jerryandjudy / happylife


FTP installation #81

Open jerryandjudy opened 8 years ago

jerryandjudy commented 8 years ago

This post explains how the FTP service works and how to install and configure vsftpd, the most commonly used FTP server program...

1. How the FTP service works

FTP (File Transfer Protocol) is a very old and extremely widely used file transfer protocol, and it remains one of the most widely used network file-sharing protocols today. We still use FTP all the time to transfer all kinds of files; it gives us a reliable way to share files over a network.

FTP is a client/server (C/S) service, with a server side and a client side. Underneath, FTP uses TCP as its transport protocol, which is why it is a reliable way to transfer files. FTP uses two port numbers, 20 and 21: port 20 is the data port, used for transferring data, and port 21 is the command port, used for transferring commands.

There are generally two modes in which an FTP client connects to a server: active mode and passive mode.

① Active mode works as follows (the original post illustrates it with a figure):

In active mode, the client first sends a connection command to port 21 on the server, requesting a connection. The server responds and asks the client to send a port to be used for the data transfer; this port number must be > 1023. The server's port 20 then actively opens a connection to that data port, and the client and server transfer data over it.

② Passive mode works as follows (the original post illustrates it with a figure):

The difference in passive mode is that, after the client has again first connected to port 21 on the server, the server opens a data-transfer port > 1023 and returns it to the client. The client also opens a port > 1023 and then actively connects to the server's data-transfer port, and the two transfer data over that connection.

So the difference between active and passive mode comes down to whether the server's port 20 actively opens the connection to the client, or the server opens a random port and waits for the client to connect to it. In our production environments we usually use passive mode, because our servers all have a firewall configured, and firewalls generally let connections from the internal network out to the external network through while restricting connections from the external network in. If we used active mode, the port might be blocked by the firewall and we would not be able to provide our FTP service.

2. Installing vsftpd

On Linux, the most widely used FTP server program is vsftpd (Very Secure FTP Daemon); as the name suggests, it provides a very secure FTP service. vsftpd is the name of a server that runs on UNIX-like operating systems; it can run on Linux, BSD, Solaris, HP-UX and IRIX, among others. It supports many features that other FTP servers do not, for example:

① very high security requirements  ② bandwidth limiting  ③ the ability to create virtual users  ④ high speed  ...

In short, vsftpd gives us a fast, stable and fairly secure FTP service.

vsftpd is not installed by default on CentOS; we install it with yum install vsftpd.

```
[root@xiaoluo ~]# yum install -y vsftpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Dependencies Resolved

 Package        Arch         Version                  Repository     Size
Installing:
 vsftpd         x86_64       2.2.2-11.el6_4.1         updates       151 k

Transaction Summary
Install       1 Package(s)

Total download size: 151 k
Installed size: 331 k
Downloading Packages:
vsftpd-2.2.2-11.el6_4.1.x86_64.rpm                       | 151 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : vsftpd-2.2.2-11.el6_4.1.x86_64                               1/1
  Verifying  : vsftpd-2.2.2-11.el6_4.1.x86_64                               1/1

Installed:
  vsftpd.x86_64 0:2.2.2-11.el6_4.1

Complete!
```

That installs the vsftpd service program. Now that it is installed, let's look at vsftpd's configuration files; they all live in the /etc/vsftpd/ directory.

```
[root@xiaoluo ~]# cd /etc/vsftpd/
[root@xiaoluo vsftpd]# ls -l
total 20
-rw-------. 1 root root  125 Mar  1 18:16 ftpusers
-rw-------. 1 root root  361 Mar  1 18:16 user_list
-rw-------. 1 root root 4599 Mar  1 18:16 vsftpd.conf
-rwxr--r--. 1 root root  338 Mar  1 18:16 vsftpd_conf_migrate.sh
```

There are four configuration files in total. vsftpd.conf is the main configuration file. ftpusers is the user blacklist; the system accounts and the root account are normally listed in this file, because these accounts have a lot of privileges and letting them use the FTP service could cause problems. user_list is the user list file; the main configuration file decides whether the users listed in it are treated as a blacklist or a whitelist. The last one is the FTP service migration script.

After vsftpd is installed we can see an ftp folder under /var; that folder is our FTP shared folder.

```
[root@xiaoluo vsftpd]# cd /var/ftp/
[root@xiaoluo ftp]# ls
pub
```

3. FTP users and how files are shared

vsftpd uses users as its unit of management: to access an FTP share you must log in as some specific user. We can configure the following kinds of users:

① Normal users (system users)

Normal users are the system users of our operating system; in general the various services we install can be used by logging in as a system user.

First we start the vsftpd service. Here we first use the graphical tool provided by CentOS to log in to our FTP server as our current system user.

```
[root@xiaoluo ftp]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
```

Enter the current system user's username and password and you are logged in. After logging in as a system user, the folder opened by default is that user's home directory, and the user can access any file or folder the user has permission to access.

② Anonymous user (anonymous)

This is a login method supported by all FTP servers: we can log in without entering any information.

As we can see, we logged in to our FTP server without entering any information; this is an anonymous login.

By default, a system user named ftp is created when vsftpd is installed; this is the user used for anonymous logins. The anonymous ftp user's default login directory is /var/ftp/, and any file with no access restrictions can be shared with anonymous users.

```
[root@xiaoluo ftp]# cat /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
```

So why can our FTP server be logged in to anonymously? Mainly because of what is configured in vsftpd.conf:

```
[root@xiaoluo ftp]# cat /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES  // allows anonymous users to log in
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
```

As we can see, anonymous_enable=YES in the configuration file is what allows anonymous users to log in; if it is set to NO, anonymous users can no longer log in.

③ Virtual users (ftp-only)

These are users created specifically and only for using FTP; they are used less often.

To log in to FTP we can use not only the GUI provided by CentOS but also a command-line tool; here we use lftp, which likewise has to be installed first.

```
[root@xiaoluo ~]# yum install -y lftp
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Dependencies Resolved

 Package        Arch         Version                  Repository     Size
Installing:
 lftp           x86_64       4.0.9-1.el6              base          753 k

Transaction Summary
Install       1 Package(s)

Total download size: 753 k
Installed size: 2.5 M
Downloading Packages:
lftp-4.0.9-1.el6.x86_64.rpm                              | 753 kB     00:10
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lftp-4.0.9-1.el6.x86_64                                      1/1
  Verifying  : lftp-4.0.9-1.el6.x86_64                                      1/1

Installed:
  lftp.x86_64 0:4.0.9-1.el6

Complete!
```

Now we can use lftp to log in to our FTP server.

① Log in directly with lftp 127.0.0.1

```
[root@xiaoluo ~]# lftp 127.0.0.1
lftp 127.0.0.1:~> pwd
ftp://127.0.0.1
lftp 127.0.0.1:~> ls
drwxr-xr-x    2 0        0            4096 Mar 01 10:16 pub
```

This logs in to the FTP server as the anonymous user; we can see that the directory we land in after logging in is the /var/pub shared directory.

② Log in with lftp -u xiaoluo 127.0.0.1

```
[root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
Password:
lftp xiaoluo@127.0.0.1:~> pwd
ftp://xiaoluo@127.0.0.1
lftp xiaoluo@127.0.0.1:~> ls
drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
```

We can also use -u to log in to FTP as a system user; after a system user logs in, the default directory is that user's home directory.

4. Uploading and downloading files over FTP

① Uploads and downloads as a normal user

With the lftp command we can also upload and download files, using the put and get commands respectively.

For example, I now create a file xiaoluo.txt in user xiaoluo's home directory and then download it from the FTP server with the get command:

```
[xiaoluo@xiaoluo ~]$ touch xiaoluo.txt
[xiaoluo@xiaoluo ~]$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  xiaoluo.txt
[xiaoluo@xiaoluo ~]$ su -
Password:
[root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
Password:
lftp xiaoluo@127.0.0.1:~> ls
drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
-rw-rw-r--    1 500      500             0 Jun 08 16:20 xiaoluo.txt
lftp xiaoluo@127.0.0.1:~> get xiaoluo.txt
lftp xiaoluo@127.0.0.1:~> exit
[root@xiaoluo ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
```

As we can see, we logged in as user xiaoluo and created a file xiaoluo.txt in that user's home directory, then switched to root, logged in with lftp, and downloaded the file with the get command; root's home directory now contains the xiaoluo.txt we just downloaded.

[Note:] whichever directory the root user was in when logging in with lftp is the directory the file is downloaded into.

Likewise we can upload a file to the FTP server with the put command:

```
[root@xiaoluo ~]# touch root.txt
[root@xiaoluo ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  root.txt  xiaoluo.txt
[root@xiaoluo ~]# lftp -u xiaoluo 127.0.0.1
Password:
lftp xiaoluo@127.0.0.1:~> put root.txt
lftp xiaoluo@127.0.0.1:~> ls
drwxr-xr-x    2 500      500          4096 May 26 05:22 Desktop
drwxr-xr-x    3 500      500          4096 May 19 16:10 Documents
drwxr-xr-x    2 500      500          4096 May 13 17:36 Downloads
drwxr-xr-x    2 500      500          4096 May 13 17:36 Music
drwxr-xr-x    2 500      500          4096 May 13 17:36 Pictures
drwxr-xr-x    2 500      500          4096 May 13 17:36 Public
drwxr-xr-x    2 500      500          4096 May 13 17:36 Templates
drwxr-xr-x    2 500      500          4096 May 13 17:36 Videos
-rw-r--r--    1 500      500             0 Jun 08 16:26 root.txt
-rw-rw-r--    1 500      500             0 Jun 08 16:20 xiaoluo.txt
lftp xiaoluo@127.0.0.1:~> exit
[root@xiaoluo ~]# cd /home/xiaoluo/
[root@xiaoluo xiaoluo]# ls
Desktop  Documents  Downloads  Music  Pictures  Public  root.txt  Templates  Videos  xiaoluo.txt
```

I created root.txt in root's home directory and uploaded it to the FTP server as user xiaoluo; switching to xiaoluo's home directory, we find the file has been uploaded.

[Note:] when uploading or downloading files over FTP, make sure the user has read and write permission on the directory!!!

② Uploads and downloads as the anonymous user

After logging in anonymously, the user by default has only read permission on the shared folder, that is, it can only download files from the shared directory.

```
[root@xiaoluo ~]# cd /var/ftp/pub/
[root@xiaoluo pub]# touch xiaoluo.txt
[root@xiaoluo pub]# ls
xiaoluo.txt
[root@xiaoluo pub]# cd
[root@xiaoluo ~]# lftp 127.0.0.1
lftp 127.0.0.1:~> cd pub/
lftp 127.0.0.1:/pub> ls
-rw-r--r--    1 0        0               0 Jun 08 16:39 xiaoluo.txt
lftp 127.0.0.1:/pub> get xiaoluo.txt
lftp 127.0.0.1:/pub> exit
[root@xiaoluo ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
```

So how do we configure things so that files can be uploaded?

(1) Edit the vsftpd main configuration file to enable anonymous uploads:

anonymous_enable=YES  -- enable anonymous access (default)

anon_upload_enable=YES  -- enable anonymous file uploads

anon_mkdir_write_enable=YES  -- enable anonymous directory creation

```
[root@xiaoluo ~]# vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
# ... (remaining lines identical to the listing above; only the two anon_*
#      directives below have been uncommented)
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
```

(2) Give the folder used for anonymous uploads write permission:

```
[root@xiaoluo ~]# chmod 2777 /var/ftp/pub/
[root@xiaoluo ~]# ls -ld /var/ftp/pub/
drwxrwsrwx. 2 root root 4096 Jun  9 00:42 /var/ftp/pub/
```

Now restart the vsftpd service and the anonymous user can upload files:

```
[root@xiaoluo ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@xiaoluo ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
[root@xiaoluo ~]# touch xiaoluo.txt
[root@xiaoluo ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  xiaoluo.txt
[root@xiaoluo ~]# lftp 127.0.0.1
lftp 127.0.0.1:~> cd pub/
lftp 127.0.0.1:/pub> ls
lftp 127.0.0.1:/pub> put xiaoluo.txt
lftp 127.0.0.1:/pub> exit
[root@xiaoluo ~]# cd /var/ftp/pub/
[root@xiaoluo pub]# ls
xiaoluo.txt
```

As we can see, the xiaoluo.txt file we created in root's home directory has been uploaded via an anonymous login.
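
The passive-mode exchange described in section 1, as an added example that is not part of the original post: a Python stub FTP server and a client talking to it over the loopback interface. The stub only understands USER, PASS, PASV, RETR and QUIT and serves one constructed file (the name xiaoluo.txt is borrowed from the post); it is not vsftpd, and its control port is an ephemeral loopback port standing in for port 21. What it shows is that in passive mode the client opens both TCP connections, the control connection and the data connection to the port the server announces in its 227 reply, so nothing ever has to reach the client from outside.

```python
"""Passive-mode FTP exchange on loopback: stub server + client (added example).
The stub speaks only USER/PASS/PASV/RETR/QUIT and serves one constructed
file; it is not vsftpd, it only shows which side opens which connection."""
import re
import socket
import threading

SAMPLE_FILES = {"xiaoluo.txt": b"hello from the passive-mode stub\n"}  # constructed
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def listen_loopback():
    """Bind a kernel-chosen (> 1023) port on 127.0.0.1 and listen on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s


def serve_one_session(ctrl_listener):
    """Server side: answer one control connection, opening a data port on PASV."""
    conn, _ = ctrl_listener.accept()
    rfile = conn.makefile("rb")
    data_listener = None
    conn.sendall(b"220 stub ready\r\n")
    for raw in rfile:
        cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            conn.sendall(b"331 Please specify the password.\r\n")
        elif cmd == "PASS":
            conn.sendall(b"230 Login successful.\r\n")
        elif cmd == "PASV":
            # Passive: the server only LISTENS on a new port and announces it.
            data_listener = listen_loopback()
            port = data_listener.getsockname()[1]
            conn.sendall(("227 Entering Passive Mode (127,0,0,1,%d,%d)\r\n"
                          % (port // 256, port % 256)).encode("ascii"))
        elif cmd == "RETR":
            if data_listener is None or arg not in SAMPLE_FILES:
                conn.sendall(b"550 Failed to open file.\r\n")
                continue
            conn.sendall(b"150 Opening BINARY mode data connection.\r\n")
            data_conn, _ = data_listener.accept()   # the client dialled in
            data_conn.sendall(SAMPLE_FILES[arg])
            data_conn.close()                       # EOF marks end of file
            data_listener.close()
            data_listener = None
            conn.sendall(b"226 Transfer complete.\r\n")
        elif cmd == "QUIT":
            conn.sendall(b"221 Goodbye.\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented.\r\n")
    conn.close()


def ftp_get_passive(host, port, user, password, name):
    """Client side: log in, ask for PASV, dial the announced data port, RETR."""
    ctrl = socket.create_connection((host, port))
    rfile = ctrl.makefile("rb")

    def send(text, want):
        ctrl.sendall((text + "\r\n").encode("ascii"))
        reply = rfile.readline().decode("ascii")
        if not reply.startswith(want):
            raise RuntimeError("%s -> %s" % (text, reply.strip()))
        return reply

    rfile.readline()                                # 220 banner
    send("USER " + user, "331")
    send("PASS " + password, "230")
    data_host, data_port = parse_pasv(send("PASV", "227"))
    # Both TCP connections are outbound from the client; a client-side
    # firewall or NAT never has to admit an inbound connection.
    data = socket.create_connection((data_host, data_port))
    send("RETR " + name, "150")
    payload = b"".join(iter(lambda: data.recv(4096), b""))
    data.close()
    rfile.readline()                                # 226 Transfer complete
    send("QUIT", "221")
    ctrl.close()
    return payload


def run_demo():
    """Run the stub in a thread (its port stands in for 21) and fetch the file."""
    listener = listen_loopback()
    server = threading.Thread(target=serve_one_session, args=(listener,))
    server.start()
    try:
        return ftp_get_passive("127.0.0.1", listener.getsockname()[1],
                               "anonymous", "ftp@", "xiaoluo.txt")
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    print(run_demo().decode("ascii"))
```

The 227 reply encodes the data port as p1*256 + p2, which is why a client has to parse it rather than assume port 20. A firewall in front of a passive-mode vsftpd has to admit the whole range the server may choose, which vsftpd bounds with pasv_min_port and pasv_max_port. In active mode the roles are reversed: the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects out from port 20 (connect_from_port_20=YES in the post's configuration), and that inbound connection is what client-side firewalls and NAT block.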

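The anonymous-upload configuration from section 4 next to a hardened alternative, as an added example that is not from the original post or from vsftpd: a parser for the vsftpd.conf option=value format and a few checks for the combinations that matter (anonymous uploads, unchrooted local users, cleartext local logins). The compiled-in defaults it falls back on are the ones documented in vsftpd.conf(5); both sample configurations are constructed here, the first reproducing the effective settings of the post, and the certificate path in the hardened one is a placeholder.

```python
"""Audit a vsftpd.conf for the combinations the post turns on (added example,
not from the post or from vsftpd). Defaults are those documented in
vsftpd.conf(5); both sample configurations below are constructed here."""

# Compiled-in defaults for the options the checks consult (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf: one 'option=value' per line, '#' lines are comments.

    vsftpd refuses to start on whitespace around '=' (unknown option or bad
    value), so this parser rejects it too rather than silently accepting a
    setting the daemon itself would not.
    """
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        if not sep or not option or option != option.rstrip() or value != value.lstrip():
            raise ValueError("line %d: not a valid option=value line: %r" % (lineno, raw))
        conf[option] = value
    return conf


def enabled(conf, option):
    """vsftpd accepts YES/TRUE/1 (case-insensitively) for boolean options."""
    return conf.get(option, "NO").upper() in ("YES", "TRUE", "1")


def audit(conf):
    """Return [(option, finding), ...] for the risky combinations."""
    findings = []
    anon = enabled(conf, "anonymous_enable")
    if anon:
        findings.append(("anonymous_enable", "anonymous logins are allowed"))
    if anon and enabled(conf, "write_enable") and enabled(conf, "anon_upload_enable"):
        findings.append(("anon_upload_enable", "anonymous users can upload (public drop box)"))
        if enabled(conf, "anon_mkdir_write_enable"):
            findings.append(("anon_mkdir_write_enable", "anonymous users can create directories"))
        if enabled(conf, "anon_other_write_enable"):
            findings.append(("anon_other_write_enable", "anonymous users can delete and rename"))
        if not enabled(conf, "anon_world_readable_only"):
            findings.append(("anon_world_readable_only", "anonymous users can fetch each other's uploads"))
    if enabled(conf, "local_enable"):
        if not enabled(conf, "chroot_local_user"):
            findings.append(("chroot_local_user", "local users can browse outside their home directory"))
        if not enabled(conf, "ssl_enable"):
            findings.append(("ssl_enable", "local passwords cross the network in cleartext"))
        elif not (enabled(conf, "force_local_logins_ssl") and enabled(conf, "force_local_data_ssl")):
            findings.append(("force_local_logins_ssl", "TLS is offered but not required for local users"))
    return findings


def audit_text(text):
    return audit(parse_vsftpd_conf(text))


# Constructed: the effective settings of the post's anonymous-upload setup.
POST_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
"""

# Constructed: anonymous stays read-only, local users are chrooted and must use TLS.
# rsa_cert_file is a real vsftpd option; the path is a placeholder assumption.
HARDENED_CONF = """\
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
"""

if __name__ == "__main__":
    for label, text in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for option, finding in audit_text(text):
            print("  %-26s %s" % (option, finding))
```

The file-system half of the post's setup is invisible to a configuration audit: chmod 2777 /var/ftp/pub makes the directory world-writable and world-listable, so anyone can upload and anyone can see what others uploaded. If an anonymous drop box is really wanted, mode 733 lets the ftp user write without listing, and anon_world_readable_only=YES (the default) keeps uploads, created under the default anon_umask of 077, from being downloaded by other anonymous users. One further check for newer versions: vsftpd 2.3.5 and later refuse to chroot a user into a writable directory ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so the writable directory must stay below the anonymous root /var/ftp, as it does in the post, and not be /var/ftp itself.
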
JialuZhang commented 3 years ago

In your settings, you mentioned:

```
idle_session_timeout=600
```

This setting itself is a silent misconfiguration, and adding it to your system will not change any system misbehavior. Root cause: "data_connection_timeout" has a system preset default value, 300. The configuration "idle_session_timeout" has no effect if the user does not set "data_connection_timeout" to less than or equal to zero.

Here is the vsftpd source code to support this. To enable the configuration parameter "idle_session_timeout", the user has to explicitly set another configuration parameter, "data_connection_timeout", to less than 0.

```c
if (tunable_data_connection_timeout > 0)    /* usage of data_connection_timeout */
{
  vsf_sysutil_set_alarm(tunable_data_connection_timeout);
}
else if (tunable_idle_session_timeout > 0)  /* usage of idle_session_timeout */
{
  vsf_sysutil_clear_alarm();
}
```