Cài đặt VSFTPD trên CENTOS 6

Posted: June 29, 2012 in CentOS, Hệ điều hành

Để triển khai dịch vụ FTP trên các máy CentOS, chúng ta có rất nhiều lựa chọn như vsftpd, proftpd, pureftpd

Trên Centos 6, để cài đặt và config vsftpd cho dịch vụ FTP, làm như sau:

Bước 1: Install vsftpd:

[root@localhost /]# yum search vsftpd

[root@localhost /]# yum install vsftpd

Bước 2: Config vsftpd:

File config của vsftpd: /etc/vsftpd/vsftpd.conf. File này được sửa lại như sau:

# Example config file /etc/vsftpd/vsftpd.conf

#

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

#

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd’s

# capabilities.

#

# Allow anonymous FTP? (Beware – allowed by default if you comment this out).

anonymous_enable=NO

#

# Uncomment this to allow local users to log in.

local_enable=YES

#

# Uncomment this to enable any form of FTP write command.

write_enable=YES

#

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd’s)

local_umask=022

#

# Uncomment this to allow the anonymous FTP user to upload files. This only

# has an effect if the above global write enable is activated. Also, you will

# obviously need to create a directory writable by the FTP user.

anon_upload_enable=NO

#

# Uncomment this if you want the anonymous FTP user to be able to create

# new directories.

#anon_mkdir_write_enable=YES

#

# Activate directory messages – messages given to remote users when they

# go into a certain directory.

dirmessage_enable=YES

#

# Activate logging of uploads/downloads.

xferlog_enable=YES

#

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

#

# If you want, you can arrange for uploaded anonymous files to be owned by

# a different user. Note! Using “root” for uploaded files is not

# recommended!

#chown_uploads=YES

#chown_username=whoever

#

# You may override where the log file goes if you like. The default is shown

# below.

xferlog_file=/var/log/vsftpd.log

#

# If you want, you can have your log file in standard ftpd xferlog format.

# Note that the default log file location is /var/log/xferlog in this case.

#xferlog_std_format=YES

#

# You may change the default value for timing out an idle session.

#idle_session_timeout=600

#

# You may change the default value for timing out a data connection.

#data_connection_timeout=120

#

# It is recommended that you define on your system a unique user which the

# ftp server can use as a totally isolated and unprivileged user.

#nopriv_user=ftpsecure

#

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it,

# however, may confuse older FTP clients.

#async_abor_enable=YES

#

# By default the server will pretend to allow ASCII mode but in fact ignore

# the request. Turn on the below options to have the server actually do ASCII

# mangling on files when in ASCII mode.

# Beware that on some FTP servers, ASCII support allows a denial of service

# attack (DoS) via the command “SIZE /big/file” in ASCII mode. vsftpd

# predicted this attack and has always been safe, reporting the size of the

# raw file.

# ASCII mangling is a horrible feature of the protocol.

ascii_upload_enable=YES

ascii_download_enable=YES

#

# You may fully customise the login banner string:

#ftpd_banner=Welcome to FTP service. Be careful with anything you’ll do

ftpd_banner=Welcome to FTP service.Be careful with anything you will do

 

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd/banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

# (Warning! chroot’ing can be very dangerous. If using chroot, make sure that

# the user does not have write access to the top level directory within the

# chroot)

chroot_local_user=YES

chroot_list_enable=YES

# (default follows)

chroot_list_file=/etc/vsftpd/chroot_list

#

# You may activate the “-R” option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as “ncftp” and “mirror” assume

# the presence of the “-R” option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

ls_recurse_enable=NO

#

# When “listen” directive is enabled, vsftpd runs in standalone mode and

# listens on IPv4 sockets. This directive cannot be used in conjunction

# with the listen_ipv6 directive.

listen=YES

#

# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6

# sockets, you must run two copies of vsftpd with two configuration files.

# Make sure, that one of the listen options is commented !!

#listen_ipv6=YES

 

pam_service_name=vsftpd

userlist_enable=NO

tcp_wrappers=YES

 

convert_charset_enable=1

local_charset=UTF8

remote_charset=WIN1251

double_377=0

 

#pasv_addr_rules=/etc/vsftpd/vsftpd.pasv_rules

 

anti_bruteforce=1

anti_bruteforce_banner=Bruteforce detected. Server in safe mode.

 

http_enable=no

ftp_enable=yes

http_browse=no

 

http_browse_tpl=/etc/vsftpd/vsftpd-browse.html

http_browse_line_tpl=/etc/vsftpd/vsftpd-browse_line.html

http_error_403_server_tpl=/etc/vsftpd/vsftpd-403-serv.html

http_error_403_tpl=/etc/vsftpd/vsftpd-403.html

http_error_404_tpl=/etc/vsftpd/vsftpd-404.html

 

one_process_model=no

 

local_root=/var/www/html/

use_localtime=YES

Edit file chroot_list để add user được quyền sử dụng vsftpd:

[root@localhost vsftpd]# vi chroot_list

Và add user có quyền truy cập vào FTP server, ví dụ:

thongvv

tuandm

khoanb

và edit file sau:

