F proftpd ~AƹWAo vsftpd ]O@ӫܦn FTP AnIo򻡩OH] vsftpd WOyvery secure FTP daemonzNAҥHLoiӴNOHwʬҶqӵoioӮM󪺡Cvsftpd bwʪҶqWADnwFy{Ǫv, privilegezӳ]pA]ڭ̪AȦb Linux WB@ɳ|o@ PIDAӳo PID O֦̪A]NOAoӪAȪ PID bڭ̪ Linux WO㦳YǡyvzCU@oӪAȪ PID ݾ֦̪ŤӰAҦp root vApG PID dz]pW|}Aϱo PID QJIܡAJI̱N㦳 PID vA]NO root IҥHAӵoiM󳣷|ɶqNAȨo PID vCAϱoӪAȧYϤp߳QJIFAJI̤]Lko즳Ītκ޲zvAo˷|ڭ̪tθwաC
@
FWov]p~A vsftpd ]Q chroot oӳn骺UAnJ̶ȯ@ǸnؿʡAӵLkϥ Linux tΥ\Cҿת chroot oӨơḀDn\NOyܮڥؿҦb ( change root directory )zFI|ҨӻApGzQnϥΪ̵nJ A AȫABOOb /tmp/pub ؿUAíϥΪ̨ϥ A AȮɳub /tmp/pub ؿUAϥΡy chroot /tmp/pub command zN /tmp/pub ܦ A AȪڥؿy/zFIp@ӡAϥΪ̴NLk} /tmp/pub AU@ڭ A AȪ PID ٬OQJIɡASYAJI٬Oȯb /tmp/pub ̭]Ӷ]hӤwAӵLkϥ Linux \CoӮɭԡA۵Mڭ̪tΤ]N|wաI
@
vsftpd OWӳ]p@Ӹw FTP AnAL㦳USIG
@
• vsftpd OH@먭ҰʪAȡAҥH Linux tΪϥvCA Linux tΪM`N۹諸CFC~A vsftpd Q chroot() oӨ祃iﴫڥؿʧ@AϱotΤu㤣|Q vsftpd oAȩһ~ΡF
• ݭn㦳v vsftpd OH@SWh{ ( parent process ) ұ AӤWh{Ǩɦv\wgQ۷CAåHvT Linux tάǡF
• ҦӦ clients ݡAQnϥγoWh{ǩҴѪv vsftpd OݨDAQyiHnDzӳBzAݭngL۷{תT{AiQθӤWh{Ǫ\CҦp chown(), Login nDʧ@F
• ~AW쪺Wh{ǤA̵Mϥ chroot() \ӭϥΪ̪vC
@
ѩ㦳o˪SIAҥH vsftpd |ܪw@ǫI
@
t~An[] vsftpd eA٬Oбzonw FTP DʳsuBQʳsuH port 21, 20 oӫOqDPƳqD¦@w{ת{ѳA|eiJpAҥHA٬O^e Wu FTP @i`ANeݧ~noIڳo̰]zwg㦳 FTP ѤFAҥHUNӶi vsftpd w˻P]waI

---

H RPM w
@
bثes Red Hat 9 Dn FTP AnNO vsftpd oӪNIҥHziHXи̭ vsftpd ӪH RPM w˧YiIpGz Linux distribution S vsftpd ܡASYAڭ̤]iHϥΩU Tarball 觋Ӧw˧oI
@


---

H Tarball w
@
nH Tarball wˡAMoU Tarball ɮפFIvsftpd xUIG
ftp://vsftpd.beasts.org/users/cevans/
ziHۦMۤvwӦwˡCڳo̥H 1.2.0 o@Ӧw vsftpd bڪ Mandrake 9.0 WI(GpGO Red Hat tΡA쥻N vsftpd FAҥHϥ RPM wˤnIܩLS vsftpd RPM ɮת distribution NiHϥ Tarball I)
@

