本节主要内容:
proftpd实现虚拟用户和quota(不用数据库)和限速。
需求:
在保证FTP服务器安全的情况下,特要求如下:
安装与配置proftpd。
# vi /usr/local/proftpd/etc/proftpd.conf
ServerName "mz16.cn Ftp System"
ServerType standalone
DefaultServer on
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
#限制连接数
MaxClients 10 "最大允许10个用户同时访问"
MaxHostsPerUser 1 #每个帐户最多允许来源ip为1个, 对防止ftp帐号还是比较有用的。
MaxClientsPerUser 1 #每个帐户在每个客户端最多可以同时登陆1次,可以防止多线程软件下载对服务器的破坏。(用迅雷下载,线程只能限定为1个。)
MaxClientsPerHost 1 #同一个客户端只能最多1个帐号可以登陆
# 不显示服务器相关信息, 如proftpd版本
ServerIdent off
# 禁用反向域名解析
UseReversedNS off
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~ # 把用户锁定在自己的目录下,根目录无法访问。
# Normally, we want files to be overwriteable.
AllowOverwrite on #设置文件可以被覆盖
AllowForeignAddress on # 支持FXP
PassivePorts 49152 65534 # 支持被动模式
AllowRetrieveRestart on # 允许下载续传,默认即开启
AllowStoreRestart on # 允许上载续传
requireValidshell off # 不要求有合法shell,直接效果是允许nologin用户和虚拟用户登录
AuthOrder mod_auth_file.c mod_auth_unix.c
AuthUserFile /usr/local/proftpd/etc/passwd
TransferRate STOR 150 user tom # 限制tom用户上传的速率限制在150Kbytes/s
TransferRate RETR 100 user tom # 限制tom用户下载的速率限制在100Kbytes/s
# Using a file-based limit table
QuotaLimitTable file:/usr/local/proftpd/etc/ftpquota.limittab
# Using a file-based tally table
QuotaTallyTable file:/usr/local/proftpd/etc/ftpquota.tallytab
QuotaDirectoryTally on
QuotaDisplayUnits Mb # 显示以MB为单位
QuotaEngine on
QuotaLog /usr/local/proftpd/etc/Quota.log
QuotaShowQuotas on
#QuotaOptions ScanOnLogin # 如果去掉此选项的注释,会先扫描用户目录的大小,比如用户目录限定为50M,已经使用了18M,那么只能上传小于32M的文件,否则会失败。
#如果加上这个选项,会忽略掉用户目录大小,上传只要小于50M,都可以上传。建议注释这条选项。
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
AllowAll
</Limit>
<Directory /opt/tom/>
<Limit write>
AllowUser tom
DenyALL
</Limit>
</Directory>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
#<Anonymous ~ftp>
# User ftp
# Group ftp
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# Useralias anonymous ftp
#
# Limit the maximum number of anonymous logins
# MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>
# 创建虚拟用户
# /usr/local/proftpd/bin/ftpasswd --passwd --name=tom --uid=99 --gid=99 --home=/opt/tom/ --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
...
Password: <new password>
Re-type password: <new password>
#自动生成/usr/local/proftpd/etc/passwd
# chmod -R 777 /opt/tom
注意,因为虚拟用户并不在本地系统用户中存在,所以要设置虚拟用户可以访问的所有目录都允许其它用户写,这样才能保证虚拟用户正常增删文件。
ftpquota 具体用法参照 ftpquota --help即可。
设置完成以后,启动proftpd即可。
再ftp连接后,用命令site quota即可查看当前用户的quota信息。
附,proftpd常用全局设置:
RootLogin on #允许root用户登录,默认是不允许的,安全起见不推荐此选项。