# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_port=990
pasv_address=公网IP
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
allow_writeable_chroot=YES
userlist_file=/etc/vsftpd/userlist
userlist_deny=NO
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
implicit_ssl=YES
ftp_data_port=50000
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
port_enable=YES
debug_ssl=YES
pasv_promiscuous=YES

Fixes the vsftpd connection error 425 Security: Bad IP connecting

No idea what their IT changed; after switching to a different IP it simply would not connect. Damn. Worked through the errors one by one until they were all resolved.
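
An added example, not part of the original post: a small Python audit of the active TLS, PASV and chroot settings in the file above. SAMPLE is a constructed excerpt of the page's values, the defaults are those documented in vsftpd.conf(5), and the function names are this example's own.

```python
# Added example (not from the original post): flag weak settings in a vsftpd.conf.
# SAMPLE is a constructed excerpt of the active TLS/PASV/chroot values shown above.
SAMPLE = """\
# comment lines are skipped
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
pasv_promiscuous=YES
"""

# Compiled-in defaults from vsftpd.conf(5) for the options checked here.
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "require_ssl_reuse": "YES", "pasv_promiscuous": "NO",
            "chroot_local_user": "NO", "allow_writeable_chroot": "NO"}


def parse(text):
    """Overlay option=value lines on DEFAULTS; '#' lines and blanks are skipped."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not option=value: {line!r}")
        conf[key] = value
    return conf


def audit(conf):
    """Return (option, finding) tuples for settings that weaken the server."""
    def on(opt):
        return conf.get(opt, "NO").upper() in ("YES", "TRUE", "1")
    findings = []
    if on("ssl_enable"):
        findings += [(o, "obsolete SSL protocol version permitted")
                     for o in ("ssl_sslv2", "ssl_sslv3") if on(o)]
    if on("pasv_promiscuous"):
        detail = "PASV source-IP check disabled"
        if not on("require_ssl_reuse"):
            detail += ("; TLS session reuse not required either, so nothing "
                       "ties data connections to the control session")
        findings.append(("pasv_promiscuous", detail))
    if on("chroot_local_user") and on("allow_writeable_chroot"):
        findings.append(("allow_writeable_chroot",
                         "writable chroot top-level directory is permitted"))
    return findings
```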