Deploying an FTP Service on CentOS 7

Basic deployment

yum install -y vsftpd ftp
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak   # back up the original config file (copying a file onto itself fails)
systemctl start vsftpd
systemctl enable vsftpd

Create an FTP user and set its password:

useradd -d /home/ftpuser1 -g ftp -s /sbin/nologin ftpuser1
passwd ftpuser1

Create the chroot_list file and add the user to it:

vi /etc/vsftpd/chroot_list
ftpuser1

Configuration file

# Example config file /etc/vsftpd/vsftpd.conf    
#    
# The default compiled in settings are fairly paranoid. This sample file    
# loosens things up a bit, to make the ftp daemon more usable.    
# Please see vsftpd.conf.5 for all compiled in defaults.    
#    
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.    
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's    
# capabilities.    
#    
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).    
# Disable anonymous logins. (vsftpd only accepts whole-line '#' comments, so notes go above the directive, not after it.)
anonymous_enable=NO
#    
# Uncomment this to allow local users to log in.    
# When SELinux is enforcing check for SE bool ftp_home_dir    
# Only accounts present in /etc/passwd can log in to FTP as real (local) users.
local_enable=YES
#    
# Uncomment this to enable any form of FTP write command.    
# Grant write permission.
write_enable=YES
#    
# Default umask for local users is 077. You may wish to change this to 022,    
# if your users expect that (022 is used by most other ftpd's)    
# umask applied to files and directories created by local users.
local_umask=022
#    
# Uncomment this to allow the anonymous FTP user to upload files. This only    
# has an effect if the above global write enable is activated. Also, you will    
# obviously need to create a directory writable by the FTP user.    
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access    
#anon_upload_enable=YES    
#    
# Uncomment this if you want the anonymous FTP user to be able to create    
# new directories.    
#anon_mkdir_write_enable=YES    
#    
# Activate directory messages - messages given to remote users when they    
# go into a certain directory.    
# When dirmessage_enable=YES, vsftpd looks for a message file in each directory and shows it to the user.
dirmessage_enable=YES
#    
# Activate logging of uploads/downloads.    
# When YES, user uploads and downloads are logged; where they are logged depends on the xferlog_file option below.
xferlog_enable=YES
#    
# Make sure PORT transfer connections originate from port 20 (ftp-data).    
# Use port 20 (ftp-data) as the source of active-mode data connections.
connect_from_port_20=YES
#    
# If you want, you can arrange for uploaded anonymous files to be owned by    
# a different user. Note! Using "root" for uploaded files is not    
# recommended!    
chown_uploads=YES    
#chown_username=whoever    
#    
# You may override where the log file goes if you like. The default is shown    
# below.    
#xferlog_file=/var/log/xferlog    
#    
# If you want, you can have your log file in standard ftpd xferlog format.    
# Note that the default log file location is /var/log/xferlog in this case.    
# Logging also depends on the related xferlog_file option.
xferlog_std_format=YES
#    
# You may change the default value for timing out an idle session.    
#idle_session_timeout=600    
#    
# You may change the default value for timing out a data connection.    
#data_connection_timeout=120    
#    
# It is recommended that you define on your system a unique user which the    
# ftp server can use as a totally isolated and unprivileged user.    
#nopriv_user=ftpsecure    
#    
# Enable this and the server will recognise asynchronous ABOR requests. Not    
# recommended for security (the code is non-trivial). Not enabling it,    
# however, may confuse older FTP clients.    
#async_abor_enable=YES    
#    
# By default the server will pretend to allow ASCII mode but in fact ignore    
# the request. Turn on the below options to have the server actually do ASCII    
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains    
# the behaviour when these options are disabled.    
# Beware that on some FTP servers, ASCII support allows a denial of service    
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd    
# predicted this attack and has always been safe, reporting the size of the    
# raw file.    
# ASCII mangling is a horrible feature of the protocol.    
ascii_upload_enable=YES #类似下面一个注释说明,只是这个设定针对上传而言    
ascii_download_enable=YES #如果设定为YES ,那么 client 就可以使用 ASCII 格式下载,一般来说,由于启动了这个设定项目可能会导致DoS 的攻击   
#    
# You may fully customise the login banner string:    
#ftpd_banner=Welcome to blah FTP service.    
#    
# You may specify a file of disallowed anonymous e-mail addresses. Apparently    
# useful for combatting certain DoS attacks.    
#deny_email_enable=YES    
# (default follows)    
#banned_email_file=/etc/vsftpd/banned_emails    
#    
# You may specify an explicit list of local users to chroot() to their home    
# directory. If chroot_local_user is YES, then this list becomes a list of    
# users to NOT chroot().    
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that    
# the user does not have write access to the top level directory within the    
# chroot)    
chroot_local_user=YES
# Combined with chroot_local_user, the following four behaviours are possible:
# 1) chroot_list_enable=YES, chroot_local_user=YES: users listed in the chroot_list_file
#    may leave their home directory; users not listed are confined to it.
# 2) chroot_list_enable=YES, chroot_local_user=NO: users listed in the chroot_list_file
#    may NOT leave their home directory; users not listed may.
# 3) chroot_list_enable=NO, chroot_local_user=YES: no user may leave their home directory.
# 4) chroot_list_enable=NO, chroot_local_user=NO: every user may leave their home directory.
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
# Without this, login fails with: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
# Note the warning above: this setting switches off the check that keeps the chroot top directory
# from being writable by the user.
allow_writeable_chroot=YES
#    
# You may activate the "-R" option to the builtin ls. This is disabled by    
# default to avoid remote users being able to cause excessive I/O on large    
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume    
# the presence of the "-R" option, so there is a strong case for enabling it.    
#ls_recurse_enable=YES    
#    
# When "listen" directive is enabled, vsftpd runs in standalone mode and    
# listens on IPv4 sockets. This directive cannot be used in conjunction    
# with the listen_ipv6 directive.    
listen=NO    
#    
# This directive enables listening on IPv6 sockets. By default, listening    
# on the IPv6 "any" address (::) will accept connections from both IPv6    
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6    
# sockets. If you want that (perhaps because you want to listen on specific    
# addresses) then you must run two copies of vsftpd with two configuration    
# files.    
# Make sure, that one of the listen options is commented !!    
listen_ipv6=YES    

# Name of the PAM service; its configuration lives in /etc/pam.d/vsftpd.
pam_service_name=vsftpd
# The ftpusers file is also known as the list of users forbidden to use vsftpd; when userlist_enable
# is NO, the users in ftpusers are denied access to the FTP server.
userlist_enable=YES
tcp_wrappers=YES
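As an added example that is not part of the original post, the following Python script parses a vsftpd.conf in the key=value form shown above, reports inline comments that vsftpd would read as part of the value, and reproduces the four chroot_local_user / chroot_list_enable combinations so you can check which users end up confined. The sample config and user names are constructed.

```python
"""Added example (not from the original post): check a vsftpd.conf for the
chroot behaviour and pitfalls discussed above. Sample data is constructed."""

# Constructed sample with the directives from this post plus one inline
# comment on a value line. vsftpd only recognises whole-line '#' comments,
# so it would read 'YES #needed ...' as the value and refuse to start.
SAMPLE_CONF = """\
# chroot settings
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES #needed or login fails
"""

def parse_conf(text):
    """Return (settings, problems) for vsftpd's key=value format."""
    settings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {n}: not key=value: {line!r}")
            continue
        if "#" in value:
            problems.append(f"line {n}: inline comment after {key.strip()}")
            value = value.split("#", 1)[0]  # keep what the author meant
        settings[key.strip()] = value.strip()
    return settings, problems

def is_chrooted(user, settings, chroot_list):
    """True if `user` is confined to its home directory (cases 1-4 above):
    chroot_local_user=YES confines everyone, the list names exceptions;
    chroot_local_user=NO confines nobody, the list names who IS confined;
    the list is consulted only when chroot_list_enable=YES."""
    everyone = settings.get("chroot_local_user", "NO").upper() == "YES"
    use_list = settings.get("chroot_list_enable", "NO").upper() == "YES"
    listed = use_list and user in chroot_list
    return everyone != listed

def writable_chroot_risk(settings):
    """allow_writeable_chroot=YES disables the guard the stock comments warn about."""
    return (settings.get("chroot_local_user", "NO").upper() == "YES"
            and settings.get("allow_writeable_chroot", "NO").upper() == "YES")
```

Feed it the real file with `parse_conf(open("/etc/vsftpd/vsftpd.conf").read())` and the contents of chroot_list as a set of user names.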

If you get "530 Login incorrect"

tail -f /var/log/secure   # look at the error message

Edit /etc/pam.d/vsftpd and comment out the line "auth required pam_shells.so". pam_shells rejects any account whose login shell is not listed in /etc/shells, and /sbin/nologin, which ftpuser1 was created with above, is normally not in that file, so the login is refused.
