Debian FTP服务器用户管理策略

Debian FTP Server User Management Strategy
Managing users for an FTP server on Debian involves configuring authentication, access control, permissions, and security to ensure secure and organized file transfers. Below is a structured strategy covering key aspects:

1. Install vsftpd (Recommended FTP Server)

vsftpd (Very Secure FTP Daemon) is the most widely used FTP server on Debian due to its security and flexibility. Install it using:

sudo apt update && sudo apt install vsftpd -y

2. Configure Core FTP Settings

Edit the main configuration file (/etc/vsftpd.conf) to set fundamental parameters. Key options include:

Disable Anonymous Access: anonymous_enable=NO (prevents unauthorized logins).
Allow Local Users: local_enable=YES (permits system users to log in).
Restrict to Home Directory: chroot_local_user=YES (locks users to their home directories; enhances security).
Allow Writeable Chroot: allow_writeable_chroot=YES (required if chroot_local_user=YES and users need to upload files).
Enable Logging: xferlog_enable=YES (logs transfer activity for auditing).

Save changes and restart vsftpd:

sudo systemctl restart vsftpd

3. Create Dedicated FTP Users

Create non-system users specifically for FTP access to avoid compromising critical accounts. Use the -m flag to create a home directory and -s /sbin/nologin to prevent shell login (restricts access to FTP only):

sudo useradd -m ftpuser1 -s /sbin/nologin
sudo passwd ftpuser1  # Set a strong password

Repeat for additional users (e.g., ftpuser2).

4. Manage User Access Control

Option A: User List (Allow/Deny Specific Users)

Add allowed users to /etc/vsftpd.user_list (one per line):

echo "ftpuser1" | sudo tee -a /etc/vsftpd.user_list
echo "ftpuser2" | sudo tee -a /etc/vsftpd.user_list

Configure the server to use this list by setting:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO  # Only users in the list can log in

Option B: Deny Specific Users

To deny specific users, set userlist_deny=YES and list them in /etc/vsftpd.user_list.

5. Set Directory Permissions

Ensure FTP users can access their home directories securely:

Change Ownership: Assign the home directory to the user and their group:
```
sudo chown ftpuser1:ftpuser1 /home/ftpuser1
```
Set Permissions: Grant read/write/execute to the owner, read/execute to others (prevents unauthorized modifications):
```
sudo chmod 755 /home/ftpuser1
```

Optional: Upload Directory: Create a subdirectory for uploads and grant write permissions:

sudo mkdir /home/ftpuser1/uploads
sudo chown ftpuser1:ftpuser1 /home/ftpuser1/uploads
sudo chmod 775 /home/ftpuser1/uploads

6. Implement User Quotas (Disk Space Limits)

Prevent users from consuming excessive disk space with quotas:

Install Quota Tools:
```
sudo apt install quota -y
```
Enable Quota on the Filesystem: Edit /etc/fstab and add usrquota to the home partition (e.g., /dev/sda1):
```
/dev/sda1  /home  ext4  defaults,usrquota  0  2
```
Remount the Filesystem: Apply changes:
```
sudo mount -o remount /home
```

Set Quotas: Use edquota to define limits (e.g., 1GB soft limit, 1.5GB hard limit for ftpuser1):

sudo edquota ftpuser1

Modify the file to include:

Disk quotas for user ftpuser1 (uid 1001):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/sda1                     0          1048576    1572864          0        0        0

7. Secure the FTP Server

Firewall Rules: Allow FTP traffic (port 21) and passive mode ports (range 40000-50000) using UFW:
```
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw enable
```
SELinux (If Enabled): Adjust policies to allow FTP access to home directories:
```
sudo setsebool -P ftp_home_dir on
```

8. Monitor and Audit User Activity

View Logs: Check FTP logs at /var/log/vsftpd.log for connection attempts and transfers.
Active Sessions: Use ftpwho to see current FTP sessions.
Port Usage: Use lsof -i :21 or netstat -tuln | grep 21 to monitor open FTP ports.

This strategy ensures secure, organized, and scalable FTP user management on Debian, balancing accessibility with security best practices.