Linux 在亚马逊云服务器上设置 FTP
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7052875/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Setting up FTP on Amazon Cloud Server
提问by SharkTheDark
I am trying to set up FTP on Amazon Cloud Server, but without luck. I search over net and there is no concrete steps how to do it.
我正在尝试在 Amazon Cloud Server 上设置 FTP,但没有运气。我在网上搜索,没有具体的步骤如何去做。
I found those commands to run:
我发现这些命令可以运行:
$ yum install vsftpd
$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048
$ vi /etc/vsftpd/vsftpd.conf
#<em>---Add following lines at the end of file---</em>
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
$ /etc/init.d/vsftpd restart
But I don't know where to write them.
但我不知道在哪里写它们。
回答by jaminto
To enable passive ftp on an EC2 server, you need to configure the ports that your ftp server should use for inbound connections, then open a list of available ports for the ftp client data connections.
要在 EC2 服务器上启用被动 ftp,您需要配置 ftp 服务器应用于入站连接的端口,然后打开 ftp 客户端数据连接的可用端口列表。
I'm not that familiar with linux, but the commands you posted are the steps to install the ftp server, configure the ec2 firewall rules (through the AWS API), then configure the ftp server to use the ports you allowed on the ec2 firewall.
我对linux不是很熟悉,但是你贴的命令是安装ftp服务器,配置ec2防火墙规则(通过AWS API),然后配置ftp服务器使用你在ec2防火墙上允许的端口的步骤.
So this step installs the ftp client (VSFTP)
所以这一步安装ftp客户端(VSFTP)
> yum install vsftpd
> yum install vsftpd
These steps configure the ftp client
这些步骤配置ftp客户端
> vi /etc/vsftpd/vsftpd.conf
-- Add following lines at the end of file --
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
> /etc/init.d/vsftpd restart
but the other two steps are easier done through the amazon console under EC2 Security groups. There you need to configure the security group that is assigned to your server to allow connections on ports 20,21, and 1024-1048
但是其他两个步骤通过 EC2 安全组下的亚马逊控制台更容易完成。您需要配置分配给您的服务器的安全组以允许端口 20、21 和 1024-1048 上的连接
回答by clone45
Jaminto did a great job of answering the question, but I recently went through the process myself and wanted to expand on Jaminto's answer.
Jaminto 在回答这个问题方面做得很好,但我最近自己经历了这个过程,并想扩展 Jaminto 的回答。
I'm assuming that you already have an EC2 instance created and have associated an Elastic IP Address to it.
我假设您已经创建了一个 EC2 实例并为其关联了一个弹性 IP 地址。
Step #1: Install vsftpd
第 1 步:安装 vsftpd
SSH to your EC2 server. Type:
通过 SSH 连接到您的 EC2 服务器。类型:
> sudo yum install vsftpd
This should install vsftpd.
这应该安装 vsftpd。
Step #2: Open up the FTP ports on your EC2 instance
第 2 步:打开 EC2 实例上的 FTP 端口
Next, you'll need to open up the FTP ports on your EC2 server. Log in to the AWS EC2 Management Console and select Security Groups from the navigation tree on the left. Select the security group assigned to your EC2 instance. Then select the Inbound tab, then click Edit:
接下来,您需要打开 EC2 服务器上的 FTP 端口。登录 AWS EC2 管理控制台并从左侧导航树中选择安全组。选择分配给您的 EC2 实例的安全组。然后选择入站选项卡,然后单击编辑:
Add two Custom TCP Rules with port ranges 20-21 and 1024-1048. For Source, you can select 'Anywhere'. If you decide to set Source to your own IP address, be aware that your IP address might change if it is being assigned via DHCP.
添加两个自定义 TCP 规则,端口范围为 20-21 和 1024-1048。对于来源,您可以选择“任何地方”。如果您决定将 Source 设置为您自己的 IP 地址,请注意,如果您的 IP 地址是通过 DHCP 分配的,则它可能会更改。
Step #3: Make updates to the vsftpd.conf file
第 3 步:更新 vsftpd.conf 文件
Edit your vsftpd conf file by typing:
通过键入以下内容来编辑您的 vsftpd conf 文件:
> sudo vi /etc/vsftpd/vsftpd.conf
Disable anonymous FTP by changing this line:
通过更改此行禁用匿名 FTP:
anonymous_enable=YES
to
到
anonymous_enable=NO
Then add the following lines to the bottom of the vsftpd.conf file:
然后将以下行添加到 vsftpd.conf 文件的底部:
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
Your vsftpd.conf file should look something like the following - except make sure to replace the pasv_address with your public facing IP address:
您的 vsftpd.conf 文件应该类似于以下内容 - 除了确保将 pasv_address 替换为您面向公众的 IP 地址:
To save changes, press escape, then type :wq, then hit enter.
