This example shows how you might set up a (possibly large) internet-facing
FTP site. The emphasis will be on security and performance. We will see how,
by integrating vsftpd with xinetd, we get a powerful combination.
Step 1) Set up your xinetd configuration file.
An example xinetd configuration file, "vsftpd.xinetd", is supplied.
To install it:
cp vsftpd.xinetd /etc/xinetd.d/vsftpd
Let's look at the important content in this file and see what it does:
disable = no
socket_type = stream
wait = no
This says that the service is active, and it is using standard TCP sockets.
user = root
server = /usr/local/sbin/vsftpd
The server program /usr/local/sbin/vsftpd is used to handle incoming FTP
requests, and the program is started as root (vsftpd will of course quickly
drop as much privilege as possible). NOTE! Make sure that you have the vsftpd
binary installed in /usr/local/sbin (or change the file path in the xinetd
file).
per_source =
instances =
For security, per_source caps the number of connections allowed from a single
IP address, and instances caps the total number of concurrent connections.
no_access =
As an example of how to ban certain sites from connecting, the address given
in no_access will be denied access.
banner_fail = /etc/vsftpd.busy_banner
This is the file to display to users if the connection is refused for whatever
reason (too many users, IP banned). Example of how to populate it:
echo "Server busy, please try later." > /etc/vsftpd.busy_banner
Starting the message with the FTP reply code 421 (service not available) lets
FTP clients recognise it as a refusal rather than an unexpected line.
log_on_success += PID HOST DURATION
log_on_failure += HOST
This will log the IP address of all connection attempts, successful or not,
along with the time. If an FTP server is launched for the connection, its
process ID and usage duration will be logged too. If you are using RedHat
like me, this log information will appear in /var/log/secure.
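The logging settings above are only useful if somebody reads the result. The following script is an added example, not part of vsftpd or its supplied files: it summarises the START/EXIT/FAIL records xinetd writes for the ftp service, per client IP, so you can see who is connecting, who is being refused (and why: per_source_limit, no_access), and how long sessions run. The log lines embedded in it are constructed samples in the shape xinetd writes to /var/log/secure on RedHat; check the field positions against your own log before using it on real data.

```shell
#!/bin/sh
# Added example; not part of vsftpd or its supplied files.
# Summarises the xinetd START/EXIT/FAIL records produced by the
# log_on_success / log_on_failure settings, per client IP.
# SAMPLE_LOG holds CONSTRUCTED lines in the shape xinetd writes to
# /var/log/secure on RedHat; compare with your own log before relying on
# the field positions used below.

SAMPLE_LOG='Mar  3 10:00:01 ftp1 xinetd[812]: START: ftp pid=913 from=10.0.0.5
Mar  3 10:00:09 ftp1 xinetd[812]: EXIT: ftp status=0 pid=913 duration=8(sec)
Mar  3 10:00:10 ftp1 xinetd[812]: START: ftp pid=920 from=10.0.0.5
Mar  3 10:00:11 ftp1 xinetd[812]: FAIL: ftp per_source_limit from=10.0.0.5
Mar  3 10:00:12 ftp1 xinetd[812]: FAIL: ftp address from=192.0.2.77
Mar  3 10:00:30 ftp1 xinetd[812]: EXIT: ftp status=0 pid=920 duration=20(sec)'

# ftp_log_sample_file -> writes the constructed sample to a temp file and
# prints its path, so the functions below can be tried without a real log.
ftp_log_sample_file() {
    f="${TMPDIR:-/tmp}/xinetd_ftp_sample.$$"
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# ftp_log_summary LOGFILE
# Prints one line per client IP:
#   IP  sessions_started  refusals  total_session_seconds  last_refusal_reason
ftp_log_summary() {
    awk '
        # START: ftp pid=N from=IP  -> a server process was launched for IP
        $6 == "START:" && $7 == "ftp" {
            ip = substr($9, 6); pid = substr($8, 5)
            starts[ip]++; owner[pid] = ip
        }
        # FAIL: ftp REASON from=IP -> refused (per_source_limit, address, ...)
        $6 == "FAIL:" && $7 == "ftp" {
            ip = substr($NF, 6); fails[ip]++; reason[ip] = $8
        }
        # EXIT: ftp status=N pid=N duration=N(sec) -> session ended
        $6 == "EXIT:" && $7 == "ftp" {
            pid = substr($9, 5); ip = owner[pid]
            d = $10; sub(/^duration=/, "", d); sub(/\(sec\)$/, "", d)
            if (ip != "") dur[ip] += d
        }
        END {
            for (ip in starts)
                print ip, starts[ip], fails[ip] + 0, dur[ip] + 0, (ip in reason ? reason[ip] : "-")
            for (ip in fails)
                if (!(ip in starts)) print ip, 0, fails[ip], 0, reason[ip]
        }' "$1" | sort
}

# ftp_log_refused LOGFILE MIN -> IPs refused at least MIN times: the clients
# hitting the per_source / instances caps or the no_access list.
ftp_log_refused() {
    ftp_log_summary "$1" | awk -v n="$2" '$3 >= n { print $1 }'
}

# Demonstration on the constructed sample.
sample=$(ftp_log_sample_file)
ftp_log_summary "$sample"
rm -f "$sample"
```

Run it against the real file with `ftp_log_summary /var/log/secure`; a client that keeps appearing in `ftp_log_refused` with reason per_source_limit is either a mirror that needs a higher cap or a client worth adding to no_access.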
Step 2) Set up your vsftpd configuration file.
An example file is supplied. Install it like this:
cp vsftpd.conf /etc
Let's examine the contents of the file:
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
This makes sure the FTP server is in anonymous-only mode and that all write
and upload permissions are disabled. Note that most of these settings are
the same as the default values anyway, but where security is concerned it
is good to be explicit.
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=
pasv_max_port=
These settings, in order:
1) Make sure only world-readable files and directories are served.
2) Originates FTP PORT (active data) connections from a secure, privileged
port, so users on the FTP server machine cannot try to fake file content.
3) Hide the FTP server user IDs and just display "ftp" in directory listings.
This is also a performance boost.
4) Set a port range for passive connections, which makes firewall setup
easier!
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
In order:
1) Enables recording of transfer stats to /var/log/vsftpd.log.
2) Disables "ls -R" to prevent it being used as a DoS attack. Note: sites
wanting to be copied via the mirror program might need to enable this.
3) Disables downloading in ASCII mode to prevent it being used as a DoS
attack (ASCII downloads are CPU heavy).
4) Enables older FTP clients to cancel in-progress transfers.
# Performance
one_process_model=YES
idle_session_timeout=
data_connection_timeout=
accept_timeout=
connect_timeout=
anon_max_rate=
In order:
1) Activates a faster one-process-per-connection model. Note! To maintain
security, this feature is only available on systems with capabilities, e.g. a
Linux kernel with capability support.
2) Boots off users idle for longer than idle_session_timeout seconds.
3) Boots off downloads idle for longer than data_connection_timeout seconds.
4) Boots off passive connects that hang for longer than accept_timeout seconds.
5) Boots off active connects that hang for longer than connect_timeout seconds.
6) Limits a single client to anon_max_rate bytes/sec download speed.
Step 3) Restart xinetd.
(on RedHat)
/etc/rc.d/init.d/xinetd restart
If you run into problems, check:
1) Your /etc/xinetd.d directory only has one FTP service.
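Before restarting xinetd it is worth checking that the vsftpd.conf you installed in Step 2 still matches the anonymous-only, read-only profile explained above, and that the troubleshooting condition from Step 3 (only one FTP service in xinetd.d) holds. The script below is an added example, not part of vsftpd or its supplied files: audit_vsftpd_conf prints one line per setting that deviates from the profile (a silent run means the file matches), and count_ftp_services counts the xinetd.d files declaring "service ftp". The sample configuration files it writes are constructed for the demonstration; the passive port numbers in them are placeholders, not recommended values.

```shell
#!/bin/sh
# Added example; not part of vsftpd or its supplied files.
# audit_vsftpd_conf checks a vsftpd.conf against the anonymous-only,
# read-only profile described in Step 2; count_ftp_services checks the
# "only one FTP service in xinetd.d" condition from Step 3.
# write_sample_confs creates CONSTRUCTED sample files (placeholder ports).

# conf_value FILE KEY -> prints the last value set for KEY ("" if unset).
# vsftpd.conf lines are key=value with no surrounding spaces; '#' comments.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# expect_setting FILE KEY WANT -> prints a finding unless KEY=WANT.
expect_setting() {
    got=$(conf_value "$1" "$2")
    [ "$got" = "$3" ] || echo "$2 is '${got:-unset}', expected $3"
}

# audit_vsftpd_conf FILE -> findings on stdout; nothing printed means the
# file matches the profile.
audit_vsftpd_conf() {
    f=$1
    # Access rights: anonymous only, no local logins, nothing writable.
    expect_setting "$f" anonymous_enable YES
    expect_setting "$f" local_enable NO
    expect_setting "$f" write_enable NO
    expect_setting "$f" anon_upload_enable NO
    expect_setting "$f" anon_mkdir_write_enable NO
    expect_setting "$f" anon_other_write_enable NO
    # Security: world-readable only, hidden IDs, bounded passive port range.
    expect_setting "$f" anon_world_readable_only YES
    expect_setting "$f" hide_ids YES
    lo=$(conf_value "$f" pasv_min_port); hi=$(conf_value "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "pasv_min_port/pasv_max_port not both set; passive range is unbounded"
    elif [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port $lo is above pasv_max_port $hi"
    fi
    # Features: the two DoS-prone options stay off.
    expect_setting "$f" ls_recurse_enable NO
    expect_setting "$f" ascii_download_enable NO
}

# count_ftp_services DIR -> number of xinetd.d files declaring "service ftp".
count_ftp_services() {
    grep -l '^[[:space:]]*service[[:space:]][[:space:]]*ftp[[:space:]]*$' "$1"/* 2>/dev/null \
        | wc -l | tr -d ' '
}

# write_sample_confs DIR -> creates weak.conf, hardened.conf and an xinetd.d
# directory holding two FTP services plus an unrelated one (all constructed).
write_sample_confs() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/weak.conf" <<'EOF'
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
hide_ids=YES
ls_recurse_enable=NO
ascii_download_enable=NO
EOF
    # hardened.conf: writes turned off and a (placeholder) passive range set.
    sed -e 's/^write_enable=YES/write_enable=NO/' \
        -e 's/^anon_upload_enable=YES/anon_upload_enable=NO/' \
        "$1/weak.conf" > "$1/hardened.conf"
    printf 'pasv_min_port=40000\npasv_max_port=40100\n' >> "$1/hardened.conf"
    printf 'service ftp\n{\n\tserver = /usr/local/sbin/vsftpd\n}\n' > "$1/xinetd.d/vsftpd"
    # A leftover entry from another FTP daemon (constructed path).
    printf 'service ftp\n{\n\tserver = /usr/sbin/in.ftpd\n}\n' > "$1/xinetd.d/ftp"
    printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$1/xinetd.d/telnet"
}

# Demonstration on the constructed samples.
d="${TMPDIR:-/tmp}/vsftpd_audit.$$"
write_sample_confs "$d"
echo "weak.conf findings:";     audit_vsftpd_conf "$d/weak.conf"
echo "hardened.conf findings:"; audit_vsftpd_conf "$d/hardened.conf"
echo "FTP services in xinetd.d: $(count_ftp_services "$d/xinetd.d")"
rm -rf "$d"
```

On a live host run `audit_vsftpd_conf /etc/vsftpd.conf` and `count_ftp_services /etc/xinetd.d`; a count above 1 is exactly the situation the troubleshooting note describes, and the extra file should be removed or given `disable = yes` before xinetd is restarted.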
vsftpd.conf
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=
pasv_max_port=
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=
data_connection_timeout=
accept_timeout=
connect_timeout=
anon_max_rate=
vsftpd.xinetd
# vsftpd is the secure FTP server
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/vsftpd
per_source =
instances =
no_access =
banner_fail = /etc/vsftpd.busy_banner
log_on_success += PID HOST DURATION
log_on_failure += HOST
}