File server configuration at a certain big company

Posted on 2023-1-5 18:35:50
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=990
# 公网IP is a placeholder for the server's public IP address
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
allow_writeable_chroot=YES
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
debug_ssl=YES
# Resolves the vsftpd connection error: 425 Security: Bad IP connecting
pasv_promiscuous=YES

No idea what their IT changed; after switching to a different IP it simply would not connect. Damn. I went through the errors one by one until they were all dealt with.
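
Added example, not part of the original post: a small Python audit of the active directives in a vsftpd.conf like the one above, flagging the TLS and passive-mode settings that weaken it and any boolean that carries extra text after its value. The rule list, function name and sample text are assumptions made for illustration; the reasons paraphrase vsftpd.conf(5).

```python
import re

# Illustrative, non-exhaustive rules: (option, risky value) -> reason.
RISKY = {
    ("anonymous_enable", "YES"): "anonymous logins are allowed",
    ("ssl_sslv2", "YES"): "SSLv2 is obsolete and broken",
    ("ssl_sslv3", "YES"): "SSLv3 is obsolete and broken",
    ("pasv_promiscuous", "YES"): "data connections accepted from an IP other than the control connection's",
    ("require_ssl_reuse", "NO"): "data connections need not reuse the control channel's TLS session",
    ("allow_writeable_chroot", "YES"): "users may write to the top of their chroot",
    ("debug_ssl", "YES"): "OpenSSL diagnostics are dumped to the log (troubleshooting setting)",
}
TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}
CHECKED = {opt for opt, _ in RISKY}

def audit(conf_text):
    """Return (line_no, option, message) for each risky or malformed active directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        m = re.fullmatch(r"([a-z0-9_]+)=(.*)", line)
        if not m:  # vsftpd.conf(5): no spaces between option, '=' and value
            findings.append((no, line, "not in option=value form"))
            continue
        opt, val = m.groups()
        if opt not in CHECKED:
            continue
        if val.upper() not in TRUE | FALSE:  # e.g. a note typed after YES
            findings.append((no, opt, f"not a clean boolean: {val!r}"))
            continue
        norm = "YES" if val.upper() in TRUE else "NO"
        if (opt, norm) in RISKY:
            findings.append((no, opt, RISKY[(opt, norm)]))
    return findings

# Constructed sample: TLS and passive-mode directives as in the post; the last
# line carries a trailing note to show how a non-boolean value is reported.
SAMPLE = """\
anonymous_enable=NO
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
allow_writeable_chroot=YES
debug_ssl=YES
pasv_promiscuous=YES   fixes 425 Security: Bad IP connecting
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

With `ssl_sslv2=NO` and `ssl_sslv3=NO` the first two findings disappear; `pasv_promiscuous` and `require_ssl_reuse=NO` are the settings to revisit once the client-side address problem is understood.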