A vsftpd server with virtual users

Lab topology diagram

Requirements

1. Add three FTP virtual users: devadm, sales and saleadm.
2. User access and file permission controls:
   - Anonymous access is allowed; any user can download material from /var/ftp/soft/.
   - User devadm can manage the /var/ftp/soft/ directory.
   - User sales can download material from /var/market/.
   - User saleadm can manage the /var/market/ directory.
   - Every uploaded file has the write (w) bit removed for everyone except its owner.
   - These users are denied access to any other directory on the server that has not been explicitly granted.
3. Download/upload traffic and bandwidth controls:
   - At most 150 concurrent user connections, and no more than 5 concurrent connections per IP.
   - Download bandwidth for the anonymous user and for sales is limited to 100 KB/s.
   - Download and upload bandwidth for devadm and saleadm is limited to 500 KB/s.

Approach

- Pay attention to how the virtual FTP user database is built.
- The anon_max_rate option limits the transfer rate.
- The anon_root option sets the default home directory of the anonymous FTP user.
- The local_root option sets a home directory for an individual virtual user.

Lab steps

Part 1: FTP server configuration

1. Configure a static IP address
[root@ftpserver ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:c5:42:b1
IPADDR=192.168.1.10
NETMASK=255.255.255.0
[root@ftpserver ~]# service network restart
Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
[root@ftpserver ~]# chkconfig network on

2. Install the required packages
[root@ftpserver ~]# rpm -q vsftpd
package vsftpd is not installed
[root@ftpserver ~]# mount /dev/cdrom /media/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@ftpserver ~]# rpm -ivh /media/Server/vsftpd-2.0.5-16.el5.i386.rpm
warning: /media/Server/vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@ftpserver ~]# rpm -ivh /media/Server/db4-utils-4.3.29-10.el5.i386.rpm    // provides the db_load tool needed to build the database file
warning: /media/Server/db4-utils-4.3.29-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:db4-utils              ########################################### [100%]

3. Build the virtual user database
[root@ftpserver ~]# vi /etc/vsftpd/vusers.list
devadm
123
sales
456
saleadm
789
[root@ftpserver ~]# cd /etc/vsftpd/
[root@ftpserver vsftpd]# db_load -T -t hash -f vusers.list vusers.db
// In the db_load command, "-f" names the username/password list file (user names and passwords on alternating lines), "-T" allows applications other than Berkeley DB to use the DB file converted from text format, and "-t hash" selects the underlying access method for the data file.
[root@ftpserver vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
[root@ftpserver vsftpd]# chmod 600 /etc/vsftpd/vusers.*   // tighten the file permissions, since these files hold the passwords

4. Create the mapped user and the FTP directories
[root@ftpserver ~]# mkdir /var/ftp/soft
[root@ftpserver ~]# cat /etc/*.conf > /var/ftp/soft/test.list
[root@ftpserver ~]# cat /etc/* > /var/ftp/soft/etc.file
[root@ftpserver ~]# chown ftp /var/ftp/soft/
[root@ftpserver ~]# chmod o+w /var/ftp/soft/
[root@ftpserver ~]# ls -ld /var/ftp/soft/
drwxr-xrwx 2 ftp root 4096 01-16 23:25 /var/ftp/soft
[root@ftpserver ~]# useradd -d /var/market/ -s /sbin/nologin virtual
[root@ftpserver ~]# ls -lh /boot/ > /var/market/fangan.file    // sample file for download tests
[root@ftpserver ~]# chmod 755 /var/market/fangan.file
[root@ftpserver ~]# ls -ld /var/market/
drwxrwxr-x 3 virtual virtual 4096 01-16 23:39 /var/market/

5. Set up the PAM service file for the virtual users
[root@ftpserver vsftpd]# cat /etc/pam.d/vsftpd.vu
auth      required pam_userdb.so db=/etc/vsftpd/vusers
account   required pam_userdb.so db=/etc/vsftpd/vusers

6. Edit vsftpd.conf to add virtual user support and the other requirements
[root@ftpserver ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES                      // allow anonymous access
local_enable=YES                          // virtual users require local users to be enabled
write_enable=YES
anon_root=/var/ftp/soft                   // FTP root directory of the anonymous user
chroot_local_user=YES                     // confine users to their home directories
anon_umask=022                            // default permission mask for files uploaded by virtual users
guest_enable=YES                          // enable user mapping
guest_username=virtual                    // map virtual users to the system user virtual
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd.vu                // switch to the PAM service file created above
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir    // directory holding the per-user configuration files
max_clients=150
max_per_ip=5
anon_max_rate=102400

7. Create a separate configuration file for each virtual user and grant its permissions
[root@ftpserver ~]# mkdir /etc/vsftpd/vusers_dir
[root@ftpserver ~]# cd /etc/vsftpd/vusers_dir/
[root@ftpserver vusers_dir]# vim devadm
local_root=/var/ftp/soft                  // home directory of this user
anon_upload_enable=YES                    // upload files
anon_mkdir_write_enable=YES               // create directories
anon_other_write_enable=YES               // delete files and directories
anon_max_rate=512000                      // maximum upload/download bandwidth
[root@ftpserver vusers_dir]# vim saleadm
anon_upload_enable=YES                    // upload files
anon_mkdir_write_enable=YES               // create directories
anon_other_write_enable=YES               // delete files and directories
anon_max_rate=512000                      // maximum upload/download bandwidth
[root@ftpserver vusers_dir]# touch sales  // empty configuration file for sales (no extra permissions)
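Added here as an example (not code from the original post): a small Python checker that replays how vsftpd layers a file from user_config_dir over vsftpd.conf for the settings of steps 6 and 7, so the effective root directory, write rights and rate limit of each virtual user can be compared with the requirement list. The config text is a constructed copy of the page's files, and the mapped user's home directory (GUEST_HOME) is taken from step 4 as an assumption.

```python
# Added example, not from the original post: per-user file overrides
# vsftpd.conf the way user_config_dir works; config text below is a
# constructed copy of this page's files.
MAIN_CONF = """anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_root=/var/ftp/soft
chroot_local_user=YES
anon_umask=022
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/vusers_dir
max_clients=150
max_per_ip=5
anon_max_rate=102400
"""
USER_CONFS = {  # contents of /etc/vsftpd/vusers_dir/<user>
    "devadm": "local_root=/var/ftp/soft\nanon_upload_enable=YES\n"
              "anon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n"
              "anon_max_rate=512000\n",
    "saleadm": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"
               "anon_other_write_enable=YES\nanon_max_rate=512000\n",
    "sales": "",  # the empty file created with touch: inherits everything
}
GUEST_HOME = "/var/market"  # home of the mapped user 'virtual' (assumed)


def parse_conf(text):
    """Parse vsftpd's key=value syntax; blank and '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def effective_policy(user):
    """Layer the per-user file over vsftpd.conf and summarise the result."""
    conf = parse_conf(MAIN_CONF)
    conf.update(parse_conf(USER_CONFS.get(user, "")))
    on = lambda k: conf.get(k, "NO").upper() == "YES"
    # Guest users are governed by the anon_* switches; write_enable gates all.
    w = on("write_enable")
    return {"root": conf.get("local_root", GUEST_HOME),
            "upload": w and on("anon_upload_enable"),
            "mkdir": w and on("anon_mkdir_write_enable"),
            "delete": w and on("anon_other_write_enable"),
            "rate_kb": int(conf.get("anon_max_rate", "0")) // 1024}
```

With these files devadm and saleadm resolve to 500 KB/s with all three write switches on, while sales resolves to 100 KB/s and read-only in /var/market, which is what the requirement list asks for.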

8. Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on

Part 2: Client verification

Anonymous user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,183,58)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,122,108)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.43 seconds (2.4e+02 Kbytes/s)

The download speed can be checked with the wget command.

devadm virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): devadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,46,28)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> put install.log                      // upload a file
local: install.log remote: install.log
227 Entering Passive Mode (192,168,1,10,78,163)
150 Ok to send data.
226 File receive OK.
26383 bytes sent in 0.0039 seconds (6.6e+03 Kbytes/s)
ftp> mkdir aaa                            // create a directory
257 "/aaa" created
ftp> mkdir bbb                            // create a directory
257 "/bbb" created
ftp> rmdir aaa                            // remove a directory
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,48,7)
150 Here comes the directory listing.
drwxr-xr-x    2 501      501          4096 Jan 16 18:43 bbb
-rw-r--r--    1 501      501         26383 Jan 16 18:42 install.log
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,158,196)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.1 seconds (1.1e+03 Kbytes/s)

The download speed can be checked with the wget command.

sales virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): sales
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,10,103,148)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> pwd
257 "/"
ftp> put aa.txt
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,222,26)
550 Permission denied.                    // upload refused
ftp> get fangan.file
local: fangan.file remote: fangan.file
227 Entering Passive Mode (192,168,1,10,113,187)
150 Opening BINARY mode data connection for fangan.file (427 bytes).
226 File send OK.
427 bytes received in 0.00019 seconds (2.2e+03 Kbytes/s)
ftp> quit
221 Goodbye.

saleadm virtual user test
[root@tao ~]# ls
aa.txt           Desktop       fangan.file        install.log         test.list    yp.conf
anaconda-ks.cfg  etcconf.list  ftpconfig.tar.bz2  install.log.syslog  vutest.list  yum.conf
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): saleadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,184,75)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> put aa.txt                           // upload a file
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,123,252)
150 Ok to send data.
226 File receive OK.
ftp> mkdir saleadm                        // create a directory
257 "/saleadm" created
ftp> ls
227 Entering Passive Mode (192,168,1,10,62,152)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.
ftp> delete install.log                   // delete a file
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,211,68)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.
