使用vsftpd服务传输文件

文件传输协议

为了解决在复杂多样的设备之间的文件传输问题
FTP是一种基于客户端/服务器模式的文件传输协议，默认使用20、21号端口
端口20（数据端口）用于进行数据传输（目录列表，数据）
端口21（命令端口）用于接收客户端发出的相关FTP命令与参数
FTP服务器普遍部署于内网中，特点：容易搭建、方便管理
有些FTP客户端工具支持文件的多点下载以及断电续传技术

FTP协议传输拓扑图：
FTP服务器是按照FTP协议在互联网上提供文件存储和访问服务的主机
FTP客户端是向服务器发送连接请求，以建立数据传输链路的主机
FTP协议有两种工作模式：

主动模式：FTP服务器主动向客户端发起连接请求

被动模式：FTP服务器等待客户端发起连接请求（FTP的默认工作模式）

防火墙一般是用于过滤从外网进入内网的流量，即有时候需将FTP的工作模式设置为主动模式才可传输数据
vsftpd（very secure ftp daemon，非常安全的FTP守护进程）是一款运行在Linux操作系统上的FTP服务程序，特点：安全开源免费，具有很高的安全性、传输速度以及支持虚拟用户验证等其它FTP服务程序不具备的特点

安装vsftpd服务程序

yum安装vsftpd服务程序

1	# yum install -y vsftpd

清空iptables防火墙的默认策略，保存当前状态

iptables防火墙工具默认禁止了FTP传输协议的端口，此操作可避免配置vsftpd服务程序时被默认的防火墙策略影响

1
2
3

# iptables -F
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

查看vsftpd服务程序的主配置文件（/etc/vsftpd/vsftpd.conf）

# cat -n /etc/vsftpd/vsftpd.conf
     1	# Example config file /etc/vsftpd/vsftpd.conf
     2	#
     3	# The default compiled in settings are fairly paranoid. This sample file
     4	# loosens things up a bit, to make the ftp daemon more usable.
     5	# Please see vsftpd.conf.5 for all compiled in defaults.
     6	#
     7	# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
     8	# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
     9	# capabilities.
    10	#
    11	# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    12	anonymous_enable=YES
    13	#
    14	# Uncomment this to allow local users to log in.
    15	# When SELinux is enforcing check for SE bool ftp_home_dir
    16	local_enable=YES
    17	#
    18	# Uncomment this to enable any form of FTP write command.
    19	write_enable=YES
    20	#
    21	# Default umask for local users is 077. You may wish to change this to 022,
    22	# if your users expect that (022 is used by most other ftpd's)
    23	local_umask=022
    24	#
    25	# Uncomment this to allow the anonymous FTP user to upload files. This only
    26	# has an effect if the above global write enable is activated. Also, you will
    27	# obviously need to create a directory writable by the FTP user.
    28	# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
    29	#anon_upload_enable=YES
    30	#
    31	# Uncomment this if you want the anonymous FTP user to be able to create
    32	# new directories.
    33	#anon_mkdir_write_enable=YES
    34	#
    35	# Activate directory messages - messages given to remote users when they
    36	# go into a certain directory.
    37	dirmessage_enable=YES
    38	#
    39	# Activate logging of uploads/downloads.
    40	xferlog_enable=YES
    41	#
    42	# Make sure PORT transfer connections originate from port 20 (ftp-data).
    43	connect_from_port_20=YES
    44	#
    45	# If you want, you can arrange for uploaded anonymous files to be owned by
    46	# a different user. Note! Using "root" for uploaded files is not
    47	# recommended!
    48	#chown_uploads=YES
    49	#chown_username=whoever
    50	#
    51	# You may override where the log file goes if you like. The default is shown
    52	# below.
    53	#xferlog_file=/var/log/xferlog
    54	#
    55	# If you want, you can have your log file in standard ftpd xferlog format.
    56	# Note that the default log file location is /var/log/xferlog in this case.
    57	xferlog_std_format=YES
    58	#
    59	# You may change the default value for timing out an idle session.
    60	#idle_session_timeout=600
    61	#
    62	# You may change the default value for timing out a data connection.
    63	#data_connection_timeout=120
    64	#
    65	# It is recommended that you define on your system a unique user which the
    66	# ftp server can use as a totally isolated and unprivileged user.
    67	#nopriv_user=ftpsecure
    68	#
    69	# Enable this and the server will recognise asynchronous ABOR requests. Not
    70	# recommended for security (the code is non-trivial). Not enabling it,
    71	# however, may confuse older FTP clients.
    72	#async_abor_enable=YES
    73	#
    74	# By default the server will pretend to allow ASCII mode but in fact ignore
    75	# the request. Turn on the below options to have the server actually do ASCII
    76	# mangling on files when in ASCII mode.
    77	# Beware that on some FTP servers, ASCII support allows a denial of service
    78	# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    79	# predicted this attack and has always been safe, reporting the size of the
    80	# raw file.
    81	# ASCII mangling is a horrible feature of the protocol.
    82	#ascii_upload_enable=YES
    83	#ascii_download_enable=YES
    84	#
    85	# You may fully customise the login banner string:
    86	#ftpd_banner=Welcome to blah FTP service.
    87	#
    88	# You may specify a file of disallowed anonymous e-mail addresses. Apparently
    89	# useful for combatting certain DoS attacks.
    90	#deny_email_enable=YES
    91	# (default follows)
    92	#banned_email_file=/etc/vsftpd/banned_emails
    93	#
    94	# You may specify an explicit list of local users to chroot() to their home
    95	# directory. If chroot_local_user is YES, then this list becomes a list of
    96	# users to NOT chroot().
    97	# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
    98	# the user does not have write access to the top level directory within the
    99	# chroot)
   100	#chroot_local_user=YES
   101	#chroot_list_enable=YES
   102	# (default follows)
   103	#chroot_list_file=/etc/vsftpd/chroot_list
   104	#
   105	# You may activate the "-R" option to the builtin ls. This is disabled by
   106	# default to avoid remote users being able to cause excessive I/O on large
   107	# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
   108	# the presence of the "-R" option, so there is a strong case for enabling it.
   109	#ls_recurse_enable=YES
   110	#
   111	# When "listen" directive is enabled, vsftpd runs in standalone mode and
   112	# listens on IPv4 sockets. This directive cannot be used in conjunction
   113	# with the listen_ipv6 directive.
   114	listen=NO
   115	#
   116	# This directive enables listening on IPv6 sockets. By default, listening
   117	# on the IPv6 "any" address (::) will accept connections from both IPv6
   118	# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
   119	# sockets. If you want that (perhaps because you want to listen on specific
   120	# addresses) then you must run two copies of vsftpd with two configuration
   121	# files.
   122	# Make sure, that one of the listen options is commented !!
   123	listen_ipv6=YES
   124	
   125	pam_service_name=vsftpd
   126	userlist_enable=YES
   127	tcp_wrappers=YES

