Setting Up a Secure FTP Server Using SSL/TLS on Ubuntu


In this tutorial, we will describe how to secure an FTP server (VSFTPD stands for "Very Secure FTP Daemon") using SSL/TLS on Ubuntu 16.04/16.10.

If you are looking to set up a secure FTP server on CentOS-based distributions, you can read - Secure an FTP Server Using SSL/TLS on CentOS

After following the various steps in this guide, we will have learned the fundamentals of enabling encryption services in an FTP server, which is essential for secure data transfers.

  1. You must install and configure an FTP server in Ubuntu

Before we go further, make sure that all commands in this article are run as root or from an account with sudo privileges.

Step 1: Generating an SSL/TLS Certificate for FTP on Ubuntu

1. We will begin by creating a subdirectory under /etc/ssl/ to store the SSL/TLS certificate and key files, if it does not exist already:

$ sudo mkdir /etc/ssl/private

2. Now let's generate the certificate and key in a single file by running the command below.

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The above command will prompt you to answer the questions below; don't forget to enter values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 

Step 2: Configuring VSFTPD to Use SSL/TLS on Ubuntu

3. Before we make any VSFTPD configuration changes, those who have the UFW firewall enabled have to open ports 990 and 40000-50000, to allow TLS connections and the range of passive ports that will be set in the VSFTPD configuration file, respectively:

$ sudo ufw allow 990/tcp
$ sudo ufw allow 40000:50000/tcp
$ sudo ufw status

4. Now, open the VSFTPD configuration file and define the SSL details in it:

$ sudo vi /etc/vsftpd/vsftpd.conf
OR
$ sudo nano /etc/vsftpd/vsftpd.conf

Then, add or locate the option ssl_enable and set its value to YES to activate the use of SSL. Again, because TLS is more secure than SSL, we will restrict VSFTPD to use TLS instead, by enabling the ssl_tlsv1 option:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Next, comment out the lines below using the # character as follows:

#rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Then, add the lines below to define the location of the SSL certificate and key file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Now, we also have to prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfer and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. Furthermore, we can use the options below to add more security features to the FTP server. With the option require_ssl_reuse=YES, all SSL data connections are required to exhibit SSL session reuse, proving that they know the same master secret as the control channel. It is the stricter setting, but it can break FTP clients that do not reuse the session, so we disable it here.

require_ssl_reuse=NO

In addition, we can set which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This helps frustrate attackers who try to force a specific cipher in which they may have discovered vulnerabilities:

ssl_ciphers=HIGH

8. Then, let's define the port range (min and max port) of the passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. To enable SSL debugging, meaning that OpenSSL connection diagnostics are recorded in the VSFTPD log file, we can use the debug_ssl option:

debug_ssl=YES

Finally, save the file and close it. Then restart the VSFTPD service:

$ systemctl restart vsftpd
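
The options set in steps 4 to 8 can be checked mechanically before or after a restart. The script below is an added example, not part of the original tutorial; conf_value, fail and audit_vsftpd_tls are hypothetical helper names, and the sample configuration is constructed for illustration.

```shell
# Added example; conf_value, fail and audit_vsftpd_tls are hypothetical names.
# Active value of option $2 in file $1 (comments skipped, last assignment wins).
conf_value() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'; }
fail() { echo "FAIL  $1"; fails=$((fails + 1)); }
# Check file $1 against steps 4-8 (a missing option fails); returns the failure count.
audit_vsftpd_tls() {
    conf=$1 fails=0
    while read -r opt want; do
        got=$(conf_value "$conf" "$opt")
        if [ "$got" = "$want" ]; then
            echo "ok    $opt=$got"
        else
            fail "$opt=${got:-<unset>} (guide sets $want)"
        fi
    done <<EOF
ssl_enable YES
ssl_tlsv1 YES
ssl_sslv2 NO
ssl_sslv3 NO
allow_anon_ssl NO
force_local_data_ssl YES
force_local_logins_ssl YES
ssl_ciphers HIGH
EOF
    # The distribution's "snakeoil" certificate must no longer be in use.
    cert=$(conf_value "$conf" rsa_cert_file)
    case $cert in
        ''|*snakeoil*) fail "rsa_cert_file=${cert:-<unset>}" ;;
        *) echo "ok    rsa_cert_file=$cert" ;;
    esac
    # The passive range must be set and ordered (and match the UFW rule).
    min=$(conf_value "$conf" pasv_min_port)
    max=$(conf_value "$conf" pasv_max_port)
    if [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] 2>/dev/null; then
        echo "ok    passive ports $min-$max"
    else
        fail "passive ports ${min:-<unset>}-${max:-<unset>}"
    fi
    return "$fails"
}

# Constructed sample: SSLv3 left on and the snakeoil certificate still active.
sample=$(mktemp)
printf '%s\n' ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=YES \
    allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
    ssl_ciphers=HIGH pasv_min_port=40000 pasv_max_port=50000 \
    rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem > "$sample"
audit_vsftpd_tls "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

To audit the live configuration, call audit_vsftpd_tls with the path of the file edited in step 4; values are compared with the exact spelling used in this guide.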

Step 3: Verify FTP with SSL/TLS Connections on Ubuntu

10. After performing all the above configurations, test whether VSFTPD is now using SSL/TLS connections by trying to use FTP from the command line as below.

In the output below, there is an error message telling us that VSFTPD only permits (non-anonymous) users to log in from secure clients that support encryption services.

$ ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

The command-line client does not support encryption services, which results in the error above. Therefore, to connect securely to an FTP server with encryption services enabled, we need an FTP client that supports SSL/TLS connections by default, such as FileZilla.

Step 4: Install FileZilla on Clients to Connect to FTP Securely

11. FileZilla is a powerful, cross-platform FTP client that supports FTP over SSL/TLS and more. To install FileZilla on a Linux client machine, use the following command.

--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla   

--------- On CentOS/RHEL/Fedora --------- 
# yum install epel-release filezilla

--------- On Fedora 22+ --------- 
$ sudo dnf install filezilla

12. Once the installation completes, open it and go to File => Site Manager (or press Ctrl+S) to open the Site Manager interface.

13. Now, define the host/site name, add the IP address, and define the protocol to use, the encryption and the logon type as shown below (use values that apply to your scenario):

Click on the New Site button to configure a new site/host connection.

Host:  192.168.56.10
Protocol:  FTP – File Transfer Protocol
Encryption:  Require explicit FTP over   #recommended 
Logon Type: Ask for password	        #recommended 
User: username

14. Then click Connect in the interface above to enter the password, verify the certificate being used for the SSL/TLS connection, and click OK once more to connect to the FTP server:

15. Now, you should have logged in successfully to the FTP server over a TLS connection; check the connection status section for more information.

16. Lastly, let's transfer files from the local machine to the FTP server in the files folder; watch the lower end of the FileZilla interface to view reports about the file transfers.

That's all! Always remember that installing an FTP server without enabling encryption services has certain security implications. As we explained in this tutorial, you can configure an FTP server to use SSL/TLS connections to implement security in Ubuntu 16.04/16.10.

If you face any issues in setting up SSL/TLS on the FTP server, use the comment form below to share your problems or thoughts about this tutorial/topic.