vsftpd configuration guide
Install vsftpd:
sudo yum install vsftpd
sudo kwrite /etc/vsftpd/vsftpd.conf
Explanation of the directives:
listen=<YES/NO> : YES runs vsftpd as a standalone daemon; NO runs it under xinetd (xinetd manages daemons centrally and saves resources when many services are installed)
listen_port=<port> : port the control connection listens on; default 21
listen_address=<ip address> : bind to the given IP address; useful on multi-homed hosts
connect_from_port_20=<YES/NO> : YES forces active-mode (FTP-DATA) transfers to originate from port 20; default YES
pasv_enable=<YES/NO> : whether passive-mode data connections are allowed; set YES if clients sit behind a firewall
pasv_min_port=<n>
pasv_max_port=<m> : restrict passive-mode data ports to the range n..m; 50000-60000 is a reasonable choice
message_file=<filename> : file whose contents are shown when a user enters a directory; default .message
dirmessage_enable=<YES/NO> : whether to show the contents of message_file when a user enters a directory
ftpd_banner=<message> : greeting shown to the user after connecting
banner_file=<filename> : read the greeting from the file filename instead
connect_timeout=<n> : drop the connection if the client takes more than N seconds to connect; default 60
accept_timeout=<n> : in passive mode, drop the session if the client does not connect to the data port within N seconds of the passive-port reply; default 60
data_connection_timeout=<n> : close an idle data connection after N seconds; default 120
idle_session_timeout=<n> : close an idle user session after N seconds; default 300
max_clients=<n> : in standalone mode, maximum number of concurrent connections; 0 means unlimited
max_per_ip=<n> : in standalone mode, maximum number of connections per client IP; 0 means unlimited (not sure whether this interacts with multi-connection downloads)
local_enable=<YES/NO> : whether local (system) accounts may log in
guest_enable=<YES/NO> : whether virtual-user accounts may log in
write_enable=<YES/NO> : whether write commands are enabled for local users
local_umask=<nnn> : umask applied to files uploaded by local users; default 077
local_max_rate=<n> : maximum transfer rate for local users in bytes/sec; 0 means unlimited
local_root=<file> : directory local users land in after login; default is their home directory
chroot_local_user=<YES/NO> : YES chroots every local user
chroot_list_enable=<YES/NO>
chroot_list_file=<filename> : with chroot_local_user=NO and chroot_list_enable=YES, only the users listed in filename are chrooted
anonymous_enable=<YES/NO> : whether anonymous logins are allowed
anon_max_rate=<n> : maximum transfer rate for anonymous users in B/s; 0 means unlimited
anon_world_readable_only=<YES/NO> : whether anonymous users' browse/read access is restricted to world-readable files
anon_upload_enable=<YES/NO> : whether anonymous users may upload
anon_mkdir_write_enable=<YES/NO> : whether anonymous users may create directories
anon_other_write_enable=<YES/NO> : whether anonymous users get the other write operations (note: this one matters for security and is normally left off, although turning it off also disables resumed uploads)
anon_umask=<nnn> : umask applied to files uploaded by anonymous users; default 077
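The directive list above describes several settings whose risk depends on how they combine (anonymous access plus write commands, chroot plus write access, passive mode without a port range, the two listen directives). The following checker is an added example, not part of vsftpd or of this guide: it parses a vsftpd.conf and reports those combinations. It goes a little beyond the list by also catching root-owned anonymous uploads and world-writable umasks. The default table, the finding codes and the sample configuration are constructed assumptions; the option allow_writeable_chroot exists in vsftpd 3.x but is not mentioned on this page.

```python
"""Static audit of a vsftpd.conf for risky directive combinations (hypothetical
checker written for this guide; not part of vsftpd)."""
from typing import Dict, List, Tuple

# Values assumed when the file leaves a key unset (constructed assumption).
# The sample file on the page says anonymous FTP is allowed by default, so
# anonymous_enable is assumed YES, which errs toward reporting more, not less.
# Check vsftpd.conf(5) for the defaults of your version.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_other_write_enable": "NO",
    "chroot_local_user": "NO", "allow_writeable_chroot": "NO",
    "chown_uploads": "NO", "pasv_enable": "YES",
    "listen": "NO", "listen_ipv6": "NO",
}

Finding = Tuple[str, str, str]  # (severity, code, explanation)


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """One key=value per line; lines starting with '#' are comments; a later
    occurrence of a key overrides an earlier one, as vsftpd itself does."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")


def audit_vsftpd_conf(text: str) -> List[Finding]:
    c = parse_vsftpd_conf(text)
    out: List[Finding] = []
    if _yes(c, "listen") and _yes(c, "listen_ipv6"):
        out.append(("ERROR", "dual-listen",
                    "listen and listen_ipv6 are mutually exclusive; vsftpd will not start"))
    if _yes(c, "anonymous_enable") and _yes(c, "write_enable"):
        if _yes(c, "anon_other_write_enable"):
            out.append(("HIGH", "anon-other-write",
                        "anonymous users may delete, rename or overwrite files"))
        if (_yes(c, "anon_upload_enable") and _yes(c, "chown_uploads")
                and c.get("chown_username") == "root"):
            out.append(("HIGH", "chown-root",
                        "anonymous uploads become root-owned; the sample config itself advises against it"))
    if _yes(c, "chroot_local_user") and _yes(c, "write_enable") and not _yes(c, "allow_writeable_chroot"):
        # Static heuristic: vsftpd's real check is on the chroot root's permissions.
        out.append(("WARN", "writable-chroot",
                    "chrooted users with write access: keep the chroot root non-writable and upload "
                    "into a subdirectory (vsftpd 3.x refuses a writable root unless allow_writeable_chroot=YES)"))
    if _yes(c, "pasv_enable") and not all(k in c for k in ("pasv_min_port", "pasv_max_port")):
        out.append(("INFO", "pasv-range",
                    "passive mode without pasv_min_port/pasv_max_port; pin a range (e.g. 50000-60000) for the firewall"))
    for key in ("local_umask", "anon_umask"):
        try:
            if key in c and int(c[key], 8) & 0o002 == 0:
                out.append(("WARN", f"{key}-world-write", f"{key}={c[key]} leaves uploads world-writable"))
        except ValueError:
            out.append(("ERROR", f"{key}-invalid", f"{key}={c[key]} is not an octal mask"))
    return out


# Constructed excerpt in the shape of the finished file later on this page.
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=root
anon_umask=022
chroot_local_user=YES
listen=NO
listen_ipv6=YES
"""

if __name__ == "__main__":
    for severity, code, why in audit_vsftpd_conf(SAMPLE_CONF):
        print(f"[{severity}] {code}: {why}")
```

Run it against your own file with `audit_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read())`; the sample above yields chown-root, writable-chroot and pasv-range, which matches the three things a reviewer would raise about the finished configuration on this page.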
==Anonymous users==
Back up first:
sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.old
If you break the file by accident, its original contents are reproduced below:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Start configuring
Change
#chown_uploads=YES
#chown_username=whoever
to the following:
chown_uploads=YES
# change the owner of uploaded files
chown_username=root
# who owns the uploaded files (commonly set to root)
anon_umask=022
# permissions for anonymous users
anon_root=/home/cc/AAA
# root directory of anonymous users (note: all three permission sets on the AAA folder must be set to "Can View Content")
Change
#chroot_local_user=YES
to
chroot_local_user=YES
# confine local users to their root directory so they cannot drift upward (and see the parent directory, or its parent)
local_root=/home/cc/AAA
# root directory of local users
Virtual users:
Append at the end of the file:
secure_chroot_dir=/var/run/vsftpd
# I prefer /home/cc/BBB, because /var/run/vsftpd has to be recreated before every start (after a shutdown), which is a hassle
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
guest_enable=YES
guest_username=vsftpd
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd_user_conf
vsftpd_log_file=/var/log/vsftpd.log
Note: if you get "500 OOPS: priv_sock_get_cmd", add seccomp_sandbox=NO; to avoid the problem altogether it is better to add it up front.
Save and close.
Configure local users and virtual users to log in at the same time (note: authenticate the virtual users first, otherwise virtual users cannot log in even if every "required" is changed to "sufficient"!!!)
sudo kwrite /etc/pam.d/vsftpd
Replace its contents with:
#%PAM-1.0
auth sufficient pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2
account sufficient pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2
session optional pam_keyinit.so force revoke
#session sufficient pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
#auth sufficient pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth sufficient pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
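The ordering note above (pam_mysql first) follows from how Linux-PAM combines control flags: a failed "required" module lets the stack continue but poisons the final result, so a later "sufficient" success can no longer end the stack with success. The script below is an added example, not part of PAM, vsftpd or this guide: it evaluates a simplified auth stack with those semantics for the page's order and for the reversed order. The account data (local user, passwords, shells) is constructed; only testuser/secret comes from the page, and "auth include password-auth" is modelled as a single pam_unix check.

```python
"""Evaluate a PAM 'auth' stack with Linux-PAM control-flag semantics, to show
why the pam_mysql lines must come before the required local-account modules.
Hypothetical simulation; not the real libpam."""
from typing import Callable, List, Tuple

# Constructed account data. testuser/secret is the page's MySQL row; the
# local user, passwords and shells are hypothetical.
VIRTUAL_USERS = {"testuser": "secret"}                      # MySQL accounts table
LOCAL_USERS = {"yeshuai": ("local-pw", "/bin/bash"),        # /etc/passwd + shadow
               "vsftpd": ("*", "/bin/false")}
FTPUSERS_DENY = {"root", "daemon", "nobody"}                # /etc/vsftpd/ftpusers
VALID_SHELLS = {"/bin/bash", "/bin/sh"}                     # /etc/shells

Module = Callable[[str, str], bool]  # (user, password) -> PAM_SUCCESS?


def pam_mysql(user: str, pw: str) -> bool:
    return VIRTUAL_USERS.get(user) == pw


def pam_listfile(user: str, pw: str) -> bool:
    return user not in FTPUSERS_DENY          # item=user sense=deny onerr=succeed


def pam_shells(user: str, pw: str) -> bool:
    entry = LOCAL_USERS.get(user)             # virtual users have no passwd entry
    return entry is not None and entry[1] in VALID_SHELLS


def pam_unix(user: str, pw: str) -> bool:    # what 'auth include password-auth' reaches
    entry = LOCAL_USERS.get(user)
    return entry is not None and entry[0] == pw


def run_auth_stack(stack: List[Tuple[str, Module]], user: str, pw: str) -> bool:
    """Return the overall auth result for one management group."""
    required_failed = False
    for control, module in stack:
        ok = module(user, pw)
        if control == "required":
            required_failed = required_failed or not ok   # remember, keep going
        elif control == "requisite":
            if not ok:
                return False                               # fail immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True                                # success ends the stack now
        elif control != "optional":
            raise ValueError(f"unknown control flag {control}")
    return not required_failed


# The page's order: pam_mysql before the required modules.
PAGE_ORDER = [("sufficient", pam_mysql), ("required", pam_listfile),
              ("required", pam_shells), ("required", pam_unix)]
# The order that breaks virtual users: pam_shells fails first and poisons the result.
REQUIRED_FIRST = [("required", pam_listfile), ("required", pam_shells),
                  ("required", pam_unix), ("sufficient", pam_mysql)]

if __name__ == "__main__":
    for name, stack in (("page order", PAGE_ORDER), ("required first", REQUIRED_FIRST)):
        for user, pw in (("testuser", "secret"), ("yeshuai", "local-pw"), ("root", "x")):
            print(f"{name:15} {user:9} -> {run_auth_stack(stack, user, pw)}")
```

With the page's order, testuser authenticates through pam_mysql and the stack stops there, while yeshuai falls through to the local modules; with the required modules first, pam_shells fails for testuser (no passwd entry) and the later pam_mysql success is discarded.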
Configure MySQL
Install MySQL:
sudo yum install mariadb pam_mysql mysql-server phpmyadmin
Then set the password and the other items:
sudo service mysqld start
sudo mysql_secure_installation
/bin/mysql_secure_installation:行379: find_mysql_client: 未找到命令
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
(just press Enter)
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Now configure the virtual users:
mysql -u root -p
CREATE DATABASE vsftpd;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* TO 'vsftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';
FLUSH PRIVILEGES;
USE vsftpd;
CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (
`username`
)
) ENGINE = MYISAM ;
INSERT INTO accounts (username, pass) VALUES('testuser', PASSWORD('secret'));
quit;
sudo groupadd nogroup
sudo useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd
Configure quota (disk quotas):
Install quota:
sudo yum install quota
sudo kwrite /etc/fstab
Change the fourth field of the root partition's entry in /etc/fstab to defaults,usrquota, so that the entry looks like this:
#
# /etc/fstab
# Created by anaconda on Wed Aug 21 21:35:05 2013
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/fedora-root / ext4 defaults,usrquota 1 1
UUID=4fedd1e3-da24-4796-99ee-55818d6d19c2 /boot ext4 defaults 1 2
/dev/mapper/fedora-home /home ext4 defaults,usrquota 1 2
/dev/mapper/fedora-swap swap swap defaults 0 0
Then reboot and run the following commands:
sudo quotacheck -acu -fm # scan the quota-enabled filesystems and create a current-usage table for each
sudo quotacheck -avu -fm # regenerate the current-usage table of each quota-enabled filesystem
sudo edquota vsftpd # set a disk quota for the user vsftpd (this is the quota for the virtual users, but it is one shared total; it cannot be set per virtual user, so it is of limited use; it is shown here only to demonstrate that virtual users can be given a quota at all)
The system now opens the quota file in the default text editor (vi), showing something like:
Disk quotas for user ftpuser (uid 501):
Filesystem blocks soft hard inodes soft hard
/dev/hda5 0 0 0 0 0 0
Press i, move with the arrow keys, and change the hard block limit from 0 to 1 (the default unit is KB):
/dev/hda5 0 0 1 0 0 0
Press Ctrl+C to leave edit mode.
Note:
The first column is the name of the quota-enabled filesystem. The second column shows the number of blocks the user currently uses, in KB. The next two columns set the user's soft and hard block limits on that filesystem. The inodes column shows the number of inodes the user currently uses. The last two columns set the user's soft and hard inode limits on that filesystem. The hard limit is the absolute maximum disk space a user or group can use; once it is reached, no more disk space can be used by that user or group. The soft limit also defines a maximum, but unlike the hard limit it may be exceeded for a certain period, called the grace period. The grace period can be expressed in seconds, minutes, hours, days, weeks or months. If any of these values is set to 0, that limit is not enforced. Edit as needed, then save and quit.
Save and quit:
Type :wq and press Enter
Note: the colon is required!!!
SELinux setting, without which anonymous users cannot log in:
sudo setsebool -P ftpd_full_access 1
Set the last two permission sets on /home/cc to "Can View Content", otherwise virtual users cannot log in.
sudo mkdir /var/run/vsftpd
sudo service mysqld start
sudo service vsftpd start
Note: the two quota commands
Enable: sudo quotaon -auvg
Disable: sudo quotaoff -auvg
Download FileZilla (an FTP client):
sudo yum install filezilla
Open FileZilla and enter your IP address, account and password (you can try anonymous login (enter nothing but the IP address and press Enter), a local user, and a virtual user (account testuser, password secret)).
Note: once the quota is used up, delete the files uploaded by the corresponding user and run:
sudo quotacheck -avu -fm
and the account can be used again.
Note: the log file is /var/log/auth.log on Ubuntu and /var/log/secure on Fedora.
Ubuntu is not recommended, because on Ubuntu I could not both enable quota and have virtual users and local users authenticate at the same time.
Note: the finished configuration file
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=root
anon_umask=022
anon_root=/home/cc/AAA
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
local_root=/home/cc/AAA
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
secure_chroot_dir=/var/run/vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
guest_enable=YES
guest_username=vsftpd
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd_user_conf
vsftpd_log_file=/var/log/vsftpd.log
seccomp_sandbox=NO
Other topics:
Quota:
If you set a soft limit, you also have to set the grace period:
Use edquota -t to set the grace period. Like the other edquota command, this opens the current filesystem quotas in a text editor:
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
Filesystem Block grace period Inode grace period
/dev/hda5 7days 7days
Save and quit
Display a welcome message
Append to vsftpd.conf:
dirmessage_enable=YES
Then edit .message in each user's home directory:
vi .message
qii@ubuntu:~$ cat .message
欢迎来到vsftpd
qii@ubuntu:~$ ftp localhost
Connected to localhost.
220 (vsFTPd 2.2.2)
Name (localhost:qii): qii
331 Please specify the password.
Password:
230-欢迎来到vsftpd
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
For anonymous users, put the file under
/var/ftp
Limit download speed
The unit is bytes, so convert accordingly. For example, to let anonymous users and the vsftpd users both download at 80 KB/s, the number should be 1024x80=81920:
anon_max_rate=number # download speed for anonymous users
local_max_rate=number # download speed for regular users
Limit the number of connections
The first is the maximum number of connections the server supports; the second is the maximum number of connections allowed per IP:
max_clients=number
max_per_ip=number
The respective error messages are:
qii@ubuntu:~$ ftp localhost
Connected to localhost.
421 There are too many connected users, please try later.
qii@ubuntu:~$ ftp localhost
Connected to localhost.
421 There are too many connections from your internet address.
Account login
The /etc/ftpusers file
Every user listed in this file is refused FTP access; the default list includes root, daemon, nobody and others. To ban a user, simply add them here.
The userlist_file file
vsftpd's own list, similar to /etc/ftpusers, with the file name and path chosen by you. Here it is set to /etc/vsftpd.user_list.
Add these settings to the configuration file:
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.user_list
Deny everyone, allow specific users
Both methods above deny the users in the list file. To do the reverse, deny all users and allow only those in the list file, use userlist_file like this:
userlist_enable=YES
userlist_deny=NO
root login
Accounts like root are blocked precisely by the files above; if you really must log in with a system account, delete that user name from the list file as described.
Chroot
Restrict all
Prevent logged-in users from accessing other directories: before the change the displayed path is, for example, ~; after the change it is /.
The effect looks like this.
Note: my local user is yeshuai, with home directory /home/yeshuai.
root@ubuntu:~# ftp localhost
Connected to localhost.
220 (vsFTPd 2.3.2)
Name (localhost:yeshuai): yeshuai
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> pwd
257 "/"
See above: normally, pwd would show /home/yeshuai.
Because I chrooted the user, /home/yeshuai becomes /.
chroot_local_user=YES
Allow all, restrict specific users
A given set of users can be restricted:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then create the list:
sudo vi /etc/vsftpd.chroot_list
One user name per line. Restart vsftpd:
sudo service vsftpd restart
Restrict all, exempt specific users
The rule above restricts the users in /etc/vsftpd.chroot_list. To restrict everyone and exempt only the users in /etc/vsftpd.chroot_list:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Virtual paths
For example, my FTP default directory is /srv/ftp and I want to map the folder /mnt/LinG/WinSoft into /srv/ftp. The command is:
#mount --bind [existing directory] [new directory]
First create the folder:
sudo mkdir /srv/ftp/WinSoft
Run the mount command:
sudo mount --bind /mnt/LinG/WinSoft /srv/ftp/WinSoft
Note: if you create a symbolic link yourself instead, anonymous users cannot open that folder, not even with chmod 777, and once local users are chrooted they cannot open it either. The reason is that after opening it, clicking ".." (in FileZilla) returns to the parent of the link target, so the directory drifts. For example, I have a folder QQQ under /home/cc/ and create a symlink under /home/cc/AAA/:
sudo ln -s /home/cc/QQQ /home/cc/AAA/QQ
If I do not restrict local users, log in as a local user and open /home/cc/AAA/QQ, the parent directory I return to is /home/cc, the home directory, rather than /home/cc/AAA. So vsftpd's security really is high and well thought out.
Restrict an IP, or allow only certain IPs:
Add the lines "all:all:deny" and "all:deny" at the end of /etc/hosts.allow.
Because everything is allowed by default, once these two rules are added nothing gets through except what you permit. Edit with sudo kwrite /etc/hosts.allow
and add vsftpd:192.168.1.0/24. Split the /24 into 256 subnets and each subnet is a single IP, which is how you allow an individual address.
vsftpd:192.168.2.0/24: DENY blocks an address instead.
Note: since this is /etc/hosts.allow, the default action is allow, so you do not write vsftpd:192.168.1.0/24:allow, but a deny has to be declared explicitly; the same logic applies to /etc/hosts.deny.
If you set only
vsftpd:192.168.1.0/24
all:all:deny
all:deny
then only 192.168.1.0 can connect and nothing else.
If you set only
vsftpd:192.168.2.0/24: DENY (block access from the 192.168.2.0 subnet)
vsftpd:192.168.1.0/24 (allow access from the 192.168.1.0 subnet)
then 192.168.2.0 is blocked
and 192.168.1.0 is allowed; in fact the vsftpd:192.168.1.0/24 line can be omitted.
Note: separate multiple IPs with commas (ASCII commas) or spaces.
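The two rule sets above behave differently because tcp_wrappers evaluates /etc/hosts.allow first, then /etc/hosts.deny, and falls through to "allow" when nothing matches; the DENY option lets an allow-file rule refuse. The simulator below is an added example, not part of tcp_wrappers, vsftpd or this guide: it parses rules in that syntax and decides access for a daemon name and client IP, so you can test a rule set before deploying it. It supports ALL, net/mask, trailing-dot prefixes and exact addresses; CIDR notation for IPv4 (as used on this page) is a distribution extension of tcp_wrappers and is assumed to be available. Hostname patterns and bracketed IPv6 patterns are not handled.

```python
"""Offline simulation of tcp_wrappers hosts_access() decisions (hypothetical
helper written for this guide; not libwrap)."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str], Optional[str]]  # daemons, clients, option


def _split_list(s: str) -> List[str]:
    return [t for t in s.replace(",", " ").split() if t]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines; '#' lines are comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # no client list: hosts_access logs an error and ignores the line
        option = fields[2].upper() if len(fields) > 2 and fields[2] else None
        rules.append((_split_list(fields[0]), _split_list(fields[1]), option))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # net/mask, or CIDR (assumed supported for IPv4)
        net_s, mask_s = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net_s}/{mask_s}", strict=False)
        except ValueError:
            return False
        return addr in network
    if pattern.endswith("."):  # leading-component match such as "192.168.1."
        return client_ip.startswith(pattern)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames are not resolved in this offline simulation


def hosts_access(daemon: str, client_ip: str, allow_text: str, deny_text: str) -> bool:
    """First match in hosts.allow wins (allow unless option DENY), then first match
    in hosts.deny (deny unless option ALLOW); no match at all means access."""
    for text, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(text):
            daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
            if daemon_ok and any(client_matches(c, client_ip) for c in clients):
                if option == "DENY":
                    return False
                if option == "ALLOW":
                    return True
                return default
    return True


# Constructed rule sets copied from the two scenarios on this page.
# Note that "all:deny" has only two fields, so tcp_wrappers reads it as
# daemon "all", client named "deny": it matches no address.
ALLOW_ONLY_ONE_SUBNET = "vsftpd:192.168.1.0/24\nall:all:deny\nall:deny\n"
DENY_ONE_SUBNET = "vsftpd:192.168.2.0/24: DENY\nvsftpd:192.168.1.0/24\n"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.2.5", "10.0.0.9"):
        print(ip, "only-subnet:", hosts_access("vsftpd", ip, ALLOW_ONLY_ONE_SUBNET, ""),
              "deny-subnet:", hosts_access("vsftpd", ip, DENY_ONE_SUBNET, ""))
```

One thing the simulation makes visible: the catch-all "all:all:deny" line refuses every wrapped service (sshd included) for clients outside 192.168.1.0/24, not just vsftpd, so test with the daemon names you actually run before relying on it.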
BTW: how to make the left taskbar the same width as the start menu?
It is simple: open the file browser Dolphin, move it so that its bottom edge is level, and align the top of the taskbar with the bottom edge of the small icon in the file browser's top-left corner.
Add the user cc to the vbox group so that USB devices are detected
Users and Groups
Set up a shared folder so that VirtualBox can exchange files with Windows
In Windows 7, open My Computer; "Map network drive" is at the top
Processing: garbled Chinese characters
1. Create a directory named fallback under /home/cc/processing-2.0.2/java/lib/fonts
mkdir /home/cc/processing-2.0.2/java/lib/fonts/fallback/
2. Put a Chinese font into fallback
Copying or linking both work
ln -s /usr/local/share/fonts/m/msyh.ttf /home/cc/processing-2.0.2/java/lib/fonts/fallback/
3. Enter /home/cc/processing-2.0.2/java/lib/fonts/fallback/ and run mkfontscale
Then append the contents of jre/lib/fonts/fallback/fonts.scale to /home/cc/processing-2.0.2/java/lib/fonts/fonts.dir
cd /home/cc/processing-2.0.2/java/lib/fonts/fallback/
mkfontscale
cd ..
cat fallback/fonts.scale >> fonts.dir
Final result