虚拟用户的VSFTPD服务器

实验拓扑图

需求描述

1，添加三个FTP虚拟用户devadm、sales、saleadm 2，设置用户访问及文件权限控制： 开放匿名访问，任何用户可以从/var/ftp/soft/目录下载资料 用户devadm可以对/var/ftp/soft/目录进行管理 用户sales可以从/var/market/目录下载资料 用户saleadm可以对/var/market/目录进行管理 所有上传的文件，均去除非属主位的写（w）权限 对服务器中没有明确授权的其他目录，均禁止以上用户访问 3，下载、上传流量及带宽控制： 最多允许150个并发用户连接，每IP并发连接数不超过5个 匿名用户及sales用户的下载带宽限制为100KB/秒 devadm、saleadm用户的下载、上传带宽限制为500KB/秒

实现思路

注意虚拟FTP用户数据库的建立过程 通过配置项anon_max_rate限制传输速率 通过配置项anon_root设置匿名FTP用户的默认主目录 通过配置项local_root为个别虚拟用户设置主目录

实验步骤

一，FTP服务器配置

1，配置静态IP [root@ftpserver ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth0 BOOTPROTO=static ONBOOT=yes HWADDR=00:0c:29:c5:42:b1 IPADDR=192.168.1.10 NETMASK=255.255.255.0 [root@ftpserver ~]# service network restart Shutting down interface eth0:  [  OK  ] Shutting down loopback interface:  [  OK  ] Bringing up loopback interface:  [  OK  ] Bringing up interface eth0:  [  OK  ] [root@ftpserver ~]# chkconfig network on

2，安装所需软件 [root@ftpserver ~]# rpm -q vsftpd package vsftpd is not installed [root@ftpserver ~]# mount /dev/cdrom /media/ mount: block device /dev/cdrom is write-protected, mounting read-only [root@ftpserver ~]# rpm -ivh /media/Server/vsftpd-2.0.5-16.el5.i386.rpm warning: /media/Server/vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186 Preparing...                ########################################### [100%]    1:vsftpd                 ########################################### [100%] [root@ftpserver ~]# rpm -ivh /media/Server/db4-utils-4.3.29-10.el5.i386.rpm    //建立数据库文件需要用到db_load命令工具 warning: /media/Server/db4-utils-4.3.29-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186 Preparing...                ########################################### [100%]    1:db4-utils              ########################################### [100%]

3，建立虚拟用户数据库 [root@ftpserver ~]# vi /etc/vsftpd/vusers.list devadm 123 sales 456 saleadm 789 [root@ftpserver ~]# cd /etc/vsftpd/ [root@ftpserver vsftpd]# db_load -T -t hash -f vusers.list vusers.db  //在db_load 命令中，“  -f  ”选项用于指定用户名/密码列表文件，”-T“ 选项允许非Berkeley DB的应用程序使用从文本格式转换的DB数据文件，“ -t hash ”选项指定读取数据文件的基本方法。 [root@ftpserver vsftpd]# file vusers.db vusers.db: Berkeley DB (Hash, version 8, native byte-order) [root@ftpserver vsftpd]# chmod 600 /etc/vsftpd/vusers.*   //降低文件权限以提高安全性

4，建立映射用户及FTP目录 [root@ftpserver ~]# mkdir /var/ftp/soft [root@ftpserver ~]# cat /etc/*.conf > /var/ftp/soft/test.list [root@ftpserver ~]# cat /etc/* > /var/ftp/soft/etc.file [root@ftpserver ~]# chown ftp /var/ftp/soft/ [root@ftpserver ~]# chmod o+w /var/ftp/soft/ [root@ftpserver ~]# ls -ld /var/ftp/soft/ drwxr-xrwx 2 ftp root 4096 01-16 23:25 /var/ftp/soft [root@ftpserver ~]# useradd -d /var/market/ -s /sbin/nologin virtual [root@ftpserver ~]# chmod 755 /var/market/fangan.file [root@ftpserver ~]# ls -ld /var/market/ drwxrwxr-x 3 virtual virtual 4096 01-16 23:39 /var/market/ [root@ftpserver ~]# ls -lh /boot/ >/var/market

5，设置用于虚拟用户的PAM文件 [root@ftpserver vsftpd]# cat /etc/pam.d/vsftpd.vu auth      required pam_userdb.so db=/etc/vsftpd/vusers account   required pam_userdb.so db=/etc/vsftpd/vusers

6，修改vsftpd.conf配置文件，添加虚拟用户支持及其他的要求 [root@ftpserver ~]# cat /etc/vsftpd/vsftpd.conf anonymous_enable=YES                           //允许匿名用户访问 local_enable=YES                                       //使用虚拟用户需要启用本地用户 write_enable=YES anon_root=/var/ftp/soft                           //设置匿名用户的FTP根目录 chroot_local_user=YES                              //将用户禁锢于其宿主目录中 anon_umask=022                                       //设置虚拟用户所上传的默认权限掩码 guest_enable=YES                                     //启用用户映射功能 guest_username=virtual                           //将映射用户指定为virtual dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES listen=YES pam_service_name=vsftpd.vu                 //修改使用的PAM文件位置 userlist_enable=YES tcp_wrappers=YES user_config_dir=/etc/vsftpd/vusers_dir   //指定用户配置目录位置 max_clients=150 max_per_ip=5 anon_max_rate=102400

