CentOS7安装配置Vsftpd服务器（yum方式安装）

Vsftpd服务器安装配置

Vsftpd匿名用户配置

Vsftpd系统用户配置

Vsftpd虚拟用户配置

Vsftpd服务器安装配置

Vsftpd服务器端安装有两种方法：一是基于YUM方式安装；二是基于源码编译安装，最终实现效果完全一样，本文采用YUM安装Vsftpd，具体步骤如下：

1）在shell命令行执行如下命令（安装前要保证主机可以ping通linux）

yum install vsftpd* -y

2）Vsftpd.conf配置文件详解：

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# 开启匿名用户访问
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# 启动本地系统用户访问
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# 本地系统用户写入权限
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# 本地用户创建文件及目录默认权限掩码
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 打印目录显示信息，通常用于用户第一次访问目录时，信息提示
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 启用上传/下载日志记录
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# 使用20端口进行数据传输
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件将根据xferlog的标准格式写入
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# vsftpd以独立模式运行并侦听IPv4套接字。如果为NO，则Vsftpd不以独立的服务启动，通过Xinetd服务。建议改为YES
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 不启动IPv6监听。确保其中一个侦听选项已被注释！！如果您想要这样做（可能是因为您想要监听特定地址），那么您必须使用两个配置文件运行两个vsftpd副本。
listen_ipv6=NO# 登录FTP服务器，依据/etc/pam.d/vsftpd中的内容进行认证
pam_service_name=vsftpd
# vsftpd.user_list和ftpusers配置文件里用户禁止访问FTP
userlist_enable=YES
# 设置Vsftpd与tcp wrapper结合进行主机的访问控制，Vsftpd服务器检查/etc/hosts.allow和/etc/hosts.deny中的设置来决定请求连接的主机，是否允许访问该FTP服务器
tcp_wrappers=YES

3）Vsftpd安装后查看配置文件路径、启动Vsftpd服务及查看进程是否启动

rpm -ql vsftpd | more
systemctl restart vsftpd.service
ps -ef | grep vsftpd

4）启动Vsftpd服务后，通过Windows客户端资源管理器访问Vsftpd服务器端

ftp://IP地址/

FTP默认为主动模式，设置为被动模式的方法如下：

pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100

Vsftpd匿名用户配置

Vsftpd 默认以匿名用户访问，匿名用户默认访问的 FTP 服务器发布端路径为 /var/ftp/pub ，匿名用户只有查看权限，无法创建、删除、修改。如需关闭 FTP 匿名用户访问，需修改配置文件 /etc/vsftpd/vsftpd.conf ，将 anonymous_enable=YES 修改为 anonymous_enable=NO 下，重启Vsftpd服务即可。

如果允许匿名用户能够上传、下载、删除文件，需在 /etc/vsftpd/vsftpd.conf 配置文件中加入以下代码，详解如下：

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# 开启匿名用户访问
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# 启动本地系统用户访问
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# 本地系统用户写入权限
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# 本地用户创建文件及目录默认权限掩码
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#允许匿名用户上传文件
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#允许匿名用户创建文件
anon_mkdir_write_enable=YES
#
#允许匿名用户其他写入权限
anon_other_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 打印目录显示信息，通常用于用户第一次访问目录时，信息提示
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 启用上传/下载日志记录
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# 使用20端口进行数据传输
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件将根据xferlog的标准格式写入
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# vsftpd以独立模式运行并侦听IPv4套接字。如果为NO，则Vsftpd不以独立的服务启动，通过Xinetd服务。建议改为YES
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 不启动IPv6监听。确保其中一个侦听选项已被注释！！如果您想要这样做（可能是因为您想要监听特定地址），那么您必须使用两个配置文件运行两个vsftpd副本。
listen_ipv6=NO# 登录FTP服务器，依据/etc/pam.d/vsftpd中的内容进行认证
pam_service_name=vsftpd
# vsftpd.user_list和ftpusers配置文件里用户禁止访问FTP
userlist_enable=YES
# 设置Vsftpd与tcp wrapper结合进行主机的访问控制，Vsftpd服务器检查/etc/hosts.allow和/etc/hosts.deny中的设置来决定请求连接的主机，是否允许访问该FTP服务器
tcp_wrappers=YES

由于默认Vsftpd匿名用户有两种：anonymous、ftp，所以匿名用户如果需要上传文件、删除及修改等权限，需要 Vsftpd 用户对 /etc/ftp/pub 目录有写入权限，使用 chown 和 chmod 任意一种命令均可设置权限，具体设置命令如下：

cd /var/ftp
chown -R ftp pub/
chmod 777 pub/

做到这里，执行 ls 命令时，出现425错误，需要关闭 Windows 的防火墙。尝试去创建文件，但是都提示 550 错误。查阅发现是SELinux(Security-Enhanced Linux----是美国国家安全局对于强制访问控制的实现, 是Linux 上最杰出的新安全子系统。)安装机制搞的鬼。只要disable SELinux就可以了。

vim /etc/selinux/config

不想重启就执行以下命令：

setenforce 0

如上 Vsftpd.conf 配置完毕，同时权限设置完毕，重启 Vsftpd 服务即可，通过 Windows 客户端访问，能够上传文件、删除文件、创建目录等操作。

systemctl restart vsftpd.service

使用 cmd 打开，用 ftp 用户登录，没有密码，直接回车即可。

使用 cmd put上传文件时，如果出现 553 错误，则 vim /etc/vsftpd/vsftpd.conf ，将 ocal_umask=022 改为 ocal_umask=002。因为当你设置为775时, 文件夹是被设置为7+(7-2)+(5-2)=753，你需要将locla_umask设置为002, 然后再重新指定文件夹的权限为775才可以解决这个问题。修改完之后需要重新启动 Vsftpd 服务。

