Things to watch out for when setting up an FTP service on Linux
1. Configuration file
The vsftpd.conf file in the /etc/vsftpd directory:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented!!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1034
2. Creating a new user
adduser -m -d /home/data/ftp -s /bin/sh -g root ftptest3
This user's home directory is /home/data/ftp.
3. Disabling interactive login
First, set the user's shell to /usr/bin/nologin.
As the root user: usermod -s /usr/bin/nologin username
Because vsftpd checks at login whether the user's shell setting is valid, if /usr/bin/nologin is not listed in /etc/shells,
that check fails and the user cannot log in.
Open /etc/shells and add "/usr/bin/nologin"; that is all that is needed.
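The two steps above are order-sensitive: setting the shell before it is listed in /etc/shells produces exactly the login failure described. The script below is an added example, not part of the original post; the function names, the sample paths and the idempotent append logic are my own, and the nologin path is assumed to be the one the post uses (it differs between distributions).

```shell
#!/bin/sh
# Added example (not from the original post): lock an FTP-only account out of
# interactive shells without tripping vsftpd's login-time shell check.

# shell_is_listed SHELL FILE
# Returns 0 if SHELL appears as a whole line in FILE (the /etc/shells format:
# one absolute path per line), 1 otherwise. Exact-match grep avoids treating
# /usr/bin/nologin as already present when only /usr/sbin/nologin is listed.
shell_is_listed() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# ensure_shell_listed SHELL FILE
# Appends SHELL to FILE only when it is missing, so repeated runs never add
# duplicate entries. Refuses a SHELL that is not an executable on this host,
# because listing a non-existent path (a distro-specific nologin location is
# the usual mistake) would not make the login check pass anyway.
ensure_shell_listed() {
    shell="$1"; file="$2"
    if [ ! -x "$shell" ]; then
        echo "refusing: $shell is not an executable on this system" >&2
        return 2
    fi
    if shell_is_listed "$shell" "$file"; then
        return 0
    fi
    printf '%s\n' "$shell" >> "$file"
}

# lock_ftp_user USER SHELL [SHELLS_FILE]
# 1. make sure SHELL is accepted by the login check (listed in /etc/shells),
# 2. only then switch USER's login shell to it with usermod.
# Doing step 2 first locks the user out of FTP as well until step 1 is done.
lock_ftp_user() {
    user="$1"; shell="$2"; shells_file="${3:-/etc/shells}"
    ensure_shell_listed "$shell" "$shells_file" || return $?
    usermod -s "$shell" "$user"
}

# Usage (as root, assumed account name from the post):
#   lock_ftp_user ftptest3 /usr/bin/nologin
```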