备份vsftpd的主配置文件并将注释信息去掉

# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
# grep -v "#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf
# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Vsftpd服务程序的三种认证模式

vsftpd作为更加安全的文件传输的服务程序，允许用户以三种认证模式登录到FTP服务器上

匿名开放模式：是一种最不安全的认证模式，任何人都可以无需密码验证而直接登录到FTP服务器

本地用户模式：是通过Linux系统本地的账户密码信息进行认证的模式，相较于匿名开放模式更安全，而且配置起来也很简单。但是如果被黑客破解了账户的信息，就可以畅通无阻地登录FTP服务器，从而完全控制整台服务器

虚拟用户模式：是这三种模式中最安全的一种认证模式，它需要为FTP服务单独建立用户数据库文件，虚拟出用来进行口令验证的账户信息，而这些账户信息在服务器系统中实际上是不存在的，仅供FTP服务程序进行认证使用。这样，即使黑客破解了账户信息也无法登录服务器，从而有效降低了破坏范围和影响

安装ftp——Linux系统中以命令行界面的方式来管理FTP传输服务的客户端工具

1	# yum install -y ftp

匿名访问模式

开放匿名用户的上传、下载文件的权限，以及让匿名用户创建、删除、更名文件的权限

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES  #允许匿名访问模式
anon_umask=022   #匿名用户上传文件的umask值
anon_upload_enable=YES  #允许匿名用户上传文件
anon_mkdir_write_enable=YES  #允许匿名用户创建目录
anon_other_write_enable=YES  #允许匿名用户修改目录名称或删除目录
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

重启vsftpd，并加入开机启动项

1
2
3

# systemctl restart vsftpd
# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

尝试创建一个新的目录文件，以检验是否拥有写入权限，发现创建失败

匿名开放认证模式下，其账号为：anonymous或ftp，密码为空
默认的访问目录是 /var/ftp

# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
550 Create directory operation failed.
ftp> exit

