ProFTPD installation and configuration example:
To keep the FTP server secure, the requirements are as follows:

1. The system must be Linux or UNIX.

2. FTP accounts are virtual users, not system users.

3. Upload and download speed can be limited.

4. Multi-threaded downloads (for example with the Thunder/Xunlei download manager) can be limited.

5. The size of a user's directory, the size of uploaded files, and so on can be limited.

Now we install and configure proftpd.

# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2.tar.gz

# tar zxvf proftpd-1.3.2.tar.gz

# cd proftpd-1.3.2

# ./configure --prefix=/usr/local/proftpd --with-modules=mod_quotatab:mod_quotatab_file

# make

# make install

# cp contrib/ftpasswd /usr/local/proftpd/bin/

# cp contrib/ftpquota /usr/local/proftpd/bin/

# vi /usr/local/proftpd/etc/proftpd.conf

ServerName "Idcspy.com Ftp System"
ServerType standalone
DefaultServer on
Port 21

# Don't use IPv6 support by default.
UseIPv6 off
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Limit the number of connections
MaxClients 10 "最大允许10个用户同时访问"

# Each account may connect from at most 1 source IP; quite useful for protecting FTP accounts.
MaxHostsPerUser 1

# Each account may log in at most once per client, which prevents multi-threaded download
# tools from hammering the server (with Thunder/Xunlei the thread count is forced to 1).
MaxClientsPerUser 1

# At most 1 account may be logged in from the same client host.
MaxClientsPerHost 1

# Do not reveal server information such as the proftpd version
ServerIdent off

# Disable reverse DNS lookups
UseReverseDNS off

User nobody
Group nobody

# Every FTP user is "jailed" (chrooted) into their home directory:
# users are locked inside their own directory and cannot reach the root directory.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Permit FXP (server-to-server transfers)
AllowForeignAddress on

# Passive-mode data port range
PassivePorts 49152 65534

# Allow resuming downloads (on by default)
AllowRetrieveRestart on

# Allow resuming uploads
AllowStoreRestart on

# Do not require a valid shell, so that nologin users and virtual users can log in
RequireValidShell off

AuthOrder mod_auth_file.c mod_auth_unix.c
AuthUserFile /usr/local/proftpd/etc/passwd

# Limit user tom's upload rate to 150 Kbytes/s and download rate to 100 Kbytes/s
TransferRate STOR 150 user tom
TransferRate RETR 100 user tom

# Using a file-based limit table
QuotaLimitTable file:/usr/local/proftpd/etc/ftpquota.limittab
# Using a file-based tally table
QuotaTallyTable file:/usr/local/proftpd/etc/ftpquota.tallytab
QuotaDirectoryTally on
# Display quotas in MB
QuotaDisplayUnits Mb
QuotaEngine on
QuotaLog /usr/local/proftpd/etc/Quota.log
QuotaShowQuotas on
QuotaOptions ScanOnLogin

# SITE CHMOD is permitted here (the stock proftpd.conf bars it with DenyAll)
<Limit SITE_CHMOD>
  AllowAll
</Limit>

<Directory /opt/tom/>
  <Limit WRITE>
    AllowUser tom
    DenyAll
  </Limit>
</Directory>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
#<Anonymous ~ftp>
#  User ftp
#  Group ftp
#
#  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias anonymous ftp
#
#  # Limit the maximum number of anonymous logins
#  MaxClients 10
#
#  # We want 'welcome.msg' displayed at login, and '.message' displayed
#  # in each newly chdired directory.
#  DisplayLogin welcome.msg
#  DisplayChdir .message
#
#  # Limit WRITE everywhere in the anonymous chroot
#  <Limit WRITE>
#    DenyAll
#  </Limit>
#</Anonymous>

# Create the virtual user
# /usr/local/proftpd/bin/ftpasswd --passwd --name=tom --uid=99 --gid=99 --home=/opt/tom/ --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
...
Password: <new password>
Re-type password: <new password>

This generates /usr/local/proftpd/etc/passwd automatically.

# chmod -R 777 /opt/tom

Note that because the virtual user does not exist among the local system users, every directory the virtual user can access must be set writable by others; only then can the virtual user add and delete files normally. (The ftpasswd entry above gives tom uid 99 and gid 99, so a less permissive option is to chown the directory to 99:99 and grant write access to that owner only.)

# cd /usr/local/proftpd/bin/

# ftpquota --create --type=tally --table-path=/usr/local/proftpd/etc/ftpquota.tallytab

# ftpquota --create --type=limit --table-path=/usr/local/proftpd/etc/ftpquota.limittab

# ftpquota --type=limit --table-path=/usr/local/proftpd/etc/ftpquota.limittab --add-record --quota-type=user --name=tom --units=Mb --bytes-upload=50 --bytes-xfer=1

# (The above limits user tom's space to 50 MB and the upload file size to 1 MB.)

For detailed ftpquota usage, see ftpquota --help.

Once all of this is configured, start proftpd. When you then log in over FTP, the command site quota shows the current user's quota information.

(Screenshots of the site quota output followed here.)

Common global settings:

# Confine each FTP user to their own directory; the parent directory cannot be viewed
DefaultRoot ~

# Allow resuming interrupted downloads
AllowRetrieveRestart on

# Allow resuming interrupted uploads
AllowStoreRestart on

# Hide the server version information
ServerIdent off

# Set a user's transfer rate (the command list is comma-separated; the rate is in Kbytes/s)
TransferRate STOR,RETR <rate in Kbytes/s> user <username>

# Each account may connect from at most 1 source IP; quite useful for protecting FTP accounts
MaxHostsPerUser 1

# Each account may log in at most once per client, which prevents multi-threaded download tools from hammering the server
MaxClientsPerUser 1

# At most 1 account may be logged in from the same client host
MaxClientsPerHost 1

# Whether to record FTP sessions in the wtmp log; set it to off if you do not want this logging
WtmpLog on

# Client idle timeout; the default is 600 seconds
TimeoutIdle 600

# File whose contents are shown as the FTP login welcome message
DisplayLogin welcome.msg

# Allow root to log in; off by default, and not recommended for security reasons
RootLogin on

iptables firewall settings:

# Note: this rule set opens only the FTP ports; nothing opens a management port such as SSH,
# so run it from the console or add that rule before switching the INPUT policy to DROP.
/etc/init.d/iptables stop
iptables -P INPUT DROP
# Open port 21 for active mode
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open ports 49152~65534 for passive mode (must match PassivePorts in proftpd.conf)
iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
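As an added example (not code from the original post or from ProFTPD), here is a small Python audit that applies the checks embodied by the proftpd.conf above and by these firewall rules: it parses top-level proftpd.conf directives, flags the settings the post relies on (ServerIdent, DefaultRoot, MaxClientsPerUser, RootLogin) plus AllowForeignAddress, which enables FXP, and confirms that the iptables --dport range covers the PassivePorts range. The sample config and rules are constructed inline and deliberately contain problems.

```python
import re
# Constructed sample input: a trimmed proftpd.conf with deliberate problems, plus
# iptables lines whose passive range is narrower than the PassivePorts directive.
SAMPLE_CONF = """\
ServerIdent off
DefaultRoot ~
AllowForeignAddress on
PassivePorts 49152 65534
RootLogin on
"""
SAMPLE_RULES = """\
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 49152:60000 -j ACCEPT
"""
def parse_conf(text):
    """Top-level directive (lower-cased) -> args; '#' starts a comment, the bodies of
    <Limit>/<Directory>/<Anonymous> blocks are skipped, the first occurrence wins."""
    found, depth = {}, 0
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0].startswith("<"):
            depth += -1 if words[0].startswith("</") else 1
        elif words and depth == 0:
            found.setdefault(words[0].lower(), words[1:])
    return found

def first(conf, key, default=""):
    return (conf.get(key) or [default])[0].lower()  # first argument, lower-cased

def firewall_ranges(rules):
    """(low, high) for each '--dport a:b' or '--dport a' found in the iptables lines."""
    return [(int(m[1]), int(m[2] or m[1])) for m in re.finditer(r"--dport\s+(\d+)(?::(\d+))?", rules)]

def audit(conf_text, rules_text):
    """Return findings as strings; an empty list means every check passed."""
    conf, issues = parse_conf(conf_text), []
    for key, want, why in (("serverident", "off", "server version banner is shown"),
                           ("defaultroot", "~", "users are not chrooted to their home"),
                           ("maxclientsperuser", "1", "no per-user session limit")):
        if first(conf, key) != want:
            issues.append(f"{key} should be {want}: {why}")
    if first(conf, "rootlogin", "off") == "on":
        issues.append("rootlogin on: root can log in over FTP")
    if first(conf, "allowforeignaddress", "off") == "on":
        issues.append("allowforeignaddress on: FXP lets data connections go to third-party hosts")
    if "passiveports" in conf:
        lo, hi = map(int, conf["passiveports"][:2])
        if not any(a <= lo and hi <= b for a, b in firewall_ranges(rules_text)):
            issues.append(f"passiveports {lo}-{hi} not fully opened in the firewall")
    return issues
```

Run audit() on the real proftpd.conf text and the iptables script; the sample above yields four findings, and an empty list means the post's hardening settings and the firewall range are all in place.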