1 Overview
To share resources, an FTP server has to be set up. This article installs and configures the FTP server automatically through a script. At the same time it creates the FTP login accounts and creates two folders as public directories, so that all users have a common access path.
2 Conceptual Interpretation and Notices
2.1 chroot_list description
chroot_list_file=/etc/vsftpd/chroot_list
If the configuration is
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
then all users added to the file vsftpd.chroot_list are unrestricted users,
that is, they can browse the directories above their home directory.
So, if you do not want a user to be able to browse the directories above his home directory, configure it as above and do not add that user to the file vsftpd.chroot_list (with this setting, the users listed in the file can browse directories outside their home directory).
Alternatively, configure it as follows:
chroot_local_user=NO
chroot_list_enable=YES (this line is required, otherwise the file vsftpd.chroot_list has no effect)
chroot_list_file=/etc/vsftpd.chroot_list
Then add every user who should not be allowed to browse the directories above his home directory to the file vsftpd.chroot_list (with this setting, the users listed in the file cannot browse directories outside their home directory).
2.2 selinux
If the service has been installed and port 21 has been opened in the firewall, but the server still cannot be reached, SELinux may be interfering. It is recommended to enable the following boolean:
getsebool -a | grep ftp
setsebool -P tftp_home_dir=1
2.3 Listener Port Problem
If, on the server itself, you can log in with ftp localhost, but a Windows machine cannot reach the server from Explorer (that is, ftp <server IP> fails) even though the service on CentOS 7 is running normally, the problem lies in the configuration file. The likely cause is that both the IPv4 and the IPv6 port are being listened on at the same time, which makes the service fail. It is recommended to listen only on the IPv4 port in the configuration file, not on the IPv6 port; listening on IPv4 and IPv6 at the same time in one configuration file is not supported.
# Do not configure the statement listen_ipv6=YES
Restarting the service when both IPv4 and IPv6 listening are configured reports the following:
[root@localhost ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: 500 OOPS: run two copies of vsftpd for IPv4 and IPv6 [FAILED]
2.4 vsftpd configuration file description
vsftpd.ftpusers: located in the /etc directory. It specifies which user accounts are not allowed to access the FTP server, for example root.
vsftpd.user_list: located in the /etc directory. By default the user accounts in this file cannot access the FTP server; they can only log in if userlist_enable=NO is set in the vsftpd.conf configuration file.
vsftpd.conf: located in the /etc/vsftpd directory. It configures the FTP server: user login control, user permission control, timeout settings, server features, server performance options, server response messages, and so on.
(1) User login control
anonymous_enable=YES, allows anonymous users to log in.
no_anon_password=YES, anonymous users need no password to log in.
local_enable=YES, allows local users to log in.
deny_email_enable=YES, lets you create a file holding a blacklist of anonymous e-mail passwords, to stop the people using them from launching DoS attacks.
banned_email_file=/etc/vsftpd.banned_emails, the path of the e-mail blacklist used when deny_email_enable is enabled (the default is /etc/vsftpd.banned_emails).
(2) User Rights Control
write_enable=YES, enables write (upload) permission globally.
local_umask=022, the umask for files uploaded by local users is set to 022 (the default is 077, which can be changed to 022).
anon_upload_enable=YES, allows anonymous users to upload files. Obviously write_enable=YES must be enabled for this to work. At the same time, a directory that the ftp user can read and write must exist (as mentioned earlier, ftp is the account that anonymous users are mapped to).
anon_mkdir_write_enable=YES, allows anonymous users to create directories.
chown_uploads=YES, with this option enabled the owner of anonymously uploaded files is changed to another user account. Note that designating the root account as the owner of anonymously uploaded files is not recommended!
chown_username=whoever, the owner account used when chown_uploads=YES is enabled; whoever is replaced by the appropriate user account.
chroot_list_enable=YES, lets you use a list to specify which local users are confined to their own directory. If chroot_local_user=YES, the users in this list are instead the unrestricted ones.
chroot_list_file=/etc/vsftpd.chroot_list, specifies the path of the chroot list file (the default is /etc/vsftpd.chroot_list).
nopriv_user=ftpsecure, specifies an unprivileged, fully isolated user account for the FTP server to run as. This is the option recommended by vsftpd.
async_abor_enable=YES, it is strongly recommended not to enable this option, otherwise it may lead to errors!
ascii_upload_enable=YES; ascii_download_enable=YES. By default the server pretends to accept ASCII mode requests but actually ignores them. Enabling these two options makes the server really perform ASCII mode transfers.
Note: enabling ascii_download_enable allows a malicious remote user to consume a lot of the FTP server's I/O resources with commands such as "SIZE /big/file" in ASCII mode.
The ASCII mode settings are split into upload and download options, so that ASCII mode upload can be allowed (which keeps uploaded scripts and similar text files from being corrupted) without the risk of a denial-of-service attack.
(3) User Connection and Timeout Options
idle_session_timeout=600, sets the default idle timeout; a user who is inactive for longer than this is disconnected from the server.
data_connection_timeout=120, setting the default data connection timeout.
(4) Server logs and welcome information
dirmessage_enable=YES, lets you configure and display a message for directories, showing the contents of the message_file in each directory.
ftpd_banner=Welcome to blah FTP service, customizes the welcome message FTP users see when they log in to the server.
xferlog_enable=YES, enables logging of upload/download activity.
xferlog_file=/var/log/vsftpd.log, customizes the path and file name of the log file; the default is /var/log/vsftpd.log.
anonymous_enable=YES allows anonymous login
local_enable=YES allows local users to log in
write_enable=YES enables write permission for local users
local_umask=022 sets the umask for files created by local users to 022
# anon_upload_enable=YES allows anonymous users to upload files
# anon_mkdir_write_enable=YES gives anonymous users write and directory-creation rights
dirmessage_enable=YES displays the contents of the hidden .message file in a directory when you change into it
xferlog_enable=YES activates the upload and download log
connect_from_port_20=YES enables data connections from FTP data port 20
# chown_uploads=YES changes the owner of anonymously uploaded files to the user specified by the chown_username parameter
# chown_username=whoever specifies the user who becomes the owner of uploaded files; used together with chown_uploads
#xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES uses the standard ftpd xferlog log format
# idle_session_timeout=600 the session is disconnected after the user has been idle for 10 minutes
# data_connection_timeout=120 the data connection is closed after 2 minutes of inactivity
# ascii_upload_enable=YES enables ASCII mode uploads
# ascii_download_enable=YES enables ASCII mode downloads
# ftpd_banner=Welcome to blah FTP service sets the message shown to a user after connecting to the server
# deny_email_enable=NO this parameter defaults to NO. When set to YES, anonymous logins that give an e-mail address listed in the file named by banned_email_file are rejected.
# banned_email_file=/etc/vsftpd.banned_emails specifies the file containing the rejected e-mail addresses.
# chroot_list_enable=YES confines local users to their own directory after login; they cannot switch to a directory outside it
#chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
pam_service_name=vsftpd sets the name of the PAM service configuration file, which is stored in /etc/pam.d/
userlist_enable=YES the users listed in /etc/vsftpd.user_list cannot access the server. If userlist_deny=NO is added, only the users in the /etc/vsftpd.user_list file can access the server and no other user can. With userlist_enable=NO and userlist_deny=YES, the users listed in /etc/vsftpd.user_list cannot access the server while the other local users can.
listen=YES runs vsftpd in standalone mode
tcp_wrappers=YES uses the TCP Wrappers remote access control mechanism in vsftpd; the default value is YES.
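As an added example that is not part of the original post or its script, the following Python checks a vsftpd.conf against the rules described in 2.1, 2.3 and 2.4: it parses the file the way vsftpd does (case-sensitive keys, no whitespace around "="), flags the IPv4-plus-IPv6 listen combination behind the "500 OOPS" error, and evaluates the chroot_list and user_list decisions for a given user. The sample config, the user names in the comments and the subset of known keys are constructed for this example.

```python
import re
# Real vsftpd.conf keys used on this page; vsftpd rejects unknown (or mis-cased) keys.
KNOWN_KEYS = {"listen", "listen_ipv6", "chroot_local_user", "chroot_list_enable",
              "chroot_list_file", "userlist_enable", "userlist_deny", "local_umask"}
# Constructed sample (not the page's generated config) with the page's pitfalls: mis-cased key, spaces around '=', IPv4 plus IPv6.
SAMPLE_CONF = """\
listen=YES
listen_ipv6=YES
Chroot_list_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
local_umask = 022
userlist_enable=YES
userlist_deny=YES
"""

def parse_conf(text):
    """Return (settings, problems); blank and '#' lines skipped, rest must be key=value."""
    conf, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)=(\S*)", line)
        if not m:
            problems.append(f"line {n}: not key=value (no whitespace allowed)")
            continue
        key, val = m.groups()
        if key not in KNOWN_KEYS:
            problems.append(f"line {n}: unknown key {key!r}")
        conf[key] = val
    return conf, problems

def yes(conf, key, default="NO"):
    # vsftpd upper-cases boolean values, so yes/YES/true/1 all mean YES
    return conf.get(key, default).upper() in ("YES", "TRUE", "1")

def listen_ok(conf):
    # listen=YES with listen_ipv6=YES is the "500 OOPS: run two copies of vsftpd for IPv4 and IPv6" failure
    return not (yes(conf, "listen") and yes(conf, "listen_ipv6"))

def is_chrooted(conf, user, chroot_list):
    # section 2.1: the list exempts users when chroot_local_user=YES and confines them when it is NO
    listed = yes(conf, "chroot_list_enable") and user in chroot_list
    return (not listed) if yes(conf, "chroot_local_user") else listed

def user_allowed(conf, user, user_list):
    # userlist_deny=YES (the default) makes user_list a blacklist, NO makes it a whitelist
    if not yes(conf, "userlist_enable"):
        return True
    return (user not in user_list) if yes(conf, "userlist_deny", "YES") else (user in user_list)
```

Run parse_conf over the real /etc/vsftpd/vsftpd.conf and pass the contents of chroot_list and user_list as sets to see the same decisions vsftpd will make for each account.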
3 One-click Installation Script
#!/bin/bash
#
#******************************************************************************
#Author: Sunny
#Date: 2017-09-11
#FileName: install_ftp.sh
#version: 1.0
#Your change info:
#Description: For auto install ftp
#Copyright(C): 2017 All rights reserved
#*****************************************************************************
# The ftp directory tree follows normal file system permissions. For example, if you
# log in anonymously and upload a file, vsftpd creates it as the default user ftp with
# permission 600, so other people cannot download it unless the file is given r
# permission for others.
time=$(date +%Y%m%d%H%M)
# install vsftpd, generate a new config file and create the chroot_list and welcome.txt files
# install ftp server
rpm -q vsftpd &>/dev/null || yum -y install vsftpd &>/dev/null
# install ftp client, not necessary but suggested
rpm -q ftp &>/dev/null || yum -y install ftp &>/dev/null
# keep a timestamped backup of any existing config and banner
[ -e /etc/vsftpd/vsftpd.conf ] && mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf."$time".bak
[ -e /etc/vsftpd/welcome.txt ] && mv /etc/vsftpd/welcome.txt /etc/vsftpd/welcome.txt."$time".bak
cat >>/etc/vsftpd/vsftpd.conf<<eof
# do not listen on both the ipv4 and the ipv6 port; only ipv4 is used, so listen_ipv6 is not configured
# about anonymous users
anonymous_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
# about local (system) users
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# about the server environment
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
use_localtime=YES
# /etc/vsftpd/welcome.txt is created by this script right after this config
banner_file=/etc/vsftpd/welcome.txt
eof
[ -e /etc/vsftpd/chroot_list ] || touch /etc/vsftpd/chroot_list
cat >>/etc/vsftpd/welcome.txt<<eof
Welcome to sunny ftp
eof
# create ftp users without system login permission
echo "If you don't want to create users, enter 0 to skip creating new ftp users"
read -p "how many ftp users do you want to create (eg: 3 means create 3 users in total): " usernu
[[ "$usernu" =~ ^[0-9]+$ ]] || { echo "your input is not a number, no user will be created, please check"; usernu=0; }
if [ -z "${usernu:-}" ];then
  usernu=0
fi
read -p "enter password for all new users (default: ftp123): " pass
if [ -z "${pass:-}" ];then
  pass=ftp123
fi
while [ "$usernu" -gt 0 ];do
  read -p "please input the new username you want to create: " user
  if id "$user" &>/dev/null;then
    echo "$user already exists, $user will not be created again"
    continue
  else
    # no shell, home directory under /var/ftp, and chrooted via chroot_list
    useradd -s /sbin/nologin -d /var/ftp/"$user" "$user"
    echo "$pass" | passwd --stdin "$user"
    echo "$user" >> /etc/vsftpd/chroot_list
    let usernu--
  fi
done
echo "You can create two dirs under /var/ftp for projects"
echo "dir share : everyone can create, delete, upload and download files; an uploaded file becomes accessible to everyone one minute after it is uploaded under share"
echo "dir share_project : similar to dir share, but files under it cannot be deleted"
read -p "If you want to make the two share dirs, enter yes; they will not be created if you enter anything else: " answer
if [ "$answer" = "yes" ];then
  [ -e /var/ftp/share ] || mkdir /var/ftp/share
  [ -e /var/ftp/share_project ] || mkdir /var/ftp/share_project
  # the cron job is what makes newly uploaded files (mode 600) readable by everyone within a minute
  grep "/var/ftp/share" /etc/crontab &>/dev/null || echo "* * * * * root chmod -R 777 /var/ftp/share" >>/etc/crontab
  chattr +a /var/ftp/share_project
else
  echo "no share dir was created"
fi
# both centOS 6 and 7
chkconfig vsftpd on
service vsftpd restart &>/dev/null
# centOS 7 can also run the commands below to restart the service and enable it at boot
#systemctl restart vsftpd.service
#systemctl enable vsftpd
setenforce 0 &>/dev/null
# if you want to keep selinux enabled, run the commands below to make ftp work normally
#getsebool -a | grep ftp
#setsebool -P tftp_home_dir=1
#setsebool -P tftp_anon_write=1
#setsebool -P ftpd_anon_write=1
netstat -netlp | grep vsftpd &>/dev/null && echo "Your ftp is working, you can use it now" || echo "Your ftp service did not start, please check"
unset usernu
unset pass
unset time
4 Summary
With the one-click installation script in this article, users can decide for themselves whether to create new FTP users and whether to create the shared folders.