File server configuration at a certain big company

Posted on 2023-1-5 18:35:50
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=990
# (the value below, 公网IP, is a placeholder meaning "public IP")
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
allow_writeable_chroot=YES
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
debug_ssl=YES
# Fixes the vsftpd connection error "425 Security: Bad IP connecting"
pasv_promiscuous=YES

No idea what their IT changed; after switching to a different IP it just wouldn't connect. Damn. I went through the errors one by one until they were all sorted out.
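
A configuration like the one above can be checked for its security-relevant settings before deployment. The script below is an added example, not part of the original post or of vsftpd: the rule set is this example's own selection based on vsftpd.conf(5), and the sample input is constructed from options in the posted file, with a note typed on the same line as a YES/NO value, a form vsftpd does not accept.

```python
import re
# Constructed input: options taken from the posted config, with a note typed after one value.
SAMPLE = """\
anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
pasv_promiscuous=YES   note typed after the value
"""

TRUE = {"YES", "TRUE", "1"}
# option -> (vsftpd default, setting that counts as a finding, reason)
RISKY = {
    "anonymous_enable": ("YES", True, "anonymous logins are allowed"),
    "ssl_sslv2": ("NO", True, "obsolete SSLv2 is permitted"),
    "ssl_sslv3": ("NO", True, "obsolete SSLv3 is permitted"),
    "require_ssl_reuse": ("YES", False, "data connections need not reuse the control TLS session"),
    "pasv_promiscuous": ("NO", True, "PASV check that data and control share an IP is off"),
}

def parse(text):
    """Return (options, malformed option names) for vsftpd.conf text."""
    opts, malformed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # comments are whole lines starting with '#'
        key, sep, value = line.partition("=")
        # vsftpd.conf(5): no space around '=', and nothing may follow a YES/NO value
        if not sep or key != key.strip() or re.match(r"(?i)(YES|NO|TRUE|FALSE)\s", value):
            malformed.append(key.strip())
        opts[key.strip()] = (value.split() or [""])[0].upper()
    return opts, malformed

def audit(text):
    """Return sorted (option, finding) pairs; the rule set is this example's own."""
    opts, malformed = parse(text)
    out = [(k, "malformed line: vsftpd has no inline comments") for k in malformed]
    for key, (default, bad, why) in RISKY.items():
        if (opts.get(key, default) in TRUE) == bad:
            out.append((key, why))
    if opts.get("chroot_local_user") in TRUE and opts.get("allow_writeable_chroot") in TRUE:
        out.append(("allow_writeable_chroot", "users are jailed in a directory they may write to"))
    return sorted(out)

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```

Options that are absent from the file are judged by their vsftpd defaults, which is why a file that omits anonymous_enable is still reported.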