkdir cat                              //可以创建目录
257 "/cat" created
ftp> put a                                  //可以上传文件
abc              anaconda-ks.cfg  
ftp> put anaconda-ks.cfg 
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,57,111).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000186 secs (6467.74 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,16,104,132,229,53).
150 Here comes the directory listing.
-rw-r--r--    1 1005     1005         1203 Oct 14 16:52 anaconda-ks.cfg
drwxr-xr-x    2 1005     1005            6 Oct 14 16:52 cat
ftp> delete anaconda-ks.cfg                //不能删除文件
550 Permission denied.


##查看cat映射的本地用户ftp2家目录
[root@vm3 ftp2]# pwd
/opt/ftp2
[root@vm3 ftp2]# ls
anaconda-ks.cfg  cat
[root@vm3 ftp2]# ll
total 4
-rw-r--r--. 1 ftp2 ftp2 1203 Oct 15 00:52 anaconda-ks.cfg
drwxr-xr-x. 2 ftp2 ftp2    6 Oct 15 00:52 cat

mouse虚拟用户

[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): mouse
331 Please specify the password.
Password:
230 Login successful.                         //mouse成功访问
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,153,6).
150 Here comes the directory listing.
-rw-r--r--    1 1005     1005         1203 Oct 14 16:52 anaconda-ks.cfg
drwxr-xr-x    2 1005     1005            6 Oct 14 16:52 cat
226 Directory send OK.
ftp> get anaconda-ks.cfg                       //可以下载文件
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,129,146).
150 Opening BINARY mode data connection for anaconda-ks.cfg (1203 bytes).
226 Transfer complete.
1203 bytes received in 0.0004 secs (3007.50 Kbytes/sec)
ftp> mkdir mouse                              //不能创建目录
550 Permission denied.
ftp> delete anaconda-ks.cfg                   //不能删除文件
550 Permission denied.
ftp> put abc                                  //不能上传文件
local: abc remote: abc
227 Entering Passive Mode (172,16,104,132,245,132).
550 Permission denied.


以上是关于vfstp服务的主要内容,如果未能解决你的问题,请参考以下文章

从片段调用 Google Play 游戏服务

markdown 在Intel Nuc上设置Ubuntu Web服务器,步骤和代码片段

golang代码片段(摘抄)

ForegroundService没有从片段开始?

SpringCloud系列四:Eureka 服务发现框架(定义 Eureka 服务端Eureka 服务信息Eureka 发现管理Eureka 安全配置Eureka-HA(高可用) 机制Eur(代码片段

Apollo Codegen 没有找到生成代码的操作或片段