
Setting up network storage services on deepin

2022-02-09 11:03:35  Views: 166  Source: Internet

Tags: storage etc sudo deepin server vsftpd YES local setup


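Setting up the FTP service

Configuring and using vsftpd

Overview

vsftpd is a very secure and easy-to-use FTP server on Linux; a simple install is all it takes to get an FTP service running.
The service's main configuration file is vsftpd.conf; on deepin/UOS its absolute path is /etc/vsftpd.conf

Installation

# A simple install is all that is needed, provided developer mode is enabled so that software can be installed from the terminal

sudo apt install vsftpd

# If the package cannot be found, the package index has probably not been refreshed; run the following command

sudo apt update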

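Starting and stopping the service

# Start the service

service vsftpd start

# Stop the service

service vsftpd stop

# Restart the service

service vsftpd restart

# Check the service status

service vsftpd status

# The output looks like this: active means the service is running normally; if it failed, use the messages shown to track down the problem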

babyfengfjx@babyfengfjx:~$ service vsftpd status

● vsftpd.service - vsftpd FTP server

Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)

Active: active (running) since Sat 2021-10-09 16:22:48 CST; 1s ago

Process: 18334 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)

Main PID: 18335 (vsftpd)

Tasks: 1 (limit: 4915)

Memory: 568.0K

CGroup: /system.slice/vsftpd.service

└─18335 /usr/sbin/vsftpd /etc/vsftpd.conf

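The configuration file

Using this service is mostly a matter of getting the configuration file right. Many people find it hard to get a working configuration on the first attempt, so a configuration that actually works is given here for reference

Configuration file path: /etc/vsftpd.conf

When configuring, disable anonymous login wherever possible and log in with local users, for security.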

# Example config file /etc/vsftpd.conf

#

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

#

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's

# capabilities.

#

#

# Run standalone? vsftpd can run either from an inetd or as a standalone

# daemon started from an initscript.

listen=YES

#

# This directive enables listening on IPv6 sockets. By default, listening

# on the IPv6 "any" address (::) will accept connections from both IPv6

# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6

# sockets. If you want that (perhaps because you want to listen on specific

# addresses) then you must run two copies of vsftpd with two configuration

# files.

listen_ipv6=NO

#

# Allow anonymous FTP? (Disabled by default).

anonymous_enable=NO

#

# Uncomment this to allow local users to log in.

local_enable=YES

#

# Uncomment this to enable any form of FTP write command.

write_enable=YES

#

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

#local_umask=022

#

# Uncomment this to allow the anonymous FTP user to upload files. This only

# has an effect if the above global write enable is activated. Also, you will

# obviously need to create a directory writable by the FTP user.

#anon_upload_enable=YES

#

# Uncomment this if you want the anonymous FTP user to be able to create

# new directories.

#anon_mkdir_write_enable=YES

#

# Activate directory messages - messages given to remote users when they

# go into a certain directory.

dirmessage_enable=YES

#

# If enabled, vsftpd will display directory listings with the time

# in your local time zone. The default is to display GMT. The

# times returned by the MDTM FTP command are also affected by this

# option.

use_localtime=YES

#

# Activate logging of uploads/downloads.

xferlog_enable=YES

#

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

#

# If you want, you can arrange for uploaded anonymous files to be owned by

# a different user. Note! Using "root" for uploaded files is not

# recommended!

#chown_uploads=YES

#chown_username=whoever

#

# You may override where the log file goes if you like. The default is shown

# below.

#xferlog_file=/var/log/vsftpd.log

#

# If you want, you can have your log file in standard ftpd xferlog format.

# Note that the default log file location is /var/log/xferlog in this case.

#xferlog_std_format=YES

#

# You may change the default value for timing out an idle session.

#idle_session_timeout=600

#

# You may change the default value for timing out a data connection.

#data_connection_timeout=120

#

# It is recommended that you define on your system a unique user which the

# ftp server can use as a totally isolated and unprivileged user.

#nopriv_user=ftpsecure

#

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it,

# however, may confuse older FTP clients.

#async_abor_enable=YES

#

# By default the server will pretend to allow ASCII mode but in fact ignore

# the request. Turn on the below options to have the server actually do ASCII

# mangling on files when in ASCII mode.

# Beware that on some FTP servers, ASCII support allows a denial of service

# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd

# predicted this attack and has always been safe, reporting the size of the

# raw file.

# ASCII mangling is a horrible feature of the protocol.

#ascii_upload_enable=YES

#ascii_download_enable=YES

#

# You may fully customise the login banner string:

#ftpd_banner=Welcome to blah FTP service.

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may restrict local users to their home directories. See the FAQ for

# the possible risks in this before using chroot_local_user or

# chroot_list_enable below.

# chroot_local_user=YES

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that

# the user does not have write access to the top level directory within the

# chroot)

# chroot_local_user=YES

# chroot_list_enable=YES

# (default follows)

# chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

#

# Customization

#

# Some of vsftpd's settings don't fit the filesystem layout by

# default.

#

# This option should be the name of a directory which is empty. Also, the

# directory should not be writable by the ftp user. This directory is used

# as a secure chroot() jail at times vsftpd does not require filesystem

# access.

secure_chroot_dir=/var/run/vsftpd/empty

#

# This string is the name of the PAM service vsftpd will use.

pam_service_name=vsftpd

#

# This option specifies the location of the RSA certificate to use for SSL

# encrypted connections.

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl_enable=NO

#

# Uncomment this to indicate that vsftpd use a utf8 filesystem.

#utf8_filesystem=YES

The options actually enabled are:

With the following simple configuration, the service can be accessed by local users

listen=YES

listen_ipv6=NO

anonymous_enable=NO

local_enable=YES

write_enable=YES

dirmessage_enable=YES

use_localtime=YES

xferlog_enable=YES

connect_from_port_20=YES

secure_chroot_dir=/var/run/vsftpd/empty

pam_service_name=vsftpd

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl_enable=NO

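Problems encountered

  • A specific root directory could not be configured: whichever local account logs in lands in the root directory, a custom directory could not be set, and the setting had no effect when configured;
  • A new user configured with nologin cannot be used to access the service;
  • A newly added user must log in once before the account can be used to access FTP;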
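
An added example (not part of the original post): a shell audit of a vsftpd.conf like the one above. It checks the anonymous-login setting the post calls out plus three things a reviewer would look at next: cleartext logins (ssl_enable=NO), the snakeoil certificate, and missing chroot_local_user. The function names and finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the settings discussed in the post.
# vsftpd_opt, audit_vsftpd and the finding labels are names invented here.

# Effective value of option $2 in file $1 (this example lets the last
# uncommented assignment win), or fallback $3 when the option is not set.
vsftpd_opt() {
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        $1 == k    { v = $2; seen = 1 }
        END        { print (seen ? v : d) }' "$1"
}

# Print one finding per line; return 1 if there is at least one.
# Only the literal YES/NO spelling used in the post is recognised.
audit_vsftpd() {
    conf=$1; found=0
    # Fallbacks for the YES/NO options are the defaults in vsftpd.conf(5).
    anon=$(vsftpd_opt "$conf" anonymous_enable YES)
    loc=$(vsftpd_opt "$conf" local_enable NO)
    ssl=$(vsftpd_opt "$conf" ssl_enable NO)
    jail=$(vsftpd_opt "$conf" chroot_local_user NO)
    cert=$(vsftpd_opt "$conf" rsa_cert_file "")
    if [ "$anon" = YES ]; then
        echo "ANON_LOGIN anonymous access is enabled"; found=1
    fi
    if [ "$loc" = YES ] && [ "$ssl" != YES ]; then
        echo "CLEARTEXT_LOGIN system account passwords cross the network unencrypted"; found=1
    fi
    if [ "$loc" = YES ] && [ "$jail" != YES ]; then
        echo "NO_CHROOT local users are not confined to their home directory"; found=1
    fi
    case "$ssl:$cert" in
        YES:*snakeoil*) echo "SNAKEOIL_CERT TLS uses the distribution's self-signed snakeoil certificate"; found=1 ;;
    esac
    return "$found"
}

# Constructed sample: the security-relevant options the post enables.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
    rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem ssl_enable=NO > "$sample"
audit_vsftpd "$sample" || true
rm -f "$sample"
```

On the post's configuration this reports CLEARTEXT_LOGIN and NO_CHROOT: local account passwords travel unencrypted, and logged-in users are not confined to a directory.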

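Setting up the SFTP service

Group configuration --- server side


sudo groupadd sftp

cat /etc/group # confirm the group was created

sudo vim /etc/group # modify sftp:x:1002:

sudo useradd -g sftp -s /bin/false mysftp

sudo passwd mysftp # set a new password; it is the password used to access the server

Shared directory --- server side


sudo mkdir -p /data/sftp/mysftp

sudo usermod -d /data/sftp/mysftp mysftp

Configuration file changes --- server side


sudo vim /etc/ssh/sshd_config

Subsystem sftp /usr/libexec/openssh/sftp-server # this is the original line; comment it out by hand

Then append the following lines to the end of the file and save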

Subsystem sftp internal-sftp

Match Group sftp

ChrootDirectory /data/sftp/%u

ForceCommand internal-sftp

AllowTcpForwarding no

X11Forwarding no

Directory permissions and creation --- server side


sudo chown root:sftp /data/sftp/mysftp

sudo chmod 755 /data/sftp/mysftp

sudo mkdir /data/sftp/mysftp/upload

sudo chown mysftp:sftp /data/sftp/mysftp/upload

sudo chmod 755 /data/sftp/mysftp/upload

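Restarting the service --- server side


sudo systemctl restart sshd.service # if the restart reports that the service does not exist, first enable the service as follows

systemctl enable ssh.service

# then run:

sudo systemctl restart sshd.service

Accessing the server --- client side

Open the file manager or My Computer

Enter, for example, sftp://10.20.32.** (use the actual server IP, then type in the account and password to get access)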
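
An added example (not part of the original post) showing why the chown root:sftp and chmod 755 steps above matter: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group, otherwise the login is refused. The function names, labels and the uid 1001 are assumptions of this example; chroot_chain uses GNU stat syntax.

```shell
#!/bin/sh
# Added example: check a ChrootDirectory path against sshd's ownership rule.
# chroot_chain and judge_chain are names invented for this example.

# Print "uid mode path" for absolute path $1 and each parent up to /.
chroot_chain() {
    case $1 in /*) ;; *) return 2 ;; esac
    p=$1
    while :; do
        stat -c '%u %a %n' "$p" || return 2
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
}

# Read "uid mode path" lines on stdin and report every component that is
# not root-owned or is writable by group or others; return 1 if any is.
judge_chain() {
    bad=0
    while read -r uid mode path; do
        if [ "$uid" != 0 ]; then
            echo "BAD_OWNER $path uid=$uid"; bad=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD_MODE $path mode=$mode"; bad=1
        fi
    done
    return "$bad"
}

# Constructed stat output for the post's layout after its chown/chmod steps.
printf '%s\n' '0 755 /data/sftp/mysftp' '0 755 /data/sftp' '0 755 /data' '0 755 /' |
    judge_chain && echo "chroot chain OK"

# Constructed counter-example: pointing ChrootDirectory at the user-owned
# upload directory (uid 1001 is made up) would be rejected at login.
printf '%s\n' '1001 755 /data/sftp/mysftp/upload' | judge_chain || true

# On the server itself: chroot_chain /data/sftp/mysftp | judge_chain
```

Running sudo sshd -t after editing sshd_config and before restarting catches syntax errors without taking the SSH service down.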

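Setting up the NFS service

Server side

Installing the tools


sudo apt-get install nfs-kernel-server # install the NFS server

Creating the shared folder


sudo mkdir /home/deepin-server/nfs # the path can be set as needed

sudo chmod -R 777 /home/deepin-server/nfs # set permissions on the shared directory

Editing the configuration file

sudo vim /etc/exports

  • Although the configuration is only one line, there is a good deal of subtlety in it;
  • The permissions that can be set on a share are:

  • ro  read-only access

  • rw  read-write access

  • sync  all data is written to the share when requested

  • hide  do not share subdirectories of the NFS shared directory

  • no_hide  share subdirectories of the NFS directory

  • all_squash  map the UID and GID of shared files to the anonymous user; suitable for public directories.

  • no_all_squash  preserve the UID and GID of shared files (default)

  • root_squash  map all requests from root to the same privileges as the anonymous user (default)

  • no_root_squash  root has full administrative access to the root directory

  • The client IP should generally be restricted; it is best not to use *, which is a security problem. Mounting can be limited to specific IPs or IP ranges.


sudo vim /etc/exports

# Edit the configuration file as follows: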

deepin-server@deepin-server-PC:~$ cat /etc/exports

# /etc/exports: the access control list for filesystems which may be exported

# to NFS clients. See exports(5).

#

# Example for NFSv2 and NFSv3:

# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)

# Example for NFSv4:

# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)

# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)

/home/deepin-server/nfs 10.20.*(rw) # the IP is only partially restricted here; the parentheses hold the permission options.

Starting the service


systemctl start rpcbind nfs-server

Checking the service status

The services just need to be in the running state

deepin-server@deepin-server-PC:~$ sudo systemctl status rpcbind nfs-server

● rpcbind.service - RPC bind portmap service

Loaded: loaded (/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)

Active: active (running) since Wed 2022-01-05 11:53:19 CST; 1h 56min ago

Docs: man:rpcbind(8)

Main PID: 19304 (rpcbind)

Tasks: 1 (limit: 19660)

Memory: 608.0K

CGroup: /system.slice/rpcbind.service

└─19304 /sbin/rpcbind -f -w

1月 05 11:53:19 deepin-server-PC systemd[1]: Starting RPC bind portmap service...

1月 05 11:53:19 deepin-server-PC systemd[1]: Started RPC bind portmap service.

● nfs-server.service - NFS server and services

Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)

Active: active (exited) since Wed 2022-01-05 11:53:21 CST; 1h 56min ago

Process: 19319 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)

Process: 19320 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)

Main PID: 19320 (code=exited, status=0/SUCCESS)

1月 05 11:53:20 deepin-server-PC systemd[1]: Starting NFS server and services...

1月 05 11:53:20 deepin-server-PC exportfs[19319]: exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "10.20.*:/home/deepin-server/Documents/NFS文件目录for-test".

1月 05 11:53:20 deepin-server-PC exportfs[19319]: Assuming default behaviour ('no_subtree_check').

1月 05 11:53:20 deepin-server-PC exportfs[19319]: NOTE: this default has changed since nfs-utils version 1.0.x

1月 05 11:53:21 deepin-server-PC systemd[1]: Started NFS server and services.

deepin-server@deepin-server-PC:~$

At this point the server side is configured.
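
An added example (not part of the original post) that checks the client specifications in an exports file, following the advice above to restrict which IPs may mount. It flags exports open to any host, no_root_squash, and IP patterns such as 10.20.*: exports(5) notes that wildcards are meant for hostnames and generally do not work on IP addresses, so a CIDR network is the dependable form. The function name, labels and the /srv/example path are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag risky client specifications in an exports file.
# audit_exports and the finding labels are names invented for this example.
# Assumes export paths without spaces or quoting.

# Print "LABEL path client" per finding; return 1 if there is at least one.
audit_exports() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ","
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = "," substr($i, p + 1, length($i) - p - 1) ","
                }
                if (client == "") client = "*"
                if (client == "*") {
                    # "*" or a bare "(opts)" after a space: any host may mount
                    print "WORLD", $1, client; bad = 1
                } else if (client ~ /^[0-9.*?]+$/ && client ~ /[*?]/) {
                    # exports(5): wildcards are for hostnames and generally
                    # do not work on IP addresses; use CIDR such as 10.20.0.0/16
                    print "IP_WILDCARD", $1, client; bad = 1
                }
                if (index(opts, ",no_root_squash,") > 0) {
                    # remote root keeps uid 0 on the exported files
                    print "NO_ROOT_SQUASH", $1, client; bad = 1
                }
            }
        }
        END { exit bad + 0 }' "$1"
}

# Constructed sample: the post's export line next to a CIDR-restricted one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home/deepin-server/nfs 10.20.*(rw)#partially restricted
/srv/example 10.20.13.0/24(rw,sync,no_subtree_check,root_squash)
EOF
audit_exports "$sample" || true
rm -f "$sample"
```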

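Client configuration

The client side is mostly a matter of mounting, but mounting NFS also requires client software to be installed

Installing the client


sudo apt-get install nfs-common

Viewing the server's NFS share information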

showmount -e 10.20.13.152

babyfengfjx@babyfengfjx:~$ showmount -e 10.20.13.152

Export list for 10.20.13.152:

/home/deepin-server/Documents/NFS文件目录for-test 10.20.*

babyfengfjx@babyfengfjx:~$

Creating the mount directory on the client

Create any directory on the local client to serve as the NFS mount point


sudo mkdir /home/babyfengfjx/Documents/nfsfile/

Mounting on the client

Mount the server's NFS shared directory onto the corresponding directory on the local client


sudo mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/

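Viewing and transferring files

Once the steps above are done, NFS storage can be used from the corresponding directory on the client; files can be uploaded and created freely.

Mounting automatically at boot

  • Writing to fstab is not recommended: if the NFS mount fails, it may prevent the machine from booting normally

Automatic mount at boot via fstab


echo "10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/ nfs4 defaults 0 0" | sudo tee -a /etc/fstab

sudo mount -av

Using a script that runs at boot

How it works:

Create the file /etc/rc.local
  • This method works because the system automatically starts the rc-local service after boot;
  • Once the rc-local service has started, it automatically runs the rc.local script in /etc;
  • The advantage of this method is that it has none of the three drawbacks of the first method: a failing script does not cause a black-screen popup, sleep does not cause a black screen at boot, and the script is run as the root user
Main steps:
1. Create the file /etc/rc.local
2. Paste in the following template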

#!/bin/sh -e

# rc.local

# This script is executed at the end of each multiuser runlevel.

# Make sure that the script will "exit 0" on success or any other

# value on error.

# In order to enable or disable this script just change the execution

# bits.

# By default this script does nothing.

# The line below is what I configured to start a Python script automatically at boot

nohup python3 /home/babyfengfjx/Documents/typora_documents/TestScripts/01.LitterScript/02.bbsmonitor/bbsmonitor.py >bbs.log 2>&1 &

# This command is already run with root privileges, so sudo is not needed

sleep 5;mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/

exit 0

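3. Insert the commands you want to start at boot above exit 0 (one per line) and save the file
4. Give the script 755 permissions
sudo chmod 755 /etc/rc.local
5. Debug the script (optional)
sudo /etc/rc.local # use sudo to simulate root running /etc/rc.local at boot
If the simulated run in step 5 reports no errors, reboot the computer to see whether the script starts at boot. After rebooting into the system, check the state of rc-local with systemctl status rc-local.service: if it shows active (exited), the script ran successfully; if it shows failed, check the script for problems.
Possible reasons the script fails to start:
1. The script is run as a different user
Because rc.local is run as root at boot, many people overlook the fact that in many cases the command has to be run by a regular user, for example conky and virtual machines (VBox and VMware virtual machines created by user A cannot be accessed by user B).
Suppose user lolimay started a virtual machine named aikuai in the background from a terminal with VBoxHeadless -s aikuai &; in rc.local it should then be written like this:
su - lolimay -c "VBoxHeadless -s aikuai &" # run the command as user lolimay
2. A redundant sudo
As mentioned above, rc.local is started as root at boot, so commands written in rc.local do not need a sudo prefix (in fact, adding a sudo prefix does not cause an error either).
Best practice
I suggest that whenever you add a command to rc.local, you first simulate it with sudo /etc/rc.local to see whether it runs successfully (if it fails, the cause of the error is shown directly); this effectively reduces the number of reboots needed for debugging.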

Source: https://blog.csdn.net/babyfengfjx/article/details/122837362
