Setting up an FTP service
Configuring and using vsftpd
Overview
vsftpd is a very secure and easy-to-use FTP server for Linux; a simple installation is enough to get an FTP service running.
The main configuration file for this service is vsftpd.conf; on deepin/UOS its absolute path is:
/etc/vsftpd.conf
Installation
# A plain install is all that is needed; the precondition is that developer mode is enabled, otherwise software cannot be installed from the terminal
sudo apt install vsftpd
# If apt reports that the package cannot be found, the package index has probably not been updated; run the following command first
sudo apt update
Starting and stopping the service
# start the service
service vsftpd start
# stop the service
service vsftpd stop
# restart the service
service vsftpd restart
# check the service status
service vsftpd status
# The result looks like the following: active means it is running normally; if it failed, use the message shown to look up the problem
babyfengfjx@babyfengfjx:~$ service vsftpd status
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-10-09 16:22:48 CST; 1s ago
Process: 18334 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 18335 (vsftpd)
Tasks: 1 (limit: 4915)
Memory: 568.0K
CGroup: /system.slice/vsftpd.service
└─18335 /usr/sbin/vsftpd /etc/vsftpd.conf
The configuration file
Using this service is mostly a matter of how these configuration options are set; many people struggle to get a working configuration on the first attempt, so a configuration that actually works is given here for reference.
Configuration file path: /etc/vsftpd.conf
When configuring, keep anonymous login disabled and use local user logins to keep the service secure.
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
# chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# chroot_local_user=YES
# chroot_list_enable=YES
# (default follows)
# chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
The options actually enabled are as follows:
With this simple configuration, local users can log in and access the service.
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
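As an added example (not code from the original post), a small POSIX shell audit that reads a vsftpd.conf the way vsftpd does (only uncommented KEY=VALUE lines) and reports the settings that undermine the local-users-only setup above; the function names and the two sample files are constructed here, and allow_writeable_chroot is vsftpd's own option that disables the chroot safety check the file warns about.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# settings that weaken the local-users-only setup above. Only uncommented
# KEY=VALUE lines are read, as vsftpd itself does. The function names and
# the two sample files are constructed for this example.

vsftpd_get() {
    # vsftpd_get FILE KEY -> value of the last active "KEY=VALUE" line, or ""
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

audit_vsftpd_conf() {
    f=$1; n=0
    if [ "$(vsftpd_get "$f" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: logins without a local account"; n=$((n + 1))
        if [ "$(vsftpd_get "$f" anon_upload_enable)" = "YES" ]; then
            echo "anon_upload_enable=YES: anonymous users may upload"; n=$((n + 1))
        fi
    fi
    if [ "$(vsftpd_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: passwords and data cross the network in clear text"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_get "$f" chroot_local_user)" = "YES" ] &&
       [ "$(vsftpd_get "$f" allow_writeable_chroot)" = "YES" ]; then
        echo "allow_writeable_chroot=YES: chroot top level is writable (see the warning in the file)"
        n=$((n + 1))
    fi
    AUDIT_FINDINGS=$n   # number of findings, for callers; the function always returns 0
    return 0
}

# Constructed samples: an excerpt of the active settings above, and a loosened variant.
TMPD=$(mktemp -d)
printf '%s\n' listen=YES anonymous_enable=NO local_enable=YES write_enable=YES \
    ssl_enable=NO > "$TMPD/post.conf"
printf '%s\n' '# anonymous_enable=NO' anonymous_enable=YES anon_upload_enable=YES \
    local_enable=YES chroot_local_user=YES allow_writeable_chroot=YES \
    ssl_enable=NO > "$TMPD/loose.conf"

for c in post loose; do
    echo "== $c.conf"
    audit_vsftpd_conf "$TMPD/$c.conf"
    echo "findings: $AUDIT_FINDINGS"
done
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd.conf; the post's own settings produce exactly one finding, the ssl_enable=NO line.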
Problems encountered
- It was not possible to configure a specific root directory: after login, every local account lands in the root directory, a custom directory cannot be configured, and the setting has no effect even when set;
- A newly added user whose shell is set to nologin cannot be used to access the service;
- A newly added user must log in once first before the account can be used to access FTP;
Setting up an SFTP service
Group configuration --- server side
sudo groupadd sftp
cat /etc/group # confirm that the group was created
sudo vim /etc/group # edit the sftp:x:1002: entry
sudo useradd -g sftp -s /bin/false mysftp
sudo passwd mysftp # set a new password; this is the password used to access the server
Shared directory --- server side
sudo mkdir -p /data/sftp/mysftp
sudo usermod -d /data/sftp/mysftp mysftp
Configuration file changes --- server side
sudo vim /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server # this is the original line and must be commented out manually
Then append the following lines at the end of the file and save
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /data/sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Directory permissions and creation --- server side
sudo chown root:sftp /data/sftp/mysftp
sudo chmod 755 /data/sftp/mysftp
sudo mkdir /data/sftp/mysftp/upload
sudo chown mysftp:sftp /data/sftp/mysftp/upload
sudo chmod 755 /data/sftp/mysftp/upload
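An added example, not from the original post, that checks why the chown root:sftp and chmod 755 steps matter: sshd only honours ChrootDirectory when the directory and every parent component are root-owned and not group- or world-writable, and otherwise rejects the login. The function name is constructed and it assumes GNU stat (Linux); the optional TOP argument is there so it can be exercised on a temporary tree.

```shell
#!/bin/sh
# Added example, not from the original post: check an sftp chroot target
# against sshd's ChrootDirectory rule. The directory and every parent up to /
# must be owned by root and must not be group- or world-writable, otherwise
# sshd refuses the login ("bad ownership or modes for chroot directory").
# This is why the post makes /data/sftp/mysftp root:sftp 755 and gives the
# user only the upload subdirectory. Assumes GNU stat (Linux). The function
# name is constructed; TOP (default /) ends the walk early so the check can
# be exercised on a temporary tree.

check_chroot_path() {
    dir=$1; top=${2:-/}; CHROOT_PROBLEMS=0
    while :; do
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
            echo "$dir: cannot stat"; CHROOT_PROBLEMS=$((CHROOT_PROBLEMS + 1)); return 0; }
        owner=${info% *}; mode=${info#* }
        if [ "$owner" -ne 0 ]; then
            echo "$dir: owned by uid $owner, must be root"
            CHROOT_PROBLEMS=$((CHROOT_PROBLEMS + 1))
        fi
        # the last two octal digits are the group and other permission bits
        oth=${mode#"${mode%?}"}; rest=${mode%?}; grp=${rest#"${rest%?}"}
        case $grp in 2|3|6|7)
            echo "$dir: mode $mode is group-writable"; CHROOT_PROBLEMS=$((CHROOT_PROBLEMS + 1)) ;;
        esac
        case $oth in 2|3|6|7)
            echo "$dir: mode $mode is world-writable"; CHROOT_PROBLEMS=$((CHROOT_PROBLEMS + 1)) ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# Demo on a constructed tree mirroring the post's layout (/data/sftp/mysftp/upload).
T=$(mktemp -d)
mkdir -p "$T/data/sftp/mysftp/upload"
chmod 755 "$T" "$T/data" "$T/data/sftp" "$T/data/sftp/mysftp"
echo "== as laid out in the post"; check_chroot_path "$T/data/sftp/mysftp" "$T"
chmod 775 "$T/data/sftp/mysftp"   # the common mistake: a group-writable chroot
echo "== after chmod 775"; check_chroot_path "$T/data/sftp/mysftp" "$T"
echo "problems: $CHROOT_PROBLEMS"
```

On the real server run check_chroot_path /data/sftp/mysftp with no second argument so that /data and / are checked too.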
Restart the service --- server side
sudo systemctl restart sshd.service # if restarting reports that the service does not exist, enable the following service first
systemctl enable ssh.service
# then run:
sudo systemctl restart sshd.service
Accessing the server --- client side
Open the file manager or "My Computer"
Enter the address, for example sftp://10.20.32.** (use the actual server IP, then enter the username and password to gain access)
Setting up an NFS service
Server side
Installing the tools
sudo apt-get install nfs-kernel-server # install the NFS server
Creating the shared directory
sudo mkdir /home/deepin-server/nfs # the path can be chosen as needed
sudo chmod -R 777 /home/deepin-server/nfs # set permissions on the shared directory
Editing the configuration file
vim /etc/exports
- The configuration file is only one line, but there is still a lot to get right in it;
- The access options for the shared directory are:
  - ro: read-only access
  - rw: read-write access
  - sync: all data is written to the share at the time of the request
  - hide: do not share subdirectories of the NFS shared directory
  - nohide: share subdirectories of the NFS directory
  - all_squash: map the UID and GID of shared files to the anonymous user; suitable for public directories.
  - no_all_squash: keep the UID and GID of shared files (default)
  - root_squash: all requests from the root user are mapped to the same permissions as the anonymous user (default)
  - no_root_squash: the root user has full administrative access to the root directory
- The client IP should generally be restricted; it is best not to use *, which is a security risk; restrict mounting to specific IPs or IP ranges.
vim /etc/exports
# The configuration file is changed as follows:
deepin-server@deepin-server-PC:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
/home/deepin-server/nfs 10.20.*(rw) # the IP here is only partially restricted; the options in the parentheses set the permissions.
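An added example, not from the original post, that audits an exports file for the points made above: a bare * client, a wildcard client range like the 10.20.* used here, no_root_squash, and the missing subtree_check/no_subtree_check that exportfs warns about in the status output below. The function names and the sample exports file are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports file for the
# points made above: a bare "*" client (any host may mount), a wildcard client
# range, no_root_squash (remote root keeps root on the share) and a missing
# subtree_check/no_subtree_check (the exportfs warning in the status output).
# Assumes the exports(5) layout "path client(opts) client(opts) ...". The
# function names and the sample file are constructed for this example.

note() { echo "$1"; EXPORT_FINDINGS=$((EXPORT_FINDINGS + 1)); }

audit_exports() {
    # audit_exports FILE: one finding per line, total in EXPORT_FINDINGS
    file=$1; EXPORT_FINDINGS=0
    set -f                       # no globbing: "10.20.*" must stay literal
    while read -r line; do
        line=${line%%#*}         # drop comments
        set -- $line             # $1 = path, the rest = client(options) entries
        [ $# -ge 2 ] || continue
        path=$1; shift
        for ent in "$@"; do
            client=${ent%%"("*}; opts=""
            [ "$client" = "$ent" ] || { opts=${ent#*"("}; opts=${opts%")"}; }
            case $client in
                '*')    note "$path: exported to every host ($ent)" ;;
                *[*?]*) note "$path: wildcard client $client, confirm the range is intended" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) note "$path: no_root_squash lets root on $client stay root" ;;
            esac
            case ",$opts," in
                *,subtree_check,*|*,no_subtree_check,*) ;;
                *) note "$path: neither subtree_check nor no_subtree_check for $client" ;;
            esac
        done
    done < "$file"
    set +f
}

EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample: the post's export plus two riskier ones
/home/deepin-server/nfs 10.20.*(rw)
/srv/public *(ro,sync,no_subtree_check)
/srv/admin 10.20.13.5(rw,sync,no_root_squash,no_subtree_check)
EOF
audit_exports "$EXPORTS_SAMPLE"
echo "findings: $EXPORT_FINDINGS"
```

Running audit_exports /etc/exports on the server reports the same subtree_check note that exportfs prints at service start, plus any host wildcards and no_root_squash entries.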
Starting the service
systemctl start rpcbind nfs-server
Checking the service status
The services only need to be in the running state
deepin-server@deepin-server-PC:~$ sudo systemctl status rpcbind nfs-server
● rpcbind.service - RPC bind portmap service
Loaded: loaded (/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-01-05 11:53:19 CST; 1h 56min ago
Docs: man:rpcbind(8)
Main PID: 19304 (rpcbind)
Tasks: 1 (limit: 19660)
Memory: 608.0K
CGroup: /system.slice/rpcbind.service
└─19304 /sbin/rpcbind -f -w
1月 05 11:53:19 deepin-server-PC systemd[1]: Starting RPC bind portmap service...
1月 05 11:53:19 deepin-server-PC systemd[1]: Started RPC bind portmap service.
● nfs-server.service - NFS server and services
Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2022-01-05 11:53:21 CST; 1h 56min ago
Process: 19319 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 19320 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Main PID: 19320 (code=exited, status=0/SUCCESS)
1月 05 11:53:20 deepin-server-PC systemd[1]: Starting NFS server and services...
1月 05 11:53:20 deepin-server-PC exportfs[19319]: exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "10.20.*:/home/deepin-server/Documents/NFS文件目录for-test".
1月 05 11:53:20 deepin-server-PC exportfs[19319]: Assuming default behaviour ('no_subtree_check').
1月 05 11:53:20 deepin-server-PC exportfs[19319]: NOTE: this default has changed since nfs-utils version 1.0.x
1月 05 11:53:21 deepin-server-PC systemd[1]: Started NFS server and services.
deepin-server@deepin-server-PC:~$
At this point the server side is configured.
Client configuration
On the client the main task is mounting, but mounting NFS also requires installing the client software
Client installation
sudo apt-get install nfs-common
Viewing the server's NFS shares
showmount -e 10.20.13.152
babyfengfjx@babyfengfjx:~$ showmount -e 10.20.13.152
Export list for 10.20.13.152:
/home/deepin-server/Documents/NFS文件目录for-test 10.20.*
babyfengfjx@babyfengfjx:~$
Creating the mount point on the client
Just create a directory anywhere on the local client to serve as the NFS mount point
sudo mkdir /home/babyfengfjx/Documents/nfsfile/
Mounting on the client
Mount the server's NFS shared directory onto the corresponding local directory
sudo mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/
Viewing and transferring files
Once the steps above are done, the NFS storage can be used from the corresponding client directory; uploading and creating files work freely.
Mounting automatically at boot
- Writing the mount into fstab is not recommended: if the NFS mount fails it may stop the machine from booting normally
Automatic mounting at boot via fstab
echo "10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/ nfs4 defaults 0 0" >> /etc/fstab
mount -av
Via a script run automatically at boot
How it works:
Create the file /etc/rc.local
- This method relies on the system starting the rc-local service automatically after boot;
- Once the rc-local service has started, it automatically runs the rc.local script in the /etc directory;
- The advantage of this method is that it has none of the three drawbacks of the first method: a failing script does not produce a black-screen popup, sleep does not cause a black screen at boot, and the script runs as the root user.
Main steps:
1. Create the file /etc/rc.local
2. Paste the following template
#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.
# The script below is what I configured to start a python script automatically at boot
nohup python3 /home/babyfengfjx/Documents/typora_documents/TestScripts/01.LitterScript/02.bbsmonitor/bbsmonitor.py >bbs.log 2>&1 &
# This command already runs with root privileges, so sudo is not needed
sleep 5;mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/
exit 0
3. Insert the commands you want to run at startup above exit 0 (one per line), then save the file
4. Give the script 755 permissions
sudo chmod 755 /etc/rc.local
5. Test the script (optional)
sudo /etc/rc.local # use sudo to simulate root running /etc/rc.local at boot
If step 5 runs without errors, reboot to check whether the script starts automatically. After rebooting into the system, run systemctl status rc-local.service to check the state of rc-local: active (exited) means your script ran successfully, whereas failed means you need to look for a problem in the script.
Possible reasons the script does not run properly:
1. The command runs as the wrong user
Because rc.local runs as the root user at boot, many people overlook that in many cases a command has to be run as an ordinary user, for example conky and virtual machines (VirtualBox and VMware machines created by user A cannot be accessed by user B).
Suppose user lolimay starts the virtual machine named aikuai in the background from a terminal with VBoxHeadless -s aikuai &; then in rc.local it should be written like this:
su - lolimay -c "VBoxHeadless -s aikuai &" # run the command as user lolimay
2. Unnecessary sudo
As mentioned above, rc.local runs as root at boot, so commands in rc.local do not need a sudo prefix (in fact, adding sudo does not cause an error either).
Best practice
Whenever you add a command to rc.local, run sudo /etc/rc.local first to check that it executes successfully (if it fails, the cause is shown directly); this greatly reduces the number of reboots needed for debugging.