VSFTPD Configuration

Compiled, organized and written by snow chuai --- 2020/2/23


1. Install and start the vsftpd service
1) Install vsftpd
[root@srv1 ~]# yum install vsftpd -y
2) Start vsftpd
[root@srv1 ~]# systemctl enable --now vsftpd
3) Place a file under /var/ftp/ and hand it to the ftp user
[root@srv1 ~]# cp text.txt /var/ftp
[root@srv1 ~]# chown ftp. /var/ftp/text.txt
4) Anonymous access with the ftp account
[root@client ~]# yum install ftp -y
[root@client ~]# ftp srv1.1000cc.net
Connected to srv1.1000cc.net (192.168.10.11).
220 (vsFTPd 3.0.2)
Name (srv1.1000cc.net:root): ftp
331 Please specify the password.
Password:                                  # password: ftp (vsftpd does not check the anonymous password by default)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,10,11,111,189).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
-rw-r--r--    1 14       50              0 Feb 22 10:50 text.txt
226 Directory send OK.
ftp> get text.txt                          # download text.txt
local: text.txt remote: text.txt
227 Entering Passive Mode (192,168,10,11,184,117).
150 Opening BINARY mode data connection for text.txt (0 bytes).
226 Transfer complete.
ftp> bye
221 Goodbye.
The anonymous login works before any configuration because the vsftpd.conf shipped with CentOS 7 has anonymous_enable=YES; section 2 turns it off. The uid 14 / gid 50 in the listing are the ftp user and group set by the chown above.
5) Local account access
[root@client ~]# ftp srv1.1000cc.net
Connected to srv1.1000cc.net (192.168.10.11).
220 (vsFTPd 3.0.2)
Name (srv1.1000cc.net:root): snow
331 Please specify the password.
Password:                                  # snow's password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/snow"                           # a local account lands in its own home directory by default
ftp> put text.txt                          # upload text.txt
local: text.txt remote: text.txt
227 Entering Passive Mode (192,168,10,11,218,202).
150 Ok to send data.
226 Transfer complete.
ftp> bye
221 Goodbye.
Plain FTP sends snow's system password and every file in cleartext, and a local FTP login is a real system-account login. Do not leave this running beyond the test; section 3 wraps the control and data connections in TLS.
2. Configure vsftpd
1) Edit vsftpd.conf
[root@srv1 ~]# vim /etc/vsftpd/vsftpd.conf
# line 12: disable anonymous logins
anonymous_enable=NO
# lines 83,84: allow ASCII mode transfers
ascii_upload_enable=YES
ascii_download_enable=YES
# lines 101,102: enable chroot
chroot_local_user=YES
chroot_list_enable=YES
# line 104: chroot list file
chroot_list_file=/etc/vsftpd/chroot_list
# line 110: uncomment (recursive listings of large trees are expensive for the server; leave this off if untrusted users can log in)
ls_recurse_enable=YES
# line 115: listen on IPv4
listen=YES
# line 124: do not listen on IPv6
listen_ipv6=NO
# append the following at the end of the file
# directory the user is chrooted into; a relative path is taken under the user's home directory
local_root=public_ftp
# use local time in directory listings
use_localtime=YES
# if logins fail with a "500 OOPS" error right after authentication, disable the seccomp sandbox
seccomp_sandbox=NO

Two things about the chroot settings. First, the meaning of the list depends on chroot_local_user: with chroot_local_user=YES every local user is jailed and the users named in chroot_list are the ones EXEMPTED from the jail, so with the list below snow and gz are the users who are not confined. To jail everybody, set chroot_list_enable=NO; to jail only selected users, set chroot_local_user=NO and list them. Second, vsftpd 3.x refuses a chrooted login when the jail root is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); with local_root=public_ftp the jail root is ~/public_ftp, so make that directory root-owned and mode 755 with a writable subdirectory for uploads, or set allow_writeable_chroot=YES (the weaker choice, since it gives up that protection). seccomp_sandbox=NO likewise removes a defence-in-depth layer; use it only after other causes of the login failure have been ruled out.
2) Configure the chroot list
[root@srv1 ~]# vim /etc/vsftpd/chroot_list
# one account per line
snow
gz
[root@srv1 ~]# systemctl restart vsftpd
3) Firewall
[root@srv1 ~]# firewall-cmd --add-service=ftp --permanent
success
[root@srv1 ~]# firewall-cmd --reload
success
4) SELinux
[root@srv1 ~]# setsebool -P ftpd_full_access on
ftpd_full_access lets vsftpd read and write every file the logged-in user can; if only the users' home directories are needed, the narrower boolean ftp_home_dir is enough (getsebool -a | grep ftp lists the available ones).
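The chroot settings in step 1) are easy to misread, so here is an added example (not part of the original page, and not vsftpd's own code) that evaluates them the way vsftpd does: which users end up jailed, where the jail root lands when local_root is relative, and whether vsftpd would refuse the login because the jail root is writable. The functions take a vsftpd.conf and chroot_list path, so they can be pointed at /etc/vsftpd/vsftpd.conf and /etc/vsftpd/chroot_list on srv1; the sample files, the user alice and the home directory paths at the bottom are constructed for the demo, and the writable check is an approximation of vsftpd's access test (it looks at ownership and mode bits only, not group membership).

```shell
#!/bin/sh
# Added example: resolve what vsftpd's chroot settings actually do for a
# given local user, and catch the "writable root" refusal of vsftpd 3.x.

# conf_get FILE KEY -> value of KEY (last uncommented occurrence wins), empty if unset
conf_get() {
    awk -F= -v k="$2" '$0 !~ /^[[:space:]]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# chroot_policy CONF LIST USER -> "jailed" or "exempt"
# vsftpd rules: chroot_local_user=YES jails every local user and chroot_list
# (when chroot_list_enable=YES) is the EXEMPTION list; chroot_local_user=NO
# jails nobody except the users named in the list.
chroot_policy() {
    conf=$1; list=$2; user=$3
    jail_all=$(conf_get "$conf" chroot_local_user)
    list_on=$(conf_get "$conf" chroot_list_enable)
    in_list=no
    if [ "$list_on" = YES ] && [ -r "$list" ] && grep -qxF "$user" "$list"; then
        in_list=yes
    fi
    if [ "$jail_all" = YES ]; then
        [ "$in_list" = yes ] && echo exempt || echo jailed
    else
        [ "$in_list" = yes ] && echo jailed || echo exempt
    fi
}

# jail_root CONF HOME -> directory vsftpd chroots a jailed user into:
# local_root as given if absolute, HOME/local_root if relative, HOME if unset
jail_root() {
    root=$(conf_get "$1" local_root)
    case "$root" in
        "") echo "$2" ;;
        /*) echo "$root" ;;
        *)  echo "$2/$root" ;;
    esac
}

# writable_root_trap CONF DIR USER -> "refused" if vsftpd would abort the login
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"),
# "ok" otherwise. Approximation: DIR counts as writable when USER owns it and
# the owner-write bit is set, or when it is world-writable.
writable_root_trap() {
    [ "$(conf_get "$1" allow_writeable_chroot)" = YES ] && { echo ok; return; }
    dir=$2; user=$3
    if [ -n "$(find "$dir" -prune -user "$user" -perm -200 -print 2>/dev/null)" ] \
       || [ -n "$(find "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
        echo refused
    else
        echo ok
    fi
}

# --- demo with constructed files (not a real server's configuration) ---
DEMO=$(mktemp -d)
cat > "$DEMO/vsftpd.conf" <<'EOF'
# constructed: the chroot-related settings from section 2 of the page
anonymous_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
local_root=public_ftp
EOF
sed 's/^chroot_local_user=YES/chroot_local_user=NO/' "$DEMO/vsftpd.conf" > "$DEMO/optin.conf"
{ cat "$DEMO/vsftpd.conf"; echo allow_writeable_chroot=YES; } > "$DEMO/relaxed.conf"
printf 'snow\ngz\n' > "$DEMO/chroot_list"
ME=$(id -un)
mkdir -p "$DEMO/home/me/public_ftp" "$DEMO/home/me/ro_ftp"
chmod 755 "$DEMO/home/me/public_ftp"   # owner-writable jail root: vsftpd refuses
chmod 555 "$DEMO/home/me/ro_ftp"       # read-only jail root: accepted

for u in snow gz alice; do            # alice is a constructed user not in the list
    printf '%s: %s' "$u" "$(chroot_policy "$DEMO/vsftpd.conf" "$DEMO/chroot_list" "$u")"
    printf ' (jail root would be %s)\n' "$(jail_root "$DEMO/vsftpd.conf" "/home/$u")"
done
echo "writable root, page's conf:            $(writable_root_trap "$DEMO/vsftpd.conf" "$DEMO/home/me/public_ftp" "$ME")"
echo "read-only root, page's conf:           $(writable_root_trap "$DEMO/vsftpd.conf" "$DEMO/home/me/ro_ftp" "$ME")"
echo "writable root, allow_writeable_chroot: $(writable_root_trap "$DEMO/relaxed.conf" "$DEMO/home/me/public_ftp" "$ME")"
```

With the page's settings the demo reports snow and gz as exempt and alice as jailed in /home/alice/public_ftp, and flags the owner-writable jail root as refused; swapping in optin.conf (chroot_local_user=NO) inverts the first result, which is the behaviour to keep in mind when editing the list.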
3. Set up FTPS
1) Generate a certificate
[root@srv1 ~]# cd /etc/pki/tls/certs
[root@srv1 certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem -days 365
Generating a 2048 bit RSA private key
.......+++
.............................................................................................
......................................+++
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:1000cc.net
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:srv1.1000cc.net
Email Address []:
[root@srv1 certs]# chmod 400 vsftpd.pem
[root@srv1 certs]# cd
Because of -nodes, vsftpd.pem holds the unencrypted private key together with the certificate, so it must stay root-only (the chmod 400 above). Clients only ever need the certificate part, which openssl x509 -in vsftpd.pem prints on its own.
2) Configure vsftpd
[root@srv1 ~]# vim /etc/vsftpd/vsftpd.conf
# append the following at the end of the file
# passive mode port range
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# enable TLS (the key is read from the same file; rsa_private_key_file defaults to rsa_cert_file)
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
ssl_ciphers=HIGH
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES permits TLS 1.0, which is itself deprecated; whether the build also negotiates TLS 1.1/1.2 depends on the vsftpd and OpenSSL versions, so check the protocol actually negotiated (for example with openssl s_client -starttls ftp) rather than assuming it. force_local_logins_ssl and force_local_data_ssl are what stop a client from falling back to cleartext for the password and the file transfers.

[root@srv1 ~]# systemctl restart vsftpd
3) Firewall
[root@srv1 ~]# firewall-cmd --add-port=21000-21010/tcp --permanent
success
[root@srv1 ~]# firewall-cmd --reload
success
The passive range has to be opened explicitly here: with TLS on the control channel the kernel's FTP connection-tracking helper that the ftp service relies on in section 2 can no longer read the PASV replies and open the data ports on demand.
4) Client tests
(1) CLI client test
[root@client ~]# yum install lftp -y
[root@client ~]# su - snow
[snow@client ~]$ vim ~/.lftprc
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
[snow@client ~]$ lftp -u snow srv1.1000cc.net
Password:                                  # snow's password
lftp snow@srv1.1000cc.net:~> ls
-rw-r--r--    1 1000     1000            0 Feb 22 10:55 text.txt
lftp snow@srv1.1000cc.net:~> bye
[snow@client ~]$
ssl:verify-certificate no switches off certificate verification entirely, so the session protects against passive eavesdropping only, not against an active attacker presenting his own certificate. Use it for the first connection test only; afterwards copy the certificate part of vsftpd.pem to the client and point lftp at it with set ssl:ca-file /path/to/vsftpd.crt, keeping verification on (a self-signed certificate is its own CA, so verification then succeeds).
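Instead of turning verification off, a client can pin the server's certificate. The following is an added example, not part of the original page and not code from vsftpd or lftp: pin_from_pem takes the SHA-256 fingerprint of the certificate in vsftpd.pem (run it on srv1 against /etc/pki/tls/certs/vsftpd.pem), probe_ftps then opens the FTPS control port with openssl s_client -starttls ftp, reports the negotiated protocol, cipher and verify result, and fails unless the presented certificate matches the pin. The host name and port in the usage comment and the embedded sample s_client output are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify an FTPS server by certificate pinning instead of
# `set ssl:verify-certificate no`.

# normalize_fp: "SHA256 Fingerprint=AB:CD:..." on stdin -> "abcd..." (no colons, lower case)
normalize_fp() {
    sed -n 's/^.*Fingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# pin_from_pem FILE -> SHA-256 fingerprint of the first certificate in FILE
# (openssl x509 skips the PRIVATE KEY block that vsftpd.pem starts with)
pin_from_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}

# handshake_summary: s_client output on stdin -> "protocol cipher verify_code"
# verify_code 0 = chain verified, 18 = self-signed certificate (expected here
# unless the client is given the server certificate with -CAfile)
handshake_summary() {
    awk '
        /^ *Protocol *:/         { proto = $NF }
        /^ *Cipher *:/           { cipher = $NF }
        /^ *Verify return code:/ { code = $4 }
        END { print proto, cipher, code }'
}

# presented_pin: s_client output on stdin -> fingerprint of the leaf certificate it printed
presented_pin() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# probe_ftps HOST PORT PIN -> prints the handshake summary; exit status 0 only
# if the server presented the pinned certificate, 1 on mismatch, 2 if no TLS
# handshake happened at all (e.g. ssl_enable=NO or the firewall drops port 21)
probe_ftps() {
    host=$1; port=${2:-21}; pin=$3
    out=$(openssl s_client -starttls ftp -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    [ -n "$out" ] || { echo "no TLS handshake with $host:$port"; return 2; }
    printf '%s\n' "$out" | handshake_summary
    got=$(printf '%s\n' "$out" | presented_pin)
    if [ "$got" = "$pin" ]; then
        echo "pin OK ($got)"; return 0
    fi
    echo "PIN MISMATCH: expected $pin, server presented $got"; return 1
}

# Constructed sample of what s_client prints for the page's self-signed
# certificate (trimmed to the lines handshake_summary looks at; no key material).
SAMPLE_SCLIENT='CONNECTED(00000003)
depth=0 C = CN, ST = BeiJing, L = BeiJing, O = 1000cc.net, OU = tech, CN = srv1.1000cc.net
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---'

printf '%s\n' "$SAMPLE_SCLIENT" | handshake_summary   # prints: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 18
# Live use against the page's server (constructed host name; PIN comes from
# `pin_from_pem /etc/pki/tls/certs/vsftpd.pem` run on srv1):
#   probe_ftps srv1.1000cc.net 21 "$PIN"
```

A protocol of TLSv1 in the summary means the ssl_tlsv1=YES setting is all the server offers and the build should be upgraded or reconfigured; a verify code of 18 is expected with a self-signed certificate, and the pin comparison is what actually proves the client is talking to srv1.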
(2) GUI client test with FileZilla
In FileZilla's Site Manager choose port 21 with encryption set to "Require explicit FTP over TLS". On the first connection FileZilla shows the unknown certificate together with its fingerprint; compare it with the fingerprint of vsftpd.pem on srv1 before accepting it.