Installing vsftpd on Linux

Install vsftpd as an attachment upload and download service

Article directory

  • Installing vsftpd on Linux
  • 1. What is vsftpd?
  • 2. Usage steps
    • 1. Installation
    • 2. Configuration
    • 3. Possible problems
      • The first situation: SELinux FTP settings
      • The second situation: the firewall may be the cause
      • The third situation: pam.d setting problem
    • 4. Suggestions
  • Summary

1. What is vsftpd?

vsftpd is an FTP server that runs on UNIX-like operating systems such as Linux, BSD, Solaris, HP-UX and IRIX. It supports many features that other FTP servers do not support.

2. Usage steps

1. Installation

Check whether vsftpd is already installed on the server
rpm -qa | grep vsftpd
If it already exists, uninstall it first
yum remove vsftpd
This is a new server here, so I installed vsftpd directly.
yum install vsftpd -y

Installation successful

2. Configuration

Set user information and permissions
The command below does the following:
Adds a user named qingdgj who belongs to the root group
Sets /home/ftp as the directory the user enters when logging in
Prevents shell login, so the user can only log in through FTP
useradd -g root -d /home/ftp -s /sbin/nologin qingdgj
Set a password for this user
passwd qingdgj
The password is not displayed as you type it.

Set folder permissions (note user name)

Modify the configuration file
vim /etc/vsftpd/vsftpd.conf
The settings are explained below
# Replace the server IP and port number placeholders with your own values
# Whether anonymous users are allowed to access
anonymous_enable=NO
# Whether local users are allowed to log in to FTP
local_enable=YES
# Whether FTP commands that change the filesystem (upload, delete, rename) are allowed
write_enable=YES
# umask applied to files created by local users
local_umask=022
# Show a directory's message to users when they enter it
dirmessage_enable=YES
# Whether to enable upload/download logging. If enabled, uploads and downloads are recorded in the file defined by xferlog_file.
xferlog_enable=YES
# Whether active mode (the PORT command) is allowed for data connections
port_enable=YES
# Make active-mode data connections originate from port 20 (ftp-data)
connect_from_port_20=YES
# Write the transfer log in standard xferlog format.
# While this is YES, log_ftp_protocol (which logs every FTP request and response, helps with debugging, default NO) has no effect.
xferlog_std_format=YES
# Set whether to enable ASCII mode to upload data. The default value is NO.
ascii_upload_enable=YES
# Set whether to enable ASCII mode to download data. The default value is NO.
ascii_download_enable=YES
# Allow recursive directory listings (ls -R)
ls_recurse_enable=YES
# Run vsftpd in standalone mode, listening on IPv4 sockets
listen=YES
# Set the port that the FTP server listens on for incoming connections. The default value is 21.
listen_port=xxx port number
# Name of the PAM service vsftpd uses (/etc/pam.d/vsftpd)
pam_service_name=vsftpd
# Set whether the user list is a deny list or an allow list. With userlist_deny=NO, only the users listed in userlist_file are allowed to access the FTP server.
userlist_deny=NO
# Whether to load and apply the user list in userlist_file
userlist_enable=YES
# Location of the user list
userlist_file=/etc/vsftpd/user_list
# Passive mode switch
pasv_enable=YES
# Passive mode minimum port
pasv_min_port=xxx port number
# Passive mode maximum port
pasv_max_port=xxx port number
# Public IP address of this server, returned to clients in passive mode
pasv_address=server ip
# Allow a hostname instead of an IP address in pasv_address
pasv_addr_resolve=YES
# Maximum transfer rate of anonymous users (bytes/second), 0 means no limit
anon_max_rate=512000
# Maximum transfer rate of local users (bytes/second), 0 means no limit
local_max_rate=512000
# Disable the check that the passive data connection comes from the same IP as the control connection.
# Set here to allow IP changes and prevent "425 Security: Bad IP connecting."
pasv_promiscuous=YES

After the configuration is modified, start the ftp service
systemctl start vsftpd.service
View ftp service status

Connect with an FTP client; you should now be able to log in and upload and download files.
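The configuration above can be checked mechanically before the service is exposed. The script below is an added example, not the article's own code: it reads a vsftpd.conf and reports the options discussed in this article that widen access or conflict with each other. The function names, finding texts and sample port numbers are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the article's code. Function names and messages are
# illustrative; the sample port numbers are made up.

# conf_get FILE KEY DEFAULT: print the last active value of KEY, else DEFAULT.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '$1 == k { v = $2; seen = 1 }
        END { print (seen ? v : d) }' "$1"
}

# check FILE KEY DEFAULT BAD MSG: report when the effective value equals BAD.
check() {
    if [ "$(conf_get "$1" "$2" "$3")" = "$4" ]; then echo "$2=$4: $5"; fi
}

# audit_vsftpd FILE: one finding per line. Defaults are from vsftpd.conf(5).
audit_vsftpd() {
    f=$1
    check "$f" anonymous_enable YES YES "anonymous logins are accepted"
    check "$f" pasv_promiscuous NO YES "data connection may come from a different IP than the login"
    check "$f" chroot_local_user NO NO "local users are not confined to their home directory by default"
    check "$f" ls_recurse_enable NO YES "ls -R is allowed and can cause heavy I/O"
    # The stock config warns that only one of the two listen options may be on.
    if [ "$(conf_get "$f" listen unset)" = YES ] &&
       [ "$(conf_get "$f" listen_ipv6 unset)" = YES ]; then
        echo "listen=YES with listen_ipv6=YES: enable only one of them"
    fi
    # The firewall rule needs a bounded passive range; 0 means "any port".
    min=$(conf_get "$f" pasv_min_port 0); max=$(conf_get "$f" pasv_max_port 0)
    case "$min:$max" in
        *[!0-9:]*|:*|*:) echo "pasv port range: not numeric ($min, $max)" ;;
        *) if [ "$min" -eq 0 ] || [ "$max" -lt "$min" ]; then
               echo "pasv port range: $min-$max is unbounded or inverted"
           fi ;;
    esac
    return 0
}

# Constructed sample: the article's key settings with example ports.
sample_conf() {
    printf '%s\n' anonymous_enable=NO local_enable=YES ls_recurse_enable=YES \
        listen=YES pasv_min_port=40000 pasv_max_port=40100 pasv_promiscuous=YES
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd "$tmp"
rm -f "$tmp"
```

Run it against a copy of /etc/vsftpd/vsftpd.conf by calling audit_vsftpd with that path; a file that still contains the "xxx port number" placeholders is reported as a non-numeric passive range.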


3. Possible problems

-----------------------------------------------------------------
Command: USER qingdgj
Response: 331 Please specify the password.
Command: PASS ***********
Response: 530 Login incorrect.
Error: Fatal error: Unable to connect to server
-----------------------------------------------------------------

The first situation: SELinux FTP settings

CentOS 6 and CentOS 7 differ here.
If SELinux is enabled, configure it as follows
# View the FTP-related settings in SELinux
sestatus -b | grep ftp
If ftp_home_dir is shown as off, it needs to be turned on
# SELinux setting (the CentOS 7 method is given here)
sudo setsebool -P tftp_home_dir 1
If you don't want to set it, you can also turn off SELinux

The second situation: the firewall may be the cause

You can either turn off the firewall or open the corresponding ports
# FTP passive mode port range
firewall-cmd --zone=public --add-port=start port-end port/tcp --permanent
# FTP login port
firewall-cmd --zone=public --add-port=xxx port/tcp --permanent
# Purchased cloud servers
If the server is an Alibaba Cloud or Tencent Cloud server, you also need to enable the corresponding rules in the security group.

The third situation: pam.d setting problem

The earlier FTP configuration sets pam_service_name=vsftpd, so vsftpd authenticates through this PAM file
vim /etc/pam.d/vsftpd
In this file, change pam_shells.so to pam_nologin.so
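Two choices made in the configuration section can each refuse a login on their own: the allow-list mode (userlist_deny=NO) and the pam_shells.so rule. The script below is an added example, not the article's code, that checks both against copies of the relevant files; the function name, file arguments and sample contents are assumptions. A user-list refusal is issued before the password prompt, unlike the session shown above.

```sh
#!/bin/sh
# Added example, not the article's code. Every file is passed as an argument
# so the checks can run on copies; names and messages are illustrative.

# login_blockers USER VSFTPD_CONF USER_LIST PASSWD SHELLS PAM_FILE
# Prints one line per setting that would refuse USER.
login_blockers() {
    user=$1; conf=$2; list=$3; passwd=$4; shells=$5; pam=$6
    # userlist_enable=YES plus userlist_deny=NO makes user_list an allow list.
    if grep -qx 'userlist_enable=YES' "$conf" &&
       grep -qx 'userlist_deny=NO' "$conf" &&
       ! grep -qxF -e "$user" "$list"; then
        echo "userlist: $user is not in the allow list"
    fi
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        echo "passwd: no login shell recorded for $user"
    # pam_shells.so accepts only accounts whose shell is in the shells file.
    elif grep -Eq '^[^#]*pam_shells\.so' "$pam" &&
         ! grep -qxF -e "$shell" "$shells"; then
        echo "pam_shells: $shell ($user) is not in the shells file"
    fi
    return 0
}

# Constructed sample files mirroring the article's account setup.
demo() {
    d=$(mktemp -d)
    printf '%s\n' userlist_enable=YES userlist_deny=NO > "$d/conf"
    printf '%s\n' alice > "$d/user_list"
    printf '%s\n' 'qingdgj:x:1001:0::/home/ftp:/sbin/nologin' > "$d/passwd"
    printf '%s\n' /bin/sh /bin/bash > "$d/shells"
    printf '%s\n' 'auth required pam_shells.so' > "$d/pam"
    login_blockers qingdgj "$d/conf" "$d/user_list" "$d/passwd" "$d/shells" "$d/pam"
    rm -rf "$d"
}

demo
```

On a real host the arguments would be /etc/vsftpd/vsftpd.conf, /etc/vsftpd/user_list, /etc/passwd, /etc/shells and /etc/pam.d/vsftpd.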

4. Suggestions

It is recommended to back up the original configuration file when modifying it to prevent problems caused by improper operation.
Here is an original configuration (version 3.0.2)
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can be used as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognize asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customize the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Summary

It is easy to run into some minor problems when installing the FTP service. The above are some of the more common situations.
I hope that it helps. Thank you for reading.