
vsftpd-1.1.3 configuration example, part 1: INTERNET

2013-11-13 22:21:37  Source: Oracle

  This example shows how you might set up a (possibly large) internet-facing
  FTP site. The emphasis will be on security and performance. We will see how,
  by integrating vsftpd with xinetd, we get a powerful combination.
  Step 1) Set up your xinetd configuration file.

  An example xinetd configuration file, vsftpd.xinetd, is supplied.
  To install it:

      cp vsftpd.xinetd /etc/xinetd.d/vsftpd

  Let's look at the important content in this file and see what it does:
      disable = no
      socket_type = stream
      wait = no

  This says that the service is active, and that it uses standard TCP sockets.

      user = root
      server = /usr/local/sbin/vsftpd

  The server program /usr/local/sbin/vsftpd is used to handle incoming FTP
  requests, and the program is started as root (vsftpd will of course quickly
  drop as much privilege as possible). NOTE! Make sure that you have the vsftpd
  binary installed in /usr/local/sbin (or change the file path in the xinetd
  file).

      per_source =
      instances =

  For security, per_source caps the number of connections allowed from a single
  IP address, and instances caps the total number of concurrent connections.

      no_access =

  As an example of how to ban certain sites from connecting, the address listed
  in no_access will be denied access.

      banner_fail = /etc/vsftpd.busy_banner

  This is the file to display to users if the connection is refused for whatever
  reason (too many users, IP banned). Example of how to populate it:

      echo "Server busy, please try later." > /etc/vsftpd.busy_banner

      log_on_success += PID HOST DURATION
      log_on_failure += HOST

  This will log the IP address of all connection attempts, successful or not,
  along with the time. If an FTP server is launched for the connection, its
  process ID and usage duration will be logged too. If you are using RedHat
  like me, this log information will appear in /var/log/secure.
  Step 2) Set up your vsftpd configuration file.

  An example file, vsftpd.conf, is supplied. Install it like this:

      cp vsftpd.conf /etc

  Let's examine the contents of the file:
      # Access rights
      anonymous_enable=YES
      local_enable=NO
      write_enable=NO
      anon_upload_enable=NO
      anon_mkdir_write_enable=NO
      anon_other_write_enable=NO

  This makes sure the FTP server is in anonymous-only mode, and that all write
  and upload permissions are disabled. Note that most of these settings are
  the same as the default values anyway, but where security is concerned, it
  is good to be clear.

      # Security
      anon_world_readable_only=YES
      connect_from_port_20=YES
      hide_ids=YES
      pasv_min_port=
      pasv_max_port=

  These settings, in order:
  1) Make sure only world-readable files and directories are served.
  2) Originate active-mode (PORT) data connections from a secure, privileged
  port, so users on the FTP server cannot try to fake file content.
  3) Hide the FTP server user IDs and just display "ftp" in directory listings.
  This is also a performance boost.
  4) Set a port range for passive connections; this may enable easier
  firewall setup!
      # Features
      xferlog_enable=YES
      ls_recurse_enable=NO
      ascii_download_enable=NO
      async_abor_enable=YES

  In order:
  1) Enables recording of transfer stats to /var/log/vsftpd.log.
  2) Disables "ls -R", to prevent it being used as a DoS attack. Note: sites
  wanting to be copied via the "mirror" program might need to enable this.
  3) Disables downloading in ASCII mode, to prevent it being used as a DoS
  attack (ASCII downloads are CPU heavy).
  4) Enables older FTP clients to cancel in-progress transfers.

      # Performance
      one_process_model=YES
      idle_session_timeout=
      data_connection_timeout=
      accept_timeout=
      connect_timeout=
      anon_max_rate=

  In order:
  1) Activates a faster "one process per connection" model. Note! To maintain
  security, this feature is only available on systems with capabilities, e.g.
  a Linux kernel that supports them.
  2) Boots off idle users after the configured idle_session_timeout.
  3) Boots off idle downloads after the configured data_connection_timeout.
  4) Boots off hung passive connects after the configured accept_timeout.
  5) Boots off hung active connects after the configured connect_timeout.
  6) Limits a single client's download speed to the configured anon_max_rate
  (in bytes per second).
  Step 3) Restart xinetd.
  (on RedHat)

      /etc/rc.d/init.d/xinetd restart

  If you run into problems, check:
  1) Your /etc/xinetd.d directory only has one FTP service.
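  As an added example (not part of the vsftpd distribution or of this page), the following Python script parses a vsftpd.conf and reports where it departs from the anonymous-only, read-only configuration described in Step 2. The option=value file format is vsftpd's own; the BASELINE table, the passive-range sanity check and the SAMPLE config are constructed for illustration.

```python
# Added audit helper (not from the vsftpd project). Parses vsftpd's "option=value"
# format; BASELINE mirrors the hardened vsftpd.conf above, SAMPLE is constructed.
BASELINE = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
    "connect_from_port_20": "YES", "hide_ids": "YES", "ls_recurse_enable": "NO",
    "ascii_download_enable": "NO",
}

def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text: one 'option=value' per line, '#' comments; last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd_conf(text):
    """Return a list of findings; an empty list means the file matches the baseline."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, want in BASELINE.items():
        got = conf.get(key)
        if got is None:  # do not rely on defaults: "where security is concerned, be clear"
            findings.append(f"{key} not set explicitly (expected {want})")
        elif got.upper() != want:
            findings.append(f"{key}={got} (expected {want})")
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if not (lo and hi and lo.isdigit() and hi.isdigit()):
        findings.append("pasv_min_port/pasv_max_port not both set to numbers")
    elif not 1024 <= int(lo) <= int(hi) <= 65535:
        findings.append(f"passive range {lo}-{hi} is not an ascending unprivileged range")
    return findings

# Constructed sample: write_enable left on and the passive port range missing.
SAMPLE = """anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
ls_recurse_enable=NO
ascii_download_enable=NO
"""
```

  Running audit_vsftpd_conf(SAMPLE) returns two findings (write_enable=YES and the missing passive range); point it at the text of /etc/vsftpd.conf to check a live host.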
  vsftpd.conf:

      # Access rights
      anonymous_enable=YES
      local_enable=NO
      write_enable=NO
      anon_upload_enable=NO
      anon_mkdir_write_enable=NO
      anon_other_write_enable=NO
      # Security
      anon_world_readable_only=YES
      connect_from_port_20=YES
      hide_ids=YES
      pasv_min_port=
      pasv_max_port=
      # Features
      xferlog_enable=YES
      ls_recurse_enable=NO
      ascii_download_enable=NO
      async_abor_enable=YES
      # Performance
      one_process_model=YES
      idle_session_timeout=
      data_connection_timeout=
      accept_timeout=
      connect_timeout=
      anon_max_rate=

  vsftpd.xinetd:

      # vsftpd is the secure FTP server
      service ftp
      {
          disable = no
          socket_type = stream
          wait = no
          user = root
          server = /usr/local/sbin/vsftpd
          per_source =
          instances =
          no_access =
          banner_fail = /etc/vsftpd.busy_banner
          log_on_success += PID HOST DURATION
          log_on_failure += HOST
      }
  

From:http://tw.wingwit.com/Article/program/Oracle/201311/18877.html