1. UPYG [root@test root]# wget \ > ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.0.tar.gz [root@test root]# cd /usr/local/src [root@test root]# tar -zxvf /root/vsftpd-1.2.0.tar.gz [root@test root]# cd vsftpd-1.2.0/ # boӥؿU INSTALL P README аȥݳI @ 2. }lsĶPw # vsftpd w]w˪|G # Ҧiɩmb /usr/local/sbin ̭F # man page mb /usr/local/man/man5 P /usr/local/man/man8 # Y super daemon xinetd ɡA|ƻs@Ұɮר /etc/xinetd.d hI [root@test vsftpd-1.2.0]# make # sĶL{i঳ warning TAunO Error NiHzLI [root@test vsftpd-1.2.0]# make install [root@test vsftpd-1.2.0]# cp vsftpd.conf /etc # N PAM {ҼҲյLihtθ̭I [root@test vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/vsftpd # إ ftp oӨϥΪ̥HΥLaؿG # YӴNsb ftp oӨϥΪ̡ANݭnisWI [root@test vsftpd-1.2.0]# useradd -M ftp -d /var/ftp [root@test vsftpd-1.2.0]# mkdir -p /var/ftp [root@test vsftpd-1.2.0]# chown root:root /var/ftp [root@test vsftpd-1.2.0]# chmod 755 /var/ftp # إ vsftpd ݭnSؿ [root@test vsftpd-1.2.0]# mkdir -p /usr/share/empty @ 3. pGݭnɡG # pGQn vsftp ɡAiHo˰ [root@test vsftpd-1.2.0]# rm /usr/local/sbin/vsftpd [root@test vsftpd-1.2.0]# rm /usr/local/man/man5/vsftpd.conf.5 [root@test vsftpd-1.2.0]# rm /usr/local/man/man8/vsftpd.8 [root@test vsftpd-1.2.0]# rm /etc/xinetd.d/vsftpd [root@test vsftpd-1.2.0]# rm /etc/vsftpd.conf # ]w˥uw˳oXɮצӤwIҥHաA vsftpd uOwI @ 4. աG # T{@U xinetd.d SDAG [root@test root]# vi /etc/xinetd.d/vsftpd service ftp {         socket_type             = stream         wait                    = no         user                    = root         server                  = /usr/local/sbin/vsftpd         log_on_success          += DURATION USERID         log_on_failure          += USERID         nice                    = 10      disable                 = no } [root@test root]# /etc/rc.d/init.d/xinetd restart [root@test root]# ftp localhost ftp localhost Connected to localhost. 220 (vsFTPd 1.2.0) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (localhost:root): anonymous # o˴N vsftpd wgiHTҰʤFAL]ڭ٨S]wn # /etc/vsftpd.conf AҥH|LknJDISYA # @U]wnN OK FI

@
w˪L{uO²ALA vsftpd.conf oɮשmaIb RPM P Tarball hi঳I@ˡAݭnLSOdNOIҦp Red Hat 9 w]mb /etc/vsftpd/vsftpd.conf A Tarball hw]mb /etc/vsftpd.conf ̭I

b Server ݪ]wZeA] vsftpd ]wɴXGiHu@ӡANO vsftpd.conf oɮפFCUڭ̴Nӽͤ@; vsftpd M󵲺cPp]ws vsftpd.conf oӳ]wɧaI ^_^
@


---

vsftpd M󵲺c
@
vsftpd M󵲺c²A]wɻPɹbOhALצpAڭ٬OonAѤ@UG
@
• /etc/vsftpd.conf /etc/vsftpd/vsftpd.confGoӴNO vsftpd Dn]wɤFI]O@Uڭ̭n]wDnػCboӳ]wɸ̭AҦ]wسOHyѼ=]wzӳ]wA`N@UASťճIܩ vsftpd.conf ԲӻAb vsftpd.conf ̭Nwg۷MFApGٷQnL䴩AiHϥΡyman 5 vsftpd.confzӬd\I

