FTP server configuration
Installation
    # yum -y install vsftpd
Verification
    # rpm -ql vsftpd | grep ^/etc
    /etc/logrotate.d/vsftpd
    /etc/pam.d/vsftpd
    /etc/vsftpd
    /etc/vsftpd/ftpusers
    /etc/vsftpd/user_list
    /etc/vsftpd/vsftpd.conf
    /etc/vsftpd/vsftpd_conf_migrate.sh
Configuration
    # vi /etc/vsftpd/vsftpd.conf

    11 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    12 anonymous_enable=NO

Disable anonymous FTP.

    13 #
    14 # Uncomment this to allow local users to log in.
    15 # When SELinux is enforcing check for SE bool ftp_home_dir
    16 local_enable=YES
    17 #
    18 # Uncomment this to enable any form of FTP write command.
    19 write_enable=YES
    20 #
    21 # Default umask for local users is 077. You may wish to change this to 022,
    22 # if your users expect that (022 is used by most other ftpd's)
    23 local_umask=022
    24 #
    25 # Uncomment this to allow the anonymous FTP user to upload files. This only
    26 # has an effect if the above global write enable is activated. Also, you will
    27 # obviously need to create a directory writable by the FTP user.
    28 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
    29 #anon_upload_enable=YES
    30 #
    31 # Uncomment this if you want the anonymous FTP user to be able to create
    32 # new directories.
    33 #anon_mkdir_write_enable=YES
    34 #
    35 # Activate directory messages - messages given to remote users when they
    36 # go into a certain directory.
    37 dirmessage_enable=YES
    38 #
    39 # Activate logging of uploads/downloads.
    40 xferlog_enable=YES
    41 #
    42 # Make sure PORT transfer connections originate from port 20 (ftp-data).
    43 connect_from_port_20=YES
    44 #
    45 # If you want, you can arrange for uploaded anonymous files to be owned by
    46 # a different user. Note! Using "root" for uploaded files is not
    47 # recommended!
    48 #chown_uploads=YES
    49 #chown_username=whoever
    50 #
    51 # You may override where the log file goes if you like. The default is shown
    52 # below.
    53 #xferlog_file=/var/log/xferlog
    54 #
    55 # If you want, you can have your log file in standard ftpd xferlog format.
    56 # Note that the default log file location is /var/log/xferlog in this case.
    57 xferlog_std_format=YES
    58 #
    59 # You may change the default value for timing out an idle session.
    60 #idle_session_timeout=600
    61 #
    62 # You may change the default value for timing out a data connection.
    63 #data_connection_timeout=120
    64 #
    65 # It is recommended that you define on your system a unique user which the
    66 # ftp server can use as a totally isolated and unprivileged user.
    67 #nopriv_user=ftpsecure
    68 #
    69 # Enable this and the server will recognise asynchronous ABOR requests. Not
    70 # recommended for security (the code is non-trivial). Not enabling it,
    71 # however, may confuse older FTP clients.
    72 #async_abor_enable=YES
    73 #
    74 # By default the server will pretend to allow ASCII mode but in fact ignore
    75 # the request. Turn on the below options to have the server actually do ASCII
    76 # mangling on files when in ASCII mode.
    77 # Beware that on some FTP servers, ASCII support allows a denial of service
    78 # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    79 # predicted this attack and has always been safe, reporting the size of the
    80 # raw file.
    81 # ASCII mangling is a horrible feature of the protocol.
    82 ascii_upload_enable=YES
    83 ascii_download_enable=YES

Allow ASCII-mode transfers. Remove the leading "#" from lines 82 and 83.

    84 #
    85 # You may fully customise the login banner string:
    86 #ftpd_banner=Welcome to blah FTP service.
    87 #
    88 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    89 # useful for combatting certain DoS attacks.
    90 #deny_email_enable=YES
    91 # (default follows)
    92 #banned_email_file=/etc/vsftpd/banned_emails
    93 #
    94 # You may specify an explicit list of local users to chroot() to their home
    95 # directory. If chroot_local_user is YES, then this list becomes a list of
    96 # users to NOT chroot().
    97 # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
    98 # the user does not have write access to the top level directory within the
    99 # chroot)
    100 chroot_local_user=YES
    101 chroot_list_enable=YES
    102 # (default follows)
    103 chroot_list_file=/etc/vsftpd/chroot_list

Configure which users may move to directories above the current directory. Remove the leading "#" from lines 100, 101 and 103. Line 103 sets the name of the file in which the users who may move to upper directories are registered.

    104 #
    105 # You may activate the "-R" option to the builtin ls. This is disabled by
    106 # default to avoid remote users being able to cause excessive I/O on large
    107 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    108 # the presence of the "-R" option, so there is a strong case for enabling it.
    109 ls_recurse_enable=YES

Allow whole directories to be transferred at once during file transfer. Remove the leading "#" from line 109.

    111 # When "listen" directive is enabled, vsftpd runs in standalone mode and
    112 # listens on IPv4 sockets. This directive cannot be used in conjunction
    113 # with the listen_ipv6 directive.
    114 listen=YES

Listen on the FTP port over IPv4. Change the value to "YES".

    116 # This directive enables listening on IPv6 sockets. By default, listening
    117 # on the IPv6 "any" address (::) will accept connections from both IPv6
    118 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
    119 # sockets. If you want that (perhaps because you want to listen on specific
    120 # addresses) then you must run two copies of vsftpd with two configuration
    121 # files.
    122 # Make sure, that one of the listen options is commented !!
    123 listen_ipv6=NO

When IPv6 is not used, disable IPv6. Change the setting on line 123 to "NO".

    124
    125 pam_service_name=vsftpd
    126 userlist_enable=YES
    127 tcp_wrappers=YES
    128 allow_writeable_chroot=YES

This lets ordinary users connect over FTP when chroot is enabled. Add "allow_writeable_chroot=YES" as line 128. It takes effect in a chroot environment.

Note: managing which users may connect over FTP
When "userlist_enable=YES" is set, the users listed in the file are not allowed and are not prompted for a password.
When "userlist_enable=NO" is set, only the users listed in the file are allowed.
The file is "/etc/vsftpd/user_list".
Connection
Start the Command Prompt on Windows 7.
    C:\Users\user01>ftp
    ftp> open 192.168.22.104
    192.168.22.104 に接続しました。
    220 (vsFTPd 3.0.2)
    ユーザー (192.168.22.104:(none)): ngftp
    530 Permission denied.
    ログインできませんでした。
    ftp> close
    221 Goodbye.
    ftp> open 192.168.22.104
    192.168.22.104 に接続しました。
    220 (vsFTPd 3.0.2)
    ユーザー (192.168.22.104:(none)): okftp
    331 Please specify the password.
    パスワード:
    230 Login successful.
    ftp> pwd
    257 "/"
    ftp> close
    221 Goodbye.
    ftp> quit
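The user list and chroot list settings decide, per user, whether the login is refused before the password prompt (530) or continues (331), and whether the session is confined to the home directory. The Python code below is an added example, not part of the original page: it resolves both outcomes using the option semantics and defaults documented in vsftpd.conf(5), including userlist_deny, which the page's config leaves at its default. The list contents are constructed, the account admin01 is hypothetical, and ngftp being listed in user_list is an assumption based on the 530 reply in the session above.

```python
# Added example: constructed inputs; option names and defaults per vsftpd.conf(5).
CONF = """\
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
allow_writeable_chroot=YES
"""
USER_LIST = "# constructed user_list\nroot\nngftp\n"
CHROOT_LIST = "# constructed chroot_list\nadmin01\n"  # admin01 is hypothetical
# Documented defaults for options a config file may omit.
DEFAULTS = {"userlist_enable": "NO", "userlist_deny": "YES",
            "chroot_local_user": "NO", "chroot_list_enable": "NO",
            "allow_writeable_chroot": "NO"}


def parse_conf(text):
    """Return option -> value; '#' lines are comments, format is key=value."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip()
    return opts


def read_list(text):
    """One user name per line; comment and blank lines never match a user."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def resolve(user, opts, user_list, chroot_list):
    """Pre-password reply code and chroot state for one local user."""
    on = lambda key: opts[key].upper() in ("YES", "TRUE", "1")
    denied = False
    if on("userlist_enable"):
        # userlist_deny=YES: the file is a deny list; NO: it is an allow list.
        denied = (user in user_list) == on("userlist_deny")
    # With chroot_local_user=YES the chroot list names the users NOT jailed.
    listed = on("chroot_list_enable") and user in chroot_list
    jailed = not denied and (listed != on("chroot_local_user"))
    # allow_writeable_chroot=YES accepts a jail root the user can write to (see lines 97-99).
    return {"reply": "530" if denied else "331", "chrooted": jailed,
            "writable_jail_ok": jailed and on("allow_writeable_chroot")}


if __name__ == "__main__":
    for name in ("ngftp", "okftp", "admin01"):
        print(name, resolve(name, parse_conf(CONF), read_list(USER_LIST), read_list(CHROOT_LIST)))
```

Adding `userlist_deny=NO` to the parsed options turns user_list into an allow list, so okftp would then be refused and ngftp prompted for a password.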