[root@localhost vsftpd]# vi user_list

Add các user mới vào và comment các user có trong file đó như sau:

# vsftpd userlist

# If userlist_deny=NO, only allow users in this file

# If userlist_deny=YES (default), never allow users in this file, and

# do not even prompt for a password.

# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers

# for users that are denied.

#root

#bin

#daemon

#adm

#lp

#sync

#shutdown

#halt

#mail

#news

#uucp

#operator

#games

#nobody

khoanb

tuandm

thongvv

Bước 3: Start, stop, restart dịch vụ vsftpd:

[root@localhost vsftpd]# /etc/init.d/vsftpd start

[root@localhost vsftpd]# /etc/init.d/vsftpd restart

[root@localhost vsftpd]# /etc/init.d/vsftpd stop

Bước 4: Các lỗi thường gặp:

  • Gặp thông báo: OOPS: cannot change directory:/home/username

Solution: hãy chắn chắn rằng Selinux đã bị disabled, bằng cách như sau:

Config SELINUX=disabled trong /etc/selinux/config:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded.

SELINUX=disabled

# SELINUXTYPE= can take one of these two values:

#       targeted – Targeted processes are protected,

#       mls – Multi Level Security protection.

SELINUXTYPE=targeted

Reboot lại hệ thống. Sau khi reboot, sử dụng lệnh sau getenforce để kiểm tra:

$ /usr/sbin/getenforce

Disabled

Nếu không muốn reboot lại máy, có thể dùng lệnh sau:

[root@localhost ~]#setenforce 0

  • Gặp thông báo: OOPS: vsftpd: security: ‘one_process_model’ is anonymous only

Solution: hãy chắn chắn rằng: one_process_model=NO

Tham khảo:

[1] https://security.appspot.com/vsftpd/vsftpd_conf.html

[2] http://sysadmintools.net/tag/vsftpd/

[3] http://linuxmoz.com/centos-disable-selinux/

[4] http://www.linuxtopia.org/online_books/rhel6/rhel_6_selinux/rhel_6_selinux_sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html#

[5] http://hi.baidu.com/196568541/blog/item/fc11c7ee62039c18fdfa3c9b.html

[6] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-File_Transfer_Protocol.html

[7] http://www.server-world.info/en/note?os=CentOS_6&p=ftp&f=1

Hà Nội, ngày 29/06/2012

ledlong

Comments
  1. Aw, this was a really good post. Taking the time and actual effort to make a very good article… but what can I say… I put things off
    a whole lot and don’t manage to get nearly anything done.

  2. I was recommended this blog via my cousin. I’m not certain whether this put up is written by means of him as no one else understand such exact about my difficulty. You are incredible! Thanks!

  3. bao Dien tu says:

    I read this piece of writing fully about the
    difference of newest and earlier technologies, it’s awesome article.

  4. Wow that was odd. I just wrote an incredibly long comment
    but after I clicked submit my comment didn’t appear. Grrrr… well I’m not writing all that over again.

    Anyways, just wanted to say excellent blog!

  5. Pretty great post. I just stumbled upon your weblog and wanted to say
    that I have really enjoyed surfing around your weblog posts.
    In any case I will be subscribing on your feed and I’m hoping you write again soon!

  6. Brain says:

    WOW just what I was looking for. Came here by searching for time &
    attendance software

  7. Greetings! I know this is kinda off topic however I’d figured I’d ask.
    Would you be interested in trading links or maybe guest authoring a
    blog post or vice-versa? My site addresses a lot of the same subjects as yours and I think we could greatly benefit from
    each other. If you’re interested feel free to send me an email.
    I look forward to hearing from you! Fantastic blog by the way!

  8. Nice post. I learn something new and challenging on blogs I
    stumbleupon on a daily basis. It’s always interesting to read through content from other authors and practice something from their web sites.

  9. Fantastic beat ! I would like to apprentice while you amend your web site, how could
    i subscribe for a blog site? The account helped me
    a acceptable deal. I had been tiny bit acquainted of this your
    broadcast offered bright clear idea

  10. Natalia says:

    Good day I am so grateful I found your blog page, I really found you by
    error, while I was searching on Aol for something else, Regardless I am here now and would just like to say thank you for a marvelous post
    and a all round entertaining blog (I also love the theme/design),
    I don’t have time to read it all at the moment but I have saved it
    and also added in your RSS feeds, so when I have time I will be back to
    read much more, Please do keep up the excellent jo.

  11. This blog was… how do I say it? Relevant!! Finally I’ve found something which helped me.
    Thanks a lot!

  12. Kristin says:

    Today, I went to the beachfront with my kids.
    I found a sea shell and gave it to my 4 year old daughter and said
    “You can hear the ocean if you put this to your ear.” She
    placed the shell to her ear and screamed. There
    was a hermit crab inside and it pinched her ear. She never wants to go back!
    LoL I know this is entirely off topic but I had to tell someone!

  13. I like what you guys are up too. This type of clever
    work and reporting! Keep up the fantastic works guys I’ve you guys to my personal blogroll.

  14. imessagez.ru says:

    Link exchange is nothing else however it is simply placing the other person’s webpage link on your page at appropriate place and other person will also do
    same in favor of you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s