@
• /etc/pam.d/vsftpd P /etc/ftpusers /etc/vsftpd.ftpusersGoӻP Wu FTP OۦP@ΰաIQ pam ҲըӶi樭T{ʧ@I򪾹Dϥ /etc/vsftpd.ftpusers /etc/ftpusers OH /etc/pam.d/vsftpd eYiI

[root@test root]# vi /etc/pam.d/vsftpd #%PAM-1.0 auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed auth       required     pam_stack.so service=system-auth auth       required     pam_shells.so account    required     pam_stack.so service=system-auth session    required     pam_stack.so service=system-auth

WrOP@A`Nr@AiHo{ file="ɦW" ɦWNOyϥΪ̵Lkϥ vsftpd zDn]wɮoI
@
• /etc/vsftpd.chroot_listGoɮפo|ϥΨABPΤᦳIڭ̦b vsftpd.conf ̭]wnFΤ᪺ϥΪ̨SQ chroot ۤvaؿU(]NOϥΪ̵nJᤣuۤvaؿA٥iHLؿ)ALAYǨϥΪ̱zQLLk}aؿɡAw]b /etc/vsftpd.chroot_list oɮ׸̭ANiHNӨϥΪ̭bۤvaؿFI@@ӱbC

@
• /etc/vsftp.banned_emailsGoɮ׻PΦWnJAL]o|ΨIz\ΦW (anonymous) nJz FTP DALo\Y email address nJANiHN email address gJoɮ׸̭hI

