1.vim /etc/sysconfig/iptables
-A INPUT -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
-A INPUT -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
2.vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
3.vim /etc/sysconfig/vsftpd.conf
ssl_enable=YES
ssl_ciphers=AES128-SHA
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
max_clients=50
max_per_ip=5
use_localtime=yes
ftpd_banner=Welcome.
dual_log_enable=YES
pasv_min_port=65400
pasv_max_port=65410
4.生成vsftpd.pem
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make vsftpd.pem
----- ....(前面省略)....
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Tainan
Organization Name (eg, company) [Default Company Ltd]:KSU
Organizational Unit Name (eg, section) []:DIC
Common Name (eg, your name or your server's hostname) []:www.centos.vbird
Email Address []:root@www.centos.vbird
[root@www certs]# cp -a vsftpd.pem /etc/vsftpd/
[root@www certs]# ll /etc/vsftpd/vsftpd.pem
-rw-------. 1 root root 3116 2011-08-08 16:52 /etc/vsftpd/vsftpd.pem
# 要注意一下權限喔!
5.selinux
[root@www ~]# setsebool -P ftp_home_dir=1
6.chkconfig
chkconfig vsftpd on
7.添加用户
useradd -d /home/wwwroot/ftpuser -g ftp -s /sbin/nologin ftpuser
8.restart
service vsftpd restart
service iptables restart
注:
指定ssl_ciphers=AES128-SHA很重要,否则不能正确读取证书
证书及证书所在目录的权限也可能造成读取证书问题。
参考:
http://linux.vbird.org/linux_server/0410vsftpd.php
http://www.centos.bz/2011/03/centos-install-vsftpd-ftp-server/
http://www.centos.bz/category/ftp/vsftpd-ftp/
http://www.cmdsir.com/linux/centos6-3-vsftp-ssl.cgi