要保存更改,请按 Esc,然后键入:wq,然后按Enter。
Step #4: Restart vsftpd
第 4 步:重新启动 vsftpd
Restart vsftpd by typing:
键入以下命令重新启动 vsftpd:
> sudo /etc/init.d/vsftpd restart
You should see a message that looks like:
您应该会看到如下所示的消息:
If this doesn't work, try:
如果这不起作用,请尝试:
> sudo /sbin/service vsftpd restart
Step #5: Create an FTP user
第 5 步:创建 FTP 用户
If you take a peek at /etc/vsftpd/user_list, you'll see the following:
如果您看一下 /etc/vsftpd/user_list,您将看到以下内容:
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
This is basically saying, "Don't allow these users FTP access." vsftpd will allow FTP access to any user not on this list.
这基本上是说,“不允许这些用户进行 FTP 访问”。vsftpd 将允许任何不在此列表中的用户进行 FTP 访问。
So, in order to create a new FTP account, you may need to create a new user on your server. (Or, if you already have a user account that's not listed in /etc/vsftpd/user_list, you can skip to the next step.)
因此,为了创建一个新的 FTP 帐户,您可能需要在您的服务器上创建一个新用户。(或者,如果您已有一个未在 /etc/vsftpd/user_list 中列出的用户帐户,则可以跳到下一步。)
Creating a new user on an EC2 instance is pretty simple. For example, to create the user 'bret', type:
在 EC2 实例上创建新用户非常简单。例如,要创建用户 'bret',请键入:
> sudo adduser bret
> sudo passwd bret
Here's what it will look like:
这是它的样子:
Step #6: Restricting users to their home directories
第 6 步:限制用户访问他们的主目录
At this point, your FTP users are not restricted to their home directories. That's not very secure, but we can fix it pretty easily.
此时,您的 FTP 用户不受限于他们的主目录。这不是很安全,但我们可以很容易地修复它。
Edit your vsftpd conf file again by typing:
通过键入以下内容再次编辑您的 vsftpd conf 文件:
> sudo vi /etc/vsftpd/vsftpd.conf
Un-comment out the line:
取消注释该行:
chroot_local_user=YES
It should look like this once you're done:
完成后它应该如下所示:
Restart the vsftpd server again like so:
再次重新启动 vsftpd 服务器,如下所示:
> sudo /etc/init.d/vsftpd restart
All done!
全部完成!
Appendix A: Surviving a reboot
附录 A:在重启后幸存下来
vsftpd doesn't automatically start when your server boots. If you're like me, that means that after rebooting your EC2 instance, you'll feel a moment of terror when FTP seems to be broken - but in reality, it's just not running!. Here's a handy way to fix that:
当您的服务器启动时,vsftpd 不会自动启动。如果你像我一样,那就意味着在重启你的 EC2 实例后,你会感到一阵恐怖,当 FTP 似乎被破坏了——但实际上,它只是没有运行!。这里有一个方便的方法来解决这个问题:
> sudo chkconfig --level 345 vsftpd on
Alternatively, if you are using redhat, another way to manage your services is by using this nifty graphic user interface to control which services should automatically start:
或者,如果您使用的是 redhat,另一种管理服务的方法是使用这个漂亮的图形用户界面来控制哪些服务应该自动启动:
> sudo ntsysv
Now vsftpd will automatically start up when your server boots up.
现在,当您的服务器启动时,vsftpd 将自动启动。
Appendix B: Changing a user's FTP home directory
附录 B:更改用户的 FTP 主目录
* NOTE: Iman Sedighi has posted a more elegant solution for restricting users access to a specific directory. Please refer to his excellent solution posted as an answer *
* 注意:Iman Sedighi 发布了一个更优雅的解决方案,用于限制用户访问特定目录。请参考他作为答案发布的优秀解决方案*
You might want to create a user and restrict their FTP access to a specific folder, such as /var/www. In order to do this, you'll need to change the user's default home directory:
您可能希望创建一个用户并将其 FTP 访问权限限制为特定文件夹,例如 /var/www。为此,您需要更改用户的默认主目录:
> sudo usermod -d /var/www/ username
In this specific example, it's typical to give the user permissions to the 'www' group, which is often associated with the /var/www folder:
在此特定示例中,通常将用户权限授予“www”组,该组通常与 /var/www 文件夹相关联:
> sudo usermod -a -G www username
回答by Kevin Meek
Don't forget to update your iptables firewall if you have one to allow the 20-21 and 1024-1048 ranges in.
