How to Secure an FTP Server Using SSL/TLS for Secure File Transfer in CentOS 7


By its original design, FTP (File Transfer Protocol) is not secure, meaning it does not encrypt the data transferred between two machines, including user credentials. This is a major threat to the data as well as to server security.

In this tutorial, we will explain how to manually enable data encryption services on an FTP server in CentOS/RHEL 7 and Fedora; we will go through the various steps of securing the VSFTPD (Very Secure FTP Daemon) service using SSL/TLS certificates.

  1. You must have installed and configured an FTP server in CentOS 7

Before we start, note that all the commands in this tutorial will be run as root; otherwise, use the sudo command to gain root privileges if you are not managing the server with the root account.

Step 1. Generating the SSL/TLS Certificate and Private Key

1. We need to start by creating a subdirectory under /etc/ssl/ where we will store the SSL/TLS certificate and key files:

# mkdir /etc/ssl/private

2. Then run the command below to create the certificate and key for vsftpd in a single file; here is an explanation of each flag used.

  1. req - the command for X.509 Certificate Signing Request (CSR) management.
  2. x509 - X.509 certificate data management.
  3. days - defines the number of days the certificate is valid for.
  4. newkey - requests that a new private key be generated along with the certificate.
  5. rsa:2048 - the key type and size; generates a 2048-bit RSA private key.
  6. keyout - sets the file the key is stored in.
  7. out - sets the file the certificate is stored in; note that both the certificate and the key are stored in the same file: /etc/ssl/private/vsftpd.pem.

# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The above command will prompt you to answer the questions below; remember to use values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 

Step 2. Configuring VSFTPD to Use SSL/TLS

3. Before we make any VSFTPD configuration changes, let's open port 990 and the port range 40000-50000, to allow TLS connections and the range of passive ports that we will define in the VSFTPD configuration file, respectively:

# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload

4. Now, open the VSFTPD configuration file and define the SSL details in it:

# vi /etc/vsftpd/vsftpd.conf

Find the ssl_enable option and set its value to YES to enable the use of SSL; in addition, because TLS is more secure than SSL, we will restrict VSFTPD to use TLS instead, using the ssl_tlsv1_2 option:

ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Then, add the lines below to define the location of the SSL certificate and key file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Next, we have to prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfers and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. Furthermore, we can add the options below to increase the FTP server's security. When the require_ssl_reuse option is set to YES, all SSL data connections are required to exhibit SSL session reuse, proving that they know the same master secret as the control channel.

So, we have to turn it off.

require_ssl_reuse=NO

Again, we need to select the SSL ciphers VSFTPD will allow for encrypted SSL connections, using the ssl_ciphers option. This can greatly limit the efforts of attackers who try to force a specific cipher in which they may have discovered vulnerabilities:

ssl_ciphers=HIGH

8. Now, set the port range (min and max port) for passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. Optionally, enable SSL debugging, meaning OpenSSL connection diagnostics are recorded in the VSFTPD log file, with the debug_ssl option:

debug_ssl=YES

Save all changes and close the file. Then let's restart the VSFTPD service:

# systemctl restart vsftpd
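As an added check (not part of the original tutorial), the following Python script parses a vsftpd.conf and reports any of the settings applied in steps 4 to 9 that are missing or differ from what the tutorial sets, and confirms the passive port range stays inside the range opened in firewalld in step 3. The configuration embedded in it is constructed for the demonstration; point parse_vsftpd_conf at the contents of /etc/vsftpd/vsftpd.conf to audit a real server.

```python
"""Audit a vsftpd.conf for the SSL/TLS settings this tutorial applies (added example)."""

# Settings the tutorial sets explicitly, with the value it expects for each.
EXPECTED = {"ssl_enable": "YES", "ssl_tlsv1_2": "YES", "ssl_sslv2": "NO",
            "ssl_sslv3": "NO", "allow_anon_ssl": "NO", "force_local_data_ssl": "YES",
            "force_local_logins_ssl": "YES", "ssl_ciphers": "HIGH",
            "rsa_cert_file": "/etc/ssl/private/vsftpd.pem",
            "rsa_private_key_file": "/etc/ssl/private/vsftpd.pem"}
FIREWALL_PASV = (40000, 50000)  # range opened with firewall-cmd in step 3

# Constructed sample: ssl_sslv3 is missing, logins are not forced onto TLS, pasv range too wide.
SAMPLE_CONF = """\
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=60000
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is one option=value per line; lines starting with '#' are comments."""
    opts = {}
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not key.startswith("#"):
            opts[key.strip()] = value.strip()
    return opts

def audit(text):
    """Return findings; an empty list means the config matches the tutorial."""
    opts, findings = parse_vsftpd_conf(text), []
    for key, want in EXPECTED.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} is not set (expected {want})")
        elif (got.upper() if want in ("YES", "NO") else got) != want:  # YES/NO are case-insensitive
            findings.append(f"{key}={got} (expected {want})")
    lo, hi = opts.get("pasv_min_port", ""), opts.get("pasv_max_port", "")
    if not (lo.isdigit() and hi.isdigit()):
        findings.append("pasv_min_port/pasv_max_port are not both set")
    elif not FIREWALL_PASV[0] <= int(lo) <= int(hi) <= FIREWALL_PASV[1]:
        findings.append(f"passive range {lo}-{hi} is outside firewall-opened {FIREWALL_PASV[0]}-{FIREWALL_PASV[1]}")
    return findings
```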

Step 3: Testing the FTP Server with SSL/TLS Connections

10. After making all the above configurations, test whether VSFTPD is using SSL/TLS connections by trying to use FTP from the command line as follows:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

From the screenshot above, we can see that there is an error telling us that VSFTPD only allows users to log in from clients that support encryption services.

The command-line ftp client does not offer encryption services, hence the error. So, to connect securely to the server, we need an FTP client that supports SSL/TLS connections, such as FileZilla.
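The plain ftp client cannot negotiate TLS, but a scripted client can. The added example below (not from the original tutorial) uses Python's ftplib to confirm that a plaintext login is refused with a 530 reply and that an explicit FTPS login (AUTH TLS on the control channel, then PROT P for data) succeeds while trusting only the server's own self-signed certificate. The host 192.168.56.10 and user ravi are the tutorial's; the password prompt and the local certificate copy vsftpd-cert.pem are assumptions.

```python
"""Verify that vsftpd refuses plaintext logins and accepts explicit FTPS (added example)."""
import ssl
from ftplib import FTP, FTP_TLS, error_perm

HOST = "192.168.56.10"  # server address from the tutorial
# Assumed: a local copy of only the certificate part of vsftpd.pem, extracted on the
# server with `openssl x509 -in /etc/ssl/private/vsftpd.pem -out vsftpd-cert.pem`.
# Never copy the combined file: the private key must stay on the server.
CA_FILE = "vsftpd-cert.pem"


def tls_context(cafile=None):
    """TLS 1.2+ client context that trusts only the pinned self-signed server certificate.

    With a single pinned certificate the hostname check adds nothing (the tutorial's
    CN is "tecmint", not the IP we connect to), so it is disabled. cafile=None falls
    back to the system trust store, which only helps with a CA-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def plaintext_login_refused(host, user, password):
    """True when a plain USER/PASS is answered with 530 (encryption required)."""
    with FTP(host, timeout=10) as ftp:
        try:
            ftp.login(user, password)
        except error_perm as exc:
            return str(exc).startswith("530")
    return False


def tls_login(host, user, password, cafile):
    """Explicit FTPS: AUTH TLS before credentials, PROT P for data, then list the directory."""
    ftps = FTP_TLS(context=tls_context(cafile), timeout=10)
    ftps.connect(host, 21)
    ftps.auth()    # upgrade the control channel first, so the password never goes in clear
    ftps.login(user, password)
    ftps.prot_p()  # encrypt data connections too, as force_local_data_ssl=YES requires
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password for ravi: ")
    print("plaintext login refused:", plaintext_login_refused(HOST, "ravi", pw))
    print("files visible over TLS:", tls_login(HOST, "ravi", pw, CA_FILE))
```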

Step 4: Install FileZilla to Securely Connect to an FTP Server

11. FileZilla is a modern, popular and, importantly, cross-platform FTP client that supports SSL/TLS connections by default.

To install FileZilla on Linux, run the command below:

--------- On CentOS/RHEL/Fedora --------- 
# yum install epel-release filezilla

--------- On Debian/Ubuntu ---------
$ sudo apt-get install  filezilla   

12. When the installation completes (or if you already have it installed), open it and go to File => Site Manager or (press Ctrl + S) to get the Site Manager interface below.

Click the New Site button to add the connection details of a new site/host.

13. Next, set the host/site name, add the IP address, define the protocol to use, the encryption and the logon type as in the screenshot below (use values that apply to your scenario):

Host:  192.168.56.10
Protocol:  FTP – File Transfer Protocol
Encryption:  Require explicit FTP over TLS   #recommended 
Logon Type: Ask for password	        #recommended 
User: username

14. Then click Connect to enter the password again, then verify the certificate being used for the SSL/TLS connection and click OK once more to connect to the FTP server:

At this stage, we should have logged in successfully to the FTP server over a TLS connection; check the connection status section for more information in the interface below.

15. Last but not least, try transferring files from the local machine to the FTP server in the files folder; keep an eye on the lower part of the FileZilla interface to view reports about the file transfers.

That's all! Always keep in mind that FTP is insecure by default, unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Share your thoughts about this tutorial/topic via the feedback form below.