一、安装 pure-ftp
yum install -y epel-release
yum install -y pure-ftpd
二、配置 pure-ftp
1、创建 ftp 系统用户
useradd ftp -s /sbin/nologin
2、配置FTP存储根目录
mkdir /data/ftp
chown -R ftp.ftp /data/ftp/
3、编辑 pure-ftp 配置文件
编辑 pure-ftp 配置文件 /etc/pure-ftpd/pure-ftpd.conf 部分参数如下:
PureDB /etc/pure-ftpd/pureftpd.pdb
ChrootEveryone yes
CreateHomeDir yes
BrokenClientsCompatibility yes
DisplayDotFiles no
CustomerProof yes
PassivePortRange 30000 50000
ForcePassiveIP 192.168.1.100
AnonymousOnly no
NoAnonymous yes
AnonymousCantUpload yes
AnonymousCanCreateDirs yes
AllowUserFXP no
AllowAnonymousFXP no
SyslogFacility none
4、创建 ftp 虚拟用户
mkdir /data/ftp/aaa
chown -R ftp.ftp /data/ftp/aaa/
pure-pw useradd aaa -u ftp -d /data/ftp/aaa/
pure-pw mkdb
pure-pw list
5、启动 pure-ftp 服务
systemctl start pure-ftpd.service
systemctl enable pure-ftpd.service
systemctl enable --now pure-ftpd.service
6、使用客户端测试连接
使用 Windows 或 Linux 客户端登录 FTP 测试服务是否正常。
三、配置文件 /etc/pure-ftpd/pure-ftpd.conf 完整参数说明
############################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
############################################################
# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.shtml for a complete list of
# options.
# Cage in every user in his home directory
# 锁定所有用户到家目录中
ChrootEveryone yes
# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# 信任组ID100,可以不锁定
# TrustedGID 100
# Turn on compatibility hacks for broken clients
# 兼容不同客户端
BrokenClientsCompatibility no
# Maximum number of simultaneous users
# 最大的客户端数量
MaxClientsNumber 50
# Fork in background
# 后台运行
Daemonize yes
# Maximum number of sim clients with the same IP address
# 每个ip最大连接数
MaxClientsPerIP 8
# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
# 记录日志
VerboseLog no
# List dot-files even when the client doesn't send "-a".
# 显示隐藏文件
DisplayDotFiles no
# Don't allow authenticated users - have a public anonymous FTP only.
# 只允许匿名用户访问
AnonymousOnly no
# Disallow anonymous connections. Only allow authenticated users.
# 不允许匿名用户
NoAnonymous yes
# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
# 设置日志的告警级别,默认为ftp,none是禁止记录日志
SyslogFacility ftp
# Display fortune cookies
# 定制用户登陆后的显示信息
# FortunesFile /usr/share/fortune/zippy
# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
# 是否在日志文件中进行主机名解析,不进行客户端DNS解析
DontResolve yes
# Maximum idle time in minutes (default = 15 minutes)
# 最大空闲时间
MaxIdleTime 30
# LDAP configuration file (see README.LDAP)
# LDAP 配置文件路径
# LDAPConfigFile /etc/pureftpd-ldap.conf
# MySQL configuration file (see README.MySQL)
# MySQL 配置文件路径
MySQLConfigFile /usr/local/pureftpd/etc/pureftpd-mysql.conf
# Postgres configuration file (see README.PGSQL)
# Postgres 配置文件路径
# PGSQLConfigFile /etc/pureftpd-pgsql.conf
# PureDB user database (see README.Virtual-Users)
# PureDB 用户数据库路径
PureDB /usr/local/pureftpd/etc/pureftpd.pdb
# Path to pure-authd socket (see README.Authentication-Modules)
# pure-authd 的socket 路径
# ExtAuth /var/run/ftpd.sock
# If you want to enable PAM authentication, uncomment the following line
# 如果你要启用 PAM 认证方式, 去掉下面行的注释
# PAMAuthentication yes
# If you want simple Unix (/etc/passwd) authentication, uncomment this
# 如果你要启用 简单的 Unix系统 认证方式(/etc/passwd), 去掉下面行的注释
# UnixAuthentication yes
# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.
# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
# 'ls' 命令的递归限制。第一个参数给出文件显示的最大数目。第二个参数给出最大的子目录深度。
LimitRecursion 10000 8
# Are anonymous users allowed to create new directories ?
# 是否允许匿名用户创建新目录
AnonymousCanCreateDirs no
# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
# 超出负载后禁止下载
MaxLoad 4
# Port range for passive connections replies. - for firewalling.
# 被动模式的端口范围
# PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# 强制一个IP地址使用被动响应
# ForcePassiveIP 192.168.0.1
# Upload/download ratio for anonymous users.
# 匿名用户的上传/下载的比率
# AnonymousRatio 1 10
# Upload/download ratio for all users.
# This directive superscedes the previous one.
# 所有用户的上传/下载的比率
# UserRatio 1 10
# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
# 禁止下载匿名用户上传但未经验证的文件
AntiWarez yes
# IP address/port to listen to (default=all IP and port 21).
# 服务监听的IP 地址和端口。(默认是所有IP地址和21端口)
# Bind 127.0.0.1,21
# Maximum bandwidth for anonymous users in KB/s
# 匿名用户带宽限制(KB)
# AnonymousBandwidth 8
# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# 所有用户的最大带宽(KB/s),包括匿名用户。
UserBandwidth 1024
# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
# 新建目录及文件的属性掩码值
Umask 133:022
# Minimum UID for an authenticated user to log in.
# 认证用户允许登陆的最小组ID(UID)
MinUID 100
# Allow FXP transfers for authenticated users.
# 仅允许认证用户进行 FXP 传输。
AllowUserFXP no
# Allow anonymous FXP for anonymous and non-anonymous users.
# 对匿名用户和非匿名用户允许进行匿名 FXP 传输
AllowAnonymousFXP no
# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
# 不能删除/写入隐藏文件
ProhibitDotFilesWrite no
# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
# 禁止读取隐藏文件
ProhibitDotFilesRead no
# Never overwrite files. When a file whose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
# 有同名文件时自动重新命名
AutoRename no
# Disallow anonymous users to upload new files (no = upload is allowed)
# 不允许匿名用户上传文件
AnonymousCantUpload no
# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
# 仅允许来自以下IP地址的非匿名用户连接。你可以使用这个指令来打开几个公网IP来提供匿名FTP,
# 而保留一个私有的防火墙保护的IP来进行远程管理。你还可以只允许一内网地址进行认证,而在另外
# 一个IP上提供纯匿名的FTP服务。
#
#TrustedIP 10.1.1.1
# If you want to add the PID to every logged line, uncomment the following
# line.
# 如果你要为日志每一行添加 PID 去掉下面行的注释
#LogPID yes
# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# 使用类似于Apache的格式创建一个额外的日志文件
# AltLog clf:/var/log/pureftpd.log
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# 使用优化过的格式为统计报告创建一个额外的日志文件
# AltLog stats:/var/log/pureftpd.log
# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# 使用标准的W3C格式创建一个额外的日志文件
# AltLog w3c:/var/log/pureftpd.log
# Disallow the CHMOD command. Users can't change perms of their files.
# 不接受 CHMOD 命令。用户不能更改他们文件的属性
#NoChmod yes
# Allow users to resume and upload files, but *NOT* to delete them.
# 允许用户恢复和上传文件,却不允许删除他们
#KeepAllFiles yes
# Automatically create home directories if they are missing
# 用户主目录不存在的话,自动创建
CreateHomeDir yes
# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
# 限制用户可以创建的最大文件数和用户空间大小
Quota 10000:10240
# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
# PID文件位置
#PIDFile /var/run/pure-ftpd.pid
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.
# 如果你的 pure-ftpd 编译时加入了 pure-uploadscript 支持,这个指令将会使 pure-ftpd
# 发送关于新上传的情况信息到 /var/run/pure-ftpd.upload.pipe,这样 pure-uploadscript
# 就能读然后调用一个脚本去处理新的上传
#
#CallUploadScript yes
# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
# 文件所在磁盘的最大使用率
MaxDiskUsage 99
# Set to 'yes' if you don't want your users to rename files.
# 是否允许重命名文件(默认不允许)
#NoRename yes
# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
# 打开以防止用户犯常识性错误
CustomerProof yes
# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# 单个用户限制:每一个用户最大允许的进程;最大的匿名用户进程
# PerUserLimits 3:20
# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediatly switch to the new one as soon as the full file will have been
# transfered. This option is incompatible with virtual quotas.
# NoTruncate yes
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
# TLS 1
# List of ciphers that will be accepted for SSL/TLS connections
# Prefix with -S: in order to totally disable SSL but not TLS.
# TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.
# IPV4Only yes
# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.
# IPV6Only yes
# UTF-8 support for file names (RFC 2640)
# Define charset of the server filesystem and optionnally the default charset
# for remote clients if they don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640
# FileSystemCharset big5
# ClientCharset big5