@
• /usr/local/sbin/vsftpd /usr/sbin/vsftpdGoNO vsftpd DnɫInháA vsftpd uo@ӰɦӤwڡI

@
• /var/ftpGoӬO vsftpd w]ΦW̵nJڥؿI

@
jPWNuoXɮ׻ݭn`NӤwOI
@


---

vsftpd.conf ]wȻ
@
vsftpd.conf O vsftpd Dn]wɮסAbo̧ڭ̬ӻ@U` vsftpd.conf ̭Uӳ]wѼƧaI
@

D]w connect_from_port_20=YES (NO) @ٰOo wu ftp g峹쪺ADʳsu ftp-data ܡH @oӳ]wئbҰʥDʳsu port 20 I listen_port=21 @ϥΪ vsftpd ROqD port number ]wApGzQnϥΫD @W ftp portAboӳ]wحקaI dirmessage_enable=YES (NO) @ϥΪ̶iJYӥؿɡA|ܸӥؿݭn`NeAܪ @ɮ׹w]O .message AMAiHϥΩU]wبӭ׭qI message_file=.message @ dirmessage_enable=YES ɡAiH]woӶب vsftpd  @MɮרܰTIz]iH]wLɦWI listen=YES (NO) @Y]w YES vsftpd OH standalone 觋ӱҰʪI pasv_enable=YES (NO) @ҰʳQʦsu(passive mode)A@wn]w YES աI use_localtime=YES (NO) @O_ϥΥDɶHIw]ϥ GMT ɶ(Lªv)A|xW @ɶ 8 pɡA@ӻAij]w YES aI write_enable=YES (NO) @O_\ϥΪ̨㦳gJvHIo]ARPקﵥ\I connect_timeout=60 @OApG client ճsڭ̪ vsftpd ROqDWL 60 A @hݡAj_uC accept_timeout=60 @ϥΪ̥HQʦ PASV ӶiƶǿɡApGDҥ passive port  @õ client WL60 ANLj_uIziHק 60 oӼƭȡC data_connection_timeout=300 @pG client P Server ƶǰeb 300 Lkǰe\A @ Client suN|Qڭ̪ vsftpd j篑I idle_session_timeout=300 @pGϥΪ̦b 300 SROʧ@AjuI max_clients=0 @pG vsftpd OH stand alone 觋ҰʪAoӳ]wإiH]w @P@ɶA̦hh client iHPɳsW vsftpd IH max_per_ip=0 @PW max_clients Ao̬OP@ IP P@ɶi\hֳsuH pasv_max_port=0 pasv_min_port=0 @WӬOP passive mode ϥΪ port number ApGzQnϥ @65400 65410 o 11 port ӶiQʦƪsAiHo˳]w @pasv_max_port=65410 H pasv_min_port=65400 ftpd_banner=@Ǥr @ϥΪ̵LkQsWڭ̪DAҦpsuƶqwgWL max_clients  @]wFA client eN|ܡy@ǤrzrˡAziHק @ ΤnJ̪]w guest_enable=YES (NO) @Yoӭȳ]w YES ɡAD anonymous nJbA|Q @] guest (X) I local_enable=YES (NO) @oӳ]wȥn YES ɡAb /etc/passwd b~H @Τ᪺觋nJڭ̪ vsftpd DI local_max_rate=0 @Τ᪺ǿt׭A쬰 bytes/secondA 0 C chroot_local_user=YES (NO) @NϥΪ̭bۤvaؿ(chroot)Ioӳ]wb vsftpd  @w]O NOA]Uӳ]wتUI @ҥHݭnҰʥLI chroot_list_enable=YES (NO) @O_ҥαNYǹΤ᭭bL̪aؿHIw]O NO A @LApGzQnYǨϥΪ̵Lk}L̪aؿɡA @iHҼ{Noӳ]w YES AåBWUӳ]w chroot_list_file=/etc/vsftpd.chroot_list @pG chroot_list_enable=YES NiH]woӶؤFIḼiHWw @@ӹΤ|QbۤvaؿӵLk}I(chroot) @@@ӱbYiI userlist_deny=YES (NO) @Y]wȬ YES ɡAhϥΪ̱bQCJYɮ׮ɡAbɮפ @ϥΪ̱NLknJ vsftpd AIɮɦWPUC]wئC userlist_file=/etc/vsftpd.user_list @YW userlist_deny=YES ɡAhoɮ״NγBFIboɮפ @bLkϥ vsftpd I @ ΦW̵nJ]w anonymous_enable=YES (NO) @]w\ anonymous nJڭ̪ vsftpd DIw]O YES AUҦ @]wݭnNoӳ]w anonymous_enable=YES ~|ͮġI anon_world_readable_only=YES (NO) @Ȥ\ anonymous 㦳UiŪɮתvAw]O YESC anon_other_write_enable=YES (NO) @O_\ anonymous 㦳gJvHw]O NOIpGn]w YESA @} anonymous gJؿݭnվvA vsftpd PID @֦̥iHgJ~I anon_mkdir_write_enable=YES (NO) @O_ anonymous 㦳إߥؿvHw]ȬO NOIpGn]w YESA @ anony_other_write_enable ]w YES I anon_upload_enable=YES (NO) @O_ anonymous 㦳WǸƪ\Aw]O NOApGn]w YES A @h anon_other_write_enable=YES ]wC deny_email_enable=YES (NO) @NYǯS email address צA anonymous nJI @pGH anonymous nJDɡAO|nDJKXܡHKXOnz @Jz email address ܡHpGAܰQY email address A @NiHϥγoӳ]wӱNLnJvIݻPUӳ]wذtXG banned_email_file=/etc/vsftpd.banned_emails @pG deny_email_enable=YES ɡAiHQγoӳ]wبӳWw @email address inJڭ̪ vsftpd IbW]wɮפA @@J@ email address YiI no_anon_password=YES (NO) @]w YES ɡA anonymous N|LKXBJA @ӪiJ vsftpd AIҥH@w]O NO I anon_max_rate=0 @oӳ]wȫ᭱ƭȳ쬰 bytes/ A anonymous ǿtסA @pGO 0 h(ѳ̤jWeҭ)ApGzQ anonymous Ȧ  @30 KB/s tסAiH]wyanon_max_rate=30000z anon_umask=077 @ anonymous vIpGO 077 h anonymous ǰeLӪɮ @v|O -rw------- I @ tΦw]wȡG ascii_download_enable=YES (NO) @pG]w YES A client NiHϥ ASCII 榡UɮסC @@ӻAѩҰʤFoӳ]wإi|ɭP DoS A]w]ONOC ascii_upload_enable=YES (NO) @PW@ӳ]wAuOoӳ]wwWǦӨIw]O NOC async_abor_enable=YES (NO) @pGz FTP client |UF "async ABOR" oӫOɡAoӳ]w~ݭnҥ @@ӻAѩoӳ]wäwAҥHq`ONLI check_shell=YES (NO) @pGzQ֦_Ǫ shell ϥΪ(b /etc/passwd shell ) @iHϥ vsftpd ܡAoӳ]wiH]w NO I one_process_model=YES (NO) @oӳ]wؤMI@I]w YES ɡAܨCӫإߪsu @|֦@ process btdAiHW[ vsftpd įCLA @DztΤwAӥBwtƤA_heӺɨtθ귽I @@ij]w NO աI tcp_wrappers=YES (NO) @Mڭ̳ߺD䴩 TCP Wrappers աIҥH]w YES aI xferlog_enable=YES (NO) @]w YES ɡAϥΪ̤WǻPUɮ׳|Q_ӡCOɮ @PU@ӳ]wئG xferlog_file=/var/log/vsftpd.log @pGW@ xferlog_enable=YES ܡAo̴NiH]wFI @oӬOnɪɦWաI xferlog_std_format=YES (NO) @O_]w wu ftp ۦPnɮ榡HIw] NO A]nɷ|eŪI @LApGzϥ wu ftp nɪRnAo̤~ݭn]w YES nopriv_user=nobody @ڭ̪ vsftpd w]H nobody @@AȰ̪vC] nobody v @۷CA]YϳQJIAJI̶ȯo nobody vI pam_service_name=vsftpd @oӬO pam ҲժW١Aڭ̩mb /etc/pam.d/vsftpd YOoөNNI

