"There are only requirements nobody has thought of, none that can't be done!"

The basic configuration of vsftpd virtual users is covered in the earlier article
vsftp 虚拟用户设置 (vsftp virtual user setup)
This article covers restricting virtual users by source IP. Without further ado, on to the topic.

First, note that the official vsftpd does not have this feature. You either apply the patch yourself or download a vsftpd source tarball with the patch already applied. The download address is:

http://vsftpd.devnet.ru/

As of 2009.12.07 this address has been blocked and is only reachable through a proxy. The site is not the official vsftpd site, so it does not update as fast as the official one, but it does not lag far behind either, roughly three months, which is fast enough. This article uses the latest patched version, 2.1.2 (2009.06.18), for the installation and configuration.

Download the patched vsftpd 2.1.2

Check the current latest version on the site

http://vsftpd.devnet.ru/eng/

Last build 2.1.2 (ext.1)

I downloaded from this address through a web proxy; wget on Linux cannot fetch it, only a browser can.

Compile vsftpd
# tar -xvzf vsftpd-2.1.2.tar.gz -C ../src
# cd ../src/vsftpd-2.1.2

Edit "builddefs.h" to choose the compile-time options (tcp_wrappers, ssl, and so on). Changing #undef to #define turns a module on; below I have enabled the SSL module. VSF_BUILD_PAM must stay defined, because the virtual users are authenticated through PAM (pam_userdb) later on.

# vi builddefs.h

#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
#undef VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#define VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */

Build and check the result

# make
# ls -l vsftpd
-rwxr-xr-x 1 root root 126808 Dec 7 11:57 vsftpd

Note: on a 64-bit system, vsf_findlib.sh (the script make uses to find the libraries to link against) needs the following section changed:

# Look for PAM (done weirdly due to distribution bugs (e.g. Debian) or the
# crypt library.
if find_func pam_start sysdeputil.o; then
locate_library /lib/libpam.so.0 && echo "/lib/libpam.so.0";
locate_library /usr/lib/libpam.so && echo "-lpam";
# HP-UX ends shared libraries with .sl
locate_library /usr/lib/libpam.sl && echo "-lpam";
# AIX ends shared libraries with .a
locate_library /usr/lib/libpam.a && echo "-lpam";
else
locate_library /lib/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
fi
# Look for libcap (capabilities)
if locate_library /lib/libcap.so.1; then
echo "/lib/libcap.so.1";
elif locate_library /lib/libcap.so.2; then
echo "/lib/libcap.so.2";
else
locate_library /usr/lib/libcap.so && echo "-lcap";
locate_library /lib/libcap.so && echo "-lcap";
fi

Change the /lib/ paths to /lib64/ (on x86_64 the 64-bit libpam and libcap live there) and run make again; the link errors disappear.
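As an added example (mine, not from the article or from the vsftpd sources), here are two small shell helpers for the two build-time edits above: switching an #undef in builddefs.h to #define, and rewriting the /lib/ library paths in vsf_findlib.sh as /lib64/ while leaving the /usr/lib/ entries alone. The file to edit is an argument, so the helpers can be tried on a copy first, and builddef_state lets you check the result before running make.

```bash
#!/bin/sh
# Added helpers for the two build-time edits; not part of the article or
# of vsftpd itself.  Each takes the file to edit as its first argument.

# enable_builddef FILE SYMBOL: turn "#undef SYMBOL" into "#define SYMBOL".
# Other symbols in the file are left untouched.
enable_builddef() {
    sed "s/^#undef[[:space:]][[:space:]]*$2\$/#define $2/" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# builddef_state FILE SYMBOL: print define, undef or missing, so the
# result can be verified before make is run.
builddef_state() {
    if grep -q "^#define[[:space:]][[:space:]]*$2\$" "$1"; then
        echo define
    elif grep -q "^#undef[[:space:]][[:space:]]*$2\$" "$1"; then
        echo undef
    else
        echo missing
    fi
}

# use_lib64 FILE: rewrite /lib/ as /lib64/ in vsf_findlib.sh.  Only a
# "/lib/" preceded by a space or a double quote is changed, which is how
# every locate_library and echo argument in that script is written, so
# the /usr/lib/ entries (where "/lib/" follows an "r") are kept.
use_lib64() {
    sed 's#\([ "]\)/lib/#\1/lib64/#g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# lib32_lines FILE: number of lines still referring to a bare /lib/ path
# (0 once use_lib64 has been applied).
lib32_lines() {
    grep -c '[ "]/lib/' "$1" || true
}
```

Run `enable_builddef builddefs.h VSF_BUILD_SSL` and `use_lib64 vsf_findlib.sh` inside the unpacked source directory, then `make`.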

Install vsftpd

For the installation I use a "grafting" approach: install the distribution's vsftpd RPM with yum first, then overwrite the RPM's binary with the compiled binary that carries the extensions; the man pages can be copied along as well if wanted. The RPM provides the init script, the PAM file and the /etc/vsftpd layout used below. Two consequences to keep in mind: rpm -V vsftpd will report the replaced files, and the next yum update of the vsftpd package puts the stock binary back, silently dropping users_access_ip and the other extended options; add exclude=vsftpd to the [main] section of /etc/yum.conf, or re-copy the binary after every update. Proceed as follows:

# yum install vsftpd -y
# rpm -ql vsftpd

/etc/logrotate.d/vsftpd.log
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd
/etc/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd
/usr/share/doc/vsftpd-2.0.5
/usr/share/doc/vsftpd-2.0.5/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp
/var/ftp/pub

Overwrite /usr/sbin/vsftpd with the compiled binary, delete the RPM's man pages and copy over the man pages from the patched source, which document the extended options:

# cp vsftpd /usr/sbin/vsftpd
# rm /usr/share/man/man5/vsftpd.conf.5.gz /usr/share/man/man8/vsftpd.8.gz
# cp vsftpd.conf.5 /usr/share/man/man5/
# cp vsftpd.8 /usr/share/man/man8/

Configure the virtual users
# vi /etc/vsftpd/vsftpd.conf

#========================#
# User Config         #
#========================#

anonymous_enable=NO
local_enable=YES

#=======================#
# Permissions Config    #
#=======================#

write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
#chown_uploads=NO
#chown_username=root
userlist_enable=YES
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
#ls_recurse_enable=YES
tcp_wrappers=YES

#=================#
# Log File Config    #
#=================#
dual_log_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
use_localtime=YES

#===========================#
# Transport Config     #
#===========================#
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES

#============================#
# Welcome information Config #
#============================#
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
dirmessage_enable=NO

#=======================#
# Port Config        #
#=======================#
connect_from_port_20=YES
listen=YES
ftp_data_port=20
pasv_min_port=1024
pasv_max_port=10000
#pasv_enable=NO
#listen_ipv6=YES

#============#
# pam module #
#============#
pam_service_name=vsftpd

#=============================#
# Virtual User Config         #
#=============================#
# Enable the virtual user feature.
guest_enable=YES

# Local (host) account that virtual users are mapped to
guest_username=ftp

# Give virtual users the same privileges as their host account
virtual_use_local_privs=YES

# Directory holding the per-user vsftpd configuration files.
# Each file in it is named exactly after the virtual user it
# belongs to, and its settings override vsftpd.conf for that
# user's session. For example, copy vsftpd.conf into this
# directory and rename (mv) it to the virtual user's name.

user_config_dir=/etc/vsftpd/vconf
#===================#
# SSL FTP         #
#===================#
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem

#==========================#
# Restrict users to source IPs #
#==========================#

users_access_ip=/etc/vsftpd/vsftpd.users_ip

Three notes on this configuration. ssl_sslv2=YES and ssl_sslv3=YES enable protocol versions that are broken; on a current system set both to NO and keep only TLS (they are left here as in the original setup). force_local_logins_ssl=NO means a client may still send a virtual user's password in clear text; set it to YES once all clients speak FTPS. And tcp_wrappers=YES does nothing with the builddefs.h used above: when VSF_BUILD_TCPWRAPPERS is not defined, vsftpd's tcpwrap.c compiles to a stub that accepts every connection, so hosts.allow and hosts.deny are never consulted; the users_access_ip rules do not depend on it.

Edit /etc/pam.d/vsftpd to authenticate the virtual users against the password database. Two points about the stack below: the pam_userdb lines are marked sufficient and come first, so a virtual user is accepted on the database alone and never reaches the pam_listfile (ftpusers) and pam_shells checks, which therefore only apply to real system accounts; and the module is given by absolute path under /lib/security, which does not exist on an x86_64 host (the modules are under /lib64/security there), so write the bare name pam_userdb.so as the other lines do and let PAM find it.
# vi /etc/pam.d/vsftpd

#%PAM-1.0
auth sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
account sufficient /lib/security/pam_userdb.so db=/etc/vsftpd/virtusers
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so

Create the virtual accounts

denis
# vi /etc/vsftpd/vconf/denis
local_root=/data/share
write_enable=NO

noya
# vi /etc/vsftpd/vconf/noya
local_root=/data/share
write_enable=YES
cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT,RENAME
file_open_mode=0444

sean
# vi /etc/vsftpd/vconf/sean
local_root=/data/share
write_enable=YES
cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT,RENAME
file_open_mode=0444

Note: noya and sean can upload (STOR, STOU), rename (RNFR/RNTO) and create directories (MKD), and can list names (LIST, NLST), but cannot download (no RETR) or delete (no DELE, no RMD). denis can download but cannot modify or upload anything (write_enable=NO). Two caveats on the write-only accounts: file_open_mode=0444 creates uploads without write permission even for their owner, so a second STOR to an existing name fails, which is what a drop box wants; but RNTO still renames over an existing file, because rename(2) only needs write permission on the directory, so an uploader can replace another upload by uploading under a temporary name and renaming. Drop RNFR and RNTO from cmds_allowed if uploads must be immutable.

Set the virtual users' passwords (a user name line followed by its password line; the file is plain text, so keep it mode 600 or delete it once the database is built)

# vi /etc/vsftpd/virtusers
noya
neImsikio!ttnz4gm3xM
denis
Zpsgd4dDynfk7pgulwd.
sean
Pvs6bcofmqdngy5Mz^bq

Generate the database file

# db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db
(The db_load command is in the db4-utils package.) pam_userdb looks the user name up as the key and, with no crypt= option on the PAM line above, compares the stored password in plain text, so /etc/vsftpd/virtusers.db must be readable by root only (chmod 600), and the plain-text source file should be removed or given the same mode.
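The input format is easy to get wrong: db_load -T reads the file as strictly alternating key and data lines, so a blank line or a user without a password line shifts every following pair, and a password silently becomes a user name. The following added example (mine, not the article's and not part of vsftpd or db4) validates the list before building the database, then tightens the permissions on both files for the reason given above. The sample list in the test is built from the article's three accounts.

```bash
#!/bin/sh
# Added example: sanity-check the alternating user/password list that
# db_load -T reads, then build the hash database that pam_userdb opens.
# Not part of the article, of vsftpd or of db4-utils.

# validate_virtusers FILE: report blank lines, duplicate users, odd user
# names and a final user without a password line.  Returns 1 if any found.
validate_virtusers() {
    awk '
        /^[ \t]*$/ { printf "line %d: blank line\n", NR; bad = 1; next }
        NR % 2 == 1 {
            if (seen[$0]++) { printf "line %d: duplicate user %s\n", NR, $0; bad = 1 }
            if ($0 !~ /^[A-Za-z0-9._-]+$/) { printf "line %d: odd user name %s\n", NR, $0; bad = 1 }
        }
        END {
            if (NR % 2 == 1) { printf "line %d: final user has no password line\n", NR; bad = 1 }
            exit bad + 0
        }' "$1"
}

# has_virtuser LIST USER: 0 if USER appears on a user (odd) line.
has_virtuser() {
    awk -v u="$2" 'NR % 2 == 1 && $0 == u { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# build_virtusers_db LIST DB: validate, load into a Berkeley DB hash file,
# and make both files readable by root only (the list holds the clear-text
# passwords that pam_userdb compares against).
build_virtusers_db() {
    validate_virtusers "$1" || return 1
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$1" "$2"
}
```

Usage: `build_virtusers_db /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db`; the function refuses to build the database while the list has a problem, so a shifted pair never reaches PAM.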

Restrict virtual users by source IP
# vi /etc/vsftpd/vsftpd.users_ip

noya 192.168.101.0/24
denis 192.168.104.0/24 192.168.106.0/24
wills 192.168.104.0/24 192.168.106.0/24

Each line is a virtual user name followed by one or more source networks in CIDR notation. Only the users listed are restricted: sean has no line, so by the rule in the appendix (a user not listed is considered to have access) he may log in from any address, and wills is restricted here although no account was created for him above. A user whose address is given as 0.0.0.0 is locked out altogether. Because the default is to allow, every virtual account that should be restricted must appear in this file.

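The following added example (mine, not the article's and not code from the devnet.ru patch, whose matching routine is not on this page) models the two gates a virtual user passes in this setup: the users_access_ip line checked at log-in, and the cmds_allowed list from the per-user file under /etc/vsftpd/vconf checked for every command. It applies the rules the man page excerpt in the appendix states (an unlisted user is unrestricted, an address of 0.0.0.0 locks the user out) and assumes, where the excerpt is silent, that a network without /bits is a single host, that the first line for a user is the one that counts, and that a bare 0.0.0.0 means lock-out while 0.0.0.0/0 is an ordinary any-address network; write_enable is not modelled, only the command list. It runs on copies of the two files, so a rule set can be checked before the daemon is restarted.

```bash
#!/bin/sh
# Added example, not from the article or the devnet.ru patch: a model of
# the two gates a virtual user passes in this setup.
#   ip_rule_allows RULES USER IP   users_access_ip, checked at log-in
#   cmd_allowed    VCONF CMD       cmds_allowed in the per-user file
# Assumptions (the patch's matching code is not on the page): an unlisted
# user is unrestricted and a bare 0.0.0.0 locks the user out, as the man
# page excerpt says; a network without /bits is one host (/32); the first
# line for a user counts; 0.0.0.0/0 is an ordinary any-address network;
# write_enable is not modelled.

# ip2int A.B.C.D: the address as a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET[/BITS]: 0 if IP lies inside NET.
in_net() {
    local net="${2%/*}" bits="${2#*/}" mask
    [ "$bits" = "$2" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ip_rule_allows RULES USER IP: 0 = may log in, 1 = refused.
ip_rule_allows() {
    local user nets n
    while read -r user nets || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        [ "$user" = "$2" ] || continue
        for n in $nets; do
            [ "$n" = 0.0.0.0 ] && return 1      # explicit lock-out
            in_net "$3" "$n" && return 0
        done
        return 1                                # listed, nothing matched
    done < "$1"
    return 0                                    # not listed: unrestricted
}

# cmd_allowed VCONF CMD: 0 if CMD is usable under that per-user file.
# Without a cmds_allowed line every command is available (vsftpd's
# default); vsftpd takes the last definition if a key is repeated.
cmd_allowed() {
    local list
    list=$(sed -n 's/^cmds_allowed=//p' "$1" | tail -n 1)
    [ -z "$list" ] && return 0
    case ",$list," in *",$2,"*) return 0 ;; esac
    return 1
}

# session_check RULES VCONF_DIR USER IP CMD: verdict for USER logging in
# from IP and then issuing CMD.  Returns 0 permitted, 1 log-in refused,
# 2 command refused, and prints the reason.
session_check() {
    if ! ip_rule_allows "$1" "$3" "$4"; then
        echo "login refused: $3 from $4 is outside its networks in $1"
        return 1
    fi
    if [ -f "$2/$3" ] && ! cmd_allowed "$2/$3" "$5"; then
        echo "$5 refused: not in cmds_allowed for $3"
        return 2
    fi
    echo "$5 permitted for $3 from $4"
}
```

Against the files from this article, `session_check /etc/vsftpd/vsftpd.users_ip /etc/vsftpd/vconf noya 192.168.104.7 STOR` reports a log-in refusal, the same call from 192.168.101.7 with DELE is refused on the command list, and sean passes the IP gate from any address because he has no rule.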
Start vsftpd and verify the configuration:

# service vsftpd start

Then log in as noya from a host in 192.168.101.0/24 and from a host outside it; the second log-in must be refused. Log-ins are recorded in /var/log/vsftpd.log (vsftpd_log_file above).

Appendix:

man vsftpd.conf
ADDITIONAL OPTIONS IN EXTENDED BUILD

add_default_rule, anon_delete_enable, anon_max_rate_rx, anon_max_rate_tx, anon_rxtx_rate, bind_retries, chown_by_ip, chown_group, convert_charset_enable, double_377, local_charset, local_max_rate_rx, local_max_rate_tx, local_rxtx_rate, pasv_addr_rules, remote_charset, tpm_allow_anon_root_access, users_access_ip

add_default_rule

Only applies if a rules file is loaded through the pasv_addr_rules option. If set to YES, the following rule is appended: 0.0.0.0 0.0.0.0/0 0.0.0.0 remote_charset anonymous_enable anon_upload_enable anon_mkdir_write_enable anon_other_write_enable anon_delete_enable (the trailing fields are named after options, presumably taking those options' values; the excerpt says no more).

Default: NO

anon_delete_enable

If set to YES, anonymous users are permitted to delete files. This option works together with anon_other_write_enable.

Default: YES

anon_max_rate_rx

The maximum upload data transfer rate permitted, in bytes per second, for anonymous clients, used when anon_rxtx_rate is set.

Default: 0 (unlimited)

anon_rxtx_rate

If set to YES, upload and download speeds can be set separately with anon_max_rate_rx and anon_max_rate_tx.

Default: NO

bind_retries

The number of attempts to bind the incoming data connection.

Default: 10

chown_by_ip

If enabled, all anonymously uploaded files have their ownership changed according to the client's IP address. Only available if chown_uploads is set.

Default: NO

convert_charset_enable

If set to YES, internal conversion tables are used to translate characters between the local charset (local_charset) and the remote charset (remote_charset).

Default: NO

double_377

If set to NO, the telnet-specific handling of character 377 (octal, i.e. 0xFF) is switched off.

Default: YES

local_charset

Defines the local system charset. Possible values: NONE, UTF8 (UTF-8), WIN1251 (1251 or CP1251), KOI8R (878 or CP878), KOI8U (878U or CP878U), IBM866 (866 or CP866), ISO-8859-5 (ISO5), ISO-8859-1 (LATIN1 or ISO1), ISO-8859-15 (LATIN9 or ISO15), WIN1252 (1252 or CP1252), ISO-8859-2 (LATIN2 or ISO2), ISO-8859-16 (ISO16) or WIN1250 (1250 or CP1250).

Default: NONE

local_max_rate_rx

The maximum upload data transfer rate permitted, in bytes per second, for local authenticated users, used when local_rxtx_rate is set.

Default: 0 (unlimited)

local_max_rate_tx

The maximum download data transfer rate permitted, in bytes per second, for local authenticated users, used when local_rxtx_rate is set.

Default: 0 (unlimited)

local_rxtx_rate

If set to YES, upload and download speeds can be set separately with local_max_rate_rx and local_max_rate_tx.

Default: NO

pasv_addr_rules

Use this option to load a rules file. The leading address fields of the line format are missing from this copy of the man page; only the optional trailing fields survive:

[remote_charset] [anonymous_enable [anon_upload_enable [anon_mkdir_write_enable [anon_other_write_enable [anon_delete_enable]]]]]

If passive_address is given as 0.0.0.0, the value of the pasv_address option is used.

Default: /etc/vsftpd/pasv_rules

remote_charset

Defines the remote client's charset. The available values are the same as for local_charset.

Default: NONE

tpm_allow_anon_root_access

If enabled, anonymous users can write to a writable root directory on the server in the two-process model.

Default: NO

users_access_ip

Use this option to load the user access rules file. The file has the following format (the field list is missing from this copy of the man page; the example file /etc/vsftpd/vsftpd.users_ip above shows a user name followed by one or more networks per line):

[...]

If remote_address is given as 0.0.0.0, the user cannot access the FTP server at all.

A user not listed in this file is considered to have access.


Original article; when reposting please credit: from http://salogs.com