7，为各虚拟用户建立单独的配置文件，分别赋予权限 [root@ftpserver ~]# mkdir /etc/vsftpd/vusers_dir [root@ftpserver ~]# cd /etc/vsftpd/vusers_dir/ [root@ftpserver vusers_dir]# vim devadm local_root=/var/ftp/soft                    //指定其宿主目录 anon_upload_enable=YES                //上传文件 anon_mkdir_write_enable=YES       //创建目录 anon_other_write_enable=YES       //删除文件目录 anon_max_rate=512000                  //上传，下载最大带宽 [root@ftpserver vusers_dir]# vim  saleadm anon_upload_enable=YES               //上传文件  anon_mkdir_write_enable=YES     //创建目录  anon_other_write_enable=YES     //删除文件目录 anon_max_rate=512000                  //上传，下载最大带宽 [root@ftpserver vusers_dir]# touch sales      //为sales用户建立空配置文件（无额外权限设置）

8,重新启动vsftpd服务 [root@ftp ~]# service vsftpd restart [root@ftp ~]# chkconfig vsftpd on

二，客户端验证

匿名用户测试 [root@tao ~]# ftp 192.168.1.10 Connected to 192.168.1.10. 220 (vsFTPd 2.0.5) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (192.168.1.10:root): ftp 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd   257 "/"     ftp> ls 227 Entering Passive Mode (192,168,1,10,183,58) 150 Here comes the directory listing. -rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list 226 Directory send OK. ftp> get test.list local: test.list remote: test.list 227 Entering Passive Mode (192,168,1,10,122,108) 150 Opening BINARY mode data connection for test.list (108363 bytes). 226 File send OK. 108363 bytes received in 0.43 seconds (2.4e+02 Kbytes/s)

用wget命令可以测试下载速度

devadm虚拟用户测试 [root@tao ~]# ftp 192.168.1.10 Connected to 192.168.1.10. 220 (vsFTPd 2.0.5) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (192.168.1.10:root): devadm 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 "/" ftp> ls 227 Entering Passive Mode (192,168,1,10,46,28) 150 Here comes the directory listing. -rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list 226 Directory send OK. ftp> put install.log                            //上传文件 local: install.log remote: install.log 227 Entering Passive Mode (192,168,1,10,78,163) 150 Ok to send data. 226 File receive OK. 26383 bytes sent in 0.0039 seconds (6.6e+03 Kbytes/s) ftp> mkdir aaa                                    //创建目录 257 "/aaa" created ftp> mkdir bbb                                   //创建目录 257 "/bbb" created ftp> rmdir aaa                                     //删除目录 250 Remove directory operation successful. ftp> ls 227 Entering Passive Mode (192,168,1,10,48,7) 150 Here comes the directory listing. drwxr-xr-x    2 501      501          4096 Jan 16 18:43 bbb -rw-r--r--    1 501      501         26383 Jan 16 18:42 install.log -rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list 226 Directory send OK. ftp> get test.list local: test.list remote: test.list 227 Entering Passive Mode (192,168,1,10,158,196) 150 Opening BINARY mode data connection for test.list (108363 bytes). 226 File send OK. 108363 bytes received in 0.1 seconds (1.1e+03 Kbytes/s)

用wget命令可以测试下载速度

sales虚拟用户测试 [root@tao ~]# ftp 192.168.1.10 Connected to 192.168.1.10. 220 (vsFTPd 2.0.5) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (192.168.1.10:root): sales 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (192,168,1,10,103,148) 150 Here comes the directory listing. -rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file -rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log 226 Directory send OK. ftp> pwd  257 "/" ftp> put aa.txt local: aa.txt remote: aa.txt 227 Entering Passive Mode (192,168,1,10,222,26) 550 Permission denied.      上传拒绝 ftp> get fangan.file local: fangan.file remote: fangan.file 227 Entering Passive Mode (192,168,1,10,113,187) 150 Opening BINARY mode data connection for fangan.file (427 bytes). 226 File send OK. 427 bytes received in 0.00019 seconds (2.2e+03 Kbytes/s) ftp> quit 221 Goodbye.

saleadm虚拟用户测试 [root@tao ~]# ls aa.txt           Desktop       fangan.file        install.log         test.list    yp.conf anaconda-ks.cfg  etcconf.list  ftpconfig.tar.bz2  install.log.syslog  vutest.list  yum.conf [root@tao ~]# ftp 192.168.1.10 Connected to 192.168.1.10. 220 (vsFTPd 2.0.5) 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (192.168.1.10:root): saleadm 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd 257 "/" ftp> ls 227 Entering Passive Mode (192,168,1,10,184,75) 150 Here comes the directory listing. -rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file -rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log 226 Directory send OK. ftp> put aa.txt                      //上传文件 local: aa.txt remote: aa.txt 227 Entering Passive Mode (192,168,1,10,123,252) 150 Ok to send data. 226 File receive OK. ftp> mkdir saleadm             //创建目录 257 "/saleadm" created ftp> ls 227 Entering Passive Mode (192,168,1,10,62,152) 150 Here comes the directory listing. -rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt -rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file -rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm 226 Directory send OK. ftp> delete install.log         //删除文件 250 Delete operation successful. ftp> ls 227 Entering Passive Mode (192,168,1,10,211,68) 150 Here comes the directory listing. -rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt -rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm 226 Directory send OK.