Pure-FTPd settings in the DirectAdmin panel

The DirectAdmin panel itself has no settings for the pure-ftpd service, so changing pure-ftpd parameters means editing a file.
See the official documentation: https://help.directadmin.com/item.php?id=491

On CentOS/Debian, change the parameter values in the following line of /etc/init.d/pure-ftpd, then restart the pure-ftpd service with /etc/init.d/pure-ftpd restart.

OPTIONS="-B -A -C 15 -E -H -k 99 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"

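For example, to change the number of connections allowed per IP, change the number 15 after -C.
The 10000 above (the first value after -L) is the number of files allowed to be displayed in an FTP directory.
35000:35999 (the value after -p) sets the ports for port mode.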

On FreeBSD, edit the /usr/local/etc/rc.d/pure-ftpd file instead.

Appendix: the meaning of each pure-ftpd option.

- ‘-0′: when a file is uploaded and there is already a previous version of the file with the same name, the old file will neither get removed nor truncated. Upload will take place in a temporary file and once the upload is complete, the switch to the new version will be atomic. For instance, when a large PHP script is being uploaded, the web server will still serve the old version and immediately switch to the new one as soon as the full file has been transferred. This option is incompatible with virtual quotas.
- ‘-1′: log the PID of each session in syslog output.
- ‘-4′: only listen to IPv4 connections.
- ‘-6′: don’t listen to IPv4, only listen to IPv6.
- ‘-a ’: Authenticated users will be granted access to their home directory and nothing else (chroot) . This is especially useful for users without shell access, for instance, WWW-hosting services shared by several customers. Only member of group number  will have unrestricted access to the whole filesystem. So add a “staff”, “admin” or “ftpadmin” group and put your trusted users in.  is a NUMERIC group number, not a group name. This feature is mainly designed for system users, not for virtual ones.
- ‘-A’: chroot() everyone, but root.
- ‘-b’: Ignore parts of RFC standards in order to deal with some totally broken FTP clients, or broken firewalls/NAT boxes.
- ‘-B’: Have the standalone server start in background (daemonization).
- ‘-c ’: Allow a maximum of clients to be connected. For instance ‘-c 42′ will limit access to simultaneous 42 clients. There is a 50 client limit by default.
- ‘-C ’: Limit the number of simultaneous connections coming from the same IP address. This is yet another very effective way to prevent stupid denial of services and bandwidth starvation by a single user. It works only when the server is launched in standalone mode (if you use a super-server, it is supposed to do that). If the server is launched with ‘-C 2′, it doesn’t mean that the total number of connections is limited to 2. But the same client, coming from the same machine (or at least the same IP), can’t have more than two simultaneous connections. This feature needs some memory to track IP addresses, but it’s recommended to use it.
- ‘-d’: Send various debugging messages to the syslog. Don’t use this unless you really want to debug Pure-FTPd. Passwords aren’t logged. Duplicate ‘-d’ to log responses, too.
- ‘-D’: List files beginning with a dot (‘.’) even when the client doesn’t append the ‘-a’ option to the list command. A workaround for badly configured FTP clients. If you are a purist, don’t enable this. If you provide hosting services and if you have lousy customers, enable this.
- ‘-e’: Only allow anonymous users. Use this on a public FTP site with no remote FTP access to real accounts.
- ‘-f ’: Use that facility for syslog logging. It defaults to ‘ftp’ (or ‘local2′ if you got an obsolete libc without that facility). Logging can be disabled with ‘-f none’ .
- ‘-F ’: Display a fortune cookie on login. The sentence is a random extract from the text file . This text file should be formatted like standard “fortune” files (fortunes are separated by a ‘%’ sign on a single line) . Pure-FTPd has to be compiled with support for cookies (--with-cookie). If you just want a simple banner displayed before the login prompt, add the name of any text file here.
- ‘-g ’: Change the location of the pid file when the server is run in standalone mode. The default is /var/run/pure-ftpd.pid .
- ‘-G’: Disallow renaming.
- ‘-H’: By default, fully-qualified host names are logged. To achieve this, DNS lookups are mandatory. The ‘-H’ flag avoids host names resolution. (”213.41.14.252″ will be logged instead of “www.toolinux.com”) . It can significantly speed up connections and reduce bandwidth usage on busy servers. Use it especially on public FTP sites. Also, please note that without -H, host names are informative but shouldn’t be trusted: no reverse mapping check is done to save DNS queries.
- ‘-i’: Disallow upload for anonymous users, whatever directory permissions are. This option is especially useful for virtual hosting, to avoid your users creating warez sites in their account.
- ‘-I ’: Change the maximum idle time. The timeout is in minutes and defaults to 15 minutes. Modern FTP clients are trying to fool timeouts by sending fake commands at regular interval. We disconnect these clients when they are idle for twice (because they are active anyway) the normal timeout.
- ‘-j’: If the home directory of a user doesn’t exist, automatically create it. The newly created home directory belongs to the user and permissions are set according to the current directory mask. Only the home directory can be created (so /home/john/./public_html won’t work, but /home/john will) . To avoid local attacks, the parent directory should never belong to an untrusted user. Also note that you must trust whoever manages the users databases, because with that feature, he’ll be able to create/chown directories anywhere on the server’s filesystem.
- ‘-k ’: Don’t allow uploads if the partition is more than % full. For instance, “-k 95″ will ensure your disks will never get filled more than 95% by FTP. No need for the “percent” sign after the number.
- ‘-K’: Allow users to resume and upload files, but *NOT* to delete or rename them. Directories can be removed, but only if they are empty. However, overwriting existing files is still allowed (to support upload resume) . If you want to disable this too, add -r (--autorename) .
- ‘-l ’ or ‘-l :’: Adds a new rule to the authentication chain. Please read the “Authentication” section, later in this README file. It’s an important section.
- ‘-L :’: To avoid stupid denial-of-service attacks (or just CPU hogs), Pure-FTPd never displays more than 2000 files in response to an ‘ls’ command. Also, a recursive ‘ls’ (-R) never goes further than 5 subdirectories. You can increase/decrease those limits with the ‘-L’ option.
- ‘-m ’: Don’t allow anonymous download if the load is above  . A very efficient way to prevent overloading your server. Upload is still allowed, though.
- ‘-M’: Allow anonymous users to create directories.
- ‘-n :’: If the server has been compiled with support for virtual quotas, enforce these quota settings for all users (except members of the ‘trusted’ group) .  is in Megabytes. See the “virtual quotas” section later in this document.
- ‘-N’: NAT mode. Force ACTIVE mode. If your FTP server is behind a NAT box that doesn’t support applicative FTP proxying, or if you use port redirection without a transparent FTP proxy, use this. Well… the previous sentence isn’t very clear. Okay: if your network looks like this: (FTP server)-------(NAT/masquerading gateway/router)------(Internet) and if you want people coming from the internet to have access to your FTP server, please try without this option first. If Netscape clients can connect without any problem, your NAT gateway rulez. If Netscape doesn’t display directory listings, your NAT gateway sucks. Use ‘-N’ as a workaround.
- ‘-o’: Write all uploaded files to ‘/var/run/pure-ftpd.upload.pipe’ so that the ‘pure-uploadscript’ program can run. Don’t enable that option if you don’t actually use ‘pure-uploadscript’.
- ‘-O :’: Record all file transfers into a specific log file, in an alternative format. Currently, four formats are supported: CLF (Apache-like), Stats, W3C and xferlog.
- ‘-p :’: Use only ports in the range  to  inclusive for passive-mode downloads. This is especially useful if the server is behind a firewall without FTP connection tracking. Use high ports (40000-50000 for instance), where no regular server should be listening.
- ‘-P ’: Force the specified IP address in reply to a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box that doesn’t properly handle stateful FTP masquerading, put the ip address of that box here. If you have a dynamic IP address, you can put the public host name of your gateway, that will be resolved every time a new client will connect.
- ‘-q :’: Enable ratios for anonymous users.
- ‘-Q :’: Enable ratios for everybody (anonymous and non-anonymous). Members of the root (0, something called ‘wheel’) have no ratio.
- ‘-r’: Never overwrite existing files. Uploading a file whose name already exists causes an automatic rename. Files are called xyz, xyz.1, xyz.2, xyz.3, etc.
- ‘-R’: Disallow users (even non-anonymous ones) usage of the CHMOD command. On hosting services, it may prevent newbies from making mistakes, like setting bad permissions on their home directory. Only root can use CHMOD when -R is enabled.
- ‘-s’: The “waReZ protection”. Don’t allow anonymous users to download files owned by “ftp” (generally, files uploaded by other anonymous users) . So that uploads have to be validated by a system administrator (chown to another user) before being available for download.
- ‘-S [,|,] [|]’. This option is only effective when the server is launched as a standalone server. Connections are accepted on the specified IP and port. IPv4 and IPv6 are supported. Numeric and fully-qualified host names are accepted. A service name (see /etc/services) can be used instead of a numeric port number.
- ‘-T ’ and ‘-t ’: Enable bandwidth limitation (see below) .  is specified in kilobytes/seconds. To set up separate upload/download bandwidth, the []:[] syntax is supported.
- ‘-u ’: Don’t allow uids below  to log in. ‘-u 1′ denies access to root (safe), ‘-u 100′ denies access to virtual accounts on most Linux distros.
- ‘-U :’: Change the file creation mask. The default is 133:022. If you want a new file uploaded by a user to only be readable by that user, use ‘-U 177:077′. If you want uploaded files to be executable, use 022:022 (files will be readable -but not writable- by other users) or 077:077 (files will only be executable and readable by their owner) . Please note that Pure-FTPd supports the SITE CHMOD extension, so a user can change the permissions of his own files.
- ‘-V ’: Allow non-anonymous FTP access only on this specific local IP address. All other IP addresses are only anonymous. With that option, you can have routed IPs for public access and a local IP (like 10.x.x.x) for administration. You can also have a routable trusted IP protected by firewall rules and only that IP can be used to login as a non-anonymous user.
- ‘-v ’: Set the service name for Apple’s Bonjour. Only available on MacOS X when Bonjour support is compiled in.
- ‘-w’: Support the FXP protocol only for authenticated users. FXP works with IPv4 and IPv6 addresses.
- ‘-W’: Support the FXP protocol. FXP allows transfers between two remote servers without any file data going to the client asking for the transfer.
- ‘-x’: In normal operation mode, authenticated users can read/write files beginning with a dot (‘.’) . Anonymous users can’t, for security reasons (like changing banners or a forgotten .rhosts) . When ‘-x’ is used, authenticated users can download dot-files, but not overwrite/create them, even if they own them. That way, you can prevent hosted users from messing .qmail files. If you want to give user access to a special dot-file, create a symbolic link to the dot-file with a file name that has no dot in it and the client will be able to retrieve the file through that link.
- ‘-X’: This flag is identical to the previous one (writing dot-files is prohibited), but in addition, users can’t even *read* files and directories beginning with a dot (like “cd .ssh”) .
- ‘-y :’: This option only works if the server has been compiled with --with-peruserlimits. It restricts the number of concurrent sessions the same user can have.
  A null value (’0′) means ‘unlimited’.
  Here’s a concrete example:
  /usr/local/sbin/pure-ftpd -y 3:20 -c 15 -C 5 -B
Here, we allow:
  * A max total of 15 sessions.
  * 5 connections max coming from the same IP address.
  * 3 connections max with the same user name.
  * 20 anonymous users max.
- ‘-Y 0′: Disable the SSL/TLS encryption layer (default).
  ‘-Y 1′: Accept both standard and encrypted sessions.
  ‘-Y 2′: Refuse connections that aren’t using SSL/TLS security mechanisms, including anonymous sessions. The server must have been compiled with --with-tls and a valid certificate must be in place to get this feature. See the README.TLS file for more info about SSL/TLS.
- ‘-z’: Allow anonymous users to read files and directories starting with a dot (‘.’) .
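
As an added example (not from the original post or from the DirectAdmin or Pure-FTPd projects), the shell function below parses an OPTIONS string with getopts, using the option list above to decide which letters take a value, and reports the security-relevant switches. The function name and the OK/WARN/NOTE wording are made up for this illustration; -E and -Z, which the list above does not describe, are read as pure-ftpd's --noanonymous and --customerproof.

```shell
#!/bin/sh
# OPTIONS value from the init script above, single-quoted so that ${LOG} and
# ${DB} stay literal text here.
PAGE_OPTIONS='-B -A -C 15 -E -H -k 99 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z'

# audit_pureftpd_options "<option string>": print one finding per line.
# The body is a subshell, so parsing state does not leak into the caller.
audit_pureftpd_options() (
    set -f                      # no globbing while the string is word-split
    set -- $1
    OPTIND=1
    chroot=0 noanon=0 tls=0 per_ip='' min_uid='' pasv=''
    # Which letters take a value follows the option list above. -E and -Z are
    # not in that list: they are pure-ftpd's --noanonymous and --customerproof.
    spec=':0146AbBdDeEGHijKMNorRswWxXzZa:c:C:f:F:g:I:k:l:L:m:n:O:p:P:q:Q:S:T:t:u:U:V:v:y:Y:'
    while getopts "$spec" opt; do
        case $opt in
            A) chroot=1 ;;
            E) noanon=1 ;;
            C) per_ip=$OPTARG ;;
            u) min_uid=$OPTARG ;;
            p) pasv=$OPTARG ;;
            Y) tls=$OPTARG ;;
            :) echo "WARN -$OPTARG is missing its value" ;;
            \?) echo "NOTE -$OPTARG is not a known option letter" ;;
        esac
    done
    if [ "$chroot" = 1 ]; then echo "OK   -A: everyone but root is chrooted"
    else echo "WARN no -A: chroot() is not forced for every user"; fi
    if [ "$noanon" = 1 ]; then echo "OK   -E: anonymous logins are refused"
    else echo "WARN no -E: anonymous logins are not disabled"; fi
    case $tls in
        2) echo "OK   -Y 2: only SSL/TLS sessions are accepted" ;;
        1) echo "WARN -Y 1: unencrypted sessions are still accepted" ;;
        *) echo "WARN TLS off (-Y 0 is the default): sessions are unencrypted" ;;
    esac
    if [ -n "$per_ip" ]; then echo "OK   -C $per_ip: per-IP connection limit"
    else echo "WARN no -C: no per-IP connection limit"; fi
    if [ "${min_uid:-0}" -ge 1 ]; then echo "OK   -u $min_uid: uids below $min_uid cannot log in"
    else echo "WARN no -u: low uids such as root are not refused"; fi
    if [ -n "$pasv" ]; then echo "NOTE -p $pasv: open only this passive range in the firewall"
    else echo "NOTE no -p: passive ports are not pinned to a range"; fi
)

audit_pureftpd_options "$PAGE_OPTIONS"
```

Run it against the edited OPTIONS string before restarting pure-ftpd; for the line shown on this page the only warning is the missing -Y setting.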