查看目录的写入权限，修改目录的所有者为ftp，再次尝试还是失败

# ls -ld /var/ftp/pub
drwxr-xr-x. 2 root root 6 Mar  7  2014 /var/ftp/pub
# chown -Rf ftp /var/ftp/pub
# ls -ld /var/ftp/pub
drwxr-xr-x. 2 ftp root 6 Mar  7  2014 /var/ftp/pub
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
550 Create directory operation failed.
ftp> exit

修改SElinux中与ftp有关的策略规则，并用-p参数使其永久生效，再次尝试后顺利写入文件

# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
# setsebool -P ftpd_full_access=on
# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): anonumous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> mkdir files
257 "/pub/files" created
ftp> exit
221 Goodbye.

本地用户模式

关闭匿名开放模式，开启本地用户模式

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO #禁止匿名访问模式
local_enable=YES  #允许本地用户模式
write_enable=YES  #设置可写权限
local_umask=022  #本地用户模式创建的umask值
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
#userlist_deny=YES  #启用“禁止用户名单”，名单文件为ftpusers和user_list
userlist_enable=YES  #开启用户作用名单文件功能
tcp_wrappers=YES

重启vsftpd服务程序【并加入开机启动项】

1 2	# systemctl restart vsftpd # systemctl enable vsftpd

为实现root管理员登录FTP服务器，需删除“用户名单”文件（ftpusers和user_list）里的root用户名

vsftpd服务程序为了保证服务器的安全性，默认禁止了root管理员和大多数系统用户的登录行为，这可有效避免黑客通过FTP服务对root管理员密码进行暴力破解

vsftpd服务程序目录中的ftpusers和user_list这两个文件的功能——只要里面写有某个用户的名字，就不再允许这个用户登录到FTP服务器上

# vim /etc/vsftpd/user_list
  1 # vsftpd userlist
  2 # If userlist_deny=NO, only allow users in this file
  3 # If userlist_deny=YES (default), never allow users in this file, and
  4 # do not even prompt for a password.
  5 # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
  6 # for users that are denied.
  7 bin
  8 daemon
  9 adm
 10 lp
 11 sync
 12 shutdown
 13 halt
 14 mail
 15 news
 16 uucp
 17 operator
 18 games
 19 nobody
# vim /etc/vsftpd/ftpusers
  1 # Users that are not allowed to login via ftp
  2 bin
  3 daemon
  4 adm
  5 lp
  6 sync
  7 shutdown
  8 halt
  9 mail
 10 news
 11 uucp
 12 operator
 13 games
 14 nobody

root用户名登录FTP服务器，执行文件的创建、重命名及删除等命令

# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/root/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.

说明：由于在匿名访问模式中已经开启了SELinux域对FTP服务的允许策略，所以此处可省略

虚拟用户模式

创建用于进行FTP认证的用户数据库文件，奇数行为账户名，偶数行为密码

这里分别创建zhangsan和lisi两个用户，密码均为redhat

# vim /etc/vsftpd/vuser.list
zhangsan
redhat
lisi
redhat

使用db_load命令用哈希（hash）算法将原始的明文信息文件转换成数据库文件，并降低数据库文件的权限，然后再把原始的明文信息文件删除

明文信息既不安全，也不符合让vsftpd服务程序直接加载的格式，因此需转为数据库文件

# cd /etc/vsftpd/
# db_load -T -t hash -f vuser.list vuser.db
# file vuser.db 
vuser.db: Berkeley DB (Hash, version 9, native byte-order)
# chmod 600 vuser.db 
# rm -f vuser.list

创建vsftpd服务程序用于存储文件的根目录以及虚拟用户映射的系统本地用户

将系统本地用户的家目录设置为/var目录（该目录用来存放经常发生改变的数据），同时为了安全起见，将系统本地用户设置为不允许登录FTP服务器，这不会影响虚拟用户登录，且还可避免黑客通过系统本地用户进行登录

# useradd -d /var/ftproot -s /sbin/nologin virtual
# ls -ld /var/ftproot/
drwx------. 3 virtual virtual 74 Aug 13 04:01 /var/ftproot/
# chmod -Rf 755 /var/ftproot/

建立用于支持虚拟用户的PAM文件vsftpd.vu

PAM文件内的“db=”参数为使用db_load命令生成的账户密码数据库文件的路径，不用写数据库文件的后缀

PAM是一组安全机制的模块，系统管理员可以用来轻易地调整服务程序的认证方式，而不必对应用程序进行任何修改

1
2
3

# vim /etc/pam.d/vsftpd.vu
auth       required     pam_userdb.so db=/etc/vsftpd/vuser
account    required     pam_userdb.so db=/etc/vsftpd/vuser

