[Linux][CentOS 5.5] 4. FTP service setup and connection access restrictions
Author: game2002│2011-03-02 22:26:45
4. FTP service setup and connection access restrictions
FTP server-side setup (IP: 192.168.11.7)
1. Install the ftp-related packages
[root@station7 ~]# yum install "*ftp*"
Package ftp-0.17-35.el5.i386 already installed and latest version
Package lftp-3.7.11-4.el5_5.3.i386 already installed and latest version
Package vsftpd-2.0.5-16.el5_5.1.i386 already installed and latest version
Package 1:gftp-2.0.18-3.2.2.i386 already installed and latest version
Package tftp-0.49-2.el5.centos.i386 already installed and latest version
Package tftp-server-0.49-2.el5.centos.i386 already installed and latest version
Nothing to do
Set vsftpd to start at boot
[root@station7 ~]# chkconfig vsftpd on
2. Test logging in locally:
[root@station7 ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [FAILED]
Starting vsftpd for vsftpd: [ OK ]
[root@station7 ~]# chkconfig vsftpd on
[root@station7 ~]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): ftp
331 Please specify the password.
Password: (press Enter)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,132,227)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 May 25 2010 pub
226 Directory send OK.
ftp> bye
221 Goodbye.
(The anonymous FTP directory on the local machine is /var/ftp/)
3. Test logging in to the local machine as a regular user:
Edit the vsftpd configuration file
[root@station7 ~]# nano /etc/vsftpd/vsftpd.conf
local_enable=YES (just remove the leading # to uncomment it)
write_enable=YES (just remove the leading # to uncomment it)
[root@station7 ~]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): hhh
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
Lift the SELinux restriction on users accessing their home directories via FTP
Note: if regular users cannot log in via FTP, check the SELinux messages in /var/log/messages.
(This step is very important; skipping it causes problems!)
[root@station7 ~]# setsebool -P ftp_home_dir=1
[root@station7 ~]# getsebool -a | grep ftp
ftp_home_dir --> on
4. Restrict regular users to accessing files only within their home directory:
[root@station7 ~]# nano /etc/vsftpd/vsftpd.conf
chroot_local_user=YES (add this line to the configuration file)
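The three vsftpd.conf settings touched in steps 3 and 4 interact: once local_enable and write_enable are on, a local user who is not chrooted can browse whatever the Unix permissions allow. The following script is an added example (it is not from the original post) that reads a vsftpd.conf the way vsftpd does (strict key=value lines, "#" comments) and reports the two things worth checking: local logins without chroot_local_user=YES, and anonymous logins (which vsftpd 2.0.x allows by default when anonymous_enable is unset). The sample configuration files it writes are constructed to mirror the state after each step of this tutorial, plus one hardened variant that goes one step further than the post by switching anonymous access off.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# settings steps 3 and 4 change. vsftpd only honours "key=value" lines with
# no spaces around "=", and a leading "#" comments a line out, so the
# shipped "#local_enable=YES" must be reported as unset.

# vsftpd_get KEY FILE: print the effective value of KEY (the last
# uncommented occurrence wins), or "unset" when the key never appears.
vsftpd_get() {
    val=$(grep "^$1=" "$2" | tail -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# vsftpd_audit FILE: print one line per finding and return the number of
# findings (0 = nothing to report).
vsftpd_audit() {
    f=$1; n=0
    local_en=$(vsftpd_get local_enable "$f")
    chroot=$(vsftpd_get chroot_local_user "$f")
    anon=$(vsftpd_get anonymous_enable "$f")
    # Step 4 of the tutorial: without chroot_local_user=YES a local user can
    # browse the whole filesystem their Unix permissions allow.
    if [ "$local_en" = YES ] && [ "$chroot" != YES ]; then
        echo "finding: local_enable=YES but chroot_local_user=$chroot"
        n=$((n + 1))
    fi
    # anonymous_enable defaults to YES in vsftpd 2.0.x when it is unset.
    if [ "$anon" = YES ] || [ "$anon" = unset ]; then
        echo "finding: anonymous logins allowed (anonymous_enable=$anon)"
        n=$((n + 1))
    fi
    return $n
}

# write_samples DIR: write constructed sample configs (not the real files
# from the post) that mirror the state after each step of the tutorial.
write_samples() {
    d=$1
    # As shipped on CentOS 5: only anonymous logins.
    printf '%s\n' 'anonymous_enable=YES' '#local_enable=YES' '#write_enable=YES' > "$d/default.conf"
    # After step 3: local users can log in and write, but are not chrooted.
    printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' > "$d/step3.conf"
    # After step 4: chroot_local_user=YES added.
    printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' 'chroot_local_user=YES' > "$d/step4.conf"
    # One step further than the post: anonymous access switched off.
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' 'chroot_local_user=YES' > "$d/hardened.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for name in default step3 step4 hardened; do
    echo "== $name.conf"
    vsftpd_audit "$dir/$name.conf"
    echo "   findings: $?"
done
rm -rf "$dir"
```

Run it as-is to see the sample walk-through, or call `vsftpd_audit /etc/vsftpd/vsftpd.conf` on the server after step 4; the exit status is the number of findings, so it drops straight into a cron job or a post-install check.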
5. Configure vsftpd access control (here, access is opened to machines on 192.168.11.0/24)
There are two methods of access control; use either one.
Method 1:
[root@station3 ~]# ldd /usr/sbin/vsftpd | grep libwrap (first confirm whether vsftpd supports TCP wrappers)
libwrap.so.0 => /lib/libwrap.so.0 (0x00c24000) (if libwrap appears, it is supported)
[root@station7 ~]# nano /etc/hosts.allow
vsftpd: 192.168.11.0/255.255.255.0
(Note that in /etc/hosts.allow, 0/24 has to be written as 0/255.255.255.0)
[root@station7 ~]# nano /etc/hosts.deny
vsftpd: ALL
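The note above about writing 0/24 as 0/255.255.255.0 is the usual stumbling block with method 1: the tcp_wrappers shipped with CentOS 5 matches IPv4 patterns of the form network/netmask and does not understand CIDR prefix lengths. The script below is an added example (not from the original post) that converts a prefix length into the dotted mask and prints the matching hosts.allow and hosts.deny lines for a service; the service name `vsftpd` is the one the post uses, and the extra host 10.0.0.5 is a constructed value to show a comma-separated list.

```shell
#!/bin/sh
# Added example, not from the original post: build the tcp_wrappers rules
# from method 1. The tcp_wrappers in CentOS 5 only understands IPv4
# network/netmask patterns ("192.168.11.0/255.255.255.0"), not CIDR, so the
# prefix length is converted to a dotted mask first.

# cidr_to_wrapper ADDR[/PREFIX]: print the address in hosts.allow form.
# A bare address is printed unchanged; a bad prefix length returns 1.
cidr_to_wrapper() {
    case "$1" in
        */*) net=${1%/*}; p=${1#*/} ;;
        *)   echo "$1"; return 0 ;;
    esac
    case "$p" in
        ''|*[!0-9]*) echo "bad prefix length in $1" >&2; return 1 ;;
    esac
    if [ "$p" -gt 32 ]; then
        echo "bad prefix length in $1" >&2; return 1
    fi
    # Mask = the top p bits of a 32-bit word set. p=0 would mean a shift
    # by 32, which is undefined, so it is special-cased.
    if [ "$p" -eq 0 ]; then
        m=0
    else
        m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    fi
    printf '%s/%d.%d.%d.%d\n' "$net" \
        $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# wrapper_rules SERVICE NET[/PREFIX]...: print the hosts.allow line that
# admits the given networks and the hosts.deny line that rejects the rest.
wrapper_rules() {
    svc=$1; shift
    list=
    for n in "$@"; do
        w=$(cidr_to_wrapper "$n") || return 1
        list="${list:+$list, }$w"
    done
    echo "# /etc/hosts.allow"
    echo "$svc: $list"
    echo "# /etc/hosts.deny"
    echo "$svc: ALL"
}

# Same network as the post's server (192.168.11.0/24) plus one constructed
# extra host, to show how a list of allowed sources looks.
wrapper_rules vsftpd 192.168.11.0/24 10.0.0.5
```

Because hosts.allow is consulted before hosts.deny, the `vsftpd: ALL` deny line only affects sources that did not match the allow line, which is exactly the behaviour method 1 relies on.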
Method 2:
[root@station7 ~]# iptables -I INPUT -i eth0 -p tcp -s 192.168.11.0/24 --dport 21 -j ACCEPT
[root@station7 ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j REJECT
[root@station7 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.11.0/24 0.0.0.0/0 tcp dpt:21
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@station7 ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
6. Restart the vsftpd service
[root@station7 ~]# /etc/init.d/vsftpd restart
正在關閉 vsftpd: [ 確定 ]
正在啟動 vsftpd 中的 vsftpd: [ 確定 ]
Test logging in to the FTP server from the client (IP: 192.168.11.8)
[root@station8 ~]# ftp 192.168.11.7
Connected to 192.168.11.7.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.11.7:root): hhh
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,11,7,49,55)
150 Here comes the directory listing.
drwxr-xr-x 2 500 500 1024 Dec 30 03:43 Desktop
-rw-rw-r-- 1 500 500 0 Mar 02 14:49 aaaa
226 Directory send OK.
ftp> bye
221 Goodbye.
Note: if the client cannot connect and reports that there is no route to the host,
it may be blocked by the server-side firewall (iptables). The fix is as follows:
Connect to the server host
[root@station7 ~]# iptables -F
[root@station7 ~]# iptables -X
[root@station7 ~]# iptables -Z
[root@station7 ~]# iptables -F -t nat
[root@station7 ~]# iptables -X -t nat
[root@station7 ~]# iptables -Z -t nat
[root@station7 ~]# iptables -F -t mangle
[root@station7 ~]# iptables -X -t mangle
[root@station7 ~]# iptables -Z -t mangle
(That long list above simply wipes the firewall rules clean! Note that this also removes the port 21 rules from method 2, so re-add them afterwards if you rely on that method.)
[root@station7 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@station7 ~]# /etc/init.d/iptables save (remember to save the firewall rules!)
正在儲存防火牆規則到 /etc/sysconfig/iptables: [ 確定 ]