
A Complete Pure-FTPd Configuration

This document describes installing a Pure-FTPd server on CentOS 6.2, including MySQL-backed virtual users, disk quotas, bandwidth management, TLS-encrypted sessions and integrated virus scanning of uploads.

Before starting, it is assumed that you already have a basic CentOS 6.2 installation with working networking, and that the MySQL database is installed and configured. If not, the steps are briefly described below.

Installing the MySQL database server

yum install mysql mysql-server

Make MySQL start with the system, then start it.

chkconfig --levels 235 mysqld on
service mysqld start

Configuring MySQL

mysql_secure_installation

Installing Pure-FTPd with MySQL support

yum install pure-ftpd

Next we create an FTP group (ftpgroup) and user (ftpuser) that all virtual users are mapped to. Replace the group ID and user ID 2001 with IDs that are free on your system.

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser

Creating the MySQL database used by Pure-FTPd

Now we create a database named pureftpd and a MySQL user that the pureftpd daemon uses to connect to that database.

mysql -u root -p

You can change ftpdpass; it is the password of the MySQL user.

mysql> CREATE DATABASE pureftpd;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
mysql> FLUSH PRIVILEGES;
mysql> USE pureftpd;
mysql> CREATE TABLE ftpd (
    User varchar(16) NOT NULL default '',
    status enum('0','1') NOT NULL default '0',
    Password varchar(64) NOT NULL default '',
    Uid varchar(11) NOT NULL default '-1',
    Gid varchar(11) NOT NULL default '-1',
    Dir varchar(128) NOT NULL default '',
    ULBandwidth smallint(5) NOT NULL default '0',
    DLBandwidth smallint(5) NOT NULL default '0',
    comment tinytext NOT NULL,
    ipaccess varchar(15) NOT NULL default '*',
    QuotaSize smallint(5) NOT NULL default '0',
    QuotaFiles int(11) NOT NULL default 0,
    PRIMARY KEY (User),
    UNIQUE KEY User (User)
) ENGINE=MyISAM;
mysql> quit;

Configuring Pure-FTPd

vi /etc/pure-ftpd/pure-ftpd.conf

Change the following configuration settings

[...]
ChrootEveryone yes
MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
CreateHomeDir yes
[...]

The ChrootEveryone setting makes Pure-FTPd lock every virtual user into their own home directory, so a virtual user cannot browse directories or files outside it. CreateHomeDir makes Pure-FTPd create a virtual user's home directory when it does not exist yet.

Now edit /etc/pure-ftpd/pureftpd-mysql.conf

cp /etc/pure-ftpd/pureftpd-mysql.conf /etc/pure-ftpd/pureftpd-mysql.conf_orig
cat /dev/null > /etc/pure-ftpd/pureftpd-mysql.conf
vi /etc/pure-ftpd/pureftpd-mysql.conf

Add the following content:

MYSQLSocket      /var/lib/mysql/mysql.sock
#MYSQLServer     localhost
#MYSQLPort       3306
MYSQLUser       pureftpd
MYSQLPassword   ftpdpass
MYSQLDatabase   pureftpd
#MYSQLCrypt md5, cleartext, crypt() or password() - md5 is VERY RECOMMENDABLE upon cleartext
MYSQLCrypt      md5
MYSQLGetPW      SELECT Password FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetUID     SELECT Uid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetGID     SELECT Gid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetDir     SELECT Dir FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTASZ   SELECT QuotaSize FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTAFS   SELECT QuotaFiles FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")

Now we create the startup links and start pureftpd

chkconfig --levels 235 pure-ftpd on
service pure-ftpd start

Testing Pure-FTPd

Now we create a user and connect to the server with an FTP client to try it out.

USE pureftpd;
INSERT INTO `ftpd` (`User`, `status`, `Password`, `Uid`, `Gid`, `Dir`, `ULBandwidth`, `DLBandwidth`, `comment`, `ipaccess`, `QuotaSize`, `QuotaFiles`)
VALUES ('exampleuser', '1', MD5('secret'), '2001', '2001', '/home/www.example.com', '100', '100', '', '*', '50', '0');
quit;

Now connect with a client and see what happens. Did it connect?
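As an added example that is not part of the original article, the following Python models how Pure-FTPd resolves a virtual user with the queries from pureftpd-mysql.conf above: \L becomes the login and \R the client's IP address, status must be '1', ipaccess must be '*' or match, and the stored value is compared with the unsalted MD5 of the password that MYSQLCrypt md5 and the MD5('secret') in the INSERT produce. The table is an in-memory sqlite stand-in for pureftpd.ftpd, the accounts other than exampleuser are constructed, and bound parameters replace the MySQL double-quoted literals.

```python
import hashlib
import sqlite3

# Constructed sqlite stand-in for the pureftpd.ftpd table described in the text
SCHEMA = """CREATE TABLE ftpd (
    User TEXT PRIMARY KEY, status TEXT NOT NULL DEFAULT '0',
    Password TEXT NOT NULL, Uid TEXT, Gid TEXT, Dir TEXT,
    ipaccess TEXT NOT NULL DEFAULT '*')"""

# Same WHERE clause as MYSQLGetPW/GetUID/GetGID/GetDir: pure-ftpd substitutes the
# escaped login for \L and the peer IP for \R; here both are bound parameters.
LOOKUP = """SELECT Password, Uid, Gid, Dir FROM ftpd
    WHERE User = ? AND status = '1' AND (ipaccess = '*' OR ipaccess LIKE ?)"""

def md5_hex(password):
    # MYSQLCrypt md5: hex MD5 of the password with no salt, as MySQL's MD5() stores it
    return hashlib.md5(password.encode()).hexdigest()

def build_db(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ftpd VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn

def authenticate(conn, login, password, peer_ip):
    """Return (uid, gid, home) for an accepted login, or None when pure-ftpd would reject it."""
    row = conn.execute(LOOKUP, (login, peer_ip)).fetchone()
    if row is None:  # unknown login, status '0', or peer IP not allowed by ipaccess
        return None
    stored, uid, gid, home = row
    if stored != md5_hex(password):
        return None
    return (int(uid), int(gid), home)

def shared_hashes(conn):
    """Audit: with unsalted MD5, users sharing a password share a hash; list such hashes."""
    return [h for (h,) in conn.execute(
        "SELECT Password FROM ftpd GROUP BY Password HAVING COUNT(*) > 1")]

# Constructed accounts: exampleuser mirrors the INSERT in the text, the others are
# added to show the status and ipaccess checks (203.0.113.0/24 is documentation space).
SAMPLE_ROWS = [
    ("exampleuser", "1", md5_hex("secret"), "2001", "2001", "/home/www.example.com", "*"),
    ("disabled", "0", md5_hex("secret"), "2001", "2001", "/home/disabled", "*"),
    ("officeonly", "1", md5_hex("secret"), "2001", "2001", "/home/office", "203.0.113.7"),
    # ipaccess is the LIKE operand and the peer IP the pattern, so a '%' here never matches
    ("wildcard", "1", md5_hex("secret"), "2001", "2001", "/home/wild", "203.0.113.%"),
]
```

Because the sample queries use the client address as the LIKE pattern, only '*' or an exact address in ipaccess admits a client, and shared_hashes shows why identical passwords are directly visible in a table of unsalted MD5 values.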

Installing OpenSSL (TLS sessions)

yum install openssl

Configuring Pure-FTPd

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      1
[...]

Explanation: 0 disables the SSL/TLS encryption layer (the default, no encryption); 1 makes the server accept both plain FTP sessions and encrypted FTP sessions; 2 accepts only SSL/TLS sessions.

Creating the SSL certificate used for TLS

mkdir -p /etc/ssl/private/

Create the certificate

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <-- enter the two-letter country code (e.g. "CN").
State or Province Name (full name) []: <-- enter the name of the province or state.
Locality Name (eg, city) [Default City]: <-- enter the city name.
Organization Name (eg, company) [Default Company Ltd]: <-- enter the organization name (e.g. "the stanley's private ftp").
Organizational Unit Name (eg, section) []: <-- enter the department or section (e.g. "IT department").
Common Name (eg, your name or your server's hostname) []: <-- enter your domain name (e.g. "server1.example.com").
Email Address []: <-- enter your e-mail address

Change the permissions of the SSL certificate

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart Pure-FTPd for the change to take effect

service pure-ftpd restart

Installing ClamAV (antivirus)

yum install clamav clamd

Create the system startup links and start it

chkconfig --levels 235 clamd on
/usr/bin/freshclam
/etc/init.d/clamd start

Configuring Pure-FTPd

Edit the /etc/pure-ftpd/pure-ftpd.conf file and set CallUploadScript to yes

vi /etc/pure-ftpd/pure-ftpd.conf

[...]
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.
CallUploadScript yes
[...]

Now create the script /etc/pure-ftpd/clamav_check.sh, which has clamdscan scan each uploaded file whenever an upload completes.

vi /etc/pure-ftpd/clamav_check.sh

#!/bin/sh
/usr/bin/clamdscan --remove --quiet --no-summary "$1"

Make the script executable

chmod 755 /etc/pure-ftpd/clamav_check.sh

Now start the pure-uploadscript program as a daemon; whenever a file upload completes, it calls the clamav_check.sh script to handle the file.

Add it to /etc/rc.local so that it starts automatically at boot.

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
touch /var/lock/subsys/local

Note: pure-uploadscript must be started first and the pure-ftpd daemon after it; otherwise pure-ftpd will not start.
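The clamav_check.sh above deletes whatever clamdscan flags, quietly, and treats a scanner failure the same as a clean file. As an added example that is not the article's script, here is a Python upload hook with the same calling convention (pure-uploadscript passes the uploaded file's path as the first argument) that moves infected files to a quarantine directory and logs detections and scanner failures to syslog. The quarantine path is an assumption, and clamdscan's exit codes 0/1/2 (clean/infected/error) are taken from its manual.

```python
#!/usr/bin/env python3
import os
import shutil
import subprocess
import sys
import syslog
import time

QUARANTINE = "/var/quarantine/pure-ftpd"  # assumed location, not from the article
CLAMDSCAN = ["/usr/bin/clamdscan", "--quiet", "--no-summary"]


def run_clamdscan(path):
    # clamdscan exit codes: 0 = clean, 1 = infected, 2 = scanner error
    return subprocess.call(CLAMDSCAN + [path])


def handle_upload(path, scan=run_clamdscan, quarantine=QUARANTINE, log=syslog.syslog):
    """Scan one completed upload; return 'clean', 'quarantined' or 'error'.
    Infected files are moved (not removed) so they can be inspected, and a scanner
    failure is logged instead of being treated as a clean result."""
    code = scan(path)
    if code == 0:
        return "clean"
    if code == 1:
        os.makedirs(quarantine, mode=0o700, exist_ok=True)
        name = "%d-%d-%s" % (int(time.time()), os.getpid(), os.path.basename(path))
        dest = os.path.join(quarantine, name)
        shutil.move(path, dest)
        os.chmod(dest, 0o600)  # owner-only, in case the upload was world-readable
        log("pure-ftpd upload %s infected, moved to %s" % (path, dest))
        return "quarantined"
    log("clamdscan failed on %s (exit code %d)" % (path, code))
    return "error"


if __name__ == "__main__":
    # Invoked by pure-uploadscript -r with the uploaded file as the only argument
    syslog.openlog("clamav_check")
    sys.exit(0 if handle_upload(sys.argv[1]) != "error" else 1)
```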

This article is licensed by its author under CC BY 4.0.