How to Install, Configure and Secure an FTP Server in CentOS 7 - [Comprehensive Guide]


FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (it permits anonymous users to connect to a server). We must understand that FTP is not secure by default, because it transmits user credentials and data without encryption.

In this guide, we will describe the steps to install, configure and secure an FTP server (VSFTPD stands for "Very Secure FTP Daemon") on CentOS/RHEL 7 and Fedora distributions.

Note that all the commands in this guide will be run as root; in case you are not operating the server with the root account, use the sudo command to gain root privileges.

Step 1: Installing the FTP Server

1. Installing the vsftpd server is straightforward; just run the following command in the terminal.

# yum install vsftpd

2. After the installation completes, the service will initially be disabled, so we need to start it manually for the time being and also enable it to start automatically from the next system boot:

# systemctl start vsftpd
# systemctl enable vsftpd

3. Next, to allow access to the FTP service from external systems, we have to open port 21, where the FTP daemon listens, as follows:

# firewall-cmd --zone=public --permanent --add-port=21/tcp
# firewall-cmd --zone=public --permanent --add-service=ftp
# firewall-cmd --reload

Step 2: Configuring the FTP Server

4. Now we will move on to perform a few configurations to set up and secure our FTP server. Let us start by making a backup of the original config file /etc/vsftpd/vsftpd.conf:

# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig

Next, open the config file above and set the following options with these corresponding values (the text after # explains each option; vsftpd itself rejects trailing comments, so put the values alone on their lines in the actual file):

anonymous_enable=NO             # disable anonymous login
local_enable=YES                # permit local logins
write_enable=YES                # enable FTP commands which change the filesystem
local_umask=022                 # value of umask for file creation for local users
dirmessage_enable=YES           # enable showing of messages when users first enter a new directory
xferlog_enable=YES              # a log file will be maintained detailing uploads and downloads
connect_from_port_20=YES        # use port 20 (ftp-data) on the server machine for PORT style connections
xferlog_std_format=YES          # keep standard log file format
listen=NO                       # prevent vsftpd from running in standalone mode
listen_ipv6=YES                 # vsftpd will listen on an IPv6 socket instead of an IPv4 one
pam_service_name=vsftpd         # name of the PAM service vsftpd will use
userlist_enable=YES             # enable vsftpd to load a list of usernames
tcp_wrappers=YES                # turn on tcp wrappers

5. Now configure FTP to allow/deny FTP access to users based on the user list file /etc/vsftpd.userlist.

By default, users listed in userlist_file=/etc/vsftpd.userlist are denied login access when the userlist_deny option is set to YES, provided userlist_enable=YES.

However, userlist_deny=NO alters this setting, meaning that only the users explicitly listed in userlist_file=/etc/vsftpd.userlist will be permitted to log in.

userlist_enable=YES                   # vsftpd will load a list of usernames, from the filename given by userlist_file
userlist_file=/etc/vsftpd.userlist    # stores usernames.
userlist_deny=NO                      # treat the list as an allow-list: only listed users may log in

That is not all: when users log in to the FTP server, they are placed in a chroot'ed jail, which is the local root directory that will act as their home directory for the FTP session only.

Next, we will look at two possible scenarios for chrooting FTP users to their home directories (local root), as explained below.

6. Now add the following two options to restrict FTP users to their home directories.

chroot_local_user=YES
allow_writeable_chroot=YES

chroot_local_user=YES means local users will be placed in a chroot jail, which by default is their home directory after login.

Also by default, vsftpd does not allow the chroot jail directory to be writable, for security reasons; however, we can use the option allow_writeable_chroot=YES to override this setting.

Save the file and close it.

Step 3: Securing the FTP Server with SELinux

7. Now, let us set the SELinux boolean below to allow FTP to read files in a user's home directory. Note that this was previously done using the command:

# setsebool -P ftp_home_dir on

However, the ftp_home_dir directive has been disabled by default, as explained in this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1097775.

Now we will use the semanage command to set an SELinux rule that allows FTP to read/write a user's home directory.

# semanage boolean -m ftpd_full_access --on

At this point, we have to restart vsftpd to apply all the changes we made above:

# systemctl restart vsftpd

Step 4: Testing the FTP Server

8. Now we will test the FTP server by creating an FTP user with the useradd command.

# useradd -m -c "Ravi Saive, CEO" -s /bin/bash ravi
# passwd ravi

Then, we have to add the user ravi to the file /etc/vsftpd.userlist using the echo command as follows:

# echo "ravi" | tee -a /etc/vsftpd.userlist
# cat /etc/vsftpd.userlist

9. Now it is time to test whether our settings above are working correctly. Let us start by testing anonymous logins; we can see from the output below that anonymous logins are not permitted:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : anonymous
530 Permission denied.
Login failed.
ftp>

10. Let us also test whether a user not listed in the file /etc/vsftpd.userlist will be granted permission to log in, which is not the case, as the output below shows:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : aaronkilik
530 Permission denied.
Login failed.
ftp>

11. Now carry out a final check of whether a user listed in the file /etc/vsftpd.userlist is actually placed in his or her home directory after login:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

Enable the allow_writeable_chroot option only if you know exactly what you are doing. It is important to note that these security implications are not specific to vsftpd; they apply to all FTP daemons which offer to put local users in chroot jails.

Therefore, we will look at a more secure way of setting up a different, non-writable local root directory in the next section.

Step 5: Configuring Different FTP User Home Directories

12. Open the vsftpd configuration file once more and start by commenting out the insecure option below:

#allow_writeable_chroot=YES

Then create an alternative local root directory for the user (ravi here; yours is probably different) and remove write permissions on this directory for all users:

# mkdir /home/ravi/ftp
# chown nobody:nobody /home/ravi/ftp
# chmod a-w /home/ravi/ftp

13. Next, create a directory under the local root where the user will store his or her files:

# mkdir /home/ravi/ftp/files
# chown ravi:ravi  /home/ravi/ftp/files
# chmod 0700 /home/ravi/ftp/files/

Then add/modify the following options in the vsftpd config file with these values:

user_sub_token=$USER         # substitutes the username into the local root directory path
local_root=/home/$USER/ftp   # defines each user's local root directory

Save the file and close it. Once more, let us restart the service with the new settings:

# systemctl restart vsftpd
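As an added self-check that is not part of the original article, the following POSIX shell script audits a vsftpd.conf for the settings this guide arrives at (anonymous login off, local users chrooted, writable chroot off, the user list in allow-list mode, a separate local root). The function names and the two sample configuration files it builds are constructed for illustration.

```shell
# vsftpd_opt FILE KEY: print the last effective value of KEY, skipping
# commented-out lines and tolerating a trailing "# comment" after the value.
vsftpd_opt() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; sub(/[[:space:]]*#.*$/, "", v)
                   sub(/[[:space:]]+$/, "", v); val = v }
        END { print val }' "$1"
}

findings=0
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_vsftpd_conf FILE: print one FAIL line per weak setting, return the count
# (0 means the file matches the hardened configuration of this guide).
audit_vsftpd_conf() {
    conf="$1"; findings=0
    [ "$(vsftpd_opt "$conf" anonymous_enable)" = "NO" ] \
        || fail "anonymous_enable must be NO (unauthenticated access)"
    [ "$(vsftpd_opt "$conf" chroot_local_user)" = "YES" ] \
        || fail "chroot_local_user should be YES to jail local users"
    [ "$(vsftpd_opt "$conf" allow_writeable_chroot)" != "YES" ] \
        || fail "allow_writeable_chroot=YES makes the jail root writable"
    # allow-list mode is userlist_enable=YES together with userlist_deny=NO
    { [ "$(vsftpd_opt "$conf" userlist_enable)" = "YES" ] &&
      [ "$(vsftpd_opt "$conf" userlist_deny)" = "NO" ]; } \
        || fail "userlist_enable=YES + userlist_deny=NO needed for an allow-list"
    [ -n "$(vsftpd_opt "$conf" local_root)" ] \
        || fail "local_root unset: the jail falls back to the (writable) home directory"
    return "$findings"
}

# make_sample_conf weak|hardened: write a constructed sample config (not taken
# from any real server) to a temp file and print its path, for self-checking.
make_sample_conf() {
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' \
            'chroot_local_user=YES' 'allow_writeable_chroot=YES' > "$f"
    else
        printf '%s\n' 'anonymous_enable=NO   # disable anonymous login' \
            'local_enable=YES' 'chroot_local_user=YES' \
            '#allow_writeable_chroot=YES' 'userlist_enable=YES' \
            'userlist_deny=NO' 'user_sub_token=$USER' \
            'local_root=/home/$USER/ftp' > "$f"
    fi
    echo "$f"
}
```

Run it against the live file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after editing; a non-zero return value is the number of settings that still differ from the guide.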

14. Now perform the final test again and confirm that the user's local root directory is the FTP directory we created inside his home directory.

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

That's it! In this article, we described how to install, configure and secure an FTP server on CentOS 7. Use the comment section below to write back to us about this guide or to share any useful information on this topic.

In the upcoming article, we will also show you how to secure an FTP server using SSL/TLS connections on CentOS 7. Until then, stay connected to TecMint.