@
WoǬO۷` vsftpd ]wѼơA٦ܦhѼƧڨSCXӡAziHϥ man 5 vsftpd.conf d\ILA򥻤WWoǰѼƤwgڭ̳]w vsftpd oI
@


---

²檺 vsftpd.conf ]w
@
pGzih]w vsftpd ܡAiHϥΫ²檺]wȨӳWz FTP ACUNO Red Hat 9 w] vsftpd ]wȡAziHϥγo˪]wȨӱҰʱz FTP AYiCo˪]wȦXӥγBG
@
• b /etc/vsftpd.ftpusers ̭ϥΪ̱bLkϥ vsftpd I
• } anonymous P Τ nJ vsftpd F
• ΤnJDɡAiHܥ㦳nJvؿ(S chroot )F
• ϥ port 20 @Dʳsuɪ ftp-data ǰefF
• Q /etc/hosts.allow(deny) Ӻ޲znJvF
• Client W/Uɮ׮ɡAӸT|Ob /var/log/vsftpd.log ̭F
• L]www]ȨӳWd(pQʦ port number )C
@

[root@test root]# vi /etc/xinetd.d/vsftpd service ftp {         socket_type             = stream         wait                    = no         user                    = root         server                  = /usr/local/sbin/vsftpd         server_args             = /etc/vsftpd.conf # WoӽШ̷ӱzDҨӳ]wIרO server_args г]wz # vsftpd.conf ҦbؿɦW(tؿW)I         log_on_success          += DURATION USERID         log_on_failure          += USERID         nice                    = 10         disable                 = no } [root@test root]# vi /etc/vsftpd/vsftpd.conf  # ( /etc/vsftpd.conf) # DPwʪ]w use_localtime=YES dirmessage_enable=YES connect_from_port_20=YES xferlog_enable=YES xferlog_std_format=YES pam_service_name=vsftpd tcp_wrappers=YES # anonymous ]w anonymous_enable=YES # real user ]w local_enable=YES write_enable=YES local_umask=022 userlist_enable=YES # HW]wȪNqЩe½ vsftpd.conf ]wȪNq `hݡI [root@test root]# /etc/rc.d/init.d/xinetd restart

