# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
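# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# NOTE(review): 022 leaves every uploaded file world-readable. Keep the 077
# default unless other local accounts really need to read uploads.
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES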
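#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# NOTE(review): this file also sets ftp_data_port=50000 further down, so
# active-mode data connections will originate from that port rather than 20.
# Firewall rules written for source port 20 will not match.
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# NOTE(review): the xferlog format records transfers only. To also keep
# vsftpd's own log (logins and failures) for incident review, consider adding
# dual_log_enable=YES - see vsftpd.conf(5).
xferlog_std_format=YES
#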
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
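#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# NOTE(review): with these on, a binary file transferred in ASCII mode has its
# line endings rewritten and will no longer match its checksum. Leave both
# off unless a specific client depends on ASCII transfers.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails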
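#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# NOTE(review): this file sets allow_writeable_chroot=YES and write_enable=YES,
# which is exactly the writable-chroot-root case the warning above describes.
# A root-owned, non-writable home with a writable subdirectory avoids it.
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#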
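# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
# Control-connection port. 990 is the conventional port for implicit FTPS,
# matching implicit_ssl=YES further down in this file.
listen_port=990
# Address advertised to clients in PASV replies. The value below is the
# author's placeholder (it reads "public IP"); replace it with the server's
# real public address before use - vsftpd cannot use the placeholder as-is.
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO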
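# PAM service name vsftpd authenticates local users against.
pam_service_name=vsftpd
# NOTE(review): per vsftpd.conf(5), userlist_file and userlist_deny are only
# examined when userlist_enable is YES. With NO here, the allow-list that
# userlist_deny=NO implies is not enforced, and any local account that passes
# PAM can log in. Set this to YES (after populating the list) if an
# allow-list was intended.
userlist_enable=NO
# Incoming connections are additionally checked against the tcp_wrappers
# access rules; this requires a vsftpd build with tcp_wrappers support.
tcp_wrappers=YES
# NOTE(review): this turns off vsftpd's refusal to chroot a user into a
# directory that user can write to. Combined with chroot_local_user=YES and
# write_enable=YES earlier in this file, users can modify the root of their
# own jail. Prefer a non-writable chroot root with a writable subdirectory,
# and set this back to NO.
allow_writeable_chroot=YES
# List of user names; only consulted when userlist_enable=YES.
userlist_file=/etc/vsftpd/userlist
# NO means the list is an allow-list (only listed users may log in) - again,
# only when userlist_enable=YES.
userlist_deny=NO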
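# Enable TLS on the control and data connections.
ssl_enable=YES
ssl_tlsv1_2=YES
# SSLv2 and SSLv3 are obsolete, cryptographically broken protocols. They were
# enabled in the original of this file; they are disabled here so that a
# client cannot negotiate down to them.
# NOTE(review): ssl_tlsv1 (TLS 1.0) is not set in this file; check its default
# in vsftpd.conf(5) for your build and set ssl_tlsv1=NO if every client
# supports TLS 1.2.
ssl_sslv2=NO
ssl_sslv3=NO
# Certificate and private key are read from the same PEM file. Because it
# holds the private key, keep it owned by root and unreadable by anyone else.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
# Anonymous users may not use TLS (anonymous login is disabled in this file).
allow_anon_ssl=NO
# Local users must use TLS for both data transfers and login, so passwords
# and file contents are not sent in clear text.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# NOTE(review): with NO, vsftpd does not require a data connection to reuse
# the TLS session of the control connection, which removes the proof that
# both connections belong to the same client. This is often switched off for
# client compatibility; re-enable it (YES) if your clients support session
# reuse, especially since pasv_promiscuous=YES is also set in this file.
require_ssl_reuse=NO
# OpenSSL cipher string; HIGH restricts negotiation to strong cipher suites.
ssl_ciphers=HIGH
# Implicit FTPS: TLS is expected from the first byte of the connection
# (conventionally on port 990, as set by listen_port in this file).
implicit_ssl=YES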
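# Source port for PORT-style (active) data connections.
ftp_data_port=50000
# Passive mode and the port range handed out in PASV replies. Only this range
# needs to be opened or forwarded on the firewall for passive transfers.
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
# Active (PORT) mode is also allowed.
port_enable=YES
# Writes OpenSSL connection diagnostics to the vsftpd log. Useful while
# troubleshooting; turn it off afterwards.
debug_ssl=YES
# Author's note (translated; it followed the value on the same line in the
# original): resolves the vsftpd connection error
# "425 Security: Bad IP connecting".
# vsftpd has no inline-comment syntax, so trailing text after the value is
# not a comment - TODO confirm how your build handles it; the note is kept
# on its own comment lines here.
# NOTE(review): YES switches off the check that a passive data connection
# comes from the same IP address as the control connection. vsftpd.conf(5)
# says to enable it only if you know what you are doing. The 425 error
# usually means the client reaches the server from more than one source
# address (NAT pool, proxy); fixing that path and returning this to NO is the
# safer remedy. If it must stay on, keep force_local_data_ssl=YES, consider
# require_ssl_reuse=YES, and restrict the passive port range to known client
# networks at the firewall.
pasv_promiscuous=YES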
不知道他们IT修改了哪里,换个IP居然联不上,尼玛,把报错一个一个排查完。