Vsftpd - un serveur ftp sous linux
Exemples
de fichiers de configuration vsftpd
Redhat
Pour gérer la base: db_load -T -t hash -f
/etc/vsftpd.txt
/etc/vsftpd_login.d
Format fichier vsftpd.txt
user
password
Debian
exemple entrée xinetd.conf pour vsftpd
service ftp
{
id = ftp
protocol = tcp
# disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
per_source = 2
instances = 10
nice = 10
log_on_success += PID HOST DURATION
log_on_failure += HOST
#log_on_success += DURATION USERID
#log_on_failure += USERID
# banner = /etc/banner.msg
}
Fichiers de conf vsftpd :
#
Example config file /etc/vsftpd.conf
# The default compiled
in settings are very paranoid. This sample file
# loosens things up a
bit, to make the ftp daemon more usable.
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to
allow local users to log in.
local_enable=YES
# Uncomment this to
enable any form of FTP write command.
write_enable=YES
#
# Default umask for
local users is 077. You may wish to change this to 022,
# if your users expect
that (022 is used by most other ftpd's)
local_umask=022
# Uncomment this to
allow the anonymous FTP user to upload files. This only
# has an effect if the
above global write enable is activated. Also, you will
# obviously need to
create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you
want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
# Activate directory
messages - messages given to remote users when they
# go into a certain
directory.
dirmessage_enable=YES
#
# Activate logging of
uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT
transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# If you want, you can
arrange for uploaded anonymous files to be owned by
# a different user.
Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# You may override where
the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
# If you want, you can
have your log file in standard ftpd xferlog format
xferlog_std_format=YES
# You may change the
default value for timing out an idle session.
idle_session_timeout=600
# You may change the
default value for timing out a data connection.
data_connection_timeout=120
# It is recommended that
you define on your system a unique user which the
# ftp server can use as
a totally isolated and unprivileged user.
nopriv_user=ftpsite
# Enable this and the
server will recognise asynchronous ABOR requests. Not
# recommended for
security (the code is non-trivial). Not enabling it,
# however, may confuse
older FTP clients.
async_abor_enable=NO
# By default the server
will pretend to allow ASCII mode but in fact ignore
# the request. Turn on
the below options to have the server actually do ASCII
# mangling on files when
in ASCII mode.
# Beware that turning on
ascii_download_enable enables malicious remote parties
# to consume your I/O
resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options
are split into upload and download because you may wish
# to enable ASCII
uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk
of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
ascii_upload_enable=YES
ascii_download_enable=YES
# You may fully
customise the login banner string:
ftpd_banner=Welcome to
Malek FTP service.
# You may specify a file
of disallowed anonymous e-mail addresses. Apparently
# useful for combatting
certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
# You may specify an
explicit list of local users to chroot() to their home
# directory. If
chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
# You may activate the
"-R" option to the builtin ls. This is disabled by
# default to avoid
remote users being able to cause excessive I/O on large
# sites. However, some
broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the
"-R" option, so there is a strong case for enabling it.
anon_other_write_enable=NO
chroot_local_user=YES
#guest_enable=YES
#guest_username=ftpsite
#anon_max_rate=200000
#local_max_rate=200000
- Dans cet exemple, on a donc un serveur ftp qui refuse les
connexions
anonymous.
- Les utilisateurs sont chrootés par
défaut, sauf
si l'utilisateur est inscrit dans le fichier /etc/vsftpd.chroot_list
- L'option
local_max_rate=200000
permet
de limiter la vitesse de téléchargement ( en
octets ).
Important
: Lorsque vous ajouez un utilisateur système
pour qu'il ait accès au FTP. Ne lui mettez pas le shell /bin/bash
( par défaut ). Car sinon ce dernier pourra se connecter en
ssh sur la machine.
Lorsque vous ajoutez votre utilisateur via adduser, utilisez l'option --shell
/bin/false pour spécifier le shell
(une entrée /bin/false doit exister dans /etc/shell sinon
l'utilisateur obtiendra une erreur à la connexion) |
Exemple de fichier PAM dans le cas, d'utilisateur virtuel :
auth
sufficient pam_unix.so
account sufficient
pam_unix.so
auth required
/lib/security/pam_userdb.so db=/etc/vsftpd
account required
/lib/security/pam_userdb.so db=/etc/vsftpd
Pour
gérer la base :
db3_load -T
-t hash -f
/etc/vsftpd.txt /etc/vsftpd.db
How-to vsftpd
Retour à la page
d'accueil
