File server configuration at a certain big company

Posted on 2023-1-5 18:35:50
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=990
# 公网IP ("public IP") is a placeholder for the server's public address
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
allow_writeable_chroot=YES
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
debug_ssl=YES
# Fixes the vsftpd connection error: 425 Security: Bad IP connecting
pasv_promiscuous=YES

No idea what their IT changed; after switching to a different IP it just wouldn't connect. Damn. Worked through the errors one by one.
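
A small audit of the config above, as an added example that is not part of the original post: it flags the legacy-protocol and data-channel options the post enables, and any boolean followed by extra text (vsftpd only has whole-line comments). The SAMPLE excerpt, the RISKY table and audit() are constructed for this illustration.

```python
import re

# Constructed excerpt of the security-relevant lines of the posted config,
# including the note that trailed pasv_promiscuous in the post.
SAMPLE = """\
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
debug_ssl=YES
pasv_promiscuous=YES   fixes 425 Security: Bad IP connecting
"""

# (option, value) -> reason to review, per vsftpd.conf(5) and RFC 6176/7568
RISKY = {
    ("ssl_sslv2", "YES"): "SSLv2 is prohibited by RFC 6176",
    ("ssl_sslv3", "YES"): "SSLv3 is deprecated by RFC 7568",
    ("require_ssl_reuse", "NO"): "data connections need not reuse the TLS session",
    ("pasv_promiscuous", "YES"): "PASV peer-IP check on data connections is off",
    ("debug_ssl", "YES"): "diagnostic TLS logging left enabled",
}

def audit(text):
    """Return sorted (line_no, option, message) findings for vsftpd.conf text."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or whole-line comment
        m = re.fullmatch(r"([a-z0-9_]+)=(.*)", line)
        if not m:
            findings.append((no, line.strip(), "not in option=value form"))
            continue
        opt, val = m.groups()
        head = val.split()[0].upper() if val.split() else ""
        if head in ("YES", "NO") and val != val.split()[0]:
            findings.append((no, opt, "extra text after boolean value"))
        seen[opt] = (no, head)
        if (opt, head) in RISKY:
            findings.append((no, opt, RISKY[(opt, head)]))
    wc = seen.get("allow_writeable_chroot", (0, ""))
    if wc[1] == "YES" and seen.get("chroot_local_user", (0, ""))[1] == "YES":
        findings.append((wc[0], "allow_writeable_chroot", "chroot jail root may be user-writable"))
    return sorted(findings)

if __name__ == "__main__":
    for no, opt, msg in audit(SAMPLE):
        print(f"line {no}: {opt}: {msg}")
```
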