@
o˱z² FTP ANwg]wFI²檺ܧaIӥB٬۷wOI
@


---

wȦ}ΤnJ]w
@
nFAo̧ڭ̦AϥΨL]wȨӭץڭ̪ vsftpd.conf oӳ]wɡC]} anonymous ӦwAҥHڭ̱N anonymous nJvAåB real user (Τ) nJڭ̪ vsftpd ɡAnp]wOHڪnDpUG
@
• ϥΥxWaɶӤO GMT ɶF
• Ҧb /etc/passwd ̭X{bnJ vsftpd DF
• Otαb (p root A UID p 500 b)ϥ vsftpd F
• ӥBѩ badbird P nogoodbird oӱbϥΪ̤ġAڭnoӨϥΪ̳Qbۤvaؿ(chroot)F
• åBƪǿt׬ 100 Kbytes/secondF
• ϥΪ̶iJ /home oӥؿɡAܡGy@ϥΪ̮aؿzr˦b Client ݪùWF
• ϥΪ̥iHiWǡBUHέקɮ׵ʧ@C
@

1. ¦]w [root@test root]# vi /etc/vsftpd/vsftpd.conf ( /etc/vsftpd.conf) # DPwʪ]w use_localtime=YES dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES pam_service_name=vsftpd tcp_wrappers=YES # anonymous ]w anonymous_enable=NO # Real User ]w local_enable=YES write_enable=YES local_umask=022 chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list userlist_deny=YES userlist_file=/etc/vsftpd.user_list local_max_rate=100000 # HW]wȪNqЩe½ vsftpd.conf ]wȪNq `hݡI @ 2. Τbۤvaؿ (chroot) ]w [root@test root]# vi /etc/vsftpd.chroot_list badbird nogoodbird # SgoɮפLΤANiH}ۤvaؿA # ӨLؿ̭hsFI @ 3. H PAM ҲխYDZbLknJD]wG [root@test root]# vi /etc/pam.d/vsftpd # |o{o˪ryG auth ..... file=/etc/vsftpd.ftpusers .... # file=.. ᭱ɦWNOH PAM ҲթתbeFI [root@test root]# vi /etc/vsftpd.ftpusers # UCXbNLkϥ vsftpd IP wu ftp /etc/ftpusers ۦP\ root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody @ 4. H userlist_file ׬YDZbnJG # ƹWAoӥ\PW PAM \ۦաIuO PAM O~A # oӳ]wO vsftpd w]ѪNOFI [root@test root]# vi /etc/vsftpd.user_list # oɮת]wPW /etc/vsftpd.ftpusers ۦPYiI root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody @ 5. ]wiJؿɡAܪTG [root@test root]# vi /home/.message @ϥΪ̮aؿ @ 6. sҰ xinetd oI [root@test root]# /etc/rc.d/init.d/xinetd restart

@
W]w̭ܦhƪaA軡 /etc/vsftpd.ftpusers P /etc/vsftpd.user_list NOƪ]wFILAoˬOwաI] PAM ҲլO~{Aӥt@ɮ׫hO vsftpd Ѫ\IOЯSOdNA]ܦhϥΪ̥i|@p߶ȭקF𫟺@ɮסAt@ɮ׫hѰO׭qA|ܳ·гI ^_^Iܩ]OI@ /etc/vsftpd.chroot_list NiHNϥΪ̭bL̦ۤvaؿFI]wWܮeaIaAWɦWP vsftpd.conf ]wI
@
ݹLFWΤ᪺]wAxIp root iHnJ vsftpd DOHIINON /etc/vsftpd.ftpusers P /etc/vsftpd.user_list oɮ׸̭ root NiHաILAHiOijodI
@


