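# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Format notes for this file: vsftpd accepts only "option=value" with no
# whitespace around the "=", and only whole-line comments starting with "#".
# Any other line (stray characters, a note appended after a value) is a fatal
# parse error at startup, so keep notes on their own "#" lines.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
# 990 is the conventional implicit-FTPS port; it goes with implicit_ssl=YES
# further down.
listen_port=990
# Address advertised to clients in PASV replies. Replace the placeholder with
# the server's public IP (needed when the server sits behind NAT). vsftpd
# expects a literal IP here unless pasv_addr_resolve=YES is also set.
pasv_address=PUBLIC_IP_PLACEHOLDER
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
#
# PAM service name used for local logins (the /etc/pam.d/vsftpd stack).
pam_service_name=vsftpd
#
# The user list is disabled, so userlist_file and userlist_deny below have no
# effect. If userlist_enable is switched to YES, userlist_deny=NO turns the
# file into an allow-list: only users named in it may log in.
userlist_enable=NO
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
#
# Only honoured if this vsftpd build has tcp_wrappers support
# (hosts.allow / hosts.deny).
tcp_wrappers=YES
#
# Lets chrooted local users keep a writable home directory; vsftpd refuses
# such logins by default (writable root inside chroot()). This is the case
# the chroot warning above describes, so keep write_enable in mind.
allow_writeable_chroot=YES
#
# TLS settings: implicit FTPS, local logins and data transfers must be
# encrypted, anonymous users get no TLS.
ssl_enable=YES
# Protocol versions. SSLv2 and SSLv3 are broken and default to NO in vsftpd
# (the original file had them enabled). TLS 1.0 and 1.1 default to YES, so
# they are disabled explicitly to leave TLS 1.2 as the only accepted version.
ssl_tlsv1_2=YES
ssl_tlsv1_1=NO
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
# Certificate and private key in one PEM file; keep it readable by root only.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Not requiring the data connection to reuse the control-channel TLS session
# keeps many clients working; requiring it is stronger but breaks them.
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
#
# Source port for active-mode (PORT) data connections. It equals
# pasv_max_port; if bind conflicts show up, move it outside the passive range.
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
# Verbose TLS diagnostics in the vsftpd log; set to NO once troubleshooting
# is finished.
debug_ssl=YES
# Workaround kept from the original file for "425 Security: Bad IP
# connecting": this disables the check that the PASV data connection comes
# from the same address as the control connection, which also removes a
# protection against data-connection hijacking. Once pasv_address is correct,
# try setting it back to NO.
pasv_promiscuous=YES
#
# Original author's note (translated): after the site's IT changed something
# and the server moved to another IP, clients could no longer connect; the
# errors were traced one by one, which is where the settings above came from.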