Lab topology diagram
1. Configure a static IP

    [root@ftp ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
    # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
    DEVICE=eth0
    BOOTPROTO=static
    ONBOOT=yes
    HWADDR=00:0c:29:ae:0f:02
    IPADDR=192.168.1.10
    NETMASK=255.255.255.0
    [root@ftp ~]# service network restart
    [root@ftp ~]# chkconfig network on

2. Install the vsftpd package

    [root@ftp ~]# rpm -q vsftpd
    vsftpd-2.0.5-16.el5

3. Adjust the permissions on the anonymous upload directory and prepare a file for download tests

    [root@ftp ~]# chown ftp /var/ftp/pub/
    [root@ftp ~]# ls -ld /var/ftp/pub/
    drwxr-xr-x 3 ftp root 4096 01-13 23:01 /var/ftp/pub/
    [root@ftp ~]# tar jcf /var/ftp/ftpconfig.tar.bz2 /etc/vsftpd/

4. Create the test users (u1, u2 and laya; all three need a password, otherwise they cannot log in)

    [root@ftp ~]# useradd u1
    [root@ftp ~]# useradd u2
    [root@ftp ~]# useradd laya
    [root@ftp ~]# passwd u1
    [root@ftp ~]# passwd u2
    [root@ftp ~]# passwd laya

5. Edit vsftpd.conf to allow local users to log in

    [root@ftp ~]# cat /etc/vsftpd/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    chroot_local_user=YES
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=NO
    tcp_wrappers=YES

With userlist_enable=NO the black/white list (/etc/vsftpd/user_list) is not consulted at all, so it has no effect on who may log in.

6. Restart the vsftpd service

    [root@ftp ~]# service vsftpd restart
    [root@ftp ~]# chkconfig vsftpd on

7. Test from the XP1 client
    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u1
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    u1
    226 Directory send OK.
    ftp: 4 bytes received in 0.00Seconds 4000.00Kbytes/sec.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u2
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    u2
    226 Directory send OK.
    ftp: 4 bytes received in 0.00Seconds 4000.00Kbytes/sec.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): laya
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp> bye
    221 Goodbye.
Note: the users listed in /etc/vsftpd/ftpusers form a blacklist by default. They are refused no matter how userlist_enable/userlist_deny are set, because the default vsftpd PAM configuration checks this file as well (it does not apply to virtual user names). Users not listed there, such as u1, u2 and laya, are unaffected.

    [root@ftp ~]# cat /etc/vsftpd/ftpusers
    # Users that are not allowed to login via ftp
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody

8. Edit /etc/vsftpd/user_list and add u1 and u2

    [root@ftp ~]# vim /etc/vsftpd/user_list
    # vsftpd userlist
    # If userlist_deny=NO, only allow users in this file
    # If userlist_deny=YES (default), never allow users in this file, and
    # do not even prompt for a password.
    # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
    # for users that are denied.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    u1
    u2

(Unlike ftpusers, the user_list check also applies to virtual user names.)
a. Edit vsftpd.conf (user_list as a whitelist)

    [root@ftp ~]# cat /etc/vsftpd/vsftpd.conf | grep -v "^#" | grep -v "^$"
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=NO
    tcp_wrappers=YES

Restart the vsftpd service

    [root@ftp ~]# service vsftpd restart
    [root@ftp ~]# chkconfig vsftpd on
Test from the XP1 client

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u1
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u2
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): laya
    530 Permission denied.
    Login failed.
    ftp>
b. Edit vsftpd.conf (user_list as a blacklist)

    [root@ftp ~]# cat /etc/vsftpd/vsftpd.conf | grep -v "^#" | grep -v "^$"
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=YES    // this line can be omitted with the same effect, because YES is the default
    tcp_wrappers=YES

Restart the vsftpd service

    [root@ftp ~]# service vsftpd restart
    [root@ftp ~]# chkconfig vsftpd on
Test from the XP1 client

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u1
    530 Permission denied.
    Login failed.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): u2
    530 Permission denied.
    Login failed.
    ftp> bye
    221 Goodbye.

    C:\>ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 2.0.5)
    User (192.168.1.10:(none)): laya
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> pwd
    257 "/home/laya"
    ftp> mkdir aa
    257 "/home/laya/aa" created
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    aa
    226 Directory send OK.
    ftp: 4 bytes received in 0.00Seconds 4000.00Kbytes/sec.
    ftp>
Notes:

a. With userlist_enable=YES and userlist_deny=NO, only the users listed in /etc/vsftpd/user_list may log in, i.e. u1 and u2 (provided neither of them is also listed in /etc/vsftpd/ftpusers, which the PAM stack checks on top of user_list). Any other user, such as laya, is refused at the USER command, before a password is even requested.

b. With only userlist_enable=YES set, the users listed in /etc/vsftpd/user_list are the ones who cannot log in. This is equivalent to userlist_enable=YES plus userlist_deny=YES, because userlist_deny defaults to YES. Now u1 and u2 are refused, while laya can log in.
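To check the three configurations above without restarting vsftpd for each one, the following script models vsftpd's login-gating decision for a local user from userlist_enable, userlist_deny, user_list and ftpusers, and prints the resulting access matrix for u1, u2, laya and root. It is an added example, not part of the original lab notes or of vsftpd itself. The user_list and ftpusers contents are constructed copies of the lab's files written to a temporary directory, mktemp is assumed to be available, and the result labels (DENY_USER_LIST, DENY_FTPUSERS, ALLOW) are this script's own names, not vsftpd output.

```shell
#!/bin/sh
# Added example (not from the original lab notes): model how vsftpd 2.x
# gates a LOCAL user's login using userlist_enable / userlist_deny,
# /etc/vsftpd/user_list and /etc/vsftpd/ftpusers.

WORK=$(mktemp -d)                 # assumption: mktemp is available
trap 'rm -rf "$WORK"' EXIT
FTPUSERS="$WORK/ftpusers"         # stands in for /etc/vsftpd/ftpusers
USER_LIST="$WORK/user_list"       # stands in for /etc/vsftpd/user_list

# Constructed sample data: the stock ftpusers list from the lab, and
# user_list = ftpusers + u1 + u2 (as edited in step 8).
printf '%s\n' root bin daemon adm lp sync shutdown halt mail news uucp \
    operator games nobody > "$FTPUSERS"
{ cat "$FTPUSERS"; printf '%s\n' u1 u2; } > "$USER_LIST"

# in_file NAME FILE: exact whole-line match, skipping comment lines,
# so that "u1" does not match a user named "u10".
in_file() {
    grep -v '^#' "$2" | grep -qx -- "$1"
}

# vsftpd_allows USER [USERLIST_ENABLE] [USERLIST_DENY]
# Prints one of (labels are this script's, not vsftpd's):
#   DENY_USER_LIST  refused at the USER command, before any password prompt
#   DENY_FTPUSERS   password is prompted, then the PAM stack refuses the name
#   ALLOW           login proceeds to normal password checking
# Defaults mirror vsftpd: userlist_enable=NO, userlist_deny=YES.
vsftpd_allows() {
    user=$1
    enable=${2:-NO}
    deny=${3:-YES}
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ]; then
            # blacklist mode: names in user_list are refused outright
            if in_file "$user" "$USER_LIST"; then echo DENY_USER_LIST; return 0; fi
        else
            # whitelist mode: only names in user_list get past the USER command
            if ! in_file "$user" "$USER_LIST"; then echo DENY_USER_LIST; return 0; fi
        fi
    fi
    # ftpusers is enforced by PAM regardless of the userlist_* settings
    if in_file "$user" "$FTPUSERS"; then
        echo DENY_FTPUSERS
        return 0
    fi
    echo ALLOW
}

# access_matrix: the three lab configurations against the three test users,
# plus root to show that ftpusers still wins when user_list lets a name through.
access_matrix() {
    for cfg in "NO YES" "YES NO" "YES YES"; do
        set -- $cfg
        for u in u1 u2 laya root; do
            printf 'userlist_enable=%-3s userlist_deny=%-3s %-5s %s\n' \
                "$1" "$2" "$u" "$(vsftpd_allows "$u" "$1" "$2")"
        done
    done
}

access_matrix
```

The matrix reproduces the sessions above: u1, u2 and laya all ALLOW with userlist_enable=NO; laya alone is DENY_USER_LIST with userlist_deny=NO; u1 and u2 are DENY_USER_LIST with userlist_deny=YES (or with userlist_deny left unset). The two refusal stages look different to the client: a user_list refusal is the "530 Permission denied." returned straight after the USER command, while an ftpusers refusal only appears after the 331 password prompt, so when a login fails it is worth checking which file produced the refusal.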