My blog has moved to xdoujiang.com; please come over there to talk with me.

I. Basic environment
1. Version
cat /etc/debian_version
7.8
2. Kernel
uname -r
3.2.0-4-amd64
3. vsftpd version
vsftpd: version 2.3.5
4. IP (eth0)
192.168.1.124
5. vsftpd official site
vsftpd.beasts.org
6. Requirements
Only the fileftp user may connect and log in to FTP, and it must be locked into its custom home directory; other system users (and anonymous users) must not be able to log in; the service listens only on the local eth0 address.
II. Install and configure the vsftpd server
1. Install with apt
apt-get -y install vsftpd
2. Create the ftp directory
mkdir /opt/ftp -p
3. Create the ftp account and set its password
1) Add the fileftp user
useradd -s /bin/false -d /opt/ftp fileftp
2) Set the password
echo fileftp:redhat|chpasswd
4. Modify the configuration
1) Back up the configuration first
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
cp /etc/ftpusers /etc/ftpusers.bak
cp /etc/shells /etc/shells.bak
2) cat /etc/vsftpd.conf
listen_port=21
listen_address=192.168.1.124
listen=YES
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
pam_service_name=vsftpd
anonymous_enable=NO
local_root=/opt/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
3) Configure it so that only fileftp can log in to the ftp service
cat /etc/passwd|grep -v "fileftp"|awk -F: '{print $1}' > /etc/ftpusers
4) Check the result
cat /etc/ftpusers
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
sshd
jimmy
messagebus
ftp
5) The ftp login checks the /etc/shells file, because the user added above uses /bin/false as its shell
echo "/bin/false" >> /etc/shells
6) Check the result
cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/bin/false
7) If this file does not exist yet, create it
echo "fileftp" > /etc/vsftpd.user_list
5. Configuration explained
listen_port=21 #listening port
listen_address=192.168.1.124 #listening address
listen=YES #start the service in standalone mode
local_enable=YES #allow login with system users
write_enable=YES #allow uploads
local_umask=022 #umask applied to files created by local users
xferlog_enable=YES #enable logging
xferlog_file=/var/log/xferlog.log #where the transfer log is stored
xferlog_std_format=YES #write the transfer log in standard xferlog format
vsftpd_log_file=/var/log/vsftpd.log #where the vsftpd log is stored
dual_log_enable=YES #enable dual logging (both log files)
chroot_local_user=YES #confine users to their home directory
pam_service_name=vsftpd #use PAM authentication; see /etc/pam.d/vsftpd for the details
anonymous_enable=NO #do not allow anonymous logins
local_root=/opt/ftp #the home directory of ftp accounts after login is /opt/ftp
userlist_enable=YES #enable the vsftpd.user_list file
userlist_file=/etc/vsftpd.user_list #path to that file
userlist_deny=NO #only users listed in vsftpd.user_list may connect to ftp
6. Restart the vsftpd service
/etc/init.d/vsftpd restart
Stopping FTP server: vsftpd.
Starting FTP server: vsftpd.
7. Check the port
netstat -tupnl|grep 21
tcp 0 0 192.168.1.124:21 0.0.0.0:* LISTEN 5713/vsftpd
8. Check the process
ps -ef |grep vsftpd
root 5713 1 0 10:09 ? 00:00:00 /usr/sbin/vsftpd
III. Testing
1. Install the lftp client
apt-get -y install lftp
2. Create the fileftp transfer directory
mkdir /opt/ftp/fileftp -p && cd /opt/ftp/ && chown fileftp.fileftp fileftp -R
3. Test logging in (from Linux)
lftp fileftp:'redhat'@192.168.1.124
lftp jimmy:'redhat'@192.168.1.124
lftp root:'redhat'@192.168.1.124
lftp 192.168.1.124
4. Check the log (the tests were run from a host with IP 192.168.1.120)
Sat Aug 1 12:33:38 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug 1 12:33:38 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
PS: the log shows that only fileftp logged in successfully; root, jimmy and the anonymous user all failed to log in.
5. Tool test
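As an added example (not part of the original post), a small shell script that summarises vsftpd.log lines in the CONNECT / OK LOGIN format shown above, so the outcome of a login test like the one in step 4 can be read off per user and per client address; the log it reads is constructed inline, and its FAIL LOGIN lines mirror what vsftpd writes for a rejected login.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises vsftpd.log lines in
# the CONNECT / OK LOGIN format shown in the article. SAMPLE_LOG is
# constructed; the FAIL LOGIN lines mirror vsftpd's format for rejected
# logins (the root and jimmy attempts in the article would produce them).
SAMPLE_LOG='Sat Aug  1 12:33:38 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug  1 12:33:38 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
Sat Aug  1 12:34:02 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug  1 12:34:05 2015 [pid 1] [root] FAIL LOGIN: Client "192.168.1.120"
Sat Aug  1 12:34:40 2015 [pid 2] CONNECT: Client "192.168.1.130"
Sat Aug  1 12:34:41 2015 [pid 1] [jimmy] FAIL LOGIN: Client "192.168.1.130"
Sat Aug  1 12:35:10 2015 [pid 2] CONNECT: Client "192.168.1.130"
Sat Aug  1 12:35:12 2015 [pid 1] [jimmy] FAIL LOGIN: Client "192.168.1.130"'

# count_logins OK|FAIL -> "user count" per line, sorted by user.
# Fields: 1-5 timestamp, 6-7 "[pid N]", 8 "[user]", 9 OK/FAIL, 10 "LOGIN:",
# 11 "Client", 12 the quoted client address.
count_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v want="$1" '
        $10 == "LOGIN:" && $9 == want {
            user = $8; gsub(/\[|\]/, "", user); n[user]++
        }
        END { for (u in n) print u, n[u] }' | sort
}

# clients_over_threshold MIN -> client addresses with at least MIN failed
# logins, one per line; a cheap indicator for alerting on password guessing.
clients_over_threshold() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v min="$1" '
        $10 == "LOGIN:" && $9 == "FAIL" {
            ip = $12; gsub(/"/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

echo "successful logins:";          count_logins OK
echo "failed logins:";              count_logins FAIL
echo "clients with >= 2 failures:"; clients_over_threshold 2
```

To run it against a real server, replace the SAMPLE_LOG variable with `cat /var/log/vsftpd.log`.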
IV. Configure SSL
1. Install the package
apt-get -y install openssl
2. Create a certificate (valid for 365 days) and fill in the relevant information
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out /etc/ssl/certs/vsftpd.pem -keyout /etc/ssl/certs/vsftpd.pem
Generating a 2048 bit RSA private key
..........+++
.............+++
writing new private key to '/etc/ssl/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
Organizational Unit Name (eg, section) []:aaa
Common Name (e.g. server FQDN or YOUR name) []:aaa
Email Address []:
3. Fix the permissions
chmod 0400 /etc/ssl/certs/vsftpd.pem
4. SSL configuration: append the following to the end of /etc/vsftpd.conf
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
5. Configuration explained
ssl_enable=YES #enable vsftpd's SSL support
ssl_sslv2=YES #support the SSL v2 protocol
ssl_sslv3=YES #support the SSL v3 protocol
ssl_tlsv1=YES #support TLS v1
rsa_cert_file=/etc/ssl/certs/vsftpd.pem #where the certificate is stored
6. Restart the service
/etc/init.d/vsftpd restart
Stopping FTP server: vsftpd.
Starting FTP server: vsftpd.
7. Testing
1) lftp fileftp:'redhat'@192.168.1.124
ls: Fatal error: Certificate verification: Not trusted
Fix: add one line at the end of /etc/lftp.conf
set ssl:verify-certificate no
Log in again and it works.
2) Check the log
Sat Aug 1 13:52:23 2015 [pid 2] CONNECT: Client "192.168.1.124"
Sat Aug 1 13:52:23 2015 [pid 2] DEBUG: Client "192.168.1.124", "Connection terminated without SSL shutdown - buggy client?"
Sat Aug 1 13:56:25 2015 [pid 2] CONNECT: Client "192.168.1.120"
Sat Aug 1 13:56:25 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
8. Tool test (flashfxp)
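As an added example (not from the original post), a shell audit that checks a vsftpd.conf against the access policy this article sets up and flags the ssl_sslv2 and ssl_sslv3 switches, since SSLv2 and SSLv3 are obsolete protocols that should stay off; both configuration files it reads are constructed inline, one copying the article's settings and one with those two switches turned off.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a vsftpd.conf against the
# policy in this article (no anonymous login, local users chrooted, userlist
# used as an allowlist, daemon bound to one address) and flags the obsolete
# SSLv2/SSLv3 protocols. WEAK and FIXED below are constructed config files.

# get_opt FILE KEY -> KEY's value, empty if unset; the last occurrence wins.
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# expect FILE KEY WANT -> prints a finding when KEY's value is not WANT.
expect() {
    v=$(get_opt "$1" "$2")
    if [ "$v" != "$3" ]; then echo "$2 is '${v:-unset}', expected $3"; fi
}

# audit_conf FILE -> one finding per line; prints nothing when FILE passes.
audit_conf() {
    expect "$1" anonymous_enable NO
    expect "$1" chroot_local_user YES
    expect "$1" userlist_enable YES
    expect "$1" userlist_deny NO   # NO makes vsftpd.user_list an allowlist
    if [ -z "$(get_opt "$1" listen_address)" ]; then
        echo "listen_address unset: the daemon would bind every interface"
    fi
    if [ "$(get_opt "$1" ssl_enable)" = YES ]; then
        for p in ssl_sslv2 ssl_sslv3; do
            if [ "$(get_opt "$1" $p)" = YES ]; then echo "$p=YES enables an obsolete protocol"; fi
        done
    fi
}

WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat > "$WEAK" <<'EOF'
listen_address=192.168.1.124
anonymous_enable=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
EOF
sed 's/^\(ssl_sslv[23]\)=YES$/\1=NO/' "$WEAK" > "$FIXED"
echo "findings for WEAK:";  audit_conf "$WEAK"
echo "findings for FIXED:"; audit_conf "$FIXED"
```

Run it against the live file with `audit_conf /etc/vsftpd.conf`; an empty file or a commented-out key counts as unset and is reported.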
V. References
http://rajaseelan.com/2011/12/18/lftp-fatal-error-certificate-verification-not-trusted/
This article was reposted from the xdoujiang 51CTO blog; original link: http://blog.51cto.com/7938217/1680797. To republish it, please contact the original author.