可以删除文件，但是不能删除目录！

Vsftpd系统用户配置

Vsftpd匿名用户设置完毕，任何人都可以查看 FTP 服务端的文件、目录，甚至可以修改、删除文件和目录，如何存放私密文件在 FTP 服务器端，并保证文件或目录专属于拥有者呢？Vsftpd系统用户可以实现该需求，解决上诉问题。

实现 Vsftpd 系统用户方式验证，只需在 Linux 系统中创建多个用户即可，创建用户使用 useradd 指令，同时给用户设置密码，即可通过用户和密码登录 FTP，进行文件上传、下载、删除等操作。Vsftpd 系统用户实现方法步骤如下：

1）Linux 系统中创建系统用户 aaa、bbb，分别设置密码为123456。

使用 echo 方式来重置Linux 系统用户密码，--stdin 这个选项用于从标准输入管道读入新的密码。这种方式虽然简单，但是通过history命令可以查到用户的密码，所以不安全。

useradd aaa
useradd bbb
echo 123456 | passwd --stdin aaa
echo 123456 | passwd --stdin bbb

2）修改 vsftpd.conf 配置文件如下：（关闭了匿名用户的所有权限）

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# 关闭匿名用户访问
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
# 启动本地系统用户访问
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# 本地系统用户写入权限
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# 本地用户创建文件及目录默认权限掩码
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 打印目录显示信息，通常用于用户第一次访问目录时，信息提示
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 启用上传/下载日志记录
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# 使用20端口进行数据传输
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件将根据xferlog的标准格式写入
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# vsftpd以独立模式运行并侦听IPv4套接字。如果为NO，则Vsftpd不以独立的服务启动，通过Xinetd服务。建议改为YES
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 不启动IPv6监听。确保其中一个侦听选项已被注释！！如果您想要这样做（可能是因为您想要监听特定地址），那么您必须使用两个配置文件运行两个vsftpd副本。
listen_ipv6=NO# 登录FTP服务器，依据/etc/pam.d/vsftpd中的内容进行认证
pam_service_name=vsftpd
# vsftpd.user_list和ftpusers配置文件里用户禁止访问FTP
userlist_enable=YES
# 设置Vsftpd与tcp wrapper结合进行主机的访问控制，Vsftpd服务器检查/etc/hosts.allow和/etc/hosts.deny中的设置来决定请求连接的主机，是否允许访问该FTP服务器
tcp_wrappers=YES

3）重启 Vsftpd 服务，通过 Windows 资源客户端验证，使用 aaa、bbb 用户登录 FTP 服务器，即可上传文件、删除文件、下载文件，aaa、bbb系统用户上传文件的家目录在 /home/aaa、/home/bbb下。

systemctl restart vsftpd.service

Vsftpd虚拟用户配置

Vsftpd 基于系统用户访问 FTP 服务器，系统用户越多越不利于管理，而且不利于系统安全，为了能更安全使用 Vsftpd，可以使用 Vsftpd 虚拟用户方式。

Vsftpd 虚拟用户原理为虚拟用户没有实际的真实系统用户，而是通过映射到其中一个真实用户以及设置相应的权限来实现访问验证，虚拟用户不能登录 Linux 系统，从而让系统更加的安全。

Vsftpd 虚拟用户企业案例配置步骤如下：

1）安装 Vsftpd 虚拟用户需要用到的软件以及认证模块。

yum install pam* libdb-utils libdb* --skip-broken -y

2）创建虚拟用户临时文件 /etc/vsftpd/ftpusers.txt，新建虚拟用户和密码，其中test1、test2为虚拟用户名，123456为密码，如果有多个用户，依此格式填写即可。

test1
123456
test2
123456

3）生成 Vsftpd 虚拟用户数据库认证文件，设置权限为700。

保存虚拟帐号和密码的文本文件无法被系统帐号直接调用。我们需要使用db_load 命令生成db

数据库文件

db_load -T -t hash -f /etc/vsftpd/ftpusers.txt /etc/vsftpd/vsftpd_login.db
chmod 700 /etc/vsftpd/vsftpd_login.db

选项-T允许应用程序能够将文本文件转译载入进数据库。

-t hash使用hash码加密

-f 指定包含用户名和密码文本文件。此文件格式要示：奇数行用户名、偶数行密码

4）配置 PAM 认证文件，/etc/pam.d/vsftpd 行首加入如下两行代码，其他注释掉：

auth       required pam_userdb.so   db=/etc/vsftpd/vsftpd_login
account    required pam_userdb.so   db=/etc/vsftpd/vsftpd_login

5）Vsftpd 虚拟用户需要映射到一个系统用户，该系统用户不需要密码，也不需要登录，主要用于虚拟用户映射使用，创建用户命令如下：

useradd -s /sbin/nologin ftpuser