vsftpd-1.1.3配制实例之一:INTERNET_SITE
this example shows how you might set up a (possibly large) internet facing ftp site.
the emphasis will be on security and performance.
we will see how by integrating vsftpd with xinetd, we get a powerful
combination.
step 1) set up your xinetd configuration file.
an example xinetd configuration file 'vsftpd.xinetd' is supplied.
to install it:
cp vsftpd.xinetd /etc/xinetd.d/vsftpd
let’s look at the important content in this file and see what it does:
disable = no
socket_type = stream
wait = no
this says that the service is active, and it is using standard tcp sockets.
user = root
server = /usr/local/sbin/vsftpd
the server program /usr/local/sbin/vsftpd is used to handle incoming ftp
requests, and the program is started as root (vsftpd will of course quickly
drop as much privilege as possible). note! make sure that you have the vsftpd
binary installed in /usr/local/sbin (or change the file path in the xinetd
file).
per_source = 5
instances = 200
for security, the maximum allowed connections from a single ip address is 5.
the total maximum concurrent connections is 200.
no_access = 192.168.1.3
as an example of how to ban certain sites from connecting, 192.168.1.3 will
be denied access.
banner_fail = /etc/vsftpd.busy_banner
this is the file to display to users if the connection is refused for whatever
reason (too many users, ip banned).
example of how to populate it:
echo '421 server busy, please try later.' > /etc/vsftpd.busy_banner
log_on_success += pid host duration
log_on_failure += host
this will log the ip address of all connection attempts - successful or not,
along with the time. if an ftp server is launched for the connection, it’s
process id and usage duration will be logged too. if you are using redhat
like me, this log information will appear in /var/log/secure.
step 2) set up your vsftpd configuration file.
an example file is supplied. install it like this:
cp vsftpd.conf /etc
let’s example the contents of the file:
# access rights
anonymous_enable=yes
local_enable=no
write_enable=no
anon_upload_enable=no
anon_mkdir_write_enable=no
anon_other_write_enable=no
this makes sure the ftp server is in anonymous-only mode and that all write