vsftpd-1.1.3配制實例之一：INTERNET

　　This example shows how you might set up a (possibly large) internet facing
　　FTP site
　　The emphasis will be on security and performance
　　We will see how by integrating vsftpd with xinetd we get a powerful
　　combination
　　Step ) Set up your xinetd configuration file
　　An example xinetd configuration file vsftpdxinetd is supplied
　　To install it:
　　cp vsftpdxinetd /etc/xinetdd/vsftpd
　　Lets look at the important content in this file and see what it does:
　　disable = no
　　socket_type = stream
　　wait = no
　　This says that the service is active and it is using standard TCP sockets
　　user = root
　　server = /usr/local/sbin/vsftpd
　　The server program /usr/local/sbin/vsftpd is used to handle incoming FTP
　　requests and the program is started as root (vsftpd will of course quickly
　　drop as much privilege as possible) NOTE! Make sure that you have the vsftpd
　　binary installed in /usr/local/sbin (or change the file path in the xinetd
　　file)
　　per_source =
　　instances =
　　For security the maximum allowed connections from a single IP address is
　　The total maximum concurrent connections is
　　no_access =
　　As an example of how to ban certain sites from connecting will
　　be denied access
　　banner_fail = /etc/vsftpdbusy_banner
　　This is the file to display to users if the connection is refused for whatever
　　reason (too many users IP banned)
　　Example of how to populate it:
　　echo Server busy please try later > /etc/vsftpdbusy_banner
　　log_on_success += PID HOST DURATION
　　log_on_failure += HOST
　　This will log the IP address of all connection attempts successful or not
　　along with the time If an FTP server is launched for the connection its
　　process ID and usage duration will be logged too If you are using RedHat
　　like me this log information will appear in /var/log/secure
　　Step ) Set up your vsftpd configuration file
　　An example file is supplied Install it like this:
　　cp nf /etc
　　Lets example the contents of the file:
　　# Access rights
　　anonymous_enable=YES
　　local_enable=NO
　　write_enable=NO
　　anon_upload_enable=NO
　　anon_mkdir_write_enable=NO
　　anon_other_write_enable=NO
　　This makes sure the FTP server is in anonymousonly mode and that all write
　　and upload permissions are disabled Note that most of these settings are
　　the same as the default values anyway but where security is concerned it
　　is good to be clear
　　# Security
　　anon_world_readable_only=YES
　　connect_from_port_=YES
　　hide_ids=YES
　　pasv_min_port=
　　pasv_max_port=
　　These settings in order
　　 Make sure only worldreadable files and directories are served
　　 Originates FTP port connections from a secure port so users on the FTP
　　server cannot try and fake file content
　　 Hide the FTP server user IDs and just display ftp in directory listings
　　This is also a performance boost
　　 Set a port range for passive connections may enable easier
　　firewall setup!
　　# Features
　　xferlog_enable=YES
　　ls_recurse_enable=NO
　　ascii_download_enable=NO
　　async_abor_enable=YES
　　In order
　　 Enables recording of transfer stats to /var/log/vsftpdlog
　　 Disables ls R to prevent it being used as a DoS attack Note sites
　　wanting to be copied via the mirror program might need to enable this
　　 Disables downloading in ASCII mode to prevent it being used as a DoS
　　attack (ASCII downloads are CPU heavy)
　　 Enables older FTP clients to cancel inprogress transfers
　　# Performance
　　one_process_model=YES
　　idle_session_timeout=
　　data_connection_timeout=
　　accept_timeout=
　　connect_timeout=
　　anon_max_rate=
　　In order
　　 Activates a faster one process per connection model Note! To maintain
　　security this feature is only available on systems with capabilities eg
　　Linux kernel
　　 Boots off idle users after minutes
　　 Boots off idle downloads after minutes
　　 Boots off hung passive connects after minute
　　 Boots off hung active connects after minute
　　 Limits a single client to ~kbytes / sec download speed
　　Step ) Restart xinetd
　　(on RedHat)
　　/etc/rcd/initd/xinetd restart
　　If you run into problems check:
　　) Your /etc/xinetdd directory only has one FTP service
　　nf
　　# Access rights
　　anonymous_enable=YES
　　local_enable=NO
　　write_enable=NO
　　anon_upload_enable=NO
　　anon_mkdir_write_enable=NO
　　anon_other_write_enable=NO
　　# Security
　　anon_world_readable_only=YES
　　connect_from_port_=YES
　　hide_ids=YES
　　pasv_min_port=
　　pasv_max_port=
　　# Features
　　xferlog_enable=YES
　　ls_recurse_enable=NO
　　ascii_download_enable=NO
　　async_abor_enable=YES
　　# Performance
　　one_process_model=YES
　　idle_session_timeout=
　　data_connection_timeout=
　　accept_timeout=
　　connect_timeout=
　　anon_max_rate=
　　vsftpdxinetd
　　# vsftpd is the secure FTP server
　　service ftp
　　{
　　disable = no
　　socket_type = stream
　　wait = no
　　user = root
　　server = /usr/local/sbin/vsftpd
　　per_source =
　　instances =
　　no_access =
　　banner_fail = /etc/vsftpdbusy_banner
　　log_on_success += PID HOST DURATION
　　log_on_failure += HOST
　　}
　　

From:http://tw.wingwit.com/Article/program/Oracle/201311/18877.html