This document describes installing a Pure-FTPd server on CentOS 6.2, including virtual users stored in MySQL, disk quotas, bandwidth management, TLS-encrypted sessions and integrated virus scanning of uploads.
Before starting, it is assumed that you already have a basic CentOS 6.2 installation with working networking, and that MySQL is installed and configured. If not, the steps are briefly covered below.
Installing the MySQL database server
yum install mysql mysql-server
Make MySQL start at boot, then start it.
chkconfig --levels 235 mysqld on
service mysqld start
Configuring MySQL
mysql_secure_installation
Installing Pure-FTPd with MySQL support
yum install pure-ftpd
Next we create the FTP group (ftpgroup) and user (ftpuser) that all virtual users will be mapped to. Replace the group id and user id 2001 with ids that are free on your system.
groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser
Creating the MySQL database used by Pure-FTPd
Now we create a database named pureftpd and a MySQL user, also named pureftpd, which the pureftpd daemon uses to connect to that database.
mysql -u root -p
You can change ftpdpass; it is the password of the MySQL user.
mysql> CREATE DATABASE pureftpd;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
mysql> FLUSH PRIVILEGES;
mysql> USE pureftpd;
mysql> CREATE TABLE ftpd (
User varchar(16) NOT NULL default '',
status enum('0','1') NOT NULL default '0',
Password varchar(64) NOT NULL default '',
Uid varchar(11) NOT NULL default '-1',
Gid varchar(11) NOT NULL default '-1',
Dir varchar(128) NOT NULL default '',
ULBandwidth smallint(5) NOT NULL default '0',
DLBandwidth smallint(5) NOT NULL default '0',
comment tinytext NOT NULL,
ipaccess varchar(15) NOT NULL default '*',
QuotaSize smallint(5) NOT NULL default '0',
QuotaFiles int(11) NOT NULL default 0,
PRIMARY KEY (User),
UNIQUE KEY User (User) ) ENGINE=MyISAM;
mysql> quit;
Configuring Pure-FTPd
vi /etc/pure-ftpd/pure-ftpd.conf
Change the following settings
[...]
ChrootEveryone yes
MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
CreateHomeDir yes
[...]
The ChrootEveryone setting makes Pure-FTPd lock every virtual user into their own home directory, so a virtual user cannot browse directories or files outside it. CreateHomeDir makes Pure-FTPd create a virtual user's home directory when it does not exist yet.
Now edit /etc/pure-ftpd/pureftpd-mysql.conf
cp /etc/pure-ftpd/pureftpd-mysql.conf /etc/pure-ftpd/pureftpd-mysql.conf_orig
cat /dev/null > /etc/pure-ftpd/pureftpd-mysql.conf
vi /etc/pure-ftpd/pureftpd-mysql.conf
Add the following content:
MYSQLSocket /var/lib/mysql/mysql.sock
#MYSQLServer localhost
#MYSQLPort 3306
MYSQLUser pureftpd
MYSQLPassword ftpdpass
MYSQLDatabase pureftpd
#MYSQLCrypt md5, cleartext, crypt() or password() - md5 is strongly recommended over cleartext
MYSQLCrypt md5
MYSQLGetPW SELECT Password FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetUID SELECT Uid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetGID SELECT Gid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetDir SELECT Dir FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTASZ SELECT QuotaSize FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTAFS SELECT QuotaFiles FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
Now we create the startup links and start pure-ftpd
chkconfig --levels 235 pure-ftpd on
service pure-ftpd start
Testing Pure-FTPd
Now we create a user in the MySQL shell and try connecting to the server with an FTP client.
USE pureftpd;
INSERT INTO `ftpd` (`User`, `status`, `Password`, `Uid`, `Gid`, `Dir`, `ULBandwidth`, `DLBandwidth`, `comment`, `ipaccess`, `QuotaSize`, `QuotaFiles`) VALUES ('exampleuser', '1', MD5('secret'), '2001', '2001', '/home/www.example.com', '100', '100', '', '*', '50', '0');
quit;
Now connect with an FTP client and see what happens. Did it connect?
Installing OpenSSL (for TLS sessions)
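The INSERT above creates one virtual user by hand. As an added example (not part of the original tutorial), the following shell function generates the same INSERT for any user while enforcing the table's constraints: a login of at most 16 safe characters (User is varchar(16) and is substituted into the MySQLGetPW query), a home directory under a fixed base path, integer quota and bandwidth, and SQL-safe quoting of the values. It assumes the uid/gid 2001 created above and a base path of /home/ftp (both placeholders; adjust them).

```shell
#!/bin/sh
# Added example, not from the original page: print the INSERT for a new
# Pure-FTPd virtual user in the ftpd table. Pipe the output into
#   mysql -u root -p pureftpd
# Usage: gen_ftp_user_sql LOGIN PASSWORD DIR [QUOTA_MB] [KBPS]
FTP_UID=2001                        # ftpuser, created above
FTP_GID=2001                        # ftpgroup, created above
FTP_BASE="${FTP_BASE:-/home/ftp}"   # assumed base for all chroots

# Escape a value for use inside a '...' MySQL string literal:
# double the backslashes first, then double the single quotes.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

gen_ftp_user_sql() {
    login="$1"; password="$2"; dir="$3"; quota="${4:-0}"; kbps="${5:-0}"
    # Login: conservative character set and the varchar(16) column width.
    case "$login" in
        ''|*[!A-Za-z0-9._-]*) echo "bad login: '$login'" >&2; return 1 ;;
    esac
    if [ "${#login}" -gt 16 ]; then
        echo "login longer than 16 characters: $login" >&2; return 1
    fi
    # Keep every chroot below the base path (ChrootEveryone locks users there).
    case "$dir" in
        "$FTP_BASE"/*) ;;
        *) echo "dir must be under $FTP_BASE: $dir" >&2; return 1 ;;
    esac
    # QuotaSize (MB) and bandwidth (KB/s) are numeric columns.
    case "$quota$kbps" in
        *[!0-9]*) echo "quota and bandwidth must be integers" >&2; return 1 ;;
    esac
    # MD5() matches "MYSQLCrypt md5" in pureftpd-mysql.conf above; unsalted
    # MD5 is weak, and Pure-FTPd can verify crypt(3) hashes instead when
    # MYSQLCrypt is set to crypt.
    printf "INSERT INTO ftpd (User, status, Password, Uid, Gid, Dir, ULBandwidth, DLBandwidth, comment, ipaccess, QuotaSize, QuotaFiles) VALUES ('%s', '1', MD5('%s'), '%s', '%s', '%s', '%s', '%s', '', '*', '%s', '0');\n" \
        "$(sql_escape "$login")" "$(sql_escape "$password")" "$FTP_UID" "$FTP_GID" \
        "$(sql_escape "$dir")" "$kbps" "$kbps" "$quota"
}

if [ $# -ge 3 ]; then
    gen_ftp_user_sql "$@"
fi
```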
yum install openssl
Configuring Pure-FTPd
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS 1
[...]
Explanation: 0 disables the SSL/TLS encryption layer (the default, no encryption); 1 means the server accepts both plain FTP sessions and encrypted sessions; 2 means only SSL/TLS sessions are accepted.
Creating the SSL certificate used for TLS
mkdir -p /etc/ssl/private/
Create the certificate
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [XX]: <-- enter your two-letter country code (e.g. "CN").
State or Province Name (full name) []: <-- enter your state or province.
Locality Name (eg, city) [Default City]: <-- enter your city.
Organization Name (eg, company) [Default Company Ltd]: <-- enter your organization name (e.g. "the stanley's private ftp").
Organizational Unit Name (eg, section) []: <-- enter your department or section (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- enter your domain name (e.g. "server1.example.com").
Email Address []: <-- enter your email address.
Change the permissions of the SSL certificate
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart Pure-FTPd for the change to take effect
service pure-ftpd restart
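Before restarting, it is worth checking the certificate file from the steps above. This check is an added example (not part of the original tutorial): it confirms that the PEM file holds both the private key and the certificate, which Pure-FTPd expects in one file, that it has the mode 600 set above, and that the certificate is not about to expire. It assumes GNU stat (Linux) and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the combined
# key+certificate file before restarting Pure-FTPd. Assumes GNU stat.
# Usage: check_pure_ftpd_pem /etc/ssl/private/pure-ftpd.pem

check_pure_ftpd_pem() {
    pem="$1"
    if [ ! -f "$pem" ]; then
        echo "missing file: $pem" >&2
        return 1
    fi
    # Pure-FTPd loads the key and the certificate from this single file,
    # so both PEM blocks must be present.
    if ! grep -q 'BEGIN .*PRIVATE KEY' "$pem"; then
        echo "no private key block in $pem" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "no certificate block in $pem" >&2
        return 1
    fi
    # The file contains the private key: nobody but root may read it.
    mode=$(stat -c %a "$pem")
    if [ "$mode" != 600 ]; then
        echo "$pem has mode $mode, expected 600 (chmod 600 $pem)" >&2
        return 1
    fi
    # Fail if the certificate expires within 30 days (2592000 seconds);
    # openssl x509 skips the key block and reads the certificate.
    if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
        echo "certificate in $pem expires within 30 days" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -subject -enddate
}

if [ $# -gt 0 ]; then
    check_pure_ftpd_pem "$1"
fi
```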
Installing ClamAV (antivirus)
yum install clamav clamd
Create the startup links and start it
chkconfig --levels 235 clamd on
/usr/bin/freshclam
/etc/init.d/clamd start
Configuring Pure-FTPd
Edit the file /etc/pure-ftpd/pure-ftpd.conf and set CallUploadScript to yes.
vi /etc/pure-ftpd/pure-ftpd.conf
[...]
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.
CallUploadScript yes
[...]
Now create the script /etc/pure-ftpd/clamav_check.sh, which has clamdscan scan each file as soon as it is uploaded.
vi /etc/pure-ftpd/clamav_check.sh
#!/bin/sh
# pure-uploadscript passes the path of the finished upload as $1;
# clamdscan scans it and, with --remove, deletes it if it is infected.
/usr/bin/clamdscan --remove --quiet --no-summary "$1"
Make the script executable
chmod 755 /etc/pure-ftpd/clamav_check.sh
Now start the pure-uploadscript program as a daemon; whenever an upload completes, it calls the clamav_check.sh script to handle the file.
Add it to /etc/rc.local so it starts automatically at boot.
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
touch /var/lock/subsys/local
Note: pure-uploadscript must be started before the pure-ftpd daemon, otherwise pure-ftpd will not start.
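The clamav_check.sh above deletes an infected upload and ignores the case where clamd is down. As an added example (not part of the original tutorial), here is a stricter replacement for that script: it interprets the clamdscan exit status (0 clean, 1 infected, 2 error) and moves anything not known to be clean into a quarantine directory instead of deleting it, so the file is kept for analysis and a failed scan does not leave the upload in place. The quarantine path and the CLAMDSCAN override are assumptions used for this example.

```shell
#!/bin/sh
# Added example, not from the original page: stricter replacement for
# /etc/pure-ftpd/clamav_check.sh. pure-uploadscript calls it with the
# path of the finished upload as $1. Assumed paths: the quarantine
# directory and the CLAMDSCAN override (used for offline testing).
CLAMDSCAN="${CLAMDSCAN:-/usr/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine/pure-ftpd}"

log() {
    logger -t clamav_check "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# clamdscan exit status: 0 = no virus found, 1 = virus found, 2 = error
# (clamd not running, unreadable file, ...).
scan_action() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one upload. Returns the clamdscan status; infected files and files
# that could not be scanned are quarantined (fail closed when clamd is down).
handle_upload() {
    file="$1"
    if [ ! -f "$file" ]; then
        log "not a regular file, ignoring: $file"
        return 2
    fi
    status=0
    "$CLAMDSCAN" --quiet --no-summary "$file" >/dev/null 2>&1 || status=$?
    action=$(scan_action "$status")
    if [ "$action" = clean ]; then
        log "clean: $file"
        return 0
    fi
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    # Timestamp prefix so repeated uploads with the same name do not collide.
    mv "$file" "$QUARANTINE/$(date +%Y%m%d%H%M%S).$(basename "$file")"
    log "$action: $file moved to $QUARANTINE (clamdscan status $status)"
    return "$status"
}

if [ $# -gt 0 ]; then
    handle_upload "$1"
fi
```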
Last modified on 2012-07-10