如果您有允许 20-21 和 1024-1048 范围的防火墙,请不要忘记更新您的 iptables 防火墙。
Do this from /etc/sysconfig/iptables
从 /etc/sysconfig/iptables 执行此操作
Adding lines like this:
添加这样的行:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:1048 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:1048 -j ACCEPT
And restart iptables with the command:
并使用以下命令重新启动 iptables:
sudo service iptables restart
须藤服务 iptables 重启
回答by Ravi Shanker
Great Article... worked like a breeze on Amazon Linux AMI.
很棒的文章...在 Amazon Linux AMI 上工作起来轻而易举。
Two more useful commands:
两个更有用的命令:
To change the default FTP upload folder
更改默认 FTP 上传文件夹
Step 1:
第1步:
edit /etc/vsftpd/vsftpd.conf
Step 2: Create a new entry at the bottom of the page:
第 2 步:在页面底部创建一个新条目:
local_root=/var/www/html
To apply read, write, delete permission to the files under folder so that you can manage using a FTP device
对文件夹下的文件申请读、写、删除权限,以便您可以使用FTP设备进行管理
find /var/www/html -type d -exec chmod 777 {} \;
回答by chbong
In case you have ufw enabled, remember add ftp:
如果您启用了 ufw,请记住添加 ftp:
> sudo ufw allow ftp
It took me 2 days to realise that I enabled ufw.
我花了 2 天时间才意识到我启用了 ufw。
回答by user1802434
It will not be ok until you add your user to the group www by the following commands:
在您通过以下命令将用户添加到 www 组之前,这是不行的:
sudo usermod -a -G www <USER>
This solves the permission problem.
这样就解决了权限问题。
Set the default path by adding this:
通过添加以下内容来设置默认路径:
local_root=/var/www/html
回答by CodeBrew
I followed clone45's answer all the way to the end. A great article! Since I needed the FTP access to install plug-ins to one of my wordpress sites, I changed the home directory to /var/www/mysitename. Then I continued to add my ftp user to the apache(or www) group like this:
我一直跟着clone45的回答到最后。一篇很棒的文章!由于我需要 FTP 访问权限才能将插件安装到我的 wordpress 站点之一,因此我将主目录更改为 /var/www/mysitename。然后我继续将我的 ftp 用户添加到 apache(或 www)组,如下所示:
sudo usermod -a -G apache myftpuser
After this I still saw this error on WP's plugin installation page: "Unable to locate WordPress Content directory (wp-content)". Searched and found this solution on a wp.org Q&A session: https://wordpress.org/support/topic/unable-to-locate-wordpress-content-directory-wp-contentand added the following to the end of wp-config.php:
在此之后,我仍然在 WP 的插件安装页面上看到此错误:“无法找到 WordPress 内容目录 (wp-content)”。在 wp.org 问答环节中搜索并找到了此解决方案:https://wordpress.org/support/topic/unable-to-locate-wordpress-content-directory-wp-content并将以下内容添加到 wp-配置文件:
if(is_admin()) {
add_filter('filesystem_method', create_function('$a', 'return "direct";' ));
define( 'FS_CHMOD_DIR', 0751 );
}
After this my WP plugin was installed successfully.
在此之后,我的 WP 插件安装成功。
回答by Hartmut
maybe worth mentioning in addition to clone45's answer:
除了clone45的回答之外,也许还值得一提:
Fixing Write Permissions for Chrooted FTP Users in vsftpd
The vsftpd version that comes with Ubuntu 12.04 Precise does not permit chrooted local users to write by default. By default you will have this in /etc/vsftpd.conf:
chroot_local_user=YES write_enable=YESIn order to allow local users to write, you need to add the following parameter:
allow_writeable_chroot=YES
修复 vsftpd 中 Chrooted FTP 用户的写入权限
Ubuntu 12.04 Precise 自带的 vsftpd 版本默认不允许 chroot 本地用户写入。默认情况下,您将在/etc/vsftpd.conf 中有这个:
chroot_local_user=YES write_enable=YES为了允许本地用户写入,需要添加如下参数:
allow_writeable_chroot=YES
Note:Issues with write permissions may show up as following FileZillaerrors:
注意:写权限问题可能会显示为以下FileZilla错误:
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
References:
Fixing Write Permissions for Chrooted FTP Users in vsftpd
VSFTPd stopped working after update
回答by Willem Bressers
I've simplified clone45 steps:
我已经简化了 clone45 步骤:
Open the ports as he mentioned
按照他说的打开端口
sudo su
sudo yum install vsftpd
echo -n "Public IP of your instance: " && read publicip
echo -e "anonymous_enable=NO\npasv_enable=YES\npasv_min_port=1024\npasv_max_port=1048\npasv_address=$publicip\nchroot_local_user=YES" >> /etc/vsftpd/vsftpd.conf
sudo /etc/init.d/vsftpd restart
回答by Iman Sedighi
Thanks @clone45 for the nice solution. But I had just one important problem with Appendix b of his solution. Immediately after I changed the home directory to var/www/html then I couldn't connect to server through ssh and sftp because it always shows following errors
感谢@clone45 提供了不错的解决方案。但是我对他的解决方案的附录 b 只有一个重要问题。我将主目录更改为 var/www/html 后立即无法通过 ssh 和 sftp 连接到服务器,因为它总是显示以下错误
permission denied (public key)
or in FileZilla I received this error:
或在 FileZilla 中,我收到此错误:
No supported authentication methods available (server: public key)
But I could access the server through normal FTP connection.
