How to Set Up a MySecureShell SFTP Server on Ubuntu 18.04
In this article I will show you how to set up an SFTP server on Ubuntu 18.04 using MySecureShell.
SFTP is a secure way of transferring files over an encrypted SSH connection.
Although it is widely supported by modern FTP clients, it is a completely different protocol from FTP (File Transfer Protocol).
You may ask why you would use MySecureShell instead of a traditional FTP server.
Here are some of its features:
- Secure data transfer over SSH
- No SSL certificates to manage
- Easy to install and configure
- Bandwidth limiting
- Limits on files and folders
- Access control lists by IP / user name / group / VirtualHost
- Restricts users to SFTP only (shell access is disabled by default)
- Enhanced logging
So let's begin with the installation; basic knowledge of FTP is enough to follow this tutorial.
Installation
Since Ubuntu 15.04, MySecureShell is available in the default repositories.
We are using Ubuntu 18.04 for this installation.
Simply run the following command to install MySecureShell:
apt-get install mysecureshell
If the package is not available from the default repositories, follow the steps below; make sure every step is run as root.
vim /etc/apt/sources.list
Add the following two lines:
deb http://mysecureshell.free.fr/repository/index.php/ubuntu testing main
deb-src http://mysecureshell.free.fr/repository/index.php/ubuntu testing main
Now add the repository's GPG key (apt-key reads the exported key from standard input, hence the trailing "-"):
gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys E328F22B; gpg --export E328F22B | apt-key add -
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7601D76CE328F22B: public key "MySecureShell repository " imported
gpg: Total number processed: 1
gpg:               imported: 1
OK
Prefer the 16-character long key ID shown in the output (7601D76CE328F22B) over the 8-character short ID when fetching keys, since short IDs are easy to collide.
Once the repository has been added, we can start the installation:
apt-get update
apt-get install mysecureshell
Now we are ready to start the service and check its status:
systemctl start mysecureshell.service
systemctl status mysecureshell.service
Sample output
# systemctl start mysecureshell.service
# systemctl status mysecureshell.service
* mysecureshell.service - LSB: MySecureShell SFTP Server
   Loaded: loaded (/etc/init.d/mysecureshell; generated)
   Active: active (exited) since Fri 2016-05-18 01:02:17 UTC; 4min 44s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2322)
   CGroup: /system.slice/mysecureshell.service

Jan 18 01:02:17 004-153 systemd[1]: Starting LSB: MySecureShell SFTP Server...
Jan 18 01:02:17 004-153 mysecureshell[1314]: Starting MySecureShell SFTP Server: mysecureshell is now online with restricted features
Jan 18 01:02:17 004-153 mysecureshell[1314]: Note: To enable all features you have to change mysecureshell binary rights to 4755
Jan 18 01:02:17 004-153 systemd[1]: Started LSB: MySecureShell SFTP Server.
#
The "restricted features" note refers to the setuid bit: mode 4755 makes the mysecureshell binary run as root, which it needs for features such as the chroot. The sftp-verif command described later checks that these file rights are set.
Use the following commands to stop and restart the mysecureshell service:
systemctl stop mysecureshell.service
systemctl restart mysecureshell.service
Creating a MySecureShell SFTP user
First we have to find where MySecureShell is installed:
whereis mysecureshell
As the output below shows, mysecureshell is installed at /usr/bin/mysecureshell.
mysecureshell: /usr/bin/mysecureshell /usr/share/man/man8/mysecureshell.8.gz
Now that we have verified the path, let's create a user:
useradd -m -s /usr/bin/mysecureshell testsftpuser
passwd testsftpuser
As you can see in the command above, we create the user and assign the path of the mysecureshell binary as its login shell.
Alternatively, an existing user can be given access to MySecureShell with the following command:
sudo usermod -s /usr/bin/mysecureshell testsftpuser
User connection
Now the "testsftpuser" user can connect to the SFTP server from a client using the server's IP address, as shown below (45.33.54.153 is the IP of our machine):
sftp testsftpuser@45.33.54.153
Connected to 45.33.54.153
sftp>
Likewise, we can log in to the SFTP server with any graphical client (for example FileZilla) from the client system.
MySecureShell commands
MySecureShell ships the following set of commands for managing the SFTP server:
- sftp-admin
- sftp-kill
- sftp-state
- sftp-user
- sftp-verif
- sftp-who
sftp-admin
This command allows remote administration of MySecureShell.
sftp-admin [ssh options] user@hostname
sftp-kill
Disconnects a user from the SFTP server.
sftp-kill testsftpuser
Kill testsftpuser on PID 1961 (Press "Y" when requested)
sftp-state
Shows the SFTP server state.
sftp-state
Sample output
# sftp-state
Server is up
#
sftp-user
This command lets us create an SFTP user without having to specify the shell path as we did earlier:
sftp-user create test
List SFTP users:
sftp-user list
test
testsftpuser
The following command deletes the user test:
sftp-user delete test
sftp-verif
This command verifies, and corrects, problems with the MySecureShell server installation.
sftp-verif
/bin/MySecureShell                                    [ OK ]
/bin/sftp-who                                         [ OK ]
/bin/sftp-kill                                        [ OK ]
/bin/sftp-state                                       [ OK ]
/bin/sftp-admin                                       [ OK ]
/bin/sftp-verif                                       [ OK ]
/bin/sftp-user                                        [ OK ]
### Verifing rights ###
Verifing file rights of /etc/ssh/sftp_config          [ OK ]
Verifing file rights of /bin/sftp-who                 [ OK ]
Verifing file rights of /bin/sftp-verif               [ OK ]
Verifing file rights of /bin/sftp-user                [ OK ]
Verifing file rights of /bin/sftp-kill                [ OK ]
Verifing file rights of /bin/sftp-state               [ OK ]
Verifing file rights of /bin/sftp-admin               [ OK ]
Verifing file rights of /bin/MySecureShell            [ OK ]
### Verifing rotation logs ###
Rotation logs have been found                         [ OK ]
### Verifing server status ###
Verifing server status (ONLINE)                       [ OK ]
[...]
sftp-who
This command tells us which users are currently logged in to the SFTP server.
sftp-who
# sftp-who
--- 1/10 clients --
Global used bandwidth : 0 bytes/s/0 bytes/s
PID: 2207   Name: testsftpuser   IP: pa39-178-9-194.pa.nsw.optusnet.com.au
        Home: /home/testsftpuser
        Status: idle   Path: /
        File:
        Connected: 2016/05/18 01:30:50 [since 03mins 59s]
        Speed: Download: 0 bytes/s [5.00 kbytes/s]   Upload: 0 bytes/s [unlimited]
        Total: Download: 924 bytes   Upload: 100 bytes
#
Configuration
The main configuration file of MySecureShell is /etc/ssh/sftp_config.
In it we can configure upload and download bandwidth, chroot users, the maximum number of connections, and so on.
These options can be set for everybody or only for a specific group.
cat /etc/ssh/sftp_config
Default tag
The Default tag is used when a configuration should apply to all users:
#Default rules for everybody
<Default>
    GlobalDownload          50k     #total speed download for all clients
                                    # o -> bytes  k -> kilo bytes  m -> mega bytes
    GlobalUpload            0       #total speed upload for all clients (0 for unlimited)
    Download                5k      #limit speed download for each connection
    Upload                  0       #unlimited speed upload for each connection
    StayAtHome              true    #limit client to his home
    VirtualChroot           true    #fake a chroot to the home account
    LimitConnection         10      #max connection for the server sftp
    LimitConnectionByUser   1       #max connection for the account
    LimitConnectionByIP     2       #max connection by ip for the account
    Home                    /home/$USER    #override home of the user but if you want you can use
                                           # environment variable (ie: Home /home/$USER)
    IdleTimeOut             5m      #(in second) disconnect client if idle for too long
    ResolveIP               true    #resolve ip to dns
    LogFile                 /var/log/sftp-server_ftp.log
#   IgnoreHidden            true    #treat all hidden files as if they don't exist
#   DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
#   DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
#   DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                    #Add execution right for directory if read right is set
    HideNoAccess            true    #Hide file/directory which user has no access
#   MaxOpenFilesForUser     20      #limit user to open x files on same time
#   MaxWriteFilesForUser    10      #limit user to x upload on same time
#   MaxReadFilesForUser     10      #limit user to x download on same time
    DefaultRights           0640 0750    #Set default rights for new file and new directory
#   MinimumRights           0400 0700    #Set minimum rights for files and dirs
    ShowLinksAsLinks        false   #show links as their destinations
#   ConnectionMaxLife       1d      #limits connection lifetime to 1 day
#   Charset                 "ISO-8859-15"    #set charset of computer
</Default>
Note: logging is not enabled by default; the location of the log file is set with LogFile in the configuration file.
FileSpec tag
The FileSpec tag is used to create filters on files and directories:
# Only check against filenames/folder names only
<FileSpec>
    UseFullPath false
    # we can use multiple deny/allow directives for clarity
    Order DenyAllow
    Deny ".*.exe$"
    Deny ".*.sh$"
    Allow all
</FileSpec>
User tag
The User tag defines settings for a specific user, such as its home folder:
<User tom>
    Home /home/tom
</User>
VirtualHost tag
The VirtualHost tag sets restrictions based on the virtual host name (given as host:port in the opening tag):
<VirtualHost www.mysftpsite.com:22>
    # Set home directory for this virtualhost
    Home /var/www/html/www.mysftpsite.com
    # Set dedicated log file
    LogFile /var/log/sftp/www.mysftpsite.com
    # Override the maximum number of connections per user
    LimitConnectionByUser 5
</VirtualHost>
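As an added check (example code written for this article, not from the page or the MySecureShell project), the POSIX shell script below reads the <Default> block of an sftp_config and flags settings that weaken isolation or limits: StayAtHome/VirtualChroot not true, connection or idle limits unset or 0, and no LogFile. It runs against two constructed sample configs rather than the live file; pass /etc/ssh/sftp_config to audit_default to check a real server.

```shell
#!/bin/sh
# Audit the <Default> block of a MySecureShell sftp_config for settings that
# weaken isolation or limits. Both configs below are constructed samples.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
<Default>
    StayAtHome      false   #user may leave the home directory
    VirtualChroot   false   #no chroot at all
    LimitConnection 0       #unlimited connections
    Download        5k
</Default>
EOF
cat > "$HARD_CFG" <<'EOF'
<Default>
    StayAtHome            true
    VirtualChroot         true
    LimitConnection       10
    LimitConnectionByUser 1
    LimitConnectionByIP   2
    IdleTimeOut           5m
    LogFile               /var/log/sftp-server_ftp.log
</Default>
EOF
# get_default OPTION FILE: value of OPTION inside <Default>...</Default>, comment stripped
get_default() {
    awk -v opt="$1" '
        /^[[:space:]]*<Default>/   { in_def = 1; next }
        /^[[:space:]]*<\/Default>/ { in_def = 0 }
        in_def && $1 == opt        { sub(/#.*/, ""); print $2; exit }
    ' "$2"
}
# audit_default FILE: print one WARN line per weak setting; return 1 if any found
audit_default() {
    f=$1; rc=0
    for opt in StayAtHome VirtualChroot; do           # isolation must be on
        v=$(get_default "$opt" "$f")
        [ "$v" = "true" ] || { echo "WARN $opt=${v:-unset} (expected true)"; rc=1; }
    done
    for opt in LimitConnection LimitConnectionByUser LimitConnectionByIP IdleTimeOut; do
        v=$(get_default "$opt" "$f")                  # 0 or unset means no limit
        case $v in ''|0) echo "WARN $opt=${v:-unset} (no limit)"; rc=1 ;; esac
    done
    [ -n "$(get_default LogFile "$f")" ] || { echo "WARN LogFile unset (no log)"; rc=1; }
    return $rc
}
audit_default "$WEAK_CFG" || echo "weak config: fix the settings above"
audit_default "$HARD_CFG" && echo "hardened config: no findings"
```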
gFTP installation
Now let's try installing gFTP on Ubuntu 18.04 by following these steps:
sudo apt-get install gftp
- Open gFTP from the applications menu
- Enter the IP address of the SFTP server, the port number (the default, or the one specified when configuring the server), the user name and password, select SSH2 as the protocol and press Enter to log in
- If the login attempt succeeds, we are connected to the SFTP server with gFTP