vsftpd service
Posted by fyjpeng
Runtime environment
- Linux server (172.16.104.132)
## Install vsftpd
[root@vm3 etc]# yum -y install vsftpd
## Stop the firewall (lab shortcut only)
[root@vm3 etc]# systemctl stop firewalld
## Put SELinux into permissive mode (lab shortcut only)
[root@vm3 etc]# setenforce 0
[root@vm3 etc]# getenforce
Permissive
## On a real host leave both on: allow the ftp service plus a fixed passive range (pasv_min_port/pasv_max_port) in firewalld, and flip the SELinux booleans ftpd_anon_write or ftpd_full_access instead of running setenforce 0.
- Linux client
## Install the command-line ftp client
[root@vm1 mnt]# yum -y install ftp
## Stop the firewall (lab shortcut only)
[root@vm1 etc]# systemctl stop firewalld
## Put SELinux into permissive mode (lab shortcut only)
[root@vm1 mnt]# setenforce 0
[root@vm1 mnt]# getenforce
Permissive
1. Building an anonymous-access vsftpd service
1.1 Linux server
- 1. Configure /etc/vsftpd/vsftpd.conf
## The // notes below are annotations for this page only. vsftpd accepts whole-line # comments and nothing else; a trailing note makes the value unparsable and the daemon dies with "500 OOPS: bad bool value in config file for: anonymous_enable".
[root@vm3 vsftpd]# vim vsftpd.conf
anonymous_enable=YES //enable anonymous logins
local_enable=NO //no local-account logins
write_enable=YES //master switch for every write command
local_umask=022 //umask for local-user uploads; anonymous uploads use anon_umask instead
anon_upload_enable=YES //anonymous users may upload files
anon_mkdir_write_enable=YES //anonymous users may create directories
anon_other_write_enable=YES //anonymous users may delete, rename and overwrite (the most dangerous of the three)
dirmessage_enable=YES //show .message files when entering a directory
xferlog_enable=YES //log transfers
connect_from_port_20=YES //active-mode data connections originate from port 20
xferlog_std_format=YES //standard xferlog format
listen=YES //run standalone on IPv4
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES //consult /etc/vsftpd/user_list (listed users are denied, because userlist_deny defaults to YES)
- 2. /var/ftp/pub is the directory exposed to anonymous users (anonymous sessions are chrooted to the ftp user's home, /var/ftp, so pub shows up as /pub)
[root@vm3 ftp]# pwd
/var/ftp
[root@vm3 ftp]# chmod o+w pub/ //lab shortcut: world-writable. A real drop box keeps pub root-owned 755 and gives the ftp user its own incoming/ subdirectory
[root@vm3 ftp]# ll -d pub/
drwxr-xrwx. 3 root root 26 Oct 14 21:25 pub/
[root@vm3 ftp]# ll pub/
total 0
drwxr-xr-x. 2 root root 6 Oct 14 21:25 a
-rw-r--r--. 1 root root 0 Oct 14 20:50 abc
- 3. Start vsftpd (the reload right after start is harmless but redundant)
[root@vm3 vsftpd]# systemctl start vsftpd
[root@vm3 vsftpd]# systemctl reload vsftpd
1.2 Linux client test
- Test against 172.16.104.132
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): anonymous //log in as anonymous
331 Please specify the password.
Password: //just press Enter; any string or none is accepted for anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd //the session starts at /, which is really /var/ftp on the server because anonymous sessions are chrooted there
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,46,198).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 17 Oct 14 12:50 pub
226 Directory send OK.
ftp> cd pub //enter the server's /var/ftp/pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,16,104,132,132,14).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Oct 14 12:50 abc
226 Directory send OK.
ftp> get abc //download pub/abc into the local working directory; lcd changes that directory
local: abc remote: abc
227 Entering Passive Mode (172,16,104,132,201,161).
150 Opening BINARY mode data connection for abc (0 bytes).
226 Transfer complete.
ftp> put anaconda-ks.cfg //upload anaconda-ks.cfg from the local working directory
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,134,130).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000779 secs (1544.29 Kbytes/sec)
ftp> delete abc //delete the file abc
250 Delete operation successful.
ftp> rmdir a //remove the directory a
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (172,16,104,132,54,32).
150 Here comes the directory listing.
-rw------- 1 14 50 1203 Oct 14 13:29 anaconda-ks.cfg
- Check /var/ftp/pub on the server
[root@vm3 pub]# ll
total 4
-rw-------. 1 ftp ftp 1203 Oct 14 21:29 anaconda-ks.cfg
## The upload came out as 0600 owned by ftp: anonymous sessions run as the ftp user and apply anon_umask, which defaults to 077. Add anon_umask=022 if uploads should be readable by others. With 077 one anonymous client cannot fetch what another one dropped, which is often exactly what a drop box should do.
## The original directory a and the file abc are gone: anon_other_write_enable=YES lets any anonymous client delete or rename everything it can reach in pub, so enable it only for a directory you are prepared to lose.
2. Building a local-user vsftpd service
- This mode is risky: local accounts log in with their system password, and plain FTP sends that password and every file in cleartext, so anyone on the network path can capture an account that may also be valid for ssh or sudo. If local users must be allowed, use ssl_enable=YES together with force_local_logins_ssl=YES and force_local_data_ssl=YES (all vsftpd options).
- Add local users
## ftptest gets no home directory (-M), although /etc/passwd still points it at /home/ftptest
[root@vm3 pub]# useradd -M ftptest
[root@vm3 pub]# echo "123456" | passwd --stdin ftptest
[root@vm3 pub]# cat /etc/passwd | grep ftptest
ftptest:x:1003:1003::/home/ftptest:/bin/bash
## ftp1 gets the home directory /opt/ftp1
[root@vm3 pub]# useradd -d /opt/ftp1 ftp1
[root@vm3 pub]# echo "123456" | passwd --stdin ftp1
Changing password for user ftp1.
passwd: all authentication tokens updated successfully.
[root@vm3 pub]# id ftp1
uid=1004(ftp1) gid=1004(ftp1) groups=1004(ftp1)
2.1 Local-user access: escaping the home directory
Server configuration
- 1. Configure vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES //allow local-account logins
write_enable=YES //allow writes
local_umask=022 //umask for uploaded files
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
- 2. Restart the service to load the configuration
[root@vm3 vsftpd]# systemctl restart vsftpd
Client test
- 1. Login test
## Local user ftptest fails: vsftpd cannot change into the missing home directory
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftptest
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/ftptest
Login failed.
421 Service not available, remote server has closed connection
ftp> ls
Not connected.
ftp>
## Local user ftp1 succeeds; the initial working directory is its home
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/opt/ftp1" is the current directory
- 2. Permission test
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
....................
ftp> pwd
257 "/opt/ftp1" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,182,149).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Oct 14 14:42 hello
226 Directory send OK.
ftp> mkdir 123 //write access
257 "/opt/ftp1/123" created
ftp> get hello //download works
local: hello remote: hello
227 Entering Passive Mode (172,16,104,132,126,9).
150 Opening BINARY mode data connection for hello (0 bytes).
226 Transfer complete.
ftp> put anaconda-ks.cfg //upload works
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,109,100).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000146 secs (8239.73 Kbytes/sec)
ftp> delete hello //delete works
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (172,16,104,132,167,162).
150 Here comes the directory listing.
drwxr-xr-x 2 1004 1004 6 Oct 14 14:44 123
-rw-r--r-- 1 1004 1004 1203 Oct 14 14:44 anaconda-ks.cfg
226 Directory send OK.
## ftp1's home on the server: uploads were created with umask 022
[root@vm3 opt]# ll ftp1/
total 4
drwxr-xr-x. 2 ftp1 ftp1 6 Oct 14 22:44 123
-rw-r--r--. 1 ftp1 ftp1 1203 Oct 14 22:44 anaconda-ks.cfg
[root@vm3 opt]# ll -d ftp1
drwx------. 3 ftp1 ftp1 96 Oct 14 22:44 ftp1 //useradd created the home with mode 700 (a directory needs x, so it is 700 rather than 600)
- 3. Escape test
## Without a chroot the user can leave the home directory and browse from /. Writes elsewhere fail only because of ordinary file permissions, but reads do not: a get of any world-readable file such as /etc/passwd succeeds, so this is an information-disclosure problem rather than mere untidiness.
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/opt/ftp1" is the current directory
ftp> cd / //the working directory can be switched to /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,16,104,132,216,86).
150 Here comes the directory listing.
lrwxrwxrwx 1 0 0 7 May 11 2019 bin -> usr/bin
dr-xr-xr-x 6 0 0 4096 Sep 10 11:02 boot
drwxr-xr-x 20 0 0 3120 Oct 14 10:48 dev
drwxr-xr-x 81 0 0 8192 Oct 14 14:34 etc
ftp> delete abc //writes in / fail (abc does not exist there, and / is not writable by ftp1 anyway)
550 Delete operation failed.
ftp> mkdir 123
550 Create directory operation failed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,98,103).
553 Could not create file.
2.2 Local-user access: confined to the working directory
Server configuration
- 1. vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES //confine every local user to its home directory
## chroot_list_enable=YES //enable the chroot list file, used together with chroot_list_file
## chroot_list_file=/etc/vsftpd/chroot_list //with chroot_local_user=YES the users in this file are the EXCEPTIONS that are NOT confined; with chroot_local_user=NO it lists the only users that are
## allow_writeable_chroot=NO //the default; YES lets the chroot root itself be writable (see the error below)
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
- 2. Restart the service to load the configuration
[root@vm3 vsftpd]# systemctl restart vsftpd
Client test
- Login now fails with 500 OOPS: vsftpd: refusing to run with writable root inside chroot().
The cause: the chroot root (ftp1's home, mode 700 and owned by ftp1) is writable by the confined user, and vsftpd 2.3.5 and later refuse that because a writable chroot root can be abused to escape the jail.
Fixes: 1. take write permission off the home itself (chown root, chmod 555) and give the user a writable subdirectory such as upload/, which keeps the protection; or 2. set allow_writeable_chroot=YES, which is what this page does and which simply switches the protection off.
- 1. Escape test
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
ftp>
## After setting allow_writeable_chroot=YES
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory //really /opt/ftp1: inside the chroot the home is shown as /
ftp> cd /mnt //cannot leave the home directory
550 Failed to change directory.
ftp> ls
227 Entering Passive Mode (172,16,104,132,241,179).
150 Here comes the directory listing.
226 Directory send OK.
- 2. Permission check
## Permissions are unchanged
ftp> mkdir test
257 "/test" created
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,189,111).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000274 secs (4390.51 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,16,104,132,44,176).
150 Here comes the directory listing.
-rw-r--r-- 1 1004 1004 1203 Oct 14 15:47 anaconda-ks.cfg
drwxr-xr-x 2 1004 1004 6 Oct 14 15:46 test
226 Directory send OK.
## ftp1's home on the server
[root@vm3 wisan]# cd /opt/ftp1/
[root@vm3 ftp1]# pwd
/opt/ftp1
[root@vm3 ftp1]# ll
total 4
-rw-r--r--. 1 ftp1 ftp1 1203 Oct 14 23:47 anaconda-ks.cfg
drwxr-xr-x. 2 ftp1 ftp1 6 Oct 14 23:46 test
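Before moving on to virtual users, here is a shell script that checks a vsftpd.conf for the problems sections 1, 2.1 and 2.2 above showed in action (anonymous write, an unset anon_umask, local users without a chroot, a writable chroot root, cleartext logins). It is an added example written for this page, not code from the post or from the vsftpd project. The four sample configurations inside it are constructed here to mirror the page's setups plus a hardened one; they are written to temporary files, so nothing touches the live /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the post or the vsftpd project): audit a
# vsftpd.conf for the problems sections 1, 2.1 and 2.2 demonstrate.
# Assumes the plain key=value format vsftpd reads (whole-line '#' comments).

# conf_has FILE KEY: is KEY assigned (uncommented) anywhere in FILE?
conf_has() { grep -q "^[[:space:]]*$2=" "$1"; }

# conf_get FILE KEY DEFAULT: last uncommented value of KEY, else DEFAULT
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# is_yes VALUE: vsftpd accepts YES, TRUE and 1 as true
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# note TEXT: print one finding and count it (n belongs to vsftpd_audit)
note() { n=$((n + 1)); printf '%s\n' "$1"; }

# vsftpd_audit FILE: one finding per line; returns 0 only when clean
vsftpd_audit() {
    f=$1; n=0
    anon=$(conf_get "$f" anonymous_enable YES)  # compiled-in default is YES
    loc=$(conf_get "$f" local_enable NO)
    wr=$(conf_get "$f" write_enable NO)
    up=$(conf_get "$f" anon_upload_enable NO)
    mk=$(conf_get "$f" anon_mkdir_write_enable NO)
    oth=$(conf_get "$f" anon_other_write_enable NO)
    jail=$(conf_get "$f" chroot_local_user NO)
    jlist=$(conf_get "$f" chroot_list_enable NO)
    wroot=$(conf_get "$f" allow_writeable_chroot NO)
    guest=$(conf_get "$f" guest_enable NO)
    ssl=$(conf_get "$f" ssl_enable NO)

    conf_has "$f" anonymous_enable ||
        note "WARN anonymous_enable unset: vsftpd's compiled-in default is YES"
    if is_yes "$anon" && is_yes "$wr"; then
        if is_yes "$up" || is_yes "$mk"; then
            note "WARN anonymous upload/mkdir enabled (section 1)"
            conf_has "$f" anon_umask ||
                note "INFO anon_umask unset (077): uploads land as 0600 owned by ftp"
        fi
        is_yes "$oth" &&
            note "WARN anon_other_write_enable=YES: anonymous delete/rename/overwrite"
    fi
    if is_yes "$loc" && ! is_yes "$jail" && ! is_yes "$jlist"; then
        note "WARN local users not chrooted: cd / and get of any world-readable file work (section 2.1)"
    fi
    if is_yes "$jail" && is_yes "$jlist"; then
        note "INFO chroot_list_file names the users EXEMPT from the chroot"
    fi
    is_yes "$wroot" &&
        note "WARN allow_writeable_chroot=YES: use a root-owned chroot root plus a writable subdirectory (section 2.2)"
    if { is_yes "$loc" || is_yes "$guest"; } && ! is_yes "$ssl"; then
        note "WARN ssl_enable=NO: passwords and file contents cross the wire in cleartext"
    fi
    if is_yes "$guest" && is_yes "$anon"; then
        note "WARN anonymous_enable=YES is unnecessary for virtual users and also opens anonymous logins (section 3)"
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples mirroring the page's setups (not live config files)
sample_anonymous() {     # section 1
    printf '%s\n' anonymous_enable=YES local_enable=NO write_enable=YES \
        anon_upload_enable=YES anon_mkdir_write_enable=YES \
        anon_other_write_enable=YES listen=YES
}
sample_local_open() {    # section 2.1: no anonymous_enable line, no chroot
    printf '%s\n' local_enable=YES write_enable=YES local_umask=022 listen=YES
}
sample_virtual() {       # section 3 as the page configures it
    printf '%s\n' local_enable=YES write_enable=YES chroot_local_user=YES \
        allow_writeable_chroot=YES anonymous_enable=YES anon_umask=022 \
        guest_enable=YES guest_username=ftp2 listen=YES
}
sample_hardened() {      # what the audit accepts without findings
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        local_umask=022 chroot_local_user=YES allow_writeable_chroot=NO \
        ssl_enable=YES pasv_min_port=30000 pasv_max_port=30100 listen=YES
}

# Demo: audit each sample from a temp file
for s in sample_anonymous sample_local_open sample_virtual sample_hardened; do
    t=$(mktemp); "$s" > "$t"
    printf '== %s\n' "$s"
    vsftpd_audit "$t" || printf '   (%s finding(s))\n' "$n"
    rm -f "$t"
done
```

Run it as `sh vsftpd_audit.sh`; to check the real file, call `vsftpd_audit /etc/vsftpd/vsftpd.conf` and use the exit status in a deployment check. The three page-derived samples each produce three findings; the hardened one produces none.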
3. Building a virtual-user vsftpd service
3.1 Server configuration
- 1. vsftpd.conf
[root@vm3 vsftpd]# vim vsftpd.conf
local_enable=YES //required: every virtual user is mapped onto a local account
write_enable=YES
local_umask=022
chroot_local_user=YES //confine to the home directory
allow_writeable_chroot=YES
anonymous_enable=YES //NOT required for virtual users: with guest_enable=YES they are already treated as anonymous-class users governed by the anon_* options. Leaving this YES additionally opens real anonymous logins to /var/ftp, so set it to NO unless that is wanted too
anon_umask=022
anon_upload_enable=NO //defaults for every virtual user; the per-user files below override them
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
guest_enable=YES //treat non-anonymous logins as virtual users
guest_username=ftp2 //the local account they run as
user_config_dir=/etc/vsftpd/user_dir //directory of per-user override files, one file per virtual user, named after the user
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
- 2. Create the mapped local account and the virtual-user list
## Create ftp2 with no login shell. A password is not needed: nobody logs in as ftp2 directly, and the PAM stack below does not consult it
[root@vm3 vsftpd]# useradd -d /opt/ftp2 -s /sbin/nologin ftp2
[root@vm3 vsftpd]# echo "123456" | passwd --stdin ftp2
[root@vm3 vsftpd]# ll -d /opt/ftp2/
drwx------. 2 ftp2 ftp2 62 Oct 15 00:19 /opt/ftp2/
[root@vm3 vsftpd]# chmod 755 /opt/ftp2
[root@vm3 vsftpd]# ll -d /opt/ftp2/
drwxr-xr-x. 2 ftp2 ftp2 62 Oct 15 00:19 /opt/ftp2/
## Create the virtual-user list /etc/vsftpd/vir_user.list: a username on one line, its password on the next
[root@vm3 vsftpd]# vim vir_user.list
cat
123456
mouse
123456
[root@vm3 vsftpd]# pwd
/etc/vsftpd
- 3. Convert the list into a Berkeley DB hash file with db_load. This converts, it does not encrypt: the passwords sit in vir_user.db in cleartext, hence the chmod 600 below. pam_userdb's crypt=crypt option, with crypt(3) hashes in the list instead of plaintext, avoids storing them at all.
[root@vm3 vsftpd]# db_load -T -t hash -f /etc/vsftpd/vir_user.list /etc/vsftpd/vir_user.db
[root@vm3 vsftpd]# chmod 600 /etc/vsftpd/vir_user.* //protect both files
[root@vm3 vsftpd]# ll
total 40
-rw-------. 1 root root 125 Apr 24 11:01 ftpusers
-rw-------. 1 root root 361 Apr 24 11:01 user_list
-rw-------. 1 root root 12288 Oct 15 00:28 vir_user.db
-rw-------. 1 root root 24 Oct 15 00:24 vir_user.list
-rw-------. 1 root root 448 Oct 15 00:09 vsftpd.conf
-rw-------. 1 root root 5098 Oct 14 18:52 vsftpd.conf.bak
-rwxr--r--. 1 root root 348 Apr 24 11:01 vsftpd_conf_migrate.sh
- 4. PAM authentication for the virtual users
[root@vm3 vsftpd]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak //back up first
[root@vm3 vsftpd]# vim /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vir_user //path of vir_user.db without the .db suffix
account required pam_userdb.so db=/etc/vsftpd/vir_user
## Replacing the whole file drops the stock pam_unix lines, so from now on local users such as ftp1 can no longer log in. If both kinds are needed, keep the stock lines and place the two pam_userdb entries as "sufficient" ahead of them.
- 5. Create the per-user configuration directory
[root@vm3 vsftpd]# mkdir -p /etc/vsftpd/user_dir
[root@vm3 vsftpd]# ll
total 40
-rw-------. 1 root root 125 Apr 24 11:01 ftpusers
drwxr-xr-x. 2 root root 6 Oct 15 00:41 user_dir
-rw-------. 1 root root 361 Apr 24 11:01 user_list
-rw-------. 1 root root 12288 Oct 15 00:28 vir_user.db
-rw-------. 1 root root 24 Oct 15 00:24 vir_user.list
-rw-------. 1 root root 448 Oct 15 00:09 vsftpd.conf
-rw-------. 1 root root 5098 Oct 14 18:52 vsftpd.conf.bak
-rwxr--r--. 1 root root 348 Apr 24 11:01 vsftpd_conf_migrate.sh
- 6. Set each virtual user's permissions
[root@vm3 vsftpd]# cd user_dir/
[root@vm3 user_dir]# pwd
/etc/vsftpd/user_dir
[root@vm3 user_dir]# touch cat && echo "anon_upload_enable=YES" >> cat
[root@vm3 user_dir]# echo "anon_mkdir_write_enable=YES" >> cat
[root@vm3 user_dir]# touch mouse
[root@vm3 user_dir]# ll
total 4
-rw-r--r--. 1 root root 51 Oct 15 00:46 cat
-rw-r--r--. 1 root root 0 Oct 15 00:46 mouse
[root@vm3 user_dir]# cat cat //virtual user cat may upload and create directories
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@vm3 user_dir]# cat mouse //empty: virtual user mouse keeps the global defaults, download only
- 7. Restart to load the configuration
[root@vm3 vsftpd]# systemctl restart vsftpd
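Steps 2 to 6 above are done by hand. The following shell script, an added example rather than code from the post or from vsftpd, produces and checks the same files: it builds the alternating user/password list from a user:password input (an input format chosen here, not anything vsftpd defines), runs db_load where it is installed, prints the two PAM lines, and checks the user_config_dir files for the trailing-note mistake that breaks vsftpd's parser. The paths are placeholders under a temporary directory, and the users cat and mouse with password 123456 are the page's own test data, constructed here as input.

```shell
#!/bin/sh
# Added example (not from the post or vsftpd): generate and sanity-check
# the virtual-user files of section 3. Assumes pam_userdb's alternating
# user/password list, db_load from Berkeley DB and vsftpd's user_config_dir
# layout, all as used on the page. The 'user:password' input is our own.

# make_userlist IN OUT: 'user:password' lines -> the list db_load -T reads.
# Refuses empty passwords and usernames outside [A-Za-z0-9_.-].
make_userlist() {
    src=$1; dst=$2
    : > "$dst" && chmod 600 "$dst"   # the list holds cleartext secrets
    while IFS=: read -r u p; do
        case $u in ''|'#'*) continue ;; esac
        case $u in *[!A-Za-z0-9_.-]*)
            printf 'bad username: %s\n' "$u" >&2; return 1 ;;
        esac
        [ -n "$p" ] || { printf 'empty password for %s\n' "$u" >&2; return 1; }
        printf '%s\n%s\n' "$u" "$p" >> "$dst"
    done < "$src"
}

# build_db LIST BASE: BASE is the path WITHOUT .db, exactly what the
# pam_userdb db= option wants. Skips cleanly where db_load is absent.
build_db() {
    if ! command -v db_load >/dev/null 2>&1; then
        printf 'db_load not found, skipping %s.db\n' "$2" >&2; return 0
    fi
    db_load -T -t hash -f "$1" "$2.db" && chmod 600 "$2.db"
}

# pam_snippet BASE: the two lines the page puts in /etc/pam.d/vsftpd.
# Add crypt=crypt to both if the list stores crypt(3) hashes. Note that
# without the stock pam_unix lines local users cannot log in any more.
pam_snippet() {
    printf '#%%PAM-1.0\nauth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' "$1" "$1"
}

# check_user_config DIR LIST: one line per user whose per-user file is
# missing (harmless: global anon_* values apply) or malformed (a trailing
# '//' note, as on the page's listings, breaks vsftpd). Returns the count.
check_user_config() {
    dir=$1; bad=0
    for u in $(awk 'NR % 2 == 1' "$2"); do
        if [ ! -f "$dir/$u" ]; then
            printf 'INFO %s: no %s/%s, global anon_* settings apply\n' "$u" "$dir" "$u"
            bad=$((bad + 1))
        elif grep -qv -e '^[a-z_]*=[^[:space:]]*$' -e '^#' -e '^$' "$dir/$u"; then
            printf 'WARN %s: malformed line in %s/%s\n' "$u" "$dir" "$u"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo with constructed input under a temp dir (nothing written to /etc)
w=$(mktemp -d)
printf 'cat:123456\nmouse:123456\n' > "$w/users.txt"
make_userlist "$w/users.txt" "$w/vir_user.list"
build_db "$w/vir_user.list" "$w/vir_user"
pam_snippet /etc/vsftpd/vir_user
mkdir -p "$w/user_dir"
printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n' > "$w/user_dir/cat"
check_user_config "$w/user_dir" "$w/vir_user.list"   # mouse has no file
```

On the real server the same functions run with /etc/vsftpd/vir_user.list, /etc/vsftpd/vir_user and /etc/vsftpd/user_dir as arguments; the list file is created 600 before any secret is written to it, so there is no window in which it is world-readable.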
3.2 Client test
Virtual user cat
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): cat
331 Please specify the password.
Password:
230 Login successful. //cat logs in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,75,120).
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /mnt //cannot leave the home directory
550 Failed to change directory.
ftp> mkdir cat //can create directories
257 "/cat" created
ftp> put anaconda-ks.cfg //can upload files
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,57,111).
150 Ok to send data.
226 Transfer complete.
1203 bytes sent in 0.000186 secs (6467.74 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,16,104,132,229,53).
150 Here comes the directory listing.
-rw-r--r-- 1 1005 1005 1203 Oct 14 16:52 anaconda-ks.cfg
drwxr-xr-x 2 1005 1005 6 Oct 14 16:52 cat
ftp> delete anaconda-ks.cfg //cannot delete: anon_other_write_enable stays NO for cat
550 Permission denied.
## ftp2's home on the server, the local account cat is mapped to, where the upload landed
[root@vm3 ftp2]# pwd
/opt/ftp2
[root@vm3 ftp2]# ls
anaconda-ks.cfg cat
[root@vm3 ftp2]# ll
total 4
-rw-r--r--. 1 ftp2 ftp2 1203 Oct 15 00:52 anaconda-ks.cfg
drwxr-xr-x. 2 ftp2 ftp2 6 Oct 15 00:52 cat
Virtual user mouse
[root@vm2 ~]# ftp 172.16.104.132
Connected to 172.16.104.132 (172.16.104.132).
220 (vsFTPd 3.0.3)
Name (172.16.104.132:root): mouse
331 Please specify the password.
Password:
230 Login successful. //mouse logs in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory
ftp> ls
227 Entering Passive Mode (172,16,104,132,153,6).
150 Here comes the directory listing.
-rw-r--r-- 1 1005 1005 1203 Oct 14 16:52 anaconda-ks.cfg
drwxr-xr-x 2 1005 1005 6 Oct 14 16:52 cat
226 Directory send OK.
ftp> get anaconda-ks.cfg //can download
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,16,104,132,129,146).
150 Opening BINARY mode data connection for anaconda-ks.cfg (1203 bytes).
226 Transfer complete.
1203 bytes received in 0.0004 secs (3007.50 Kbytes/sec)
ftp> mkdir mouse //cannot create directories
550 Permission denied.
ftp> delete anaconda-ks.cfg //cannot delete
550 Permission denied.
ftp> put abc //cannot upload
local: abc remote: abc
227 Entering Passive Mode (172,16,104,132,245,132).
550 Permission denied.