---

wȦ}ΦWϥΪ̵nJ]w
@
nFAW@`ͪOȶ} Real User Aoӳ`ڭ̴Nӽͤ@͡AS Real user Ȧ anonymous nJIڷQn\Oo˪G
@
• ϥΥxWaɶAӫD GMT ɶF
• ȶ} anonymous nJF
• ɮ׶ǿ骺t 30 Kbytes/secondF
• \ anonymous Wɮר /var/ftp/upload oӥؿAåB\ anonymous إߥؿF
• ƳsL{ (OROqDI) unWL 60 S^ANj Client _uI
• un anonymous WLQSʧ@ANH_uF
• Qʦsf 65400 65420 oX port number YiF
• ̤jPɤWuHƭ 50 HABP@ IP ӷ̤jsuƶq 5 HF
• \ϥ ASCII 榡WǩΤUI
• \H linux.vbird.org oӺ} email address KXJI
@
OKIo˭np]wOIH
@

1. ¦]w [root@test root]# vi /etc/vsftpd/vsftpd.conf ( /etc/vsftpd.conf) # PDPwʦ]w use_localtime=YES write_enable=YES dirmessage_enable=YES xferlog_enable=YES xferlog_file=/var/log/vsftpd.log data_connection_timeout=60 idle_session_timeout=600 max_clients=50 max_per_ip=5 ascii_upload_enable=NO ascii_download_enable=NO connect_from_port_20=YES pasv_min_port=65400 pasv_max_port=65420 pam_service_name=vsftpd tcp_wrappers=YES nopriv_user=ftp # anonymous ]w anonymous_enable=YES anon_other_write_enable=YES anon_mkdir_write_enable=YES anon_upload_enable=YES deny_email_enable=YES banned_email_file=/etc/vsftpd.banned_emails anon_max_rate=30000 # real user ]w local_enable=NO # HW]wȪNqЩe½ vsftpd.conf ]wȪNq `hݡI @ 2. إߩפ email address ɮ [root@test root]# vi /etc/vsftpd.banned_emails linux.vbird.org # @g@ email WٳI @ 3. إߥiHWǪؿI # ]ڭ̪ nopriv_user ]w ftp AҥHWǪؿ֦̬ ftp [root@test root]# mkdir -p /var/ftp/upload [root@test root]# chown ftp /var/ftp/upload @ 4. sҰ xinetd oI [root@test root]# /etc/rc.d/init.d/xinetd restart

@
gLWAzNiHܲMDF Real user P anonymous b vsftpd ]wFAzNiHܻN[]X@ vsftpd AFOIլݬݧaI ^_^

Client ݨèSn]waADnNO ftp ϥΤFAаѦ wu FTP D]w@`I

wʪ]w譱AMNOPnJHΨoINӽͤ@ͧaI
@


---


@
nҥ vsftpd ۵MNon}񨾤oIҥHzpGQn Internet }z FTP AANܤ֭no@q iptables WhbzWhCG
@

/sbin/iptables -A INPUT -p TCP -i eth0 --dport 21 -j ACCEPT

@
MAziH]wYKAаѦ²@ӳ]w iptables I~Az TCP Wrappers pGQn 192.168.1.2 o IP ӷܡAiHo˰G
@

[root@test root]# vi /etc/hosts.deny vsftpd: 192.168.1.2

@
oӨSDaI ^_^
@


---

Super daemon ޲z
@
Super daemon iHΨӺ޲z Client ݪnJvOAoӭISѰOaI ^_^ Iڭ̦p]wOHI|²檺ҤlnFG]ڭ̪ vsftpd u\P@ IP ӷiH֦ӵnJvAӦP@ɶ̦hiH 200 vsftpd suAWL 200 vsftpd suɡANb Client ݪeܡyܩpAALzrˡAӦp]wH
@

[root@test root]# vi /etc/xinetd.d/vsftpd # vsftpd is the secure FTP server. service ftp {         disable                 = no         socket_type             = stream         wait                    = no         user                    = root         server                  = /usr/local/sbin/vsftpd         server_args             = /etc/vsftpd.conf  # Wo server ]wШ̷ӱzDҨӳ]wI # ܩ server_args hмgJz vsftpd ]wɧɦWYiI         per_source              = 5     # PP@ IP suƥئ         instances               = 200   # P@ɶ̦hsuƥ         no_access               = 192.168.1.3         banner_fail             = /etc/vsftpd.busy_banner # Woɮ״NODLAhb Client ܪeI         log_on_success          += PID HOST DURATION         log_on_failure          += HOST } @ [root@test root]# vi /etc/vsftpd.busy.banner 421 ܩpAALI @ [root@test root]# /etc/rc.d/init.d/xinetd restart

