1) Create the local user account - vftp
useradd -m -d /home/ftproot -s /sbin/nologin vftp
passwd -l vftp
2) Create the virtual users
mkdir /etc/vsftpd/vftp
chmod 700 /etc/vsftpd/vftp; cd /etc/vsftpd/vftp
users.txt (one user name per line, followed by its password on the next line; this alternating key/value layout is what db_load -T expects)
vuser1
pw1
vuser2
pw2
db_load -T -t hash -f /etc/vsftpd/vftp/users.txt /etc/vsftpd/vftp/users.db
Note: db_load ships with the Berkeley DB utilities (libdb-utils on RHEL/CentOS, db-util on Debian/Ubuntu). Both users.txt and the generated users.db hold the passwords in plaintext, so keep them readable by root only: the directory is already mode 700, and chmod 600 on users.db is a good habit.
3) Configure PAM for the virtual users
/etc/pam.d/vsftpd.vftp
auth    required pam_userdb.so db=/etc/vsftpd/vftp/users
account required pam_userdb.so db=/etc/vsftpd/vftp/users
session required pam_loginuid.so
Note: db= takes the path without the .db suffix; pam_userdb appends it. As written, the values in users.db are compared as plaintext; to store crypt(3) hashes instead, add crypt=crypt to both pam_userdb lines.
4) Create the virtual user's home directory
mkdir /home/ftproot/vuser1
chown vftp: /home/ftproot/vuser1
5) Configure vsftpd
/etc/vsftpd/vsftpd.conf
# Listen on IPv4 only, port 2121/tcp
listen=YES
listen_ipv6=NO
listen_port=2121
# PASV Mode Settings
pasv_enable=YES
pasv_min_port=9001
pasv_max_port=9100
pasv_addr_resolve=YES
pasv_address=ftp.datahunter.org
# This must be enabled for any non-anonymous login to work, including virtual users
local_enable=YES
anonymous_enable=NO
# Chroot Settings
chroot_local_user=YES
allow_writeable_chroot=YES
# Virtual user settings
guest_enable=YES
pam_service_name=vsftpd.vftp
guest_username=vftp
virtual_use_local_privs=YES
user_sub_token=$USER
local_root=/home/ftproot/$USER
userlist_enable=NO
# Write
write_enable=YES
local_umask=027
# Log (vsftpd logs via syslog so rsyslog can feed fail2ban)
syslog_enable=YES
# Resource
max_clients=8
reverse_lookup_enable=NO
idle_session_timeout=300
# Other
hide_ids=YES
delay_failed_login=5
dirmessage_enable=YES
use_localtime=YES
banner_file=/etc/vsftpd/banner.txt
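The five steps above as one script, added here by the editor rather than taken from the page. Every path is a parameter so it can be dry-run in a scratch directory as a non-root user; the `name:password` input format and the `upload/` subdirectory are this script's own conventions, not vsftpd's. It also changes one thing from step 4: the per-user directory that becomes the chroot root is kept read-only and owned by root, and a writable `upload/` subdirectory is created inside it, so `allow_writeable_chroot=YES` is no longer required.

```shell
#!/bin/sh
# Added example (editor's own, not from the page): provision vsftpd virtual users.
# Assumptions: input is "name:password" lines (one per user); db_load comes from
# the Berkeley DB tools; every path is a parameter so the script can be dry-run.
set -eu

# Turn "name:password" lines into the alternating name/password layout that
# `db_load -T -t hash` reads: name on one line, its password on the next.
build_users_txt() {          # $1 = name:password file, $2 = users.txt to write
    : > "$2"
    chmod 600 "$2"           # plaintext passwords: root-only from the start
    while IFS=: read -r name pw; do
        [ -n "$name" ] || continue
        case "$name" in \#*) continue ;; esac
        printf '%s\n%s\n' "$name" "$pw" >> "$2"
    done < "$1"
}

# User names in a users.txt are the odd-numbered lines.
list_users() {               # $1 = users.txt
    awk 'NR % 2 == 1' "$1"
}

# Compile users.txt into the users.db that pam_userdb opens (db= without .db).
make_users_db() {            # $1 = users.txt, $2 = users.db
    if ! command -v db_load >/dev/null 2>&1; then
        echo "db_load not found (libdb-utils on RHEL, db-util on Debian); skipping" >&2
        return 2
    fi
    db_load -T -t hash -f "$1" "$2"
    chmod 600 "$2"
}

# Per-user chroot directory: the root itself is owned by root and not writable,
# with a writable upload/ subdirectory owned by the guest user (vftp). vsftpd
# then accepts the chroot without allow_writeable_chroot=YES.
make_vuser_home() {          # $1 = ftp root, $2 = virtual user, $3 = guest_username
    home="$1/$2"
    mkdir -p "$home/upload"
    chmod 555 "$home"
    chmod 750 "$home/upload"
    if [ "$(id -u)" -eq 0 ] && id "$3" >/dev/null 2>&1; then
        chown root:"$3" "$home"
        chown "$3":"$3" "$home/upload"
    else
        echo "dry run: not root or user $3 missing, skipping chown of $home" >&2
    fi
}

# True when the layout matches what make_vuser_home produces.
check_vuser_home() {         # $1 = ftp root, $2 = virtual user
    home="$1/$2"
    [ "$(ls -ld "$home" | cut -c1-10)" = "dr-xr-xr-x" ] && [ -d "$home/upload" ]
}

# Typical use on the real host (as root):
#   build_users_txt /root/vusers.list /etc/vsftpd/vftp/users.txt
#   make_users_db   /etc/vsftpd/vftp/users.txt /etc/vsftpd/vftp/users.db
#   for u in $(list_users /etc/vsftpd/vftp/users.txt); do
#       make_vuser_home /home/ftproot "$u" vftp
#   done
```

With this layout, vuser1 lands in /home/ftproot/vuser1 (read-only listing) and uploads into /home/ftproot/vuser1/upload, and allow_writeable_chroot can be set back to NO in vsftpd.conf.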
Notes on the options
guest_enable
If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user named in guest_username (here vftp), so every virtual user runs with vftp's uid/gid on the filesystem; virtual_use_local_privs=YES then gives them the privileges of a local user (write_enable, local_umask) rather than the more restrictive anonymous defaults.
userlist_enable
If enabled, vsftpd loads a list of usernames from the file named by userlist_file. With userlist_deny=YES (the default), a user whose name is in that file is denied before being asked for a password. It is disabled here because access is controlled by the PAM user database instead.
local_root
A directory vsftpd will try to change into after a local (i.e. non-anonymous) login. With chroot_local_user=YES this directory also becomes the chroot root.
user_sub_token
Used together with local_root to generate a per-user directory from a template: $USER is replaced by the login name, so vuser1 ends up in /home/ftproot/vuser1. This option also takes effect if local_root contains user_sub_token.
chroot_local_user / allow_writeable_chroot
vsftpd 2.3.5 and later refuse a session whose chroot root is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). allow_writeable_chroot=YES overrides that check, and is needed here because step 4 makes the user's root directory owned by vftp. The safer layout is to keep the per-user root owned by root (mode 555 or 755) and give the user a writable subdirectory inside it, which makes allow_writeable_chroot unnecessary.
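A static check of a vsftpd.conf against the options explained above, added here as an editor's example; it is neither the page's code nor a vsftpd tool. The defaults passed to conf_get are vsftpd's compiled-in defaults for keys the file leaves unset. The ssl_enable check goes beyond the page's own configuration, which has no TLS, but password-authenticated virtual users without it send their passwords in cleartext.

```shell
#!/bin/sh
# Added example (editor's own, not from the page): static audit of a vsftpd.conf
# for the virtual-user plumbing and hardening settings discussed on this page.
set -eu

# Last value of key=value in the file, or the supplied vsftpd default when absent.
conf_get() {            # $1 = conf file, $2 = key, $3 = default
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print one FINDING line per problem; return the number of findings (0 = clean).
audit_vsftpd_conf() {   # $1 = conf file
    f=$1; n=0
    flag() { printf 'FINDING: %s\n' "$1"; n=$((n + 1)); }

    # Virtual-user plumbing: guest_enable needs guest_username and local_enable=YES,
    # and local_root=/.../$USER needs user_sub_token=$USER.
    if [ "$(conf_get "$f" guest_enable NO)" = "YES" ]; then
        [ -n "$(conf_get "$f" guest_username '')" ] || flag "guest_enable=YES without guest_username"
        [ "$(conf_get "$f" local_enable NO)" = "YES" ] \
            || flag "guest_enable=YES but local_enable is not YES (virtual logins will fail)"
    fi
    case "$(conf_get "$f" local_root '')" in
        *'$USER'*) [ "$(conf_get "$f" user_sub_token '')" = '$USER' ] \
                       || flag 'local_root uses $USER but user_sub_token is not $USER' ;;
    esac

    # Hardening items (defaults are vsftpd's compiled-in defaults).
    [ "$(conf_get "$f" anonymous_enable YES)" = "NO" ] || flag "anonymous_enable is not NO"
    [ "$(conf_get "$f" chroot_local_user NO)" = "YES" ] \
        || flag "chroot_local_user is not YES (users can browse the whole filesystem)"
    [ "$(conf_get "$f" allow_writeable_chroot NO)" = "NO" ] \
        || flag "allow_writeable_chroot=YES: keep the chroot root read-only and give users a writable subdirectory instead"
    [ "$(conf_get "$f" ssl_enable NO)" = "YES" ] \
        || flag "ssl_enable is not YES: virtual-user passwords cross the network in cleartext"
    if [ "$(conf_get "$f" pasv_enable YES)" = "YES" ]; then
        min=$(conf_get "$f" pasv_min_port 0); max=$(conf_get "$f" pasv_max_port 0)
        { [ "$min" -gt 0 ] && [ "$max" -ge "$min" ]; } \
            || flag "pasv_enable=YES without a bounded pasv_min_port..pasv_max_port range (cannot be firewalled)"
    fi
    return "$n"
}

# Usage on the real host:
#   audit_vsftpd_conf /etc/vsftpd/vsftpd.conf; echo "findings: $?"
```

Run against the configuration in step 5, this reports exactly two findings: allow_writeable_chroot=YES and the missing ssl_enable=YES.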