
Installing an all-in-one server on FreeBSD 5.4, v1.01 (dns, ftp, apache, qmail)

Published: 2006-08-25 00:35:48  Source: 红联  Author: pkncoin
Note: the qmail part is not published for now.
Revision note: this revision mainly adds explanatory text, especially for the FTP server.
Copyright note: in the spirit of open source, feel free to repost; I also hope nobody monopolises the technique.
Author: 曹海波 (b.s.d)
Strong recommendation: install src and ports when you install the system.
Reason: in my tests it speeds up syncing src and ports later.

setenv PACKAGEROOT "ftp://ftp.jp.freebsd.org"
Set the environment variable so that pkg_add -r fetches binary packages from a faster mirror.
pkg_add -r cvsup-without-gui
Download and install the cvsup-without-gui binary package (cvsup without graphical support; it works in text mode and is used to sync the source tree and the ports tree).

Edit /etc/rc.conf:
ee /etc/rc.conf

Add the following (to stop sendmail):
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

mkdir /usr/home/chb/pkg_info
reboot
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_cvsup-without-gui.txt
(This records the installed packages so that the dependencies between packages can be analysed later.)


####Sync the system source#######

cvsup -g -L 2 -h cvsup.jp.FreeBSD.org /usr/share/examples/cvsup/standard-supfile
(Note: before syncing with standard-supfile, always check that its contents are correct, i.e. the line
*default release=cvs tag=
By default it may sync the source to the newest version, and that newest version may be -CURRENT, so the tag must be specified!
My setting is:
*default release=cvs tag=RELENG_5_4
which means: sync to the current stable source of FreeBSD 5.4.
Another thing worth noting: there are currently two files to choose from for syncing the source:
1. stable-supfile
2. standard-supfile

stable-supfile normally already specifies the source version to sync, so it usually needs no change. But users of FreeBSD 5.2.1 should be careful, because on 5.2.1 it syncs the source to the newest version of the 4.x series; I never understood why the FreeBSD developers did it this way. If you sync without editing it first, at best some software stops working, at worst you get kernel errors and cannot boot the system at all. I have been through that myself.

standard-supfile: I think it is best to check the part about the source version before syncing.

As for why I chose standard-supfile rather than stable-supfile: it took me N reinstalls before settling on standard-supfile.

After logging in, run uname -v to see the system version; you will find that a system synced with standard-supfile shows
FreeBSD 5.4-RELEASE-p4 #0: Sat Jul 16 09:29:22 CST 2005 chb@ns1.tjhaina.net:/usr/obj/usr/src/sys/GENERIC
Note the 5.4-RELEASE-p4 here; with stable-supfile the p4 does not appear!
Of course this is only my personal practice.
)
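As an added example, not part of the original article: a small Python script that reads the "*default release=cvs tag=" line of a supfile and refuses to go ahead when the tag is missing, is "." (which cvsup reads as CVS HEAD, i.e. -CURRENT) or differs from the branch you intend to track. The supfile excerpts are constructed for the example; RELENG_5_4 is the tag the note above uses.

```python
"""Check a cvsup supfile's release tag before running cvsup against it."""
import re

# Constructed supfile excerpt (not a file from the article) standing in for
# /usr/share/examples/cvsup/standard-supfile after editing.
PINNED_SUPFILE = """\
*default host=cvsup.jp.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_5_4
*default delete use-rel-suffix
src-all
"""
# The same file with the tag left at '.', which is CVS HEAD, i.e. -CURRENT.
CURRENT_SUPFILE = PINNED_SUPFILE.replace("tag=RELENG_5_4", "tag=.")

TAG_LINE = re.compile(r"^\*default\s+release=cvs\s+tag=(\S+)")


def default_tag(supfile_text):
    """Return the tag from the '*default release=cvs tag=...' line, or None."""
    for line in supfile_text.splitlines():
        m = TAG_LINE.match(line.strip())
        if m:
            return m.group(1)
    return None


def check_tag(supfile_text, expected):
    """Decide whether it is safe to run cvsup with this supfile.

    Returns (ok, reason). Only an exact match with the branch you intend to
    track is accepted; '.' selects -CURRENT, the mistake the note above warns
    about.
    """
    tag = default_tag(supfile_text)
    if tag is None:
        return False, "no '*default release=cvs tag=' line found"
    if tag == ".":
        return False, "tag=. selects -CURRENT (CVS HEAD); refusing to sync"
    if tag != expected:
        return False, f"tag={tag} does not match the expected {expected}"
    return True, f"tag={tag} ok"


if __name__ == "__main__":
    for name, text in (("pinned", PINNED_SUPFILE), ("current", CURRENT_SUPFILE)):
        ok, reason = check_tag(text, "RELENG_5_4")
        print(f"{name}: {'OK' if ok else 'REFUSED'} - {reason}")
```

Run it against the real file with the path to the supfile you are about to pass to cvsup; only run cvsup when check_tag returns True.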
reboot



####Build world and kernel#######
cd /usr/src
make -j4 buildworld
Multi-threaded build to speed up compilation (note: CPU usage will go up).
cd /usr/src/sys/i386/conf
cp GENERIC /root/GENERIC.OLD
ee NS1
Edit the kernel configuration.
cd /usr/src
make buildkernel
Build the kernel.
make installkernel
Install the kernel.
shutdown -r now

mergemaster -p
Update the system configuration files. This command is followed by several prompts; read them carefully before answering. If this is the first source sync after installing the system and no software has been installed yet, you can consider running mergemaster -ai,
which skips the questions and updates everything.
cd /usr/src
make installworld
mergemaster
shutdown -r now

Delete /usr/obj (so that it does not interfere with the next kernel build):
cd /usr/obj
chflags -R noschg *
rm -rf *

##Sync the ports tree######
cvsup -g -L 2 -h cvsup.jp.FreeBSD.org /usr/share/examples/cvsup/ports-supfile
reboot




DNS server

####Configure bind 9.3.1######

%%%%%%%%%%%%%Create the forward and reverse zone directories%%%%%%%%%%%%%

mkdir /etc/namedb/rev
mkdir /etc/namedb/hosts

%%%%%%%%%%%%%Change ownership and permissions of the zone directories%%%%%%%%%%%%%

chown bind:bind /etc/namedb/rev
chown bind:bind /etc/namedb/hosts
chmod 750 /etc/namedb/rev
chmod 750 /etc/namedb/hosts
%%%%%%%%%%%%%Generate the example zone files%%%%%%%%%%%%%
cd /etc/namedb
sh make-localhost
%%%%%%%%%%%%%Create the forward and reverse zone files from the examples%%%%%%%%%%%%%
cp /etc/namedb/master/localhost.rev /etc/namedb/rev/192.168.0.rev
cp /etc/namedb/master/localhost.rev /etc/namedb/hosts/tjhaina.net.hosts



%%%%%%%%%%%%%Configure the zones served by the DNS server%%%%%%%%%%%%%
ee /etc/namedb/named.conf

zone "0.168.192.IN-ADDR.ARPA" {
        type master;
        file "/etc/namedb/rev/192.168.0.rev";
};
zone "tjhaina.net" {
        type master;
        file "/etc/namedb/hosts/tjhaina.net.hosts";
};


%%%%%%%%%%%%%Set up the reverse zone file%%%%%%%

ee /etc/namedb/rev/192.168.0.rev

$TTL 3600

@       IN SOA  ns1.tjhaina.net. root.ns1.tjhaina.net. (
                20050430        ; Serial
                3600            ; Refresh
                900             ; Retry
                3600000         ; Expire
                3600 )          ; Minimum
        IN NS   ns1.tjhaina.net.        ; blank owner: inherits @ from the SOA line
205     IN PTR  ns1.tjhaina.net.
205     IN PTR  www.tjhaina.net.

205 is the host part of your IP address.
(Add reverse PTR records. Note: it is not recommended to add PTR records for every domain and subdomain.)



%%%%%%%%%%%%%Set up the forward zone file%%%%%%%

ee /etc/namedb/hosts/tjhaina.net.hosts


$TTL 3600

@       IN SOA  ns1.tjhaina.net. root.ns1.tjhaina.net. (
                20050621        ; Serial
                3600            ; Refresh
                900             ; Retry
                3600000         ; Expire
                3600 )          ; Minimum
        IN NS   ns1.tjhaina.net.        ; blank owner: inherits @ from the SOA line
ns1     IN A    192.168.0.205
www     IN A    192.168.0.205
mail    IN A    192.168.0.205
tjhaina.net.    IN MX 10 mail.tjhaina.net.    ; trailing dot: without it the name is relative to the zone origin

(Note: to add an MX record, first create an A record for mail, then add the MX record. The rule for MX records is that your domain points at your mail subdomain. There are other ways of adding it; look up the relevant documentation yourselves.)
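As an added example, not part of the original article: the Python script below parses the two zone files above (embedded as constructed copies) with the same name rules BIND applies ("@" is the origin, a trailing dot means absolute, anything else is relative to the origin), then checks that every PTR record in the reverse zone points at a name whose A record carries that address, and that the MX target has an A record, which is the rule the note above gives. It also shows what the trailing dot on the MX target is for: without it BIND reads the name as relative, so it becomes mail.tjhaina.net.tjhaina.net. and the check reports it. The parser covers only the record syntax used on this page and is an illustration, not a replacement for BIND's own named-checkzone.

```python
"""Consistency checks over the forward and reverse zone files above."""

FORWARD_ORIGIN = "tjhaina.net."
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."

# Constructed copies of the two zone files from the article, embedded so the
# script runs offline. The leading whitespace on the NS lines is significant.
FORWARD_ZONE = """\
$TTL 3600
@ IN SOA ns1.tjhaina.net. root.ns1.tjhaina.net. (
        20050621 ; Serial
        3600 ; Refresh
        900 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS ns1.tjhaina.net.
ns1 IN A 192.168.0.205
www IN A 192.168.0.205
mail IN A 192.168.0.205
tjhaina.net. IN MX 10 mail.tjhaina.net.
"""
REVERSE_ZONE = """\
$TTL 3600
@ IN SOA ns1.tjhaina.net. root.ns1.tjhaina.net. (
        20050430 ; Serial
        3600 ; Refresh
        900 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS ns1.tjhaina.net.
205 IN PTR ns1.tjhaina.net.
205 IN PTR www.tjhaina.net.
"""

# Index of the rdata field that is a domain name and must be qualified.
NAME_FIELD = {"NS": 0, "PTR": 0, "CNAME": 0, "MX": 1}

def qualify(name, origin):
    """'@' is the origin, a trailing dot is absolute, anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal parser for the syntax used above ($TTL, a parenthesised SOA and
    one-line records). Returns a list of (owner, type, rdata) tuples."""
    records, owner, buf, depth, inherit = [], origin, "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # strip comments
        if not line.strip():
            continue
        if depth == 0:
            inherit = raw[0].isspace()           # blank owner: reuse previous
            buf = line
        else:
            buf += " " + line                    # continuation inside ( ... )
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        tokens = buf.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            continue                             # $TTL and similar directives
        if not inherit:
            owner = qualify(tokens.pop(0), origin)
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = qualify(rdata[NAME_FIELD[rtype]], origin)
        records.append((owner, rtype, rdata))
    return records

def ptr_owner_to_ip(owner):
    """'205.0.168.192.in-addr.arpa.' -> '192.168.0.205'"""
    labels = owner.rstrip(".").split(".")[:-2]   # drop in-addr.arpa
    return ".".join(reversed(labels))

def check_zones(forward, reverse):
    """Report PTR records whose target lacks an A record for that address, and MX targets without any A record."""
    a_records = {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    problems = []
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            ip = ptr_owner_to_ip(owner)
            if ip not in a_records.get(rdata[0], set()):
                problems.append(f"PTR {ip} -> {rdata[0]} has no matching A record")
    for owner, rtype, rdata in forward:
        if rtype == "MX" and rdata[1] not in a_records:
            problems.append(f"MX {owner} -> {rdata[1]} has no A record")
    return problems

def check_article_zones(forward_text=FORWARD_ZONE, reverse_text=REVERSE_ZONE):
    """Parse both zones and return the list of problems (empty when consistent)."""
    return check_zones(parse_zone(forward_text, FORWARD_ORIGIN),
                       parse_zone(reverse_text, REVERSE_ORIGIN))
```

Calling check_article_zones() on the zones as written returns an empty list; passing FORWARD_ZONE with the final dot removed from the MX target returns the single "MX ... has no A record" finding, which is exactly the mistake the trailing-dot rule prevents.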




%%%%%%%%%%%%%Generate the DNS server's key file%%%%%%%%%%%%%
/usr/sbin/rndc-confgen > /etc/namedb/rndc.conf


%%%%%%%%%%%%%Import the key into named.conf%%%%%%%%%%%%%
cd /etc/namedb
tail -n10 rndc.conf | head -n9 | sed -e 's/# //g' >> named.conf
(I don't know why this command is written this way either! I hope we can discuss it together.)

%%%%%%%%%%%%%Start the DNS server%%%%%%%%%%%%%
/usr/sbin/named -gc /etc/namedb/named.conf &
(& runs it in the background)
/usr/sbin/rndc status
(check whether the DNS server started)


%%%%%%%%%%%%%Set the local resolver addresses%%%%%%%%%%%%%
ee /etc/resolv.conf

Add:

nameserver 127.0.0.1
nameserver 211.98.2.4
nameserver 202.99.104.68
nameserver 202.99.96.68
nameserver 202.102.128.68
nameserver 202.103.0.117
nameserver 202.103.44.5

(So many DNS servers are listed for redundancy, in case one of them fails.)
%%%%%%%%%%%%Delete or comment out the DNS server's listen address%%%%%%
ee /etc/namedb/named.conf

Delete (line 20):
listen-on { 127.0.0.1; };
or comment it out:
// listen-on { 127.0.0.1; };
rndc reload
(By default bind9 only serves the local host, so the listen-on { 127.0.0.1; }; line has to be removed.)
%%%%%%%%%%%%Start the DNS server together with the system%%%%%%%%
ee /etc/rc.conf
Add:
named_enable="YES"


###################Install perl 5.8.x################
cd /usr/ports/lang/perl5.8

make WITH_DEBUGGING=yes \
WITH_GDBM=yes \
WITHOUT_PERL_MALLOC=yes \
WITHOUT_PERL_64BITINT=yes \
WITH_THREADS=yes \
ENABLE_SUIDPERL=yes
(Note: the command and options above are entered line by line.)
make test
make install
make clean
make rmconfig
shutdown -r now
perl -v
ps auwx|grep perl
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_perl5.8.txt



###############Change the default download site for ports (only after perl is installed does /etc/make.conf exist)##############
ee /etc/make.conf

Add:

MASTER_SITE_OVERRIDE=ftp://ftp3.jp.freebsd.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}


(Changes the default ports download site; set it according to your own situation.)

####Install openssl########
cd /usr/ports/security/openssl
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_openssl.txt



#####Install the web management system (webmin)##
cd /usr/ports/sysutils/webmin
make
make install
make clean
make rmconfig
/usr/local/lib/webmin/setup.sh
ee /etc/rc.conf
Add:
webmin_enable="YES"

pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_webmin.txt



#####Install the MySQL 4.0 database
cd /usr/ports/databases/mysql40-server
make WITH_CHARSET=gbk \
WITH_XCHARSET=all \
SKIP_DNS_CHECK=yes \
BUILD_OPTIMIZED=yes \
BUILD_STATIC=yes
make install
make clean
make rmconfig

pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_mysql40-server.txt



%%%%%%%%%%%%Install the mysql40 Perl component%%%%%%%%%%%%%%
cd /usr/ports/databases/p5-DBD-mysql40
make
make install
make clean
make rmconfig

%%%%%%%%%%%Start mysql40 together with the system%%%%%%%%%%%
ee /etc/rc.conf
mysql_enable="YES"


%%%%%%%%%%%Set the mysql40 root password%%%%%%%%%%%%%%
/usr/local/bin/mysqladmin -u root password 'password'
mysql -u root -ppassword


%%%%%%%%%%Start mysql40%%%%%%%%%%%%%%%%%%%
Start mysql:
#/usr/local/share/mysql/mysql.server start
/usr/local/etc/rc.d/mysql-server.sh start

If neither of the two commands above starts mysql,
reboot the system to start it.

pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_mysql40.txt


###Install expat2#########
cd /usr/ports/textproc/expat2
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_expat2.txt


###Install the apache 1.3 web server######################
cd /usr/ports/www/apache13
make
make install
make clean
make rmconfig

%%%%%%%%%%%Start apache together with the system%%%%%%%%%%%
ee /etc/rc.conf
Add:
apache_enable="YES"

%%%%%%%%%%%%Change the relevant apache settings%%%%%%%%%%%
ee /usr/local/etc/apache/httpd.conf
Change line 330:
ServerAdmin you@your.address ==> ServerAdmin b.s.d@163.com
Change line 348:
#ServerName www.example.com ==> ServerName www.tjhaina.net
Add at line 794:
AddLanguage zh-cn .zh-cn
Add at line 822:
AddCharset GB2312 .gb2312
Add at line 977:
NameVirtualHost 192.168.0.205 (your host's IP)

%%%%%%%%%%%%Start apache%%%%%%%%%%%%%%%%%
Start apache:
/usr/local/sbin/apachectl start
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_apache.txt



########Install php#######
cd /usr/ports/lang/php4
make
make install
make clean
make rmconfig
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_php4.txt



#######Install the php extensions####
cd /usr/ports/lang/php4-extensions
make (select the bz2 extension in the options menu as well)
make install
make clean
make rmconfig
cd /usr/local/etc
cp php.ini-recommended php.ini
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_php4-extensions.txt

########################Install phpSysInfo, php-based system monitoring#######################
cd /usr/ports/www/phpSysInfo/
make
make install
make clean
make rmconfig
cd /usr/local/www/data/phpSysInfo/
cp config.php.new config.php
chown www:www config.php
(change the owner and group of config.php)
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_phpSysInfo.txt



####################Install phpmyadmin, php-based web database management################
cd /usr/ports/databases/phpmyadmin/
make
make install
make clean
make rmconfig

%%%%%%%%%%%%%Change the phpMyAdmin configuration%%%%%%%%%%%%
cd /usr/local/www/phpMyAdmin
chmod 755 config.inc.php
ee /usr/local/www/phpMyAdmin/config.inc.php
Change line 84
$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)?
to
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[# Change line 39
#$cfg['PmaAbsoluteUri'] = ' ';
# to
#$cfg['PmaAbsoluteUri'] = 'http://192.168.0.205/phpMyAdmin/'; ]
pkg_info
pkg_info | col -b > /usr/home/chb/pkg_info/pkg_info_phpmyadmin.txt

(I currently do not recommend changing line 39, even though phpMyAdmin prompts you to. I have not found line 39 to affect phpMyAdmin, and getting it wrong can stop phpMyAdmin from displaying properly.)





Installing the FTP server

#Install the pure-ftpd FTP server#
cd /usr/ports/ftp/pure-ftpd
ee /usr/ports/ftp/pure-ftpd/Makefile
Add the following configure options:

--with-everything \
--with-paranoidmsg \
--with-virtualchroot \
--with-tls \
--with-largefile \
--with-welcomemsg \
--with-uploadscript \
--with-cookie \
--with-virtualhosts \
--with-virtualroot \
--with-diraliases \
--with-quotas \
--with-sysquotas \
--with-ratios \
--with-ftpwho \
--with-throttling \
--sysconfdir=${PREFIX}/etc

make WITH_MYSQL=1 \
WITH_LANG=simplified-chinese
make install
make clean
make rmconfig

cd /usr/local/etc
cp pureftpd-mysql.conf.sample pureftpd-mysql.conf
cp pure-ftpd.conf.sample pure-ftpd.conf
ee /usr/local/etc/pure-ftpd.conf

Explanation of the build options

--with-everything: build a "big" server with almost every feature enabled.

--with-paranoidmsg: when enabled, the same message is shown to the user whatever the reason for a failed login. Without it, a password problem shows "Authentication failed" and a banned user gets "Sorry, I don't trust you".

--with-virtualchroot: normally a chrooted user (the -A and -a options) cannot leave his home directory. Enabling this makes it possible: symbolic links always work, even when they point to directories outside the user's home. This is very useful for shared directories (for example a symbolic link to /var/incoming in every home directory). Not enabled by default.

--with-tls: TLS support.

--with-largefile: support for downloading files larger than 2 gigabytes on 32-bit architectures. Transferring such a large file over FTP is a rather odd idea, and your file system, your kernel and your FTP client all have to support it too. With this enabled, downloads are slower (or use more CPU) than without it. In short, don't enable it for fun unless you really plan to download files larger than 2 gigabytes.

--with-welcomemsg: for compatibility with other FTP servers, pure-ftpd can read 'welcome.msg'. This is a security flaw (anonymous users can upload a 'welcome.msg' file and have it displayed). Pure-ftpd uses a '.banner' file by default.

--with-uploadscript: since version 0.98 Pure-FTPd can keep track of uploads. When an upload completes successfully, any extra program or script can be started automatically. This needs a program called "pure-uploadscript", which is installed as part of the Pure-FTPd package.

--with-cookie: show a random or custom message when a user logs in.

--with-virtualhosts: virtual host support, meaning that each IP address can have a different anonymous FTP area. If the server has only one IP address this is not needed. If it has several and you want a client that connects to IP xxx to get /etc/pure-ftpd/xxx/ instead of ~ftp/, enable it.

--with-virtualroot: virtual root support.

--with-diraliases: support for directory aliases.

--with-quotas: enable virtual quotas, which can limit the maximum number of files a user may store under his account and the total size.

--with-sysquotas: support for system quotas (rather than Pure-ftpd's virtual quotas). Enable it only if you plan to use system quotas.

--with-ratios: support for upload/download ratios.

--with-ftpwho: support for the 'pure-ftpwho' command. Enabling it needs extra memory. It is fine when pure-ftpd runs in standalone mode; in inetd mode it is slower.

--with-throttling: bandwidth throttling support.

Other options

--with-altlog: besides syslog output, support for some special file formats; currently implemented are the CLF, Stats, W3C and xferlog formats.
CLF (Common Log Format) is the basic format of Apache, WebFS, Roxen and most other common web servers; this log only records file transfers and can be analysed by web traffic statistics software (Analog, Webalizer, etc.). The Stats format is a special output format designed for log analysis software. The W3C format is the standard format of commercial log analysers (anything that reads IIS logs). Xferlog is a format inherited from wu-ftpd.

--with-brokenrealpath: on some Solaris versions realpath() is unreliable. If altlog and/or pure-uploadscript do not work properly, recompile with this option.

--with-certfile=: the file used as the SSL certificate; the default is /etc/ssl/private/pure-ftpd.pem.

--with-extauth: support for external authentication modules. Most users do not need this.

Supported languages
--with-language=english
--with-language=german
--with-language=romanian
--with-language=french
--with-language=polish
--with-language=spanish
--with-language=danish
--with-language=italian
--with-language=brazilian-portuguese
--with-language=slovak
--with-language=dutch
--with-language=korean
--with-language=swedish
--with-language=norwegian
--with-language=russian
--with-language=traditional-chinese
--with-language=simplified-chinese
--with-language=hungarian
--with-language=catalan
--with-language=czech
These change the language of the server messages. The default is English.

--with-ldap: support for native LDAP directories. When enabled, system accounts are ignored. You also need OpenLDAP; if OpenLDAP is installed in a particular location you can use the --with-ldap= syntax.

--with-minimal: to make good use of the features of modern FTP clients, Pure-FTPd implements the basic FTP protocol plus extensions (SITE IDLE, SITE CHMOD, MLSD, ...). With --with-minimal these extensions are not compiled in. Likewise there is no standalone server, no lookup of user/group names, no humor and no ASCII support, but the executable is smaller than the default build. You need at least GCC 3.3 to compile with this option. If you want to shrink the executable further, combine --without-globbing with --with-minimal. Use it if you are building an embedded system; anywhere else, to avoid customer complaints (especially from Windows clients), forget it.

--with-mysql: use MySQL as the user database. When enabled, system accounts are ignored. The MySQL client libraries must be installed. If MySQL is installed in a special location, use the --with-mysql= syntax.

--with-nonroot: let the server start as an unprivileged (non-root) user. Any ordinary user can run the server. This is very useful when you only have a restricted account on the server, but some features are unavailable and passwords can only be checked through LDAP, SQL or PureDB. When virtual chroot is enabled, users are confined to the directory the server was started from. This is an insecure mode, usually used by ordinary (non-root) users to set up a temporary server. In standalone mode port 2121 is listened on. To use nonroot mode, compile and install the software with (./configure --prefix=... && make install-strip); the /sbin, /bin and /man directories must be writable under the prefix, and the user running pure-ftpd needs read/write access to the /etc directory.

--with-pam: use PAM authentication. Don't use this option if your login/passwd pairs are always refused (but the real fix would be to fix your PAM configuration). An /etc/pam.d/pure-ftpd file has to be created to use PAM authentication; a sample is in the 'pam' directory.

--with-peruserlimits: enable per-user concurrency limits; avoid it on busy servers.

--with-pgsql: use Postgres as the user database. When enabled, system accounts are ignored and the Postgres client libraries must be installed. If Postgres is installed in a special location, use the --with-pgsql= syntax.

--with-probe-random-dev: Pure-FTPd uses the /dev/arandom, /dev/urandom or /dev/random device for strong random numbers. These devices are normally probed at compile time. If you are building a binary package to run on other hosts, this option makes the probe happen at run time. It is useless on Linux and BSD systems but can be used on Solaris and QNX.

--with-puredb: support for virtual users, a local user database independent of system accounts.

--with-boring: show "professional-looking" messages.

--with-privsep: enable privilege separation.

--with-rendezvous: enable Rendezvous support on MacOS X.

--without-ascii: no support for 7-bit (ASCII) transfers. If you have customers sending scripts and HTML files with Windows clients, don't use this option, or they will shout at you.

--without-banner: don't show the initial banner; this is silly security through obscurity.

--without-capabilities: if the capabilities library (libcap) is found, Pure-FTPd uses it for extra security. This option disables the test for that library. If the capabilities library does not work properly, get it from ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/.

--without-globbing: leave out the globbing code. It reduces memory usage but things often stop working. Most users don't need --without-globbing; globbing is a nice feature.

--without-humor: if you use this option without having read the source code, good luck.

--without-inetd: if Pure-FTPd always runs in standalone mode, this option saves a few bytes of code. Don't use --without-inetd and --without-standalone together, or the server cannot run at all. Neither option is used in the Pure-FTPd binary distributions, so both inetd and standalone are supported.

--without-iplogging: don't log any IP address, for privacy; probably only needed on politically sensitive servers.

--without-nonalnum: illegal file-name checking; only basic characters are accepted. Don't use this blindly, or expect complaints from users.

--without-unicode: don't accept non-Latin characters. Recommended if the file names on the server contain no special characters.

--without-sendfile: on Linux, Solaris, HPUX and FreeBSD kernels, Pure-FTPd uses a special system call (sendfile) to try to reduce CPU and memory use. This works well on most file systems, but the optimisation does not work correctly on all of them. Users have reported failed downloads through Pure-FTPd on SMBFS (Samba) under FreeBSD and on TmpFS and NTFS under Linux (the server reports "broken pipe" or "Error during write to data connection"). If you plan to serve files from such file systems you have to use --without-sendfile as a workaround. PA-RISC Linux systems also need this option.

--without-shadow: ignore shadow passwords even when they are auto-detected. This is usually a bad idea unless you use PAM, LDAP or SQL. Pure-FTPd supports shadow password expiry (both account and password).

--without-standalone: the FTP server can normally run in standalone mode (without any super-server). If you don't need that and want to save a few bytes of code, enable this option. A super-server such as g2s, xinetd or tcpserver is then required to run the service, but standalone mode is recommended.

--without-usernames: never output user and group names in directory listings, only UIDs and GIDs. This improves security and performance, but some users find it unfriendly.

"--prefix=": change the installation path; the default is "/usr/local/".











Explanation of the configuration files

pure-ftpd.conf


ChrootEveryone yes
# chroot every user; the same as DefaultRoot ~ in Proftpd. It confines users to one place and makes the server safer: users cannot cd into the parent directory.
TrustedGID 50
# The two directives above are used together.


BrokenClientsCompatibility no
# Compatibility hacks for broken clients


MaxClientsNumber 50
# Maximum number of connections


Daemonize yes
# Fork in background: run as a daemon


MaxClientsPerIP 5
# Maximum number of connections per IP; best kept small


VerboseLog no
# Whether to log every client command


DisplayDotFiles no
# Show files whose names begin with a dot


AnonymousOnly no
# Allow only anonymous logins

NoAnonymous no
# Disallow anonymous logins


SyslogFacility ftp
# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*); lets you filter the log so only the messages you want are recorded


DontResolve yes
# Don't reverse-resolve client IP addresses


MaxIdleTime 5
# Maximum idle time (minutes)


#LDAPConfigFile /usr/local/pureftpd/etc/pureftpd-ldap.conf
# Use LDAP authentication


MySQLConfigFile /usr/local/pureftpd/etc/pureftpd-mysql.conf
# Use MySQL authentication


#PGSQLConfigFile /usr/local/pureftpd/etc/pureftpd-pgsql.conf
# Use PGSQL authentication


#PureDB /ftp/etc/pureftpd.pdb
# Location of the user database [I build the DB with PureFTPD's own tool, hence this option]


#ExtAuth /var/run/ftpd.sock
# Path to the pure-authd socket (see README.Authentication-Modules)


#PAMAuthentication yes
# Enable PAM authentication


#UnixAuthentication yes
# If you want simple Unix (/etc/passwd) authentication

FortunesFile /usr/local/pureftpd/etc/.welcome
# Welcome message file. Create this file, put some text in it, restart your FTP server, and you will be pleasantly surprised.


LimitRecursion 2000 8
# ls lists at most 2000 files, at most 8 directory levels deep


AnonymousCanCreateDirs no
# Whether anonymous users may create directories


MaxLoad 4
# When the system load exceeds 4, users can no longer download


PassivePortRange 30000 50000
# Port range for passive connection replies


ForcePassiveIP 192.168.0.1
# Force this IP address in passive replies (for NAT)


AnonymousRatio 1 10
# Upload/download ratio for anonymous connections


UserRatio 1 10
# Upload/download ratio for users (note: if you use ldap, mysql, pgsql or pam, don't enable this, otherwise the ratio set in ldap etc. has no effect)


AntiWarez no
# Uploaded files (owner is ftp) cannot be downloaded until the local admin validates them


Bind 127.0.0.1,8021
# IP/port to bind to. If your system has two FTP servers, one of them has to use another port.
# Format -> 127.0.0.1,21; if only a port is given it means all IPs, that port



AnonymousBandwidth 8
# Anonymous bandwidth, in KB/s


UserBandwidth 8
# User bandwidth, in KB/s


Umask 133:022
# Umask for uploaded files (<files>:<directories>)


MinUID 1000
# Minimum UID allowed to log in


AllowUserFXP yes
# Whether FXP is supported


AllowAnonymousFXP no
# Whether anonymous FXP is supported


ProhibitDotFilesWrite no
ProhibitDotFilesRead no
# Whether files beginning with "." may be read/written. On Unix-like systems files beginning with a dot are hidden; ls -a lists them.
# Pureftpd's quota mode creates a ".ftpquota" file.


AutoRename no
# Automatically rename an uploaded file if one with the same name exists (file.1, file.2, ...)


AnonymousCantUpload no
# Forbid anonymous users to upload files (no = upload is allowed)


TrustedIP 10.1.1.1
# Only this IP may log in non-anonymously


LogPID yes
# Add the PID to log lines
AltLog stats:/ftp/etc/log/pureftpd.log
# Log location; note that there are several common log formats:
# clf is Apache-like, stats is a UNIX log format, w3c is the standard W3C format (possibly an HTML format)


NoChmod yes
# Don't allow the CHMOD command


KeepAllFiles no
# Users can resume uploads but cannot delete files


CreateHomeDir yes
# Create the user's home directory automatically if it does not exist (I set this to YES)


Quota 1000:10
# Quota <number of files>:<size in megabytes>; limits FTP space to 10M and 1000 files (note: if you use ldap, mysql, pgsql or pam, don't enable this, otherwise the quota set in ldap etc. has no effect)


PIDFile /ftp/etc/log/pure-ftpd.pid
# File recording pure-ftpd's PID


CallUploadScript yes
# Call the upload script


MaxDiskUsage 99
# Stop uploads when disk usage reaches this percentage


NoRename yes
# Users cannot rename files

CustomerProof yes
# Work around common customer mistakes such as chmod 0 on their own directories
PerUserLimits 3:20
# <max logins per account>:<max simultaneous anonymous logins>


pureftpd-mysql.conf

MYSQLServer 127.0.0.1
# IP of the MySQL server


MYSQLPort 3306
# MySQL port number


MYSQLSocket /var/lib/mysql/mysql.sock
# Local connection over a UNIX socket
# Note: use either MYSQLServer or MYSQLSocket, not both


MYSQLUser ftp
# MySQL user name


MYSQLPassword 123456
# Password of the MySQL database user


MYSQLDatabase ftpusers
# Database holding the FTP user data


MYSQLCrypt md5
# How passwords are stored: "cleartext", "crypt", "md5" and "password"


# cleartext is plain text; crypt and md5 are those hashes; password is the backend PASSWORD('your-passwd') function (the password() function of the MySQL database)


MYSQLGetPW SELECT Password FROM users WHERE User="\L"
# Password field; I use the Password column of the users table as the password field


MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
# UID (user ID) field


MYSQLDefaultUID 1000
# Default UID (note: if this option is enabled, MYSQLGetUID no longer has any effect)


MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
# GID (group ID) field


MYSQLDefaultGID 1000
# Default GID (note: if this option is enabled, MYSQLGetGID no longer has any effect)


MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
# FTP user's directory, e.g. /home/web/www-9812-net


MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L"
# Disk quota, file count limit; e.g. 1000 allows the user to upload 1000 files


MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"
# Disk quota, FTP user space limit (in MB), e.g. 100M

MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"
# Upload/download ratio. MySQLGetRatioUL is the upload ratio, MySQLGetRatioDL the download ratio, e.g. 1:5


MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"
# Upload/download bandwidth (KB/s). MySQLGetBandwidthUL is the upload bandwidth, MySQLGetBandwidthDL the download bandwidth, e.g. upload 500KB/s, download 50KB/s


MySQLForceTildeExpansion 1
MySQLTransactions On


Example configuration files

pure-ftpd.conf configuration file

############################################
#                                          #
# Configuration file for pure-ftpd wrappers #
#                                          #
############################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf
#
# RPM binary files use another configuration file by default :
# /etc/sysconfig/pure-ftpd
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory
ChrootEveryone yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
# TrustedGID 100

# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility no

# Maximum number of simultaneous users
MaxClientsNumber 50

# Fork in background
Daemonize yes

# Maximum number of sim clients with the same IP address
MaxClientsPerIP 8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog no

# List dot-files even when the client doesn't send "-a".
DisplayDotFiles yes

# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly no

# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous no

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
SyslogFacility ftp

# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve yes

# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime 15

# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pureftpd-ldap.conf
LDAPConfigFile /usr/local/pureftpd/etc/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pureftpd-mysql.conf
MySQLConfigFile /usr/local/pureftpd/etc/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pureftpd-pgsql.conf
PGSQLConfigFile /usr/local/pureftpd/etc/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)
# PureDB /etc/pureftpd.pdb
PureDB /usr/local/pureftpd/etc/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line
# PAMAuthentication yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8

# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad 4

# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1

# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10

# Upload/download ratio for all users.
# This directive superscedes the previous one.
# UserRatio 1 10

# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes

# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21
Bind 127.0.0.1,8021

# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8

# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8

# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
Umask 133:022

# Minimum UID for an authenticated user to log in.
MinUID 100

# Allow FXP transfers for authenticated users only.
AllowUserFXP yes

# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP no

# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite no

# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead no

# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
AutoRename no

# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload no

# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
#TrustedIP 10.1.1.1

# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID yes

# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log

# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log

# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log

# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod yes

# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles yes

# Automatically create home directories if they are missing
#CreateHomeDir yes

# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota 1000:10

# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#PIDFile /var/run/pure-ftpd.pid

# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript yes

# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
MaxDiskUsage 99

# Set to 'yes' if you don't want your users to rename files.
#NoRename yes

# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
CustomerProof yes

# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <per user limit>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20



pureftpd-mysql.conf configuration file


##############################################
#                                            #
# Sample Pure-FTPd Mysql configuration file. #
# See README.MySQL for explanations.         #
#                                            #
##############################################

# Optional : MySQL server name or IP. Don't define this for unix sockets.
#MYSQLServer 127.0.0.1

# Optional : MySQL port. Don't define this if a local unix socket is used.
#MYSQLPort 3306

# Optional : define the location of mysql.sock if the server runs on this host.
MYSQLSocket /var/lib/mysql/mysql.sock

# Mandatory : user to bind the server as.
MYSQLUser pureftpd

# Mandatory : user password. You must have a password.
MYSQLPassword qKiscCbwbXAkWp.

# Mandatory : database to open.
MYSQLDatabase pureftpd

# Mandatory : how passwords are stored
# Valid values are : "cleartext", "crypt", "md5" and "password"
# ("password" = MySQL password() function)
# You can also use "any" to try "crypt", "md5" *and* "password"
#MYSQLCrypt cleartext
MYSQLCrypt crypt

# In the following directives, parts of the strings are replaced at
# run-time before performing queries :
#
# \L is replaced by the login of the user trying to authenticate.
# \I is replaced by the IP address the user connected to.
# \P is replaced by the port number the user connected to.
# \R is replaced by the IP address the user connected from.
# \D is replaced by the remote IP address, as a long decimal number.
#
# Very complex queries can be performed using these substitution strings,
# especially for virtual hosting.

# Query to execute in order to fetch the password
MYSQLGetPW SELECT Password FROM users WHERE User="\L"

# Query to execute in order to fetch the system user name or uid
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"

# Optional : default UID - if set this overrides MYSQLGetUID
#MYSQLDefaultUID 1000

# Query to execute in order to fetch the system user group or gid
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"

# Optional : default GID - if set this overrides MYSQLGetGID
#MYSQLDefaultGID 1000

# Query to execute in order to fetch the home directory
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"

# Optional : query to get the maximal number of files
# Pure-FTPd must have been compiled with virtual quotas support.
MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L"

# Optional : query to get the maximal disk usage (virtual quotas)
# The number should be in Megabytes.
# Pure-FTPd must have been compiled with virtual quotas support.
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"

# Optional : ratios. The server has to be compiled with ratio support.
# MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
# MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"

# Optional : bandwidth throttling.
# The server has to be compiled with throttling support.
# Values are in KB/s .
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"

# Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
# 1) You know what you are doing.
# 2) Real and virtual users match.
# MySQLForceTildeExpansion 1

# If you upgraded your tables to transactionnal tables (Gemini,
# BerkeleyDB, Innobase...), you can enable SQL transactions to
# avoid races. Leave this commented if you are using the
# traditionnal MyIsam databases or old (< 3.23.x) MySQL versions.
# MySQLTransactions On

########Create the ftp user and group##

pw groupadd ftpusers -g 2000
pw useradd ftp -u 2000 -g ftpusers -s /sbin/nologin






#################Save the following as a text file named script.mysql####################
INSERT INTO mysql.user (Host, User, Password, Select_priv, Insert_priv,
Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv,
Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv,
Index_priv, Alter_priv) VALUES
('localhost','ftp',PASSWORD('password'),'Y','Y','Y','Y','N','N','N','N',
'N','N','N','N','N','N');

FLUSH PRIVILEGES;

CREATE DATABASE ftpusers;

USE ftpusers;

CREATE TABLE admin (
Username varchar(35) NOT NULL default '',
Password char(32) binary NOT NULL default '',
PRIMARY KEY (Username)
) TYPE=MyISAM;

INSERT INTO admin VALUES ('Administrator',MD5('password'));

CREATE TABLE users (
User char(16) NOT NULL default '',
Password char(32) binary NOT NULL default '',
Uid int(11) NOT NULL default '2000',
Gid int(11) NOT NULL default '2000',
Dir char(128) NOT NULL default '',
QuotaFiles int(10) NOT NULL default '500',
QuotaSize int(10) NOT NULL default '30',
ULBandwidth int(10) NOT NULL default '80',
DLBandwidth int(10) NOT NULL default '80',
status enum('0','1') NOT NULL default '1',
ipaccess varchar(15) NOT NULL default '*',
comment tinytext NOT NULL,
PRIMARY KEY (User),
UNIQUE KEY User (User)
) TYPE=MyISAM;

INSERT INTO `users` VALUES ('test1',MD5('123456'),2001,2000,'/home/test1',500,30,80,5,1,'*','*');
##################
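As an added example, not part of the original article or of Pure-FTPd's own code: a Python model of the authentication chain that the comments in the sample pure-ftpd.conf describe (MySQLConfigFile first, then UnixAuthentication), run over the users table that script.mysql creates. The table rows and the Unix accounts are constructed for the example, the MySQL lookup stands in for the MYSQLGetPW query, and only the cleartext and md5 values of MYSQLCrypt are modelled. It shows the two rules worth remembering when chaining backends: a wrong password in the first backend ends the chain (the Unix password of a login with the same name is never tried), and an MYSQLCrypt value that does not match how the Password column was filled makes every real password fail while the stored hash string itself is accepted as the password.

```python
"""Model of the Pure-FTPd authentication chain: MySQL first, then Unix."""
import hashlib
from enum import Enum

# Constructed rows standing in for the `users` table that script.mysql creates;
# the Password column holds MD5(plaintext), exactly as the INSERT statement does.
USERS_TABLE = [
    {"User": "test1", "Password": hashlib.md5(b"123456").hexdigest(),
     "Uid": 2001, "Gid": 2000, "Dir": "/home/test1"},
]
# Constructed stand-in for the system accounts UnixAuthentication would consult.
# test1 exists here too, with another password, to show where the chain stops.
UNIX_ACCOUNTS = {"test1": "unix-pass-for-test1", "chb": "unix-pass-for-chb"}


class Result(Enum):
    OK = "accepted"
    BAD_PASSWORD = "wrong password"
    NOT_FOUND = "user not found"


def password_matches(stored, supplied, mysql_crypt):
    """Compare under the MYSQLCrypt setting. Only 'cleartext' and 'md5' are
    modelled here; 'crypt', 'password' (MySQL PASSWORD()) and 'any' are not."""
    if mysql_crypt == "cleartext":
        return stored == supplied
    if mysql_crypt == "md5":
        return stored == hashlib.md5(supplied.encode()).hexdigest()
    raise ValueError(f"MYSQLCrypt {mysql_crypt!r} is not modelled in this example")


def mysql_backend(mysql_crypt):
    """Build a backend that answers like the MYSQLGetPW query
    (SELECT Password FROM users WHERE User=\\L) over the constructed table."""
    def auth(login, password):
        row = next((r for r in USERS_TABLE if r["User"] == login), None)
        if row is None:
            return Result.NOT_FOUND
        ok = password_matches(row["Password"], password, mysql_crypt)
        return Result.OK if ok else Result.BAD_PASSWORD
    return auth


def unix_backend(login, password):
    """Backend standing in for UnixAuthentication (/etc/passwd and /etc/shadow)."""
    stored = UNIX_ACCOUNTS.get(login)
    if stored is None:
        return Result.NOT_FOUND
    return Result.OK if stored == password else Result.BAD_PASSWORD


def authenticate(chain, login, password):
    """Run the backends in configuration order with the rule from the sample
    pure-ftpd.conf: 'user not found' falls through to the next backend, while
    any other answer (accepted or wrong password) ends the chain at once."""
    for backend in chain:
        result = backend(login, password)
        if result is not Result.NOT_FOUND:
            return result
    return Result.NOT_FOUND


# The order the article's configuration implies: MySQLConfigFile, then
# UnixAuthentication (which the sample file leaves commented out).
ARTICLE_CHAIN = [mysql_backend("md5"), unix_backend]
```

With ARTICLE_CHAIN, "test1"/"123456" is accepted by MySQL, "chb" is unknown to MySQL and falls through to the Unix accounts, and "test1" with its Unix password is refused because the MySQL answer "wrong password" already ended the chain. Swapping mysql_backend("md5") for mysql_backend("cleartext") against the same table is the misconfiguration case: "123456" is refused, but the hex digest stored in the table is accepted as the password.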


#####Load the ftp user database#
Upload script.mysql to the server, then run:
mysql -u root -ppassword < script.mysql


#####Start pure-ftpd######
/usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
or alternatively:
/usr/local/etc/rc.d/pure-ftpd.sh start

The following message shows that pure-ftpd is running:
Running: /usr/local/sbin/pure-ftpd -A -c50 -B -C8 -D -E -fftp -H -I15
-lmysql:/usr/local/etc/pureftpd-mysql.conf -L2000:8 -m4 -Q1:10 -s -U133:022
-u100 -Ow3c:/var/log/pureftpd.log -j -k99 -Z


#####Test pure-ftpd########
ftp 192.168.0.205
Connected to 192.168.0.205.
220---------- 欢迎来到 Pure-FTPd [TLS] ----------
220-您是第 1 个使用者,最多可达 50 个连接
220-现在本地时间是 13:17。服务器端口: 21。
220-这是私人系统 - 不开放匿名登录
220-这部主机也欢迎IPv6的连接
220 在 15 分钟内没有活动,您被会断线。
Name (192.168.0.205:chb):
Enter the user name and password.

######Set up the ftp management interface##
Upload chinaPHP_Manager to the server, then edit its configuration:
ee config.php


require 'language.php';

$LANG = $ZH_CN; //Language (Options are $DUTCH, $ENGLISH, $PT_BR, $RUSSIAN
//$SPANISH, $COREAN, $FRENCH, $HUNGARIAN, $GERMAN
// $TURKISH, $DANISH , $NORWEGIAN or $ZH_CN)

$LocationImages = "images"; // Location of images

$DBHost = "localhost"; // Ip-adres of MySQL server
// (Dont change this if you are using the default database)

$DBLogin = "ftp"; // Username of MySQL user

$DBPassword = "password"; // Password of MySQL user

$DBDatabase = "ftpusers"; // Name of database

$FTPaddress = "192.168.0.205:21"; // Domain name or ip-address of your ftp server

$DEFUserID = "2000"; // nobody // Default user id of virtual ftp user.

$DEFGroupID = "2000"; // guest // Default group is of virtual ftp user.

##Configure the virtual host for the ftp management interface
ee /usr/local/etc/apache/httpd.conf

Add:

# Virtual host for the ftp management pages, on the NameVirtualHost address set earlier
<VirtualHost 192.168.0.205>
    DocumentRoot "/home/chb/ftp"
    ServerName www.chb.com
    <Directory "/home/chb/ftp">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>




#######Add the ftp startup entry###
ee /etc/rc.conf
Add:
pureftpd_enable="YES"