
Installing and Configuring PureFTP

Author: anonymous  Source: unknown  Published: 2008-5-17 8:23:00
At this point, pureftpd has to be started as follows:
    ./pure-ftpd -4 -A -c 10 -C 1 -G -H -i -I 1 -k 95 -K -r -l  puredb:/home/ftp/pureftp/pureftp.pdb -L 100:2 \
          -O stats:/home/ftp/log/pureftpd.log -p 40000:50000 -R -T 500 -w -X -y 3:10 -F /home/ftp/pureftp/pure-fortune
    Now log in again and check whether it is displayed.

Notice: this article is for exchange purposes only. Commercial use without permission is prohibited; please contact thelastender@gmail.com

Appendix:
    1. Brief description of pureftpd parameters:
- '-0': when a file is uploaded and there is already a previous version of the
file with the same name, the old file will neither get removed nor truncated.
Upload will take place in a temporary file and once the upload is complete,
the switch to the new version will be atomic. For instance, when a large PHP
script is being uploaded, the web server will still serve the old version and
immediately switch to the new one as soon as the full file has been
transferred. This option is incompatible with virtual quotas.

- '-1': log the PID of each session in syslog output.

- '-4': only listen to IPv4 connections.

- '-6': don't listen to IPv4, only listen to IPv6.

- '-a <gid>': Authenticated users will be granted access to their home
directory and nothing else (chroot). This is especially useful for users
without shell access, for instance, WWW-hosting services shared by several
customers. Only members of group number <gid> will have unrestricted access
to the whole filesystem. So add a "staff", "admin" or "ftpadmin" group and
put your trusted users in it. <gid> is a NUMERIC group number, not a group name.
This feature is mainly designed for system users, not for virtual ones.

- '-A': chroot() everyone, but root.

- '-b': Ignore parts of RFC standards in order to deal with some totally
broken FTP clients, or broken firewalls/NAT boxes.

- '-B': Have the standalone server start in background (daemonization).

- '-c <number of clients>': Allow a maximum of clients to be connected. For
instance '-c 42' will limit access to 42 simultaneous clients. There is a
50 client limit by default.

- '-C <max connection per ip>': Limit the number of simultaneous connections
coming from the same IP address. This is yet another very effective way to
prevent stupid denial of services and bandwidth starvation by a single user.
It works only when the server is launched in standalone mode (if you use a
super-server, it is supposed to do that). If the server is launched with
'-C 2', it doesn't mean that the total number of connections is limited to 2.
But the same client, coming from the same machine (or at least the same IP),
can't have more than two simultaneous connections. This feature needs some
memory to track IP addresses, but it's recommended to use it.

- '-d': Send various debugging messages to the syslog. Don't use this
unless you really want to debug Pure-FTPd. Passwords aren't logged.
Duplicate '-d' to log responses, too.

- '-D': List files beginning with a dot ('.') even when the client doesn't
append the '-a' option to the list command. A workaround for badly
configured FTP clients. If you are a purist, don't enable this. If you
provide hosting services and if you have lousy customers, enable this.

- '-e': Only allow anonymous users. Use this on a public FTP site with no
remote FTP access to real accounts.

- '-f <facility>': Use that facility for syslog logging. It defaults to
'ftp' (or 'local2' if you got an obsolete libc without that facility).
Logging can be disabled with '-f none'.

- '-F <fortune file>': Display a fortune cookie on login. The sentence is
a random extract from the text file <fortune file>. This text file should be
formatted like standard "fortune" files (fortunes are separated by a '%'
sign on a single line). Pure-FTPd has to be compiled with support for
cookies (--with-cookie). If you just want a simple banner displayed before
the login prompt, add the name of any text file here.

- '-g <pid file>': Change the location of the pid file when the server is
run in standalone mode. The default is /var/run/pure-ftpd.pid .

- '-G': Disallow renaming.

- '-H': By default, fully-qualified host names are logged. To achieve this,
DNS lookups are mandatory. The '-H' flag avoids host name resolution
("213.41.14.252" will be logged instead of "www.toolinux.com"). It can
significantly speed up connections and reduce bandwidth usage on busy
servers. Use it especially on public FTP sites. Also, please note that
without -H, host names are informative but shouldn't be trusted: no reverse
mapping check is done, to save DNS queries.

- '-i': Disallow upload for anonymous users, whatever the directory permissions
are. This option is especially useful for virtual hosting, to avoid your
users creating warez sites in their account.

- '-I <timeout>': Change the maximum idle time. The timeout is in minutes
and defaults to 15 minutes. Modern FTP clients try to fool timeouts
by sending fake commands at regular intervals. We disconnect these clients
when they are idle for twice (because they are active anyway) the normal
timeout.

- '-j': If the home directory of a user doesn't exist, automatically create
it. The newly created home directory belongs to the user and permissions are
set according to the current directory mask. Only the home directory can be
created (so /home/john/./public_html won't work, but /home/john will). To
avoid local attacks, the parent directory should never belong to an untrusted
user. Also note that you must trust whoever manages the user databases,
because with that feature, he'll be able to create/chown directories anywhere
on the server's filesystem.

- '-k <percentage>': Don't allow uploads if the partition is more than
<percentage>% full. For instance, "-k 95" will ensure your disks will never
get filled more than 95% by FTP. No need for the "percent" sign after the
number.

- '-K': Allow users to resume and upload files, but *NOT* to delete or rename
them. Directories can be removed, but only if they are empty. However,
overwriting existing files is still allowed (to support upload resume). If
you want to disable this too, add -r (--autorename).

- '-l <authentication>' or '-l <authentication>:<config file>': Adds a new
rule to the authentication chain. Please read the "Authentication" section,
later in this README file. It's an important section.

- '-L <max files>:<max depth>': To avoid stupid denial-of-service attacks
(or just CPU hogs), Pure-FTPd never displays more than 2000 files in response
to an 'ls' command. Also, a recursive 'ls' (-R) never goes further than 5
subdirectories. You can increase/decrease those limits with the '-L' option.

- '-m <cpu load>': Don't allow anonymous download if the load is above <cpu
load>. A very efficient way to prevent overloading your server. Upload is
still allowed, though.

- '-M': Allow anonymous users to create directories.

- '-n <max files>:<max size>': If the server has been compiled with support
for virtual quotas, enforce these quota settings for all users (except
members of the 'trusted' group). <max size> is in Megabytes. See the
"virtual quotas" section later in this document.

- '-N': NAT mode. Force ACTIVE mode. If your FTP server is behind a NAT box
that doesn't support applicative FTP proxying, or if you use port
redirection without a transparent FTP proxy, use this. Well... the previous
sentence isn't very clear. Okay: if your network looks like this:
(FTP server)-------(NAT/masquerading gateway/router)------(Internet)
and if you want people coming from the internet to have access to your FTP
server, please try without this option first. If Netscape clients can
connect without any problem, your NAT gateway rulez. If Netscape doesn't
display directory listings, your NAT gateway sucks. Use '-N' as a workaround.

- '-o': Write all uploaded files to '/var/run/pure-ftpd.upload.pipe' so
that the 'pure-uploadscript' program can run. Don't enable that option if
you don't actually use 'pure-uploadscript'.

- '-O <format>:<log file>': Record all file transfers into a specific log
file, in an alternative format. Currently, four formats are supported: CLF
(Apache-like), Stats, W3C and xferlog.

- '-p <first port>:<last port>': Use only ports in the range <first port>
to <last port> inclusive for passive-mode downloads. This is especially
useful if the server is behind a firewall without FTP connection tracking.
Use high ports (40000-50000 for instance), where no regular server should be
listening.

- '-P <ip address or host name>': Force the specified IP address in reply to
a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
that doesn't properly handle stateful FTP masquerading, put the IP address
of that box here. If you have a dynamic IP address, you can put the public
host name of your gateway, which will be resolved every time a new client
connects.

- '-q <upload ratio>:<download ratio>': Enable ratios for anonymous users.

- '-Q <upload ratio>:<download ratio>': Enable ratios for everybody
(anonymous and non-anonymous). Members of the root group (gid 0, sometimes
called 'wheel') have no ratio.

- '-r': Never overwrite existing files. Uploading a file whose name
already exists causes an automatic rename. Files are called xyz, xyz.1, xyz.2,
xyz.3, etc.

- '-R': Disallow users (even non-anonymous ones) from using the CHMOD
command. On hosting services, it may prevent newbies from making mistakes,
like setting bad permissions on their home directory. Only root can use
CHMOD when -R is enabled.

- '-s': The "waReZ protection". Don't allow anonymous users to download
files owned by "ftp" (generally, files uploaded by other anonymous users),
so that uploads have to be validated by a system administrator (chown to
another user) before being available for download.

- '-S [<ip address>,|<hostname>,] [<port>|<service name>]': This option is
only effective when the server is launched as a standalone server.
Connections are accepted on the specified IP and port. IPv4 and IPv6 are
supported. Numeric and fully-qualified host names are accepted. A service
name (see /etc/services) can be used instead of a numeric port number.

- '-T <bandwidth>' and '-t <bandwidth>': Enable bandwidth limitation (see
below). <bandwidth> is specified in kilobytes/second. To set up separate
upload/download bandwidth, the [<upload>]:[<download>] syntax is supported.

- '-u <uid>': Don't allow uids below <uid> to log in. '-u 1' denies access
to root (safe), '-u 100' denies access to virtual accounts on most Linux
distros.

- '-U <umask for files>:<umask for dirs>': Change the file creation mask.
The default is 133:022. If you want a new file uploaded by a user to only be
readable by that user, use '-U 177:077'. If you want uploaded files to be
executable, use 022:022 (files will be readable -but not writable- by other
users) or 077:077 (files will only be executable and readable by their
owner). Please note that Pure-FTPd supports the SITE CHMOD extension, so a
user can change the permissions of his own files.

- '-V <ip address>': Allow non-anonymous FTP access only on this specific
local IP address. All other IP addresses are only anonymous. With that
option, you can have routed IPs for public access and a local IP (like
10.x.x.x) for administration. You can also have a routable trusted IP
protected by firewall rules, so that only that IP can be used to log in as a
non-anonymous user.

- '-v <name>': Set the service name for Apple's Bonjour. Only available on
MacOS X when Bonjour support is compiled in.

- '-w': Support the FXP protocol only for authenticated users. FXP works
with IPv4 and IPv6 addresses.

- '-W': Support the FXP protocol. FXP allows transfers between two remote
servers without any file data going to the client asking for the transfer.

- '-x': In normal operation mode, authenticated users can read/write files
beginning with a dot ('.'). Anonymous users can't, for security reasons
(like changing banners or a forgotten .rhosts). When '-x' is used,
authenticated users can download dot-files, but not overwrite/create them,
even if they own them. That way, you can prevent hosted users from messing
up .qmail files. If you want to give a user access to a special dot-file,
create a symbolic link to the dot-file with a file name that has no dot in it
and the client will be able to retrieve the file through that link.

- '-X': This flag is identical to the previous one (writing dot-files is
prohibited), but in addition, users can't even *read* files and directories
beginning with a dot (like "cd .ssh").

- '-y <max user logins>:<max anonymous logins>': This option only
works if the server has been compiled with --with-peruserlimits. It
restricts the number of concurrent sessions the same user can have.
  A null value ('0') means 'unlimited'.

Here's a concrete example:

/usr/local/sbin/pure-ftpd -y 3:20 -c 15 -C 5 -B

Here, we allow:
  * A max total of 15 sessions.
  * 5 connections max coming from the same IP address.
  * 3 connections max with the same user name.
  * 20 anonymous users max.

- '-Y 0': Disable the SSL/TLS encryption layer (default).
  '-Y 1': Accept both standard and encrypted sessions.
  '-Y 2': Refuse connections that aren't using SSL/TLS security mechanisms,
including anonymous sessions. The server must have been compiled with
--with-tls and a valid certificate must be in place to get this feature.
See the README.TLS file for more info about SSL/TLS.

- '-z': Allow anonymous users to read files and directories starting with a
dot ('.').

    2. Virtual users:
Since release 0.99.2, Pure-FTPd supports virtual users.

Virtual users is a simple mechanism to store a list of users, with their
password, name, uid, directory, etc. It's just like /etc/passwd. But it's
not /etc/passwd. It's a different file, only for FTP.

It means that you can easily create FTP-only accounts without messing up
your system accounts.

Additionally, virtual users files can store individual quotas, ratios,
bandwidth, etc. System accounts can't do this.

Thousands of virtual users can share the same system user, as long as they
all are chrooted and they have their own home directory.

So a good thing to do before using virtual users is to create a system user
for this. Of course, you can use any existing account like "nobody" (but not
root), but it's better to have a dedicated account.

Let's create an "ftpgroup" group and an "ftpuser" user.

Linux/OpenBSD/NetBSD/Solaris/HPUX/a lot of other Unix-like systems:

groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

FreeBSD:

pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc

Then, all maintenance of virtual users can be made with the "pure-pw"
command. You can also edit the files by hand if you want.
Files storing virtual users have one line per user. These lines have the
following syntax:

<account>:<password>:<uid>:<gid>:<gecos>:<home directory>:<upload
bandwidth>:<download bandwidth>:<upload ratio>:<download ratio>:<max number
of connections>:<files quota>:<size quota>:<authorized local IPs>:<refused
local IPs>:<authorized client IPs>:<refused client IPs>:<time
restrictions>

Fields can be left empty (exceptions: account, password, uid, gid, home
directory).

Passwords are compatible with the hashing function used in /etc/passwd or
/etc/master.passwd . They are hashed with blowfish, md5, multiple-des
or simple des, tried in this order, according to what your system has support for.

    ------------------------ CREATING A NEW USER ------------------------

To add a new user, use the following syntax:

         pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
                         -D/-d <home directory> [-c <gecos>]
                         [-t <download bandwidth>] [-T <upload bandwidth>]
                         [-n <max number of files>] [-N <max Mbytes>]
                         [-q <upload ratio>] [-Q <download ratio>]
                         [-r <allow client host>[/<mask>][,<allow client host>[/<mask>]]...]
                         [-R <deny client host>[/<mask>][,<deny client host>[/<mask>]]...]
                         [-i <allow local host>[/<mask>][,<allow local host>[/<mask>]]...]
                         [-I <deny local host>[/<mask>][,<deny local host>[/<mask>]]...]
                         [-y <max number of concurrent sessions>]
                         [-z <hhmm>-<hhmm>] [-m]

Let's create "joe", whose home directory will be /home/ftpusers/joe . The
system account associated with "joe" is "ftpuser".

            pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe

Joe's password is asked twice.

With -d, joe will be chrooted. If you want to give joe access to the whole
filesystem, use -D instead of -d.

You don't need to create /home/ftpusers/joe if you run pure-ftpd with the
-j (--createhome) switch. With that switch, home directories will
automatically be created when users log in for the first time.

The "-z" option allows a user to connect only during a range of day time.
For instance, with -z 0900-1800, joe will only be able to connect from 09:00
to 18:00. Warning: a user that connected during authorized hours can
finish his session after these authorized hours.

-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.

-y is to restrict the number of concurrent sessions a user can have
at the same time. '' or 0 mean unlimited. Avoid this feature on very loaded
servers. Use per-ip limits instead.

Ok, "joe" has been created. By default, the list of virtual users is stored
in the /etc/pureftpd.passwd file (you can of course change this with -f
<file>).

Let's have a look at its content:

joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./:::::::::::::

Passwords are hashed with the best one-way hash function your system supports.
Hashes are tried in this order: Blowfish, MD5, multiple DES, simple DES.

       ------------------------ CHANGING INFO ------------------------

Once virtual users have been created, you can edit their info. For instance
you can add bandwidth throttling, change quotas, add their full name, update
ratio, etc.

The "pure-pw usermod" command works just like "pure-pw useradd" except that
it modifies an existing account instead of creating a new one.

For instance, we will add a quota to Joe. Joe should be limited to 1000
files and 10 Megabytes.

                      pure-pw usermod joe -n 1000 -N 10

Let's have a look at /etc/pureftpd.passwd:

joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./::::::1000:10485760::::::

As you can see, the size quota is stored in bytes in the file.

   ------------------------ RESETTING ATTRIBUTES ------------------------

To disable file quotas, use pure-pw usermod <user> -n ''
To disable size quotas, use pure-pw usermod <user> -N ''
To disable ratios, use pure-pw usermod <user> -q '' -Q ''
To disable download bandwidth throttling, use pure-pw usermod <user> -t ''
To disable upload bandwidth throttling, use pure-pw usermod <user> -T ''
To disable IP filtering, use pure-pw usermod <user> <-i,-I,-r or -R> ''
To disable time restrictions, use pure-pw usermod <user> -z ''
To disable the limit on concurrent sessions, use pure-pw usermod <user> -y ''

      ------------------------ DELETING USERS ------------------------

We won't delete Joe at this time. Joe is a fine guy. But FYI, deleting a
user is as simple as running "pure-pw userdel", whose syntax is:

         pure-pw userdel <login> [-f <passwd file>] [-m]

Deleting Joe would be:

                             pure-pw userdel joe

The content of his home directory is kept. Delete it by hand if you want.

    ------------------------ CHANGING PASSWORDS ------------------------

To change the password of a user, use "pure-pw passwd":

         pure-pw passwd <login> [-f <passwd file>] [-m]

      ------------------------ DISPLAYING INFO ------------------------

To review info about one user, reading the /etc/pureftpd.passwd file is ok,
but it's not really human-friendly.

That's why you can use "pure-pw show", whose syntax is:

         pure-pw show    <login> [-f <passwd file>]

Let's try with joe:

                              pure-pw show joe

Login              : joe
Password           : $1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.
UID                : 500 (ftpuser)
GID                : 101 (ftpgroup)
Directory          : /home/ftpusers/joe/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 1000 (enabled)
Max size           : 10 Mb (enabled)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs :
Denied  local  IPs :
Allowed client IPs : 192.168.0.0/16
Denied  client IPs : 192.168.1.1,blah.verybadhost.com
Time restrictions  : 0900-1800 (enabled)
Max sim sessions   : 0 (unlimited)

  "/./" at the end of a home directory means that this user will be chrooted.
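The record format described earlier (one colon-separated line per user) and the fields that "pure-pw show" decodes from it, as an added example that is not part of the Pure-FTPd README: a small Python parser for one pureftpd.passwd line, which also evaluates the client-IP (-r/-R) and time (-z) restrictions for a candidate session. The deny-over-allow precedence and the skipping of host-name entries are assumptions made here, not documented server behaviour; the sample record is constructed from joe's line on the page.

```python
# Added example, not from the Pure-FTPd README: decode one pureftpd.passwd
# record the way "pure-pw show" presents it, then evaluate the per-user
# client-IP and time-of-day restrictions. Assumptions: deny wins over allow,
# and only numeric IP / IP-mask entries are matched (host names are skipped).
import ipaddress

FIELDS = (
    "account", "password", "uid", "gid", "gecos", "home",
    "upload_bw", "download_bw", "upload_ratio", "download_ratio",
    "max_connections", "files_quota", "size_quota",
    "allowed_local_ips", "denied_local_ips",
    "allowed_client_ips", "denied_client_ips", "time_restrictions",
)
REQUIRED = ("account", "password", "uid", "gid", "home")

class VirtualUser:
    def __init__(self, line: str) -> None:
        parts = line.rstrip("\n").split(":")
        # pure-pw writes one extra trailing field after the 18 named ones;
        # anything past the named fields is tolerated but not mapped
        if len(parts) < len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
        self.raw = dict(zip(FIELDS, parts))
        missing = [f for f in REQUIRED if not self.raw[f]]
        if missing:
            raise ValueError("mandatory field(s) empty: " + ", ".join(missing))

    @property
    def chrooted(self) -> bool:
        # "/./" at the end of the home directory means the user is chrooted
        return self.raw["home"].endswith("/./")

    @property
    def files_quota(self):
        q = self.raw["files_quota"]
        return int(q) if q else None

    @property
    def size_quota_mb(self):
        # the text file stores the size quota in bytes; pure-pw shows Mbytes
        q = self.raw["size_quota"]
        return int(q) / 1048576 if q else None

def _matches(ip: str, entries: str) -> bool:
    """True if ip falls in any numeric IP or IP/mask entry of the comma list."""
    addr = ipaddress.ip_address(ip)
    for entry in filter(None, entries.split(",")):
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # host name entry: not matchable offline, skipped (assumption)
    return False

def client_allowed(user: VirtualUser, client_ip: str) -> bool:
    """Apply the -r (allow) and -R (deny) client lists; deny wins (assumption)."""
    allow, deny = user.raw["allowed_client_ips"], user.raw["denied_client_ips"]
    if allow and not _matches(client_ip, allow):
        return False
    return not _matches(client_ip, deny)

def time_allowed(user: VirtualUser, hhmm: int) -> bool:
    """-z 0900-1800 style window: login permitted only inside it (inclusive)."""
    window = user.raw["time_restrictions"]
    if not window:
        return True
    start, end = (int(x) for x in window.split("-"))
    return start <= hhmm <= end

# Constructed sample record: joe from the page, with the quota, client-IP and
# time-restriction fields filled in to match the "pure-pw show joe" output.
JOE = ("joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./"
       "::::::1000:10485760:::192.168.0.0/16:192.168.1.1,blah.verybadhost.com"
       ":0900-1800:")
```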

     ------------------------ COMMITTING CHANGES ------------------------

IMPORTANT:

You can add, modify and delete users with the previous commands, or by
editing /etc/pureftpd.passwd by hand. But the FTP server won't consider the
changes you make to that file, until you commit them.

Committing changes really means that a new file is created from
/etc/pureftpd.passwd (or whatever file name you choose). That new file is a
PureDB file. It contains exactly the same info as the other file. But in
that file, accounts are sorted and indexed for faster access, even with
thousands of accounts. PureDB files are binary files, don't try to view them
or your terminal will beep like hell.

Let's create a PureDB file from /etc/pureftpd.passwd. The indexed file will
be called /etc/pureftpd.pdb (as always, choose whatever name you like):

                                pure-pw mkdb

This reads /etc/pureftpd.passwd and creates /etc/pureftpd.pdb by default; to
use other files, give the pdb file name, optionally followed by -f <passwd file>.

For instance:

  pure-pw mkdb /etc/accounts/myaccounts.pdb -f /etc/accounts/myaccounts.txt

All modifications you made to the virtual users database will be committed
atomically: all new accounts will be activated at the same time and all
deleted users won't be able to log in as soon as you've hit the Return
key.

There's no need to restart the pure-ftpd server to commit changes.

You can also change something in the text passwords file (add users, change
password, delete users, etc) and automatically run
"pure-pw mkdb /etc/pureftpd.pdb" afterwards. To do so, just use the -m
switch:

pure-pw passwd joe -m

This command will change Joe's password in pureftpd.passwd *and* commit the
change to /etc/pureftpd.pdb .

  ------------------------ ENABLING VIRTUAL USERS ------------------------

Of course, to use virtual users, you have to enable their support in the FTP
server itself. At compile-time, this is done by giving --with-puredb to
./configure (--with-everything also enables it and binary packages have it
compiled in).

Then, add this switch to your usual pure-ftpd switches:

-l puredb:/path/to/puredb_file

If long options are enabled, you can also use --login instead of -l .

Let's run the server with automatic creation of home directories and puredb
authentication:

/usr/local/sbin/pure-ftpd -j -lpuredb:/etc/pureftpd.pdb &

Try to 'ftp localhost' and log in as joe.

------------------------ CONVERTING SYSTEM ACCOUNTS ------------------------

You can convert all system (/etc/passwd) accounts to virtual FTP users, with
the "pure-pwconvert" tool.

Just run it:

                    pure-pwconvert >> /etc/pureftpd.passwd

If you do it as a non-privileged user, passwords won't be filled in. If you
do it as root, everything will be copied, even hashed passwords.

Copying system accounts to FTP accounts makes sense, because that way, users
can use different passwords for FTP and for Telnet access.

  ------------------------ ENVIRONMENT VARIABLES ------------------------

If defined, a PURE_PASSWDFILE environment variable can set the default path
to the pureftpd.passwd file. Without this variable, it defaults to
/etc/pureftpd.passwd .

If defined, a PURE_DBFILE environment variable can set the default path
to the pureftpd.pdb file. Without this variable, it defaults to
/etc/pureftpd.pdb .