但是我可以通过正常的 FTP 连接访问服务器。
If you encountered to the same error then just undo the appendix b of @clone45 solution by set the default home directory for the user:
如果您遇到同样的错误,那么只需通过为用户设置默认主目录来撤消@clone45 解决方案的附录 b:
sudo usermod -d /home/username/ username
But when you set user's default home directory then the user have access to many other folders outside /var/www/http. So to secure your server then follow these steps:
但是当您设置用户的默认主目录时,用户可以访问 /var/www/http 之外的许多其他文件夹。因此,为了保护您的服务器,请按照以下步骤操作:
1- Make sftponly groupMake a group for all users you want to restrict their access to only ftp and sftp access to var/www/html. to make the group:
1- 建立 sftponly 组为所有你想限制他们访问权限的用户创建一个组,限制他们只能访问 ftp,sftp 访问 var/www/html。使组:
sudo groupadd sftponly
2- Jail the chrootTo restrict access of this group to the server via sftp you must jail the chroot to not to let group's users to access any folder except html folder inside its home directory. to do this open /etc/ssh/sshd.config in the vim with sudo. At the end of the file please comment this line:
2-限制chroot要通过 sftp 限制该组对服务器的访问,您必须限制 chroot 不允许组的用户访问其主目录中除 html 文件夹之外的任何文件夹。要执行此操作,请在 vim 中使用 sudo 打开 /etc/ssh/sshd.config。请在文件末尾评论这一行:
Subsystem sftp /usr/libexec/openssh/sftp-server
And then add this line below that:
然后在下面添加这一行:
Subsystem sftp internal-sftp
So we replaced subsystem with internal-sftp. Then add following lines below it:
所以我们用 internal-sftp 替换了子系统。然后在它下面添加以下几行:
Match Group sftponly
ChrootDirectory /var/www
ForceCommand internal-sftp
AllowTcpForwarding no
After adding this line I saved my changes and then restart ssh service by:
添加此行后,我保存了更改,然后通过以下方式重新启动 ssh 服务:
sudo service sshd restart
3- Add the user to sftponly groupAny user you want to restrict their access must be a member of sftponly group. Therefore we join it to sftponly by: sudo usermod -G sftponly username
3- 将用户添加到 sftponly 组您想限制其访问的任何用户都必须是 sftponly 组的成员。因此,我们通过以下方式将其加入 sftponly: sudo usermod -G sftponly username
4- Restrict user access to just var/www/htmlTo restrict user access to just var/www/html folder we need to make a directory in the home directory (with name of 'html') of that user and then mount /var/www to /home/username/html as follow:
4- 限制用户只访问 var/www/html要限制用户只访问 var/www/html 文件夹,我们需要在该用户的主目录(名称为“html”)中创建一个目录,然后挂载 /var /www 到 /home/username/html 如下:
sudo mkdir /home/username/html
sudo mount --bind /var/www /home/username/html
5- Set write accessIf the user needs write access to /var/www/html, then you must jail the user at /var/www which must have root:root ownership and permissions of 755. You then need to give /var/www/html ownership of root:sftponly and permissions of 775 by adding following lines:
5- 设置写入权限如果用户需要对 /var/www/html 的写入权限,那么您必须将用户监禁在 /var/www 中,该用户必须具有 root:root 所有权和 755 的权限。然后您需要提供 /var/通过添加以下行,www/html root:sftponly 所有权和 775 权限:
sudo chmod 755 /var/www
sudo chown root:root /var/www
sudo chmod 775 /var/www/html
sudo chown root:www /var/www/html
6- Block shell accessIf you want restrict access to not access to shell to make it more secure then just change the default shell to bin/false as follow:
6- 阻止 shell 访问如果您想限制访问权限以使其不访问 shell 以使其更安全,那么只需将默认 shell 更改为 bin/false,如下所示:
sudo usermod -s /bin/false username
