Installing an FTP server (vsftpd) on CentOS
Here is how I installed vsftpd on CentOS 6.3. Step by step, but I won't describe every small detail; I think most of it is clear anyway.
1. Install vsftpd:
yum install -y vsftpd
2. Prepare (back up the original configuration):
cd /etc/vsftpd
cp -p vsftpd.conf vsftpd.conf.orig
3. Check the settings:
egrep -v "^#|^$" vsftpd.conf
We can see what needs to be changed:
[root@localhost vsftpd]# egrep -v "^#|^$" vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@localhost vsftpd]#
4. Change and configure to suit your needs:
nano vsftpd.conf
(only anonymous_enable=YES is changed, to anonymous_enable=NO)
5. (if SELinux is enabled) run:
[root@localhost vsftpd]# getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@localhost vsftpd]# setsebool -P ftp_home_dir on
[root@localhost vsftpd]#
[root@localhost vsftpd]# getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@localhost vsftpd]#
Now ports 20 and 21 need to be opened: make a copy, edit the file, and restart iptables:
[root@localhost sysconfig]# cd /etc/sysconfig
[root@localhost sysconfig]# cp -p iptables iptables.orig
[root@localhost sysconfig]# cat iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT
COMMIT
[root@localhost sysconfig]# /etc/init.d/iptables restart
6. Start vsftpd:
/etc/init.d/vsftpd start
chkconfig vsftpd on
7. Create a user:
useradd test
passwd test
8. That's it; try connecting with an FTP client.
P.S. You'll find the restrictions on which users may log in described here:
[root@localhost vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
...
[root@localhost vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
...
9. If fail2ban is installed, edit:
nano /etc/fail2ban/filter.d/vsftpd.conf
find and replace with (fail2ban requires the <HOST> tag in failregex; it marks the address that gets banned):
[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
and edit jail.conf:
nano /etc/fail2ban/jail.conf
find and adjust the settings, e.g.:
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800
P.S. For a more secure connection, we can configure SSL:
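As an added example (not part of the original post), the following shell script runs the failregex from the filter above over a constructed sample of /var/log/secure. The regex is rewritten in POSIX extended syntax for grep -E, with <HOST> spelled out as an IPv4 capture, so it runs without fail2ban (whose own engine is Python's re). It counts failures per rhost and lists the hosts that have reached maxretry, which is the decision the vsftpd-iptables jail makes before calling its iptables action. The log lines, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the fail2ban vsftpd
# failregex against constructed log lines and reproduce the per-host
# maxretry decision, so the filter can be checked before it is deployed.

# Constructed sample of /var/log/secure (documentation-range addresses,
# not real hosts). Lines 1-3 are PAM auth failures, 4-5 are not.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=192.0.2.10  user=test
Jan 10 12:00:02 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=192.0.2.10  user=test
Jan 10 12:00:05 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7
Jan 10 12:00:09 localhost sshd[1234]: Accepted password for test from 192.0.2.20 port 40000 ssh2
Jan 10 12:00:11 localhost vsftpd: pam_unix(vsftpd:session): session opened for user test by (uid=0)
EOF

# POSIX ERE translation of the page's failregex; <HOST> becomes an IPv4
# capture group and \s / \S become POSIX character classes.
FAILREGEX='vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=([0-9.]+)([[:space:]]+user=[^[:space:]]*)?[[:space:]]*$'

# vsftpd_failures LOG -> prints every line that the filter would count.
vsftpd_failures() {
    grep -E "$FAILREGEX" "$1"
}

# vsftpd_failure_counts LOG -> "count address" per host, most frequent first
# (the per-host tally fail2ban compares against maxretry).
vsftpd_failure_counts() {
    vsftpd_failures "$1" \
      | sed -E 's/.*rhost=([0-9.]+).*/\1/' \
      | sort | uniq -c | sort -rn | sed -E 's/^[[:space:]]+//'
}

# vsftpd_would_ban LOG MAXRETRY -> addresses that have reached MAXRETRY.
vsftpd_would_ban() {
    vsftpd_failure_counts "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

vsftpd_failure_counts "$SAMPLE_LOG"
echo "would ban with maxretry=2:"
vsftpd_would_ban "$SAMPLE_LOG" 2
```

With the jail's maxretry = 5 none of the sample hosts would be banned yet; the call with 2 shows what the tally looks like once a host crosses the threshold. The sshd and session lines are there to confirm the regex does not fire on unrelated PAM messages.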
cd /etc/vsftpd/
/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Edit /etc/vsftpd/vsftpd.conf:
#nano /etc/vsftpd/vsftpd.conf
...
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
service vsftpd restart
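As an added example (not part of the original post), here is a shell script that automates the check done by hand in steps 3 and 4 and extends it to the SSL settings in this P.S.: it lists the effective lines of a vsftpd.conf the way egrep -v does, reads individual keys, and fails if anonymous_enable is not NO or if ssl_enable=YES is combined with ssl_sslv2=YES or ssl_sslv3=YES. The sample config it writes under /tmp and the function names are my own assumptions, not anything from vsftpd or the original post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf.
# vsftpd_active() reproduces step 3, vsftpd_setting() reads one key
# (last occurrence wins, comments ignored), vsftpd_audit() fails when
# anonymous access is still on or obsolete SSL protocols are enabled.

# Constructed sample config, assumed to mirror the CentOS 6 defaults shown
# in step 3 after anonymous_enable has been switched to NO (step 4).
SAMPLE_CONF="${TMPDIR:-/tmp}/vsftpd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF

# vsftpd_active FILE -> the non-comment, non-empty lines, as in step 3.
vsftpd_active() {
    grep -E -v '^#|^$' "$1"
}

# vsftpd_setting FILE KEY -> value of KEY, or nothing if KEY is not set.
vsftpd_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_audit FILE -> 0 when the hardening checks pass, 1 otherwise.
vsftpd_audit() {
    _conf="$1"; _rc=0
    if [ "$(vsftpd_setting "$_conf" anonymous_enable)" != "NO" ]; then
        echo "FAIL: anonymous_enable is not NO" >&2; _rc=1
    fi
    # Only meaningful once SSL is switched on, as in the P.S. section.
    if [ "$(vsftpd_setting "$_conf" ssl_enable)" = "YES" ]; then
        for _proto in ssl_sslv2 ssl_sslv3; do
            if [ "$(vsftpd_setting "$_conf" "$_proto")" = "YES" ]; then
                echo "FAIL: $_proto must be NO" >&2; _rc=1
            fi
        done
    fi
    return $_rc
}

vsftpd_active "$SAMPLE_CONF"
vsftpd_audit "$SAMPLE_CONF" && echo "audit OK"
```

Point vsftpd_audit at /etc/vsftpd/vsftpd.conf to run it against the real file; a non-zero exit means one of the settings this post changes is still at its insecure value.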