File server configuration at a certain big company

Posted on 2023-1-5 18:35:50
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=990
# 公网IP is a placeholder for the server's public IP address.
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
allow_writeable_chroot=YES
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
debug_ssl=YES
# Fixes the vsftpd connection error "425 Security: Bad IP connecting"
pasv_promiscuous=YES

No idea what their IT changed. After switching to a different IP it wouldn't connect at all. Damn. I went through the errors one by one until they were all sorted.
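An added example, not part of the original post: a small Python audit that reads vsftpd.conf text and flags the settings in this configuration that weaken it (SSLv2 enabled, `require_ssl_reuse=NO`, `pasv_promiscuous=YES`, a writable chroot), plus a value carrying a trailing note, which vsftpd does not treat as a comment. The rule list, function names and sample text are assumptions made for this example; the defaults are the ones documented in vsftpd.conf(5).

```python
import re

TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}

# (option, compiled-in default, risky value, why), per vsftpd.conf(5).
RULES = [
    ("anonymous_enable", "YES", True, "anonymous login is allowed"),
    ("ssl_sslv2", "NO", True, "SSLv2 is obsolete and broken"),
    ("ssl_sslv3", "NO", True, "SSLv3 is obsolete and broken"),
    ("require_ssl_reuse", "YES", False,
     "data connections need not reuse the control channel's TLS session"),
    ("pasv_promiscuous", "NO", True,
     "PASV data connections are accepted from any IP, not just the control IP"),
]

# Constructed sample in the form the settings take in the post above.
SAMPLE = """\
# anonymous_enable is left out, so the default applies
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_sslv2=YES
require_ssl_reuse=NO
pasv_promiscuous=YES   fixes 425 Security: Bad IP connecting
"""

def parse(text):
    # Only lines starting with '#' are comments; everything after '=' is the
    # value, so a trailing note on the line becomes part of the value.
    opts = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([a-z0-9_]+)=(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def as_bool(value):
    v = value.upper()
    return True if v in TRUE else False if v in FALSE else None

def audit(text):
    opts, findings = parse(text), []
    for key, default, risky, why in RULES:
        value = opts.get(key, default)
        flag = as_bool(value)
        if flag is None:
            findings.append(f"{key}: {value!r} is not a valid boolean (no trailing comments)")
        elif flag == risky:
            findings.append(f"{key}={value}: {why}")
    if as_bool(opts.get("chroot_local_user", "NO")) and as_bool(opts.get("allow_writeable_chroot", "NO")):
        findings.append("allow_writeable_chroot=YES: chroot directory is writable by the user")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per flagged setting, including the missing `anonymous_enable`, whose default is YES.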