@
o˳]wNiHաI²檺@ӳ]wʧ@ANiHz vsftpd ܪw@dzI
@


---

DѨM
@
pGo vsftpd DHIXӥi઺ѨM׳G
@
• pGb Client ݤWo{Lksu\AˬdG
1. iptables 𪺳WhAO_}F client ݪ port 21 nJH
2. b /etc/hosts.deny AO_N client nJvצFH
3. b /etc/xinetd.d/vsftpd AO_]w~AɭP client nJvQFH
@
• pG Client wgsW vsftpd AAOoܡy XXX file can't be opend zrˡAˬdG
1. ̥Dn]٬Obb vsftpd.conf ]wFˬdYɮסAOzoSNɮ׳]w_ӡAҥHAˬd vsftpd.conf ̭Ҧ]wɮɦWAϥ touch oӫONɮ׫إ߰_ӧYiI
@
• pG Client wgsW vsftpd AAoLkϥάYӱbnJAˬdG
1. b vsftpd.conf ̭O_]wFϥ pam ҲըbAHΧQ userlist_file Ӻ޲zbH
2. ˬd /etc/vsftpd.ftpusers H /etc/vsftpd.user_list ɮפO_NӱbgJFHI
@
• pG Client LkWɮסAӦpOnH
1. ̥ioͪ]NOb vsftpd.conf ̭ѰO[Woӳ]wywrite_enable=YESzoӳ]wAХ[JF
2. O_ҭnWǪؿyvzAХH chmod chown ӭ׭qF
3. O_ anonymous ]w̭ѰO[WFUTӰѼơG
• anon_other_write_enable=YES
• anon_mkdir_write_enable=YES
• anon_upload_enable=YES
4. O_]]wF email ׾ASN email address gJɮפFIHˬdI
5. O_]wF\ ASCII 榡ǰeA Client ݫoH ASCII ǰeOHЦb client ݥH binary 榡ӶǰeɮסI
@
WOZ`o{~ApG٬OLkѨMzDAбzȥR@UoɮסG/var/log/vsftpd.log P /var/log/messages A̭۷hnơAiHѵzi气I

bLF Wu FTP, ProFTPD H vsFTPD Ao{TӦAUuIաIS@ӯSOnA]UQΪDһILAڭ٬OܪҤVաC
@
• Ҽ{ª FTP ]pAӥBnDwGpGڭ̤nӧOCӥؿyqBW/UҡBw藍PΤΪ̬OXȶi椣Pv]wAȤ anonymous P real user بϥΪ̵nJDܡAWWӬO vsftpd oӦA~I]L]wWu²AӥBbM󪺳]pWSwI

@
• hˤƪ]pAwʭnD礣CGM Wu FTP P Proftpd iHF쪺 FTP A]wO@˪AL Proftpd ]wS Wu FTP ²@ǡAI Apache ؿ޲z]wA~A Proftpd ]iHF챱W/UǤҡByqBw藍Pؿ]w@˪v]pA] Wu FTP w@ǡAҥHAbhˤƪ FTP ]pҶqUAiH Proftpd I

@
• Ҽ{DnDGYǥDӴNOt Wu FTP Ϊ̬O vsftpd P FTP AnAzSQsw˨LAnAϥαz Linux distributions ҴѪ FTP nӬ[]z FTP YiڡIݭnҼ{L FTP n髣CLAаOoNz FTP ns̷sIקKQcNI
@
ƹWA]NOAH vsftpd DnҼ{̾ڡAOpGıo vsftpd Lkz FTP A]pݨDANH Proftpd ӳ]pA̫ApGz]OiH@ڡAϥ Wu FTP NFaI ^_^

• vsftpd xGhttp://vsftpd.beasts.org/
• man 5 vsftpd.conf