Lab topology diagram
Requirements
1. Add three FTP virtual users: devadm, sales and saleadm.
2. Configure user access and file permission control:
   - Anonymous access is open; any user may download from /var/ftp/soft/.
   - User devadm may manage (upload, create and delete) the /var/ftp/soft/ directory.
   - User sales may download from /var/market/.
   - User saleadm may manage the /var/market/ directory.
   - All uploaded files have the write (w) bit removed for everyone except the owner.
   - The users above are denied access to every other directory on the server that is not explicitly authorized.
3. Download/upload traffic and bandwidth control:
   - At most 150 concurrent client connections, and no more than 5 concurrent connections per IP.
   - Anonymous users and the sales user are limited to 100 KB/s download bandwidth.
   - The devadm and saleadm users are limited to 500 KB/s download and upload bandwidth.
Approach
- Note how the virtual FTP user database is built (a text list converted with db_load).
- Limit transfer rates with the anon_max_rate option.
- Set the anonymous FTP user's default home directory with anon_root.
- Set the home directory of individual virtual users with local_root in their per-user config files.
Lab steps
I. FTP server configuration
1. Configure a static IP
[root@ftpserver ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:c5:42:b1
IPADDR=192.168.1.10
NETMASK=255.255.255.0
[root@ftpserver ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[root@ftpserver ~]# chkconfig network on
2. Install the required software
[root@ftpserver ~]# rpm -q vsftpd
package vsftpd is not installed
[root@ftpserver ~]# mount /dev/cdrom /media/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@ftpserver ~]# rpm -ivh /media/Server/vsftpd-2.0.5-16.el5.i386.rpm
warning: /media/Server/vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@ftpserver ~]# rpm -ivh /media/Server/db4-utils-4.3.29-10.el5.i386.rpm   // provides the db_load tool needed to build the user database file
warning: /media/Server/db4-utils-4.3.29-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:db4-utils              ########################################### [100%]
3. Build the virtual user database
[root@ftpserver ~]# vi /etc/vsftpd/vusers.list
devadm
123
sales
456
saleadm
789
[root@ftpserver ~]# cd /etc/vsftpd/
[root@ftpserver vsftpd]# db_load -T -t hash -f vusers.list vusers.db
// In db_load, "-f" names the username/password list file (usernames and passwords on alternating lines), "-T" allows applications that are not Berkeley DB programs to use a DB file converted from text format, and "-t hash" selects the access method (hash) for the data file.
[root@ftpserver vsftpd]# file vusers.db
vusers.db: Berkeley DB (Hash, version 8, native byte-order)
[root@ftpserver vsftpd]# chmod 600 /etc/vsftpd/vusers.*   // tighten the file permissions, since the list and the database hold cleartext passwords
4. Create the mapped (guest) user and the FTP directories
[root@ftpserver ~]# mkdir /var/ftp/soft
[root@ftpserver ~]# cat /etc/*.conf > /var/ftp/soft/test.list
[root@ftpserver ~]# cat /etc/* > /var/ftp/soft/etc.file
[root@ftpserver ~]# chown ftp /var/ftp/soft/
[root@ftpserver ~]# chmod o+w /var/ftp/soft/   // the mapped user "virtual" (devadm) must be able to write here
[root@ftpserver ~]# ls -ld /var/ftp/soft/
drwxr-xrwx 2 ftp root 4096 01-16 23:25 /var/ftp/soft
[root@ftpserver ~]# useradd -d /var/market/ -s /sbin/nologin virtual
[root@ftpserver ~]# chmod 755 /var/market/fangan.file
[root@ftpserver ~]# ls -ld /var/market/
drwxrwxr-x 3 virtual virtual 4096 01-16 23:39 /var/market/
[root@ftpserver ~]# ls -lh /boot/ >/var/market
5. Create the PAM file used for virtual users
[root@ftpserver vsftpd]# cat /etc/pam.d/vsftpd.vu
auth     required   pam_userdb.so  db=/etc/vsftpd/vusers
account  required   pam_userdb.so  db=/etc/vsftpd/vusers
6. Edit vsftpd.conf to add virtual user support and the other requirements
[root@ftpserver ~]# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES          // allow anonymous access
local_enable=YES              // virtual users require local user support to be enabled
write_enable=YES
anon_root=/var/ftp/soft       // FTP root directory of the anonymous user
chroot_local_user=YES         // confine users to their home directory
anon_umask=022                // default permission mask for files uploaded by virtual users (strips group/other write)
guest_enable=YES              // enable user mapping
guest_username=virtual        // map all virtual users to the system account "virtual"
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd.vu    // use the PAM file created above
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir   // directory holding the per-user config files
max_clients=150
max_per_ip=5
anon_max_rate=102400          // global download limit of 100 KB/s (anonymous and sales)
7. Create a separate config file for each virtual user and grant its permissions
[root@ftpserver ~]# mkdir /etc/vsftpd/vusers_dir
[root@ftpserver ~]# cd /etc/vsftpd/vusers_dir/
[root@ftpserver vusers_dir]# vim devadm
local_root=/var/ftp/soft       // home directory for this user
anon_upload_enable=YES         // upload files
anon_mkdir_write_enable=YES    // create directories
anon_other_write_enable=YES    // delete files and directories
anon_max_rate=512000           // maximum upload/download bandwidth (500 KB/s)
[root@ftpserver vusers_dir]# vim saleadm
anon_upload_enable=YES         // upload files
anon_mkdir_write_enable=YES    // create directories
anon_other_write_enable=YES    // delete files and directories
anon_max_rate=512000           // maximum upload/download bandwidth (500 KB/s)
[root@ftpserver vusers_dir]# touch sales   // empty config file for the sales user (no extra permissions)
8. Restart the vsftpd service
[root@ftp ~]# service vsftpd restart
[root@ftp ~]# chkconfig vsftpd on
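Before restarting, it is worth checking that the main config plus the per-user files really encode the policy from the requirements, because a stray anon_upload_enable in the sales file or a missing anon_max_rate in a manager's file is easy to miss. The script below is an added example and not part of the lab write-up; the file names and contents built by make_fixture are constructed to mirror the lab's files, and the checks resolve each key the way vsftpd does (the per-user file overrides the main config).

```shell
#!/bin/sh
# Added example (not from the lab): verify that a vsftpd main config plus its
# user_config_dir encode the lab policy (limits, umask, rates, write rights).
set -u

# Value of KEY in a vsftpd key=value file; last assignment wins, missing file -> empty.
vs_get() {  # vs_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1 | tr -d ' \t'
}
# Effective value for a virtual user: the per-user file overrides the main config.
vs_effective() {  # vs_effective MAINCONF USERDIR USER KEY
    v=$(vs_get "$2/$3" "$4")
    if [ -n "$v" ]; then echo "$v"; else vs_get "$1" "$4"; fi
}
# Return 0 when the configuration matches the lab requirements, 1 otherwise.
check_policy() {  # check_policy MAINCONF USERDIR
    conf=$1; dir=$2; rc=0
    for kv in guest_enable=YES chroot_local_user=YES anon_umask=022 \
              max_clients=150 max_per_ip=5 anon_max_rate=102400; do
        [ "$(vs_get "$conf" "${kv%%=*}")" = "${kv#*=}" ] || { echo "main: want $kv"; rc=1; }
    done
    for u in devadm saleadm; do   # managers: 500 KB/s and full write rights
        [ "$(vs_effective "$conf" "$dir" $u anon_max_rate)" = 512000 ] || { echo "$u: rate"; rc=1; }
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            [ "$(vs_effective "$conf" "$dir" $u $k)" = YES ] || { echo "$u: $k not YES"; rc=1; }
        done
    done
    # sales: download only, so it must inherit the global 100 KB/s rate and no write keys
    [ "$(vs_effective "$conf" "$dir" sales anon_max_rate)" = 102400 ] || { echo "sales: rate"; rc=1; }
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        [ "$(vs_effective "$conf" "$dir" sales $k)" != YES ] || { echo "sales: $k must not be set"; rc=1; }
    done
    return $rc
}
# Constructed fixture mirroring the lab's files; prints the temp directory it created.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/vusers_dir"
    printf '%s\n' anonymous_enable=YES local_enable=YES guest_enable=YES \
        guest_username=virtual chroot_local_user=YES anon_umask=022 \
        max_clients=150 max_per_ip=5 anon_max_rate=102400 > "$d/vsftpd.conf"
    printf '%s\n' local_root=/var/ftp/soft anon_upload_enable=YES anon_mkdir_write_enable=YES \
        anon_other_write_enable=YES anon_max_rate=512000 > "$d/vusers_dir/devadm"
    # saleadm has no local_root, so it lands in the guest account's home (/var/market in the lab)
    sed '/^local_root/d' "$d/vusers_dir/devadm" > "$d/vusers_dir/saleadm"
    : > "$d/vusers_dir/sales"   # empty file: sales gets only the global settings
    echo "$d"
}
```

Run it against the real files with `check_policy /etc/vsftpd/vsftpd.conf /etc/vsftpd/vusers_dir`; any line it prints names the key that deviates from the policy.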
II. Client verification
Anonymous user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,183,58)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,122,108)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.43 seconds (2.4e+02 Kbytes/s)
The download speed limit can be verified with the wget command.
devadm virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): devadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,46,28)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> put install.log   // upload a file
local: install.log remote: install.log
227 Entering Passive Mode (192,168,1,10,78,163)
150 Ok to send data.
226 File receive OK.
26383 bytes sent in 0.0039 seconds (6.6e+03 Kbytes/s)
ftp> mkdir aaa   // create a directory
257 "/aaa" created
ftp> mkdir bbb   // create a directory
257 "/bbb" created
ftp> rmdir aaa   // remove a directory
250 Remove directory operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,48,7)
150 Here comes the directory listing.
drwxr-xr-x    2 501      501          4096 Jan 16 18:43 bbb
-rw-r--r--    1 501      501         26383 Jan 16 18:42 install.log
-rw-r--r--    1 0        0          108363 Jan 16 17:12 test.list
226 Directory send OK.
ftp> get test.list
local: test.list remote: test.list
227 Entering Passive Mode (192,168,1,10,158,196)
150 Opening BINARY mode data connection for test.list (108363 bytes).
226 File send OK.
108363 bytes received in 0.1 seconds (1.1e+03 Kbytes/s)
The download speed limit can be verified with the wget command.
sales virtual user test
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): sales
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,10,103,148)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> pwd
257 "/"
ftp> put aa.txt
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,222,26)
550 Permission denied.   // upload refused, as required
ftp> get fangan.file
local: fangan.file remote: fangan.file
227 Entering Passive Mode (192,168,1,10,113,187)
150 Opening BINARY mode data connection for fangan.file (427 bytes).
226 File send OK.
427 bytes received in 0.00019 seconds (2.2e+03 Kbytes/s)
ftp> quit
221 Goodbye.
saleadm virtual user test
[root@tao ~]# ls
aa.txt           Desktop       fangan.file         install.log         test.list    yp.conf
anaconda-ks.cfg  etcconf.list  ftpconfig.tar.bz2   install.log.syslog  vutest.list  yum.conf
[root@tao ~]# ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.10:root): saleadm
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,10,184,75)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
226 Directory send OK.
ftp> put aa.txt   // upload a file
local: aa.txt remote: aa.txt
227 Entering Passive Mode (192,168,1,10,123,252)
150 Ok to send data.
226 File receive OK.
ftp> mkdir saleadm   // create a directory
257 "/saleadm" created
ftp> ls
227 Entering Passive Mode (192,168,1,10,62,152)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
-rw-r--r--    1 501      501         26383 Jan 16 17:17 install.log
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.
ftp> delete install.log   // delete a file
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,1,10,211,68)
150 Here comes the directory listing.
-rw-r--r--    1 501      501             0 Jan 16 18:53 aa.txt
-rw-r--r--    1 0        0             427 Jan 16 15:41 fangan.file
drwxr-xr-x    2 501      501          4096 Jan 16 18:54 saleadm
226 Directory send OK.