1. Vsftpd installation
① Download "vsftpd-3.0.3-33.el8.x86_64.rpm" from the download site to /usr/local/src/ with wget.
[root@Lepard ~]# cd /usr/local/src/
src]# wget ftp://ftp.pbone.net/mirror/ftp.centos.org/8-stream/AppStream/x86_64/os/Packages/vsftpd-3.0.3-33.el8.x86_64.rpm
src]# rpm -ivh vsftpd-3.0.3-33.el8.x86_64.rpm
➁ Edit Vsftpd settings
Save the unedited vsftpd.conf as a .bak copy first.
src]# cp /etc/vsftpd/vsftpd.conf /home/tama/vsftpd.conf.bak
src]# vi /etc/vsftpd/vsftpd.conf
■ Line 12: prohibit anonymous login
anonymous_enable=NO
■ Line 40: transfer record logging (NO means transfers are not written to the xferlog)
xferlog_enable=NO
■ Lines 82 and 83: uncomment (allow transfer in ASCII mode)
ascii_upload_enable=YES
ascii_download_enable=YES
■ Lines 100 and 101: uncomment (enable chroot, confining local users to their home directory)
chroot_local_user=YES
chroot_list_enable=YES
■ Line 103: uncomment (chroot list file specification)
chroot_list_file=/etc/vsftpd/chroot_list
■ Line 109: uncomment (enable bulk transfer of entire directories)
ls_recurse_enable=YES
■ Line 114: change (enable IPv4)
listen=YES
■ Line 123: change (ignore IPv6)
listen_ipv6=NO
■ Add to the last line
# Use local time.
use_localtime=YES
③ Add the users who are allowed to leave their home directory (they are exempted from the chroot).
src]# vi /etc/vsftpd/chroot_list
<General User Name>    (create the file; one user name per line)
or
src]# echo "<General User Name>" >> /etc/vsftpd/chroot_list
④ Setting hosts.allow and hosts.deny (IP address restriction)
With this setting, hosts.deny rejects every connection to vsftpd and hosts.allow lists the addresses that are permitted. hosts.allow is consulted first, so the addresses listed there are accepted and everything else is denied.
Write vsftpd:ALL (reject all connections) in /etc/hosts.deny.
src]# vi /etc/hosts.deny
vsftpd:ALL
or
src]# echo "vsftpd:ALL" >> /etc/hosts.deny
Write the permitted network in /etc/hosts.allow.
src]# vi /etc/hosts.allow
vsftpd:192.168.11.0/24    (change the 192.168.11. part to match your environment)
or
src]# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow
⑤ Enable vsftpd autostart and start the service
src]# systemctl enable vsftpd
src]# systemctl start vsftpd
⑥ From the Windows side, check that you can connect using FFFTP.
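The edits in steps ② to ⑤ above are easy to get wrong by hand (a key left commented out, a line appended twice). The script below is an added example, not part of the original page, that applies the same settings idempotently and reads them back. Key names and values are the ones the page lists; the file paths are function parameters so the logic can be exercised on copies before it is pointed at /etc. The `--apply` driver, the backup path /etc/vsftpd/vsftpd.conf.bak and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the section-1 vsftpd
# settings idempotently and read them back for verification. Key names and
# values are the ones the page lists; file paths are parameters so the
# functions can be exercised on copies (or in a test) without touching /etc.
set -eu

# vsftpd_set FILE KEY VALUE
# Turn an existing "KEY=..." line (commented out with '#' or not) into
# "KEY=VALUE"; append the line when the key is absent. Because an existing
# line is rewritten rather than duplicated, running it twice is a no-op.
vsftpd_set() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*${key}=" "$file"; then
        sed -E -i "s|^#?[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# vsftpd_get FILE KEY
# Print the effective value of KEY (the last uncommented match wins).
vsftpd_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# apply_section1 CONF: the edits from step ② of the page, in one place.
apply_section1() {
    conf=$1
    vsftpd_set "$conf" anonymous_enable NO          # no anonymous logins
    vsftpd_set "$conf" xferlog_enable NO            # as on the page (NO = no xferlog)
    vsftpd_set "$conf" ascii_upload_enable YES
    vsftpd_set "$conf" ascii_download_enable YES
    vsftpd_set "$conf" chroot_local_user YES        # confine users to their home
    vsftpd_set "$conf" chroot_list_enable YES
    vsftpd_set "$conf" chroot_list_file /etc/vsftpd/chroot_list
    vsftpd_set "$conf" ls_recurse_enable YES
    vsftpd_set "$conf" listen YES                   # IPv4 listener
    vsftpd_set "$conf" listen_ipv6 NO
    vsftpd_set "$conf" use_localtime YES
}

# add_chroot_exempt LISTFILE USER: step ③, appending USER only once.
add_chroot_exempt() {
    listfile=$1; user=$2
    touch "$listfile"
    grep -qx "$user" "$listfile" || printf '%s\n' "$user" >> "$listfile"
}

# restrict_source ALLOWFILE DENYFILE NETWORK: step ④, deny-all plus one
# permitted network, each line written only if it is not already present.
restrict_source() {
    allowfile=$1; denyfile=$2; network=$3
    grep -qx 'vsftpd:ALL' "$denyfile" 2>/dev/null || printf 'vsftpd:ALL\n' >> "$denyfile"
    grep -qx "vsftpd:${network}" "$allowfile" 2>/dev/null || printf 'vsftpd:%s\n' "$network" >> "$allowfile"
}

# Touch the live system only when asked explicitly (assumed driver), e.g.
#   sh vsftpd-section1.sh --apply 192.168.11.0/24 tama
if [ "${1:-}" = "--apply" ]; then
    cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak     # keep a backup, as the page does
    apply_section1 /etc/vsftpd/vsftpd.conf
    add_chroot_exempt /etc/vsftpd/chroot_list "${3:?user name}"
    restrict_source /etc/hosts.allow /etc/hosts.deny "${2:?network}"
    systemctl enable vsftpd && systemctl restart vsftpd
fi
```

Because every helper rewrites or skips an existing line instead of appending blindly, the script can be re-run after a package update restores a stock vsftpd.conf, and `vsftpd_get` gives a quick way to confirm the running file before restarting the service.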
2. Enabling SSL/TLS in Vsftpd
① Create a self-signed certificate (not necessary if you use a trusted legitimate certificate such as Let's Encrypt).
src]# cd /etc/pki/tls/certs
certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem
Generating a RSA private key
..........+++
..........+++
writing new private key to '/etc/pki/tls/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:<Name of prefecture>
Locality Name (eg, city) [Default City]:<Name of city or town>
Organization Name (eg, company) [Default Company Ltd]:<Organization Name>
Organizational Unit Name (eg, section) []:<Unit name in the organization>
Common Name (eg, your name or your server's hostname) []:<Organization/Server Name>
Email Address []:<Administrator email address>
certs]# chmod 600 vsftpd.pem
Because -keyout and -out name the same file, vsftpd.pem holds the unencrypted private key together with the certificate, which is why it is restricted to mode 600. Note that without a -days option, openssl req -x509 issues a certificate that is valid for 30 days.
② Configuring Vsftpd
src]# vi /etc/vsftpd/vsftpd.conf
# Add to last line: enable SSL/TLS
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
src]# systemctl restart vsftpd |
③ If firewalld is enabled, fix the passive port range. Once the control channel is encrypted, the firewall's FTP connection-tracking helper can no longer read the PASV replies to open data ports on demand, so the data ports have to be pinned to a known range and opened explicitly.
src]# vi /etc/vsftpd/vsftpd.conf
# Add to last line: fix the passive ports to a known range
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
src]# systemctl restart vsftpd |
④ Allow the fixed passive ports through firewalld
src]# firewall-cmd --add-port=60000-60100/tcp --permanent
success
src]# firewall-cmd --reload
success
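The passive range in vsftpd.conf and the range opened in firewalld have to agree, and the TLS keys are only effective if all three are set and the PEM is readable by nobody but root. The script below is an added example, not part of the original page, that checks steps ② to ④ of this section and derives the firewall-cmd port argument from vsftpd.conf so the two cannot drift apart. It assumes the page's key names, a Linux `stat -c %a` for the file mode, and an `--apply` driver that is this example's own invention.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check the section-2
# TLS and passive-mode settings before restarting vsftpd, and derive the
# firewall-cmd port argument from vsftpd.conf so the two cannot drift apart.
# Key names are the page's; paths are parameters so the checks run on copies.
set -eu

# conf_get FILE KEY: print the effective value of KEY (last uncommented match).
conf_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# pasv_port_range CONF
# Print "MIN-MAX/tcp" for firewall-cmd --add-port, or fail with a reason when
# passive mode is off, a bound is missing/non-numeric, or the range is unusable.
pasv_port_range() {
    conf=$1
    [ "$(conf_get "$conf" pasv_enable)" = YES ] || { echo "pasv_enable is not YES" >&2; return 1; }
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    for p in "$min" "$max"; do
        case "$p" in ''|*[!0-9]*) echo "pasv_min_port/pasv_max_port must be numeric" >&2; return 1;; esac
    done
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "unusable passive range ${min}-${max}" >&2; return 1
    fi
    printf '%s-%s/tcp\n' "$min" "$max"
}

# tls_check CONF
# Require the three TLS keys the page adds to be YES, and require the PEM
# named by rsa_cert_file to exist with mode 600: with -nodes and the same
# -keyout/-out path, that file holds the unencrypted private key.
tls_check() {
    conf=$1; rc=0
    for key in ssl_enable force_local_data_ssl force_local_logins_ssl; do
        [ "$(conf_get "$conf" "$key")" = YES ] || { echo "$key should be YES" >&2; rc=1; }
    done
    cert=$(conf_get "$conf" rsa_cert_file)
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "rsa_cert_file does not point at a file: '$cert'" >&2; rc=1
    elif [ "$(stat -c %a "$cert")" != 600 ]; then
        echo "$cert should be mode 600, found $(stat -c %a "$cert")" >&2; rc=1
    fi
    return $rc
}

# Live use, only on request (assumed driver):  sh vsftpd-section2-check.sh --apply
if [ "${1:-}" = "--apply" ]; then
    tls_check /etc/vsftpd/vsftpd.conf
    range=$(pasv_port_range /etc/vsftpd/vsftpd.conf)
    firewall-cmd --add-port="$range" --permanent
    firewall-cmd --reload
    systemctl restart vsftpd
fi
```

Running the checks before the restart means a typo such as swapped pasv_min_port/pasv_max_port values, or a world-readable vsftpd.pem, is caught while the old, working service is still up rather than after clients start failing.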