Diegiame ftp serverį (vsftpd) į CentOS

Čia pateikta kaip įdieginėjau vsftpd į CentOS 6.3. Pažingsniui, bet detaliai, smulkiai neaprašinėsiu. Manau ir taip dauguma aišku.

1. diegiame vsftpd:

yum install -y vsftpd

2. pasiruošiame:

cd /etc/vsftpd
cp -p vsftpd.conf vsftpd.conf.orig

3. tikriname nustatymus:

egrep -v "^#|^$" vsftpd.conf

Matome, kad reikia koreguoti:

[root@localhost vsftpd]# egrep -v “^#|^$” vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@localhost vsftpd]#

4. keičiame, konfigūruojame pagal savo poreikius:

nano vsftpd.conf

(tik anonymous_enable=YES, keičiame į anonymous_enable=NO)

5. (jei selinux įjungtas) vykdome komandą:

[root@localhost vsftpd]# getsebool -a|grep ftp
allow_ftpd_anon_write –> off
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> off
ftpd_connect_db –> off
ftpd_use_passive_mode –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
[root@localhost vsftpd]# setsebool -P ftp_home_dir on
[root@localhost vsftpd]#
[root@localhost vsftpd]# getsebool -a|grep ftp
allow_ftpd_anon_write –> off
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> on
ftpd_connect_db –> off
ftpd_use_passive_mode –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
[root@localhost vsftpd]#

Dabar reikia atverti 20,21 prievadą, pasidarome kopija, koreguojame ir perkrauname iptables:

[root@localhost sysconfig]#cd /etc/sysconfig
[root@localhost sysconfig]#cp -p iptables iptables.orig

[root@localhost sysconfig]# cat iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp –dport 21 -j ACCEPT
-A INPUT -p tcp –dport 20 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
-A INPUT -j REJECT
COMMIT
[root@localhost sysconfig]# /etc/init.d/iptables restart

6. Startuojame vsftpd:

/etc/init.d/vsftpd start

chkconfig vsftpd on

7. Sukuriame vartotoją:

useradd test
passwd test

8. Viskas, bandome prisijungti naudojant ftp programą.

P.S. vartotojų apribojimų prisijungimui, rasute čia aprašyta čia:

[root@localhost vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
...

[root@localhost vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
...

9. Jei įdiegtas fail2ban, koreguojam:

nano /etc/fail2ban/filter.d/vsftpd.conf

surandame ir pakeičiame:

[Definition]
 failregex = vsftpd: pam_unix\(vsftpd:auth\):
 authentication failure; .* rhost=(?:\s+user=\S*)?\s*$
 ignoreregex =

ir koreguojam jail.conf:

nano /etc/fail2ban/jail.conf

surandame ir pasikoreguojame nuostatas, pvz:

[vsftpd-iptables]
enabled = true
 filter = vsftpd
 action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
 sendmail-whois[name=VSFTPD, dest=root@localhost]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 1800

P.S. Saugesniam prisijungimui galime sukonfiguruoti su SSL:

cd /etc/vsftpd/

/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Koreguojame /etc/vsftpd/vsftpd.conf :

#nano /etc/vsftpd/vsftpd.conf

...
ssl_enable=YES
 allow_anon_ssl=NO
 force_local_data_ssl=NO
 force_local_logins_ssl=YES
 ssl_tlsv1=YES
 ssl_sslv2=NO
 ssl_sslv3=NO
 rsa_cert_file=/etc/vsftpd/vsftpd.pem

service vsftpd restart