Lab topology diagram
Requirements
1. Add three FTP virtual users: devadm, sales and saleadm.
2. Configure user access and file permission control:
   - Allow anonymous access; any user can download material from the /var/ftp/soft/ directory.
   - User devadm can manage the /var/ftp/soft/ directory.
   - User sales can download material from the /var/market/ directory.
   - User saleadm can manage the /var/market/ directory.
   - All uploaded files have the write (w) permission removed from the non-owner bits.
   - The users above are denied access to every other directory on the server that is not explicitly authorized.
3. Download/upload traffic and bandwidth control:
   - Allow at most 150 concurrent user connections, with no more than 5 concurrent connections per IP.
   - Limit the download bandwidth of anonymous users and of user sales to 100 KB/s.
   - Limit the download and upload bandwidth of users devadm and saleadm to 500 KB/s.
Approach
- Pay attention to the procedure for building the virtual FTP user database.
- Limit the transfer rate with the anon_max_rate option.
- Set the default home directory of anonymous FTP users with the anon_root option.
- Set the home directory of individual virtual users with the local_root option.
Lab steps
I. FTP server configuration
1. Configure a static IP address
[root@ftpserver ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:c5:42:b1
IPADDR=192.168.1.10
NETMASK=255.255.255.0
[root@ftpserver ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[root@ftpserver ~]# chkconfig network on
2. Install the required packages
[root@ftpserver ~]# rpm -q vsftpd
package vsftpd is not installed
[root@ftpserver ~]# mount /dev/cdrom /media/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@ftpserver ~]# rpm -ivh /media/Server/vsftpd-2.0.5-16.el5.i386.rpm
warning: /media/Server/vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@ftpserver ~]# rpm -ivh /media/Server/db4-utils-4.3.29-10.el5.i386.rpm    # provides the db_load tool needed to build the database file
warning: /media/Server/db4-utils-4.3.29-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:db4-utils              ########################################### [100%]
3. Build the virtual user database
The list file alternates one username line with one password line:
[root@ftpserver ~]# vi /etc/vsftpd/vusers.list
devadm
123
sales
456
saleadm
789
[root@ftpserver ~]# cd /etc/vsftpd/
[root@ftpserver vsftpd]# db_load -T -t hash -f vusers.list vusers.db
In the db_load command, the -f option names the username/password list file, the -T option allows applications other than Berkeley DB to use a DB data file converted from text format, and -t hash selects the access method used for the data file.
[root@ftpserver vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
[root@ftpserver vsftpd]# chmod 600 /etc/vsftpd/vusers.*    # tighten the file permissions for security
4. Create the mapped user and the FTP directories
[root@ftpserver ~]# mkdir /var/ftp/soft
[root@ftpserver ~]# cat /etc/*.conf > /var/ftp/soft/test.list
[root@ftpserver ~]# cat /etc/* > /var/ftp/soft/etc.file
[root@ftpserver ~]# chown ftp /var/ftp/soft/
[root@ftpserver ~]# chmod o+w /var/ftp/soft/
[root@ftpserver ~]# ls -ld /var/ftp/soft/
drwxr-xrwx 2 ftp root 4096 01-16 23:25 /var/ftp/soft
[root@ftpserver ~]# useradd -d /var/market/ -s /sbin/nologin virtual
[root@ftpserver ~]# chmod 755 /var/market/fangan.file
[root@ftpserver ~]# ls -ld /var/market/
drwxrwxr-x 3 virtual virtual 4096 01-16 23:39 /var/market/
[root@ftpserver ~]# ls -lh /boot/ >/var/market
5. Set up the PAM file for virtual users
[root@ftpserver vsftpd]# cat /etc/pam.d/vsftpd.vu
auth    required    pam_userdb.so   db=/etc/vsftpd/vusers
account required    pam_userdb.so   db=/etc/vsftpd/vusers
6. Edit vsftpd.conf to add virtual user support and the other requirements
[root@ftpserver ~]# cat /etc/vsftpd/vsftpd.conf
# allow anonymous access
anonymous_enable=YES
# virtual users require local user logins to be enabled
local_enable=YES
write_enable=YES
# FTP root directory for anonymous users
anon_root=/var/ftp/soft
# confine users to their home directories
chroot_local_user=YES
# default permission mask for files uploaded by virtual users
anon_umask=022
# enable user mapping (guest mode)
guest_enable=YES
# map virtual users to the local account virtual
guest_username=virtual
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
# PAM service file to use
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
# directory holding the per-user configuration files
user_config_dir=/etc/vsftpd/vusers_dir
max_clients=150
max_per_ip=5
anon_max_rate=102400
7. Create a separate configuration file for each virtual user and grant permissions individually
[root@ftpserver ~]# mkdir /etc/vsftpd/vusers_dir
[root@ftpserver ~]# cd /etc/vsftpd/vusers_dir/
[root@ftpserver vusers_dir]# vim devadm
# home directory for this user
local_root=/var/ftp/soft
# upload files
anon_upload_enable=YES
# create directories
anon_mkdir_write_enable=YES
# delete files and directories
anon_other_write_enable=YES
# maximum upload and download bandwidth
anon_max_rate=512000
[root@ftpserver vusers_dir]# vim saleadm
# upload files
anon_upload_enable=YES
# create directories
anon_mkdir_write_enable=YES
# delete files and directories
anon_other_write_enable=YES
# maximum upload and download bandwidth
anon_max_rate=512000
[root@ftpserver vusers_dir]# touch sales    # create an empty configuration file for sales (no extra permissions)
8. Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on
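As an added example that is not part of the lab and not vsftpd's own code, the Python script below models how vsftpd layers the per-user file from user_config_dir over vsftpd.conf and checks each virtual user's effective chroot directory, write access and bandwidth against the requirements above. It assumes that the mapped user virtual has /var/market as its home, as set by the useradd in step 4, and its configuration text is constructed from the settings shown in steps 6 and 7.

```python
# Added example, not from the lab: layer each user's file from user_config_dir
# over vsftpd.conf (as vsftpd does) and check the result against the requirements.
GLOBAL_CONF = """
write_enable=YES
chroot_local_user=YES
guest_username=virtual
anon_max_rate=102400
"""
# Constructed from /etc/vsftpd/vusers_dir/<user>; sales is the empty file from touch.
USER_CONF = {
    "devadm": "local_root=/var/ftp/soft\nanon_upload_enable=YES\n"
              "anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n"
              "anon_max_rate=512000\n",
    "saleadm": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
               "anon_other_write_enable=YES\nanon_max_rate=512000\n",
    "sales": "",
}
# Required outcome per user: chroot directory, write access, bytes per second.
REQUIREMENTS = {
    "devadm":  {"root": "/var/ftp/soft", "can_write": True,  "rate": 512000},
    "saleadm": {"root": "/var/market",   "can_write": True,  "rate": 512000},
    "sales":   {"root": "/var/market",   "can_write": False, "rate": 102400},
}
WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")

def parse_conf(text):  # vsftpd key=value lines; blanks and '#' comments skipped
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def effective(user, user_texts=USER_CONF):
    conf = parse_conf(GLOBAL_CONF)
    conf.update(parse_conf(user_texts.get(user, "")))  # per-user file wins
    # A guest login is chrooted to the home of guest_username (/var/market for
    # 'virtual', assumed from the lab's useradd) unless local_root overrides it.
    root = conf.get("local_root", "/var/market")
    can_write = conf.get("write_enable") == "YES" and any(
        conf.get(opt) == "YES" for opt in WRITE_OPTS)
    return {"root": root, "can_write": can_write, "rate": int(conf["anon_max_rate"]),
            "chroot": conf.get("chroot_local_user") == "YES"}
def check_policy(user_texts=USER_CONF):
    """Return the users whose effective policy misses a requirement."""
    results = {u: effective(u, user_texts) for u in REQUIREMENTS}
    return [u for u, got in results.items() if not got["chroot"]
            or any(got[k] != v for k, v in REQUIREMENTS[u].items())]
```

An empty list from check_policy() means the configuration meets all three per-user requirements; a stray anon_upload_enable=YES in the sales file, for instance, would report sales.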
II. Client verification
Anonymous user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,183,58)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,122,108)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.43 seconds (2.4e+02 Kbytes/s)
The download speed can be tested with the wget command.
devadm virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): devadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,46,28)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> put install.log    # upload a file
local: install.log remote: install.log
227 Entering Passive Mode (192,168,1,10,78,163)
150 Ok to send data.
226 File receive OK.
26383 bytes sent in 0.0039 seconds (6.6e+03 Kbytes/s)
ftp> mkdir aaa    # create a directory
257 "/aaa" created
ftp> mkdir bbb    # create a directory
257 "/bbb" created
ftp> rmdir aaa    # delete a directory
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,48,7)
150 Here comes the directory listing.
drwxr-xr-x    2 501      501          4096 Jan 16 18:43 bbb
-rw-r--r--    1 501      501         26383 Jan 16 18:42 install.log
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,158,196)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.1 seconds (1.1e+03 Kbytes/s)
The download speed can be tested with the wget command.
sales virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): sales
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,10,103,148)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> pwd
257 "/"
ftp> put aa.txt
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,222,26)
550 Permission denied.    # the upload is refused
ftp> get fangan.file
local: fangan.file remote: fangan.file
227 Entering Passive Mode (192,168,1,10,113,187)
150 Opening BINARY mode data connection for fangan.file (427 bytes).
226 File send OK.
427 bytes received in 0.00019 seconds (2.2e+03 Kbytes/s)
ftp> quit
221 Goodbye.
saleadm virtual user test
[root@tao ~]# ls
aa.txt           Desktop       fangan.file        install.log         test.list    yp.conf
anaconda-ks.cfg  etcconf.list  ftpconfig.tar.bz2  install.log.syslog  vutest.list  yum.conf
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): saleadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,184,75)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> put aa.txt    # upload a file
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,123,252)
150 Ok to send data.
226 File receive OK.
ftp> mkdir saleadm    # create a directory
257 "/saleadm" created
ftp> ls
227 Entering Passive Mode (192,168,1,10,62,152)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.
ftp> delete install.log    # delete a file
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,211,68)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.