将vsftpd服务程序的主配置文件中的pam_service_name参数（PAM认证文件的名称）修改为vsftpd.vu，并配置相应参数

# vim /etc/vsftpd/vsftpd.conf 
  1 anonymous_enable=NO  #禁止匿名开放模式
  2 local_enable=YES  #允许本地用户模式
  3 guest_enable=YES  #开启虚拟用户模式
  4 guest_username=virtual  #指定虚拟用户账户
  5 allow_writeable_chroot=YES  #允许对禁锢的FTP根目录执行写入操作，且不拒绝用户的登录请求
  6 write_enable=YES
  7 local_umask=022
  8 dirmessage_enable=YES
  9 xferlog_enable=YES
 10 connect_from_port_20=YES
 11 xferlog_std_format=YES
 12 listen=NO
 13 listen_ipv6=YES
 14 pam_service_name=vsftpd.vu  #指定PAM文件
 15 userlist_enable=YES
 16 tcp_wrappers=YES

为虚拟用户设置不同的权限，张三允许上传、创建、修改、查看、删除文件，李四只允许查看文件

创建两个以zhangsan和lisi命名的文件，在名为zhangsan的文件中写入允许的相关权限（使用匿名用户的参数）

# mkdir /etc/vsftpd/vusers_dir/
# touch lisi
# vim zhangsan
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

修改vsftpd主配置文件，添加user_config_dir参数，并重启vsftpd服务

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd.vu
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers_dir  #指定虚拟用户不同权限的配置文件所存放的路径
# systemctl restart vsftpd

设置SELinux域允许策略，并使用虚拟用户模式登录FTP服务器验证

# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
# setsebool -P ftpd_full_access=on

# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files
257 "/files" created
ftp> rename files database
350 Ready for RNTO.
250 Rename successful.
ftp> rmdir database
250 Remove directory operation successful.
ftp> exit
221 Goodbye.

# ftp 192.168.40.131
Connected to 192.168.40.131 (192.168.40.131).
220 (vsFTPd 3.0.2)
Name (192.168.40.131:root): lisi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir files1
550 Permission denied.
ftp> exit
221 Goodbye.

TFTP简单文件传输协议

简单文件传输协议（Trivial File Transfer Protocol，TFTP）是一种基于UDP协议在客户端和服务器之间进行简单文件传输的协议
提供不复杂、开销不大的文件传输服务（可将其当作FTP协议的简化版本）
TFTP的命令功能不如FTP服务强大，甚至不能遍历目录，在安全性方面也弱于FTP服务
TFTP在传输文件时采用的是UDP协议，占用的端口号为69
TFTP不需要客户端的权限认证，减少了无谓的系统和网络带宽消耗，在传输琐碎（trivial）不大的文件时，效率很高
TFTP的根目录为/var/lib/tftpboot

安装TFTP软件包

1	# yum install -y tftp-server tftp

在xinetd服务程序中将TFTP服务开启，即把默认的禁用（disable）参数修改为no

在RHEL 7系统中，TFTP服务是使用xinetd服务程序来管理的。xinetd服务可用来管理多种轻量级的网络服务，且具有强大的日志功能

# vim /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

重启xinetd服务并加入到开机启动项，然后手动将UDP协议的端口号69加入到防火墙的允许策略

# systemctl restart xinetd
# systemctl enable xinetd
# firewall-cmd --permanent --add-port=69/udp
success
# firewall-cmd --reload
success

tftp命令中可用的参数以及作用

命令	作用
?	帮助信息
put	长传文件
get	下载文件
verbose	显示详细的处理信息
status	显示当前的状态信息
binary	使用二进制进行传输
ascii	使用ASCII码进行传输
timeout	设置重传的超时时间
quit	退出

# echo "i love linux" > /var/lib/tftpboot/readme.txt
# tftp 192.168.40.131
tftp> get readme.txt
tftp> quit
[root@localhost ~]# ls
anaconda-ks.cfg  Desktop  Documents  Downloads  fstab  initial-setup-ks.cfg  Music  Pictures  Public  readme.txt  Templates  Videos
[root@localhost ~]# cat readme.txt 
i love linux

TFTP服务与其他软件相搭配，可组合出一套完整的自动化部署系统方案