我试图通过Filezilla与我的本地用户进入一个NGINX文件夹。
我的服务器的操作系统是CentOS 7.我这样安装了vsftpd:
#Install VSFTP sudo yum -y install vsftpd #Make Log file sudo mkdir /var/log/vsftpd sudo touch /var/log/vsftpd/vsftpd.log sudo chmod 0777 /var/log/vsftpd/vsftpd.log #Make SSL/TLS certificate; Pem file sudo openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem #Update the SELinux boolean values for FTP service; getsebool -a | grep ftp sudo setsebool -P ftp_home_dir on #Place "free" Users in Allow list sudo echo "bla_user" > /etc/vsftpd.chroot_list 这是我的/etc/vsftpd/vsftpd.conf文件:
#Banner ftpd_banner=Welcome to FTP service #Pam service name pam_service_name=vsftpd #Tuning FTP users anonymous_enable=NO #Connect Local users; TLS/SSL/FTPS local_enable=YES #Check shell check_shell=NO #Write permissions write_enable=YES #Enable Chroot; Some Users are "free" chroot_local_user=YES chroot_list_enable=YES #List of "free" Users chroot_list_file=/etc/vsftpd.chroot_list #Root dir local_root=/usr/share/nginx/html/ #Ascii mode ascii_upload_enable=YES ascii_download_enable=YES #Enable TLS/SSL ssl_enable=YES #Force Users to use TLS encryption allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH #Specify SSL certificate/private key; Pem file rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem #Define port range for Passive mode connections pasv_max_port=51000 pasv_min_port=50000 pasv_address=<My router IP> pasv_addr_resolve=NO #Client session is timed out after 300 seconds idle_session_timeout=300 #Maximum number of connections per IP, helps against DoS/DDoS attacks max_per_ip=50 #Show hidden files and the "." and ".." folders force_dot_files=YES #Use localtime use_localtime=YES #Make files Executable file_open_mode=0777 #Enable logging xferlog_enable=YES xferlog_std_format=NO xferlog_file=/var/log/vsftpd/vsftpd.log log_ftp_protocol=YES debug_ssl=YES
我为chroot用户创build了一个目录(这个目录不应该是免费的),例如:
#Make dir sudo mkdir /usr/share/nginx/html/test_user #Make SFTP User sudo useradd -d /usr/share/nginx/html/test_user -s /usr/sbin/nologin test_user #Define Password sudo passwd ksuser #Place ftp user in NGINX group sudo usermod -aG nginx test_user
然后我开始这样的服务:
#Start services sudo systemctl start vsftpd sudo systemctl enable vsftpd sudo firewall-cmd --permanent --add-port=21/tcp sudo firewall-cmd --permanent --add-service=ftp sudo firewall-cmd --permanent --add-port=51000/tcp #Restart firewall sudo firewall-cmd --reload
但是当我尝试用Filezillalogin时,我得到:
230 Login successful, 200 PROT now Private ect.
但最后我得到了:
Connection lost, and Receiving folders failed
我尝试打开我的端口,并重新加载我的防火墙,由HBruijnbuild议。 我也运行这些命令,运行audit2whybuild议由Mircea:
#Allow access sudo setsebool -P nis_enabled 1 #Allow ftpd to connect all unreserved sudo setsebool -P ftpd_connect_all_unreserved 1
我仍然无法进入我的文件夹。 它可以是我的路由器,或者我应该更多地用setsebool? 这是我的布尔列表:
ftp_home_dir --> on ftpd_anon_write --> off ftpd_connect_all_unreserved --> on ftpd_connect_db --> off ftpd_full_access --> off ftpd_use_cifs --> off ftpd_use_fusefs --> off ftpd_use_nfs --> off ftpd_use_passive_mode --> off httpd_can_connect_ftp --> off httpd_enable_ftp_server --> off sftpd_anon_write --> off sftpd_enable_homedirs --> off sftpd_full_access --> off sftpd_write_ssh_home --> off tftp_anon_write --> off tftp_home_dir --> off
您可以在vsftpd.conf中定义50000-51000的被动端口范围,但只能在防火墙configuration中明确打开单个端口51000。
由于您使用TLS来保护连接,所以普通的netfilter FTP帮助程序模块不能dynamic地打开相关的被动端口。
解决方法:打开正确的端口范围。
sudo firewall-cmd --permanent --add-port=50000-51000/tcp
首先,你应该排除一个SELinux问题。 searchftp条目的/var/log/audit/audit.log:
audit2why < /var/log/audit/audit.log
检查vsftpd日志是否有错误。
如果没有什么工作,使用strace vfstp,并试图找出失败的地方。
/ usr / share / nginx / html /文件设置了哪个SELinux上下文? 运行以下命令查看:
ls -lZd /usr/share/nginx/html/