#author("2019-09-23T13:54:24+09:00","","")
#nofollow
#norelated
* Contents [#cb9dc28c]
#contents
Reference URL: [[How to Setup FTP Server with VSFTPD on Ubuntu 18.04>https://linuxize.com/post/how-to-setup-ftp-server-with-vsftpd-on-ubuntu-18-04/]]
* Assign a static IP address first [#h66110f6]
[[Reference URL>http://foxtailmemo.php.xdomain.jp/wiki/doc/pukiwiki-1_5_1_utf8/qzr00321.php?cmd=read&page=installing%20apache%20on%20ubuntu%20desktop%2018.04.1&word=%E5%9B%BA%E5%AE%9A%E5%8C%96#r23c4641]]
Example: 192.168.3.19
* Installing vsftpd on Ubuntu 18.04 [#k2c58bf2]
 ~$ sudo apt update
 ~$ sudo apt install vsftpd
 ~$ sudo apt install vsftpd
 パッケージリストを読み込んでいます... 完了
 依存関係ツリーを作成しています
 状態情報を読み取っています... 完了
 以下のパッケージが新たにインストールされます:
   vsftpd
 アップグレード: 0 個、新規インストール: 1 個、削除: 0 個、保留: 137 個。
 115 kB のアーカイブを取得する必要があります。
 この操作後に追加で 334 kB のディスク容量が消費されます。
 取得:1 http://jp.archive.ubuntu.com/ubuntu bionic/main amd64 vsftpd amd64 3.0.3-9build1 [115 kB]
 115 kB を 0秒 で取得しました (267 kB/s)
 パッケージを事前設定しています ...
 以前に未選択のパッケージ vsftpd を選択しています。
 (データベースを読み込んでいます ... 現在 134926 個のファイルとディレクトリがインストールされています。)
 .../vsftpd_3.0.3-9build1_amd64.deb を展開する準備をしています ...
 vsftpd (3.0.3-9build1) を展開しています...
 ureadahead (0.100.0-21) のトリガを処理しています ...
 vsftpd (3.0.3-9build1) を設定しています ...
 Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /lib/systemd/system/vsftpd.service.
 systemd (237-3ubuntu10.24) のトリガを処理しています ...
 man-db (2.8.3-2ubuntu0.1) のトリガを処理しています ...
 ureadahead (0.100.0-21) のトリガを処理しています ...
** Verify the vsftpd service by printing the service status [#ac4bf9ad]
The vsftpd service starts automatically once the installation is complete.&br;
Verify it by printing the service status:&br;
 ~$ sudo systemctl status vsftpd
 vsftpd.service - vsftpd FTP server
    Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
    Active: active (running) since Sun 2019-09-22 13:56:16 JST; 4min 32s ago
  Main PID: 3244 (vsftpd)
     Tasks: 1 (limit: 4672)
    CGroup: /system.slice/vsftpd.service
            └─3244 /usr/sbin/vsftpd /etc/vsftpd.conf
 
 9月 22 13:56:16 test-ftp-server systemd[1]: Starting vsftpd FTP server...
 9月 22 13:56:16 test-ftp-server systemd[1]: Started vsftpd FTP server.
* Configuring vsftpd [#u7f2b630]
The vsftpd server is configured by editing the /etc/vsftpd.conf file.&br;
Most of the settings are well documented inside the configuration file.&br;
&br;
In the following sections we go over the important settings needed for a secure vsftpd installation.&br;
** Back up the configuration file first [#n54572bc]
 $ sudo cp -p /etc/vsftpd.conf /etc/vsftpd.conf.original
 ~$ ls -la /etc/vsftpd.conf*
 -rw-r--r-- 1 root root 5850  2月  6  2018 /etc/vsftpd.conf
 -rw-r--r-- 1 root root 5850  2月  6  2018 /etc/vsftpd.conf.original
** Start by opening the vsftpd configuration file [#ab1ca30f]
 $ sudo gvim -f /etc/vsftpd.conf
** FTP access: allow local users only [#g1a92363]
Allow local users only.&br;
We'll allow access to the FTP server only to local users:&br;
find the anonymous_enable and local_enable directives and&br;
verify that your configuration matches the lines below:&br;
 anonymous_enable=NO
 local_enable=YES
** Enabling uploads: allow uploads and deletions [#f3da6ad7]
Uncomment the write_enable setting to allow changes to the filesystem, such as uploading and deleting files.&br;
 write_enable=YES
** Chroot Jail [#l55cd356]
To prevent FTP users from accessing any files outside their home directories, uncomment the chroot setting.&br;
 chroot_local_user=YES
By default, to prevent a security vulnerability, vsftpd will refuse to upload files when chroot is enabled and the directory the users are locked into is writable.&br;
&br;
Use one of the methods below to allow uploads while chroot is enabled.&br;
*** Method 1. Let's try this method [#k8be5a95]
The recommended way to allow uploads is to keep chroot enabled and configure the FTP directories.&br;
In this tutorial we create an ftp directory inside the user's home, which serves as the chroot, and a writable uploads directory inside it for uploading files.&br;
Append the following to the end of the file.&br;
 user_sub_token=$USER
 local_root=/home/$USER/ftp
*** Method 2. This directive also turned out to be needed [#m491657a]
Another option is to add the following directive to the vsftpd configuration file.&br;
Use this option if you must grant your user write access to its home directory.&br;
 allow_writeable_chroot=YES
** Passive FTP Connections [#d063a861]
vsftpd can use any port for passive FTP connections.&br;
We'll specify the minimum and maximum of the port range and later open that range in our firewall.&br;
Add the following lines to the configuration file:&br;
 pasv_min_port=30000
 pasv_max_port=31000
** Limiting User Login [#w2d10ad7]
To allow only certain users to log in to the FTP server, add the following lines at the end of the file:&br;
 userlist_enable=YES
 userlist_file=/etc/vsftpd.user_list
 userlist_deny=NO
** Register users in advance: the /etc/vsftpd.user_list file [#p8506772]
When this option is enabled you need to explicitly specify&br;
which users are able to log in&br;
by adding their user names to the /etc/vsftpd.user_list file (one user per line).&br;
 $ sudo gvim -f /etc/vsftpd.user_list
Write the following single line:
 ftp_user
** Contents of the configuration file /etc/vsftpd.conf at this point [#n3f98e60]
 # Example config file /etc/vsftpd.conf
 #
 # The default compiled in settings are fairly paranoid. This sample file
 # loosens things up a bit, to make the ftp daemon more usable.
 # Please see vsftpd.conf.5 for all compiled in defaults.
 #
 # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
 # capabilities.
 #
 #
 # Run standalone? vsftpd can run either from an inetd or as a standalone
 # daemon started from an initscript.
 listen=NO
 #
 # This directive enables listening on IPv6 sockets. By default, listening
 # on the IPv6 "any" address (::) will accept connections from both IPv6
 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
 # sockets. If you want that (perhaps because you want to listen on specific
 # addresses) then you must run two copies of vsftpd with two configuration
 # files.
 listen_ipv6=YES
 #
 # Allow anonymous FTP? (Disabled by default).
 anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
 write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
 #local_umask=022
 #
 # Uncomment this to allow the anonymous FTP user to upload files. This only
 # has an effect if the above global write enable is activated. Also, you will
 # obviously need to create a directory writable by the FTP user.
 #anon_upload_enable=YES
 #
 # Uncomment this if you want the anonymous FTP user to be able to create
 # new directories.
 #anon_mkdir_write_enable=YES
 #
 # Activate directory messages - messages given to remote users when they
 # go into a certain directory.
 dirmessage_enable=YES
 #
 # If enabled, vsftpd will display directory listings with the time
 # in your local time zone. The default is to display GMT. The
 # times returned by the MDTM FTP command are also affected by this
 # option.
 use_localtime=YES
 #
 # Activate logging of uploads/downloads.
 xferlog_enable=YES
 #
 # Make sure PORT transfer connections originate from port 20 (ftp-data).
 connect_from_port_20=YES
 #
 # If you want, you can arrange for uploaded anonymous files to be owned by
 # a different user. Note! Using "root" for uploaded files is not
 # recommended!
 #chown_uploads=YES
 #chown_username=whoever
 #
 # You may override where the log file goes if you like. The default is shown
 # below.
 #xferlog_file=/var/log/vsftpd.log
 #
 # If you want, you can have your log file in standard ftpd xferlog format.
 # Note that the default log file location is /var/log/xferlog in this case.
 #xferlog_std_format=YES
 #
 # You may change the default value for timing out an idle session.
 #idle_session_timeout=600
 #
 # You may change the default value for timing out a data connection.
 #data_connection_timeout=120
 #
 # It is recommended that you define on your system a unique user which the
 # ftp server can use as a totally isolated and unprivileged user.
 #nopriv_user=ftpsecure
 #
 # Enable this and the server will recognise asynchronous ABOR requests. Not
 # recommended for security (the code is non-trivial). Not enabling it,
 # however, may confuse older FTP clients.
 #async_abor_enable=YES
 #
 # By default the server will pretend to allow ASCII mode but in fact ignore
 # the request. Turn on the below options to have the server actually do ASCII
 # mangling on files when in ASCII mode.
 # Beware that on some FTP servers, ASCII support allows a denial of service
 # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
 # predicted this attack and has always been safe, reporting the size of the
 # raw file.
 # ASCII mangling is a horrible feature of the protocol.
 #ascii_upload_enable=YES
 #ascii_download_enable=YES
 #
 # You may fully customise the login banner string:
 #ftpd_banner=Welcome to blah FTP service.
 #
 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
 # useful for combatting certain DoS attacks.
 #deny_email_enable=YES
 # (default follows)
 #banned_email_file=/etc/vsftpd.banned_emails
 #
 # You may restrict local users to their home directories. See the FAQ for
 # the possible risks in this before using chroot_local_user or
 # chroot_list_enable below.
 chroot_local_user=YES
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
 # users to NOT chroot().
 # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
 # the user does not have write access to the top level directory within the
 # chroot)
 #chroot_local_user=YES
 #chroot_list_enable=YES
 # (default follows)
 #chroot_list_file=/etc/vsftpd.chroot_list
 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 # the presence of the "-R" option, so there is a strong case for enabling it.
 #ls_recurse_enable=YES
 #
 # Customization
 #
 # Some of vsftpd's settings don't fit the filesystem layout by
 # default.
 #
 # This option should be the name of a directory which is empty. Also, the
 # directory should not be writable by the ftp user. This directory is used
 # as a secure chroot() jail at times vsftpd does not require filesystem
 # access.
 secure_chroot_dir=/var/run/vsftpd/empty
 #
 # This string is the name of the PAM service vsftpd will use.
 pam_service_name=vsftpd
 #
 # This option specifies the location of the RSA certificate to use for SSL
 # encrypted connections.
 rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 ssl_enable=NO
 #
 # Uncomment this to indicate that vsftpd use a utf8 filesystem.
 #utf8_filesystem=YES
 # keep chroot enabled, and configure FTP directories.
 # In this case, we will create an ftp directory inside the user home
 # which will serve as the chroot and a writable uploads directory
 # for uploading files.
 user_sub_token=$USER
 local_root=/home/$USER/ftp
 allow_writeable_chroot=YES
 # vsftpd can use any port for passive FTP connections.
 # We’ll specify the minimum and maximum range of ports
 # and later open the range in our firewall.
 pasv_min_port=30000
 pasv_max_port=31000
 # allow only certain users to log in to the FTP server
 userlist_enable=YES
 userlist_file=/etc/vsftpd.user_list
 userlist_deny=NO
*** Changes only [#abd4d3bf]
 ~$ diff -uprN /etc/vsftpd.conf.original /etc/vsftpd.conf
--- /etc/vsftpd.conf.original 2018-02-06 01:55:32.000000000 +0900
+++ /etc/vsftpd.conf 2019-09-22 16:54:58.583925247 +0900
@@ -28,7 +28,7 @@ anonymous_enable=NO
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
-#write_enable=YES
+write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
@@ -111,7 +111,7 @@ connect_from_port_20=YES
 # You may restrict local users to their home directories. See the FAQ for
 # the possible risks in this before using chroot_local_user or
 # chroot_list_enable below.
-#chroot_local_user=YES
+chroot_local_user=YES
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
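Review bot: in the @@ -153,3 +153,25 @@ hunk below, `+allow_writeable_chroot=YES` works against the rest of the same hunk: `+local_root=/home/$USER/ftp` points the chroot at a directory the page later sets to mode 550, which is exactly the non-writable root that the check described in the Chroot Jail section asks for, so the directive adds nothing there except switching that check off, and the page's own Method 2 text limits it to the case where the home directory itself must be writable. Suggest dropping the line, or, if it stays because login failed without it, fixing the ownership and mode of /home/$USER/ftp instead and adding a comment above the directive saying why it is kept.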
@@ -153,3 +153,25 @@ ssl_enable=NO
 #
 # Uncomment this to indicate that vsftpd use a utf8 filesystem.
 #utf8_filesystem=YES
+
+# keep chroot enabled, and configure FTP directories.
+# In this case, we will create an ftp directory inside the user home
+# which will serve as the chroot and a writable uploads directory
+# for uploading files.
+user_sub_token=$USER
+local_root=/home/$USER/ftp
+
+allow_writeable_chroot=YES
+
+# vsftpd can use any port for passive FTP connections.
+# We’ll specify the minimum and maximum range of ports
+# and later open the range in our firewall.
+pasv_min_port=30000
+pasv_max_port=31000
+
+
+# allow only certain users to log in to the FTP server
+userlist_enable=YES
+userlist_file=/etc/vsftpd.user_list
+userlist_deny=NO
+
* Add a new user [#a7712a20]
** Create a new user named newftpuser: [#c348c56a]
 $ sudo adduser ftp_user
 ユーザー `ftp_user' を追加しています...
 新しいグループ `ftp_user' (1001) を追加しています...
 新しいユーザー `ftp_user' (1001) をグループ `ftp_user' に追加しています...
 ホームディレクトリ `/home/ftp_user' を作成しています...
 `/etc/skel' からファイルをコピーしています...
 新しい UNIX パスワードを入力してください:     ★ type ftp_user
 新しい UNIX パスワードを再入力してください:   ★ type ftp_user
 passwd: パスワードは正しく更新されました
 ftp_user のユーザ情報を変更中
 新しい値を入力してください。標準設定値を使うならリターンを押してください
 	フルネーム []:
 	部屋番号 []:
 	職場電話番号 []:
 	自宅電話番号 []:
 	その他 []:
 以上で正しいですか? [Y/n] Y
** Add the user to the allowed FTP users list: [#o5fe460c]
 ~$ sudo bash -c "echo 'ftp_user' | sudo tee -a /etc/vsftpd.user_list"
If ftp_user was already written into /etc/vsftpd.user_list in the editor step above, this command appends a second copy of the line; skip it in that case.
** Create the FTP directory tree and set the correct permissions: [#gc932427]
 ~$ sudo mkdir -p /home/ftp_user/ftp/upload/
 ~$ sudo chmod 550 /home/ftp_user/ftp/
 ~$ sudo chmod 750 /home/ftp_user/ftp/upload/
 ~$ sudo chown -R ftp_user:ftp_user /home/ftp_user/ftp/
* Restart the vsftpd Service [#i55ac72c]
Restart the vsftpd service for the changes to take effect:&br;
 sudo systemctl restart vsftpd
** Check that it is running [#xeecec92]
 ~$ sudo systemctl status vsftpd
 ● vsftpd.service - vsftpd FTP server
    Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
    Active: active (running) since Sun 2019-09-22 15:50:56 JST; 19s ago
   Process: 5116 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
  Main PID: 5117 (vsftpd)
     Tasks: 1 (limit: 4672)
    CGroup: /system.slice/vsftpd.service
            └─5117 /usr/sbin/vsftpd /etc/vsftpd.conf
 
 9月 22 15:50:56 test-ftp-server systemd[1]: Stopping vsftpd FTP server...
 9月 22 15:50:56 test-ftp-server systemd[1]: Stopped vsftpd FTP server.
 9月 22 15:50:56 test-ftp-server systemd[1]: Starting vsftpd FTP server...
 9月 22 15:50:56 test-ftp-server systemd[1]: Started vsftpd FTP server.
* Example FTP server account [#t5f36326]
|host IP address|192.168.3.19|
|username|ftp_user|
|password|ftp_user|
* Install an FTP client on Windows [#yf2148f6]
https://forest.watch.impress.co.jp/library/software/ffftp/
FFFTP (64-bit edition) v4.2 (19/09/11)
** Start FFFTP [#gc04201c]
** Select Connect - Host Settings - New Host [#dc5c4f88]
Only the items that were changed are listed.
*** Basic tab [#e2f8895e]
|Host setting name|ftp server|
|Host name|192.168.3.19|
|User name|ftp_user|
|Password/passphrase|ftp_user|
*** Extended tab [#n34039b8]
*** Character encoding tab [#z27edd06]
*** Dial-up tab [#ld42d56b]
*** Advanced tab [#f6eaa1a0]
*** Encryption tab [#pdf5c73f]
|Allow connections without encryption|Check|
|Connect with FTPS (Explicit)|Do not check|
|Connect with FTPS (Implicit)|Do not check|
*** Special functions tab [#lf532756]
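As an added check for the Configuring vsftpd section and the "Create the FTP directory tree" step above (example code written for this page, not part of the original page or of the linuxize tutorial), the POSIX sh script below audits a vsftpd.conf against the directives this page sets and verifies the 550/750 layout of the chroot tree. The function names, the constructed sample config and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf against the
# directives this page sets and check the chroot directory layout it creates.
# Assumes ls -ld prints mode bits as "drwxr-x---" (GNU or BSD ls).
# Value of the last uncommented "KEY=value" line in config file $1 (empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}
# Directives and values from the page: local users only, Method 1 chroot,
# explicit user list, fixed passive port range.
EXPECTED='anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES
userlist_enable=YES userlist_file=/etc/vsftpd.user_list userlist_deny=NO
pasv_min_port=30000 pasv_max_port=31000'
# Print one line per deviation in config file $1; return the number of findings.
audit_vsftpd_conf() {
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}; have=$(conf_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FINDING: $key=${have:-<unset>} (expected $want)"
            bad=$((bad + 1))
        fi
    done
    # Method 2 on the page: this directive turns off vsftpd's writable-root check.
    if [ "$(conf_get "$1" allow_writeable_chroot)" = "YES" ]; then
        echo "WARNING: allow_writeable_chroot=YES weakens the chroot jail"
        bad=$((bad + 1))
    fi
    return "$bad"
}
# Succeed only if chroot root $1 is writable by nobody (chmod 550) and upload
# directory $2 is writable by its owner (chmod 750), as the page sets them.
audit_chroot_tree() {
    root_w=$(ls -ld "$1" | cut -c3,6,9)   # owner, group, other write bits
    upload_w=$(ls -ld "$2" | cut -c3)
    [ "$root_w" = "---" ] && [ "$upload_w" = "w" ]
}

# Demo on a constructed sample, not a real /etc/vsftpd.conf: chroot_local_user
# still commented out, pasv_max_port missing, Method 2 enabled (3 findings).
demo=$(mktemp -d)
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
    '#chroot_local_user=YES' 'userlist_enable=YES' 'userlist_deny=NO' \
    'userlist_file=/etc/vsftpd.user_list' 'pasv_min_port=30000' \
    'allow_writeable_chroot=YES' > "$demo/vsftpd.conf"
mkdir -p "$demo/ftp/upload" && chmod 750 "$demo/ftp/upload" && chmod 550 "$demo/ftp"
audit_vsftpd_conf "$demo/vsftpd.conf" || echo "findings: $?"
audit_chroot_tree "$demo/ftp" "$demo/ftp/upload" && echo "chroot tree OK"
chmod -R u+w "$demo" && rm -rf "$demo"
```

Run it as `audit_vsftpd_conf /etc/vsftpd.conf` and `audit_chroot_tree /home/ftp_user/ftp /home/ftp_user/ftp/upload` on the server itself to compare the live system with the page's settings.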